Sensitive Data Preprocessor: logging single matches

[Erik Johnson <ejohnson () vailsys com>]

I have enabled the SDP and have it successfully logging matches for
Credit Card numbers and SSNs being sent in the clear through a mail
server. However, according to the following README:

http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sensitive_data?rev=HEAD

The preprocessor's alert threshold must be 'higher than the highest
individual count in your "sd_pattern" rules'. With sd_pattern allowing a
minimum count of 1, this means that the alert_threshold should be set to
a minimum of 2. In fact, when I set it to 1, it still didn't log an
alert until I put 2 valid credit card numbers into the email. This makes
catching emails with single credit card numbers impossible. Is there a
reason for this restriction, or a way around it?

I apologize if this has been answered before, I searched but was unable
to find any explanation.

Attachment: _bin
Description:

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users