I'm trying to write a Snort rule to look for SSNs. Due to the limitations of the appliance in place I cannot use the pre-processor settings. How intense would it be to run a PCRE rule for SSNs? This would essentially perform a regex comparison on every packet, which seems pretty intensive.
Viewed 102 times
Are you trying to implement DLP using Snort? You might find these links interesting.
Any kind of regex processing is bound to be intensive if there is a lot of network traffic. You can perhaps make your rule filters more specific so that Snort does not attempt to do a regex match against everything? Target applications/protocols that are likely to contain interesting data.

ngn
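The layered approach the answer recommends, restrict by protocol and port first, then run a cheap byte-level check, and only then the expensive regex, as an added Python illustration. This is not Snort code and not part of the original answer; the sample packets are constructed, the port list is an assumption, and the `Packet` type and function names are hypothetical. The regex also drops the SSN blocks the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000), which cuts false positives from order numbers and similar digit strings.

```python
import re
from collections import namedtuple

# Constructed stand-in for what Snort sees per packet: transport protocol,
# destination port and the raw payload bytes. (Hypothetical type, not Snort's.)
Packet = namedtuple("Packet", "proto dport payload")

# Stage 1: header filter. Only cleartext application ports likely to carry
# form data or mail get any regex attention (assumption: SMTP and HTTP here).
INSPECT_PORTS = {"tcp": {25, 80}}


def cheap_prefilter(payload: bytes) -> bool:
    """Stage 2: regex-free gate, analogous to a Snort 'content' fast pattern.
    A dashed SSN needs at least two hyphens and nine digits in the payload."""
    return payload.count(b"-") >= 2 and sum(c in b"0123456789" for c in payload) >= 9


# Stage 3: the expensive part. The 3-2-4 shape plus lookarounds that reject
# never-issued blocks (area 000/666/9xx, group 00, serial 0000) and digit runs
# that are really part of a longer number.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def find_ssns(payload: bytes):
    """Return every structurally valid dashed SSN found in the payload."""
    return [m.group(0).decode() for m in SSN_RE.finditer(payload)]


def inspect(pkt: Packet):
    """Return (ssns_found, regex_was_run) so callers can see how often stage 3 ran."""
    if pkt.dport not in INSPECT_PORTS.get(pkt.proto, set()):
        return [], False
    if not cheap_prefilter(pkt.payload):
        return [], False
    return find_ssns(pkt.payload), True


def run(packets):
    """Inspect a batch; return (list of (index, ssns) hits, number of regex runs)."""
    hits, regex_runs = [], 0
    for i, pkt in enumerate(packets):
        ssns, ran = inspect(pkt)
        regex_runs += ran
        if ssns:
            hits.append((i, ssns))
    return hits, regex_runs


# Constructed sample traffic covering the cases each stage is meant to handle.
SAMPLE_PACKETS = [
    Packet("tcp", 80, b"POST /apply HTTP/1.1\r\n\r\nname=Jane&ssn=123-45-6789&zip=02139"),
    # regex runs but both numbers are never-issued blocks (area 000, area 9xx)
    Packet("tcp", 25, b"Subject: records\r\n\r\nid 000-12-3456 is invalid, 987-65-4320 is not an SSN"),
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01example\x03com"),   # DNS: never regexed
    Packet("tcp", 80, b"GET /img/logo-2023-v1.png HTTP/1.1"),        # hyphens but too few digits
    Packet("tcp", 80, b"order 2024-10-15-00001234 shipped"),          # 4-2-2-8, not 3-2-4
    Packet("tcp", 25, b"Emp 219-09-9999 and 219-00-1111"),            # second one has group 00
]

if __name__ == "__main__":
    found, runs = run(SAMPLE_PACKETS)
    print(f"hits={found} regex_runs={runs} of {len(SAMPLE_PACKETS)} packets")
```

On the sample batch the regex executes on four of the six packets and fires on two; the DNS packet and the low-digit HTTP request never reach it. In Snort terms the same layering is the rule header (protocol, direction, ports), `flow:` options, and a `content:` fast pattern placed before the `pcre:` option, so the PCRE engine only sees packets that have already passed the cheap checks.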