Toronto Data Loss Prevention User Group

  • 1.  Session IDs are captured by PCI Policy

    Posted Feb 15, 2018 02:44 PM

    Hello

    I'm trying to fine-tune the PCI policy to avoid false positives. The events are generated because the Credit Card Number rule (used at all breadths) takes session IDs and tracker cookies as valid numbers. Please find the message body below:

    Path: /live/prender
    Parameters:
    name: uid
    value: 5a7cab82350582f9
    name: rev
    value: v8.2.4-wp
    name: delay
    value: 0
    name: ids
    value: 5459-5488-5450-5487
    name: sid
    value: 5a85dba25622911e
    Content:
    {}  

    The above incident generated an event because it found 5459-5488-5450-5487 to be valid. My objective is not to capture session IDs or tracker cookies through the policy, thereby reducing false positives.

    Please help.



  • 2.  RE: Session IDs are captured by PCI Policy
    Best Answer

    Trusted Advisor
    Posted Feb 15, 2018 05:40 PM

    Vishnu,

    First, you should NOT use the Wide Breadth. It will constantly give you false positives, and there is no way to remove FPs when it comes to URLs or session IDs.

    1. You can use the Medium Breadth, which will at least validate whether the CCN is real using the algorithm.
      1. Even with the algorithm check, you will still get a lot of FPs. It might help, but I'm not sure.
    2. The best and really only way is to use the Narrow Breadth, which will require a keyword along with the CCN and validation.
      1. You can then truly start to eliminate sites based on some other keywords.

    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE
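The following is an added illustration of the three breadth levels Ronak describes, written for this page and not taken from the thread or from Symantec DLP itself. It models wide breadth as a bare 16-digit pattern match, medium breadth as that match plus a Luhn checksum, and narrow breadth as the Luhn-valid match plus a nearby keyword. The regular expression, the keyword list and the 40-character proximity window are my own stand-ins for the product's rule logic, and the request body is the one from the original post reproduced as constructed sample input (it contains no real card data). Worth noticing: the value 5459-5488-5450-5487 from the post happens to pass the Luhn check, so in this model the medium breadth still reports it and only the keyword condition of the narrow breadth removes it, which is the behaviour the answer warns about.

```python
import re

# Constructed sample: the parameter dump from the original post, used as input.
SAMPLE_EVENT = """Path: /live/prender
Parameters:
name: uid
value: 5a7cab82350582f9
name: rev
value: v8.2.4-wp
name: delay
value: 0
name: ids
value: 5459-5488-5450-5487
name: sid
value: 5a85dba25622911e
Content:
{}
"""

# Constructed sample of what a genuine leak might look like (4111... is the
# well-known Luhn-valid test number, not a live card).
SAMPLE_LEAK = "Card number: 4111 1111 1111 1111 exp 12/26 cvv 123"

# Hypothetical "wide breadth" pattern: four groups of four digits, optionally
# separated by a space or hyphen.  A product rule would be more elaborate.
CCN_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Hypothetical keyword list standing in for the keyword condition that a
# narrow-breadth rule adds on top of pattern and checksum.
CCN_KEYWORDS = ("card", "credit", "visa", "amex", "ccn", "cvv", "expir")


def luhn_valid(candidate: str) -> bool:
    """Return True if the digits in candidate satisfy the Luhn checksum."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back to a single digit (16 -> 7 is the same as 16 - 9).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidates(text: str):
    return list(CCN_PATTERN.finditer(text))


def find_wide(text: str) -> list:
    """Wide breadth: anything that looks like a card number, no validation."""
    return [m.group(0) for m in _candidates(text)]


def find_medium(text: str) -> list:
    """Medium breadth: pattern match that also passes the Luhn check."""
    return [m.group(0) for m in _candidates(text) if luhn_valid(m.group(0))]


def find_narrow(text: str, window: int = 40) -> list:
    """Narrow breadth: Luhn-valid match with a card-related keyword nearby."""
    hits = []
    lowered = text.lower()
    for m in _candidates(text):
        if not luhn_valid(m.group(0)):
            continue
        # Keyword must appear within `window` characters on either side.
        context = lowered[max(0, m.start() - window): m.end() + window]
        if any(k in context for k in CCN_KEYWORDS):
            hits.append(m.group(0))
    return hits


if __name__ == "__main__":
    for label, fn in (("wide", find_wide), ("medium", find_medium), ("narrow", find_narrow)):
        print(f"{label:6}: event={fn(SAMPLE_EVENT)}  leak={fn(SAMPLE_LEAK)}")
```

Running it shows the session-ID style value surviving both the wide and medium checks and dropping out only at narrow breadth, while the constructed leak with "Card number" and "cvv" next to it is reported at all three levels. When tuning a real policy, the keyword list is the place to invest: it should reflect how card data actually appears in the traffic being monitored rather than this illustrative handful.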