Simple DLP with Ngrep

Data Leak

DLP stands for “Data Loss Prevention” or sometimes, “Data Leak Protection“. Companies primary goal is to make business. And their activities rely on their data (customers, databases, research results, statistics, source code, …). DLP is a security process which takes care of: monitoring, identify and protection of the data. The goal is to prevent confidential information to go outside the company security perimeter (example: a co-worker sending a Word document with confidential data to an e-mail address).

DLP is a complex process to implement. However from time to time, it can be very useful to detect “suspicious” activity on a network or specific events. I’ll will show you it’s quite easy to implement a simple “watchdog” which will perform the basic DLP component: the monitoring!

Scenario: we would like to receive a notification when the following specific event occurs on our network: a credit card number passing through the network in clear text.

What do we need?

  • A tool to analyze the network traffic up to layer 7;
  • A method to catch the CC number;
  • A notification tool.

To analyze the network traffic, we’ll use the Linux machine properly connected to the network. The box should be able to capture all the network traffic in promiscuous mode (this will not be explained in details here – check with your local network admin). We will first use ngrep. This tool is the pending version of the grep tool:

ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets.

It’s usage is quite simple. You have to specific the capture network interface, a search string and an optional packet filter. The following example will report all “USER” or “PASS” commands issued by POP3 clients:

# ngrep -q -d eth0.10 "USER|PASS" port 110

ngrep is a very powerful command and can be used to catch more specific traffic with hexadecimal patterns or regular expressions. To achieve our second goal (catch the credit card number), we can use a regular expression. Personally, I’m not an expert and I prefer to let guru’s write them for me: On, there are plenty of ready-to-use regular expressions. Here is a nice one to catch credit cards:


(Check here for details)

We are now able to detect CC numbers passing over our network:

# ngrep -q -d eth0.10 \
-w "((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}" \
-O /tmp/creditcard.dump

All packets containing a CC will be logged to dumped to /tmp/creditcard.dump. This file could be analyzed later via a tool like Wireshark. But we still have a problem: how to be alerted when a credit card number is detected? IBM (yes, Big Blue itself) will help us with inotify. This is a set of tools for UNIX environment which allows to monitor changes on specific inodes. Exactly what we need! Let’s go for a few lines of shell:

# ngrep -q -d eth0.10 \
-w "((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}" \
-O /tmp/creditcard.dump &
# inotifywait -m -e MODIFY --timefmt "%D %T" \
  --format "Credit Card detected on %T, check out creditcard.dump!" \ 
/tmp/creditcard.dump | while read LINE
   echo $LINE | mail -s "Event"

Et voila, when a credit card number will be detected, a mail will be sent to <> and the time stamp of the event. This is just an example which worked for me. There are for sure plenty of other things to test or implement like dumping the last packet of the cap file with tcpdump into the mail body. Feel free to experiment!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.