Configure Prohibited Traffic list
The PCI data security standards requires that systems in a cardholder data environment only include services necessary on the system. Using the Prohibited Traffic list, PCI compliance solutions administrators can define a list of prohibited services that they do not expect to see on systems within the environment.
To view the Prohibited Traffic list, do the following:
- Select Configure > Content > Content Management.
- Click the Prohibited Traffic lookup. The Prohibited Traffic lookup file (
prohibited_traffic.csv
) appears in the lookup editor.
transport,src,src_pci_domain,dest,dest_pci_domain,dest_port,is_prohibited,is_secure,note *,*,cardholder,*,untrust,*,true,false,deny_all_cardholder_to_untrust *,*,untrust,*,cardholder,*,true,false,deny_all_untrust_to_cardholder *,*,wireless,*,cardholder,80,true,false,deny_http_wireless_to_cardholder icmp,*,untrust,*,dmz,*,false,,permit_icmp_untrust_to_dmz tcp,*,untrust,*,dmz,80,false,,permit_tcp80_untrust_to_dmz tcp,*,untrust,*,dmz,443,false,true,permit_tcp443_untrust_to_dmz udp,*,untrust,*,dmz,500,false,true,permit_udp500_untrust_to_dmz udp,*,untrust,*,dmz,4500,false,true,permit_udp4500_untrust_to_dmz tcp,*,untrust,*,dmz,1723,false,true,permit_tcp1723_untrust_to_dmz udp,*,untrust,*,dmz,1701,false,true,permit_udp1701_untrust_to_dmz udp,*,dmz,*,cardholder,514,false,,permit_udp514_dmz_to_cardholder tcp,*,dmz,*,cardholder,443,false,,permit_tcp443_dmz_to_cardholder tcp,*,trust,*,trust,22,false,true,permit_tcp22_inside_trust tcp,*,trust,*,trust,80,false,,permit_tcp80_inside_trust ...
The first line in the file describes the fields in the file.
Field | Description | Example |
---|---|---|
transport | The transport protocol. | TCP |
src | The host that is the source of the activity. Use a wildcard * to match all hosts.
|
ACME_host_002 |
src_pci_domain | The source domain of the activity. | cardholder |
dest | The host that is the destination of the activity. Use a wildcard * to match all hosts.
|
ACME_host_001 |
dest_pci_domain | The source domain of of the activity. | cardholder |
dest_port | The destination port of the activity. | 80 |
is_prohibited | Is the service/traffic/port prohibited? | true false |
is_secure | Is the traffic for the given service encrypted (secure)? | true false |
note | A description about the traffic or activity. | permit_icmp_untrust_to_dmz |
src_category | Category of the source | pci_cardholder |
dest_category | Category of the source | pci_cardholder |
Add to, or modify this list using the editor. Click Save when you are done.
There is no file checking or verification for this editor, so any typo might break the lookup file.
Configure Primary Functions list | Configure Interesting Services list |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!