[Zeek] sethhall/credit-card-exposure

Michael Shirk shirkdog.bsd at gmail.com
Thu Dec 12 06:19:53 PST 2019


You can submit a pull request to Seth's GitHub repo if you can share the
modifications with the community.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Thu, Dec 12, 2019, 09:18 Nick Turley <nick_turley at byu.edu> wrote:

> We’ve had pretty good luck with the package but we had to make
> modifications to get it working the way we wanted. We also modified it so
> it would work on Corelight. We’ve been running it on our Bro 2.6 cluster
> for some time. SSN detection is a high false positive game in a large
> environment like ours, so our analysts are still required to review the
> extracted payload and make a determination.
>
> Some of the modifications include extracting a chunk of the payload where
> the SSN was detected and including that in the notice log. We also added
> the protocol that was detected and associated info. For example, if SMB, we
> include the file name and location identified. As I recall, there was also
> a bug we fixed that wasn’t masking the SSNs correctly.
>
> We also feed in all 50 state historical SSN prefixes and include the state
> data in the notice log. However, SSNs after 2011 I believe are now
> randomized so this will be less effective over time.
>
> While we get a number of false positives, the module has also helped us
> discover some fairly serious security issues.
>
> When I get to the office, I would be happy to share our code.
>
> Nick Turley
> Security Architect
> CES Security Operations Center
> Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley at byu.edu
> ------------------------------
> *From:* zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Scot
> Harris <SHARRIS at hollywoodfl.org>
> *Sent:* Thursday, December 12, 2019 6:26:27 AM
> *To:* zeek at zeek.org <zeek at zeek.org>
> *Subject:* [Zeek] sethhall/credit-card-exposure
>
> Does anyone have experience with the sethhall/credit-card-exposure package?
>
> I installed it and it is generating some results that do not seem valid.
>
> Running Zeek 3.0 with this package installed using zkg.
>
> The odd data includes packets that go from my workstation to the Zeek main
> server on port 80 that are flagged as having credit card numbers in them.
>
> I don’t think that actually occurred.
>
> So was wondering if someone else had that package and what kind of results
> they are getting.
>
> Thank you.
>
> __________________________________________
> *Scot Harris*
> Network Engineer
> City of Hollywood
> Information Technology
>
> P.O. Box 229045
> Hollywood, FL 33022-9045
> Office: 954-921-3304
> E-mail: SHARRIS at hollywoodfl.org
> Notice: Florida has a broad public records law. All correspondence sent to
> the City of Hollywood via e-mail may be subject to disclosure as a matter
> of public record.
> __________________________________________
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
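
The detection step the thread is talking about (scan a payload chunk for card
numbers, mask them, attach the protocol and a snippet of surrounding payload to
the notice), written out as an added example. This is not code from the thread
or from the sethhall/credit-card-exposure package, and it is Python rather than
Zeek script so it can be run offline on constructed input; the regex, the
"placeholder" heuristic, the protocol labels and the sample payloads are all
assumptions made for the example. A regex alone matches any 13-19 digit run, so
a timestamp or session id in port-80 traffic is a candidate; the Luhn check
and the all-same-digit filter drop some of that noise but not all of it (a
random 16-digit string passes Luhn about one time in ten), which is why the
snippet is kept for analyst review and every number inside it is masked.

```python
import re
from dataclasses import dataclass, field

# Candidate card number: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. This pattern is an
# assumption made for this example, not the package's own regex.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_match(raw: str) -> str:
    """Replace all but the last four digits with X, keeping any separators."""
    n_digits = sum(ch.isdigit() for ch in raw)
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= n_digits - 4 else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class Hit:
    proto: str      # protocol label supplied by the caller (e.g. "HTTP", "SMB")
    masked: str     # digits only, masked: "XXXXXXXXXXXX1111"
    offset: int     # byte offset of the match within the payload chunk
    snippet: str    # surrounding payload with every candidate number masked


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (masked, reason) for dropped candidates


def scan(proto: str, payload: bytes, context: int = 24) -> ScanResult:
    """Scan one payload chunk and return Luhn-valid hits plus the rejected candidates."""
    text = payload.decode("latin-1")  # one char per byte, so offsets are byte offsets
    result = ScanResult()
    for m in CARD_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        masked = mask_match(digits)
        if len(set(digits)) == 1:
            # "0000 0000 0000 0000" passes Luhn; treat single-digit fills as placeholders
            result.rejected.append((masked, "placeholder"))
            continue
        if not luhn_ok(digits):
            result.rejected.append((masked, "luhn"))
            continue
        lo = max(0, m.start() - context)
        hi = min(len(text), m.end() + context)
        # Widen to digit boundaries so a neighbouring number is not cut in half
        while lo > 0 and text[lo - 1].isdigit():
            lo -= 1
        while hi < len(text) and text[hi].isdigit():
            hi += 1
        # Re-scan the snippet so any other candidate inside it is masked as well
        snippet = CARD_RE.sub(lambda mm: mask_match(mm.group(0)), text[lo:hi])
        result.hits.append(Hit(proto, masked, m.start(), snippet))
    return result


# Constructed sample payloads (not captured traffic). 4111... and 4242... are
# well-known Luhn-valid test numbers; the session id and trace id are not cards.
SAMPLES = [
    ("HTTP", b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
             b"card=4111111111111111&exp=1226&cvv=123"),
    ("HTTP", b"GET /api?session=1576166393000123&trace=12345678901234567890 HTTP/1.1\r\n"),
    ("SMB", b"name,card\nalice,4242 4242 4242 4242\nbob,0000 0000 0000 0000\n"),
]


def scan_all(samples=SAMPLES):
    return [scan(proto, payload) for proto, payload in samples]


if __name__ == "__main__":
    for r in scan_all():
        for h in r.hits:
            print(f"{h.proto} offset={h.offset} pan={h.masked} snippet={h.snippet!r}")
        for masked, why in r.rejected:
            print(f"  rejected {masked} ({why})")
```

The second sample is the false-positive shape from the original question: a
16-digit session id is a regex candidate but fails Luhn, and the 20-digit
trace id never matches because the pattern refuses to start or stop inside a
digit run. The third sample shows the other side: the all-zero placeholder
passes Luhn and would be reported without the extra filter.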