[Zeek] sethhall/credit-card-exposure
Seth Hall
seth at corelight.com
Wed Dec 18 12:48:39 PST 2019
Awesome! Looking forward to any changes. And I agree about the results
of that script, I've seen a few catches with that thing that are pretty
bad and catching them was very nice.
.Seth
On 12 Dec 2019, at 9:47, Nick Turley wrote:
> We’ve been meaning to share some of our work with the community so
> this has prompted a call to action :)
>
> Nick Turley
> Security Architect
> CES Security Operations Center
> Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley at byu.edu
> ________________________________
> From: Michael Shirk <shirkdog.bsd at gmail.com>
> Sent: Thursday, December 12, 2019 7:19:53 AM
> To: Nick Turley <nick_turley at byu.edu>
> Cc: Scot Harris <SHARRIS at hollywoodfl.org>; zeek at zeek.org
> <zeek at zeek.org>
> Subject: Re: [Zeek] sethhall/credit-card-exposure
>
> You can submit a pull request to Seth's GitHub repo if you can share
> the modifications with the community.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
> On Thu, Dec 12, 2019, 09:18 Nick Turley
> <nick_turley at byu.edu<mailto:nick_turley at byu.edu>> wrote:
> We’ve had pretty good luck with the package but we had to make
> modifications to get it working the way we wanted. We also modified it
> so it would work on Corelight. We’ve been running it on our Bro 2.6
> cluster for some time. SSN detection is a high false positive game in
> a large environment like ours, so our analysts are still required to
> review the extracted payload and make a determination.
>
> Some of the modifications include extracting a chunk of the payload
> where the SSN was detected and including that in the notice log. We
> also added the protocol that was detected and associated info. For
> example, if SMB, we include the file name and location identified. As
> I recall, there was also a bug we fixed that wasn’t masking the SSNs
> correctly.
>
> We also feed in all 50 state historical SSN prefixes and include the
> state data in the notice log. However, SSNs after 2011 I believe are
> now randomized so this will be less effective over time.
>
> While we get a number of false positives, the module has also helped
> us discover some fairly serious security issues.
>
> When I get to the office, I would be happy to share our code.
>
> Nick Turley
> Security Architect
> CES Security Operations Center
> Office: (801) 422-4994 | Cell: (801) 310-3816 |
> nick_turley at byu.edu<mailto:nick_turley at byu.edu>
> ________________________________
> From: zeek-bounces at zeek.org<mailto:zeek-bounces at zeek.org>
> <zeek-bounces at zeek.org<mailto:zeek-bounces at zeek.org>> on behalf of
> Scot Harris <SHARRIS at hollywoodfl.org<mailto:SHARRIS at hollywoodfl.org>>
> Sent: Thursday, December 12, 2019 6:26:27 AM
> To: zeek at zeek.org<mailto:zeek at zeek.org>
> <zeek at zeek.org<mailto:zeek at zeek.org>>
> Subject: [Zeek] sethhall/credit-card-exposure
>
>
> Does anyone have experience with the sethhall/credit-card-exposure
> package?
>
>
>
> I installed it and it is generating some results that does not seem
> valid.
>
>
>
> Running zeek 3.0 with this package installed using zkg.
>
>
>
> The odd data includes packets that go from my workstation to the zeek
> main server on port 80 that is flagged as having credit card numbers
> in it.
>
>
>
> I don’t think that actually occurred.
>
>
>
> So was wondering if someone else had that package and what kind of
> results they are getting.
>
>
>
> Thank you.
>
>
>
>
>
>
>
> __________________________________________
> Scot Harris
> Network Engineer
> City of Hollywood
> Information Technology
>
> P.O. Box 229045
> Hollywood, FL 33022-9045
> Office: 954-921-3304
> E-mail: SHARRIS at hollywoodfl.org<mailto:SHARRIS at hollywoodfl.org>
> [www.hollywoodfl.org]
> Notice: Florida has a broad public records law. All correspondence
> sent to the City of Hollywood via e-mail may be subject to disclosure
> as a matter of public record.
> __________________________________________
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org<mailto:zeek at zeek.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Seth Hall * Corelight, Inc * www.corelight.com
More information about the Zeek
mailing list