[Zeek] sethhall/credit-card-exposure

Seth Hall seth at corelight.com
Wed Dec 18 12:48:39 PST 2019


Awesome!  Looking forward to any changes.  And I agree about the results 
of that script, I've seen a few catches with that thing that are pretty 
bad and catching them was very nice.

   .Seth

On 12 Dec 2019, at 9:47, Nick Turley wrote:

> We’ve been meaning to share some of our work with the community so 
> this has prompted a call to action :)
>
> Nick Turley
> Security Architect
> CES Security Operations Center
> Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley at byu.edu
> ________________________________
> From: Michael Shirk <shirkdog.bsd at gmail.com>
> Sent: Thursday, December 12, 2019 7:19:53 AM
> To: Nick Turley <nick_turley at byu.edu>
> Cc: Scot Harris <SHARRIS at hollywoodfl.org>; zeek at zeek.org 
> <zeek at zeek.org>
> Subject: Re: [Zeek] sethhall/credit-card-exposure
>
> You can submit a pull request to Seth's GitHub repo if you can share 
> the modifications with the community.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
> On Thu, Dec 12, 2019, 09:18 Nick Turley 
> <nick_turley at byu.edu> wrote:
> We’ve had pretty good luck with the package but we had to make 
> modifications to get it working the way we wanted. We also modified it 
> so it would work on Corelight. We’ve been running it on our Bro 2.6 
> cluster for some time. SSN detection is a high false positive game in 
> a large environment like ours, so our analysts are still required to 
> review the extracted payload and make a determination.
>
> Some of the modifications include extracting a chunk of the payload 
> where the SSN was detected and including that in the notice log. We 
> also added the protocol that was detected and associated info. For 
> example, if SMB, we include the file name and location identified. As 
> I recall, there was also a bug we fixed that wasn’t masking the SSNs 
> correctly.
>
> We also feed in all 50 state historical SSN prefixes and include the 
> state data in the notice log. However, SSNs after 2011 I believe are 
> now randomized so this will be less effective over time.
>
> While we get a number of false positives, the module has also helped 
> us discover some fairly serious security issues.
>
> When I get to the office, I would be happy to share our code.
>
> Nick Turley
> Security Architect
> CES Security Operations Center
> Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley at byu.edu
> ________________________________
> From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of 
> Scot Harris <SHARRIS at hollywoodfl.org>
> Sent: Thursday, December 12, 2019 6:26:27 AM
> To: zeek at zeek.org <zeek at zeek.org>
> Subject: [Zeek] sethhall/credit-card-exposure
>
> Does anyone have experience with the sethhall/credit-card-exposure 
> package?
>
> I installed it and it is generating some results that do not seem 
> valid.
>
> Running zeek 3.0 with this package installed using zkg.
>
> The odd data includes packets that go from my workstation to the zeek 
> main server on port 80 that are flagged as having credit card numbers 
> in them.
>
> I don’t think that actually occurred.
>
> So was wondering if someone else had that package and what kind of 
> results they are getting.
>
> Thank you.
>
> __________________________________________
> Scot Harris
> Network Engineer
> City of Hollywood
> Information Technology
>
> P.O. Box 229045
> Hollywood, FL 33022-9045
> Office: 954-921-3304
> E-mail: SHARRIS at hollywoodfl.org
> www.hollywoodfl.org
> Notice: Florida has a broad public records law. All correspondence 
> sent to the City of Hollywood via e-mail may be subject to disclosure 
> as a matter of public record.
> __________________________________________
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Seth Hall * Corelight, Inc * www.corelight.com
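
The false positives Scot reports and the masking and payload-excerpt changes Nick describes, as an added illustration in Python rather than Zeek script. This is not the package's or either poster's code: the candidate regex, the Luhn checksum filter and the sample HTTP payload are all constructed here.

```python
import re
# Candidate: 13 to 16 digits with optional single space/dash separators, not
# part of a longer digit run (so timestamps and long trace ids are skipped).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Constructed sample payload (not captured traffic): a Luhn-valid test card
# number, a 16-digit session id that is not a card number, and a long trace id.
SAMPLE_PAYLOAD = (
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "card=4111 1111 1111 1111&exp=12/24&session=1234567890123456"
    "&trace=20191212071953001234"
)

def luhn_valid(digits: str) -> bool:
    # Luhn: double every second digit from the right (minus 9 if > 9); total % 10 == 0.
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_number(text: str, keep: int = 4) -> str:
    # Replace all but the last `keep` digits with '*', preserving separators.
    total = sum(c.isdigit() for c in text)
    seen, out = 0, []
    for c in text:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)

def find_exposures(payload: str, context: int = 16) -> list:
    # One record per Luhn-valid candidate; the number is masked both in the
    # record and inside the payload excerpt, so the notice itself leaks nothing.
    hits = []
    for m in CARD_RE.finditer(payload):
        digits = "".join(c for c in m.group() if c.isdigit())
        if not luhn_valid(digits):
            continue  # right length, wrong checksum: drop as a false positive
        masked = mask_number(m.group())
        excerpt = payload[max(0, m.start() - context):m.start()] + masked + payload[m.end():m.end() + context]
        hits.append({"offset": m.start(), "masked": masked, "excerpt": excerpt})
    return hits
```

A checksum filter only helps for card numbers; SSNs carry no check digit, which is why the SSN side stays a manual review problem as Nick notes.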
