We’ve had pretty good luck with the package but we had to make modifications to get it working the way we wanted. We also modified it so it would work on Corelight. We’ve been running it on our Bro 2.6 cluster for some time. SSN detection is a high false positive game in a large environment like ours, so our analysts are still required to review the extracted payload and make a determination.
Some of the modifications include extracting a chunk of the payload where the SSN was detected and including that in the notice log. We also added the protocol that was detected and associated info. For example, if SMB, we include the file name and location identified. As I recall, there was also a bug we fixed that wasn’t masking the SSNs correctly.
We also feed in all 50 states' historical SSN prefixes and include the state data in the notice log. However, SSNs issued after 2011 are, I believe, randomized, so this will be less effective over time.
While we get a number of false positives, the module has also helped us discover some fairly serious security issues.
When I get to the office, I would be happy to share our code.
Nick Turley
Security Architect
CES Security Operations Center
Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley@byu.edu
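The detection pipeline described above (a plausibility check on each candidate SSN, a masked context chunk and protocol/source fields for the notice log, and an area-number-to-state lookup), as an added example that is not the BYU team's modifications nor the original Bro package. It is written in Python rather than Zeek script so it can be run stand-alone; the payloads are constructed, and the area-number table is a deliberately partial subset of the pre-2011 allocations that a real deployment would replace with the full historical list.

```python
import re
from typing import Optional

# Hyphenated SSN that is not embedded in a longer run of digits or hyphens.
# The look-arounds cut obvious false positives such as 10-digit account
# numbers and part numbers like 010-12-3456-01.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

# Partial table of pre-randomization area numbers (first three digits) as
# (low, high, state). Assumption: a real deployment loads the complete
# historical allocation; this subset only exercises the lookup.
AREA_TO_STATE = [
    (1, 3, "NH"), (4, 7, "ME"), (8, 9, "VT"), (10, 34, "MA"), (35, 39, "RI"),
    (40, 49, "CT"), (50, 134, "NY"), (135, 158, "NJ"), (159, 211, "PA"),
    (449, 467, "TX"), (520, 520, "WY"), (545, 573, "CA"), (574, 574, "AK"),
    (575, 576, "HI"),
]


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000, 666 or 9xx,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def state_for_area(area: str) -> Optional[str]:
    """Map an area number to its pre-2011 issuing state, or None when the
    number was unassigned then or comes from post-2011 randomization."""
    a = int(area)
    for low, high, state in AREA_TO_STATE:
        if low <= a <= high:
            return state
    return None


def mask_ssn(m: "re.Match") -> str:
    """Keep only the last four digits so the notice log itself is not a leak."""
    return "XXX-XX-" + m.group(3)


def mask_all(text: str) -> str:
    """Mask every SSN-shaped value in a chunk, not just the one that fired."""
    return SSN_RE.sub(mask_ssn, text)


def scan_payload(payload: str, source: str, proto: str, context: int = 24) -> list:
    """Return one notice-style record per plausible SSN found in payload,
    with the surrounding chunk masked before it is recorded."""
    hits = []
    for m in SSN_RE.finditer(payload):
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            continue
        start = max(0, m.start() - context)
        end = min(len(payload), m.end() + context)
        hits.append({
            "proto": proto,              # e.g. smb / http, added by the analyzer
            "source": source,            # file path or URI the payload came from
            "ssn": mask_ssn(m),
            "state": state_for_area(area),
            "context": mask_all(payload[start:end]).replace("\n", "\\n"),
        })
    return hits


# Constructed sample inputs (not real records).
SAMPLE_SMB_FILE = (
    "name,ssn,dept\n"
    "Alice,010-12-3456,eng\n"
    "Bob,449-00-1234,sales\n"    # group 00 is never issued: dropped
    "Cara,666-12-3456,ops\n"     # area 666 is never issued: dropped
    "Dan,545-67-8901,eng\n"
    "Eve,800-12-3456,hr\n"       # plausible, but no pre-2011 state
)
SAMPLE_HTTP_BODY = "ticket=12-34-5678&account=123-45-67890&ref=010-12-3456-01"


def demo() -> list:
    """Run the scanner over both constructed payloads."""
    return (scan_payload(SAMPLE_SMB_FILE, r"\\fileserver\hr\payroll.csv", "smb")
            + scan_payload(SAMPLE_HTTP_BODY, "/api/ticket", "http"))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The HTTP body yields no hits at all: the look-arounds reject the ten-digit account number and the suffixed reference, which is the kind of noise that otherwise dominates review queues. The context chunk is masked as a whole, so a second SSN adjacent to the one that fired never reaches the log in clear text.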
Awesome! Looking forward to any changes. And I agree about the results of that script; I've seen a few catches with that thing that are pretty bad, and catching them was very nice.