sethhall/credit-card-exposure

Scot · December 12, 2019, 1:26pm

Does anyone have experience with the sethhall/credit-card-exposure package?

I installed it and it is generating some results that does not seem valid.

Running zeek 3.0 with this package installed using zkg.

The odd data includes packets that go from my workstation to the zeek main server on port 80 that is flagged as having credit card numbers in it.

I don’t think that actually occurred.

So was wondering if someone else had that package and what kind of results they are getting.

Thank you.

Nick_Turley1 · December 12, 2019, 2:07pm

We’ve had pretty good luck with the package but we had to make modifications to get it working the way we wanted. We also modified it so it would work on Corelight. We’ve been running it on our Bro 2.6 cluster for some time. SSN detection is a high false positive game in a large environment like ours, so our analysts are still required to review the extracted payload and make a determination.

Some of the modifications include extracting a chunk of the payload where the SSN was detected and including that in the notice log. We also added the protocol that was detected and associated info. For example, if SMB, we include the file name and location identified. As I recall, there was also a bug we fixed that wasn’t masking the SSNs correctly.

We also feed in all 50 state historical SSN prefixes and include the state data in the notice log. However, SSNs after 2011 I believe are now randomized so this will be less effective over time.

While we get a number of false positives, the module has also helped us discover some fairly serious security issues.

When I get to the office, I would be happy to share our code.

Nick Turley
Security Architect
CES Security Operations Center
Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley@byu.edu

Michael_Shirk · December 12, 2019, 2:19pm

You can submit a pull request to Seth’s GitHub repo if you can share the modifications with the community.

Nick_Turley1 · December 12, 2019, 2:47pm

We’ve been meaning to share some of our work with the community so this has prompted a call to action

Nick Turley
Security Architect
CES Security Operations Center
Office: (801) 422-4994 | Cell: (801) 310-3816 | nick_turley@byu.edu

Vern · December 12, 2019, 9:21pm

Great - this will be really cool to have!

Vern

Seth_Hall2 · December 18, 2019, 8:48pm

Awesome! Looking forward to any changes. And I agree about the results of that script, I've seen a few catches with that thing that are pretty bad and catching them was very nice.

.Seth

Topic		Replies	Views
Certificate questions Zeek	4	498	May 6, 2022
Zeek Package Contest – ZPC-2 – Winners Announced! Zeek	1	85	May 6, 2022
Help needed on Detect-MHR Zeek	3	207	August 30, 2023
Zeek Newsletter - Issue 22 - October 2022 Zeek newsletter	1	388	October 31, 2022
Zeek Newsletter - Issue 16 - February - March 2022 Zeek	1	138	May 6, 2022

sethhall/credit-card-exposure

Related Topics