SSN Exposure
============

Detect US Social Security Numbers with Zeek. This script only works with Zeek 3.0+.

Installation
------------

Zeek Package Manager
********************

This is a test for the new Zeek package manager. If you don't have the package
manager and you don't want to work with early code, please use the alternate
manual installation method.

::

    zkg refresh
    zkg install ssn-exposure

Alternate Manual Installation
*****************************

::

    cd <prefix>/share/zeek/site/
    git clone https://github.com/sethhall/ssn-exposure.git
    echo "@load ssn-exposure" >> local.zeek

After the ssn-exposure module is loaded, follow the configuration examples below. At least one of the two options must be configured, or the script won't do anything.

Configuration
-------------

There are some configuration options that you will likely want to pay attention to. In most cases you will want to configure the ``SsnExposure::prefixes`` variable. If you have a list of SSNs that are relevant to your organization, configure the ``SsnExposure::ssn_file`` variable instead so that it points to a file on disk containing that list.

Examples
--------

Prefix configuration
~~~~~~~~~~~~~~~~~~~~

This method is more prone to false positives than the SSN list method below, but it is quick and easy to begin using once you have found the relevant state prefixes at http://www.mrfa.org/ssn.htm

Configure likely state prefixes in local.zeek::

    redef SsnExposure::prefixes += {
        [$state="Ohio", $low=268, $high=302],
        [$state="Pennsylvania", $low=159, $high=211],
    };

SSN list configuration
~~~~~~~~~~~~~~~~~~~~~~

This method uses a list of "known SSNs" to validate candidate values after they are extracted from the network.

Configure the SSN list file in local.zeek::

    redef SsnExposure::ssn_file = "/var/data/ssn-list.txt";

Create the ssn-list.txt (or whatever file you referenced above)::

    123456789
    123456788
    123456777
    123456666

This file is reread every time it changes at runtime, so updates do not require a restart.
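
An added example, not part of this README or the package: a Python helper that turns an exported list of SSNs into the nine-digit, one-per-line format of ssn-list.txt and swaps it into place atomically, so a reread triggered by the change never sees a half-written file. The function names, the accepted separators and the sample values are assumptions.

```python
import os
import re
import tempfile

# Constructed sample input (placeholder values, mixed formats as an export might have).
SAMPLE_EXPORT = ["123-45-6789", "123 45 6788", "123456789", "12345678", "123-45-67ab"]

_SEPARATORS = re.compile(r"[\s\-.]")  # assumed separators in the source data


def normalize_ssn(raw):
    """Return the nine-digit form used in ssn-list.txt, or None if malformed."""
    digits = _SEPARATORS.sub("", raw)
    return digits if re.fullmatch(r"[0-9]{9}", digits) else None


def build_ssn_list(raw_values):
    """Normalize, drop malformed entries, de-duplicate. Returns (kept, rejected)."""
    kept, seen, rejected = [], set(), 0
    for raw in raw_values:
        ssn = normalize_ssn(raw)
        if ssn is None:
            rejected += 1
        elif ssn not in seen:
            seen.add(ssn)
            kept.append(ssn)
    return kept, rejected


def write_ssn_list(path, ssns):
    """Write one SSN per line to an owner-only temp file, then rename over path."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ssn-list.")  # mode 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("".join(s + "\n" for s in ssns))
            handle.flush()
            os.fsync(handle.fileno())
        os.replace(tmp, path)  # readers see the old or the new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    kept, rejected = build_ssn_list(SAMPLE_EXPORT)
    write_ssn_list("ssn-list.txt", kept)
    print(f"wrote {len(kept)} entries, rejected {rejected} malformed lines")
```

The file ends up readable only by the account that ran the helper, so run it as the account Zeek runs under or adjust ownership afterwards.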