sethhall / bro_scripts

 
@load notice
 
module SSN;
 
export {
	# You must redef this variable with a normalized list of SSNs.
	#   If you would like or require trivial obfuscation, you can set 
	#   the use_md5_hashed_ssns variable to T and put md5 hashed SSNs
	#   into the list.
	# Example for redefining this variable... (huge sets are handled easily)
	#   redef SSN::SSN_list = {"264439985", "351669087"};
	const SSN_list: set[string] &redef;
 
	# As commented above, set this to T if you are using hashed SSNs in your 
	# SSN_list variable.
	const use_md5_hashed_ssns = F;
 
	const ssn_log = open_log_file("ssn-exposure") &raw_output &redef;
 
	redef enum Notice += {
	  SSN_Exposure,
	  SSN_MassExposure,
	};
 
	# The threshold of SSNs that you want to qualify as a mass disclosure.
	# This allows you to only alarm on more significant disclosures (instead of people sending their own SSN).
	# NOT CURRENTLY WORKING!
	const mass_exposure_num = 5;
 
	# Uncomment the following line if you'd like to use the signature based 
	# technique in this script.
	#const use_ssn_sigs = T;
}
 
# This variable is for tracking the valid SSNs detected per-connection.
#   This should catch SSN leakage over email.
global ssn_conn_tracker: table[conn_id] of set[string] &create_expire=5mins &default=function(id:conn_id):string_set { return set(); };
 
# This variable tracks the valid SSNs detected per-service.
#   The idea is that this would catch SSN leakage through an SQL injection attack.
global ssn_serv_tracker: table[addr, port] of set[string] &create_expire=5mins &default=function(a:addr, p:port):string_set { return set(); };
 
@ifdef (use_ssn_sigs)
@load signatures
redef signature_files += "ssn.sig";
redef signature_actions += { ["ssn-match"] = SIG_IGNORE };
@else 
# Conn is needed because of a small dependency between smtp.bro and conn.bro
@load conn
@load smtp
@load http-reply
@endif
 
#redef notice_action_filters += { [SSN::SSN_Exposure] = ignore_notice };
 
const ssn_regex = /[^0-9\/]\0?[0-6](\0?[0-9]){2}\0?[ \-]?(\0?[0-9]){2}\0?[ \-]?(\0?[0-9]){4}(\0?[[:blank:]\r\n<\"\'])/;
 
# This function is used for validating and notifying about SSNs in a string.
function check_ssns(c: connection, data: string): bool
	{
	local ssnps = find_all(data, ssn_regex);
 
	for ( ssnp in ssnps )
		{
		# Make sure the number has either 2 hyphens, 2 spaces, or no separators.
		if ( /[0-9]{3}-[0-9]{2}-[0-9]{4}/ in ssnp ||
		     /[0-9]{3} [0-9]{2} [0-9]{4}/ in ssnp ||
		     /[0-9]{9}/ in ssnp )
			{
			# Remove all non-numerics
			local clean_ssnp = gsub(ssnp, /[^0-9]/, "");
			# Strip off any leading chars
			local ssn = sub_bytes(clean_ssnp, byte_len(clean_ssnp)-8, 9);
 
			#print fmt("Checking on -%s-", ssn);
			local hash_ssn: string;
			if ( use_md5_hashed_ssns )
				hash_ssn = md5_hash(ssn);
			else
				hash_ssn = ssn;
 
			if ( hash_ssn in SSN_list )
				{
				local id = c$id;
				#print fmt("  %s - Found it! (%s)", ssn, md5_hash(ssn));
				add ssn_conn_tracker[id][ssn];
				if ( |ssn_conn_tracker[id]| >= mass_exposure_num )
					{
					NOTICE([$note=SSN_MassExposure,
					        $conn=c,
					        $msg=fmt("More than %i SSNs disclosed in one connection.", mass_exposure_num)]);
					}
				else
					{
					NOTICE([$note=SSN_Exposure,
					        $conn=c,
					        $msg=fmt("Contents of disclosed ssn session: %s", data),
					        $sub=hash_ssn]);
					}
 
				print ssn_log, cat_sep("\t", "\\N", network_time(),
				                       id$orig_h, fmt("%d", id$orig_p), 
				                       id$resp_h, fmt("%d", id$resp_p), 
				                       ssn, data);
				return T;
				}
			}
		}
		return F;
	}
 
# This is used if the mime event parsing technique is used.
#   This seems to be the better technique if HTTP and SMTP are where
#   the SSN leakage problems are in your environment (especially if you 
#   are able to use DPD).
event smtp_data(c: connection, is_orig: bool, data: string)
	{
	# Only looking at outbound SMTP.
	if ( is_orig && is_local_addr(c$id$orig_h) && 
	     c$start_time > network_time()-10secs && ssn_regex in data )
		check_ssns(c, data);
	}
 
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# We're looking for outbound POST data and outbound HTTP data contents.
	if ( ((is_local_addr(c$id$resp_h) && !is_orig) || (is_local_addr(c$id$orig_h) && is_orig)) &&
	     c$start_time > network_time()-10secs && ssn_regex in data )
		check_ssns(c, data);
	}
 
# This event is broken in Robin's branch currently
#event mime_all_data(c: connection, length: count, data: string)
#	{
#	# Only check the regex for connections younger than 10 seconds.
#	#   This helps avoid load during large and/or long connections.
#	if ( c$start_time > network_time()-10secs && ssn_regex in data )
#		check_ssns(c, data);
#	}
 
# This is used if the signature based technique is in use
function validate_ssn_match(state: signature_state, data: string): bool
	{
	# TODO: Don't handle HTTP data this way.  Should return F if this is
	#       an http/smtp session and handle the relevant *_data events.
	if ( /^GET/ in data )
		return F;
 
	return check_ssns(state$conn, data);
	}
 
# Change this to only run when not analyzing traffic.
#   Consider it a test for this script.
#event bro_init()
#	{
#	
#	local blah = "GET as df12345-6789 ads 100000000 f asdf asd f 000287-76-2154f this is a test";
#	
#	local ssns = find_ssns(blah);
#	for ( i in ssns )
#		{
#		print fmt("Checking on %s", ssns[i]);
#		if ( md5_hash(ssns[i]) in SSN_list )
#			{
#			print fmt("  %s - Found it! (%s)", ssns[i], md5_hash(ssns[i]));
#			}
#		}
#	
#	}