Search for Credit card

New to ExtraHop; has anyone written a query that triggers when a credit card number is passed in cleartext on the wire?

Hi @kdesai - apologies for having missed this post.

If you’re interested in doing this for web traffic, here’s a broad-strokes approach.

  1. Create a trigger assigned to the HTTP_REQUEST and HTTP_RESPONSE events
  2. Check HTTP.isEncrypted and, if it is set, return; this lets your trigger exit early when the message isn't cleartext.
  3. Decode HTTP.payload and then look for runs of [-\d] in the resulting string
  4. If you find a run of characters of the appropriate length, do the Luhn number calculation to see if it's actually a credit card number.
  5. If not, return;
  6. Call HTTP.commitRecord() to save this transaction for later investigation
  7. Commit the transaction to an application; this will enable you to view summary metrics of who is sending and receiving credit card numbers in the clear, as well as quickly filtering to just those transactions.

Here’s a scaffolding for a trigger.

if (HTTP.isEncrypted) return;

function passesLuhnCheck(maybeCreditCard) {
    // ... implementation elided
}

// Use the 'g' flag so every run is inspected, not just the first one.
const CC_REGEX = /.../g;
/**
 * Search a string for runs of dashes and digits that could be a credit card number.
 * Every run is checked, because an earlier non-card run (an order id, a phone number)
 * must not hide a real card number that appears later in the same payload.
 * passesLuhnCheck is expected to strip the dashes before computing the checksum.
 *
 * @param {string} txt Any text to search for credit cards
 */
function textHasCreditCardNumber(txt) {
    const ccPatternMatches = txt.match(CC_REGEX) || [];
    return ccPatternMatches.some(passesLuhnCheck);
}

const foundMatchInPayload = textHasCreditCardNumber(HTTP.payload ? HTTP.payload.decode('utf-8') : '');
// Add more conditions here if you want to check fields such as the URL or headers

if (!foundMatchInPayload && !Flow.store.requestHadCreditCard) return;

HTTP.commitRecord();

if (event === 'HTTP_REQUEST') {
    // Application.commit is only valid on HTTP_RESPONSE, so mark
    // the flow to do the application commit when the server responds.
    Flow.store.requestHadCreditCard = true;
} else {
    Flow.store.requestHadCreditCard = null;
    Application('creditCardInCleartext').commit();
}
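The detection core of that scaffold (steps 3 and 4 of the approach above: find runs of digits and separators, then keep only those that pass the Luhn checksum), written here as an added, stand-alone example so it can be exercised offline with plain Node.js. It is not code from the post or from ExtraHop, and it has no dependency on the trigger runtime (no HTTP, Flow or Application objects). The regex, the helper names (passesLuhnCheck, findCleartextCardNumbers, maskPan) and the sample payloads are all assumptions made for this example; the sample card numbers are the well-known public test numbers, not real cards. Beyond the post, it also accepts space-separated groups and returns each hit masked to its last four digits, which is what you would want to write into a record rather than the full PAN.

```javascript
// Added example, not from the post above and not ExtraHop code.
// Assumed names: CC_REGEX, passesLuhnCheck, maskPan, findCleartextCardNumbers, SAMPLE_PAYLOADS.

// Runs of 13 to 19 digits, each digit optionally followed by a single dash or space.
// \b on both ends stops a 20-digit reference number from matching as a 19-digit prefix.
// The 'g' flag makes String.prototype.match return every run, not just the first.
const CC_REGEX = /\b(?:\d[ -]?){12,18}\d\b/g;

/**
 * Luhn (mod 10) checksum. Separators are stripped first, then every second digit
 * from the right is doubled (subtracting 9 when the result exceeds 9) and the
 * digit sum must be divisible by 10. Length is re-checked after stripping.
 */
function passesLuhnCheck(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Keep only the last four digits; never persist the full PAN in a record.
function maskPan(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

/**
 * Return the masked form of every Luhn-valid card number found in text.
 * An empty array means "nothing to commit" for this payload.
 */
function findCleartextCardNumbers(text) {
  const runs = text.match(CC_REGEX) || [];
  return runs.filter(passesLuhnCheck).map(maskPan);
}

// Constructed sample payloads (not captured traffic).
const SAMPLE_PAYLOADS = [
  'card=4111-1111-1111-1111&exp=1229',            // dashed Visa test number: hit
  'order_id=1234567890123456&note=call 555-123-4567', // 16 digits but fails Luhn; phone too short: no hit
  'pan=378282246310005 tracking=1Z999AA10123456784',  // 15-digit Amex test number: hit
  'ref=12345678901234567890',                      // 20 digits: excluded by the regex
];

for (const payload of SAMPLE_PAYLOADS) {
  console.log(JSON.stringify(payload), '->', findCleartextCardNumbers(payload));
}
```

In the trigger, `findCleartextCardNumbers(HTTP.payload.decode('utf-8')).length > 0` would replace the `foundMatchInPayload` test, and the masked values are safe to attach to the committed record.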