PreDefined SSN Pattern Match

L2 Linker

PreDefined SSN Pattern Match

Hi All,

A Social Security number (SSN) CANNOT :

* Contain all zeroes in any specific group (ie 000-##-####, ###-00-####, or ###-##-0000)
* Begin with ‘666’.
* Begin with any value from ‘900-999′
* Be ‘078-05-1120′ (due to the Woolworth’s Wallet Fiasco)
* Be ‘219-09-9999′ (appeared in an advertisement for the Social Security Administration)
* Contains all matching values (ie 000-00-0000, 111-11-1111, 222-22-2222, etc.)
* Contains all incrementing values (ie 123-45-6789)

In my LAB, I tried to match few SSN values with pre-defined SSN pattern match.


Here are the results,


235-85-7896 - match
111-11-1111 - match
888-88-8888 - match
078-05-1120 - match
219-09-9999 - match
123-45-6789 - match

>>>


000-00-0000 - not a match
000-78-8956 - not a match
900-89-8547 - not a match
666-89-5896 - not a match
999-89-8956 - not a match
999-99-9999 - not a match
000-89-5869 - not a match
458-00-5689 - not a match
458-98-0000 - not a match

Based on the results,

>>> SSN is matching “111-11-111  to 888-88-888” was matching Predefined SSN, which should not be the case.

>>> SSN was matching 078-05-1120, 219-09-9999 and 123-45-6789, which it should not.

Any thoughts?

L4 Transporter

Re: PreDefined SSN Pattern Match

rsingh,

Could you please upload screenshots/logs of the SSNs matching and not matching? Also please verify your dynamic update versions here also. Easiest way would be to do a 'show system info' output from command line, or screenshot the info from Dynamic updates in the WebGUI.

I specifically took a look at some of the SSNs you mentioned to see if they should, or should not, match according to the SSN patterns listed on the .gov websites.

SSNs are broken down into three sections.

EX: 111-22-3333

Area Number (111)

Group Number (22)

Serial Number (3333)

Area Numbers can range from 001-772

Group Numbers can range from 10-99

Serial Numbers can range from 0001-9999

Using the above information, we can determine what should, and should not, be allowed by the pattern specified for SSNs.

111-11-1111 matches the criteria listed.

888-88-8888 does not match the criteria listed.  The 888 Area number is not valid.

458-00-5689 does not match the criteria listed. The 00 Group number is not valid.

458-98-0000 does not match the criteria listed. The 0000 Serial number is not valid.

078-05-1120 does not match the criteria listed. The 05 Group number is not valid.

219-09-9999 does not match the criteria listed. The 09 Group number is not valid.

123-45-6789 does meet the criteria listed.

I'm not sure exactly what the signature pattern is, but it looks like they need to include the exceptions you mentioned, such as 111-11-1111, 888-88-8888 and 123-45-6789.

219-09-9999 should not meet the criteria per the group number, yet ssn validator says the ssn is valid?

Sources:

https://www.dhs.state.il.us/page.aspx?item=14444

http://www.ssa.gov/employer/ssnvhighgroup.htm

http://www.ssa.gov/employer/stateweb.htm

SSN Validator | Free SSN Validation | Free SSN Verification

EDIT:

'Social Security Number: is detected as any 9 digit number, regardless of format. This is prone to false positive' I am looking into the pattern match information to confirm.

L6 Presenter

Re: PreDefined SSN Pattern Match

Please refer to the following document:

What are the Data Filtering Best Practices?

If the pattern is not matching accurately, please contact your Palo Alto Networks SE to have a Feature Request filed.

L2 Linker

Re: PreDefined SSN Pattern Match

Hi Mivaldi,

I am a TAC engineer. I did this test in my lab and posted the results to confirm the behavior. Unfortunately, I don't have the snapshots/logs now. I need to again perform the tests to collect it.

Regards,

Rahul Singh

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!