Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Changed how traceroute detection works by having it check for low ttl packets after detecting time exceeded messages.

Browse source
This commit is contained in:
Seth Hall 2012-11-30 11:27:09 -05:00
parent bb7db64841
commit 1542b3696e
1 changed files with 24 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

34
scripts/policy/misc/detect-traceroute/main.bro
View file

@ -29,7 +29,7 @@ export {
## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. ## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.
## This threshold only comes into play after a host is found to be ## This threshold only comes into play after a host is found to be
## sending low ttl packets. ## sending low ttl packets.
const icmp_time_exceeded_threshold = 2 &redef; const icmp_time_exceeded_threshold = 3 &redef;
## Interval at which to watch for the ## Interval at which to watch for the
## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed. ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed.
@ -49,10 +49,21 @@ export {
global log_traceroute: event(rec: Traceroute::Info); global log_traceroute: event(rec: Traceroute::Info);
} }
# Track hosts that have sent low TTL packets. # Track hosts that have sent low TTL packets and which hosts they
# sent them to.
global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized; global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized;
event bro_init() &priority=3 function traceroute_detected(src: addr, dst: addr)
{
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]);
NOTICE([$note=Traceroute::Detected,
$msg=fmt("%s seems to be running traceroute", src),
$src=src, $dst=dst,
$identifier=cat(src)]);
}
event bro_init() &priority=5
{ {
Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]); Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]);
@ -65,11 +76,15 @@ event bro_init() &priority=3
local parts = split1(index$str, /-/); local parts = split1(index$str, /-/);
local src = to_addr(parts[1]); local src = to_addr(parts[1]);
local dst = to_addr(parts[2]); local dst = to_addr(parts[2]);
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]); if ( require_low_ttl_packets )
NOTICE([$note=Traceroute::Detected, {
$msg=fmt("%s seems to be running traceroute", src), when ( [src, dst] in low_ttlers )
$src=src, $dst=dst, {
$identifier=parts[1]]); traceroute_detected(src, dst);
}
}
else
traceroute_detected(src, dst);
}]); }]);
} }
@ -82,6 +97,5 @@ event signature_match(state: signature_state, msg: string, data: string)
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context) event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
{ {
if ( ! require_low_ttl_packets || [context$id$orig_h, context$id$resp_h] in low_ttlers ) Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
} }