Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/seth/signatures-uid'

Browse source 
* origin/topic/seth/signatures-uid:
  Add a uid field to the signatures.log (contributed by Anthony Verez)
This commit is contained in:
Seth Hall 2014-04-03 10:51:31 -04:00
commit 2f57c26d5b
3 changed files with 24 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

5
CHANGES
View file

@ -1,4 +1,9 @@
2.2-317 | 2014-04-03 10:51:31 -0400
* Add a uid field to the signatures.log. Addresses BIT-1171
(Anthony Verez)
2.2-315 | 2014-04-01 16:50:01 -0700 2.2-315 | 2014-04-01 16:50:01 -0700
* Change logging's "#types" description of sets to "set". Addresses * Change logging's "#types" description of sets to "set". Addresses

2
VERSION
View file

@ -1 +1 @@
2.2-315 2.2-317

32
scripts/base/frameworks/signatures/main.bro
View file

@ -70,6 +70,9 @@ export {
## The network time at which a signature matching type of event ## The network time at which a signature matching type of event
## to be logged has occurred. ## to be logged has occurred.
ts: time &log; ts: time &log;
## A unique identifier of the connection which triggered the
## signature match event
uid: string &log &optional;
## The host which triggered the signature match event. ## The host which triggered the signature match event.
src_addr: addr &log &optional; src_addr: addr &log &optional;
## The host port on which the signature-matching activity ## The host port on which the signature-matching activity
@ -167,7 +170,7 @@ event signature_match(state: signature_state, msg: string, data: string)
# Trim the matched data down to something reasonable # Trim the matched data down to something reasonable
if ( |data| > 140 ) if ( |data| > 140 )
data = fmt("%s...", sub_bytes(data, 0, 140)); data = fmt("%s...", sub_bytes(data, 0, 140));
local src_addr: addr; local src_addr: addr;
local src_port: port; local src_port: port;
local dst_addr: addr; local dst_addr: addr;
@ -192,6 +195,7 @@ event signature_match(state: signature_state, msg: string, data: string)
{ {
local info: Info = [$ts=network_time(), local info: Info = [$ts=network_time(),
$note=Sensitive_Signature, $note=Sensitive_Signature,
$uid=state$conn$uid,
$src_addr=src_addr, $src_addr=src_addr,
$src_port=src_port, $src_port=src_port,
$dst_addr=dst_addr, $dst_addr=dst_addr,
@ -212,11 +216,11 @@ event signature_match(state: signature_state, msg: string, data: string)
if ( ++count_per_resp[dst,sig_id] in count_thresholds ) if ( ++count_per_resp[dst,sig_id] in count_thresholds )
{ {
NOTICE([$note=Count_Signature, $conn=state$conn, NOTICE([$note=Count_Signature, $conn=state$conn,
$msg=msg, $msg=msg,
$n=count_per_resp[dst,sig_id], $n=count_per_resp[dst,sig_id],
$sub=fmt("%d matches of signature %s on host %s", $sub=fmt("%d matches of signature %s on host %s",
count_per_resp[dst,sig_id], count_per_resp[dst,sig_id],
sig_id, dst)]); sig_id, dst)]);
} }
} }
@ -290,16 +294,16 @@ event signature_match(state: signature_state, msg: string, data: string)
orig, vcount, resp); orig, vcount, resp);
Log::write(Signatures::LOG, Log::write(Signatures::LOG,
[$ts=network_time(), [$ts=network_time(),
$note=Multiple_Signatures, $note=Multiple_Signatures,
$src_addr=orig, $src_addr=orig,
$dst_addr=resp, $sig_id=sig_id, $sig_count=vcount, $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
$event_msg=fmt("%s different signatures triggered", vcount), $event_msg=fmt("%s different signatures triggered", vcount),
$sub_msg=vert_scan_msg]); $sub_msg=vert_scan_msg]);
NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp, NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
$msg=fmt("%s different signatures triggered", vcount), $msg=fmt("%s different signatures triggered", vcount),
$n=vcount, $sub=vert_scan_msg]); $n=vcount, $sub=vert_scan_msg]);
last_vthresh[orig] = vcount; last_vthresh[orig] = vcount;
} }