Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 21:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Documentation updates for HTTP & IRC scripts.

Browse source 
Closes #733
This commit is contained in:
Seth Hall 2012-01-08 02:22:52 -05:00
parent 48ed922e06
commit 3be1222532
17 changed files with 160 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

8
scripts/policy/protocols/http/detect-MHR.bro
View file

@ -1,8 +1,8 @@
##! This script takes MD5 sums of files transferred over HTTP and checks them with
##! Team Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
##! Detect file downloads over HTTP that have MD5 sums matching files in Team
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
##! By default, not all file transfers will have MD5 sums calculated. Read the
##! documentation for the :doc:base/protocols/http/file-hash.bro script to see how to
##! configure which transfers will have hashes calculated.
##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
##! how to configure which transfers will have hashes calculated.
@load base/frameworks/notice
@load base/protocols/http

2
scripts/policy/protocols/http/detect-intel.bro
View file

@ -1,4 +1,4 @@
##! Intelligence based HTTP detections.
##! Intelligence based HTTP detections. Not yet working!
@load base/protocols/http/main
@load base/protocols/http/utils

6
scripts/policy/protocols/http/detect-sqli.bro
View file

@ -16,7 +16,9 @@ export {
};
redef enum Metrics::ID += {
## Metric to track SQL injection attackers.
SQLI_ATTACKER,
## Metrics to track SQL injection victims.
SQLI_VICTIM,
};
@ -30,7 +32,7 @@ export {
COOKIE_SQLI,
};
## This defines the threshold that determines if an SQL injection attack
## Defines the threshold that determines if an SQL injection attack
## is ongoing based on the number of requests that appear to be SQL
## injection attacks.
const sqli_requests_threshold = 50 &redef;
@ -40,7 +42,7 @@ export {
## At the end of each interval the counter is reset.
const sqli_requests_interval = 5min &redef;
## This regular expression is used to match URI based SQL injections
## Regular expression is used to match URI based SQL injections.
const match_sql_injection_uri =
/[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
| /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/

4
scripts/policy/protocols/http/detect-webapps.bro
View file

@ -1,3 +1,5 @@
##! Detect and log web applications through the software framework.
@load base/frameworks/signatures
@load base/frameworks/software
@load base/protocols/http
@ -10,10 +12,12 @@ redef Signatures::ignored_ids += /^webapp-/;
export {
redef enum Software::Type += {
## Identifier for web applications in the software framework.
WEB_APPLICATION,
};
redef record Software::Info += {
## Most root URL where the software was discovered.
url: string &optional &log;
};
}

5
scripts/policy/protocols/http/software-browser-plugins.bro
View file

@ -1,5 +1,5 @@
##! This script take advantage of a few ways that installed plugin information
##! leaks from web browsers.
##! Detect browser plugins as they leak through requests to Omniture
##! advertising servers.
@load base/protocols/http
@load base/frameworks/software
@ -13,6 +13,7 @@ export {
};
redef enum Software::Type += {
## Identifier for browser plugins in the software framework.
BROWSER_PLUGIN
};
}

3
scripts/policy/protocols/http/software.bro
View file

@ -6,8 +6,11 @@ module HTTP;
export {
redef enum Software::Type += {
## Identifier for web servers in the software framework.
SERVER,
## Identifier for app servers in the software framework.
APPSERVER,
## Identifier for web browsers in the software framework.
BROWSER,
};

3
scripts/policy/protocols/http/var-extraction-cookies.bro
View file

@ -1,4 +1,4 @@
##! This script extracts and logs variables from cookies sent by clients
##! Extracts and logs variables names from cookies sent by clients.
@load base/protocols/http/main
@load base/protocols/http/utils
@ -6,6 +6,7 @@
module HTTP;
redef record Info += {
## Variable names extracted from all cookies.
cookie_vars: vector of string &optional &log;
};

4
scripts/policy/protocols/http/var-extraction-uri.bro
View file

@ -1,10 +1,12 @@
##! This script extracts and logs variables from the requested URI
##! Extracts and log variables from the requested URI in the default HTTP
##! logging stream.
@load base/protocols/http
module HTTP;
redef record Info += {
## Variable names from the URI.
uri_vars: vector of string &optional &log;
};