From 47f5d256d80427aec26fb0ba8fe16a26bb44d200 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 20 Nov 2012 01:01:37 -0500
Subject: [PATCH] Added a script module for detecting hosts doing traceroutes.
---
 .../misc/detect-traceroute/__load__.bro | 1 +
 .../detect-traceroute/detect-low-ttls.sig | 9 ++
 .../policy/misc/detect-traceroute/main.bro | 87 +++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 scripts/policy/misc/detect-traceroute/__load__.bro
 create mode 100644 scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
 create mode 100644 scripts/policy/misc/detect-traceroute/main.bro
diff --git a/scripts/policy/misc/detect-traceroute/__load__.bro b/scripts/policy/misc/detect-traceroute/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig b/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
new file mode 100644
index 0000000000..c04a8905f7
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/detect-low-ttls.sig
@@ -0,0 +1,9 @@
+signature traceroute-detector-ipv4 {
+ header ip[8] < 10
+ event "match"
+}
+
+signature traceroute-detector-ipv6 {
+ header ip6[7] < 10
+ event "match"
+}
diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro
new file mode 100644
index 0000000000..0709834cea
--- /dev/null
+++ b/scripts/policy/misc/detect-traceroute/main.bro
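Review bot: The byte offsets `ip[8]` and `ip6[7]` in the two signatures are undocumented, and a reader has to know that these are the IPv4 TTL byte and the IPv6 hop-limit byte; a comment on each signature, `# ip[8] is the IPv4 TTL field` and `# ip6[7] is the IPv6 hop-limit field`, would make the intent obvious. The `< 10` bound is repeated in prose in main.bro's documentation of `require_low_ttl_packets`, so a comment here that the two must be kept in sync would help the next person who tunes it. These are header-only conditions, so they match every packet with a TTL below 10 regardless of protocol; main.bro uses them only as a gate for the ICMP Time Exceeded count, and a comment stating that they are not an alert on their own would make that design explicit.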
@@ -0,0 +1,87 @@
+##! This script detects large number of ICMP Time Exceeded messages heading
+##! toward hosts that have sent low TTL packets.
+##! It generates a notice when the number of ICMP Time Exceeded
+##! messages for a source-destination pair exceeds threshold
+@load base/frameworks/metrics
+@load base/frameworks/signatures
+@load-sigs ./detect-low-ttls.sig
+
+redef Signatures::ignored_ids += /traceroute-detector.*/;
+
+module Traceroute;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ redef enum Notice::Type += {
+ ## Indicates that a host was seen running traceroutes. For more
+ ## detail about specific traceroutes that we run, refer to the
+ ## traceroute.log.
+ Detected
+ };
+
+ ## By default this script requires that any host detected running traceroutes
+ ## first send low TTL packets (TTL < 10) to the traceroute destination host.
+ ## Changing this this setting to `F` will relax the detection a bit by
+ ## solely relying on ICMP time-exceeded messages to detect traceroute.
+ const require_low_ttl_packets = T &redef;
+
+ ## Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.
+ ## This threshold only comes into play after a host is found to be
+ ## sending low ttl packets.
+ const icmp_time_exceeded_threshold = 2 &redef;
+
+ ## Interval at which to watch for the
+ ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed.
+ ## At the end of each interval the counter is reset.
+ const icmp_time_exceeded_interval = 1min &redef;
+
+ ## The log record for the traceroute log.
+ type Info: record {
+ ## Timestamp
+ ts: time &log;
+ ## Address initiaing the traceroute.
+ src: addr &log;
+ ## Destination address of the traceroute.
+ dst: addr &log;
+ };
+
+ global log_traceroute: event(rec: Traceroute::Info);
+}
+
+# Track hosts that have sent low TTL packets.
+global low_ttlers: set[addr, addr] = {} &create_expire=2min &synchronized;
+
+event bro_init() &priority=3
+ {
+ Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute]);
+
+ Metrics::add_filter("traceroute.time_exceeded",
+ [$log=F,
+ $every=icmp_time_exceeded_interval,
+ $measure=set(Metrics::UNIQUE),
+ $threshold=icmp_time_exceeded_threshold,
+ $threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
+ local parts = split1(index$str, /-/);
+ local src = to_addr(parts[1]);
+ local dst = to_addr(parts[2]);
+ Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst]);
+ NOTICE([$note=Traceroute::Detected,
+ $msg=fmt("%s seems to be running traceroute", src),
+ $src=src, $dst=dst,
+ $identifier=parts[1]]);
+ }]);
+ }
+
+# Low TTL packets are detected with a signature.
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ if ( state$sig_id == /traceroute-detector.*/ )
+ add low_ttlers[state$conn$id$orig_h, state$conn$id$resp_h];
+ }
+
+event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+ {
+ if ( ! require_low_ttl_packets || [context$id$orig_h, context$id$resp_h] in low_ttlers )
+ Metrics::add_data("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h)], [$str=cat(c$id$orig_h)]);
+ }
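Review bot: The `icmp_time_exceeded` handler at the end of the hunk counts every Time Exceeded message regardless of `code`, so code 1 (fragment reassembly time exceeded) feeds the same metric as code 0 (TTL/hop-limit exceeded in transit), which is the only variant a traceroute produces; a guard at the top of the handler, `if ( code != 0 ) return;`, keeps reassembly timeouts from contributing to a `Detected` notice, which matters most when `require_low_ttl_packets` is redefined to `F` and the low-TTL gate no longer applies. The doc comment on `icmp_time_exceeded_interval` names the threshold as `ICMPTimeExceeded::icmp_time_exceeded_threshold`, but the constant is declared in module `Traceroute`, so the :bro:id: role should read `Traceroute::icmp_time_exceeded_threshold`. The same export block has two typos, `Changing this this setting` and `Address initiaing the traceroute`. The `$threshold_crossed` callback assumes `index$str` splits on the first `-` into exactly two addresses; that holds for the `cat(orig_h, "-", resp_h)` index built in `icmp_time_exceeded`, and a one-line comment at the `split1` call stating that dependency would protect it against a later change to the index format.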