Small change to load the correct scan file in local.bro.

This commit is contained in:
Seth Hall 2012-12-03 14:58:11 -05:00
parent 1542b3696e
commit 4bb8babb45
2 changed files with 26 additions and 26 deletions


@ -98,31 +98,6 @@ event bro_init() &priority=5
$threshold_crossed=port_scan_threshold_crossed]); $threshold_crossed=port_scan_threshold_crossed]);
} }
function is_failed_conn(c: connection): bool
{
# Sr || ( (hR || ShR) && (data not sent in any direction) )
if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) ||
(((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) ||
(c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history )
) && /[Dd]/ !in c$history )
)
return T;
return F;
}
function is_reverse_failed_conn(c: connection): bool
{
# reverse scan i.e. conn dest is the scanner
# sR || ( (Hr || sHr) && (data not sent in any direction) )
if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) ||
(((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) ||
(c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history )
) && /[Dd]/ !in c$history )
)
return T;
return F;
}
function add_metrics(id: conn_id, reverse: bool) function add_metrics(id: conn_id, reverse: bool)
{ {
local scanner = id$orig_h; local scanner = id$orig_h;
@ -167,6 +142,31 @@ function add_metrics(id: conn_id, reverse: bool)
Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); Metrics::add_data("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
} }
function is_failed_conn(c: connection): bool
{
# Sr || ( (hR || ShR) && (data not sent in any direction) )
if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) ||
(((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) ||
(c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history )
) && /[Dd]/ !in c$history )
)
return T;
return F;
}
function is_reverse_failed_conn(c: connection): bool
{
# reverse scan i.e. conn dest is the scanner
# sR || ( (Hr || sHr) && (data not sent in any direction) )
if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) ||
(((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) ||
(c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history )
) && /[Dd]/ !in c$history )
)
return T;
return F;
}
## Generated for an unsuccessful connection attempt. This ## Generated for an unsuccessful connection attempt. This
## event is raised when an originator unsuccessfully attempted ## event is raised when an originator unsuccessfully attempted
## to establish a connection. “Unsuccessful” is defined as at least ## to establish a connection. “Unsuccessful” is defined as at least
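Review bot: The two relocated functions, is_failed_conn and is_reverse_failed_conn, carry no `##` doc comment on the new side, while the connection_attempt handler directly after them opens with a `##` doc block; a one-line header on each would match the file's convention, e.g. `## Returns T if the connection looks like a failed originator-side attempt: orig SYN answered by a resp RST, or a SYN-ACK/established handshake torn down by an orig RST with no payload in either direction (no D/d in c$history).` and the mirror wording for the reverse variant. The commit message mentions only local.bro, so the reason for moving these definitions below add_metrics is not recorded anywhere; a short comment or commit-message line would spare the next reader from guessing whether this is a declare-before-use fix or just grouping them next to the handler that uses them. From the visible lines add_metrics does not call either function, so the move looks behavior-neutral, but any caller that sits between the old and new positions outside these hunks would now reference the function ahead of its definition. Note that the first hunk opens inside bro_init(), whose body starts outside the hunk.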


@ -9,7 +9,7 @@
@load tuning/defaults @load tuning/defaults
# Load the scan detection script. # Load the scan detection script.
@load protocols/conn/scan @load misc/scan
# Generate notices when vulnerable versions of software are discovered. # Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined # The default is to only monitor software found in the address space defined