Merge remote branch 'origin/fastpath'
* origin/fastpath: Fix missing action in notice policy for looking up GeoIP data. Better persistent state config warning messages (fixes #433). A few updates for SQL injection detection. Fixed some DPD signatures for IRC. Fixes ticket #311. Removing Off_Port_Protocol_Found notice. SSH::Interesting_Hostname_Login cleanup. Fixes #664. Teach Broxygen to more generally reference attribute values by name. Fixed a really dumb bug that was causing the malware hash registry script to break. Fix Broxygen confusing scoped id at start of line as function parameter. Remove remnant of libmagic optionality
commit
4e17ef63f0
19 changed files with 43 additions and 59 deletions
@ -80,15 +80,15 @@ signature irc_server_reply {
|
|||
tcp-state responder
|
||||
}
|
||||
|
||||
signature irc_sig3 {
|
||||
signature irc_server_to_server1 {
|
||||
ip-proto == tcp
|
||||
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
|
||||
payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
|
||||
}
|
||||
|
||||
signature irc_sig4 {
|
||||
signature irc_server_to_server2 {
|
||||
ip-proto == tcp
|
||||
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
|
||||
requires-reverse-signature irc_sig3
|
||||
payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
|
||||
requires-reverse-signature irc_server_to_server1
|
||||
enable "irc"
|
||||
}
|
||||
|
||||
|
|
|
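Review bot: The two new `payload` patterns encode the IRC server-to-server handshake line but carry no comment saying what they are meant to match, so a reader has to decode `[^ ]+ +[0-9]+ +:.+` by hand; a one-line comment above `signature irc_server_to_server1 {` such as `# Matches an RFC 1459 SERVER line (SERVER <servername> <hopcount> :<info>), case-insensitive, optionally preceded by earlier lines.` would make the intent and the change from the previous pattern reviewable. The same pattern is duplicated verbatim in `irc_server_to_server2`; a comment there noting it is the reverse-direction twin guarded by `requires-reverse-signature` helps keep the two from drifting apart when one is tuned. The hunk opens inside `irc_server_reply`, whose closing brace is the second line shown.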
@ -31,6 +31,7 @@ export {
|
|||
## Add a helper to the notice policy for looking up GeoIP data.
|
||||
redef Notice::policy += {
|
||||
[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
|
||||
$action = ACTION_ADD_GEODATA,
|
||||
$priority = 10],
|
||||
};
|
||||
}
|
||||
|
|
|
@ -8,7 +8,6 @@ module ProtocolDetector;
|
|||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
Off_Port_Protocol_Found, # raised for each connection found
|
||||
Protocol_Found,
|
||||
Server_Found,
|
||||
};
|
||||
|
@ -155,13 +154,10 @@ function report_protocols(c: connection)
|
|||
{
|
||||
if ( [a, c$id$resp_h, c$id$resp_p] in valids )
|
||||
do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]);
|
||||
|
||||
else if ( [a, 0.0.0.0, c$id$resp_p] in valids )
|
||||
do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]);
|
||||
else
|
||||
do_notice(c, a, NONE);
|
||||
|
||||
append_addl(c, analyzer_name(a));
|
||||
}
|
||||
|
||||
delete conns[c$id];
|
||||
|
@ -218,20 +214,6 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
|
|||
}
|
||||
}
|
||||
|
||||
# event connection_analyzer_disabled(c: connection, analyzer: count)
|
||||
# {
|
||||
# if ( c$id !in conns )
|
||||
# return;
|
||||
#
|
||||
# delete conns[c$id][analyzer];
|
||||
# }
|
||||
|
||||
function append_proto_addl(c: connection)
|
||||
{
|
||||
for ( a in conns[c$id] )
|
||||
append_addl(c, fmt_protocol(get_protocol(c, a)));
|
||||
}
|
||||
|
||||
function found_protocol(c: connection, analyzer: count, protocol: string)
|
||||
{
|
||||
# Don't report anything running on a well-known port.
|
||||
|
|
|
@ -7,9 +7,12 @@
|
|||
@load base/frameworks/notice
|
||||
@load base/protocols/http
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## If the MD5 sum of a file transferred over HTTP
|
||||
## The MD5 sum of a file transferred over HTTP matched in the
|
||||
## malware hash registry.
|
||||
Malware_Hash_Registry_Match
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,12 +12,12 @@ export {
|
|||
SQL_Injection_Attacker,
|
||||
## Indicates that a host was seen to have SQL injection attacks against
|
||||
## it. This is tracked by IP address as opposed to hostname.
|
||||
SQL_Injection_Attack_Against,
|
||||
SQL_Injection_Victim,
|
||||
};
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
SQL_ATTACKER,
|
||||
SQL_ATTACKS_AGAINST,
|
||||
SQLI_ATTACKER,
|
||||
SQLI_VICTIM,
|
||||
};
|
||||
|
||||
redef enum Tags += {
|
||||
|
@ -56,14 +56,14 @@ event bro_init() &priority=3
|
|||
# determine when it looks like an actual attack and how to respond when
|
||||
# thresholds are crossed.
|
||||
|
||||
Metrics::add_filter(SQL_ATTACKER, [$log=F,
|
||||
Metrics::add_filter(SQLI_ATTACKER, [$log=F,
|
||||
$notice_threshold=sqli_requests_threshold,
|
||||
$break_interval=sqli_requests_interval,
|
||||
$note=SQL_Injection_Attacker]);
|
||||
Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F,
|
||||
$notice_threshold=sqli_requests_threshold,
|
||||
$break_interval=sqli_requests_interval,
|
||||
$note=SQL_Injection_Attack_Against]);
|
||||
Metrics::add_filter(SQLI_VICTIM, [$log=F,
|
||||
$notice_threshold=sqli_requests_threshold,
|
||||
$break_interval=sqli_requests_interval,
|
||||
$note=SQL_Injection_Victim]);
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
@ -73,7 +73,7 @@ event http_request(c: connection, method: string, original_URI: string,
|
|||
{
|
||||
add c$http$tags[URI_SQLI];
|
||||
|
||||
Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
|
||||
Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
|
||||
Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
|
||||
Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
|
||||
}
|
||||
}
|
||||
|
|
|
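Review bot: `SQL_Injection_Victim` is fed from the same per-request counter as `SQL_Injection_Attacker` (`Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1)` runs on every request tagged `URI_SQLI`), so it signals that a server received enough SQLi-looking requests to cross the threshold, not that any injection succeeded; the `##` comment inherited from the renamed `SQL_Injection_Attack_Against` should say so, e.g. `## Indicates that a host was the target of enough SQL injection attempts to cross sqli_requests_threshold; it does not imply the attack succeeded. Tracked by IP address as opposed to hostname.` Both filters in `bro_init` reuse `sqli_requests_threshold` and `sqli_requests_interval`; a short comment noting that attacker- and victim-side thresholds are deliberately shared would save the next reader from wondering whether a dedicated victim threshold was forgotten. The body of `http_request` begins outside the hunk.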
@ -36,7 +36,9 @@ event SSH::heuristic_successful_login(c: connection)
|
|||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Interesting login from hostname: %s", hostname),
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == c$id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $conn=c]);
|
||||
}
|
||||
}
|
||||
|
|
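Review bot: The new `$msg` nests two ternaries inside the `fmt` argument list across three lines, which is hard to scan inside a `NOTICE` call; binding them first reads better: `local locality = Site::is_local_addr(host) ? "local" : "remote";` / `local role = host == c$id$orig_h ? "client" : "server";` / `$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", locality, role),`. Both `host` and `hostname` are bound outside the hunk, in the body of `heuristic_successful_login` that starts before the shown lines, so the note assumes they are plain locals of that handler. Since the hostname now travels only in `$sub`, anything downstream that matched on the old `$msg` text will no longer see it; worth a comment next to `$sub=hostname` if that is intended.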