Merge remote branch 'origin/fastpath'

* origin/fastpath: Fix missing action in notice policy for looking up GeoIP data. Better persistent state config warning messages (fixes #433). A few updates for SQL injection detection. Fixed some DPD signatures for IRC. Fixes ticket #311. Removing Off_Port_Protocol_Found notice. SSH::Interesting_Hostname_Login cleanup. Fixes #664. Teach Broxygen to more generally reference attribute values by name. Fixed a really dumb bug that was causing the malware hash registry script to break. Fix Broxygen confusing scoped id at start of line as function parameter. Remove remnant of libmagic optionality
2025-10-10 02:28:21 +00:00 · 2011-12-16 02:36:43 -08:00 · 2011-12-16 02:36:43 -08:00 · 4e17ef63f0
commit 4e17ef63f0
parent f1e132cd1a 86cba4c33f
19 changed files with 43 additions and 59 deletions
--- a/scripts/policy/protocols/http/detect-MHR.bro
+++ b/scripts/policy/protocols/http/detect-MHR.bro
@ -7,9 +7,12 @@
@load base/frameworks/notice
@load base/protocols/http

+module HTTP;
+
 export {
 	redef enum Notice::Type += { 
-		## If the MD5 sum of a file transferred over HTTP 
+		## The MD5 sum of a file transferred over HTTP matched in the
+		## malware hash registry.
 		Malware_Hash_Registry_Match
 	};
 }
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@ -12,12 +12,12 @@ export {
 		SQL_Injection_Attacker,
 		## Indicates that a host was seen to have SQL injection attacks against
 		## it.  This is tracked by IP address as opposed to hostname.
-		SQL_Injection_Attack_Against,
+		SQL_Injection_Victim,
 	};
 	
 	redef enum Metrics::ID += {
-		SQL_ATTACKER,
-		SQL_ATTACKS_AGAINST,
+		SQLI_ATTACKER,
+		SQLI_VICTIM,
 	};

 	redef enum Tags += {
@ -56,14 +56,14 @@ event bro_init() &priority=3
 	# determine when it looks like an actual attack and how to respond when
 	# thresholds are crossed.
 	
-	Metrics::add_filter(SQL_ATTACKER, [$log=F,
+	Metrics::add_filter(SQLI_ATTACKER, [$log=F,
 	                                   $notice_threshold=sqli_requests_threshold,
 	                                   $break_interval=sqli_requests_interval,
 	                                   $note=SQL_Injection_Attacker]);
-	Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F, 
-	                                          $notice_threshold=sqli_requests_threshold,
-	                                          $break_interval=sqli_requests_interval, 
-	                                          $note=SQL_Injection_Attack_Against]);
+	Metrics::add_filter(SQLI_VICTIM, [$log=F,
+	                                 $notice_threshold=sqli_requests_threshold,
+	                                 $break_interval=sqli_requests_interval,
+	                                 $note=SQL_Injection_Victim]);
 	}

 event http_request(c: connection, method: string, original_URI: string,
@ -73,7 +73,7 @@ event http_request(c: connection, method: string, original_URI: string,
 		{
 		add c$http$tags[URI_SQLI];
 		
-		Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
-		Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
+		Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
+		Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
 		}
 	}
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@ -36,7 +36,9 @@ event SSH::heuristic_successful_login(c: connection)
 			if ( interesting_hostnames in hostname )
 				{
 				NOTICE([$note=Interesting_Hostname_Login,
-				        $msg=fmt("Interesting login from hostname: %s", hostname),
+				        $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+				                 Site::is_local_addr(host) ? "local" : "remote",
+				                 host == c$id$orig_h ? "client" : "server"),
 				        $sub=hostname, $conn=c]);
 				}
 			}