Merge remote branch 'origin/fastpath'
* origin/fastpath: Fix missing action in notice policy for looking up GeoIP data. Better persistent state config warning messages (fixes #433). A few updates for SQL injection detection. Fixed some DPD signatures for IRC. Fixes ticket #311. Removing Off_Port_Protocol_Found notice. SSH::Interesting_Hostname_Login cleanup. Fixes #664. Teach Broxygen to more generally reference attribute values by name. Fixed a really dumb bug that was causing the malware hash registry script to break. Fix Broxygen confusing scoped id at start of line as function parameter. Remove remnant of libmagic optionality
commit
4e17ef63f0
19 changed files with 43 additions and 59 deletions
|
@ -1 +1 @@
|
|||
Subproject commit 82bd9613fb869e44f5f0d7929bdd9a88cde84077
|
||||
Subproject commit 0f99acfbf6205830f0db699a75554262c26427f9
|
|
@ -1 +1 @@
|
|||
Subproject commit 4d387ce660468b44df99d4c87d6016ae4ed2fdc4
|
||||
Subproject commit 1a7a9357fba88a43c90a39d8d72b42fa53b89b75
|
|
@ -1 +1 @@
|
|||
Subproject commit 05d51b55dd5a8430151cff74f7876bd73385d5cd
|
||||
Subproject commit a1a03c686866bd30ee086ff933128055a20ebd56
|
|
@ -1 +1 @@
|
|||
Subproject commit 406c689c88997c4459eaf36bd2c65bce2e847c2d
|
||||
Subproject commit 03d39aa5d4ab24cd9b8e404a9ceb583d5270444c
|
|
@ -1 +1 @@
|
|||
Subproject commit 38890e851416fa9fc827a1d36f06c4cb9f7d4e69
|
||||
Subproject commit 7230a09a8c220d2117e491fdf293bf5c19819b65
|
2
cmake
2
cmake
|
@ -1 +1 @@
|
|||
Subproject commit f0f7958639bb921985c1f58f1186da4b49b5d54d
|
||||
Subproject commit 44f2985475e5ff6cc9061683e21ef4b184bdfc7e
|
|
@ -17,9 +17,6 @@
|
|||
/* We are on a Linux system */
|
||||
#cmakedefine HAVE_LINUX
|
||||
|
||||
/* Define if you have the <magic.h> header file. */
|
||||
#cmakedefine HAVE_MAGIC_H
|
||||
|
||||
/* Define if you have the `mallinfo' function. */
|
||||
#cmakedefine HAVE_MALLINFO
|
||||
|
||||
|
|
|
@ -183,6 +183,7 @@ export {
|
|||
|
||||
## Summarize "an_event" here.
|
||||
## Give more details about "an_event" here.
|
||||
## Example::an_event should not be confused as a parameter.
|
||||
## name: describe the argument here
|
||||
global an_event: event(name: string);
|
||||
|
||||
|
|
|
@ -80,15 +80,15 @@ signature irc_server_reply {
|
|||
tcp-state responder
|
||||
}
|
||||
|
||||
signature irc_sig3 {
|
||||
signature irc_server_to_server1 {
|
||||
ip-proto == tcp
|
||||
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
|
||||
payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
|
||||
}
|
||||
|
||||
signature irc_sig4 {
|
||||
signature irc_server_to_server2 {
|
||||
ip-proto == tcp
|
||||
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
|
||||
requires-reverse-signature irc_sig3
|
||||
payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
|
||||
requires-reverse-signature irc_server_to_server1
|
||||
enable "irc"
|
||||
}
|
||||
|
||||
|
|
|
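Review bot: The renamed signatures `irc_server_to_server1` and `irc_server_to_server2` carry no comment saying what they match, and the new payload pattern is dense enough to need one. The shape ` *SERVER +[^ ]+ +[0-9]+ +:.+` looks like the IRC server-registration line (`SERVER <servername> <hopcount> :<info>`), and the leading `(|.*[\r\n])` appears to allow the match either at the very start of the payload or after any earlier line, given that payload patterns are anchored at the start of the stream; please confirm both readings and state them above `irc_server_to_server1`: `# Server-to-server registration "SERVER <name> <hopcount> :<info>", at the start of the payload or after any line break (the second signature additionally requires the reverse direction to match).` Any other signature still referencing the old names `irc_sig3` or `irc_sig4` would need the same rename, which this hunk cannot show.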
@ -31,6 +31,7 @@ export {
|
|||
## Add a helper to the notice policy for looking up GeoIP data.
|
||||
redef Notice::policy += {
|
||||
[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
|
||||
$action = ACTION_ADD_GEODATA,
|
||||
$priority = 10],
|
||||
};
|
||||
}
|
||||
|
|
|
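Review bot: The new policy item gives no reason for `$priority = 10`, which a reader of the notice policy will want. Presumably the high priority makes this item run before lower-priority policy items, so the GeoIP data is already attached when they act on the notice; if that is the intent, say it above the `redef`: `## Runs at high priority so the GeoIP data is attached before lower-priority policy items act on the notice.` The predicate only tests `n$note in Notice::lookup_location_types`, so the same comment could name that set as the place where a site opts notice types in.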
@ -8,7 +8,6 @@ module ProtocolDetector;
|
|||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
Off_Port_Protocol_Found, # raised for each connection found
|
||||
Protocol_Found,
|
||||
Server_Found,
|
||||
};
|
||||
|
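Review bot: Dropping `Off_Port_Protocol_Found` from the `Notice::Type` enum (first hunk of this file) is a breaking change for any site policy that names it, for example in a `Notice::policy` predicate or an ignored-notice set; such a script will fail to load rather than silently keep working. The same applies to the `SQL_Injection_Attack_Against`, `SQL_ATTACKER` and `SQL_ATTACKS_AGAINST` renames in the sqli script later in this commit. Consider calling the removals out in the release notes, or keeping the old value for a deprecation cycle with a comment such as `Off_Port_Protocol_Found, # deprecated: no longer raised`.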
@ -155,13 +154,10 @@ function report_protocols(c: connection)
|
|||
{
|
||||
if ( [a, c$id$resp_h, c$id$resp_p] in valids )
|
||||
do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]);
|
||||
|
||||
else if ( [a, 0.0.0.0, c$id$resp_p] in valids )
|
||||
do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]);
|
||||
else
|
||||
do_notice(c, a, NONE);
|
||||
|
||||
append_addl(c, analyzer_name(a));
|
||||
}
|
||||
|
||||
delete conns[c$id];
|
||||
|
@ -218,20 +214,6 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
|
|||
}
|
||||
}
|
||||
|
||||
# event connection_analyzer_disabled(c: connection, analyzer: count)
|
||||
# {
|
||||
# if ( c$id !in conns )
|
||||
# return;
|
||||
#
|
||||
# delete conns[c$id][analyzer];
|
||||
# }
|
||||
|
||||
function append_proto_addl(c: connection)
|
||||
{
|
||||
for ( a in conns[c$id] )
|
||||
append_addl(c, fmt_protocol(get_protocol(c, a)));
|
||||
}
|
||||
|
||||
function found_protocol(c: connection, analyzer: count, protocol: string)
|
||||
{
|
||||
# Don't report anything running on a well-known port.
|
||||
|
|
|
@ -7,9 +7,12 @@
|
|||
@load base/frameworks/notice
|
||||
@load base/protocols/http
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## If the MD5 sum of a file transferred over HTTP
|
||||
## The MD5 sum of a file transferred over HTTP matched in the
|
||||
## malware hash registry.
|
||||
Malware_Hash_Registry_Match
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,12 +12,12 @@ export {
|
|||
SQL_Injection_Attacker,
|
||||
## Indicates that a host was seen to have SQL injection attacks against
|
||||
## it. This is tracked by IP address as opposed to hostname.
|
||||
SQL_Injection_Attack_Against,
|
||||
SQL_Injection_Victim,
|
||||
};
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
SQL_ATTACKER,
|
||||
SQL_ATTACKS_AGAINST,
|
||||
SQLI_ATTACKER,
|
||||
SQLI_VICTIM,
|
||||
};
|
||||
|
||||
redef enum Tags += {
|
||||
|
@ -56,14 +56,14 @@ event bro_init() &priority=3
|
|||
# determine when it looks like an actual attack and how to respond when
|
||||
# thresholds are crossed.
|
||||
|
||||
Metrics::add_filter(SQL_ATTACKER, [$log=F,
|
||||
Metrics::add_filter(SQLI_ATTACKER, [$log=F,
|
||||
$notice_threshold=sqli_requests_threshold,
|
||||
$break_interval=sqli_requests_interval,
|
||||
$note=SQL_Injection_Attacker]);
|
||||
Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F,
|
||||
Metrics::add_filter(SQLI_VICTIM, [$log=F,
|
||||
$notice_threshold=sqli_requests_threshold,
|
||||
$break_interval=sqli_requests_interval,
|
||||
$note=SQL_Injection_Attack_Against]);
|
||||
$note=SQL_Injection_Victim]);
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
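Review bot: Both metric filters in `bro_init` reuse the same `sqli_requests_threshold` and `sqli_requests_interval`, so the attacker and victim notices fire at the same request count over the same window; that coupling is not stated anywhere and is easy to misread as two independent knobs. A comment above the first `Metrics::add_filter` would prevent that: `# Attacker and victim metrics share one threshold/interval; tuning sqli_requests_threshold or sqli_requests_interval changes both.` If separate tuning is wanted, two further `const ... &redef` values could be declared instead; the `export` block holding the existing ones is outside this hunk.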
@ -73,7 +73,7 @@ event http_request(c: connection, method: string, original_URI: string,
|
|||
{
|
||||
add c$http$tags[URI_SQLI];
|
||||
|
||||
Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
|
||||
Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
|
||||
Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
|
||||
Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,7 +36,9 @@ event SSH::heuristic_successful_login(c: connection)
|
|||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Interesting login from hostname: %s", hostname),
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == c$id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $conn=c]);
|
||||
}
|
||||
}
|
||||
|
|
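Review bot: The inline ternaries inside the `fmt` call make the new `$msg` hard to read, and the two descriptive words are worth naming before the `NOTICE` call; `host` itself is declared outside the hunk, as is the start of the handler. Something like `local locality = Site::is_local_addr(host) ? "local" : "remote";` and `local role = host == c$id$orig_h ? "client" : "server";` ahead of `NOTICE([...])`, then `$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", locality, role),` keeps the message on one line. Since the hostname now appears only in `$sub`, a short comment saying that this is deliberate (keeps `$msg` stable for aggregation) would help the next reader.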
11
src/Attr.cc
11
src/Attr.cc
|
@ -60,16 +60,19 @@ void Attr::DescribeReST(ODesc* d) const
|
|||
d->Add("=");
|
||||
d->SP();
|
||||
|
||||
if ( expr->Type()->Tag() == TYPE_FUNC )
|
||||
d->Add(":bro:type:`func`");
|
||||
|
||||
else if ( expr->Type()->Tag() == TYPE_ENUM )
|
||||
if ( expr->Tag() == EXPR_NAME )
|
||||
{
|
||||
d->Add(":bro:enum:`");
|
||||
d->Add(":bro:see:`");
|
||||
expr->Describe(d);
|
||||
d->Add("`");
|
||||
}
|
||||
|
||||
else if ( expr->Type()->Tag() == TYPE_FUNC )
|
||||
{
|
||||
d->Add(":bro:type:`func`");
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
d->Add("``");
|
||||
|
|
|
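Review bot: The new `expr->Tag() == EXPR_NAME` branch at the top of `Attr::DescribeReST` changes which values reach the `TYPE_FUNC` branch, and nothing in the code says so. If I read the ordering right, any attribute value that is a bare identifier — an enum constant as before, but now also a named global or a named function — is rendered as a `:bro:see:` cross-reference, and `:bro:type:\`func\`` is only emitted for values that are not names (such as anonymous function bodies). A comment above the first `if` would make that intentional: `// Named values are cross-referenced by name regardless of type; only anonymous function values fall through to the plain func type.` The function begins before the hunk.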
@ -359,7 +359,7 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
|
|||
if ( id )
|
||||
::Ref(id);
|
||||
else
|
||||
reporter->Warning("unserialized unknown global name");
|
||||
reporter->Warning("configuration changed: unserialized unknown global name from persistent state");
|
||||
|
||||
delete [] name;
|
||||
}
|
||||
|
|
|
@ -167,7 +167,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
|
|||
return TOK_POST_DOC;
|
||||
}
|
||||
|
||||
<DOC>##{OWS}{ID}:.* {
|
||||
<DOC>##{OWS}{ID}:[^:].* {
|
||||
const char* id_start = skip_whitespace(yytext + 2);
|
||||
yylval.str = copy_string(canon_doc_func_param(id_start).c_str());
|
||||
return TOK_DOC;
|
||||
|
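Review bot: `[^:]` in the new `<DOC>##{OWS}{ID}:[^:].*` pattern matches a newline in flex, so a doc line that ends right after the colon (`## name:` with nothing following) would have this rule consume the line break and let `.*` take the next line into the same token, instead of falling through to the generic doc-comment rule. The second hunk's `##{OWS}{ID}:[^:].*` rule has the same shape. Unless newline is already excluded by how the scanner counts lines, `[^:\n].*` is the safer form in both places, and a short comment such as `/* a second ":" right after the ID is a scoped name (A::b), not a parameter */` above each rule would explain what the negated class is for. The rule actions continue past the hunk.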
@ -181,7 +181,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
|
|||
}
|
||||
}
|
||||
|
||||
##{OWS}{ID}:.* {
|
||||
##{OWS}{ID}:[^:].* {
|
||||
if ( generate_documentation )
|
||||
{
|
||||
// Comment is documenting either a function parameter or return type,
|
||||
|
|
|
@ -217,6 +217,7 @@ Events
|
|||
|
||||
Summarize "an_event" here.
|
||||
Give more details about "an_event" here.
|
||||
Example::an_event should not be confused as a parameter.
|
||||
|
||||
:param name: describe the argument here
|
||||
|
||||
|
|
|
@ -42,6 +42,8 @@ event bro_init ()
|
|||
#add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"];
|
||||
#add positive_matches["/index.php' and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password"];
|
||||
#add positive_matches["/index.php?id=873 and user=0--"];
|
||||
#add positive_matches["?id=1;+if+(1=1)+waitfor+delay+'00:00:01'--9"];
|
||||
#add positive_matches["?id=1+and+if(1=1,BENCHMARK(728000,MD5(0x41)),0)9"];
|
||||
|
||||
# The positive_matches below are from the mod_security evasion challenge.
|
||||
# All supported attacks are uncommented.
|
||||
|
@ -95,14 +97,6 @@ event bro_init ()
|
|||
#add negative_matches["/index/hmm.gif?utmdt=Record > Create a Graph"];
|
||||
#add negative_matches["/index.php?test='||\x0aTO_CHAR(foo_bar.Foo_Bar_ID)||"];
|
||||
|
||||
local regex =
|
||||
/[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
|
||||
| /[\?&][^[:blank:]\x00-\x37\|]+?=[\-0-9%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
|
||||
| /[\?&][^[:blank:]\x00-\x37]+?=[\-0-9%]*([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x37]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
|
||||
| /[\?&][^[:blank:]\x00-\x37\|]+?=([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x37]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/
|
||||
| /[\?&][^[:blank:]\x00-\x37]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/
|
||||
| /\/\*![[:digit:]]{5}.*?\*\//;
|
||||
|
||||
print "If anything besides this line prints out, there is a problem.";
|
||||
for ( test in positive_matches )
|
||||
{
|
||||
|
|
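Review bot: The `regex` literal in `bro_init` is apparently a copy of the detection pattern from the sqli script (this commit touches both), so the two can silently drift; if the script exposes the pattern as a redefinable const, the test should `@load` it and use that constant rather than re-typing the pattern here, i.e. `local regex = <pattern constant from the sqli script>;` with the real name taken from the script. Separately, `\x37` in the repeated `[[:blank:]\x00-\x37]` classes reads as a hex escape (ASCII `7`) rather than octal 037, so that class also covers digits 0–7 and most punctuation; if control characters up to 0x1f were intended, `\x1f` is the value, and the choice changes which requests this test accepts, so it is worth confirming against the script's copy. The `positive_matches` and `negative_matches` sets are filled before this hunk.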