Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088

policy/http-request.bro

@@ -0,0 +1,104 @@
+# $Id: http-request.bro 6726 2009-06-07 22:09:55Z vern $
+
+# Analysis of HTTP requests.
+
+@load http
+
+module HTTP;
+
+export {
+	const sensitive_URIs =
+		  /etc\/(passwd|shadow|netconfig)/
+		| /IFS[ \t]*=/
+		| /nph-test-cgi\?/
+		| /(%0a|\.\.)\/(bin|etc|usr|tmp)/
+		| /\/Admin_files\/order\.log/
+		| /\/carbo\.dll/
+		| /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+		| /\/cgi-dos\/args\.bat/
+		| /\/cgi-win\/uploader\.exe/
+		| /\/search97\.vts/
+		| /tk\.tgz/
+		| /ownz/	# somewhat prone to false positives
+		| /viewtopic\.php.*%.*\(.*\(/	# PHP attack, 26Nov04
+		# a bunch of possible rootkits
+		| /sshd\.(tar|tgz).*/
+		| /[aA][dD][oO][rR][eE][bB][sS][dD].*/
+		# | /[tT][aA][gG][gG][eE][dD].*/	# prone to FPs
+		| /shv4\.(tar|tgz).*/
+		| /lrk\.(tar|tgz).*/
+		| /lyceum\.(tar|tgz).*/
+		| /maxty\.(tar|tgz).*/
+		| /rootII\.(tar|tgz).*/
+		| /invader\.(tar|tgz).*/
+	&redef;
+
+	# Used to look for attempted password file fetches.
+	const passwd_URI = /passwd/ &redef;
+
+	# URIs that match sensitive_URIs but can be generated by worms,
+	# and hence should not be flagged (because they're so common).
+	const worm_URIs =
+		  /.*\/c\+dir/
+		| /.*cool.dll.*/
+		| /.*Admin.dll.*Admin.dll.*/
+	&redef;
+
+	# URIs that should not be considered sensitive if accessed by
+	# a local client.
+	const skip_remote_sensitive_URIs =
+		/\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+	&redef;
+
+	const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
+}
+
+redef capture_filters +=  {
+	["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
+};
+
+event http_request(c: connection, method: string, original_URI: string,
+			unescaped_URI: string, version: string)
+	{
+	local log_it = F;
+	local URI = unescaped_URI;
+
+	if ( (sensitive_URIs in URI && URI != worm_URIs) ||
+	     (method == "POST" && sensitive_post_URIs in URI) )
+		{
+		if ( is_local_addr(c$id$orig_h) &&
+		     skip_remote_sensitive_URIs in URI )
+			; # don't flag it after all
+		else
+			log_it = T;
+		}
+
+	local s = lookup_http_request_stream(c);
+
+	if ( process_HTTP_replies )
+		{
+		# To process HTTP replies, we need to record the corresponding
+		# requests.
+		local n = s$first_pending_request + s$num_pending_requests;
+
+		s$requests[n] = [$method=method, $URI=URI, $log_it=log_it,
+					$passwd_req=passwd_URI in URI];
+		++s$num_pending_requests;
+
+		# if process_HTTP_messages
+		local msg = s$next_request;
+
+		init_http_message(msg);
+		msg$initiated = T;
+		}
+	else
+		{
+		if ( log_it )
+			NOTICE([$note=HTTP_SensitiveURI, $conn=c,
+				$method = method, $URL = URI,
+				$msg=fmt("%s %s: %s %s",
+					id_string(c$id), c$addl, method, URI)]);
+		print http_log,
+			fmt("%.6f %s %s %s", network_time(), s$id, method, URI);
+		}
+	}