Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Ported scripts using metrics framework and added a new smtp script.

Browse source 
- New script measures a couple of aspects of SMTP traffic.

- Existing metrics scripts had a small amount of work done
  to make them work with changes to metrics framework.
This commit is contained in:
Seth Hall 2012-03-28 11:39:27 -04:00
parent 5904043e85
commit 6600e62ea3
5 changed files with 61 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/base/frameworks/metrics/main.bro
View file

@ -36,6 +36,12 @@ export {
network: subnet &optional; network: subnet &optional;
} &log; } &log;
## Represents data being added for a single metric data point. Used internally.
type DataPoint: record {
num: count &optional;
unique_vals: set[string] &optional;
};
## The record type that is used for logging metrics. ## The record type that is used for logging metrics.
type Info: record { type Info: record {
## Timestamp at which the metric was "broken". ## Timestamp at which the metric was "broken".
@ -142,13 +148,8 @@ export {
## Event to access metrics records as they are passed to the logging framework. ## Event to access metrics records as they are passed to the logging framework.
global log_metrics: event(rec: Info); global log_metrics: event(rec: Info);
## Internal use only
type MetricMeasurement: record {
num: count &optional;
unique_vals: set[string] &optional;
};
## Type to store a table of metrics values. Interal use only! ## Type to store a table of metrics values. Interal use only!
type MetricTable: table[Index] of MetricMeasurement; type MetricTable: table[Index] of DataPoint;
} }
redef record Notice::Info += { redef record Notice::Info += {

16
scripts/policy/frameworks/metrics/conn-example.bro
View file

@ -4,22 +4,18 @@
@load base/frameworks/metrics @load base/frameworks/metrics
@load base/utils/site @load base/utils/site
redef enum Metrics::ID += {
CONNS_ORIGINATED,
CONNS_RESPONDED
};
event bro_init() event bro_init()
{ {
Metrics::add_filter(CONNS_ORIGINATED, [$aggregation_mask=24, $break_interval=1mins]); #Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]);
Metrics::add_filter("conns.originated", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
# Site::local_nets must be defined in order for this to actually do anything. # Site::local_nets must be defined in order for this to actually do anything.
Metrics::add_filter(CONNS_RESPONDED, [$aggregation_table=Site::local_nets_table, $break_interval=1mins]); Metrics::add_filter("conns.responded", [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
} }
event connection_established(c: connection) event connection_established(c: connection)
{ {
Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1); Metrics::add_data("conns.originated", [$host=c$id$orig_h], 1);
Metrics::add_data(CONNS_RESPONDED, [$host=c$id$resp_h], 1); Metrics::add_data("conns.responded", [$host=c$id$resp_h], 1);
} }

15
scripts/policy/protocols/http/detect-sqli.bro
View file

@ -15,13 +15,6 @@ export {
SQL_Injection_Victim, SQL_Injection_Victim,
}; };
redef enum Metrics::ID += {
## Metric to track SQL injection attackers.
SQLI_ATTACKER,
## Metrics to track SQL injection victims.
SQLI_VICTIM,
};
redef enum Tags += { redef enum Tags += {
## Indicator of a URI based SQL injection attack. ## Indicator of a URI based SQL injection attack.
URI_SQLI, URI_SQLI,
@ -58,11 +51,11 @@ event bro_init() &priority=3
# determine when it looks like an actual attack and how to respond when # determine when it looks like an actual attack and how to respond when
# thresholds are crossed. # thresholds are crossed.
Metrics::add_filter(SQLI_ATTACKER, [$log=F, Metrics::add_filter("http.sqli.attacker", [$log=F,
$notice_threshold=sqli_requests_threshold, $notice_threshold=sqli_requests_threshold,
$break_interval=sqli_requests_interval, $break_interval=sqli_requests_interval,
$note=SQL_Injection_Attacker]); $note=SQL_Injection_Attacker]);
Metrics::add_filter(SQLI_VICTIM, [$log=F, Metrics::add_filter("http.sqli.victim", [$log=F,
$notice_threshold=sqli_requests_threshold, $notice_threshold=sqli_requests_threshold,
$break_interval=sqli_requests_interval, $break_interval=sqli_requests_interval,
$note=SQL_Injection_Victim]); $note=SQL_Injection_Victim]);
@ -75,7 +68,7 @@ event http_request(c: connection, method: string, original_URI: string,
{ {
add c$http$tags[URI_SQLI]; add c$http$tags[URI_SQLI];
Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1); Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], 1);
Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1); Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], 1);
} }
} }

32
scripts/policy/protocols/smtp/metrics.bro Normal file
View file

@ -0,0 +1,32 @@
##! This script is meant to answer the following questions...
##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?"
##! "How much mail is being sent from each local mail server per hour?"
@load base/frameworks/metrics
module SMTPMetrics;
export {
## Define the break intervals for all of the metrics collected and logged by this script.
const breaks = 1hr &redef;
}
event bro_init() &priority=5
{
Metrics::add_filter("smtp.mailfrom", [$pred(index: Metrics::Index) = {
return addr_matches_host(index$host, LOCAL_HOSTS); },
$break_interval=breaks]);
Metrics::add_filter("smtp.messages", [$pred(index: Metrics::Index) = {
return addr_matches_host(index$host, LOCAL_HOSTS); },
$break_interval=breaks]);
}
event SMTP::log_smtp(rec: SMTP::Info)
{
Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], 1);
if ( rec?$mailfrom )
Metrics::add_unique("smtp.mailfrom", [$host=rec$id$orig_h], rec$mailfrom);
}

9
scripts/policy/protocols/ssh/detect-bruteforcing.bro
View file

@ -20,11 +20,6 @@ export {
Login_By_Password_Guesser, Login_By_Password_Guesser,
}; };
redef enum Metrics::ID += {
## Metric is to measure failed logins.
FAILED_LOGIN,
};
## The number of failed SSH connections before a host is designated as ## The number of failed SSH connections before a host is designated as
## guessing passwords. ## guessing passwords.
const password_guesses_limit = 30 &redef; const password_guesses_limit = 30 &redef;
@ -46,7 +41,7 @@ export {
event bro_init() event bro_init()
{ {
Metrics::add_filter(FAILED_LOGIN, [$name="detect-bruteforcing", $log=F, Metrics::add_filter("ssh.login.failure", [$name="detect-bruteforcing", $log=F,
$note=Password_Guessing, $note=Password_Guessing,
$notice_threshold=password_guesses_limit, $notice_threshold=password_guesses_limit,
$notice_freq=1hr, $notice_freq=1hr,
@ -75,5 +70,5 @@ event SSH::heuristic_failed_login(c: connection)
# be ignored. # be ignored.
if ( ! (id$orig_h in ignore_guessers && if ( ! (id$orig_h in ignore_guessers &&
id$resp_h in ignore_guessers[id$orig_h]) ) id$resp_h in ignore_guessers[id$orig_h]) )
Metrics::add_data(FAILED_LOGIN, [$host=id$orig_h], 1); Metrics::add_data("ssh.login.failure", [$host=id$orig_h], 1);
} }