From f0b32b21ee1c7723ef37c968977824a265ca1527 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Oct 2011 14:08:54 -0400 Subject: [PATCH 1/4] weird.bro rewrite. - I want to test it for a short while before committing it to master just to make sure it is a sane modification. --- scripts/base/frameworks/notice/weird.bro | 614 +++++++++--------- scripts/policy/tuning/defaults/__load__.bro | 1 - .../defaults/remove-high-volume-notices.bro | 10 - 3 files changed, 297 insertions(+), 328 deletions(-) delete mode 100644 scripts/policy/tuning/defaults/remove-high-volume-notices.bro
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 86ea78422f..d7ae230449 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -8,223 +8,211 @@ export {
 redef enum Log::ID += { LOG };
 redef enum Notice::Type += {
- ## Generic unusual but alarm-worthy activity.
- Weird_Activity,
+ ## Generic unusual but notice-worthy weird activity.
+ Activity,
 };
 type Info: record {
+ ## The time when the weird occurred.
 ts: time &log;
+ ## If a connection is associated with this weird, this will be the
+ ## connection's unique ID.
 uid: string &log &optional;
+ ## conn_id for the optional connection.
 id: conn_id &log &optional;
- msg: string &log;
+ ## The name of the weird that occurred.
+ name: string &log;
+ ## Additional information accompanying the weird if any.
 addl: string &log &optional;
+ ## Indicate if this weird was also turned into a notice.
 notice: bool &log &default=F;
+ ## The peer that originated this weird. This is helpful in cluster
+ ## deployments if a particular cluster node is having trouble to help
+ ## identify which node is having trouble.
+ peer: string &log &optional;
 };
- type WeirdAction: enum {
- WEIRD_UNSPECIFIED, WEIRD_IGNORE, WEIRD_FILE,
- WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
- WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
+ type Action: enum {
+ ACTION_UNSPECIFIED,
+ ACTION_IGNORE,
+ ACTION_LOG,
+ ACTION_LOG_ONCE,
+ ACTION_LOG_PER_CONN,
+ ACTION_LOG_PER_ORIG,
+ ACTION_NOTICE,
+ ACTION_NOTICE_ONCE,
+ ACTION_NOTICE_PER_CONN,
+ ACTION_NOTICE_PER_ORIG,
 };
- # Which of the above actions lead to logging. For internal use.
- const notice_actions = { - WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN, - WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE, - }; + const actions: table[string] of Action = { + ["above_hole_data_without_any_acks"] = ACTION_LOG, + ["active_connection_reuse"] = ACTION_LOG, + ["bad_HTTP_reply"] = ACTION_LOG, + ["bad_HTTP_version"] = ACTION_LOG, + ["bad_ICMP_checksum"] = ACTION_LOG, + ["bad_ident_port"] = ACTION_LOG, + ["bad_ident_reply"] = ACTION_LOG, + ["bad_ident_request"] = ACTION_LOG, + ["bad_rlogin_prolog"] = ACTION_LOG, + ["bad_rsh_prolog"] = ACTION_LOG, + ["rsh_text_after_rejected"] = ACTION_LOG, + ["bad_RPC"] = ACTION_LOG_PER_ORIG, + ["bad_RPC_program"] = ACTION_LOG, + ["bad_SYN_ack"] = ACTION_LOG, + ["bad_TCP_checksum"] = ACTION_LOG, + ["bad_UDP_checksum"] = ACTION_LOG, + ["baroque_SYN"] = ACTION_LOG, + ["base64_illegal_encoding"] = ACTION_LOG, + ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG, + ["corrupt_tcp_options"] = ACTION_NOTICE_PER_ORIG, + ["crud_trailing_HTTP_request"] = ACTION_LOG, + ["data_after_reset"] = ACTION_LOG, + ["data_before_established"] = ACTION_LOG, + ["data_without_SYN_ACK"] = ACTION_LOG, + ["DHCP_no_type_option"] = ACTION_LOG, + ["DHCP_wrong_msg_type"] = ACTION_LOG, + ["DHCP_wrong_op_type"] = ACTION_LOG, + ["DNS_AAAA_neg_length"] = ACTION_LOG, + ["DNS_Conn_count_too_large"] = ACTION_LOG, + ["DNS_NAME_too_long"] = ACTION_LOG, + ["DNS_RR_bad_length"] = ACTION_LOG, + ["DNS_RR_length_mismatch"] = ACTION_LOG, + ["DNS_RR_unknown_type"] = ACTION_LOG, + ["DNS_label_forward_compress_offset"] = ACTION_LOG_PER_ORIG, + ["DNS_label_len_gt_name_len"] = ACTION_LOG_PER_ORIG, + ["DNS_label_len_gt_pkt"] = ACTION_LOG_PER_ORIG, + ["DNS_label_too_long"] = ACTION_LOG_PER_ORIG, + ["DNS_truncated_RR_rdlength_lt_len"] = ACTION_LOG, + ["DNS_truncated_ans_too_short"] = ACTION_LOG, + ["DNS_truncated_len_lt_hdr_len"] = ACTION_LOG, + ["DNS_truncated_quest_too_short"] = ACTION_LOG, + ["dns_changed_number_of_responses"] = ACTION_LOG_PER_ORIG, + 
["dns_reply_seen_after_done"] = ACTION_LOG_PER_ORIG, + ["excessive_data_without_further_acks"] = ACTION_LOG, + ["excess_RPC"] = ACTION_LOG_PER_ORIG, + ["excessive_RPC_len"] = ACTION_LOG_PER_ORIG, + ["FIN_advanced_last_seq"] = ACTION_LOG, + ["FIN_after_reset"] = ACTION_IGNORE, + ["FIN_storm"] = ACTION_NOTICE, + ["HTTP_bad_chunk_size"] = ACTION_LOG, + ["HTTP_chunked_transfer_for_multipart_message"] = ACTION_LOG, + ["HTTP_overlapping_messages"] = ACTION_LOG, + ["HTTP_unknown_method"] = ACTION_LOG, + ["HTTP_version_mismatch"] = ACTION_LOG, + ["ident_request_addendum"] = ACTION_LOG, + ["inappropriate_FIN"] = ACTION_LOG, + ["inflate_failed"] = ACTION_LOG, + ["invalid_irc_global_users_reply"] = ACTION_LOG, + ["irc_invalid_command"] = ACTION_LOG, + ["irc_invalid_dcc_message_format"] = ACTION_LOG, + ["irc_invalid_invite_message_format"] = ACTION_LOG, + ["irc_invalid_join_line"] = ACTION_LOG, + ["irc_invalid_kick_message_format"] = ACTION_LOG, + ["irc_invalid_line"] = ACTION_LOG, + ["irc_invalid_mode_message_format"] = ACTION_LOG, + ["irc_invalid_names_line"] = ACTION_LOG, + ["irc_invalid_njoin_line"] = ACTION_LOG, + ["irc_invalid_notice_message_format"] = ACTION_LOG, + ["irc_invalid_oper_message_format"] = ACTION_LOG, + ["irc_invalid_privmsg_message_format"] = ACTION_LOG, + ["irc_invalid_reply_number"] = ACTION_LOG, + ["irc_invalid_squery_message_format"] = ACTION_LOG, + ["irc_invalid_topic_reply"] = ACTION_LOG, + ["irc_invalid_who_line"] = ACTION_LOG, + ["irc_invalid_who_message_format"] = ACTION_LOG, + ["irc_invalid_whois_channel_line"] = ACTION_LOG, + ["irc_invalid_whois_message_format"] = ACTION_LOG, + ["irc_invalid_whois_operator_line"] = ACTION_LOG, + ["irc_invalid_whois_user_line"] = ACTION_LOG, + ["irc_line_size_exceeded"] = ACTION_LOG, + ["irc_line_too_short"] = ACTION_LOG, + ["irc_too_many_invalid"] = ACTION_LOG, + ["line_terminated_with_single_CR"] = ACTION_LOG, + ["line_terminated_with_single_LF"] = ACTION_LOG, + ["malformed_ssh_identification"] = ACTION_LOG, + 
["malformed_ssh_version"] = ACTION_LOG, + ["matching_undelivered_data"] = ACTION_LOG, + ["multiple_HTTP_request_elements"] = ACTION_LOG, + ["multiple_RPCs"] = ACTION_LOG_PER_ORIG, + ["non_IPv4_packet"] = ACTION_LOG_ONCE, + ["NUL_in_line"] = ACTION_LOG, + ["originator_RPC_reply"] = ACTION_LOG_PER_ORIG, + ["partial_finger_request"] = ACTION_LOG, + ["partial_ftp_request"] = ACTION_LOG, + ["partial_ident_request"] = ACTION_LOG, + ["partial_RPC"] = ACTION_LOG_PER_ORIG, + ["partial_RPC_request"] = ACTION_LOG, + ["pending_data_when_closed"] = ACTION_LOG, + ["pop3_bad_base64_encoding"] = ACTION_LOG, + ["pop3_client_command_unknown"] = ACTION_LOG, + ["pop3_client_sending_server_commands"] = ACTION_LOG, + ["pop3_malformed_auth_plain"] = ACTION_LOG, + ["pop3_server_command_unknown"] = ACTION_LOG, + ["pop3_server_sending_client_commands"] = ACTION_LOG, + ["possible_split_routing"] = ACTION_LOG, + ["premature_connection_reuse"] = ACTION_LOG, + ["repeated_SYN_reply_wo_ack"] = ACTION_LOG, + ["repeated_SYN_with_ack"] = ACTION_LOG, + ["responder_RPC_call"] = ACTION_LOG_PER_ORIG, + ["rlogin_text_after_rejected"] = ACTION_LOG, + ["RPC_rexmit_inconsistency"] = ACTION_LOG, + ["RPC_underflow"] = ACTION_LOG, + ["RST_storm"] = ACTION_LOG, + ["RST_with_data"] = ACTION_LOG, # PC's do this + ["simultaneous_open"] = ACTION_LOG_PER_CONN, + ["spontaneous_FIN"] = ACTION_IGNORE, + ["spontaneous_RST"] = ACTION_IGNORE, + ["SMB_parsing_error"] = ACTION_LOG, + ["no_smb_session_using_parsesambamsg"] = ACTION_LOG, + ["smb_andx_command_failed_to_parse"] = ACTION_LOG, + ["transaction_subcmd_missing"] = ACTION_LOG, + ["successful_RPC_reply_to_invalid_request"] = ACTION_NOTICE_PER_ORIG, + ["SYN_after_close"] = ACTION_LOG, + ["SYN_after_partial"] = ACTION_NOTICE_PER_ORIG, + ["SYN_after_reset"] = ACTION_LOG, + ["SYN_inside_connection"] = ACTION_LOG, + ["SYN_seq_jump"] = ACTION_LOG, + ["SYN_with_data"] = ACTION_LOG, + ["TCP_christmas"] = ACTION_LOG, + ["truncated_ARP"] = ACTION_LOG, + ["truncated_NTP"] = 
ACTION_LOG, + ["UDP_datagram_length_mismatch"] = ACTION_LOG_PER_ORIG, + ["unexpected_client_HTTP_data"] = ACTION_LOG, + ["unexpected_multiple_HTTP_requests"] = ACTION_LOG, + ["unexpected_server_HTTP_data"] = ACTION_LOG, + ["unmatched_HTTP_reply"] = ACTION_LOG, + ["unpaired_RPC_response"] = ACTION_LOG, + ["window_recision"] = ACTION_LOG, + ["double_%_in_URI"] = ACTION_LOG, + ["illegal_%_at_end_of_URI"] = ACTION_LOG, + ["unescaped_%_in_URI"] = ACTION_LOG, + ["unescaped_special_URI_char"] = ACTION_LOG, + ["deficit_netbios_hdr_len"] = ACTION_LOG, + ["excess_netbios_hdr_len"] = ACTION_LOG, + ["netbios_client_session_reply"] = ACTION_LOG, + ["netbios_raw_session_msg"] = ACTION_LOG, + ["netbios_server_session_request"] = ACTION_LOG, + ["unknown_netbios_type"] = ACTION_LOG, + ["excessively_large_fragment"] = ACTION_LOG, + ["excessively_small_fragment"] = ACTION_LOG_PER_ORIG, + ["fragment_inconsistency"] = ACTION_LOG_PER_ORIG, + ["fragment_overlap"] = ACTION_LOG_PER_ORIG, + ["fragment_protocol_inconsistency"] = ACTION_LOG, + ["fragment_size_inconsistency"] = ACTION_LOG_PER_ORIG, + ## These do indeed happen! 
+ ["fragment_with_DF"] = ACTION_LOG, + ["incompletely_captured_fragment"] = ACTION_LOG, + ["bad_IP_checksum"] = ACTION_LOG, + ["bad_TCP_header_len"] = ACTION_LOG, + ["internally_truncated_header"] = ACTION_LOG, + ["truncated_IP"] = ACTION_LOG, + ["truncated_header"] = ACTION_LOG, + } &default=ACTION_LOG &redef; - const weird_action: table[string] of WeirdAction = { - # tcp_weird - ["above_hole_data_without_any_acks"] = WEIRD_FILE, - ["active_connection_reuse"] = WEIRD_FILE, - ["bad_HTTP_reply"] = WEIRD_FILE, - ["bad_HTTP_version"] = WEIRD_FILE, - ["bad_ICMP_checksum"] = WEIRD_FILE, - ["bad_ident_port"] = WEIRD_FILE, - ["bad_ident_reply"] = WEIRD_FILE, - ["bad_ident_request"] = WEIRD_FILE, - ["bad_rlogin_prolog"] = WEIRD_FILE, - ["bad_rsh_prolog"] = WEIRD_FILE, - ["rsh_text_after_rejected"] = WEIRD_FILE, - ["bad_RPC"] = WEIRD_NOTICE_PER_ORIG, - ["bad_RPC_program"] = WEIRD_FILE, - ["bad_SYN_ack"] = WEIRD_FILE, - ["bad_TCP_checksum"] = WEIRD_FILE, - ["bad_UDP_checksum"] = WEIRD_FILE, - ["baroque_SYN"] = WEIRD_FILE, - ["base64_illegal_encoding"] = WEIRD_FILE, - ["connection_originator_SYN_ack"] = WEIRD_FILE, - ["corrupt_tcp_options"] = WEIRD_NOTICE_PER_ORIG, - ["crud_trailing_HTTP_request"] = WEIRD_FILE, - ["data_after_reset"] = WEIRD_FILE, - ["data_before_established"] = WEIRD_FILE, - ["data_without_SYN_ACK"] = WEIRD_FILE, - ["DHCP_no_type_option"] = WEIRD_FILE, - ["DHCP_wrong_msg_type"] = WEIRD_FILE, - ["DHCP_wrong_op_type"] = WEIRD_FILE, - ["DNS_AAAA_neg_length"] = WEIRD_FILE, - ["DNS_Conn_count_too_large"] = WEIRD_FILE, - ["DNS_NAME_too_long"] = WEIRD_FILE, - ["DNS_RR_bad_length"] = WEIRD_FILE, - ["DNS_RR_length_mismatch"] = WEIRD_FILE, - ["DNS_RR_unknown_type"] = WEIRD_FILE, - ["DNS_label_forward_compress_offset"] = WEIRD_NOTICE_PER_ORIG, - ["DNS_label_len_gt_name_len"] = WEIRD_NOTICE_PER_ORIG, - ["DNS_label_len_gt_pkt"] = WEIRD_NOTICE_PER_ORIG, - ["DNS_label_too_long"] = WEIRD_NOTICE_PER_ORIG, - ["DNS_truncated_RR_rdlength_lt_len"] = WEIRD_FILE, - 
["DNS_truncated_ans_too_short"] = WEIRD_FILE, - ["DNS_truncated_len_lt_hdr_len"] = WEIRD_FILE, - ["DNS_truncated_quest_too_short"] = WEIRD_FILE, - ["dns_changed_number_of_responses"] = WEIRD_NOTICE_PER_ORIG, - ["dns_reply_seen_after_done"] = WEIRD_NOTICE_PER_ORIG, - ["excessive_data_without_further_acks"] = WEIRD_FILE, - ["excess_RPC"] = WEIRD_NOTICE_PER_ORIG, - ["excessive_RPC_len"] = WEIRD_NOTICE_PER_ORIG, - ["FIN_advanced_last_seq"] = WEIRD_FILE, - ["FIN_after_reset"] = WEIRD_IGNORE, - ["FIN_storm"] = WEIRD_NOTICE_ALWAYS, - ["HTTP_bad_chunk_size"] = WEIRD_FILE, - ["HTTP_chunked_transfer_for_multipart_message"] = WEIRD_FILE, - ["HTTP_overlapping_messages"] = WEIRD_FILE, - ["HTTP_unknown_method"] = WEIRD_FILE, - ["HTTP_version_mismatch"] = WEIRD_FILE, - ["ident_request_addendum"] = WEIRD_FILE, - ["inappropriate_FIN"] = WEIRD_FILE, - ["inflate_data_failed"] = WEIRD_FILE, - ["inflate_failed"] = WEIRD_FILE, - ["invalid_irc_global_users_reply"] = WEIRD_FILE, - ["irc_invalid_command"] = WEIRD_FILE, - ["irc_invalid_dcc_message_format"] = WEIRD_FILE, - ["irc_invalid_invite_message_format"] = WEIRD_FILE, - ["irc_invalid_join_line"] = WEIRD_FILE, - ["irc_invalid_kick_message_format"] = WEIRD_FILE, - ["irc_invalid_line"] = WEIRD_FILE, - ["irc_invalid_mode_message_format"] = WEIRD_FILE, - ["irc_invalid_names_line"] = WEIRD_FILE, - ["irc_invalid_njoin_line"] = WEIRD_FILE, - ["irc_invalid_notice_message_format"] = WEIRD_FILE, - ["irc_invalid_oper_message_format"] = WEIRD_FILE, - ["irc_invalid_privmsg_message_format"] = WEIRD_FILE, - ["irc_invalid_reply_number"] = WEIRD_FILE, - ["irc_invalid_squery_message_format"] = WEIRD_FILE, - ["irc_invalid_topic_reply"] = WEIRD_FILE, - ["irc_invalid_who_line"] = WEIRD_FILE, - ["irc_invalid_who_message_format"] = WEIRD_FILE, - ["irc_invalid_whois_channel_line"] = WEIRD_FILE, - ["irc_invalid_whois_message_format"] = WEIRD_FILE, - ["irc_invalid_whois_operator_line"] = WEIRD_FILE, - ["irc_invalid_whois_user_line"] = WEIRD_FILE, - 
["irc_line_size_exceeded"] = WEIRD_FILE, - ["irc_line_too_short"] = WEIRD_FILE, - ["irc_too_many_invalid"] = WEIRD_FILE, - ["line_terminated_with_single_CR"] = WEIRD_FILE, - ["line_terminated_with_single_LF"] = WEIRD_FILE, - ["malformed_ssh_identification"] = WEIRD_FILE, - ["malformed_ssh_version"] = WEIRD_FILE, - ["matching_undelivered_data"] = WEIRD_FILE, - ["multiple_HTTP_request_elements"] = WEIRD_FILE, - ["multiple_RPCs"] = WEIRD_NOTICE_PER_ORIG, - ["non_IPv4_packet"] = WEIRD_NOTICE_ONCE, - ["NUL_in_line"] = WEIRD_FILE, - ["originator_RPC_reply"] = WEIRD_NOTICE_PER_ORIG, - ["partial_finger_request"] = WEIRD_FILE, - ["partial_ftp_request"] = WEIRD_FILE, - ["partial_ident_request"] = WEIRD_FILE, - ["partial_RPC"] = WEIRD_NOTICE_PER_ORIG, - ["partial_RPC_request"] = WEIRD_FILE, - ["pending_data_when_closed"] = WEIRD_FILE, - ["pop3_bad_base64_encoding"] = WEIRD_FILE, - ["pop3_client_command_unknown"] = WEIRD_FILE, - ["pop3_client_sending_server_commands"] = WEIRD_FILE, - ["pop3_malformed_auth_plain"] = WEIRD_FILE, - ["pop3_server_command_unknown"] = WEIRD_FILE, - ["pop3_server_sending_client_commands"] = WEIRD_FILE, - ["possible_split_routing"] = WEIRD_FILE, - ["premature_connection_reuse"] = WEIRD_FILE, - ["repeated_SYN_reply_wo_ack"] = WEIRD_FILE, - ["repeated_SYN_with_ack"] = WEIRD_FILE, - ["responder_RPC_call"] = WEIRD_NOTICE_PER_ORIG, - ["rlogin_text_after_rejected"] = WEIRD_FILE, - ["RPC_rexmit_inconsistency"] = WEIRD_FILE, - ["RPC_underflow"] = WEIRD_FILE, - ["RST_storm"] = WEIRD_NOTICE_ALWAYS, - ["RST_with_data"] = WEIRD_FILE, # PC's do this - ["simultaneous_open"] = WEIRD_NOTICE_PER_CONN, - ["spontaneous_FIN"] = WEIRD_IGNORE, - ["spontaneous_RST"] = WEIRD_IGNORE, - ["SMB_parsing_error"] = WEIRD_FILE, - ["no_smb_session_using_parsesambamsg"] = WEIRD_FILE, - ["smb_andx_command_failed_to_parse"] = WEIRD_FILE, - ["transaction_subcmd_missing"] = WEIRD_FILE, - ["SSLv3_data_without_full_handshake"] = WEIRD_FILE, - ["unexpected_SSLv3_record"] = WEIRD_FILE, - 
["successful_RPC_reply_to_invalid_request"] = WEIRD_NOTICE_PER_ORIG, - ["SYN_after_close"] = WEIRD_FILE, - ["SYN_after_partial"] = WEIRD_NOTICE_PER_ORIG, - ["SYN_after_reset"] = WEIRD_FILE, - ["SYN_inside_connection"] = WEIRD_FILE, - ["SYN_seq_jump"] = WEIRD_FILE, - ["SYN_with_data"] = WEIRD_FILE, - ["TCP_christmas"] = WEIRD_FILE, - ["truncated_ARP"] = WEIRD_FILE, - ["truncated_NTP"] = WEIRD_FILE, - ["UDP_datagram_length_mismatch"] = WEIRD_NOTICE_PER_ORIG, - ["unexpected_client_HTTP_data"] = WEIRD_FILE, - ["unexpected_multiple_HTTP_requests"] = WEIRD_FILE, - ["unexpected_server_HTTP_data"] = WEIRD_FILE, - ["unmatched_HTTP_reply"] = WEIRD_FILE, - ["unpaired_RPC_response"] = WEIRD_FILE, - ["unsolicited_SYN_response"] = WEIRD_IGNORE, - ["window_recision"] = WEIRD_FILE, - ["double_%_in_URI"] = WEIRD_FILE, - ["illegal_%_at_end_of_URI"] = WEIRD_FILE, - ["unescaped_%_in_URI"] = WEIRD_FILE, - ["unescaped_special_URI_char"] = WEIRD_FILE, - - ["UDP_zone_transfer"] = WEIRD_NOTICE_ONCE, - - ["deficit_netbios_hdr_len"] = WEIRD_FILE, - ["excess_netbios_hdr_len"] = WEIRD_FILE, - ["netbios_client_session_reply"] = WEIRD_FILE, - ["netbios_raw_session_msg"] = WEIRD_FILE, - ["netbios_server_session_request"] = WEIRD_FILE, - ["unknown_netbios_type"] = WEIRD_FILE, - - # flow_weird - ["excessively_large_fragment"] = WEIRD_NOTICE_ALWAYS, - - # Code Red generates slews ... - ["excessively_small_fragment"] = WEIRD_NOTICE_PER_ORIG, - - ["fragment_inconsistency"] = WEIRD_NOTICE_PER_ORIG, - ["fragment_overlap"] = WEIRD_NOTICE_PER_ORIG, - ["fragment_protocol_inconsistency"] = WEIRD_NOTICE_ALWAYS, - ["fragment_size_inconsistency"] = WEIRD_NOTICE_PER_ORIG, - ["fragment_with_DF"] = WEIRD_FILE, # these do indeed happen! 
- ["incompletely_captured_fragment"] = WEIRD_NOTICE_ALWAYS,
-
- # net_weird
- ["bad_IP_checksum"] = WEIRD_FILE,
- ["bad_TCP_header_len"] = WEIRD_FILE,
- ["internally_truncated_header"] = WEIRD_NOTICE_ALWAYS,
- ["truncated_IP"] = WEIRD_FILE,
- ["truncated_header"] = WEIRD_FILE,
-
- # generated by policy script
- ["Land_attack"] = WEIRD_NOTICE_PER_ORIG,
- ["bad_pm_port"] = WEIRD_NOTICE_PER_ORIG,
-
- ["ICMP-unreachable for wrong state"] = WEIRD_NOTICE_PER_ORIG,
-
- } &redef;
-
- # table that maps weird types into a function that should be called
- # to determine the action.
- const weird_action_filters:
- table[string] of function(c: connection): WeirdAction &redef;
-
- const weird_ignore_host: set[addr, string] &redef;
+ ## To completely ignore a specific weird for a host, add the host
+ ## and weird name into this set.
+ const ignore_hosts: set[addr, string] &redef;
 # But don't ignore these (for the weird file), it's handy keeping
 # track of clustered checksum errors.
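Review bot: Several names present in the old `weird_action` table have no entry in the new `actions` table, and because the table now carries `&default=ACTION_LOG` their handling changes silently: `Land_attack`, `bad_pm_port` and `ICMP-unreachable for wrong state` (formerly `WEIRD_NOTICE_PER_ORIG`) and `UDP_zone_transfer` (formerly `WEIRD_NOTICE_ONCE`) would now be logged without limit and never raise a notice, `inflate_data_failed` and the two SSLv3 entries lose their explicit mapping too, and the second patch in this series restores only `unsolicited_SYN_response`. If those names can still be generated (the old comment marks some as coming from policy scripts, which I cannot check from here) they need explicit entries; otherwise a short comment recording the deliberate drops would stop the question from recurring. `ACTION_UNSPECIFIED` is declared but nothing visible in this series reads it, and because of the table default it can only be reached through a `redef`, where it is neither limiting nor noticing, i.e. it behaves like `ACTION_LOG`; either drop it or document it, e.g. `## Reserved; currently handled like ACTION_LOG.`. The `Action` members are exported without `##` doc comments while every `Info` field gained one; one line per member saying what it de-duplicates on and whether it raises a notice would make the `&redef` contract usable without reading `report()`. The `## These do indeed happen!` line inside the table initializer uses doc-comment syntax where the surrounding entries use a plain `#`.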
@@ -233,26 +221,45 @@ export {
 "bad_ICMP_checksum",
 } &redef;
+ ## This table is used to track identifier and name pairs that should be
+ ## temporarily ignored because the problem has already been reported.
+ ## This helps reduce the volume of high volume weirds by only allowing
+ ## a unique weird every ``create_expire`` interval.
+ global weird_ignore: set[string, string] &create_expire=10min &redef;
+
+ ## A state set which tracks unique weirds solely by the name to reduce
+ ## duplicate logging. This is not synchronized deliberately because it
+ ## could cause overload during storms
+ global did_log: set[string, string] &create_expire=1day &redef;
+
+ ## A state set which tracks unique weirds solely by the name to reduce
+ ## duplicate notices from being raised.
+ global did_notice: set[string, string] &create_expire=1day &redef;
+ global log_weird: event(rec: Info);
 }
-# id/msg pairs that should be ignored (because the problem has already
-# been reported).
-global weird_ignore: table[string] of set[string] &write_expire = 10 min;
+# These actions result in the output being limited and further redundant
+# weirds not progressing to being logged or noticed.
+const limiting_actions = {
+ ACTION_LOG_ONCE,
+ ACTION_LOG_PER_CONN,
+ ACTION_LOG_PER_ORIG,
+ ACTION_NOTICE_ONCE,
+ ACTION_NOTICE_PER_CONN,
+ ACTION_NOTICE_PER_ORIG,
+};
-# For WEIRD_NOTICE_PER_CONN.
-global did_notice_conn: set[addr, port, addr, port, string]
- &read_expire = 1 day;
+# This is an internal set to track which Weird::Action values lead to notice
+# creation.
+const notice_actions = {
+ ACTION_NOTICE,
+ ACTION_NOTICE_PER_CONN,
+ ACTION_NOTICE_PER_ORIG,
+ ACTION_NOTICE_ONCE,
+};
-# For WEIRD_NOTICE_PER_ORIG.
-global did_notice_orig: set[addr, string] &read_expire = 1 day;
-
-# For WEIRD_NOTICE_ONCE.
-global did_weird_log: set[string] &read_expire = 1 day;
-
-global did_inconsistency_msg: set[conn_id];
-
-# Used to pass the optional connection into report_weird().
+# Used to pass the optional connection into report().
 global current_conn: connection;
 event bro_init() &priority=5
@@ -260,12 +267,54 @@ event bro_init() &priority=5
 Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird]);
 }
-function report_weird(t: time, name: string, id: string, have_conn: bool,
- addl: string, action: WeirdAction, no_log: bool)
+function flow_id_string(src: addr, dst: addr): string {
+ return fmt("%s -> %s", src, dst);
+ }
+
+function report(t: time, name: string, identifier: string, have_conn: bool, addl: string)
+ {
+ local action = actions[name];
+
+ # If this weird is to be ignored let's drop out of here very early.
+ if ( action == ACTION_IGNORE || [name, identifier] in weird_ignore )
+ return;
+
+ if ( action in limiting_actions )
+ {
+ if ( action in notice_actions )
+ {
+ # Handle notices
+ if ( action == ACTION_NOTICE_PER_ORIG && have_conn )
+ identifier = flow_id_string(current_conn$id$orig_h, current_conn$id$resp_h);
+ else if ( action == ACTION_NOTICE_ONCE )
+ identifier = "";
+
+ # If this weird was already noticed then we're done.
+ if ( [name, identifier] in did_notice )
+ return;
+ add did_notice[name, identifier];
+ }
+ else
+ {
+ # Handle logging.
+ if ( action == ACTION_LOG_PER_ORIG && have_conn )
+ identifier = flow_id_string(current_conn$id$orig_h, current_conn$id$resp_h);
+ else if ( action == ACTION_LOG_ONCE )
+ identifier = "";
+
+ # If this weird was already logged then we're done.
+ if ( [name, identifier] in did_log )
+ return;
+ add did_log[name, identifier];
+ }
+ }
+
+ # Create the Weird::Info record.
 local info: Info;
 info$ts = t;
- info$msg = name;
+ info$name = name;
+ info$peer = peer_description;
 if ( addl != "" )
 info$addl = addl;
 if ( have_conn )
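Review bot: The doc comments on `did_log` and `did_notice` say the sets track weirds "solely by the name", but both are declared `set[string, string]` and `report()` adds `[name, identifier]` pairs, where the identifier is a connection id string, an originator, or `""` for the ONCE actions; I would write `## Tracks (name, identifier) pairs that have already been logged so that repeats of a rate-limited weird are suppressed for the ``create_expire`` interval.` and the equivalent wording for `did_notice`. The `did_log` comment is also missing its final period after "storms", and only `did_log` says it is deliberately left unsynchronized; if that applies to `did_notice` as well (which seems likely, since both are populated the same way), say so there too.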
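Review bot: The early-exit check `[name, identifier] in weird_ignore` in `report()` is keyed on the identifier the caller passed, but the matching `add weird_ignore[name, identifier]` at the end of the function (next hunk) runs after `identifier` has been rewritten to the originator or to `""` for the PER_ORIG and ONCE actions, so for those actions the stored entry can never match the lookup and the 10-minute suppression is dead state. Since the limiting actions are already de-duplicated through `did_log`/`did_notice`, the simplest fix is to restrict the suppression to the unlimited actions, `if ( action !in limiting_actions && name !in weird_do_not_ignore_repeats )`, at the add site. `report()` continues into the next hunk.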
@@ -274,128 +323,59 @@ function report_weird(t: time, name: string, id: string, have_conn: bool,
 info$id = current_conn$id;
 }
- if ( action == WEIRD_IGNORE ||
- (id in weird_ignore && name in weird_ignore[id]) )
- return;
-
- if ( action == WEIRD_UNSPECIFIED )
- {
- if ( name in weird_action && weird_action[name] == WEIRD_IGNORE )
- return;
- else
- {
- action = WEIRD_NOTICE_ALWAYS;
- info$notice = T;
- }
- }
-
- if ( action in notice_actions && ! no_log )
+ if ( action in notice_actions )
 {
+ info$notice = T;
+ local n: Notice::Info;
- n$note = Weird_Activity;
- n$msg = info$msg;
+ n$note = Activity;
+ n$msg = info$name;
 if ( have_conn )
 n$conn = current_conn;
 if ( info?$addl )
 n$sub = info$addl;
 NOTICE(n);
 }
- else if ( id != "" && name !in weird_do_not_ignore_repeats )
- {
- if ( id !in weird_ignore )
- weird_ignore[id] = set() &mergeable;
- add weird_ignore[id][name];
- }
-
+
+ # This is for the temporary ignoring to reduce volume for identical weirds.
+ if ( name !in weird_do_not_ignore_repeats )
+ add weird_ignore[name, identifier];
+ Log::write(Weird::LOG, info);
 }
-function report_weird_conn(t: time, name: string, id: string, addl: string,
- c: connection)
+function report_conn(t: time, name: string, identifier: string, addl: string, c: connection)
 {
- if ( [c$id$orig_h, name] in weird_ignore_host ||
- [c$id$resp_h, name] in weird_ignore_host )
+ local cid = c$id;
+ if ( [cid$orig_h, name] in ignore_hosts ||
+ [cid$resp_h, name] in ignore_hosts )
 return;
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- if ( name in weird_action_filters )
- action = weird_action_filters[name](c);
-
- if ( action == WEIRD_UNSPECIFIED )
- action = weird_action[name];
-
- local cid = c$id;
-
- if ( action == WEIRD_NOTICE_PER_CONN )
- {
- if ( [cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name] in did_notice_conn )
- no_log = T;
- else
- add did_notice_conn[cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name];
- }
-
- else if (
action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [c$id$orig_h, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[c$id$orig_h, name];
- }
-
- else if ( action == WEIRD_NOTICE_ONCE )
- {
- if ( name in did_weird_log )
- no_log = T;
- else
- add did_weird_log[name];
- }
- }
- current_conn = c;
- report_weird(t, name, id, T, addl, action, no_log);
+ report(t, name, identifier, T, addl);
 }
-function report_weird_orig(t: time, name: string, id: string, orig: addr)
+function report_orig(t: time, name: string, identifier: string, orig: addr)
 {
- local no_log = F;
- local action = WEIRD_UNSPECIFIED;
-
- if ( name in weird_action )
- {
- action = weird_action[name];
- if ( action == WEIRD_NOTICE_PER_ORIG )
- {
- if ( [orig, name] in did_notice_orig )
- no_log = T;
- else
- add did_notice_orig[orig, name];
- }
- }
-
- report_weird(t, name, id, F, "", action, no_log);
- }
+ if ( [orig, name] in ignore_hosts )
+ return;
+ report(t, name, identifier, F, "");
+ }
+
+
+# The following events come from core generated weirds typically.
 event conn_weird(name: string, c: connection, addl: string)
 {
- report_weird_conn(network_time(), name, id_string(c$id), addl, c);
+ report_conn(network_time(), name, id_string(c$id), addl, c);
 }
 event flow_weird(name: string, src: addr, dst: addr)
 {
- report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
+ report_orig(network_time(), name, flow_id_string(src, dst), src);
 }
 event net_weird(name: string)
 {
- report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
- }
-
-event connection_state_remove(c: connection)
- {
- delete weird_ignore[id_string(c$id)];
- delete did_inconsistency_msg[c$id];
+ report(network_time(), name, "", F, "");
 }
diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.bro
index 790a706b7d..ffc760e5f7 100644
--- a/scripts/policy/tuning/defaults/__load__.bro
+++ b/scripts/policy/tuning/defaults/__load__.bro
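Review bot: `report_orig()` passes the `src -> dst` string built for `flow_weird` straight through, and `report()` only rewrites the identifier to the originator when `have_conn` is true, so for flow weirds an `ACTION_LOG_PER_ORIG`/`ACTION_NOTICE_PER_ORIG` entry (the `fragment_*` ones, for instance) is de-duplicated per source/destination pair rather than per originator; the old `report_weird_orig()` keyed `did_notice_orig` on `orig` alone, and the fourth patch in this series fixes only the connection path. The cheapest fix is in `report_orig()` before the call: `local action = actions[name];` / `if ( action == ACTION_LOG_PER_ORIG || action == ACTION_NOTICE_PER_ORIG )` / `identifier = fmt("%s", orig);`. Separately, the removed `else if ( id != "" && ... )` guard meant that net weirds (identifier `""`) were never added to the ignore table and that a weird which had just raised a notice was not suppressed; the new `if ( name !in weird_do_not_ignore_repeats ) add weird_ignore[name, identifier];` does both, so an unlimited `ACTION_LOG` net weird such as `truncated_IP` is now emitted at most once per 10 minutes across all sources. If that is intended it deserves a comment; otherwise `identifier != ""` belongs back in the condition. The head of `report()` is in the previous hunk.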
@@ -1,3 +1,2 @@
-@load ./remove-high-volume-notices
 @load ./packet-fragments
 @load ./warnings
\ No newline at end of file
diff --git a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
deleted file mode 100644
index 18f2974d42..0000000000
--- a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
+++ /dev/null
@@ -1,10 +0,0 @@
-##! This strives to tune out high volume and less useful data
-##! from the notice log.
-
-@load base/frameworks/notice
-@load base/frameworks/notice/weird
-
-redef Notice::ignored_types += {
- ## Only allow these to go in the weird log.
- Weird::Weird_Activity,
-};
From 0cdcf490d68eb19d83548602f56fd1a3c55a5b2d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Oct 2011 14:17:54 -0400 Subject: [PATCH 2/4] Restoring former default weird behavior for unsolicited_SYN_response. --- scripts/base/frameworks/notice/weird.bro | 1 + 1 file changed, 1 insertion(+)
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index d7ae230449..6de34f10a9 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -46,6 +46,7 @@ export {
 };
 const actions: table[string] of Action = {
+ ["unsolicited_SYN_response"] = ACTION_IGNORE,
 ["above_hole_data_without_any_acks"] = ACTION_LOG,
 ["active_connection_reuse"] = ACTION_LOG,
 ["bad_HTTP_reply"] = ACTION_LOG,
From 29bace02b26d2ffe274b2966768254bb78e8b3a1 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Oct 2011 14:31:40 -0400 Subject: [PATCH 3/4] More small weird refinements to reduce overload attacks. --- scripts/base/frameworks/notice/weird.bro | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 6de34f10a9..38dea64b29 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
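Review bot: The restored `["unsolicited_SYN_response"] = ACTION_IGNORE,` is inserted above `above_hole_data_without_any_acks`, breaking the alphabetical order the rest of the table follows and making the entry easy to overlook when the table is diffed or redef'd; it belongs between `unpaired_RPC_response` and `window_recision`. A one-line comment on why this weird is ignored by default would also help, since the other `ACTION_IGNORE` entries carry no explanation either.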
@@ -51,7 +51,7 @@ export {
 ["active_connection_reuse"] = ACTION_LOG,
 ["bad_HTTP_reply"] = ACTION_LOG,
 ["bad_HTTP_version"] = ACTION_LOG,
- ["bad_ICMP_checksum"] = ACTION_LOG,
+ ["bad_ICMP_checksum"] = ACTION_LOG_PER_ORIG,
 ["bad_ident_port"] = ACTION_LOG,
 ["bad_ident_reply"] = ACTION_LOG,
 ["bad_ident_request"] = ACTION_LOG,
@@ -61,12 +61,12 @@ export {
 ["bad_RPC"] = ACTION_LOG_PER_ORIG,
 ["bad_RPC_program"] = ACTION_LOG,
 ["bad_SYN_ack"] = ACTION_LOG,
- ["bad_TCP_checksum"] = ACTION_LOG,
- ["bad_UDP_checksum"] = ACTION_LOG,
+ ["bad_TCP_checksum"] = ACTION_LOG_PER_ORIG,
+ ["bad_UDP_checksum"] = ACTION_LOG_PER_ORIG,
 ["baroque_SYN"] = ACTION_LOG,
 ["base64_illegal_encoding"] = ACTION_LOG,
 ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG,
- ["corrupt_tcp_options"] = ACTION_NOTICE_PER_ORIG,
+ ["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG,
 ["crud_trailing_HTTP_request"] = ACTION_LOG,
 ["data_after_reset"] = ACTION_LOG,
 ["data_before_established"] = ACTION_LOG,
@@ -95,7 +95,7 @@ export {
 ["excessive_RPC_len"] = ACTION_LOG_PER_ORIG,
 ["FIN_advanced_last_seq"] = ACTION_LOG,
 ["FIN_after_reset"] = ACTION_IGNORE,
- ["FIN_storm"] = ACTION_NOTICE,
+ ["FIN_storm"] = ACTION_NOTICE_PER_ORIG,
 ["HTTP_bad_chunk_size"] = ACTION_LOG,
 ["HTTP_chunked_transfer_for_multipart_message"] = ACTION_LOG,
 ["HTTP_overlapping_messages"] = ACTION_LOG,
@@ -160,7 +160,7 @@ export {
 ["RPC_rexmit_inconsistency"] = ACTION_LOG,
 ["RPC_underflow"] = ACTION_LOG,
 ["RST_storm"] = ACTION_LOG,
- ["RST_with_data"] = ACTION_LOG, # PC's do this
+ ["RST_with_data"] = ACTION_LOG,
 ["simultaneous_open"] = ACTION_LOG_PER_CONN,
 ["spontaneous_FIN"] = ACTION_IGNORE,
 ["spontaneous_RST"] = ACTION_IGNORE,
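Review bot: Switching `bad_ICMP_checksum` to `ACTION_LOG_PER_ORIG` (and `bad_TCP_checksum`/`bad_UDP_checksum` in the `@@ -61` hunk, `bad_IP_checksum` in the `@@ -204` hunk) conflicts with `weird_do_not_ignore_repeats`, whose context lines in the first patch still list `bad_ICMP_checksum` under the comment that repeats are worth keeping to track clustered checksum errors: `report()` consults `did_log` before that set is ever looked at, so after the first entry a given originator's checksum failures are dropped for a day regardless. Either remove the checksum names from `weird_do_not_ignore_repeats` and update its comment, or make the limiting step honor it, `if ( action in limiting_actions && name !in weird_do_not_ignore_repeats )`, so the operator-facing knob keeps its meaning. A one-day `did_log` expiry is also a long blind spot for checksum weirds, which tend to come and go with capture or offload problems; a shorter interval for them is worth considering, though that is a tuning judgment.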
@@ -204,7 +204,7 @@ export {
 ## These do indeed happen!
 ["fragment_with_DF"] = ACTION_LOG,
 ["incompletely_captured_fragment"] = ACTION_LOG,
- ["bad_IP_checksum"] = ACTION_LOG,
+ ["bad_IP_checksum"] = ACTION_LOG_PER_ORIG,
 ["bad_TCP_header_len"] = ACTION_LOG,
 ["internally_truncated_header"] = ACTION_LOG,
 ["truncated_IP"] = ACTION_LOG,
From ff51068598cc3d4815c0139391afee3adc938c9f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 22 Oct 2011 01:13:15 -0400 Subject: [PATCH 4/4] Fixing a bug with handling downgrade from weird conn to orig. --- scripts/base/frameworks/notice/weird.bro | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 38dea64b29..2303c97fbc 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -286,8 +286,8 @@ function report(t: time, name: string, identifier: string, have_conn: bool, addl
 if ( action in notice_actions )
 {
 # Handle notices
- if ( action == ACTION_NOTICE_PER_ORIG && have_conn )
- identifier = flow_id_string(current_conn$id$orig_h, current_conn$id$resp_h);
+ if ( have_conn && action == ACTION_NOTICE_PER_ORIG )
+ identifier = fmt("%s", current_conn$id$orig_h);
 else if ( action == ACTION_NOTICE_ONCE )
 identifier = "";
@@ -299,8 +299,8 @@ function report(t: time, name: string, identifier: string, have_conn: bool, addl
 else
 {
 # Handle logging.
- if ( action == ACTION_LOG_PER_ORIG && have_conn )
- identifier = flow_id_string(current_conn$id$orig_h, current_conn$id$resp_h);
+ if ( have_conn && action == ACTION_LOG_PER_ORIG )
+ identifier = fmt("%s", current_conn$id$orig_h);
 else if ( action == ACTION_LOG_ONCE )
 identifier = "";
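Review bot: The identifier rewrite in this hunk and the one in the `@@ -299` hunk are now the same two lines with only the action name swapped, so the key-derivation rule lives in two places and has to be fixed twice, as this patch shows; computing the de-duplication key once before the `notice_actions` branch removes the duplication and leaves the two branches with only the set they consult. The body of `report()` starts and ends outside the hunk, and `flow_id_string()` keeps its one remaining caller in `flow_weird`.
```bro
	# Derive the de-duplication key once; the notice and log branches
	# below differ only in which state set they consult.
	if ( have_conn &&
	     (action == ACTION_NOTICE_PER_ORIG || action == ACTION_LOG_PER_ORIG) )
		identifier = fmt("%s", current_conn$id$orig_h);
	else if ( action == ACTION_NOTICE_ONCE || action == ACTION_LOG_ONCE )
		identifier = "";
	# … unchanged: did_notice / did_log membership checks and adds …
```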