make last plugin nicer and samplify sqli detector

2025-10-06 16:48:19 +00:00 · 2013-05-15 01:09:52 -07:00 · 2013-05-15 01:09:52 -07:00 · b0c4dcdfed
commit b0c4dcdfed
parent d939c2bdfc
2 changed files with 29 additions and 24 deletions
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@ -63,7 +63,7 @@ event bro_init() &priority=3
 	# Add filters to the metrics so that the metrics framework knows how to
 	# determine when it looks like an actual attack and how to respond when
 	# thresholds are crossed.
-	local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples];
+	local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
 	SumStats::create([$epoch=sqli_requests_interval,
 	                  $reducers=set(r1),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
@ -76,12 +76,12 @@ event bro_init() &priority=3
 	                  	local r = result["http.sqli.attacker"];
 	                  	NOTICE([$note=SQL_Injection_Attacker,
 	                  	        $msg="An SQL injection attacker was discovered!",
-	                  	        $email_body_sections=vector(format_sqli_samples(SumStats::get_samples(r))),
+	                  	        $email_body_sections=vector(format_sqli_samples(r$sample_vector)),
 	                  	        $src=key$host,
 	                  	        $identifier=cat(key$host)]);
 	                  	}]);

-	local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM), $samples=collect_SQLi_samples];
+	local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
 	SumStats::create([$epoch=sqli_requests_interval,
 	                  $reducers=set(r2),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
@ -94,7 +94,7 @@ event bro_init() &priority=3
 	                  	local r = result["http.sqli.victim"];
 	                  	NOTICE([$note=SQL_Injection_Victim,
 	                  	        $msg="An SQL injection victim was discovered!",
-	                  	        $email_body_sections=vector(format_sqli_samples(SumStats::get_samples(r))),
+	                  	        $email_body_sections=vector(format_sqli_samples(r$sample_vector)),
 	                  	        $src=key$host,
 	                  	        $identifier=cat(key$host)]);
 	                  	}]);