mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 08:08:19 +00:00
Measurement framework is ready for testing.
- New, expanded API. - Calculations moved into plugins. - Scripts using measurement framework ported. - Updated the script-land queue implementation to make it more generic. -
This commit is contained in:
Seth Hall
parent
93eca70e6b
commit
b477d2b02d
11 changed files with 183 additions and 186 deletions
|
|
@ -27,9 +27,9 @@ event bro_init()
|
|||
{
|
||||
Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
|
||||
$measure=set(Metrics::UNIQUE),
|
||||
$threshold_val_func(val: Metrics::ResultVal) = { return val$num; },
|
||||
$threshold_val_func(val: Metrics::Result) = { return val$num; },
|
||||
$threshold=bruteforce_threshold,
|
||||
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) =
|
||||
$threshold_crossed(index: Metrics::Index, val: Metrics::Result) =
|
||||
{
|
||||
local dur = duration_to_mins_secs(val$end-val$begin);
|
||||
local plural = val$unique>1 ? "s" : "";
|
||||
|
|
|
|||
|
|
@ -50,11 +50,11 @@ export {
|
|||
| /\/\*![[:digit:]]{5}.*?\*\// &redef;
|
||||
}
|
||||
|
||||
function format_sqli_samples(samples: vector of string): string
|
||||
function format_sqli_samples(samples: vector of Measurement::DataPoint): string
|
||||
{
|
||||
local ret = "SQL Injection samples\n---------------------";
|
||||
for ( i in samples )
|
||||
ret += "\n" + samples[i];
|
||||
ret += "\n" + samples[i]$str;
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
@ -63,31 +63,41 @@ event bro_init() &priority=3
|
|||
# Add filters to the metrics so that the metrics framework knows how to
|
||||
# determine when it looks like an actual attack and how to respond when
|
||||
# thresholds are crossed.
|
||||
Metrics::add_filter("http.sqli.attacker",
|
||||
[$every=sqli_requests_interval,
|
||||
$measure=set(Metrics::SUM),
|
||||
local r1: Measurement::Reducer = [$stream="http.sqli.attacker", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples];
|
||||
Measurement::create([$epoch=sqli_requests_interval,
|
||||
$reducers=set(r1),
|
||||
$threshold_val(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
return double_to_count(result["http.sqli.attacker"]$sum);
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$samples=collect_SQLi_samples,
|
||||
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
|
||||
$threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
local r = result["http.sqli.attacker"];
|
||||
NOTICE([$note=SQL_Injection_Attacker,
|
||||
$msg="An SQL injection attacker was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(val$samples)),
|
||||
$src=index$host,
|
||||
$identifier=cat(index$host)]);
|
||||
}]);
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
}]);
|
||||
|
||||
Metrics::add_filter("http.sqli.victim",
|
||||
[$every=sqli_requests_interval,
|
||||
$measure=set(Metrics::SUM),
|
||||
local r2: Measurement::Reducer = [$stream="http.sqli.victim", $apply=set(Measurement::SUM), $samples=collect_SQLi_samples];
|
||||
Measurement::create([$epoch=sqli_requests_interval,
|
||||
$reducers=set(r2),
|
||||
$threshold_val(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
return double_to_count(result["http.sqli.victim"]$sum);
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$samples=collect_SQLi_samples,
|
||||
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
|
||||
$threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
local r = result["http.sqli.victim"];
|
||||
NOTICE([$note=SQL_Injection_Victim,
|
||||
$msg="An SQL injection victim was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(val$samples)),
|
||||
$src=index$host,
|
||||
$identifier=cat(index$host)]);
|
||||
}]);
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
}]);
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
|
@ -97,7 +107,7 @@ event http_request(c: connection, method: string, original_URI: string,
|
|||
{
|
||||
add c$http$tags[URI_SQLI];
|
||||
|
||||
Metrics::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
|
||||
Metrics::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
|
||||
Measurement::add_data("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
|
||||
Measurement::add_data("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,21 +42,27 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Metrics::add_filter("ssh.login.failure", [$name="detect-bruteforcing", $log=F,
|
||||
$every=guessing_timeout,
|
||||
$measure=set(Metrics::SUM),
|
||||
$threshold=password_guesses_limit,
|
||||
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
|
||||
# Generate the notice.
|
||||
NOTICE([$note=Password_Guessing,
|
||||
$msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum),
|
||||
$src=index$host,
|
||||
$identifier=cat(index$host)]);
|
||||
# Insert the guesser into the intel framework.
|
||||
Intel::insert([$host=index$host,
|
||||
$meta=[$source="local",
|
||||
$desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]);
|
||||
}]);
|
||||
local r1: Measurement::Reducer = [$stream="ssh.login.failure", $apply=set(Measurement::SUM)];
|
||||
Measurement::create([$epoch=guessing_timeout,
|
||||
$reducers=set(r1),
|
||||
$threshold_val(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
return double_to_count(result["ssh.login.failure"]$sum);
|
||||
},
|
||||
$threshold=password_guesses_limit,
|
||||
$threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
|
||||
{
|
||||
local r = result["ssh.login.failure"];
|
||||
# Generate the notice.
|
||||
NOTICE([$note=Password_Guessing,
|
||||
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
# Insert the guesser into the intel framework.
|
||||
Intel::insert([$host=key$host,
|
||||
$meta=[$source="local",
|
||||
$desc=fmt("Bro observed %d apparently failed SSH connections.", r$num)]]);
|
||||
}]);
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection)
|
||||
|
|
@ -76,5 +82,5 @@ event SSH::heuristic_failed_login(c: connection)
|
|||
# be ignored.
|
||||
if ( ! (id$orig_h in ignore_guessers &&
|
||||
id$resp_h in ignore_guessers[id$orig_h]) )
|
||||
Metrics::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]);
|
||||
Measurement::add_data("ssh.login.failure", [$host=id$orig_h], [$num=1]);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue