diff --git a/policy/frameworks/metrics/base/main.bro b/policy/frameworks/metrics/base/main.bro index 354172fd42..5cd6d6ccfc 100644 --- a/policy/frameworks/metrics/base/main.bro +++ b/policy/frameworks/metrics/base/main.bro @@ -2,9 +2,9 @@ module Metrics; -redef enum Log::ID += { METRICS }; - export { + redef enum Log::ID += { METRICS }; + type ID: enum { ALL, }; @@ -12,10 +12,10 @@ export { const default_aggregation_mask = 24 &redef; const default_break_interval = 5mins &redef; - # TODO: configure a metrics config logging stream to log the current + # TODO: configure a metrics filter logging stream to log the current # metrics configuration in case someone is looking through # old logs and the configuration has changed since then. - type Config: record { + type Filter: record { name: ID &optional; ## Global mask by which you'd like to aggregate traffic. aggregation_mask: count &optional; @@ -46,13 +46,13 @@ export { value: count &log; }; - global configure: function(name: ID, config: Config); + global add_filter: function(name: ID, filter: Filter); global add_data: function(name: ID, index: Index, increment: count); global log_metrics: event(rec: Info); } -global metric_configs: table[ID] of Config = table(); +global metric_filters: table[ID] of Filter = table(); type MetricIndex: table[string] of count &default=0; type MetricTable: table[string] of MetricIndex; @@ -68,12 +68,12 @@ function reset(name: ID) store[name] = table(); } -event log_it(config: Config) +event log_it(filter: Filter) { # If this node is the manager in a cluster, this needs to request values # for this metric from all of the workers. - local name = config$name; + local name = filter$name; for ( agg_subnet in store[name] ) { local metric_values = store[name][agg_subnet]; @@ -92,29 +92,32 @@ event log_it(config: Config) Log::write(METRICS, m); } } + + reset(name); - schedule config$break_interval { log_it(config) }; + + schedule filter$break_interval { log_it(filter) }; } -function configure(name: ID, config: Config) +function add_filter(name: ID, filter: Filter) { - if ( config?$aggregation_table && config?$aggregation_mask ) + if ( filter?$aggregation_table && filter?$aggregation_mask ) { - print "INVALID Metric configuration: Defined $aggregation_table and $aggregation_mask."; + print "INVALID Metric filter: Defined $aggregation_table and $aggregation_mask."; return; } - config$name = name; - metric_configs[name] = config; + filter$name = name; + metric_filters[name] = filter; store[name] = table(); # Only do this on the manager if in a cluster. - schedule config$break_interval { log_it(config) }; + schedule filter$break_interval { log_it(filter) }; } function add_data(name: ID, index: Index, increment: count) { - local conf = metric_configs[name]; + local conf = metric_filters[name]; local agg_subnet = ""; if ( index?$host ) @@ -127,14 +130,14 @@ function add_data(name: ID, index: Index, increment: count) } else if ( conf?$aggregation_table ) agg_subnet = fmt("%s", conf$aggregation_table[index$host]); + else + agg_subnet = fmt("%s", index$host); } if ( agg_subnet !in store[name] ) - store[name][agg_subnet] = table([index$index] = increment); - else - { - if ( index$index !in store[name][agg_subnet] ) - store[name][agg_subnet][index$index] = 0; - store[name][agg_subnet][index$index] = store[name][agg_subnet][index$index] + increment; - } + store[name][agg_subnet] = table(); + + if ( index$index !in store[name][agg_subnet] ) + store[name][agg_subnet][index$index] = 0; + store[name][agg_subnet][index$index] = store[name][agg_subnet][index$index] + increment; } diff --git a/policy/protocols/http/base/detect-sqli.bro b/policy/protocols/http/base/detect-sqli.bro index 4c91d7e097..955e9dddf6 100644 --- a/policy/protocols/http/base/detect-sqli.bro +++ b/policy/protocols/http/base/detect-sqli.bro @@ -6,8 +6,14 @@ module HTTP; export { redef enum Notice::Type += { + SQL_Injection_Attacker, SQL_Injection_Attack, }; + + redef enum Metrics::ID += { + SQL_ATTACKER, + SQL_ATTACK_AGAINST, + }; redef enum Tags += { ## Indicator of a URI based SQL injection attack. @@ -22,15 +28,26 @@ export { ## This regular expression is used to match URI based SQL injections const match_sql_injection_uri = /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/ - | /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([oO][rR]|[aA][nN][dD])([[:blank:]]|\/\*.*?\*\/)+['"]?[^a-zA-Z&]+?=/ + | /[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[aA][nN][dD])([[:blank:]]|\/\*.*?\*\/)+['"]?[^a-zA-Z&]+?=/ | /[\?&][^[:blank:]]+?=[\-0-9%]*([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/)*(\-|\+|\|\|)([[:blank:]]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ - | /[\?&][^[:blank:]\|]+?=([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/|;)*([oO][rR]|[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT]|\()[^a-zA-Z&]/ + | /[\?&][^[:blank:]\|]+?=([[:blank:]]|\/\*.*?\*\/)*['"]([[:blank:]]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT]|\()[^a-zA-Z&]/ | /[\?&][^[:blank:]]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ &redef; } +event bro_init() + { + Metrics::add_filter(SQL_ATTACKER, [$break_interval=5mins, $note=SQL_Injection_Attack]); + Metrics::add_filter(SQL_ATTACK_AGAINST, [$break_interval=5mins, $note=SQL_Injection_Attack]); + } + event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &priority=3 { if ( match_sql_injection_uri in unescaped_URI ) + { add c$http$tags[URI_SQLI]; + + Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1); + Metrics::add_data(SQL_ATTACK_AGAINST, [$host=c$id$resp_h], 1); + } } \ No newline at end of file