Small usability and correctness updates.

- Removed an notice definition from the base SSL scripts. - Moved a logging stream ID into the export section for known-services and bumped priority for creating the stream. - Adding configuration knobs for the SQL injection attack detection script and renaming the HTTP::SQL_Injection_Attack notice to HTTP::SQL_Injection_Attack_Against - Bumped priority when creating Known::CERTS_LOG.
2025-10-02 14:48:21 +00:00 · 2011-09-12 16:14:28 -04:00 · 2011-09-12 16:14:28 -04:00 · c87704cc25
commit c87704cc25
parent eda8632d62
4 changed files with 29 additions and 23 deletions
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -1,15 +1,10 @@
@load ./consts
-@load base/frameworks/notice

 module SSL;

 export {
 	redef enum Log::ID += { LOG };

-	redef enum Notice::Type += {
-		Self_Signed_Cert
-	};
-
 	type Info: record {
 		ts:               time             &log;
 		uid:              string           &log;
--- a/scripts/policy/protocols/conn/known-services.bro
+++ b/scripts/policy/protocols/conn/known-services.bro
@ -7,9 +7,9 @@

 module Known;

-redef enum Log::ID += { SERVICES_LOG };
-
 export {
+	redef enum Log::ID += { SERVICES_LOG };
+	
 	type Info: record {
 		ts:             time            &log;
 		host:           addr            &log;
@ -33,7 +33,7 @@ redef record connection += {
 	known_services_watch: bool &default=F;
 };

-event bro_init()
+event bro_init() &priority=5
 	{
 	Log::create_stream(Known::SERVICES_LOG, [$columns=Info,
 	                                         $ev=log_known_services]);
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@ -1,19 +1,19 @@
 ##! SQL injection detection in HTTP.

-@load base/frameworks/notice/main
-@load base/frameworks/metrics/main
-@load base/protocols/http/main
+@load base/frameworks/notice
+@load base/frameworks/metrics
+@load base/protocols/http

 module HTTP;

 export {
 	redef enum Notice::Type += {
 		SQL_Injection_Attacker,
-		SQL_Injection_Attack,
+		SQL_Injection_Attack_Against,
 	};
 	
 	redef enum Metrics::ID += {
-		SQL_ATTACKS,
+		SQL_ATTACKER,
 		SQL_ATTACKS_AGAINST,
 	};

@ -27,6 +27,16 @@ export {
 		COOKIE_SQLI,
 	};
 	
+	## This defines the threshold that determines if an SQL injection attack
+	## is ongoing based on the number of requests that appear to be SQL 
+	## injection attacks.
+	const sqli_requests_threshold = 50 &redef;
+	
+	## Interval at which to watch for the :bro:id:`sqli_requests_threshold`
+	## variable to be crossed.  At the end of each interval the counter is 
+	## reset.
+	const sqli_requests_interval = 5min &redef;
+
 	## This regular expression is used to match URI based SQL injections
 	const match_sql_injection_uri = 
 		  /[\?&][^[:blank:]\x00-\x37\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x37]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x37]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x37]|\/\*.*?\*\/)+/
@ -37,15 +47,16 @@ export {
 		| /\/\*![[:digit:]]{5}.*?\*\// &redef;
 }

-event bro_init()
+event bro_init() &priority=3
 	{
-	Metrics::add_filter(SQL_ATTACKS, [$log=F,
-	                                  $break_interval=5mins, 
+	Metrics::add_filter(SQL_ATTACKER, [$log=F,
+	                                   $notice_threshold=sqli_requests_threshold,
+	                                   $break_interval=sqli_requests_interval, 
 	                                   $note=SQL_Injection_Attacker]);
 	Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F, 
-	                                          $break_interval=5mins, 
-	                                          $note=SQL_Injection_Attack, 
-	                                          $notice_threshold=50]);
+	                                          $notice_threshold=sqli_requests_threshold,
+	                                          $break_interval=sqli_requests_interval, 
+	                                          $note=SQL_Injection_Attack_Against]);
 	}

 event http_request(c: connection, method: string, original_URI: string,
@ -55,7 +66,7 @@ event http_request(c: connection, method: string, original_URI: string,
 		{
 		add c$http$tags[URI_SQLI];
 		
-		Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h], 1);
+		Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1);
 		Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
 		}
 	}
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@ -34,7 +34,7 @@ export {
 	global log_known_certs: event(rec: Info);
 }

-event bro_init()
+event bro_init() &priority=5
 	{
 	Log::create_stream(Known::CERTS_LOG, [$columns=Info, $ev=log_known_certs]);
 	}