Updating baselines for doc changes.
This commit is contained in:
parent
589a0239be
commit
d070b01828
6 changed files with 41 additions and 32 deletions
2
CHANGES
2
CHANGES
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
2.1-1376 | 2013-09-20 14:18:30 -0700
|
2.1-1377 | 2013-09-20 14:38:15 -0700
|
||||||
|
|
||||||
* Updates to the scripting introduction. (Scott Runnels)
|
* Updates to the scripting introduction. (Scott Runnels)
|
||||||
|
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
2.1-1376
|
2.1-1377
|
||||||
|
|
|
@ -2,24 +2,20 @@
|
||||||
|
|
||||||
-- event.bif.bro
|
-- event.bif.bro
|
||||||
|
|
||||||
|
## Generated for every new connection. This event is raised with the first
|
||||||
|
## packet of a previously unknown connection. Bro uses a flow-based definition
|
||||||
|
## of "connection" here that includes not only TCP sessions but also UDP and
|
||||||
|
## ICMP flows.
|
||||||
|
global new_connection: event(c: connection );
|
||||||
|
## Generated when a TCP connection timed out. This event is raised when
|
||||||
|
## no activity was seen for an interval of at least
|
||||||
|
## :bro:id:`tcp_connection_linger`, and either one endpoint has already
|
||||||
|
## closed the connection or one side never became active.
|
||||||
|
global connection_timeout: event(c: connection );
|
||||||
|
## Generated when a connection's internal state is about to be removed from
|
||||||
|
## memory. Bro generates this event reliably once for every connection when it
|
||||||
|
## is about to delete the internal state. As such, the event is well-suited for
|
||||||
## script-level cleanup that needs to be performed for every connection. This
|
## script-level cleanup that needs to be performed for every connection. This
|
||||||
## event is generated not only for TCP sessions but also for UDP and ICMP
|
## event is generated not only for TCP sessions but also for UDP and ICMP
|
||||||
## flows.
|
## flows.
|
||||||
##
|
global connection_state_remove: event(c: connection );
|
||||||
##
|
|
||||||
global connection_external: event(c: connection , tag: string );
|
|
||||||
|
|
||||||
|
|
||||||
## Generated when a UDP session for a supported protocol has finished. Some of
|
|
||||||
## Bro's application-layer UDP analyzers flag the end of a session by raising
|
|
||||||
## Generated when a connection is seen that is marked as being expected.
|
|
||||||
|
|
||||||
|
|
||||||
global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
|
|
||||||
## their specifics differ slightly. Often, however, both will be raised for
|
|
||||||
## the same connection if some of its data is missing. We should eventually
|
|
||||||
## merge the two.
|
|
||||||
global ack_above_hole: event(c: connection );
|
|
||||||
|
|
||||||
|
|
||||||
##
|
|
||||||
|
|
|
@ -2,8 +2,6 @@
|
||||||
|
|
||||||
-- detect-MHR.bro
|
-- detect-MHR.bro
|
||||||
|
|
||||||
|
@load base/frameworks/files
|
||||||
module TeamCymruMalwareHashRegistry;
|
@load base/frameworks/notice
|
||||||
|
@load frameworks/files/hash-all-files
|
||||||
export {
|
|
||||||
redef enum Notice::Type += {
|
|
||||||
|
|
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
-- detect-MHR.bro
|
-- detect-MHR.bro
|
||||||
|
|
||||||
|
export {
|
||||||
|
redef enum Notice::Type += {
|
||||||
## The hash value of a file transferred over HTTP matched in the
|
## The hash value of a file transferred over HTTP matched in the
|
||||||
## malware hash registry.
|
## malware hash registry.
|
||||||
Match
|
Match
|
||||||
|
@ -15,3 +17,10 @@
|
||||||
/application\/x-java-applet/ |
|
/application\/x-java-applet/ |
|
||||||
/application\/jar/ |
|
/application\/jar/ |
|
||||||
/video\/mp4/ &redef;
|
/video\/mp4/ &redef;
|
||||||
|
|
||||||
|
## The malware hash registry runs each malware sample through several A/V engines.
|
||||||
|
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
||||||
|
## sample as malicious. This threshold allows you to require a minimum detection
|
||||||
|
## rate.
|
||||||
|
const notice_threshold = 10 &redef;
|
||||||
|
}
|
||||||
|
|
|
@ -2,13 +2,6 @@
|
||||||
|
|
||||||
-- detect-MHR.bro
|
-- detect-MHR.bro
|
||||||
|
|
||||||
## The malware hash registry runs each malware sample through several A/V engines.
|
|
||||||
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
|
||||||
## sample as malicious. This threshold allows you to require a minimum detection
|
|
||||||
## rate.
|
|
||||||
const notice_threshold = 10 &redef;
|
|
||||||
}
|
|
||||||
|
|
||||||
event file_hash(f: fa_file, kind: string, hash: string)
|
event file_hash(f: fa_file, kind: string, hash: string)
|
||||||
{
|
{
|
||||||
if ( kind=="sha1" && match_file_types in f$mime_type )
|
if ( kind=="sha1" && match_file_types in f$mime_type )
|
||||||
|
@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
|
||||||
if ( |MHR_answer| == 2 )
|
if ( |MHR_answer| == 2 )
|
||||||
{
|
{
|
||||||
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
|
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
|
||||||
|
local mhr_detect_rate = to_count(MHR_answer[2]);
|
||||||
|
|
||||||
|
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
|
||||||
|
if ( mhr_detect_rate >= notice_threshold )
|
||||||
|
{
|
||||||
|
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
|
||||||
|
local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
|
||||||
|
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|