Reshuffling notice declarations to make them exported.

- Notices were not available outside of their namespaces.
This commit is contained in:
Seth Hall 2011-06-09 11:59:06 -04:00
parent 590e6d0360
commit d3d9fedd2c
26 changed files with 193 additions and 198 deletions


@ -2,9 +2,9 @@
module HTTP;
redef enum Log::ID += { HTTP };
export {
redef enum Log::ID += { HTTP };
## Indicate a type of attack or compromise in the record to be logged.
type Tags: enum {
EMPTY


@ -1,25 +1,25 @@
##! SQL injection detection in HTTP.
@load http/base
@load notice
@load metrics
module HTTP;
redef enum Notice::Type += {
SQL_Injection_Attack,
};
redef enum Tags += {
## Indicator of a URI based SQL injection attack.
URI_SQLI,
## Indicator of client body based SQL injection attack. This is
## typically the body content of a POST request. Not implemented yet!
POST_SQLI,
## Indicator of a cookie based SQL injection attack. Not implemented yet!
COOKIE_SQLI,
};
export {
redef enum Notice::Type += {
SQL_Injection_Attack,
};
redef enum Tags += {
## Indicator of a URI based SQL injection attack.
URI_SQLI,
## Indicator of client body based SQL injection attack. This is
## typically the body content of a POST request. Not implemented yet!
POST_SQLI,
## Indicator of a cookie based SQL injection attack. Not implemented yet!
COOKIE_SQLI,
};
## This regular expression is used to match URI based SQL injections
const match_sql_injection_uri =
/[\?&][^[:blank:]\|]+?=[\-0-9%]+([[:blank:]]|\/\*.*?\*\/)*['"]?([[:blank:]]|\/\*.*?\*\/|\)?;)+([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])[^a-zA-Z&]/
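Review bot: `POST_SQLI` and `COOKIE_SQLI` are exported from the module while their own doc comments still say "Not implemented yet!", so external policy can now test for tags that nothing in this script sets. The `match_sql_injection_uri` pattern that follows covers only the query string, which matches `URI_SQLI` alone. Either hold the two tags back until their detection exists, or make the status unambiguous in the doc, e.g. `## Reserved; no detection in this script currently sets this tag.`, so a reader of the HTTP log does not assume POST bodies and cookies are being inspected.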


@ -10,13 +10,15 @@ redef signature_files += "http/detect-webapps.sig";
# Ignore the signatures used to match webapps
redef Signatures::ignored_ids += /^webapp-/;
redef enum Software::Type += {
WEB_APPLICATION,
};
export {
redef enum Software::Type += {
WEB_APPLICATION,
};
redef record Software::Info += {
url: string &optional &log;
};
redef record Software::Info += {
url: string &optional &log;
};
}
event signature_match(state: signature_state, msg: string, data: string) &priority=5
{
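Review bot: The exported `url` field in `redef record Software::Info` and the `WEB_APPLICATION` value in `Software::Type` carry no `##` doc comment, unlike the record fields exported elsewhere in this commit (`md5`, `mime_type`, `headers`). Now that they are part of the public HTTP interface the generated docs will show them bare. Something like `## The URL at which the web application was observed.` above `url:` would do, if that is indeed what the signature handler stores; signature_match only begins at the end of the hunk, so I cannot confirm from here. The same gap applies to `entity_bodies` in the State redef, `IDENTIFIED_FILE` in the Tags redef, and the `WEB_SERVER`/`WEB_BROWSER`/`WEB_BROWSER_PLUGIN` values in the software section.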


@ -19,22 +19,22 @@ export {
## The on-disk prefix for files to be extracted from HTTP entity bodies.
const extraction_prefix = "http-item" &redef;
}
redef record Info += {
## This field can be set per-connection to determine if the entity body
## will be extracted. It must be set to T on or before the first
## entity_body_data event.
extract_file: bool &default=F;
redef record Info += {
## This field can be set per-connection to determine if the entity body
## will be extracted. It must be set to T on or before the first
## entity_body_data event.
extract_file: bool &default=F;
## This is the holder for the file handle as the file is being written
## to disk.
extraction_file: file &log &optional;
};
## This is the holder for the file handle as the file is being written
## to disk.
extraction_file: file &log &optional;
};
redef record State += {
entity_bodies: count &optional;
};
redef record State += {
entity_bodies: count &optional;
};
}
## Mark files to be extracted if they were identified as a mime type matched
## by the extract_file_types variable and they aren't being extracted yet.


@ -5,16 +5,13 @@
module HTTP;
redef enum Notice::Type += {
## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.
## http://www.team-cymru.org/Services/MHR/
HTTP_MHR_Malware,
## Notice type when locally defined MD5 sums are encountered.
HTTP_MD5,
};
export {
redef enum Notice::Type += {
## Indicates an MD5 sum in Team Cymru's Malware Hash Registry.
## http://www.team-cymru.org/Services/MHR/
HTTP_MHR_Malware,
};
redef record Info += {
## The MD5 sum for a file transferred over HTTP will be stored here.
md5: string &log &optional;
@ -29,15 +26,9 @@ export {
calculating_md5: bool &default=F;
};
# Generate MD5 sums for these filetypes.
## Generate MD5 sums for these filetypes.
const generate_md5 = /application\/x-dosexec/ # Windows and DOS executables
| /application\/x-executable/ &redef; # *NIX executable binary
# MD5 sums that are "interesting" for your local network.
# The index is the MD5 sum and the yield value is used as the $msg value
# for notices so that you can filter in your local notice policy.
# TODO: this will change to use the intelligence framework.
const interesting_md5: table[string] of string &redef;
}
@ -75,15 +66,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
local url = build_url(c$http);
c$http$calculating_md5 = F;
c$http$md5 = md5_hash_finish(c$id);
if ( c$http$md5 in interesting_md5 )
{
NOTICE([$note=HTTP_MD5, $conn=c, $method=c$http$method,
$URL=url,
$msg=interesting_md5[c$http$md5],
$sub=c$http$md5]);
}
local hash_domain = fmt("%s.malware.hash.cymru.com", c$http$md5);
when ( local addrs = lookup_hostname(hash_domain) )
{
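Review bot: Removing the `interesting_md5` table and the `HTTP_MD5` notice (the `if ( c$http$md5 in interesting_md5 )` block in http_message_done) drops the local MD5 watchlist alert entirely, which goes beyond the "reshuffling" described in the commit message and leaves no replacement in this change. The deleted comment pointed at the intelligence framework as the successor; until that lands, a deployment that populated `interesting_md5` silently loses that alert. At minimum the commit message should state the removal, and a note in the script such as `## Local MD5 watchlists are no longer handled here; this is slated to move to the intelligence framework.` would tell operators where the functionality went. If `url` from `local url = build_url(c$http);` is no longer referenced once the NOTICE is gone, it is now an unused local; the rest of http_message_done lies outside the hunk, so I cannot confirm.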


@ -9,19 +9,18 @@
module HTTP;
redef enum Notice::Type += {
# This notice is thrown when the file extension doesn't
# seem to match the file contents.
HTTP_IncorrectFileType,
};
redef record Info += {
## This will record the mime_type identified.
mime_type: string &log &optional;
};
export {
redef enum Notice::Type += {
# This notice is thrown when the file extension doesn't
# seem to match the file contents.
IncorrectFileType,
};
redef record Info += {
## This will record the mime_type identified.
mime_type: string &log &optional;
};
redef enum Tags += {
IDENTIFIED_FILE
};
@ -65,7 +64,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
{
local url = build_url(c$http);
local message = fmt("%s %s %s", msg, c$http$method, url);
NOTICE([$note=HTTP_IncorrectFileType,
NOTICE([$note=IncorrectFileType,
$msg=message,
$conn=c,
$method=c$http$method,
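Review bot: The doc lines above `IncorrectFileType` use a single `#` (`# This notice is thrown when the file extension doesn't ...`), so they will not be picked up as documentation for the now-exported notice type, whereas `HTTP_MHR_Malware` in the md5 section uses `##`. Since the purpose of the commit is to make these notices usable outside the module, change the two lines to `## This notice is thrown when the file extension doesn't` / `## seem to match the file contents.`. The rename to `IncorrectFileType` is applied at the NOTICE call in the second hunk; any other reference to the old name would be outside these hunks.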


@ -4,13 +4,15 @@
module HTTP;
redef record Info += {
## The vector of HTTP headers. No header values are included here, just
## the header names.
## TODO: with an empty vector as &default, the vector isn't coerced to the
## correct type.
headers: vector of string &log &optional;
};
export {
redef record Info += {
## The vector of HTTP headers. No header values are included here, just
## the header names.
## TODO: with an empty vector as &default, the vector isn't coerced to the
## correct type.
headers: vector of string &log &optional;
};
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=4
{
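Review bot: The `## TODO:` lines on the `headers` field are `##` doc comments, so the internal note about `&default` coercion will now appear in the generated documentation of an exported field. If the TODO is meant for maintainers rather than users, demote those two lines to `# TODO: with an empty vector as &default, the vector isn't coerced to the` / `# correct type.`. The http_header handler beginning at the hunk's last lines continues outside the hunk.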


@ -5,21 +5,20 @@
module HTTP;
redef enum Software::Type += {
WEB_SERVER,
WEB_BROWSER,
WEB_BROWSER_PLUGIN
};
export {
redef enum Software::Type += {
WEB_SERVER,
WEB_BROWSER,
WEB_BROWSER_PLUGIN
};
## The pattern of HTTP User-Agents which you would like to ignore.
const ignored_user_agents = /NO_DEFAULT/ &redef;
## These are patterns to identify browser plugins (including toolbars)
## based on the User-Agent header.
const plugin_user_agents = /BingBar [0-9\.]*/ # Bing toolbar
| /GoogleToolbar [0-9\.]*;/ &redef; # Google toolbar
const plugin_user_agents = /BingBar [0-9\.]*/ ##< Bing toolbar
| /GoogleToolbar [0-9\.]*;/ &redef; ##< Google toolbar
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
@ -46,8 +45,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
else
{
if ( name == "SERVER" )
{
Software::found(c$id, Software::parse(value, c$id$resp_h, WEB_SERVER));
}
}
}