mirror of
https://github.com/zeek/zeek.git
synced 2025-10-16 13:38:19 +00:00
Pass over doc xref links and linking style.
This commit is contained in:
parent
7822ebcb2e
commit
e88ac7221d
8 changed files with 25 additions and 34 deletions
@ -1,8 +1,3 @@
__ http://www.bro.org/sphinx-git/scripts/base/protocols/ftp/main.bro.html#id-FTP::parse_ftp_reply_code
__ http://www.bro.org/sphinx-git/frameworks/sumstats.html
__ http://www.bro.org/sphinx-git/frameworks/notice.html
__ http://www.bro.org/sphinx-git/_downloads/detect-bruteforcing.bro
__ http://www.bro.org/sphinx-git/scripts/policy/frameworks/files/detect-MHR.bro.html

.. _bro-ids:

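Review bot: removing these five anonymous targets (`__ http://...`) is only safe if every matching anonymous reference in the body (`` `SumStats`__ ``, `` `Notice`__ ``, `` `detect-MHR.bro`__ `` and so on) was converted in the same pass; docutils refuses to build with an "Anonymous hyperlink mismatch" error when the number of `__` references and `__` targets in a file differ, so run a docs build and check for that error before merging. The later hunks in this file show five conversions, which matches the five targets dropped here.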
@ -34,7 +29,8 @@ We start by defining a threshold for the number of attempts and a monitoring int
const bruteforce_measurement_interval = 15mins &redef;
}

Now, using the ftp_reply event, we check for error codes from the `500 series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_ for the "USER" and "PASS" commands, representing rejected usernames or passwords. For this, we can use the `FTP::parse_ftp_reply`__ function to break down the reply code and check if the first digit is a "5" or not. If true, we then use the `SumStats`__ framework to keep track of the number of failed attempts.
Now, using the ftp_reply event, we check for error codes from the `500 series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_ for the "USER" and "PASS" commands, representing rejected usernames or passwords. For this, we can use the :bro:see:`FTP::parse_ftp_reply_code` function to break down the reply code and check if the first digit is a "5" or not. If true, we then use the
:ref:`Summary Statistics Framework <sumstats-framework>` to keep track of the number of failed attempts.

.. code:: bro

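Review bot: the old link text named `FTP::parse_ftp_reply` while its target pointed at `FTP::parse_ftp_reply_code`, so switching to :bro:see:`FTP::parse_ftp_reply_code` corrects a wrong identifier in the tutorial text, not only the link style; that is worth a mention in the commit message. The new :ref:`Summary Statistics Framework <sumstats-framework>` only resolves because the `.. _sumstats-framework:` label is added to the sumstats document in this same commit, so the two changes must land together. Minor: the `500 series` link still uses a raw `http://` Wikipedia URL while the rest of the pass moves to roles; fine to keep, but `https` is available.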
@ -73,7 +69,7 @@ exceeds the specified threshold during the measuring interval.
}]);
}

Printing a message on the console is a good start but it will be better if we raise an alarm instead using the `Notice`__ framework. For this, we need to define a new Notice type and trigger the alarm under the right
Printing a message on the console is a good start but it will be better if we raise an alarm instead using the :ref:`Notice Framework <notice-framework>`. For this, we need to define a new Notice type and trigger the alarm under the right
conditions. Below is the final code for our script.

.. code:: bro
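Review bot: since this sentence is being rewritten anyway, `it will be better if we raise an alarm instead` should read `it would be better to raise a notice instead`; "notice" is the framework's own term and the code below defines a Notice type, not an alarm. The :ref:`Notice Framework <notice-framework>` target depends on the `.. _notice-framework:` label added to the notice document in this commit.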
@ -139,7 +135,7 @@ conditions. Below is the final code for our script.
}
}

As a final note, the `detect-bruteforcing.bro`__ script above is include with Bro out of the box, so you only need to load it at startup to instruct Bro to detect and notify of FTP bruteforce attacks.
As a final note, the :doc:`detect-bruteforcing.bro </scripts/policy/protocols/ftp/detect-bruteforcing.bro>` script above is include with Bro out of the box, so you only need to load it at startup to instruct Bro to detect and notify of FTP bruteforce attacks.

-------------
Other Attacks
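Review bot: `is include with Bro out of the box` should be `is included with Bro out of the box`; the line is already being changed, so fix the typo here rather than in a follow-up. Note also that the link target moves from the raw download (`_downloads/detect-bruteforcing.bro`) to the generated script reference page; that is the better destination for a "load it at startup" note, but confirm the generated page exists at `/scripts/policy/protocols/ftp/detect-bruteforcing.bro` in the build, since :doc: paths to generated script docs fail silently as unresolved references only at build time.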
@ -150,6 +146,6 @@ Checking files against known malware hashes
-------------------------------------------
Files transmitted on your network could either be completely harmless or contain viruses and other threats. One possible action against
this threat is to compute the hashes of the files and compare them against a list of known malware hashes. Bro simplifies this task
by offering a `detect-MHR.bro`__ script that creates and compares
by offering a :doc:`detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>` script that creates and compares
hashes against the `Malware Hash Registry <https://www.team-cymru.org/Services/MHR/>`_ maintained by Team Cymru. You only need to load this
script along with your other scripts at startup time.
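Review bot: mechanical and correct; the old target ended in `.html` and the new :doc: path drops it, which is the right form for the role. Only check that `/scripts/policy/frameworks/files/detect-MHR.bro` is the path the script-doc generator actually emits, as with the other :doc: conversions in this commit.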
@ -1,3 +1,6 @@

.. _file-analysis-framework:

=============
File Analysis
=============
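Review bot: the label is placed correctly: `.. _file-analysis-framework:` on its own line, followed by a blank line, directly before the title, which is what makes :ref:`File Analysis Framework <file-analysis-framework>` in the HTTP monitor document attach to this section and pick up its title as default text. The same layout is used for the `notice-framework` and `sumstats-framework` labels below, so the three are consistent.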
@ -1,4 +1,6 @@

.. _notice-framework:

Notice Framework
================

@ -1,3 +1,6 @@

.. _sumstats-framework:

==================
Summary Statistics
==================
@ -1,5 +1,3 @@
__ http://www.bro.org/sphinx-git/scripts/base/protocols/http/main.bro.html
__ http://www.bro.org/sphinx-git/frameworks/file-analysis.html

.. _http-monitor:

@ -43,7 +41,8 @@ point, we would like to stress out the fact that there is no just one right way
depend on the expertise of the person doing the analysis and the specific details of the task to accomplish.

For more information about how to handle the HTTP protocol in Bro, including a complete list
of the fields available in http.log, go to Bro's HTTP reference `page`__.
of the fields available in http.log, go to Bro's
:doc:`HTTP script reference </scripts/base/protocols/http/main.bro>`.

------------------------
Detecting a Proxy Server
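Review bot: replacing the bare link text `page`__ with :doc:`HTTP script reference </scripts/base/protocols/http/main.bro>` is an improvement in its own right, since "page" told the reader nothing. While here, the context line in the hunk header, `we would like to stress out the fact that there is no just one right way`, is ungrammatical and should be `we would like to stress that there is not just one right way`.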
@ -219,8 +218,9 @@ Inspecting Files

Files are often transmitted on regular HTTP conversations between a client and a server. Most of the time these files are harmless,
just images and some other multimedia content, but there are also types of files, specially executable files, that can damage
your system. We can instruct Bro to create a copy of all executable files that it sees for later analysis using the `File Analysis
Framework`__ (introduced with Bro 2.2) as shown in the following script.
your system. We can instruct Bro to create a copy of all executable files that it sees for later analysis using the
:ref:`File Analysis Framework <file-analysis-framework>`
(introduced with Bro 2.2) as shown in the following script.

.. code:: bro

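Review bot: `specially executable files` in the context line should be `especially executable files`. The three-way split of the rewritten sentence renders as one paragraph, so it is fine; the `(introduced with Bro 2.2)` aside is version trivia that will age badly inside a cross-reference sentence and could be dropped in the same pass.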
@ -44,8 +44,6 @@ Reference Section

..

* `Notice Index <bro-noticeindex.html>`_ (TODO: Move to reference
section, but can't figure out how to include it into toctree)
* :ref:`General Index <genindex>`
* :ref:`search`

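Review bot: this rendering has lost the +/- markers, so it is not visible which two of these lines are removed. If the lone `..` and its blank line are what goes, the `Notice Index <bro-noticeindex.html>`_ entry stays as the one raw relative HTML link in a commit whose purpose is to move to :ref:/:doc: roles, and the TODO about the toctree stays with it; if instead the two `Notice Index` lines are removed, the lone `..` is left behind as an empty comment. Either way, the hunk should say so in the commit message, and the stray `..` or the raw link should not survive the pass.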
@ -1,19 +1,9 @@
__ http://www.bro.org/sphinx-git/scripts/base/protocols/http/main.bro.html#type-HTTP::Info
__ http://www.bro.org/sphinx-git/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info
__ http://www.bro.org/sphinx-git/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info
__ http://www.bro.org/sphinx-git/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo
__ http://www.bro.org/sphinx-git/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info
__ http://www.bro.org/sphinx-git/scripts/base/protocols/dns/main.bro.html#type-DNS::Info
__ http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
__ http://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
__ http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info
__ http://www.bro.org/sphinx-git/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info

.. _using-bro:
.. _bro-logging:

=========
Using Bro
=========
===========
Bro Logging
===========

.. contents::

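Review bot: renaming the label `using-bro` to `bro-logging` breaks any existing :ref:`using-bro` elsewhere in the docs (and any external link that relied on the generated anchor); none of the other seven files in this diff reference it, so grep the tree before merging. Separately, the ten anonymous targets removed here (`HTTP::Info`, `FTP::Info`, `SSL::Info`, and so on) each need their matching `__` reference further down in the file converted to :bro:see: or similar; those conversions are outside this hunk, so a docs build is the only way to confirm there is no anonymous hyperlink mismatch.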
@ -1,4 +1,3 @@
__ http://www.bro.org/sphinx-git/frameworks/sumstats.html

.. _mime-stats:

@ -12,17 +11,17 @@ non-text attachments on email, it is also used by Web browser to identify the ty

In this tutorial, we will show how to use the Sumstats Framework to collect some statistics information based on MIME types, specifically the total number of
occurrences, size in bytes, and number of unique hosts transmitting files over HTTP per each type. For instructions about extracting and creating a local copy
of these files, visit `this <../httpmonitor/index.html#inspecting-files>`_ tutorial instead.
of these files, visit :ref:`this <http-monitor>` tutorial instead.

------------------------------------------------
MIME Statistics with Sumstats
------------------------------------------------
When working with the `Sumstats`__ framework, you need to define three different pieces: (i) Observations, where
When working with the :ref:`Summary Statistics Framework <sumstats-framework>`, you need to define three different pieces: (i) Observations, where
the event is observed and fed into the framework. (ii) Reducers, where observations are collected and measured. (iii) Sumstats, where the main functionality
is implemented.

So, we start by defining our observation along with a record to store all statistics values and an observation interval. We are conducting our observation on
the `HTTP::log_http` event and we are interested in the MIME type, size of the file ("response_body_len") and the originator host ("orig_h"). We use the MIME
the :bro:see:`HTTP::log_http` event and we are interested in the MIME type, size of the file ("response_body_len") and the originator host ("orig_h"). We use the MIME
type as our key and create observers for the other two values.

.. code:: bro
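Review bot: the conversion of `this <../httpmonitor/index.html#inspecting-files>`_ to :ref:`this <http-monitor>` loses the anchor: the old link landed on the "Inspecting Files" section, the new one lands at the top of the HTTP monitor document. Add a label in front of that section heading in the HTTP monitor file (a name such as `http-inspecting-files` is a suggestion, not something in the tree) and reference it here, and replace the link text `this` with something descriptive such as `the HTTP monitor tutorial`. Minor, in the context lines: `per each type` should be `for each type`, and `Web browser` should be `Web browsers`. The `HTTP::log_http` conversion to :bro:see: is fine.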