From e8b60d1ba85a23696926f028eea030b31b0c0cb9 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 2 Apr 2013 00:55:25 -0400
Subject: [PATCH] Updated FTP bruteforce detection and a few other small changes.
---
 .../base/frameworks/measurement/simple.bro | 6 ----
 .../protocols/conn/conn-stats-per-host.bro | 27 --------------
 .../protocols/ftp/detect-bruteforcing.bro | 35 +++++++++++--------
 .../.stdout | 4 +-
 4 files changed, 22 insertions(+), 50 deletions(-)
 delete mode 100644 scripts/base/frameworks/measurement/simple.bro
 delete mode 100644 scripts/policy/protocols/conn/conn-stats-per-host.bro
diff --git a/scripts/base/frameworks/measurement/simple.bro b/scripts/base/frameworks/measurement/simple.bro
deleted file mode 100644
index 51bf7e8c44..0000000000
--- a/scripts/base/frameworks/measurement/simple.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-
-module Metrics;
-
-export {
-
-}
\ No newline at end of file
diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro
deleted file mode 100644
index d537d13b72..0000000000
--- a/scripts/policy/protocols/conn/conn-stats-per-host.bro
+++ /dev/null
@@ -1,27 +0,0 @@
-
-@load base/protocols/conn
-@load base/frameworks/measurement
-
-event bro_init() &priority=5
- {
- Metrics::add_filter("conn.orig.data",
- [$every=5mins,
- $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
- $period_finished=Metrics::write_log]);
- Metrics::add_filter("conn.resp.data",
- [$every=5mins,
- $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
- $period_finished=Metrics::write_log]);
- }
-
-
-event connection_state_remove(c: connection)
- {
- if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) )
- return;
-
- if ( Site::is_local_addr(c$id$orig_h) )
- Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]);
- if ( Site::is_local_addr(c$id$resp_h) )
- Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]);
- }
\ No newline at end of file
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
index 286cc95979..bcf7a59d06 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@@ -25,20 +25,25 @@ export {
 
 event bro_init()
 {
- Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
- $measure=set(Metrics::UNIQUE),
- $threshold_val_func(val: Metrics::Result) = { return val$num; },
- $threshold=bruteforce_threshold,
- $threshold_crossed(index: Metrics::Index, val: Metrics::Result) =
- {
- local dur = duration_to_mins_secs(val$end-val$begin);
- local plural = val$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=index$host,
- $msg=message,
- $identifier=cat(index$host)]);
- }]);
+ local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
+ Measurement::create([$epoch=bruteforce_measurement_interval,
+ $reducers=set(r1),
+ $threshold_val(key: Measurement::Key, result: Measurement::Result) =
+ {
+ return result["ftp.failed_auth"]$num;
+ },
+ $threshold=bruteforce_threshold,
+ $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
+ {
+ local r = result["ftp.failed_auth"];
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local plural = r$unique>1 ? "s" : "";
+ local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
+ NOTICE([$note=FTP::Bruteforcing,
+ $src=key$host,
+ $msg=message,
+ $identifier=cat(key$host)]);
+ }]);
 }
 
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@@ -47,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 if ( cmd == "USER" || cmd == "PASS" )
 {
 if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
+ Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 }
 }
\ No newline at end of file
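Review bot: Both the new `$threshold_val` and `$threshold_crossed` callbacks index `result["ftp.failed_auth"]` unconditionally; with a single reducer that entry is presumably present whenever the key was observed, but if the framework can ever invoke a callback for a key whose result table lacks that stream, the lookup is a runtime error that aborts the callback rather than a quiet miss. A cheap guard in `$threshold_val` is `if ( "ftp.failed_auth" !in result ) return 0;`, with a matching early `return;` at the top of `$threshold_crossed`. The hunk also leaves undocumented that the threshold is compared against `r$num` (failed logins from the origin host within the epoch) while `UNIQUE` is applied only so the notice text can report how many distinct servers (`r$unique`) were hit; a comment above `Measurement::create` such as `# Threshold on the number of failed logins per source host; UNIQUE only feeds the server count in the notice text.` would make that explicit. Finally, `r1` says nothing about what the reducer measures; a name like `failed_auth` would read better than an index.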
diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
index 09c65c3864..ac8785d182 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout
@@ -1,6 +1,6 @@
 THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
 THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
 THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
 THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5)
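Review bot: The baseline now expects each THRESHOLD line to follow the THRESHOLD_SERIES line for the same key, yet none of the four files in this patch touches the measurement framework's threshold evaluation, so nothing here explains why the callback order changed. If that order depends on how the framework iterates its thresholds rather than on a deliberate change, this baseline will be unstable; if it reflects an earlier framework commit, the commit message should name it instead of folding it into "a few other small changes".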