Updated FTP bruteforce detection and a few other small changes.

Seth Hall 2013-04-02 00:55:25 -04:00
parent 423bf3b3bf
commit e8b60d1ba8
4 changed files with 22 additions and 50 deletions


@ -1,6 +0,0 @@
module Metrics;
export {
}


@ -1,27 +0,0 @@
@load base/protocols/conn
@load base/frameworks/measurement
event bro_init() &priority=5
{
Metrics::add_filter("conn.orig.data",
[$every=5mins,
$measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
$period_finished=Metrics::write_log]);
Metrics::add_filter("conn.resp.data",
[$every=5mins,
$measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
$period_finished=Metrics::write_log]);
}
event connection_state_remove(c: connection)
{
if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) )
return;
if ( Site::is_local_addr(c$id$orig_h) )
Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]);
if ( Site::is_local_addr(c$id$resp_h) )
Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]);
}


@ -25,19 +25,24 @@ export {
event bro_init() event bro_init()
{ {
Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval, local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
$measure=set(Metrics::UNIQUE), Measurement::create([$epoch=bruteforce_measurement_interval,
$threshold_val_func(val: Metrics::Result) = { return val$num; }, $reducers=set(r1),
$threshold=bruteforce_threshold, $threshold_val(key: Measurement::Key, result: Measurement::Result) =
$threshold_crossed(index: Metrics::Index, val: Metrics::Result) =
{ {
local dur = duration_to_mins_secs(val$end-val$begin); return result["ftp.failed_auth"]$num;
local plural = val$unique>1 ? "s" : ""; },
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur); $threshold=bruteforce_threshold,
$threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=FTP::Bruteforcing, NOTICE([$note=FTP::Bruteforcing,
$src=index$host, $src=key$host,
$msg=message, $msg=message,
$identifier=cat(index$host)]); $identifier=cat(key$host)]);
}]); }]);
} }
@ -47,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
if ( cmd == "USER" || cmd == "PASS" ) if ( cmd == "USER" || cmd == "PASS" )
{ {
if ( FTP::parse_ftp_reply_code(code)$x == 5 ) if ( FTP::parse_ftp_reply_code(code)$x == 5 )
Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
} }
} }
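Review bot: The new `$threshold_val` in the bro_init hunk compares `bruteforce_threshold` against `result["ftp.failed_auth"]$num` (total failed USER/PASS replies for the source host), while the notice text two lines later reports `r$unique` (distinct servers, from the `$str=cat(c$id$resp_h)` fed by the ftp_reply hunk); that difference is not obvious from the names and deserves a comment on the `$threshold_val` line, e.g. `# Threshold on total failed attempts; $unique (distinct servers) is only reported in the notice.` If `Measurement::create` starts a fresh result set every `$epoch` (the old filter used `$every` the same way), a source spreading its attempts so that no single epoch reaches `bruteforce_threshold` would never trigger `$threshold_crossed` — worth confirming against the framework and documenting next to `bruteforce_measurement_interval` so the detection window is explicit. As a point of style, `r1` and `r` carry no meaning; `failed_auth_reducer` and `failed_auth` would read better. The ftp_reply hunk is only a `Metrics::add_data` → `Measurement::add_data` rename, and that handler's body begins and ends outside the hunk.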


@ -1,6 +1,6 @@
THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4)
THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4)
THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5) THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5) THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5)
THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5) THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5)