mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 04:28:20 +00:00
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
This commit is contained in:
Seth Hall
commit
e99e090b85
112 changed files with 183377 additions and 712 deletions
|
|
@ -1,4 +1,4 @@
|
|||
##! Detect file downloads over HTTP that have MD5 sums matching files in Team
|
||||
##! Detect file downloads over HTTP that have MD5 sums matching files in Team
|
||||
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
|
||||
##! By default, not all file transfers will have MD5 sums calculated. Read the
|
||||
##! documentation for the :doc:base/protocols/http/file-hash.bro script to see
|
||||
|
|
@ -10,11 +10,17 @@
|
|||
module HTTP;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
redef enum Notice::Type += {
|
||||
## The MD5 sum of a file transferred over HTTP matched in the
|
||||
## malware hash registry.
|
||||
Malware_Hash_Registry_Match
|
||||
};
|
||||
|
||||
## The malware hash registry runs each malware sample through several A/V engines.
|
||||
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
||||
## sample as malicious. This threshold allows you to require a minimum detection
|
||||
## rate (default: 50%).
|
||||
const MHR_threshold = 50 &redef;
|
||||
}
|
||||
|
||||
event log_http(rec: HTTP::Info)
|
||||
|
|
@ -22,14 +28,15 @@ event log_http(rec: HTTP::Info)
|
|||
if ( rec?$md5 )
|
||||
{
|
||||
local hash_domain = fmt("%s.malware.hash.cymru.com", rec$md5);
|
||||
when ( local addrs = lookup_hostname(hash_domain) )
|
||||
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
|
||||
{
|
||||
# 127.0.0.2 indicates that the md5 sum was found in the MHR.
|
||||
if ( 127.0.0.2 in addrs )
|
||||
# Data is returned as "<dateFirstDetected> <detectionRate>"
|
||||
local MHR_answer = split1(MHR_result, / /);
|
||||
if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
|
||||
{
|
||||
local url = HTTP::build_url_http(rec);
|
||||
local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);
|
||||
NOTICE([$note=Malware_Hash_Registry_Match,
|
||||
NOTICE([$note=Malware_Hash_Registry_Match,
|
||||
$msg=message, $id=rec$id, $URL=url]);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,21 +0,0 @@
|
|||
##! Intelligence based HTTP detections. Not yet working!
|
||||
|
||||
@load base/protocols/http/main
|
||||
@load base/protocols/http/utils
|
||||
@load base/frameworks/intel/main
|
||||
|
||||
module HTTP;
|
||||
|
||||
event log_http(rec: Info)
|
||||
{
|
||||
local url = HTTP::build_url(rec);
|
||||
local query = [$str=url, $subtype="url", $or_tags=set("malicious", "malware")];
|
||||
if ( Intel::matcher(query) )
|
||||
{
|
||||
local msg = fmt("%s accessed a malicious URL from the intelligence framework", rec$id$orig_h);
|
||||
NOTICE([$note=Intel::Detection,
|
||||
$msg=msg,
|
||||
$sub=HTTP::build_url_http(rec),
|
||||
$id=rec$id]);
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue