Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 18:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Updates to several things that are loosely linked together.

Browse source 
- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for
  determining which software to track.
This commit is contained in:
Seth Hall 2011-06-14 13:39:50 -04:00
parent 9253157302
commit f13cf830ea
6 changed files with 37 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

4
policy/frameworks/software/base.bro
View file

@ -65,7 +65,7 @@ export {
## The hosts whose software should be detected and tracked. ## The hosts whose software should be detected and tracked.
## Choices are: LocalHosts, RemoteHosts, Enabled, Disabled ## Choices are: LocalHosts, RemoteHosts, Enabled, Disabled
const logging = Enabled &redef; const asset_tracking=AllHosts &redef;
## Some software is more interesting when the version changes and this ## Some software is more interesting when the version changes and this
## a set of all software that should raise a notice when a different ## a set of all software that should raise a notice when a different
@ -408,7 +408,7 @@ event software_register(id: conn_id, info: Info)
function found(id: conn_id, info: Info): bool function found(id: conn_id, info: Info): bool
{ {
if ( info$force_log || addr_matches_hosts(info$host, logging) ) if ( info$force_log || addr_matches_hosts(info$host, asset_tracking) )
{ {
event software_register(id, info); event software_register(id, info);
return T; return T;

10
policy/frameworks/software/vulnerable.bro
View file

@ -3,11 +3,11 @@
module Software; module Software;
redef enum Notice::Type += {
Vulnerable_Version,
};
export { export {
redef enum Notice::Type += {
Vulnerable_Version,
};
## This is a table of software versions indexed by the name of the ## This is a table of software versions indexed by the name of the
## software and yielding the latest version that is vulnerable. ## software and yielding the latest version that is vulnerable.
const vulnerable_versions: table[string] of Version &redef; const vulnerable_versions: table[string] of Version &redef;
@ -23,6 +23,6 @@ event log_software(rec: Info)
if ( rec$name in vulnerable_versions && if ( rec$name in vulnerable_versions &&
cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 ) cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 )
{ {
NOTICE([$note=Vulnerable_Version, $relevant_host=rec$host, $msg=software_fmt(rec)]); NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]);
} }
} }

43
policy/protocols/conn/known-hosts.bro
View file

@ -1,3 +1,8 @@
##! This script logs hosts that Bro determines have performed complete TCP
##! handshakes and logs the address once per day (by default). The log that
##! output provides an easy way to determine a count of the IP addresses in
##! use on a network per day.
@load utils/directions-and-hosts @load utils/directions-and-hosts
module KnownHosts; module KnownHosts;
@ -6,21 +11,23 @@ redef enum Log::ID += { KNOWN_HOSTS };
export { export {
type Log: record { type Log: record {
## The timestamp at which the host was detected.
ts: time &log; ts: time &log;
address: addr &log; ## The address that was detected originating or responding to a TCP
## connection.
host: addr &log;
}; };
# The hosts whose existence should be logged. ## The hosts whose existence should be logged.
# Choices are: LocalHosts, RemoteHosts, Enabled, Disabled ## Choices are: LocalHosts, RemoteHosts, Enabled, Disabled
const logging = Enabled &redef; const logging = LocalHosts &redef;
# In case you are interested in more than logging just local assets ## The set of all known addresses to store for preventing duplicate
# you can split the log file. ## logging of addresses. It can also be used from other scripts to
#const split_log_file = F &redef; ## inspect if an address has been seen in use.
## Maintain the list of known hosts for 24 hours so that the existence
# Maintain the list of known hosts for 24 hours so that the existence ## of each individual address is logged each day.
# of each individual address is logged each day. global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
global known_hosts: set[addr] &create_expire=1day &synchronized;
global log_known_hosts: event(rec: Log); global log_known_hosts: event(rec: Log);
} }
@ -34,14 +41,12 @@ event connection_established(c: connection) &priority=5
{ {
local id = c$id; local id = c$id;
if ( id$orig_h !in known_hosts && addr_matches_hosts(id$orig_h, logging) ) for ( host in set(id$orig_h, id$resp_h) )
{ {
add known_hosts[id$orig_h]; if ( host !in known_hosts && addr_matches_hosts(host, logging) )
Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=id$orig_h]); {
} add known_hosts[host];
if ( id$resp_h !in known_hosts && addr_matches_hosts(id$resp_h, logging) ) Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=host]);
{ }
add known_hosts[id$resp_h];
Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=id$resp_h]);
} }
} }

2
policy/protocols/conn/known-services.bro
View file

@ -24,7 +24,7 @@ export {
}; };
# The hosts whose services should be logged. # The hosts whose services should be logged.
const logged_hosts = Enabled &redef; const logged_hosts = AllHosts &redef;
global known_services: set[addr, port] &create_expire=1day &synchronized; global known_services: set[addr, port] &create_expire=1day &synchronized;

4
policy/protocols/smtp/base.bro
View file

@ -66,9 +66,9 @@ export {
## Direction to capture the full "Received from" path. ## Direction to capture the full "Received from" path.
## RemoteHosts - only capture the path until an internal host is found. ## RemoteHosts - only capture the path until an internal host is found.
## LocalHosts - only capture the path until the external host is discovered. ## LocalHosts - only capture the path until the external host is discovered.
## Enabled - always capture the entire path. ## AllHosts - always capture the entire path.
## Disabled - never capture the path. ## Disabled - never capture the path.
const mail_path_capture = Enabled &redef; const mail_path_capture = AllHosts &redef;
global log_smtp: event(rec: Info); global log_smtp: event(rec: Info);
} }

7
policy/protocols/smtp/software.bro
View file

@ -43,7 +43,6 @@ export {
| /^SquirrelMail/ | /^SquirrelMail/
| /^NeoMail/ | /^NeoMail/
| /ZimbraWebClient/ &redef; | /ZimbraWebClient/ &redef;
} }
event smtp_data(c: connection, is_orig: bool, data: string) &priority=4 event smtp_data(c: connection, is_orig: bool, data: string) &priority=4
@ -66,8 +65,8 @@ event log_smtp(rec: Info)
{ {
s_type = WEBMAIL; s_type = WEBMAIL;
# If the earliest received header indicates that the connection # If the earliest received header indicates that the connection
# was via HTTP, then that means the actual mail software is installed # was via HTTP, then that likely means the actual mail software
# on the second value in the path. # is installed on the second address in the path.
if ( rec?$first_received && /via HTTP/ in rec$first_received ) if ( rec?$first_received && /via HTTP/ in rec$first_received )
client_ip = rec$path[|rec$path|-2]; client_ip = rec$path[|rec$path|-2];
} }
@ -75,7 +74,7 @@ event log_smtp(rec: Info)
if ( addr_matches_hosts(rec$id$orig_h, if ( addr_matches_hosts(rec$id$orig_h,
detect_clients_in_messages_from) ) detect_clients_in_messages_from) )
{ {
local s = Software::parse(rec$user_agent, rec$path[|rec$path|-1], s_type); local s = Software::parse(rec$user_agent, client_ip, s_type);
Software::found(rec$id, s); Software::found(rec$id, s);
} }
} }