mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
9709b1d522
* origin/topic/robin/reporting: Syslog BiF now goes through the reporter as well. Avoiding infinite loops when an error message handlers triggers errors itself. Renaming the Logger to Reporter. Overhauling the internal reporting of messages to the user. Updating a bunch of tests/baselines as well. Conflicts: aux/broccoli policy.old/alarm.bro policy/all.bro policy/bro.init policy/frameworks/notice/weird.bro policy/notice.bro src/SSL-binpac.cc src/bro.bif src/main.cc
82 lines
2.4 KiB
Text
82 lines
2.4 KiB
Text
# $Id: brolite-sigs.bro 3856 2006-12-02 00:18:57Z vern $
|
|
|
|
# Bro Lite signature configuration file
|
|
|
|
# General policy - these scripts are more infrastructural than service
|
|
# oriented, so in general avoid changing anything here.
|
|
|
|
# Set global constant. This can be used in ifdef statements to determine
|
|
# if signatures are enabled.
|
|
const use_signatures = T;
|
|
|
|
@load snort # basic definitions for signatures
|
|
@load signatures # the signature policy engine
|
|
@load sig-functions # addl. functions added for signature accuracy
|
|
@load sig-action # actions related to particular signatures
|
|
|
|
# Flag HTTP worm sources such as Code Red.
|
|
@load worm
|
|
|
|
# Do worm processing
|
|
redef notice_action_filters += { [RemoteWorm] = file_notice };
|
|
|
|
# Ports that need to be captured for signatures to see a useful
|
|
# cross section of traffic.
|
|
redef capture_filters += {
|
|
["sig-http"] =
|
|
"tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001",
|
|
["sig-ftp"] = "port ftp",
|
|
["sig-telnet"] = "port telnet",
|
|
["sig-portmapper"] = "port 111",
|
|
["sig-smtp"] = "port smtp",
|
|
["sig-imap"] = "port 143",
|
|
["sig-snmp"] = "port 161 or port 162",
|
|
["sig-dns"] = "port 53",
|
|
|
|
# rsh/rlogin/rexec
|
|
["sig-rfoo"] = "port 512 or port 513 or port 515",
|
|
|
|
# Range of TCP ports for general RPC traffic. This can also
|
|
# occur on other ports, but these should catch a lot without
|
|
# a major performance hit. We skip ports assosciated with
|
|
# HTTP, SSH and M$.
|
|
["sig-rpc"] = "tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139",
|
|
};
|
|
|
|
### Why is this called "tcp3"?
|
|
# Catch outbound M$ scanning. Returns filter listing local addresses
|
|
# along with the interesting ports.
|
|
function create_tcp3_filter(): string
|
|
{
|
|
local local_addrs = "";
|
|
local firsttime = T;
|
|
|
|
for ( l in local_nets )
|
|
{
|
|
if ( firsttime )
|
|
{
|
|
local_addrs = fmt("src net %s", l);
|
|
firsttime = F;
|
|
}
|
|
else
|
|
local_addrs = fmt("%s or src net %s", local_addrs, l);
|
|
}
|
|
|
|
local MS_scan_ports =
|
|
"dst port 135 or dst port 137 or dst port 139 or dst port 445";
|
|
|
|
if ( local_addrs == "" )
|
|
return MS_scan_ports;
|
|
else
|
|
return fmt("(%s) and (%s)", local_addrs, MS_scan_ports);
|
|
}
|
|
|
|
# Create and apply the filter.
|
|
redef capture_filters += { ["tcp3"] = create_tcp3_filter()};
|
|
|
|
# Turn on ICMP analysis.
|
|
redef capture_filters += { ["icmp"] = "icmp"};
|
|
|
|
# Load the addendum signatures. These are utility signatures that do not
|
|
# produce event messages.
|
|
redef signature_files += "sig-addendum";
|