
- SSH::Login_From_Interesting_Hostname is now SSH::Interesting_Hostname_Login - Added some documentation.
##! This script will generate a notice if an apparent SSH login originates
##! or heads to a host with a reverse hostname that looks suspicious. By
##! default, the regular expression to match "interesting" hostnames includes
##! names that are typically used for infrastructure hosts like nameservers,
##! mail servers, web servers and ftp servers.
@load base/frameworks/notice
module SSH;
export {
	redef enum Notice::Type += {
		## Raised when either endpoint of an apparent SSH login has a
		## reverse hostname that matches the
		## :bro:id:`interesting_hostnames` pattern.
		Interesting_Hostname_Login,
	};

	## Hostname prefixes, optionally followed by a number and then a dot
	## (e.g. "ns2." or "mail01."), that usually belong to infrastructure
	## hosts rather than to interactive users. A successful SSH login from
	## or to such a host is worth a notice. The pattern can be extended or
	## replaced with redef to fit the local naming scheme.
	const interesting_hostnames = /^(d?ns|smtp|mail|pop|imap|www|ftp)[0-9]*\./ &redef;
}
# Runs for every connection the SSH analyzer's heuristic flags as a
# successful login. Both endpoints are resolved via reverse DNS and a
# notice is raised for each one whose name matches interesting_hostnames.
event SSH::heuristic_successful_login(c: connection)
	{
	# Using a set means that an originator and responder with the same
	# address are looked up only once.
	local endpoints = set(c$id$orig_h, c$id$resp_h);

	for ( endpoint in endpoints )
		{
		# lookup_addr() is asynchronous: the body below runs when the
		# reverse DNS answer for this endpoint arrives, not while the
		# loop itself executes.
		when ( local rdns = lookup_addr(endpoint) )
			{
			if ( interesting_hostnames in rdns )
				{
				# NOTE(review): no $identifier is set, so the notice
				# framework's duplicate suppression presumably does not
				# apply to repeated logins from the same host -- confirm.
				NOTICE([$note=Interesting_Hostname_Login,
				        $msg=fmt("Interesting login from hostname: %s", rdns),
				        $sub=rdns,
				        $conn=c]);
				}
			}
		}
	}