# $Id: tftp.bro 4758 2007-08-10 06:49:23Z vern $
# Very simplistic - doesn't pick up the replies.
@load notice
@load udp-common
@load site
module TFTP;
export {
	redef enum Notice += {
		# Outbound TFTP seen: a local host sent a request to udp/69 on a
		# non-local server. Raised by udp_request, at most once per source
		# while that source's tftp_notice_count entry is live.
		OutboundTFTP,
	};
}
redef capture_filters += { ["tftp"] = "udp port 69" };
global tftp_notice_count: table[addr] of count &default = 0 &read_expire = 7 days;
# Raise OutboundTFTP the first time a local host is seen sending a TFTP
# request to a non-local server.
#
# Only requests addressed to udp/69 from an ephemeral (>= 1024) client
# port are considered; a request sent from a privileged source port is
# ignored. The notice fires only when the source's tftp_notice_count
# entry goes from 0 to 1, so later requests from the same host are
# silent until that entry expires.
event udp_request(u: connection)
	{
	# Not a TFTP request to the well-known port from an ephemeral port.
	if ( u$id$resp_p != 69/udp || u$id$orig_p < 1024/udp )
		return;

	local client = u$id$orig_h;
	local server = u$id$resp_h;

	# Only local -> external traffic is of interest here.
	if ( ! is_local_addr(client) || is_local_addr(server) )
		return;

	# Count every qualifying request, but notify only on the first one
	# seen for this client while its counter entry is live.
	if ( ++tftp_notice_count[client] == 1 )
		NOTICE([$note=OutboundTFTP, $conn=u,
			$msg=fmt("outbound TFTP: %s -> %s", client, server)]);
	}