Seth Hall created BIT-1339:
------------------------------

             Summary: Remove src and dst from notice
                 Key: BIT-1339
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall
            Assignee: Seth Hall


Email from Brian Kellog...

Related to this, I'm planning on deprecating $src and $dst from notices and 
removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts 
built into Bro.  Trying to get the generated NOTICE logs set correctly for ELSA 
to parse.  It is working but I'm not sure if I'm doing this the most Bro 
appropriate way.  Couple questions:

Is this the best way to accomplish this task?  Secondly, if advisable, how do 
we get these script changes incorporated into Bro base?  I'm not that 
experienced with git but willing to learn more if needed.  These changes were 
made, again, to benefit ELSA searching/grouping and for the Bro correlation 
script recently released.

Here's what I changed/added in some of the built-in detection scripts (lines with 
"+" are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
NOTICE([$note=Password_Guessing,
               $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
               $sub=sub_msg,
+               #$src=key$host,
+               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
               $identifier=cat(key$host)]);
}]);

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
NOTICE([$note=FTP::Bruteforcing,
+               #$src=key$host,
+               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
               $msg=message,
               $identifier=cat(key$host)]);
}]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
NOTICE([$note=SQL_Injection_Attacker,
               $msg="An SQL injection attacker was discovered!",
               $email_body_sections=vector(format_sqli_samples(r$samples)),
+               #$src=key$host,
+               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+               $sub=cat(format_sqli_samples(r$samples)),
               $identifier=cat(key$host)]);
}]);

…

NOTICE([$note=SQL_Injection_Victim,
               $msg="An SQL injection victim was discovered!",
               $email_body_sections=vector(format_sqli_samples(r$samples)),
+               #$src=key$host,
+               $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+               $sub=cat(format_sqli_samples(r$samples)),
               $identifier=cat(key$host)]);
}]);

/opt/bro/share/bro/policy/misc/scan.bro
NOTICE([$note=Address_Scan,
               #$src=key$host,
+               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+               #$p=to_port(key$str),
               $sub=side,
               $msg=message,
               $identifier=cat(key$host)]);
}]);

…

NOTICE([$note=Port_Scan,
               #$src=key$host,
+               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=to_addr(key$str),$resp_p=0/tcp],
+               #$dst=to_addr(key$str),
               $sub=side,
               $msg=message,
               $identifier=cat(key$host)]);
}]);

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
NOTICE([$note=Traceroute::Detected,
               $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+               #$src=src,
+               $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
               $identifier=cat(src,proto)]);
}]);
{quote}
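As an added illustration (not part of Seth's ticket, Brian's email, or any shipped Bro script), the following standalone Bro script applies the convention from the quoted changes: endpoints are carried in the notice's $id (a conn_id) instead of $src/$dst, with 0.0.0.0 and 0/tcp standing in for the side of a single-host notice that has no real peer, and a Notice::policy hook reads them back from n$id. The module name Demo, the notice types, and the helpers single_host_id and report_host are hypothetical names chosen here.

```bro
@load base/frameworks/notice

module Demo;

export {
    redef enum Notice::Type += {
        ## Hypothetical: raised for a connection whose endpoints are both known.
        SSH_Connection_Seen,
        ## Hypothetical: raised for a host when only one endpoint is known
        ## (e.g. the result of an aggregation over many connections).
        Host_Flagged,
    };
}

# Build a conn_id for a notice that has only one real endpoint. The unknown
# side is zeroed, matching the quoted detect-bruteforcing/scan changes, so
# downstream consumers always find id.orig_h / id.resp_h populated.
function single_host_id(h: addr, p: port): conn_id
    {
    return [$orig_h=h, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=p];
    }

# Raise a single-host notice without touching the deprecated $src field.
function report_host(h: addr, p: port, why: string)
    {
    NOTICE([$note=Host_Flagged,
            $msg=fmt("%s flagged: %s", h, why),
            $id=single_host_id(h, p),
            $identifier=cat(h, why)]);
    }

# When a full connection record is available, pass $conn; the notice
# framework fills in $id (and $uid) from it, so nothing is set by hand.
event connection_established(c: connection)
    {
    if ( c$id$resp_p == 22/tcp )
        NOTICE([$note=SSH_Connection_Seen,
                $msg=fmt("%s connected to SSH on %s", c$id$orig_h, c$id$resp_h),
                $conn=c,
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

# Consumers look at n$id rather than n$src / n$dst. Here every notice whose
# originator is inside an (assumed) local range is also logged.
hook Notice::policy(n: Notice::Info)
    {
    if ( n?$id && n$id$orig_h in 10.0.0.0/8 )
        add n$actions[Notice::ACTION_LOG];
    }

event bro_init()
    {
    # Constructed sample: one single-host notice with a zeroed responder.
    report_host(10.1.2.3, 22/tcp, "repeated failed logins");
    }
```

Because both code paths end up with $id populated, a consumer such as ELSA can group on id.orig_h and id.resp_h uniformly, which is the grouping problem the quoted changes set out to solve.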



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev