@@ -119,28 +119,31 @@ type track_count: record { index: count &default=0; }; +function default_track_count(a: addr): track_count + { + local x: track_count; + return x; + } + const default_notice_thresholds: vector of count = { - 20, 100, 1000, 10000, 100000, 1000000, 10000000, + 30, 100, 1000, 10000, 100000, 1000000, 10000000, } &redef; # This is total rip off from scan.bro, but placed in the global namespace # and slightly reworked to be easier to work with and more general. -function thresh_check(v: vector of count, tracker: track_count): bool +function check_threshold(v: vector of count, tracker: track_count): bool { if ( tracker$index <= |v| && tracker$n >= v[tracker$index] ) { ++tracker$index; return T; } - else - { - return F; - } + return F; } -function default_thresh_check(tracker: track_count): bool +function default_check_threshold(tracker: track_count): bool { - return thresh_check(default_notice_thresholds, tracker); + return check_threshold(default_notice_thresholds, tracker); } # This can be used for &default values on tables when the index is an addr. functions-ext.bro @@ -170,7 +170,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) & ++activity_counters[id$orig_h]$sql_injections$n; - if ( default_thresh_check(activity_counters[id$orig_h]$sql_injections) ) + if ( default_check_threshold(activity_counters[id$orig_h]$sql_injections) ) { NOTICE([$note=HTTP_SQL_Injection_Attack, $msg=fmt("SQL injection attack (n=%d): %s -> %s", @@ -185,7 +185,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) & sess_ext$force_log=T; add sess_ext$force_log_reasons["sql_injection_probe"]; - if ( default_thresh_check(activity_counters[c$id$orig_h]$sql_injection_probes) ) + if ( default_check_threshold(activity_counters[c$id$orig_h]$sql_injection_probes) ) { NOTICE([$note=HTTP_SQL_Injection_Heavy_Probing, $msg=fmt("Heavy probing from %s", id$orig_h), http-ext.bro @@ -27,8 +27,7 @@ event bro_init() "resp_h", "resp_p", "force_log_reasons", "method", "url", "referrer", - "user_agent", "proxied_for", - "force_log_reasons")); + "user_agent", "proxied_for")); # Set this log to always accept output because the POST logging # must be specifically enabled per-request anyway. logging.http-ext.bro @@ -22,8 +22,19 @@ export { const authentication_data_size = 5500 &redef; const guessing_timeout = 30 mins; + redef enum Notice += { + SSH_Login, + SSH_PasswordGuessing, + SSH_LoginByPasswordGuesser, + SSH_Login_From_Strange_Hostname, + SSH_Bytecount_Inconsistency, + }; + # Keeps count of how many rejections a host has had - global password_rejections: table[addr] of count &default=0 &write_expire=guessing_timeout; + global password_rejections: table[addr] of track_count + &default=default_track_count + &write_expire=guessing_timeout; + # Keeps track of hosts identified as guessing passwords global password_guessers: set[addr] &read_expire=guessing_timeout+1hr; @@ -49,14 +60,6 @@ export { # This is a table with orig subnet as the key, and subnet as the value. const ignore_guessers: table[subnet] of subnet &redef; - - redef enum Notice += { - SSH_Login, - SSH_PasswordGuessing, - SSH_LoginByPasswordGuesser, - SSH_Login_From_Strange_Hostname, - SSH_Bytecount_Inconsistency, - }; } # Examples for how to handle notices from this script. @@ -88,7 +91,7 @@ event check_ssh_connection(c: connection, done: bool) # If this is no longer a known SSH connection, just return. if ( c$id !in active_ssh_conns ) return; - + # If this is still a live connection and the byte count has not # crossed the threshold, just return and let the resheduled check happen later. if ( !done && c$resp$size < authentication_data_size ) @@ -99,7 +102,7 @@ event check_ssh_connection(c: connection, done: bool) # doesn't send back at least 50 bytes. if (c$resp$size < 50) return; - + local ssh_conn = active_ssh_conns[c$id]; local status = "failure"; local direction = is_local_addr(c$id$orig_h) ? "to" : "from"; @@ -113,20 +116,22 @@ event check_ssh_connection(c: connection, done: bool) if ( log_geodata_on_failure ) location = (direction == "to") ? lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h); + if ( c$id$orig_h !in password_rejections ) + password_rejections[c$id$orig_h] = default_track_count(c$id$orig_h); + # Track the number of rejections if ( !(c$id$orig_h in ignore_guessers && c$id$resp_h in ignore_guessers[c$id$orig_h]) ) - password_rejections[c$id$orig_h] += 1; + ++password_rejections[c$id$orig_h]$n; - if ( password_rejections[c$id$orig_h] > password_guesses_limit && - c$id$orig_h !in password_guessers ) + if ( default_check_threshold(password_rejections[c$id$orig_h]) ) { add password_guessers[c$id$orig_h]; NOTICE([$note=SSH_PasswordGuessing, $conn=c, $msg=fmt("SSH password guessing by %s", c$id$orig_h), - $sub=fmt("%d failed logins", password_rejections[c$id$orig_h]), - $n=password_rejections[c$id$orig_h]]); + $sub=fmt("%d failed logins", password_rejections[c$id$orig_h]$n), + $n=password_rejections[c$id$orig_h]$n]); } } # TODO: This is to work around a quasi-bug in Bro which occasionally @@ -137,15 +142,15 @@ event check_ssh_connection(c: connection, done: bool) status = "success"; location = (direction == "to") ? lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h); - if ( password_rejections[c$id$orig_h] > password_guesses_limit && + if ( password_rejections[c$id$orig_h]$n > password_guesses_limit && c$id$orig_h !in password_guessers) { add password_guessers[c$id$orig_h]; NOTICE([$note=SSH_LoginByPasswordGuesser, $conn=c, - $n=password_rejections[c$id$orig_h], + $n=password_rejections[c$id$orig_h]$n, $msg=fmt("Successful SSH login by password guesser %s", c$id$orig_h), - $sub=fmt("%d failed logins", password_rejections[c$id$orig_h])]); + $sub=fmt("%d failed logins", password_rejections[c$id$orig_h]$n)]); } local message = fmt("SSH login %s %s \"%s\" \"%s\" %f %f %s (triggered with %d bytes)", ssh-ext.bro 93b819b51912747623e65aea714a53be1b82199b Seth Hall hall.692@osu.edu http://github.com/sethhall/bro_scripts/commit/7d4f8eff57f1c3aff362a7db6982882ee4f61260 7d4f8eff57f1c3aff362a7db6982882ee4f61260 2009-11-02T19:28:06-08:00 2009-11-02T19:28:06-08:00 SSH now uses default_check_threshold Fixed a number of bugs. ec3025c1297d5c8ad67e4559b21e31ea0d3d3ff0 Seth Hall hall.692@osu.edu