Commits on Nov 24, 2012
  1. Retire Facebook chat script.

    Since Facebook recently switched to HTTPS only, this script no longer works on
    live traffic. It is still available as separate gist for educational purposes:
    
        https://gist.github.com/4141216
    
    Closes #1.
Commits on Dec 1, 2011
  1. Add meta.bro for event profiling.

    This script is intended for profiling the event load. It only works in the
    branch topic/matthias/meta-analysis. See the comments in the file for details.
Commits on Nov 27, 2011
  1. Improve the Duqu detector.

    The previous version of the detector incorrectly handled the http_request event
    and tried to use yet unpopulated fields of c$http in there, such as
    request_body_len or the cookie value. Now we process the http message in the
    event http_message_done to make sure that the message contains all the
    necessary fields.
    
    Based on the log files from CrySys Lab, it seems that the POST occurs before
    the initial JPEG GET, as reported in the Symantec report. However, this could
    just be a capturing artefact, which is why the detector's state machine still
    uses the JPEG GET request as prerequisite event before the POST. If other
    traces confirm that the GET and POST are decoupled, it makes sense to decouple
    the state machine.
Commits on Nov 10, 2011
  1. Update README.

  2. Update README.

Commits on Nov 9, 2011
  1. Fix whitespace via :retab.

  2. Add a rough Duqu detector.

    This script is based on Symantec's description of Duqu's network behavior, as
    described in http://bit.ly/duqu-analysis. It implements a small state machine
    that tracks Duqu's HTTP request/response behavior. Currently, it does not track
    the SMB C&C behavior. If you have a sample trace of Duqu, please contact me so
    that I can improve it.
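The state machine described in the Nov 9 and Nov 27 commit messages above, modelled as an added Python example that is not the repository's Bro script: the handler names mirror Bro's http_request, http_reply, http_entity_data and http_message_done events, but the record fields, handler signatures and the event sequence fed in are constructed assumptions. It shows why evaluating at message_done works while the retired http_request-time check never could.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the c$http fields the detector reads; not Bro's real record.
@dataclass
class HttpState:
    method: str = ""
    request_body_len: int = 0  # grows as body chunks arrive; final only at message_done
    reply_mime: str = ""       # Content-Type of the server reply

@dataclass
class Conn:
    http: HttpState = field(default_factory=HttpState)
    phase: str = "start"       # detector state: start -> jpeg_seen -> alerted
    premature_hits: int = 0    # how often the retired http_request-time check fired

def http_request(c, method):
    """Fires on the request line only: no body has been parsed yet."""
    c.http = HttpState(method=method)
    # Retired check: request_body_len is still 0 here, so a POST with a body is never seen.
    if c.phase == "jpeg_seen" and method == "POST" and c.http.request_body_len > 0:
        c.premature_hits += 1

def http_entity_data(c, nbytes):
    c.http.request_body_len += nbytes

def http_reply(c, mime):
    c.http.reply_mime = mime

def http_message_done(c, is_orig):
    """Detector step, taken once the whole message and its fields are available."""
    h = c.http
    if not is_orig and c.phase == "start" and h.method == "GET" and h.reply_mime == "image/jpeg":
        c.phase = "jpeg_seen"  # prerequisite: the JPEG fetch completed
    elif is_orig and c.phase == "jpeg_seen" and h.method == "POST" and h.request_body_len > 0:
        c.phase = "alerted"    # POST carrying a body after the JPEG GET
    return c.phase

HANDLERS = {"request": http_request, "entity_data": http_entity_data,
            "reply": http_reply, "message_done": http_message_done}

def replay(events):
    # Feed one connection's constructed event sequence; return (phase, premature_hits).
    c = Conn()
    for name, *args in events:
        HANDLERS[name](c, *args)
    return c.phase, c.premature_hits

# Constructed event order matching the commit message: JPEG GET, then a POST with a body.
SAMPLE = [("request", "GET"), ("message_done", True), ("reply", "image/jpeg"), ("message_done", False),
          ("request", "POST"), ("entity_data", 512), ("message_done", True)]
```

`replay(SAMPLE)` returns `('alerted', 0)`: the alert is raised at message_done, and the request-time check never fires because the body length is not yet known there.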
Commits on Nov 4, 2011
  1. Tweak JSON value extraction.

Commits on Nov 3, 2011
  1. Nitpick on wording.

  2. Update Facebook webchat analyzer for Bro 2.x.

    This revamped version of facebook.bro uses the new bodies.bro script to keep
    track of HTTP bodies. The previous version had a tightly coupled implementation
    of the two rather disjoint concepts. Now, facebook.bro is much cleaner and
    focuses only on the tasks it needs to get done, which is parsing HTTP bodies.
    
    With the new Bro 2.x logging framework, the output of this script is now a
    separate stream that logs into facebook.log. Here is some example output:
    
        #separator \x09
        #path   facebook
        #fields timestamp       chat_from       chat_to chat_msg
        #types  string  string  string  string
        1303218454567   Mondo Cheeze    Udder Kaos      So I need the URL, dude.  What is it?
        1303218465938   Udder Kaos      Mondo Cheeze    the URL?
        1303218474259   Mondo Cheeze    Udder Kaos      Yeah for the secret image
        1303218481721   Udder Kaos      Mondo Cheeze    ok lemme see
        ...
Commits on Jul 12, 2011
Commits on Jun 14, 2011
  1. Initial import.