[Bro] bro script looking for hacker keywords

Benson Mathews benson.mathews at gmail.com
Fri Sep 4 06:33:46 PDT 2015


I'm trying to write a bro script that would alert me whenever certain
hacker keywords are seen in the http traffic.

I found a bro script that captures the POST content and modified it a bit
to check for the keywords.

module HTTP;

export {
        ## The number of bytes that will be included in the http
        ## log from the client body.
        const post_body_limit = 1024;

        redef record Info += {
                post_body: string &log &optional;
  redef enum Notice::Type += {

event http_entity_data(c: connection, is_orig: bool, length: count, data:
        if ( is_orig && Site::is_local_addr(c$id$resp_h) &&
!(Site::is_local_addr(c$id$orig_h))  )
                if (/******KEYWORDS TO MATCH******/ in data )
                                $msg=fmt("%s maybe attempting to
access/upload hack file on %s. data: %s", c$id$orig_h,c$id$resp_h , data),
                                $sub="Hack keyword match",

                if ( ! c$http?$post_body )
                        c$http$post_body = sub_bytes(data, 0,
                else if ( |c$http$post_body| < post_body_limit )
                        c$http$post_body = string_cat(c$http$post_body,
sub_bytes(data, 0, post_body_limit-|c$http$post_body|));

I do see some positive alerts when hackers try to bruteforce a login with
passwords that match the keywords list, but I'm getting some false
positives when the http response is gzip encoded. Is there a function that
would decode the data, or another event I could use to achieve this...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150904/03792c3d/attachment.html 

More information about the Bro mailing list