[Bro] auth_bruteforcing.bro error

fatema bannatwala fatema.bannatwala at gmail.com
Wed Apr 5 07:32:21 PDT 2017


>if( c$http?$cluster_client_ip )
Though, I wonder if this condition is ever going to result in true...


On Wed, Apr 5, 2017 at 9:49 AM, ps sunu <pssunu6 at gmail.com> wrote:

> i cleared using below code
>
> if( c$http?$cluster_client_ip )
>
> On Wed, Apr 5, 2017 at 6:29 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> cluster_client_ip is the user defined field, http record doesn't have any
>> field name "cluster_client_ip".
>> I think what you want is c$http$id$orig_h , if that's what the purpose
>> of  cluster_client_ip is.
>> Also your host is "string" type, you can change it to "addr" type:
>>
>> Might wanna try something like:
>>
>> type Info: record {
>>         <snip>
>> *        host:              addr     &log &optional;*
>>         <snip>
>>     };
>>
>> SumStats::observe("http.auth_errors.attacker",
>>                                       [$host=c$http$id$orig_h],
>>                                       []);
>>
>> Also, not sure how this part is working(As c doesn't have "conn" field as
>> well.):
>>
>> if ( c?$conn )
>>                         SumStats::observe("http.auth_errors.victim",
>>                                           [$host=c$conn$id$resp_h],
>>                                           []);
>>
>>
>>
>> On Wed, Apr 5, 2017 at 8:23 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>
>>>
>>>
>>>  I am using below code while running this i am getting below  error from
>>> below area
>>>
>>>
>>> *if(!auth_success) {*
>>> *                    SumStats::observe("http.auth_errors.attacker",*
>>> *
>>> [$host=to_addr(c$http$cluster_client_ip)],*
>>> *                                      []);*
>>> *                    if ( c?$conn )*
>>>
>>> error
>>>
>>>
>>> *field value missing [AuthBruteforcing::c$http$cluster_client_ip]*
>>> code
>>>
>>> @load base/frameworks/notice
>>> @load base/frameworks/sumstats
>>> @load base/protocols/http
>>>
>>> module AuthBruteforcing;
>>>
>>> export {
>>>     redef enum Notice::Type += {
>>>         ## Indicates that a host performing HTTP requests leading to
>>> ## excessive HTTP auth errors was detected.
>>>         HTTP_AuthBruteforcing_Attacker,
>>>         ## Indicates that a host was seen to respond excessive HTTP
>>>         ## auth errors. This is tracked by IP address as opposed to
>>>         ## hostname.
>>>         HTTP_AuthBruteforcing_Victim,
>>>     };
>>>
>>>     # Let's tag the http item
>>>     redef enum HTTP::Tags += {
>>>         ## HTTP status code 401, describing a HTTP auth error
>>>         HTTP_AUTH_ERROR,
>>>         ## HTTP describing a successful HTTP auth
>>>         HTTP_AUTH_SUCCESS,
>>>     };
>>>
>>>     redef enum Log::ID += { LOG };
>>>
>>>     type Info: record {
>>>         ts:                time        &log;
>>>         uid:               string      &log;
>>>         id:                conn_id     &log &optional;
>>>         cluster_client_ip: string      &log &optional;
>>>         status_code:       count       &log &optional;
>>>         host:              string      &log &optional;
>>>         uri:               string      &log &optional;
>>>         username:          string      &log &optional;
>>>         auth_success:      bool        &log &optional;
>>>     };
>>>
>>>     global log_auth: event(rec: Info);
>>>
>>>     ## Defines the threshold that determines if a auth bruteforcing
>>> attack
>>>     ## is ongoing based on the number of requests that appear to be
>>>     ## attacks.
>>>     const auth_errors_threshold: double = 50.0 &redef;
>>>
>>>     ## Interval at which to watch for the
>>>     ## :bro:id:`AuthBruteforcing::auth_errors_requests_threshold`
>>> variable to be crossed.
>>>     ## At the end of each interval the counter is reset.
>>>     const auth_errors_interval = 5min &redef;
>>>
>>>     ## Interval at which to watch for the
>>>     ## :bro:id:`AuthBruteforcing::excessive_auth_errors_threshold`
>>> variable to be
>>>     ## crossed. At the end of each interval the counter is reset.
>>>     const excessive_auth_errors_interval = 1min &redef;
>>>
>>>     const internal_space: subnet = 10.0.0.0/8 &redef;
>>>     const public_space: subnet = 63.245.208.0/20 &redef;
>>>
>>>     const ignore_host_resp: set[addr] = { } &redef;
>>>     const ignore_host_orig: set[addr] = { } &redef;
>>> }
>>>
>>> event bro_init() &priority=3
>>> {
>>>     # Create auth_bruteforcing.log
>>>     Log::create_stream(AuthBruteforcing::LOG, [$columns=Info,
>>> $ev=log_auth]);
>>>
>>>     # HTTP auth errors for requests FROM the same host
>>>     local r1: SumStats::Reducer = [$stream="http.auth_errors.attacker",
>>> $apply=set(SumStats::SUM)];
>>>     SumStats::create([$name="auth-http-errors-attackers",
>>>                       $epoch=auth_errors_interval,
>>>                       $reducers=set(r1),
>>>                       $threshold_val(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>>                           return result["http.auth_errors.attac
>>> ker"]$sum;
>>>                       },
>>>                       $threshold=auth_errors_threshold,
>>>                       $threshold_crossed(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>>                           NOTICE([$note=HTTP_AuthBruteforcing_Attacker,
>>>                                   $msg=fmt("HTTP auth bruteforcing from
>>> attacker %s", key$host),
>>>                                   $sub=fmt("%.0f auth failed in %s",
>>> result["http.auth_errors.attacker"]$sum, auth_errors_interval),
>>>                                   $src=key$host,
>>>                                   $n=to_count(fmt("%.0f",
>>> result["http.auth_errors.attacker"]$sum))
>>>                           ]);
>>>                       }]);
>>>
>>>     # HTTP errors for requests TO the same host
>>>     local r2: SumStats::Reducer = [$stream="http.auth_errors.victim",
>>> $apply=set(SumStats::SUM)];
>>>     SumStats::create([$name="auth-http-errors-victims",
>>>                       $epoch=auth_errors_interval,
>>>                       $reducers=set(r2),
>>>                       $threshold_val(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>>                           return result["http.auth_errors.victim"]$sum;
>>>                       },
>>>                       $threshold=auth_errors_threshold,
>>>                       $threshold_crossed(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>>                           NOTICE([$note=HTTP_AuthBruteforcing_Victim,
>>>                                   $msg=fmt("HTTP auth bruteforcing to
>>> victim %s", key$host),
>>>                                   $sub=fmt("%.0f auth failed in %s",
>>> result["http.auth_errors.victim"]$sum, auth_errors_interval),
>>>                                   $src=key$host,
>>>                                   $n=to_count(fmt("%.0f",
>>> result["http.auth_errors.victim"]$sum))
>>>                           ]);
>>>                       }]);
>>> }
>>>
>>> # Make sure we have all the http info before looking for auth errors
>>> event http_message_done(c: connection, is_orig: bool, stat:
>>> http_message_stat)
>>> {
>>>     # only conns we want
>>>     local ports_ext: set[port] = { 80/tcp };
>>>     local ports_int: set[port] = { 80/tcp, 81/tcp, 443/tcp };
>>>
>>>     if (c$id$resp_h in ignore_host_resp)
>>>         return;
>>>     if (c$id$orig_h in ignore_host_orig)
>>>    return;
>>>
>>>     if (((c$id$resp_h in internal_space) && (c$id$resp_p in ports_int))
>>> || ((c$id$resp_h in public_space) && (c$id$resp_p in ports_ext))) {
>>>
>>>             if (c$http?$username && c$http?$status_code) {
>>>                 local auth_success : bool = T;
>>>                 if (c$http$status_code == 401) {
>>>                     auth_success = F;
>>>                     add c$http$tags[HTTP_AUTH_ERROR];
>>>                 }
>>>                 else if (c$http$status_code < 400) {
>>>                     auth_success = T;
>>>                     add c$http$tags[HTTP_AUTH_SUCCESS];
>>>                 }
>>>                 if(!auth_success) {
>>>                     SumStats::observe("http.auth_errors.attacker",
>>>                                       [$host=to_addr(c$http$cluster_
>>> client_ip)],
>>>                                       []);
>>>                     if ( c?$conn )
>>>                         SumStats::observe("http.auth_errors.victim",
>>>                                           [$host=c$conn$id$resp_h],
>>>                                           []);
>>>                 }
>>>             }
>>>         }
>>> }
>>>
>>>
>>>
>>> https://github.com/michalpurzynski/bro-gramming/blob/ae37c0d
>>> 6bfc62e25a797426d6791cf340b045d17/auth_bruteforcing.bro
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170405/ef5a5772/attachment-0001.html 


More information about the Bro mailing list