[Bro-Dev] bloomfilter_counting_init parameterization ?

Aashish Sharma asharma at lbl.gov
Mon May 9 11:26:24 PDT 2016 

Nevermind my email!

I found: src/probabilistic/cardinality-counter.bif

Thanks,
Aashish



On Mon, May 9, 2016 at 2:29 AM, Aashish Sharma <asharma at lbl.gov> wrote:
> Matthias,
>
> I am encountering some big tables in my scan-detection heuristics and which grow due to scanners:
>
> So was thinking of this possibility to use counting bloomfilters instead of tables and sets. After-all we are still looking for cardinality of tables and sets for identifying scanners.
>
> for example:
>
> 1) global distinct_peers: table[addr] of set[addr]
>
> then ....
> .....
>
>         if ( orig !in distinct_peers )
>                 distinct_peers[orig] = set() &mergeable;
>
>         if ( resp !in distinct_peers[orig] )
>                 add distinct_peers[orig][resp];
>
>         local n = |distinct_peers[orig]|;
>
>
> and if  n > N - its a scanner !!!
>
>
> SO I was wondering can the following be somehow represented as combinations of counting bloomfilters:
>
>         1) global distinct_peers: table[addr] of set[addr]
>
>         and/or
>
>         2) global distinct_backscatter_peers: table[addr] of table[port] of set[addr]
>
> Aashish
>
>
> Here is an example proof-of-concept policy of what I am tryig to explore:
>
> ======================= bloom-scan.bro ==========
>
> module Scan;
>
> global src: opaque of bloomfilter ;
> global dst_port: opaque of bloomfilter ;
>
>
> event bro_init()
> {
>
>         src  =  bloomfilter_counting_init(3, 128, 100000000);
>         dst_port =  bloomfilter_counting_init(3, 128, 100000000);
> }
>
>
> function check_bloom (c: connection)
> {
>
>         local orig = c$id$orig_h;
>         local resp = c$id$resp_h ;
>         local resp_p = c$id$resp_p ;
>
>
>         if (resp_p == 40884/tcp || resp_p == 40876/tcp)
>                 return ;
>
>         bloomfilter_add (src, orig);
>         bloomfilter_add (dst_port, fmt("%s%s", resp, resp_p));
>
>
>         local src_counts =  bloomfilter_lookup(src, orig) ;
>         local dst_counts = bloomfilter_lookup(dst_port, fmt("%s%s", resp, resp_p)) ;
>
>         #### idea here is that a remote scanner is going to be hitting a lot of local hosts
>         #### so footprint (conn counts of the remote scanner) is going to be dis-propotionate to
>         ### footprint of local host+port
>
>         if (src_counts > 30 && dst_counts < 5)
>                 print fmt ("possible_scanner: %s -> %s on %s ( counts: %s, %s)", orig, resp, resp_p, src_counts, dst_counts);
>
>
> }
>
>
> event partial_connection(c: connection)
>        {
>        Scan::check_bloom(c);
>        }
>
> event connection_attempt(c: connection)
>        {
>        Scan::check_bloom(c);
>        }
>
> event connection_half_finished(c: connection)
>        {
>        # Half connections never were "established", so do scan-checking here.
>        Scan::check_bloom(c);
>        }
>
> event connection_rejected(c: connection)
>        {
>        Scan::check_bloom(c);
>        }
>
> event connection_reset(c: connection)
>        {
>                Scan::check_bloom(c);
>        }
>
> event connection_pending(c: connection)
>        {
>        if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
>                Scan::check_bloom(c);
>        }
>
>

More information about the bro-dev mailing list