update to code-red.bro to detect today's new worm

Vern Paxson vern at aciri.org
Tue Sep 18 10:13:37 PDT 2001


The appended version calls it "Code Red type 3", though that's a misnomer.
However, I thought I should get this out pronto and worry about getting
the name right later.

		Vern


@load site

# Site-specific address space.  Uncomment and edit to list your own /16
# and /24 networks; these are presumably what is_local_addr() (used by
# the handler below) consults.
# redef local_16_nets = { 128.3.0.0, 131.243.0.0, };
# redef local_24_nets = { 1.2.3.0, };

# Capture only the client->server half of HTTP traffic: enough to see
# request URIs, at the cost of never seeing the server's reply (hence the
# empty conn_weird handler further down).
redef capture_filter += "tcp dst port 80";

# redef sensitive_URIs += /root\.exe/;

# One counter per source address for each probe type (1 = "N"-padded
# .ida/.idq overflow, 2 = "X"-padded, 3 = /scripts/root.exe tftp fetch).
# Entries are only ever incremented and carry no expiration, so each table
# retains every source seen since startup.
global code_red_list1: table[addr] of count &default=0;
global code_red_list2: table[addr] of count &default=0;
global code_red_list3: table[addr] of count &default=0;

# Destination for first-seen worm sources and unrecognized default.ida
# probes.
global code_red_log = open_log_file("code-red") &redef;

# Optional external programs, run via system() with the offending source
# address as their single argument the first time a local/remote source is
# seen exhibiting a given type.  Left empty, nothing is executed.  They
# are invoked only when reading live traffic, never when replaying traces.
global local_code_red_response_pgm = "" &redef;
global remote_code_red_response_pgm = "" &redef;

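# Classify worm probes seen in HTTP request URIs and log (and optionally
# react to) the first probe of each type from a given source address.
#
# Type 1 and type 2 are the two .ida/.idq overflow variants, told apart by
# the padding byte in the URI ("N" vs "X").  "Type 3" is a misnomer (see
# the post above) for the worm first seen 2001-09-18; it is matched here
# only by its "/scripts/root.exe?/c+tftp" fetch, so other request paths
# that worm may use are not recognized by this handler.
#
# CAUTION: capture_filter above captures only the client side of each
# connection, so a request is reported -- and the response program run --
# on the strength of client-to-server packets alone, with no confirmation
# from the server side.  A spoofed source address can therefore make the
# response program act against a third party; whatever that program does
# (blocking, for instance) should be safe to apply to an innocent host.
#
# Fix relative to the posted version: src was declared inside the first
# branch, so the "unknown default.ida probe" message in the else-branch
# referenced a local that had never been assigned.  It is now set once, up
# front, for both branches.
event http_request(c: connection, request: string, URI: string)
	{
	# Originating address of the request; used by both branches below.
	local src = c$id$orig_h;

	if ( /(\.id[aq]\?.*(NNNNNNNNNNNNN|XXXXXXXXXXXXX))|(\/scripts\/root\.exe\?\/c\+tftp)/ in URI )
		{
		local is_local = is_local_addr(src);
		local where = is_local ? "local" : "remote";

		# External response programs run only on live traffic, never
		# when replaying a trace.
		local live = reading_live_traffic();

		# Becomes 1/2/3 the first time this source exhibits type
		# I/II/III; stays 0 for a source already recorded for that type.
		local new_CR_type = 0;

		if ( /NNNNNNNNNNNNN/ in URI )
			{
			if ( ++code_red_list1[src] == 1 )
				new_CR_type = 1;
			}

		else if ( /XXXXXXXXXXXXX/ in URI )
			{
			if ( ++code_red_list2[src] == 1 )
				new_CR_type = 2;
			}

		else
			{
			# Anything else that matched the outer pattern is the
			# root.exe/tftp probe.
			if ( ++code_red_list3[src] == 1 )
				new_CR_type = 3;
			}

		if ( new_CR_type != 0 )
			{
			# First time we've seen this source with this type.
			# The response program receives src (an addr, rendered
			# as a plain dotted quad) as its only argument; the
			# program path itself is operator-configured via redef.

			if ( is_local )
				{
				log fmt("local Code Red %d worm source: %s",
					new_CR_type, src);

				if ( live && local_code_red_response_pgm != "" )
					system(fmt("%s %s",
						local_code_red_response_pgm,
						src));
				}

			else
				if ( live && remote_code_red_response_pgm != "" )
					system(fmt("%s %s",
						remote_code_red_response_pgm,
						src));

			print code_red_log,
				fmt("%.6f %s Code Red %d worm source: %s",
					network_time(),
					where, new_CR_type, src);
			}
		}

	else if ( /default\.ida..../ in URI )
		# Not one of the known patterns.  Note that the raw URI is
		# written to the log exactly as received from the client;
		# anything consuming this log should treat it as untrusted.
		print code_red_log,
			fmt("%.6f unknown default.ida probe from: %s (%s)",
				network_time(), src, URI);
	}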

# Ignore "weird" events; we get some due to the capture_filter above that
# only captures the client side of an HTTP session.  Note that this empty
# handler suppresses every conn_weird event for this policy, not only the
# capture-induced ones.
event conn_weird(name: string, c: connection)
	{
	# Intentionally empty: discards all conn_weird events -- not just the
	# ones caused by seeing only the client half of each HTTP session.
	}


