Few questions...

Vern Paxson vern at icir.org
Thu Jul 25 00:17:14 PDT 2002


> Is there a main Bro web page? (besides Vern's homepage)  Anything like
> www.bro-ids.org?

Not yet.

The plan has long been to wait until the Bro manual is finished before
raising Bro's public profile.  But while the manual is about 2/3's done,
finding time to finish it off has proven difficult - I'm definitely
overcommitted on various projects .... :-(

> Does anyone keep a repository of modules, or is anyone writing/creating new
> bro modules?

I integrate modules sent by others.  There are a number of new ones that
we're using internally, and will be part of the next Bro alpha release,
scheduled for September.

> For instance the code red one could/should easily be modified
> for nimda or any other variant.  Anyone done this?

Yes, we use it for Code Red 1, Code Red 2, and Nimda.  A version was sent
to the mailing list on September 18 (same day Nimda was released).  I've
appended the current in-house version, for those interested.

> How many sites are actually using Bro?

I don't know.

> How many people are on this mailing list?

A bit over 200.

> From what experience I have using bro I think it's really good.  However, I
> see much more advancement/development on packages like Snort, which seem to
> have a much higher (more involved?) user community.

This certainly fits with the long-term plan.  The key has been waiting for
the right time to "go public", and my sense has been that that should wait
for the manual to be complete.  I've been trying to find a way to expedite
this; hearing from folks like you helps in this regard (others in the list,
please do let me know if you've checked out the current manual and do or
do not find the missing elements a significant hindrance).

		Vern


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

@load site

# Change these initializations to correspond to your own /16 and /24 nets.
# redef local_16_nets = { 128.3.0.0, 131.243.0.0, };
# redef local_24_nets = { 1.2.3.0, };

# redef capture_filter += "tcp dst port 80";

global worm_log = open_log_file("worm") &redef;

# Maps types of worms to URI patterns.
const worm_types: table[string] of pattern = {
	["Code Red 1"] = /\.id[aq]\?.*NNNNNNNNNNNNN/,
	["Code Red 2"] = /\.id[aq]\?.*XXXXXXXXXXXXX/,
	["Nimda"] = /\/scripts\/root\.exe\?\/c\+tftp/ |
			/\/MSADC\/root\.exe\?\/c\+dir/ |
			/cool\.dll.*httpodbc\.dll/,	# 29Oct01 Nimda variant
} &redef;

# Indexed by infectee.
global worm_list: table[addr] of count &default=0;

# Indexed by infectee and type of worm.
global worm_type_list: table[addr, string] of count &default=0;

# Invoked each time a new infectee (or a new type of worm for an existing
# infectee) is seen.  For the first instance of any type for a new infectee,
# two events will be generated, one with worm_type of "first instance",
# and another with the particular worm type.
global worm_infectee_seen: event(infectee: addr, is_local: bool, worm_type: string);

# Invoked whenever connection c has included a URI of worm type "worm_type".
event worm_instance(c: connection, worm_type: string)
	{
	local id = c$id;
	local src = id$orig_h;
	local is_local = is_local_addr(src);

	if ( ++worm_list[src] == 1 )
		event worm_infectee_seen(src, is_local, "first instance");

	if ( ++worm_type_list[src, worm_type] == 1 )
		event worm_infectee_seen(src, is_local, worm_type);
	}

event worm_infectee_seen(infectee: addr, is_local: bool, worm_type: string)
	{
	if ( worm_type == "first instance" )
		return;	# just do the reporting for the specific type

	local where = is_local ? "local" : "remote";
	local msg = fmt("%s %s worm source: %s", where, worm_type, infectee);

	if ( is_local )
		log msg;

	print worm_log, fmt("%.6f %s", network_time(), msg);
	}

event http_request(c: connection, request: string, URI: string)
	{
	# It's a pity to do this as a loop.  Better would be if Bro could
	# search the patterns as one large RE and note which matched.

	for ( wt in worm_types )
		if ( worm_types[wt] in URI )
			event worm_instance(c, wt);
	}


# Ignore "weird" events, we get some due to the capture_filter above that
# only captures the client side of an HTTP session.
event conn_weird(name: string, c: connection)
	{
	}
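The appended script's detection logic, replayed in Python over constructed request URIs as an added example (it is not Vern's code and not part of Bro): the same worm_types patterns, the per-infectee and per-(infectee, type) counters, and the "first instance" event that the reporting handler deliberately skips. The local nets and the sample source addresses are assumed values, not anything from the original message.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Stand-ins for the script's local_16_nets / local_24_nets (assumed values).
LOCAL_NETS = [ip_network("128.3.0.0/16"), ip_network("1.2.3.0/24")]

# The worm_types table from the Bro script; re.search mirrors Bro's unanchored "in".
WORM_TYPES = {
    "Code Red 1": re.compile(r"\.id[aq]\?.*NNNNNNNNNNNNN"),
    "Code Red 2": re.compile(r"\.id[aq]\?.*XXXXXXXXXXXXX"),
    "Nimda": re.compile(r"/scripts/root\.exe\?/c\+tftp|/MSADC/root\.exe\?/c\+dir"
                        r"|cool\.dll.*httpodbc\.dll"),
}

def detect(requests):
    """Replay (src, uri) pairs through the script's logic; return the
    (infectee, is_local, worm_type) triples worm_infectee_seen would get."""
    worm_list, worm_type_list, events = defaultdict(int), defaultdict(int), []
    for src, uri in requests:
        for wt, pat in WORM_TYPES.items():            # http_request: try every pattern
            if not pat.search(uri):
                continue
            is_local = any(ip_address(src) in net for net in LOCAL_NETS)
            worm_list[src] += 1                        # worm_instance: per-host count
            if worm_list[src] == 1:
                events.append((src, is_local, "first instance"))
            worm_type_list[(src, wt)] += 1             # and per (host, type) count
            if worm_type_list[(src, wt)] == 1:
                events.append((src, is_local, wt))
    return events

def report(events):
    # worm_infectee_seen: skip "first instance", format the rest as the script does.
    return [f"{'local' if is_local else 'remote'} {wt} worm source: {src}"
            for src, is_local, wt in events if wt != "first instance"]

# Constructed (source address, URI) pairs, not captured traffic.
SAMPLE_REQUESTS = [
    ("10.9.8.7", "/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN"),
    ("10.9.8.7", "/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN"),  # repeat: no new event
    ("128.3.4.5", "/scripts/root.exe?/c+tftp"),
    ("128.3.4.5", "/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXX"),
    ("172.16.0.2", "/index.html"),                          # benign: no match
]

if __name__ == "__main__":
    for line in report(detect(SAMPLE_REQUESTS)):
        print(line)
```

A second sighting of the same worm from the same host adds nothing, while a second worm type from a host already counted produces only the type-specific event, which is exactly the behaviour the two counters in the script encode.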
