[Bro] Bro scripts
Matthias Vallentin
vallentin at icir.org
Thu Oct 28 17:59:36 PDT 2010
> I'm doing work on Bro's policy scripts for the next release and I want
> to find policy scripts floating around that can be shared and any
> helpful code snippets. Anything you can contribute would be greatly
> appreciated, thanks!
The whole buzz about Firesheep caused me to hack up a sidejacking
detector. I haven't tested it because I literally wrote it 5 minutes
ago.
Matthias
Here is the code:
@load http-request
@load http-reply

module HTTP;

export
{
    redef enum Notice += { CookieReuse };

    # Maximum number of distinct client addresses allowed per cookie value.
    const max_cookies = 1 &redef;

    # How long an entry lives after its last write before it expires.
    const cookie_expiration = 1 hr &redef;
}

# Map each cookie value to the set of client addresses that presented it.
global cookies: table[string] of set[addr] &write_expire = cookie_expiration;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # We are only looking for session IDs in the client Cookie header.
    if (! (is_orig && name == /[cC][oO][oO][kK][iI][eE]/))
        return;

    local client = c$id$orig_h;

    # Create the entry on first sight, then always record this client
    # (adding only on the else branch would leave the first address
    # uncounted, so a second address would never push the set past 1).
    if (value !in cookies)
        cookies[value] = set();
    add cookies[value][client];

    if (|cookies[value]| <= max_cookies)
        return;

    NOTICE([$note=CookieReuse, $src=client,
            $msg=fmt("potential sidejacking by %s: cookie used by %d addresses",
                     client, |cookies[value]|)]);
}
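The same detection logic, as an added stand-alone Python re-implementation (not the Bro script above or anything from the Bro project) run over a constructed set of request records: it keys on the full Cookie header value exactly as the script does, emulates the table's write-expire window, and counts the first client so that a second address presenting the same cookie within the window raises the notice.

```python
# Constructed sample of client HTTP requests: (timestamp in seconds, client address, Cookie header).
# The cookie sid=abc123 is presented by two different addresses within the expiry window.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5", "sid=abc123; lang=en"),
    (10.0, "10.0.0.5", "sid=abc123; lang=en"),
    (20.0, "10.0.0.9", "sid=abc123; lang=en"),  # second address reusing the cookie -> notice
    (30.0, "10.0.0.7", "sid=zzz999"),            # unrelated session, single address
    (5000.0, "10.0.0.8", "sid=abc123; lang=en"), # beyond the window: treated as a fresh entry
]

MAX_COOKIES = 1            # mirrors max_cookies in the Bro script
COOKIE_EXPIRATION = 3600   # seconds; mirrors cookie_expiration = 1 hr


class SidejackDetector:
    """Tracks which client addresses presented each cookie value, with write-expire semantics."""

    def __init__(self, max_cookies=MAX_COOKIES, expiration=COOKIE_EXPIRATION):
        self.max_cookies = max_cookies
        self.expiration = expiration
        self.cookies = {}  # cookie header value -> (timestamp of last write, set of client addrs)

    def observe(self, ts, client, cookie_header):
        """Record one client Cookie header; return a notice string when the cookie
        is now seen from more than max_cookies distinct addresses, else None."""
        last_write, clients = self.cookies.get(cookie_header, (None, set()))
        # Emulate &write_expire: an entry not written within the window is discarded.
        if last_write is not None and ts - last_write > self.expiration:
            clients = set()
        clients.add(client)  # the first client is counted as well
        self.cookies[cookie_header] = (ts, clients)
        if len(clients) <= self.max_cookies:
            return None
        return "potential sidejacking by %s: cookie used by %d addresses" % (client, len(clients))


def run(requests):
    """Feed (ts, client, cookie_header) records through one detector; return the notices raised."""
    detector = SidejackDetector()
    notices = []
    for ts, client, header in requests:
        notice = detector.observe(ts, client, header)
        if notice is not None:
            notices.append(notice)
    return notices


if __name__ == "__main__":
    for line in run(SAMPLE_REQUESTS):
        print(line)
```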