[Bro] Bro scripts
Martin Holste
mcholste at gmail.com
Thu Oct 28 18:48:30 PDT 2010
That's pretty cool! I do have one suggestion, though: Instead of
tracking by IP, how about one cookie per user agent? That will help
catch the side jacking when used under a NAT.
On Thursday, October 28, 2010, Matthias Vallentin <vallentin at icir.org> wrote:
>> I'm doing work on Bro's policy scripts for the next release and I want
>> to find policy scripts floating around that can be shared and any
>> helpful code snippets. Anything you can contribute would be greatly
>> appreciated, thanks!
>
> The whole buzz about Firesheep caused me to hack up a sidejacking
> detector. I haven't tested it because I literally wrote it 5 minutes
> ago.
>
> Matthias
>
> Here is the code:
>
> @load http-request
> @load http-reply
>
> module HTTP;
>
> export
> {
>     redef enum Notice += { CookieReuse };
>
>     # Maximum number of distinct client addresses allowed per cookie.
>     const max_cookies = 1 &redef;
>
>     # Entries are expired this long after their last write.
>     const cookie_expiration = 1 hr &redef;
> }
>
>
> # Map each cookie value to the set of client addresses that presented it.
> global cookies: table[string] of set[addr] &write_expire = cookie_expiration;
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     # We are only looking for session IDs in the client cookie header.
>     if (! (is_orig && name == /[cC][oO][oO][kK][iI][eE]/))
>         return;
>
>     local client = c$id$orig_h;
>     if (value !in cookies)
>         cookies[value] = set();
>
>     # Always record the client, including the first one to present the cookie.
>     add cookies[value][client];
>
>     if (|cookies[value]| <= max_cookies)
>         return;
>
>     NOTICE([$note=CookieReuse, $src=client,
>             $msg=fmt("potential sidejacking by %s: cookie used by %d addresses",
>                      client, |cookies[value]|)]);
> }
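The detector from the quoted script, reimplemented in Python as an added example (not code from this thread or from Bro) so the logic can be exercised on constructed sample headers; it can key clients by source address as the script does, or by User-Agent as Martin suggests for NATed users. `SidejackDetector`, `run` and the sample records are assumed names and constructed data.

```python
from typing import Dict, List, Optional, Set

MAX_COOKIES = 1             # like `max_cookies`: distinct clients allowed to present one cookie
COOKIE_EXPIRATION = 3600.0  # like `cookie_expiration = 1 hr`, in seconds


class SidejackDetector:
    """key_by="addr" tracks clients by source IP as the script does;
    key_by="user_agent" tracks by User-Agent, Martin's suggestion for NATed clients."""

    def __init__(self, key_by: str = "addr") -> None:
        self.key_by = key_by
        self.cookies: Dict[str, Set[str]] = {}   # cookie value -> clients seen presenting it
        self.last_write: Dict[str, float] = {}   # emulates &write_expire on the Bro table
        self.notices: List[str] = []

    def _expire(self, now: float) -> None:
        for v in [v for v, t in self.last_write.items() if now - t > COOKIE_EXPIRATION]:
            del self.cookies[v], self.last_write[v]

    def http_header(self, ts: float, orig_h: str, user_agent: str, name: str, value: str) -> Optional[str]:
        """Feed one client request header; returns a notice string when the cookie is reused."""
        self._expire(ts)
        if name.lower() != "cookie":        # only the client Cookie header carries session IDs
            return None
        client = orig_h if self.key_by == "addr" else user_agent
        clients = self.cookies.setdefault(value, set())
        self.last_write[value] = ts
        clients.add(client)                 # always record the client, the first one included
        if len(clients) <= MAX_COOKIES:
            return None
        msg = (f"potential sidejacking by {client}: cookie used by "
               f"{len(clients)} distinct {self.key_by} values")
        self.notices.append(msg)
        return msg

# Constructed sample: two browsers behind NAT address 10.0.0.5 present the same cookie, then
# 10.0.0.9 presents it, and again more than an hour later after the table entry has expired.
SAMPLE = [
    (0.0, "10.0.0.5", "Firefox/3.6", "Cookie", "session=abc123"),
    (5.0, "10.0.0.5", "Firefox/3.6", "Host", "example.test"),
    (30.0, "10.0.0.5", "Safari/533", "Cookie", "session=abc123"),
    (60.0, "10.0.0.9", "Safari/533", "Cookie", "session=abc123"),
    (4000.0, "10.0.0.9", "Safari/533", "Cookie", "session=abc123"),
]

def run(key_by: str = "addr") -> SidejackDetector:
    det = SidejackDetector(key_by)
    for rec in SAMPLE:
        det.http_header(*rec)
    return det
```

Keyed by address the NATed reuse at t=30 is invisible and only 10.0.0.9 raises a notice; keyed by User-Agent the second browser behind the NAT is caught as well.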