[Bro] NAT detection (was: Re: Bro scripts)
Gregor Maier
gregor at icir.org
Sun Oct 31 15:38:46 PDT 2010
Hi,
I've played around with NAT detection based on user-agent strings and IP
TTL.
See http://www.icir.org/gregor/papers/gregor-phd.pdf, Chapter 4
cu
gregor
On 10/28/10 18:48 , Martin Holste wrote:
> That's pretty cool! I do have one suggestion, though: Instead of
> tracking by IP, how about one cookie per user agent? That will help
> catch the side jacking when used under a NAT.
>
> On Thursday, October 28, 2010, Matthias Vallentin <vallentin at icir.org> wrote:
>>> I'm doing work on Bro's policy scripts for the next release and I want
>>> to find policy scripts floating around that can be shared and any
>>> helpful code snippets. Anything you can contribute would be greatly
>>> appreciated, thanks!
>>
>> The whole buzz about Firesheep caused me to hack up a sidejacking
>> detector. I haven't tested it because I literally wrote it 5 minutes
>> ago.
>>
>> Matthias
>>
>> Here is the code:
>>
>> @load http-request
>> @load http-reply
>>
>> module HTTP;
>>
>> export
>> {
>>     redef enum Notice += { CookieReuse };
>>
>>     # Number of distinct client addresses allowed per cookie.
>>     const max_cookies = 1 &redef;
>>
>>     # Entries expire this long after their last write.
>>     const cookie_expiration = 1 hr &redef;
>> }
>>
>> # For each cookie value, the set of client addresses that presented it.
>> global cookies: table[string] of set[addr] &write_expire = cookie_expiration;
>>
>> event http_header(c: connection, is_orig: bool, name: string, value: string)
>> {
>>     # We are only looking for session IDs in the client cookie header.
>>     if ( ! (is_orig && name == /[cC][oO][oO][kK][iI][eE]/) )
>>         return;
>>
>>     local client = c$id$orig_h;
>>     if ( value !in cookies )
>>         cookies[value] = set();
>>
>>     # Record the client for new and existing cookies alike; adding it only
>>     # on the else branch would leave the first client uncounted.
>>     add cookies[value][client];
>>
>>     if ( |cookies[value]| <= max_cookies )
>>         return;
>>
>>     NOTICE([$note=CookieReuse, $src=client,
>>             $msg=fmt("potential sidejacking by %s: cookie used by %d addresses",
>>                      client, |cookies[value]|)]);
>> }
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
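Added example, not code from the thread: the cookie-reuse check above reimplemented in plain Python (not a Bro script) over constructed sample requests, so the two keying choices discussed can be compared. `key_by_ua=False` keys clients by source IP as in Matthias's script; `key_by_ua=True` keys by (IP, User-Agent) as Martin suggests, which separates two browsers behind one NAT address. Expiry mimics `&write_expire`: the whole per-cookie entry is dropped once it has not been written for `expiration` seconds.

```python
class CookieReuseDetector:
    """Flag a Cookie header value presented by more than max_clients clients."""

    def __init__(self, key_by_ua=False, max_clients=1, expiration=3600.0):
        self.key_by_ua = key_by_ua        # key clients by (ip, ua) instead of ip
        self.max_clients = max_clients    # mirrors max_cookies in the Bro script
        self.expiration = expiration      # seconds, mirrors cookie_expiration = 1 hr
        self.cookies = {}                 # cookie value -> {"last_write", "clients"}

    def observe(self, ts, orig_h, user_agent, cookie):
        """Process one client request; return a notice string or None."""
        client = (orig_h, user_agent) if self.key_by_ua else orig_h
        entry = self.cookies.get(cookie)
        # &write_expire semantics: the whole entry goes if it is stale.
        if entry is None or ts - entry["last_write"] > self.expiration:
            entry = {"last_write": ts, "clients": set()}
            self.cookies[cookie] = entry
        entry["last_write"] = ts
        entry["clients"].add(client)       # new and existing cookies alike
        n = len(entry["clients"])
        if n <= self.max_clients:
            return None
        return f"potential sidejacking by {client}: cookie used by {n} clients"


# Constructed sample requests: (timestamp, client IP, User-Agent, Cookie header).
# Two browsers share NAT address 10.0.0.5; the second one reuses the first's
# session cookie, then a third host reuses it, then the cookie reappears after
# the expiry window has passed.
SAMPLE_REQUESTS = [
    (0.0,    "10.0.0.5",  "Mozilla/5.0 (X11; Linux)", "session=abc123"),
    (10.0,   "10.0.0.5",  "Mozilla/5.0 (X11; Linux)", "session=abc123"),
    (20.0,   "10.0.0.5",  "Mozilla/5.0 (Windows)",    "session=abc123"),  # reuse behind NAT
    (30.0,   "10.0.0.9",  "Mozilla/5.0 (Macintosh)",  "session=abc123"),  # reuse from another IP
    (5000.0, "10.0.0.11", "Mozilla/5.0 (Macintosh)",  "session=abc123"),  # entry expired, no notice
]


def run(requests, key_by_ua):
    """Return the list of notices raised over the sample requests."""
    det = CookieReuseDetector(key_by_ua=key_by_ua)
    return [n for n in (det.observe(*r) for r in requests) if n]


if __name__ == "__main__":
    for key_by_ua in (False, True):
        print(f"key_by_ua={key_by_ua}: {run(SAMPLE_REQUESTS, key_by_ua)}")
```

Keyed by IP only, the reuse from the second browser behind the NAT is invisible and only the 10.0.0.9 request raises a notice; keyed by (IP, User-Agent) both reuses are caught.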