[Bro] http-ext-identified-files
Will
baxterw3232 at gmail.com
Fri Apr 1 11:20:33 PDT 2011
Hey Seth,
I recently updated one of our bro boxes focusing on http traffic with your
'ext' scripts. I am drawing a blank on a few things.
1. The old way of flagging via 'HTTP_WatchedMIMEType' appears to have gone
away in lieu of 'add si$tags["identified-files"];'
The new 'redef signature_files += "http-ext-identified-files.sig";' looks to
have replaced the magic_mime. I see that, by default, the file types in that
signature file are ignored.
For the time being, I have added the 'NOTICE' and 'HTTP_WatchedMIMEType'
back in because I really want email alerts for any watched_mime_types not
coming from a whitelisted location.
So, what is the correct way to generate alerts? My botched version is below.
2. By adding the 'NOTICE' back in below, I think I botched the 'add
si$tags["identified-files"];', because none of the files are getting logged
to the identified-files log.
Thanks in advance!
Will
-----------------------------------------------------
/trun/bro/site]# cat http-ext-identified-files.bro
@load global-ext
@load http-ext
@load http-reply
@load http-body
@load signatures
# Register the file-type signatures this script depends on. Only
# signatures whose id starts with "matchfile" are acted on by the
# signature_match handler further down.
redef signature_files += "http-ext-identified-files.sig";
module HTTP;
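export {
	redef enum Notice += {
		# Raised when the URL does not match the extension pattern
		# expected for the MIME type detected from the file contents
		# (see mime_types_extensions).
		HTTP_IncorrectFileType,
		# Raised when a file whose detected MIME type matches
		# watched_mime_types is fetched from a URL not covered by
		# ignored_urls.
		HTTP_WatchedMIMEType,
	};

	# MIME types that you'd like this script to identify and log.
	const watched_mime_types = /application\/x-dosexec/
	                         | /application\/x-executable/
	                         | /application\/octet-stream/
	                         | /application\/x-compressed/
	                         | /application\/x-gzip/ &redef;

	# URLs included here are not logged and notices are not thrown.
	# Each pattern is anchored at the scheme, and the host part uses
	# [^\/]* rather than .* so the match cannot run past the first "/"
	# into the path: with .* any URL whose *path* happened to contain
	# ".sun.com/" (or ".macromedia.com/") would also have been ignored.
	# Take care when defining regexes to not be overly broad.
	const ignored_urls =
	      /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/
	    | /^http:\/\/[^\/]*\.sun\.com\//
	    | /^http:\/\/[^\/]*\.macromedia\.com\//
	    | /^http:\/\/download\.microsoft\.com\//
	    | /^http:\/\/(platformdl\.|ardownload\.|fpdownload\.)adobe\.com\// &redef;

	# Regexes that *should* appear in the URL for specific MIME types.
	# HTTP_IncorrectFileType is thrown when the detected type is a key
	# here and its pattern does not match the URL.
	const mime_types_extensions: table[string] of pattern = {
		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
	} &redef;
}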
# Don't delete the http sessions at the end of the request!
# signature_match below looks the session up in conn_info by connection
# id, and (presumably) a file-type signature can only fire once reply
# data has been seen — confirm against http-ext.
redef watch_reply=T;

# Ignore the signatures used to match files.
# NOTE(review): this looks intended to stop the generic signature
# framework from reporting every "matchfile-" hit on its own, since
# signature_match below handles them — confirm against the signatures
# framework.
redef ignored_signatures += /^matchfile-/;
# This script uses the file tagging method to create a separate file.
event bro_init()
	{
	# Register the "identified-files" tag with the http-ext log so that
	# sessions tagged in signature_match (add si$tags["identified-files"])
	# are split out into their own log file.
	LOG::define_tag("http-ext", "identified-files");
	}
event signature_match(state: signature_state, msg: string, data: string)
	{
	# Only signatures matching file types are dealt with here.
	if ( /^matchfile/ !in state$id )
		return;

	# Nothing to do unless http-ext has a session record for this
	# connection.
	if ( state$conn$id !in conn_info )
		return;

	local si = conn_info[state$conn$id];

	# Record the detected type on the session whether or not the URL
	# turns out to be ignored below.
	si$mime_type = msg;

	# Whitelisted URL: no notice, no tag, no file_transferred event.
	if ( ignored_urls in si$url )
		return;

	local message = fmt("%s %s %s", msg, si$method, si$url);

	# Watched type from a non-ignored URL: raise the notice and tag the
	# session so it lands in the identified-files log.
	if ( watched_mime_types in msg )
		{
		NOTICE([$note=HTTP_WatchedMIMEType, $msg=message,
		        $conn=state$conn, $method=si$method, $URL=si$url]);
		add si$tags["identified-files"];
		}

	# Extension check: the detected type has an expected URL pattern
	# and the URL does not match it.
	if ( msg in mime_types_extensions && mime_types_extensions[msg] !in si$url )
		NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
		        $conn=state$conn, $method=si$method, $URL=si$url]);

	event file_transferred(state$conn, data, "", msg);
	}