[Bro] wordpress passive version/plugin tester

Scott Campbell scampbell at lbl.gov
Tue Jan 20 18:38:27 PST 2015


Given the breakneck patch cycle that WordPress and its mighty army of
plugins go through, I put together a quick bit of policy that will
look out for communications between the host and api.wordpress.com and
record all the relevant data.  This can probably be improved, but it
seems a nice place to start.

Code can be found here:
https://github.com/set-element/misc-scripts/blob/master/wordpress.bro

Sample software.log output looks like:

> nerscs-mbp:tmp scottc$ more software.log
> #separator \x09
> #set_separator	,
> #empty_field	(empty)
> #unset_field	-
> #path	software
> #open	2015-01-20-17-30-01
> #fields	ts	host	host_p	software_type	name	version.major	version.minor	version.minor2	version.minor3	version.addl	unparsed_version
> #types	time	addr	port	enum	string	count	count	count	count	string	string
> 1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_CORE	Wordpress	3	4	1	-	-	3.4.1
> 1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_APP	WP_PHP	5	3	3	-	-	5.3.3
> 1421262142.829722	10.10.10160	42440	WP_PARSE::WEB_WORDPRESS_APP	WP_MySQL	5	0	95	-	-	5.0.95
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Akismet	2	5	6	-	-	2.5.6
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Contact+Form+Plugin	3	23	-	-	-	3.23
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Custom+Meta+Widget	1	4	0	-	-	1.4.0
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Hello+Dolly	1	6	-	-	-	1.6
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Jetpack+by+WordPress.com	1	6	1	-	-	1.6.1
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	papercite	0	5	5	-	-	0.5.5
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Revision+Control	2	1	-	-	-	2.1
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	Ultimate+TinyMCE	3	0	-	-	-	3.0
> 1421262143.379851	10.10.10160	42441	WP_PARSE::WEB_WORDPRESS_PLUGIN	WordPress+Importer	0	6	-	-	-	0.6
> #close	2015-01-20-17-30-01

enjoy!
scott
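One way to consume the software.log records shown in the post, as an added example that is not part of the original message or of wordpress.bro: it parses the log by its #fields header and lists components older than a site baseline. The sample rows, the 192.0.2.10 host, the BASELINE values and the function names are constructed for illustration, and it assumes a '+' in a component name encodes a space.

```python
from urllib.parse import unquote_plus

# Constructed rows in the software.log layout from the post; placeholder host address.
SAMPLE_LOG = "\n".join([
    "#unset_field\t-",
    "#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\t"
    "version.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version",
    "1421262142.829722\t192.0.2.10\t42440\tWP_PARSE::WEB_WORDPRESS_CORE\tWordpress\t3\t4\t1\t-\t-\t3.4.1",
    "1421262143.379851\t192.0.2.10\t42441\tWP_PARSE::WEB_WORDPRESS_PLUGIN\tAkismet\t2\t5\t6\t-\t-\t2.5.6",
    "1421262143.379851\t192.0.2.10\t42441\tWP_PARSE::WEB_WORDPRESS_PLUGIN\tHello+Dolly\t1\t6\t-\t-\t-\t1.6",
])

# Hypothetical site policy (not real advisory data): lowest acceptable version.
BASELINE = {"Wordpress": (4, 1), "Akismet": (3, 0, 4), "Hello Dolly": (1, 6)}

def parse_software_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, unset, records = [], "-", []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            values = [None if v == unset else v for v in line.split("\t")]
            rec = dict(zip(fields, values))
            rec["name"] = unquote_plus(rec.get("name") or "")  # assumes '+' is a space
            records.append(rec)
    return records

def version_tuple(rec):
    """Numeric version parts, stopping at the first unset component."""
    parts = []
    for key in ("version.major", "version.minor", "version.minor2", "version.minor3"):
        if rec.get(key) is None:
            break
        parts.append(int(rec[key]))
    return tuple(parts)

def below_baseline(records, baseline=BASELINE):
    """Sorted (host, name, unparsed_version) for components older than the baseline."""
    return sorted({(r["host"], r["name"], r["unparsed_version"])
                   for r in records
                   if r["name"] in baseline and version_tuple(r) < baseline[r["name"]]})

if __name__ == "__main__":
    print(below_baseline(parse_software_log(SAMPLE_LOG)))
```

Components missing from the baseline are skipped rather than flagged, so the baseline has to list every plugin the site wants tracked.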