[Bro] bro script looking for hacker keywords
Benson Mathews
benson.mathews at gmail.com
Fri Sep 4 06:33:46 PDT 2015
Hi,
I'm trying to write a bro script that would alert me whenever certain
hacker keywords are seen in the http traffic.
I found a bro script that captures the POST content and modified it a bit
to check for the keywords.
module HTTP;
export {
## The number of bytes that will be included in the http
## log from the client body.
const post_body_limit = 1024;
redef record Info += {
post_body: string &log &optional;
};
redef enum Notice::Type += {
Hack_keyword_match
};
}
event http_entity_data(c: connection, is_orig: bool, length: count, data:
string)
{
if ( is_orig && Site::is_local_addr(c$id$resp_h) &&
!(Site::is_local_addr(c$id$orig_h)) )
{
if (/******KEYWORDS TO MATCH******/ in data )
{
NOTICE([$note=Hack_keyword_match,
$msg=fmt("%s maybe attempting to
access/upload hack file on %s. data: %s", c$id$orig_h,c$id$resp_h , data),
$src=c$id$orig_h,
$sub="Hack keyword match",
$identifier=c$uid]);
if ( ! c$http?$post_body )
c$http$post_body = sub_bytes(data, 0,
post_body_limit);
else if ( |c$http$post_body| < post_body_limit )
c$http$post_body = string_cat(c$http$post_body,
sub_bytes(data, 0, post_body_limit-|c$http$post_body|));
}
}
}
I do see some positive alerts when hackers try to bruteforce a login with
passwords that match the keywords list, but I'm getting some false
positives when the http response is gzip encoded. Is there a function that
would decode the data, or another event I could use to achieve this...
Thanks,
Benson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150904/03792c3d/attachment.html
More information about the Bro
mailing list