[Bro] auth_bruteforcing.bro error
fatema bannatwala
fatema.bannatwala at gmail.com
Wed Apr 5 05:59:01 PDT 2017
cluster_client_ip is the user defined field, http record doesn't have any
field name "cluster_client_ip".
I think what you want is c$http$id$orig_h , if that's what the purpose of
cluster_client_ip is.
Also your host is "string" type, you can change it to "addr" type:
Might wanna try something like:
type Info: record {
<snip>
* host: addr &log &optional;*
<snip>
};
SumStats::observe("http.auth_errors.attacker",
[$host=c$http$id$orig_h],
[]);
Also, not sure how this part is working(As c doesn't have "conn" field as
well.):
if ( c?$conn )
SumStats::observe("http.auth_errors.victim",
[$host=c$conn$id$resp_h],
[]);
On Wed, Apr 5, 2017 at 8:23 AM, ps sunu <pssunu6 at gmail.com> wrote:
>
>
> I am using below code while running this i am getting below error from
> below area
>
>
> *if(!auth_success) {*
> * SumStats::observe("http.auth_errors.attacker",*
> *
> [$host=to_addr(c$http$cluster_client_ip)],*
> * []);*
> * if ( c?$conn )*
>
> error
>
>
> *field value missing [AuthBruteforcing::c$http$cluster_client_ip]*
> code
>
> @load base/frameworks/notice
> @load base/frameworks/sumstats
> @load base/protocols/http
>
> module AuthBruteforcing;
>
> export {
> redef enum Notice::Type += {
> ## Indicates that a host performing HTTP requests leading to
> ## excessive HTTP auth errors was detected.
> HTTP_AuthBruteforcing_Attacker,
> ## Indicates that a host was seen to respond excessive HTTP
> ## auth errors. This is tracked by IP address as opposed to
> ## hostname.
> HTTP_AuthBruteforcing_Victim,
> };
>
> # Let's tag the http item
> redef enum HTTP::Tags += {
> ## HTTP status code 401, describing a HTTP auth error
> HTTP_AUTH_ERROR,
> ## HTTP describing a successful HTTP auth
> HTTP_AUTH_SUCCESS,
> };
>
> redef enum Log::ID += { LOG };
>
> type Info: record {
> ts: time &log;
> uid: string &log;
> id: conn_id &log &optional;
> cluster_client_ip: string &log &optional;
> status_code: count &log &optional;
> host: string &log &optional;
> uri: string &log &optional;
> username: string &log &optional;
> auth_success: bool &log &optional;
> };
>
> global log_auth: event(rec: Info);
>
> ## Defines the threshold that determines if a auth bruteforcing attack
> ## is ongoing based on the number of requests that appear to be
> ## attacks.
> const auth_errors_threshold: double = 50.0 &redef;
>
> ## Interval at which to watch for the
> ## :bro:id:`AuthBruteforcing::auth_errors_requests_threshold`
> variable to be crossed.
> ## At the end of each interval the counter is reset.
> const auth_errors_interval = 5min &redef;
>
> ## Interval at which to watch for the
> ## :bro:id:`AuthBruteforcing::excessive_auth_errors_threshold`
> variable to be
> ## crossed. At the end of each interval the counter is reset.
> const excessive_auth_errors_interval = 1min &redef;
>
> const internal_space: subnet = 10.0.0.0/8 &redef;
> const public_space: subnet = 63.245.208.0/20 &redef;
>
> const ignore_host_resp: set[addr] = { } &redef;
> const ignore_host_orig: set[addr] = { } &redef;
> }
>
> event bro_init() &priority=3
> {
> # Create auth_bruteforcing.log
> Log::create_stream(AuthBruteforcing::LOG, [$columns=Info,
> $ev=log_auth]);
>
> # HTTP auth errors for requests FROM the same host
> local r1: SumStats::Reducer = [$stream="http.auth_errors.attacker",
> $apply=set(SumStats::SUM)];
> SumStats::create([$name="auth-http-errors-attackers",
> $epoch=auth_errors_interval,
> $reducers=set(r1),
> $threshold_val(key: SumStats::Key, result:
> SumStats::Result) = {
> return result["http.auth_errors.attacker"]$sum;
> },
> $threshold=auth_errors_threshold,
> $threshold_crossed(key: SumStats::Key, result:
> SumStats::Result) = {
> NOTICE([$note=HTTP_AuthBruteforcing_Attacker,
> $msg=fmt("HTTP auth bruteforcing from
> attacker %s", key$host),
> $sub=fmt("%.0f auth failed in %s",
> result["http.auth_errors.attacker"]$sum, auth_errors_interval),
> $src=key$host,
> $n=to_count(fmt("%.0f",
> result["http.auth_errors.attacker"]$sum))
> ]);
> }]);
>
> # HTTP errors for requests TO the same host
> local r2: SumStats::Reducer = [$stream="http.auth_errors.victim",
> $apply=set(SumStats::SUM)];
> SumStats::create([$name="auth-http-errors-victims",
> $epoch=auth_errors_interval,
> $reducers=set(r2),
> $threshold_val(key: SumStats::Key, result:
> SumStats::Result) = {
> return result["http.auth_errors.victim"]$sum;
> },
> $threshold=auth_errors_threshold,
> $threshold_crossed(key: SumStats::Key, result:
> SumStats::Result) = {
> NOTICE([$note=HTTP_AuthBruteforcing_Victim,
> $msg=fmt("HTTP auth bruteforcing to
> victim %s", key$host),
> $sub=fmt("%.0f auth failed in %s",
> result["http.auth_errors.victim"]$sum, auth_errors_interval),
> $src=key$host,
> $n=to_count(fmt("%.0f",
> result["http.auth_errors.victim"]$sum))
> ]);
> }]);
> }
>
> # Make sure we have all the http info before looking for auth errors
> event http_message_done(c: connection, is_orig: bool, stat:
> http_message_stat)
> {
> # only conns we want
> local ports_ext: set[port] = { 80/tcp };
> local ports_int: set[port] = { 80/tcp, 81/tcp, 443/tcp };
>
> if (c$id$resp_h in ignore_host_resp)
> return;
> if (c$id$orig_h in ignore_host_orig)
> return;
>
> if (((c$id$resp_h in internal_space) && (c$id$resp_p in ports_int)) ||
> ((c$id$resp_h in public_space) && (c$id$resp_p in ports_ext))) {
>
> if (c$http?$username && c$http?$status_code) {
> local auth_success : bool = T;
> if (c$http$status_code == 401) {
> auth_success = F;
> add c$http$tags[HTTP_AUTH_ERROR];
> }
> else if (c$http$status_code < 400) {
> auth_success = T;
> add c$http$tags[HTTP_AUTH_SUCCESS];
> }
> if(!auth_success) {
> SumStats::observe("http.auth_errors.attacker",
> [$host=to_addr(c$http$cluster_
> client_ip)],
> []);
> if ( c?$conn )
> SumStats::observe("http.auth_errors.victim",
> [$host=c$conn$id$resp_h],
> []);
> }
> }
> }
> }
>
>
>
> https://github.com/michalpurzynski/bro-gramming/blob/
> ae37c0d6bfc62e25a797426d6791cf340b045d17/auth_bruteforcing.bro
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170405/ec703a28/attachment-0001.html
More information about the Bro
mailing list