[Bro] auth_bruteforcing.bro error
ps sunu
pssunu6 at gmail.com
Wed Apr 5 06:49:34 PDT 2017
I cleared it using the code below:
if( c$http?$cluster_client_ip )
On Wed, Apr 5, 2017 at 6:29 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> cluster_client_ip is a user-defined field; the http record doesn't have any
> field named "cluster_client_ip".
> I think what you want is c$http$id$orig_h, if that's what the purpose of
> cluster_client_ip is.
> Also, your host is of "string" type; you can change it to "addr" type:
>
> Might wanna try something like:
>
> type Info: record {
> <snip>
> host: addr &log &optional;
> <snip>
> };
>
> SumStats::observe("http.auth_errors.attacker",
> [$host=c$http$id$orig_h],
> []);
>
> Also, not sure how this part is working (as c doesn't have a "conn" field
> either):
>
> if ( c?$conn )
> SumStats::observe("http.auth_errors.victim",
> [$host=c$conn$id$resp_h],
> []);
>
>
>
> On Wed, Apr 5, 2017 at 8:23 AM, ps sunu <pssunu6 at gmail.com> wrote:
>
>>
>>
>> I am using the code below. While running it, I am getting the error below
>> from this area:
>>
>>
>> if(!auth_success) {
>> SumStats::observe("http.auth_errors.attacker",
>> [$host=to_addr(c$http$cluster_client_ip)],
>> []);
>> if ( c?$conn )
>>
>> Error:
>>
>> field value missing [AuthBruteforcing::c$http$cluster_client_ip]
>>
>> Code:
>>
>> @load base/frameworks/notice
>> @load base/frameworks/sumstats
>> @load base/protocols/http
>>
>> module AuthBruteforcing;
>>
>> export {
>> redef enum Notice::Type += {
>> ## Indicates that a host performing HTTP requests leading to
>> ## excessive HTTP auth errors was detected.
>> HTTP_AuthBruteforcing_Attacker,
>> ## Indicates that a host was seen to respond excessive HTTP
>> ## auth errors. This is tracked by IP address as opposed to
>> ## hostname.
>> HTTP_AuthBruteforcing_Victim,
>> };
>>
>> # Let's tag the http item
>> redef enum HTTP::Tags += {
>> ## HTTP status code 401, describing a HTTP auth error
>> HTTP_AUTH_ERROR,
>> ## HTTP describing a successful HTTP auth
>> HTTP_AUTH_SUCCESS,
>> };
>>
>> redef enum Log::ID += { LOG };
>>
>> type Info: record {
>> ts: time &log;
>> uid: string &log;
>> id: conn_id &log &optional;
>> cluster_client_ip: string &log &optional;
>> status_code: count &log &optional;
>> host: string &log &optional;
>> uri: string &log &optional;
>> username: string &log &optional;
>> auth_success: bool &log &optional;
>> };
>>
>> global log_auth: event(rec: Info);
>>
>> ## Defines the threshold that determines if a auth bruteforcing attack
>> ## is ongoing based on the number of requests that appear to be
>> ## attacks.
>> const auth_errors_threshold: double = 50.0 &redef;
>>
>> ## Interval at which to watch for the
>> ## :bro:id:`AuthBruteforcing::auth_errors_requests_threshold` variable to be crossed.
>> ## At the end of each interval the counter is reset.
>> const auth_errors_interval = 5min &redef;
>>
>> ## Interval at which to watch for the
>> ## :bro:id:`AuthBruteforcing::excessive_auth_errors_threshold` variable to be
>> ## crossed. At the end of each interval the counter is reset.
>> const excessive_auth_errors_interval = 1min &redef;
>>
>> const internal_space: subnet = 10.0.0.0/8 &redef;
>> const public_space: subnet = 63.245.208.0/20 &redef;
>>
>> const ignore_host_resp: set[addr] = { } &redef;
>> const ignore_host_orig: set[addr] = { } &redef;
>> }
>>
>> event bro_init() &priority=3
>> {
>> # Create auth_bruteforcing.log
>> Log::create_stream(AuthBruteforcing::LOG, [$columns=Info,
>> $ev=log_auth]);
>>
>> # HTTP auth errors for requests FROM the same host
>> local r1: SumStats::Reducer = [$stream="http.auth_errors.attacker",
>> $apply=set(SumStats::SUM)];
>> SumStats::create([$name="auth-http-errors-attackers",
>> $epoch=auth_errors_interval,
>> $reducers=set(r1),
>> $threshold_val(key: SumStats::Key, result:
>> SumStats::Result) = {
>> return result["http.auth_errors.attacker"]$sum;
>> },
>> $threshold=auth_errors_threshold,
>> $threshold_crossed(key: SumStats::Key, result:
>> SumStats::Result) = {
>> NOTICE([$note=HTTP_AuthBruteforcing_Attacker,
>> $msg=fmt("HTTP auth bruteforcing from attacker %s", key$host),
>> $sub=fmt("%.0f auth failed in %s",
>> result["http.auth_errors.attacker"]$sum, auth_errors_interval),
>> $src=key$host,
>> $n=to_count(fmt("%.0f",
>> result["http.auth_errors.attacker"]$sum))
>> ]);
>> }]);
>>
>> # HTTP errors for requests TO the same host
>> local r2: SumStats::Reducer = [$stream="http.auth_errors.victim",
>> $apply=set(SumStats::SUM)];
>> SumStats::create([$name="auth-http-errors-victims",
>> $epoch=auth_errors_interval,
>> $reducers=set(r2),
>> $threshold_val(key: SumStats::Key, result:
>> SumStats::Result) = {
>> return result["http.auth_errors.victim"]$sum;
>> },
>> $threshold=auth_errors_threshold,
>> $threshold_crossed(key: SumStats::Key, result:
>> SumStats::Result) = {
>> NOTICE([$note=HTTP_AuthBruteforcing_Victim,
>> $msg=fmt("HTTP auth bruteforcing to victim %s", key$host),
>> $sub=fmt("%.0f auth failed in %s",
>> result["http.auth_errors.victim"]$sum, auth_errors_interval),
>> $src=key$host,
>> $n=to_count(fmt("%.0f",
>> result["http.auth_errors.victim"]$sum))
>> ]);
>> }]);
>> }
>>
>> # Make sure we have all the http info before looking for auth errors
>> event http_message_done(c: connection, is_orig: bool, stat:
>> http_message_stat)
>> {
>> # only conns we want
>> local ports_ext: set[port] = { 80/tcp };
>> local ports_int: set[port] = { 80/tcp, 81/tcp, 443/tcp };
>>
>> if (c$id$resp_h in ignore_host_resp)
>> return;
>> if (c$id$orig_h in ignore_host_orig)
>> return;
>>
>> if (((c$id$resp_h in internal_space) && (c$id$resp_p in ports_int))
>> || ((c$id$resp_h in public_space) && (c$id$resp_p in ports_ext))) {
>>
>> if (c$http?$username && c$http?$status_code) {
>> local auth_success : bool = T;
>> if (c$http$status_code == 401) {
>> auth_success = F;
>> add c$http$tags[HTTP_AUTH_ERROR];
>> }
>> else if (c$http$status_code < 400) {
>> auth_success = T;
>> add c$http$tags[HTTP_AUTH_SUCCESS];
>> }
>> if(!auth_success) {
>> SumStats::observe("http.auth_errors.attacker",
>> [$host=to_addr(c$http$cluster_client_ip)],
>> []);
>> if ( c?$conn )
>> SumStats::observe("http.auth_errors.victim",
>> [$host=c$conn$id$resp_h],
>> []);
>> }
>> }
>> }
>> }
>>
>>
>>
>> https://github.com/michalpurzynski/bro-gramming/blob/ae37c0d6bfc62e25a797426d6791cf340b045d17/auth_bruteforcing.bro
>>
>>
>>
>>
>>
>>
>
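As an added example (not code from this thread or from the bro-gramming repository), the following Bro script shows how the cluster_client_ip field the posted script reads can be declared on HTTP::Info and populated, and how the `?$` test from the fix above guards that optional field before to_addr() is called. It assumes the "http.auth_errors.attacker" SumStats stream created by the posted script and that a load balancer in front of the monitored servers supplies the real client address in an X-Forwarded-For header; both are assumptions, not facts stated in the thread.

```bro
# Added example (not from the thread or the bro-gramming repo). Assumes the
# "http.auth_errors.attacker" SumStats stream created by the posted script,
# and that the real client address arrives in an X-Forwarded-For header
# added by a load balancer in front of the monitored web servers.
@load base/frameworks/sumstats
@load base/protocols/http

module AuthBruteforcing;

# Give HTTP::Info the field the posted script reads. Without this redef,
# c$http$cluster_client_ip does not exist and the access fails at runtime.
redef record HTTP::Info += {
    cluster_client_ip: string &log &optional;
};

# Header names are delivered upper-cased by the http_header event.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( ! c?$http || ! is_orig || name != "X-FORWARDED-FOR" )
        return;
    # The header may hold a comma-separated chain; the first entry is the
    # client as seen by the first proxy.
    local first = strip(split_string1(value, /,/)[0]);
    # Only accept a plain IPv4 literal so to_addr() never sees garbage
    # (== on a string and a pattern is an exact match in Bro).
    if ( first == /[0-9]{1,3}(\.[0-9]{1,3}){3}/ )
        c$http$cluster_client_ip = first;
    }

# Resolve the address a failed auth is attributed to. The field is &optional,
# so test it with ?$ first; fall back to the TCP originator otherwise.
function attacker_of(c: connection): addr
    {
    if ( c$http?$cluster_client_ip )
        return to_addr(c$http$cluster_client_ip);
    return c$id$orig_h;
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # The 401 status is carried by the reply, so only look at responder messages.
    if ( is_orig || ! c?$http || ! c$http?$status_code )
        return;
    if ( c$http$status_code == 401 )
        SumStats::observe("http.auth_errors.attacker",
                          [$host=attacker_of(c)], []);
    }
```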