[Bro] auth_bruteforcing.bro error
ps sunu
pssunu6 at gmail.com
Wed Apr 5 06:50:51 PDT 2017
thanks
On Wed, Apr 5, 2017 at 7:19 PM, ps sunu <pssunu6 at gmail.com> wrote:
> i cleared using below code
>
> if( c$http?$cluster_client_ip )
>
> On Wed, Apr 5, 2017 at 6:29 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> cluster_client_ip is the user defined field, http record doesn't have any
>> field name "cluster_client_ip".
>> I think what you want is c$http$id$orig_h , if that's what the purpose
>> of cluster_client_ip is.
>> Also your host is "string" type, you can change it to "addr" type:
>>
>> Might wanna try something like:
>>
>> type Info: record {
>> <snip>
>> * host: addr &log &optional;*
>> <snip>
>> };
>>
>> SumStats::observe("http.auth_errors.attacker",
>> [$host=c$http$id$orig_h],
>> []);
>>
>> Also, not sure how this part is working(As c doesn't have "conn" field as
>> well.):
>>
>> if ( c?$conn )
>> SumStats::observe("http.auth_errors.victim",
>> [$host=c$conn$id$resp_h],
>> []);
>>
>>
>>
>> On Wed, Apr 5, 2017 at 8:23 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>
>>>
>>>
>>> I am using below code while running this i am getting below error from
>>> below area
>>>
>>>
>>> *if(!auth_success) {*
>>> * SumStats::observe("http.auth_errors.attacker",*
>>> *
>>> [$host=to_addr(c$http$cluster_client_ip)],*
>>> * []);*
>>> * if ( c?$conn )*
>>>
>>> error
>>>
>>>
>>> *field value missing [AuthBruteforcing::c$http$cluster_client_ip]*
>>> code
>>>
>>> @load base/frameworks/notice
>>> @load base/frameworks/sumstats
>>> @load base/protocols/http
>>>
>>> module AuthBruteforcing;
>>>
>>> export {
>>> redef enum Notice::Type += {
>>> ## Indicates that a host performing HTTP requests leading to
>>> ## excessive HTTP auth errors was detected.
>>> HTTP_AuthBruteforcing_Attacker,
>>> ## Indicates that a host was seen to respond excessive HTTP
>>> ## auth errors. This is tracked by IP address as opposed to
>>> ## hostname.
>>> HTTP_AuthBruteforcing_Victim,
>>> };
>>>
>>> # Let's tag the http item
>>> redef enum HTTP::Tags += {
>>> ## HTTP status code 401, describing a HTTP auth error
>>> HTTP_AUTH_ERROR,
>>> ## HTTP describing a successful HTTP auth
>>> HTTP_AUTH_SUCCESS,
>>> };
>>>
>>> redef enum Log::ID += { LOG };
>>>
>>> type Info: record {
>>> ts: time &log;
>>> uid: string &log;
>>> id: conn_id &log &optional;
>>> cluster_client_ip: string &log &optional;
>>> status_code: count &log &optional;
>>> host: string &log &optional;
>>> uri: string &log &optional;
>>> username: string &log &optional;
>>> auth_success: bool &log &optional;
>>> };
>>>
>>> global log_auth: event(rec: Info);
>>>
>>> ## Defines the threshold that determines if a auth bruteforcing
>>> attack
>>> ## is ongoing based on the number of requests that appear to be
>>> ## attacks.
>>> const auth_errors_threshold: double = 50.0 &redef;
>>>
>>> ## Interval at which to watch for the
>>> ## :bro:id:`AuthBruteforcing::auth_errors_requests_threshold`
>>> variable to be crossed.
>>> ## At the end of each interval the counter is reset.
>>> const auth_errors_interval = 5min &redef;
>>>
>>> ## Interval at which to watch for the
>>> ## :bro:id:`AuthBruteforcing::excessive_auth_errors_threshold`
>>> variable to be
>>> ## crossed. At the end of each interval the counter is reset.
>>> const excessive_auth_errors_interval = 1min &redef;
>>>
>>> const internal_space: subnet = 10.0.0.0/8 &redef;
>>> const public_space: subnet = 63.245.208.0/20 &redef;
>>>
>>> const ignore_host_resp: set[addr] = { } &redef;
>>> const ignore_host_orig: set[addr] = { } &redef;
>>> }
>>>
>>> event bro_init() &priority=3
>>> {
>>> # Create auth_bruteforcing.log
>>> Log::create_stream(AuthBruteforcing::LOG, [$columns=Info,
>>> $ev=log_auth]);
>>>
>>> # HTTP auth errors for requests FROM the same host
>>> local r1: SumStats::Reducer = [$stream="http.auth_errors.attacker",
>>> $apply=set(SumStats::SUM)];
>>> SumStats::create([$name="auth-http-errors-attackers",
>>> $epoch=auth_errors_interval,
>>> $reducers=set(r1),
>>> $threshold_val(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>> return result["http.auth_errors.attac
>>> ker"]$sum;
>>> },
>>> $threshold=auth_errors_threshold,
>>> $threshold_crossed(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>> NOTICE([$note=HTTP_AuthBruteforcing_Attacker,
>>> $msg=fmt("HTTP auth bruteforcing from
>>> attacker %s", key$host),
>>> $sub=fmt("%.0f auth failed in %s",
>>> result["http.auth_errors.attacker"]$sum, auth_errors_interval),
>>> $src=key$host,
>>> $n=to_count(fmt("%.0f",
>>> result["http.auth_errors.attacker"]$sum))
>>> ]);
>>> }]);
>>>
>>> # HTTP errors for requests TO the same host
>>> local r2: SumStats::Reducer = [$stream="http.auth_errors.victim",
>>> $apply=set(SumStats::SUM)];
>>> SumStats::create([$name="auth-http-errors-victims",
>>> $epoch=auth_errors_interval,
>>> $reducers=set(r2),
>>> $threshold_val(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>> return result["http.auth_errors.victim"]$sum;
>>> },
>>> $threshold=auth_errors_threshold,
>>> $threshold_crossed(key: SumStats::Key, result:
>>> SumStats::Result) = {
>>> NOTICE([$note=HTTP_AuthBruteforcing_Victim,
>>> $msg=fmt("HTTP auth bruteforcing to
>>> victim %s", key$host),
>>> $sub=fmt("%.0f auth failed in %s",
>>> result["http.auth_errors.victim"]$sum, auth_errors_interval),
>>> $src=key$host,
>>> $n=to_count(fmt("%.0f",
>>> result["http.auth_errors.victim"]$sum))
>>> ]);
>>> }]);
>>> }
>>>
>>> # Make sure we have all the http info before looking for auth errors
>>> event http_message_done(c: connection, is_orig: bool, stat:
>>> http_message_stat)
>>> {
>>> # only conns we want
>>> local ports_ext: set[port] = { 80/tcp };
>>> local ports_int: set[port] = { 80/tcp, 81/tcp, 443/tcp };
>>>
>>> if (c$id$resp_h in ignore_host_resp)
>>> return;
>>> if (c$id$orig_h in ignore_host_orig)
>>> return;
>>>
>>> if (((c$id$resp_h in internal_space) && (c$id$resp_p in ports_int))
>>> || ((c$id$resp_h in public_space) && (c$id$resp_p in ports_ext))) {
>>>
>>> if (c$http?$username && c$http?$status_code) {
>>> local auth_success : bool = T;
>>> if (c$http$status_code == 401) {
>>> auth_success = F;
>>> add c$http$tags[HTTP_AUTH_ERROR];
>>> }
>>> else if (c$http$status_code < 400) {
>>> auth_success = T;
>>> add c$http$tags[HTTP_AUTH_SUCCESS];
>>> }
>>> if(!auth_success) {
>>> SumStats::observe("http.auth_errors.attacker",
>>> [$host=to_addr(c$http$cluster_
>>> client_ip)],
>>> []);
>>> if ( c?$conn )
>>> SumStats::observe("http.auth_errors.victim",
>>> [$host=c$conn$id$resp_h],
>>> []);
>>> }
>>> }
>>> }
>>> }
>>>
>>>
>>>
>>> https://github.com/michalpurzynski/bro-gramming/blob/ae37c0d
>>> 6bfc62e25a797426d6791cf340b045d17/auth_bruteforcing.bro
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170405/c3d3fb18/attachment.html
More information about the Bro
mailing list