[Bro] detect-tor.gro

ps sunu pssunu6 at gmail.com
Wed Apr 19 05:13:12 PDT 2017


Hi,
                From the detect-tor script below, I need the SSL session id
inside the notice log.



@load base/frameworks/notice

module DetectTor;

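export {
	redef enum Notice::Type += {
		## Indicates that a host using Tor was discovered.
		DetectTor::Found
	};

	## Distinct Tor-like X.509 certificates to see before deciding it's Tor.
	## Compared against the number of distinct certificate subjects observed
	## for one originating host within :bro:see:`tor_cert_period`.
	const tor_cert_threshold = 1.0 &redef;

	## Time period to see the :bro:see:`tor_cert_threshold` certificates
	## before deciding it's Tor.
	const tor_cert_period = 5min &redef;

	## Number of Tor certificate samples to collect.  These are the subjects
	## quoted in the notice's sub field.
	const tor_cert_samples = 3 &redef;
}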

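event bro_init()
	{
	# One reducer over the "ssl.tor-looking-cert" stream: count distinct
	# observed strings (UNIQUE) and keep up to tor_cert_samples of them
	# (SAMPLE) for inclusion in the notice.
	local r1 = SumStats::Reducer($stream="ssl.tor-looking-cert",
	                             $apply=set(SumStats::UNIQUE, SumStats::SAMPLE),
	                             $num_samples=tor_cert_samples);

	SumStats::create([$name="detect-tor",
	                  $epoch=tor_cert_period,
	                  $reducers=set(r1),
	                  # The value compared against tor_cert_threshold is the
	                  # number of distinct certificate subjects seen for this key.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["ssl.tor-looking-cert"]$unique+0.0;
	                  	},
	                  $threshold=tor_cert_threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["ssl.tor-looking-cert"];
	                  	local samples = r$samples;
	                  	local sub_msg = fmt("Sampled certificates: ");

	                  	# Debug output of the whole result.  Printed once here
	                  	# rather than once per sample inside the loop.
	                  	print r;

	                  	for ( i in samples )
	                  		{
	                  		if ( samples[i]?$str )
	                  			sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str);
	                  		}

	                  	# Only the SumStats key (the host) and the sampled strings
	                  	# reach this callback; no connection is in scope.  The
	                  	# notice therefore cannot carry $conn, $id or $uid, and
	                  	# Notice::Info has no $session_id field at all.  The TLS
	                  	# session id offered by the client is a parameter of the
	                  	# ssl_client_hello event, so a per-connection notice would
	                  	# have to be raised from a connection-scoped handler.
	                  	NOTICE([$note=DetectTor::Found,
	                  	        $msg=fmt("%s was found using Tor by connecting to servers with at least %d unique weird certs", key$host, r$unique),
	                  	        $sub=sub_msg,
	                  	        $src=key$host,
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}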

event ssl_established(c: connection )
	{
	# Tor-style certificates: subject and issuer are both a lone
	# "CN=www.<something>" with no further RDNs.  The "." after "www" is an
	# unescaped regex metacharacter, so it matches any single character.
	local tor_like = c$ssl?$subject && /^CN=www.[^=,]*$/ == c$ssl$subject
	                 && c$ssl?$issuer && /^CN=www.[^=,]*$/ == c$ssl$issuer;

	if ( ! tor_like )
		return;

	# Keyed by originating host; the sample string is the certificate subject.
	# Connection-scoped values (c$uid, c$id) are available here but must not be
	# folded into $str: the UNIQUE reducer counts distinct strings, so a
	# per-connection value would turn "distinct certs" into "distinct
	# connections" and change what tor_cert_threshold means.
	SumStats::observe("ssl.tor-looking-cert", [$host=c$id$orig_h],
	                  [$str=c$ssl$subject]);
	#print c$ssl;
	}

Regards,
Sunu