[Bro] (no subject)

ps sunu pssunu6 at gmail.com
Sat Apr 29 03:06:11 PDT 2017


Hi

              below script i need to add connection related info  inside
notice log

Skip to content
This repository
Search
Pull requests
Issues
Gist
 @binups
 Sign out
 Watch 14
  Star 29
  Fork 10 fox-it/bro-scripts
 Code  Issues 1  Pull requests 0  Projects 0  Wiki  Pulse  Graphs
Branch: master Find file Copy
pathbro-scripts/smb-ransomware/smb-ransomware.bro
b3aa56d  on 12 Sep 2016
@fox-srt fox-srt Adding SMB Ransomware policy for BroCon 2016
1 contributor
RawBlameHistory
120 lines (93 sloc)  2.85 KB
@load base/frameworks/files
@load base/protocols/smb
@load base/frameworks/notice
@load base/frameworks/sumstats

global fuidmap : set[string];

module FoxCryptoRansom;

export {
redef enum Notice::Type += {
## Notice corresponding to a possible ransomware attack
RANSOMWARE_SMB
};

## Entropy check on the first packet send
const enc_off = 0 &redef;

## Entropy check on certain bytes
const enc_sdata = 0 &redef;
const enc_edata = 1000 &redef;
## Entropy and Mean corresponding to a possible ransomware attack
const enc_entropy = 7.5 &redef;
const enc_mean = 125 &redef;

## Notice values corresponding to a possible ransomware attack
const threshold_time = 30sec &redef;
const threshold_limit = 5.0 &redef;

## Ignore list for certain filenames
const ignore_list = /GoogleChrome/ &redef;

redef enum Log::ID += {LOG};
type Info: record {
ts: time &log;
filename: string &log;
entropy: double &log;
mean: double &log;
};
}

event chunk_event (f: fa_file, data: string, off: count)
{
if ( off == enc_off ) {
local fox_entropy =  find_entropy(data[enc_sdata:enc_edata]);
if ( fox_entropy$entropy >= enc_entropy && fox_entropy$mean >= enc_mean ) {

SumStats::observe("SMB traffic detected", SumStats::Key(),
SumStats::Observation($num=1));
local rec: FoxCryptoRansom::Info = [ $ts=network_time(), $filename =
f$info$filename, $entropy=fox_entropy$entropy, $mean=fox_entropy$mean ];
Log::write(FoxCryptoRansom::LOG, rec);
}
}
}


event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if (f$source == "SMB"){

local filename = "UNKNOWN";

if (f$info?$filename){
filename = f$info$filename;
}
local mime_type = "UNKNOWN";

if (f$info?$mime_type){
mime_type = f$info$mime_type;
}

if (mime_type == "UNKNOWN"){

if (ignore_list in filename){
return;
}else{

if ( ! c$smb_state$current_file?$action){
return ;
}else{
if (c$smb_state$current_file$action == SMB::FILE_WRITE){
local fuid = c$smb_state$current_file$fuid;
if (fuid !in fuidmap){
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
Files::AnalyzerArgs($chunk_event=chunk_event));
add fuidmap[fuid];
}
}else{
}
}
}
}
}
}

event bro_init()
{
local r1 = SumStats::Reducer($stream="SMB traffic detected",
$apply=set(SumStats::SUM));

SumStats::create([$name = "Ransomware detection",
$epoch = threshold_time,
$reducers = set(r1),
$threshold = threshold_limit,
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["SMB traffic detected"]$sum;
},
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
NOTICE([$note=RANSOMWARE_SMB,
$msg="Ransomware encrypting share detected"]);
}]);

Log::create_stream(FoxCryptoRansom::LOG, [$columns=Info, $path="entropy"]);
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170429/e3e9b45b/attachment.html 


More information about the Bro mailing list