[Bro] Notice and Sumstats and how to whitelist IPs

Dillon Murphy DMurphy at lfcu.com
Wed Sep 5 15:18:05 PDT 2018


Hello everyone,

I can’t seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.


@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        notice::icmp_data_exfil,
    };

    # Hosts exempt from ICMP counting.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

# Called from an ICMP event handler (not shown here); whitelisted hosts
# return early and are never passed to SumStats::observe.
function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;

    SumStats::observe("Messages",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event bro_init()
    {
    local messages_reducer = SumStats::Reducer($stream="Messages",
                                               $apply=set(SumStats::SUM));

    SumStats::create([$name = "messages",
                      $epoch = icmp_interval,
                      $reducers = set(messages_reducer),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["Messages"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local dur = icmp_interval;
                          NOTICE([$note=notice::icmp_data_exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %s/%s ICMP messages in %s", key$host, result["Messages"]$sum, icmp_per_query_interval, dur),
                                  $sub=fmt("Severity: 7"),
                                  $suppress_for=10mins,
                                  $identifier=cat(key$host)]);
                          }
                     ]);
    }

How do I get it to stop counting and not send a notice if an IP is in a white list?

Thanks!
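One way to do this, as an added example rather than Dillon's script (it reuses his names and the 192.168.0.1/32 entry): SumStats only counts what reaches SumStats::observe, so the early return in check_icmp is what stops the counting, and the two further checks make sure a whitelisted host is never reported even if an observation arrives by another path. The ICMP event handler that calls check_icmp is assumed and not shown, as in the post.

```zeek
@load base/frameworks/notice
@load base/frameworks/sumstats

module Exfiltration;

export {
    redef enum Notice::Type += { notice::icmp_data_exfil };
    # Hosts allowed to send ICMP freely, e.g. the internal network scanner.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

# Gate 1: a whitelisted host never becomes a SumStats key, so nothing is
# counted for it.  Call this from the ICMP event handler of your choice.
function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders || c$id$resp_h in frequent_icmp_senders )
        return;
    SumStats::observe("Messages", SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

# Gate 3: whichever script raised it, strip the default log action from a
# notice of this type whose source is whitelisted (runs before any action fires).
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == notice::icmp_data_exfil && n?$src && n$src in frequent_icmp_senders )
        delete n$actions[Notice::ACTION_LOG];
    }

event bro_init()
    {
    local r = SumStats::Reducer($stream="Messages", $apply=set(SumStats::SUM));
    SumStats::create([$name="messages", $epoch=icmp_interval, $reducers=set(r),
        $threshold=icmp_per_query_interval,
        $threshold_val(key: SumStats::Key, result: SumStats::Result) =
            { return result["Messages"]$sum; },
        $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
            {
            # Gate 2: belt and braces, in case observations for this key
            # arrived through some path other than check_icmp.
            if ( key$host in frequent_icmp_senders ) return;
            NOTICE([$note=notice::icmp_data_exfil, $src=key$host,
                    $msg=fmt("%s sent %s ICMP messages in %s", key$host,
                             result["Messages"]$sum, icmp_interval),
                    $identifier=cat(key$host)]);
            }]);
    }
```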
