[Bro] Notice and Sumstats and how to whitelist IPs
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 6 06:40:46 PDT 2018
> On Sep 5, 2018, at 6:18 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
>
> Hello everyone,
>
> I can’t seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.
>
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
> redef enum Notice::Type += {
> notice::icmp_data_exfil,
> };
>
> const frequent_icmp_senders: set[subnet] = {192.168.0.1/32} &redef;
> const icmp_interval = 2min &redef;
> const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c:connection)
> {
> if (c$id$orig_h in frequent_icmp_senders) return;
> if (c$id$resp_h in frequent_icmp_senders) return;
>
> SumStats::observe("Messages",
> SumStats::Key($host=c$id$orig_h),
> SumStats::Observation($num=1));
> }
>
That looks right to me.
If the orig or resp hosts are in frequent_icmp_senders observe() will never be called
and the connections will be effectively ignored.
This issue wouldn't have anything to do with sumstats. If there is a problem it would be with the
logic in how observe() is called initially. It could be as simple as a typo of the IP in the frequent senders set.
—
Justin Azoff
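The gate Justin describes, shown in a complete script: this is an added example, not the original poster's script or anything from the Bro distribution. The notice name ICMP_Data_Exfil, the sumstat name "icmp-messages", the icmp_echo_request hook, and the reporter.log line that prints the effective whitelist are my assumptions; the stream name "Messages" and the three constants come from the thread.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += { ICMP_Data_Exfil };
    ## Hosts whose ICMP traffic is never counted. Override from local.bro with
    ##   redef Exfiltration::frequent_icmp_senders += { 10.0.0.5/32 };
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

# The whitelist gate: a host in frequent_icmp_senders never reaches observe(),
# so it can never contribute to the threshold below.
function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;
    SumStats::observe("Messages", SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event bro_init()
    {
    # Record the effective whitelist in reporter.log so a mistyped entry shows up.
    for ( s in frequent_icmp_senders )
        Reporter::info(fmt("Exfiltration: ignoring ICMP from/to %s", s));

    local r1 = SumStats::Reducer($stream="Messages", $apply=set(SumStats::SUM));
    SumStats::create([$name="icmp-messages",
                      $epoch=icmp_interval,
                      $reducers=set(r1),
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          { return result["Messages"]$sum; },
                      $threshold=icmp_per_query_interval,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=ICMP_Data_Exfil,
                                  $msg=fmt("%s sent %.0f ICMP messages in %s",
                                           key$host, result["Messages"]$sum, icmp_interval),
                                  $src=key$host, $identifier=cat(key$host)]);
                          }]);
    }

event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    check_icmp(c);
    }
```

The icmp_echo_request signature is the Bro 2.x one; Zeek 3 renamed the icmp_conn parameter type to icmp_info.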