[Bro] Notice and Sumstats and how to whitelist IPs

Dillon Murphy DMurphy at lfcu.com
Thu Sep 6 13:42:31 PDT 2018


No problem at all. Here is the complete script. If you need one, I'll work on getting you a pcap to run it against. 

Thank you Justin!

@load base/frameworks/sumstats
@load base/frameworks/notice


module Exfiltration;

export {
	redef enum Notice::Type += {
		notice::icmp_data_exfil,
	};

	## Hosts (or whole subnets) that are expected to send a lot of ICMP and
	## must never be counted.  A const needs "=" before its initial value.
	const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
	## Length of one SumStats epoch.
	const icmp_interval = 2min &redef;
	## Number of ICMP messages per epoch that triggers the notice.
	const icmp_per_query_interval = 120.0 &redef;
}

function check_icmp(c: connection)
	{
	# Whitelisted hosts return before anything is observed.
	if ( c$id$orig_h in frequent_icmp_senders ) return;
	if ( c$id$resp_h in frequent_icmp_senders ) return;
	# Only count traffic leaving the local network.
	if ( c$id$orig_h !in Site::local_nets ) return;
	if ( c$id$resp_h in Site::local_nets ) return;

	SumStats::observe("Messages",
	                  SumStats::Key($host=c$id$orig_h),
	                  SumStats::Observation($num=1));
	}

# Note: as posted, no event handler in this script calls check_icmp(), so
# nothing in this file feeds the "Messages" stream.

event bro_init()
	{
	local messages_reducer = SumStats::Reducer($stream="Messages",
	                                           $apply=set(SumStats::SUM));

	SumStats::create([$name = "messages",
	                  $epoch = icmp_interval,
	                  $reducers = set(messages_reducer),
	                  $threshold = icmp_per_query_interval,
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["Messages"]$sum;
	                  	},
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local dur = icmp_interval;
	                  	NOTICE([$note=notice::icmp_data_exfil,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s sent %s/%s ICMP messages in %s",
	                  	                 key$host, result["Messages"]$sum,
	                  	                 icmp_per_query_interval, dur),
	                  	        $sub="Severity: 7",
	                  	        $suppress_for=10mins,
	                  	        $identifier=cat(key$host)]);
	                  	}
	                 ]);
	}


---------------------------------------------------------------
Dillon Murphy ▪ Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 ▪ Burbank, CA 91510
(818) 565-2547 Direct 
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com ▪ www.lfcu.com
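Added example (not part of this thread, and not the poster's or the Bro project's code): a minimal Bro 2.x script that counts outbound ICMP echo requests with SumStats and applies a set[subnet] whitelist once, in the single function that feeds the stream. It assumes the Bro 2.x icmp_echo_request event and the SumStats and Notice frameworks; the module name ICMP_Whitelist_Demo, the notice type ICMP_Volume, the stream name "icmp.msgs" and the constant names are hypothetical choices for the example.

```bro
# Added example, not from the mailing-list thread.  Assumes Bro 2.x
# (icmp_echo_request event, SumStats and Notice frameworks).
@load base/frameworks/sumstats
@load base/frameworks/notice

module ICMP_Whitelist_Demo;   # hypothetical module name

export {
	redef enum Notice::Type += {
		## Raised when a local host exceeds the per-epoch ICMP budget.
		ICMP_Volume,
	};

	## Whitelisted senders.  set[subnet] accepts single hosts (/32) and
	## whole ranges; a site-local script can extend it with
	## "redef ICMP_Whitelist_Demo::icmp_whitelist += { 10.0.0.0/8 };".
	const icmp_whitelist: set[subnet] = { 192.168.0.1/32 } &redef;

	## Length of one SumStats epoch.
	const icmp_epoch = 2min &redef;
	## Echo requests per epoch that trigger the notice.
	const icmp_limit = 120.0 &redef;
}

# Every observation into the "icmp.msgs" stream passes through this one
# function, so the whitelist is checked exactly once, before observe().
# A check that lives only in the notice callback, or only in one of two
# scripts that both call observe() on the same stream name, does not stop
# the counter from growing.
function count_icmp(c: connection)
	{
	if ( c$id$orig_h in icmp_whitelist || c$id$resp_h in icmp_whitelist )
		return;
	# Only count traffic leaving the local network.
	if ( c$id$orig_h !in Site::local_nets || c$id$resp_h in Site::local_nets )
		return;

	SumStats::observe("icmp.msgs",
	                  SumStats::Key($host=c$id$orig_h),
	                  SumStats::Observation($num=1));
	}

# The event handler that actually feeds the counter.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	{
	count_icmp(c);
	}

event bro_init()
	{
	local r = SumStats::Reducer($stream="icmp.msgs", $apply=set(SumStats::SUM));

	SumStats::create([$name="icmp.msgs",
	                  $epoch=icmp_epoch,
	                  $reducers=set(r),
	                  $threshold=icmp_limit,
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["icmp.msgs"]$sum;
	                  	},
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	NOTICE([$note=ICMP_Volume,
	                  	        $src=key$host,
	                  	        $n=double_to_count(result["icmp.msgs"]$sum),
	                  	        $msg=fmt("%s sent %s ICMP echo requests in %s (limit %s)",
	                  	                 key$host, result["icmp.msgs"]$sum,
	                  	                 icmp_epoch, icmp_limit),
	                  	        $identifier=cat(key$host),
	                  	        $suppress_for=10min]);
	                  	}
	                 ]);
	}
```

To verify the whitelist on a pcap, run the script with bro -r against a capture in which the whitelisted host sends more than icmp_limit echo requests within one epoch: notice.log should contain ICMP_Volume entries only for hosts outside icmp_whitelist. If entries still appear for a whitelisted host, look for another loaded script that calls SumStats::observe() on the same stream name, since its observations are not filtered by this function.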



-----Original Message-----
From: Azoff, Justin S <jazoff at illinois.edu> 
Sent: Thursday, September 06, 2018 1:19 PM
To: Dillon Murphy <DMurphy at lfcu.com>
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs


> On Sep 6, 2018, at 4:02 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
> 
> Hey Justin,
>  
> I thought the same thing, but I rechecked the IP over and over again and it is correct. I’ve also added the whitelist to the script in many different ways, but still had no luck. I’ve been able to get this to work easily on all scripts that don’t load the sumstats framework. I’ve rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I’ve tried to break and return in functions and events, but that didn’t work.
>  
> I’ve even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what’s in the white list. I’m no major bro scripting expert, but my vendor's engineer is a well-known bro scripter, and if they had no luck, my chances are slim. 
>  
> It seems that it should be as easy as returning on any matching IP, but I guess not. I don’t know what I’m missing, and I’m running out of ideas.
>  
> If you have any questions, please let me know.
>  
> Thank you for looking at my post!
>  

Hard to tell what is wrong without seeing the scripts.

As you say it IS as easy as returning early from a function when an IP matches.

If you can share the complete script that is not working properly I can help you fix it :-)


— 
Justin Azoff


