[Bro] Notice and Sumstats and how to whitelist IPs
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 6 15:00:09 PDT 2018
> On Sep 6, 2018, at 4:42 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
>
> No problem at all. Here is the complete script. If you need one, I'll work on getting you a pcap to run it against.
>
> Thank you Justin!
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
>     redef enum Notice::Type += {
>         notice::icmp_data_exfil,
>     };
>
>     const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
>     const icmp_interval = 2min &redef;
>     const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c: connection)
>     {
>     if ( c$id$orig_h in frequent_icmp_senders ) return;
>     if ( c$id$resp_h in frequent_icmp_senders ) return;
>     if ( c$id$orig_h !in Site::local_nets ) return;
>     if ( c$id$resp_h in Site::local_nets ) return;
>
>     SumStats::observe("Messages",
>                       SumStats::Key($host=c$id$orig_h),
>                       SumStats::Observation($num=1));
>     }
Huh... well, nothing calls this check_icmp function you have there, so that script does nothing at all.
This looks like a "The princess is in another castle" kind of thing.
Is something else calling SumStats::observe("Messages", ...)?
Normally the stream name you use would be something like "http.sqli.attacker" or "ftp.failed_auth", or in your case "icmp.exfil.connection".
If you are just using "Messages", and using that same stream in more than one script, that
would explain why you are seeing a lot of unexplained notices.
—
Justin Azoff
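For reference, here is what the two points raised in the reply look like when put together in one script: a stream name that is unique to this detector, a SumStats::create() that consumes that stream and raises a notice when the threshold is crossed, and an event handler that actually calls check_icmp(). This is an added example, not code from either poster. The notice name ICMP_Data_Exfil, the stream name "icmp.exfil.connection", the SumStats name "icmp-exfil-detection" and the threshold variable icmp_threshold are assumptions chosen for illustration; the whitelist handling is the same as in the posted script.

```zeek
##! Added example (not from the original thread): the posted check_icmp()
##! wired into a complete SumStats pipeline. Stream name, SumStats name,
##! notice name and threshold are assumptions chosen for illustration.
@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        ## Raised when one internal host opens more ICMP flows to external
        ## hosts than icmp_threshold allows within icmp_interval.
        ICMP_Data_Exfil,
    };

    ## Hosts whose ICMP traffic is expected (monitoring boxes, etc.).
    ## Connections to or from these are never observed.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_threshold = 120.0 &redef;
}

## One stream name per detector, so observations from other scripts that
## also use SumStats can never be mixed into this one.
const icmp_stream = "icmp.exfil.connection";

function check_icmp(c: connection)
    {
    # Whitelist first, then keep only internal -> external traffic.
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;
    if ( c$id$orig_h !in Site::local_nets ) return;
    if ( c$id$resp_h in Site::local_nets ) return;

    SumStats::observe(icmp_stream,
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event bro_init()
    {
    # Sum the per-host observations over each epoch.
    local r = SumStats::Reducer($stream=icmp_stream, $apply=set(SumStats::SUM));

    SumStats::create([$name="icmp-exfil-detection",
                      $epoch=icmp_interval,
                      $reducers=set(r),
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result[icmp_stream]$sum;
                          },
                      $threshold=icmp_threshold,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local n = result[icmp_stream]$sum;
                          NOTICE([$note=ICMP_Data_Exfil,
                                  $src=key$host,
                                  $msg=fmt("%s opened %.0f ICMP flows to external hosts within %s",
                                           key$host, n, icmp_interval),
                                  # One notice per host per epoch, not one per flow.
                                  $identifier=cat(key$host)]);
                          }]);
    }

## This is the hook the posted script was missing: without an event handler
## calling it, check_icmp() never runs and the stream receives no observations.
event new_connection(c: connection)
    {
    if ( get_port_transport_proto(c$id$resp_p) == icmp )
        check_icmp(c);
    }
```

Because the reducer is bound to icmp_stream rather than a generic name, a second script that also calls SumStats::observe("Messages", ...) has no effect on this detector; the $identifier suppresses repeat notices for the same host within Notice's default suppression interval.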