[Bro] Notice and Sumstats and how to whitelist IPs

Dillon Murphy DMurphy at lfcu.com
Thu Sep 6 15:24:13 PDT 2018


Hey Justin,

It looks like half the script is being removed every time I send it. Here is the other half.

event bro_init()
    {
    # Sum every observation on the "Messages" stream, keyed per source host.
    local messages_reducer = SumStats::Reducer($stream="Messages",
                                               $apply=set(SumStats::SUM));

    SumStats::create([$name = "messages",
                      $epoch = icmp_interval,
                      $reducers = set(messages_reducer),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["Messages"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          print key;
                          local dur = icmp_interval;
                          NOTICE([$note=notice::icmp_data_exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %s/%s ICMP messages in %s", key$host, result["Messages"]$sum, icmp_per_query_interval, dur),
                                  $sub="Severity: 7",
                                  $suppress_for=10mins,
                                  $identifier=cat(key$host)]);
                          }
                     ]);
    }

---------------------------------------------------------------
Dillon Murphy ▪ Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 ▪ Burbank, CA 91510
(818) 565-2547 Direct
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com ▪ www.lfcu.com


From: Azoff, Justin S <jazoff at illinois.edu>
Sent: Thursday, September 06, 2018 3:00 PM
To: Dillon Murphy <DMurphy at lfcu.com>
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs


> On Sep 6, 2018, at 4:42 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
>
> No problem at all. Here is the complete script. If you need one, I'll work getting you a pcap to run it against.
>
> Thank you Justin!
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
>     redef enum Notice::Type += {
>         notice::icmp_data_exfil,
>     };
>
>     # Hosts exempt from the ICMP count; add to this set to whitelist.
>     const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
>     const icmp_interval = 2min &redef;
>     const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c: connection)
>     {
>     if ( c$id$orig_h in frequent_icmp_senders ) return;
>     if ( c$id$resp_h in frequent_icmp_senders ) return;
>     # Only count traffic from an internal host to an external one.
>     if ( c$id$orig_h !in Site::local_nets ) return;
>     if ( c$id$resp_h in Site::local_nets ) return;
>
>     SumStats::observe("Messages",
>                       SumStats::Key($host=c$id$orig_h),
>                       SumStats::Observation($num=1));
>     }

Huh.. well nothing calls this check_icmp function you have there so that script does nothing at all.

This looks like a "The princess is in another castle" kind of thing.

Is something else calling

SumStats::observe("Messages", ...

Normally the stream name you use would be named something like "http.sqli.attacker" or "ftp.failed_auth" or in your case "icmp.exfil.connection"

If you are just using "Messages", and using that same stream in more than one script, that
would explain why you are seeing a lot of unexplained notices.


—
Justin Azoff
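An added example, not from either message in the thread, showing the two halves of the script joined with Justin's two points applied: a stream name unique to this script, and an event handler that actually calls check_icmp(). Hooking icmp_echo_request is an assumption (the thread never says which ICMP event was intended), and the notice type is renamed to ICMP_Data_Exfil to follow the usual Notice naming convention.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        ICMP_Data_Exfil,
    };
    # Hosts exempt from the count (e.g. monitoring boxes); redef this set to whitelist.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

# Stream name specific to this script, so no other SumStats user feeds it.
const icmp_stream = "icmp.exfil.messages";

function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders || c$id$resp_h in frequent_icmp_senders )
        return;
    # Only count internal hosts sending to external hosts.
    if ( c$id$orig_h !in Site::local_nets || c$id$resp_h in Site::local_nets )
        return;
    SumStats::observe(icmp_stream, SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

# The missing piece from the thread: an event handler that calls check_icmp().
# Assumption: echo requests are the ICMP traffic of interest.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    check_icmp(c);
    }

event bro_init()
    {
    local r = SumStats::Reducer($stream=icmp_stream, $apply=set(SumStats::SUM));
    SumStats::create([$name = "icmp-exfil-messages",
                      $epoch = icmp_interval,
                      $reducers = set(r),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          { return result[icmp_stream]$sum; },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=ICMP_Data_Exfil, $src=key$host,
                                  $msg=fmt("%s sent %s ICMP echo requests in %s (threshold %s)",
                                           key$host, result[icmp_stream]$sum, icmp_interval, icmp_per_query_interval),
                                  $identifier=cat(key$host), $suppress_for=10mins]);
                          }]);
    }
```

Run it against a pcap with `bro -r file.pcap script.bro` and check notice.log; $suppress_for keeps a single chatty host from producing one notice per epoch.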
