@LiamRandall
Forked from mavam/bro-customization.md
Created February 26, 2013 19:30

General

# Process packets despite bad checksums.
redef ignore_checksums = T;

File Analysis

This will change significantly with Bro 2.2 when we have the file analysis framework.

Extract full TCP payload stream

event connection_established(c: connection)
{
  # Placeholder condition: restrict extraction to the connections whose
  # payload should be written to disk (e.g. a port or address test).
  if (...)
  {
    # Record both directions of the stream: originator and responder.
    c$extract_orig = T;
    c$extract_resp = T;
  }
}

Extract files from protocols

# Enable extraction for supported protocols.
redef IRC::extract_file_types = /application\/.*/;
redef FTP::extract_file_types = /application\/.*/;
redef HTTP::extract_file_types = /application\/.*/;
redef SMTP::extract_file_types = /application\/.*/;

# Change prefix of filename on disk.
redef IRC::extraction_prefix = "file-irc";
redef FTP::extraction_prefix = "file-ftp";
redef HTTP::extraction_prefix = "file-http";
redef SMTP::extraction_prefix = "file-smtp";

# Tweak SMTP excerpt length.
redef SMTP::default_entity_excerpt_len = 1024;

Enable password logging

redef FTP::default_capture_password = T;
redef HTTP::default_capture_password = T;

Compute hash digests

# Specify a MIME type pattern.
redef HTTP::generate_md5 = /.*/;
redef SMTP::generate_md5 = /.*/;

Map file extensions to MIME types

redef HTTP::mime_types_extensions: table[string] of pattern = {
    ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
};

Detect malware in HTTP via Team Cymru's Malware Hash Registry

@load policy/http/detect-MHR

Software Management

Track vulnerable versions on the network

redef Software::vulnerable_versions += {
  ["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
  ["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
};
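To see what the table entries above mean in practice, here is an added Python re-implementation (not Bro's own code) of the comparison that Bro 2.1's vulnerable.bro applies to Software::vulnerable_versions; it assumes major/minor/minor2 compare numerically, addl compares as a string, an unset field sorts below a set one, and a host is flagged when its version is at or below the listed one. The version-string parser is constructed for this example and is not Software::parse.

```python
# Added example: mirrors the compare-then-notice logic of Bro 2.1's
# policy/frameworks/software/vulnerable.bro for the vulnerable_versions table
# redef'd above. Assumed semantics: major, minor, minor2 numeric; addl as a
# string (strcmp); unset field < set field; flagged when cmp(seen, listed) <= 0.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Version:  # mirrors Software::Version's $major/$minor/$minor2/$addl
    major: Optional[int] = None
    minor: Optional[int] = None
    minor2: Optional[int] = None
    addl: Optional[str] = None

# The same two entries as the redef on this page.
VULNERABLE_VERSIONS = {
    "Flash": Version(10, 2, 153, "1"),
    "Java": Version(1, 6, 0, "22"),
}

def _cmp_field(a, b) -> int:
    """-1/0/1 for one field; unset < set; strings compare lexically like strcmp."""
    if a is None or b is None:
        return 0 if a is b else (-1 if a is None else 1)
    return (a > b) - (a < b)

def cmp_versions(v1: Version, v2: Version) -> int:
    """Field-by-field compare, first difference wins (as Software::cmp_versions)."""
    for a, b in ((v1.major, v2.major), (v1.minor, v2.minor),
                 (v1.minor2, v2.minor2), (v1.addl, v2.addl)):
        if (r := _cmp_field(a, b)) != 0:
            return r
    return 0

def parse_version(text: str) -> Version:
    """Parse 'a.b.c_d' or 'a.b.c.d' (constructed parser, not Software::parse)."""
    parts = text.replace("_", ".").split(".")
    nums = [int(p) for p in parts[:3]] + [None] * (3 - min(len(parts), 3))
    return Version(*nums, parts[3] if len(parts) > 3 else None)

def is_vulnerable(name: str, seen: str) -> bool:
    """True when the observed version is at or below the listed one for `name`."""
    listed = VULNERABLE_VERSIONS.get(name)
    return listed is not None and cmp_versions(parse_version(seen), listed) <= 0

if __name__ == "__main__":
    for name, ver in (("Java", "1.6.0_20"), ("Java", "1.6.0_26"), ("Flash", "10.3.181.14")):
        print(f"{name} {ver}: {'Vulnerable_Version notice' if is_vulnerable(name, ver) else 'ok'}")
```

Because addl is a string, an observed Java 1.6.0_7 sorts above the listed _22 and is not flagged; pick the addl field of a table entry with that lexical ordering in mind.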

Detect popular web apps

# Look at protocols/http/detect-webapps.sig for extending.
@load protocols/http/detect-webapps

Protocol Analysis

Log HTTP server header names

@load protocols/http/header-names
redef HTTP::log_server_header_names = T;

Log HTTP cookie values

TODO

Calibrate SSH bruteforcing parameters

redef SSH::password_guesses_limit = 20;  # default: 30
redef SSH::guessing_timeout = 10 mins;   # default: 30 mins

Generate notice when SSL certificates expire soon

redef SSL::notify_when_cert_expiring_in = 1 day; # default: 30 days

Add a new root certificate

# Map the issuer to the DER-encoded certificate.
redef SSL::root_certs += { ["OU=SnakeTrust,C=US"] = "\x30\x82..." };

Write SSL certificates to disk (in PEM format)

# By default only for locally served certificates.
@load policy/protocols/ssl/extract-certs-pem

# Record only remote certificates (ALL_HOSTS also possible).
redef SSL::extract_certs_pem = REMOTE_HOSTS;