Created
November 24, 2015 21:23
-
-
Save dcode/dfe6026fd9865fb8e1ab to your computer and use it in GitHub Desktop.
Use bro to alert on interesting cases that are not TCP for intel ip addresses. There's probably some glitches.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Support for UDP, ICMP, and non-established TCP connections in "interesting" cases | |
| # This will only generate Intel matches when a connection is removed from Bro | |
| # | |
| # Interesting cases: | |
| # seen IN_RESP in a failed outbound connection to a known phishing site, useful to know | |
| # seen in IN_RESP in a failed outbound port 22/tcp connection to a known ssh scanner, useful to know | |
| # | |
| # Probably uninteresting: | |
| # seen IN_ORIG in a failed incoming port 22 connection from a known ssh scanner, probably just noise. | |
| # | |
| # Derek Ditch <derek.ditch@gmail.com> | |
| # | |
| # Adapted from script by CrowdStrike <josh.liburdi@crowdstrike.com> | |
| @load base/frameworks/intel | |
| @load policy/frameworks/intel/seen/where-locations | |
| event connection_state_remove(c: connection) | |
| { | |
| if ( c$conn?$proto && ( c$conn$proto != tcp || ( c$conn?$history && c$conn$proto == tcp && "h" !in c$conn$history ) ) ) | |
| { | |
| if ( !Site::is_local_addr(c$id$resp_h) ) | |
| { | |
| Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]); | |
| } | |
| else if ( Site::is_local_addr(c$id$orig_h) && c$resp_pkts > 0 ) | |
| { | |
| Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment