grigorescu/exposed.bro

## exposed.bro
module Exposed;

export {
    redef enum Notice::Type += {
        Service
    };
    const exposed_services: table[port] of string ={} &redef;
}

redef exposed_services+= [[11211/tcp] = "memcached"];
redef exposed_services+= [[6379/tcp] = "redis"];
redef exposed_services+= [[2375/tcp] = "docker"];
redef exposed_services+= [[50070/tcp] = "hadoop"];

event connection_established(c: connection){
    local id = c$id;
    local h = id$resp_h;
    local p = id$resp_p;
    if (! Site::is_local_addr(h))
        return;
    if (Site::is_local_addr(id$orig_h))
        return;
    if(p !in exposed_services)
            return;
    local srv = exposed_services[p];
    local hp = fmt("%s:%s", h, p);
    NOTICE([
            $note=Service,
            $msg=fmt("exposed %s service on %s", srv, hp),
            $sub=hp,
            $id=id,
            $src=h,
            $dst=id$orig_h,
            $identifier=hp,
            $suppress_for=1day
    ]);
}
	module Exposed;

	export {
	redef enum Notice::Type += {
	Service
	};
	const exposed_services: table[port] of string ={} &redef;
	}

	redef exposed_services+= [[11211/tcp] = "memcached"];
	redef exposed_services+= [[6379/tcp] = "redis"];
	redef exposed_services+= [[2375/tcp] = "docker"];
	redef exposed_services+= [[50070/tcp] = "hadoop"];

	event connection_established(c: connection){
	local id = c$id;
	local h = id$resp_h;
	local p = id$resp_p;
	if (! Site::is_local_addr(h))
	return;
	if (Site::is_local_addr(id$orig_h))
	return;
	if(p !in exposed_services)
	return;
	local srv = exposed_services[p];
	local hp = fmt("%s:%s", h, p);
	NOTICE([
	$note=Service,
	$msg=fmt("exposed %s service on %s", srv, hp),
	$sub=hp,
	$id=id,
	$src=h,
	$dst=id$orig_h,
	$identifier=hp,
	$suppress_for=1day
	]);
	}