@mavam
Last active July 27, 2020 02:14
Bro script-level customization points.

General

# Process packets despite bad checksums.
redef ignore_checksums = T;

File Analysis

This will change significantly with Bro 2.2 when we have the file analysis framework.

Extract full TCP payload stream

event connection_established(c: connection)
	{
	# The condition is left as a placeholder: pick the connections whose raw
	# stream is worth writing to disk, e.g. by port or subnet. Both directions
	# are marked here; set only one to extract a single side.
	if ( ... )
		{
		c$extract_orig = T;
		c$extract_resp = T;
		}
	}

Extract files from protocols

# Enable extraction for supported protocols.
redef IRC::extract_file_types = /application\/.*/;
redef FTP::extract_file_types = /application\/.*/;
redef HTTP::extract_file_types = /application\/.*/;
redef SMTP::extract_file_types = /application\/.*/;

# Change prefix of filename on disk.
redef IRC::extraction_prefix = "file-irc";
redef FTP::extraction_prefix = "file-ftp";
redef HTTP::extraction_prefix = "file-http";
redef SMTP::extraction_prefix = "file-smtp";

# Tweak SMTP excerpt length.
redef SMTP::default_entity_excerpt_len = 1024;

Enable password logging

redef FTP::default_capture_password = T;
redef HTTP::default_capture_password = T;

Compute hash digests

# Specify a MIME type pattern.
redef HTTP::generate_md5 = /.*/;
redef SMTP::generate_md5 = /.*/;

Map file extensions to MIME types

redef HTTP::mime_types_extensions: table[string] of pattern = {
    ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
};

Detect malware in HTTP via Team Cymru's Malware Hash Registry

# Looks up the MD5 of transferred executables against Team Cymru's MHR via
# DNS, so the hashes themselves leave your network.
@load protocols/http/detect-MHR

Software Management

Track vulnerable version on the network

@load frameworks/software/vulnerable

# Any host seen running a version at or below the listed one raises a
# Software::Vulnerable_Version notice.
redef Software::vulnerable_versions += {
  ["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
  ["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
};

Detect popular web apps

# Look at protocols/http/detect-webapps.sig for extending.
@load protocols/http/detect-webapps

Protocol Analysis

Log HTTP server header names

@load protocols/http/header-names
redef HTTP::log_server_header_names = T;

Log specific HTTP header values

# Log cookies to http.log.
redef record HTTP::Info += { cookie: string &log &optional; };
event http_header(c: connection, is_orig: bool, name: string, value: string)
  {
  if ( is_orig && name == "COOKIE" )
    c$http$cookie = value;
  }
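Generalizing the cookie snippet above, the following added example (not part of the original gist) records a redef-able set of client request headers and keeps repeated headers instead of overwriting them. The set contents, the module name and the field name `req_headers` are assumptions for illustration; the events and record fields it touches are Bro's own.

```bro
module HTTP;

export {
	## Client request headers worth logging. The HTTP analyzer delivers
	## header names to script-land upper-cased, so list them that way.
	## Example values; AUTHORIZATION carries credentials, so enable it only
	## where logging them is acceptable.
	const interesting_headers: set[string] = {
		"COOKIE",
		"X-FORWARDED-FOR",
		"AUTHORIZATION"
	} &redef;

	redef record Info += {
		## Every interesting request header as "NAME: value", in wire
		## order. A vector keeps repeated headers rather than overwriting.
		req_headers: vector of string &log &optional;
	};
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Request direction only, and only once the HTTP state for this
	# connection exists (c$http is &optional on the connection record).
	if ( ! is_orig || ! c?$http )
		return;

	if ( name !in interesting_headers )
		return;

	if ( ! c$http?$req_headers )
		c$http$req_headers = vector();

	# |v| is the current length, so assigning at that index appends.
	c$http$req_headers[|c$http$req_headers|] = fmt("%s: %s", name, value);
	}
```

The resulting `req_headers` column in http.log is written as a comma-separated vector; values containing commas are not escaped by the ASCII writer, so post-process accordingly.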

Calibrate SSH bruteforcing parameters

@load protocols/ssh/detect-bruteforcing

redef SSH::password_guesses_limit = 20;  # default: 30
redef SSH::guessing_timeout = 10 mins;   # default: 30 mins
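An added example (not part of the original gist) showing the full tuning of the brute-force detector as a practitioner would deploy it: the threshold, a whitelist of clients that legitimately hammer servers, and routing of the resulting notices to e-mail. The subnet, mail address and limits are constructed example values.

```bro
@load protocols/ssh/detect-bruteforcing

# Example thresholds: flag a client after 15 password-guess-looking logins
# within 5 minutes.
redef SSH::password_guesses_limit = 15;
redef SSH::guessing_timeout = 5 mins;

# Never treat clients in this (example) management network as guessers.
# The index is the client subnet, the yield the server subnet it may talk to;
# 0.0.0.0/0 means any server.
redef SSH::ignore_guessers += {
	[192.0.2.0/24] = 0.0.0.0/0
};

# Mail these notices in addition to writing them to notice.log.
redef Notice::mail_dest = "soc@example.com";
redef Notice::emailed_types += {
	SSH::Password_Guessing,
	SSH::Login_By_Password_Guesser
};
```

`Login_By_Password_Guesser` fires when a client that already tripped the guessing threshold later produces a connection that looks like a successful login, which is the one of the two worth paging on.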

Generate notice when SSL certificates expire soon

@load protocols/ssl/expiring-certs

redef SSL::notify_when_cert_expiring_in = 1 day; # default: 30 days

Add a new root certificate

# Map the issuer to the DER-encoded certificate.
redef SSL::root_certs += { ["OU=SnakeTrust,C=US"] = "\x30\x82..." };

Write SSL certificates to disk (in PEM format)

# By default only for locally served certificates. LOCAL_HOSTS/REMOTE_HOSTS
# are decided against Site::local_nets, so configure that first.
@load policy/protocols/ssl/extract-certs-pem

# Record only remote certificates (ALL_HOSTS also possible).
redef SSL::extract_certs_pem = REMOTE_HOSTS;

Add GeoIP information to connection logs

redef record Conn::Info += {
	orig_cc: string &optional &log;
	resp_cc: string &optional &log;
};

# Requires Bro built with libGeoIP and a GeoIP database; without one the
# returned geo_location has no fields set and the columns stay empty.
event connection_state_remove(c: connection)
	{
	local orig_loc = lookup_location(c$id$orig_h);
	if ( orig_loc?$country_code )
		c$conn$orig_cc = orig_loc$country_code;

	local resp_loc = lookup_location(c$id$resp_h);
	if ( resp_loc?$country_code )
		c$conn$resp_cc = resp_loc$country_code;
	}
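Building on the snippet above, this added example (not from the original gist) geolocates only the non-local endpoint, adds the city, and raises a notice when that endpoint falls in a watched country. The module name `GeoConn`, the notice type, the column names and the country list are assumptions for illustration; `lookup_location`, `Site::is_local_addr` and `NOTICE` are Bro's own.

```bro
module GeoConn;

export {
	redef enum Notice::Type += {
		## A connection whose remote end geolocates to a watched country.
		Watched_Country
	};

	## ISO country codes to alert on (constructed example values).
	const watched_countries: set[string] = { "KP", "IR" } &redef;

	redef record Conn::Info += {
		## Country of the non-local endpoint, if GeoIP resolves it.
		remote_cc: string &log &optional;
		## City of the non-local endpoint, if GeoIP resolves it.
		remote_city: string &log &optional;
	};
}

event connection_state_remove(c: connection)
	{
	# Pick the endpoint outside Site::local_nets; geolocating a private
	# address returns an empty record anyway.
	local remote = Site::is_local_addr(c$id$orig_h) ? c$id$resp_h : c$id$orig_h;
	local loc = lookup_location(remote);

	# Without libGeoIP and a database no field of loc is set, so the
	# ?$ checks simply leave the columns empty.
	if ( loc?$country_code )
		c$conn$remote_cc = loc$country_code;
	if ( loc?$city )
		c$conn$remote_city = loc$city;

	# $identifier makes the notice framework suppress repeats for the
	# same remote address for the default suppression interval.
	if ( loc?$country_code && loc$country_code in watched_countries )
		NOTICE([$note=Watched_Country,
		        $msg=fmt("%s geolocates to %s", remote, loc$country_code),
		        $conn=c,
		        $identifier=cat(remote)]);
	}
```

When both endpoints are local the responder is looked up and yields nothing, so purely internal traffic never trips the notice.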