Bro detection scripts updates

I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro-appropriate way. A couple of questions:

Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.

Here's what I changed/added in some of the built-in detection scripts (lines with "+" are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
NOTICE([$note=Password_Guessing,
                $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
                $sub=sub_msg,
+ #$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
                $identifier=cat(key$host)]);
}]);
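
Review bot: `$id=[... $resp_h=0.0.0.0, $resp_p=0/tcp]` fills a connection tuple with endpoint values that were never observed, so anything that reads `id` downstream (ELSA grouping by responder, for instance) will see a responder of 0.0.0.0 port 0 rather than "unknown". Only `key$host` is real in this notice, so keep `$src=key$host` (currently commented out with `#` rather than removed) and, if `$id` is still needed for the log layout, add a comment saying the zero values are placeholders.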

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
NOTICE([$note=FTP::Bruteforcing,
+ #$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
                $msg=message,
                $identifier=cat(key$host)]);
}]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
NOTICE([$note=SQL_Injection_Attacker,
                $msg="An SQL injection attacker was discovered!",
                $email_body_sections=vector(format_sqli_samples(r$samples)),
+ #$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+ $sub=cat(format_sqli_samples(r$samples)),
                $identifier=cat(key$host)]);
}]);
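
Review bot: `$sub=cat(format_sqli_samples(r$samples))` duplicates the samples already passed to `$email_body_sections`, and since `format_sqli_samples` already yields the string that `vector(...)` wraps, the `cat()` is redundant. Putting the whole sample list into `sub` also pushes full request content into a single log column that ELSA has to index; if the aim is grouping, a short summary in `$sub` and the samples only in the e-mail body would serve better. The `$id` tuple here carries the same 0.0.0.0/0 placeholders as the brute-force hunks.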

NOTICE([$note=SQL_Injection_Victim,
                $msg="An SQL injection victim was discovered!",
                $email_body_sections=vector(format_sqli_samples(r$samples)),
+ #$src=key$host,
+ $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+ $sub=cat(format_sqli_samples(r$samples)),
                $identifier=cat(key$host)]);
}]);
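
Review bot: swapping the host into `$resp_h` for the victim notice is consistent with the attacker hunk, but `$orig_h=0.0.0.0` now makes the originator side the placeholder; wherever a source is derived from `id`, the victim notice will report 0.0.0.0. Consider setting `$dst=key$host` explicitly next to `$id` so the victim host is carried in a named field and not only inside the tuple.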

/opt/bro/share/bro/policy/misc/scan.bro
NOTICE([$note=Address_Scan,
                #$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+ #$p=to_port(key$str),
                $sub=side,
                $msg=message,
                $identifier=cat(key$host)]);
}]);
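
Review bot: `$resp_p=key$str` assigns a string to the port field of the `conn_id` record; the commented-out line directly below, `$p=to_port(key$str)`, shows the conversion that is needed, so this should read `$resp_p=to_port(key$str)`. Also, `#$src=key$host` appears here without a `+` marker while the other hunks mark that line as a change, so it is unclear whether `$src` was already commented out in this file or was changed too.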

NOTICE([$note=Port_Scan,
                #$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+ #$dst=to_addr(key$str),
                $sub=side,
                $msg=message,
                $identifier=cat(key$host)]);
}]);
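
Review bot: `$resp_h=key$str` assigns a string to the `addr` field `resp_h`; as the commented-out `$dst=to_addr(key$str)` line indicates, it needs `to_addr(key$str)`. The same `+`-marker question as in the Address_Scan hunk applies to the `#$src=key$host` line.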

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
NOTICE([$note=Traceroute::Detected,
                $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+ #$src=src,
+ $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
                $identifier=cat(src,proto)]);
}]);
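
Review bot: the tuple hard-codes `0/icmp` for both ports while the `$msg` on the line above reports `proto`, so for a UDP or TCP traceroute the `id` will contradict the message. Derive the port protocol from `proto`, or leave `$id` unset and keep `$src=src` together with a `$dst` set from the `dst` this hunk already uses, rather than fixing it to icmp.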

Thanks,
-Brian

You might be right in how you’ve done this. I never felt very comfortable with how this ended up getting implemented. I’ll file a ticket and see if I can address the ones you’ve pointed out and see if there are any more. I’ll probably also mark the src and dst fields as deprecated and maybe do a reporter message if they’re ever used (to give people a bit of breathing room before we break any existing scripts they have).

Here’s the ticket in case you or anyone else wants to comment on it:
  https://bro-tracker.atlassian.net/browse/BIT-1339

Great suggestion, thanks!
.Seth