(no subject)

Hi

below script i need to add connection related info inside notice log

Skip to content
This repository
Search
Pull requests
Issues
Gist
@binups
Sign out
Watch 14
Star 29
Fork 10 fox-it/bro-scripts
Code Issues 1 Pull requests 0 Projects 0 Wiki Pulse Graphs
Branch: master Find file Copy pathbro-scripts/smb-ransomware/smb-ransomware.bro
b3aa56d on 12 Sep 2016
@fox-srt fox-srt Adding SMB Ransomware policy for BroCon 2016
1 contributor
RawBlameHistory
120 lines (93 sloc) 2.85 KB
@load base/frameworks/files
@load base/protocols/smb
@load base/frameworks/notice
@load base/frameworks/sumstats

global fuidmap : set[string];

module FoxCryptoRansom;

export {
redef enum Notice::Type += {

Notice corresponding to a possible ransomware attack

RANSOMWARE_SMB
};

Entropy check on the first packet send

const enc_off = 0 &redef;

Entropy check on certain bytes

const enc_sdata = 0 &redef;
const enc_edata = 1000 &redef;

Entropy and Mean corresponding to a possible ransomware attack

const enc_entropy = 7.5 &redef;
const enc_mean = 125 &redef;

Notice values corresponding to a possible ransomware attack

const threshold_time = 30sec &redef;
const threshold_limit = 5.0 &redef;

Ignore list for certain filenames

const ignore_list = /GoogleChrome/ &redef;

redef enum Log::ID += {LOG};
type Info: record {
ts: time &log;
filename: string &log;
entropy: double &log;
mean: double &log;
};
}

event chunk_event (f: fa_file, data: string, off: count)
{
if ( off == enc_off ) {
local fox_entropy = find_entropy(data[enc_sdata:enc_edata]);
if ( fox_entropy$entropy >= enc_entropy && fox_entropy$mean >= enc_mean ) {

SumStats::observe(“SMB traffic detected”, SumStats::Key(), SumStats::Observation($num=1));

local rec: FoxCryptoRansom::Info = [ $ts=network_time(), $filename = f$info$filename, $entropy=fox_entropy$entropy, $mean=fox_entropy$mean ];
Log::write(FoxCryptoRansom::LOG, rec);
}
}
}

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if (f$source == “SMB”){

local filename = “UNKNOWN”;

if (f$info?$filename){
filename = f$info$filename;
}

local mime_type = “UNKNOWN”;

if (f$info?$mime_type){
mime_type = f$info$mime_type;
}

if (mime_type == “UNKNOWN”){

if (ignore_list in filename){
return;
}else{

if ( ! c$smb_state$current_file?$action){
return ;
}else{

if (c$smb_state$current_file$action == SMB::FILE_WRITE){
local fuid = c$smb_state$current_file$fuid;

if (fuid !in fuidmap){
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($chunk_event=chunk_event));
add fuidmap[fuid];
}
}else{
}
}
}
}
}
}

event bro_init()
{
local r1 = SumStats::Reducer($stream=“SMB traffic detected”,
$apply=set(SumStats::SUM));

SumStats::create([$name = “Ransomware detection”,
$epoch = threshold_time,
$reducers = set(r1),
$threshold = threshold_limit,
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result[“SMB traffic detected”]$sum;
},
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
NOTICE([$note=RANSOMWARE_SMB,
$msg=“Ransomware encrypting share detected”]);
}]);

Log::create_stream(FoxCryptoRansom::LOG, [$columns=Info, $path=“entropy”]);
}