I am currently trying to create a script in local.zeek that contains a list of malicious user agents, so that every time one of these agents appears in http.log a weird or notice log is generated.
Can someone help me with any kind of script close to this situation, or with ideas?
There are two ways to do this that come to mind immediately:

1. handle the http_header event while checking for the USER-AGENT header
2. handle the log_http event, and get the user_agent from the info record.

If you want the list of user agents to be dynamic, you could potentially use the input framework to load the malicious user agents.
Both approaches should be fairly straightforward. You still should create a new script file and load it in local.zeek, instead of just putting this directly into local.zeek.
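The second approach from the answer above (the log_http event rather than http_header), as an added example that is not the original poster's script or part of Zeek itself. It reads the blocklist with the input framework and raises a Notice, which is what the question asked for. Assumed: the file name "malicious_agents.txt", the module and notice type names, and that the input file is tab-separated with a "#fields user_agent" header line.

```zeek
# Added example: match http.log user agents against a blocklist and raise a Notice.
# Assumptions: file "malicious_agents.txt" lives next to this script, is
# tab-separated and starts with the line "#fields<TAB>user_agent".
@load base/frameworks/notice
@load base/frameworks/input
@load base/protocols/http

module MaliciousUA;

export {
    redef enum Notice::Type += {
        ## Raised when an HTTP request carried a User-Agent from the blocklist.
        Malicious_User_Agent,
    };

    ## Blocklist loaded by the input framework (exact-match strings).
    global blocklist: set[string] = set();
}

# Index record for the input framework: one column, the user agent string.
type Idx: record {
    user_agent: string;
};

event zeek_init()
{
    # REREAD picks up edits to the file without restarting Zeek.
    Input::add_table([$source="malicious_agents.txt",
                      $name="malicious_ua",
                      $idx=Idx,
                      $destination=blocklist,
                      $mode=Input::REREAD]);
}

# Fires once per HTTP request as its http.log record is written, so the
# whole Info record (uid, id, host, uri, user_agent) is available here.
event HTTP::log_http(rec: HTTP::Info)
{
    # user_agent is &optional in HTTP::Info; requests without the header skip out.
    if ( ! rec?$user_agent )
        return;

    if ( rec$user_agent !in blocklist )
        return;

    # One notice per (client, user agent) per hour instead of one per request.
    NOTICE([$note=Malicious_User_Agent,
            $msg=fmt("Malicious User-Agent '%s' detected", rec$user_agent),
            $sub=rec$user_agent,
            $id=rec$id,
            $uid=rec$uid,
            $identifier=cat(rec$id$orig_h, rec$user_agent),
            $suppress_for=1hr]);
}
```

Save this as its own file (for example malicious-ua.zeek) and add `@load ./malicious-ua` to local.zeek. Matches land in notice.log with the uid of the connection, so they can be joined back to http.log; the $identifier/$suppress_for pair keeps a noisy scanner from producing one notice per request.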
I used the Input Framework to import the agents. Also, I created a new log file ("malicious_user_agents.log") using the Logging Framework; the new log file contains the timestamp, uid, user agent and the message "Malicious User-Agent '...' detected".
Here is my script, and I hope that someone will find it useful.
```zeek
module malicious_user_agents;

export {
    redef enum Log::ID += { malicious_user_agents::LOG };

    # Columns written to malicious_user_agents.log
    type Info: record {
        ts: time &log;
        uid: string &log;
        user_agent: string &log;
        msg: string &log &default="HTTP";
    };

    global log_httpextend: event(rec: Info);
}

# Record type for Input Framework: one column, the user agent string.
# malicious_agents.txt must be tab-separated and start with the header
# line "#fields<TAB>user_agent", one user agent per following line.
type UserAgentEntry: record {
    user_agent: string;
};

# Global set to store malicious User-Agent strings
global user_agents: set[string] = set();

event zeek_init()
{
    # $path fixes the log file name to malicious_user_agents.log
    Log::create_stream(malicious_user_agents::LOG,
                       [$columns=Info, $ev=log_httpextend, $path="malicious_user_agents"]);

    # Input Framework to load malicious User-Agent strings into the set
    Input::add_table([
        $source = "malicious_agents.txt",
        $name = "user_agent",
        $idx = UserAgentEntry,
        $destination = user_agents
    ]);
}

# Event triggered for every HTTP header; Zeek uppercases the header name
event http_header(c: connection, is_orig: bool, original_name: string, name: string, value: string)
{
    # Check if the header is from the client (orig) and the User-Agent header matches a malicious one
    if ( is_orig && name == "USER-AGENT" && value in user_agents )
    {
        # Create a record for logging in malicious_user_agents.log
        local info: malicious_user_agents::Info = [
            $ts = network_time(),
            $uid = c$uid,
            $user_agent = value,
            $msg = fmt("Malicious User-Agent '%s' detected", value)
        ];

        # Write to the malicious_user_agents.log
        Log::write(malicious_user_agents::LOG, info);
    }
}
```