update to code-red.bro to detect today's new worm

The appended version calls it "Code Red type 3", though that's a misnomer.
However, I thought I should get this out pronto and worry about getting
the name right later.

    Vern

# Site-specific definitions; presumably where local_16_nets / local_24_nets
# (below) are consumed by is_local_addr() — confirm against site.bro.
@load site

# Change these initializations to correspond to your own /16 and /24 nets.
# redef local_16_nets = { 128.3.0.0, };
# redef local_24_nets = { 1.2.3.0, };

# Only the client->server half of each HTTP connection is captured; the
# conn_weird handler at the bottom exists to absorb the noise this causes.
redef capture_filter += "tcp dst port 80";

# redef sensitive_URIs += /root\.exe/;

# Log file receiving every worm sighting and unknown default.ida probe.
global code_red_log = open_log_file("code-red") &redef;

# Per-source hit counters, one table per signature type (1 = N-run .id[aq],
# 2 = X-run .id[aq], 3 = root.exe/tftp).  Only the increment from 0 to 1 in
# http_request triggers a log line / response; later hits are counted
# silently.  Nothing in this script ever removes entries, so the tables grow
# with the number of distinct source addresses seen.
global code_red_list1: table[addr] of count &default=0;
global code_red_list2: table[addr] of count &default=0;
global code_red_list3: table[addr] of count &default=0;

# If you define the following to a non-empty value, then they will be
# invoked for the first instances of confirmed local/remote Code Red
# infections.  Each is run via system() as "<pgm> <source-addr>" — the
# source address is the only argument — and only while reading live
# traffic (not when replaying a trace).
global local_code_red_response_pgm = "" &redef;
global remote_code_red_response_pgm = "" &redef;

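# Flag HTTP requests carrying one of three worm signatures and, the first
# time a given source shows a given signature, log it and optionally hand
# the source address to an operator-supplied response program.
#
# Signature -> "type" mapping (names follow the original script; the
# covering mail notes that "type 3" is a misnomer):
#   1: .ida/.idq request containing a run of N's   (code_red_list1)
#   2: .ida/.idq request containing a run of X's   (code_red_list2)
#   3: /scripts/root.exe?/c+tftp                   (code_red_list3)
# Any other request mentioning default.ida is logged as an unknown probe.
event http_request(c: connection, request: string, URI: string)
  {
  # The source address is needed by both the worm branch and the
  # unknown-default.ida branch, so set it before branching.  Previously it
  # was assigned only inside the first branch, leaving it unset when the
  # default.ida probe line was printed.
  local id = c$id;
  local src = id$orig_h;

  if ( /(\.id[aq]\?.*(NNNNNNNNNNNNN|XXXXXXXXXXXXX))|(\/scripts\/root\.exe\?\/c\+tftp)/ in URI )
    {
    local is_local = is_local_addr(src);
    local where = is_local ? "local" : "remote";
    # Response programs run only on live traffic, never on trace replay.
    local live = reading_live_traffic();

    # Non-zero (1/2/3) only the first time this source is seen with
    # the corresponding signature type.
    local new_CR_type = 0;

    if ( /NNNNNNNNNNNNN/ in URI )
      {
      if ( ++code_red_list1[src] == 1 )
        new_CR_type = 1;
      }

    else if ( /XXXXXXXXXXXXX/ in URI )
      {
      if ( ++code_red_list2[src] == 1 )
        new_CR_type = 2;
      }

    else
      {
      # Outer pattern matched but neither N nor X run did: this is the
      # root.exe/tftp alternative.
      if ( ++code_red_list3[src] == 1 )
        new_CR_type = 3;
      }

    if ( new_CR_type != 0 )
      {
      # First sighting of this source with this type.  The response
      # program receives the address as its single argument; src is an
      # addr rendered by fmt, so no part of the request itself is passed
      # to the shell.
      if ( is_local )
        {
        log fmt("local Code Red %d worm source: %s",
          new_CR_type, src);

        if ( live && local_code_red_response_pgm != "" )
          system(fmt("%s %s",
            local_code_red_response_pgm,
            src));
        }

      else
        if ( live && remote_code_red_response_pgm != "" )
          system(fmt("%s %s",
            remote_code_red_response_pgm,
            src));

      print code_red_log,
        fmt("%.6f %s Code Red %d worm source: %s",
          network_time(),
          where, new_CR_type, src);
      }
    }

  # A default.ida request matching none of the signatures above: record it
  # together with the URI for later inspection.
  else if ( /default\.ida..../ in URI )
    print code_red_log,
      fmt("%.6f unknown default.ida probe from: %s (%s)",
        network_time(), src, URI);
  }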

# Ignore "weird" events, we get some due to the capture_filter above that
# only captures the client side of an HTTP session.
event conn_weird(name: string, c: connection)
  {
  # Intentionally empty.  With only "tcp dst port 80" captured, the
  # analyzer sees one direction of each HTTP session, and the resulting
  # weird events are expected noise rather than something to report.
  }