grigorescu

@load base/frameworks/files

module ExtractHTTP;

## This module extracts file seen over HTTP, according to a flexible redef-able policy.                                                                                                                                                                                         

export {
       type Policy: record {
                ## MIME types to extract                                                                                                                                                                                                                         
                mime_types:  set[string] &optional;

grigorescu

# From: https://bitbucket.org/birkenfeld/pygments-main/src/863c453b293e2db0d63b52d517d4ca994725e364/pygments/lexers/dsls.py?at=default

class BroLexer(RegexLexer):
    """
    For `Bro <http://bro-ids.org/>`_ scripts.

    .. versionadded:: 1.5
    """
    name = 'Bro'
    aliases = ['bro']

grigorescu

@load base/utils/exec

module Blackhole;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		## The time at which the query was observed
		ts:            time               &log;

grigorescu

# Calculates metrics on March Madness video streaming, including 
# unique IPs, total HTTP requests, and total bytes downloaded.
# Sample output:
#
# fields	ts	ts_delta	app	uniq_hosts	hits	bytes
# types	time	interval	string	count	count	count
# 1395331457.824587	900.000000	march-madness	4	569	164589761
# 1395332324.854514	900.000000	march-madness	17	1917	704801124

@load misc/app-stats

grigorescu

##! Analyzes the Finger protocol

module Finger;

export {
        redef enum Log::ID += { LOG };
      
        ## The record type which contains the column fields of the DHCP log.
        type Info: record {
                ## The earliest time a finger request or response was seen.

grigorescu

{
  "bro_logs": {
    "template": "bro-*",
    "settings": {
      "number_of_shards": 4,
      "number_of_replicas": 0,
      "index.cache.field.type": "soft",
      "index.refresh_interval": "30s",
      "index.analysis": {
        "analyzer": {

grigorescu

redef enum Notice::Type += {
	Potential_Beaconing_Detected
};
 
event bro_init()
	{
	local r1 = SumStats::Reducer($stream="end_of_conn", $apply=set(SumStats::VARIANCE, SumStats::SUM));
	SumStats::create([$name="variance_of_orig_bytes",
	                  $epoch=5min,
	                  $reducers=set(r1),

grigorescu

##! Add ASNs for the originator and responder of a connection
##! to the connection logs.

module Conn;

export {
	redef record Conn::Info += {
		## ASN for the originator of the connection based 
		## on a GeoIP lookup.
		orig_asn: string &optional &log;

grigorescu

Perhaps you decided though that seeing hits on your intelligence in certain locations is not actually what you wanted. The same do_notice script has the ability to limit your notices by the location that the intelligence was seen. Create a new intel-3.dat file that shows you are only interested in matching the intelligence if it was seen in the host header.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice<TAB>meta.if_in
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source<TAB>T<TAB>HTTP::IN_HOST_HEADER

The only change that needs to happen in the script is to load the new intelligence file, but we will include the new script here. Name it intel-3.bro.

grigorescu

It’s very possible that hits on intelligence could be something that you want turned into a notice even though the basic intel framework does not provide that functionality. This is an example of data driven notice creation with the do_notice.bro script that is included with Bro.

We need to create a new intelligence file. Create intel-2.dat.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source<TAB>T

The only difference from the previous intelligence file is the do_notice column.