mavam · December 14, 2015 07:19 · mavam · Mar 3, 2013
diff --git a/miniduke.bro b/miniduke.bro
 @load base/frameworks/notice

 module Malware;

 export {
  redef enum Notice::Type += {
    ## Miniduke C&C activity.
    Miniduke_CC_Activity
  };
 }

 redef record HTTP::Info += {
  miniduke: string &optional;
 };

 function report(c: connection, uri: string)
  {
    local param = split1(uri, /=/)[2];
    local payload = decode_base64(gsub(gsub(param, /-/, "+"), /_/, "/"));
    NOTICE([$note=Miniduke_CC_Activity,
           $msg=fmt("Miniduke C&C activity: %s", payload),
           $conn=c]);
  }

 event http_request(c: connection, method: string, original_URI: string,
    unescaped_URI: string, version: string)
  {
    if ( /index\.php\?[[:alnum:]]+=([=-_]|[[:alnum:]])+/ in unescaped_URI )
      c$http$miniduke = unescaped_URI;
  }

 event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  {
    if ( is_orig || ! c$http?$miniduke || /image\/gif/ !in c$http$mime_type )
      return;
    report(c, c$http$miniduke);
    delete c$http$miniduke;
  }
	@load base/frameworks/notice

	module Malware;

	export {
	redef enum Notice::Type += {
	## Miniduke C&C activity.
	Miniduke_CC_Activity
	};
	}

	redef record HTTP::Info += {
	miniduke: string &optional;
	};

	function report(c: connection, uri: string)
	{
	local param = split1(uri, /=/)[2];
	local payload = decode_base64(gsub(gsub(param, /-/, "+"), /_/, "/"));
	NOTICE([$note=Miniduke_CC_Activity,
	$msg=fmt("Miniduke C&C activity: %s", payload),
	$conn=c]);
	}

	event http_request(c: connection, method: string, original_URI: string,
	unescaped_URI: string, version: string)
	{
	if ( /index\.php\?[[:alnum:]]+=([=-_]\|[[:alnum:]])+/ in unescaped_URI )
	c$http$miniduke = unescaped_URI;
	}

	event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig \|\| ! c$http?$miniduke \|\| /image\/gif/ !in c$http$mime_type )
	return;
	report(c, c$http$miniduke);
	delete c$http$miniduke;
	}