-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| <beginning> | ||
| <!-- Property 103: RDP honeypot (Draft) | ||
| --> | ||
| <property value="THEN" delay_units="ms" delay_min="0" delay_max="0" property_id="103" type_property="ATTACK" | ||
| description="RDP traffic to honeypot 15.235.141.63" | ||
| > | ||
| <event value="COMPUTE" event_id="1" | ||
| description="IP add of the honeypot 15.235.141.63" | ||
| boolean_expression="(#em_check_botnetcc(ip.src, ip.dst) == true)"/> | ||
| <event value="COMPUTE" event_id="2" | ||
| description="RDP packet" | ||
| boolean_expression="(rdp.packet_count > 0)"/> | ||
| </property> | ||
|
|
||
| <embedded_functions><![CDATA[ | ||
| #include <arpa/inet.h> | ||
| //hash table | ||
| static mmt_hash_t *table = NULL; | ||
| static inline int em_check_botnetcc( const char *ip_src, const char *ip_dst ){ | ||
| //struct in_addr addr; | ||
| //uint32_t ip = *(uint32_t *) ip_dst; | ||
| //addr.s_addr = ip; | ||
| //mmt_debug("Checking IP %"PRIu32" - %s", ip, inet_ntoa( addr ) ); | ||
| if( mmt_hash_search( table, ip_dst, 4 ) != NULL ) | ||
| return true; | ||
| if( mmt_hash_search( table, ip_src, 4 ) != NULL ) | ||
| return true; | ||
| return false; | ||
| } | ||
| static const char* list_ips[] = { | ||
| "15.235.141.63"}; | ||
| //This fuction is called when the rules in this file being loaded into MMT-Security | ||
| void on_load(){ | ||
| int i; | ||
| //number of uri | ||
| int length = sizeof( list_ips ) / sizeof( list_ips[0] ); | ||
| const char* ip; | ||
| uint32_t key; | ||
| struct in_addr addr; | ||
| //create a new hash table | ||
| table = mmt_hash_create( length ); | ||
| mmt_debug("Rule 32.botcc: Created a table for checking bootnet having %d IPs", length ); | ||
| //add items to the hash table | ||
| for( i=0; i<length; i++ ){ | ||
| ip = list_ips[i]; | ||
| //convert ip string to uint32_t | ||
| if( inet_aton( ip, &addr ) == 0 ){ | ||
| mmt_error( "Invalid IP address: %s", ip ); | ||
| continue; | ||
| } | ||
| key = addr.s_addr; | ||
| mmt_hash_add( table, &key, 4, (void*) ip, false ); | ||
| } | ||
| }//end on_load() | ||
| //This fuction is called when exiting MMT-Security | ||
| void on_unload(){ | ||
| mmt_hash_free( table ); | ||
| }//end on_unload() | ||
| ]]></embedded_functions> | ||
| </beginning> | ||
|
|
||
|
|