# Saw this traffic in 2017-04-25-Smoke-Loader-post-infection-traffic.pcap on malwaretrafficanalysis.net, if anyone is interested in looking.
# Definitely a test script; it is meant to run over pcaps, where you can easily identify the local host.
# Notice type raised when a single client accumulates enough TLS alerts of
# type handshake_failure within one SumStats epoch (see bro_init below).
# NOTE(review): no `module` statement precedes this block, so the enum value is
# declared with an explicit `multiple_ssl_failures::` prefix rather than via
# module scoping — confirm the script loads this way on the Bro/Zeek version in use.
export {
redef enum Notice::Type += {
multiple_ssl_failures::Found
};
}
# Feed the "odd SSL failure" SumStats stream with every handshake_failure
# alert that a server sends back to a client.  The observation is keyed on
# the client address (c$id$orig_h); the server address is carried along as
# the observation's $str value.
#
# c       - the connection the alert was seen on
# is_orig - true when the alert came from the connection originator
# level   - TLS alert level (unused here)
# desc    - TLS alert description code
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count)
	{
	# Only alerts emitted by the responder (server) side are of interest.
	if ( is_orig )
		return;

	# 40 is handshake_failure in the TLS alert description registry (RFC 5246).
	if ( desc != 40 )
		return;

	local client = c$id$orig_h;
	local server = cat(c$id$resp_h);
	SumStats::observe("odd SSL failure", [$host=client], [$str=server]);
	}
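# Register the SumStats stream that counts handshake_failure alerts per client
# and raises multiple_ssl_failures::Found once a client reaches the threshold
# inside one epoch.
#
# Fixes relative to the previous version:
#  - The threshold is now evaluated against result[...]$num (the number of
#    observations).  The observations made in ssl_alert carry only a $str
#    value, so result[...]$sum never grew and the threshold could not trip.
#  - The notice text now states the actual count and the real window
#    ($epoch=20secs); it previously claimed "within 5 seconds".
#  - $src is set so notice policy/actions can key on the offending client.
event bro_init()
	{
	# One reducer for the stream fed by ssl_alert.  SUM is kept for
	# compatibility; the threshold below uses the observation count.
	local r1 = SumStats::Reducer($stream="odd SSL failure",
	                             $apply=set(SumStats::SUM));

	SumStats::create([$name="SSL failure",
	                  # Window over which failures are accumulated per client;
	                  # must agree with the wording of the notice message.
	                  $epoch=20secs,
	                  $reducers=set(r1),
	                  $threshold=5.0,
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	# Number of handshake_failure alerts this client has
	                  	# received in the current epoch; +0.0 yields the double
	                  	# that threshold_val is expected to return.
	                  	return result["odd SSL failure"]$num + 0.0;
	                  	},
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	NOTICE([$note=multiple_ssl_failures::Found,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s had %d failed ssl connections (handshake_failure alerts) within 20 seconds",
	                  	                 key$host, result["odd SSL failure"]$num)]);
	                  	}]);
	}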