forked from michalpurzynski/bro-gramming
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathradius_bruteforcing.bro
executable file
·73 lines (66 loc) · 3.19 KB
/
radius_bruteforcing.bro
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Script to detect Radius auth bruteforcing
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor(s):
# Michal Purzynski [email protected]
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/http
module MozillaRadiusErrors;
export {
redef enum Notice::Type += {
Auth_Bruteforcing_User,
Auth_Bruteforcing_MAC,
};
const auth_errors_threshold: double = 3.0 &redef;
const auth_errors_interval = 1min &redef;
}
event bro_init()
{
local r1: SumStats::Reducer = [$stream="radius.auth_errors.user", $apply=set(SumStats::SUM)];
local r2: SumStats::Reducer = [$stream="radius.auth_errors.mac", $apply=set(SumStats::SUM)];
SumStats::create([$name="radius-auth-errors-users",
$epoch=auth_errors_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) = {
return result["radius.auth_errors.user"]$sum;
},
$threshold=auth_errors_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) = {
NOTICE([$note=Auth_Bruteforcing_User,
$msg=fmt("Radius auth bruteforcing for user %s", key$str),
$sub=fmt("%.0f auth failed in %s", result["radius.auth_errors.user"]$sum, auth_errors_interval),
$n=to_count(fmt("%.0f", result["radius.auth_errors.user"]$sum))
]);
}]);
SumStats::create([$name="radius-auth-errors-macs",
$epoch=auth_errors_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) = {
return result["radius.auth_errors.mac"]$sum;
},
$threshold=auth_errors_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) = {
NOTICE([$note=Auth_Bruteforcing_MAC,
$msg=fmt("Radius auth bruteforcing for MAC %s", key$str),
$sub=fmt("%.0f auth failed in %s", result["radius.auth_errors.mac"]$sum, auth_errors_interval),
$n=to_count(fmt("%.0f", result["radius.auth_errors.mac"]$sum))
]);
}]);
}
event RADIUS::log_radius(rec: RADIUS::Info)
{
if ( ( rec?$result ) && ( rec$result != "success" ) ) {
if ( ( rec?$username ) && ( |rec$username| > 1 ) )
SumStats::observe("radius.auth_errors.user",
[$str=rec$username],
SumStats::Observation($num=1));
if ( ( rec?$connect_info ) && ( |rec$connect_info| > 1 ) )
SumStats::observe("radius.auth_errors.mac",
[$str=rec$connect_info],
SumStats::Observation($num=1));
}
}