# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Initial Developer of the Original Code is
# Mozilla Corporation
# Portions created by the Initial Developer are Copyright (C) 2014
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Michal Purzynski [email protected]
@load base/frameworks/notice
@load base/protocols/http
module MozillaUnusualHTTP;

export {
	# Notice::Type values raised by the http_reply handler below:
	# Interesting_HTTP_Method_Success -> a suspicious method drew a sub-300
	# response, Interesting_HTTP_Method_Fail -> it drew a 300 or above.
	redef enum Notice::Type += {
		Interesting_HTTP_Method_Success,
		Interesting_HTTP_Method_Fail,
	};

	# Tags added to http.log entries alongside the matching notice.
	redef enum HTTP::Tags += {
		HTTP_BAD_METHOD_OK,
		HTTP_BAD_METHOD_FAIL,
	};

	# Request methods that are worth a notice when seen against a monitored
	# server. Tune with redef; membership is an exact, case-sensitive match.
	const suspicious_http_methods: set[string] = {
		"DELETE",
		"TRACE",
		"CONNECT",
		"PROPPATCH",
		"MKCOL",
		"SEARCH",
		"COPY",
		"MOVE",
		"LOCK",
		"UNLOCK",
		"POLL",
		"REPORT",
		"SUBSCRIBE",
		"BMOVE"
	} &redef;

	# Servers under observation: the responder address must fall into
	# monitor_ip_spaces AND the responder port into monitor_ports, so with
	# either set left empty nothing is checked.
	const monitor_ip_spaces: set[subnet] &redef;
	const monitor_ports: set[port] &redef;

	# Clients (orig) and servers (resp) excluded from the check entirely.
	const ignore_hosts_orig: set[subnet] &redef;
	const ignore_hosts_resp: set[subnet] &redef;

	# Per (server address, method) -> client subnets allowed to use that
	# method on that server without raising a notice.
	global whitelist_hosts_methods: table[addr, string] of set[subnet] = table() &redef;
}
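# Raise a notice when a client uses one of suspicious_http_methods against a
# monitored server. Runs on http_reply (rather than the request) so the
# server's verdict is known: a status below 300 tags the request
# HTTP_BAD_METHOD_OK and raises Interesting_HTTP_Method_Success, anything
# else tags HTTP_BAD_METHOD_FAIL and raises Interesting_HTTP_Method_Fail.
#
# c        the connection; ignored unless c$http exists and carries a method
# version  HTTP version string (unused)
# code     the response status code delivered with this event
# reason   the status reason phrase (unused)
#
# The notice $identifier is (host header, method, client address), so repeats
# of the same triple are subject to the notice framework's suppression.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	if ( ! c?$http || ! c$http?$method )
		return;

	# Only servers in the monitored address/port space, minus explicit ignores.
	if ( c$id$resp_h !in monitor_ip_spaces || c$id$resp_p !in monitor_ports )
		return;
	if ( c$id$resp_h in ignore_hosts_resp || c$id$orig_h in ignore_hosts_orig )
		return;

	# Behind a load balancer the TCP peer is the balancer, so prefer the
	# client address recorded in c$http$cluster_client_ip when it is set.
	# NOTE(review): that field is not defined in this file and presumably
	# comes from a client-supplied header; if so it is untrusted input, and
	# a client could choose it to land inside a whitelisted subnet below --
	# confirm where it is populated before relying on it for exemptions.
	local cluster_client_ip: addr = c$id$orig_h;
	if ( c$http?$cluster_client_ip )
		{
		cluster_client_ip = to_addr(c$http$cluster_client_ip);
		if ( cluster_client_ip in ignore_hosts_orig )
			return;
		}

	local method = c$http$method;
	if ( method !in suspicious_http_methods )
		return;

	# A whitelist entry for this (server, method) pair exempts only clients
	# whose address (TCP peer or cluster client) lies in one of its subnets.
	# Any other client still falls through to the notice below -- the mere
	# existence of an entry must not silence everyone.
	if ( [c$id$resp_h, method] in whitelist_hosts_methods )
		{
		local allowed = whitelist_hosts_methods[c$id$resp_h, method];
		if ( c$id$orig_h in allowed || cluster_client_ip in allowed )
			return;
		}

	local http_host = c$http?$host ? c$http$host : "NONE";
	local ident = cat(http_host, method, cluster_client_ip);

	# Decide on the status code carried by this event; c$http$status_code is
	# an &optional field filled in by a separate handler, so it is not used.
	if ( code < 300 )
		{
		add c$http$tags[HTTP_BAD_METHOD_OK];
		NOTICE([$note=Interesting_HTTP_Method_Success,
		        $msg=fmt("%s successfully used method %s on %s host %s", cluster_client_ip, method, c$id$resp_h, http_host),
		        $uid=c$uid,
		        $id=c$id,
		        $identifier=ident]);
		}
	else
		{
		add c$http$tags[HTTP_BAD_METHOD_FAIL];
		NOTICE([$note=Interesting_HTTP_Method_Fail,
		        $msg=fmt("%s failed to use method %s on %s host %s", cluster_client_ip, method, c$id$resp_h, http_host),
		        $uid=c$uid,
		        $id=c$id,
		        $identifier=ident]);
		}
	}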