-
Notifications
You must be signed in to change notification settings - Fork 24
/
conn_bad_subnet.bro
executable file
·38 lines (32 loc) · 1.18 KB
/
conn_bad_subnet.bro
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Contributor(s):
# Michal Purzynski [email protected]
#
# Script to detect connections to subnet given as a table index. Yields metadata.
module ConnBadSubnet;
redef enum Notice::Type += {
IN_ORIG,
IN_RESP,
};
event new_connection(c: connection)
{
if ( ! c?$id )
return;
if ( ! c$id?$orig_h )
return;
if ( c$id$orig_h in bad_subnets )
NOTICE([$note=IN_ORIG,
$msg=fmt("Suspicious IP %s known from %s attacks initated connection to our host %s ", cat(c$id$orig_h), bad_subnets[c$id$orig_h], cat(c$id$resp_h)),
$uid=c$uid,
$id=c$id,
$identifier=cat(c$uid)]);
if ( c$id$resp_h in bad_subnets )
NOTICE([$note=IN_RESP,
$msg=fmt("Our host %s initiated connection to suspicious %s known from %s attacks", cat(c$id$orig_h), cat(c$id$resp_h), bad_subnets[c$id$resp_h]),
$uid=c$uid,
$id=c$id,
$identifier=cat(c$uid)]);
}