1、过滤出数据包中的文件
# Sniffed MIME types that are worth extracting, mapped to the extension used
# for the on-disk name. Entries are listed alphabetically; order has no
# meaning to the table constructor.
global mime_to_ext: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["image/jpeg"]            = "jpg",
    ["image/png"]             = "png",
    ["text/html"]             = "html",
    ["text/plain"]            = "txt",
};
# Attach the extraction analyzer to HTTP-carried files whose sniffed MIME type
# appears in mime_to_ext. The output name is assembled only from values Bro
# assigns (the source tag and the file id), never from client-supplied
# headers, so the peer has no influence over where the file is written.
event file_sniff(f: fa_file, meta: fa_metadata)
{
    # || short-circuits, so meta$mime_type is only read after meta?$mime_type
    # has confirmed the field is present.
    if ( f$source != "HTTP" || ! meta?$mime_type || meta$mime_type !in mime_to_ext )
        return;

    local ext = mime_to_ext[meta$mime_type];
    local out_name = fmt("%s-%s.%s", f$source, f$id, ext);
    print fmt("Extracting file %s", out_name);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=out_name]);
}
抓取数据包:tcpdump -i eth0 -s 0 -w mypackets.trace
调用脚本过滤文件：bro -r mypackets.trace file_extraction.bro
结果文件:
[root@host201 logs]# ll -rt
总用量 800
-rw-r--r--. 1 root root 717676 12月 18 13:09 mypackets.trace
-rw-r--r--. 1 root root 561 12月 18 13:10 file_extraction.bro
drwxr-xr-x. 2 root root 4096 12月 18 13:10 extract_files
-rw-r--r--. 1 root root 5255 12月 18 13:10 weird.log
-rw-r--r--. 1 root root 694 12月 18 13:10 reporter.log
-rw-r--r--. 1 root root 253 12月 18 13:10 packet_filter.log
-rw-r--r--. 1 root root 12451 12月 18 13:10 files.log
-rw-r--r--. 1 root root 12261 12月 18 13:10 http.log
-rw-r--r--. 1 root root 28469 12月 18 13:10 dns.log
-rw-r--r--. 1 root root 15450 12月 18 13:10 conn.log
源数据分析:
1450419292.524501 ts
Fot4Nm2UYbynsWfTc9 fuid
180.97.66.49 tx_hosts
192.168.123.202 rx_hosts
CeKCf41wLLqduuZFP2 conn_uids
HTTP source
0 depth
EXTRACT,MD5,SHA1 analyzers
image/jpeg mime_type
- filename
0.000073 duration
F local_orig
F is_orig
3363 seen_bytes
3363 total_bytes
0 missing_bytes
0 overflow_bytes
F timedout
- parent_fuid
1a0f656c80b01ae5576556f9f52205e0 md5
3ed843a5f4e0b51e3349c9abed5061400ab5da74 sha1
- sha256
HTTP-Fot4Nm2UYbynsWfTc9.jpg extracted
2、告警产生
export {
    ## Mailbox that receives notices carrying the ACTION_EMAIL action. The
    ## address shown here is a placeholder and must be replaced before use.
    redef Notice::mail_dest = "xxxxx@xxx.com.cn";

    redef enum Notice::Type += {
        ## Raised by file_sniff when an HTTP-carried file has a sniffed MIME
        ## type listed in mime_to_ext (executables, images, text, HTML).
        Interesting_File,
    };
}
# Sniffed MIME types that count as "interesting", mapped to the extension
# used when building the name carried in the notice. Entries are listed
# alphabetically; order has no meaning to the table constructor.
global mime_to_ext: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["image/jpeg"]            = "jpg",
    ["image/png"]             = "png",
    ["text/html"]             = "html",
    ["text/plain"]            = "txt",
};
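# Raise an Interesting_File notice for each HTTP-carried file whose sniffed
# MIME type appears in mime_to_ext.
#
# Fix: the notice now carries $f, so the Notice framework can fill in the
# fuid (and, when the file maps to a single connection, the connection
# endpoints), and $sub carries the MIME type. Before, notice.log held only the
# constructed name in $msg, leaving no way to pivot to files.log or conn.log.
event file_sniff(f: fa_file, meta: fa_metadata)
{
    if ( f$source != "HTTP" )
        return;
    if ( ! meta?$mime_type )
        return;
    if ( meta$mime_type !in mime_to_ext )
        return;

    # Built only from Bro-assigned values (source tag, file id); nothing from
    # the HTTP headers reaches this string.
    local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
    NOTICE([$note=Interesting_File,
            $msg=fname,
            $sub=meta$mime_type,
            $f=f]);
}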
#日志
# Log Interesting_File notices: echo the record to stdout and request the
# ACTION_LOG action. Other notice types pass through untouched.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note != Interesting_File )
        return;

    print n;
    add n$actions[Notice::ACTION_LOG];
}
#发邮件
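# Email Interesting_File notices (delivered to Notice::mail_dest).
#
# Fix: the comparison was `n$note != Interesting_File`, which mailed every
# notice *except* the one this script defines - i.e. all of Bro's built-in
# notices went out by email while Interesting_File never did. It is now ==,
# matching the logging hook above.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Interesting_File )
    {
        print n;
        add n$actions[Notice::ACTION_EMAIL];
    }
}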
#告警
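# Alarm on Interesting_File notices.
#
# Fix: the comparison was `n$note != Interesting_File`, which alarmed on every
# notice *except* the one this script defines. It is now ==, matching the
# logging hook above.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Interesting_File )
    {
        print n;
        add n$actions[Notice::ACTION_ALARM];
    }
}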
-rw-r--r--. 1 root root 717676 12月 21 14:32 mypackets.trace
-rw-r--r--. 1 root root 5259 12月 21 15:25 weird.log
-rw-r--r--. 1 root root 694 12月 21 15:25 reporter.log
-rw-r--r--. 1 root root 10793 12月 21 15:25 files.log
-rw-r--r--. 1 root root 15454 12月 21 15:25 conn.log
-rw-r--r--. 1 root root 253 12月 21 15:25 packet_filter.log
-rw-r--r--. 1 root root 10757 12月 21 15:25 notice.log
-rw-r--r--. 1 root root 12261 12月 21 15:25 http.log
-rw-r--r--. 1 root root 28487 12月 21 15:25 dns.log
-rw-r--r--. 1 root root 1079 12月 21 15:26 framework_notice_hook_01.bro