Sample Bro Policy
From BroWiki
Do you have some Bro policy code that others might find useful? Request a wiki account and post it here!
- Policy for handling Broccoli events parsed from sshd logs:
- Policy for generating / watching for heartbeat events from between 2 instances of Bro:
- Policy for catching hosts sending spam by watching percentage of rejected SMTP sessions. New version using the "when" statement soon.
- Policy for watching DNS traffic for two interesting events:
  (1) domain names that look like host.local.com.evil.com
  (2) lookups that return 127.0.0.0/8, 10.0.0.0/8 or 192.168.0.0/16 addresses. Further lookups providing new address information are logged as well. These transitions have been used for bot C&C before.
- Policy for identifying a class of PHP related attacks similar to:
  /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=hxxp://usuarios.arnet.com.ar/larry123/safe.txt?
  The download address is parsed out of the URI and possibly resolved. Another 'when' example!
  Connections to these addresses are flagged as hot and alarmed.
