base/frameworks/notice/weird.bro

Weird

This script provides a default set of actions to take for “weird activity” events generated from Bro’s event engine. Weird activity is defined as unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor. Without context, it’s hard to judge whether a particular category of weird activity is interesting, but this script provides a starting point for the user.

Namespace: Weird
Imports: base/frameworks/notice/main.bro, base/utils/conn-ids.bro, base/utils/site.bro
Source File: /scripts/base/frameworks/notice/weird.bro

Summary

Options

Weird::actions: table &default = Weird::ACTION_LOG &optional &redef - A table specifying default/recommended actions per weird type.
Weird::ignore_hosts: set &redef - To completely ignore a specific weird for a host, add the host and weird name into this set.
Weird::weird_do_not_ignore_repeats: set &redef - Don’t ignore repeats for weirds in this set.

State Variables

Weird::did_log: set &create_expire = 1.0 day &redef - A state set which tracks unique weirds solely by name to reduce duplicate logging.
Weird::did_notice: set &create_expire = 1.0 day &redef - A state set which tracks unique weirds solely by name to reduce duplicate notices from being raised.
Weird::weird_ignore: set &create_expire = 10.0 mins &redef - This table is used to track identifier and name pairs that should be temporarily ignored because the problem has already been reported.

Types

Weird::Action: enum - Types of actions that may be taken when handling weird activity events.
Weird::Info: record - The record type which contains the column fields of the weird log.

Redefinitions

Log::ID: enum - The weird logging stream identifier.
Notice::Type: enum

Events

Weird::log_weird: event - Handlers of this event are invoked once per write to the weird logging stream before the data is actually written.

Detailed Interface

Options

Weird::actions
Type: table [string] of Weird::Action
Attributes: &default = Weird::ACTION_LOG &optional &redef
Default:
{
   ["irc_invalid_whois_message_format"] = Weird::ACTION_LOG,
   ["bad_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_whois_operator_line"] = Weird::ACTION_LOG,
   ["DNS_truncated_len_lt_hdr_len"] = Weird::ACTION_LOG,
   ["inappropriate_FIN"] = Weird::ACTION_LOG,
   ["matching_undelivered_data"] = Weird::ACTION_LOG,
   ["DNS_truncated_quest_too_short"] = Weird::ACTION_LOG,
   ["bad_ident_port"] = Weird::ACTION_LOG,
   ["non_IPv4_packet"] = Weird::ACTION_LOG_ONCE,
   ["irc_invalid_whois_user_line"] = Weird::ACTION_LOG,
   ["originator_RPC_reply"] = Weird::ACTION_LOG_PER_ORIG,
   ["DNS_truncated_ans_too_short"] = Weird::ACTION_LOG,
   ["NUL_in_line"] = Weird::ACTION_LOG,
   ["partial_ident_request"] = Weird::ACTION_LOG,
   ["SSL_many_server_names"] = Weird::ACTION_LOG,
   ["netbios_server_session_request"] = Weird::ACTION_LOG,
   ["pop3_bad_base64_encoding"] = Weird::ACTION_LOG,
   ["smb_andx_command_failed_to_parse"] = Weird::ACTION_LOG,
   ["active_connection_reuse"] = Weird::ACTION_LOG,
   ["irc_invalid_join_line"] = Weird::ACTION_LOG,
   ["irc_invalid_topic_reply"] = Weird::ACTION_LOG,
   ["pop3_client_sending_server_commands"] = Weird::ACTION_LOG,
   ["connection_originator_SYN_ack"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_who_line"] = Weird::ACTION_LOG,
   ["partial_RPC_request"] = Weird::ACTION_LOG,
   ["SYN_after_reset"] = Weird::ACTION_LOG,
   ["simultaneous_open"] = Weird::ACTION_LOG_PER_CONN,
   ["irc_invalid_who_message_format"] = Weird::ACTION_LOG,
   ["irc_invalid_whois_channel_line"] = Weird::ACTION_LOG,
   ["pending_data_when_closed"] = Weird::ACTION_LOG,
   ["DHCP_no_type_option"] = Weird::ACTION_LOG,
   ["illegal_%_at_end_of_URI"] = Weird::ACTION_LOG,
   ["truncated_IP"] = Weird::ACTION_LOG,
   ["premature_connection_reuse"] = Weird::ACTION_LOG,
   ["incompletely_captured_fragment"] = Weird::ACTION_LOG,
   ["bad_RPC_program"] = Weird::ACTION_LOG,
   ["line_terminated_with_single_CR"] = Weird::ACTION_LOG,
   ["irc_too_many_invalid"] = Weird::ACTION_LOG,
   ["bad_UDP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["excessive_data_without_further_acks"] = Weird::ACTION_LOG,
   ["irc_invalid_squery_message_format"] = Weird::ACTION_LOG,
   ["DNS_RR_length_mismatch"] = Weird::ACTION_LOG,
   ["SYN_seq_jump"] = Weird::ACTION_LOG,
   ["unsolicited_SYN_response"] = Weird::ACTION_IGNORE,
   ["DNS_label_len_gt_pkt"] = Weird::ACTION_LOG_PER_ORIG,
   ["DNS_AAAA_neg_length"] = Weird::ACTION_LOG,
   ["fragment_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
   ["DHCP_wrong_op_type"] = Weird::ACTION_LOG,
   ["base64_illegal_encoding"] = Weird::ACTION_LOG,
   ["DNS_label_forward_compress_offset"] = Weird::ACTION_LOG_PER_ORIG,
   ["responder_RPC_call"] = Weird::ACTION_LOG_PER_ORIG,
   ["HTTP_chunked_transfer_for_multipart_message"] = Weird::ACTION_LOG,
   ["UDP_datagram_length_mismatch"] = Weird::ACTION_LOG_PER_ORIG,
   ["deficit_netbios_hdr_len"] = Weird::ACTION_LOG,
   ["line_terminated_with_single_LF"] = Weird::ACTION_LOG,
   ["RPC_rexmit_inconsistency"] = Weird::ACTION_LOG,
   ["truncated_ARP"] = Weird::ACTION_LOG,
   ["bad_rlogin_prolog"] = Weird::ACTION_LOG,
   ["multiple_RPCs"] = Weird::ACTION_LOG_PER_ORIG,
   ["truncated_NTP"] = Weird::ACTION_LOG,
   ["internally_truncated_header"] = Weird::ACTION_LOG,
   ["ident_request_addendum"] = Weird::ACTION_LOG,
   ["bad_HTTP_version"] = Weird::ACTION_LOG,
   ["pop3_malformed_auth_plain"] = Weird::ACTION_LOG,
   ["data_before_established"] = Weird::ACTION_LOG,
   ["DNS_RR_bad_length"] = Weird::ACTION_LOG,
   ["rsh_text_after_rejected"] = Weird::ACTION_LOG,
   ["dns_changed_number_of_responses"] = Weird::ACTION_LOG_PER_ORIG,
   ["DNS_truncated_RR_rdlength_lt_len"] = Weird::ACTION_LOG,
   ["HTTP_version_mismatch"] = Weird::ACTION_LOG,
   ["DNS_label_too_long"] = Weird::ACTION_LOG_PER_ORIG,
   ["dns_reply_seen_after_done"] = Weird::ACTION_LOG_PER_ORIG,
   ["HTTP_bad_chunk_size"] = Weird::ACTION_LOG,
   ["unexpected_client_HTTP_data"] = Weird::ACTION_LOG,
   ["FIN_advanced_last_seq"] = Weird::ACTION_LOG,
   ["FIN_after_reset"] = Weird::ACTION_IGNORE,
   ["unescaped_special_URI_char"] = Weird::ACTION_LOG,
   ["pop3_server_command_unknown"] = Weird::ACTION_LOG,
   ["possible_split_routing"] = Weird::ACTION_LOG,
   ["partial_finger_request"] = Weird::ACTION_LOG,
   ["DHCP_wrong_msg_type"] = Weird::ACTION_LOG,
   ["excessively_large_fragment"] = Weird::ACTION_LOG,
   ["data_without_SYN_ACK"] = Weird::ACTION_LOG,
   ["TCP_christmas"] = Weird::ACTION_LOG,
   ["bad_SYN_ack"] = Weird::ACTION_LOG,
   ["DNS_NAME_too_long"] = Weird::ACTION_LOG,
   ["SMB_parsing_error"] = Weird::ACTION_LOG,
   ["irc_invalid_command"] = Weird::ACTION_LOG,
   ["DNS_RR_unknown_type"] = Weird::ACTION_LOG,
   ["irc_invalid_dcc_message_format"] = Weird::ACTION_LOG,
   ["SYN_inside_connection"] = Weird::ACTION_LOG,
   ["repeated_SYN_reply_wo_ack"] = Weird::ACTION_LOG,
   ["truncated_header"] = Weird::ACTION_LOG,
   ["unmatched_HTTP_reply"] = Weird::ACTION_LOG,
   ["RST_storm"] = Weird::ACTION_LOG,
   ["spontaneous_RST"] = Weird::ACTION_IGNORE,
   ["irc_invalid_mode_message_format"] = Weird::ACTION_LOG,
   ["corrupt_tcp_options"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_line_size_exceeded"] = Weird::ACTION_LOG,
   ["repeated_SYN_with_ack"] = Weird::ACTION_LOG,
   ["excess_netbios_hdr_len"] = Weird::ACTION_LOG,
   ["HTTP_overlapping_messages"] = Weird::ACTION_LOG,
   ["partial_ftp_request"] = Weird::ACTION_LOG,
   ["irc_invalid_reply_number"] = Weird::ACTION_LOG,
   ["invalid_irc_global_users_reply"] = Weird::ACTION_LOG,
   ["irc_invalid_kick_message_format"] = Weird::ACTION_LOG,
   ["above_hole_data_without_any_acks"] = Weird::ACTION_LOG,
   ["malformed_ssh_version"] = Weird::ACTION_LOG,
   ["fragment_with_DF"] = Weird::ACTION_LOG,
   ["rlogin_text_after_rejected"] = Weird::ACTION_LOG,
   ["RST_with_data"] = Weird::ACTION_LOG,
   ["DNS_Conn_count_too_large"] = Weird::ACTION_LOG,
   ["irc_invalid_invite_message_format"] = Weird::ACTION_LOG,
   ["RPC_underflow"] = Weird::ACTION_LOG,
   ["unexpected_multiple_HTTP_requests"] = Weird::ACTION_LOG,
   ["unexpected_server_HTTP_data"] = Weird::ACTION_LOG,
   ["bad_TCP_header_len"] = Weird::ACTION_LOG,
   ["crud_trailing_HTTP_request"] = Weird::ACTION_LOG,
   ["inflate_failed"] = Weird::ACTION_LOG,
   ["baroque_SYN"] = Weird::ACTION_LOG,
   ["pop3_server_sending_client_commands"] = Weird::ACTION_LOG,
   ["fragment_size_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
   ["malformed_ssh_identification"] = Weird::ACTION_LOG,
   ["irc_invalid_names_line"] = Weird::ACTION_LOG,
   ["SYN_with_data"] = Weird::ACTION_LOG_PER_ORIG,
   ["window_recision"] = Weird::ACTION_LOG,
   ["unescaped_%_in_URI"] = Weird::ACTION_LOG,
   ["fragment_overlap"] = Weird::ACTION_LOG_PER_ORIG,
   ["spontaneous_FIN"] = Weird::ACTION_IGNORE,
   ["bad_TCP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["no_smb_session_using_parsesambamsg"] = Weird::ACTION_LOG,
   ["irc_invalid_privmsg_message_format"] = Weird::ACTION_LOG,
   ["SYN_after_close"] = Weird::ACTION_LOG,
   ["bad_IP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["bad_ident_request"] = Weird::ACTION_LOG,
   ["excess_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["pop3_client_command_unknown"] = Weird::ACTION_LOG,
   ["fragment_protocol_inconsistency"] = Weird::ACTION_LOG,
   ["HTTP_unknown_method"] = Weird::ACTION_LOG,
   ["transaction_subcmd_missing"] = Weird::ACTION_LOG,
   ["SYN_after_partial"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["double_%_in_URI"] = Weird::ACTION_LOG,
   ["netbios_raw_session_msg"] = Weird::ACTION_LOG,
   ["unknown_netbios_type"] = Weird::ACTION_LOG,
   ["multiple_HTTP_request_elements"] = Weird::ACTION_LOG,
   ["data_after_reset"] = Weird::ACTION_LOG,
   ["DNS_label_len_gt_name_len"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_notice_message_format"] = Weird::ACTION_LOG,
   ["bad_HTTP_reply"] = Weird::ACTION_LOG,
   ["irc_line_too_short"] = Weird::ACTION_LOG,
   ["partial_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["FIN_storm"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["excessive_RPC_len"] = Weird::ACTION_LOG_PER_ORIG,
   ["successful_RPC_reply_to_invalid_request"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["bad_ident_reply"] = Weird::ACTION_LOG,
   ["netbios_client_session_reply"] = Weird::ACTION_LOG,
   ["irc_invalid_line"] = Weird::ACTION_LOG,
   ["bad_rsh_prolog"] = Weird::ACTION_LOG,
   ["excessively_small_fragment"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_oper_message_format"] = Weird::ACTION_LOG,
   ["irc_invalid_njoin_line"] = Weird::ACTION_LOG,
   ["bad_ICMP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["unpaired_RPC_response"] = Weird::ACTION_LOG
}

A table specifying default/recommended actions per weird type.

Weird::ignore_hosts
Type: set [addr, string]
Attributes: &redef
Default: {}

To completely ignore a specific weird for a host, add the host and weird name into this set.

Weird::weird_do_not_ignore_repeats
Type: set [string]
Attributes: &redef
Default:
{
   "bad_TCP_checksum",
   "bad_IP_checksum",
   "bad_ICMP_checksum",
   "bad_UDP_checksum"
}

Don’t ignore repeats for weirds in this set. For example, it’s handy keeping track of clustered checksum errors.

State Variables

Weird::did_log
Type: set [string, string]
Attributes: &create_expire = 1.0 day &redef
Default: {}

A state set which tracks unique weirds solely by name to reduce duplicate logging. This is deliberately not synchronized because it could cause overload during storms.

Weird::did_notice
Type: set [string, string]
Attributes: &create_expire = 1.0 day &redef
Default: {}

A state set which tracks unique weirds solely by name to reduce duplicate notices from being raised.

Weird::weird_ignore
Type: set [string, string]
Attributes: &create_expire = 10.0 mins &redef
Default: {}

This table is used to track identifier and name pairs that should be temporarily ignored because the problem has already been reported. This reduces the volume produced by high-volume weirds by allowing only one instance of a unique weird per create_expire interval.

Types

Weird::Action
Type: enum

Weird::ACTION_UNSPECIFIED

A dummy action indicating the user does not care what internal decision is made regarding a given type of weird.

Weird::ACTION_IGNORE

No action is to be taken.

Weird::ACTION_LOG

Log the weird event every time it occurs.

Weird::ACTION_LOG_ONCE

Log the weird event only once.

Weird::ACTION_LOG_PER_CONN

Log the weird event once per connection.

Weird::ACTION_LOG_PER_ORIG

Log the weird event once per originator host.

Weird::ACTION_NOTICE

Always generate a notice associated with the weird event.

Weird::ACTION_NOTICE_ONCE

Generate a notice associated with the weird event only once.

Weird::ACTION_NOTICE_PER_CONN

Generate a notice for the weird event once per connection.

Weird::ACTION_NOTICE_PER_ORIG

Generate a notice for the weird event once per originator host.

Types of actions that may be taken when handling weird activity events.

Weird::Info
Type: record

ts: time &log

The time when the weird occurred.

uid: string &log &optional

If a connection is associated with this weird, this will be the connection’s unique ID.

id: conn_id &log &optional

conn_id for the optional connection.

name: string &log

The name of the weird that occurred.

addl: string &log &optional

Additional information accompanying the weird if any.

notice: bool &log &default = F &optional

Indicate if this weird was also turned into a notice.

peer: string &log &optional

The peer that originated this weird. In cluster deployments this helps identify which node is having trouble.

The record type which contains the column fields of the weird log.

Events

Weird::log_weird
Type: event (rec: Weird::Info)

Handlers of this event are invoked once per write to the weird logging stream before the data is actually written.

rec: The weird columns about to be logged to the weird stream.
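The following site policy shows how the options above and the Weird::log_weird event fit together: retuning entries of Weird::actions, silencing one weird for one host, and counting what actually reaches weird.log. It is an added example, not code from weird.bro; the weird names are taken from the default Weird::actions table, while the 192.0.2.10 address and the weird_counts table are constructed for illustration.

```bro
##! Added example: site tuning for the Weird framework (not part of weird.bro).
@load base/frameworks/notice/weird

# Checksum weirds default to ACTION_LOG_PER_ORIG and sit in
# weird_do_not_ignore_repeats, so a capture point behind a NIC doing checksum
# offload can fill weird.log. Log each of these names a single time instead.
redef Weird::actions += {
	["bad_TCP_checksum"] = Weird::ACTION_LOG_ONCE,
	["bad_UDP_checksum"] = Weird::ACTION_LOG_ONCE,
	# Payload before the handshake completes can indicate a sensor being
	# confused; escalate it from a log line to a notice, once per originator.
	["data_before_established"] = Weird::ACTION_NOTICE_PER_ORIG
};

# Suppress one understood weird for one host (constructed address from the
# documentation range; the weird is never logged or noticed for this host).
redef Weird::ignore_hosts += { [192.0.2.10, "fragment_with_DF"] };

# Keep every repeat of this weird visible rather than collapsing bursts
# into one entry per 10-minute weird_ignore interval.
redef Weird::weird_do_not_ignore_repeats += { "SYN_with_data" };

# Constructed counter: how many times each weird name was written to the log.
global weird_counts: table[string] of count &default=0;

event Weird::log_weird(rec: Weird::Info)
	{
	++weird_counts[rec$name];

	# uid and id are &optional, so test for presence before dereferencing.
	if ( rec$notice && rec?$id )
		print fmt("notice-worthy weird %s from %s", rec$name, rec$id$orig_h);
	}

event bro_done()
	{
	# Review the noisiest categories; candidates for further Weird::actions tuning.
	for ( name in weird_counts )
		print fmt("%s: %d", name, weird_counts[name]);
	}
```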
Copyright 2013, The Bro Project. Last updated on July 19, 2016. Created using Sphinx 1.4.4.