module ExploitKit;
# One of the many ways to look for Exploit Kit/drive-by behavior. By default, this script looks for
# a common exploit type: Java JAR (zip), Java Applet, PDF or Flash content that precedes a DOS
# executable. The behavior is tracked by source IP and a 2min window is allowed for an exploit type
# and exec to be seen. Additionally, all DOS executables downloaded via HTTP with a User-Agent that
# contains 'Java/' will be flagged.
#
# Notices are generated for the suspicious file combination, and for the JVM downloading executable
# content.
#
# Mike (sooshie@gmail.com)
#
# Per-client watch state: for each originator address, the set of exploit-type MIME types
# (exploit_file_types) recently downloaded by that client. An entry expires 2 minutes after it
# was created (&create_expire counts from creation, not from the last update), which is what
# bounds the "exploit type, then executable" window described above.
# NOTE(review): &synchronized/&mergeable are the legacy Bro cluster-state attributes; they are
# not accepted by current Zeek releases - confirm the target version before deploying.
global monitored_hosts: table[addr] of set[string] &create_expire=2mins &synchronized &mergeable;
export {
	# Notice types raised by this script:
	#   SuspiciousDownloads - a client that recently fetched an exploit-type file fetched a DOS executable.
	#   JVMDownload         - a DOS executable was fetched over HTTP by a client whose User-Agent contains 'Java/'.
	redef enum Notice::Type += {
		ExploitKit::SuspiciousDownloads,
		ExploitKit::JVMDownload
	};

	# MIME types treated as executable payloads. &redef so a site can extend the list.
	const exe_file_types: set[string] = {
		"application/x-dosexec",
	} &redef;

	# MIME types treated as possible exploit carriers (PDF, JAR/zip, Java applet, Flash).
	# Seeing one of these from a client opens the watch window for that client's address.
	const exploit_file_types: set[string] = {
		"application/pdf",
		"application/x-java-applet",
		"application/x-shockwave-flash",
		"application/zip",
	} &redef;
}
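# Fires once the file analysis framework has identified a file's MIME type.
# Two checks are made for files flowing toward a local host:
#   1. An executable from a client address that recently fetched an exploit-type file
#      raises ExploitKit::SuspiciousDownloads (one notice per connection carrying the file).
#   2. An executable fetched over HTTP with a 'Java/' User-Agent raises ExploitKit::JVMDownload.
# An exploit-type file records its MIME type in monitored_hosts for the client address.
event file_mime_type(f: fa_file, mime_type: string)
	{
	# Only downloads (file originated remotely) are of interest. Files::Info$local_orig is
	# &optional, so test for presence before reading it; an unset flag is treated as
	# "direction unknown" and the file is still inspected rather than aborting the handler.
	if ( f$info?$local_orig && f$info$local_orig )
		return;

	if ( mime_type in exe_file_types )
		{
		for ( cid in f$conns )
			{
			local c = f$conns[cid];
			# A file may arrive over a non-HTTP connection; c$http is then unset and
			# dereferencing it is a runtime error, so every HTTP access is guarded.
			local has_http = c?$http;

			# Best-effort filename for the notice's $sub; empty when not known.
			local s = "";
			if ( has_http && c$http?$current_entity && c$http$current_entity?$filename )
				s = fmt("Filename: %s", c$http$current_entity$filename);

			local message = "";
			if ( cid$orig_h in monitored_hosts )
				{
				# List every exploit-type MIME seen from this client, then the executable's type.
				local files = "";
				for ( fi in monitored_hosts[cid$orig_h] )
					files += fmt("%s, ", fi);
				message = fmt("Suspicious File Combination: %s%s", files, mime_type);
				NOTICE([$note=ExploitKit::SuspiciousDownloads, $msg=message, $sub=s, $conn=c]);
				}

			# strstr() returns 0 when the needle is absent.
			if ( has_http && c$http?$user_agent && strstr(c$http$user_agent, "Java/") != 0 )
				{
				message = fmt("JVM EXE Download: %s", mime_type);
				NOTICE([$note=ExploitKit::JVMDownload, $msg=message, $sub=s, $conn=c]);
				}
			}
		}

	if ( mime_type in exploit_file_types )
		{
		for ( cid in f$conns )
			{
			# Open (or extend) the watch entry for the client; expiry is governed by
			# the &create_expire attribute on monitored_hosts.
			if ( cid$orig_h !in monitored_hosts )
				monitored_hosts[cid$orig_h] = set();
			add monitored_hosts[cid$orig_h][mime_type];
			}
		}
	}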