@load http-ext
@load ipblocker
module HTTP;
export {
    # Notice raised by the http_ext handler below when a download whose
    # MIME type is "application/x-dosexec" comes from a host / URL / user
    # agent that matches one of the pattern lists in this block.
    redef enum Notice += {
        HTTP_IncorrectFileTypeBadHost
    };

    # Host-name patterns treated as bad origins for executables. Checked
    # with `in` against si$host; only /^www1/ is anchored to the start of
    # the name. &redef lets a site extend or replace the list.
    const bad_exec_domains =
          /co\.cc/
        | /cx\.cc/
        | /cz\.cc/
        | /^www1/
        &redef;

    # URL patterns treated as bad origins, checked with `in` against si$url.
    # NOTE(review): the `.` in /php.adv=/ and /load.php/ is unescaped and so
    # matches any single character — presumably intentional, confirm.
    const bad_exec_urls =
          /php.adv=/
        | /http:\/\/[0-9]{1,3}\.[0-9]{1,3}.*\/index\.php\?[^=]+=[^=]+$/ # try to match http://1.2.3.4/index.php?foo=bar
        | /load.php/
        &redef;

    # User-agent patterns that are suspicious when the executable's URL
    # does not contain ".exe" (see the http_ext handler).
    const bad_user_agents =
        /Java\/1/
        &redef;
}
# Attach the ipblocker action to the notice: notice_exec_ipblocker_dest
# comes from the @load'ed ipblocker script and, judging by its name, blocks
# the destination address of the flagged connection — confirm against
# ipblocker before relying on it.
redef notice_action_filters += {
    [HTTP_IncorrectFileTypeBadHost] = notice_exec_ipblocker_dest,
};
# Raise HTTP_IncorrectFileTypeBadHost when a Windows executable (per the
# identified-files MIME type) is served from a suspicious host or URL, or is
# fetched with a suspicious user agent via a URL that does not mention
# ".exe". Responses from local addresses are ignored, so no notice (and no
# attached action filter) is ever triggered for a local server.
event http_ext(id: conn_id, si: http_ext_session_info) &priority=1
{
    # Local servers are never flagged.
    if ( is_local_addr(id$resp_h) )
        return;

    # Only act on content that file identification tagged as a DOS/Windows
    # executable; both guards read the session in the same order as the
    # original conjunction.
    if ( "identified-files" !in si$tags )
        return;
    if ( si$mime_type != "application/x-dosexec" )
        return;

    # Bail out unless the origin looks bad or an executable is being pulled
    # by a flagged user agent from a URL with no ".exe" in it. The checks
    # short-circuit left to right, so si$user_agent is only read once the
    # host, URL and ".exe" tests have all come out clean.
    if ( bad_exec_domains !in si$host
         && bad_exec_urls !in si$url
         && ( /\.exe/ in si$url || bad_user_agents !in si$user_agent ) )
        return;

    NOTICE([$note=HTTP_IncorrectFileTypeBadHost,
            $id=id,
            $msg=fmt("EXE Downloaded from bad host %s %s %s", id$orig_h, id$resp_h, si$url),
            $sub="http-ext"]);
}