http variables

sensitive_URIs : pattern
Any request (GET, HEAD, or POST) specifying a URI that matches this pattern is flagged as sensitive.
Default: URIs with /etc/passwd or /etc/shadow embedded in them, or /cfdocs/expeval (used in some Cold Fusion exploits).
Note: The latter generates some false hits; it's mainly included just to convey the notion of looking for direct attacks rather than attacks used to exploit sensitive files like the first ones.
Deficiency: It would be very handy to have variables providing hooks for more context when considering whether a particular access is sensitive, such as whether the request was inbound or outbound.
sensitive_post_URIs : pattern
Any request using the POST method specifying a URI that matches this pattern is flagged as sensitive.
Default: URIs with wwwroot embedded in them.
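The two variables above express one small piece of detection logic: a URI pattern that applies to every request method, and a second pattern that applies only to POST. As an added example (not code from the Bro manual or the Bro policy language), the following Python reimplements that logic and runs it over a few constructed http-log style lines. It goes one step beyond the page in percent-decoding the URI before matching, since a literal pattern on the raw URI would otherwise miss an encoded /etc/%73hadow; the sample URIs and session numbers are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Patterns mirroring the defaults described in the text.  These are Python
# regexes written for this example, not the Bro policy's own syntax.
SENSITIVE_URIS = re.compile(r"/etc/passwd|/etc/shadow|/cfdocs/expeval")
SENSITIVE_POST_URIS = re.compile(r"wwwroot")

# Methods the general pattern applies to, per the text.
REQUEST_METHODS = {"GET", "HEAD", "POST"}


def flag_request(method, uri):
    """Return the names of the variables whose pattern the request matches.

    Percent-decoding before matching is an addition beyond the page; it keeps
    trivial encoding of the path from evading the literal patterns.
    """
    reasons = []
    decoded = unquote(uri)
    if method in REQUEST_METHODS and SENSITIVE_URIS.search(decoded):
        reasons.append("sensitive_URIs")
    if method == "POST" and SENSITIVE_POST_URIS.search(decoded):
        reasons.append("sensitive_post_URIs")
    return reasons


# Request lines in the http log have the shape "%<session> <METHOD> <URI>".
# The "start" line of a session begins with a timestamp and is skipped.
LOG_LINE = re.compile(r"^%(\d+)\s+(\S+)\s+(\S+)$")


def scan_log(lines):
    """Yield (session, method, uri, reasons) for every flagged request."""
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        session, method, uri = m.groups()
        reasons = flag_request(method, uri)
        if reasons:
            hits.append((session, method, uri, reasons))
    return hits


# Constructed sample: one benign retrieval, then requests that exercise each
# pattern.  Only the first two lines echo the page's own transcript.
SAMPLE_LOG = """\
972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
%1596 GET /vfrog/bottom.icon.gif
%1597 GET /cgi-bin/view?file=../../etc/passwd
%1598 HEAD /etc/%73hadow
%1599 POST /scripts/upload.asp?dir=/inetpub/wwwroot
%1600 GET /inetpub/wwwroot/index.html
%1601 POST /cfdocs/expeval/index.htm
"""

if __name__ == "__main__":
    for session, method, uri, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"%{session} {method} {uri}  <- {', '.join(reasons)}")
```

Session %1600 is deliberately not flagged: wwwroot in a GET is ordinary browsing, which is exactly why the page scopes that pattern to POST. Session %1601 is flagged only by the /cfdocs/expeval part of sensitive_URIs, the pattern the text warns produces some false hits.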
In addition, http_log holds the name of the HTTP log file to which Bro writes HTTP session summaries. It defaults to open_log_file("http").
Here we show an example of what entries in this file look like:

972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
%1596 GET /vfrog/bottom.icon.gif
%1596 GET /vfrog/top.icon.gif
%1596 GET /vfrog/movies/off.gif
%1596 GET /vfrog/new.frog.small.gif

Here we see a transcript of the 1596th HTTP session seen since Bro started running. The first line gives its start time and the participating hosts. The next five lines all correspond to GET methods retrieving different items from the Web server. Deficiency: Bro can't log whether the retrievals succeeded or failed because it doesn't yet have an HTTP reply analyzer.
The corresponding lines in the red file look like:

972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80 S3 X %10596
972482764.686470 18.7611 http 596 7712 131.243.2.12 200.241.229.80 S3 X %10596
972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80 S1 X %10596

That there are three connections rather than five reflects (i) that the client used persistent HTTP, and so didn't need one connection per item, but also (ii) that the client used three parallel connections (the maximum the standard allows is only two) to fetch the items more quickly. As with FTP sessions, the %10596 addl annotation lets you correlate the red entries with the log entries.
Note: All three of the connections wound up in unusual states. The first two are in state S3, which, as indicated by Table 7.3, means that the responder (in this case, the Web server) attempted to close the connection, but there was no reply from the originator. The last is in state S1, indicating that neither side attempted to close the connection (which is why no duration is listed for it).
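The correlation the text describes, joining http log sessions to red entries through the %N addl annotation, is easy to do by hand for one session and worth automating for a day's worth of logs. The following Python is an added example, not part of the Bro manual or distribution: it parses both record shapes as shown above, joins them on the session number, checks the "three parallel connections" observation by computing the peak number of simultaneously open connections, and translates the two state codes the text explains. The sample data is taken from the transcript above with the annotation on the red lines set to %1596 so that the two files actually join; which of the two byte counts is originator versus responder is not spelled out on the page and is an assumption here.

```python
import re
from collections import defaultdict

# State codes as the text explains them from Table 7.3.  Bro defines more
# codes, but only these two are described on this page.
STATE_MEANING = {
    "S3": "responder attempted to close, no reply from originator",
    "S1": "neither side attempted to close (no duration recorded)",
}

LOG_START = re.compile(r"^(\d+\.\d+)\s+%(\d+)\s+start\s+(\S+)\s+>\s+(\S+)$")
LOG_REQ = re.compile(r"^%(\d+)\s+(\S+)\s+(\S+)$")


def parse_http_log(lines):
    """Group http log lines by session number."""
    sessions = {}
    for raw in lines:
        line = raw.strip()
        m = LOG_START.match(line)
        if m:
            ts, sid, client, server = m.groups()
            sessions[sid] = {"start": float(ts), "client": client,
                             "server": server, "requests": []}
            continue
        m = LOG_REQ.match(line)
        if m and m.group(1) in sessions:
            sessions[m.group(1)]["requests"].append((m.group(2), m.group(3)))
    return sessions


def parse_red(lines):
    """Parse red (connection summary) lines.  A duration of '?' means the
    connection had not closed; the byte-count order is an assumption."""
    conns = []
    for raw in lines:
        f = raw.split()
        if len(f) != 10:
            continue
        start, dur, service, b1, b2, h1, h2, state, flags, addl = f
        conns.append({
            "start": float(start),
            "duration": None if dur == "?" else float(dur),
            "service": service,
            "bytes": (int(b1), int(b2)),      # assumed: originator, responder
            "hosts": (h1, h2),
            "state": state,
            "flags": flags,
            "session": addl.lstrip("%"),      # the %N addl annotation
        })
    return conns


def max_parallel(conns):
    """Peak number of simultaneously open connections.  A connection with no
    recorded duration is treated as still open at the end of the window."""
    events = []
    for c in conns:
        events.append((c["start"], 1))
        if c["duration"] is not None:
            events.append((c["start"] + c["duration"], -1))
    events.sort()  # at equal times a close (-1) is processed before an open
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def correlate(sessions, conns):
    """Attach each red entry to the http session whose number it carries."""
    by_session = defaultdict(list)
    for c in conns:
        by_session[c["session"]].append(c)
    report = {}
    for sid, s in sessions.items():
        cs = by_session.get(sid, [])
        report[sid] = {
            "requests": len(s["requests"]),
            "connections": len(cs),
            "max_parallel": max_parallel(cs),
            "states": [(c["state"], STATE_MEANING.get(c["state"], "not described here"))
                       for c in cs],
        }
    return report


# Sample input built from the transcript above (annotation made consistent).
SAMPLE_HTTP_LOG = """\
972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
%1596 GET /vfrog/bottom.icon.gif
%1596 GET /vfrog/top.icon.gif
%1596 GET /vfrog/movies/off.gif
%1596 GET /vfrog/new.frog.small.gif
"""
SAMPLE_RED = """\
972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80 S3 X %1596
972482764.686470 18.7611 http 596 7712 131.243.2.12 200.241.229.80 S3 X %1596
972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80 S1 X %1596
"""

if __name__ == "__main__":
    report = correlate(parse_http_log(SAMPLE_HTTP_LOG.splitlines()),
                       parse_red(SAMPLE_RED.splitlines()))
    for sid, r in report.items():
        print(f"%{sid}: {r['requests']} requests over {r['connections']} "
              f"connections, peak {r['max_parallel']} in parallel")
        for code, meaning in r["states"]:
            print(f"   {code}: {meaning}")
```

For the session above the report shows five requests over three connections with a peak of three open at once, which is the parallelism the text points out. A peak above the two the standard allows, or a session whose connections never reach a normal close state, is the kind of signal this join makes visible across many sessions rather than one.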