#
# Copyright (c) 2017 Capital One. All rights reserved.
# Author: Derek Ditch <derek.ditch@criticalstack.com>
#
@load policy/misc/capture-loss
@load policy/protocols/conn/weirds
@load policy/protocols/dns/detect-external-names
@load policy/protocols/ftp/detect-bruteforcing
@load policy/protocols/ftp/detect
@load policy/protocols/http/detect-sqli
@load policy/frameworks/intel/do_notice
@load policy/frameworks/packet-filter/shunt
@load policy/frameworks/dpd/detect-protocols
@load policy/misc/scan
@load policy/protocols/smtp/blocklists
@load policy/protocols/smtp/detect-suspicious-orig
@load policy/frameworks/software/version-changes
@load policy/frameworks/software/vulnerable
@load policy/protocols/ssh/interesting-hostnames
@load policy/protocols/ssh/geo-data
@load policy/protocols/ssh/detect-bruteforcing
@load policy/protocols/ssl/expiring-certs
@load policy/protocols/ssl/validate-ocsp
@load policy/protocols/ssl/validate-certs
@load policy/protocols/ssl/weak-keys
@load policy/frameworks/files/detect-MHR
@load policy/misc/detect-traceroute
module PurpleRain;

export {
	## Notice types that are copied into the dedicated "pr-notice" log
	## (the Log::Filter is installed in zeek_init below). Every entry is
	## defined either by base Zeek or by one of the policy scripts
	## @load-ed at the top of this file; the comment above each group
	## names the script that provides it.
	##
	## NOTE(review): confirm that every @load-ed policy script still
	## ships with the deployed Zeek version before relying on this list.
	##
	## Site-specific additions should be made with `redef` rather than by
	## editing this list, e.g.:
	##     redef PurpleRain::pr_notice_types += { SSL::Certificate_Changed };
	## Referencing a notice type whose defining script is not loaded is a
	## parse-time error, so load the provider first.
	const pr_notice_types: set[Notice::Type] = {
		# policy/misc/capture-loss
		CaptureLoss::Too_Much_Loss,

		# policy/protocols/conn/weirds
		Conn::Retransmission_Inconsistency,

		# policy/protocols/dns/detect-external-names
		DNS::External_Name,

		# policy/protocols/ftp/detect-bruteforcing, policy/protocols/ftp/detect
		FTP::Bruteforcing,
		FTP::Site_Exec_Success,

		# policy/protocols/http/detect-sqli
		HTTP::SQL_Injection_Attacker,
		HTTP::SQL_Injection_Victim,

		# policy/frameworks/intel/do_notice
		Intel::Notice,

		# base notice framework
		Notice::Tally,

		# base packet-filter framework and policy/frameworks/packet-filter/shunt
		PacketFilter::Cannot_BPF_Shunt_Conn,
		PacketFilter::Compile_Failure,
		PacketFilter::Dropped_Packets,
		PacketFilter::Install_Failure,
		PacketFilter::No_More_Conn_Shunts_Available,
		PacketFilter::Too_Long_To_Compile_Filter,

		# policy/frameworks/dpd/detect-protocols
		ProtocolDetector::Server_Found,

		# policy/misc/scan
		Scan::Address_Scan,
		Scan::Port_Scan,

		# base signature framework
		Signatures::Count_Signature,
		Signatures::Multiple_Sig_Responders,
		Signatures::Multiple_Signatures,
		Signatures::Sensitive_Signature,
		Signatures::Signature_Summary,

		# policy/protocols/smtp/blocklists, policy/protocols/smtp/detect-suspicious-orig
		SMTP::Blocklist_Blocked_Host,
		SMTP::Blocklist_Error_Message,
		SMTP::Suspicious_Origination,

		# policy/frameworks/software/version-changes, policy/frameworks/software/vulnerable
		Software::Software_Version_Change,
		Software::Vulnerable_Version,

		# policy/protocols/ssh/{interesting-hostnames,detect-bruteforcing,geo-data}
		SSH::Interesting_Hostname_Login,
		SSH::Login_By_Password_Guesser,
		SSH::Password_Guessing,
		SSH::Watched_Country_Login,

		# policy/protocols/ssl/{expiring-certs,validate-ocsp,validate-certs,weak-keys}
		SSL::Certificate_Expired,
		SSL::Certificate_Expires_Soon,
		SSL::Certificate_Not_Valid_Yet,
		SSL::Invalid_Ocsp_Response,
		SSL::Invalid_Server_Cert,
		SSL::Old_Version,
		SSL::Weak_Cipher,
		SSL::Weak_Key,

		# policy/frameworks/files/detect-MHR
		TeamCymruMalwareHashRegistry::Match,

		# policy/misc/detect-traceroute
		Traceroute::Detected,

		# base notice framework (weird.zeek)
		Weird::Activity,
	} &redef;

	# Notice types that were considered but deliberately left out of the
	# set above. Several of them (Authentication::*, Heartbleed::*,
	# Oracle::*, RDP::*, SMB::*, Tunneling::*, VirusTotal::*) are not
	# provided by any script loaded in this file, so enabling one of them
	# requires loading its provider first; the rest are presumably excluded
	# for noise reasons — confirm with the owner before re-enabling.
	#
	#   Authentication::BruteForcing
	#   Authentication::UnauthorizedAccount
	#   Authentication::UnauthorizedKerbService
	#   Authentication::UnauthorizedMethod
	#   Authentication::UnauthorizedSource
	#   Conn::Content_Gap
	#   Heartbleed::SSL_Heartbeat_Attack
	#   Heartbleed::SSL_Heartbeat_Attack_Success
	#   Heartbleed::SSL_Heartbeat_Many_Requests
	#   Heartbleed::SSL_Heartbeat_Odd_Length
	#   Intel::Dynamic_DNS
	#   Intel::IP_from_Watched_Domain
	#   Oracle::Authentication
	#   Oracle::Connection
	#   Oracle::Query
	#   ProtocolDetector::Protocol_Found
	#   RDP::Connection
	#   SMB::Admin_Share_Access
	#   SMB::At_Task_Scheduler
	#   SMB::Registry_Access
	#   SMB::Sensitive_Directory_Access
	#   SMB::Service_Create
	#   SMB::Service_Start
	#   SMB::Service_Stop
	#   SMB::Service_Stop
	#   SSL::Certificate_Changed
	#   Tunneling::DNS
	#   Tunneling::ICMP
	#   Tunneling::Teredo
	#   VirusTotal::Match
}
## Log::Filter predicate for Notice::LOG: a notice is kept only when its
## type is listed in PurpleRain::pr_notice_types.
##
## rec: The Notice::Info record about to be written to Notice::LOG.
##
## Returns: T if the notice belongs in the pr-notice log, F otherwise.
function purple_rain_notices(rec: Notice::Info) : bool
	{
	if ( rec$note in pr_notice_types )
		return T;

	return F;
	}
## Install an additional filter on Notice::LOG that writes the notice
## types selected by purple_rain_notices to their own "pr-notice" log.
## Log::add_filter only adds a filter: the stream's default filter
## (notice.log) is left in place, so matching notices appear in both.
event zeek_init()
	{
	Log::add_filter(Notice::LOG,
	                [$name="pr-notices",
	                 $path="pr-notice",
	                 $pred=purple_rain_notices]);
	}