forked from sethhall/bro-scripts
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathsmtp-ext-phish-passwords.bro
115 lines (103 loc) · 3.76 KB
/
smtp-ext-phish-passwords.bro
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
@load global-ext
@load smtp-ext
module PHISH;
global smtp_password_conns: set[conn_id] &read_expire=2mins;
export {
redef enum Notice += {
SMTP_PossiblePWPhish,
SMTP_PossiblePWPhishReply,
};
global phishing_counter: table[string] of count &default=0 &create_expire=1hr &synchronized;
global phishing_reply_tos: set[string] &synchronized &redef;
global phishing_ignore_froms: set[string] &redef;
global phishing_threshold = 50;
const phish_keywords =
/[pP][aA][sS][sS][wW][oO][rR][dD]/
| /[uU][sS][eE][rR].?[nN][aA][mM][eE]/
| /[nN][eE][tT][iI][dD]/ &redef;
}
event bro_init()
{
LOG::create_logs("password-mail", All, F, T);
LOG::define_header("password-mail", cat_sep("\t", "",
"ts",
"orig_h", "orig_p",
"resp_h", "resp_p",
"helo", "message-id", "in-reply-to",
"mailfrom", "rcptto",
"date", "from", "reply_to", "to", "subject",
"files", "last_reply", "x-originating-ip",
"path", "is_webmail", "agent"));
}
event bro_done()
{
print "Counter";
print phishing_counter;
print "bad reply-tos";
print phishing_reply_tos;
}
event smtp_data(c: connection, is_orig: bool, data: string)
{
if(is_local_addr(c$id$orig_h))
return;
# look for 'password'
if(phish_keywords in data)
add smtp_password_conns[c$id];
}
event smtp_ext(id: conn_id, si: smtp_ext_session_info)
{
if(is_local_addr(id$orig_h)) {
for (to in si$rcptto){
if(to in phishing_reply_tos){
NOTICE([$note=SMTP_PossiblePWPhishReply,
$msg=fmt("%s replied to %s - %s", si$mailfrom, to, si$subject),
$id=id,
$sub=si$mailfrom
]);
}
}
} else {
if (id !in smtp_password_conns)
return;
if(si$mailfrom in phishing_ignore_froms)
return;
phishing_counter[si$mailfrom] += |si$rcptto|;
if(phishing_counter[si$mailfrom] > phishing_threshold){
local to_add ="";
if(si$reply_to != "")
to_add = si$reply_to;
else if(si$from != "")
to_add = si$from;
else
to_add = si$mailfrom;
if(to_add !in phishing_reply_tos){
add phishing_reply_tos[to_add];
NOTICE([$note=SMTP_PossiblePWPhish,
$msg=fmt("%s(%s) may be phishing - %s", si$mailfrom, si$reply_to, si$subject),
$id=id,
$sub=si$mailfrom
]);
}
}
local log = LOG::get_file_by_id("password-mail", id, F);
print log, cat_sep("\t", "\\N",
network_time(),
id$orig_h, port_to_count(id$orig_p), id$resp_h, port_to_count(id$resp_p),
si$helo,
si$msg_id,
si$in_reply_to,
si$mailfrom,
fmt_str_set(si$rcptto, /["'<>]|([[:blank:]].*$)/),
si$date,
si$from,
si$reply_to,
fmt_str_set(si$to, /["']/),
si$subject,
fmt_str_set(si$files, /["']/),
si$last_reply,
si$x_originating_ip == 0.0.0.0 ? "" : fmt("%s", si$x_originating_ip),
si$path,
si$is_webmail,
si$agent);
}
}