:tocdepth: 3

base/frameworks/notice/weird.bro
================================
.. bro:namespace:: Weird

This script provides a default set of actions to take for "weird activity"
events generated from Bro's event engine.  Weird activity is defined as
unusual or exceptional activity that can indicate malformed connections,
traffic that doesn't conform to a particular protocol, malfunctioning
or misconfigured hardware, or even an attacker attempting to avoid/confuse
a sensor.  Without context, it's hard to judge whether a particular
category of weird activity is interesting, but this script provides
a starting point for the user.

:Namespace: Weird
:Imports: :doc:`base/frameworks/notice/main.bro </scripts/base/frameworks/notice/main.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
:Source File: :download:`/scripts/base/frameworks/notice/weird.bro`

Summary
~~~~~~~
Options
#######
================================================================================================================================= ==============================================================
:bro:id:`Weird::actions`: :bro:type:`table` :bro:attr:`&default` = ``Weird::ACTION_LOG`` :bro:attr:`&optional` :bro:attr:`&redef` A table specifying default/recommended actions per weird type.
:bro:id:`Weird::ignore_hosts`: :bro:type:`set` :bro:attr:`&redef`                                                                 To completely ignore a specific weird for a host, add the host
                                                                                                                                  and weird name into this set.
:bro:id:`Weird::weird_do_not_ignore_repeats`: :bro:type:`set` :bro:attr:`&redef`                                                  Don't ignore repeats for weirds in this set.
================================================================================================================================= ==============================================================

State Variables
###############
============================================================================================================ ====================================================================
:bro:id:`Weird::did_log`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`        A state set which tracks unique weirds solely by name to reduce
                                                                                                             duplicate logging.
:bro:id:`Weird::did_notice`: :bro:type:`set` :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`     A state set which tracks unique weirds solely by name to reduce
                                                                                                             duplicate notices from being raised.
:bro:id:`Weird::weird_ignore`: :bro:type:`set` :bro:attr:`&create_expire` = ``10.0 mins`` :bro:attr:`&redef` This table is used to track identifier and name pairs that should be
                                                                                                             temporarily ignored because the problem has already been reported.
============================================================================================================ ====================================================================

Types
#####
=========================================== =======================================================================
:bro:type:`Weird::Action`: :bro:type:`enum` Types of actions that may be taken when handling weird activity events.
:bro:type:`Weird::Info`: :bro:type:`record` The record type which contains the column fields of the weird log.
=========================================== =======================================================================

Redefinitions
#############
========================================== ====================================
:bro:type:`Log::ID`: :bro:type:`enum`      The weird logging stream identifier.
:bro:type:`Notice::Type`: :bro:type:`enum` 
========================================== ====================================

Events
######
============================================= ==============================================================
:bro:id:`Weird::log_weird`: :bro:type:`event` Handlers of this event are invoked once per write to the weird
                                              logging stream before the data is actually written.
============================================= ==============================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: Weird::actions

   :Type: :bro:type:`table` [:bro:type:`string`] of :bro:type:`Weird::Action`
   :Attributes: :bro:attr:`&default` = ``Weird::ACTION_LOG`` :bro:attr:`&optional` :bro:attr:`&redef`
   :Default:

   ::

      {
         ["multiple_HTTP_request_elements"] = Weird::ACTION_LOG,
         ["truncated_IP"] = Weird::ACTION_LOG,
         ["pop3_malformed_auth_plain"] = Weird::ACTION_LOG,
         ["pop3_server_sending_client_commands"] = Weird::ACTION_LOG,
         ["RPC_rexmit_inconsistency"] = Weird::ACTION_LOG,
         ["SYN_seq_jump"] = Weird::ACTION_LOG,
         ["deficit_netbios_hdr_len"] = Weird::ACTION_LOG,
         ["irc_invalid_mode_message_format"] = Weird::ACTION_LOG,
         ["SYN_after_partial"] = Weird::ACTION_NOTICE_PER_ORIG,
         ["bad_IP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
         ["partial_RPC_request"] = Weird::ACTION_LOG,
         ["irc_invalid_whois_operator_line"] = Weird::ACTION_LOG,
         ["crud_trailing_HTTP_request"] = Weird::ACTION_LOG,
         ["HTTP_chunked_transfer_for_multipart_message"] = Weird::ACTION_LOG,
         ["ident_request_addendum"] = Weird::ACTION_LOG,
         ["irc_invalid_notice_message_format"] = Weird::ACTION_LOG,
         ["irc_invalid_invite_message_format"] = Weird::ACTION_LOG,
         ["RST_storm"] = Weird::ACTION_LOG,
         ["HTTP_unknown_method"] = Weird::ACTION_LOG,
         ["DNS_truncated_RR_rdlength_lt_len"] = Weird::ACTION_LOG,
         ["transaction_subcmd_missing"] = Weird::ACTION_LOG,
         ["HTTP_version_mismatch"] = Weird::ACTION_LOG,
         ["simultaneous_open"] = Weird::ACTION_LOG_PER_CONN,
         ["HTTP_bad_chunk_size"] = Weird::ACTION_LOG,
         ["fragment_size_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
         ["bad_SYN_ack"] = Weird::ACTION_LOG,
         ["active_connection_reuse"] = Weird::ACTION_LOG,
         ["unexpected_multiple_HTTP_requests"] = Weird::ACTION_LOG,
         ["FIN_after_reset"] = Weird::ACTION_IGNORE,
         ["excess_netbios_hdr_len"] = Weird::ACTION_LOG,
         ["bad_rlogin_prolog"] = Weird::ACTION_LOG,
         ["dns_reply_seen_after_done"] = Weird::ACTION_LOG_PER_ORIG,
         ["excess_RPC"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_njoin_line"] = Weird::ACTION_LOG,
         ["HTTP_overlapping_messages"] = Weird::ACTION_LOG,
         ["originator_RPC_reply"] = Weird::ACTION_LOG_PER_ORIG,
         ["rlogin_text_after_rejected"] = Weird::ACTION_LOG,
         ["excessive_RPC_len"] = Weird::ACTION_LOG_PER_ORIG,
         ["pop3_bad_base64_encoding"] = Weird::ACTION_LOG,
         ["DNS_RR_bad_length"] = Weird::ACTION_LOG,
         ["bad_ident_port"] = Weird::ACTION_LOG,
         ["irc_invalid_command"] = Weird::ACTION_LOG,
         ["NUL_in_line"] = Weird::ACTION_LOG,
         ["SYN_after_reset"] = Weird::ACTION_LOG,
         ["possible_split_routing"] = Weird::ACTION_LOG,
         ["excessively_small_fragment"] = Weird::ACTION_LOG_PER_ORIG,
         ["truncated_header"] = Weird::ACTION_LOG,
         ["partial_ident_request"] = Weird::ACTION_LOG,
         ["premature_connection_reuse"] = Weird::ACTION_LOG,
         ["irc_invalid_who_line"] = Weird::ACTION_LOG,
         ["excessively_large_fragment"] = Weird::ACTION_LOG,
         ["repeated_SYN_reply_wo_ack"] = Weird::ACTION_LOG,
         ["base64_illegal_encoding"] = Weird::ACTION_LOG,
         ["unescaped_%_in_URI"] = Weird::ACTION_LOG,
         ["data_without_SYN_ACK"] = Weird::ACTION_LOG,
         ["DNS_truncated_ans_too_short"] = Weird::ACTION_LOG,
         ["data_after_reset"] = Weird::ACTION_LOG,
         ["line_terminated_with_single_CR"] = Weird::ACTION_LOG,
         ["unpaired_RPC_response"] = Weird::ACTION_LOG,
         ["FIN_advanced_last_seq"] = Weird::ACTION_LOG,
         ["connection_originator_SYN_ack"] = Weird::ACTION_LOG_PER_ORIG,
         ["DNS_label_forward_compress_offset"] = Weird::ACTION_LOG_PER_ORIG,
         ["pop3_client_sending_server_commands"] = Weird::ACTION_LOG,
         ["dns_changed_number_of_responses"] = Weird::ACTION_LOG_PER_ORIG,
         ["unexpected_server_HTTP_data"] = Weird::ACTION_LOG,
         ["DNS_RR_unknown_type"] = Weird::ACTION_LOG,
         ["partial_RPC"] = Weird::ACTION_LOG_PER_ORIG,
         ["excessive_data_without_further_acks"] = Weird::ACTION_LOG,
         ["DNS_NAME_too_long"] = Weird::ACTION_LOG,
         ["DNS_AAAA_neg_length"] = Weird::ACTION_LOG,
         ["successful_RPC_reply_to_invalid_request"] = Weird::ACTION_NOTICE_PER_ORIG,
         ["pop3_server_command_unknown"] = Weird::ACTION_LOG,
         ["responder_RPC_call"] = Weird::ACTION_LOG_PER_ORIG,
         ["DHCP_wrong_msg_type"] = Weird::ACTION_LOG,
         ["SMB_parsing_error"] = Weird::ACTION_LOG,
         ["unexpected_client_HTTP_data"] = Weird::ACTION_LOG,
         ["netbios_client_session_reply"] = Weird::ACTION_LOG,
         ["DNS_truncated_quest_too_short"] = Weird::ACTION_LOG,
         ["bad_HTTP_version"] = Weird::ACTION_LOG,
         ["irc_invalid_squery_message_format"] = Weird::ACTION_LOG,
         ["partial_ftp_request"] = Weird::ACTION_LOG,
         ["above_hole_data_without_any_acks"] = Weird::ACTION_LOG,
         ["repeated_SYN_with_ack"] = Weird::ACTION_LOG,
         ["irc_line_size_exceeded"] = Weird::ACTION_LOG,
         ["DNS_label_len_gt_pkt"] = Weird::ACTION_LOG_PER_ORIG,
         ["netbios_server_session_request"] = Weird::ACTION_LOG,
         ["DNS_label_len_gt_name_len"] = Weird::ACTION_LOG_PER_ORIG,
         ["multiple_RPCs"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_line"] = Weird::ACTION_LOG,
         ["netbios_raw_session_msg"] = Weird::ACTION_LOG,
         ["bad_HTTP_reply"] = Weird::ACTION_LOG,
         ["spontaneous_RST"] = Weird::ACTION_IGNORE,
         ["unsolicited_SYN_response"] = Weird::ACTION_IGNORE,
         ["unknown_netbios_type"] = Weird::ACTION_LOG,
         ["bad_TCP_header_len"] = Weird::ACTION_LOG,
         ["irc_invalid_kick_message_format"] = Weird::ACTION_LOG,
         ["irc_invalid_oper_message_format"] = Weird::ACTION_LOG,
         ["DNS_truncated_len_lt_hdr_len"] = Weird::ACTION_LOG,
         ["bad_RPC_program"] = Weird::ACTION_LOG,
         ["inflate_failed"] = Weird::ACTION_LOG,
         ["corrupt_tcp_options"] = Weird::ACTION_LOG_PER_ORIG,
         ["RST_with_data"] = Weird::ACTION_LOG,
         ["FIN_storm"] = Weird::ACTION_NOTICE_PER_ORIG,
         ["TCP_christmas"] = Weird::ACTION_LOG,
         ["DNS_label_too_long"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_whois_channel_line"] = Weird::ACTION_LOG,
         ["pop3_client_command_unknown"] = Weird::ACTION_LOG,
         ["irc_invalid_dcc_message_format"] = Weird::ACTION_LOG,
         ["irc_too_many_invalid"] = Weird::ACTION_LOG,
         ["DHCP_wrong_op_type"] = Weird::ACTION_LOG,
         ["fragment_protocol_inconsistency"] = Weird::ACTION_LOG,
         ["malformed_ssh_version"] = Weird::ACTION_LOG,
         ["SYN_after_close"] = Weird::ACTION_LOG,
         ["no_smb_session_using_parsesambamsg"] = Weird::ACTION_LOG,
         ["unescaped_special_URI_char"] = Weird::ACTION_LOG,
         ["fragment_with_DF"] = Weird::ACTION_LOG,
         ["fragment_overlap"] = Weird::ACTION_LOG_PER_ORIG,
         ["baroque_SYN"] = Weird::ACTION_LOG,
         ["line_terminated_with_single_LF"] = Weird::ACTION_LOG,
         ["bad_ident_request"] = Weird::ACTION_LOG,
         ["bad_ident_reply"] = Weird::ACTION_LOG,
         ["DNS_Conn_count_too_large"] = Weird::ACTION_LOG,
         ["invalid_irc_global_users_reply"] = Weird::ACTION_LOG,
         ["irc_invalid_reply_number"] = Weird::ACTION_LOG,
         ["non_IPv4_packet"] = Weird::ACTION_LOG_ONCE,
         ["SYN_inside_connection"] = Weird::ACTION_LOG,
         ["SYN_with_data"] = Weird::ACTION_LOG_PER_ORIG,
         ["bad_rsh_prolog"] = Weird::ACTION_LOG,
         ["DHCP_no_type_option"] = Weird::ACTION_LOG,
         ["matching_undelivered_data"] = Weird::ACTION_LOG,
         ["pending_data_when_closed"] = Weird::ACTION_LOG,
         ["unmatched_HTTP_reply"] = Weird::ACTION_LOG,
         ["bad_RPC"] = Weird::ACTION_LOG_PER_ORIG,
         ["data_before_established"] = Weird::ACTION_LOG,
         ["malformed_ssh_identification"] = Weird::ACTION_LOG,
         ["illegal_%_at_end_of_URI"] = Weird::ACTION_LOG,
         ["incompletely_captured_fragment"] = Weird::ACTION_LOG,
         ["irc_invalid_topic_reply"] = Weird::ACTION_LOG,
         ["irc_invalid_names_line"] = Weird::ACTION_LOG,
         ["irc_invalid_privmsg_message_format"] = Weird::ACTION_LOG,
         ["bad_ICMP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
         ["spontaneous_FIN"] = Weird::ACTION_IGNORE,
         ["smb_andx_command_failed_to_parse"] = Weird::ACTION_LOG,
         ["irc_invalid_whois_user_line"] = Weird::ACTION_LOG,
         ["window_recision"] = Weird::ACTION_LOG,
         ["bad_TCP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_who_message_format"] = Weird::ACTION_LOG,
         ["partial_finger_request"] = Weird::ACTION_LOG,
         ["truncated_ARP"] = Weird::ACTION_LOG,
         ["RPC_underflow"] = Weird::ACTION_LOG,
         ["double_%_in_URI"] = Weird::ACTION_LOG,
         ["fragment_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_join_line"] = Weird::ACTION_LOG,
         ["DNS_RR_length_mismatch"] = Weird::ACTION_LOG,
         ["inappropriate_FIN"] = Weird::ACTION_LOG,
         ["bad_UDP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_line_too_short"] = Weird::ACTION_LOG,
         ["SSL_many_server_names"] = Weird::ACTION_LOG,
         ["truncated_NTP"] = Weird::ACTION_LOG,
         ["UDP_datagram_length_mismatch"] = Weird::ACTION_LOG_PER_ORIG,
         ["irc_invalid_whois_message_format"] = Weird::ACTION_LOG,
         ["internally_truncated_header"] = Weird::ACTION_LOG,
         ["rsh_text_after_rejected"] = Weird::ACTION_LOG
      }

   A table specifying default/recommended actions per weird type.

.. bro:id:: Weird::ignore_hosts

   :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`string`]
   :Attributes: :bro:attr:`&redef`
   :Default: ``{}``

   To completely ignore a specific weird for a host, add the host
   and weird name into this set.

.. bro:id:: Weird::weird_do_not_ignore_repeats

   :Type: :bro:type:`set` [:bro:type:`string`]
   :Attributes: :bro:attr:`&redef`
   :Default:

   ::

      {
         "bad_TCP_checksum",
         "bad_ICMP_checksum",
         "bad_IP_checksum",
         "bad_UDP_checksum"
      }

   Don't ignore repeats for weirds in this set.  For example,
   it's handy to keep track of clustered checksum errors.

State Variables
###############
.. bro:id:: Weird::did_log

   :Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
   :Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
   :Default: ``{}``

   A state set which tracks unique weirds solely by name to reduce
   duplicate logging.  This is deliberately not synchronized because it
   could cause overload during storms.

.. bro:id:: Weird::did_notice

   :Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
   :Attributes: :bro:attr:`&create_expire` = ``1.0 day`` :bro:attr:`&redef`
   :Default: ``{}``

   A state set which tracks unique weirds solely by name to reduce
   duplicate notices from being raised.

.. bro:id:: Weird::weird_ignore

   :Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`string`]
   :Attributes: :bro:attr:`&create_expire` = ``10.0 mins`` :bro:attr:`&redef`
   :Default: ``{}``

   This set is used to track identifier and name pairs that should be
   temporarily ignored because the problem has already been reported.
   This helps reduce the volume of high-volume weirds by allowing only
   one unique weird per ``create_expire`` interval.

Types
#####
.. bro:type:: Weird::Action

   :Type: :bro:type:`enum`

      .. bro:enum:: Weird::ACTION_UNSPECIFIED Weird::Action

         A dummy action indicating the user does not care what
         internal decision is made regarding a given type of weird.

      .. bro:enum:: Weird::ACTION_IGNORE Weird::Action

         No action is to be taken.

      .. bro:enum:: Weird::ACTION_LOG Weird::Action

         Log the weird event every time it occurs.

      .. bro:enum:: Weird::ACTION_LOG_ONCE Weird::Action

         Log the weird event only once.

      .. bro:enum:: Weird::ACTION_LOG_PER_CONN Weird::Action

         Log the weird event once per connection.

      .. bro:enum:: Weird::ACTION_LOG_PER_ORIG Weird::Action

         Log the weird event once per originator host.

      .. bro:enum:: Weird::ACTION_NOTICE Weird::Action

         Always generate a notice associated with the weird event.

      .. bro:enum:: Weird::ACTION_NOTICE_ONCE Weird::Action

         Generate a notice associated with the weird event only once.

      .. bro:enum:: Weird::ACTION_NOTICE_PER_CONN Weird::Action

         Generate a notice for the weird event once per connection.

      .. bro:enum:: Weird::ACTION_NOTICE_PER_ORIG Weird::Action

         Generate a notice for the weird event once per originator host.

   Types of actions that may be taken when handling weird activity events.

.. bro:type:: Weird::Info

   :Type: :bro:type:`record`

      ts: :bro:type:`time` :bro:attr:`&log`
         The time when the weird occurred.

      uid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         If a connection is associated with this weird, this will be
         the connection's unique ID.

      id: :bro:type:`conn_id` :bro:attr:`&log` :bro:attr:`&optional`
         conn_id for the optional connection.

      name: :bro:type:`string` :bro:attr:`&log`
         The name of the weird that occurred.

      addl: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         Additional information accompanying the weird if any.

      notice: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
         Indicate if this weird was also turned into a notice.

      peer: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         The peer that originated this weird.  This is helpful in
         cluster deployments for identifying which node is having
         trouble.

   The record type which contains the column fields of the weird log.

Events
######
.. bro:id:: Weird::log_weird

   :Type: :bro:type:`event` (rec: :bro:type:`Weird::Info`)

   Handlers of this event are invoked once per write to the weird
   logging stream before the data is actually written.

   :rec: The weird columns about to be logged to the weird stream.
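The following is an added tuning example, not code from weird.bro itself, showing how the options above (``Weird::actions``, ``Weird::ignore_hosts``, ``Weird::weird_do_not_ignore_repeats``) and the ``Weird::log_weird`` event fit together in a site policy. The address ``192.0.2.10`` and the table ``weirds_per_peer`` are constructed placeholders for this illustration.

```bro
# Added example (not part of weird.bro). 192.0.2.10 is a constructed
# placeholder address; the per-peer table below is also illustrative.
@load base/frameworks/notice

# Override the shipped defaults for a few weirds. In this deployment a
# corrupted checksum or overlapping fragment from one originator should
# become a notice (once per originator) rather than a plain log line,
# while a chatty, well-understood weird is dropped entirely.
redef Weird::actions += {
    ["bad_TCP_checksum"] = Weird::ACTION_NOTICE_PER_ORIG,
    ["fragment_overlap"] = Weird::ACTION_NOTICE_PER_ORIG,
    ["TCP_christmas"] = Weird::ACTION_NOTICE,
    ["line_terminated_with_single_CR"] = Weird::ACTION_IGNORE
};

# A known load balancer (placeholder address) emits bad_IP_checksum
# constantly: suppress only that weird, only for that host.
redef Weird::ignore_hosts += {
    [192.0.2.10, "bad_IP_checksum"]
};

# Keep repeats of fragment_overlap so clustered occurrences stay visible
# instead of being collapsed by the weird_ignore expiry window.
redef Weird::weird_do_not_ignore_repeats += { "fragment_overlap" };

# Count weirds per reporting cluster node using Weird::Info$peer, so a
# sensor that is itself malfunctioning stands out from the others.
global weirds_per_peer: table[string] of count &default=0;

event Weird::log_weird(rec: Weird::Info)
    {
    if ( rec?$peer )
        ++weirds_per_peer[rec$peer];
    }
```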


