-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvnc_scanner_recognition.lua
76 lines (64 loc) · 2.34 KB
/
vnc_scanner_recognition.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
local COUNT = 5 -- Number of observations required for a match
local SECONDS = 60 -- Number of seconds in which the observations are to be seen
local CLEANUP = 120 -- Number of seconds inbetween cleanups to reduce memory usage and keep speed adequate
local scanner_table = {} -- Maps IP addresses to a sequence of timestamps
local last_cleanup = nil
function init (args)
-- Required function by Suricata Syntax, but not used for this script.
local needs = {}
return needs
end
function cleanup()
-- Cleanup for every IP address
for j, w in ipairs(scanner_table) do
new_sub_table = {}
hits = 0
for i,v in ipairs(scanner_table[srcip]) do
if v > last_time - SECONDS then
table.insert(new_sub_table, v)
hits = hits + 1
end
end
if hits == 0 then
scanner_table[srcip] = nil
else
scanner_table[srcip] = new_sub_table
end
end
end
function match(args)
-- Retrieve srcip and determine if it is a scanning IP
ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
-- If the IP has not yet been observed, create an empty table
if scanner_table[srcip] == nil then
scanner_table[srcip] = {}
end
-- Determine timestamp of new observation and add it to the sequence
last_time = os.time()
table.insert(scanner_table[srcip], last_time)
-- Count the number of observations within the SECONDS time window and prepare cleanup for this IP
new_sub_table = {}
hits = 0
for i,v in ipairs(scanner_table[srcip]) do
if v > last_time - SECONDS then
table.insert(new_sub_table, v)
hits = hits + 1
end
end
-- Every CLEANUP seconds, we should iterate over all IP addresses to perform cleanup and remove outdated entries
if last_cleanup == nil or last_cleanup + CLEANUP < last_time then
if last_cleanup ~= nil then
cleanup()
end
last_cleanup = last_time
else
-- Even if CLEANUP has not yet been exceeded, we can easily clean up the currently investigated IP sequence
scanner_table[srcip] = new_sub_table
end
-- Return a positive match if COUNT observations are made within SECONDS seconds
if hits >= COUNT then
return 1
end
-- Return a negative match otherwise
return 0
end