Recategorized syn/ack to DoS + Backscatter

3e8b7bc5 · Pavel Kácha · 7773bdde · 3e8b7bc5
Commit 3e8b7bc5 authored 7 years ago by Pavel Kácha
--- a/warden3/contrib/connectors/hp-labrea/labrea-idea.py
+++ b/warden3/contrib/connectors/hp-labrea/labrea-idea.py
@@ -265,10 +265,12 @@ class IdeaGen(object):
                "note": "Ping requests from remote host to never assigned IP"
            },
            "synack": {
-                "category": ["Recon.Scanning"],
+                "category": ["Availability.DoS"],
                "description": "SYN/ACK connections/scan",
                "template": "labrea-003",
-                "note": "Unsolicited SYN/ACK packet received from remote host to never assigned IP"
+                "note": "Unsolicited SYN/ACK packet received from remote host to never assigned IP",
+                "source_type": ["Backscatter"],
+                "source_to_target": True
            }
        }

@@ -281,6 +283,8 @@ class IdeaGen(object):
            "IP6" if ":" in src else "IP4": [src],
            "Proto": ["tcp"]
        }
+        if "source_type" in tmpl:
+            isource["Type"] = tmpl["source_type"]
        if src_ports:
            isource["Port"] = [int(port) for port in src_ports]
        # Fold multiple IPs with the same portset
@@ -317,10 +321,13 @@ class IdeaGen(object):
            "_CESNET": {
                "EventTemplate": tmpl["template"],
            },
-            "Source": [isource],
            "Target": itargets,
            "Node": [inode]
        }
+        if tmpl.get("source_to_target", False):
+            idea["Target"].append(isource)
+        else:
+            idea["Source"] = [isource]
        return idea