osdir.com
mailing list archive

Subject: simple pattern question - msg#00013

List: security.detection.bro


I'm a Bro newbie, so please forgive me if this is a trivial question. I'm
experimenting with the signature module and did the following simple test,
using the file "ntp-attack.trace" in the example-attacks directory of the
bro-pub-0.8a86 release. I used this signature file:

_________________________
signature testsig {
    payload /version/
    event "signature_match"
}
_________________________

The word "version" occurs several times in the payloads in this file, as can be
seen using tcpdump -X.

This is the policy file I used (simplified from signatures.bro in the policy
directory).

_________________________

global sig_file = open_log_file("signatures");

event signature_match(state: signature_state, msg: string, data: string)
    {
    local id = state$id;
    local esc = escape_string(data);

    if ( byte_len(esc) > 20 )
        esc = fmt("%s...", sub_bytes(esc, 0, 20));

    print sig_file, fmt("SIGFILE %f %s/%d %s %s/%d %s %s [%s] %s",
        network_time(),
        state$conn$id$orig_h, state$conn$id$orig_p, state$is_orig ? ">" : "<",
        state$conn$id$resp_h, state$conn$id$resp_p, state$id, msg, esc, data);
    print fmt("SIGH %f %s [%s] %s", network_time(), msg, esc, data);
    }

_________________________


When I run Bro with these files (and with no other policy files), there appear
to be no matches. If instead I match on the dst-ip, i.e. using this
signature file:
_________________________
signature testsig {
    dst-ip == 128.3.9.239
    event "signature_match"
}
_________________________

I get the desired result (the correct connections are caught). Is something
else required for the pattern feature?
Thanks,
Terry Barker

Thread at a glance:

Previous Message by Date:

new Bro releases

New CURRENT (0.9a3) and STABLE (0.8a87) releases are now available from:

ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz

The most significant changes are to ICMP processing, including ICMP scan detection. The STABLE release fixes a bug:

> - Fixed broken VLAN support (integration of original patch was incomplete).

per the appended patch.

Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0.9a3 Wed Jul 7 22:06:26 PDT 2004

- Improved ICMP processing, including scan detection (Scott Campbell).
- ICMP "connections" are now considered unidirectional.
- Fixed broken VLAN support (integration of original patch was incomplete).
- Fixed a bug in erroneously generating additional "ContentGap" alerts after an initial one.
- Connection durations are now always reported as floating-point decimal, never in exponential notation.
- Removed unused time parameter from a bunch of internal calls.
- Fixed some compilation warnings.
- "make clean" now removes generated policy/*.bif.bro files (Christian Kreibich).

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

diff -ru bro-pub-0.8a86/CHANGES bro-pub-0.8a87/CHANGES --- bro-pub-0.8a86/CHANGES Fri Jun 11 01:01:53 2004 +++ bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004 @@ -1,6 +1,11 @@ -@(#) $Id: CHANGES,v 1.2 2004/06/06 17:42:53 vern Exp $ (LBL) +@(#) $Id: CHANGES,v 1.1 2004/07/11 17:25:57 vern Exp vern $ (LBL) -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +0.8a87 Sun Jul 11 10:26:35 PDT 2004 + +- Fixed broken VLAN support (integration of original patch was incomplete). 0.8a86 Fri Jun 11 01:01:49 PDT 2004 diff -ru bro-pub-0.8a86/Net.cc bro-pub-0.8a87/Net.cc --- bro-pub-0.8a86/Net.cc Sun Mar 21 09:23:38 2004 +++ bro-pub-0.8a87/Net.cc Sun Jul 11 10:24:48 2004
@@ -1,4 +1,4 @@ -// $Id: Net.cc,v 1.52 2004/03/21 17:23:25 vern Exp $ +// $Id: Net.cc,v 1.1 2004/07/11 17:24:11 vern Exp vern $ // // Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002 // The Regents of the University of California. All rights reserved. @@ -271,6 +271,30 @@ current_pktsrc = soonest_ps; pkt = soonest_ps->NextPacket(hdr); hdr_size = soonest_ps->HdrSize(); + + if ( encap_hdr_size > 0 ) + { + // We're doing tunnel encapsulation. Check whether there's + // a particular associated port. + if ( tunnel_port > 0 ) + { + struct ip* ip_hdr = (struct ip*) (pkt + hdr_size); + if ( ip_hdr->ip_p == IPPROTO_UDP ) + { + struct udphdr* udp_hdr = (struct udphdr*) + (pkt + hdr_size + ip_hdr->ip_hl * 4); + + if ( ntohs(udp_hdr->uh_dport) == tunnel_port ) + // A match. + hdr_size += encap_hdr_size; + } + } + + else + // Blanket encapsulation. + hdr_size += encap_hdr_size; + } + ts = soonest; if ( ! pkt ) diff -ru bro-pub-0.8a86/VERSION bro-pub-0.8a87/VERSION --- bro-pub-0.8a86/VERSION Fri Jun 11 00:58:49 2004 +++ bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004 @@ -1 +1 @@ -0.8a86 +0.8a87
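Review bot: in the Net.cc hunk (`@@ -271,6 +271,30 @@`) the new tunnel-port branch casts `pkt + hdr_size` to `struct ip*` and then `pkt + hdr_size + ip_hdr->ip_hl * 4` to `struct udphdr*` without checking that the captured packet actually contains a full IP header and UDP header, so a truncated or deliberately short packet lets `ip_hdr->ip_p` and `udp_hdr->uh_dport` read past the end of the packet buffer. Before the casts, compare the captured length (the pcap header `hdr` passed to `NextPacket(hdr)` carries it) against `hdr_size + sizeof(struct ip)` and then against `hdr_size + ip_hdr->ip_hl * 4 + sizeof(struct udphdr)`, and reject `ip_hl < 5`, since a malformed header length would otherwise point the UDP header inside the IP header. The `IPPROTO_UDP` test also assumes an IPv4 header; checking `ip_hdr->ip_v == 4` first would make that explicit. Finally, both the matched-port path and the blanket `else` path add `encap_hdr_size` to `hdr_size` without verifying that the packet is at least that long, so the same length check should cover the encapsulation header as well.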

Next Message by Date:

Re: Question about Val serialization

On Fri, Jul 09, 2004 at 11:34 -0700, you wrote:

> My question is, why is it necessary to send the full type details along
> with the val, and not just an identifier of the type? It seems to me

There are two main reasons:

- there isn't any direct association between types and identifiers; while for a given id you can see whether it's a type, it doesn't work the other way round: a type does not need to have a name (and even if it has, it may be hard to get access to it).

- the value serialization is part of the larger picture which is serializing a full Bro configuration. In this context a certain type does not need to be known on the receiving side.

> So, is there any chance that sending the type along will be optional in
> the new serialization protocol?

Actually, I've now completely removed the possibility to send a value w/o a type (as you have seen in the old code it was possible given that the receiving side could deduce the type somehow). Given the caching this works pretty well and makes things considerably cleaner.

On the other hand, I can very well imagine a format in which, alternatively, a type can be specified by a string (e.g. one that would then be looked up in the global ID space). Bro would probably not send something like this itself but receiving it from Broccoli should be easy.

So, the answer is yes. I'll add it.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer@xxxxxxxxx


Next Message by Thread:

Re: simple pattern question

On Mon, Jul 12, 2004 at 13:18 -0400, you wrote:

> payload /version/

Try using /.*version/. The regexp is matched starting with the first byte of the payload.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer@xxxxxxxxx
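To see why the first signature in this thread fires on nothing while /.*version/ does, here is a small Python model of the signature format used above, added for illustration; it is not Bro's own signature engine. It assumes, as Robin states, that the payload regexp is anchored at the first byte of the payload (modelled with Python's re.match), parses only the `payload` and `dst-ip ==` conditions shown in the thread, and uses a constructed NTP-like payload in which "version" does not appear at offset 0.

```python
import re

# Constructed signature file in the format used in the thread: the two
# payload variants under discussion plus the dst-ip form that did work.
SIG_FILE = """
signature anchored {
    payload /version/
    event "signature_match"
}
signature unanchored {
    payload /.*version/
    event "signature_match"
}
signature by_dst {
    dst-ip == 128.3.9.239
    event "signature_match"
}
"""

def parse_signatures(text):
    """Return {name: {"payload": compiled regexp or None, "dst_ip": str or None}}.
    Only the simple `payload /RE/` and `dst-ip == A.B.C.D` lines are handled."""
    sigs = {}
    for name, body in re.findall(r"signature\s+(\S+)\s*\{([^}]*)\}", text):
        sig = {"payload": None, "dst_ip": None}
        for line in body.strip().splitlines():
            tok = line.split(None, 1)
            if len(tok) < 2:
                continue
            key, val = tok[0], tok[1].strip()
            if key == "payload":
                sig["payload"] = re.compile(val.strip("/"))
            elif key == "dst-ip":
                sig["dst_ip"] = val.split("==", 1)[1].strip()
        sigs[name] = sig
    return sigs

def matches(sigs, dst_ip, payload):
    """Names of the signatures that fire on one packet. re.match anchors the
    regexp at the first payload byte, which is the behaviour Robin describes
    (assumption of this model, not taken from Bro's source)."""
    hits = []
    for name, sig in sigs.items():
        if sig["dst_ip"] is not None and sig["dst_ip"] != dst_ip:
            continue
        if sig["payload"] is not None and not sig["payload"].match(payload):
            continue
        hits.append(name)
    return hits

# Constructed payload: a control-message-like prefix, then the word "version".
NTP_LIKE = '\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00 version="ntpd 4.1"'
```

Running `matches(parse_signatures(SIG_FILE), "128.3.9.239", NTP_LIKE)` yields only `unanchored` and `by_dst`: the anchored `/version/` never matches because the payload does not begin with that word.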