
simple pattern question: msg#00013

security.detection.bro

Subject: simple pattern question


I'm a Bro newbie, so please forgive me if this is a trivial question. I'm
experimenting with the signature module and did the following simple test,
using the file "ntp-attack.trace" in the example-attacks directory of the
bro-pub-0.8a86 release. I used this signature file:

_________________________

signature testsig {
    payload /version/
    event "signature_match"
}

_________________________

The word "version" occurs several times in the payloads in this file, as can be
seen using tcpdump -X.

This is the policy file I used (simplified from signatures.bro in the policy
directory).

_________________________

global sig_file = open_log_file("signatures");

event signature_match(state: signature_state, msg: string, data: string)
{
    local id = state$id;
    local esc = escape_string(data);

    # Keep the logged payload excerpt short: first 20 bytes plus "..."
    if ( byte_len(esc) > 20 )
        esc = fmt("%s...", sub_bytes(esc, 0, 20));

    # One line per match in the "signatures" log: time, orig/resp endpoints,
    # direction of the matching data, signature id, message, excerpt, full data
    print sig_file, fmt("SIGFILE %f %s/%d %s %s/%d %s %s [%s] %s",
        network_time(),
        state$conn$id$orig_h, state$conn$id$orig_p, state$is_orig ? ">" : "<",
        state$conn$id$resp_h, state$conn$id$resp_p, state$id, msg, esc, data);
    # Also echo the match to stdout
    print fmt("SIGH %f %s [%s] %s", network_time(), msg, esc, data);
}

_________________________


When I run Bro with these files (and with no other policy files), there appear
to be no matches. If instead I match on the dst-ip, i.e. using this
signature file
_________________________

signature testsig {
    dst-ip == 128.3.9.239
    event "signature_match"
}

_________________________

I get the desired result (the correct connections are caught). Is something
else required for the pattern feature?
Thanks,
Terry Barker
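To make the semantics of the two signature files above concrete, here is an added Python model (not Bro code, not part of this thread) of what a Bro signature expresses: every condition in a signature must hold, header conditions such as dst-ip are checked against the packet's destination, and a payload condition is a regular expression searched over the packet data. It also reproduces the escape-and-truncate step from the policy file so the emitted lines look like the SIGFILE records. The packets, addresses other than 128.3.9.239, port numbers and the timestamp are constructed sample data, and the Packet/Signature classes are assumptions of this model, not Bro types.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed stand-in for a packet plus its connection 4-tuple (not a Bro type)
@dataclass
class Packet:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    is_orig: bool      # True if sent by the originator of the connection
    payload: bytes

# Constructed stand-in for a signature: all set conditions must hold (AND)
@dataclass
class Signature:
    id: str
    payload: Optional[re.Pattern] = None          # like "payload /.../"
    dst_ip: Optional[ipaddress.IPv4Address] = None  # like "dst-ip == a.b.c.d"

def escape_string(data: bytes) -> str:
    """Printable ASCII passes through; everything else becomes \\xNN."""
    out = []
    for b in data:
        if 32 <= b < 127 and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)

def truncate(esc: str, limit: int = 20) -> str:
    """Same excerpt rule as the policy file: first 20 chars plus '...'."""
    return esc if len(esc) <= limit else esc[:limit] + "..."

def matches(sig: Signature, pkt: Packet) -> bool:
    # dst-ip is a per-packet header condition: the destination of this packet
    # is the responder for originator packets and the originator for replies.
    if sig.dst_ip is not None:
        dst = pkt.resp_h if pkt.is_orig else pkt.orig_h
        if ipaddress.ip_address(dst) != sig.dst_ip:
            return False
    # payload is a regex search over the packet's data
    if sig.payload is not None and not sig.payload.search(pkt.payload):
        return False
    return True

def scan(sigs: List[Signature], packets: List[Packet],
         network_time: float = 1020000000.0) -> List[Tuple[str, str]]:
    """Return (signature id, SIGFILE-style line) for every match."""
    hits = []
    for pkt in packets:
        for sig in sigs:
            if matches(sig, pkt):
                esc = truncate(escape_string(pkt.payload))
                direction = ">" if pkt.is_orig else "<"
                line = "SIGFILE %f %s/%d %s %s/%d %s [%s]" % (
                    network_time, pkt.orig_h, pkt.orig_p, direction,
                    pkt.resp_h, pkt.resp_p, sig.id, esc)
                hits.append((sig.id, line))
    return hits

# Constructed sample traffic: two NTP-like exchanges, "version" in three payloads
PACKETS = [
    Packet("10.0.0.5", 123, "128.3.9.239", 123, True,
           b"\x17\x00\x03\x2a\x00\x00\x00\x00version"),
    Packet("10.0.0.5", 123, "128.3.9.239", 123, True,
           b"\x17\x00\x03\x2a\x00\x00\x00\x00"),
    Packet("10.0.0.5", 123, "128.3.9.239", 123, False,
           b"xntpd 3-5.93 version ok"),
    Packet("10.0.0.5", 123, "192.0.2.10", 123, True,
           b"version request"),
]

PAYLOAD_SIG = Signature("testsig", payload=re.compile(rb"version"))
DSTIP_SIG = Signature("testsig", dst_ip=ipaddress.ip_address("128.3.9.239"))
BOTH_SIG = Signature("testsig", payload=re.compile(rb"version"),
                     dst_ip=ipaddress.ip_address("128.3.9.239"))

if __name__ == "__main__":
    for sig in (PAYLOAD_SIG, DSTIP_SIG, BOTH_SIG):
        for _, line in scan([sig], PACKETS):
            print(line)
```

Running the three signatures over the constructed packets gives three payload matches, two dst-ip matches and one match for the combined signature, which is the AND semantics a Bro signature with several conditions has.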