<div dir="ltr"><div><div><div>Yeah, I&#39;ve mainly seen it used for shellshock. On top of that, I saw some scripts in GitHub that used it from:<br><br>- Michal: <a href="https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro">https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro</a><br></div><div>- Matthias: <a href="https://github.com/bro/bro-scripts/blob/master/roam.bro">https://github.com/bro/bro-scripts/blob/master/roam.bro</a><br></div><div>- Grant Stavely: <a href="https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro">https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro</a><br></div><div>- Anthony: <a href="https://github.com/anthonykasza/users/blob/master/users.bro">https://github.com/anthonykasza/users/blob/master/users.bro</a><br></div><div><br></div><div>(There were a few others, like IVRE, but they&#39;ve already updated).<br></div><div><br></div>Even if it&#39;s not widely used, I think it&#39;d be a nicer user experience if we were to ship a script that handled dhcp_message, and raised the old events. We could mark the old events as deprecated, and remove them in the next version. That way, people have at least one cycle to upgrade.<br><br></div>Hopefully, as we see more published Bro packages, we have a better idea of which events are/aren&#39;t being used.<br><br></div>  --Vlad<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <span dir="ltr">&lt;<a href="mailto:jazoff@illinois.edu" target="_blank">jazoff@illinois.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">&gt; On Jun 15, 2018, at 5:18 PM, Seth Hall &lt;<a href="mailto:seth@corelight.com">seth@corelight.com</a>&gt; wrote:<br>
&gt; <br>
&gt;  On the <br>
&gt; upside, you can handle both the old events and the new and they <br>
&gt; shouldn&#39;t impact each other (if you want to make a script work on <br>
&gt; multiple releases).<br>
<br>
</span>I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro<br>
<br>
The fix is a little trickier: you can&#39;t handle both events because the DHCP::Msg type no longer exists, and you need to wrap the old event with<br>
<br>
@ifdef (DHCP::Msg)<br>
@endif<br>
<br>
So for that script I ended up with<br>
<br>
@ifdef (DHCP::Msg)<br>
# Bro 2.6+: DHCP::Msg exists, so handle the new dhcp_message event.<br>
# Assumes the enclosing script defines the shellshock pattern and the<br>
# Bash::DHCP_hostname_Attack notice type.<br>
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)<br>
{<br>
        # host_name is &amp;optional in DHCP::Options, so check that it is set first<br>
        if ( options?$host_name &amp;&amp; shellshock in options$host_name )<br>
                NOTICE([$note=Bash::DHCP_hostname_Attack,<br>
                        $conn=c,<br>
                        $msg=fmt(&quot;%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \&quot;hostname\&quot;=\&quot;%s\&quot;&quot;, c$id$orig_h, c$id$resp_h, options$host_name),<br>
                        $identifier=c$uid]);<br>
}<br>
@else<br>
# Pre-2.6: fall back to the old dhcp_offer event, which passes host_name directly.<br>
event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)<br>
{<br>
        if ( shellshock in host_name )<br>
                NOTICE([$note=Bash::DHCP_hostname_Attack,<br>
                        $conn=c,<br>
                        $msg=fmt(&quot;%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \&quot;hostname\&quot;=\&quot;%s\&quot;&quot;, c$id$orig_h, c$id$resp_h, host_name),<br>
                        $identifier=c$uid]);<br>
}<br>
@endif<br>
<br>
<br>
<br>
— <br>
<span class="HOEnZb"><font color="#888888">Justin Azoff<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
bro-dev mailing list<br>
<a href="mailto:bro-dev@bro.org">bro-dev@bro.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev" rel="noreferrer" target="_blank">http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev</a><br>
</div></div></blockquote></div><br></div>
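The compatibility shim Vlad proposes above, as an added example that is not part of the thread or of Bro itself: on Bro 2.6 (where DHCP::Msg exists) it handles dhcp_message and re-raises the pre-2.6 dhcp_offer event so legacy handlers keep working for one release cycle. Assumed: the pre-2.6 dhcp_msg and dhcp_router_list types are re-declared here under their old names, only DHCPOFFER is mapped, and the file is @load'ed before any script that handles dhcp_offer, since Bro resolves types and event signatures at parse time.

```bro
# Added example (not from the thread or from Bro): a shim in the spirit of
# Vlad's proposal. Assumes the pre-2.6 dhcp_msg/dhcp_router_list types are
# re-declared here, and that this file is loaded before any dhcp_offer handler.
@ifdef (DHCP::Msg)
module GLOBAL;
# Pre-2.6 record type, re-declared so legacy handlers still type-check.
type dhcp_msg: record {
	op: count;       # 1 = BOOTREQUEST, 2 = BOOTREPLY
	m_type: count;   # DHCP message type (option 53)
	xid: count;      # transaction id
	h_addr: string;  # client hardware address
	c_addr: addr;    # client address
	y_addr: addr;    # "your" (assigned) address
	s_addr: addr;    # next server address
	g_addr: addr;    # relay agent address
};
type dhcp_router_list: table[count] of addr;

# Legacy event signature, copied from the dhcp_offer handler in the thread.
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr,
                         router: dhcp_router_list, lease: interval,
                         serv_addr: addr, host_name: string);

# Map the 2.6 DHCP::Msg fields onto the old record layout.
function to_legacy_msg(msg: DHCP::Msg): dhcp_msg
	{
	return dhcp_msg($op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
	                $h_addr=msg$chaddr, $c_addr=msg$ciaddr, $y_addr=msg$yiaddr,
	                $s_addr=msg$siaddr, $g_addr=msg$giaddr);
	}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# Only DHCPOFFER (message type 2) maps onto the legacy event shown here.
	if ( msg$m_type != 2 )
		return;
	# Old handlers expect a table of routers; 2.6 hands us a vector.
	local routers: dhcp_router_list = table();
	if ( options?$routers )
		for ( i in options$routers )
			routers[i] = options$routers[i];
	# Every DHCP option is &optional in 2.6; fall back to neutral values.
	event dhcp_offer(c, to_legacy_msg(msg),
	                 options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
	                 routers,
	                 options?$lease ? options$lease : 0 secs,
	                 options?$serv_addr ? options$serv_addr : 0.0.0.0,
	                 options?$host_name ? options$host_name : "");
	}
@endif
```

On a pre-2.6 Bro the whole file is skipped by the @ifdef, so the same shim can ship in a package that targets both release lines.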