Pattern matching ?
vern at ee.lbl.gov
Mon Jan 8 00:57:26 PST 2001
(Sorry it took me so long to reply - your mail slipped between the cracks
during the holidays)
> It seem to be hard to do pattern-matching in Bro to find out a pattern in
> normal packets (packets that don't init/terminate an event; or aren't in
> part of protocol's command like "STOR xxx" in FTP but in content of file
> xxx). For example, I want to alert any attemp of using command "su" on a
> Telnet session; alert if any file uploaded via FTP that contains pattern of
> a Worm...
For Telnet sessions, this is easy - do the matching in login_input_line
or login_output_line. For files uploaded via FTP, this isn't in general
possible, since Bro relies significantly on filtering to reduce its
processing load, and to capture uploaded files would require processing
nearly the entire traffic stream.
More information about the Bro