policy for IMAP signatures

Robin Sommer robin at icir.org
Thu Nov 13 15:05:50 PST 2003

On Thu, Nov 13, 2003 at 16:44 -0500, Nimit Sawhney wrote:

> I am attempting to write a policy script for IMAP signatures
> adapted from Snort using 'snort2bro'. Is this the right way
> to write a policy script for the sample signatures below? I

I'm not exactly sure what you would like to achieve. If you just
want to get the same functionality that Snort provides for these
cases, you can just use the converted sid-1930/sid-1902 signatures.
No additional signatures are needed then.

If you want to enhance the Snort signatures, you can write
additional Bro signatures which take some more context into account.
If this is the case, perhaps could describe a little bit more what
you would like to do?

> signature imap_auth_overflow {
>   requires-signature sid-1930
>   eval has_imapauthoverflow_been_attempted
>   event "Host may have been probed for IMAP auth overflow"
>   }

As written this signature will match for a given connection if (1)
signature sid-1930 matches for the same connection, and if (2) the
function "has_imapauthoverflow_been_attempted" evaluates to true.
The latter happens if the same signature sid-1930 has already
matched for any connection between the originator and the 
responder. I guess this is not what you had intended, is it?

With respect to tcp-state: Actually, this is currently ignored. The
code is implemented, but it turned out that using it made it even
more difficult to compare Bro's matches with those from Snort (which
isn't a problem of Bro as its TCP state decoding is actually quite
sophisticated). Eventually, we will change this.


Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Munich    * Phone (089) 289-18006 *  sommer at in.tum.de 

More information about the Bro mailing list