policy for IMAP signatures

Nimit Sawhney nimits at cmu.edu
Thu Nov 13 15:46:53 PST 2003

> Robin Sommer wrote:
> As written this signature will match for a given connection if (1)
> signature sid-1930 matches for the same connection, and if (2) the
> function "has_imapauthoverflow_been_attempted" evaluates to true.
> The latter happens if the same signature sid-1930 has already
> matched for any connection between the originator and the
> responder. I guess this is not what you had intended, is it?

You are right. Simply speaking, I would like to do this:
When an IMAP signature-A is detected, I would like to trigger
an external program/function-B which performs some defensive
measures (like updating the router to block any more requests
from the offending client IP). It looks now that the 'eval'
function is not the right place to do something like this. I
guess I need to define an event handler instead?

> With respect to tcp-state: Actually, this is currently ignored. The
> code is implemented, but it turned out that using it made it even
> more difficult to compare Bro's matches with those from Snort (which
> isn't a problem of Bro as its TCP state decoding is actually quite
> sophisticated). Eventually, we will change this.

Thanks for the update on the tcp-state stuff.


More information about the Bro mailing list