[Bro] couple of questions
jbabbin at comcast.net
Thu Mar 23 19:47:57 PST 2006
I had another question that should hopefully be simple.
1) In the DNS policy file there is an event for "dns_EDNS_addl". What part of the packet is this field in a DNS connection, and where does the "pldsize" value come from? Is there a way to break out the data from this field?
2) When a DNS record has "DNS_SEC_OK", where does that come from in the packet connection?
-------------- Original message ----------------------
From: Christian Kreibich <christian at whoop.org>
> Hi Jake,
> On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> > List,
> > I have a couple of questions that I can't seem to figure out.
> > 1) Brian - Thanks for the SSL patch
> > Once enabled I don't see any way of filtering out hosts from the
> > non-ssl traffic alarm. For example, I have several custom applications
> > that use that port for their traffic...don't ask...so I need to be
> > able to filter them out of the alarms like below.
> > "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> > SSL: Skipping connection (not an SSL connection?!)!"
> > The problem seems to be that the detection of non-ssl traffic is done
> > in the source SSLProxy engine and I don't really want to be
> > recompiling every time I need to add another host. Ideas?
> have a look at weird_ignore_host set, defined in weird.bro. It allows
> you to filter weird-type events based on the event string and source/
> destination IP addresses.
> Depending on your analysis needs, you could also exclude the custom
> traffic via the pcap filtering expression, though I'd imagine that
> quickly gets tedious.
> > 2) Is it possible in a policy file to perform a size comparison on a
> > string?
> > For example, if you wanted to see if a filename was longer than a
> > certain length. How would you sizeof a string value?
> Sure. It depends on what version of Bro you're using. In the development
> releases, there's now a magnitude operator |x| that, when given a value,
> returns its length, size, or whatever is most meaningful as magnitude
> (vector length, table size, string length, etc). In older releases (0.9
> and before), the byte_len() function returned a string's length.
> Bro mailing list
> bro at bro-ids.org
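The two suggestions from the quoted reply, as one added policy snippet (not code from the thread or from the Bro distribution). It assumes weird_ignore_host is declared in weird.bro as set[addr, string] keyed by host address and weird name, and that the weird name equals the message text shown in the alarm line above; the addresses are constructed.

```bro
# Added example, not part of the thread. Assumes weird_ignore_host is
# declared in weird.bro as set[addr, string] (address, weird-event name).
@load weird

# Hosts running the custom application on the https port (constructed
# TEST-NET addresses). The weird string is assumed to match the alarm text.
redef weird_ignore_host += {
	[192.0.2.10, "SSL: Skipping connection (not an SSL connection?!)!"],
	[192.0.2.11, "SSL: Skipping connection (not an SSL connection?!)!"],
};

# Length check with the magnitude operator from the development releases;
# on 0.9 and earlier, use byte_len(name) in place of |name|.
const max_filename_len = 64;

function filename_too_long(name: string): bool
	{
	return |name| > max_filename_len;
	}
```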