[Bro] Bro scripts

Seth Hall seth at icir.org
Thu Oct 28 20:23:03 PDT 2010

On Oct 28, 2010, at 9:48 PM, Martin Holste wrote:

> That's pretty cool!  I do have one suggestion, though:  Instead of
> tracking by IP, how about one cookie per user agent?  That will help
> catch the side jacking when used under a NAT.

Good point!  Changing the tracking global from...

global cookies: table[string] of set[addr]
global cookies: table[string] of set[addr, string]

and then storing the user-agent in the last string would take care of that.

I think your point about NAT gets to a more general point of what techniques could we use to detect NAT?  I know that there are a lot of little indicators of addresses that are doing NAT, but I think it could be really worthwhile to organize them all and then write a script to implement all of them so that we can get reliable NAT detection with Bro.  I can start with a few thoughts.

* Multiple web browser user-agents at a single address
    - Must match some regex for a "real" browser so that weird applications throwing junk in the user-agent don't trigger this.
    - Must be closely together in time.

Over the past several years I've had a lot of ideas for detecting NATs, but they have all completely escaped me.  Anyone else have thoughts to add to this?


More information about the Bro mailing list