[Bro] Bro scripts
seth at icir.org
Thu Oct 28 20:23:03 PDT 2010
On Oct 28, 2010, at 9:48 PM, Martin Holste wrote:
> That's pretty cool! I do have one suggestion, though: Instead of
> tracking by IP, how about one cookie per user agent? That will help
> catch the side jacking when used under a NAT.
Good point! Changing the tracking global from...
global cookies: table[string] of set[addr]
global cookies: table[string] of set[addr, string]
and then storing the user-agent in the last string would take care of that.
I think your point about NAT gets to a more general point of what techniques could we use to detect NAT? I know that there are a lot of little indicators of addresses that are doing NAT, but I think it could be really worthwhile to organize them all and then write a script to implement all of them so that we can get reliable NAT detection with Bro. I can start with a few thoughts.
* Multiple web browser user-agents at a single address
- Must match some regex for a "real" browser so that weird applications throwing junk in the user-agent don't trigger this.
- Must be closely together in time.
Over the past several years I've had a lot of ideas for detecting NATs, but they have all completely escaped me. Anyone else have thoughts to add to this?
More information about the Bro