[Bro] Bro scripts
mcholste at gmail.com
Thu Oct 28 21:50:26 PDT 2010
I think that will definitely work for detecting NAT's if you stick to
regexing the variants on the major browsers. As we've all seen, most
browser plugins have their own UA, so you're bound to get many UA's
out of a single computer naturally, but they should not all be for
Internet Explorer, for example. I think scoping to IE, FF, and Webkit
engines would be good enough to be effective.
One other point, once a NAT is detected, would it be possible to
exclude that IP from future detection to save resources? I'm a bit
concerned with memory utilization for all of these state tables.
On Thu, Oct 28, 2010 at 10:23 PM, Seth Hall <seth at icir.org> wrote:
> On Oct 28, 2010, at 9:48 PM, Martin Holste wrote:
>> That's pretty cool! I do have one suggestion, though: Instead of
>> tracking by IP, how about one cookie per user agent? That will help
>> catch the side jacking when used under a NAT.
> Good point! Changing the tracking global from...
> global cookies: table[string] of set[addr]
> global cookies: table[string] of set[addr, string]
> and then storing the user-agent in the last string would take care of that.
> I think your point about NAT gets to a more general point of what techniques could we use to detect NAT? I know that there are a lot of little indicators of addresses that are doing NAT, but I think it could be really worthwhile to organize them all and then write a script to implement all of them so that we can get reliable NAT detection with Bro. I can start with a few thoughts.
> * Multiple web browser user-agents at a single address
> - Must match some regex for a "real" browser so that weird applications throwing junk in the user-agent don't trigger this.
> - Must be closely together in time.
> Over the past several years I've had a lot of ideas for detecting NATs, but they have all completely escaped me. Anyone else have thoughts to add to this?
More information about the Bro