[Bro] setting a connection "service" in a signature

Stephane Chazelas stephane.chazelas at gmail.com
Wed Aug 22 13:44:24 PDT 2012


I thought I'd share a way to mark the fake HTTPS connections
done by skype as such in conn.log. We've been seeing connections
to various IP addresses around the world sending hundreds of
megabytes of data and wanted to make sure it wasn't any
information leak. Most of the time, it is skype traffic but we
wanted a way to automatically determine it was the case.

Here is a simple way. It just uses the "service" flag of a bro
"connection" to mark the fact it is skype traffic.

It detects skype traffic by looking at the fake SSL
"ServerHello" that skype responders send (basically, they send
a fixed "random data" with a date in 2004 where a normal SSL
server would send the current date and truly random data; I
suspect it is designed that way to help recognise skype traffic).

I've got in my local.bro:

# Called by the signature engine on a match; tags the connection's
# "service" set so the label shows up in conn.log.
function mark_conn_as_skype(state: signature_state): bool
        {
        add state$conn$service["skype"];
        return T;
        }
redef signature_files += "skype-detect.sig";

(change to "return F" to avoid the alarm in notice.log)

And in skype-detect.sig

signature skype_fake_https {
  ip-proto == tcp
  # Only match on the responder side of an established connection.
  tcp-state established,responder
  event "Skype fake HTTPS connection"
  src-port == 443
  # TLS handshake record (0x16), TLS 1.0, ServerHello (0x02), followed by
  # the fixed 32-byte "random" skype responders always send.
  payload /\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01\x40\x1b\xe4\x86\x02\xad\xe0\x29\xe1\x77\x74\xe5\x44\xb9\xc9\x9c\xb4\x31\x31\x5e\x02\xdd\x77\x9d\x15\x4a\x96\x09\xba\x5d\xa8\x70/
  eval mark_conn_as_skype
}

Then you'll see "skype" in the "service" column for those
connections and need to worry less when you see 200MB of data being
sent to Ukraine or any country you usually don't do business with.
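As an added example (not part of the original post or of Bro itself), here is a small Python parser that shows why the signature above works: it decodes the start of a TLS ServerHello, pulls out the 32-byte random, reads the gmt_unix_time field in its first four bytes, and labels the connection "skype" when the random equals the constant in the signature. The constant bytes are copied from the payload regex in the post; the "normal" ServerHello sample is constructed for illustration, and the function names are my own.

```python
import struct
from datetime import datetime, timezone

# The fixed "random" that skype responders send, copied from the bytes after
# the record and handshake headers in the skype-detect.sig payload regex.
SKYPE_FAKE_RANDOM = bytes.fromhex(
    "401be48602ade029e17774e544b9c99cb431315e02dd779d154a9609ba5da870"
)

# Record header (handshake, TLS 1.0, 74 bytes) + handshake header (ServerHello,
# 70 bytes) + hello version, exactly as in the signature.
_HELLO_PREFIX = bytes.fromhex("160301004a02000046" "0301")

# Sample 1: the skype fake ServerHello, rebuilt from the signature bytes.
SKYPE_SAMPLE = _HELLO_PREFIX + SKYPE_FAKE_RANDOM

# Sample 2 (constructed): what an ordinary server sent in August 2012 would
# look like: current gmt_unix_time followed by 28 arbitrary bytes.
NORMAL_SAMPLE = _HELLO_PREFIX + struct.pack("!I", 1345675464) + bytes(range(28))


def parse_server_hello(payload: bytes):
    """Decode the leading fields of a TLS record carrying a ServerHello.

    Returns a dict with the record/handshake fields, the 32-byte random and the
    year encoded in its gmt_unix_time, or None if the bytes are not a ServerHello.
    """
    # 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
    if len(payload) < 5 + 4 + 2 + 32:
        return None
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16:  # 0x16 = handshake record
        return None
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != 0x02:  # 0x02 = ServerHello
        return None
    hello_version = (payload[9], payload[10])
    random = payload[11:43]
    # RFC 2246: the first 4 bytes of the random are gmt_unix_time (seconds since epoch).
    gmt_unix_time = struct.unpack("!I", random[:4])[0]
    return {
        "record_version": (rec_major, rec_minor),
        "record_len": rec_len,
        "handshake_len": hs_len,
        "hello_version": hello_version,
        "random": random,
        "gmt_unix_time": gmt_unix_time,
        "gmt_year": datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc).year,
    }


def classify_service(payload: bytes) -> str:
    """Mimic the conn.log "service" label: 'skype' for the fake hello,
    'ssl' for any other ServerHello, '' when it is not a ServerHello at all."""
    hello = parse_server_hello(payload)
    if hello is None:
        return ""
    if hello["random"] == SKYPE_FAKE_RANDOM:
        return "skype"
    return "ssl"


if __name__ == "__main__":
    for name, sample in (("skype", SKYPE_SAMPLE), ("normal", NORMAL_SAMPLE)):
        hello = parse_server_hello(sample)
        print(name, "-> service:", classify_service(sample),
              "gmt_unix_time year:", hello["gmt_year"])
```

Running it shows the skype random decoding to a gmt_unix_time in 2004 while the constructed ordinary hello decodes to 2012, which is the tell the post describes; matching the whole 32-byte random rather than just the year keeps the check as tight as the signature itself.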
