[Bro] setting a connection "service" in a signature

Stephane Chazelas stephane.chazelas at gmail.com
Wed Aug 22 13:44:24 PDT 2012


Hiya,

I thought I'd share a way to mark the fake HTTPS connections
done by skype as such in conn.log. We've been seeing connections
to various IP addresses around the world sending hundreds of
megabytes of data and wanted to make sure it wasn't any
information leak. Most of the time, it is skype traffic but we
wanted a way to automatically determine it was the case.

Here is a simple way. It just uses the "service" flag of a bro
"connection" to mark the fact it is skype traffic.

It detects skype traffic by looking at the fake SSL
"ServerHello" that skype responders send. (basically, they send
a fixed "random data" with a date in 2004 where a normal SSL
server would send the current date and a truly random data, I
suspect it is designed that way to help recognise skype traffic
easily).

I've got in my local.bro:

function mark_conn_as_skype(state: signature_state): bool
        {
        add state$conn$service["skype"];
        return T;
        }
redef signature_files += "skype-detect.sig";

(change to "return F" to avoid the alarm in notice.log)

And in skype-detect.sig

signature skype_fake_https {
  ip-proto == tcp
  tcp-state established,responder
  event "Skype fake HTTPS connection"
  src-port == 443
  payload /\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01\x40\x1b\xe4\x86\x02\xad\xe0\x29\xe1\x77\x74\xe5\x44\xb9\xc9\x9c\xb4\x31\x31\x5e\x02\xdd\x77\x9d\x15\x4a\x96\x09\xba\x5d\xa8\x70/
  eval mark_conn_as_skype
}

Then you'll see "skype" in the "service" column for those
connections and need worry less when you see 200MB of data being
sent to Ukraine or any country you usually don't do business
with.

-- 
Stephane




More information about the Bro mailing list