[Bro] setting a connection "service" in a signature
seth at icir.org
Thu Aug 23 07:38:59 PDT 2012
On Aug 23, 2012, at 10:25 AM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:
> I copy-pasted from ssl-worm.bro in securityonion which BTW has comments like:
> "# FIXME: Bro segfaults without the tmp variable"
> which made me try and use a tmp variable as well.
Ah, securityonion has a problem right now because they had installed 1.5 and it wasn't installed as a package so they couldn't delete the older scripts. 2.0 was installed as a package over top of it. ssl-worm.bro is an older script that shouldn't even be there.
> After adding the ",data: string" and reverting to add
> state$conn$service, it seems not to crash, so it's probably what
> the problem was.
Yep, apparently we need to have that as a syntax error if a signature eval function doesn't have the proper syntax. Robin, Jon, any idea if that would be possible?
> I can't see any mention of "load-sigs" in the source. Are you
> sure it's not in a newer version.
Hah, oops. Sorry about that. It was added long enough ago that I thought it was in 2.0; apparently it's going to be in 2.1 though. It will work *very* soon. :)
> I enquired about that on the list a few days ago, as I wasn't
> able to find it. Someone kindly sent me a version that was
> designed for an older version of bro, and goes far beyond what I
> need (identify those port 443 connections).
Sorry about not responding to that. I was meaning to get back to it but I obviously didn't. I'm actually glad everything worked out like it did though and you wrote your new script.
International Computer Science Institute
(Bro) because everyone has a network
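For reference, here is what the fix discussed above looks like in full: a small Bro 2.0 signature that tags port 443 connections by setting the connection's service field from a signature eval function. This is an added example, not code from the thread or from ssl-worm.bro; the signature name, file name and the "ssl" label are my own choices.

```bro
# port443.sig (constructed for this example)
#
# signature port443-tls {
#     ip-proto == tcp
#     dst-port == 443
#     payload /^\x16\x03/        # TLS handshake record, SSL 3.x / TLS 1.x
#     eval mark_ssl_service
# }

# port443.bro (constructed for this example)
#
# Bro 2.0 has no @load-sigs yet (it arrives in 2.1), so register the
# signature file with redef instead.
redef signature_files += "port443.sig";

# The eval function must take BOTH parameters in 2.0:
#   (state: signature_state, data: string): bool
# The 1.5-era single-parameter form is what the thread reports as crashing.
function mark_ssl_service(state: signature_state, data: string): bool
	{
	# state$conn is the matching connection; service is a set[string],
	# so use `add` rather than assignment.
	add state$conn$service["ssl"];

	# Returning T tells the signature engine the match stands.
	return T;
	}
```

Once the service is set, conn.log shows "ssl" in its service column for those connections, which is all that is needed to pick them out later.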