[Bro] setting a connection "service" in a signature

Seth Hall seth at icir.org
Thu Aug 23 07:38:59 PDT 2012

On Aug 23, 2012, at 10:25 AM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:

> I copy-pasted from ssl-worm.bro in securityonion which BTW has comments like:
>        "# FIXME: Bro segfaults without the tmp variable"
> which made me try and use a tmp variable as well.

Ah, securityonion has a problem right now because they had installed 1.5 and it wasn't installed as a package so they couldn't delete the older scripts.  2.0 was installed as a package over top of it.  ssl-worm.bro is an older script that shouldn't even be there.

> After adding the ",data: string" and reverting to add
> state$conn$service, it seems not to crash, so it's probably what
> the problem was.

Yep, apparently we need to have that as a syntax error if a signature eval function doesn't have the proper syntax.  Robin, Jon, any idea if that would be possible?

> I can't see any mention of "load-sigs" in the source. Are you
> sure it's not in a newer version?

Hah, oops.  Sorry about that.  It was added long enough ago that I thought it was in 2.0; apparently it's going to be in 2.1 though.  It will work *very* soon. :)

> I enquired about that on the list a few days ago, as I wasn't
> able to find it. Someone kindly sent me a version that was
> designed for an older version of bro, and goes far beyond what I
> need (identify those port 443 connections).

Sorry about not responding to that.  I was meaning to get back to it but I obviously didn't.  I'm actually glad everything worked out like it did though and you wrote your new script.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
