[Bro] Help with requires-reverse-signature

Josh Guild josh.guild at morphick.com
Fri Jul 17 07:42:01 PDT 2015


Hi there,

I'm having a little trouble with the requires-reverse-signature condition.
Is this able to call its own <id> as the condition for the parameter,
or does it have to be embedded within a signature that references another
signature?

I'm looking for a keep-alive connection and want the alert to ONLY fire if
it sees the request and response.

What I have so far is:

signature foo {
    #Author: Josh Guild
    #source: Morphick
    #version: 1
    ip-proto == tcp
    payload /byte string/
    # condition keyword is hyphenated: payload-size
    payload-size == number
}

paired with:

signature bar {
    #Author: Josh Guild
    #source: Morphick
    #version: 1
    ip-proto == tcp
    payload /byte string/
    # condition keyword is hyphenated: payload-size
    payload-size == number
    # only match if "foo" already matched on the opposite direction of this connection
    requires-reverse-signature foo
    event "foobar"
}

I'm working with a pcap in which I KNOW the condition exists and which should
fire the alert. I am able to get the first portion to fire off but not the
conditional alert. I've also tried to mess with the tcp-state condition as
well, to no avail.

Any advice you can throw my way would be much appreciated!

Josh

-- 
Josh Guild
Lead Network Intelligence Analyst
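For reference, here is a complete request/response pairing in the Bro signature language, added as an illustration and not taken from the message above. The file names, the keep-alive byte patterns (PING/PONG), their sizes and the event names are constructed stand-ins for whatever the real traffic looks like. The two things it changes relative to the pair posted above are that each half is pinned to one direction with tcp-state originator/responder (so the request signature cannot also satisfy itself on the response side), and that the request half carries its own event, so signatures.log shows whether each half matched on its own before requires-reverse-signature is added to the mix. Signature regexes are matched from the start of the payload, so a pattern that should match later in the stream needs a leading .* .

```bro
# ---- foobar.sig (hypothetical signature file) --------------------------
#
# Request half: payload sent by the TCP originator.
signature keepalive_request {
    ip-proto == tcp
    tcp-state originator
    # constructed pattern; anchored at the start of the payload
    payload /PING\r\n/
    payload-size == 6
    event "keepalive request"
}

# Response half: payload sent by the TCP responder, and only reported if
# keepalive_request has already matched on the opposite direction of the
# same connection.
signature keepalive_response {
    ip-proto == tcp
    tcp-state responder
    # constructed pattern; anchored at the start of the payload
    payload /PONG\r\n/
    payload-size == 6
    requires-reverse-signature keepalive_request
    event "foobar"
}

# ---- keepalive.bro (hypothetical script that consumes the matches) -----
@load-sigs ./foobar.sig

event signature_match(state: signature_state, msg: string, data: string)
    {
    # state$is_orig tells which side produced the payload that matched.
    if ( msg == "foobar" )
        print fmt("keep-alive pair on %s (matched on responder side: %s)",
                  state$conn$id, !state$is_orig);
    }
```

Run it against the capture with bro -r capture.pcap keepalive.bro (or pass the signature file with -s instead of @load-sigs) and check signatures.log. If "keepalive request" shows up but "foobar" does not, temporarily drop the requires-reverse-signature line: if the response half still does not match, the fault is in the response pattern, size or direction, not in the pairing.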