[Bro] Duqu script

Daniel Guerra daniel.guerra69 at gmail.com
Sat Nov 28 14:14:30 PST 2015


Or you could use this.

From line 77:

if ( c$id$orig_h in duqus && c$http?$resp_mime_types )
    {
    # resp_mime_types is a vector of strings, so look at every element
    # for image/jpeg before deciding what to do with the tracked state.
    local is_jpeg = F;
    for ( mime_num in c$http$resp_mime_types )
        {
        if ( /image\/jpeg/ in c$http$resp_mime_types[mime_num] )
            {
            is_jpeg = T;
            break;
            }
        }

    # Decide once, after the loop: deleting inside the loop would make the
    # next iteration index a key that no longer exists in duqus.
    if ( duqus[c$id$orig_h] == JPEG_REQUEST &&
         c$http$status_code == 200 &&
         is_jpeg )
        {
        duqus[c$id$orig_h] = JPEG_REPLY;
        NOTICE([$note=Potential_Duqu_Infection,
                $msg=fmt("Initial Duqu JPEG exchange"),
                $conn=c]);
        }
    else
        delete duqus[c$id$orig_h]; # Purge unnecessary state early.
    }

> On 27 Nov 2015, at 13:10, Jan Grashofer <jan.grashofer at cern.ch> wrote:
> 
> Hi Zied,
>  
> while mime_types was a string, resp_mime_types is a vector of strings. If I am not mistaken it contains all matching mime types ordered by probability. Unfortunately I am not able to find proof for this in the documentation. However, to fix your issue you could loop through the vector or just use the first element resp_mime_types[0].
>  
> Best regards,
> Jan
>  
> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Zied Turki [zied.turki at outlook.com]
> Sent: Friday, November 27, 2015 11:54
> To: bro at bro.org
> Subject: [Bro] Duqu script
> 
> Dear all,
> 
> I tried to test the bro script to log the Duqu attack published through Github. The broctl check failed, and the output is below:
> 
> "error in /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: no such field in record (HTTP::c$http$mime_types)"
> 
> I've understood that $mime_type has changed in the new bro version and I've tried to change it in the script to "resp_mime_types". The new output is below:
> 
> error in /usr/local/bro/share/bro/base/protocols/http/./entities.bro, line 27 and /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: pattern requires string index (vector of string and /^?(image\/jpeg)$?/)
> 
> I am new to bro scripts. Please, I need your help to understand how to manage this kind of error. Could anyone help, please?
> 
> Please find below the link to the original script:
> https://github.com/mavam/brospects/blob/master/bro/duqu.bro
> 
> 
> Many thanks,
> 
> BR,
> Zied
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

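The thread above boils down to one change in the Bro HTTP record: `mime_types` was a single string, while `resp_mime_types` is a vector of strings, so a pattern match has to be applied per element. The following stand-alone script is an added example, not the brospects duqu.bro script and not code from anyone in the thread. It factors the per-element check into a helper that can be reused for any mime-type pattern, and runs the check from `http_message_done`, which fires after the reply body has been sniffed and the vector populated. The module name, the `Stage` enum, the `stages` table, the notice type `JPEG_Reply_Seen`, and the `.jpg` URI condition that seeds the request stage are all placeholders chosen for this example; they are not the heuristics the real Duqu script uses.

```bro
# Added example: handling the vector-typed resp_mime_types field.
# All names below (module, enum, table, notice type) are placeholders.
module MimeVectorExample;

export {
    redef enum Notice::Type += {
        ## Placeholder notice type for this example.
        JPEG_Reply_Seen,
    };

    ## Stage of the exchange seen from a given origin host (placeholder states).
    type Stage: enum { JPEG_REQUEST, JPEG_REPLY };

    ## Per-origin state; expiring entries keeps the table bounded even if a
    ## host never completes the exchange.
    global stages: table[addr] of Stage &create_expire=5min;
}

## Return T if any element of the vector matches the pattern.  This is the
## check the old string-typed mime_types field allowed in one expression.
function matches_any(v: vector of string, p: pattern): bool
    {
    for ( i in v )
        {
        if ( p in v[i] )
            return T;
        }
    return F;
    }

## First element of the vector, or an empty string if the vector is empty,
## so a log message never indexes a missing element.
function first_mime(v: vector of string): string
    {
    return |v| > 0 ? v[0] : "";
    }

## Placeholder seeding of the request stage: a request whose URI ends in
## .jpg.  The real script's request-side conditions are not reproduced here.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( /\.jpg$/ in unescaped_URI )
        stages[c$id$orig_h] = JPEG_REQUEST;
    }

## Evaluate the reply once the body has been processed; resp_mime_types is
## populated by the file-sniffing logic in entities.bro before this event.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( is_orig || c$id$orig_h !in stages || ! c$http?$resp_mime_types )
        return;

    if ( stages[c$id$orig_h] == JPEG_REQUEST &&
         c$http?$status_code && c$http$status_code == 200 &&
         matches_any(c$http$resp_mime_types, /image\/jpeg/) )
        {
        stages[c$id$orig_h] = JPEG_REPLY;
        NOTICE([$note=JPEG_Reply_Seen,
                $msg=fmt("JPEG reply to %s (first mime type: %s)",
                         c$id$orig_h, first_mime(c$http$resp_mime_types)),
                $conn=c]);
        }
    else
        delete stages[c$id$orig_h]; # Purge state on the first non-matching reply.
    }
```

Using the helper keeps the decision outside the loop, which avoids the problem of deleting a table entry mid-iteration and then indexing it again on the next element. If only the most likely type matters, `first_mime()` gives the `resp_mime_types[0]` shortcut Jan mentioned without failing on an empty vector.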

