[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Mon Oct 17 14:11:27 PDT 2016


On 2016-10-17 15:08, James Lay wrote:
> On 2016-10-17 14:31, Robin Sommer wrote:
>> Do you have a trace that you can send demonstrating the two issues?
>> 
>> Robin
> 
> Included!  Sigs below (in 2.4.1 order mattered..I think last matched
> gets the protosig tag, but I've swapped these around with the same
> results)..in either case only ntp matches, not ntp_apple.  Maybe it's
> a beta thing?
> 
> signature protosig_ntp {
>   ip-proto == udp
>   dst-port == 123
>   payload /.*\x00/
>   payload-size == 48
>   eval ProtoSig::match
> }
> 
> signature protosig_ntp_apple {
>   #header ip[16:4] == 17.0.0.0/8
->  dst-ip == 17.0.0.0/8
>   ip-proto == udp
>   dst-port == 123
>   payload /.*\x00/
>   payload-size == 48
>   eval ProtoSig::match
> }
> 
> Thank you.
> 
> James
> 
>> 
>> On Sat, Oct 15, 2016 at 10:52 -0600, James Lay wrote:
>> 
>>> On Sat, 2016-10-15 at 10:48 -0600, James Lay wrote:
>>> > Wow...so here's my sig:
>>> >
>>> > signature protosig_ntp_apple {
>>> >   dst-ip == 17.0.0.0/8
>>> >   ip-proto == udp
>>> >   dst-port == 123
>>> >   payload /.*\x00/
>>> >   payload-size == 48
>>> >   eval ProtoSig::match
>>> > }
>>> >
>>> > First, IP is 192.168.1.95 -> 17.253.4.253 udp port 123.
>>> >
>>> > Issue #1:  CIDR doesn't appear to work..with the above dst-ip entry
>>> > this fails to identify ntp_apple, commenting out the dst-ip the line
>>> > matches.
>>> > Issue #2:  Payload-size; of interest, if you don't set a payload
>>> > entry, then setting payload-size with ">" and "==" won't match, but
>>> > ANY number with "<" fired off. Ironically I could set payload-size <
>>> > 1 and this would fire.
>>> >
>>> > this is using latest beta.  Thank you.
>>> >
>>> > James
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> Also of interest, header ip[16:4] == 17.0.0.0/8 DOES in fact work, so I
>>> believe there's an issue with the dst-ip item.
>>> James
>> 
> 
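As an added illustration (not code from the thread or from Bro itself), a small Python check that evaluates the conditions these signatures express against a constructed packet for the flow James describes (192.168.1.95 -> 17.253.4.253 udp/123, 48-byte payload). It also shows why `header ip[16:4]` selects the destination address: bytes 16-19 of the IPv4 header hold it. Function names are hypothetical, and Bro's own matching engine is not reproduced here.

```python
import ipaddress
import re
import struct

# Constructed sample: IPv4/UDP packet carrying a 48-byte NTP client request,
# mirroring the flow from the thread (hypothetical values, not a real capture).
def build_packet(src="192.168.1.95", dst="17.253.4.253", dport=123):
    payload = bytes([0x23]) + b"\x00" * 47            # LI/VN/mode byte, then zeros
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 50000, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp

def header_field(pkt, offset, length):
    """Equivalent of 'header ip[offset:length]': raw bytes of the IP header."""
    return pkt[offset:offset + length]

def eval_sig(pkt, dst_net=None, dport=123, size_op="==", size=48,
             payload_re=r".*\x00"):
    """Evaluate the protosig_ntp / protosig_ntp_apple conditions on one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = ipaddress.ip_address(header_field(pkt, 16, 4))   # ip[16:4] == dst-ip
    udp = pkt[ihl:]
    udp_dport = struct.unpack("!H", udp[2:4])[0]
    payload = udp[8:]
    ops = {"==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    checks = [
        proto == 17,                                        # ip-proto == udp
        udp_dport == dport,                                 # dst-port == 123
        dst_net is None or dst in ipaddress.ip_network(dst_net),  # dst-ip CIDR
        re.match(payload_re.encode("latin-1"), payload, re.DOTALL) is not None,
        ops[size_op](len(payload), size),                   # payload-size test
    ]
    return all(checks)
```

Run the same packet through `eval_sig` with and without `dst_net` and with the three `size_op` values to see what each signature condition should match on its own.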