Hi all,<br><br>We are trying to write the simple script where it will check if the udp reply is 18 bytes and will return the src ip, dst ip as well as its bytes exchanges as illustrate as below<br><br>src ip ------> dst ip
<br>src ip <----- dst ip (18 bytes)<br><br>It is pretty simple and works well to detect the udp probing, and we are happy with it but when we test it on one of the packet capture which supposingly having 3 udp packets with 18 bytes return, it only detects one of it but didn't see the rest. And running through tcpdump, we figure this -
<br> <br>2007-09-13 07:32:30.298295 IP 192.168.0.185.63025 > 210.79.186.143.23074: UDP, length 22<br>2007-09-13 07:32:30.566344 IP 210.79.186.143.23074 > 192.168.0.185.63025: UDP, length 18<br>2007-09-13 07:32:34.790093
IP 192.168.0.185.63025 > 89.37.157.114.28763: UDP, length 41<br>2007-09-13 07:32:34.791688 IP 192.168.0.185.63025 > 200.83.176.80.49847: UDP, length 41<br>2007-09-13 07:32:34.809467 IP 192.168.0.185.63025 > 89.37.157.114.28763
: UDP, length 33<br>2007-09-13 07:32:34.809531 IP 192.168.0.185.63025 > 200.83.176.80.49847: UDP, length 33<br>2007-09-13 07:32:35.331256 IP 200.83.176.80.49847 > 192.168.0.185.63025: UDP, length 19<br><strong>2007-09-13 07:32:
35.350840 IP 200.83.176.80.49847 > 192.168.0.185.63025: UDP, length 18</strong><br>2007-09-13 07:32:35.403002 IP 89.37.157.114.28763 > 192.168.0.185.63025: UDP, length 19<br><strong>2007-09-13 07:32:35.407810 IP 89.37.157.114.28763
> 192.168.0.185.63025: UDP, length 18</strong><strong><br></strong><br>The script can locate the <a href="http://210.79.186.143">210.79.186.143</a> but not <a href="http://200.83.176.80">200.83.176.80</a> and <a href="http://89.37.157.114">
89.37.157.114</a>. That lead us to believe that bro understand the flow in semantic level. In fact if we do the matching to 18+19 = 37 bytes, it detects the other 2. And just learn about the trace feature from scott, we immediately tried the trace and we found this -
<br><br>1189639955.350840 /usr/local/stow/bro-1.3.2/policy/hot.bro:153 function called: check_hot(c = '[id=[orig_h=<a href="http://192.168.0.185">192.168.0.185</a>, orig_p=6302<br>5/udp, resp_h=<a href="http://200.83.176.80">
200.83.176.80</a>, resp_p=49847/udp], orig=[size=74, state=1], resp=[<strong>size=37</strong>, state=1], start_time=1189639954.79169, duration=0.559152126312256, service=, addl=, hot=0, history=Dd]', state = '2')
<br>.....blablabla another one<br><br>Here's our simple and shameful script -<br><br><i>@load udp-common<br><br>redef capture_filters += { ["udp"] = "udp" };<br><br>redef local_nets: set[subnet] = {
<br> <a href="http://192.168.0.0/24">192.168.0.0/24</a><br>};<br></i><i><br>event udp_reply(u: connection)<br>{<br> local orig = u$id$orig_h;<br> local resp = u$id$resp_h;<br> local origs = u$orig$size;
<br> local resps = u$resp$size;<br> if ( u$resp$size == 18)<br> {<br> print ("Suspected udp probe");<br> print fmt("%20s %5s %5s %5s", orig, resp, origs, resps);
<br> }</i><br>}<br><br>I don't see we can use udp time out for this as the interval of return packet is too low. Or is there workaround to examine the first corresponding udp reply packet size.<br><br>Thanks!<br>
<br>-- <br>Best Regards,<br><br>CS Lee<geekooL[at]gmail.com>