[Bro-Dev] DHCP event removal
Azoff, Justin S
jazoff at illinois.edu
Fri Jun 15 14:22:45 PDT 2018
> On Jun 15, 2018, at 5:18 PM, Seth Hall <seth at corelight.com> wrote:
>
> On the upside, you can handle both the old events and the new and they
> shouldn't impact each other (if you want to make a script work on
> multiple releases).
I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro.

The fix is a little trickier: you can't handle both events, because the DHCP::Msg type no longer exists, and you need to wrap the old event with

@ifdef (DHCP::Msg)
@endif

So for that script I ended up with:
@ifdef (DHCP::Msg)
# Newer Bro: DHCP::Msg exists, so use the new dhcp_message event
# and read the hostname out of the parsed options.
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    if ( options?$host_name && shellshock in options$host_name )
        NOTICE([$note=Bash::DHCP_hostname_Attack,
                $conn=c,
                $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
                $identifier=c$uid]);
    }
@else
# Older Bro: DHCP::Msg is not defined, so fall back to the old
# dhcp_offer event, which passes the hostname as a plain string.
event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
    {
    if ( shellshock in host_name )
        NOTICE([$note=Bash::DHCP_hostname_Attack,
                $conn=c,
                $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
                $identifier=c$uid]);
    }
@endif
--
Justin Azoff