[Bro-Dev] DHCP event removal

Azoff, Justin S jazoff at illinois.edu
Fri Jun 15 14:22:45 PDT 2018


> On Jun 15, 2018, at 5:18 PM, Seth Hall <seth at corelight.com> wrote:
> 
> On the upside, you can handle both the old events and the new and they
> shouldn't impact each other (if you want to make a script work on
> multiple releases).

I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro

The fix is a little trickier: you can't handle both events, because the DHCP::Msg type no longer exists, and you need to wrap the old event with

@ifdef (DHCP::Msg)
@endif

So for that script I ended up with

@ifdef (DHCP::Msg)
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
	if ( options?$host_name && shellshock in options$host_name )
		NOTICE([$note=Bash::DHCP_hostname_Attack,
		        $conn=c,
		        $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
		        $identifier=c$uid]);
}
@else
event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
{
	if ( shellshock in host_name )
		NOTICE([$note=Bash::DHCP_hostname_Attack,
		        $conn=c,
		        $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
		        $identifier=c$uid]);
}
@endif



— 
Justin Azoff
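The version-gating pattern from the post, carried through to a complete, loadable script. This is an added example, not the bash-cve-2014-6271.bro script Justin refers to nor anything shipped with Bro; the module name `Bash`, the notice type `DHCP_hostname_Attack`, the `shellshock` pattern and the `check_hostname` helper are all defined here for illustration and are assumptions about how such a script would be laid out. The `@ifdef (DHCP::Msg)` test selects the 2.6-style `dhcp_message` handler when that type exists and falls back to the older per-message `dhcp_offer` handler otherwise, so the same file loads on either release:

```zeek
##! Added example: gate a DHCP hostname check on the Bro release in use.
##! Not the original bash-cve-2014-6271.bro; names below are illustrative.

@load base/frameworks/notice
@load base/protocols/dhcp

module Bash;

export {
	redef enum Notice::Type += {
		## A DHCP client sent a hostname shaped like a Shellshock trigger.
		## (Assumed notice name; the original script may use a different one.)
		DHCP_hostname_Attack
	};

	## Constructed pattern for illustration: an empty function definition
	## followed by an opening brace, the shape of a CVE-2014-6271 trigger.
	const shellshock = /\([ \t]*\)[ \t]*\{/ &redef;
}

## Shared check so both event handlers below raise the same notice.
## (Assumed helper, not part of the original script.)
function check_hostname(c: connection, host_name: string)
	{
	if ( shellshock !in host_name )
		return;

	NOTICE([$note=DHCP_hostname_Attack,
	        $conn=c,
	        $msg=fmt("%s may have attempted to exploit CVE-2014-6271 via DHCP hostname against %s submitting \"hostname\"=\"%s\"",
	                 c$id$orig_h, c$id$resp_h, host_name),
	        $identifier=c$uid]);
	}

# Bro 2.6 and later: DHCP::Msg exists, a single dhcp_message event fires for
# every DHCP message, and the hostname lives in the optional options record.
@ifdef (DHCP::Msg)
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	if ( options?$host_name )
		check_hostname(c, options$host_name);
	}
@else
# Bro 2.5 and earlier: DHCP::Msg is undefined, so this branch is compiled
# instead; the hostname arrives as a parameter of the per-type event.
event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
	{
	check_hostname(c, host_name);
	}
@endif
```

Because `@ifdef` is resolved when the script is parsed, the branch for the other release is never compiled, which is what makes the file load cleanly even though one of the two event signatures does not exist on any given version.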




