[Bro-Dev] DHCP event removal

Vlad Grigorescu vlad at es.net
Fri Jun 15 14:38:36 PDT 2018


Yeah, I've mainly seen it used for shellshock. On top of that, I saw some
scripts in GitHub that used it from:

- Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro
- Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro
- Grant Stavely: https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro
- Anthony: https://github.com/anthonykasza/users/blob/master/users.bro

(There were a few others, like IVRE, but they've already updated).

Even if it's not widely used, I think it'd be a nicer user experience if we
were to ship a script that handled dhcp_message, and raised the old events.
We could mark the old events as deprecated, and remove them in the next
version. That way, people have at least one cycle to upgrade.

Hopefully, as we see more published Bro packages, we have a better idea of
which events are/aren't being used.

  --Vlad

On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> > On Jun 15, 2018, at 5:18 PM, Seth Hall <seth at corelight.com> wrote:
> >
> >  On the
> > upside, you can handle both the old events and the new and they
> > shouldn't impact each other (if you want to make a script work on
> > multiple releases).
>
> I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro
>
> The fix is a little trickier, you can't handle both events because the
> DHCP::Msg type no longer exists and you need to wrap the old event with
>
> @ifdef (DHCP::Msg)
> @endif
>
> So for that script I ended up with
>
> @ifdef (DHCP::Msg)
> event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
> {
>         if ( options?$host_name && shellshock in options$host_name )
>                 NOTICE([$note=Bash::DHCP_hostname_Attack,
>                         $conn=c,
>                         $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
>                         $identifier=c$uid]);
> }
> @else
> event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
> {
>         if ( shellshock in host_name )
>                 NOTICE([$note=Bash::DHCP_hostname_Attack,
>                         $conn=c,
>                         $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
>                         $identifier=c$uid]);
> }
> @endif
>
>
>
> Justin Azoff
>
>
>
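A sketch of the compatibility shim Vlad proposes, as an added example that is not code from this thread or from Bro itself: it handles the new dhcp_message event and re-raises the old dhcp_offer event so unmodified scripts keep working for one release cycle. The old signatures are taken from Justin's script above; the field names on DHCP::Msg and DHCP::Options (m_type, xid, chaddr, ciaddr, yiaddr, subnet_mask, routers, lease, serv_addr, host_name), the OFFER type code 2 and the &deprecated attribute are assumptions about the 2.6-era API.

```bro
# Added example: shim that keeps the removed dhcp_offer event alive on top of
# dhcp_message. Only loads where the new DHCP::Msg type exists; on older Bro
# the core still provides dhcp_offer natively, so nothing is redefined there.
@ifdef (DHCP::Msg)

# Re-declare the removed legacy types in the global scope so that old
# handlers still type-check (field names assumed from the pre-2.6 types).
type dhcp_msg: record {
	op: count;
	m_type: count;
	xid: count;
	h_addr: string;
	c_addr: addr;
	y_addr: addr;
};
type dhcp_router_list: table[count] of addr;

# Re-declare the removed event, flagged deprecated as the thread suggests.
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr,
                         router: dhcp_router_list, lease: interval,
                         serv_addr: addr, host_name: string) &deprecated;

const DHCPOFFER_TYPE = 2; # assumption: DHCP message-type code for OFFER

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=10
	{
	if ( msg$m_type != DHCPOFFER_TYPE )
		return;

	# Map the new record onto the legacy one (field names are assumptions).
	local legacy = dhcp_msg($op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
	                        $h_addr=msg$chaddr, $c_addr=msg$ciaddr, $y_addr=msg$yiaddr);

	# Old event carried routers as an indexed table, new one as a vector.
	local routers: dhcp_router_list = table();
	if ( options?$routers )
		for ( i in options$routers )
			routers[i] = options$routers[i];

	# Optional fields in DHCP::Options get neutral defaults for the old
	# positional parameters, which were never optional.
	event dhcp_offer(c, legacy,
	                 options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
	                 routers,
	                 options?$lease ? options$lease : 0secs,
	                 options?$serv_addr ? options$serv_addr : 0.0.0.0,
	                 options?$host_name ? options$host_name : "");
	}

@endif
```

Loading this shim lets scripts such as the bash-cve-2014-6271.bro handler above keep their dhcp_offer branch untouched while the deprecation warning nudges authors to move to dhcp_message.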