[Bro-Dev] DHCP event removal

Michał Purzyński michalpurzynski1 at gmail.com
Fri Jun 15 17:02:49 PDT 2018


Hey, I use the dhcp analyzer because I cannot count on our dhcp logs. Not just that, I do some detection around it.

> On Jun 15, 2018, at 2:38 PM, Vlad Grigorescu <vlad at es.net> wrote:
> 
> Yeah, I've mainly seen it used for shellshock. On top of that, I saw some scripts in GitHub that used it from:
> 
> - Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro
> - Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro
> - Grant Stavely: https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro
> - Anthony: https://github.com/anthonykasza/users/blob/master/users.bro
> 
> (There were a few others, like IVRE, but they've already updated).
> 
> Even if it's not widely used, I think it'd be a nicer user experience if we were to ship a script that handled dhcp_message, and raised the old events. We could mark the old events as deprecated, and remove them in the next version. That way, people have at least one cycle to upgrade.
> 
> Hopefully, as we see more published Bro packages, we have a better idea of which events are/aren't being used.
> 
>   --Vlad
> 
>> On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> > On Jun 15, 2018, at 5:18 PM, Seth Hall <seth at corelight.com> wrote:
>> > 
>> > On the upside, you can handle both the old events and the new and they shouldn't impact each other (if you want to make a script work on multiple releases).
>> 
>> I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro
>> 
>> The fix is a little trickier, you can't handle both events because the DHCP::Msg type no longer exists and you need to wrap the old event with
>> 
>> @ifdef (DHCP::Msg)
>> @endif
>> 
>> So for that script I ended up with
>> 
>> @ifdef (DHCP::Msg)
>> # Bro 2.6 and later: the new dhcp_message event carries the hostname in DHCP::Options
>> event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
>>     {
>>     if ( options?$host_name && shellshock in options$host_name )
>>         NOTICE([$note=Bash::DHCP_hostname_Attack,
>>                 $conn=c,
>>                 $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
>>                 $identifier=c$uid]);
>>     }
>> @else
>> # Older releases: the hostname is a parameter of the old dhcp_offer event
>> event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
>>     {
>>     if ( shellshock in host_name )
>>         NOTICE([$note=Bash::DHCP_hostname_Attack,
>>                 $conn=c,
>>                 $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
>>                 $identifier=c$uid]);
>>     }
>> @endif
>> 
>> 
>> 
>> -- 
>> Justin Azoff
>> 
>> 
>> 
>> _______________________________________________
>> bro-dev mailing list
>> bro-dev at bro.org
>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
> 
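The compatibility script Vlad proposes, as an added example (not code from Bro or from anyone in this thread): it handles the new `dhcp_message` event and re-raises the old `dhcp_offer` event so that scripts written against the old API keep working for one release. It is guarded with `@ifdef (DHCP::Msg)` exactly as in Justin's script, so it is a no-op on releases that still ship the old event. The field names of `DHCP::Msg` and `DHCP::Options` (`chaddr`, `ciaddr`, `yiaddr`, `siaddr`, `giaddr`, `subnet_mask`, `routers`, `lease`, `serv_addr`, `host_name`) and the shape of the legacy `dhcp_msg` record are assumed from the 2.6 and pre-2.6 DHCP analyzers; the fallback values used when an option is absent are a choice made here.

```bro
# Added example: re-raise the pre-2.6 dhcp_offer event from the 2.6
# dhcp_message event. Not part of Bro. Record field names below are
# assumed from the 2.6 DHCP analyzer and the pre-2.6 dhcp_msg record.

@ifdef ( DHCP::Msg )

# The legacy types were removed together with the old events, so the
# shim redeclares them in the global namespace for old handlers to bind to.
type dhcp_msg: record {
    op: count;
    m_type: count;
    xid: count;
    h_addr: string;   # client hardware address
    c_addr: addr;     # ciaddr
    y_addr: addr;     # yiaddr
    s_addr: addr;     # siaddr
    g_addr: addr;     # giaddr
};

type dhcp_router_list: table[count] of addr;

# Legacy event signature, matching what old scripts handle.
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr,
                         router: dhcp_router_list, lease: interval,
                         serv_addr: addr, host_name: string);

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # Only DHCPOFFER (message type 2) maps onto the old dhcp_offer event.
    if ( msg$m_type != 2 )
        return;

    # Translate the new message record into the legacy record layout.
    local old_msg = dhcp_msg($op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
                             $h_addr=msg$chaddr, $c_addr=msg$ciaddr,
                             $y_addr=msg$yiaddr, $s_addr=msg$siaddr,
                             $g_addr=msg$giaddr);

    # The old router list was a table indexed by position; rebuild it from
    # the 2.6 vector of router addresses (assumed field: options$routers).
    local routers: dhcp_router_list = table();
    if ( options?$routers )
        for ( i in options$routers )
            routers[i] = options$routers[i];

    # Options that the old event passed as plain parameters are optional
    # record fields now; substitute neutral values when they are absent.
    event dhcp_offer(c, old_msg,
                     options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
                     routers,
                     options?$lease ? options$lease : 0 secs,
                     options?$serv_addr ? options$serv_addr : 0.0.0.0,
                     options?$host_name ? options$host_name : "");
    }

@endif
```

Loading this shim alongside an unmodified old script (for example the `dhcp_offer` handler in Justin's message) lets that script keep firing its notice on 2.6 without changes; a script that is updated to handle `dhcp_message` directly should not also load the shim, or it will see each offer twice.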