[Bro-Dev] DHCP event removal
michalpurzynski1 at gmail.com
Fri Jun 15 17:02:49 PDT 2018
Hey, I use the dhcp analyzer because I cannot count on our dhcp logs. Not just that, I do some detection around it.
> On Jun 15, 2018, at 2:38 PM, Vlad Grigorescu <vlad at es.net> wrote:
> Yeah, I've mainly seen it used for shellshock. On top of that, I saw some scripts on GitHub that used it, from:
> - Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro
> - Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro
> - Grant Stavely: https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro
> - Anthony: https://github.com/anthonykasza/users/blob/master/users.bro
> (There were a few others, like IVRE, but they've already updated).
> Even if it's not widely used, I think it'd be a nicer user experience if we were to ship a script that handled dhcp_message, and raised the old events. We could mark the old events as deprecated, and remove them in the next version. That way, people have at least one cycle to upgrade.
> Hopefully, as we see more published Bro packages, we have a better idea of which events are/aren't being used.
>> On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> > On Jun 15, 2018, at 5:18 PM, Seth Hall <seth at corelight.com> wrote:
>> > On the
>> > upside, you can handle both the old events and the new and they
>> > shouldn't impact each other (if you want to make a script work on
>> > multiple releases).
>> I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro
>> The fix is a little trickier: you can't handle both events, because the DHCP::Msg type no longer exists, and you need to wrap the old event with
>> @ifdef (DHCP::Msg)
>> So for that script I ended up with
>> @ifdef (DHCP::Msg)
>> event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
>>     if ( options?$host_name && shellshock in options$host_name )
>>         $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
>> @else
>> event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
>>     if ( shellshock in host_name )
>>         $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
>> @endif
>> Justin Azoff
>> bro-dev mailing list
>> bro-dev at bro.org