policy for IMAP signatures
Nimit Sawhney
nimits at cmu.edu
Thu Nov 13 13:44:27 PST 2003
Hi,
I am attempting to write a policy script for IMAP signatures
adapted from Snort using 'snort2bro'. Is this the right way
to write a policy script for the sample signatures below? I
am not sure how to treat the 'tcp-state' part. Also, is it
necessary to use 'eval' each time?
Suggestions/Pointers??
Thanks,
-N*
---------------------------------------------
## imap.bro
@load signatures
@load software
@load log
# Restrict packet capture to IMAP (TCP/143) where the packet's source is the
# 10.0/16 net; the filter is appended to whatever other loaded scripts set.
redef capture_filter += "tcp port 143 and (src net 10.0)";
# At startup, turn buffering off (second argument F) on each of the three
# output files this script relies on: the software log, the main Bro log
# and the signature log. The three calls are independent of one another.
event bro_init()
{
set_buf(software_file, F);
set_buf(bro_log_file, F);
set_buf(sig_file, F);
}
# eval hook referenced by signature imap_auth_overflow.
# Asks the signature framework whether sid-1930 has been recorded for the
# originator/responder address pair of the connection the signature fired
# on, and returns that answer unchanged. NOTE(review): whether the match
# that triggered 'requires-signature sid-1930' is already recorded when this
# eval runs depends on the framework's ordering — confirm against signatures.bro.
function has_imapauthoverflow_been_attempted(state: signature_state): bool
{
local orig = state$conn$id$orig_h;
local resp = state$conn$id$resp_h;
return has_signature_matched("sid-1930", orig, resp);
}
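# eval hook referenced by signature imap_lsublit_overflow.
# The original body was a placeholder ('return T'), which made the follow-on
# "probed" event fire unconditionally whenever sid-1902 matched. This version
# mirrors has_imapauthoverflow_been_attempted: it consults the signature
# framework for sid-1902 on this connection's originator/responder address
# pair, so both IMAP signatures are evaluated the same way.
# NOTE(review): as with the sibling hook, confirm in signatures.bro whether the
# triggering match is already recorded when eval runs.
function has_imaplsublitof_been_attempted(state: signature_state): bool
{
return has_signature_matched("sid-1902",
state$conn$id$orig_h, state$conn$id$resp_h);
}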
----------------------------------------------------------------
======sample signature file====
# Presumably the snort2bro rendering of the Snort rule with SID 1930 (the
# event text below matches that naming). The header conditions are raw
# IPv4/TCP byte offsets rather than the named src-ip/dst-ip/dst-port forms.
signature sid-1930 {
# ip[9:1] is the IPv4 protocol byte; 6 = TCP.
header ip[9:1] == 6
# ip[12:4] / ip[16:4] are the IPv4 source and destination addresses.
# Both are pinned to a single host, so traffic between any other pair
# of hosts never matches this signature — check that this is intended
# rather than an artefact of the Snort variables at conversion time.
header ip[12:4] == 10.0.2.1
header ip[16:4] == 10.0.1.1
# tcp[2:2] is the TCP destination port (143 = IMAP).
header tcp[2:2] == 143
# Both payload conditions must hold: a case-insensitive " AUTH" and a
# literal '{'. The leading .* is what snort2bro emits so the pattern can
# match anywhere in the payload; verify anchoring against your Bro version.
payload /.* [aA][uU][tT][hH]/
payload /.*\{/
event "IMAP auth overflow attempt"
# Only on established connections and only for data sent by the
# originator (client -> server); sid-1902 below has no such constraint.
tcp-state established,originator
}
# Second-stage signature: fires only after sid-1930 has matched on the
# connection AND the eval hook has_imapauthoverflow_been_attempted
# (defined in imap.bro) returns true.
signature imap_auth_overflow {
requires-signature sid-1930
eval has_imapauthoverflow_been_attempted
event "Host may have been probed for IMAP auth overflow"
}
# Presumably the snort2bro rendering of the Snort rule with SID 1902.
# Same raw-offset header conditions as sid-1930: TCP, fixed source host
# 10.0.2.1, fixed destination host 10.0.1.1, destination port 143.
signature sid-1902 {
header ip[9:1] == 6
header ip[12:4] == 10.0.2.1
header ip[16:4] == 10.0.1.1
header tcp[2:2] == 143
# Both payload conditions must hold: " LSUB " followed by a double quote
# (\x22), and a double quote followed by " {" (start of an IMAP literal).
payload /.* LSUB \x22/
payload /.*\x22 \{/
event "IMAP lsub literal overflow attempt"
# Unlike sid-1930 there is no tcp-state line, so this signature is not
# limited to established connections or to the originator's direction;
# add 'tcp-state established,originator' if the two should behave alike.
}
# Second-stage signature: fires only after sid-1902 has matched on the
# connection AND the eval hook has_imaplsublitof_been_attempted (defined in
# imap.bro) returns true. As posted, that hook returns T unconditionally, so
# this signature currently fires every time sid-1902 does.
signature imap_lsublit_overflow {
requires-signature sid-1902
eval has_imaplsublitof_been_attempted
event "Host may have been probed for IMAP lsub literal overflow"
}
---------------------------------------------