policy for IMAP signatures

Nimit Sawhney nimits at cmu.edu
Thu Nov 13 13:44:27 PST 2003


Hi,

I am attempting to write a policy script for IMAP signatures
adapted from Snort using 'snort2bro'. Is this the right way
to write a policy script for the sample signatures below? I
am not sure how to treat the 'tcp-state' part. Also, is it
necessary to use 'eval' each time?

Suggestions/Pointers??

Thanks,
-N*

---------------------------------------------
## imap.bro
@load signatures
@load software
@load log

# Narrow packet capture to IMAP (TCP/143) traffic whose source is in 10.0/16.
# NOTE(review): the "src net 10.0" clause also drops packets that arrive from
# outside 10.0/16, so IMAP traffic originating from hosts elsewhere never
# reaches the signatures below - confirm this is the intended scope.
redef capture_filter += "tcp port 143 and (src net 10.0)";

# At startup, disable output buffering (set_buf(..., F)) on the three log
# files so signature, general-log and software records are flushed as they
# are produced rather than held in a buffer.
event bro_init()
        {
        set_buf(software_file, F);
        set_buf(bro_log_file, F);
        set_buf(sig_file, F);
        }

# eval hook for signature imap_auth_overflow: true when sid-1930 has already
# matched between this connection's originator and responder.
# has_signature_matched() is keyed on the host pair, so presumably the result
# is not limited to the current connection - verify against the Bro docs.
function has_imapauthoverflow_been_attempted(state: signature_state): bool
        {
        local orig = state$conn$id$orig_h;
        local resp = state$conn$id$resp_h;
        return has_signature_matched("sid-1930", orig, resp);
        }

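# eval hook for signature imap_lsublit_overflow. Mirrors
# has_imapauthoverflow_been_attempted(): true once sid-1902 has matched
# between this connection's originator and responder, looked up by host pair
# via has_signature_matched().
# Previously this returned T unconditionally, which made the eval a no-op:
# imap_lsublit_overflow then effectively fired whenever its
# requires-signature (sid-1902) did.
function has_imaplsublitof_been_attempted(state: signature_state): bool
        {
        return has_signature_matched("sid-1902",
                        state$conn$id$orig_h, state$conn$id$resp_h);
        }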
----------------------------------------------------------------

======sample signature file====
# Converted Snort rule sid-1930. All conditions in a signature are ANDed.
# NOTE(review): the two address conditions pin this signature to traffic from
# 10.0.2.1 to 10.0.1.1 only; presumably snort2bro substituted concrete values
# for the Snort rule's network variables - confirm, since as written the
# signature can never fire for any other host pair.
signature sid-1930 {
  # IPv4 protocol field (byte 9): 6 = TCP
  header ip[9:1] == 6
  # IPv4 source address (bytes 12-15), hard-coded to one host
  header ip[12:4] == 10.0.2.1
  # IPv4 destination address (bytes 16-19), hard-coded to one host
  header ip[16:4] == 10.0.1.1
  # TCP destination port (bytes 2-3 of the TCP header): 143 = IMAP
  header tcp[2:2] == 143
  # Case-insensitive " AUTH" anywhere in the payload
  payload /.* [aA][uU][tT][hH]/
  # A literal "{" anywhere in the payload (in IMAP this opens a
  # literal-length marker, which is what the overflow attempt abuses)
  payload /.*\{/
  event "IMAP auth overflow attempt"
  # Per the Bro signature docs: match only once the TCP handshake has
  # completed ("established") and only on data sent by the connection
  # originator, i.e. the client side. Compare sid-1902, which has no
  # tcp-state condition.
  tcp-state established,originator
  }

# Second-stage signature: only considered on a connection where sid-1930 has
# already matched (requires-signature), and reported only if the eval function
# defined in imap.bro returns T for that connection's signature_state.
signature imap_auth_overflow {
  requires-signature sid-1930
  eval has_imapauthoverflow_been_attempted
  event "Host may have been probed for IMAP auth overflow"
  }


# Converted Snort rule sid-1902. All conditions in a signature are ANDed.
# NOTE(review): as with sid-1930, the address conditions restrict this
# signature to traffic from 10.0.2.1 to 10.0.1.1 only - confirm that is
# intended rather than an artifact of the snort2bro conversion.
# NOTE(review): unlike sid-1930 there is no tcp-state condition here, so
# presumably the payload patterns are tested on data from either direction
# and regardless of handshake state - confirm whether that is intended.
signature sid-1902 {
  # IPv4 protocol field (byte 9): 6 = TCP
  header ip[9:1] == 6
  # IPv4 source address (bytes 12-15), hard-coded to one host
  header ip[12:4] == 10.0.2.1
  # IPv4 destination address (bytes 16-19), hard-coded to one host
  header ip[16:4] == 10.0.1.1
  # TCP destination port (bytes 2-3 of the TCP header): 143 = IMAP
  header tcp[2:2] == 143
  # " LSUB " followed by a double quote (\x22)
  payload /.* LSUB \x22/
  # A double quote, a space, then a literal "{" (IMAP literal-length marker)
  payload /.*\x22 \{/
  event "IMAP lsub literal overflow attempt"
  }

# Second-stage signature: only considered on a connection where sid-1902 has
# already matched (requires-signature), and reported only if the eval function
# defined in imap.bro returns T. Note that has_imaplsublitof_been_attempted()
# in imap.bro currently returns T unconditionally, so the eval adds no
# further condition beyond requires-signature.
signature imap_lsublit_overflow {
  requires-signature sid-1902
  eval has_imaplsublitof_been_attempted
  event "Host may have been probed for IMAP lsub literal overflow"
  }
---------------------------------------------


