simple pattern question
Terry Barker
Terry.Barker at sas.com
Mon Jul 12 10:18:01 PDT 2004
I'm a Bro newbie, so please forgive me if this is a trivial question. I'm experimenting with the signature module and did the following simple test, using the file "ntp-attack.trace" in the example-attacks directory of the bro-pub-0.8a86 release. I used this signature file:
_________________________
signature testsig {
    payload /version/
    event "signature_match"
}
_________________________
The word "version" occurs several times in the payloads in this file, as can be seen using tcpdump -X.
This is the policy file I used (simplified from signatures.bro in the policy directory):
_________________________
global sig_file = open_log_file("signatures");

event signature_match(state: signature_state, msg: string, data: string)
    {
    local id = state$id;
    local esc = escape_string(data);

    if ( byte_len(esc) > 20 )
        esc = fmt( "%s...", sub_bytes(esc, 0, 20) );

    print sig_file, fmt("SIGFILE %f %s/%d %s %s/%d %s %s [%s] %s", network_time(),
        state$conn$id$orig_h, state$conn$id$orig_p, state$is_orig ? ">" : "<",
        state$conn$id$resp_h, state$conn$id$resp_p, state$id, msg, esc, data );
    print fmt("SIGH %f %s [%s] %s", network_time(), msg, esc, data );
    }
_________________________
When I run Bro with these files (and with no other policy files), there appear to be no matches. If instead I match on the dst-ip, i.e. using this signature file
_________________________
signature testsig {
    dst-ip == 128.3.9.239
    event "signature_match"
}
_________________________
I get the desired result (the correct connections are caught). Is something else required for the pattern feature?
Thanks,
Terry Barker
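An added example (not from the post, and not Bro's own code) of the ground-truth check the poster did by hand with tcpdump -X: parse a pcap, pull out each UDP payload, apply the same regex the signature uses, and list the flows that should have produced a signature_match. The pcap here is a constructed stand-in for ntp-attack.trace, which is not embedded; the IP checksum is left at zero because the parser never validates it.

```python
import re
import struct

def build_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums zeroed; parser ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # dummy MACs, EtherType IPv4
    return eth + ip + udp

def build_pcap(frames):
    """Constructed libpcap file: global header (linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def udp_payload_matches(pcap_bytes, pattern):
    """Return (src, sport, dst, dport) for every UDP packet whose payload matches pattern."""
    regex = re.compile(pattern)
    hits = []
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue                           # not UDP (ip-proto 17)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if regex.search(udp[8:ulen]):         # same pattern the signature's payload uses
            hits.append((src, sport, dst, dport))
    return hits

# Constructed sample traffic: one payload with "version", one without.
SAMPLE_PCAP = build_pcap([
    build_udp_packet("10.0.0.1", "128.3.9.239", 123, 123, b"ntp version 4 query"),
    build_udp_packet("10.0.0.2", "128.3.9.239", 123, 123, b"plain request"),
])

if __name__ == "__main__":
    for hit in udp_payload_matches(SAMPLE_PCAP, rb"version"):
        print("%s/%d -> %s/%d" % hit)
```

Compare this list against the SIGFILE lines the policy writes; any flow listed here but absent from Bro's output is a flow the signature engine did not examine.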