[Bro] Adding new signatures

Anandraj anandrajm at fastmail.fm
Tue Jun 27 08:01:40 PDT 2006


Hi all,
I am trying to define and add new signatures to the BRO-IDS (bro-1.1).

I tried adding a simple signature like the following in site/signatures.bro:

/* Signature for the event when the user name is anand */
signature telnet_test {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login: anand/
}

/* Signature for the event when the user name is root */
signature ssh_test {
  ip-proto == tcp
  src-port == 22
  event "SSH root login"
  tcp-state established,responder
  payload /.*login: root/
}

The following was the additional change made to policy/backdoor.bro, from

const ssh_sig_disabled                  = F &redef;

to 

const ssh_sig_disabled                  = T &redef;


The following change was also made to policy/sig-action.bro:

["telnet_test"] = SIG_FILE,
["ssh_test"] = SIG_FILE,

I find that these signatures are being detected, as I added some print
statements in policy/backdoor.bro for the following functions:

function signature_found(c: connection, sig_disabled: bool, sig_name: string)

event ssh_signature_found(c: connection, is_orig: bool)

event telnet_signature_found(c: connection, is_orig: bool, len: count)

I did a rename of the existing signatures in site/signatures.bro:

signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO  */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}

It did work for the root telnet login, and it was logged to the
signature-0.... log file.

Could somebody shed some light on this? Please correct me if I'm wrong
in the process of adding the signatures, or in my understanding, since I'm
a newbie.

My final intention, though, is to make the BRO-IDS support the BitTorrent
protocol. Any suggestion is welcome.

TIA ,
Anand


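To make the signature syntax in the post concrete, here is an added example (not part of the original message and not Bro's own engine): a small Python parser for the signature fields used above (ip-proto, src-port, tcp-state, payload, event) and a matcher that applies them to connection records, modelled on how the Bro 1.x signature engine evaluates them. The signature text, the connection records and the field names orig_port/resp_port/orig_payload/resp_payload are constructed for this example.

```python
import re

# Constructed sample signatures in the Bro 1.x syntax the post uses; these
# are written for this example and are not the poster's site/signatures.bro.
SIGNATURE_TEXT = r"""
/* user name anand typed at a telnet login prompt */
signature telnet_anand {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login\x3A anand/
}

/* same shape as the post's ssh_test signature */
signature ssh_root {
  ip-proto == tcp
  src-port == 22
  event "SSH root login"
  tcp-state established,responder
  payload /.*login: root/
}
"""


def parse_signatures(text):
    """Parse 'signature NAME { ... }' blocks into a dict of condition dicts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    sigs = {}
    for m in re.finditer(r"signature\s+([\w.-]+)\s*\{(.*?)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        cond = {}
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            key, _, rest = line.partition(" ")
            rest = rest.strip()
            if key in ("ip-proto", "src-port", "dst-port"):
                op, val = rest.split(None, 1)            # e.g. "== 23"
                cond[key] = (op, int(val) if val.isdigit() else val)
            elif key == "event":
                cond[key] = rest.strip('"')
            elif key == "tcp-state":
                cond[key] = set(rest.split(","))
            elif key == "payload":
                # Bro payload patterns are anchored at the start of the
                # reassembled stream, which is why the post's regexes begin
                # with .*; re.match in evaluate() reproduces that anchoring.
                cond[key] = re.compile(rest[1:-1], re.S)  # strip the / delimiters
        sigs[name] = cond
    return sigs


def _cmp(op, want, have):
    return have == want if op == "==" else have != want


def evaluate(cond, conn):
    """True if every condition of one signature holds for a connection.

    Connection model (an assumption of this example, not Bro's own data
    structures): proto, orig_port/resp_port, an 'established' flag and the
    reassembled payload of each direction. With tcp-state 'responder' the
    packets examined are the responder's, so src-port is the responder's
    port and payload is matched against the responder's stream.
    """
    if "ip-proto" in cond and not _cmp(*cond["ip-proto"], conn["proto"]):
        return False
    states = cond.get("tcp-state", set())
    if "established" in states and not conn["established"]:
        return False
    dirs = [d for d in ("originator", "responder") if d in states] or ["originator", "responder"]
    for d in dirs:
        src = conn["orig_port"] if d == "originator" else conn["resp_port"]
        dst = conn["resp_port"] if d == "originator" else conn["orig_port"]
        data = conn["orig_payload"] if d == "originator" else conn["resp_payload"]
        if "src-port" in cond and not _cmp(*cond["src-port"], src):
            continue
        if "dst-port" in cond and not _cmp(*cond["dst-port"], dst):
            continue
        if "payload" in cond and not cond["payload"].match(data):
            continue
        return True  # every condition held for this direction
    return False


def scan(conns, sigs):
    """Map each connection id to the events its matching signatures raise."""
    return {cid: [c.get("event", name) for name, c in sigs.items() if evaluate(c, conn)]
            for cid, conn in conns.items()}


# Constructed connection records (sample data for this example).
CONNECTIONS = {
    # telnet: the server echoes typed characters, so "login: anand" shows up
    # in the responder's stream, not only in what the client typed
    "telnet-1": dict(proto="tcp", orig_port=40123, resp_port=23, established=True,
                     orig_payload="anand\r\nsecret\r\n",
                     resp_payload="\r\nhost login: anand\r\nPassword: "),
    # ssh: only the version banner is cleartext; the login prompt travels
    # inside the encrypted channel, so a payload regex on port 22 never sees it
    "ssh-1": dict(proto="tcp", orig_port=40124, resp_port=22, established=True,
                  orig_payload="SSH-2.0-OpenSSH_4.3\r\n",
                  resp_payload="SSH-2.0-OpenSSH_4.3\r\n\x00\x00\x03\x14"),
    # handshake only: tcp-state established is not yet satisfied
    "telnet-syn": dict(proto="tcp", orig_port=40125, resp_port=23, established=False,
                       orig_payload="", resp_payload=""),
}

if __name__ == "__main__":
    for cid, events in scan(CONNECTIONS, parse_signatures(SIGNATURE_TEXT)).items():
        print(cid, events)
```

Two points the run makes visible: the payload regex is anchored at the start of the stream (drop the leading `.*` and a prompt that is not the very first bytes no longer matches), and with `tcp-state responder` the `src-port` check is against the server side, so the same signature shape cannot fire on an SSH session because the login prompt is never in cleartext.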