[Bro] Adding new signatures

Anandraj anandrajm at fastmail.fm
Wed Jun 28 09:04:43 PDT 2006


Hi Guys,
Thanks for your suggestions.

Kindly excuse me for this lengthy mail ;-) !

I have decided to take gnutella as my framework for bittorrent.

Create bittorrent.cc with a frame like

BittorrentMsgState::BittorrentMsgState()
{
    /* Initialize the msg fields */
}

BittorrentConn::BittorrentConn(....)
{
    /* Initialize the Origin and Responder msg states */
}

BittorrentConn::BuildEndpoints()
{
    /* Building the Origin and Responder Endpoints */
}

BittorrentConn::Done()
{
    /* Check for the Connection Establishment */
}

BittorrentConn::NextLine()
{
    /* Traversing the Packet */
}


A few more APIs to be defined based on the Bittorrent protocol ;-)



A rough frame for the bittorrent.bro file will be like

redef capture_filters += { ["bittorrent"] = "port 6881 or port 6882" };
event bittorrent_text_msg(c: connection, orig: bool, headers: string)
event bittorrent_establish(....)

and a few more event definitions !!

Adding a few custom signatures like this

signature bittorrent_announce {
  ip-proto == tcp
  src-port == 6881
  payload /.*announce.*/
  tcp-state established
}

Kindly let me know if a framework like this would work for BitTorrent
support on BRO-IDS or if I need to dig more into BRO-IDS. All your
suggestions are welcome !!

By the way, coming back to the question which I posted yesterday, I'm
sorry for not being clear on my question.

For the following signature built into ../site/signatures.bro
signature s2b-719-7-BRO { /* a rename from s2b-719-7 to s2b-719-7-BRO */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}

I could find a log in the Signatures-xxx.log

1151508123.667965:SensitiveSignature:10.50.27.117:23/tcp:10.50.25.122:2089/tcp:s2b-719-7-BRO:10.50.27.117:TELNET root login:t::

But when I added the following custom signature in
../site/signatures.bro,
I could not find a log in Signatures-xxx.log (the event occurred: I did a
login as anand ;-) )

/* Signature for the event when the user name is anand */
signature telnet_test {
 ip-proto == tcp
 src-port == 23
 event "TELNET anand login"
 tcp-state established,responder
 payload /.*login: anand/
}

I did try bro -s ../site/signatures.bro ! There was no response .. I had
to do a Ctrl + C !

Could someone help me on this !! :-)

Thanks ,
Anand


-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again
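Added example, not from the original post or from the Bro project: a small Python parser for the colon-separated signature-match record quoted above (the field names are assumptions read off that single sample line), plus a per-signature count that makes it easy to confirm whether a newly added signature ever produced a record in the Signatures log.

```python
import re
from dataclasses import dataclass
# Constructed sample: the record quoted in the mail, with the mail client's line wrap removed.
SAMPLE_LINE = ("1151508123.667965:SensitiveSignature:10.50.27.117:23/tcp:"
               "10.50.25.122:2089/tcp:s2b-719-7-BRO:10.50.27.117:TELNET root login:t::")
PORT_PROTO_RE = re.compile(r"^(\d+)/([a-z]+)$")

@dataclass
class SigMatch:
    ts: float
    kind: str
    src_ip: str
    src_port: int
    src_proto: str
    dst_ip: str
    dst_port: int
    dst_proto: str
    sig_id: str
    sig_host: str
    message: str
    trailer: tuple

def _port_proto(s):
    m = PORT_PROTO_RE.match(s)
    if not m:
        raise ValueError("bad port/proto field: %r" % s)
    return int(m.group(1)), m.group(2)

def parse_sig_line(line):
    # Field names are assumptions read off the sample. The first eight fields never
    # contain ':' so they split positionally; the message is what remains after the
    # three trailing fields are split off from the right (so it may itself contain ':').
    parts = line.rstrip("\n").split(":", 8)
    if len(parts) != 9:
        raise ValueError("expected at least 9 fields, got %d" % len(parts))
    ts, kind, src_ip, src_pp, dst_ip, dst_pp, sig_id, sig_host, rest = parts
    tail = rest.rsplit(":", 3)
    if len(tail) != 4:
        raise ValueError("missing trailer fields: %r" % rest)
    src_port, src_proto = _port_proto(src_pp)
    dst_port, dst_proto = _port_proto(dst_pp)
    return SigMatch(float(ts), kind, src_ip, src_port, src_proto, dst_ip, dst_port,
                    dst_proto, sig_id, sig_host, tail[0], tuple(tail[1:]))

def count_by_signature(lines):
    # Matches per signature id: the quick way to see whether a new signature fired at all.
    counts = {}
    for m in (parse_sig_line(l) for l in lines if l.strip()):
        counts[m.sig_id] = counts.get(m.sig_id, 0) + 1
    return counts
```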