[Bro] couple of questions
Christian Kreibich
christian at whoop.org
Tue Mar 21 07:32:51 PST 2006
Hi Jake,
On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> List,
> I have a couple of questions that I can't seem to figure out.
>
> 1) Brian - Thanks for the SSL patch
> Once enabled I don't see any way of filtering out hosts from the
> non-ssl traffic alarm. For example, I have several custom applications
> that use that port for their traffic...don't ask...so I need to be
> able to filter them out of the alarms like below.
>
> "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> SSL: Skipping connection (not an SSL connection?!)!"
>
> The problem seems to be that the detection of non-ssl traffic is done
> in the source SSLProxy engine and I don't really want to be
> recompiling every time I need to add another host. Ideas?
Have a look at the weird_ignore_host set, defined in weird.bro. It allows
you to filter weird-type events based on the event string and source/
destination IP addresses.
http://www.bro-ids.org/Bro-reference-manual/weird-variables.html#weird-variables
Depending on your analysis needs, you could also exclude the custom
traffic via the pcap filtering expression, though I'd imagine that
quickly gets tedious.
> 2) Is it possible in a policy file to perform a size comparison on a
> string?
> For example, if you wanted to see if a filename was longer than a
> certain length. How would you sizeof a string value?
Sure. It depends on what version of Bro you're using. In the development
releases, there's now a magnitude operator |x| that, when given a value,
returns its length, size, or whatever is most meaningful as magnitude
(vector length, table size, string length, etc). In older releases (0.9
and before), the byte_len() function returned a string's length.
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
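
A policy-file sketch of both suggestions in the reply above, added here as an illustration; it is not code from the original message or from the Bro distribution. It assumes weird_ignore_host is indexed by [addr, string], and the host addresses, the weird-name placeholder, the max_filename_len threshold and the choice of ftp_request as the source of filenames are all constructed for the example.

```bro
@load weird

# Hosts whose traffic on the https port is a known custom application.
# The addresses are constructed (documentation range). The string must be
# the exact weird name your Bro version reports for the non-SSL case;
# WEIRD_NAME_PLACEHOLDER is a placeholder, not a real weird name.
redef weird_ignore_host += {
	[192.0.2.10, "WEIRD_NAME_PLACEHOLDER"],
	[192.0.2.11, "WEIRD_NAME_PLACEHOLDER"],
};

# Hypothetical threshold for an over-long filename; &redef lets a
# site policy file change it without editing this script.
const max_filename_len = 255 &redef;

event ftp_request(c: connection, command: string, arg: string)
	{
	# Only commands whose argument is a filename.
	if ( command != "RETR" && command != "STOR" )
		return;

	# Development releases: |x| yields the string's length.
	# On 0.9 and earlier, use byte_len(arg) instead.
	local n = |arg|;

	if ( n > max_filename_len )
		print fmt("long filename (%d bytes) in FTP %s from %s",
			  n, command, c$id$orig_h);
	}
```

Adding another excluded host is then a one-line change to the policy file, with no recompile.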