[Bro] couple of questions

jbabbin at comcast.net jbabbin at comcast.net
Thu Mar 23 19:47:57 PST 2006


Hi Christian, 
I had another question that should hopefully be simple. 
1) In the DNS policy file there is an event for "dns_EDNS_addl". What part of the packet is this field in a DNS connection, and what is the "pldsize" value from? Is there a way to break out the data from this field? 
2) When a DNS record has "DNS_SEC_OK", what is that from the packet connection? 

Thanks, 
Jake 
 -------------- Original message ----------------------
From: Christian Kreibich <christian at whoop.org>
> Hi Jake,
> 
> On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> > List, 
> > I have a couple of questions that I can't seem to figure out. 
> > 
> > 1) Brian - Thanks for the SSL patch 
> >    Once enabled I don't see any way of filtering out hosts from the
> > non-ssl traffic alarm. For example, I have several custom applications
> > that use that port for their traffic...don't ask...so I need to be
> > able to filter them out of the alarms like below. 
> > 
> > "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> > SSL: Skipping connection (not an SSL connection?!)!" 
> > 
> > The problem seems to be that the detection of non-ssl traffic is done
> > in the source SSLProxy engine and I don't really want to be
> > recompiling every time I need to add another host. Ideas? 
> 
> Have a look at the weird_ignore_host set, defined in weird.bro. It allows
> you to filter weird-type events based on the event string and source/
> destination IP addresses.
> 
> http://www.bro-ids.org/Bro-reference-manual/weird-variables.html#weird-variables
> 
> Depending on your analysis needs, you could also exclude the custom
> traffic via the pcap filtering expression, though I'd imagine that
> quickly gets tedious.
> 
> > 2) Is it possible in a policy file to perform a size comparison on a
> > string? 
> > For example, if you wanted to see if a filename was longer than a
> > certain length. How would you sizeof a string value? 
> 
> Sure. It depends on what version of Bro you're using. In the development
> releases, there's now a magnitude operator |x| that, when given a value,
> returns its length, size, or whatever is most meaningful as magnitude
> (vector length, table size, string length, etc). In older releases (0.9
> and before), the byte_len() function returned a string's length.
> 
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
>                                           http://www.cl.cam.ac.uk/~cpk25
>                                                     http://www.whoop.org
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
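As an added example (not from this thread or the Bro project), the Python below pulls the EDNS0 OPT pseudo-RR out of a constructed DNS message. In the OPT record the CLASS field carries the sender's UDP payload size and the top bit of the TTL field is the DNSSEC OK (DO) flag; that these are what the dns_EDNS_addl event's pldsize and DNS_SEC_OK fields report is an assumption made here, not something the thread states.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type code

def build_sample(payload_size=4096, do=True, with_opt=True):
    """Constructed query for example.com/A, optionally with an OPT RR
    in the additional section. Not a captured packet."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if with_opt else 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if not with_opt:
        return hdr + question
    ttl = 0x8000 if do else 0                           # ext-RCODE=0, version=0, DO bit
    # NAME=root (single 0 byte), TYPE=41, CLASS=payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, ttl, 0)
    return hdr + question + opt

def skip_name(buf, off):
    """Return offset just past a (possibly compressed) domain name."""
    while True:
        label_len = buf[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + label_len

def parse_edns(buf):
    """Walk all RR sections; decode the first OPT RR found, else None."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4                  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == OPT_TYPE:
            return {
                "payload_size": rclass,                # advertised UDP payload size
                "ext_rcode": ttl >> 24,
                "version": (ttl >> 16) & 0xFF,
                "do": bool(ttl & 0x8000),             # DNSSEC OK flag
                "z": ttl & 0x7FFF,
                "rdlen": rdlen,                        # length of any EDNS options
            }
        off += rdlen
    return None
```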