[Bro] three things

Mike Dopheide dopheide at ncsa.uiuc.edu
Mon Feb 5 09:42:48 PST 2007


My previous code sample was incomplete; here's an accurate Bro script to 
go along with my trace if anyone wants to try it out.

# Have Bro hand udp_contents the payload of Kerberos (88/udp) packets
# in both directions, not every UDP packet.
redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

global dop = open_log_file("dop") &redef;
global realm = "NCSA.EDU";

event udp_contents(u: connection, is_orig: bool, contents: string)
{
        # strstr() gives the 1-based position of the realm (0 if absent);
        # sub_bytes() then takes the bytes from byte 47 through the end of
        # the realm (8 == |realm|).
        local number = strstr(contents, realm);
        local mystring: string = sub_bytes(contents, 47, (number + 8 - 47));
        print dop, fmt("%s", mystring);
        # "==" against a pattern is an exact (whole-string) match in Bro.
        if ( mystring == /.*NCSA.*/ ) {
                print dop, fmt("YAY");
        }
}

Mike Dopheide wrote:
> The packet you have printed is part of a DNS request (I think).  I've 
> been having problems specifically with the Kerberos AS_REQ packets also 
> included in the trace file that apparently have different special 
> characters.  (I apologize if that wasn't clear.)
> 
> Instead of:
> udp_content_deliver_all_orig = T;
> 
> Try:
> redef udp_content_delivery_ports_orig = { [88/udp] = T };
> redef udp_content_delivery_ports_resp = { [88/udp] = T };
> 
> event udp_contents(u: connection, is_orig: bool, contents: string)
> {
>         local mystring: string = sub_bytes(contents,47,(number+8-47));
>         print dop, fmt("%s",mystring);
>         if(mystring == /.*NCSA.*/ ){
>                 print dop, fmt("YAY");
>         }
> }
> 
> I'm expecting your output to be:
> dopheide\xa2^J\x1b^HNCSA.EDU
> afsman\xa2^J\x1b^HNCSA.EDU
> 
> Rather than:
> dopheide\xa2^J\x1b^HNCSA.EDU
> YAY
> afsman\xa2^J\x1b^HNCSA.EDU
> YAY
> 
> -Mike
> 
> Robin Sommer wrote:
>> On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
>>
>>> Trace attached.  You'll need to run bro with -C to ignore checksum errors.
>> Works for me:
>>
>>       \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
>>       T
>>
>> With this script again:
>>
>>       redef udp_content_deliver_all_orig = T;
>>
>>       event udp_contents(u: connection, is_orig: bool, contents: string)
>>       {
>>          print contents;
>>          print /NCSA/ in contents;
>>       }
>>
>> So, what does your script look like?
>>
>> Robin
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 



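As an added illustration (Python, not Bro, and not code from anyone in this thread), the two payloads the thread prints are reconstructed from the printed bytes as constructed samples and run through a Python analogue of Mike's extraction and of Bro's two pattern operators: `string == /pattern/` is an exact whole-string match, `/pattern/ in string` is a partial match. Reading Mike's output as DER, the 0x0a byte after the 0xa2 tag is the length of the realm element (10 = 2 for the GeneralString header + 8 for "NCSA.EDU"); 0x0a is also the newline character, which Python's `.` does not match by default, so `.*NCSA.*` as a whole-string match fails on that payload and succeeds on Robin's DNS query, which contains no 0x0a. Whether Bro's pattern engine treats newline the same way is not stated on this page. The 46 bytes of filler before the principal and the two trailing bytes are assumptions made so the principal lands at Bro's 1-based byte 47.

```python
import re

# Constructed sample payloads (not captures from the thread's trace); the
# byte strings reproduce what the two scripts in the thread printed.

# Robin's packet: a DNS SRV query for _kerberos-master._udp.NCSA.EDU.
# There is no 0x0a byte anywhere in it.
DNS_SRV_QUERY = (
    b"\xab\xf2"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, RD set
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # 1 question, 0 answer/auth/add RRs
    b"\x10_kerberos-master"              # label length 0x10 == 16
    b"\x04_udp"
    b"\x04NCSA"
    b"\x03EDU"
    b"\x00"                              # end of name
    b"\x00\x21"                          # QTYPE 33 == SRV (printed as '!')
    b"\x00\x01"                          # QCLASS IN
)

# Mike's packet: the bytes his script printed, preceded by filler (assumed)
# so that the principal begins at Bro's 1-based byte 47.  The 0x0a after the
# 0xa2 context tag is a DER length (10 == 2 + 8) and is also '\n'.
PRINCIPAL_OFFSET = 46  # 0-based; Bro's sub_bytes(contents, 47, ...) is 1-based
AS_REQ_FRAGMENT = (
    bytes(PRINCIPAL_OFFSET)                      # assumed filler
    + b"dopheide\xa2\x0a\x1b\x08NCSA.EDU"        # bytes printed in the thread
    + b"\xa3\x00"                                # assumed trailing bytes
)


def extract_principal(payload: bytes, realm: bytes, start: int) -> bytes:
    """Mirror of Mike's sub_bytes(contents, 47, strstr(contents, realm) + 8 - 47):
    the bytes from `start` through the end of the first occurrence of `realm`.
    Returns b'' when the realm is absent (Bro's strstr would return 0)."""
    pos = payload.find(realm)
    if pos < 0:
        return b""
    return payload[start:pos + len(realm)]


def exact_match(pattern: bytes, data: bytes) -> bool:
    """Analogue of Bro's `data == /pattern/`: the pattern must cover all of data."""
    return re.fullmatch(pattern, data) is not None


def partial_match(pattern: bytes, data: bytes) -> bool:
    """Analogue of Bro's `/pattern/ in data`: the pattern may match anywhere."""
    return re.search(pattern, data) is not None


def classify(payload: bytes, realm: bytes = b"NCSA.EDU",
             start: int = PRINCIPAL_OFFSET) -> dict:
    """Run the extraction and the three match variants on one payload."""
    blob = extract_principal(payload, realm, start)
    return {
        "blob": blob,
        "exact_dot_star": exact_match(rb".*NCSA.*", blob),       # Mike's test
        "partial_ncsa": partial_match(rb"NCSA", blob),           # Robin's test
        "exact_dotall": exact_match(rb"(?s).*NCSA.*", blob),     # '.' may match '\n'
    }


if __name__ == "__main__":
    for name, payload, start in (("dns_srv", DNS_SRV_QUERY, 0),
                                 ("as_req", AS_REQ_FRAGMENT, PRINCIPAL_OFFSET)):
        result = classify(payload, start=start)
        print(name, result["blob"])
        for key in ("exact_dot_star", "partial_ncsa", "exact_dotall"):
            print("  ", key, result[key])
```

Run it as a script to see both payloads classified; the AS-REQ fragment yields the same `dopheide\xa2\n\x1b\x08NCSA.EDU` blob the thread shows, fails the whole-string `.*NCSA.*` test, and passes the substring test, while the DNS query passes both. Hard-coding the offset 47 and the realm length 8, as the script on the page does, only works for packets whose client principal sits at exactly that byte; matching on the realm bytes with a partial match does not depend on that layout.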