[Bro] three things
Mike Dopheide
dopheide at ncsa.uiuc.edu
Mon Feb 5 09:42:48 PST 2007
My previous code sample was incomplete; here's an accurate Bro script to
go along with my trace, if anyone wants to try it out.
# Deliver the UDP payload of Kerberos (88/udp) datagrams, in both
# directions, to the udp_contents event.
redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

global dop = open_log_file("dop") &redef;
global realm = "NCSA.EDU";

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# 1-based position of the realm string within the payload (0 if absent)
	local number = strstr(contents, realm);
	# bytes from offset 47 through the last byte of the realm
	# (8 is the length of "NCSA.EDU")
	local mystring: string = sub_bytes(contents, 47, (number + 8 - 47));
	print dop, fmt("%s", mystring);
	# whole-string match of the extracted bytes against the pattern
	if ( mystring == /.*NCSA.*/ )
		{
		print dop, fmt("YAY");
		}
	}
Mike Dopheide wrote:
> The packet you have printed is part of a DNS request (I think). I've
> been having problems specifically with the kerberos AS_REQ packets also
> included in the trace file that apparently have different special
> characters. (I apologize if that wasn't clear.)
>
> Instead of:
> udp_content_deliver_all_orig = T;
>
> Try:
> redef udp_content_delivery_ports_orig = { [88/udp] = T };
> redef udp_content_delivery_ports_resp = { [88/udp] = T };
>
> event udp_contents(u: connection, is_orig: bool, contents: string)
> {
> local mystring: string = sub_bytes(contents,47,(number+8-47));
> print dop, fmt("%s",mystring);
> if(mystring == /.*NCSA.*/ ){
> print dop, fmt("YAY");
> }
> }
>
> I'm expecting your output to be:
> dopheide\xa2^J\x1b^HNCSA.EDU
> afsman\xa2^J\x1b^HNCSA.EDU
>
> Rather than:
> dopheide\xa2^J\x1b^HNCSA.EDU
> YAY
> afsman\xa2^J\x1b^HNCSA.EDU
> YAY
>
> -Mike
>
> Robin Sommer wrote:
>> On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
>>
>>> Trace attached. You'll need to run bro with -C to ignore checksum errors.
>> Works for me:
>>
>> \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
>> T
>>
>> With this script again:
>>
>> redef udp_content_deliver_all_orig = T;
>>
>> event udp_contents(u: connection, is_orig: bool, contents: string)
>> {
>> print contents;
>> print /NCSA/ in contents;
>> }
>>
>> So, what does your script look like?
>>
>> Robin
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
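The following is an added example, not code from the thread or from Bro: a small Python model of what the script above computes, run on a constructed payload rather than on the trace. The 46 filler bytes standing in for the Kerberos header, the helper names (bro_strstr, bro_sub_bytes, extract_principal_and_realm, and the three match functions) and the sample bytes are all assumptions made here. The principal bytes are chosen to reproduce the expected output line "dopheide\xa2^J\x1b^HNCSA.EDU" (^J is 0x0a, ^H is 0x08). It shows the difference between the two matching styles used in the thread: a whole-string comparison against /.*NCSA.*/ versus an unanchored /NCSA/ in search. In Python, '.' does not match a newline byte unless re.DOTALL is given; if Bro's matcher follows the same flex convention (my assumption, not something the thread states), a 0x0a byte inside the principal would make the == form fail while the in form still succeeds.

```python
import re
from typing import Optional

# Realm the thread's script searches for.
REALM = b"NCSA.EDU"

# Constructed sample payload (not from the trace, an assumption for this
# example): 46 filler bytes stand in for the Kerberos/ASN.1 header that
# precedes the client principal at 1-based offset 47 in the script, then a
# principal containing a newline byte (0x0a, printed as ^J by Bro), then
# the realm, then two trailing bytes.
SAMPLE_AS_REQ = b"\x00" * 46 + b"dopheide\xa2\n\x1b\x08" + REALM + b"\x00\x00"


def bro_strstr(big: bytes, little: bytes) -> int:
    """Model of Bro's strstr(): 1-based position of little in big, 0 if absent."""
    pos = big.find(little)
    return 0 if pos < 0 else pos + 1


def bro_sub_bytes(s: bytes, start: int, n: int) -> bytes:
    """Model of Bro's sub_bytes(s, start, n): n bytes from 1-based position start."""
    return s[start - 1 : start - 1 + n]


def extract_principal_and_realm(contents: bytes, realm: bytes = REALM,
                                start: int = 47) -> Optional[bytes]:
    """The slice the script computes: sub_bytes(contents, 47, number + 8 - 47).

    number is strstr(contents, realm) and 8 is len("NCSA.EDU"), so the
    slice runs from offset 47 through the last byte of the realm.
    """
    number = bro_strstr(contents, realm)
    if number == 0:
        # Realm absent: the script would compute a negative length here,
        # so a caller should check this before slicing.
        return None
    return bro_sub_bytes(contents, start, number + len(realm) - start)


def whole_string_dot_star(s: bytes) -> bool:
    """Counterpart of `mystring == /.*NCSA.*/`: the pattern must cover the
    whole string. '.' does not match 0x0a, so a newline byte in the
    principal makes this fail even though NCSA is present."""
    return re.fullmatch(rb".*NCSA.*", s) is not None


def whole_string_dotall(s: bytes) -> bool:
    """Same whole-string match, but with '.' allowed to match 0x0a."""
    return re.fullmatch(rb".*NCSA.*", s, re.DOTALL) is not None


def realm_in(s: bytes) -> bool:
    """Counterpart of `/NCSA/ in contents`: an unanchored search, no '.*' involved."""
    return re.search(rb"NCSA", s) is not None


if __name__ == "__main__":
    extracted = extract_principal_and_realm(SAMPLE_AS_REQ)
    print(extracted)
    print("mystring == /.*NCSA.*/ :", whole_string_dot_star(extracted))
    print("same with DOTALL       :", whole_string_dotall(extracted))
    print("/NCSA/ in mystring     :", realm_in(extracted))
```

Run stand-alone, the script prints the extracted principal-plus-realm bytes, then False for the whole-string match, True once '.' may cross the newline byte, and True for the unanchored search. The practical lesson for matching on raw UDP payload is to prefer the search form (or an explicit byte class) over `.*`-anchored equality, since control bytes in binary protocol fields are normal rather than exceptional.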