[Bro] UDP contents
Mike Dopheide
dopheide at ncsa.uiuc.edu
Mon Jan 29 12:22:26 PST 2007
I'm having a slight problem getting the contents of Kerberos UDP
packets. This is my first attempt at Bro so hopefully my error is
something simple.
Bro version 1.1d
When a client requests an initial Kerberos ticket it sends a request to
the server (AS_REQ) and the server reply is usually either the ticket or
an error. I want to watch the initial AS_REQ, but all I'm seeing is the
response from the server.
In this case, /tmp/trace2.out is a tcpdump of a couple of Kerberos requests
from the client's perspective, and the AS_REQs are there when looking
at the dump via ethereal.
/usr/local/bro/bin/bro -r /tmp/trace2.out hostname.bro
====== policy/bro.init =============
...
const udp_content_deliver_all_orig = T &redef;
const udp_content_deliver_all_resp = T &redef;
...
====== site/hostname.bro ========
@prefixes = local
@load site
@load conn.bro # not really needed
global dop = open_log_file("dop") &redef;

# Fires once per UDP payload; is_orig is T when the originator (client) sent it.
event udp_contents(u: connection, is_orig: bool, contents: string)
{
    local id = u$id;
    print dop, fmt("KDC %s %s", id$orig_p, id$resp_p);
    print dop, fmt("contents %s", contents);
}
===========================
Sample output from one of the requests; this is the server responding
back to the client. Again, Bro is running on the client.
KDC 32898/udp 88/udp
contents
~\x82^A^I0\x82^A^E\xa0^C^B^A^E\xa1^C^B^A\x1e\xa2^Q^X^O20070125213047Z\xa4^Q^X^O20070125213048Z\xa5^E^B^C^F\x80\xb5\xa6^C^B^A^Y\xa7^J\x1b^HNCSA.EDU\xa8^U0^S\xa0^C^B^A^A\xa1^L0^J\x1b^Hdopheide\xa9^J\x1b^HNCSA.EDU\xaa\x1d0\x1b\xa0^C^B^A\0\xa1^T0^R\x1b^Fkrbtgt\x1b^HNCSA.EDU\xab^Q\x1b^ONEEDED_PREAUTH\0\xacf^Dd0b0^I\xa1^C^B^A^B\xa2^B^D\00J\xa1^C^B^A^S\xa2C^DA0?0^E\xa0^C^B^A^R0^E\xa0^C^B^A^P0^E\xa0^C^B^A^A0^E\xa0^C^B^A^C0^I\xa0^C^B^A^A\xa1^B\x1b\00^V\xa0^C^B^A^A\xa1^J\x1b^HNCSA.EDU\xa2^C^D^A^A0^I\xa1^C^B^A^M\xa2^B^D\0
Any thoughts? Is it just because the AS_REQ is outgoing on the system
where Bro is running? (And why would that matter?)
-Mike
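Added example, not code from the post or from Bro: a small Python decoder for the escaped udp_contents string above. It turns the printed form back into bytes and walks the DER structure, which shows that the leading `~` (0x7e) is the APPLICATION 30 tag of a KRB-ERROR, i.e. the KDC's reply (error-code 25, KDC_ERR_PREAUTH_REQUIRED), whereas a client AS-REQ would start with APPLICATION 10 (0x6a, printed as `j`). It assumes the ^X / \xNN / \0 notation is the usual caret and hex escaping of non-printable bytes.

```python
import re
# The udp_contents string as printed in the post above, copied verbatim (escaped
# form: \xNN for bytes >= 0x80, ^X for control bytes, \0 for NUL).
DUMP = r"~\x82^A^I0\x82^A^E\xa0^C^B^A^E\xa1^C^B^A\x1e\xa2^Q^X^O20070125213047Z\xa4^Q^X^O20070125213048Z\xa5^E^B^C^F\x80\xb5\xa6^C^B^A^Y\xa7^J\x1b^HNCSA.EDU\xa8^U0^S\xa0^C^B^A^A\xa1^L0^J\x1b^Hdopheide\xa9^J\x1b^HNCSA.EDU\xaa\x1d0\x1b\xa0^C^B^A\0\xa1^T0^R\x1b^Fkrbtgt\x1b^HNCSA.EDU\xab^Q\x1b^ONEEDED_PREAUTH\0\xacf^Dd0b0^I\xa1^C^B^A^B\xa2^B^D\00J\xa1^C^B^A^S\xa2C^DA0?0^E\xa0^C^B^A^R0^E\xa0^C^B^A^P0^E\xa0^C^B^A^A0^E\xa0^C^B^A^C0^I\xa0^C^B^A^A\xa1^B\x1b\00^V\xa0^C^B^A^A\xa1^J\x1b^HNCSA.EDU\xa2^C^D^A^A0^I\xa1^C^B^A^M\xa2^B^D\0"
def decode_bro_escapes(text):
    """Turn the escaped print form back into the raw UDP payload bytes."""
    out = bytearray()
    for m in re.finditer(r"\\x([0-9a-fA-F]{2})|\\0|\^(.)|(.)", text):
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))       # \xNN
        elif m.group(2) is not None:
            out.append(ord(m.group(2)) ^ 0x40)    # ^A -> 0x01, ^Q -> 0x11, ...
        elif m.group(3) is not None:
            out.append(ord(m.group(3)))           # plain printable byte
        else:
            out.append(0)                         # \0
    return bytes(out)

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# Kerberos msg-type -> name; the outer DER tag is APPLICATION n, i.e. 0x60 | n.
KRB_MSG = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}
CLIENT_SENT = {10, 12}                            # the only types a client sends

def parse_krb_message(buf):
    tag, body, _ = read_tlv(buf, 0)               # APPLICATION n wrapper
    if tag & 0xE0 != 0x60:
        raise ValueError("not a Kerberos APPLICATION tag: 0x%02x" % tag)
    _, seq, _ = read_tlv(body, 0)                 # the SEQUENCE of [n] fields
    fields, pos = {}, 0
    while pos < len(seq):
        ctag, cval, pos = read_tlv(seq, pos)      # [n] EXPLICIT wrapper
        fields[ctag & 0x1F] = read_tlv(cval, 0)[1]  # the value it wraps
    return tag & 0x1F, fields

def summarize(buf):
    msg_type, f = parse_krb_message(buf)          # which side sent it, and why
    info = {"msg_type": msg_type, "name": KRB_MSG.get(msg_type, "unknown"),
            "from_kdc": msg_type not in CLIENT_SENT}
    if msg_type == 30:                            # KRB-ERROR field numbers per RFC 4120
        info["error_code"] = int.from_bytes(f[6], "big")  # 25 = KDC_ERR_PREAUTH_REQUIRED
        info["crealm"] = f[7].decode("ascii")
        info["e_text"] = f[11].decode("ascii").rstrip("\0")
    return info
KDC_REPLY = decode_bro_escapes(DUMP)              # 269 bytes, first byte 0x7e ('~')
```

Seeing only `from_kdc` payloads from the handler is the same symptom the post describes: the client's AS-REQ (0x6a) never reaches udp_contents.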