[Bro] Signature Match for TCP packets.
Robin Sommer
robin at icir.org
Wed Nov 7 21:55:02 PST 2007
On Wed, Nov 07, 2007 at 09:56 +0530, you wrote:
> signature tcp_http {
> dst-port == 80
> event "HTTP Packet"
> }
>
> This should match all packets sent to port 80 including the handshake
> packets. But no match was happening when I sent HTTP traffic.
Just tried it and it works for me.
How exactly are you starting Bro? One random guess: is the packet
filter including HTTP packets? Try running with "-f tcp".
> In RuleMatcher::InitEndpoint, the DO_MATCH_OR is called only if 'ip' (IP_Hdr
> *ip) is not NULL. For a TCP packet, the
> PIA_TCP::DeliverStream calls DoMatch with ip set to 0.
Without double-checking the code, the important thing here is that
for TCP only the first packet of each connection is matched against
the header conditions. This is because the payload-conditions match
streamwise and semantics would be unclear if we'd match against all
packet headers (e.g., what happens if a payload match crosses a
packet boundary but the header-conditions only match one of the two
packets?). So the basic model is that the header conditions pick out
the *connections* on which payload matching is then performed.
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
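The model Robin describes, written up as an added Python simulation (this is not Bro's own code): the header condition is evaluated only on the first packet of each connection and thereby selects connections, and the payload condition is then searched in each selected connection's reassembled stream. The packets, connection ids and the `match_per_packet` contrast function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed packets as (connection id, dst port, TCP payload); not real traffic.
# The connection ids stand in for the usual 5-tuple.
PACKETS = [
    ("c1", 80, b"GET /ind"),                    # first packet of c1 -> header condition holds
    ("c2", 8080, b"GET /index.html HTTP/1.0"),  # first packet of c2 -> never selected
    ("c1", 80, b"ex.html HTTP/1.0\r\n"),        # "/index.html" spans this and the first c1 packet
    ("c3", 80, b""),                            # first packet of c3 is a bare SYN: empty payload
    ("c3", 80, b"POST /upload HTTP/1.1\r\n"),
]


def match_streamwise(packets, dst_port, payload_re=None):
    """Model of the semantics in the reply: the header condition is checked on
    the first packet of each connection only, which selects *connections*; the
    payload condition is then searched in each selected connection's
    reassembled stream, so a match may cross packet boundaries."""
    first_seen, selected = set(), set()
    streams = defaultdict(bytes)
    for conn, port, payload in packets:
        if conn not in first_seen:
            first_seen.add(conn)
            if port == dst_port:
                selected.add(conn)
        if conn in selected:
            streams[conn] += payload
    if payload_re is None:                      # header-only signature, like tcp_http above
        return {conn: None for conn in selected}
    pattern = re.compile(payload_re)
    hits = {}
    for conn in selected:
        m = pattern.search(streams[conn])
        if m:
            hits[conn] = m.group(0)
    return hits


def match_per_packet(packets, dst_port, payload_re):
    """The rejected alternative: check header and payload on every packet in
    isolation. A payload match split across two packets is missed."""
    pattern = re.compile(payload_re)
    hits = {}
    for conn, port, payload in packets:
        m = pattern.search(payload) if port == dst_port else None
        if m and conn not in hits:
            hits[conn] = m.group(0)
    return hits


if __name__ == "__main__":
    print(match_streamwise(PACKETS, 80))                        # {'c1': None, 'c3': None}
    print(match_streamwise(PACKETS, 80, rb"GET /index\.html"))  # {'c1': b'GET /index.html'}
    print(match_per_packet(PACKETS, 80, rb"GET /index\.html"))  # {}
```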