[Bro] grp ports variable and dpd on bro not work ?

rmkml rmkml at free.fr
Wed Feb 27 01:46:21 PST 2008


Hi,
Bro ids is very good idps project !
Im work on adding snort/trons rules on bro, but I have little pb please.
ok first look one bro signature : (mysnortrules file)
signature sid-1812 {
   ip-proto == tcp
   dst-port == ssh_ports
   event "EXPLOIT gobbles SSH exploit attempt"
   tcp-state established,originator
   payload /.*GOBBLES/
   }
Im start bro with:
  bro -C -r exploit_sshgobbles22.pcap -s mysnortrules -f 'ip or tcp or udp' bro.init mt
mt.bro contains dpd, snort... (not dyn-disable.bro)
Joigned two pcap file:
a)exploit_sshgobbles22.pcap
b)exploit_sshgobbles22000.pcap

bro with dpd detect ssh connect (client and server) but mysnortrules not work, 
if I comment (#dst-port == ssh_ports) bro alert (bro use default ssh port {22})
if I replace (dst-port == 22) bro alert

1) It is possible detect GOBBLES alert without fix tcp port ? (and use dpd)

2) if I replace 'payload /.*GOBBLES/' to 'ssh /.*GOBBLES/', bro stop and alert: parse error  (on this line)
  -> maybe in next bro releases ? (like http payload)

My test are on bro v1.3.2 with ipv6 enabled on linux fedora core 7 i386 plateform.

Thx for any help or comments.

Best Regards
Rmkml
Crusoe Researches
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit_sshgobbles22.pcap
Type: application/octet-stream
Size: 725 bytes
Desc: 
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit_sshgobbles22000.pcap
Type: application/octet-stream
Size: 1076 bytes
Desc: 
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment-0001.obj 


More information about the Bro mailing list