[Bro] grp ports variable and dpd on bro not work ?
rmkml
rmkml at free.fr
Wed Feb 27 01:46:21 PST 2008
Hi,
Bro IDS is a very good IDPS project!
I'm working on adding snort/trons rules to Bro, but I have a little problem.
OK, first look at one Bro signature (from the mysnortrules file):
signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
}
I start Bro with:
bro -C -r exploit_sshgobbles22.pcap -s mysnortrules -f 'ip or tcp or udp' bro.init mt
mt.bro contains dpd, snort, ... (not dyn-disable.bro)
Attached are two pcap files:
a)exploit_sshgobbles22.pcap
b)exploit_sshgobbles22000.pcap
Bro with DPD detects the SSH connection (client and server), but mysnortrules does not work;
if I comment out the port condition (#dst-port == ssh_ports), Bro alerts (Bro uses the default SSH port {22});
if I replace it with (dst-port == 22), Bro alerts.
1) Is it possible to detect the GOBBLES alert without a fixed TCP port (and use DPD)?
2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', Bro stops with a parse error on this line.
-> maybe in a future Bro release? (like the http payload conditions)
My tests are on Bro v1.3.2 with IPv6 enabled, on a Linux Fedora Core 7 i386 platform.
Thanks for any help or comments.
Best Regards
Rmkml
Crusoe Researches
Attachments (non-text, scrubbed by the list archive):
exploit_sshgobbles22.pcap (application/octet-stream, 725 bytes)
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment.obj
exploit_sshgobbles22000.pcap (application/octet-stream, 1076 bytes)
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment-0001.obj
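The port-independent matching asked about in question 1, as an added example that is not part of the original post or of Bro itself. Bro's signature language can chain signatures with `requires-signature` and `requires-reverse-signature`, so a GOBBLES signature can depend on the DPD SSH signatures instead of on `dst-port`; the signature names `dpd_ssh_client` and `dpd_ssh_server` that dpd.sig would supply are my assumption about that file, not something the post shows. The Python below models exactly that gating on a constructed set of TCP segments: a connection is tagged SSH once both directions open with an SSH banner, and the GOBBLES pattern is then checked only on the originator side of tagged connections, whatever the port. The traffic is made up to mirror the two attached pcaps (SSH on 22 and on 22000) plus two non-SSH controls; the optional `port` argument reproduces the fixed-port behaviour for comparison.

```python
import re

# Constructed sample traffic (not real captures): one record per TCP segment
# that carries payload.  Fields: connection id, direction ('orig' = client to
# server, 'resp' = server to client), destination port, payload bytes.
SAMPLE_SEGMENTS = [
    ("c1", "orig", 22,    b"SSH-1.99-OpenSSH_3.1\r\n"),            # like exploit_sshgobbles22.pcap
    ("c1", "resp", 22,    b"SSH-1.99-OpenSSH_3.1p1\r\n"),
    ("c1", "orig", 22,    b"\x00\x00\x00\x05GOBBLES" + b"\x90" * 16),
    ("c2", "orig", 22000, b"SSH-1.99-OpenSSH_3.1\r\n"),            # like exploit_sshgobbles22000.pcap
    ("c2", "resp", 22000, b"SSH-1.99-OpenSSH_3.1p1\r\n"),
    ("c2", "orig", 22000, b"\x00\x00\x00\x05GOBBLES" + b"\x90" * 16),
    ("c3", "orig", 22,    b"GET / HTTP/1.0\r\n\r\n"),               # HTTP on port 22: not SSH
    ("c3", "resp", 22,    b"HTTP/1.0 200 OK\r\n\r\nGOBBLES"),
    ("c4", "orig", 2222,  b"hello GOBBLES"),                        # no SSH banner at all
]

# Same banner test the dpd_ssh_* signatures apply (assumed from dpd.sig):
# the first payload in a direction must start with "SSH-1." or "SSH-2.".
SSH_BANNER = re.compile(rb"^[sS][sS][hH]-[12]\.")
# The payload condition of sid-1812; the leading ".*" of the original is
# implicit in a search over the reassembled stream.
GOBBLES = re.compile(rb"GOBBLES")
EVENT = "EXPLOIT gobbles SSH exploit attempt"


class Connection:
    """Per-connection state: reassembled payload per direction and DPD verdicts."""

    def __init__(self, dst_port):
        self.dst_port = dst_port
        self.stream = {"orig": b"", "resp": b""}
        self.banner = {"orig": None, "resp": None}  # None until first payload seen
        self.alerted = False

    def is_ssh(self):
        # Equivalent of dpd_ssh_client + requires-reverse-signature dpd_ssh_server:
        # both sides must have presented an SSH banner.
        return self.banner["orig"] is True and self.banner["resp"] is True


def feed(conns, cid, direction, dst_port, payload):
    """Record one segment; decide the banner verdict on the first payload only."""
    conn = conns.setdefault(cid, Connection(dst_port))
    if conn.banner[direction] is None:
        conn.banner[direction] = bool(SSH_BANNER.match(payload))
    conn.stream[direction] += payload
    return conn


def detect(segments, port=None):
    """Return (connection id, dst port, event) for every GOBBLES match on the
    originator side of a DPD-identified SSH connection.  When `port` is given,
    additionally require that destination port, i.e. the fixed-port signature."""
    conns = {}
    alerts = []
    for cid, direction, dst_port, payload in segments:
        conn = feed(conns, cid, direction, dst_port, payload)
        if conn.alerted or direction != "orig" or not conn.is_ssh():
            continue
        if port is not None and conn.dst_port != port:
            continue
        if GOBBLES.search(conn.stream["orig"]):
            conn.alerted = True
            alerts.append((cid, conn.dst_port, EVENT))
    return alerts


if __name__ == "__main__":
    for cid, dst_port, event in detect(SAMPLE_SEGMENTS):
        print(f"{cid} dst-port={dst_port}: {event}")
    print("fixed to port 22:", [a[0] for a in detect(SAMPLE_SEGMENTS, port=22)])
```

With no port constraint both SSH connections (22 and 22000) fire and neither control does, because c3 never shows an SSH banner and c4 has no responder banner; with `port=22` only c1 fires, which is the behaviour the post sees with `dst-port == 22`.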