[Bro] grp ports variable and dpd on bro not work ?

Robin Sommer robin at icir.org
Fri Feb 29 08:52:58 PST 2008


On Wed, Feb 27, 2008 at 10:46 +0100, you wrote:

> 1) It is possible detect GOBBLES alert without fix tcp port ? (and use dpd)

This works fine for me:

> cat test.sig 
signature sid-1812 {
  ip-proto == tcp
  event "EXPLOIT gobbles SSH exploit attempt"
  tcp-state established,originator
  payload /.*GOBBLES/
  }
> bro -C -r exploit_sshgobbles22000.pcap -s ./test.sig -f tcp tcp signatures dpd
1204117394.397943 SensitiveSignature 10.100.11.49: EXPLOIT gobbles SSH exploit attempt

How does your mt.bro look?

> 2) if I replace 'payload /.*GOBBLES/' to 'ssh /.*GOBBLES/', bro stop and alert: parse error  (on this line)
>  -> maybe in next bro releases ? (like http payload)

What exactly do you want the "ssh" keyword to do? As most of an
ssh session is encrypted, it could match only on the first--which is
just what payload is doing as well (note that Bro stops processing
SSH content after the first line, i.e., payload is not doing any
further matching).

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org