[Bro] grp ports variable and dpd on bro not work ?

rmkml rmkml at free.fr
Fri Feb 29 04:49:31 PST 2008


Thanks for the reply, Robin,
OK, my mt.bro contains, in this example:
  @load alarm
  @load dns-lookup
  @load hot
  @load frag
  @load tcp
  @load scan
  @load weird
  @load finger
  @load ident
  @load ftp
  @load login
  @load portmapper
  @load ntp
  @load tftp
  @load dpd
  @load ssh
  @load irc-bot
  #@load dyn-disable
  @load detect-protocols
  @load site
  @load snort
OK, I understand my problem: in my signature example I had missed dst-port. OK,
please test with this signature:
  signature sid-1812 {
   ip-proto == tcp
   dst-port == ssh_ports
   event "EXPLOIT gobbles SSH exploit attempt"
   tcp-state established,originator
   payload /.*GOBBLES/
   }
this example does NOT work on the two pcap files,

OK, change dst-port:
  signature sid-1812 {
   ip-proto == tcp
   dst-port == 22
   event "EXPLOIT gobbles SSH exploit attempt"
   tcp-state established,originator
   payload /.*GOBBLES/
   }
this example WORKS on the pcap file with ssh on port 22/tcp,

but why does ssh_ports not work? (ssh.log contains ssh_version client/server
on the two example pcap files)

grep ssh_ports policy/*    # default conf :
policy/ssh.bro:global ssh_ports = { 22/tcp } &redef;
policy/ssh.bro:redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };

For the second question, thanks for your comments.
Regards
Rmkml


On Fri, 29 Feb 2008, Robin Sommer wrote:

> Date: Fri, 29 Feb 2008 08:52:58 -0800
> From: Robin Sommer <robin at icir.org>
> To: rmkml <rmkml at free.fr>
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] grp ports variable and dpd on bro not work ?
> 
>
> On Wed, Feb 27, 2008 at 10:46 +0100, you wrote:
>
>> 1) It is possible detect GOBBLES alert without fix tcp port ? (and use dpd)
>
> This works fine for me:
>
>> cat test.sig
> signature sid-1812 {
>  ip-proto == tcp
>  event "EXPLOIT gobbles SSH exploit attempt"
>  tcp-state established,originator
>  payload /.*GOBBLES/
>  }
>> bro -C -r exploit_sshgobbles22000.pcap -s ./test.sig -f tcp tcp signatures dpd
> 1204117394.397943 SensitiveSignature 10.100.11.49: EXPLOIT gobbles SSH exploit attempt
>
> How does your mt.bro look?
>
>> 2) if I replace 'payload /.*GOBBLES/' to 'ssh /.*GOBBLES/', bro stop and alert: parse error  (on this line)
>>  -> maybe in next bro releases ? (like http payload)
>
> What exactly do you want the "ssh" keyword to do? As most of an
> ssh session is encrypted, it could match only on the first--which is
> just what payload is doing as well (note that Bro stops processing
> SSH content after the first line, i.e., payload is not doing any
> further matching).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>

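A small Python model of the signature semantics rmkml expects above (a `dst-port` condition that takes either a literal port or a port-set name such as `ssh_ports`), added here as an illustration; it is not Bro's signature engine and not code from this thread. It assumes a constructed `PORT_SETS` table standing in for `ssh_ports = { 22/tcp }`, a constructed sample connection, and Bro-style payload matching anchored at the start of the data.

```python
import re
# Constructed stand-in for Bro's `global ssh_ports = { 22/tcp } &redef;`.
PORT_SETS = {"ssh_ports": {22}}

def parse_signature(text):
    """Parse one `signature <id> { ... }` block into a dict of conditions."""
    m = re.search(r"signature\s+(\S+)\s*\{(.*)\}", text, re.S)
    if not m:
        raise ValueError("not a signature block")
    sig = {"id": m.group(1)}
    for line in filter(None, map(str.strip, m.group(2).splitlines())):
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("ip-proto", "dst-port"):  # `ip-proto == tcp`, `dst-port == 22`
            value = value.split("==", 1)[1].strip()
        elif key == "tcp-state":              # `established,originator`
            value = {s.strip() for s in value.split(",")}
        elif key == "payload":                # `/.*GOBBLES/`, anchored at offset 0
            value = re.compile(value.strip("/").encode())
        sig[key] = value
    return sig

def resolve_ports(spec):
    # A dst-port value is a literal port or the name of a port set.
    return {int(spec)} if spec.isdigit() else PORT_SETS[spec]

def matches(sig, conn):
    """conn: dict with proto, dst_port, established, originator, payload."""
    if sig.get("ip-proto", conn["proto"]) != conn["proto"]:
        return False
    if "dst-port" in sig and conn["dst_port"] not in resolve_ports(sig["dst-port"]):
        return False
    state = sig.get("tcp-state", set())
    if "established" in state and not conn["established"]:
        return False
    if "originator" in state and not conn["originator"]:
        return False
    return "payload" not in sig or sig["payload"].match(conn["payload"]) is not None

SIG_SET = """signature sid-1812 {
 ip-proto == tcp
 dst-port == ssh_ports
 event "EXPLOIT gobbles SSH exploit attempt"
 tcp-state established,originator
 payload /.*GOBBLES/
 }"""
SIG_LITERAL = SIG_SET.replace("dst-port == ssh_ports", "dst-port == 22")
# Constructed sample: originator side of an established TCP flow to 22/tcp.
SAMPLE = {"proto": "tcp", "dst_port": 22, "established": True,
          "originator": True, "payload": b"SSH-2.0-GOBBLES_test\r\n"}
```

With the set resolved to 22, both forms of sid-1812 match the same sample, which is the behaviour the post above expects from the variable form.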