[Bro] grp ports variable and dpd on bro not work ?
rmkml
rmkml at free.fr
Fri Feb 29 04:49:31 PST 2008
Thanks for the reply Robin,
ok, my mt.bro contains in this example:
@load alarm
@load dns-lookup
@load hot
@load frag
@load tcp
@load scan
@load weird
@load finger
@load ident
@load ftp
@load login
@load portmapper
@load ntp
@load tftp
@load dpd
@load ssh
@load irc-bot
#@load dyn-disable
@load detect-protocols
@load site
@load snort
ok, I understand my problem: in my signature example I missed dst-port, ok,
please test with this signature:
signature sid-1812 {
ip-proto == tcp
dst-port == ssh_ports
event "EXPLOIT gobbles SSH exploit attempt"
tcp-state established,originator
payload /.*GOBBLES/
}
this example does NOT work on the two pcap files,
ok, change dst-port:
signature sid-1812 {
ip-proto == tcp
dst-port == 22
event "EXPLOIT gobbles SSH exploit attempt"
tcp-state established,originator
payload /.*GOBBLES/
}
this example WORKS on the pcap file with ssh on port 22/tcp,
but why does ssh_ports not work? (ssh.log contains ssh_version client/server
on both example pcap files)
grep ssh_ports policy/* # default conf :
policy/ssh.bro:global ssh_ports = { 22/tcp } &redef;
policy/ssh.bro:redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };
For the second question, thanks for your comments.
Regards
Rmkml
On Fri, 29 Feb 2008, Robin Sommer wrote:
> Date: Fri, 29 Feb 2008 08:52:58 -0800
> From: Robin Sommer <robin at icir.org>
> To: rmkml <rmkml at free.fr>
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] grp ports variable and dpd on bro not work ?
>
>
> On Wed, Feb 27, 2008 at 10:46 +0100, you wrote:
>
>> 1) Is it possible to detect the GOBBLES alert without a fixed tcp port? (and use dpd)
>
> This works fine for me:
>
>> cat test.sig
> signature sid-1812 {
> ip-proto == tcp
> event "EXPLOIT gobbles SSH exploit attempt"
> tcp-state established,originator
> payload /.*GOBBLES/
> }
>> bro -C -r exploit_sshgobbles22000.pcap -s ./test.sig -f tcp tcp signatures dpd
> 1204117394.397943 SensitiveSignature 10.100.11.49: EXPLOIT gobbles SSH exploit attempt
>
> How does your mt.bro look?
>
>> 2) if I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', bro stops and alerts: parse error (on this line)
>> -> maybe in a future bro release? (like http payload)
>
> What exactly do you want the "ssh" keyword to do? As most of an
> ssh session is encrypted, it could match only on the first line--which is
> just what payload is doing as well (note that Bro stops processing
> SSH content after the first line, i.e., payload is not doing any
> further matching).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
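The two signatures in the thread show the literal port working where the policy-script variable name does not. As an added helper (not part of the thread or of Bro), here is a Python script with constructed sample input that expands a script-level port set such as ssh_ports into a literal port list inside a .sig file; it assumes the `global NAME = { N/tcp } &redef;` form shown in policy/ssh.bro and comma-separated port lists in the signature language.

```python
import re

# Constructed sample inputs (not from the thread): a port-set definition in
# the form used by policy/ssh.bro, and the signature that used the variable
# name instead of literal ports.
POLICY_SRC = "global ssh_ports = { 22/tcp, 2222/tcp } &redef;\n"
SIG_SRC = """signature sid-1812 {
ip-proto == tcp
dst-port == ssh_ports
event "EXPLOIT gobbles SSH exploit attempt"
tcp-state established,originator
payload /.*GOBBLES/
}
"""

PORTSET_RE = re.compile(r"global\s+(\w+)\s*=\s*\{([^}]*)\}\s*&redef\s*;")
PORT_COND_RE = re.compile(r"^(\s*(?:src|dst)-port\s*==\s*)(\w+)[ \t]*$", re.M)


def parse_port_sets(policy_src):
    """Map each `global NAME = { N/tcp, ... } &redef;` to its numeric ports."""
    sets = {}
    for name, body in PORTSET_RE.findall(policy_src):
        sets[name] = [int(p) for p in re.findall(r"(\d+)/tcp", body)]
    return sets


def expand_port_variables(sig_src, port_sets):
    """Rewrite `src-port/dst-port == NAME` into a literal, comma-separated
    port list (assumed signature-language syntax) and report each change."""
    changes = []

    def repl(m):
        prefix, rhs = m.group(1), m.group(2)
        if rhs.isdigit() or rhs not in port_sets:
            return m.group(0)  # already literal, or unknown name: leave as-is
        literal = ",".join(str(p) for p in port_sets[rhs])
        changes.append((rhs, literal))
        return prefix + literal

    return PORT_COND_RE.sub(repl, sig_src), changes


if __name__ == "__main__":
    rewritten, changed = expand_port_variables(SIG_SRC, parse_port_sets(POLICY_SRC))
    for name, literal in changed:
        print("expanded %s -> %s" % (name, literal))
    print(rewritten)
```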