[Bro] ssh alternative ports

rmkml rmkml at free.fr
Wed Nov 12 00:50:53 PST 2008


Hi,
If I apply your patch to policy/ssh.bro (move to export{})
and if I change policy/snort.bro (for example):
  redef SSH::ssh_ports += { 2122/tcp };
Bro works, but if I have a signature that uses ssh_ports, it does not work:
  signature sid-1812 {
   ip-proto == tcp
#  dst-port == ssh_ports # <-----
   event "EXPLOIT gobbles SSH exploit attempt"
   tcp-state established,originator
   payload /.*GOBBLES/
   }
brov140ipv6 error:
Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports)

Do you have an idea?
Regards
Rmkml
Crusoe-Researches.com


On Wed, 12 Nov 2008, Robin Gruyters wrote:

> Date: Wed, 12 Nov 2008 09:23:32 +0100
> From: Robin Gruyters <r.gruyters at snow.nl>
> To: Robin Sommer <robin at icir.org>
> Cc: bro at bro-ids.org, bro at ICSI.Berkeley.EDU
> Subject: Re: [Bro] ssh alternative ports
> 
> Robin,
>
> Okay, I have attached a patch for ssh.bro, which includes exported ssh_ports and
> ssh_log.
>
> With kind regards,
>
> Robin Gruyters
>
>
> Quoting Robin Sommer <robin at icir.org>:
>
>>
>> On Tue, Nov 11, 2008 at 09:21 +0100, you wrote:
>>
>>> bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter
>>> ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not previously defined
>>
>> You indeed need the SSH prefix. Using that, I get a different error
>> message:
>>
>> # bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter
>> ./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports
>>
>> Which is true: the id is not exported in ssh.bro and therefore
>> can't be redefined (I think it should be exported though).
>>
>> Robin
>>
>> --
>> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
>> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>>
>


