[Bro] raw bytes question
Seth Hall
hall.692 at osu.edu
Thu Apr 16 10:19:07 PDT 2009
Hi Tim,
On Apr 16, 2009, at 12:13 PM, Tim Rupp wrote:
> Is there an event I can hook that would allow me to do a regex on the
> raw bytes of a packet if I knew the hex pattern of the bytes I want to
> match?
If you want an example of working with signatures and policy script, I
went ahead and added a script for detecting SSN leakage that works by
having a signature that is subsequently handled in policy script. It
uses a list of known US SSNs for your organization and filters out
false positives by using that list. We've caught quite a few minor
violations with this script since we started running it.
Here's the policy script:
http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn-exposure.bro
The corresponding signature definition file is here:
http://github.com/sethhall/bro_scripts/blob/819d078ad9cf59d9f594f2682fcd6d3c8b89d6ad/ssn.sig
Let me know if you have any problems understanding what's happening
between the signature definition and the policy script. That simple
interaction is a little muddied by the rest of the script.
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
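The mechanism Seth describes, a signature doing the byte-level regex and policy script filtering the hits against a known list, as an added example that is not the script linked above and not part of the original message. It is written in Bro 2.x syntax (`@load-sigs`, `find_all`, the Notice framework), which differs from the 2009-era Bro the thread used; the file names, the signature id `ssn-candidate`, the module name and the two SSN values are all placeholders chosen for illustration.

```bro
# --- ssn-example.sig (signature definition; file name is a placeholder) ---
# The signature engine does the byte-level regex over TCP payload. A hit
# raises signature_match() in policy script rather than a notice directly,
# which is what lets the script apply its own filtering before alerting.
signature ssn-candidate {
    ip-proto == tcp
    payload /[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}/
    event "SSN-shaped number in payload"
}

# --- ssn-example.bro (policy script; Bro 2.x syntax is assumed) ---
@load base/frameworks/notice

module SSNExposure;

export {
    redef enum Notice::Type += {
        ## A known SSN from the organisation's list was seen on the wire.
        Exposure,
    };

    ## SSNs that belong to your organisation. These two values are made-up
    ## placeholders; in practice this set is populated from a local file.
    const known_ssns: set[string] = { "123-45-6789", "987-65-4321" } &redef;
}

# Load the signature file that sits next to this script.
@load-sigs ./ssn-example.sig

# Same shape as the signature, used to pull every candidate out of the
# matched payload chunk.
const ssn_shape = /[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}/;

## Canonicalise "123 45 6789" and "123-45-6789" to one dashed form so they
## compare equal against the known list.
function canonical_ssn(s: string): string
    {
    return gsub(s, / /, "-");
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Every signature in every loaded .sig file lands in this one event,
    # so filter on the signature id first.
    if ( state$sig_id != "ssn-candidate" )
        return;

    # `data` is the payload chunk the signature matched against. The
    # signature only told us at least one candidate exists; extract all.
    for ( candidate in find_all(data, ssn_shape) )
        {
        local ssn = canonical_ssn(candidate);

        # Drop the false positives: phone-number fragments, order ids and
        # other nine-digit strings that are not on the known list.
        if ( ssn !in known_ssns )
            next;

        NOTICE([$note=Exposure,
                $msg=fmt("known SSN %s seen in %s", ssn,
                         state$is_orig ? "client payload" : "server payload"),
                $conn=state$conn,
                # One notice per (source host, SSN) pair; the Notice
                # framework suppresses repeats on this identifier.
                $identifier=cat(state$conn$id$orig_h, ssn)]);
        }
    }
```

Two points worth checking before deploying something like this: `signature_match` fires for every signature you have loaded, so the `sig_id` test is not optional, and the `data` argument is only the chunk the engine was inspecting, not the whole stream, so an SSN split across a chunk boundary will not be seen by either the signature or the policy script.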