[Bro] NAT detection (was: Re: Bro scripts)

Gregor Maier gregor at icir.org
Sun Oct 31 15:38:46 PDT 2010


Hi,

I've played around with NAT detection based on user-agent strings and IP
TTL.
See http://www.icir.org/gregor/papers/gregor-phd.pdf, Chapter 4


cu
gregor

On 10/28/10 18:48 , Martin Holste wrote:
> That's pretty cool!  I do have one suggestion, though:  Instead of
> tracking by IP, how about one cookie per user agent?  That will help
> catch the side jacking when used under a NAT.
> 
> On Thursday, October 28, 2010, Matthias Vallentin <vallentin at icir.org> wrote:
>>> I'm doing work on Bro's policy scripts for the next release and I want
>>> to find policy scripts floating around that can be shared and any
>>> helpful code snippets.  Anything you can contribute would be greatly
>>> appreciated, thanks!
>>
>> The whole buzz about Firesheep caused me to hack up a sidejacking
>> detector. I haven't tested it because I literally wrote it 5 minutes
>> ago.
>>
>>    Matthias
>>
>> Here is the code:
>>
>>     @load http-request
>>     @load http-reply
>>
>>     module HTTP;
>>
>>     export
>>     {
>>         redef enum Notice += { CookieReuse };
>>
>>         # Number of cookies per client.
>>         const max_cookies = 1 &redef;
>>
>>         # The time after which we expire entries.
>>         const cookie_expiration = 1 hr &redef;
>>     }
>>
>>
>>     # Count the number of cookies per client.
>>     global cookies: table[string] of set[addr] &write_expire = cookie_expiration;
>>
>>     event http_header(c: connection, is_orig: bool, name: string, value: string)
>>     {
>>         # We are only looking for session IDs in the client cookie header.
>>         if (! (is_orig && name == /[cC][oO][oO][kK][iI][eE]/))
>>             return;
>>
>>         local client = c$id$orig_h;
>>         if (value !in cookies)
>>             cookies[value] = set();
>>         # Record the client for this cookie value on every request, so the
>>         # first client is counted as well and a second address trips the check.
>>         add cookies[value][client];
>>
>>         if (|cookies[value]| <= max_cookies)
>>             return;
>>
>>         local s = lookup_http_request_stream(c);
>>         NOTICE([$note=CookieReuse, $src=client,
>>                 $msg=fmt("potential sidejacking by %s: cookie used by %d addresses",
>>                 client, |cookies[value]|)]);
>>     }
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>


-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
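The per-user-agent tracking Martin suggests above, combined with the IP-TTL hint from Gregor's reply, as an added Python example that is not part of the original script or of Bro (SidejackDetector, ttl_class and the sample requests are constructed here; the TTL classes 64/128/255 are an assumed approximation of common OS initial TTLs):

```python
from collections import defaultdict

MAX_CLIENTS = 1           # distinct endpoints allowed per cookie (the script's max_cookies)
COOKIE_EXPIRATION = 3600  # seconds since last write (the script's 1 hr &write_expire)

def ttl_class(ttl):
    # Round an observed IP TTL up to the nearest common initial TTL (64/128/255).
    return 64 if ttl <= 64 else 128 if ttl <= 128 else 255

class SidejackDetector:
    def __init__(self, max_clients=MAX_CLIENTS, expiration=COOKIE_EXPIRATION):
        self.max_clients = max_clients
        self.expiration = expiration
        # cookie value -> {endpoint: last write time}; endpoint = (ip, user-agent)
        self.cookies = defaultdict(dict)
        # NAT hint per address: (user-agent, initial-TTL class) pairs seen behind it
        self.behind_ip = defaultdict(set)

    def observe(self, ts, client_ip, ttl, headers):
        hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        cookie = hdrs.get("cookie")
        if cookie is None:
            return None
        ua = hdrs.get("user-agent", "")
        self.behind_ip[client_ip].add((ua, ttl_class(ttl)))
        seen = self.cookies[cookie]
        # &write_expire semantics: forget endpoints not written within the window
        for ep in [e for e, t in seen.items() if ts - t > self.expiration]:
            del seen[ep]
        seen[(client_ip, ua)] = ts
        if len(seen) <= self.max_clients:
            return None
        return "potential sidejacking: cookie used by %d endpoints (%d addresses)" % (
            len(seen), len({ip for ip, _ in seen}))

    def nat_suspected(self, client_ip):
        # One address presenting several user-agent/TTL combinations suggests NAT.
        return len(self.behind_ip[client_ip]) > 1

# Constructed sample: victim (Windows-like TTL) and attacker (Linux-like TTL)
# share one NAT address, so per-IP tracking alone would never exceed max_cookies.
REQUESTS = [
    (0, "10.0.0.5", 127, {"Cookie": "sid=abc", "User-Agent": "Firefox/3.6"}),
    (5, "10.0.0.5", 63, {"Cookie": "sid=abc", "User-Agent": "Chrome/7.0"}),
]

def run_sample(requests=REQUESTS):
    det = SidejackDetector()
    notices = [det.observe(*r) for r in requests]
    return notices, det.nat_suspected("10.0.0.5")
```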