[Bro] getting raw bytes?
Seth Hall
seth at icir.org
Wed Aug 10 08:08:20 PDT 2011
On Aug 10, 2011, at 10:57 AM, Dan Klinedinst wrote:
> if (c$id$resp_p == 6000)
>     if (first_6_bytes_after_tcp_header == 01000b000000)
>         do something
You are just looking to write a signature...
==== x11.sigs =====
signature x11_6_special_bytes {
    ip-proto == tcp
    dst-port == 6000
    payload /\x01\x00\x0b\x00\x00\x00/
    tcp-state responder
}
====== end x11.sigs ===========
==== start x11.bro =======
redef signature_files += "x11.sigs";

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id == "x11_6_special_bytes" )
        {
        # do something.
        }
    }
=======end x11.bro==========
Make sure both of those are in your BROPATH and load the x11.bro script.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
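The signature above is matched by the Bro engine, so there is nothing to run from the thread itself. The following Python is an added example, not code from the thread or the Bro project: it emulates what the posted signature checks against a constructed TCP segment, locating the payload from the TCP data-offset field (so header options do not shift "the first 6 bytes after the TCP header") and treating the payload regex as anchored at the start of the payload, which is how Bro signature `payload` patterns behave. The `build_segment` helper and the sample bytes are constructed for this example.

```python
import re
import struct

# The six payload bytes from the .sigs file, as an equivalent Python regex.
X11_SIG = re.compile(rb"\x01\x00\x0b\x00\x00\x00")


def tcp_payload(segment: bytes) -> bytes:
    """Return the bytes after the TCP header.

    The header length comes from the data-offset field (high nibble of byte 12,
    in 32-bit words), so segments carrying options such as MSS or timestamps
    still yield the true start of the payload.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return segment[hdr_len:]


def matches_x11_sig(segment: bytes, dst_port: int = 6000) -> bool:
    """Emulate the posted signature: dst-port == 6000 and the payload begins
    with the six bytes. Bro payload regexes are implicitly anchored, so
    re.match (not re.search) is the right analogue; bytes appearing later in
    the payload must not trigger the match."""
    if struct.unpack("!H", segment[2:4])[0] != dst_port:
        return False
    return X11_SIG.match(tcp_payload(segment)) is not None


def build_segment(src_port: int, dst_port: int, payload: bytes,
                  options: bytes = b"") -> bytes:
    """Constructed helper (not real traffic): minimal TCP header, optional
    options padded to a 32-bit boundary, then the payload."""
    opts = options + b"\x00" * (-len(options) % 4)
    hdr_len = 20 + len(opts)
    data_offset_byte = (hdr_len // 4) << 4
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         1, 0,                 # seq, ack (arbitrary)
                         data_offset_byte,
                         0x18,                 # PSH|ACK
                         65535, 0, 0)          # window, checksum, urgent
    return header + opts + payload


# Constructed sample segments.
SIG_BYTES = b"\x01\x00\x0b\x00\x00\x00"
PLAIN = build_segment(40000, 6000, SIG_BYTES + b"trailing data")
# 10 bytes of options (MSS + timestamp-like filler) pad to 12, header becomes 32 bytes.
WITH_OPTIONS = build_segment(40000, 6000, SIG_BYTES + b"x",
                             options=b"\x02\x04\x05\xb4\x08\x0a\x00\x00\x00\x00")
UNANCHORED = build_segment(40000, 6000, b"\x00\x00" + SIG_BYTES)
WRONG_PORT = build_segment(40000, 6001, SIG_BYTES)

if __name__ == "__main__":
    for name, seg in [("plain", PLAIN), ("with_options", WITH_OPTIONS),
                      ("unanchored", UNANCHORED), ("wrong_port", WRONG_PORT)]:
        print(f"{name:13s} payload[:6]={tcp_payload(seg)[:6].hex()} "
              f"match={matches_x11_sig(seg)}")
```

Running it shows the options-bearing segment still matches because the payload offset is read from the header rather than assumed to be 20, while the segment whose six bytes sit two bytes into the payload does not, mirroring the anchored behaviour of the signature's `payload` pattern.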