[Bro] getting raw bytes?
Dan Klinedinst
dklinedinst at lbl.gov
Wed Aug 10 09:00:35 PDT 2011
Thanks Seth. If I read this right, this line:
payload /\x01\x00\x0b\x00\x00\x00/
will match that byte pattern anywhere in the packet, no? Is it
possible to give it a specific position / offset? E.g., with regex:
/^\x01/
to specify the first byte must be x01, or
/.{8}\x01/
would match it at the 9th byte.
But I think this will match from the beginning of the packet, if it
works at all. I'll test it.
Anyway, I'm on the right path now, thanks!
Dan
On Wed, Aug 10, 2011 at 11:08 AM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 10, 2011, at 10:57 AM, Dan Klinedinst wrote:
>
>> if (c$id$resp_p == 6000)
>> if (first_6_bytes_after_tcp_header == 01000b000000)
>> do something
>
>
> You are just looking to write a signature...
>
> ==== x11.sigs =====
> signature x11_6_special_bytes {
> ip-proto == tcp
> dst-port == 6000
> payload /\x01\x00\x0b\x00\x00\x00/
> tcp-state responder
> }
> ====== end x11.sigs ===========
>
> ==== start x11.bro =======
> redef signature_files += "x11.sigs";
>
> event signature_match(state: signature_state, msg: string, data: string)
>     {
>     if ( state$sig_id == "x11_6_special_bytes" )
>         {
>         # do something.
>         }
>     }
> =======end x11.bro==========
>
> Make sure both of those are in your BROPATH and load the x11.bro script.
>
> .Seth
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
--
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst at lbl.gov
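The three placements Dan asks about (marker anywhere in the payload, marker as the first byte, marker at the ninth byte) can be checked side by side on constructed payloads. The block below is an added illustration and is not code from the thread or from the Bro project; it uses Python's `re` module purely to show what anchoring does to a byte regex, on the assumption that Bro's signature engine follows the same basic anchoring rules (`^` only matches at the start of the data it is given, and an unanchored `.{8}` only means "at least eight bytes before the marker", not "exactly eight"). The payload bytes and the `at_offset` slice check are constructed for the example. One caveat a signature author will want to know about: in many regex flavours `.` does not match a newline byte (0x0a) unless told to, so an offset expressed as `.{8}` silently fails on payloads that happen to carry 0x0a in the skipped region; the example shows the difference with Python's `re.DOTALL`.

```python
import re

# Six-byte marker from the signature discussed on the page, written as a
# bytes regex so the engine interprets the \x escapes.
MARKER = rb"\x01\x00\x0b\x00\x00\x00"
MARKER_BYTES = bytes.fromhex("01000b000000")

# Constructed sample payloads (not captured traffic).
P_START = MARKER_BYTES + b"\x00" * 10            # marker at offset 0
P_OFF8 = b"\x00" * 8 + MARKER_BYTES + b"\x00" * 4  # marker at offset 8 (9th byte)
P_OFF20 = b"\x00" * 20 + MARKER_BYTES            # marker at offset 20
P_NEWLINE = b"\x0a" + b"\x00" * 7 + MARKER_BYTES  # offset 8, but a 0x0a byte sits in the skipped region


def matches(payload: bytes, pattern: bytes, dotall: bool = True) -> bool:
    """True if the byte regex matches somewhere in payload.

    dotall=True makes '.' match every byte including 0x0a, which is what
    a binary-protocol signature almost always wants.
    """
    flags = re.DOTALL if dotall else 0
    return re.search(pattern, payload, flags) is not None


def placement(payload: bytes) -> dict:
    """Evaluate the four ways of stating 'where' the marker must be."""
    return {
        # payload /\x01\x00\x0b\x00\x00\x00/  -> anywhere in the data
        "anywhere": matches(payload, MARKER),
        # /^\x01.../  -> marker must begin at the first byte
        "first_byte": matches(payload, rb"^" + MARKER),
        # /^.{8}\x01.../  -> marker must begin at exactly the ninth byte
        "ninth_byte": matches(payload, rb"^.{8}" + MARKER),
        # /.{8}\x01.../ without '^' -> marker at the ninth byte OR LATER
        "ninth_or_later": matches(payload, rb".{8}" + MARKER),
    }


def at_offset(payload: bytes, offset: int) -> bool:
    """Regex-free check: is the marker at exactly this offset?

    For a fixed-position fingerprint a plain slice comparison is easier
    to read and cannot be tripped up by regex metacharacter semantics.
    """
    return payload[offset:offset + len(MARKER_BYTES)] == MARKER_BYTES


if __name__ == "__main__":
    for name, payload in [("start", P_START), ("off8", P_OFF8), ("off20", P_OFF20)]:
        print(name, placement(payload))
    # Demonstrate the newline caveat for the '.{8}' offset form.
    print("newline, DOTALL   :", matches(P_NEWLINE, rb"^.{8}" + MARKER, dotall=True))
    print("newline, no DOTALL:", matches(P_NEWLINE, rb"^.{8}" + MARKER, dotall=False))
```

The `ninth_or_later` row is the one that answers Dan's doubt: without the leading `^`, `.{8}` still lets the engine scan forward, so the pattern also fires on `P_OFF20`. Pinning the marker to one position needs the anchor, or a direct slice comparison as in `at_offset`.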