[Bro] getting raw bytes?

Dan Klinedinst dklinedinst at lbl.gov
Wed Aug 10 09:00:35 PDT 2011


Thanks Seth.  If I read this right, this line:
payload /\x01\x00\x0b\x00\x00\x00/

will match that byte pattern anywhere in the packet, no?  Is it
possible to give it a specific position / offset?  E.g., with regex:
/^\x01/
to specify the first byte must be x01, or
/.{8}\x01/
would match it at the 9th byte.

But I think this will match from the beginning of the packet, if it
works at all. I'll test it.

Anyway, I'm on the right path now, thanks!
Dan


On Wed, Aug 10, 2011 at 11:08 AM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 10, 2011, at 10:57 AM, Dan Klinedinst wrote:
>
>> if (c$id$resp_p == 6000)
>>  if (first_6_bytes_after_tcp_header == 01000b000000)
>>    do something
>
>
> You are just looking to write a signature...
>
> ==== x11.sigs =====
> signature x11_6_special_bytes {
>  ip-proto == tcp
>  dst-port == 6000
>  payload /\x01\x00\x0b\x00\x00\x00/
>  tcp-state responder
> }
> ====== end x11.sigs ===========
>
> ==== start x11.bro =======
> redef signature_files += "x11.sigs";
>
> event signature_match(state: signature_state, msg: string, data: string)
>        {
>        if ( state$sig_id == "x11_6_special_bytes" )
>                {
>                # do something.
>                }
>        }
> =======end x11.bro==========
>
> Make sure both of those are in your BROPATH and load the x11.bro script.
>
>  .Seth
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>



-- 
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst at lbl.gov
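Added example, not part of this thread or of Bro: a small Python script showing what the three patterns Dan proposes (unanchored, `^`-anchored, and `.{8}`-prefixed) actually match when applied to a raw byte buffer. It uses Python's `re` on `bytes` rather than Bro's signature engine, so it only models regex semantics; whether Bro anchors a `payload` pattern at the start of the reassembled stream is the point Dan says he will test, and offsets here are simply counted from the start of whatever buffer is handed to the matcher. The sample payloads are constructed for the demonstration, not captured X11 traffic. One caveat the script makes visible: `.` does not match the newline byte (0x0a) unless DOTALL is set, which matters for binary payloads when you count bytes with `.{N}`.

```python
import re

# The six bytes from the thread, once as a regex pattern (as written in the
# signature) and once as a plain byte string for slice comparison.
PATTERN = rb"\x01\x00\x0b\x00\x00\x00"
TARGET = b"\x01\x00\x0b\x00\x00\x00"

# Constructed sample payloads (not captured traffic).
AT_START = TARGET + b"\x00\x00\x00\x00"                      # pattern at byte 0
AT_OFFSET_8 = b"\x00\x01\x02\x03\x04\x05\x06\x0a" + TARGET + b"\xff"  # pattern at byte 8, with a 0x0a at byte 7
NO_MATCH = b"\x01\x00\x0c\x00\x00\x00" + TARGET[:5]          # only a partial copy of the pattern


def match_anywhere(payload: bytes) -> bool:
    """Unanchored search: true if the six bytes occur at any position."""
    return re.search(PATTERN, payload) is not None


def match_at_start(payload: bytes) -> bool:
    """'^' anchors the pattern: the very first byte must be 0x01."""
    return re.match(rb"^" + PATTERN, payload) is not None


def match_at_offset(payload: bytes, offset: int, dotall: bool = True) -> bool:
    """'.{offset}' skips exactly `offset` bytes, then the pattern must follow.

    DOTALL is needed because '.' does not match 0x0a by default; without it a
    binary payload that happens to contain a newline inside the skipped region
    fails to match, even though the target bytes are at the expected offset.
    """
    flags = re.DOTALL if dotall else 0
    pattern = rb"^.{" + str(offset).encode() + rb"}" + PATTERN
    return re.match(pattern, payload, flags) is not None


def match_by_slice(payload: bytes, offset: int) -> bool:
    """The same fixed-offset check done without a regex: compare a slice."""
    return payload[offset:offset + len(TARGET)] == TARGET


def classify(payload: bytes) -> dict:
    """Summarise how each matching strategy treats one payload."""
    return {
        "anywhere": match_anywhere(payload),
        "at_start": match_at_start(payload),
        "at_offset_8": match_at_offset(payload, 8),
        "at_offset_8_no_dotall": match_at_offset(payload, 8, dotall=False),
        "slice_8": match_by_slice(payload, 8),
    }


if __name__ == "__main__":
    for name, payload in (("AT_START", AT_START), ("AT_OFFSET_8", AT_OFFSET_8), ("NO_MATCH", NO_MATCH)):
        print(name, classify(payload))
```

Running it prints one line per sample: the unanchored search fires on both AT_START and AT_OFFSET_8, the `^` form only on AT_START, and the `.{8}` form only on AT_OFFSET_8, and only when DOTALL is set, because byte 7 of that sample is 0x0a. When the position is fixed, the slice comparison is the simpler and faster check; the regex form is what you need when the signature language only offers a pattern.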
