[Bro] signatures

Seth Hall seth at icir.org
Fri Feb 4 09:59:03 PST 2011


On Feb 4, 2011, at 12:02 PM, Dop wrote:

> signature s2b-1939-4 {
>  ip-proto == udp
>  dst-port == 67
>  # Not supported: byte_test: 1,>,6,2
>  event "MISC bootp hardware address length overflow"
>  payload /\x01/
> }
> 
> signature s2b-1940-3 {
>  ip-proto == udp
>  dst-port == 67
>  # Not supported: byte_test: 1,>,7,1
>  event "MISC bootp invalid hardware type"
>  payload /\x01/
> }
> 
> We see both of them (which I'm about to ignore), but I don't understand
> why one is triggered over the other.


It's definitely best to get rid of both of those signatures.  They aren't even matching what they claim to be matching because of those "Not supported" lines.  It's just an internal implementation detail as to which one gets triggered because the signature engine is going to look to see which one matched and it will trigger the first one that it finds and then stop.

Pretty much anything that says "s2b" (snort2bro) will be gone from the next release and can even currently be ignored.  The snort2bro code has already been completely removed from the work repository.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
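To make the point in the reply concrete, here is an added example (not code from the thread, from Bro, or from snort2bro) that evaluates the two signatures both as snort2bro emitted them and with the dropped `byte_test` constraints restored, against constructed BOOTP packets. It assumes Snort's `byte_test:<bytes>,<op>,<value>,<offset>` semantics (read `<bytes>` at `<offset>` as a big-endian unsigned integer and compare) and treats the translated `payload /\x01/` as a match on the first payload byte, since Bro anchors payload regexes at the start of the payload; the helper names `byte_test`, `bootp_header`, `evaluate` and `first_match` are the example's own.

```python
# Added example: what the two snort2bro-translated BOOTP signatures really test,
# compared with the byte_test constraints the original Snort rules carried.
# All packets below are constructed for the example, not captured traffic.
import struct


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int) -> bool:
    """Snort byte_test:<nbytes>,<op>,<value>,<offset> (big-endian, unsigned, no modifiers)."""
    field = payload[offset:offset + nbytes]
    if len(field) != nbytes:
        return False                      # truncated packet: nothing to compare against
    n = int.from_bytes(field, "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]


def bootp_header(op: int, htype: int, hlen: int,
                 chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Minimal 236-byte BOOTP fixed header (RFC 951 field order), constructed for the example."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, htype, hlen, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # op,htype,hlen,hops,xid,secs,flags,4 addrs
    return fixed + chaddr.ljust(16, b"\0")[:16] + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file


# As snort2bro emitted them: the "Not supported" byte_test lines were dropped, so each
# signature reduces to "first payload byte is 0x01" (assumption: anchored regex match).
# 0x01 is op=BOOTREQUEST, i.e. every ordinary DHCP DISCOVER/REQUEST on the network.
def translated_s2b_1939_4(payload: bytes) -> bool:
    return payload[:1] == b"\x01"


def translated_s2b_1940_3(payload: bytes) -> bool:
    return payload[:1] == b"\x01"


# What the original Snort rules checked in addition to the content match.
def snort_1939(payload: bytes) -> bool:
    return payload[:1] == b"\x01" and byte_test(payload, 1, ">", 6, 2)   # hlen (offset 2) > 6


def snort_1940(payload: bytes) -> bool:
    return payload[:1] == b"\x01" and byte_test(payload, 1, ">", 7, 1)   # htype (offset 1) > 7


SIGNATURES = {
    "s2b-1939-4": translated_s2b_1939_4,
    "s2b-1940-3": translated_s2b_1940_3,
    "snort-1939": snort_1939,
    "snort-1940": snort_1940,
}


def evaluate(payload: bytes) -> dict:
    """Which of the four checks fire on this UDP/67 payload."""
    return {name: fn(payload) for name, fn in SIGNATURES.items()}


def first_match(payload: bytes, names: list) -> str:
    """Illustrates 'first match wins, then stop': the order given is arbitrary, just as the
    engine's internal order is, so two signatures with identical conditions cannot be told apart."""
    for name in names:
        if SIGNATURES[name](payload):
            return name
    return ""


if __name__ == "__main__":
    normal = bootp_header(op=1, htype=1, hlen=6)      # plain Ethernet DHCP DISCOVER
    overflow = bootp_header(op=1, htype=1, hlen=16)   # hlen claims 16: rule 1939's case
    bad_type = bootp_header(op=1, htype=8, hlen=6)    # htype 8: rule 1940's case
    for label, pkt in (("normal", normal), ("hlen overflow", overflow), ("bad htype", bad_type)):
        print(label, evaluate(pkt), "->", first_match(pkt, ["s2b-1939-4", "s2b-1940-3"]))
```

Run as written, the benign request fires both translated signatures and neither original rule, which is why both events appeared on ordinary DHCP traffic and why removing them is the right call; only the two crafted packets separate the original rules.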
