[Bro] setting a connection "service" in a signature

Seth Hall seth at icir.org
Thu Aug 23 06:56:17 PDT 2012 

On Aug 22, 2012, at 4:44 PM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:

> It detects skype traffic by looking at the fake SSL
> "ServerHello" that skype responders send. (basically, they send
> a fixed "random data" with a date in 2004 where a normal SSL
> server would send the current date and a truly random data, I
> suspect it is designed that way to help recognise skype traffic
> easily).

Cool technique!  Thanks for sharing.  Do these connections show up in ssl.log or generate the ssl_server_hello event?  It would probably be better to detect them through the SSL analyzer if possible.

> function mark_conn_as_skype(state: signature_state): bool
>        {
>        add state$conn$service["skype"];
>        return T;
>        }
> redef signature_files += "skype-detect.sig";


I have a couple of comments here…

The prototype for your function should be: 
	function cond(state: signature_state, data: string): bool;

You are missing the data variable which could be partly what's contributing to the crash you are seeing.  I'll try and look into this more closely soon to see what exactly we need to fix (something here needs fixed, I'm just not sure what it is yet).  

Additionally, beginning with 2.0 you can use the @load-sigs directive which gives you relative path loading so you can distribute your protocol detection script as a "module" and it doesn't matter where people put it on the BROPATH the skype-detect.sig signatures would still be find-able.  The following example will look for the signature file in the same directory of the script that called @load-sigs.

	@load-sigs ./skype-detect.sig

One other comment, we do have a Skype analyzer that is currently not enabled in the script-land.  That should detect and log Skype connections as well (the base scripts need to be written for it still).

Again, thanks for sending that in!  Definitely a cool trick.  Do you think you could package it up in a git repository like I've been doing with my recent scripts?  The ssn-exposure script even has an example of @load-sigs

	https://github.com/sethhall/ssn-exposure
	https://github.com/sethhall/relog

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

More information about the Bro mailing list