[Bro] setting a connection "service" in a signature

Stephane Chazelas stephane.chazelas at gmail.com
Thu Aug 23 07:25:59 PDT 2012


2012-08-23 09:56:17 -0400, Seth Hall:
> 
> On Aug 22, 2012, at 4:44 PM, Stephane Chazelas <stephane.chazelas at gmail.com> wrote:
> 
> > It detects skype traffic by looking at the fake SSL
> > "ServerHello" that skype responders send. (basically, they send
> > a fixed "random data" with a date in 2004 where a normal SSL
> > server would send the current date and a truly random data, I
> > suspect it is designed that way to help recognise skype traffic
> > easily).
> 
> Cool technique!  Thanks for sharing.  Do these connections
> show up in ssl.log or generate the ssl_server_hello event?  It
> would probably be better to detect them through the SSL
> analyzer if possible.

Hi Seth, thanks.

It's not real SSL, though some of them do show up occasionally
as "ssl" and some of them cause some errors. The packets past
the ServerHello are not SSL packets.

> > function mark_conn_as_skype(state: signature_state): bool
> >        {
> >        add state$conn$service["skype"];
> >        return T;
> >        }
> > redef signature_files += "skype-detect.sig";
> 
> 
> I have a couple of comments here…
> 
> The prototype for your function should be: 
> 	function cond(state: signature_state, data: string): bool;
> 
> You are missing the data variable which could be partly what's
> contributing to the crash you are seeing.

I copy-pasted from ssl-worm.bro in securityonion which BTW has comments like:
        "# FIXME: Bro segfaults without the tmp variable"
which made me try and use a tmp variable as well.

After adding the ",data: string" and reverting to add
state$conn$service, it seems not to crash, so it's probably what
the problem was.


[...]
> Additionally, beginning with 2.0 you can use the @load-sigs
> directive which gives you relative path loading so you can
> distribute your protocol detection script as a "module" and it
> doesn't matter where people put it on the BROPATH the
> skype-detect.sig signatures would still be find-able.  The
> following example will look for the signature file in the same
> directory of the script that called @load-sigs.
> 
> 	@load-sigs ./skype-detect.sig

It didn't like it:
   error in /usr/local/share/bro/site/local.bro, line 90: unrecognized character - @
   error in /usr/local/share/bro/site/local.bro, line 90: unknown identifier load, at or near "load"

I can't see any mention of "load-sigs" in the source. Are you
sure it's not in a newer version?

> One other comment, we do have a Skype analyzer that is
> currently not enabled in the script-land.  That should detect
> and log Skype connections as well (the base scripts need to be
> written for it still).

I enquired about that on the list a few days ago, as I wasn't
able to find it. Someone kindly sent me a version that was
designed for an older version of bro, and goes far beyond what I
need (identify those port 443 connections).

> Again, thanks for sending that in!  Definitely a cool trick.
> Do you think you could package it up in a git repository like
> I've been doing with my recent scripts?  The ssn-exposure
> script even has an example of @load-sigs
> 
> 	https://github.com/sethhall/ssn-exposure
> 	https://github.com/sethhall/relog
[...]

I'll have a look.

-- 
Stephane
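As an added example (not code from this thread or from the Bro project), here is the shape the signature file and script take once the eval function has the `(state: signature_state, data: string)` prototype Seth describes. The thread does not give the exact bytes of the fake ServerHello, so instead of hard-coding the fixed "random" value the condition parses the `gmt_unix_time` field out of `data` and checks for a 2004 date; the signature file is shown in a comment block, and `bytestring_to_count` is assumed to be available in the running Bro version.

```bro
# Constructed example, not the thread's code. The signature file
# matches the record/handshake framing of a ServerHello sent by the
# responder on port 443; the eval function then inspects the
# "random" field's gmt_unix_time for a 2004 date.

# --- skype-detect.sig (constructed; no exact payload bytes are in the thread) ---
# signature skype-fake-serverhello {
#     ip-proto == tcp
#     src-port == 443
#     tcp-state responder
#     # 0x16 = handshake record, 0x03 0x0X = version, 2-byte length,
#     # 0x02 = ServerHello handshake type
#     payload /^\x16\x03[\x00-\x03][\x00-\xff][\x00-\xff]\x02/
#     eval mark_conn_as_skype
# }

# --- skype-detect.bro ---

# Unix timestamps bounding calendar year 2004 (UTC).
const year_2004_start: count = 1072915200;
const year_2005_start: count = 1104537600;

# Correct eval prototype: the signature state AND the matched payload.
# Returning T accepts the match; F rejects it.
function mark_conn_as_skype(state: signature_state, data: string): bool
	{
	# Only the responder's ServerHello carries the telltale random.
	if ( state$is_orig )
		return F;

	# gmt_unix_time sits at offset 5 (record header) + 4 (handshake
	# header) + 2 (server version) = byte 11, i.e. 1-based position 12.
	if ( |data| < 15 )
		return F;

	# Assumption: bytestring_to_count exists and defaults to big-endian.
	local ts = bytestring_to_count(sub_bytes(data, 12, 4));
	if ( ts < year_2004_start || ts >= year_2005_start )
		return F;

	# Tag the connection so conn.log shows "skype" in its service column.
	add state$conn$service["skype"];
	return T;
	}

redef signature_files += "skype-detect.sig";
```

A genuine TLS server sends the current time here, so the 2004 window alone is what separates the two; tighten it to the exact fixed bytes once those are captured.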
