[Bro] software.log

Vlad Grigorescu vladg at cmu.edu
Wed Dec 4 08:36:36 PST 2013


John,

Have you looked at policy/frameworks/software/vulnerable.bro[1]? It seems like it implements what you're looking to do. For example, here's what I have in my local.bro:

> @load frameworks/software/vulnerable
> global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=48]];
> global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=22]];
> 
> redef Software::vulnerable_versions += {
>         ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
> };

See also: https://github.com/bro/bro/blob/master/NEWS#L313

What this does is define two ranges of vulnerable Java versions. The first is anything prior to 1.6.0.48 (including 1.5, 1.4, etc.). The second is anything between 1.7.0.0 and 1.7.0.22.

Of course, if you only care about 1.7.0.40, you can just define that as the min/max.

Does that help? Or was that not the functionality you were looking for?

  --Vlad

[1] - <https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/vulnerable.bro>
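Added worked example (not from this thread and not Bro's own code): a small Python model of how a version string like "Java/1.7.0_40" is parsed and then tested against the two ranges defined above, so the effect of an absent $min and of a bound written as [$major=1,$minor=7] can be checked by hand. Assumptions made here: both bounds are inclusive, missing version fields count as 0 (a simplification of Software::cmp_versions), the string has the "Name/version" shape, and the names `version`, `parse_unparsed_version`, `VulnerableVersionRange`, `single_version_range`, `matching_ranges` and `is_vulnerable` are this example's, not Bro's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A version is modelled as (major, minor, minor2, minor3), the four numeric
# fields of Bro's Software::Version record. Absent fields are taken as 0, so a
# bound written as [$major=1,$minor=7] reads as 1.7.0.0 (assumption: this is a
# simplification of Software::cmp_versions, not a copy of it).
Version = Tuple[int, int, int, int]

# Matches "Name/1.7.0_40": a software name, a slash, then up to four numeric
# parts separated by '.' or '_' (the Java "1.7.0_40" form used in the thread).
_UNPARSED_RE = re.compile(r"^(?P<name>[A-Za-z][\w\-]*)/(?P<ver>\d+(?:[._]\d+){0,3})")


def version(major: int = 0, minor: int = 0, minor2: int = 0, minor3: int = 0) -> Version:
    """Build a Version tuple using the field names of Bro's Software::Version."""
    return (major, minor, minor2, minor3)


def parse_unparsed_version(unparsed: str) -> Tuple[str, Version]:
    """Split an $unparsed_version string into (name, Version).

    Assumption: the string has the "Name/version" shape seen in Java User-Agents.
    """
    m = _UNPARSED_RE.match(unparsed.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % unparsed)
    parts = [int(p) for p in re.split(r"[._]", m.group("ver"))]
    parts += [0] * (4 - len(parts))          # pad "1.7" out to 1.7.0.0
    return m.group("name"), (parts[0], parts[1], parts[2], parts[3])


@dataclass(frozen=True)
class VulnerableVersionRange:
    """Mirror of Software::VulnerableVersionRange: $max is required, $min optional."""
    max: Version                    # inclusive upper bound
    min: Optional[Version] = None   # inclusive lower bound; None means "everything up to max"

    def contains(self, v: Version) -> bool:
        if self.min is not None and v < self.min:
            return False
        return v <= self.max


def single_version_range(v: Version) -> VulnerableVersionRange:
    """The case where only one exact version matters: $min and $max coincide."""
    return VulnerableVersionRange(min=v, max=v)


# Constructed table mirroring the redef of Software::vulnerable_versions in the
# thread: anything up to 1.6.0.48, and anything from 1.7.0.0 through 1.7.0.22.
VULNERABLE_VERSIONS: Dict[str, Set[VulnerableVersionRange]] = {
    "Java": {
        VulnerableVersionRange(max=version(1, 6, 0, 48)),
        VulnerableVersionRange(min=version(1, 7), max=version(1, 7, 0, 22)),
    },
}


def matching_ranges(unparsed: str,
                    table: Dict[str, Set[VulnerableVersionRange]] = VULNERABLE_VERSIONS
                    ) -> List[VulnerableVersionRange]:
    """Return every range in `table` that the software named in `unparsed` falls into."""
    name, v = parse_unparsed_version(unparsed)
    return [r for r in table.get(name, set()) if r.contains(v)]


def is_vulnerable(unparsed: str,
                  table: Dict[str, Set[VulnerableVersionRange]] = VULNERABLE_VERSIONS) -> bool:
    """True when at least one range matches, the condition a notice would be raised on."""
    return len(matching_ranges(unparsed, table)) > 0


if __name__ == "__main__":
    # Constructed sample User-Agent product tokens, not captured traffic.
    for ua in ("Java/1.7.0_40", "Java/1.7.0_21", "Java/1.6.0_45",
               "Java/1.5.0_22", "Java/1.8.0_05"):
        print(ua, "vulnerable" if is_vulnerable(ua) else "ok")
```

With the table above, 1.7.0_40 is not flagged (it is past the 1.7 range's $max), 1.7.0_21 and every 1.6 or 1.5 build are, and a range for exactly 1.7.0.40 is expressed by setting $min and $max to the same version.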

On Dec 4, 2013, at 11:12 AM, John Babio <jbabio at po-box.esu.edu> wrote:

> Here is what I have so far. It is working but I don’t know if it is written correctly.
> 
> 
> @load base/frameworks/notice
> @load base/frameworks/software
> 
> module OLD_JAVA;
> 
> export {
>     redef enum Notice::Type += {
>         ## Raised when the Java version checked below is registered with the Software framework.
>         OLD_JAVA::Java_seen,
>     };
> }
> 
> event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
>     {
>     # Raise the notice only when Software::found() accepts the record. A ';'
>     # after the condition would end the if-statement there and run the block
>     # below unconditionally, on every HTTP header.
>     if ( Software::found(c$id, [$unparsed_version="Java/1.7.0_40", $host=c$id$orig_h]) )
>         {
>         NOTICE([$note=OLD_JAVA::Java_seen,
>                 $msg=fmt("Old Java seen from %s", c$id$orig_h),
>                 $conn=c]);
>         }
>     }
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro




