[Bro] Bro Digest, Vol 92, Issue 4

John Babio jbabio at po-box.esu.edu
Wed Dec 4 12:23:17 PST 2013


Add this to local.bro. Works awesome! Courtesy of Vlad.
I wish I knew it was as easy as this. :)



@load frameworks/software/vulnerable
global java_1_6_vuln: Software::VulnerableVersionRange =
    [$max=[$major=1,$minor=6,$minor2=0,$minor3=48]];
global java_1_7_vuln: Software::VulnerableVersionRange =
    [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=22]];
redef Software::vulnerable_versions += {
    ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
};

See also: https://github.com/bro/bro/blob/master/NEWS#L313

What this does is define two ranges of vulnerable Java versions. The first
is anything prior to 1.6.0.48 (including 1.5, 1.4, etc.). The second is
anything between 1.7.0.0 and 1.7.0.22.

Of course, if you only care about 1.7.0.40, you can just define that as
the min/max.

Does that help? Or was that not the functionality you were looking for?



On 12/4/13, 3:00 PM, "bro-request at bro.org" <bro-request at bro.org> wrote:

>Send Bro mailing list submissions to
>	bro at bro.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>or, via email, send a message with subject or body 'help' to
>	bro-request at bro.org
>
>You can reach the person managing the list at
>	bro-owner at bro.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Bro digest..."
>
>
>Today's Topics:
>
>   1. Re: software.log (John Babio)
>   2. Re: software.log (Justin Azoff)
>   3. Re: software.log (James Lay)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 4 Dec 2013 16:40:23 +0000
>From: John Babio <jbabio at po-box.esu.edu>
>Subject: Re: [Bro] software.log
>To: Vlad Grigorescu <vladg at cmu.edu>
>Cc: "bro at bro.org" <bro at bro.org>
>Message-ID: <CEC4C50C.88F3%jbabio at po-box.esu.edu>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Yes This is exactly what I was looking for. I just didn't know how to go
>about it. Thank you Vlad!
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 4 Dec 2013 11:43:49 -0500
>From: Justin Azoff <JAzoff at albany.edu>
>Subject: Re: [Bro] software.log
>To: John Babio <jbabio at po-box.esu.edu>
>Cc: "bro at bro.org" <bro at bro.org>
>Message-ID: <20131204164349.GG12701 at datacomm.albany.edu>
>Content-Type: text/plain; charset=us-ascii
>
>On Wed, Dec 04, 2013 at 04:12:25PM +0000, John Babio wrote:
>>                 NOTICE([$note=OLD_JAVA::Java_seen, $msg=fmt("Old Java Seen")]);
>
>You want to add $conn=c to the notice, otherwise it won't contain the
>address information.
>
>-- 
>-- Justin Azoff
>
>
>------------------------------
>
>Message: 3
>Date: Wed, 04 Dec 2013 09:44:38 -0700
>From: James Lay <jlay at slave-tothe-box.net>
>Subject: Re: [Bro] software.log
>To: <bro at bro.org>
>Message-ID: <db87a1427017b7eb923e8ef4a7c77fe2 at localhost>
>Content-Type: text/plain; charset=UTF-8; format=flowed
>
>On 2013-12-04 09:40, John Babio wrote:
>> Yes This is exactly what I was looking for. I just didn't know how to
>> go about it. Thank you Vlad!
>>
>
>Care to send it to the list?  I'd like to see it myself...thank you.
>
>James
>
>
>------------------------------
>
>
>
>End of Bro Digest, Vol 92, Issue 4
>**********************************
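
The two Java version ranges from the message above, modelled in Python as an added example (not code from the original post or from Bro) so the boundary cases can be checked before deploying the script. It assumes the `$max` bound is inclusive (switchable through the hypothetical `max_inclusive` parameter) and that missing version components count as 0; the sample version strings are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]  # (major, minor, minor2, minor3)

def parse_java_version(text: str) -> Version:
    """Parse '1.7.0_22' or '1.6.0.48' into four integers.
    Assumption: missing components are treated as 0."""
    parts = [int(p) for p in re.split(r"[._]", text.strip()) if p.isdigit()][:4]
    if not parts:
        raise ValueError("no numeric version components in %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))

# The two ranges from the script: (min, max); min=None means no lower bound.
JAVA_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (1, 6, 0, 48)),            # java_1_6_vuln
    ((1, 7, 0, 0), (1, 7, 0, 22)),    # java_1_7_vuln
]

def is_vulnerable(version_text: str, ranges=JAVA_RANGES,
                  max_inclusive: bool = True) -> bool:
    """True if the version falls inside any configured range."""
    v = parse_java_version(version_text)
    for lo, hi in ranges:
        above_min = lo is None or v >= lo
        below_max = v <= hi if max_inclusive else v < hi
        if above_min and below_max:
            return True
    return False

# Constructed sample versions, as they might appear for Java in software.log.
SAMPLES = ["1.5.0_22", "1.6.0_45", "1.6.0_48", "1.6.0_51",
           "1.7.0_21", "1.7.0_22", "1.7.0_25", "1.7.0_40"]

def triage(samples: List[str] = SAMPLES) -> Dict[str, bool]:
    """Map each sample version to whether the ranges would flag it."""
    return {s: is_vulnerable(s) for s in samples}

if __name__ == "__main__":
    for version, flagged in triage().items():
        print("%-10s %s" % (version, "VULNERABLE" if flagged else "ok"))
```

Under this model, 1.6.0_51 is not flagged: it sits above the first range's maximum and below the second range's minimum, so 1.6 builds newer than update 48 need their own range if they should be reported.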