[Bro] Bitwise Operations

M K mkhan04 at gmail.com
Thu May 29 09:15:33 PDT 2014


"Fortunately there has been work in progress for several years that should
help address points 2 and 3. ;)"

I assume you're talking about the dynamic plugin capability Robin is
working on -- or is it something else? Are there any details you can share?

"For the first case, it's possible to implement xor in scriptland (I
attached an implementation to this email).  I can't promise how well it
will perform, but it's unlikely you'd be doing it constantly either."

Although you can implement all of the bitwise operators in the Bro language
using arithmetic operators, it seems overly cumbersome to use them for
operators that are implemented literally using one instruction on almost
every hardware platform (that's not to say writing Bro script will turn it
into one instruction, it's just to say individual math operations are
fast). And for my use case, which is specifically using it as part of the
signature framework, it's probably highly likely that it would be doing it
constantly.

As an example (I wanted to make sure it would actually work), I created a
test signature that used eval to call a Bro function I wrote that used the
^ and & operators to detect a specific sequence that's seen during the
handshake/setup of a piece of C2, and ran this on a canned sample pcap. It
worked and fired off a signature match event. Obviously this is more
anecdotal than anything else and would require further testing to ensure
that my code isn't a massive false positive generator and would actually
perform well on live traffic, but it shows that such operators have some
potential. At the least, if not as individual operators, it'd be beneficial
to create some built-ins that can take care of this at a lower level.

The caveat with what I've mentioned, though, is that all of this is just an
idea right now that I'm still formulating the extent of, and there are no
actual plans for implementation anytime soon, so it's possible you guys
might add some capability in the meantime to Bro that obviates the need for
this.

On Tue, May 27, 2014 at 1:27 PM, Seth Hall <seth at icir.org> wrote:

>
> On May 27, 2014, at 12:01 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
> > In my mind malware C2 communications comes in three flavors.
> >  - repurposed HTTP (RFC compliant)
> >  - modified HTTP (just enough to make it not work with Bro's HTTP
> analyzer)
> >  - custom binary
>
> Nice list.  I think you've nailed it with these.  Fortunately there has
> been work in progress for several years that should help address points 2
> and 3. ;)
>
> For the first case, it's possible to implement xor in scriptland (I
> attached an implementation to this email).  I can't promise how well it
> will perform, but it's unlikely you'd be doing it constantly either.
>
> > hooking events such as tcp_contents, the bitwise operator would be very
> handy but Bro's speed
> > would likely be compromised.
>
> Yeah, I *definitely* don't recommend that.
>
>   .Seth
>
>
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
>
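Seth's attached scriptland implementation is not preserved in the archive, so as an added example that is not from the thread, here is the arithmetic-only construction of xor, and, and or in Python (only the operations a Bro script of that era had: +, -, *, /, %, comparisons), checked against the native operators, together with a prefix check of the kind the eval'd signature function described above performs. The key and marker are constructed for the example, not taken from any real C2 traffic.

```python
# Added example, not from the mailing-list thread or from Bro itself.
# Bitwise operators built from arithmetic only, the "scriptland" approach.

def bitwise_from_arith(a: int, b: int, combine) -> int:
    """Combine two non-negative ints bit by bit using only //, %, *, +.

    combine(x, y) receives the two current bits (each 0 or 1) and returns
    the result bit for that position.
    """
    result = 0
    weight = 1                            # value of the bit position being built
    while a > 0 or b > 0:
        bit_a, bit_b = a % 2, b % 2       # extract the lowest bit of each operand
        result += combine(bit_a, bit_b) * weight
        a, b = a // 2, b // 2             # "shift" both operands right by one bit
        weight *= 2
    return result

def xor(a: int, b: int) -> int:
    return bitwise_from_arith(a, b, lambda x, y: (x + y) % 2)

def and_(a: int, b: int) -> int:
    return bitwise_from_arith(a, b, lambda x, y: x * y)

def or_(a: int, b: int) -> int:
    return bitwise_from_arith(a, b, lambda x, y: x + y - x * y)

def xor_decode(data: bytes, key: int) -> bytes:
    """Undo single-byte XOR obfuscation using the arithmetic xor above."""
    return bytes(xor(byte, key) for byte in data)

def matches_after_xor(payload: bytes, key: int, marker: bytes) -> bool:
    """The question a signature's eval function would ask: does the payload,
    once un-XORed with `key`, begin with `marker`? Only the prefix is decoded,
    which keeps the per-packet cost bounded."""
    return xor_decode(payload[:len(marker)], key) == marker

# Constructed sample (hypothetical key and marker, not real C2 data).
KEY = 0x5A
MARKER = b"HELO"
SAMPLE = xor_decode(MARKER, KEY) + b"\x00\x01"   # XOR is its own inverse

def self_check() -> bool:
    """Compare the arithmetic versions with Python's native operators."""
    for a in range(0, 300, 7):
        for b in range(0, 300, 11):
            if xor(a, b) != a ^ b or and_(a, b) != a & b or or_(a, b) != a | b:
                return False
    return matches_after_xor(SAMPLE, KEY, MARKER)
```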