[Bro] Protosig question, round 2
James Lay
jlay at slave-tothe-box.net
Fri Nov 4 12:57:42 PDT 2016
So not wanting to hijack a thread, here we have the pcap for GRE
traffic:
https://www.cloudshark.org/captures/000721f1edfb
So per packet #1, src is 10.0.0.1, dst is 10.0.0.2. Packet #10 in the
IP header is x2f or 47. I was hoping one of these would match, but they
don't:
signature protosig_gre {
header ip[10] == 47
event "match"
}
signature protosig_gre {
header ip[10:1] == 47
event "match"
}
I tested this, and oddly this didn't match either:
signature protosig_gre {
header ip[16:4] == 10.0.0.1
event "match"
}
But THIS did:
signature protosig_gre {
header ip[16:4] == 1.1.1.1
event "match"
}
So that tells me that Bro is reading the GRE encapsulated IP header,
which is neat. Now... how do I tell Bro to NOT read the GRE encapsulated
IP header and read the original IP header? I also tried matching on the GRE
header proper as a payload of /\x00\x00\x08\x00/:
signature protosig_gre_payload {
ip-proto == ip
payload /\x00\x00\x08\x00/
#payload-size == 4
}
But this didn't match either. Thank you.
James
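An added example, not part of this thread or of Bro itself, that walks the byte offsets the signatures above refer to on a constructed GRE-in-IPv4 packet: the IPv4 protocol field is the 10th header byte, so at a 0-based offset it is byte 9 (byte 10 is the first checksum byte), and once the GRE header is stripped, bytes 16:20 of the inner header hold the inner destination rather than the outer one. It assumes 0-based offsets, as Bro's header conditions use, and leaves IP checksums at zero; the addresses and inner ICMP payload are constructed sample values.

```python
import struct
import ipaddress

IP_PROTO_GRE = 47

def build_ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(buf):
    """Fields a signature would test: protocol at offset 9, src at 12:16, dst at 16:20."""
    return {"ihl": (buf[0] & 0x0F) * 4, "proto": buf[9],
            "src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20]))}

def gre_header_len(gre):
    """GRE (RFC 2784/2890): 4 base bytes plus optional checksum/key/sequence words."""
    flags = struct.unpack("!H", gre[:2])[0]
    n = 4
    if flags & 0xC000:  # C or R bit: checksum + offset word present
        n += 4
    if flags & 0x2000:  # K bit: key present
        n += 4
    if flags & 0x1000:  # S bit: sequence number present
        n += 4
    return n

def decapsulate(packet):
    """Return (outer header fields, inner header fields or None) for an IPv4 packet."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] != IP_PROTO_GRE:
        return outer, None
    gre = packet[outer["ihl"]:]
    return outer, parse_ipv4_header(gre[gre_header_len(gre):])

def field_equals(buf, offset, size, value):
    """Emulate a `header ip[offset:size] == value` test on raw header bytes (0-based offset)."""
    return int.from_bytes(buf[offset:offset + size], "big") == value

# Constructed sample: outer 10.0.0.1 -> 10.0.0.2 carrying GRE with protocol type 0x0800 (IPv4),
# inner 2.2.2.2 -> 1.1.1.1 carrying an 8-byte ICMP echo request.
INNER = build_ipv4_header("2.2.2.2", "1.1.1.1", 1, 8) + b"\x08\x00\x00\x00\x00\x00\x00\x00"
GRE = b"\x00\x00\x08\x00"
SAMPLE = build_ipv4_header("10.0.0.1", "10.0.0.2", IP_PROTO_GRE, len(GRE) + len(INNER)) + GRE + INNER
```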