[Bro] Protosig question, round 2

James Lay jlay at slave-tothe-box.net
Fri Nov 4 12:57:42 PDT 2016


So, not wanting to hijack a thread, here we have the pcap for GRE 
traffic:

https://www.cloudshark.org/captures/000721f1edfb

So per packet #1, src is 10.0.0.1, dst is 10.0.0.2.  Packet #10 in the 
IP header is 0x2f or 47.  I was hoping one of these would match, but they 
don't:

signature protosig_gre {
    header ip[10] == 47
    event "match"
}

signature protosig_gre {
    header ip[10:1] == 47
    event "match"
}

I tested this, and oddly this didn't match either:

signature protosig_gre {
    header ip[16:4] == 10.0.0.1
    event "match"
}

But THIS did:

signature protosig_gre {
    header ip[16:4] == 1.1.1.1
    event "match"
}

So that tells me that bro is reading the GRE encapsulated IP header, 
which is neat.  Now... how do I tell bro to NOT read the GRE encapsulated 
IP header and read the original IP header?  I also tried matching on the 
GRE header proper as a payload of /\x00\x00\x08\x00/:

signature protosig_gre_payload {
    ip-proto == ip
    payload /\x00\x00\x08\x00/
    #payload-size == 4
}

But this didn't match either.  Thank you.

James
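As an added check that is not part of the original post or of Bro/Zeek, the Python below builds a GRE-in-IPv4 packet from the details stated in the thread (outer 10.0.0.1 -> 10.0.0.2, protocol 47, GRE header 00 00 08 00, inner destination 1.1.1.1; the inner source 1.1.1.2, the TTLs, IP IDs and ICMP payload are assumptions, since the pcap itself is not reproduced here), decapsulates it, and reports which IP layer each `header ip[offset:size] == value` test from the signatures above would hit. It is a plain byte-offset check against the two IPv4 headers, not a model of Bro's own matching engine, but it makes the header layout concrete: the IP protocol field sits at offset 9 (offset 10 is the first byte of the header checksum), `ip[16:4]` is the destination address while the source is at `ip[12:4]`, and 1.1.1.1 appears only in the inner header.

```python
"""Dissect a GRE-in-IPv4 packet and check which IP layer (outer or inner)
each `header ip[offset:size] == value` test from a Bro signature would hit.

Added example for this thread, not code from the original post or from
Bro/Zeek.  The packet is constructed from what the post states (outer
10.0.0.1 -> 10.0.0.2, protocol 47, GRE header 00 00 08 00, inner destination
1.1.1.1); the inner source 1.1.1.2, the TTLs, the IP IDs and the ICMP payload
are assumptions, since the pcap itself is not reproduced here.
"""
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre(inner: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """4-byte GRE header with no optional fields: flags/version 0, then protocol type."""
    return struct.pack("!HH", 0, ethertype) + inner


# Constructed sample: ICMP echo request inside IPv4 inside GRE inside IPv4.
INNER_PAYLOAD = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"A" * 8      # assumed ICMP echo
INNER_IP = build_ipv4("1.1.1.2", "1.1.1.1", 1, INNER_PAYLOAD)      # inner src assumed
SAMPLE_PACKET = build_ipv4("10.0.0.1", "10.0.0.2", GRE_PROTO, build_gre(INNER_IP))


def parse_ipv4(pkt: bytes) -> dict:
    """Split one IPv4 header from its payload; keeps the raw header for byte tests."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "header": pkt[:ihl],
        "proto": pkt[9],                                   # protocol lives at offset 9
        "src": str(ipaddress.IPv4Address(pkt[12:16])),     # source at ip[12:4]
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),     # destination at ip[16:4]
        "payload": pkt[ihl:],
    }


def decapsulate_gre(pkt: bytes) -> dict:
    """Return outer IP, GRE header and inner IP of a GRE-in-IPv4 packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer protocol is %d, not GRE" % outer["proto"])
    gre = outer["payload"]
    flags, ethertype = struct.unpack("!HH", gre[:4])
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved1 present
    gre_len += 4 if flags & 0x2000 else 0   # K bit: key present
    gre_len += 4 if flags & 0x1000 else 0   # S bit: sequence number present
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % ethertype)
    return {"outer": outer, "gre_header": gre[:gre_len], "inner": parse_ipv4(gre[gre_len:])}


def encode_value(value, size: int) -> bytes:
    """Encode a signature value (integer or dotted IPv4) as `size` big-endian bytes."""
    if isinstance(value, str):
        packed = ipaddress.IPv4Address(value).packed
        if size != len(packed):
            raise ValueError("an IPv4 address needs size 4, got %d" % size)
        return packed
    return int(value).to_bytes(size, "big")


def header_matches(pkt: bytes, offset: int, size: int, value) -> dict:
    """Which layer `header ip[offset:size] == value` would match: outer, inner, or neither."""
    layers = decapsulate_gre(pkt)
    want = encode_value(value, size)
    return {name: layers[name]["header"][offset:offset + size] == want
            for name in ("outer", "inner")}


if __name__ == "__main__":
    for off, size, val in [(10, 1, 47), (9, 1, 47), (16, 4, "10.0.0.1"),
                           (12, 4, "10.0.0.1"), (16, 4, "1.1.1.1")]:
        print("ip[%d:%d] == %-9s -> %s"
              % (off, size, val, header_matches(SAMPLE_PACKET, off, size, val)))
```

Run it directly to print the comparisons for the five header tests from the thread. `decapsulate_gre` raises if the outer protocol is not 47 or the GRE protocol type is not 0x0800, and it steps over the optional checksum, key and sequence fields when the corresponding GRE flag bits are set, so it can be pointed at other GRE captures as well.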

