[Bro] Protosig question, round 2

Zeolla@GMail.com zeolla at gmail.com
Fri Nov 4 13:59:01 PDT 2016


I have the same interests but for vxlan encapsulated traffic.  Last I
heard, no luck doing this with bro.  Have to decap upstream.

On Fri, Nov 4, 2016, 16:05 James Lay <jlay at slave-tothe-box.net> wrote:

> So not wanting to hijack a thread, here we have the pcap for GRE
> traffic:
>
> https://www.cloudshark.org/captures/000721f1edfb
>
> So per packet #1, src is 10.0.0.1, dst is 10.0.0.2.  Packet #10 in the
> IP header is x2f or 47.  I was hoping one of these would match, but they
> don't:
>
> signature protosig_gre {
>     header ip[10] == 47
>     event "match"
> }
>
> signature protosig_gre {
>     header ip[10:1] == 47
>     event "match"
> }
>
> I tested this, and oddly this didn't match either:
>
> signature protosig_gre {
>    header ip[16:4] == 10.0.0.1
>    event "match"
> }
>
> But THIS did:
>
> signature protosig_gre {
>    header ip[16:4] == 1.1.1.1
>    event "match"
> }
>
> So that tells me that bro is reading the GRE encapsulated IP header,
> which is neat.  Now...how do I tell bro to NOT read the GRE encapsulated
> IP header and read the original IP header?  I also tried matching on GRE
> header proper as a payload of /\x00\x00\x08\x00/:
>
> signature protosig_gre_payload {
>    ip-proto == ip
>    payload /\x00\x00\x08\x00/
>    #payload-size == 4
> }
>
> But this didn't match either.  Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-- 

Jon

Sent from my mobile device
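An added example (not from this thread and not Bro code) that builds a GRE-in-IPv4 packet shaped like the one in the capture above and reports, for the outer IP header and then the encapsulated one, the bytes at the offsets used in the signatures above, plus whether the IP payload starts with the GRE bytes `00 00 08 00`. It assumes Bro's `header ip[offset:size]` counts bytes from zero, as in the IPv4 header layout (offset 9 is the protocol field, 12 the source, 16 the destination); the inner addresses and ICMP payload are constructed.

```python
import struct
import ipaddress

GRE_PROTO = 47                       # IP protocol number for GRE (0x2f)
GRE_BASE_IPV4 = b"\x00\x00\x08\x00"  # base GRE header: no flags, protocol type 0x0800 (IPv4)

def checksum(data):
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(outer_src, outer_dst, inner):
    """Wrap a packet in IPv4 + base GRE (no C/K/S flags, so the GRE header is 4 bytes)."""
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, 4 + len(inner)) + GRE_BASE_IPV4 + inner

def ip_layers(pkt):
    """Walk a GRE-in-IPv4 packet and return one record per IPv4 header, outer first.
    Offsets are zero-based from the start of each IP header: 9 = protocol,
    12..15 = source, 16..19 = destination; byte 10 is the high checksum byte."""
    layers = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        hdr, payload = pkt[:ihl], pkt[ihl:]
        layers.append({
            "ip[9:1]": hdr[9], "ip[10:1]": hdr[10],
            "ip[12:4]": str(ipaddress.IPv4Address(hdr[12:16])),
            "ip[16:4]": str(ipaddress.IPv4Address(hdr[16:20])),
            "payload_starts_with_gre": payload[:4] == GRE_BASE_IPV4,
        })
        if hdr[9] != GRE_PROTO or payload[:4] != GRE_BASE_IPV4:
            break                 # not a base GRE header carrying IPv4: stop descending
        pkt = payload[4:]         # descend into the encapsulated IPv4 packet
    return layers

# Constructed sample: outer 10.0.0.1 -> 10.0.0.2 (the capture's endpoints) carrying an
# ICMP echo 1.1.1.2 -> 1.1.1.1 (inner addresses and payload are made up for this example).
INNER = ipv4_header("1.1.1.2", "1.1.1.1", 1, 8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
SAMPLE = gre_encapsulate("10.0.0.1", "10.0.0.2", INNER)

if __name__ == "__main__":
    for depth, layer in enumerate(ip_layers(SAMPLE)):
        print("layer", depth, layer)
```

Running it shows that byte 10 of neither header is 47 (the protocol number sits at offset 9), that 1.1.1.1 appears only at `ip[16:4]` of the inner header, and that the GRE bytes sit at the very start of the outer IP payload.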