[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Sat Oct 15 09:52:19 PDT 2016


On Sat, 2016-10-15 at 10:48 -0600, James Lay wrote:
> Wow...so here's my sig:
> 
> signature protosig_ntp_apple {
>   dst-ip == 17.0.0.0/8
>   ip-proto == udp
>   dst-port == 123
>   payload /.*\x00/
>   payload-size == 48
>   eval ProtoSig::match
> }
> 
> First, IP is 192.168.1.95 -> 17.253.4.253 udp port 123.
> 
> Issue #1:  CIDR doesn't appear to work. With the above dst-ip entry
> this fails to identify ntp_apple; commenting out the dst-ip line, it
> matches.
> Issue #2:  Payload-size; of interest, if you don't set a payload
> entry, then setting payload-size with ">" and "==" won't match, but
> ANY number with "<" fired off. Ironically I could set payload-size <
> 1 and this would fire.
> 
> this is using latest beta.  Thank you.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Also of interest, header ip[16:4] == 17.0.0.0/8 DOES in fact work, so I
believe there's an issue with the dst-ip item.
James
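For readers following the thread, the following is an added reference model of what the posted protosig_ntp_apple signature is meant to match; it is example code written for this page, not Bro's signature engine or any code from the original poster. It assumes the intended semantics are: destination address inside 17.0.0.0/8, UDP to port 123, a payload that matches the pattern from its start (so the leading `.*` behaves as in the signature), and a payload-size comparison that honours the operator literally. The packet tuple and the 48-byte NTP client request are constructed here for illustration.

```python
import ipaddress
import operator
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal packet view: only the fields the signature looks at."""
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int
    payload: bytes


# Conditions taken from the posted protosig_ntp_apple signature.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
# Assumption: Bro payload patterns are matched from the start of the
# payload, so re.match with DOTALL stands in for /.*\x00/.
PAYLOAD_RE = re.compile(rb".*\x00", re.DOTALL)

# payload-size operators and the comparison each one should express.
_SIZE_OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    "<=": operator.le,
    ">": operator.gt,
    ">=": operator.ge,
}


def payload_size_ok(size: int, op: str, n: int) -> bool:
    """Literal payload-size check: e.g. payload_size_ok(48, '<', 1) is False."""
    return _SIZE_OPS[op](size, n)


def dst_in_cidr(dst_ip: str, cidr: str = "17.0.0.0/8") -> bool:
    """CIDR test equivalent to 'dst-ip == 17.0.0.0/8' (or header ip[16:4])."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(cidr)


def matches_ntp_apple(pkt: Packet, size_op: str = "==", size_n: int = 48) -> bool:
    """Evaluate every condition of the signature against one packet."""
    return (
        dst_in_cidr(pkt.dst_ip)
        and pkt.proto == "udp"
        and pkt.dst_port == 123
        and PAYLOAD_RE.match(pkt.payload) is not None
        and payload_size_ok(len(pkt.payload), size_op, size_n)
    )


def constructed_ntp_client_request() -> bytes:
    """Constructed sample: 48-byte NTPv4 client request (LI=0, VN=4, Mode=3),
    first byte 0x23, every other field zeroed."""
    return bytes([0x23]) + bytes(47)


if __name__ == "__main__":
    # The flow from the post: 192.168.1.95 -> 17.253.4.253 udp/123.
    pkt = Packet("17.253.4.253", "udp", 123, constructed_ntp_client_request())
    print("apple ntp:", matches_ntp_apple(pkt))
    print("wrong net:", matches_ntp_apple(Packet("8.8.8.8", "udp", 123, pkt.payload)))
    print("size < 1 :", matches_ntp_apple(pkt, "<", 1))
```

With the packet from the post the first line prints True, the same payload sent to 8.8.8.8 prints False, and `payload-size < 1` prints False, which is the behaviour one would expect from the signature as written.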

