[Bro] Several protosig questions

Robin Sommer robin at icir.org
Mon Oct 17 13:31:47 PDT 2016


Do you have a trace that you can send demonstrating the two issues?

Robin

On Sat, Oct 15, 2016 at 10:52 -0600, James Lay wrote:

> On Sat, 2016-10-15 at 10:48 -0600, James Lay wrote:
> > Wow...so here's my sig:
> > 
> > signature protosig_ntp_apple {
> >   dst-ip == 17.0.0.0/8
> >   ip-proto == udp
> >   dst-port == 123
> >   payload /.*\x00/
> >   payload-size == 48
> >   eval ProtoSig::match
> > }
> > 
> > First, IP is 192.168.1.95 -> 17.253.4.253 udp port 123.
> > 
> > Issue #1:  CIDR doesn't appear to work. With the above dst-ip entry
> > this fails to identify ntp_apple; commenting out the dst-ip, the line
> > matches.
> > Issue #2:  Payload-size; of interest, if you don't set a payload
> > entry, then setting payload-size with ">" and "==" won't match, but
> > ANY number with "<" fired off. Ironically I could set payload-size <
> > 1 and this would fire.
> > 
> > This is using the latest beta.  Thank you.
> > 
> > James
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> Also of interest, header ip[16:4] == 17.0.0.0/8 DOES in fact work, so I
> believe there's an issue with the dst-ip item.
> James




-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
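The added example below is not Bro code and not part of the thread; it re-implements the five conditions of James's protosig_ntp_apple signature in plain Python and evaluates each one separately against a constructed IPv4/UDP packet, so the expected outcome of every condition (including the dst-ip CIDR test, done on the same header bytes as James's `header ip[16:4]` workaround) can be checked in isolation. Assumptions: the payload regex is matched from the start of the payload (Python `re.match`), the packet is a 48-byte NTPv4 client request with a constructed source port, and the helper names (`build_ipv4_udp`, `parse_ipv4_udp`, `evaluate`, `matches`) are mine.

```python
"""Evaluate the conditions of the protosig_ntp_apple signature from the thread.

Added example, not Bro/Zeek code: it builds a constructed IPv4/UDP packet and
checks each signature condition independently (dst-ip CIDR, ip-proto,
dst-port, payload regex, payload-size), so the expected result of each one is
visible on its own rather than only as an overall match/no-match.
"""
import ipaddress
import operator
import re
import struct

# Comparison operators the signature language allows on payload-size.
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# Conditions copied from the signature in the thread.
SIGNATURE = {
    "dst-ip": ipaddress.ip_network("17.0.0.0/8"),
    "ip-proto": 17,                                  # udp
    "dst-port": 123,
    "payload": re.compile(rb".*\x00", re.DOTALL),    # assumed: anchored at payload start
    "payload-size": ("==", 48),
}


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 (no options) + UDP packet; checksums are left zero."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Pull out only the fields the signature conditions look at."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "proto": pkt[9],
        # IP header bytes 16..19: the same offset James tests with 'header ip[16:4]'
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "dport": struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0],
        "payload": pkt[ihl + 8:],
    }


def evaluate(pkt: bytes, sig: dict = SIGNATURE) -> dict:
    """Return the outcome of every condition separately."""
    f = parse_ipv4_udp(pkt)
    op, size = sig["payload-size"]
    return {
        "dst-ip": f["dst"] in sig["dst-ip"],
        "ip-proto": f["proto"] == sig["ip-proto"],
        "dst-port": f["dport"] == sig["dst-port"],
        "payload": sig["payload"].match(f["payload"]) is not None,
        "payload-size": _OPS[op](len(f["payload"]), size),
    }


def matches(pkt: bytes, sig: dict = SIGNATURE) -> bool:
    """The signature fires only when every condition holds (AND semantics)."""
    return all(evaluate(pkt, sig).values())


# Constructed 48-byte NTPv4 client request (LI=0, VN=4, mode=3, rest zero),
# sent from the host in the thread to the Apple time server it names.
NTP_CLIENT_REQUEST = bytes([0x23]) + bytes(47)
APPLE_PKT = build_ipv4_udp("192.168.1.95", "17.253.4.253", 52000, 123, NTP_CLIENT_REQUEST)
# Same request to a documentation address outside 17.0.0.0/8 (constructed).
OTHER_PKT = build_ipv4_udp("192.168.1.95", "192.0.2.10", 52000, 123, NTP_CLIENT_REQUEST)

if __name__ == "__main__":
    for name, pkt in (("apple", APPLE_PKT), ("other", OTHER_PKT)):
        print(name, evaluate(pkt), "=> match" if matches(pkt) else "=> no match")
```

Running it shows every condition true for the Apple packet and only `dst-ip` false for the other one; swapping the `payload-size` tuple for `("<", 1)` turns that single condition false for both, which is the behaviour a correct `payload-size` comparison should have for a 48-byte datagram.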

