[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Mon Oct 17 14:08:01 PDT 2016


On 2016-10-17 14:31, Robin Sommer wrote:
> Do you have a trace that you can send demonstrating the two issues?
> 
> Robin

Included!  Sigs below (in 2.4.1 order mattered... I think last matched 
gets the protosig tag, but I've swapped these around with the same 
results)... in either case only ntp matches, not ntp_apple.  Maybe it's a 
beta thing?

signature protosig_ntp {
   ip-proto == udp
   dst-port == 123
   payload /.*\x00/
   payload-size == 48
   eval ProtoSig::match
}

signature protosig_ntp_apple {
   #header ip[16:4] == 17.0.0.0/8
   dst-ip == 17.0.0.0/8
   ip-proto == udp
   dst-port == 123
   payload /.*\x00/
   payload-size == 48
   eval ProtoSig::match
}

Thank you.

James

> 
> On Sat, Oct 15, 2016 at 10:52 -0600, James Lay wrote:
> 
>> On Sat, 2016-10-15 at 10:48 -0600, James Lay wrote:
>> > Wow...so here's my sig:
>> >
>> > signature protosig_ntp_apple {
>> >   dst-ip == 17.0.0.0/8
>> >   ip-proto == udp
>> >   dst-port == 123
>> >   payload /.*\x00/
>> >   payload-size == 48
>> >   eval ProtoSig::match
>> > }
>> >
>> > First, IP is 192.168.1.95 -> 17.253.4.253 udp port 123.
>> >
>> > Issue #1:  CIDR doesn't appear to work..with the above dst-ip entry
>> > this fails to identify ntp_apple, commenting out the dst-ip the line
>> > matches.
>> > Issue #2:  Payload-size; of interest, if you don't set a payload
>> > entry, then setting payload-size with ">" and "==" won't match, but
>> > ANY number with "<" fired off. Ironically I could set payload-size <
>> > 1 and this would fire.
>> >
>> > this is using latest beta.  Thank you.
>> >
>> > James
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> Also of interest, header ip[16:4] == 17.0.0.0/8 DOES in fact work, so I
>> believe there's an issue with the dst-ip item.
>> James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/vnd.tcpdump.pcap
Size: 1296 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161017/9d5a7db6/attachment.bin 
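As an added illustration (not code from this thread or from Bro itself), the following Python models what the two posted signatures should match on the packet described above (192.168.1.95 -> 17.253.4.253, UDP port 123, 48-byte payload), and shows why "header ip[16:4]" is equivalent to "dst-ip": the destination address is the 4 bytes at offset 16 of the IPv4 header. The sample packet is constructed inline; build_packet, header_ip and parse are names chosen for this example, not Bro's.

```python
import ipaddress
import re
import struct

NTP_PORT = 123
IPPROTO_UDP = 17

# Constructed 48-byte NTP client request: LI=0, VN=4, mode=3, rest zero.
NTP_REQUEST = bytes([0x23]) + bytes(47)


def build_packet(src, dst, dport, payload, sport=50000):
    """Build a minimal IPv4/UDP datagram (checksums left zero) for testing."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + udp + payload


def header_ip(pkt, offset, length):
    """Bytes selected by the signature condition 'header ip[offset:length]'."""
    return pkt[offset:offset + length]


def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    # dst-ip is exactly the 4 bytes at IP header offset 16, i.e. header ip[16:4]
    dst_ip = ipaddress.IPv4Address(header_ip(pkt, 16, 4))
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    payload = pkt[ihl + 8:]
    return proto, dst_ip, dport, payload


def protosig_ntp(pkt):
    """Conditions of the posted protosig_ntp signature."""
    proto, _, dport, payload = parse(pkt)
    return (proto == IPPROTO_UDP and dport == NTP_PORT
            and re.match(rb".*\x00", payload, re.DOTALL) is not None
            and len(payload) == 48)


def protosig_ntp_apple(pkt):
    """protosig_ntp plus the dst-ip == 17.0.0.0/8 condition."""
    return protosig_ntp(pkt) and parse(pkt)[1] in ipaddress.IPv4Network("17.0.0.0/8")


if __name__ == "__main__":
    pkt = build_packet("192.168.1.95", "17.253.4.253", NTP_PORT, NTP_REQUEST)
    print("ntp:", protosig_ntp(pkt), "ntp_apple:", protosig_ntp_apple(pkt))
```

For the trace described in the thread both functions return True, which is the result the poster expected from Bro; a destination outside 17.0.0.0/8 satisfies only protosig_ntp.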