[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Mon Oct 24 11:58:08 PDT 2016 

On 2016-10-24 12:51, Robin Sommer wrote:
> On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:
> 
>> However if I have a generic ntp rule, either before or after the
>> ntp_apple, I only get the ntp match:
> 
> Let me clarify one thing:
> 
>>   eval ProtoSig::match
> 
> "eval" is not for flagging a match. It's a condition by itself that
> influences the matching of the signature. To learn about a match use
> "event" instead and then hook into the "signature_event" event. If I
> do that, things seem to work for me correctly with the sig-fixes
> branch:

Ok cool...I've just been going per the docs here:

https://github.com/broala/bro-protosigs

"You must add the eval ProtoSig::match condition into your signature 
that does the final match. That call is what ties the signature match 
into the protosigs Bro scripts."

I'll give event a go and report my findings.  Thanks so much Robin!

James

> 
>     # cat test.sig
>     signature protosig_ntp {
>       ip-proto == udp
>       dst-port == 123
>       payload /.*\x00/
>       payload-size == 48
>       event "match"
> 
>     }
>     signature protosig_ntp_apple {
>       dst-ip == 17.0.0.0/8
>       ip-proto == udp
>       dst-port == 123
>       payload /.*\x00/
>       payload-size == 48
>       event "match"
>     }
> 
>     # cat test.bro
>     event signature_match(state: signature_state, msg: string, data: 
> string)
>             {
>             print "signature match", state$sig_id;
>             }
> 
>     # bro -s ./test.sig -r ntp-1.pcap ./test.bro
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
> 
> 
> If I add "eval", I do see it execute for both signatures, though more
> often for the generic one. That's probably an artefact of the order in
> which conditions are run internally; having the dst-ip in there may
> change that.
> 
> Btw, the order of matches is undefined, and might have well changed
> since 2.4.
> 
> Robin
> 
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

More information about the Bro mailing list