[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Mon Oct 24 12:53:56 PDT 2016


On 2016-10-24 12:51, Robin Sommer wrote:
> On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:
> 
>> However if I have a generic ntp rule, either before or after the
>> ntp_apple, I only get the ntp match:
> 
> Let me clarify one thing:
> 
>>   eval ProtoSig::match
> 
> "eval" is not for flagging a match. It's a condition by itself that
> influences the matching of the signature. To learn about a match use
> "event" instead and then hook into the "signature_event" event. If I
> do that, things seem to work for me correctly with the sig-fixes
> branch:

Ok first off thanks for that test setup...now I can just test a sig vs. 
a pcap, so that's tight.  My results:

[13:36:27 @tester:~/dev/bro$] bro -s ./test.sig -r pcaps/ntp-1.pcap ./test.bro
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple

So it does indeed match...however in the official conn.log, this is what 
I get:

[13:36:32 @tester:~/dev/bro$] ./testhome pcaps/ntp-1.pcap
[13:36:37 @tester:~/dev/bro$] cat conn.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn
#open   2016-10-24-13-36-37
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   service duration        orig_bytes      resp_bytes      conn_state      local_orig      local_resp      missed_bytes    history orig_pkts       orig_ip_bytes   resp_pkts       resp_ip_bytes   tunnel_parents  protosig
#types  time    string  addr    port    addr    port    enum    string  interval        count   count   string  bool    bool    count   string  count   count   count   count   set[string]     string
1476535656.489094       ClixtHWwLmpBYkZRh       192.168.1.95    123     17.253.4.253    123     udp     -       0.040715        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
1476535656.533910       CJFnxQiLgFYwVcEFi       192.168.1.95    123     17.253.4.125    123     udp     -       0.040804        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
1476535657.111868       Cds9uP3GtXbb1jHh3d      192.168.1.95    123     17.253.26.253   123     udp     -       0.037826        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
1476535738.400766       CTkIhX1qHjadF6iple      192.168.1.100   123     17.253.4.253    123     udp     -       0.040577        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
1476535738.360132       Chm9Q6WalLZnpFx4g       192.168.1.100   123     17.253.26.253   123     udp     -       0.037825        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
1476535739.752622       CRWW8j41rCTK6gYZSk      192.168.1.100   123     17.253.4.125    123     udp     -       0.040857        48      48      SF      T       F       0       Dd      1       76      1       76      (empty) ntp
#close  2016-10-24-13-36-37

Swapping which sig is first gets me this:

[13:46:24 @tester:~/dev/bro$] bro -s ./test.sig -r pcaps/ntp-1.pcap ./test.bro
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp

But the same results as above in conn.log.  So I guess that's a feature 
request?  To hard define either a first rule that matches gets logged, 
or the last rule that matches gets logged.  This will allow granular 
flow identification..which, to be honest, is the whole reason I'm doing 
this in the first place :)  Thanks again Robin.

> 
>     # cat test.sig
>     signature protosig_ntp {
>       ip-proto == udp
>       dst-port == 123
>       payload /.*\x00/
>       payload-size == 48
>       event "match"
> 
>     }
>     signature protosig_ntp_apple {
>       dst-ip == 17.0.0.0/8
>       ip-proto == udp
>       dst-port == 123
>       payload /.*\x00/
>       payload-size == 48
>       event "match"
>     }
> 
>     # cat test.bro
>     event signature_match(state: signature_state, msg: string, data: string)
>             {
>             print "signature match", state$sig_id;
>             }
> 
>     # bro -s ./test.sig -r ntp-1.pcap ./test.bro
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
>     signature match, protosig_ntp
>     signature match, protosig_ntp_apple
> 
> 
> If I add "eval", I do see it execute for both signatures, though more
> often for the generic one. That's probably an artefact of the order in
> which conditions are run internally; having the dst-ip in there may
> change that.
> 
> Btw, the order of matches is undefined, and might have well changed
> since 2.4.
> 
> Robin
> 
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
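One way to get a deterministic protosig into conn.log despite the undefined match order Robin describes: rank the signatures and keep only the highest-ranked match per connection. This is an added example, not code from the thread or from the Bro project; the `priority` table and the `protosig_best`/`protosig_prio` fields are assumptions, and the signature names are the two from the thread.

```bro
# Added example, not code from the thread or from Bro itself.
# Makes the protosig logged in conn.log deterministic: every matching
# signature is ranked, and only the highest-ranked one per connection is kept,
# so the (undefined) order in which matches fire no longer matters.
module ProtoSig;

export {
	redef record Conn::Info += {
		## Protocol signature selected for this connection.
		protosig: string &log &optional;
	};

	## Assumed ranking: higher wins. The more specific signature from the
	## thread (protosig_ntp_apple) outranks the generic one (protosig_ntp).
	const priority: table[string] of count = {
		["protosig_ntp"] = 1,
		["protosig_ntp_apple"] = 2,
	} &default=0 &redef;
}

# Per-connection state for the best match seen so far (assumed field names).
redef record connection += {
	protosig_best: string &optional;
	protosig_prio: count &default=0;
};

event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	local p = priority[state$sig_id];

	# Replace the current choice only if this signature ranks strictly higher,
	# so ties keep the first match and unranked signatures (rank 0) are ignored.
	if ( p > c$protosig_prio )
		{
		c$protosig_prio = p;
		c$protosig_best = state$sig_id;
		}
	}

# In Bro 2.x, base/protocols/conn fills Conn::Info at &priority=5 and writes
# it at &priority=-5, so a default-priority handler can still add the field.
event connection_state_remove(c: connection)
	{
	if ( c?$protosig_best )
		c$conn$protosig = c$protosig_best;
	}
```

Swapping the order of the signatures in test.sig no longer changes the logged value; only the `priority` table does.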

