[Bro] Several protosig questions
James Lay
jlay at slave-tothe-box.net
Mon Oct 24 12:53:56 PDT 2016
On 2016-10-24 12:51, Robin Sommer wrote:
> On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:
>
>> However if I have a generic ntp rule, either before or after the
>> ntp_apple, I only get the ntp match:
>
> Let me clarify one thing:
>
>> eval ProtoSig::match
>
> "eval" is not for flagging a match. It's a condition by itself that
> influences the matching of the signature. To learn about a match use
> "event" instead and then hook into the "signature_event" event. If I
> do that, things seem to work for me correctly with the sig-fixes
> branch:
Ok, first off, thanks for that test setup... now I can just test a sig vs.
a pcap, so that's tight. My results:
[13:36:27 @tester:~/dev/bro$] bro -s ./test.sig -r pcaps/ntp-1.pcap ./test.bro
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
So it does indeed match...however in the official conn.log, this is what
I get:
[13:36:32 @tester:~/dev/bro$] ./testhome pcaps/ntp-1.pcap
[13:36:37 @tester:~/dev/bro$] cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-10-24-13-36-37
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents protosig
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string
1476535656.489094 ClixtHWwLmpBYkZRh 192.168.1.95 123 17.253.4.253 123 udp - 0.040715 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
1476535656.533910 CJFnxQiLgFYwVcEFi 192.168.1.95 123 17.253.4.125 123 udp - 0.040804 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
1476535657.111868 Cds9uP3GtXbb1jHh3d 192.168.1.95 123 17.253.26.253 123 udp - 0.037826 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
1476535738.400766 CTkIhX1qHjadF6iple 192.168.1.100 123 17.253.4.253 123 udp - 0.040577 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
1476535738.360132 Chm9Q6WalLZnpFx4g 192.168.1.100 123 17.253.26.253 123 udp - 0.037825 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
1476535739.752622 CRWW8j41rCTK6gYZSk 192.168.1.100 123 17.253.4.125 123 udp - 0.040857 48 48 SF T F 0 Dd 1 76 1 76 (empty) ntp
#close 2016-10-24-13-36-37
Swapping which sig is first gets me this:
[13:46:24 @tester:~/dev/bro$] bro -s ./test.sig -r pcaps/ntp-1.pcap ./test.bro
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
signature match, protosig_ntp_apple
signature match, protosig_ntp
But the same results as above in conn.log. So I guess that's a feature
request? To hard define either a first rule that matches gets logged,
or the last rule that matches gets logged. This will allow granular
flow identification... which, to be honest, is the whole reason I'm doing
this in the first place :) Thanks again, Robin.
>
> # cat test.sig
> signature protosig_ntp {
>     ip-proto == udp
>     dst-port == 123
>     payload /.*\x00/
>     payload-size == 48
>     event "match"
> }
>
> signature protosig_ntp_apple {
>     dst-ip == 17.0.0.0/8
>     ip-proto == udp
>     dst-port == 123
>     payload /.*\x00/
>     payload-size == 48
>     event "match"
> }
>
> # cat test.bro
> event signature_match(state: signature_state, msg: string, data: string)
>     {
>     print "signature match", state$sig_id;
>     }
>
> # bro -s ./test.sig -r ntp-1.pcap ./test.bro
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
> signature match, protosig_ntp
> signature match, protosig_ntp_apple
>
>
> If I add "eval", I do see it execute for both signatures, though more
> often for the generic one. That's probably an artefact of the order in
> which conditions are run internally; having the dst-ip in there may
> change that.
>
> Btw, the order of matches is undefined, and might have well changed
> since 2.4.
>
> Robin
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
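Added example (editor's note, not code from this thread, from James's branch or from Bro itself): one way to get the deterministic "which matching rule gets logged" behaviour asked for above without depending on the match order, which Robin notes is undefined. Instead of first-or-last, the script ranks signatures by an explicit priority table and writes the winner into a conn.log column. The signature ids are the two from Robin's test.sig; the column name `chosen_sig`, the per-connection field `sig_pick`, the module name and the weights are assumptions made for this example.

```bro
# Example script: pick one signature per connection by explicit priority
# rather than by the (undefined) order in which signature_match fires.
# Assumed names: module SigPick, Conn::Info field chosen_sig, connection
# field sig_pick, and the priority weights below.

module SigPick;

export {
	redef record Conn::Info += {
		## Highest-priority signature that matched this connection.
		chosen_sig: string &log &optional;
	};

	## Priority per signature id; the larger value wins. The ids are the
	## two signatures from the thread, the weights are an assumption.
	## Unlisted signatures get 0 via &default.
	const priority: table[string] of count = {
		["protosig_ntp"]       = 1,
		["protosig_ntp_apple"] = 10,
	} &default=0 &redef;
}

# Scratch space on the connection record while matches are still coming in.
redef record connection += {
	sig_pick: string &optional;
};

# This only fires for signatures that carry an "event" action in the .sig
# file (Robin's point: "eval" is a condition, not a match notification).
event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	local sid = state$sig_id;

	# Strict ">" keeps the first-seen signature on equal weights, which
	# would reintroduce the undefined order; give distinct weights to the
	# signatures you care about.
	if ( ! c?$sig_pick || priority[sid] > priority[c$sig_pick] )
		c$sig_pick = sid;
	}

# Copy the winner into the Conn::Info record before the conn log is written.
# Assumes the base Conn script has already created c$conn at a higher
# priority and writes the log at a lower one, so the default priority 0
# sits between the two; the c?$conn guard covers the case where it has not.
event connection_state_remove(c: connection)
	{
	if ( c?$sig_pick && c?$conn )
		c$conn$chosen_sig = c$sig_pick;
	}
```

Run it the same way as the test above, e.g. `bro -s ./test.sig -r pcaps/ntp-1.pcap sigpick.bro`, and look at the `chosen_sig` column of conn.log. For the six connections in the thread, where both signatures fire on every packet, the column would carry `protosig_ntp_apple`, regardless of which signature sits first in test.sig. Swapping the weights (or adding a more specific signature with a larger one) changes the outcome without touching the signature file order.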