[Bro] Dealing with tcp-based Unknown Protocols

Shuai Hao haoscs at gmail.com
Tue Dec 12 21:20:44 PST 2017


Thanks, Jan and Jon! I noticed that the "Analyzers of Last Resort" is very
useful for our case, and PacketSled would like to share this part with the
community. I cannot find the email addresses of the speakers from PacketSled;
can anyone help?

Also, following Jon's suggestion of a script-level solution, we wrote the
following sample code for testing. We assume here that any time we capture a
protocol_confirmation from any analyzer, there is an analyzer available that
is responsible for the stream, so we disable the Unknown_Protocol analyzer,
which matches anything.

>
> module Unknown;
> export { redef enum Log::ID += { LOG }; }
>
> event bro_init () {
>     Log::create_stream(Unknown::LOG, ....);
> }
>
> hook disable_unknown() {
>     Analyzer::disable_analyzer(Analyzer::ANALYZER_UNKNOWN);
> }
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) {
>    hook disable_unknown();
> }
>
> event Unknown_event(c: connection) {
>    # unknown protocol process
> }
>

If we test with an uncommon protocol trace for which there is no
corresponding protocol analyzer, the Unknown_Protocol analyzer successfully
captures the stream. However, this Analyzer::disable_analyzer() doesn't work
here. With normal protocol traces, we still see the analyzer processing the
stream and producing logs.

Any ideas how this Analyzer::disable_analyzer() should be used in such a
scenario?

In addition, Log::disable_stream() works here if we only want to terminate
the log stream of the Unknown Protocol analyzer. However, we would
essentially like to disable the analysis process itself rather than only
closing the log stream.

Thanks a lot.


On Mon, Dec 11, 2017 at 12:24 PM, Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> On 11/12/17 07:45, Shuai Hao wrote:
> > I wonder whether anyone has experience tackling the "unknown protocol"
> > case, when DPD cannot recognize the protocol and/or all existing analyzers
> > fail.
>
> Maybe the "Analyzers of Last Resort" Leo and Aaron talked about in their
> BroCon'17 Lightning-Talks is what you are looking for:
> https://www.bro.org/brocon2017/slides/2017_lightning_talk.pdf
>
> Jan
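The per-connection variant below is an added example, not code from the thread or from PacketSled's analyzer. It keeps the last-resort analyzer available for connections nobody else claims, and detaches it only from connections whose protocol a regular analyzer has confirmed. The distinction it relies on: the script-level Analyzer::disable_analyzer(tag) used in the post is a global switch on the analyzer tag, whereas the disable_analyzer(cid, aid) BiF (the call the DPD framework itself makes in its protocol_violation handler) removes one analyzer instance from one connection. The tag Analyzer::ANALYZER_UNKNOWN is the placeholder from the post, the event unknown_protocol_data and its signature are assumed to be raised by the last-resort analyzer with its own analyzer id, and the Unknown::Info log record is constructed here.

```bro
# Added example (not from the thread): gate a "last resort" analyzer per
# connection instead of switching it off globally.
#
# Assumptions: the last-resort analyzer is registered under the tag
# Analyzer::ANALYZER_UNKNOWN (the placeholder name used in the post) and
# raises an event unknown_protocol_data(c, aid, data) carrying its own
# analyzer id. Both names and the Unknown::Info record are constructed
# for this example.

module Unknown;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:    time    &log;
        uid:   string  &log;
        id:    conn_id &log;
        bytes: count   &log &default=0;
    };
}

# Per-connection flag: set once a regular analyzer has confirmed the protocol.
redef record connection += {
    protocol_confirmed: bool &default=F;
};

event bro_init()
{
    Log::create_stream(Unknown::LOG, [$columns=Info, $path="unknown"]);
}

# A confirmation from any analyzer other than the last-resort one means this
# connection is handled; remember that on the connection record rather than
# disabling the analyzer for every other connection as well.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
{
    if ( atype != Analyzer::ANALYZER_UNKNOWN )
        c$protocol_confirmed = T;
}

# Assumed event from the last-resort analyzer. Once the connection has a
# confirmed protocol, detach only this analyzer instance from this connection
# with the disable_analyzer(cid, aid) BiF (the same call the DPD framework
# uses in its protocol_violation handler); other connections are unaffected.
event unknown_protocol_data(c: connection, aid: count, data: string)
{
    if ( c$protocol_confirmed )
    {
        disable_analyzer(c$id, aid);
        return;
    }

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $bytes=|data|];
    Log::write(Unknown::LOG, rec);
}
```

Run it against a trace with `bro -r <trace.pcap> unknown.bro`: connections that a regular analyzer confirms stop producing unknown.log entries after the first confirmation, while a trace of an unrecognized protocol keeps logging through the last-resort analyzer. If the last-resort analyzer only ever confirms after the regular ones have already declined, the same flag can also be checked before attaching it at all.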