[Bro] Logging TCP server banners
Christian Kreibich
christian at corelight.com
Wed Feb 14 14:20:08 PST 2018
Hi Pierre,
On 02/08/2018 11:06 AM, Pierre LALET wrote:
> event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
>     {
>     if ( ! is_orig && seq == 1 && c$orig$num_pkts == 2 )
>         {
>         Log::write(PassiveRecon::LOG, [$ts=c$start_time,
>                                        $host=c$id$resp_h,
>                                        $srvport=c$id$resp_p,
>                                        $recon_type=TCP_SERVER_BANNER,
>                                        $value=contents]);
>         }
>     }
I'd recommend a different approach, namely to keep additional state for
each connection to indicate whether you've seen contents from the
respective endpoints. That way, when you see contents arrive from the
responder you can check directly whether you've previously seen anything
from the originator, and if so, ignore the responder's content.
> wrpcap("test.cap", [
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>         TCP(dport=80, sport=5678, flags="S", ack=0, seq=555678),
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>         TCP(sport=80, dport=5678, flags="SA", seq=111234, ack=555679),
>     # Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     #     TCP(dport=80, sport=5678, flags="A", ack=111235, seq=555679),
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>         TCP(dport=80, sport=5678, flags="PA", ack=111235, seq=555679) / "DATA",
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>         TCP(sport=80, dport=5678, flags="PA", seq=111235, ack=555683) / "DATA"
> ])
(With the commented-out line this is missing the pure TCP ACK packet
that completes the TCP handshake, so may not be a good test case.)
Best,
Christian
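The per-connection-state approach Christian describes, written out as an added Bro script (this is not code from either message in the thread). The PassiveRecon module, its Info record, the ReconType enum and the log stream are assumed here because the thread does not show them; the two `tcp_content_deliver_all_*` redefs are needed so `tcp_contents` fires for every connection.

```bro
module PassiveRecon;

export {
	redef enum Log::ID += { LOG };
	# Assumed: the thread references TCP_SERVER_BANNER but not its type.
	type ReconType: enum { TCP_SERVER_BANNER };
	type Info: record {
		ts:         time      &log;
		host:       addr      &log;
		srvport:    port      &log;
		recon_type: ReconType &log;
		value:      string    &log;
	};
}

# Per-connection state: has each endpoint delivered any payload yet?
redef record connection += {
	orig_spoke: bool &default=F;
	resp_spoke: bool &default=F;
};
# tcp_contents only fires for connections whose contents are delivered.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="passiverecon"]);
	}

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	if ( |contents| == 0 )
		return;
	if ( is_orig )
		{
		# The client spoke: whatever the server sends next is a reply, not a banner.
		c$orig_spoke = T;
		return;
		}
	# First responder payload with nothing yet seen from the originator: a banner.
	if ( ! c$resp_spoke && ! c$orig_spoke )
		{
		local rec: Info = [$ts=c$start_time, $host=c$id$resp_h, $srvport=c$id$resp_p,
		                   $recon_type=TCP_SERVER_BANNER, $value=contents];
		Log::write(LOG, rec);
		}
	c$resp_spoke = T;
	}
```

Unlike the `c$orig$num_pkts == 2` test, this does not depend on how many packets the originator has sent, so a retransmitted SYN or a missing handshake ACK (as in the test capture) does not change the result.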