[Bro] Help
rahul rakesh
rahulbroids at gmail.com
Mon Jun 25 05:19:42 PDT 2018
Dear Team,
I am trying to achieve the functionality of the following Snort signatures
using Bro scripts.
The signatures are:
Rule to set the flowbit from snort backdoor.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
Rule to check for the flowbit
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)
The first one sets a flowbit which is used by the second rule for detection.
I wrote the following script that may help me for the first one:
@load base/protocols/conn

# Patterns for the two Snort content matches of sid:3009
const content1 = /.*(BN\x00\x02\x00)/;
const content2 = /.*(\x05\x00)/;

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
	{
	if ( c$id$resp_p == 20034/tcp )
		{
		# depth:6 -> the first 6 bytes of the payload (sub_bytes is 1-based)
		local c1 = sub_bytes(payload, 1, 6);
		if ( content1 in c1 )
			{
			# offset:8; depth:2 -> bytes 9 and 10 of the payload
			local c2 = sub_bytes(payload, 9, 2);
			if ( content2 in c2 )
				{
				### sid 3009 match flow-bit set
				}
			}
		}
	}
So my problem here is how I can do something in Bro like setting a flowbit in
Snort that will help me to correlate and detect.
Thanks!
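One way to get flowbit-like correlation in a Bro script, as an added example written for this page rather than the poster's code or anything from the Bro project: a boolean field added to the connection record stands in for the flowbit, so it is set by the request direction and checked by the response direction of the same connection. The module name, record field, notice type and pattern constants are my own choices, and the patterns assume the Snort content strings contain no literal space.

```zeek
@load base/frameworks/notice

module NetBusFlowbit;

export {
	redef enum Notice::Type += {
		## Equivalent of Snort sid:115 firing after sid:3009 set its flowbit.
		NetBus_Pro_Connection_Established
	};
}

# Stand-in for the Snort flowbit: a flag attached to the connection record,
# so it lives and dies with the connection (hypothetical field name).
redef record connection += {
	netbus_2_connect: bool &default=F;
};

# Constructed patterns mirroring the content matches of the two rules.
const netbus_request  = /BN\x00\x02\x00/;
const netbus_response = /BN\x10\x00\x02\x00/;
const netbus_tail     = /\x05\x00/;

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	# Both rules are pinned to server port 20034 and need at least 10 bytes.
	if ( c$id$resp_p != 20034/tcp || len < 10 )
		return;

	# "depth:6" -> first 6 bytes; "offset:8; depth:2" -> bytes 9-10 (1-based).
	local head = sub_bytes(payload, 1, 6);
	local tail = sub_bytes(payload, 9, 2);

	if ( ! (netbus_tail in tail) )
		return;

	# sid:3009 (flow:to_server, flowbits:noalert): set the flag, stay silent.
	if ( is_orig && netbus_request in head )
		c$netbus_2_connect = T;

	# sid:115 (flow:from_server, flowbits:isset): alert only if the flag is set.
	else if ( ! is_orig && c$netbus_2_connect && netbus_response in head )
		NOTICE([$note=NetBus_Pro_Connection_Established,
		        $msg="BACKDOOR NetBus Pro 2.0 connection established",
		        $conn=c,
		        $identifier=c$uid]);
	}
```

Handling tcp_packet makes Bro process every TCP packet, so for production use the signature framework is the cheaper route: its `requires-reverse-signature` condition gives the same one-direction-then-the-other correlation natively.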