[Bro] Help
Drew Dixon
dwdixon at umich.edu
Mon Jun 25 07:26:33 PDT 2018
Hi Rahul,
While there are certainly others on the list that could and may answer your
question with more specifics, I at least wanted to point out the bro
signature framework doc page that should be helpful to you, assuming you
are not already aware of it:
https://www.bro.org/sphinx/frameworks/signatures.html
-Drew
On Mon, Jun 25, 2018 at 8:20 AM rahul rakesh <rahulbroids at gmail.com> wrote:
> Dear Team,
>
> I am trying to achieve the functionality of the following Snort signatures
> using Bro scripts.
>
> The signatures are:
>
> Rule to set the flowbit from snort backdoor.rules
> alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro
> 2.0 connection request"; flow:to_server,established; content:"BN |00 02
> 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;
> flowbits:set,backdoor.netbus_2.connect; flowbits:noalert;
> classtype:misc-activity; sid:3009; rev:2;)
>
>
> Rule to check for the flowbit
> alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro
> 2.0 connection established"; flow:from_server,established;
> flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|";
> depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity;
> sid:115; rev:9;)
>
> First one sets a flowbit which is used by second rule for detection
>
> I wrote the following script that may help me with the first one:
>
>
> @load base/protocols/conn
>
> event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
>                  ack: count, len: count, payload: string)
> {
>     # content:"BN |00 02 00|"; depth:6 -- the Snort content is six bytes and
>     # includes the space after "BN", so the pattern must include it too.
>     const content1 = /BN\x20\x00\x02\x00/;
>     # content:"|05 00|"; depth:2; offset:8
>     const content2 = /\x05\x00/;
>
>     # flow:to_server -- only look at client-to-server packets on the NetBus port.
>     if ( is_orig && c$id$resp_p == 20034/tcp )
>     {
>         # sub_bytes() positions are 1-based: bytes 1..6, then bytes 9..10.
>         local c1 = sub_bytes(payload, 1, 6);
>         if ( content1 in c1 )
>         {
>             local c2 = sub_bytes(payload, 9, 2);
>             if ( content2 in c2 )
>             {
>                 ### sid 3009 match: flow-bit set
>             }
>         }
>     }
> }
>
>
> So my problem here is how I can do something in Bro like setting a flowbit
> in Snort that will help me to correlate and detect.
>
> Thanks!
>
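The Snort flowbit in the quoted rules is just per-connection state: rule sid:3009 sets it on the client-to-server request and suppresses the alert, rule sid:115 alerts on the server reply only if it is set. In a Bro script the same thing can be done by adding a field to the `connection` record, which lives exactly as long as the connection does. The script below is an added example written for this thread, not code from Drew's or Rahul's mail and not part of the Bro distribution; the module name `NetBusDemo`, the notice type `NetBus_Connection_Established`, the record field `netbus_connect_seen` and the pattern names are assumptions made here, while the port, byte sequences, offsets and directions are taken from the two Snort rules above.

```bro
@load base/frameworks/notice

module NetBusDemo;

export {
    redef enum Notice::Type += {
        ## Server acknowledged a NetBus Pro 2.0 connection request
        ## (equivalent of Snort sid:115). Name assumed for this example.
        NetBus_Connection_Established
    };

    ## Destination port from both Snort rules.
    const netbus_port = 20034/tcp &redef;
}

## Per-connection flag that plays the role of the Snort flowbit
## "backdoor.netbus_2.connect". Field name assumed for this example.
redef record connection += {
    netbus_connect_seen: bool &default=F;
};

## Byte patterns copied from the Snort content matches. "^" anchors them to
## the start of the substring we hand them, mirroring depth/offset.
const req_sig  = /^BN\x20\x00\x02\x00/;  # content:"BN |00 02 00|"; depth:6
const resp_sig = /^BN\x10\x00\x02\x00/;  # content:"BN|10 00 02 00|"; depth:6
const ver_sig  = /^\x05\x00/;            # content:"|05 00|"; depth:2; offset:8

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Both rules need at least 10 payload bytes (offset 8 + depth 2).
    if ( c$id$resp_p != netbus_port || len < 10 )
        return;

    local head = sub_bytes(payload, 1, 6);   # bytes 1..6
    local ver  = sub_bytes(payload, 9, 2);   # bytes 9..10 (Snort offset:8)

    if ( ver_sig !in ver )
        return;

    if ( is_orig )
        {
        # sid:3009, flow:to_server: set the "flowbit", do not alert
        # (flowbits:set,...; flowbits:noalert).
        if ( req_sig in head )
            c$netbus_connect_seen = T;
        }
    else if ( c$netbus_connect_seen && resp_sig in head )
        {
        # sid:115, flow:from_server: the flowbit is set and the server
        # answered with the expected bytes, so raise the notice.
        NOTICE([$note=NetBus_Connection_Established,
                $conn=c,
                $msg="BACKDOOR NetBus Pro 2.0 connection established",
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
        }
    }
```

Two points worth knowing before using this pattern. Handling `tcp_packet` makes Bro deliver every TCP packet to script land, which is expensive on a busy link; restricting the early `return` to the one port keeps the cost down, but the signature framework Drew linked is the cheaper route for pure content matching, and its `requires-signature` / `requires-reverse-signature` conditions express the same "rule B only after rule A in the other direction" dependency that the flowbit encodes. Second, the flag is stored on the `connection` record, so it is automatically discarded with the connection and never leaks across unrelated flows, which is the same scoping Snort gives a flowbit.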