[Bro] Help

Drew Dixon dwdixon at umich.edu
Mon Jun 25 07:26:33 PDT 2018 

Hi Rahul,

While there are certainly others on the list that could and may answer your
question with more specifics, I at least wanted to point out the bro
signature framework doc page that should be helpful to you, assuming you
are not already aware of it:

https://www.bro.org/sphinx/frameworks/signatures.html

-Drew

On Mon, Jun 25, 2018 at 8:20 AM rahul rakesh <rahulbroids at gmail.com> wrote:

> Dear Team,
>
> I am trying to achieve functionality of the following snort signatures
> using bro scripts
>
> signature are -
>
> Rule to set the flowbit from snort backdoor.rules
> alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro
> 2.0 connection request"; flow:to_server,established; content:"BN |00 02
> 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;
> flowbits:set,backdoor.netbus_2.connect; flowbits:noalert;
> classtype:misc-activity; sid:3009; rev:2;)
>
>
> Rule to check for the flowbit
> alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro
> 2.0 connection established"; flow:from_server,established;
> flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|";
> depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity;
> sid:115; rev:9;)
>
> First one sets a flowbit which is used by second rule for detection
>
> i wrote following script that may help me for the first one
>
>
> @load base/protocols/conn
>
> event
> tcp_packet(c:connection,is_orig:bool,flags:string,seq:count,ack:count,len:count,payload:string)
> {
>         const content1 = /.*(BN\x00\x02\x00)/
>         const content2 =/.*(\x05\x00)/
>         if(c$id$resp_p==20034/tcp)
>         {
>                 local c1 = sub_bytes(payload,1,6)
>                 if(content1 in c1)
>                 {
>                         local c2 = sub_bytes(payload,9,2)
>                         if(content2 in c2)
>                         {
>                                 ### sid 3009 match flow-bit set
>
>                         }
>                 }
>         }
> }
>
>
> So my problem here is how can i do something in bro like setting flowbit
> in snort  that will help me to correlate and detect.
>
> Thanks!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180625/8e5a7c68/attachment.html

More information about the Bro mailing list