[Bro] Script conversion to 2.6.2

Tina Barbatsalou tbarbatsalou at gmail.com
Fri Nov 9 06:50:49 PST 2018


I finally managed to address the issue, by replacing the equivalent values
for the following:

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # The old dhcp_ack() only fired on ACKs; dhcp_message() fires for every
    # DHCP message, so only keep the ACK (otherwise DISCOVER/REQUEST messages
    # overwrite the mapping with a yiaddr of 0.0.0.0).
    if ( DHCP::message_types[msg$m_type] != "ACK" )
        return;

    # Store info from the DHCP acknowledgment, to create a mapping
    # between SHA and assigned IP
    DHCP_state[msg$chaddr] = msg$yiaddr;
    }

and I was able to replicate an ARP poisoning attack and get it detected in
the bro -C -i <interface> <path_to_script> mode.

However, when I integrated the script in the broctl infrastructure, it
didn't detect the attack, by producing the equivalent log file.

I have configured the local.bro and respective configuration files
correctly but the attack is not getting detected and no ARP spoofing log
file is generated.

On Fri, Nov 9, 2018 at 11:57 AM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> While not quite providing the answer to your question, this might help a
> bit.
>
> https://github.com/bro/bro/blob/master/NEWS
>
> It tells me that there is a script
> "policy/protocols/dhcp/deprecated_events.bro" that can bring back your
> old events back from the new dhcp_message() only.
>
> You might take a look at what it does and how it constructs the
> dhcp_ack from the dhcp_message()
>
> It takes the dhcp_message(c: connection, is_orig: bool, msg:
> DHCP::Msg, options: DHCP::Options)
>
> checks for the type of the DHCP message
>
> switch ( DHCP::message_types[msg$m_type] )
> case "ACK":
>
> calls an artificially built event - event dhcp_ack(c, old_msg, sm,
> routers, le, sa, hn)
>
> This should get you started. Welcome to the community, please come
> back and ask more questions.
>
>
> On Fri, Nov 9, 2018 at 1:06 AM Tina Barbatsalou <tbarbatsalou at gmail.com>
> wrote:
> >
> > Hello everyone,
> >
> > I am trying to convert a chunk of bro scripting code to the new version,
> but, despite reading the documentation, I don't know what to precisely
> replace.
> >
> > event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr)
> >     {
> >     # Store info from the DHCP acknowledgment, to create a mapping
> >     # between SHA and assigned IP (the record parameter is msg, not
> >     # the type name dhcp_msg)
> >     DHCP_state[msg$h_addr] = msg$yiaddr;
> >     }
> >
> > Apparently, the dhcp_ack event has to be replaced by the dhcp_message
> equivalent, with a syntax similar to (?) the following:
> > event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg,
> options: DHCP::Options).
> >
> > I am not sure if it is correct and what I should include in the
> DHCP::Msg and DHCP::Options parts in order to construct an ack.
> > Moreover, by what should the dhcp_msg be replaced in the following
> function? (DHCP_state[dhcp_msg$h_addr] = dhcp_msg$yiaddr;)
> >
> > Excuse my ignorance; these are my first bro tryouts.
> > Best regards,
> > TB
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
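Putting the two messages together, here is a complete Bro 2.6 script that does the conversion Michał describes, as an added example written for this thread rather than code from either poster or from the Bro project. It assumes a table named DHCP_state (the name from the thread) and adds a hypothetical helper, DHCPMap::assigned_to, that an ARP-spoofing check could call; the 1 day expiry is an arbitrary constructed value.

```bro
# Added example: replacing an old dhcp_ack() handler with dhcp_message()
# on Bro 2.6, keeping only the client-hardware-address -> assigned-IP mapping.
@load base/protocols/dhcp

module DHCPMap;

export {
    ## Client hardware address (msg$chaddr, the old h_addr) -> address the
    ## server assigned in the last ACK. Table name taken from the thread;
    ## the expiry interval is an arbitrary choice for this example.
    global DHCP_state: table[string] of addr &write_expire = 1 day;

    ## Hypothetical helper: does the last DHCP ACK we saw assign `ip` to
    ## the host with hardware address `hw`? Returns F when we have no
    ## mapping for `hw` at all.
    global assigned_to: function(hw: string, ip: addr): bool;
}

function assigned_to(hw: string, ip: addr): bool
    {
    return hw in DHCP_state && DHCP_state[hw] == ip;
    }

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # The old dhcp_ack() fired only on acknowledgments. dhcp_message() is
    # raised for every DHCP message, so filter on the type first.
    # DHCP::message_types maps msg$m_type to "DISCOVER", "OFFER", "REQUEST",
    # "ACK", ... exactly as deprecated_events.bro does.
    if ( DHCP::message_types[msg$m_type] != "ACK" )
        return;

    # Equivalent of the old DHCP_state[msg$h_addr] = msg$yiaddr.
    DHCP_state[msg$chaddr] = msg$yiaddr;
    }
```

One caveat worth keeping in mind for the broctl case: script-level tables such as DHCP_state live in the Bro process that handles the event, so in a cluster the mapping is only populated on the worker that saw the ACK, and a check on another worker will not find it. That does not by itself explain the missing log, but it is the first thing to rule out when a script behaves differently under broctl than under bro -C -i.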