[Zeek] Help to detect CVE-2019-11479

Matt Trostel tet68mt at gmail.com
Mon Jul 1 16:47:28 PDT 2019


It just dawned on me. I did this for CVE-2019-11477 the other day. The below should add “mss” and “sack_ok” fields to your CONN log for all TCP connections.
I’m not great at Zeek scripting, so take this with some caution. I’m sure there are folks here on the list that could better optimize this. :)



	# Add the two new fields to the conn.log record.
	redef record Conn::Info += {
		mss: count &optional &log;
		sack_ok: bool &optional &log;
	};
	
	# Hold the values on the connection record until conn.log is written.
	redef record connection += {
		mss: count &optional &log;
		sack_ok: bool &optional &log;
	};

	# Fires for the originator's SYN and the responder's SYN/ACK (the last one
	# seen wins); SYN_packet carries the parsed TCP options, including MSS.
	event connection_SYN_packet(c: connection, pkt: SYN_packet) {
		c$mss = pkt$MSS;
		c$sack_ok = pkt$SACK_OK;
	}

	# Copy the fields into Conn::Info just before the connection is logged.
	event connection_state_remove(c: connection) {
		if ( c ?$ mss )
			c$conn$mss = c$mss;

		if ( c ?$ sack_ok )
			c$conn$sack_ok = c$sack_ok;
	}



> On Jul 1, 2019, at 18:33, Matt Trostel <tet68mt at gmail.com> wrote:
> 
> Hi Zer0d0y,
> 
> You should be able to pull these values from the connection_SYN_packet event (https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html#id-connection_SYN_packet).
> 
> The SYN packet (https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet) contains the MSS value.
> 
> I hope this helps.
> 
> - Matt
> 
> 
>> On Jul 1, 2019, at 10:19, Zer0d0y <zer0d0y at foxmail.com <mailto:zer0d0y at foxmail.com>> wrote:
>> 
>> Hi all,
>>     Recently, Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels (CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)).
>> 
>>     We want to detect this flaw with Zeek, but it looks like there's no way to get the MSS (Maximum Segment Size) value of the TCP options. Any ideas?
>> 
>> Thanks,
>> 
>> ------------------
>> 
>> Zer0d0y
>> Threat Detection & Hunting
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org <mailto:zeek at zeek.org>
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> 
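The thread's approach is to read MSS and SACK_OK off the SYN as Zeek already parses them. The following is an added example, not code from this thread or from Zeek, that does the same thing by hand on a raw TCP header so the logic can be checked offline against captured SYNs: it walks the TCP options (kind 2 = MSS, kind 4 = SACK permitted), returns the same two fields the script above logs, and flags a SYN whose advertised MSS falls below a threshold. The `LOW_MSS_THRESHOLD` value and the sample SYNs are assumptions constructed for illustration, not values from the thread.

```python
"""Extract MSS and SACK-permitted from a raw TCP SYN header and flag low MSS.

Added example, not code from the mailing list thread or from Zeek. It reproduces
by hand what Zeek exposes as pkt$MSS and pkt$SACK_OK in connection_SYN_packet.
LOW_MSS_THRESHOLD is an assumed, configurable value, not a number from the thread.
"""
import struct
from typing import NamedTuple, Optional, Tuple

TCP_OPT_END = 0       # end of option list
TCP_OPT_NOP = 1       # single-byte padding
TCP_OPT_MSS = 2       # kind 2, length 4, 16-bit MSS
TCP_OPT_SACK_OK = 4   # kind 4, length 2, no body

LOW_MSS_THRESHOLD = 500  # assumption: SYNs advertising an MSS below this are flagged


class SynInfo(NamedTuple):
    src_port: int
    dst_port: int
    mss: Optional[int]   # None when the SYN carries no MSS option
    sack_ok: bool


def parse_tcp_options(options: bytes) -> Tuple[Optional[int], bool]:
    """Walk the TCP option list and return (mss, sack_ok)."""
    mss = None
    sack_ok = False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        body = options[i + 2:i + length]
        if kind == TCP_OPT_MSS and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == TCP_OPT_SACK_OK:
            sack_ok = True
        i += length
    return mss, sack_ok


def parse_syn(tcp_header: bytes) -> SynInfo:
    """Parse a TCP header (starting at the source port) that has the SYN flag set."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp_header[:14])
    data_offset = (off_flags >> 12) * 4   # header length in bytes
    if not off_flags & 0x02:              # SYN flag
        raise ValueError("not a SYN")
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    mss, sack_ok = parse_tcp_options(tcp_header[20:data_offset])
    return SynInfo(src, dst, mss, sack_ok)


def is_low_mss(info: SynInfo, threshold: int = LOW_MSS_THRESHOLD) -> bool:
    """Detection rule: the SYN advertised an MSS and it is below the threshold."""
    return info.mss is not None and info.mss < threshold


def build_syn(src_port: int, dst_port: int, options: bytes) -> bytes:
    """Construct a minimal SYN header with the given options (test input only)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | 0x02
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0, off_flags, 65535, 0, 0)
    return fixed + options


# Constructed sample SYNs: a typical one (MSS 1460, SACK permitted, NOP NOP)
# and one advertising an MSS of 48 with no SACK option.
NORMAL_SYN = build_syn(40000, 443, b"\x02\x04\x05\xb4\x04\x02\x01\x01")
LOW_MSS_SYN = build_syn(40001, 443, b"\x02\x04\x00\x30")

if __name__ == "__main__":
    for raw in (NORMAL_SYN, LOW_MSS_SYN):
        info = parse_syn(raw)
        print(info, "LOW MSS" if is_low_mss(info) else "ok")
```

The threshold is deliberately a parameter: the right cutoff depends on the minimum MSS your hosts legitimately see, so tune it against your own conn.log distribution of the `mss` field the script above adds before alerting on it.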
