[Zeek] Help to detect CVE-2019-11479
Matt Trostel
tet68mt at gmail.com
Mon Jul 1 16:47:28 PDT 2019
It just dawned on me. I did this for CVE-2019-11477 the other day. The below should add “mss” and “sack_ok” fields to your CONN log for all TCP connections.
I’m not great at Zeek scripting, so take this with some caution. I’m sure there are folks here on the list that could better optimize this. :)
# Add the two fields to the conn.log record so they are written out.
redef record Conn::Info += {
    mss: count &optional &log;
    sack_ok: bool &optional &log;
};

# Stash the values on the connection itself until the connection is
# removed, since connection_SYN_packet fires before c$conn is finalised.
redef record connection += {
    mss: count &optional;
    sack_ok: bool &optional;
};

# Raised for every SYN packet seen on the connection, i.e. for the
# originator's SYN and for the responder's SYN-ACK, so the last one wins.
event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    c$mss = pkt$MSS;
    c$sack_ok = pkt$SACK_OK;
    }

# Copy the values into the Conn::Info record just before it is logged.
event connection_state_remove(c: connection)
    {
    if ( c ?$ mss )
        c$conn$mss = c$mss;
    if ( c ?$ sack_ok )
        c$conn$sack_ok = c$sack_ok;
    }
> On Jul 1, 2019, at 18:33, Matt Trostel <tet68mt at gmail.com> wrote:
>
> Hi Zer0d0y,
>
> You should be able to pull these values from the connection_SYN_packet event (https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html#id-connection_SYN_packet <https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html#id-connection_SYN_packet>).
>
> The SYN packet (https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet <https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet>) contains the MSS value.
>
> I hope this helps.
>
> - Matt
>
>
>> On Jul 1, 2019, at 10:19, Zer0d0y <zer0d0y at foxmail.com <mailto:zer0d0y at foxmail.com>> wrote:
>>
>> Hi all,
>> Recently, Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels (#CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)).
>>
>> We want to detect this flaw with Zeek, but it looks like there's no way to get the MSS (Maximum Segment Size) value of the TCP options. Any ideas?
>>
>> Thanks,
>>
>> ------------------
>>
>> Zer0d0y
>> Threat Detection & Hunting
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org <mailto:zeek at zeek.org>
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
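The script above relies on Zeek having already decoded the SYN options into the SYN_packet record. The following is an added example, not code from the thread or from the Zeek project, showing what that decoding does at the byte level and how a low-MSS check on the originator's SYN could be expressed: it parses the TCP option list (MSS, window scale, SACK-permitted) from a raw segment and flags SYNs whose advertised MSS falls below a threshold. The 500-byte threshold and the sample segments built by build_syn are constructed for this example and are assumptions, not values from the thread.

```python
"""Parse TCP options from a raw TCP segment and flag low-MSS SYNs.

Added example (not from the mailing-list thread): mirrors the MSS and
SACK_OK fields Zeek exposes in SYN_packet, applied to constructed segments.
"""
import struct

SYN_FLAG = 0x02
ACK_FLAG = 0x10
MSS_THRESHOLD = 500   # assumption: low-MSS cut-off chosen for this example


def parse_tcp_segment(segment: bytes) -> dict:
    """Return header fields and parsed options of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = {"mss": None, "sack_ok": False, "wscale": None}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                            # End of option list
            break
        if kind == 1:                            # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option length byte missing")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        body = segment[i + 2:i + length]
        if kind == 2 and length == 4:            # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:          # Window scale
            opts["wscale"] = body[0]
        elif kind == 4 and length == 2:          # SACK permitted
            opts["sack_ok"] = True
        i += length
    return {"sport": sport, "dport": dport, "win": win,
            "syn": bool(flags & SYN_FLAG), "ack": bool(flags & ACK_FLAG), **opts}


def build_syn(sport: int, dport: int, mss=None, sack_ok=False) -> bytes:
    """Construct a minimal SYN segment with the requested options (sample data)."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", 2, 4, mss)
    if sack_ok:
        options += b"\x04\x02"
    while len(options) % 4:
        options += b"\x01"                       # NOP-pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                         (data_offset << 12) | SYN_FLAG, 65535, 0, 0)
    return header + options


def low_mss_syn(segment: bytes, threshold: int = MSS_THRESHOLD):
    """Return (is_low, info): True when an originator SYN advertises MSS < threshold."""
    info = parse_tcp_segment(segment)
    is_low = (info["syn"] and not info["ack"]
              and info["mss"] is not None and info["mss"] < threshold)
    return is_low, info


if __name__ == "__main__":
    for seg in (build_syn(40000, 80, mss=48, sack_ok=True),
                build_syn(40001, 443, mss=1460),
                build_syn(40002, 22)):
        low, info = low_mss_syn(seg)
        print(("LOW MSS " if low else "ok      "), info)
```

Only SYNs without ACK are considered, so the responder's SYN-ACK does not overwrite the originator's value the way it does in the Zeek snippet above; a SYN carrying no MSS option at all is reported with mss None rather than treated as low.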