> A lot of OS probes work by sending a combination of flags like
>
> SFU12, SF12 etc. and seeing how the OS behaves. I was wondering how to detect
> these kinds of probes using Bro.
>
> I know it can be done easily in TCPConnection::NextPacket(),
> where you have the SYN, FIN, RST and other flags in separate variables.
> Probably I could look for those patterns and call Weird().
>
> But is that the way to go about it? Or should the detection be done
> at the Bro-script level?
The right way to do it is either via Weird(), or (better) by introducing
a new event handler, something like:
event strange_TCP_flag_combo(c: connection, SYN: bool, FIN: bool, RST: bool, ACK: bool, PSH: bool, URG: count)
Your policy script could then decide how to react to specific combinations.
Vern
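To make concrete what such a strange_TCP_flag_combo event would have to flag, here is an added example (not Bro code, and not from the original thread) in Python that applies the same flag checks to a few constructed packets. The flag bit values are the standard TCP header bits; the packet records and the "no_ACK" / "SYN+FIN" labels are my own naming, not Bro's.

```python
"""Classify TCP flag combinations that a normal TCP stack never emits.
Added example mirroring the proposed strange_TCP_flag_combo event; the
labels and Packet record are assumptions, not Bro/Zeek identifiers."""
from typing import List, NamedTuple, Optional, Tuple

# Standard TCP flag bits from the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # ignore ECE/CWR bits


class Packet(NamedTuple):
    orig: str   # originator address (constructed sample value)
    resp: str   # responder address (constructed sample value)
    flags: int  # TCP flags byte


def classify_flags(flags: int) -> Optional[str]:
    """Return a label for an anomalous flag combination, or None if the
    combination can occur in a well-behaved TCP exchange."""
    f = flags & CLASSIC_FLAGS
    if f == 0:
        return "null_flags"            # no flags at all
    if f == CLASSIC_FLAGS:
        return "all_flags"             # every flag set at once
    if f & SYN and f & FIN:
        return "SYN+FIN"               # open and close in one segment
    if f & SYN and f & RST:
        return "SYN+RST"               # open and abort in one segment
    if not (f & (SYN | RST | ACK)):
        return "no_ACK"                # every non-SYN, non-RST segment must carry ACK
    return None


def scan_packets(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Run the check over a packet list and return (orig, resp, label)
    for each packet a policy script would want to react to."""
    hits = []
    for p in packets:
        label = classify_flags(p.flags)
        if label is not None:
            hits.append((p.orig, p.resp, label))
    return hits


# Constructed sample traffic: one normal handshake, then probe-like segments.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", SYN),
    Packet("10.0.0.9", "10.0.0.5", SYN | ACK),
    Packet("10.0.0.5", "10.0.0.9", ACK),
    Packet("10.0.0.7", "10.0.0.9", SYN | FIN | URG | PSH),
    Packet("10.0.0.7", "10.0.0.9", FIN | PSH | URG),
    Packet("10.0.0.7", "10.0.0.9", 0),
]

if __name__ == "__main__":
    for hit in scan_packets(SAMPLE):
        print("strange_TCP_flag_combo", *hit)
```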
A new Bro pre-release is now available from:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a73.tar.gz
The most timely change is the addition of code-red.bro, which is a
stand-alone Bro module that records instances of Code Red attacks
(just the first seen per IP) in code-red.$BRO_ID, and logs local
instances of Code Red infectees to stdout (or to log.$BRO_ID, if
you "@load log"). You need to edit code-red.bro, or provide your
own version that's loaded in addition (via $BRO_PREFIXES), in order
to define the /16 and /24 nets corresponding to your local site,
as discussed in the comments at the beginning of the file.
Keep in mind that the code-red file is block-buffered, so if you
want to watch it in real time, you need to HUP Bro so that it flushes
the file.
A summary of other changes since 0.7a61 is appended.
Vern
* There is now a mostly-done-but-not-completely-done DNS analyzer.
* Related to it, two new built-in functions for converting between
IP addresses and in-addr.arpa Domain Names: ptr_name_to_addr and
addr_to_ptr_name.
* Bro no longer dies with a libpcap error if you're running it on
an interface that doesn't have an address assigned to it.
* Some bug fixes for matching empty regular expressions.
* Hooks added to http.bro for skipping alerts for URIs that are
accessed remotely (by local clients).
* The default analysis (i.e., that in mt.bro) now includes NTP.
* skip_scan_nets_16 lets you specify /16 networks that should not
be flagged when they scan you, analogous to skip_scan_nets_24.