Hello All:
I have been trying to port some bleeding-edge snort signatures to bro to detect bots on the network. I used the s2b or snort2bro.pl script to convert these snort signatures to bro format, but the script ignores the pcre (Perl-compatible regular expression) directive and comments it out (refer to the signature below):
signature sid-2001787 {
ip-proto == tcp
src-ip != local_nets
dst-ip == local_nets
# Not supported: pcre: /(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i
event "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command"
tcp-state established
}
How can I (or can I not) use regular expressions in the payload directive in bro signatures? Can you guys point me to a writeup or man page for this?
I see other (converted) signatures do have a payload directive which uses regular expressions, but those are fairly straightforward RE searches. Is it possible to create constructs using "or" ("|"), "{}", "[]", () etc. in the payload section of signatures? In other words, how can I port the pcre payload check (above signature) as a regular expression for payload to bro?
Also, are REs in signatures case-sensitive too?
Thanks a lot for the help.
Aashish Sharma
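The pcre in the signature above relies on alternation, groups, counted repetition, character classes and the /i modifier. The constructs themselves are ordinary regular-expression syntax; the part that does not carry over directly is the /i flag, which is only available if the target regex dialect supports a case-insensitive modifier. The following is an added example (not part of this thread, and not Bro code) showing the portable way around that: expand every letter into a two-case character class so the pattern matches case-insensitively in any dialect, which is the assumption made here for Bro's flex-style payload regexes. It is checked with Python's re module against constructed sample payloads rather than in Bro itself; the pattern is the one from the snort rule quoted above, the helper names are my own.

```python
import re

# The pcre from the snort rule quoted above (sid 2001787), copied without its /i flag.
BOT_COMMAND_PCRE = (
    r"(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|"
    r"!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) "
    r"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|"
    r"dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|"
    r"mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))"
)


def _is_letter(ch: str) -> bool:
    return ch.isascii() and ch.isalpha()


def fold_case(pattern: str) -> str:
    """Rewrite a regex so it matches case-insensitively without an /i flag.

    Outside a character class every ASCII letter becomes [xX]; inside a class a
    letter is duplicated in both cases and a letter range a-f becomes a-fA-F.
    Backslash escapes such as \\. are copied through untouched, and all other
    constructs (alternation, groups, {m,n}, [0-9]) are left as they are.
    """
    out = []
    i, n = 0, len(pattern)
    in_class = False
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # keep \. \d etc. verbatim
            out.append(pattern[i:i + 2])
            i += 2
        elif not in_class:
            if c == "[":
                in_class = True
                out.append(c)
            elif _is_letter(c):
                out.append("[" + c.lower() + c.upper() + "]")
            else:
                out.append(c)
            i += 1
        elif c == "]":
            in_class = False
            out.append(c)
            i += 1
        elif _is_letter(c):
            if i + 2 < n and pattern[i + 1] == "-" and _is_letter(pattern[i + 2]):
                lo, hi = c, pattern[i + 2]   # letter range: emit both cases
                out.append(lo.lower() + "-" + hi.lower() + lo.upper() + "-" + hi.upper())
                i += 3
            else:
                out.append(c.lower() + c.upper())
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


BOT_COMMAND_FOLDED = fold_case(BOT_COMMAND_PCRE)


def matches(pattern: str, payload: str, ignore_case: bool = False) -> bool:
    """True if the pattern is found anywhere in the payload (unanchored search)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, payload, flags) is not None


def same_decisions(pattern: str, payloads) -> bool:
    """Check that the folded pattern without /i decides exactly like the
    original pattern with /i on every payload given."""
    folded = fold_case(pattern)
    return all(matches(pattern, p, ignore_case=True) == matches(folded, p)
               for p in payloads)


# Constructed sample payloads (not real captures): some contain the command
# words the rule looks for in different letter cases, others are benign.
SAMPLE_PAYLOADS = [
    "scan.stop",
    "SCAN.STOP",
    "advscan LSASS",
    "ntscan 12 3456",
    "dcomself",              # no dot: the escaped \. must stay literal
    "hello, is this thing on?",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p!r:30} pcre/i={matches(BOT_COMMAND_PCRE, p, True)!s:5} "
              f"folded={matches(BOT_COMMAND_FOLDED, p)}")
    print("equivalent on all samples:", same_decisions(BOT_COMMAND_PCRE, SAMPLE_PAYLOADS))
```

The folded pattern is longer but uses nothing beyond alternation, groups and character classes, so it can be dropped into a payload directive of any engine that accepts those; whether a given Bro version also accepts a native case-insensitive modifier is a separate question that the thread does not answer.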
Hi all,
Broccoli 0.7 is now available in tar.gz and RPM formats from
http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html
The main novelty in this release is connection sharing between multiple
processes. You can now create a connection to a remote Bro in one
process and concurrently use that connection from other processes thanks
to access synchronization in shared memory. The same holds for access
from multiple threads.
Not everything is documented in the manual yet, but all the gory details
are in the ChangeLog:
http://www.cl.cam.ac.uk/~cpk25/broccoli/ChangeLog
Bug reports, patches, etc are all welcome.
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
Hi
Does anyone have a clue how to run Bro as a user other than root
under Linux?
Libpcap has had some buffer overflows in the past, so it would be very
nice if we didn't have to run Bro as root.
Thanx for any help
Christoph
Vern, thank you for your quick response.
Bing
Quoting Vern Paxson <vern(a)icir.org>:
>> Does anybody know how to print time to readable format something like:
>> 04/22/2005 12:00:00 with Bro language ? I couldn't find such format in the
>> existing bro scripts. thanks.
>
> There's a "strftime(fmt: string, d: time): string" function you can call.
>
> Vern
>
> Does anybody know how to print time to readable format something like:
> 04/22/2005 12:00:00 with Bro language ? I couldn't find such format in the
> existing bro scripts. thanks.
There's a "strftime(fmt: string, d: time): string" function you can call.
Vern
Hi,
Does anybody know how to print time in a readable format, something like
04/22/2005 12:00:00, with the Bro language? I couldn't find such a format in the
existing bro scripts. Thanks.
Bing
The Bro documentation mentions a capability for logging packets in
tcpdump format:
http://bro-ids.org/Bro-reference-manual/tcpdump-save-file-that-Bro-writes.html
But I can't find any further references or figure out how this is done.
I looked back through the archives a bit, but don't have time to
thoroughly scour them for any reference. Can anyone help?
Thanks,
Scott
Hi Christian,
Thank you for your suggestion. I will try this way and put my
results on this mailing list.
Bing
>
> it all depends on what kinds of events trigger updates to your
> statistical parameters, and whether those elementary events already
> exist or not. Generally a good way to find existing events is by looking
> at src/event.bif, which lists all events the core can trigger. If you
> find suitable building blocks in there, you can start with a new policy
> script that maintains state through the event handlers for event types
> you're interested in. If you cannot find anything suitable (which, at
> least for network-based events, is rather unlikely), you might have to
> extend the core to support new events to be handled by your policy
> scripts.
>
> In your case, the event types connection_attempt() and
> connection_rejected() sound ideal. In their respective handlers, you can
> maintain connection state in a number of tables to achieve what you
> want. When you notice that the rate limits you defined are exceeded, you
> can trigger an event "manually" using the event() statement, or just
> perform the corresponding action directly in the state-maintaining code.
>
> Have a look at scan.bro for an example of something that is similar what
> you want; also check out this thread in the archives:
>
> http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html
>
> Hope this helps.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
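Christian's suggestion, keeping per-host state in tables inside the connection_attempt() and connection_rejected() handlers and raising an event once a rate limit is exceeded, boils down to a sliding-window counter. The following is an added example, written in Python rather than as a Bro policy script and not part of this thread: it implements that counter with the two thresholds from the original question (100 attempts to one host within 2 seconds, 200 rejected connections to the network within 2 minutes) and runs it over a constructed event stream. The event tuples, class and rule names are my own; a Bro version would do the same bookkeeping in the event handlers.

```python
from collections import defaultdict, deque


class RateThreshold:
    """Count events per key inside a sliding time window and report the moment
    the count reaches a threshold. One instance per rule, e.g. connection
    attempts per destination host or rejected connections per network."""

    def __init__(self, threshold: int, window_secs: float):
        self.threshold = threshold
        self.window = window_secs
        self.events = defaultdict(deque)   # key -> timestamps still inside the window
        self.fired = set()                 # keys already reported for the current burst

    def observe(self, key, ts: float) -> bool:
        """Record one event at time ts; return True exactly when key crosses
        the threshold (once per burst, re-armed after the count drops again)."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= self.threshold:
            if key in self.fired:
                return False
            self.fired.add(key)
            return True
        self.fired.discard(key)
        return False


def run_rules(events):
    """events: iterable of (ts, src, dst, rejected) tuples in ascending ts order,
    standing in for what connection_attempt()/connection_rejected() would see.
    Returns a list of (ts, rule, key) alerts."""
    attempts = RateThreshold(threshold=100, window_secs=2.0)     # 100 in 2 s per host
    rejects = RateThreshold(threshold=200, window_secs=120.0)    # 200 in 2 min per net
    alerts = []
    for ts, src, dst, rejected in events:
        if attempts.observe(dst, ts):
            alerts.append((ts, "too_many_attempts", dst))
        if rejected and rejects.observe("internal_net", ts):
            alerts.append((ts, "too_many_rejects", "internal_net"))
    return alerts


def sample_events():
    """Constructed event stream (not a real capture) with three phases."""
    ev = []
    # burst: 120 attempts against 10.0.0.5 inside one second -> fires at the 100th
    ev += [(1000.0 + i * 0.008, f"192.0.2.{i % 200}", "10.0.0.5", False) for i in range(120)]
    # trickle: 50 attempts to 10.0.0.6, one every 100 ms -> never 100 inside 2 s
    ev += [(2000.0 + i * 0.1, "198.51.100.7", "10.0.0.6", False) for i in range(50)]
    # 250 rejected connections over 60 s -> rejects rule fires at the 200th
    ev += [(3000.0 + i * 0.24, "203.0.113.9", "10.0.0.7", True) for i in range(250)]
    return ev


if __name__ == "__main__":
    for ts, rule, key in run_rules(sample_events()):
        print(f"{ts:10.3f}  {rule:20}  {key}")
```

Each deque holds only the timestamps that are still inside the window, so memory stays bounded by the event rate rather than by the monitoring duration; the `fired` set is what keeps a sustained burst from producing one alert per packet.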
Hi all,
I am new to Bro. I want to add new events to Bro. These events would occur
when some statistical parameters across multiple sessions to an internal
host/network exceed their thresholds. An example event would be that the number
of connections made from external hosts to a monitored internal host exceeds
100 in the last two seconds. Another example event would be that the number of
rejected connection requests to my internal network exceeds 200 in the last two
minutes. Does anyone know how to create such events?
Another problem I met was when I tried to run Bro (./bro.rc --start) on Fedora 3.
Success message was displayed on the screen. But when I check the status, it is
not running. After I tried to run Bro again, the following error message
appears:
=============================================================================
[root@localhost etc]# ./bro.rc --start
bro.rc: Running as non-root user root
bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.3/FAQ
bro.rc: Failed to start Bro
Error in signature (signatures:1803): unknown identifier (dataSizeG100)
Error in signature (signatures:1815): unknown identifier (dataSizeG100)
Error in signature (signatures:1838): unknown identifier (dataSizeG100)
Error in signature (signatures:1850): unknown identifier (dataSizeG100)
...................
.... FAILED
=============================================================================
After I commented out the following statements in my local site policy, Bro works
properly.
redef signature_files += "sig-addendum";
redef signature_files += "signatures";
Does anyone know what this problem is?
Thanks for your time.
Bing