zeek May 2008

zeek@lists.zeek.org

14 participants
13 discussions

[Bro] Reporting problem in http_header event

by Sanmeet Bhatia

Dear sir, I have found a bug in the event called http_header. The value : string it returns has a space at the beginning. Like "www.yahoo.com" will be returned as " www.yahoo.com". I am posting You a script where I found it @load weird @load alarm @load http global path: string; global urls: set[string] ={"www.yahoo.com","mail.google.com","www.ieee.org ","www.youtube.com","www.bro-ids.org"} ; global shanz_log = open_log_file("http") &redef; redef ignore_checksums = T; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { path = original_URI; } event http_header(c: connection, is_orig: bool, name: string, value: string) { if(name == "HOST" ) { local v = edit(value," "); if( v in urls) { print shanz_log, fmt("%s:%s->%s:%s",c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p); } } } If I simply compare the value it doesn't match. or even if I print the value its printing with one whitespace prefixed at the beginning. Regards, Sanmeet

13 years, 2 months

Re: [Bro] libmagic for HTTP

by Seth Hall

(I'm sending this to the list again since I sent it to the wrong list last time) On May 30, 2008, at 2:15 PM, Thomas, Eric D wrote: > Yes, please send me your Bro script. Thanks! --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721

13 years, 3 months

[Bro] Data truncated in signature_match and misc questions

by Lorenzo Cavallaro

Hi all, I'm playing a little bit with Bro and I ran into some issues and I don't know whether these are either bugs or things I don't do in the proper way. Maybe you guys can help me out :-) 1. Basically, I'm trying to do something (apparently :-)) very simple: matching any stream whose carrying a sequence of bytes of length X. For simplicity, lets say that I just want to match any stream which contains at least AAAA. Stream reassembly is very important for me, but I suppose Bro takes care of it when matching against signatures. I'm aware the data argument returned to the signature_match event handler should contain the part of the data that matched... and that's where things got weird (I would have preferred to leverage on signature_match events than instead of digging into the policy). Consider this signature: signature test-AAAA { event "sig-AAAA" payload /.*AAAA/ } and this policy file for the signature_match even handler: @load signatures #@load print-filter event signature_match(state: signature_state, msg: string, data: string) { print fmt("[+] signature_match(%s) called", msg); print fmt("payload length: %d", byte_len(data)); print fmt("payload (first 400 bytes): %s", sub_bytes(data, 0, 400)); } The output I got is the following: [+] signature_match(sig-AAAA) called payload length: 153 payload (first 400 bytes): HTTP/1.1 404 Not Found^M^JDate: Wed, 28 May 2008 22:07:28 GMT^M^JServer: Apache^M^JContent-Length: 270^M^JConnection: close^M^JContent-Type: text/html... I don't see any AAAA in there... even if that's the payload which triggered the signature of course (as shown by tcpdump as well -- not included here). The point is that I'd like to extract any matching pattern from the payload which triggered the signature. Once the pattern is extracted I'd have to iterate over each element of the string do something. This was a dead end to me (but I'm surely missing some point, tho). I also tried with a payload of /.*A{4}/ and /.*[A]{4}/ as I wanted to check whether the metacharacters {} worked properly or not. It turned out they are ok here (signatures) but they don't work, for instance, with gsub. 2. Does tcp_contents reassembles flows (I don't think so)? I'd use tcp_contents right away, but I'd just want to be sure I've no splitted matching payload (e.g., AA in one TCP segment and the next AA in the second one). That's why I wanted to go with the signature thing as this should be automatically taken care of by Bro. If the signature approach doesn't work out, tho, I've to reassemble packets by myself but it seems to me a waisting of times as Bro surely does it (or not?). 3. I'm not able to see packets that are generated by the same host Bro is running on. Is this a normal behavior (performance tuning)? If so, is there a way to disable it just for testing purposes? I double-checked that the filters were right, of course :-). I ran Bro with -f 'tcp' (I'm not concerned about UDP right now, even tho I'll consider it later on). Also, I played with capture_filters and restrict_filters variables either by refining or redefining them. Just to be sure I loaded print-filter to re-check the capture filter was indeed the one I intended to. It was (tcp). Still, I'm not able to get traffic that's sent by the same host where Bro is running on (I've a very basic configuration. Only one interface eth0 and localnets is set properly with just one local net addr, having just one physical net device). 4. Regex works weird. It seems that {} notation, especially when used in conjuction with [^] sometimes works but other doesn't. For instance, it doesn't work with gsub (if I didn't screw anything up, of course). Any ideas? For instance, something like: local tmp = gsub(payload, /[^A]{4}/, " "); doesn't work while the {} metachars worked for signature matching. I know, lots of questions :-) TIA, bye Lorenzo -- Lorenzo `Gigi Sullivan' Cavallaro <sullivan(a)cs.ucsb.edu> GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner) See the reality in your eyes, when the hate makes you blind. (A.H.X)

13 years, 3 months

[Bro] libmagic for HTTP

by Eric Thomas

I like FileAnalyzer and its use of libmagic. But I'd like to explore ways it can be used for protocols other than FTP, SMTP, etc. Would it be possible to expose some BIFs so that the magic number analyzer could be used elsewhere, such as http_entity_data? Or is this already there and I'm just missing it? Thanks! Eric edthoma(a)sandia.gov

13 years, 3 months

[Bro] Offline trace: segmentation fault

by Shoey Fighter

Hello. I am trying to analyze the auckland 4 trace files (http://pma.nlanr.net/Traces/long/auck4.html) in Bro. They are recorded in DAG format, so first I have to convert them to pcap. I have been trying to use libtrace which has various utilities for conversion between various formats. Also, since the auckland4 trace is split into incoming and outgoing directions (with either -0 or -1 at the end of the file), they must be merged together to encompass the complete trace. Here is what I do: tracemerge pcapfile:20010301-110023.pcap.gz legacyatm:20010301-110023-0.gz legacyatm:20010301-110023-1.gz gunzip 20010301-110023.pcap.gz /usr/local/bro/bin/bro -r 20010301-110023.pcap conn scan trw worm analy print-resources Running Bro produces a segmentation fault. It creates all of the output files for the various analyzers (e.g. conn.log), but all of the are 0 bytes. At first, I thought the issue may be due to the large file size of the merged trace (4.1G), so I tried it on just one direction as well (without trying to merge them): traceconvert legacyatm:20010301-110023-0.gz pcapfile:20010301-110023-0.pcap.gz gunzip 20010301-110023-0.pcap.gz /usr/local/bro/bin/bro -r 20010301-110023-0.pcap conn scan trw worm analy print-resources Again, this produces a segmentation fault, and the file size is now 2.0G. I also tried running it (both the merged and single) with only the connection analyzer, which is really the one I am interested in. Again, this led to a seg fault. Some other notes that may be applicable: -The trace files are stored on an nfs mounted drive -I am using bro-1.3.2 -The OS is fedora 4 (32bit), and the machine has 2gb of memory -I can successfully run Bro against the lbnl (http://www.icir.org/enterprise-tracing/download.html) traces using the analyzers from above -If I use the coral reef toolkit, I can print the contents of the converted trace files just fine, which would indicate they are converted successfully Any thoughts? Thanks.

13 years, 3 months

[Bro] Question regarding TCP behavior

by Adayadil Thomas

Greetings. I have a question about TCP. Since this is related to IDS analysis, I thought I'd ask the group. When a TCP end point (A) sends x bytes of data to the other end point (B), does B immediately ACK the received bytes or will it do so only when the data is passed to the upper layer ? Thanks Thomas

13 years, 3 months

[Bro] str_split

by Lorenzo Cavallaro

Hi, I'd like to convert a string into an array of char (or a vector) so that it's possible to iterate over it (via the for stmt). Any idea about how to do it? I'm not sure if str_split is the right function but if so, I'm not sure what to use as index_vec argument. Iterate by using a set it'd be enough if I could generate the range of indexes belonging to the string... TIA, bye Lorenzo -- Lorenzo `Gigi Sullivan' Cavallaro <sullivan(a)cs.ucsb.edu> GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner) See the reality in your eyes, when the hate makes you blind. (A.H.X)

13 years, 3 months

[Bro] Bro ids SSLv3 tls extension client hello patch

by rmkml

Hi, first: big thank for all contributors on this great project ! second, I have added very little patch (alpha and incomplete) on bro v1.3.28_devel for removing alert when firefox browser connect on tls (https) server with tls extension. http://www.Crusoe-Researches.com/bro1328ssltlsextension_clienthello.diff.gz remains: server side hello extension, check in extension types ... for complete information on tls extension (Jan 2006): ftp://ftp.rfc-editor.org/in-notes/rfc4366.txt Regards Rmkml Crusoe-Researches.com

13 years, 4 months

[Bro] How to use HTTP ZIP detection/conversion ?

by rmkml

Hi Bro Workers, Anyone how to extract zip on http stream and search (ids) on ? example with this link with firefox browser: http://www.milw0rm.com/exploits/5619 ... User-Agent: Mozilla/5.0 ..... ... Server: Apache Content-Encoding: gzip Vary: Accept-Encoding ... same with wget: ... User-Agent: Wget... ... Server: Apache ... example bro ids signature (snort like) work without encoding : signature sid-92912 { ip-proto == tcp event "example IE Print Table of Links" tcp-state established,responder http-body /.*[hH][rR][eE][fF]\s*=(.){0,16}[hH][tT][tT][pP]\:(.){0,49}=[^>]*<\s*([jJ][aA][vV][aA])?[sS][cC][rR][iI][pP][tT]/ } It is possible ? Regards Rmkml Crusoe-Researches.com

13 years, 4 months

[Bro] Ask for Bro Cluster source code

by LuLei

Dear Bro developers: I am a college student in China, I am studying network technology. I am interested in Bro and IDS Cluster, and I have read the RAID Paper, had a brief understanding of the general architecture. For further study, I want to know more detail about the Cluster, especially how to use Click modular router in implementation of the cluster on Linux. May I get the source code of cluster if it is possible, and how? Looking forward to hearing from you. Best wishes, Leo May 14, 2008

13 years, 4 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2008