Dear sir,
I have found a bug in the event called http_header. The value: string it
returns has a space at the beginning: "www.yahoo.com" will be
returned as " www.yahoo.com".
I am posting you the script where I found it:
@load weird
@load alarm
@load http

global path: string;
global urls: set[string] = { "www.yahoo.com", "mail.google.com", "www.ieee.org",
                             "www.youtube.com", "www.bro-ids.org" };
global shanz_log = open_log_file("http") &redef;
redef ignore_checksums = T;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    path = original_URI;
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( name == "HOST" )
    {
        # Drop the leading space: edit() deletes the character preceding each
        # edit character, and simply discards the edit character when nothing
        # precedes it.
        local v = edit(value, " ");
        if ( v in urls )
        {
            print shanz_log,
                  fmt("%s:%s->%s:%s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
        }
    }
}
If I simply compare the value it doesn't match, and even if I print the value
it prints with one whitespace character prefixed at the beginning.
Regards,
Sanmeet
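An added example script (not Sanmeet's code and not from the Bro project) showing one way to deal with the leading space described above: normalise the Host header with strip() and to_lower() and drop any ":port" suffix before comparing it against the watch list. The watch list contents, the log file name and the port handling are assumptions of this example.

```bro
# Added example, not from the original post: match the HTTP Host header
# against a watch list after stripping the leading whitespace the event
# delivers, so that " www.yahoo.com" compares equal to "www.yahoo.com".
@load http

# Hypothetical watch list; redef it from your own policy.
global watched_hosts: set[string] = {
    "www.yahoo.com",
    "mail.google.com",
} &redef;

# Hypothetical log file name.
global host_log = open_log_file("watched-hosts") &redef;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Host is a request header, and Bro upper-cases header names.
    if ( ! is_orig || name != "HOST" )
        return;

    # strip() removes leading and trailing whitespace; to_lower() makes the
    # comparison case-insensitive. A Host value may also carry ":port".
    local host = to_lower(strip(value));
    local parts = split(host, /:/);
    if ( 1 in parts )
        host = parts[1];

    if ( host in watched_hosts )
        print host_log, fmt("%s %s:%s -> %s:%s host=%s",
                            network_time(), c$id$orig_h, c$id$orig_p,
                            c$id$resp_h, c$id$resp_p, host);
}
```

Comparing the normalised value rather than the raw header also means a request for "WWW.YAHOO.COM:80" is matched, which a plain string comparison would miss.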
(I'm sending this to the list again since I sent it to the wrong list
last time)
On May 30, 2008, at 2:15 PM, Thomas, Eric D wrote:
> Yes, please send me your Bro script. Thanks!
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
Hi all,
I'm playing a little bit with Bro and I ran into some issues and I
don't know whether these are either bugs or things I don't do in the
proper way. Maybe you guys can help me out :-)
1. Basically, I'm trying to do something (apparently :-)) very
simple: matching any stream that is carrying a sequence of bytes
of length X. For simplicity, let's say that I just want to match
any stream which contains at least AAAA.
Stream reassembly is very important for me, but I suppose Bro
takes care of it when matching against signatures.
I'm aware the data argument returned to the signature_match event
handler should contain the part of the data that matched... and
that's where things got weird (I would have preferred to leverage
signature_match events rather than digging into the
policy).
Consider this signature:
signature test-AAAA
{
    event "sig-AAAA"
    payload /.*AAAA/
}
and this policy file for the signature_match event handler:
@load signatures
#@load print-filter

event signature_match(state: signature_state, msg: string, data: string)
{
    print fmt("[+] signature_match(%s) called", msg);
    print fmt("payload length: %d", byte_len(data));
    print fmt("payload (first 400 bytes): %s", sub_bytes(data, 0, 400));
}
The output I got is the following:
[+] signature_match(sig-AAAA) called
payload length: 153
payload (first 400 bytes): HTTP/1.1 404 Not Found^M^JDate: Wed, 28
May 2008 22:07:28 GMT^M^JServer: Apache^M^JContent-Length:
270^M^JConnection: close^M^JContent-Type: text/html...
I don't see any AAAA in there... even if that's the payload which
triggered the signature of course (as shown by tcpdump as well -- not
included here).
The point is that I'd like to extract any matching pattern from the
payload which triggered the signature. Once the pattern is extracted
I'd have to iterate over each element of the string and do something.
This was a dead end to me (but I'm surely missing some point,
though).
I also tried with a payload of /.*A{4}/ and /.*[A]{4}/ as I wanted
to check whether the metacharacters {} worked properly or not. It
turned out they are ok here (signatures) but they don't work, for
instance, with gsub.
2. Does tcp_contents reassemble flows (I don't think so)? I'd use
tcp_contents right away, but I'd just want to be sure I've no
split matching payload (e.g., AA in one TCP segment and the
next AA in the second one). That's why I wanted to go with the
signature thing as this should be automatically taken care of by
Bro. If the signature approach doesn't work out, though, I have to
reassemble packets by myself but it seems to me a waste of
time as Bro surely does it (or not?).
3. I'm not able to see packets that are generated by the same host
Bro is running on. Is this a normal behavior (performance tuning)?
If so, is there a way to disable it just for testing purposes?
I double-checked that the filters were right, of course :-). I ran
Bro with -f 'tcp' (I'm not concerned about UDP right now, even tho
I'll consider it later on). Also, I played with capture_filters
and restrict_filters variables either by refining or redefining
them.
Just to be sure I loaded print-filter to re-check the capture
filter was indeed the one I intended to. It was (tcp). Still, I'm
not able to get traffic that's sent by the same host where Bro is
running on (I've a very basic configuration. Only one interface
eth0 and localnets is set properly with just one local net addr,
having just one physical net device).
4. Regex works weird. It seems that {} notation, especially when
used in conjunction with [^] sometimes works but other times doesn't. For
instance, it doesn't work with gsub (if I didn't screw anything
up, of course). Any ideas? For instance, something like:
local tmp = gsub(payload, /[^A]{4}/, " ");
doesn't work while the {} metachars worked for signature matching.
I know, lots of questions :-)
TIA, bye
Lorenzo
--
Lorenzo `Gigi Sullivan' Cavallaro <sullivan(a)cs.ucsb.edu>
GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)
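Questions 1 and 2 above both come down to finding a byte pattern in a TCP stream without losing a match that straddles two deliveries. The following script is an added example (not Lorenzo's code and not part of Bro): it consumes the reassembled payload that tcp_contents hands to the script layer and keeps a small per-direction carry-over so that "AA" at the end of one delivered chunk followed by "AA" at the start of the next is still reported. The pattern, the port and the one-hit-per-delivery behaviour are choices of this example, and it assumes sub_bytes() positions are 1-based.

```bro
# Added example, not from the original post: look for a byte pattern in the
# reassembled TCP payload delivered by tcp_contents, keeping the last
# needle_len-1 bytes of each direction so a match split across two
# deliveries is still found.

# Hypothetical pattern and port; adjust to the protocol under study.
const needle = /AAAA/;
const needle_len = 4;

# Ask Bro to deliver reassembled contents for both directions on port 80.
redef tcp_content_delivery_ports_orig += { [80/tcp] = T };
redef tcp_content_delivery_ports_resp += { [80/tcp] = T };

# Carry-over bytes, keyed by connection and direction.
global carry: table[conn_id, bool] of string &default = "";

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
{
    # Prepend whatever tail we kept from the previous delivery.
    local buf = carry[c$id, is_orig] + contents;

    if ( needle in buf )
    {
        print fmt("%s %s -> %s (%s) contains pattern at seq %d",
                  network_time(), c$id$orig_h, c$id$resp_h,
                  is_orig ? "orig" : "resp", seq);
        # Simplification: report at most one hit per delivery and start over.
        carry[c$id, is_orig] = "";
        return;
    }

    # Keep only the tail that could still complete a match (1-based start).
    if ( byte_len(buf) >= needle_len )
        carry[c$id, is_orig] = sub_bytes(buf, byte_len(buf) - needle_len + 2,
                                         needle_len - 1);
    else
        carry[c$id, is_orig] = buf;
}

event connection_state_remove(c: connection)
{
    # Free the carry-over state when the connection is torn down.
    delete carry[c$id, T];
    delete carry[c$id, F];
}
```

Because tcp_contents delivers the stream in order, the carry-over only ever needs to hold needle_len-1 bytes, so memory per connection stays bounded no matter how large the stream is.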
I like FileAnalyzer and its use of libmagic. But I'd like to explore ways
it can be used for protocols other than FTP, SMTP, etc. Would it be
possible to expose some BIFs so that the magic number analyzer could be
used elsewhere, such as http_entity_data? Or is this already there and I'm
just missing it? Thanks!
Eric
edthoma(a)sandia.gov
Hello.
I am trying to analyze the auckland 4 trace files
(http://pma.nlanr.net/Traces/long/auck4.html) in Bro. They are
recorded in DAG format, so first I have to convert them to pcap.
I have been trying to use libtrace which has various utilities for
conversion between various formats. Also, since the auckland4 trace is
split into incoming and outgoing directions (with either -0 or -1 at
the end of the file), they must be merged together to encompass the
complete trace.
Here is what I do:
tracemerge pcapfile:20010301-110023.pcap.gz \
    legacyatm:20010301-110023-0.gz legacyatm:20010301-110023-1.gz
gunzip 20010301-110023.pcap.gz
/usr/local/bro/bin/bro -r 20010301-110023.pcap conn scan trw worm analy print-resources
Running Bro produces a segmentation fault. It creates all of the
output files for the various analyzers (e.g. conn.log), but all of them
are 0 bytes.
At first, I thought the issue may be due to the large file size of the
merged trace (4.1G), so I tried it on just one direction as well
(without trying to merge them):
traceconvert legacyatm:20010301-110023-0.gz pcapfile:20010301-110023-0.pcap.gz
gunzip 20010301-110023-0.pcap.gz
/usr/local/bro/bin/bro -r 20010301-110023-0.pcap conn scan trw worm analy print-resources
Again, this produces a segmentation fault, and the file size is now 2.0G.
I also tried running it (both the merged and single) with only the
connection analyzer, which is really the one I am interested in.
Again, this led to a seg fault.
Some other notes that may be applicable:
-The trace files are stored on an nfs mounted drive
-I am using bro-1.3.2
-The OS is fedora 4 (32bit), and the machine has 2gb of memory
-I can successfully run Bro against the lbnl
(http://www.icir.org/enterprise-tracing/download.html) traces using
the analyzers from above
-If I use the coral reef toolkit, I can print the contents of the
converted trace files just fine, which would indicate they are
converted successfully
Any thoughts?
Thanks.
Greetings.
I have a question about TCP. Since this is related to IDS analysis, I
thought I'd ask the group.
When a TCP end point (A) sends x bytes of data to the other end point (B),
does B immediately ACK the received bytes or will it do so only when the data
is passed to the upper layer ?
Thanks
Thomas
Hi,
I'd like to convert a string into an array of char (or a vector) so
that it's possible to iterate over it (via the for stmt). Any idea
about how to do it?
I'm not sure if str_split is the right function but if so, I'm not
sure what to use as index_vec argument. Iterate by using a set it'd
be enough if I could generate the range of indexes belonging to the
string...
TIA, bye
Lorenzo
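An added example (not Lorenzo's code and not part of Bro) of turning a string into a vector of one-character strings so it can be walked with a for statement. It assumes a Bro/Zeek release that has the while statement and 1-based sub_bytes() positions; the sample payload is constructed for the example.

```bro
# Added example, not from the original post: split a string into a vector of
# single characters and iterate over it with "for".

function string_to_chars(s: string): vector of string
{
    local chars: vector of string;
    local i = 1;                 # sub_bytes() positions are 1-based (assumption)
    local n = byte_len(s);

    while ( i <= n )
    {
        chars[i - 1] = sub_bytes(s, i, 1);   # vectors are 0-based
        ++i;
    }

    return chars;
}

event bro_init()
{
    local payload = "xxAAAAyy";  # constructed sample input
    local chars = string_to_chars(payload);
    local hits = 0;

    # "for" over a vector yields its indices.
    for ( idx in chars )
        if ( chars[idx] == "A" )
            ++hits;

    print fmt("%d characters, %d of them 'A'", byte_len(payload), hits);
}
```

The same while loop can be used to fill an index_vec with 1..byte_len(s) if str_split is preferred, but indexing the vector directly avoids the extra step.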
Hi Bro Workers,
Does anyone know how to extract gzip on an HTTP stream and search (IDS) on it?
example with this link with firefox browser:
http://www.milw0rm.com/exploits/5619
...
User-Agent: Mozilla/5.0 .....
...
Server: Apache
Content-Encoding: gzip
Vary: Accept-Encoding
...
same with wget:
...
User-Agent: Wget...
...
Server: Apache
...
Example Bro IDS signature (Snort-like), which works without encoding:
signature sid-92912 {
    ip-proto == tcp
    event "example IE Print Table of Links"
    tcp-state established,responder
    http-body /.*[hH][rR][eE][fF]\s*=(.){0,16}[hH][tT][tT][pP]\:(.){0,49}=[^>]*<\s*([jJ][aA][vV][aA])?[sS][cC][rR][iI][pP][tT]/
}
Is it possible?
Regards
Rmkml
Crusoe-Researches.com
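The body signature above is evaluated on the bytes Bro sees on the wire, so a gzip-encoded response will not look like the HTML the pattern expects. As an added example (not Rmkml's code and not part of Bro), the script below records responses whose Content-Encoding header announces a compressed body, so an analyst can tell which responses the http-body signature could not have inspected in plain text. The log file name and the set of encodings it looks for are assumptions of this example.

```bro
# Added example, not from the original post: log HTTP responses whose body
# is delivered compressed, since http-body signatures see the encoded bytes.
@load http

# Hypothetical log file name.
global encoded_log = open_log_file("http-encoded") &redef;

# Encodings treated as compressed (assumption of this example).
global compressed_encodings: set[string] = { "gzip", "x-gzip", "deflate" } &redef;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Content-Encoding is a response header, and Bro upper-cases header names.
    if ( is_orig || name != "CONTENT-ENCODING" )
        return;

    # Header values arrive with leading whitespace; normalise before comparing.
    local enc = to_lower(strip(value));

    if ( enc in compressed_encodings )
        print encoded_log, fmt("%s %s:%s -> %s:%s encoding=%s",
                               network_time(), c$id$orig_h, c$id$orig_p,
                               c$id$resp_h, c$id$resp_p, enc);
}
```

Correlating this log with signature hits shows which servers answer compressed by default (as the Apache response in the post does for Firefox but not for wget), and therefore where a body signature alone gives no coverage.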
Dear Bro developers:
I am a college student in China studying network technology. I am interested in Bro and the IDS Cluster, and I have read the RAID paper and have a brief understanding of the general architecture. For further study, I want to know more detail about the Cluster, especially how to use the Click modular router in the implementation of the cluster on Linux. May I get the source code of the cluster if possible, and how?
Looking forward to hearing from you.
Best wishes,
Leo
May 14, 2008