Hi all,
I am trying to define and add new signatures to the Bro IDS (bro-1.1).
I tried adding simple signatures like the following in site/signatures.bro:
/* Signature for the event when the user name is anand */
signature telnet_test {
    ip-proto == tcp
    src-port == 23
    event "TELNET anand login"
    tcp-state established,responder
    payload /.*login: anand/
}
/* Signature for the event when the user name is root */
signature ssh_test {
    ip-proto == tcp
    src-port == 22
    event "SSH root login"
    tcp-state established,responder
    payload /.*login: root/
}
The following additional change was made to policy/backdoor.bro,
from
const ssh_sig_disabled = F &redef;
to
const ssh_sig_disabled = T &redef;
The following change was also made to policy/sig-action.bro:
["telnet_test"] = SIG_FILE,
["ssh_test"] = SIG_FILE,
I find that these signatures are being detected, as I added some print
statements in policy/backdoor.bro for the following functions:
function signature_found(c: connection, sig_disabled: bool, sig_name: string)
event ssh_signature_found(c: connection, is_orig: bool)
event telnet_signature_found(c: connection, is_orig: bool, len: count)
I did a rename of the existing signatures in site/signatures.bro:
signature s2b-719-7-BRO { /* a rename from s2b-719-7 to s2b-719-7-BRO */
    ip-proto == tcp
    src-port == 23
    event "TELNET root login"
    tcp-state established,responder
    payload /.*login\x3A root/
}
It did work for the root telnet login, and it was logged to the
signature-0.... log file.
Could somebody shed some light on this? Please correct me if I'm wrong
in the process of adding the signatures, or in my understanding, since I'm
a newbie.
Though my final intention is to make the Bro IDS support the BitTorrent
protocol. Any suggestion is welcome.
TIA,
Anand
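An added example, written for this thread and not taken from the post or from Bro itself: a small Python parser for the signature blocks quoted above, evaluated against two constructed responder streams. It shows why a clear-text payload pattern can fire on an echoed telnet login but never on port 22, where everything after the SSH version banner is encrypted. The parser (parse_signatures, match_flow, fired_events are my names) supports only the keywords used in the post and assumes Bro's `.` crosses newlines.

```python
import re

# Constructed: the two signatures from the post, in Bro 1.x signature syntax.
SIG_TEXT = r"""
signature telnet_test {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login: anand/
}
signature ssh_test {
  ip-proto == tcp
  src-port == 22
  event "SSH root login"
  tcp-state established,responder
  payload /.*login: root/
}
"""

def parse_signatures(text):
    """Parse Bro-style signature blocks (subset: ip-proto, src-port, event, tcp-state, payload)."""
    sigs = {}
    for name, body in re.findall(r'signature\s+([\w.-]+)\s*\{(.*?)\}', text, re.S):
        sig = {}
        for key, _, val in (l.strip().partition(" ") for l in body.splitlines() if l.strip()):
            if key in ("ip-proto", "src-port"):
                v = val.split("==")[1].strip()
                sig[key] = int(v) if key == "src-port" else v
            elif key == "event":
                sig["event"] = val.strip('"')
            elif key == "tcp-state":
                sig["tcp-state"] = set(val.split(","))
            elif key == "payload":  # assumption: Bro's '.' spans newlines, hence re.S
                sig["payload"] = re.compile(val.strip("/").encode(), re.S)
        sigs[name] = sig
    return sigs

def match_flow(sig, proto, src_port, side, payload):
    """Return the event string if the (constructed) flow record matches the signature, else None."""
    ok = (sig.get("ip-proto", proto) == proto and sig.get("src-port", src_port) == src_port
          and side in sig.get("tcp-state", {side}) and sig["payload"].match(payload))
    return sig["event"] if ok else None

FLOWS = {  # constructed responder streams: telnet echoes the typed user name in clear text,
    "telnet": ("tcp", 23, "responder", b"\r\nlogin: anand\r\nPassword: "),
    "ssh": ("tcp", 22, "responder", b"SSH-2.0-OpenSSH_4.3\r\n\x00\x00\x02\x9c\x0a\x14\x8f"),
}  # while SSH exposes only its banner in clear, so "login: root" can never appear on port 22

def fired_events(sigs=None, flows=FLOWS):
    """Evaluate every signature against every flow; returns {flow_name: [event, ...]}."""
    sigs = sigs or parse_signatures(SIG_TEXT)
    return {n: [e for s in sigs.values() if (e := match_flow(s, *f))] for n, f in flows.items()}
```

Running fired_events() gives {'telnet': ['TELNET anand login'], 'ssh': []}, which is the behaviour to expect from the real sensor as well: a payload regex on port 22 only ever sees ciphertext after the banner exchange.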