Adding new signatures

Though my final intention is to make the BRO-IDS support bittorrent
protocol .

If that's your goal, then you should start quite differently. For Bro,
signatures are a handy add-on, but not the heart of its analysis. Instead,
you should develop a protocol analyzer for Bro's event engine. Often a
good way to develop one of these is to start with an existing one for a
similar protocol and progressively modify it.


Though they can be used to detect the protocol in the first place,
to then trigger further analysis via a protocol-specific analyzer.


Hi Guys,
Thanks for your suggestions.

Kindly excuse me for this lenthy mail :wink: !

I have decided to take gnutella as my framework for bitorrent .

create with a frame like

      /*Intialize the msg fields*/

       /*Intialize the Origin and Responder msg states */

         /*Building the Origin and Responder Endpoints */

           /*Check for the Connection Establishment */

        /*Traversing the Packet */

A Few more API's to be defined based on the Bittorrent Protocol :wink:

A rough frame for the bittorrent.bro file will be like

redef capture_filters += { ["bittorrent"] = "port 6881 or port 6882" };
event bittorrent_text_msg(c: connection, orig: bool, headers: string)
event bittorrent_establish(....)

and a few more event defintions !!

Adding a few Coustom Signatures like this

signature bittorrent_announce {
  ip-proto == tcp
  src-port== 6881
  payload /*announce* /
  tcp-state established

Kindly let me know if a frame work like this would work for a Bittorrent
Support on BRO-IDS or do i need to dig more on BRO-IDS . All your
Suggestions are welcome !!

Between, Comming back to the question which i, posted yestrday , i m
sorry for not beign clear on my question .

For the follwing signature built-in the ../site/signatures.bro
signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/

I could find a log in the Signatures-xxx.log

TELNET root login:t::

But when i added the following coustom signature in
i could not find a log in Signatures-xxx.log (The event occured i did a
login as anand :wink: )

/*Signature for the event when the user name is anand */
signature telnet_test{
ip-proto == tcp
src-port == 23
event "TELNET anand login"
tcp-state established,responder
payload /.*login: anand/

i did try bro -s ../site/signatures.bro ! there was no response .. i had
to do a ctrl + c !

Could someone help me on this !! :slight_smile:

Thanks ,