Bro: detectiong OS probes

Vern · July 18, 2001, 7:25am

Lot of OS probes works by sending a combination of flags like

SFU12, SF12 etc and seeing how the OS behaves. I was wondering how to detect
these kind of probes using bro .

I know it can be done easily in the TCPConnection::NextPacket()
where you have the syn,fin,rst and other flags in separate variables.
Probably i could look for those pattern call the Weird().

But is that the way to go about it ? Or should the detection be done
at the bro-script level.

The right way to do it is either via Weird(), or (better) by introducing
a new event handler, something like:

event strange_TCP_flag_combo(c: connection, SYN: bool, FIN: bool, RST: bool, ACK: bool, PSH: bool, URG: count)

Your policy script could then decide how to react to specific combinations.

Vern

Trinh_Anh_Tuan · November 6, 2001, 9:35am

Hello,

I would like to have reports cyclically of my network usage beside the
intrusion detection, so I have a short script like the attached file.
Unfortunatelly, bro seems do nothing with reporting. It isn't documented, so
can you draw me a way of doing that?

Cordially,

ShowFilter.bro (686 Bytes)

Topic		Replies	Views
Bro detection scripts Zeek	2	59	May 6, 2022
some puzzles about the usage of bro Zeek	2	44	May 6, 2022
intrusion detection Zeek	2	66	May 6, 2022
Bro scripts to detect network attacks Zeek	2	125	May 6, 2022
Pattern matching ? Zeek	1	65	May 6, 2022

Bro: detectiong OS probes

Related Topics