couple of questions

List,
I have a couple of questions that I can't seem to figure out.

1) Brian - Thanks for the SSL patch
   Once enabled I don't see any way of filtering out hosts from the non-ssl traffic alarm. For example, I have several custom applications that use that port for their traffic...don't ask...so I need to be able to filter them out of the alarms like below.

"1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https: SSL: Skipping connection (not an SSL connection?!)!"

The problem seems to be that the detection of non-ssl traffic is done in the source SSLProxy engine and I don't really want to be recompiling every time I need to add another host. Ideas?

2) Is it possible in a policy file to perform a size comparison on a string?
For example, if you wanted to see if a filename was longer than a certain length. How would you sizeof a string value?

Thanks in advance,
Jake Babbin

Hi Jake,

List,
I have a couple of questions that I can't seem to figure out.

1) Brian - Thanks for the SSL patch
   Once enabled I don't see any way of filtering out hosts from the
non-ssl traffic alarm. For example, I have several custom applications
that use that port for their traffic...don't ask...so I need to be
able to filter them out of the alarms like below.

"1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
SSL: Skipping connection (not an SSL connection?!)!"

The problem seems to be that the detection of non-ssl traffic is done
in the source SSLProxy engine and I don't really want to be
recompiling every time I need to add another host. Ideas?

Have a look at weird_ignore_host set, defined in weird.bro. It allows
you to filter weird-type events based on the event string and source/
destination IP addresses.

http://www.bro-ids.org/Bro-reference-manual/weird-variables.html#weird-variables

Depending on your analysis needs, you could also exclude the custom
traffic via the pcap filtering expression, though I'd imagine that
quickly gets tedious.

2) Is it possible in a policy file to perform a size comparison on a
string?
For example, if you wanted to see if a filename was longer than a
certain length. How would you sizeof a string value?

Sure. It depends on what version of Bro you're using. In the development
releases, there's now a magnitude operator |x| that, when given a value,
returns its length, size, or whatever is most meaningful as magnitude
(vector length, table size, string length, etc). In older releases (0.9
and before), the byte_len() function returned a string's length.

Cheers,
Christian.

2) Is it possible in a policy file to perform a size comparison on a string?
For example, if you wanted to see if a filename was longer than a certain length. How would you sizeof a string value?

local filename = "foobar";   # byte_len() returns the string's length in bytes (Bro 0.9 and earlier)
if ( byte_len(filename) > n ) ...

Mark
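Putting Christian's and Mark's answers together, here is an added policy fragment (not code from the thread or from the Bro distribution) that suppresses the non-SSL weird for chosen hosts and flags over-long filenames. It assumes weird_ignore_host is a set[addr, string] keyed by host address and weird name as in weird.bro of the 0.9/1.x releases, that the weird name is the text after the address pair in the alarm line, and uses constructed placeholder addresses and threshold.

```bro
# Added example; assumes weird.bro's weird_ignore_host: set[addr, string] &redef.
@load weird

# Hosts running the custom (non-SSL) applications on the https port.
# 192.0.2.10 / 192.0.2.11 are constructed placeholders; the weird name is assumed
# to be the message text shown in the WeirdActivity alarm line.
const non_ssl_weird = "SSL: Skipping connection (not an SSL connection?!)!";

redef weird_ignore_host += {
	[192.0.2.10, non_ssl_weird],
	[192.0.2.11, non_ssl_weird],
};

# Filename length check. byte_len() works on 0.9 and earlier; development
# releases can write |f| instead.
const max_filename_len = 64 &redef;   # constructed threshold

function filename_too_long(f: string): bool
	{
	return byte_len(f) > max_filename_len;
	}

event bro_init()
	{
	if ( filename_too_long("foobar") )
		print "unexpectedly long";
	else
		print "filename length ok";
	}
```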