Custom Signatures

Hi all,

For the following signature built into ../site/signatures.bro:
signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}

I could find a log entry in Signatures-xxx.log:

1151508123.667965:SensitiveSignature:10.50.27.117:23/tcp:10.50.25.122:2089/tcp:s2b-719-7-BRO:10.50.27.117:
TELNET root login:t::

But when I added the following custom signature to
../site/signatures.bro,
I could not find a log entry in Signatures-xxx.log (the event occurred; I did a
login as anand):

/*Signature for the event when the user name is anand */
signature telnet_test {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login: anand/
}

I did try bro -s ../site/signatures.bro; there was no response, and I had
to do a Ctrl + C.

Could someone help me with this?

Thanks ,
Anand

Not sure I understand what you did. Were you running Bro on live
traffic (then I suppose you also gave it the interface to listen
on), or on a trace (then, similarly, the command line needs to
include the trace file)?

In general, the best way to debug such signature problems is to
capture a small trace on which the signature should match and then
first make sure that the packets' content indeed looks like what the
signature expects (e.g., using tcpdump). If it does, then making the
signature less and less restrictive until it finally matches often
helps to understand what the problem actually is.

Robin