Duqu script

Dear all,

I tried to test the bro script to log the Duqu attack published through Github. The broctl check failed and here below the output :

"error in /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: no such field in record (HTTP::c$http$mime_types)"

I've understood that $mime_type has changed in the new bro version and I've tried to change it in the script with "resp_mime_types". Here below the new output :

error in /usr/local/bro/share/bro/base/protocols/http/./entities.bro, line 27 and /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: pattern requires string index (vector of string and /^?(image/jpeg)$?/)

I am new to bro scripts. Please, I need your help to understand how to manage this kind of errors. Could anyone help, please?

Please find below the link to the original script :
https://github.com/mavam/brospects/blob/master/bro/duqu.bro

Many thanks,

BR,
Zied

Hi Zied,

while mime_types was a string, resp_mime_types is a vector of strings. If I am not mistaken it contains all matching mime types ordered by probability. Unfortunately I am not able to find proof for this in the documentation. However, to fix your issue you could loop through the vector or just use the first element resp_mime_types[0].

Best regards,

Jan

Or you could use this

from line 77

if ( c$id$orig_h in duqus && c$http?$resp_mime_types )
    {
    # resp_mime_types is a vector of strings, so scan every element
    # for a JPEG type instead of comparing a single string.
    local is_jpeg = F;
    local mime_num: count;
    for ( mime_num in c$http$resp_mime_types )
        {
        # The slash inside the pattern must be escaped, otherwise it ends the pattern.
        if ( /image\/jpeg/ in c$http$resp_mime_types[mime_num] )
            is_jpeg = T;
        }

    # Decide once after the scan, so a non-JPEG entry earlier in the vector
    # does not delete the state before a later JPEG entry is seen.
    if ( duqus[c$id$orig_h] == JPEG_REQUEST &&
         c$http?$status_code && c$http$status_code == 200 &&
         is_jpeg )
        {
        duqus[c$id$orig_h] = JPEG_REPLY;
        NOTICE([$note=Potential_Duqu_Infection,
                $msg=fmt("Initial Duqu JPEG exchange"),
                $conn=c]);
        }
    else
        delete duqus[c$id$orig_h]; # Purge unnecessary state early.
    }

Hello,

Thank you for your help, I prefer your version.

Many thanks,

BR,
Zied