getting raw bytes?

Dan_Klinedinst · August 10, 2011, 2:57pm

OK, this is possibly a dumb question, but I can't find it in
documentation or existing scripts. How can I grab a few specific
bytes from a connection? E.g., if I want to look for successful X11
connections, I expect to see the following immediately after the TCP
header: 0100 0b00 0000. How do I write something like:

if (c$id$resp_p == 6000)
if (first_6_bytes_after_tcp_header == 01000b000000)
do something

?
Thanks. Sorry for the noob questions.
Dan

Seth_Hall3 · August 10, 2011, 3:08pm

You are just looking to write a signature...

==== x11.sigs =====
signature x11_6_special_bytes {
  ip-proto == tcp
  dst-port == 6000
  payload /\x01\x00\x0b\x00\x00\x00/
  tcp-state responder
}
====== end x11.sigs ===========

==== start x11.bro =======
redef signature_files += "x11.sigs";

event signature_match(state: signature_state, msg: string, data: string)
  {
  if ( state$sig_id == "x11_6_special_bytes" )
    {
    # do something.
    }
  }
=======end x11.bro==========

Make sure both of those are in your BROPATH and load the x11.bro script.

.Seth

Gregor_Maier · August 10, 2011, 3:57pm

You are just looking to write a signature...

More info on signatures:
http://www.bro-ids.org/documentation/signatures.html

==== x11.sigs =====
signature x11_6_special_bytes {
   ip-proto == tcp
   dst-port == 6000
   payload /\x01\x00\x0b\x00\x00\x00/
   tcp-state responder

event "foo"

is missing here.

cu
Gregor

Dan_Klinedinst · August 10, 2011, 4:00pm

Thanks Seth. If I read this right, this line:
payload /\x01\x00\x0b\x00\x00\x00/

will match that byte pattern anywhere in the packet, no? Is it
possible to give it a specific position / offset? E.g., with regex:
/^\x01/
to specify the first byte must be x01, or
/.{8}\x01/
would match it at the 9th byte.

But I think this will match from the beginning of the packet, if it
works at all. I'll test it.

Anyway, I'm on the right path now, thanks!
Dan

Seth_Hall3 · August 10, 2011, 4:39pm

Signatures are implicitly anchored at the beginning of the stream.

I could have anchored it myself like you were thinking, but I just chose not to since it's implicit anyway.

.Seth

Dan_Klinedinst · August 10, 2011, 4:50pm

Awesome! Regex on binary data, I love it! Thanks Seth.

BTW, everyone, I used Bro to process wifi traffic at DefCon this past
weekend and got almost as many questions about Bro as I did about my
viz software. I expect you'll see a bunch of downloads this week....

Dan

Seth_Hall3 · August 10, 2011, 4:57pm

Awesome! Thanks.

.Seth

system · May 6, 2022, 3:39pm