getting raw bytes?

OK, this is possibly a dumb question, but I can't find it in
documentation or existing scripts. How can I grab a few specific
bytes from a connection? E.g., if I want to look for successful X11
connections, I expect to see the following immediately after the TCP
header: 0100 0b00 0000. How do I write something like:

if (c$id$resp_p == 6000)
  if (first_6_bytes_after_tcp_header == 01000b000000)
    do something

?
Thanks. Sorry for the noob questions.
Dan

You are just looking to write a signature...

==== x11.sigs =====
signature x11_6_special_bytes {
  ip-proto == tcp
  dst-port == 6000
  payload /\x01\x00\x0b\x00\x00\x00/
  tcp-state responder
}
====== end x11.sigs ===========

==== start x11.bro =======
redef signature_files += "x11.sigs";

event signature_match(state: signature_state, msg: string, data: string)
  {
  if ( state$sig_id == "x11_6_special_bytes" )
    {
    # do something.
    }
  }
=======end x11.bro==========

Make sure both of those are in your BROPATH and load the x11.bro script.

  .Seth

> You are just looking to write a signature...
>
> More info on signatures:
> http://www.bro-ids.org/documentation/signatures.html
>
> ==== x11.sigs =====
> signature x11_6_special_bytes {
>    ip-proto == tcp
>    dst-port == 6000
>    payload /\x01\x00\x0b\x00\x00\x00/
>    tcp-state responder

      event "foo"

is missing here.

cu
Gregor

Thanks Seth. If I read this right, this line:
payload /\x01\x00\x0b\x00\x00\x00/

will match that byte pattern anywhere in the packet, no? Is it
possible to give it a specific position / offset? E.g., with regex:
/^\x01/
to specify the first byte must be x01, or
/.{8}\x01/
would match it at the 9th byte.

But I think this will match from the beginning of the packet, if it
works at all. I'll test it.

Anyway, I'm on the right path now, thanks!
Dan

Signatures are implicitly anchored at the beginning of the stream. :-)

I could have anchored it myself like you were thinking, but I just chose not to since it's implicit anyway.

  .Seth
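An added Python illustration (mine, not code from the thread or from Bro) of what Seth's six bytes mean and of the anchoring point he makes: re.match plays the part of Bro's implicit start-of-stream anchor, re.search is the "anywhere in the packet" reading Dan was worried about. The sample responder payloads are constructed, not captured traffic.

```python
import re
import struct

# Seth's signature pattern, as a Python bytes regex.
X11_SETUP_OK = re.compile(rb"\x01\x00\x0b\x00\x00\x00")

# Constructed sample responder payloads (not captured traffic).
# Successful X11 setup reply, little-endian ("l" client): success=1, pad,
# major=11, minor=0, then the length of the additional data in 4-byte units.
GOOD_REPLY = b"\x01\x00\x0b\x00\x00\x00\x02\x00" + b"\x00" * 8
# Refused setup: success=0, reason length=10, followed by the reason text.
FAILED_REPLY = b"\x00\x0a\x0b\x00\x00\x00\x03\x00" + b"No access!\x00\x00"
# The same six bytes, but eight bytes into the stream (Dan's /.{8}\x01/ case).
OFFSET_REPLY = b"\x00" * 8 + GOOD_REPLY


def matches_anchored(payload: bytes) -> bool:
    """Bro-style: the pattern must sit at the start of the responder stream."""
    return X11_SETUP_OK.match(payload) is not None


def matches_anywhere(payload: bytes) -> bool:
    """Unanchored: the pattern anywhere in the payload (more false positives)."""
    return X11_SETUP_OK.search(payload) is not None


def parse_x11_setup_reply(payload: bytes):
    """Decode the fixed 8-byte X11 setup reply header.

    Little-endian is assumed, which is what the 0b00 major-version bytes in
    the thread imply; a big-endian ("B") client gets 00 0b instead, so the
    signature above would not fire for such a session.
    """
    if len(payload) < 8:
        return None
    success, second, major, minor, extra = struct.unpack("<BBHHH", payload[:8])
    return {
        "success": success == 1,
        "major": major,
        "minor": minor,
        "extra_bytes": extra * 4,  # additional data following the header
        "reason_len": second if success == 0 else 0,
    }


def is_x11_setup_success(payload: bytes) -> bool:
    """The check the thread is after: anchored match plus a sane header."""
    hdr = parse_x11_setup_reply(payload)
    return matches_anchored(payload) and hdr is not None and hdr["success"]
```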

Awesome! Regex on binary data, I love it! Thanks Seth.

BTW, everyone, I used Bro to process wifi traffic at DefCon this past
weekend and got almost as many questions about Bro as I did about my
viz software. I expect you'll see a bunch of downloads this week....
:-)

Dan

Awesome! Thanks.

  .Seth