grp ports variable and dpd on bro not working?

Hi,
Bro IDS is a very good IDPS project!
I'm working on adding snort/trons rules to Bro, but I have a little problem, please.
OK, first look at one Bro signature (mysnortrules file):
  signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }
I start Bro with:
  bro -C -r exploit_sshgobbles22.pcap -s mysnortrules -f 'ip or tcp or udp' bro.init mt
mt.bro contains dpd, snort... (not dyn-disable.bro)
Attached are two pcap files:
a)exploit_sshgobbles22.pcap
b)exploit_sshgobbles22000.pcap

Bro with dpd detects the SSH connection (client and server), but mysnortrules does not work; if I comment out (#dst-port == ssh_ports) Bro alerts (Bro uses the default SSH port {22}).
If I replace it with (dst-port == 22) Bro alerts.

1) Is it possible to detect the GOBBLES alert without a fixed TCP port? (and use dpd)

2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', Bro stops and reports: parse error (on this line)
  -> maybe in the next Bro releases? (like http payload)

My tests are on Bro v1.3.2 with IPv6 enabled on a Linux Fedora Core 7 i386 platform.

Thanks for any help or comments.

Best Regards
Rmkml
Crusoe Researches

exploit_sshgobbles22.pcap (725 Bytes)

exploit_sshgobbles22000.pcap (1.05 KB)

1) Is it possible to detect the GOBBLES alert without a fixed TCP port? (and use dpd)

This works fine for me:

cat test.sig

signature sid-1812 {
  ip-proto == tcp
  event "EXPLOIT gobbles SSH exploit attempt"
  tcp-state established,originator
  payload /.*GOBBLES/
  }

bro -C -r exploit_sshgobbles22000.pcap -s ./test.sig -f tcp tcp signatures dpd

1204117394.397943 SensitiveSignature 10.100.11.49: EXPLOIT gobbles SSH exploit attempt

How does your mt.bro look?

2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', Bro stops and reports: parse error (on this line)
-> maybe in the next Bro releases? (like http payload)

What exactly do you want the "ssh" keyword to do? As most of an
SSH session is encrypted, it could match only on the first line--which is
just what payload is doing as well (note that Bro stops processing
SSH content after the first line, i.e., payload is not doing any
further matching).

Robin

Thanks for the reply, Robin.
OK, my mt.bro contains, in this example:
  @load alarm
  @load dns-lookup
  @load hot
  @load frag
  @load tcp
  @load scan
  @load weird
  @load finger
  @load ident
  @load ftp
  @load login
  @load portmapper
  @load ntp
  @load tftp
  @load dpd
  @load ssh
  @load irc-bot
  #@load dyn-disable
  @load detect-protocols
  @load site
  @load snort
OK, I understand my problem: in my signature example, I have missed dst-port. OK, please test with this signature:
  signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }
This example does NOT work on the two pcap files.

OK, change dst-port:
  signature sid-1812 {
    ip-proto == tcp
    dst-port == 22
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }
This example WORKS on the pcap file with SSH on port 22/tcp.

But why does ssh_ports not work? (ssh.log contains ssh_version client/server for the two example pcap files.)

grep ssh_ports policy/*   # default conf:
policy/ssh.bro:global ssh_ports = { 22/tcp } &redef;
policy/ssh.bro:redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };

For the second question, thanks for your comments.
Regards
Rmkml
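One way to reuse the script-level ssh_ports set from a signature without writing the port into the .sig file, as an added example that is not part of the thread above and not Bro project code: the signature matches GOBBLES in the originator's first line, as in Robin's test.sig, and hands the final port decision to a policy function via the signature keyword `eval`. Assumptions: that Bro 1.3.2 supports `eval` and the `signature_state` record the way later Bro releases document them (the thread does not confirm this); that the second capture uses 22000/tcp, which is inferred only from the file name exploit_sshgobbles22000.pcap; and that the file names gobbles.sig, gobbles.bro and the function name gobbles_on_ssh_port are ours to choose.

```bro
# Added example, not from the thread and not Bro project code.
# Assumes the signature keyword `eval` and the `signature_state`
# record (documented for later Bro releases; presence in 1.3.2 is an
# assumption).
#
# --- gobbles.sig (load with: bro -r <pcap> -s ./gobbles.sig ... gobbles) ---
# signature sid-1812 {
#   ip-proto == tcp
#   tcp-state established,originator
#   payload /.*GOBBLES/
#   eval gobbles_on_ssh_port
#   event "EXPLOIT gobbles SSH exploit attempt"
# }
#
# --- gobbles.bro (policy script, named on the command line) ---
@load ssh
@load signatures
@load dpd

# Extra SSH port for the second capture. 22000/tcp is inferred from the
# file name exploit_sshgobbles22000.pcap only; adjust to taste.
redef ssh_ports += { 22000/tcp };

# Called by the signature engine for each candidate match of sid-1812.
# Returning T lets the match through, F suppresses it. The port check
# lives here, where ssh_ports is a real set[port], rather than being
# written into the .sig file; dpd's SSH analyzer is attached to the
# same ssh_ports set, so both stay in sync when the set is redef'd.
function gobbles_on_ssh_port(state: signature_state, data: string): bool
	{
	return state$conn$id$resp_p in ssh_ports;
	}
```

Run it with the same invocation as Robin's test (for example `bro -C -r exploit_sshgobbles22000.pcap -s ./gobbles.sig -f tcp tcp gobbles`); the match is reported through the usual signature_match path, so it shows up as the same SensitiveSignature line as in the reply above. The port check only fires when a script-level set is changed, so adding a non-standard SSH port later needs one redef, not an edit to every signature.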