Hi,
Bro IDS is a very good IDPS project!
I'm working on adding snort/trons rules to Bro, but I have a little problem, please.
OK, first look at one Bro signature (mysnortrules file):
signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
}
I start Bro with:
bro -C -r exploit_sshgobbles22.pcap -s mysnortrules -f 'ip or tcp or udp' bro.init mt
mt.bro contains dpd, snort... (not dyn-disable.bro)
Attached two pcap files:
a) exploit_sshgobbles22.pcap
b) exploit_sshgobbles22000.pcap
Bro with dpd detects the SSH connection (client and server), but mysnortrules does not work; if I comment out (#dst-port == ssh_ports), Bro alerts (Bro uses the default SSH port {22}).
If I replace it with (dst-port == 22), Bro alerts.
1) Is it possible to detect the GOBBLES alert without a fixed TCP port? (and use dpd)
2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', Bro stops and reports a parse error (on this line)
-> maybe in the next Bro releases? (like http payload)
My tests are on Bro v1.3.2 with IPv6 enabled on a Linux Fedora Core 7 i386 platform.
What exactly do you want the "ssh" keyword to do? As most of an
ssh session is encrypted, it could match only on the first--which is
just what payload is doing as well (note that Bro stops processing
SSH content after the first line, i.e., payload is not doing any
further matching).
Thanks for the reply, Robin,
OK, my mt.bro contains in this example:
@load alarm
@load dns-lookup
@load hot
@load frag
@load tcp
@load scan
@load weird
@load finger
@load ident
@load ftp
@load login
@load portmapper
@load ntp
@load tftp
@load dpd
@load ssh
@load irc-bot
#@load dyn-disable
@load detect-protocols
@load site
@load snort
OK, I understand my problem; in my signature example I had missed dst-port. OK, please test with this signature:
signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
}
This example does NOT work on the two pcap files.
OK, change dst-port:
signature sid-1812 {
    ip-proto == tcp
    dst-port == 22
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
}
This example WORKS on the pcap file with ssh on port 22/tcp,
but why does ssh_ports not work? (ssh.log contains ssh_version client/server on the two example pcap files)
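As an added example that is not from this thread, one way to address question 1 of the first message (alert on the GOBBLES banner without fixing the port) is to key off the SSH analyzer's client-version event, which DPD raises for any connection it has identified as SSH regardless of port; it assumes Bro 1.x ssh.bro and notice.bro, with the ssh_client_version(c, version) event and the Notice enum those scripts define.

```bro
# Added example, not code from the thread. Assumes Bro 1.x ssh.bro and
# notice.bro: ssh.bro raises ssh_client_version() for every connection
# DPD classifies as SSH, so no dst-port condition is needed.
@load notice
@load dpd
@load ssh

# New notice type (assumed name) for the alert.
redef enum Notice += { SSH_GobblesBanner };

# Same pattern as the signature in the thread; it is applied to the
# client version line, the only cleartext the SSH analyzer sees.
const gobbles_banner = /.*GOBBLES/ &redef;

event ssh_client_version(c: connection, version: string)
	{
	if ( gobbles_banner in version )
		NOTICE([$note=SSH_GobblesBanner, $conn=c,
		        $msg=fmt("EXPLOIT gobbles SSH exploit attempt: %s", version)]);
	}
```

Load it alongside mt.bro (e.g. as an extra script name on the bro command line) and the notice fires for both pcaps, the one on 22/tcp and the one on 22000/tcp, because the match follows the analyzer rather than the port.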