Dear Team,
I am trying to achieve the functionality of the following Snort signatures using Bro scripts.
The signatures are:
Rule to set the flowbit, from Snort's backdoor.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
Rule to check for the flowbit:
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)
The first one sets a flowbit which is used by the second rule for detection.
I wrote the following script that may help me with the first one:
@load base/protocols/conn

# Snort: content:"BN |00 02 00|"; depth:6. The pattern is unanchored so it matches
# at offset 0 or 1 of the first 6 bytes, as Snort's depth:6 allows.
const content1 = /BN\x00\x02\x00/;
# Snort: content:"|05 00|"; depth:2; offset:8
const content2 = /\x05\x00/;

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
    {
    # flow:to_server -> only look at packets from the originator
    if ( c$id$resp_p == 20034/tcp && is_orig )
        {
        local c1 = sub_bytes(payload, 1, 6);   # first 6 bytes (sub_bytes is 1-based)
        if ( content1 in c1 )
            {
            local c2 = sub_bytes(payload, 9, 2);   # the 2 bytes at offset 8
            if ( content2 in c2 )
                {
                # sid 3009 match: this is where the flowbit would be set
                print fmt("sid 3009 match on %s", c$id);
                }
            }
        }
    }
So my problem here is: how can I do something in Bro like setting a flowbit in Snort, so that it will help me correlate and detect?
Thanks!
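One way to emulate the flowbit in Bro, as an added example that is not part of the original post: extend the connection record with a boolean, set it when the sid 3009 request half matches, and raise a notice when the sid 115 response half arrives on the same connection with the bit set. It assumes Bro 2.x with the Notice framework loaded; the module name NetBus, the notice type Connection_Established and the helper netbus_match are names chosen here, not part of Bro.

```bro
##! Added example: Snort flowbit emulation for the two NetBus Pro 2.0 rules.
##! Assumes Bro 2.x; NetBus, Connection_Established and netbus_match are chosen names.
@load base/frameworks/notice

module NetBus;

export {
    redef enum Notice::Type += {
        ## Both halves of the NetBus Pro 2.0 handshake were seen (sid 115).
        Connection_Established,
    };
    const netbus_port = 20034/tcp &redef;
}

# The flowbit itself: a per-connection boolean that is F until the request is seen.
# It lives and dies with the connection record, so it is scoped to one 5-tuple.
redef record connection += {
    netbus_connect: bool &default=F;
};

# Snort content:"BN |00 02 00|"; depth:6   (request, sid 3009)
const req_head = /BN\x00\x02\x00/;
# Snort content:"BN|10 00 02 00|"; depth:6 (response, sid 115)
const resp_head = /BN\x10\x00\x02\x00/;

# depth:6 -> search only the first 6 bytes; offset:8 depth:2 -> exactly bytes 8-9.
function netbus_match(payload: string, head: pattern): bool
    {
    return head in sub_bytes(payload, 1, 6) && sub_bytes(payload, 9, 2) == "\x05\x00";
    }

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Port check plus a rough analogue of flow:established on both rules.
    if ( c$id$resp_p != netbus_port || len < 10 || c$orig$state != TCP_ESTABLISHED )
        return;

    if ( is_orig )
        {
        # sid 3009: flowbits:set + flowbits:noalert, so only tag the connection.
        if ( netbus_match(payload, req_head) )
            c$netbus_connect = T;
        }
    else if ( c$netbus_connect && netbus_match(payload, resp_head) )
        {
        # sid 115: flowbits:isset on the server -> client half.
        NOTICE([$note=Connection_Established, $conn=c,
                $msg="BACKDOOR NetBus Pro 2.0 connection established"]);
        c$netbus_connect = F;
        }
    }
```

Bro's own signature framework can express the same dependency with `requires-reverse-signature` in a .sig file, which avoids handling every TCP packet in script land.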