Implementing a new script

Howdy all,

I recently began poking around Bro and had my first attempt at writing a script. The purpose of it was to detect whether or not traffic on port 443 used SSL. The moment I implemented the script my CPU usage was at 100%, and the same happened to my memory. Without the script enabled, the machine runs fine and Bro only uses about 50-60% of the resources. I also tried to turn off every other thing in local.bro, but it was the same result. The code is as follows (be warned, it's pretty rough):

@load base/protocols/ssl
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/directions-and-hosts

module conn;

export {
    redef enum Notice::Type += {
        Unencrypted_Traffic
    };

    # Which responder hosts to check (local hosts by default).
    const List_of_Hosts = LOCAL_HOSTS &redef;
    # The service name expected on port 443.
    const Encryption = "SSL" &redef;
}

event new_connection(c: connection) &priority=3
{
    if ( ! addr_matches_host(c$id$resp_h, List_of_Hosts) )
        return;

    # The connection 4-tuple is always available on c$id.
    local port_number = c$id$resp_p;
    local ip_address = c$id$resp_h;
    # Service detected so far for this connection (from the conn.log record).
    local encrypted = c$conn$service;

    if ( port_number != 443/tcp )
        return;

    if ( encrypted != Encryption )
        NOTICE([$note=Unencrypted_Traffic,
                $msg=fmt("Unencrypted traffic"),
                $conn=c,
                $identifier=cat(c$id$resp_h, c$id$resp_p)
               ]);
}

It is probably something I am not catching in my code, or a limited knowledge of Bro, but any help is much appreciated.

Thanks

Connor

Hi Connor,

This is a nice job at a first script. I'll point out a few issues I noticed with it, but generally I think you got pretty close to what you wanted.

Bro won't have detected the protocol in the connection yet in the new_connection event. Generally you can assume that no payload has been seen when the new_connection event is generated, which means that we don't yet know if the traffic is encrypted or not. :) You could use the protocol_violation event to watch for the SSL analyzer to be violated. Port 443/tcp always gets the SSL analyzer attached as a heuristic, but it will fail if the traffic is not actually SSL. This might actually be the most straightforward mechanism.
  https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-protocol_violation

One other tiny mistake is that you're comparing the c$conn$service field against "SSL" but the value in the service field will be "ssl". You just need to fix your casing.

Nice script!

  .Seth
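For readers following the protocol_violation suggestion above, here is an added example of that approach. It is not Connor's script, Seth's code, or part of the Bro distribution; the module name, notice type, and the `monitored_hosts` constant are chosen here for illustration. It relies on Bro attaching the SSL analyzer to 443/tcp by default and on the SSL analyzer raising protocol_violation when the payload does not parse as SSL/TLS:

```bro
# Added example: raise a notice when the SSL analyzer, which Bro attaches
# to 443/tcp by default, gives up on a connection because the payload is
# not actually SSL/TLS. Module name, notice type and monitored_hosts are
# assumptions made for this example.

@load base/frameworks/notice
@load base/protocols/ssl
@load base/utils/directions-and-hosts

module Unencrypted443;

export {
    redef enum Notice::Type += {
        ## Raised when a connection to 443/tcp on a monitored responder
        ## carried data that the SSL analyzer could not parse.
        Unencrypted_Traffic
    };

    ## Which responders to check; local hosts only by default.
    const monitored_hosts = LOCAL_HOSTS &redef;
}

# protocol_violation fires whenever an analyzer decides the traffic does not
# match the protocol it was attached for. We only care about the SSL analyzer
# failing on 443/tcp; any other analyzer or port is ignored.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
{
    if ( atype != Analyzer::ANALYZER_SSL )
        return;

    if ( c$id$resp_p != 443/tcp )
        return;

    if ( ! addr_matches_host(c$id$resp_h, monitored_hosts) )
        return;

    NOTICE([$note=Unencrypted_Traffic,
            $msg=fmt("Non-SSL traffic to %s on 443/tcp: %s", c$id$resp_h, reason),
            $conn=c,
            # One notice per responder host/port per hour, so a chatty
            # misconfigured server does not flood notice.log.
            $identifier=cat(c$id$resp_h, c$id$resp_p),
            $suppress_for=1hr]);
}
```

Because the check is driven by the analyzer's own failure rather than by the value of `c$conn$service`, it does not depend on the casing of the service string and it fires only once the payload has actually been inspected. The `$suppress_for` field is worth keeping: a single non-SSL server on 443 can otherwise produce one notice per connection.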