policy for IMAP signatures

Hi,

I am attempting to write a policy script for IMAP signatures
adapted from Snort using 'snort2bro'. Is this the right way
to write a policy script for the sample signatures below? I
am not sure how to treat the 'tcp-state' part. Also, is it
necessary to use 'eval' each time?

Suggestions/Pointers??

Thanks,
-N*

I am attempting to write a policy script for IMAP signatures
adapted from Snort using 'snort2bro'. Is this the right way
to write a policy script for the sample signatures below? I

I'm not exactly sure what you would like to achieve. If you just
want to get the same functionality that Snort provides for these
cases, you can just use the converted sid-1930/sid-1902 signatures.
No additional signatures are needed then.

If you want to enhance the Snort signatures, you can write
additional Bro signatures which take some more context into account.
If this is the case, perhaps you could describe a little bit more what
you would like to do?

signature imap_auth_overflow {
  requires-signature sid-1930
  eval has_imapauthoverflow_been_attempted
  event "Host may have been probed for IMAP auth overflow"
  }

As written this signature will match for a given connection if (1)
signature sid-1930 matches for the same connection, and if (2) the
function "has_imapauthoverflow_been_attempted" evaluates to true.
The latter happens if the same signature sid-1930 has already
matched for any connection between the originator and the
responder. I guess this is not what you had intended, is it?

With respect to tcp-state: Actually, this is currently ignored. The
code is implemented, but it turned out that using it made it even
more difficult to compare Bro's matches with those from Snort (which
isn't a problem of Bro as its TCP state decoding is actually quite
sophisticated). Eventually, we will change this.

Robin

Robin Sommer wrote:

As written this signature will match for a given connection if (1)
signature sid-1930 matches for the same connection, and if (2) the
function "has_imapauthoverflow_been_attempted" evaluates to true.
The latter happens if the same signature sid-1930 has already
matched for any connection between the originator and the
responder. I guess this is not what you had intended, is it?

You are right. Simply speaking, I would like to do this:
When an IMAP signature-A is detected, I would like to trigger
an external program/function-B which performs some defensive
measures (like updating the router to block any more requests
from the offending client IP). It looks now that the 'eval'
function is not the right place to do something like this. I
guess I need to define an event handler instead?

With respect to tcp-state: Actually, this is currently ignored. The
code is implemented, but it turned out that using it made it even
more difficult to compare Bro's matches with those from Snort (which
isn't a problem of Bro as its TCP state decoding is actually quite
sophisticated). Eventually, we will change this.

Thanks for the update on the tcp-state stuff.

best,
-Nimit

Yes, right. Define a signature_match() handler
and check if the triggering signature is one of those for which you
would like the action to be taken.

Actually, for things like this it would be better if you could
specify some other handler than signature_match() within the signature.
I will probably add this eventually.

Robin
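The handler Robin describes, written out as an added example (this is not
code from the thread, nor a script shipped with Bro). It covers both points
raised above: the 'eval' function in the posted imap_auth_overflow signature
is only a match condition, so the side effect (blocking the client) belongs in
a signature_match() handler that filters on the triggering signature id. The
signature ids sid-1930 and sid-1902 are the snort2bro-converted ones mentioned
in the thread; the set name imap_block_sigs, the blocked_hosts table and the
external script path /usr/local/bin/block-ip are assumptions made for this
example and would be replaced by whatever actually updates the router.

```bro
# Added example: react to converted Snort IMAP signatures from a
# signature_match() handler instead of from the signature's eval function.

# Signature ids (as produced by snort2bro) that should trigger a block.
# The set name and &redef are choices made for this example.
const imap_block_sigs: set[string] = { "sid-1930", "sid-1902" } &redef;

# Clients we have already acted on, so a noisy scanner that trips the
# signature on every connection only causes one external call.
global blocked_hosts: set[addr];

# Hypothetical external program that inserts the block on the router.
const block_cmd = "/usr/local/bin/block-ip" &redef;

event signature_match(state: signature_state, msg: string, data: string)
{
	# Only act on the signatures we care about; every other match
	# (including sid-1930 matching as a prerequisite of another
	# signature) is left alone.
	if ( state$id !in imap_block_sigs )
		return;

	# These signatures match on client -> server payload, so the
	# originator of the connection is the offending IMAP client.
	# If a signature matched on responder data, is_orig would be F
	# and blocking orig_h would block the wrong side.
	if ( ! state$is_orig )
		return;

	local attacker = state$conn$id$orig_h;

	if ( attacker in blocked_hosts )
		return;

	add blocked_hosts[attacker];

	print fmt("blocking %s after %s matched (%s)", attacker, state$id, msg);

	# Only an address is passed to the shell; never pass the matched
	# payload (data) or the signature message to system().
	system(fmt("%s %s", block_cmd, attacker));
}
```

Because signature_match() fires for every signature in every loaded signature
file, the first check on state$id is what keeps unrelated signatures from
triggering the block; adding a new signature to imap_block_sigs (via redef) is
then the only change needed to extend the reaction to it.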