Script conversion to 2.6.2

Hello everyone,

I am trying to convert a chunk of bro scripting code to the new version, but, despite reading the documentation, I don’t know what to precisely replace.

event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr)
{
    # Store info from the DHCP acknowledgment, to create a mapping between SHA and assigned IP
    DHCP_state[dhcp_msg$h_addr] = dhcp_msg$yiaddr;
}

Apparently, the dhcp_ack event has to be replaced by the dhcp_message equivalent, with a syntax similar to (?) the following:
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options).

I am not sure if it is correct and what I should include in the DHCP::Msg and DHCP::Options parts in order to construct an ack.
Moreover, by what should the dhcp_msg be replaced in the following function? (DHCP_state[dhcp_msg$h_addr] = dhcp_msg$yiaddr;)

Excuse my ignorance; these are my first bro tryouts.
Best regards,
TB

While not quite providing the answer to your question, this might help a bit.

https://github.com/bro/bro/blob/master/NEWS

It tells me that there is a script "policy/protocols/dhcp/deprecated_events.bro" that can bring your old events back from the new dhcp_message() only.

You might take a look at what it does and how it constructs the dhcp_ack from the dhcp_message().

It takes the dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options), checks for the type of the DHCP message

    switch ( DHCP::message_types[msg$m_type] )
    case "ACK":

and calls an artificially built event: event dhcp_ack(c, old_msg, sm, routers, le, sa, hn).

This should get you started. Welcome to the community, please come
back and ask more questions.
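The conversion the reply describes, written out as an added example (not code from this thread or from the Bro distribution): a 2.6-style dhcp_message handler that filters on the ACK type and recovers the values the old dhcp_ack parameters used to carry. It assumes, from the 2.6 record definitions, that DHCP::Msg has chaddr, yiaddr and m_type and that DHCP::Options has subnet_mask, routers, lease and serv_addr as &optional fields; the module name, the LeaseInfo record, the dhcp_leases table and the notice type are names invented for this example.

```bro
# Added example, not from the thread or from Bro itself.
# Assumed from the 2.6 records: DHCP::Msg$chaddr/yiaddr/m_type and
# DHCP::Options$subnet_mask/routers/lease/serv_addr (all &optional).
# LeaseInfo, dhcp_leases and Address_Changed are names chosen for this example.

module DHCPLeases;

export {
	redef enum Notice::Type += {
		## The same client hardware address was ACKed a different IP than recorded.
		Address_Changed,
	};

	type LeaseInfo: record {
		ip:     addr;
		mask:   addr;
		router: addr;
		lease:  interval;
		server: addr;
	};

	## chaddr (the old dhcp_msg$h_addr) -> what the server ACKed.
	global dhcp_leases: table[string] of LeaseInfo &create_expire = 1 hr;
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# The old dhcp_ack only fired for ACKs; dhcp_message fires for every DHCP
	# message, so filter on the type first (requests carry a yiaddr of 0.0.0.0).
	if ( DHCP::message_types[msg$m_type] != "ACK" )
		return;

	# Values the old event passed as separate parameters now sit in the
	# options record and are &optional, so test with ?$ before reading them.
	local info = LeaseInfo($ip=msg$yiaddr,
	                       $mask=options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
	                       $router=(options?$routers && |options$routers| > 0) ? options$routers[0] : 0.0.0.0,
	                       $lease=options?$lease ? options$lease : 0 sec,
	                       $server=options?$serv_addr ? options$serv_addr : 0.0.0.0);

	# A MAC that was already recorded with another IP is worth a notice before
	# the mapping is overwritten.
	if ( msg$chaddr in dhcp_leases && dhcp_leases[msg$chaddr]$ip != info$ip )
		NOTICE([$note=Address_Changed, $conn=c,
		        $msg=fmt("%s was %s, now ACKed %s by %s", msg$chaddr,
		                 dhcp_leases[msg$chaddr]$ip, info$ip, info$server)]);

	dhcp_leases[msg$chaddr] = info;
	}
```

The &create_expire attribute keeps the table from growing without bound on a busy network; a real deployment would size it from the observed lease times rather than a fixed hour.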

I finally managed to address the issue, by replacing the equivalent values for the following:

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
    # Unlike the old dhcp_ack, this fires for every DHCP message; keep only ACKs (yiaddr is 0.0.0.0 in requests)
    if ( DHCP::message_types[msg$m_type] != "ACK" )
        return;
    # Store info from the DHCP acknowledgment, to create a mapping between SHA and assigned IP
    DHCP_state[msg$chaddr] = msg$yiaddr;
}

and I was able to replicate an arp poisoning attack and get it detected in the bro -C -i <path_to_script> mode.

However, when I integrated the script in the broctl infrastructure, it didn’t detect the attack, by producing the equivalent log file.

I have configured the local.bro and respective configuration files correctly but the attack is not getting detected and no arp spoofing log file is generated.
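One difference between the two runs described in this post is that `bro -C` tells Bro to ignore invalid IP/TCP/UDP checksums, which a broctl-managed cluster does not do unless the same setting is made in script form. The local.bro fragment below is an added example, not part of the thread; the script name dhcp_leases.bro is a placeholder for the converted script, and that checksum offloading is the cause here is an assumption, not something the post confirms.

```bro
# Added example: additions to local.bro in the site directory.
# Paths and script names are placeholders.

# Equivalent of `bro -C`: without this, packets whose checksums were left for
# the NIC to fill in (checksum offloading) are dropped before any analyzer,
# including DHCP, sees them.
redef ignore_checksums = T;

# Load the converted script; assumed to live next to local.bro as dhcp_leases.bro.
@load ./dhcp_leases
```

After editing local.bro the change has to be pushed out with broctl deploy (or check plus install plus restart) before any worker runs it. A further caveat for the cluster case: a table such as DHCP_state is local to each worker process, so an ACK seen on one worker does not populate the table on another unless the state is shared explicitly.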