setting a connection "service" in a signature

Hiya,

I thought I'd share a way to mark the fake HTTPS connections
done by skype as such in conn.log. We've been seeing connections
to various IP addresses around the world sending hundreds of
megabytes of data and wanted to make sure it wasn't any
information leak. Most of the time, it is skype traffic but we
wanted a way to automatically determine it was the case.

Here is a simple way. It just uses the "service" flag of a bro
"connection" to mark the fact it is skype traffic.

It detects skype traffic by looking at the fake SSL
"ServerHello" that skype responders send. (basically, they send
a fixed "random data" with a date in 2004 where a normal SSL
server would send the current date and truly random data; I
suspect it is designed that way to help recognise skype traffic
easily).

I've got in my local.bro:

function mark_conn_as_skype(state: signature_state): bool
        {
        add state$conn$service["skype"];
        return T;
        }
redef signature_files += "skype-detect.sig";

(change to "return F" to avoid the alarm in notice.log)

And in skype-detect.sig

signature skype_fake_https {
  ip-proto == tcp
  tcp-state established,responder
  event "Skype fake HTTPS connection"
  src-port == 443
  payload /\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01\x40\x1b\xe4\x86\x02\xad\xe0\x29\xe1\x77\x74\xe5\x44\xb9\xc9\x9c\xb4\x31\x31\x5e\x02\xdd\x77\x9d\x15\x4a\x96\x09\xba\x5d\xa8\x70/
  eval mark_conn_as_skype
}

Then you'll see "skype" in the "service" column for those
connections and need to worry less when you see 200MB of data being
sent to Ukraine or any country you usually don't do business
with.
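As an added illustration (not code from the thread, from Bro or from any of the posters), the small Python decoder below shows what the 43 payload bytes in the signature above actually encode and why a fixed ServerHello random works as a fingerprint: it parses the TLS record and handshake headers, extracts the 32-byte random, decodes the leading gmt_unix_time field (which is where the "date in 2004" lives), and labels a responder payload the same way the signature does. The Skype payload is the byte string taken from the signature; the "normal" ServerHello it is compared against is constructed here, not captured.

```python
"""Decode a TLS ServerHello prefix and recognise the fixed Skype "random".

Added example, not code from the thread.  The only page-derived value is
the payload from the skype_fake_https signature; everything else
(the builder, the "normal" sample) is constructed for illustration.
"""
import struct
from datetime import datetime, timezone

# Payload bytes copied from the skype_fake_https signature in the thread.
SKYPE_FAKE_SERVER_HELLO = bytes.fromhex(
    "160301004a"                          # record: handshake (0x16), version 3.1, length 74
    "02000046"                            # handshake: ServerHello (0x02), length 70
    "0301"                                # server_version 3.1 (TLS 1.0)
    "401be48602ade029e17774e544b9c99c"    # random[0:16], starts with gmt_unix_time
    "b431315e02dd779d154a9609ba5da870"    # random[16:32]
)

# The 32-byte "random" the signature keys on; a real server never repeats it.
SKYPE_FIXED_RANDOM = SKYPE_FAKE_SERVER_HELLO[11:43]


def parse_server_hello(payload: bytes) -> dict:
    """Parse the fixed-size prefix of a TLS ServerHello.

    Returns the record/handshake headers, the 32-byte random and the
    gmt_unix_time field decoded as a UTC datetime.  Raises ValueError for
    anything that is not a handshake record carrying a ServerHello.
    """
    if len(payload) < 43:
        raise ValueError("payload shorter than a ServerHello prefix")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    random = payload[11:43]
    gmt_unix_time = struct.unpack("!I", random[:4])[0]
    return {
        "record_version": (rec_major, rec_minor),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "server_version": (payload[9], payload[10]),
        "random": random,
        "gmt_unix_time": gmt_unix_time,
        "gmt_datetime": datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc),
    }


def classify_responder_payload(payload: bytes) -> str:
    """Label the first responder bytes of a TCP/443 connection.

    "skype"   - ServerHello whose random equals the fixed Skype random
    "tls"     - any other parseable ServerHello
    "unknown" - not a ServerHello at all
    """
    try:
        hello = parse_server_hello(payload)
    except ValueError:
        return "unknown"
    return "skype" if hello["random"] == SKYPE_FIXED_RANDOM else "tls"


def build_server_hello(gmt_unix_time: int, random_tail: bytes,
                       cipher_suite: bytes = b"\x00\x2f") -> bytes:
    """Construct a complete, minimal TLS 1.0 ServerHello record (empty
    session id, null compression) with a caller-chosen timestamp.
    Used only to produce a contrasting "normal" sample; not a capture."""
    if len(random_tail) != 28:
        raise ValueError("random_tail must be 28 bytes")
    body = (b"\x03\x01" + struct.pack("!I", gmt_unix_time) + random_tail
            + b"\x00" + cipher_suite + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed "normal" ServerHello: timestamp 2012-08-22 00:00:00 UTC (the date
# of this thread) and a random tail that is obviously not real entropy.
NORMAL_SERVER_HELLO = build_server_hello(1345593600, bytes(range(1, 29)))


if __name__ == "__main__":
    for name, payload in (("skype", SKYPE_FAKE_SERVER_HELLO),
                          ("normal", NORMAL_SERVER_HELLO),
                          ("http", b"HTTP/1.1 200 OK\r\n" + b"x" * 40)):
        label = classify_responder_payload(payload)
        when = parse_server_hello(payload)["gmt_datetime"] if label != "unknown" else None
        print(f"{name:7s} -> {label:7s} gmt_unix_time={when}")
```

Running it prints the Skype sample's gmt_unix_time as 2004-01-31 17:23:18 UTC, which is the "date in 2004" referred to above; the constructed sample decodes to its 2012 timestamp and is labelled plain tls.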

2012-08-22 21:44:24 +0100, Stephane Chazelas:
> [...]
>
> Here is a simple way. It just uses the "service" flag of a bro
> "connection" to mark the fact it is skype traffic.
>
> [...]

Oh well, sorry, I spoke too soon. That makes bro crash in

#1 0x081d5ee8 in BroFunc::Call(ValPList*, Frame*) const ()
#2 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#3 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#4 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#5 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#6 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#7 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#8 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#9 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#10 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#11 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#12 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#14 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#15 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#16 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#17 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#18 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#19 0x0823288b in PktSrc::Process() ()
#20 0x082230a3 in net_run() ()
#21 0x0814423a in main ()

with frames above that varying:

$ for f (**/core(m-1)) gdb -core $f =bro --batch -ex bt
[New Thread 29511]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0 0xb777b430 in __kernel_vsyscall ()
#0 0xb777b430 in __kernel_vsyscall ()
#1 0xb72d2651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb72d5a82 in *__GI_abort () at abort.c:92
#3 0x08209367 in Reporter::InternalError(char const*, ...) ()
#4 0x0822bdb2 in bad_ref(int) ()
#5 0x081d6142 in BroFunc::Call(ValPList*, Frame*) const ()
#6 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#7 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#8 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#9 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#10 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#11 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#12 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#13 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#14 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#15 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#16 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#17 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#18 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#19 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#20 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#21 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#22 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#23 0x0823288b in PktSrc::Process() ()
#24 0x082230a3 in net_run() ()
#25 0x0814423a in main ()
[New Thread 10653]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 11, Segmentation fault.
#0 0x081d5ec3 in BroFunc::Call(ValPList*, Frame*) const ()
#0 0x081d5ec3 in BroFunc::Call(ValPList*, Frame*) const ()
#1 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#2 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#3 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#4 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#5 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#6 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#7 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#8 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#9 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#10 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#11 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#12 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#14 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#15 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#16 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#17 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#18 0x0823288b in PktSrc::Process() ()
#19 0x082230a3 in net_run() ()
#20 0x0814423a in main ()
[New Thread 21546]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 11, Segmentation fault.
#0 0xb73cc300 in tmpnam_buffer () from /lib/tls/i686/cmov/libc.so.6
#0 0xb73cc300 in tmpnam_buffer () from /lib/tls/i686/cmov/libc.so.6
#1 0x081d5ee8 in BroFunc::Call(ValPList*, Frame*) const ()
#2 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#3 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#4 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#5 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#6 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#7 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#8 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#9 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#10 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#11 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#12 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#13 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#14 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#15 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#16 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#17 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#18 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#19 0x0823288b in PktSrc::Process() ()
#20 0x082230a3 in net_run() ()
#21 0x0814423a in main ()
[New Thread 27005]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0 0xb7754430 in __kernel_vsyscall ()
#0 0xb7754430 in __kernel_vsyscall ()
#1 0xb72ab651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb72aea82 in *__GI_abort () at abort.c:92
#3 0xb72e206d in __libc_message (do_abort=2, fmt=0xb73b6f78 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4 0xb72ec161 in malloc_printerr (action=<value optimized out>, str=0x6 <Address 0x6 out of bounds>, ptr=0xa5f9e50) at malloc.c:6266
#5 0xb72ef2e0 in _int_malloc (av=<value optimized out>, bytes=<value optimized out>) at malloc.c:4308
#6 0xb72f0b6c in *__GI___libc_malloc (bytes=5) at malloc.c:3660
#7 0xb74ddc07 in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#8 0xb74ddd3d in operator new[](unsigned int) () from /usr/lib/libstdc++.so.6
#9 0x081f7437 in HashKey::CopyKey(void const*, int) const ()
#10 0x081f7496 in HashKey::TakeKey() ()
#11 0x0829ebf3 in TableVal::Assign(Val*, HashKey*, Val*, Opcode) ()
#12 0x0829f28e in TableVal::Assign(Val*, Val*, Opcode) ()
#13 0x081c1041 in IndexExpr::Add(Frame*) ()
#14 0x08273191 in AddStmt::Exec(Frame*, stmt_flow_type&) const ()
#15 0x08273d4f in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#16 0x081d5f69 in BroFunc::Call(ValPList*, Frame*) const ()
#17 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#18 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#19 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#20 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#21 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#22 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#23 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#24 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#25 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#26 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#27 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#28 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#29 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#30 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#31 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#32 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#33 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#34 0x0823288b in PktSrc::Process() ()
#35 0x082230a3 in net_run() ()
#36 0x0814423a in main ()
[New Thread 28453]
Core was generated by `/usr/local/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p standalone -p'.
Program terminated with signal 6, Aborted.
#0 0xb76e4430 in __kernel_vsyscall ()
#0 0xb76e4430 in __kernel_vsyscall ()
#1 0xb723b651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb723ea82 in *__GI_abort () at abort.c:92
#3 0x08209367 in Reporter::InternalError(char const*, ...) ()
#4 0x0822bdb2 in bad_ref(int) ()
#5 0x081d6142 in BroFunc::Call(ValPList*, Frame*) const ()
#6 0x0824e677 in RuleConditionEval::DoMatch(Rule*, RuleEndpointState*, unsigned char const*, int) ()
#7 0x0824f2b4 in RuleMatcher::EvalRuleConditions(Rule*, RuleEndpointState*, unsigned char const*, int, bool) ()
#8 0x08250adc in RuleMatcher::Match(RuleEndpointState*, Rule::PatternType, unsigned char const*, int, bool, bool, bool) ()
#9 0x08234eac in PIA_TCP::DeliverStream(int, unsigned char const*, bool) ()
#10 0x0814966f in Analyzer::NextStream(int, unsigned char const*, bool) ()
#11 0x08149d2d in Analyzer::ForwardStream(int, unsigned char const*, bool) ()
#12 0x08283bef in TCP_Reassembler::DeliverBlock(int, int, unsigned char const*) ()
#13 0x08283f2e in TCP_Reassembler::BlockInserted(DataBlock*) ()
#14 0x08282b0f in TCP_Reassembler::DataSent(double, int, int, unsigned char const*, bool) ()
#15 0x082823c2 in TCP_Endpoint::DataSent(double, int, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) ()
#16 0x08281873 in TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#17 0x08149821 in Analyzer::NextPacket(int, unsigned char const*, bool, int, IP_Hdr const*, int) ()
#18 0x08163131 in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) ()
#19 0x082698dd in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int) ()
#20 0x08269eae in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) ()
#21 0x08222d2f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) ()
#22 0x08223013 in net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) ()
#23 0x0823288b in PktSrc::Process() ()
#24 0x082230a3 in net_run() ()
#25 0x0814423a in main ()

stderr.log had once:

*** glibc detected *** /usr/local/bin/bro: malloc(): smallbin double linked list corrupted: 0x0a5f9e50 ***

I suppose it doesn't like me adding a service in that context.

Anybody got a better idea on how to make it work?

(that's the bro 2.0 in securityonion)

2012-08-23 11:11:30 +0100, Stephane Chazelas:

> 2012-08-22 21:44:24 +0100, Stephane Chazelas:
> [...]
> > Here is a simple way. It just uses the "service" flag of a bro
> > "connection" to mark the fact it is skype traffic.
> [...]
>
> Oh well, sorry, I spoke too soon. That makes bro crash.

If I change it to:

function mark_conn_as_skype(state: signature_state): bool
        {
  # use a temp var to prevent bro from crashing
        local srv = state$conn$service;
        add srv["skype"];
        return T;
        }

Then, it no longer crashes and seems to work fine.

> It detects skype traffic by looking at the fake SSL
> "ServerHello" that skype responders send. (basically, they send
> a fixed "random data" with a date in 2004 where a normal SSL
> server would send the current date and truly random data; I
> suspect it is designed that way to help recognise skype traffic
> easily).

Cool technique! Thanks for sharing. Do these connections show up in ssl.log or generate the ssl_server_hello event? It would probably be better to detect them through the SSL analyzer if possible.

> function mark_conn_as_skype(state: signature_state): bool
>        {
>        add state$conn$service["skype"];
>        return T;
>        }
> redef signature_files += "skype-detect.sig";

I have a couple of comments here…

The prototype for your function should be:
  function cond(state: signature_state, data: string): bool;

You are missing the data variable which could be partly what's contributing to the crash you are seeing. I'll try and look into this more closely soon to see what exactly we need to fix (something here needs to be fixed, I'm just not sure what it is yet).

Additionally, beginning with 2.0 you can use the @load-sigs directive which gives you relative path loading, so you can distribute your protocol detection script as a "module" and it doesn't matter where people put it on the BROPATH; the skype-detect.sig signatures would still be findable. The following example will look for the signature file in the same directory as the script that called @load-sigs.

  @load-sigs ./skype-detect.sig

One other comment, we do have a Skype analyzer that is currently not enabled in the script-land. That should detect and log Skype connections as well (the base scripts need to be written for it still).

Again, thanks for sending that in! Definitely a cool trick. Do you think you could package it up in a git repository like I've been doing with my recent scripts? The ssn-exposure script even has an example of @load-sigs

  https://github.com/sethhall/ssn-exposure
  https://github.com/sethhall/relog

  .Seth

2012-08-23 09:56:17 -0400, Seth Hall:

> > It detects skype traffic by looking at the fake SSL
> > "ServerHello" that skype responders send. (basically, they send
> > a fixed "random data" with a date in 2004 where a normal SSL
> > server would send the current date and truly random data; I
> > suspect it is designed that way to help recognise skype traffic
> > easily).
>
> Cool technique! Thanks for sharing. Do these connections
> show up in ssl.log or generate the ssl_server_hello event? It
> would probably be better to detect them through the SSL
> analyzer if possible.

Hi Seth, thanks.

It's not real SSL, though some of them do show up occasionally
as "ssl" and some of them cause some errors. The packets past
the ServerHello are not SSL packets.

> > function mark_conn_as_skype(state: signature_state): bool
> > {
> > add state$conn$service["skype"];
> > return T;
> > }
> > redef signature_files += "skype-detect.sig";
>
> I have a couple of comments here…
>
> The prototype for your function should be:
>   function cond(state: signature_state, data: string): bool;
>
> You are missing the data variable which could be partly what's
> contributing to the crash you are seeing.

I copy-pasted from ssl-worm.bro in securityonion which BTW has comments like:
        "# FIXME: Bro segfaults without the tmp variable"
which made me try and use a tmp variable as well.

After adding the ",data: string" and reverting to add
state$conn$service, it seems not to crash, so it's probably what
the problem was.

[...]

> Additionally, beginning with 2.0 you can use the @load-sigs
> directive which gives you relative path loading, so you can
> distribute your protocol detection script as a "module" and it
> doesn't matter where people put it on the BROPATH; the
> skype-detect.sig signatures would still be findable. The
> following example will look for the signature file in the same
> directory as the script that called @load-sigs.
>
>   @load-sigs ./skype-detect.sig

It didn't like it:
   error in /usr/local/share/bro/site/local.bro, line 90: unrecognized character - @
   error in /usr/local/share/bro/site/local.bro, line 90: unknown identifier load, at or near "load"

I can't see any mention of "load-sigs" in the source. Are you
sure it's not in a newer version?

> One other comment, we do have a Skype analyzer that is
> currently not enabled in the script-land. That should detect
> and log Skype connections as well (the base scripts need to be
> written for it still).

I enquired about that on the list a few days ago, as I wasn't
able to find it. Someone kindly sent me a version that was
designed for an older version of bro, and goes far beyond what I
need (identify those port 443 connections).

> Again, thanks for sending that in! Definitely a cool trick.
> Do you think you could package it up in a git repository like
> I've been doing with my recent scripts? The ssn-exposure
> script even has an example of @load-sigs
>
>   https://github.com/sethhall/ssn-exposure
>   https://github.com/sethhall/relog

[...]

I'll have a look.

> I copy-pasted from ssl-worm.bro in securityonion which BTW has comments like:
>        "# FIXME: Bro segfaults without the tmp variable"
> which made me try and use a tmp variable as well.

Ah, securityonion has a problem right now because they had installed 1.5 and it wasn't installed as a package so they couldn't delete the older scripts. 2.0 was installed as a package over top of it. ssl-worm.bro is an older script that shouldn't even be there.

> After adding the ",data: string" and reverting to add
> state$conn$service, it seems not to crash, so it's probably what
> the problem was.

Yep, apparently we need to have that as a syntax error if a signature eval function doesn't have the proper syntax. Robin, Jon, any idea of if that would be possible?

> I can't see any mention of "load-sigs" in the source. Are you
> sure it's not in a newer version?

Hah, oops. Sorry about that. It was added long enough ago that I thought it was in 2.0; apparently it's going to be in 2.1, though. It will work *very* soon. :)

> I enquired about that on the list a few days ago, as I wasn't
> able to find it. Someone kindly sent me a version that was
> designed for an older version of bro, and goes far beyond what I
> need (identify those port 443 connections).

Sorry about not responding to that. I was meaning to get back to it but I obviously didn't. I'm actually glad everything worked out like it did though and you wrote your new script.

  .Seth

> Yep, apparently we need to have that as a syntax error if a signature eval function doesn't have the proper syntax. Robin, Jon, any idea of if that would be possible?

Yes, fixed on fastpath branch now.

    Jon

Wha!? Awesome! I didn't expect to see that fixed yet. As always, thanks Jon!

  .Seth

2012-08-23 09:56:17 -0400, Seth Hall:
> [...]
>
> Again, thanks for sending that in! Definitely a cool trick.
> Do you think you could package it up in a git repository like
> I've been doing with my recent scripts? The ssn-exposure
> script even has an example of @load-sigs
>
>   https://github.com/sethhall/ssn-exposure
>   https://github.com/sethhall/relog
>
> [...]

Here you go:
https://github.com/stephane-chazelas/bro-skype-fake-https-detect

Unfortunately, I couldn't test it. The bro I compiled from the
git head doesn't detect TCP connections properly (all marked as
OTH even after I disable NIC offloads), and I don't have any
time to look at it in any more detail.

Cool, thanks!

  .Seth