Signature Match for TCP packets.

Hi,

I have problems in signature matching. I have a signature like:

signature tcp_http {
  dst-port == 80
  event "HTTP Packet"
}

This should match all packets sent to port 80 including the handshake
packets. But no match was happening when I sent HTTP traffic.

In RuleMatcher::InitEndpoint, the DO_MATCH_OR is called only if 'ip' (IP_Hdr
*ip) is not NULL. For a TCP packet, the
PIA_TCP::DeliverStream calls DoMatch with ip set to 0. This makes sure that
the match doesn't happen for TCP packets with signatures only with
destination ports. Is there any reason for passing a NULL as the last
parameter for DoMatch?

Thanks,
Dhanesh.


signature tcp_http {
  dst-port == 80
  event "HTTP Packet"
}

This should match all packets sent to port 80 including the handshake
packets. But no match was happening when I sent HTTP traffic.

Just tried it and it works for me.

How exactly are you starting Bro? One random guess: is the packet
filter including HTTP packets? Try running with "-f tcp".

In RuleMatcher::InitEndpoint, the DO_MATCH_OR is called only if 'ip' (IP_Hdr
*ip) is not NULL. For a TCP packet, the
PIA_TCP::DeliverStream calls DoMatch with ip set to 0.

Without double-checking the code, the important thing here is that
for TCP only the first packet of each connection is matched against
the header conditions. This is because the payload-conditions match
streamwise and semantics would be unclear if we'd match against all
packet headers (e.g., what happens if a payload match crosses a
packet boundary but the header-conditions only match one of the two
packets?). So the basic model is that the header conditions pick out
the *connections* on which payload matching is then performed.

Robin
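As an added illustration of the model Robin describes (not code from Bro or from either poster), here is a small Python simulation: header conditions are decided once per connection, on its first packet, and payload conditions are matched against the reassembled byte stream, so a pattern split across two packets still matches. The packets, signature fields (`dst_port`, `payload`) and connection key are constructed for the example and are a deliberately simplified subset of the real signature language.

```python
"""Toy model of connection-level signature matching (example, not Bro code).

Header conditions are evaluated on the first packet of a connection only;
payload conditions are matched against the reassembled stream of that
connection, so a payload match may span packet boundaries.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    dst_port: Optional[int] = None      # header condition (simplified subset)
    payload: Optional[bytes] = None     # regex matched against the stream


@dataclass
class Connection:
    header_ok: Dict[str, bool]          # decided on the first packet only
    stream: bytearray = field(default_factory=bytearray)
    fired: Set[str] = field(default_factory=set)


ConnKey = Tuple[str, int, str, int]


def conn_key(p: Packet) -> ConnKey:
    return (p.src, p.sport, p.dst, p.dport)


def run(packets: List[Packet], sigs: List[Signature]) -> List[Tuple[str, ConnKey]]:
    """Return (signature name, connection) pairs in firing order."""
    conns: Dict[ConnKey, Connection] = {}
    events: List[Tuple[str, ConnKey]] = []
    for p in packets:
        k = conn_key(p)
        c = conns.get(k)
        if c is None:
            # First packet of the connection: header conditions are
            # evaluated here and nowhere else (e.g. on the SYN).
            c = Connection(header_ok={
                s.name: s.dst_port is None or s.dst_port == p.dport
                for s in sigs
            })
            conns[k] = c
            # Header-only signatures fire immediately on that first packet.
            for s in sigs:
                if s.payload is None and c.header_ok[s.name]:
                    events.append((s.name, k))
                    c.fired.add(s.name)
        # Reassemble and match payload conditions streamwise.
        c.stream += p.payload
        for s in sigs:
            if s.payload is None or s.name in c.fired or not c.header_ok[s.name]:
                continue
            if re.search(s.payload, bytes(c.stream)):
                events.append((s.name, k))
                c.fired.add(s.name)
    return events


# Constructed sample traffic: a SYN with no payload, then a request whose
# "GET /admin" is split across two segments, then the same request to :443.
SAMPLE = [
    Packet("10.0.0.1", 40000, "10.0.0.2", 80),
    Packet("10.0.0.1", 40000, "10.0.0.2", 80, b"GET /ad"),
    Packet("10.0.0.1", 40000, "10.0.0.2", 80, b"min HTTP/1.0\r\n"),
    Packet("10.0.0.1", 40001, "10.0.0.2", 443, b"GET /admin HTTP/1.0\r\n"),
]
SIGS = [
    Signature("tcp_http", dst_port=80),
    Signature("http_admin", dst_port=80, payload=rb"GET /admin"),
]


def demo() -> List[Tuple[str, ConnKey]]:
    return run(SAMPLE, SIGS)


if __name__ == "__main__":
    for name, key in demo():
        print(name, key)
```

Running it, `tcp_http` fires once on the SYN of the port-80 connection (not on every packet), `http_admin` fires only after the second data segment completes the split pattern, and the port-443 connection fires nothing because its header condition failed on its first packet.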