ssh alternative ports

Hello all,

I'm trying to add an alternative port for ssh in my policy file, but somehow it
doesn't work. I get the following error message:

bro@nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter
./test.bro, line 12 (ssh_ports): error, "redef" used but not previously defined
bro@nsm$

When I check the ssh.bro policy I can see that it is possible to redefine the
ssh_ports:
[ssh.bro]
..
global ssh_ports = { 22/tcp, } &redef;
..
[/ssh.bro]

Below is my test policy file:

[test.bro]
@load site

redef local_nets: set[subnet] = {
        10.1.1.0/24,
};

redef capture_filters += {
        ["ssh-alt"] = "tcp port 2122",
};

redef ssh_ports += {
        2122/tcp,
};
[/test.bro]

I have tried to add the module name, but no luck.

bro@nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter
./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not previously defined
bro@nsm$

With kind regards,

Robin Gruyters

You indeed need the SSH prefix. Using that, I get a different error
message:

# bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter
./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports

Which is true: the id is not exported in ssh.bro and therefore
can't be redefined (I think it should be exported though).

Robin

Robin,

Okay, I have attached a patch for ssh.bro, which includes exported ssh_ports and
ssh_log.

With kind regards,

Robin Gruyters

Quoting Robin Sommer <robin@icir.org>:

ssh.bro.diff (743 Bytes)

Hi,
If I apply your patch to policy/ssh.bro (move to export{})
and if I change policy/snort.bro (for example):
  redef SSH::ssh_ports += { 2122/tcp };
bro works, but if I have a signature that uses ssh_ports it does not work:
  signature sid-1812 {
    ip-proto == tcp
    # dst-port == ssh_ports # <-----
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }
brov140ipv6 gives an error:
Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports)

Do you have an idea?
Regards
Rmkml
Crusoe-Researches.com

Quoting rmkml <rmkml@free.fr>:

Hi Robin,
You do not export capture_filters?
Regards
Rmkml
Crusoe-Researches.com

This is already exported by pcap.bro.

With kind regards,

Robin Gruyters

Have you tried SSH::ssh_ports?

Robin

Thanks for the reply and sorry for the delay.
OK, I have changed the signature to (for example):
30:signature sid-1812 {
31: ip-proto == tcp
32: dst-port == SSH::ssh_ports
33: event "EXPLOIT gobbles SSH exploit attempt"
34: tcp-state established,originator
35: payload /.*GOBBLES/
36: }
bro140ipv6 gives an error:
  Error in signature (policy/sigs/snort-default.sig:32): unknown script-level identifier (SSH)
  Error in signature (policy/sigs/snort-default.sig:32): parse error
  Error in signature (policy/sigs/dpd.sig:1): parse error
The first line of the unmodified dpd.sig file is:
  # ALS signatures for protocol detection.

Another idea?
Regards
Rmkml
Crusoe-Researches.com

Oh, it looks like the signature parser actually cannot deal with
module prefixes. The signatures were there before we introduced
modules and it looks like that never got adapted. :-( Something for
the todo list.

Robin