TRW Scan feature suggestion

Hello, the honeypot specification for my site is much more complex than can
be expressed as a set of addresses. And unfortunately this is significantly
skewing my TRW scan results.

Might I suggest a small but permanent change to the TRW algorithm: instead
of using a set lookup (the honeypot global) to determine whether a
connection is related to a honeypot, let there be a function variable that
gets set to a function which takes a connection record as input and returns
a boolean. The return value specifies T/F whether the connection is
associated with a honeypot. This function is called in check_TRW_scan
(trw-impl.bro) instead of the set lookup in honeypot.

The default function would do the simple set lookup, as is done now. But it
allows others to create a function that performs more complex operations.

Cheers,

Eric Thomas
Sandia National Laboratories
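The shape of the change proposed above, written out as an added illustration; this is not code from trw-impl.bro or from the poster. The hook name is_honeypot_conn, the default/site function names, the SiteHoneypot module and the subnet and port values are assumptions made for the example; honeypot, check_TRW_scan and the connection record fields c$id$resp_h / c$id$resp_p are Bro's own.

```bro
# Added example: replace the set lookup in check_TRW_scan() with a
# function-valued global that sites can point at their own predicate.
# Names marked "hypothetical" are assumptions for illustration.

module TRW;

export {
	# The existing address set stays and is still the default source.
	global honeypot: set[addr] &redef;

	# Hypothetical hook: check_TRW_scan() would call
	# is_honeypot_conn(c) where it now tests "c$id$resp_h in honeypot".
	global is_honeypot_conn: function(c: connection): bool;
}

# Default behaviour: the plain set lookup done today.
function default_is_honeypot_conn(c: connection): bool
	{
	return c$id$resp_h in honeypot;
	}

event bro_init()
	{
	is_honeypot_conn = default_is_honeypot_conn;
	}

# ---- site policy, in a script loaded after trw-impl.bro (hypothetical) ----
module SiteHoneypot;

# Example of a honeypot definition that a set[addr] cannot express:
# an address range, but only on a handful of listening ports.
const honeypot_nets: set[subnet] = { 10.1.2.0/24 } &redef;
const honeypot_ports: set[port] = { 22/tcp, 80/tcp, 445/tcp } &redef;

function site_is_honeypot_conn(c: connection): bool
	{
	# Keep honouring the plain address set as well.
	if ( c$id$resp_h in TRW::honeypot )
		return T;

	return c$id$resp_h in honeypot_nets && c$id$resp_p in honeypot_ports;
	}

# bro_init handlers run in script load order, so this one runs after
# TRW's and replaces the default predicate.
event bro_init()
	{
	TRW::is_honeypot_conn = site_is_honeypot_conn;
	}
```

The only edit inside trw-impl.bro itself would then be the one call site: the `in honeypot` test in check_TRW_scan becomes a call to the hook, and sites that are happy with a set of addresses need to change nothing.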

Hi all,

I have a clarification regarding writing signatures. I want to check only
the first 4 bytes of the TCP payload.

I tried using:

signature payload-3 {
  ip-proto == tcp
  event "First three bytes matched"
  payload /.{0,3}\x0a\x2a\x17/
}

This signature didn't match. Can anyone suggest how to compare the first 'n'
bytes of the payload?

I also saw patterns like payload/{4}reg-exp/ in signatures file. What do
they imply?

Thanks,
Dhanesh.

> payload/.{0,3}\x0a\x2a\x17/

That should actually work. Can you send me the packets of a
connection which should match this signature and the exact
command-line you are using to start Bro?

> I also saw patterns like payload /{4}reg-exp/ in signatures file.

That looks like a syntax error and should not compile. Where did you
see it?

Robin
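The signature forms behind the question, as an added example rather than code from the thread or from Bro's own signature files. The signature names, event strings and byte values are invented; the conditions used (ip-proto, tcp-state, payload) are Bro's. Bro matches a payload regex from the start of the payload (the pattern is implicitly anchored), so "the first n bytes" is written with no leading wildcard at all, and a wildcard prefix is only needed when leading bytes are to be skipped.

```bro
# Added example, not from the original thread or the Bro distribution.
# Byte values, signature names and event strings are made up.

# Match when the first three bytes the client sends are exactly 0a 2a 17.
# Payload patterns are anchored at the start of the payload, so nothing
# has to precede the bytes; "tcp-state originator" restricts the match
# to data sent by the connection originator.
signature first-3-bytes-exact {
  ip-proto == tcp
  tcp-state established,originator
  payload /\x0a\x2a\x17/
  event "First three bytes are 0a 2a 17"
}

# Match when a four-byte marker appears anywhere within the first eight
# bytes, i.e. after up to four arbitrary leading bytes.  This is the form
# used in the question, with the window widened to four bytes.
signature marker-in-first-8-bytes {
  ip-proto == tcp
  tcp-state established,originator
  payload /.{0,4}\x0a\x2a\x17\x00/
  event "Marker within the first 8 bytes"
}

# "{n}" counts repetitions of the atom before it, so a fixed-length
# prefix of arbitrary bytes is ".{n}": skip exactly four bytes, then
# require the marker at offset 4.  A bare "{4}" with nothing before it
# has nothing to repeat.
signature marker-at-offset-4 {
  ip-proto == tcp
  tcp-state established,originator
  payload /.{4}\x0a\x2a\x17/
  event "Marker at offset 4"
}
```

One caveat when skipping bytes with `.`: Bro's pattern syntax follows flex, where `.` does not match a newline byte, so a prefix such as `.{0,3}` will not step over a 0x0a in those positions; if that byte can legitimately occur in the skipped prefix, an explicit byte class (for example `[\x00-\xff]{0,3}`, assumed here) is the safer spelling.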