Friday, September 21, 2007

Bro - Signature Testing

Unlike snort, Bro-Nids is not signature centric NIDS, however it does offer certain level of signature capability in order to be more comprehensive in event detection. Following is the example of Bro signature in detecting one of trojan -

signature thinstall_trojan
ip-proto == tcp
dst-port == http_ports
http /[pP][oO][sS][tT]\x20{1,}\/bi\/servlet\/ThinstallPre/
tcp-state established,originator
event "ThinstallPre Adware Trojan, personal and machine data theft, successful"
# reference:

It looks pretty straight forward comparing to snort sigs as I would admit snort offers more powerful and flexible capability for sig rule writing. Again we see regular expressions(regex) here. I can't recall how many times I have told about the important of regex to network security analyzt.


What if I want to test the signature on the fly, here's what I do. Write the signature that based on the standard format above and save it as testing.sig, then -

Export bro environment variables -

shell>cd /usr/local/bro

shell>. etc/bro.cfg

Test it with the packet capture data(holycow.pcap) with -s option, and remember to load the other analyzer or policy scripts such as tcp, udp, icmp, http and signatures. All of them can be found under policy directory with .bro suffix. Then execute -

shell>bro -s testing.sig -r holycow.pcap \
tcp udp icmp http signatures

If there's traffic that matching the signature, it will be logged to signatures log file. I will write more tips and tricks about Bro-Nids in future when possible especially at

Cheers (;])

No comments: