Bro-Nids: Pads Signatures Conversion

Computer and Network Security, Mamak Style



< Bro + Afterglow == Flow Insight with Link Graph | HITBSecConf2007 Daemon Writeups >

Sunday, September 23. 2007

Bro-Nids: Pads Signatures Conversion

    (Posted by geek00l)
I learned about Pads when Bamm decided to integrate it to Sguil, it is the automated tool to asist in network asset discovery passively. Unfortunately, PADS is no longer maintained by its author and hopefully someone will pick it up(Hanashi maybe ;P).

PADS has its own set of signature to identify the network services by examining the application layer in the packet, we have thought of integrating Pads capability to Bro-Nids, first thing to do would be converting the Pads signatures to Bro compatible signatures. The Pads signatures looks like this:
ssh,v/OpenSSH/$2/Protocol $1/,SSH-([.\d]+)-OpenSSH[_-](\S+)
ssh,v/Cisco SSH/$2/Protocol $1/,SSH-([.\d]+)-Cisco[_-](\S+)
www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)

It has following format

# Format:
# <service>,<version info>,<signature>



In order to convert it, we had figured the way with the sed and awk madness. Here's the one liner -


shell>egrep -v '(^#|^ +*$)' pads-signature-list | \ 
awk -F "," '{ 
    printf "signature %s\n", $1; 
    printf "{\n"; printf "\tipproto == tcp\n"; 
    printf "\tsrc-ip != local_nets\n"; 
    printf "\tdst-ip == local_nets\n"; 
    printf "\tpayload /%s/\n", $3; 
    printf "\ttcp-state established\n"; 
    printf "\tevent \"%s\"\n", $2; printf "}\n"; printf "\n" }' | \
sed -e 's/v\///g; s/\$[0-9]//g; s/\/\{3\}//g'


After the conversion, the one of the signature looks like this -


signature ssh
{
    ipproto == tcp
    src-ip != local_nets
    dst-ip == local_nets
    payload /SSH-([.\d]+)-OpenSSH[_-](\S+)/
    tcp-state established
    event "OpenSSH//Protocol /"
}

The conversion is not done perfectly but it is really helpful as I need to sharpen on the signature replacement only because most of the stuffs are formatted accordingly. What todo next, testing round for the signature I guess.

Enjoy (;])

Posted by geek00l at 01:20 | Comments (5) | Trackbacks (0)
Defined tags for this entry:
Related entries by tags:
Br 1.4 Released!
Bro Communication - Receiving all events
Running and Installing pybroccoli for Bro 1.4
Installing Bro 1.4 Pre-release on FreeBSD 7
Bro Communication
1041 hits
Bookmark Bro-Nids: Pads Signatures Conversion at del.icio.us Digg Bro-Nids: Pads Signatures Conversion Bookmark Bro-Nids: Pads Signatures Conversion at Furl.net Bookmark Bro-Nids: Pads Signatures Conversion at reddit.com Stumble It!



Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Great article and great tip!

But if you going to use sed/awk anyway, maybe it would be easier to use Perl. (also easier to read)

Here is an example

#!/usr/bin/perl -w

use strict;

my ($srv, $ver, $sig);

while () {
next if ( /^(#|\s+$)/);
($srv, $ver, $sig) = split(/,/);
chomp($sig);

$ver =~ s/\$\d//g;
$ver =~ s/^v\/(.*)\/\/(?:.*)?\//$1/;

print "signature $srv\n{\n";
print "\tipproto == tcp\n";
print "\tsrc-ip != local_nets\n";
print "\tdst-ip == local_nets\n";
print "\tpayload /$sig/\n";
print "\ttcp-state established\n";
print "\tevent \"$ver\"\n}\n";
}

Use the command as "perl pads-signature-list"

Anyway good story, keep it coming!
#1 R Gruyters (Homepage) on 2007-09-23 20:01 (Reply)
Hmm, it removed some characters from my posting. Here is another go.

#!/usr/bin/perl -w

use strict;

my ($srv, $ver, $sig);

while (&lt;&gt;) {
next if ( /^(#|\s+$)/);
($srv, $ver, $sig) = split(/,/);
chomp($sig);

$ver =~ s/\$\d//g;
$ver =~ s/^v\/(.*)\/\/(?:.*)?\//$1/;

print "signature $srv\n{\n";
print "\tipproto == tcp\n";
print "\tsrc-ip != local_nets\n";
print "\tdst-ip == local_nets\n";
print "\tpayload /$sig/\n";
print "\ttcp-state established\n";
print "\tevent \"$ver\"\n}\n";
}

As I said, use the command as: "perl &lt;script&gt; pads-signature-list".

Hopefully in the (near) future bro will be included into Sguil.
#1.1 R Gruyters (Homepage) on 2007-09-23 20:09 (Reply)
Hi Robin.G,

Guess I'm too used to sed and awk

Now we have another converter in Perl ;-)

Cheers ;]
#1.1.1 geek00l (Homepage) on 2007-09-24 21:16 (Reply)
Well, I have posted an article on my site about your point of view, together with an updated (alpha) release of the Perl script.
The Perl script will create for each signature an unique id (e.g. ssh-001, ssh-002, www-001, etc)
#2 R Gruyters (Homepage) on 2007-09-25 17:22 (Reply)
Sorry if this has been addressed before. But I'm in search of a secondary IDS and had a few questions regarding Bro NIDS. I'm looking to deploy in a large environment, but wanted to learn some things before commencing to test.

1. How easy is it to deploy compared to Snort?
2. What would be the learning curve for someone to build/deploy/configure/tune BRO who has built/deployed/configured/tuned Snort?
3. Does it easily accept all of the existing Snort signatures?
4. What is the recommended hardware for a sensor sniffing 200 MB of traffic? 1-2 gig of traffic on a 1 gig switch uplink span port?
5. Is the proprietary Bro language difficult to master in order to create new scripts?
6. What would be a good compliment to the Bro IDS (a primary commercial IDS that works well with Bro)?
#3 Mike Ramos on 2007-12-04 22:52 (Reply)

Add Comment


Before you post a comment, please take note of the following guidelines:
  1. Commenting is provided as a courtesy only.
  2. Please be brief and relevant to the post.
  3. Please be polite even in disagreement with us or others.
  4. Support claims you wish to make using sources and links.
  5. No personal attacks, name calling, or commercial commenting.
  6. Anyone creating false or multiple identities will be banned.
  7. If you don't have a cogent argument, you will be censored.
  8. If you are purposefully deceptive, you will be censored.
  9. No spamming or flooding.
We appreciate your time and effort in contributing to security.org.my
Comment policy copied and modified from Spin Hunters.

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
 
 

DISCLAIMER

All data and information provided on this site is for informational purposes and on an *as-is* basis.

This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion and views as security professionals.

Feel free to challenge us, disagree with us, or even tell us that we are a complete mindless and brainless monkeys in the comment section of the blog entry.

Report Defacements of Malaysian Website

Report web defacements so that we all can keep track of them! Information here. You can view the reported defacements here.

Tags

Recent Entries

Defaced - http://www.masjidannur.com.my
March 24 2010

Defaced - http://orogenic.com.my/ - http://orogenicgroup.com/
March 24 2010

Defaced - http://www.kedairakyat.com
March 24 2010

Defaced - http://andamansetipengantin.com
March 24 2010

Defaced - http://klse.info/.~x/
March 24 2010

Defaced - http://{www,ict,akademik}.kedah.edu.my/
March 24 2010

www.mampu.gov.my - hacked or misconfigured?
March 12 2010

UMNO spends RM300 million hiring hackers to stop PKR for the next general election
March 12 2010

Defaced - http://www.politeknik.edu.my
March 4 2010

Defaced - http://ncer.com.my
March 4 2010

Archives

July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
Recent...
Older...
Friends

The Harimau Watchlist
raWPacket Project
Malaysia Honeynet Project
Hack In The Box
geek00l's Blog

Syndicate This Blog


Creative Commons

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License