> On Jun 15, 2018, at 5:18 PM, Seth Hall <s...@corelight.com> wrote:
>
> On the upside, you can handle both the old events and the new and they
> shouldn't impact each other (if you want to make a script work on
> multiple releases).
I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro.

The fix is a little trickier: you can't handle both events because the DHCP::Msg type no longer exists, and you need to wrap the old event with

    @ifdef (DHCP::Msg)
    @endif

So for that script I ended up with

    # Handler compiled when the DHCP::Msg type is defined.
    @ifdef (DHCP::Msg)
    event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
        {
        if ( options?$host_name && shellshock in options$host_name )
            NOTICE([$note=Bash::DHCP_hostname_Attack,
                $conn=c,
                $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"",
                    c$id$orig_h, c$id$resp_h, options$host_name),
                $identifier=c$uid]);
        }
    # Handler compiled when the DHCP::Msg type is not defined.
    @else
    event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
        {
        if ( shellshock in host_name )
            NOTICE([$note=Bash::DHCP_hostname_Attack,
                $conn=c,
                $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"",
                    c$id$orig_h, c$id$resp_h, host_name),
                $identifier=c$uid]);
        }
    @endif

— Justin Azoff
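Added example, not part of the original message or of bash-cve-2014-6271.bro: the same host-name check done outside Bro, by parsing the DHCP options field directly, which is useful for testing the detection against constructed packets. The `SHELLSHOCK` regex, the function names and the sample message are assumptions; the thread never shows how the script defines `shellshock`.

```python
import re

# Assumption: the thread does not show the script's `shellshock` pattern. This
# regex matches the "() {" function-definition prefix tied to CVE-2014-6271.
SHELLSHOCK = re.compile(rb"\(\)\s*\{")
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header before the cookie
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255


def dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} parsed from a DHCP UDP payload."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: concatenate repeats
        i += 2 + length
    return opts


def suspicious_hostname(payload: bytes):
    """Return the host name option if it matches the pattern, else None."""
    name = dhcp_options(payload).get(OPT_HOSTNAME)
    return name if name is not None and SHELLSHOCK.search(name) else None


def build_sample(hostname: bytes) -> bytes:
    """Constructed test message: zeroed BOOTP header, message type, host name."""
    opts = b"\x35\x01\x02" + bytes([OPT_HOSTNAME, len(hostname)]) + hostname + b"\xff"
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + opts
```

Feeding `build_sample()` output with benign and matching host names through `suspicious_hostname()` gives a quick regression check for whichever event handler the `@ifdef` selects.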