Hey, I use the dhcp analyzer because I cannot count on our dhcp logs. Not just that, I do some detection around it.
> On Jun 15, 2018, at 2:38 PM, Vlad Grigorescu <v...@es.net> wrote:
>
> Yeah, I've mainly seen it used for shellshock. On top of that, I saw some
> scripts in GitHub that used it from:
>
> - Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro
> - Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro
> - Grant Stavely: https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro
> - Anthony: https://github.com/anthonykasza/users/blob/master/users.bro
>
> (There were a few others, like IVRE, but they've already updated).
>
> Even if it's not widely used, I think it'd be a nicer user experience if we
> were to ship a script that handled dhcp_message, and raised the old events.
> We could mark the old events as deprecated, and remove them in the next
> version. That way, people have at least one cycle to upgrade.
>
> Hopefully, as we see more published Bro packages, we have a better idea of
> which events are/aren't being used.
>
> --Vlad
>
>> On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <jaz...@illinois.edu> wrote:
>>
>> > On Jun 15, 2018, at 5:18 PM, Seth Hall <s...@corelight.com> wrote:
>> >
>> > On the upside, you can handle both the old events and the new and they
>> > shouldn't impact each other (if you want to make a script work on
>> > multiple releases).
>>
>> I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro
>>
>> The fix is a little trickier, you can't handle both events because the
>> DHCP::Msg type no longer exists and you need to wrap the old event with
>>
>> @ifdef (DHCP::Msg)
>> @endif
>>
>> So for that script I ended up with
>>
>> @ifdef (DHCP::Msg)
>> event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
>>     {
>>     if ( options?$host_name && shellshock in options$host_name )
>>         NOTICE([$note=Bash::DHCP_hostname_Attack,
>>                 $conn=c,
>>                 $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, options$host_name),
>>                 $identifier=c$uid]);
>>     }
>> @else
>> event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
>>     {
>>     if ( shellshock in host_name )
>>         NOTICE([$note=Bash::DHCP_hostname_Attack,
>>                 $conn=c,
>>                 $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"", c$id$orig_h, c$id$resp_h, host_name),
>>                 $identifier=c$uid]);
>>     }
>> @endif
>>
>> —
>> Justin Azoff
_______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
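A compatibility shim of the kind Vlad proposes, added here as an example rather than code from the thread or from Bro itself: on Bro 2.6 it handles dhcp_message and re-raises the old dhcp_offer and dhcp_request events, so a script such as Justin's can keep its old handler for one release cycle. It assumes the Bro 2.6 DHCP::Msg and DHCP::Options field names (chaddr, ciaddr, yiaddr, host_name, subnet_mask, routers, lease, serv_addr, addr_request), the old event signatures quoted above, and that the old events and the dhcp_msg / dhcp_router_list types are no longer defined on that release.

```bro
# Added example (not from the thread or Bro): bridge Bro 2.6's dhcp_message
# back to the pre-2.6 events. Compiled only where DHCP::Msg exists; older
# releases still ship the native events. Field names are assumed (see lead-in).
@ifdef (DHCP::Msg)
# The old record types and events were removed, so declare them here.
type dhcp_msg: record {
	op: count;
	m_type: count;
	xid: count;
	h_addr: string;
	c_addr: addr;
	y_addr: addr;
};
type dhcp_router_list: table[count] of addr;
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string);
global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string);

function to_old_msg(msg: DHCP::Msg): dhcp_msg
	{
	return [$op=msg$op, $m_type=msg$m_type, $xid=msg$xid,
	        $h_addr=msg$chaddr, $c_addr=msg$ciaddr, $y_addr=msg$yiaddr];
	}

function to_router_list(opts: DHCP::Options): dhcp_router_list
	{
	local rl: dhcp_router_list = table();
	if ( opts?$routers )
		for ( i in opts$routers )
			rl[i] = opts$routers[i];
	return rl;
	}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# The old events passed these as plain values; in 2.6 they are optional
	# DHCP options, so substitute empty values when a client omits them.
	local hn = options?$host_name ? options$host_name : "";
	local srv = options?$serv_addr ? options$serv_addr : 0.0.0.0;
	if ( msg$m_type == 2 )      # DHCPOFFER
		event dhcp_offer(c, to_old_msg(msg),
		                 options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
		                 to_router_list(options),
		                 options?$lease ? options$lease : 0sec, srv, hn);
	else if ( msg$m_type == 3 ) # DHCPREQUEST
		event dhcp_request(c, to_old_msg(msg),
		                   options?$addr_request ? options$addr_request : 0.0.0.0,
		                   srv, hn);
	}
@endif
```

Loading this alongside an unmodified old-style script on 2.6 lets its dhcp_offer handler fire as before; the remaining old events (dhcp_discover, dhcp_ack, and so on) would be mapped the same way from msg$m_type.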