[Discussion] Text in Msgs

Seth Hall hall.692 at osu.edu
Tue Oct 28 04:20:48 UTC 2008


On Oct 27, 2008, at 1:41 PM, John Pritchard wrote:

> For example, the returned "match" could be sent on to additional tasks
> that would either additionally validate the alarm or invoke some other
> automated form of action.

This is exactly how Bro works.  There is a notice framework that  
basically allows you to write code where you can define how you'd like  
to handle a notice after it has already been thrown (e.g. email, don't  
email, run some shell command, etc.).

> Take a signature designed to detect possible credit card patterns.
> Once a potential pattern match is caught, the string could then be
> passed to other processes to further validate or refute the trigger.
> For a VISA credit card sig, the initial match might simply be on a 16
> digit number sequence beginning with a "four" (which would be highly
> prone to false positives). But, once "matched" the string could be
> passed to another process to run a Luhn checksum algorithm on the
> string; thereby, providing a significantly higher measure of
> confidence whether the initial alert was "real" or just "noise".

Assuming that we already have something raising a notice named
"CC_VISA_Number" and a function named "check_luhn", this would more-or-less
look like this...

redef notice_policy += {
	# Match only the credit-card notice type, and only when the candidate
	# number carried in the "sub" field passes the Luhn check.
	[$pred(n: notice_info) = {
		return (n$note == CC_VISA_Number &&
		        check_luhn(n$sub));
	 },
	 # Action taken when the predicate holds.
	 $result = NOTICE_EMAIL],
};

This is saying that if the notice type being processed is
CC_VISA_Number and the "sub" field (where I'm assuming the potential
card number would be placed) passes the Luhn check, send the notice in
an email.  From my own personal experience, there is really something
to be said for being able to do so much aggregation and correlation in a
single language and with a single tool.

For more information about the notice framework in Bro, you can refer  
to this post on the ICIR blog by Robin Sommer:
    http://blog.icir.org/2008/03/telling-bro-what-important.html

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
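The two-stage triage described in this exchange (a coarse "16 digits starting with 4" match, then a Luhn checksum before the notice is acted on), written out as an added example. This is not code from the post or from the Bro project; the check_luhn() here is a stand-in for the function the post assumes to exist, the regex is my guess at the coarse signature, and the sample payload is constructed for the example.

```python
import re

# Stage 1: the coarse signature the thread describes, a 16-digit run that
# begins with 4. The lookarounds keep it from firing inside a longer digit
# string (e.g. a 17-digit tracking number). Assumed pattern, not Bro's.
VISA_CANDIDATE = re.compile(r"(?<!\d)4\d{15}(?!\d)")


def check_luhn(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits.

    Stands in for the check_luhn() the post assumes. Walking from the
    right, every second digit is doubled (with 9 subtracted if the result
    exceeds 9); the number passes when the digit sum is a multiple of 10.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_visa_candidates(text: str) -> list:
    """Stage 1: everything the coarse signature would raise a notice for."""
    return VISA_CANDIDATE.findall(text)


def triage(text: str) -> dict:
    """Stage 2: map each stage-1 candidate to whether it survives Luhn.

    In the post's Bro policy this decides between emailing the notice
    and letting it drop.
    """
    return {c: check_luhn(c) for c in find_visa_candidates(text)}


# Constructed sample payload (not from the original post).
# 4111111111111111 is the well-known Visa test number and passes Luhn;
# 4111111111111112 fails Luhn; 5555555555554444 is a Luhn-valid Mastercard
# test number that stage 1 never sees because it does not begin with 4;
# the 17-digit "tracking" value must not match at all.
SAMPLE = (
    "order id 4111111111111112 shipped; card 4111111111111111 charged; "
    "alt card 5555555555554444; tracking 41111111111111110"
)

if __name__ == "__main__":
    for cand, ok in triage(SAMPLE).items():
        print(f"{cand}: {'email notice' if ok else 'drop (Luhn failed)'}")
```

One caveat worth keeping in mind when weighting the result: Luhn is a single mod-10 check digit, so roughly one in ten random 16-digit strings passes it. It is good at discarding typos and unrelated numeric noise, which is exactly the refinement the thread is after, but a pass raises confidence rather than confirming a real card number.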
