Yeah, I've mainly seen it used for shellshock. On top of that, I saw some scripts in GitHub that used it from:

- Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro
- Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro
- Grant Stavely: https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro
- Anthony: https://github.com/anthonykasza/users/blob/master/users.bro

(There were a few others, like IVRE, but they've already updated.)

Even if it's not widely used, I think it'd be a nicer user experience if we were to ship a script that handled dhcp_message and raised the old events. We could mark the old events as deprecated, and remove them in the next version. That way, people have at least one cycle to upgrade.

Hopefully, as we see more published Bro packages, we have a better idea of which events are/aren't being used.

--Vlad

On Fri, Jun 15, 2018 at 9:22 PM, Azoff, Justin S <[email protected]> wrote:
>
> On Jun 15, 2018, at 5:18 PM, Seth Hall <[email protected]> wrote:
> >
> > On the upside, you can handle both the old events and the new and they
> > shouldn't impact each other (if you want to make a script work on
> > multiple releases).
>
> I ran into this on a script I got from somewhere, bash-cve-2014-6271.bro
>
> The fix is a little trickier, you can't handle both events because the
> DHCP::Msg type no longer exists and you need to wrap the old event with
>
>     @ifdef (DHCP::Msg)
>     @endif
>
> So for that script I ended up with
>
>     @ifdef (DHCP::Msg)
>     event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
>         {
>         if ( options?$host_name && shellshock in options$host_name )
>             NOTICE([$note=Bash::DHCP_hostname_Attack,
>                     $conn=c,
>                     $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"",
>                              c$id$orig_h, c$id$resp_h, options$host_name),
>                     $identifier=c$uid]);
>         }
>     @else
>     event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string)
>         {
>         if ( shellshock in host_name )
>             NOTICE([$note=Bash::DHCP_hostname_Attack,
>                     $conn=c,
>                     $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via dhcp hostname against %s submitting \"hostname\"=\"%s\"",
>                              c$id$orig_h, c$id$resp_h, host_name),
>                     $identifier=c$uid]);
>         }
>     @endif
>
> —
> Justin Azoff
>
> _______________________________________________
> bro-dev mailing list
> [email protected]
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
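A compatibility shim of the kind Vlad proposes, written here as an added example (not code from the thread or from the Bro project): on a release that has DHCP::Msg it re-raises the removed dhcp_offer event from dhcp_message, so a script like the shellshock check above keeps working unchanged for one release while its users see a deprecation warning. Assumed rather than stated in the thread: the field names of DHCP::Msg and DHCP::Options, the layout of the old dhcp_msg record, and support for the &deprecated attribute.

```bro
##! Added example: compat shim re-raising the old dhcp_offer event from the
##! new dhcp_message event. Field names of DHCP::Msg/DHCP::Options and the
##! old dhcp_msg layout are assumptions, not taken from the thread.

# The old types were removed together with the old events, so redeclare them
# at global scope under their old names so that unmodified scripts still parse.
type dhcp_msg: record {
	op: count;      # BOOTP opcode
	m_type: count;  # DHCP message type (option 53)
	xid: count;     # transaction id
	h_addr: string; # client hardware address
	c_addr: addr;   # ciaddr
	y_addr: addr;   # yiaddr
};
type dhcp_router_list: table[count] of addr;

# Redeclare the old event, flagged so users get a deprecation warning and one
# release cycle to move to dhcp_message (assumes &deprecated is supported).
global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr,
                         router: dhcp_router_list, lease: interval,
                         serv_addr: addr, host_name: string) &deprecated;

const DHCPOFFER = 2; # DHCP message type value for an offer (RFC 2132)

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# Only DHCPOFFER messages map onto the old dhcp_offer event.
	if ( ! options?$message_type || options$message_type != DHCPOFFER )
		return;

	# Project the new message record onto the old layout (assumed field names).
	local old_msg = dhcp_msg($op=msg$op, $m_type=options$message_type,
	                         $xid=msg$xid, $h_addr=msg$chaddr,
	                         $c_addr=msg$ciaddr, $y_addr=msg$yiaddr);

	# Old scripts expect routers as a count-indexed table, not a vector.
	local routers: dhcp_router_list = table();
	if ( options?$routes )
		for ( i in options$routes )
			routers[i] = options$routes[i];

	# Every optional field becomes an explicit default, since the old event had
	# no notion of an absent option; host_name is what the shellshock check reads.
	event dhcp_offer(c, old_msg,
	                 options?$subnet_mask ? options$subnet_mask : 0.0.0.0,
	                 routers,
	                 options?$lease ? options$lease : 0sec,
	                 options?$serv_addr ? options$serv_addr : 0.0.0.0,
	                 options?$host_name ? options$host_name : "");
	}
```

Loading this shim alongside the unmodified bash-cve-2014-6271.bro lets the old dhcp_offer handler fire on the new release, which is the one-cycle upgrade window the message argues for.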
