[Bro] teamcymru alerts

Allen, Brian brianallen at wustl.edu
Thu Jun 12 07:38:24 PDT 2014


Hi,

I'm using the TeamCymru alerts in the notice.log file, but I was wondering
if someone could help interpret the specific field file_desc, which is
listed as "Additional context for file, if available"?

Normally that field will list a website, presumably where the file was
downloaded from, and it looks like this (sanitized):

"http://d pullupdate com/ius/Setup.exe"

That is extremely useful.  But there are some alerts in that field, going
to port 25, where it lists email addresses like this:

"<liuyp1952 at 163.com> -> <french_a at kids.wustl.edu>: Mail Delivery
(failur..."

That's the exact content of the field including the ... at the end.

I assume this is an alert for an email that went from that 163.com account
to the french_a at kids account, and the malicious file Bro detected was
attached.

Do I have this right?  What about that Mail Delivery (failur... at the end?
Thanks,
-Brian

Brian Allen
Network Security Analyst
Washington University
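
Parsing notice.log by its #fields header and splitting file_desc into its
parts, as an added example (not code from the original post or from Bro
itself): the URL shape and the "<sender> -> <recipient>: <subject>" shape
are taken from the two values quoted above, the sample log is constructed
(the uids, fuids, addresses, timestamps and the note name are made up), and
a trailing "..." on the subject is assumed to mark a cut-off subject.

```python
"""Parse Bro's TSV notice.log and interpret the file_desc column."""
import re
from typing import Dict, List, Optional

# Constructed sample, not a real capture. The column list is abbreviated (a real
# notice.log carries more fields), which is exactly why the parser reads the
# #fields header instead of assuming column positions. The two file_desc values
# are the ones quoted in the post; everything else in the rows is made up.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid"
    "\tfile_mime_type\tfile_desc\tproto\tnote\tmsg\tsub\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring"
    "\tstring\tstring\tenum\tenum\tstring\tstring\n"
    "1402585104.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t49152\t198.51.100.7\t80"
    "\tFa1b2c3d\tapplication/x-dosexec\thttp://d pullupdate com/ius/Setup.exe"
    "\ttcp\tTeamCymruMalwareHashRegistry::Match"
    "\tMalware Hash Registry Detection rate: 67%  Last seen: 2014-06-10 00:00:00\t-\n"
    "1402585201.654321\tC4J4Th3PJpwUYZZ6gc\t203.0.113.9\t37777\t10.0.0.25\t25"
    "\tFd4e5f6a\tapplication/x-dosexec"
    "\t<liuyp1952 at 163.com> -> <french_a at kids.wustl.edu>: Mail Delivery (failur..."
    "\ttcp\tTeamCymruMalwareHashRegistry::Match"
    "\tMalware Hash Registry Detection rate: 80%  Last seen: 2014-06-11 00:00:00\t-\n"
    "#close\t2014-06-12-08-00-00\n"
)


def parse_bro_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per data row, keyed by the names declared in the #fields header.

    Unset columns become None and empty columns become "", using the markers the
    log itself declares (#unset_field / #empty_field) rather than hard-coded ones.
    """
    fields: Optional[List[str]] = None
    unset_marker, empty_marker = "-", "(empty)"
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset_marker = value
            elif key == "empty_field":
                empty_marker = value
            continue  # #separator, #path, #types, #close and friends are not data
        if fields is None:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        row: Dict[str, Optional[str]] = {}
        for name, value in zip(fields, cols):
            row[name] = None if value == unset_marker else ("" if value == empty_marker else value)
        rows.append(row)
    return rows


URL_DESC = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Shape inferred from the SMTP value quoted in the post: "<sender> -> <recipient>: <subject>".
SMTP_DESC = re.compile(r"^(?P<sender><[^>]*>) -> (?P<recipient><[^>]*>): (?P<subject>.*)$")


def interpret_file_desc(row: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Classify file_desc as a download URL, an SMTP sender/recipient/subject, or other."""
    desc = row.get("file_desc")
    if desc is None:
        return {"kind": "none"}
    if URL_DESC.match(desc):
        return {"kind": "url", "url": desc}
    m = SMTP_DESC.match(desc)
    if m:
        subject = m.group("subject")
        truncated = subject.endswith("...")  # assumed: "..." marks a cut-off subject
        return {
            "kind": "smtp",
            "sender": m.group("sender"),
            "recipient": m.group("recipient"),
            "subject": subject[:-3] if truncated else subject,
            "subject_truncated": truncated,
        }
    return {"kind": "other", "text": desc}


def summarize(text: str) -> List[str]:
    """One line per notice saying how the file reached the host, cross-checked with id.resp_p."""
    out: List[str] = []
    for row in parse_bro_log(text):
        ctx = interpret_file_desc(row)
        port = row.get("id.resp_p")
        if ctx["kind"] == "url":
            out.append(f"{row['uid']}: downloaded from {ctx['url']} (server port {port})")
        elif ctx["kind"] == "smtp":
            flag = " [subject truncated]" if ctx["subject_truncated"] else ""
            mismatch = "" if port == "25" else f" [resp_p={port}, not 25]"
            out.append(f"{row['uid']}: mailed {ctx['sender']} -> {ctx['recipient']}, "
                       f"subject {ctx['subject']!r}{flag}{mismatch}")
        else:
            out.append(f"{row['uid']}: file_desc={ctx.get('text')!r}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_NOTICE_LOG):
        print(line)
```

Reading the #fields header rather than counting columns is what keeps this
working when a site's notice.log gains or drops columns; the port
cross-check in summarize is there so an SMTP-looking description on a
non-25 connection stands out instead of being silently trusted.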





-----Original Message-----
From: "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com>
Date: Wednesday, June 11, 2014 4:25 PM
To: bro <bro at bro.org>
Subject: [Bro] Bro hanging on some sensors

I have several SecurityOnion sensors and most are working ok.  There are a
couple that I see the below problem on with Bro.

The /nsm/bro/spool/manager/communication.log file shows the below in it on
each of the problem sensors:
    1402520922.886012   manager parent  -       -       -       info    warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
    1402520922.886012   manager parent  -       -       -       info    warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
    1402520922.886012   manager parent  -       -       -       info    warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
    1402520922.886012   manager parent  -       -       -       info    warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
    1402520922.886012   manager parent  -       -       -       info    communication started, parent pid is 3646, child pid is 3660

I only ever see these files created in the Bro log working directory:
    communication.log
    loaded_scripts.log
    reporter.log
    stderr.log
    stdout.log

Most of the sensors are configured exactly the same, both software- and
hardware-wise, so I'm not seeing a correlation there as yet.  I've tried
rebooting and using broctl commands and so far no resolution.  Many times
"broctl check" will hang.  I have all the latest patches on SO installed.
Any help would be appreciated.

The only major change I've made in the last month is to add a few Intel
feeds.


Thanks,
Brian


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro