[Bro] software/version-changes.bro comparison between the two versions.

Azoff, Justin S jazoff at illinois.edu
Tue Feb 21 10:55:48 PST 2017


It looks like that script is broken :-(  The main software script that logs new software versions does:

    ts[info$name] = info;
    Log::write(Software::LOG, info);

and then the version changes script is doing

    local old = ts[rec$name];

But at that point old and rec are the same exact thing.  It's possible to fix this, it just can't use the log_software event because at that point the "old" version has already been overwritten.

Another issue with the script is that the 'tracked' variable has a create expire of only 24h, so if the host is only seen every 48 hours, or if Bro is restarted, it won't know the version changed.

Newer features in Broker should allow interesting version changes to be tracked using persistent data stores.  That would really fix the issue.  There are similar things that need to be re-written for better tracking known hosts/known services/known certs.

I added this info to the existing ticket I had for this:

https://bro-tracker.atlassian.net/browse/BIT-1521



-- 
- Justin Azoff

> On Feb 21, 2017, at 12:50 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> I was going through the version-changes.bro script, thinking of adding some software
> to track the version changes, but realized that there is no comparison done between the
> old version tracked and the version detected in "rec: Info" of log_software event.
> 
> Hence, I was thinking of adding a condition to check it before the notice is raised for the version
> change, like the following:
> (or I might be missing something regarding the functionality of the script. :/)
> 
> event log_software(rec: Info)
> 	{
> 	local ts = tracked[rec$host];
> 
> 	if ( rec$name in ts )
> 		{
> 		local old = ts[rec$name];
> 
> 		# Is it a potentially interesting version change?
> 		if ( rec$name in interesting_version_changes )
> 			{
> 			if ( software_fmt_version(old$version) != software_fmt_version(rec$version) )
> 				{
> 				local msg = fmt("%.6f %s switched from %s to %s (%s)",
> 				                network_time(), rec$software_type,
> 				                software_fmt_version(old$version),
> 				                software_fmt(rec), rec$software_type);
> 				NOTICE([$note=Software_Version_Change, $src=rec$host,
> 				        $msg=msg, $sub=software_fmt(rec)]);
> 				}
> 			}
> 		}
> 	}
> 
> Any thoughts? Is anybody using this script to track software changes?
> 
> Thanks,
> Fatema.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
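The two problems raised in this thread (the lookup in the log_software handler returning the record that was just stored, and the 24h create-expire dropping the old entry before a slow-revisiting host is seen again) can be reproduced in a small Python model. This is an added illustration, not code from the thread, from Bro or from the version-changes.bro script: the TrackedTable class is an assumed simplification of a Bro table with &create_expire (it keeps the original creation time when an existing key is re-assigned), and the host, software name, versions and time gaps are constructed values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HOUR = 3600.0


@dataclass(frozen=True)
class Info:
    """Minimal stand-in for the fields of Software::Info used here (assumption)."""
    host: str
    name: str
    version: str


class TrackedTable:
    """Models the 'tracked' table keyed by (host, software name). Entries vanish
    `expire` seconds after first insertion, like Bro's &create_expire; this model
    assumes re-assigning an existing key keeps the original creation time.
    expire=None models a store that never expires (e.g. a persistent data store)."""

    def __init__(self, expire: Optional[float]) -> None:
        self.expire = expire
        self._rows: Dict[Tuple[str, str], Tuple[float, Info]] = {}

    def _purge(self, now: float) -> None:
        if self.expire is None:
            return
        self._rows = {k: (created, rec) for k, (created, rec) in self._rows.items()
                      if now - created < self.expire}

    def get(self, host: str, name: str, now: float) -> Optional[Info]:
        self._purge(now)
        row = self._rows.get((host, name))
        return row[1] if row is not None else None

    def put(self, rec: Info, now: float) -> None:
        self._purge(now)
        key = (rec.host, rec.name)
        created = self._rows[key][0] if key in self._rows else now
        self._rows[key] = (created, rec)


def notice(old: Info, new: Info) -> str:
    return f"{new.host} {new.name} switched from {old.version} to {new.version}"


def observe_via_log_event(tracked: TrackedTable, rec: Info, now: float) -> Optional[str]:
    """The order the thread describes: the software framework stores the record
    (ts[info$name] = info) and writes the log; only then does the log_software
    handler read ts[rec$name]. That lookup returns the record just stored, so
    'old' and 'rec' are the same thing and the comparison never fires."""
    tracked.put(rec, now)
    old = tracked.get(rec.host, rec.name, now)
    if old is not None and old.version != rec.version:
        return notice(old, rec)
    return None


def observe_before_overwrite(tracked: TrackedTable, rec: Info, now: float) -> Optional[str]:
    """Compare against the previously tracked record before it is replaced."""
    old = tracked.get(rec.host, rec.name, now)
    tracked.put(rec, now)
    if old is not None and old.version != rec.version:
        return notice(old, rec)
    return None


Observer = Callable[[TrackedTable, Info, float], Optional[str]]


def run_scenario(observe: Observer, expire: Optional[float], gap: float) -> Optional[str]:
    """Constructed scenario: one host reports OpenSSH 7.2, then `gap` seconds
    later reports OpenSSH 7.4. Returns the notice text, or None if nothing fired."""
    tracked = TrackedTable(expire)
    observe(tracked, Info("10.0.0.5", "OpenSSH", "7.2"), 0.0)  # first sighting
    return observe(tracked, Info("10.0.0.5", "OpenSSH", "7.4"), gap)


if __name__ == "__main__":
    print("log-event order, 1h apart :", run_scenario(observe_via_log_event, 24 * HOUR, 1 * HOUR))
    print("compare-first, 1h apart   :", run_scenario(observe_before_overwrite, 24 * HOUR, 1 * HOUR))
    print("compare-first, 48h apart  :", run_scenario(observe_before_overwrite, 24 * HOUR, 48 * HOUR))
    print("compare-first, no expiry  :", run_scenario(observe_before_overwrite, None, 48 * HOUR))
```

Only the compare-before-overwrite order with a non-expiring store reports the change in every case; the log-event order never does, and the 24h create-expire silently loses the change for a host seen 48h apart, which is the case the thread points at persistent stores to fix.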