[Bro] The code for "weird" logging activity.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Oct 16 13:11:38 PDT 2017


Hah, there's a reason we have the -i option with grep *facepalm* :) (could have
saved me a lot of time).
Thanks Justin for the quick response. Appreciate it!

Yay!
Fatema.

On Mon, Oct 16, 2017 at 4:01 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Oct 16, 2017, at 3:58 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > Hey All,
> >
> > So, I was going through the weird.log file generated by bro every hour,
> > and found a lot of activity that I would like to suppress, and for some
> > activity I would like to know the source (i.e. what part of bro code is
> > raising those "weird" activity logs in the weird.log) to analyse whether
> > it's legit or can be suppressed.
> >
> > For example, I would like to suppress "DNS_RR_unknown_type 46", as it,
> > I think, is not an unknown type; it's defined in RFC 4034 as "RRSIG"
> > (and some other similar weird activity.)
> >
> > Hence, I wanted to see what code during packet analysis might have raised
> > one of the *_weird events to log that connection.
> >
> > I was searching for the string "weird" in an effort to find the Bro
> > scripts that either load weird or create a log stream in weird.log, but
> > couldn't find the code/script that is responsible for those notices in
> > weird.log.
>
> Ah.. it's also 'Weird' inside of analyzers, so 'weird' would not have
> found it:
>
> $ git grep DNS_RR_unknown_type
> CHANGES:  * DNS: Log the type number for the DNS_RR_unknown_type weird. (Vlad Grigorescu)
> scripts/base/frameworks/notice/weird.bro:    ["DNS_RR_unknown_type"]                 = ACTION_LOG,
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
> testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log:1363716396.798286        CHhAvVGS1DHFjwGM9       55.247.223.174  27285   222.195.43.124  53      DNS_RR_unknown_type     46      F       bro
> $ git grep 'analyzer->Weird'
> src/analyzer/protocol/dnp3/DNP3.cc:    analyzer->Weird("dnp3_header_lacks_magic");
> src/analyzer/protocol/dnp3/DNP3.cc:    analyzer->Weird("dnp3_unexpected_flow_direction");
> src/analyzer/protocol/dnp3/DNP3.cc:    analyzer->Weird("dnp3_negative_or_zero_length_link_layer");
> src/analyzer/protocol/dnp3/DNP3.cc:    analyzer->Weird("dnp3_first_application_layer_chunk_missing");
> src/analyzer/protocol/dnp3/DNP3.cc:    analyzer->Weird(fmt("dnp3_corrupt_%s_checksum", where));
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_truncated_len_lt_hdr_len");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_Conn_count_too_large");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_truncated_quest_too_short");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_truncated_ans_too_short");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_NAME_too_long");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_label_forward_compress_offset");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_label_len_gt_pkt");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_label_too_long");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_label_len_gt_name_len");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_length_mismatch");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_length_mismatch");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_length_mismatch");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_length_mismatch");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_RR_bad_length");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_AAAA_neg_length");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_A6_neg_length");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_TXT_char_str_past_rdlen");
> src/analyzer/protocol/dns/DNS.cc:    analyzer->Weird("DNS_CAA_char_str_past_rdlen");
> src/analyzer/protocol/http/HTTP.cc:    analyzer->Weird(msg);
> src/analyzer/protocol/http/HTTP.cc:    analyzer->Weird("illegal_%_at_end_of_URI");
> src/analyzer/protocol/http/HTTP.cc:    analyzer->Weird("partial_escape_at_end_of_URI");
> src/analyzer/protocol/http/HTTP.cc:    analyzer->Weird("double_%_in_URI");
> src/analyzer/protocol/http/HTTP.cc:    analyzer->Weird("unescaped_%_in_URI");
> src/analyzer/protocol/ncp/NCP.cc:    analyzer->Weird(e.msg().c_str());
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("deficit_netbios_hdr_len");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("netbios_raw_session_msg");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("no_smb_session_using_parsesambamsg");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("netbios_server_session_request");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("netbios_client_session_reply");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("netbios_client_session_reply");
> src/analyzer/protocol/netbios/NetbiosSSN.cc:    analyzer->Weird("netbios_client_session_reply");
> src/analyzer/protocol/rpc/RPC.cc:    analyzer->Weird(msg);
> src/analyzer/protocol/tcp/TCP_Reassembler.cc:    tcp_analyzer->Weird("above_hole_data_without_any_acks");
> src/analyzer/protocol/tcp/TCP_Reassembler.cc:    tcp_analyzer->Weird("excessive_data_without_further_acks");
> src/analyzer/protocol/teredo/Teredo.h:    { analyzer->Weird(name); }
> $
>
>> Justin Azoff
>
>
>
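The thread establishes that a weird.log entry's name comes straight from an analyzer->Weird() call and that, for DNS_RR_unknown_type, the addl column carries the numeric RR type. As an added example (not code from the thread or from Bro), here is a small Python triage script that parses the weird.log TSV layout shown in the baseline above, counts entries per weird name, and decodes the type number against an assumed subset of the IANA RR type registry, so that entries such as 46 (RRSIG, RFC 4034) can be separated from genuinely unknown types before deciding what to suppress. The sample log, its uids and its addresses are constructed.

```python
"""Triage helper for Bro's weird.log: parse the TSV layout, count each weird
name, and decode the RR type number DNS_RR_unknown_type stores in addl."""
from collections import Counter

# Assumed subset of the IANA DNS RR TYPE registry; these four are the DNSSEC types from RFC 4034.
RR_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

# Constructed sample in the weird.log layout (metadata lines, then tab-separated rows).
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "name", "addl", "notice", "peer"]
_ROWS = [
    ["1508184698.1", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "27285", "10.0.0.53", "53",
     "DNS_RR_unknown_type", "46", "F", "bro"],
    ["1508184699.2", "CXWv6p3arKYeMETxOg", "10.0.0.7", "40001", "10.0.0.53", "53",
     "DNS_RR_unknown_type", "46", "F", "bro"],
    ["1508184700.3", "C4J4Th3PJpwUYZZ6gc", "10.0.0.7", "40002", "10.0.0.53", "53",
     "DNS_RR_unknown_type", "48", "F", "bro"],
    ["1508184701.4", "CtPZjS20MLrsMUOJi2", "10.0.0.9", "40003", "10.0.0.53", "53",
     "DNS_RR_unknown_type", "65280", "F", "bro"],
    ["1508184702.5", "CUM0KZ3MLUfNB0cl11", "10.0.0.20", "20000", "10.0.1.2", "20000",
     "dnp3_header_lacks_magic", "-", "F", "bro"],
]
SAMPLE_LOG = "\n".join(["#separator \\x09", "#path\tweird", "#fields\t" + "\t".join(_FIELDS)]
                       + ["\t".join(r) for r in _ROWS] + ["#close\t2017-10-16-14-00-00"])

def parse_weird_log(text):
    """Yield one dict per data row, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        if not line or line.startswith("#"):  # #separator, #fields, #types, #close ...
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch in row: %r" % line)
        yield dict(zip(fields, values))

def describe(row):
    """Label a row; for DNS_RR_unknown_type translate addl into the RR type name."""
    if row["name"] != "DNS_RR_unknown_type" or row["addl"] == "-":  # "-" is Bro's unset marker
        return row["name"]
    code = int(row["addl"])
    return "%s %d (%s)" % (row["name"], code, RR_TYPES.get(code, "not in registry subset"))

def summarize(text):
    """Count rows per label so the noisiest weirds can be reviewed first."""
    return Counter(describe(row) for row in parse_weird_log(text))
```

Run `summarize(open("weird.log").read()).most_common()` against a real hourly file to get the same ranked view; a label that resolves to an RFC-defined type is a candidate for a Weird::actions change rather than a sign of malformed traffic.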

