[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

Vlad Grigorescu (JIRA) jira at bro-tracker.atlassian.net
Mon Apr 20 09:12:00 PDT 2015 

    [ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20401#comment-20401 ] 

Vlad Grigorescu commented on BIT-1365:
--------------------------------------

> Any reason why local-local couldn't be set to INTERNAL? and I suppose remote-remote set to EXTERNAL?

Hmm. I don't think those are quite right. The biggest issue is that they're technically not directions, just endpoint attributes. It does simplify some searches, but it still leaves something to be desired there (e.g. if I want to see all SSH connections to systems on my network, I need to search for INBOUND || INTERNAL).

I agree that there's a better solution out there, but I think this exposes a larger issue. There are some open questions about local_nets - should RFC-1918 space be in there, or just public space? Should connections from neighbor nets be denoted in the logs as well? What if IP space alone isn't enough to denote my local networks, what if I need, say, VLAN IDs?

What might make sense is just to split this into two fields that denote where orig_h and resp_h are, in the order PRIVATE, LOCAL, NEIGHBOR, EXTERNAL (i.e. if is_private_addr return PRIVATE; else if is_local_addr return LOCAL...).

We can leave this ticket open to discuss better options down the line - this is marked as a TODO in the script.

> direction field of SSH::Info no longer populated
> ------------------------------------------------
>
>                 Key: BIT-1365
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.4
>
>
> Here's the bug report:
> {quote}
> Reporter::ERROR	field value missing
> [SSH::c$ssh$direction]	/usr/local/bro/share/bro/policy/protocols/ssh/geo-da
> ta.bro, line 29
> Reporter::WARNING	non-void function returns without a value:
> SSH::get_location	(empty)
> Tracing this back, it looks like the SSH::c$ssh$direction is not being
> populated. I checked the /base/protocols/ssh/main.bro file and it looks
> like the function is missing.
> Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
> https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
> it looks like the function that determined the direction was removed at
> one point, which looks like it causes the
> /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
> {quote}



--
This message was sent by Atlassian JIRA
(v6.5-OD-01-120#65000)

More information about the bro-dev mailing list