[Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Wed Feb 17 09:14:00 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24200#comment-24200 ] 

Justin Azoff commented on BIT-1521:
-----------------------------------

topic/jazoff/ticket1521 contains a branch that I believe fixes most of the issues with known-services.

I think there may still be one outstanding bug (but it is something that is broken worse in the current code).

The current code tracks services by (addr,port).  If no service is detected on a port it will log it as (ip, port, empty).  If a service is later detected on that port, nothing will be logged.

This branch WILL log it, but it will also log twice in the opposite order, which is possibly not desired.

So, this will work and is an improvement:
{code}
ip, port, empty
# time passes
ip, port, HTTP
{code}

But it may also log

{code}
ip, port, HTTP
# time passes
ip, port, empty
{code}

To fix that, it would need to keep track of a separate (ip, port) set that had a non-empty service detected.  Once something like HTTP was detected the (ip, port) would be added, and then it would skip logging (ip, port, empty).

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
>                 Key: BIT-1521
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1521
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>             Fix For: 2.5
>
>
> known services script does
> {code}
>         if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>              "ftp-data" in c$service || # don't include ftp data sessions
>              ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>                 return;
> {code}
> but should probably also ignore gridftp-data.  Probably a good idea to add a set of services that behave like ftp for it to check.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-01-031#72000)
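The bookkeeping the comment describes, modeled in Python as an added example (not the Bro script from topic/jazoff/ticket1521 or from Bro itself); the three modes, the IGNORED_SERVICES set, the TEST-NET-1 address and the observation lists are constructed for illustration:

```python
# Added example: a model of the known-services bookkeeping discussed in the
# comment, not the Bro script from the branch or from Bro itself.
# An observation is (resp_h, resp_p, service); "" means no service detected.
# Bro's c$service is a set of names; here it is reduced to a single name.

# Services that behave like ftp-data and should not become "known services";
# gridftp-data is the addition the ticket asks for (constructed set).
IGNORED_SERVICES = {"ftp-data", "gridftp-data"}

def replay(observations, mode):
    """Return the (ip, port, service) entries that would be logged.

    mode == "current": 2.4 behaviour, one entry per (ip, port) ever.
    mode == "branch":  one entry per (ip, port, service), in any order.
    mode == "fixed":   like "branch", but once a real service has been seen
                       on (ip, port) the empty entry is never logged again.
    """
    logged = set()        # keys already written to the log
    with_service = set()  # (ip, port) pairs seen with a non-empty service
    out = []
    for ip, port, svc in observations:
        if svc in IGNORED_SERVICES:
            continue  # the '"ftp-data" in c$service' check from the script
        key = (ip, port) if mode == "current" else (ip, port, svc)
        if mode == "fixed":
            if svc:
                with_service.add((ip, port))
            elif (ip, port) in with_service:
                continue  # a real service was already logged for this pair
        if key in logged:
            continue
        logged.add(key)
        out.append((ip, port, svc))
    return out

# Constructed sample input (TEST-NET-1 address): the two orderings from the comment.
HOST = "192.0.2.10"
EMPTY_THEN_HTTP = [(HOST, 80, ""), (HOST, 80, "HTTP")]
HTTP_THEN_EMPTY = [(HOST, 80, "HTTP"), (HOST, 80, "")]

if __name__ == "__main__":
    for mode in ("current", "branch", "fixed"):
        print(mode, replay(EMPTY_THEN_HTTP, mode), replay(HTTP_THEN_EMPTY, mode))
```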