[Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Thu Jan 14 11:46:00 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23826#comment-23826 ] 

Justin Azoff commented on BIT-1521:
-----------------------------------

Ah, yes, that helped the protocol detection, though I think it shows a bug in known services in general:

{code}
$ bro -r ~/src/bro/testing/btest//Traces/globus-url-copy.trace local base/protocols/ftp/gridftp  'Known::service_tracking=ALL_HOSTS' 'GridFTP::size_threshold=1'
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.

$ cat conn.log |bro-cut id.orig_h id.orig_p id.resp_h id.resp_p service
192.168.57.103	60108	192.168.57.101	2811	gridftp,ssl,ftp
192.168.57.103	35391	192.168.57.101	55968	ssl,gridftp-data

$ cat known_services.log |bro-cut  host port_num service
192.168.57.101	2811	FTP
192.168.57.101	55968	SSL
{code}

Some of this is due to how it keeps track of services by ip,port.  Since ssl is always detected first, that is the one that gets logged.

It looks like even if it was changed to ip,port,service gridftp may not show up because it never makes it into known services.

The gridftp analyzer does

{code}
    add c$service["gridftp-data"];
{code}

But this doesn't trigger a protocol_confirmation (even though it would be too late anyway), since the (ip,port) would have been logged as ssl.

So, I think known-services:

* Needs to keep track of things by (ip,port,service)
* Should possibly wait until a connection is closed and it has all the facts before trying to log the service.

If I remove the protocol_confirmation event and use simply:

{code}
event connection_state_remove(c: connection) &priority=-5
    {
    known_services_done(c);
    }
{code}

It mostly works:

{code}
$ cat known_services.log |bro-cut  host port_num service
192.168.57.101	2811	FTP,SSL,gridftp
192.168.57.101	55968	gridftp-data,SSL
{code}

I'm not sure if it should log them once per line, and if we should do something about the mismatch in case.

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
>                 Key: BIT-1521
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1521
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>
> known services script does
> {code}
>         if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>              "ftp-data" in c$service || # don't include ftp data sessions
>              ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>                 return;
> {code}
> but should probably also ignore gridftp-data.  Probably a good idea to add a set of services that behave like ftp for it to check.



--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
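To make the two tracking strategies in the comment above concrete, here is an added Python simulation (not Bro script, and not code from the Bro project or the issue): it replays the globus-url-copy connections as a constructed event list and compares first-confirmation tracking keyed by (host, port) with end-of-connection tracking keyed by (host, port, service) plus a data-session exclusion set. Function and constant names are illustrative.

```python
"""Simulate Known::services tracking for the globus-url-copy trace above.

Constructed replay of the two connections in the comment: SSL is confirmed
first, FTP second, and gridftp / gridftp-data are only added to c$service
(no protocol_confirmation), exactly the situation the comment describes.
"""
from collections import defaultdict

# Services that are data channels of a control session; the issue proposes a
# set like this instead of the hard-coded "ftp-data" check.
DATA_SESSION_SERVICES = {"ftp-data", "gridftp-data"}

# Constructed replay: (resp_h, resp_p, [(event, service), ...])
# "confirm" = protocol_confirmation fired, "add" = added to c$service only.
TRACE = [
    ("192.168.57.101", 2811, [("confirm", "SSL"), ("confirm", "FTP"), ("add", "gridftp")]),
    ("192.168.57.101", 55968, [("confirm", "SSL"), ("add", "gridftp-data")]),
]


def track_by_host_port(trace):
    """Current behaviour: log on the first protocol_confirmation, keyed by
    (host, port). The first confirmed service wins; later confirmations and
    plain c$service additions are never recorded."""
    known = {}
    for host, port, events in trace:
        for kind, service in events:
            if kind != "confirm":
                continue  # add c$service[...] never reaches known_services
            known.setdefault((host, port), service)
    return known


def track_by_host_port_service(trace):
    """Proposed behaviour: wait until the connection is done, record every
    service seen for (host, port), and skip data-channel sessions so the
    ephemeral data port is not advertised as a known service."""
    known = defaultdict(set)
    for host, port, events in trace:
        services = {service for _, service in events}
        if services & DATA_SESSION_SERVICES:
            continue  # mirrors the existing 'return' for ftp-data sessions
        known[(host, port)].update(services)
    # Case is left as the analyzers report it (FTP/SSL vs gridftp), which is
    # the mismatch the comment asks about; sort case-insensitively for output.
    return {k: sorted(v, key=str.lower) for k, v in known.items()}
```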

