[Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data
Justin Azoff (JIRA)
jira at bro-tracker.atlassian.net
Thu Jan 14 11:46:00 PST 2016
[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23826#comment-23826 ]
Justin Azoff commented on BIT-1521:
-----------------------------------
Ah, yes, that helped the protocol detection, though I think it shows a bug in known services in general:
{code}
$ bro -r ~/src/bro/testing/btest//Traces/globus-url-copy.trace local base/protocols/ftp/gridftp 'Known::service_tracking=ALL_HOSTS' 'GridFTP::size_threshold=1'
WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
$ cat conn.log |bro-cut id.orig_h id.orig_p id.resp_h id.resp_p service
192.168.57.103 60108 192.168.57.101 2811 gridftp,ssl,ftp
192.168.57.103 35391 192.168.57.101 55968 ssl,gridftp-data
$ cat known_services.log |bro-cut host port_num service
192.168.57.101 2811 FTP
192.168.57.101 55968 SSL
{code}
Some of this is due to how it keeps track of services by ip,port. Since ssl is always detected first, that is the one that gets logged.
It looks like even if it was changed to ip,port,service gridftp may not show up because it never makes it into known services.
The gridftp analyzer does
{code}
add c$service["gridftp-data"];
{code}
But this doesn't trigger a protocol_confirmation (even though it would be too late anyway), since the (ip,port) would have been logged as ssl.
So, I think known-services:
* Needs to keep track of things by (ip,port,service)
* Should possibly wait until a connection is closed and it has all the facts before trying to log the service.
If I remove the protocol_confirmation event and use simply:
{code}
event connection_state_remove(c: connection) &priority=-5
{
known_services_done(c);
}
{code}
It mostly works:
{code}
$ cat known_services.log |bro-cut host port_num service
192.168.57.101 2811 FTP,SSL,gridftp
192.168.57.101 55968 gridftp-data,SSL
{code}
I'm not sure if it should log them once per line, and if we should do something about the mismatch in case.
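The approach sketched in the comment above (track by (ip,port,service), decide at connection_state_remove, skip ftp-like data channels), as an added standalone Bro script; this is an illustration written for this thread, not the project's known-services.bro, and it prints matches instead of writing a log stream so it runs on its own with `bro -r <trace> this.bro`:

```bro
# Added demonstration script (not Bro's base/protocols/conn/known-services.bro).
module KnownServicesDemo;

export {
    ## Data-channel services that should never count as a known service,
    ## generalising the hard-coded "ftp-data" check from the ticket.
    const ignored_data_services: set[string] = { "ftp-data", "gridftp-data" } &redef;

    ## (host, port, service) triples already reported, so each is logged once
    ## rather than letting the first-detected protocol (usually ssl) win.
    global known: set[addr, port, string] &create_expire=1day;
}

event connection_state_remove(c: connection) &priority=-5
{
    # Wait until the connection is over: all analyzers have had their say.
    if ( |c$service| == 0 )
        return;

    # Whole connection is a data channel (e.g. ssl,gridftp-data): ignore it.
    for ( s in c$service )
    {
        if ( to_lower(s) in ignored_data_services )
            return;
    }

    # Report every service on the responder's (ip,port), once per service.
    for ( s in c$service )
    {
        local svc = to_lower(s);   # removes the "SSL" vs "gridftp" case mismatch
        if ( [c$id$resp_h, c$id$resp_p, svc] in known )
            next;
        add known[c$id$resp_h, c$id$resp_p, svc];
        print fmt("%s %s %s", c$id$resp_h, c$id$resp_p, svc);
    }
}
```

On the globus-url-copy trace from the comment this should report the 2811 control channel as separate ftp, ssl and gridftp entries and skip the 55968 data channel entirely.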
> known services should probably ignore gridftp-data
> --------------------------------------------------
>
> Key: BIT-1521
> URL: https://bro-tracker.atlassian.net/browse/BIT-1521
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Assignee: Justin Azoff
> Priority: Low
>
> known services script does
> {code}
> if ( ! addr_matches_host(id$resp_h, service_tracking) ||
> "ftp-data" in c$service || # don't include ftp data sessions
> ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
> return;
> {code}
> but should probably also ignore gridftp-data. Probably a good idea to add a set of services that behave like ftp for it to check.
--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)