[Bro] Something is not clear to me concerning reporting

Ian Dickens ian at south-border.com
Wed Oct 17 15:11:09 PDT 2012


On Oct 17, 2012, at 5:41 PM, Ian Dickens <ian at south-border.com> wrote:

> So, let's say that I have tcp ports 587 and 993 exposed on my firewall.  I have bro running as a cluster on all interfaces.  I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries.  No alerts in email either (that I have seen).  Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.
> 
> The second thing I am wondering about is that there are no references to interfaces where the traffic was seen.  For example, I have no IPv6 but I see unknown IPv6 traffic in the summary.  Tools like:
> 
> http://isc.sans.edu/tools/ipv6.html#form
> 
> can be used to attempt to glean the MAC address to some degree.  But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks.  I can make some really good guesses but it might be nice to spell it out in the logs.
> 
> Many thanks in advance.  Sorry for rambling and if these are features in the works…
> 
> Ian

Ok, I did a little looking into the 993 reporting.  Turns out there is something that shows up in the known.certs for the day but nothing else.  I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working.  Also, I did some looking for 587 and got nothing.  No connections, no state, no certs - nothing.


Ian

P.S.  the IPv6 issue stands - still cannot quickly tell where the state of the TCP connection lies without SNORT for example…


