[Bro] Something is not clear to me concerning reporting
Castle, Shane
scastle at bouldercounty.org
Wed Oct 17 15:52:08 PDT 2012
Hmmm - I'm seeing entries in the smtp.log corresponding to port 587 usage, and in ssl.log for port 993. Look for matches with the uid field.
For example:
current/conn.log:1350512176.450169 BIbdijBoxM7 192.168.56.33 53510 74.125.142.108 993 tcp ssl 34.442713 1594 7349 SF T 0 ShADadFf 66 5038 65 10737 (empty)
current/ssl.log:1350512176.537618 BIbdijBoxM7 192.168.56.33 53510 74.125.142.108 993 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA imap.gmail.com - CN=imap.gmail.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US 1347450949.000000 1370634207.000000 - 2307e65204ec0e45659b391063f0e795 ok
--
Shane Castle
Data Security Mgr, Boulder County IT
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Ian Dickens
Sent: Wednesday, October 17, 2012 16:11
To: bro at bro-ids.org
Subject: Re: [Bro] Something is not clear to me concerning reporting
On Oct 17, 2012, at 5:41 PM, Ian Dickens <ian at south-border.com> wrote:
> So, let's say that I have tcp ports 587 and 993 exposed on my firewall. I have bro running as a cluster on all interfaces. I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries. No alerts in email either (that I have seen). Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.
>
> The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:
>
> http://isc.sans.edu/tools/ipv6.html#form
>
> can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came in on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it out in the logs.
>
> Many thanks in advance. Sorry for rambling, and if these are features in the works...
>
> Ian
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.
Ian
P.S. The IPv6 issue stands - I still cannot quickly tell where the state of the TCP connection lies without SNORT, for example....
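Shane's suggestion above is to pivot on the uid field, which Bro assigns once per connection and writes into every log that records something about that connection, so a conn.log row and the ssl.log (or smtp.log) row for the same session share it. The script below is an added example, not code from the Bro project or from either poster: it parses Bro ASCII log text using the #fields header, indexes ssl.log by uid, and reports every conn.log connection to 587 or 993 together with the TLS details for that uid, or None when ssl.log has nothing for it. The sample logs are constructed: the two imap.gmail.com rows are Shane's grep output from this thread, while the 587 and 443 rows are made up (with uids, IPs and byte counts chosen for illustration). The ssl.log column names follow the Bro 2.1 layout as assumed here; the page shows values only, so check the #fields line of your own logs.

```python
"""Correlate Bro conn.log and ssl.log records on their shared uid field.

Added example, not code from Bro or from the list posters. Sample rows are
constructed; only the two 993/imap.gmail.com rows come from the thread.
Column names for ssl.log are an assumption (Bro 2.1 layout as recalled here).
"""

CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "missed_bytes", "history", "orig_pkts",
               "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

SSL_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "version", "cipher", "server_name", "session_id", "subject",
              "issuer_subject", "not_valid_before", "not_valid_after",
              "last_alert", "cert_hash", "validation_status"]

CONN_ROWS = [
    # From the thread: IMAPS session to Gmail, service identified as ssl.
    ["1350512176.450169", "BIbdijBoxM7", "192.168.56.33", "53510", "74.125.142.108",
     "993", "tcp", "ssl", "34.442713", "1594", "7349", "SF", "T", "0", "ShADadFf",
     "66", "5038", "65", "10737", "(empty)"],
    # Constructed: submission on 587 seen as plain smtp, no ssl.log counterpart.
    ["1350512200.100000", "CwXy9Zab12c", "192.168.56.33", "53522", "203.0.113.25",
     "587", "tcp", "smtp", "2.5", "640", "900", "SF", "T", "0", "ShADadFf",
     "12", "1200", "11", "1400", "(empty)"],
    # Constructed: ordinary HTTPS, present only to show the port filter.
    ["1350512210.000000", "Ck3m1No4p5q", "192.168.56.40", "50001", "198.51.100.7",
     "443", "tcp", "ssl", "1.2", "500", "3000", "SF", "T", "0", "ShADadFf",
     "9", "900", "8", "3300", "(empty)"],
]

SSL_ROWS = [
    # From the thread: the ssl.log row carrying the same uid as the 993 connection.
    ["1350512176.537618", "BIbdijBoxM7", "192.168.56.33", "53510", "74.125.142.108",
     "993", "TLSv10", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "imap.gmail.com", "-",
     "CN=imap.gmail.com,O=Google Inc,L=Mountain View,ST=California,C=US",
     "CN=Google Internet Authority,O=Google Inc,C=US",
     "1347450949.000000", "1370634207.000000", "-",
     "2307e65204ec0e45659b391063f0e795", "ok"],
    # Constructed: ssl.log row for the 443 connection above.
    ["1350512210.050000", "Ck3m1No4p5q", "192.168.56.40", "50001", "198.51.100.7",
     "443", "TLSv10", "TLS_RSA_WITH_AES_128_CBC_SHA", "www.example.com", "-",
     "CN=www.example.com", "CN=Example CA", "1340000000.000000",
     "1370000000.000000", "-", "0123456789abcdef0123456789abcdef", "ok"],
]


def make_log(fields, rows):
    """Render rows as Bro ASCII log text: #-prefixed metadata, tab-separated data."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(row) for row in rows]
    return "\n".join(lines) + "\n#close\t2012-10-17-16-00-00\n"


CONN_LOG = make_log(CONN_FIELDS, CONN_ROWS)
SSL_LOG = make_log(SSL_FIELDS, SSL_ROWS)


def parse_bro_log(text):
    """Parse Bro ASCII log text into dicts keyed by the #fields header.

    Other '#' lines (separator, types, close, ...) are metadata and skipped;
    a bare '-' is Bro's unset marker and becomes None.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def index_by_uid(records):
    """uid is unique per connection within one log, so a plain dict suffices."""
    return {r["uid"]: r for r in records}


def mail_port_summary(conn_text, ssl_text, ports=(587, 993)):
    """For each conn.log connection to one of `ports`, attach the ssl.log
    record with the same uid; tls is None when ssl.log has no such row."""
    ssl_by_uid = index_by_uid(parse_bro_log(ssl_text))
    out = []
    for c in parse_bro_log(conn_text):
        if int(c["id.resp_p"]) not in ports:
            continue
        s = ssl_by_uid.get(c["uid"])
        out.append({
            "uid": c["uid"], "resp_h": c["id.resp_h"], "resp_p": int(c["id.resp_p"]),
            "service": c["service"],
            "tls": None if s is None else {
                "version": s["version"], "cipher": s["cipher"],
                "server_name": s["server_name"], "subject": s["subject"],
                "validation_status": s["validation_status"]},
        })
    return out


if __name__ == "__main__":
    for row in mail_port_summary(CONN_LOG, SSL_LOG):
        print(row["uid"], row["resp_h"], row["resp_p"], row["service"], row["tls"])
```

The same index works for smtp.log, which Shane reports seeing for port 587: parse it with parse_bro_log, key it by uid, and look each conn.log uid up in both maps. A 587 connection whose service is smtp and that has no ssl.log row is the case to look at when checking whether submission traffic is actually being protected.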