[Bro] Something is not clear to me concerning reporting

Castle, Shane scastle at bouldercounty.org
Wed Oct 17 15:52:08 PDT 2012


Hmmm - I'm seeing entries in the smtp.log corresponding to port 587 usage, and in ssl.log for port 993. Look for matches with the uid field.

For example:
current/conn.log:1350512176.450169      BIbdijBoxM7     192.168.56.33   53510   74.125.142.108  993     tcp     ssl     34.442713       1594    7349    SF      T       0       ShADadFf        66      5038    65      10737   (empty)
current/ssl.log:1350512176.537618       BIbdijBoxM7     192.168.56.33   53510   74.125.142.108  993     TLSv10  TLS_ECDHE_RSA_WITH_RC4_128_SHA  imap.gmail.com  -       CN=imap.gmail.com,O=Google Inc,L=Mountain View,ST=California,C=US       CN=Google Internet Authority,O=Google Inc,C=US 1347450949.000000       1370634207.000000       -       2307e65204ec0e45659b391063f0e795        ok

-- 
Shane Castle
Data Security Mgr, Boulder County IT
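To illustrate the uid match Shane describes (the same uid, BIbdijBoxM7, appears in both conn.log and ssl.log), here is a small added example, not code from the post or from Bro itself, that parses the tab-separated ASCII logs, joins them on uid, and reports, for the exposed ports 587 and 993, whether each connection has a protocol-level record behind it. The column names are assumed from the Bro 2.1 log layout (they match the 20 conn.log and 17 ssl.log columns in the post); the 993 lines are the values from the post re-joined with tabs, and the 587 line is constructed to show a connection that never produced an smtp/ssl record.

```python
"""Join Bro conn.log and ssl.log on the uid field (added example)."""

# Bro 2.1 conn.log columns (assumed; matches the 20 columns in the post).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Bro 2.1 ssl.log columns (assumed; matches the 17 columns in the post).
SSL_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "version", "cipher", "server_name", "session_id", "subject",
    "issuer_subject", "not_valid_before", "not_valid_after",
    "last_alert", "cert_hash", "validation_status",
]

# Sample input: the 993 records from the post (tab-joined, with the
# "file.log:" prefix that grep -H leaves) plus one CONSTRUCTED 587
# connection that was only a SYN and produced no smtp/ssl record.
CONN_LOG = "\n".join([
    "current/conn.log:" + "\t".join([
        "1350512176.450169", "BIbdijBoxM7", "192.168.56.33", "53510",
        "74.125.142.108", "993", "tcp", "ssl", "34.442713", "1594",
        "7349", "SF", "T", "0", "ShADadFf", "66", "5038", "65", "10737",
        "(empty)"]),
    "\t".join([
        "1350512200.000000", "CONSTRUCTED0", "192.168.56.40", "40001",
        "203.0.113.9", "587", "tcp", "-", "0.500000", "0", "0",
        "S0", "T", "0", "S", "1", "60", "0", "0", "(empty)"]),
])
SSL_LOG = "current/ssl.log:" + "\t".join([
    "1350512176.537618", "BIbdijBoxM7", "192.168.56.33", "53510",
    "74.125.142.108", "993", "TLSv10", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "imap.gmail.com", "-",
    "CN=imap.gmail.com,O=Google Inc,L=Mountain View,ST=California,C=US",
    "CN=Google Internet Authority,O=Google Inc,C=US",
    "1347450949.000000", "1370634207.000000", "-",
    "2307e65204ec0e45659b391063f0e795", "ok"])


def parse_log(text, fields):
    """Parse Bro ASCII log lines into {uid: record}.

    Skips '#' header lines and strips a leading 'name.log:' prefix
    (grep -H output) from the first column.
    """
    by_uid = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        head = line.partition("\t")[0]
        if ".log:" in head:
            line = line[head.index(".log:") + len(".log:"):]
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("expected %d columns, got %d: %r"
                             % (len(fields), len(cols), line))
        rec = dict(zip(fields, cols))
        by_uid[rec["uid"]] = rec
    return by_uid


def exposed_port_report(conn_by_uid, ssl_by_uid, ports):
    """For every connection to one of `ports`, look up the ssl.log record
    with the same uid and summarise what it says about the server."""
    report = {}
    for uid, conn in conn_by_uid.items():
        port = int(conn["id.resp_p"])
        if port not in ports:
            continue
        entry = {"uid": uid, "resp_h": conn["id.resp_h"],
                 "conn_state": conn["conn_state"],
                 "service": conn["service"], "ssl": None}
        ssl = ssl_by_uid.get(uid)
        if ssl is not None:
            entry["ssl"] = {"server_name": ssl["server_name"],
                            "version": ssl["version"],
                            "cipher": ssl["cipher"],
                            "validation_status": ssl["validation_status"]}
        report.setdefault(port, []).append(entry)
    return report


if __name__ == "__main__":
    conn = parse_log(CONN_LOG, CONN_FIELDS)
    ssl = parse_log(SSL_LOG, SSL_FIELDS)
    for port, entries in sorted(exposed_port_report(conn, ssl, {587, 993}).items()):
        for e in entries:
            detail = e["ssl"] or "no ssl.log record (state %s)" % e["conn_state"]
            print("%d %s -> %s: %s" % (port, e["uid"], e["resp_h"], detail))
```

Run against real logs by feeding the contents of conn.log and ssl.log (or the output of grep -H) to parse_log; a connection that shows up with service "-" and no joined record is exactly the "no state, no certs" case Ian reports for 587, while a joined record gives the SNI, TLS version, cipher and certificate validation result for the 993 session.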

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Ian Dickens
Sent: Wednesday, October 17, 2012 16:11
To: bro at bro-ids.org
Subject: Re: [Bro] Something is not clear to me concerning reporting


On Oct 17, 2012, at 5:41 PM, Ian Dickens <ian at south-border.com> wrote:

> So, let's say that I have tcp ports 587 and 993 exposed on my firewall.  I have bro running as a cluster on all interfaces.  I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries.  No alerts in email either (that I have seen).  Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.
> 
> The second thing I am wondering about is that there are no references to interfaces where the traffic was seen.  For example, I have no IPv6 but I see unknown IPv6 traffic in the summary.  Tools like:
> 
> http://isc.sans.edu/tools/ipv6.html#form
> 
> can be used to attempt to glean the MAC address to some degree.  But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks.  I can make some really good guesses but it might be nice to spell it out in the logs.
> 
> Many thanks in advance,  Sorry for rambling and if these are features in the works...
> 
> Ian
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 

Ok, I did a little looking into the 993 reporting.  Turns out there is something that shows up in the known.certs for the day but nothing else.  I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working.  Also, I did some looking for 587 and got nothing.  No connections, no state, no certs - nothing.


Ian

P.S.  The IPv6 issue stands - still cannot quickly tell where the state of the TCP connection lies without SNORT for example....