[Bro] Something is not clear to me concerning reporting
ian
ian at south-border.com
Thu Oct 18 05:06:16 PDT 2012
On 2012-10-17 18:40, Vlad Grigorescu wrote:
> Hi, Ian.
<snip just to reduce the size>
> Are you referring to the connection summary e-mails? Notices are not
> reported there.
>
> I think there's some difference in terminology. In Bro-land, scripts
> can generate notices. These vary in severity from informative (e.g.
> an
> MD5 hash was calculated for a file downloaded over HTTP) to critical
> (e.g. Bro just saw a social security number cross the wire in
> plaintext). Notices that are deemed particularly important are
> associated with the alarm action, which sends them to the alarm file.
>
> You can customize what actions should be taken when a notice is
> generated. By default, though, notices just get logged to notice.log
> in your log directory (usually /usr/local/bro/logs). Similarly,
> connections get logged to conn.log, SMTP messages get logged to
> smtp.log, etc. If you'd like to be e-mailed when a particular notice
> occurs, you can redefine Notice::emailed_types in your local.bro
> (usually at: /usr/local/bro/share/bro/site/local.bro).
>
> For example:
>
> redef Notice::emailed_types += {
> SSH::Password_Guessing,
> };
>
Thanks, I will look into that. I think the non-standard cluster
configuration I have running (one worker per interface with distinct
names) seems to be working for my dmz/internet works. I really need to
sit down and review the all the logs for the specific worker associated
with my external interface and see what is there. That will be
tonight’s job. I may have to do as you suggest and look into the
scripts. I have only been running bro for a couple of days now to get
familiar with it.
>>> The second thing I am wondering about is that there are no
>>> references to interfaces where the traffic was seen. For example, I
>>> have no IPv6 but I see unknown IPv6 traffic in the summary. Tools
>>> like:
>>>
>>> http://isc.sans.edu/tools/ipv6.html#form
>>>
>>> can be used to attempt to glean the MAC address to some degree.
>>> But I cannot quickly tell which interface the packet came on to help
>>> decide where the threat lies between internal/dmz/external networks.
>>> I can make some really good guesses but it might be nice to spell it
>>> it in the logs.
>
> This is a fairly non-standard setup. The more common setup that I'm
> aware of is running Bro at a single network boundary - generally at
> the border. That being said, what you could do is setup your workers
> so that each set monitors a type of interface (e.g. worker-dmz-01,
> worker-internal-01…worker-internal-03, etc.). One thing to keep in
> mind is that you'll see packets multiple times.
>
>> Ok, I did a little looking into the 993 reporting. Turns out there
>> is something that shows up in the known.certs for the day but nothing
>> else. I think I need to be patient and do some remote testing from an
>> external source to verify that alarms are indeed working. Also, I did
>> some looking for 587 and got nothing. No connections, no state, no
>> certs - nothing.
>
> I'm not really sure what you're expecting to see if you just monitor
> 993 and 587. You won't see more than connections and SSL certificate
> information. What alarms are you expecting to receive?
To be fair – it was late for me. I just did a quick unpacking of the
logs and grep’ed.
Well, what I am really trying to do is log all connections to
particular ports on a particular interface which I deem is of critical
importance. This might be a scripting lesson for me to tackle (assuming
the connections are not currently being recorded for whatever reason) or
alarm modification. I can also depend on pf to keep doing this – it
probably makes more sense just to keep pf doing this as it does
currently for me. I was just concerned (confused) because the summary
is listing connections to/from the internal/dmz networks for DNS, OSSEC,
standard proxy/WWW ports but not for the external interface (or so it
seems) and I wondered why. I should say that I am seeing incoming
connection reports for HTTP/HTTPS in the summary – just not the rest.
>
>> P.S. the IPv6 issue stands - still cannot quickly tell where the
>> state if the TCP connection lies without SNORT for example….
>
> Have you looked in conn.log? You should be able to see information
> for both sides of the v6 connection, and that should at least tell
> you
> if you're dealing with link-local, expected v6 space on your network,
> or something else.
I will.
Thanks,
Ian
More information about the Bro
mailing list