[Bro] Suppress_for issues

sangdrax8 sangdrax8 at gmail.com
Fri Jun 6 05:35:07 PDT 2014


I am having some problems with (or maybe a misunderstanding of) how the
suppression works. I haven't changed my configuration file, and it was
working at one time.  Now, after upgrading to the master branch (I was on
the heartbleed one), it seems my suppression isn't working as I understand it.

I have activated the SSL certificate checking as follows:
@load policy/protocols/ssl/expiring-certs.bro
redef SSL::notify_certs_expiration = ALL_HOSTS;

Now when I watch my notice log, I am seeing what appear to be LOTS of
notice log entries for the same certificate.  I thought that perhaps just the
e-mails get suppressed, but after turning on e-mail notifications I get an
e-mail for every notice.  Plus my notice log is filling up rather quickly.

I know this probably won't be very legible, but here is an example of just
2 of the notices I get from a single connection.  They look exactly the
same to me, and they have a time set for the suppression. I would have
expected to only get one of these, but you can see the time stamp shows
multiple notices happening very quickly.

#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude

1402057564.658489	CW6Riz4smTIRpMxWq1	1.1.1.1	51255	2.2.2.2	5223	F6irMUcwkf1ZcbIok	-	-	tcp	SSL::Certificate_Expired	Certificate emailAddress=,CN=,OU=,O=	-	1.1.1.1	2.2.2.2	5223	-	bro1	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-

1402057564.660035	CW6Riz4smTIRpMxWq1	1.1.1.1	51255	2.2.2.2	5223	F6irMUcwkf1ZcbIok	-	-	tcp	SSL::Certificate_Expired	Certificate emailAddress=,CN=,OU=,O=	-	1.1.1.1	2.2.2.2	5223	-	bro1	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
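A quick way to confirm the symptom described above from the log itself: the following added example (not code from the original post or from Bro) parses a notice.log excerpt and flags notices that recur within the suppress_for window of the previous matching notice. The grouping key (note, src, dst, p, sub) is an assumption, since Bro's actual suppression identifier is not written to the log; the sample rows are constructed from the two records quoted in the post.

```python
# Added example, not from the original post: parse a Bro notice.log excerpt
# and flag notices that recur within the suppress_for window of the previous
# one. The grouping key below is an assumption (Bro's real suppression key is
# the notice's $identifier, which is not written to the log).
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
          "file_desc proto note msg sub src dst p n peer_descr actions "
          "suppress_for dropped remote_location.country_code "
          "remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()

def _row(ts):
    """Constructed record modelled on the two notices quoted in the post."""
    return "\t".join([ts, "CW6Riz4smTIRpMxWq1", "1.1.1.1", "51255", "2.2.2.2",
                      "5223", "F6irMUcwkf1ZcbIok", "-", "-", "tcp",
                      "SSL::Certificate_Expired",
                      "Certificate emailAddress=,CN=,OU=,O=", "-", "1.1.1.1",
                      "2.2.2.2", "5223", "-", "bro1", "Notice::ACTION_LOG",
                      "86400.000000", "F", "-", "-", "-", "-", "-"])

SAMPLE_LOG = "\n".join(["#fields\t" + "\t".join(FIELDS),
                        _row("1402057564.658489"), _row("1402057564.660035")])

def parse_notice_log(text):
    """Turn Bro's tab-separated notice.log into dicts keyed by the #fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def repeated_within_suppression(rows):
    """Return (note, key, gap_seconds) for each notice that repeats an earlier
    one with the same key sooner than that earlier notice's suppress_for."""
    last, hits = {}, []
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        key = (r["note"], r["src"], r["dst"], r["p"], r["sub"])
        ts = float(r["ts"])
        if key in last:
            prev_ts, window = last[key]
            if window > 0 and ts - prev_ts < window:
                hits.append((r["note"], key[1:], ts - prev_ts))
        window = float(r["suppress_for"]) if r["suppress_for"] != "-" else 0.0
        last[key] = (ts, window)
    return hits

if __name__ == "__main__":
    for note, key, gap in repeated_within_suppression(parse_notice_log(SAMPLE_LOG)):
        print("%s for %s repeated after %.6fs" % (note, key, gap))
```

Run against a real notice.log, a non-empty result means notices are being raised faster than their own suppress_for interval, which is the behaviour the post reports.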