[Bro] Suppress_for issues

Josh Liburdi liburdi.joshua at gmail.com
Fri Jun 6 05:54:19 PDT 2014


Looks to me like the $identifer field was dropped from those notices
with the move to 2.3 ...

Bro 2.2:

else if ( cert$not_valid_after < network_time() )
NOTICE([$note=Certificate_Expired,
       $conn=c, $suppress_for=1day,
       $msg=fmt("Certificate %s expired at %T", cert$subject,
cert$not_valid_after),
       $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);


Bro 2.3:

else if ( cert$not_valid_after < network_time() )
NOTICE([$note=Certificate_Expired,
       $conn=c, $suppress_for=1day,
       $msg=fmt("Certificate %s expired at %T", cert$subject,
cert$not_valid_after),
       $fuid=fuid]);


That will break suppression.

-Josh

On Fri, Jun 6, 2014 at 8:35 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> I am having some problems (or maybe misunderstanding) of how the suppression
> works. I haven't changed my configuration file and it was working at one
> time.  Now after upgrading to the master branch (I was on the heartbleed) it
> seems my suppression isn't working as I understand it.
>
> I have activated the SSL certificate checking as follows:
> @load policy/protocols/ssl/expiring-certs.bro
> redef SSL::notify_certs_expiration = ALL_HOSTS;
>
> now when I watch my notice log, I am seeing what appear to be LOTS of notice
> logs for the same certificate.  I thought that perhaps just the e-mails get
> suppressed, but after turning on e-mail notifications I get an e-mail for
> every notice.  Plus my notice log is filling up rather quickly.
>
> I know this probably won't be very legible, but here is an example of just 2
> of the notices I get from a single connection.  They look exactly the same
> to me, and they have a time set for the suppression. I  would have expected
> to only get one of these, but you can see the time stamp shows multiple
> notices happening very quickly.
>
> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h
> id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg
> sub     src     dst     p       n       peer_descr      actions suppress_for
> dropped remote_location.country_code    remote_location.region
> remote_location.city    remote_location.latitude
> remote_location.longitude
>
>
> 1402057564.658489       CW6Riz4smTIRpMxWq1      1.1.1.1   51255   2.2.2.2
> 5223    F6irMUcwkf1ZcbIok       -       -       tcp
> SSL::Certificate_Expired        Certificate emailAddress=,CN=,OU=,O= -
> 1.1.1.1   2.2.2.2  5223    -       bro1      Notice::ACTION_LOG
> 86400.000000    F       -       -       -       -       -
>
> 1402057564.660035       CW6Riz4smTIRpMxWq1      1.1.1.1   51255   2.2.2.2
> 5223    F6irMUcwkf1ZcbIok       -       -       tcp
> SSL::Certificate_Expired        Certificate emailAddress=,CN=,OU=,O= -
> 1.1.1.1   2.2.2.2  5223    -       bro1      Notice::ACTION_LOG
> 86400.000000    F       -       -       -       -       -
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list