[Bro] Suppress_for issues
Josh Liburdi
liburdi.joshua at gmail.com
Fri Jun 6 05:54:19 PDT 2014
Looks to me like the $identifier field was dropped from those notices
with the move to 2.3 ...
Bro 2.2:

    else if ( cert$not_valid_after < network_time() )
        NOTICE([$note=Certificate_Expired,
                $conn=c, $suppress_for=1day,
                $msg=fmt("Certificate %s expired at %T", cert$subject,
                         cert$not_valid_after),
                $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
Bro 2.3:

    else if ( cert$not_valid_after < network_time() )
        NOTICE([$note=Certificate_Expired,
                $conn=c, $suppress_for=1day,
                $msg=fmt("Certificate %s expired at %T", cert$subject,
                         cert$not_valid_after),
                $fuid=fuid]);
That will break suppression.
-Josh
On Fri, Jun 6, 2014 at 8:35 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> I am having some problems (or maybe misunderstanding) of how the suppression
> works. I haven't changed my configuration file and it was working at one
> time. Now after upgrading to the master branch (I was on the heartbleed) it
> seems my suppression isn't working as I understand it.
>
> I have activated the SSL certificate checking as follows:
> @load policy/protocols/ssl/expiring-certs.bro
> redef SSL::notify_certs_expiration = ALL_HOSTS;
>
> now when I watch my notice log, I am seeing what appear to be LOTS of notice
> logs for the same certificate. I thought that perhaps just the e-mails get
> suppressed, but after turning on e-mail notifications I get an e-mail for
> every notice. Plus my notice log is filling up rather quickly.
>
> I know this probably won't be very legible, but here is an example of just 2
> of the notices I get from a single connection. They look exactly the same
> to me, and they have a time set for the suppression. I would have expected
> to only get one of these, but you can see the time stamp shows multiple
> notices happening very quickly.
>
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
>
> 1402057564.658489 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -
>
> 1402057564.660035 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
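The behaviour Josh describes follows from how the notice framework dedupes: the suppression table is indexed by the pair [note, identifier], so a notice that carries $suppress_for but no $identifier is never looked up in it and every occurrence is logged and e-mailed. The script below is an added example written for this page; it is not from the thread and not one of Bro's own policy scripts. It raises a made-up notice type on every established SSL/TLS session and lets you toggle whether the notice is keyed on the responder, so the difference can be seen in notice.log. The module name SuppressDemo, the notice type Server_Seen and the key_on_server switch are invented for the example; it assumes the Bro 2.x ssl_established event and the Notice::suppressed event of the 2.x notice framework.

```bro
# Added example (not from the mailing-list thread or the Bro distribution).
# Run it twice against a pcap that contains repeated TLS handshakes to the
# same server and compare the number of SuppressDemo::Server_Seen rows in
# notice.log:
#   bro -r trace.pcap suppress-demo.bro
#   bro -r trace.pcap suppress-demo.bro SuppressDemo::key_on_server=F
# The first run logs one notice per server per day; the second logs one per
# handshake, because without $identifier there is nothing to suppress on.

module SuppressDemo;

export {
	redef enum Notice::Type += {
		## Raised on every established SSL/TLS session (example only).
		Server_Seen,
	};

	## When T, the notice is keyed on responder host and port, so repeats
	## for the same server inside suppress_for are suppressed. When F, the
	## notice is raised without $identifier and every handshake is logged,
	## which is what the 2.3 expiring-certs notice quoted above does.
	const key_on_server = T &redef;
}

event ssl_established(c: connection)
	{
	local n: Notice::Info = [$note=Server_Seen,
	                         $conn=c,
	                         $suppress_for=1day,
	                         $msg=fmt("TLS session with %s:%s",
	                                  c$id$resp_h, c$id$resp_p)];

	if ( key_on_server )
		# Suppression is tracked per [note, identifier]. Pick the key to
		# match what "the same thing" means for this notice: here, the
		# server. The 2.2 script additionally mixed in the certificate
		# hash so that a changed certificate is reported again.
		n$identifier = cat(c$id$resp_h, c$id$resp_p);

	NOTICE(n);
	}

# Make active suppression visible on stdout. Assumes the Notice::suppressed
# event, which the 2.x framework raises for each notice it drops because a
# suppression for its [note, identifier] is still running.
event Notice::suppressed(n: Notice::Info)
	{
	if ( n$note == Server_Seen )
		print fmt("suppressed repeat of %s for %s", n$note,
		          n?$identifier ? n$identifier : "-");
	}
```

The practical check when a notice floods notice.log despite a non-zero suppress_for column: confirm the NOTICE call that generates it sets $identifier at all. The suppress_for column in the log only records the interval that was requested; it says nothing about whether a key existed for the framework to apply it to.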