[Bro] Suppress_for issues

sangdrax8 sangdrax8 at gmail.com
Fri Jun 6 07:55:18 PDT 2014


For now, I have just added my own identifier back to the ssl check, so I
can stay on master with the Heartbleed code.  Maybe by the time I run
another update from git this will have been fixed and losing my own changes
will be irrelevant.

Thank you!


On Fri, Jun 6, 2014 at 9:03 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> I was just trying to move back from the heartbleed branch in git to the
> current "stable."  Should I be checking out something other than master to
> make the move back from the heartbleed branch to stable branch?
>
>
> On Fri, Jun 6, 2014 at 8:54 AM, Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
>
>> Looks to me like the $identifier field was dropped from those notices
>> with the move to 2.3 ...
>>
>> Bro 2.2:
>>
>> else if ( cert$not_valid_after < network_time() )
>>     NOTICE([$note=Certificate_Expired,
>>             $conn=c, $suppress_for=1day,
>>             $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
>>             $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
>>
>>
>> Bro 2.3:
>>
>> else if ( cert$not_valid_after < network_time() )
>>     NOTICE([$note=Certificate_Expired,
>>             $conn=c, $suppress_for=1day,
>>             $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
>>             $fuid=fuid]);
>>
>>
>> That will break suppression.
>>
>> -Josh
>>
>> On Fri, Jun 6, 2014 at 8:35 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>> > I am having some problems with (or maybe a misunderstanding of) how the
>> > suppression works. I haven't changed my configuration file and it was
>> > working at one time.  Now after upgrading to the master branch (I was on
>> > the heartbleed) it seems my suppression isn't working as I understand it.
>> >
>> > I have activated the SSL certificate checking as follows:
>> > @load policy/protocols/ssl/expiring-certs.bro
>> > redef SSL::notify_certs_expiration = ALL_HOSTS;
>> >
>> > Now when I watch my notice log, I am seeing what appear to be LOTS of
>> > notice logs for the same certificate.  I thought that perhaps just the
>> > e-mails get suppressed, but after turning on e-mail notifications I get an
>> > e-mail for every notice.  Plus my notice log is filling up rather quickly.
>> >
>> > I know this probably won't be very legible, but here is an example of
>> > just 2 of the notices I get from a single connection.  They look exactly
>> > the same to me, and they have a time set for the suppression.  I would
>> > have expected to only get one of these, but you can see the time stamp
>> > shows multiple notices happening very quickly.
>> >
>> > #fields ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  fuid  file_mime_type  file_desc  proto  note  msg  sub  src  dst  p  n  peer_descr  actions  suppress_for  dropped  remote_location.country_code  remote_location.region  remote_location.city  remote_location.latitude  remote_location.longitude
>> >
>> > 1402057564.658489  CW6Riz4smTIRpMxWq1  1.1.1.1  51255  2.2.2.2  5223  F6irMUcwkf1ZcbIok  -  -  tcp  SSL::Certificate_Expired  Certificate emailAddress=,CN=,OU=,O=  -  1.1.1.1  2.2.2.2  5223  -  bro1  Notice::ACTION_LOG  86400.000000  F  -  -  -  -  -
>> >
>> > 1402057564.660035  CW6Riz4smTIRpMxWq1  1.1.1.1  51255  2.2.2.2  5223  F6irMUcwkf1ZcbIok  -  -  tcp  SSL::Certificate_Expired  Certificate emailAddress=,CN=,OU=,O=  -  1.1.1.1  2.2.2.2  5223  -  bro1  Notice::ACTION_LOG  86400.000000  F  -  -  -  -  -
>> >
>> >
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
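Added example, not part of the thread and not Bro's own source: a small Python model of the behaviour Josh describes, in which $suppress_for only takes effect when the notice carries an $identifier, because the notice framework keys its suppression table on (note, identifier). The NoticeSuppressor class, the cat() stand-in, the placeholder certificate hashes and the four sample notices are all constructed here; the timestamps and the 86400-second window are taken from the log lines in the thread, and the stream is extended past the posted case with a second certificate on the same host and a repeat of the first certificate after the window has lapsed.

```python
# Added example (not from the thread or from Bro's source): a Python model of
# how Notice::suppress_for keys on (note, identifier).  NoticeSuppressor, cat()
# and every sample notice below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Notice:
    ts: float                         # network_time() when the notice was raised
    note: str                         # e.g. "SSL::Certificate_Expired"
    msg: str
    suppress_for: float               # seconds; 86400.0 is the "1day" in the thread
    identifier: Optional[str] = None  # None models a NOTICE() call with no $identifier


class NoticeSuppressor:
    """Simplified model of the notice framework's suppression table.

    A notice is suppressed when the same (note, identifier) pair was already
    delivered less than suppress_for seconds ago.  A notice with no identifier
    has no suppression key, so every such notice is delivered: that is the
    2.3 behaviour described in the thread.
    """

    def __init__(self) -> None:
        # (note, identifier) -> network time until which the pair is suppressed
        self._suppressing: Dict[Tuple[str, str], float] = {}

    def process(self, n: Notice) -> bool:
        """Return True when the notice is delivered, False when suppressed."""
        if n.identifier is None or n.suppress_for <= 0:
            return True
        key = (n.note, n.identifier)
        until = self._suppressing.get(key)
        if until is not None and n.ts < until:
            return False
        self._suppressing[key] = n.ts + n.suppress_for
        return True


def cat(*parts: object) -> str:
    """Rough stand-in for Bro's cat(): joins the string form of each argument."""
    return "".join(str(p) for p in parts)


def deliver(notices: List[Notice]) -> List[Notice]:
    """Run a stream of notices through one suppressor and keep those delivered."""
    s = NoticeSuppressor()
    return [n for n in notices if s.process(n)]


def expired_cert_notices(with_identifier: bool) -> List[Notice]:
    """Constructed stream modelled on the two log lines in the thread: the same
    responder and certificate seen twice 1.5 ms apart, then a second certificate
    on the same host, then the first certificate again two days later."""
    ts0 = 1402057564.658489
    resp_h, resp_p = "2.2.2.2", 5223
    hash_a, hash_b = "CERT_HASH_A_PLACEHOLDER", "CERT_HASH_B_PLACEHOLDER"

    def ident(cert_hash: str) -> Optional[str]:
        # The 2.2 script keyed suppression on resp_h, resp_p and the cert hash.
        return cat(resp_h, resp_p, cert_hash) if with_identifier else None

    note = "SSL::Certificate_Expired"
    return [
        Notice(ts0,             note, "cert A expired", 86400.0, ident(hash_a)),
        Notice(ts0 + 0.0015,    note, "cert A expired", 86400.0, ident(hash_a)),
        Notice(ts0 + 1.0,       note, "cert B expired", 86400.0, ident(hash_b)),
        Notice(ts0 + 2 * 86400, note, "cert A expired", 86400.0, ident(hash_a)),
    ]


def delivered_count(with_identifier: bool) -> int:
    """How many of the sample notices reach the notice log."""
    return len(deliver(expired_cert_notices(with_identifier)))


if __name__ == "__main__":
    print("with $identifier:   ", delivered_count(True))   # 3: the 1.5 ms duplicate is dropped
    print("without $identifier:", delivered_count(False))  # 4: nothing is ever suppressed
```

With the identifier present, the duplicate raised 1.5 ms later is dropped while the different certificate and the repeat after the one-day window are still delivered; without it, all four notices land in notice.log and trigger e-mail, which is the flood described at the top of the thread. The practical check when upgrading is therefore to confirm that any NOTICE() call you rely on for suppression still sets $identifier, not just $suppress_for.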