[Bro] Suppress_for issues
bernhard at ICSI.Berkeley.EDU
bernhard at ICSI.Berkeley.EDU
Fri Jun 6 09:51:01 PDT 2014
Oh, yes, sorry, I probably did that on accident while moving to file
IDs. I guess we should add the suppression back in, I will try to take a
look at it later and hopefully it will be back in the 2.3 release...
Bernhard
On 6 Jun 2014, at 5:54, Josh Liburdi wrote:
> Looks to me like the $identifer field was dropped from those notices
> with the move to 2.3 ...
>
> Bro 2.2:
>
> else if ( cert$not_valid_after < network_time() )
> NOTICE([$note=Certificate_Expired,
> $conn=c, $suppress_for=1day,
> $msg=fmt("Certificate %s expired at %T", cert$subject,
> cert$not_valid_after),
> $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
>
>
> Bro 2.3:
>
> else if ( cert$not_valid_after < network_time() )
> NOTICE([$note=Certificate_Expired,
> $conn=c, $suppress_for=1day,
> $msg=fmt("Certificate %s expired at %T", cert$subject,
> cert$not_valid_after),
> $fuid=fuid]);
>
>
> That will break suppression.
>
> -Josh
>
> On Fri, Jun 6, 2014 at 8:35 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>> I am having some problems (or maybe misunderstanding) of how the
>> suppression
>> works. I haven't changed my configuration file and it was working at
>> one
>> time. Now after upgrading to the master branch (I was on the
>> heartbleed) it
>> seems my suppression isn't working as I understand it.
>>
>> I have activated the SSL certificate checking as follows:
>> @load policy/protocols/ssl/expiring-certs.bro
>> redef SSL::notify_certs_expiration = ALL_HOSTS;
>>
>> now when I watch my notice log, I am seeing what appear to be LOTS of
>> notice
>> logs for the same certificate. I thought that perhaps just the
>> e-mails get
>> suppressed, but after turning on e-mail notifications I get an e-mail
>> for
>> every notice. Plus my notice log is filling up rather quickly.
>>
>> I know this probably won't be very legible, but here is an example of
>> just 2
>> of the notices I get from a single connection. They look exactly the
>> same
>> to me, and they have a time set for the suppression. I would have
>> expected
>> to only get one of these, but you can see the time stamp shows
>> multiple
>> notices happening very quickly.
>>
>> #fields ts uid id.orig_h id.orig_p id.resp_h
>> id.resp_p fuid file_mime_type file_desc proto note
>> msg
>> sub src dst p n peer_descr actions
>> suppress_for
>> dropped remote_location.country_code remote_location.region
>> remote_location.city remote_location.latitude
>> remote_location.longitude
>>
>>
>> 1402057564.658489 CW6Riz4smTIRpMxWq1 1.1.1.1 51255
>> 2.2.2.2
>> 5223 F6irMUcwkf1ZcbIok - - tcp
>> SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O=
>> -
>> 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG
>> 86400.000000 F - - - - -
>>
>> 1402057564.660035 CW6Riz4smTIRpMxWq1 1.1.1.1 51255
>> 2.2.2.2
>> 5223 F6irMUcwkf1ZcbIok - - tcp
>> SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O=
>> -
>> 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG
>> 86400.000000 F - - - - -
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list