[Bro] Suppress_for issues

bernhard at ICSI.Berkeley.EDU
Fri Jun 6 09:51:01 PDT 2014


Oh, yes, sorry, I probably did that on accident while moving to file 
IDs. I guess we should add the suppression back in, I will try to take a 
look at it later and hopefully it will be back in the 2.3 release...

Bernhard

On 6 Jun 2014, at 5:54, Josh Liburdi wrote:

> Looks to me like the $identifier field was dropped from those notices
> with the move to 2.3 ...
>
> Bro 2.2:
>
> else if ( cert$not_valid_after < network_time() )
> NOTICE([$note=Certificate_Expired,
>     $conn=c, $suppress_for=1day,
>     $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
>     $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
>
>
> Bro 2.3:
>
> else if ( cert$not_valid_after < network_time() )
> NOTICE([$note=Certificate_Expired,
>     $conn=c, $suppress_for=1day,
>     $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
>     $fuid=fuid]);
>
>
> That will break suppression.
>
> -Josh
>
> On Fri, Jun 6, 2014 at 8:35 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>> I am having some problems (or maybe misunderstanding) of how the suppression
>> works. I haven't changed my configuration file and it was working at one
>> time.  Now after upgrading to the master branch (I was on the heartbleed) it
>> seems my suppression isn't working as I understand it.
>>
>> I have activated the SSL certificate checking as follows:
>> @load policy/protocols/ssl/expiring-certs.bro
>> redef SSL::notify_certs_expiration = ALL_HOSTS;
>>
>> now when I watch my notice log, I am seeing what appear to be LOTS of notice
>> logs for the same certificate.  I thought that perhaps just the e-mails get
>> suppressed, but after turning on e-mail notifications I get an e-mail for
>> every notice.  Plus my notice log is filling up rather quickly.
>>
>> I know this probably won't be very legible, but here is an example of just 2
>> of the notices I get from a single connection.  They look exactly the same
>> to me, and they have a time set for the suppression. I would have expected
>> to only get one of these, but you can see the time stamp shows multiple
>> notices happening very quickly.
>>
>> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
>>
>>
>> 1402057564.658489       CW6Riz4smTIRpMxWq1      1.1.1.1   51255   2.2.2.2 5223    F6irMUcwkf1ZcbIok       -       -       tcp     SSL::Certificate_Expired        Certificate emailAddress=,CN=,OU=,O= -       1.1.1.1   2.2.2.2  5223    -       bro1      Notice::ACTION_LOG      86400.000000    F       -       -       -       -       -
>>
>> 1402057564.660035       CW6Riz4smTIRpMxWq1      1.1.1.1   51255   2.2.2.2 5223    F6irMUcwkf1ZcbIok       -       -       tcp     SSL::Certificate_Expired        Certificate emailAddress=,CN=,OU=,O= -       1.1.1.1   2.2.2.2  5223    -       bro1      Notice::ACTION_LOG      86400.000000    F       -       -       -       -       -
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
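A small model of the suppression rule Josh describes, added here as an example and not code from Bro or from anyone in the thread: the notice framework only suppresses a notice that carries an $identifier, so the 2.3 script (which passes only $fuid) logs every duplicate, while the 2.2 form (identifier built from resp_h, resp_p and the certificate hash) collapses them for suppress_for seconds. The certificate hash is a constructed placeholder; the timestamps are the two from the notice.log excerpt plus one a day later.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Notice:
    """The subset of Notice::Info that matters for suppression."""
    note: str
    msg: str
    ts: float                         # network_time() when the notice is raised
    suppress_for: float = 3600.0      # seconds; the framework's default is 1hr
    identifier: Optional[str] = None  # $identifier; None models an absent field

class NoticeManager:
    """A notice is suppressed only when it carries an $identifier and an earlier
    notice with the same (note, identifier) started a window that has not expired."""

    def __init__(self) -> None:
        self.suppressing: Dict[Tuple[str, str], float] = {}  # (note, identifier) -> expiry
        self.logged: List[Notice] = []

    def NOTICE(self, n: Notice) -> bool:
        """Return True if the notice reaches the log, False if it is suppressed."""
        if n.identifier is not None:
            key = (n.note, n.identifier)
            expiry = self.suppressing.get(key)
            if expiry is not None and n.ts < expiry:
                return False  # duplicate inside the window: suppressed
            self.suppressing[key] = n.ts + n.suppress_for  # start a new window
        # Without an identifier there is nothing to key suppression on, so it logs.
        self.logged.append(n)
        return True

# The two timestamps from the thread's notice.log excerpt, plus one a day later.
TIMESTAMPS = (1402057564.658489, 1402057564.660035, 1402057564.658489 + 90000.0)
CERT_HASH = "constructed-cert-hash-placeholder"  # not a real certificate hash

def replay(with_identifier: bool) -> int:
    """Raise Certificate_Expired for 2.2.2.2:5223 at each timestamp and return
    how many notices are logged."""
    mgr = NoticeManager()
    for ts in TIMESTAMPS:
        # The 2.2 script set $identifier=cat(c$id$resp_h, c$id$resp_p, cert_hash);
        # the 2.3 script raised the same notice without it.
        ident = "2.2.2.2" + "5223" + CERT_HASH if with_identifier else None
        mgr.NOTICE(Notice("SSL::Certificate_Expired",
                          "Certificate emailAddress=,CN=,OU=,O= expired",
                          ts, suppress_for=86400.0, identifier=ident))
    return len(mgr.logged)
```

replay(False) returns 3 (every notice logged, as in the 2.3 notice.log above) and replay(True) returns 2 (the second notice is suppressed, the one a day later starts a fresh window).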


