[Bro] [security-onion] Bro IDS: binpac exception in dpd.log

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Aug 18 20:00:11 PDT 2015


Cross-posting over to bro list... I took a look on my own Bro cluster
built from git master 2.4-10 on RHEL 6.6, and I am seeing similar binpac
errors in dpd.log. Probably worthy of an issue report to the Bro team.

Also, it seems odd to see binpac error messages in dpd.log. This seems
more like something that would be in reporter.log, so I wonder if that
is intended? I also see some binpac errors for RDP and SSL in dpd.log.

Here are some more samples:

1439952507.945287       C0Zth33h2gy9HEGM4k      10.10.250.141  5070   
10.10.146.171  5060    udp     SIP     Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.235601       CfnJdC2wJa7QObDdK7      10.10.250.141  5110   
10.10.146.171  5060    udp     SIP     Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.245335       CfnJdC2wJa7QObDdK7      10.10.250.141  5110   
10.10.146.171  5060    udp     SIP     Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.597857       C2vuSQ3duZlPtt6Njl      10.10.44.245  5060   
10.10.7.100    5060    udp     SIP     Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " version='1.0'
encoding='UTF-8'?><!--PUA--><presence
xmlns='urn:ietf:params:xml:ns:pidf'
xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
xmlns:c='urn:ietf:params:xml:ns:pidf:cipid'
entity='sip:CIO-EX90 at EXAMPLE.COM    '><tuple
id='f71ad0ae-dc51-4be2-977d-39c9ccc2d29b'><status><basic>open</basic></status></tuple></presence>"

On 8/18/2015 6:26 PM, Doug Burks wrote:
> Hi Tommy,
>
> My guess is that this isn't strictly related to Security Onion, as we
> have a fairly standard build of Bro.  The reason for the
> "/build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac"
> is that that's the build directory where the Ubuntu Launchpad build
> server builds our binaries.
>
> I would take a look at the actual traffic and see if it's valid SIP or
> perhaps just a scan or some other kind of traffic.
>
> On Tue, Aug 18, 2015 at 5:59 PM,  <tommydew at gmail.com> wrote:
>> While looking through the 'dpd.log' in '/nsm/bro/logs/current/', I found several log entries that reported 'Binpac exception'. Here's a sample with redacted IPs:
>>
>> 1439934408.353389       CMUcGx4TXPPDGCIb65      xxx.xxx.xxx.xxx 40046   xxx.xxx.xxx.xxx 5060    udp     SIP     Binpac exception: binpac exception: string mismatch at /build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34: \x0aexpected pattern: "[[:alnum:]@[:punct:]]+"\x0aactual data: ""
>>
>> It appears that the issue may be related to Security Onion, but I can always move this to the Bro IDS mailing list if it's specific to Bro. I'll try to see what could be causing the exception, but I was curious if anyone else had any ideas.
>>
>> Thanks.
>>
>> --
>> Tommy
>>
>
>
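Doug's advice above is to look at the traffic behind these records and decide whether it is real SIP. Before pulling packets it helps to see, per record, exactly what the analyzer tripped over. The Python script below is an added example written for this page; it is not part of the thread and not Bro's own code. It splits dpd.log records into their columns, undoes the \xNN escaping Bro's ASCII writer applies to non-printable bytes, pulls the pac file and line, the expected pattern and the actual data out of the binpac message, and tallies records by location plus a rough guess at what the actual data is (empty, an SDP-looking body, an XML-looking body). The sample records are constructed from the entries quoted in this thread with shortened bodies; the 192.0.2.x addresses stand in for the redacted ones, and the classification heuristics are my own, not anything Bro does.

```python
"""Triage binpac exceptions in a Bro 2.4 dpd.log (added example, not Bro's own code)."""
import os
import re
from collections import Counter, defaultdict

# dpd.log columns in Bro 2.4, tab separated, in this order.
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "analyzer", "failure_reason")

# Bro writes non-printable bytes in string fields as \xNN; the log file
# carries the four characters '\', 'x', '0', 'a', not a newline.
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")

# Shape of the message binpac raises on a string mismatch, after unescaping.
_MISMATCH = re.compile(
    r'string mismatch at (?P<file>\S+):(?P<line>\d+): \n'
    r'expected pattern: "(?P<expected>.*)"\n'
    r'actual data: "(?P<actual>.*)"$',
    re.DOTALL)


def unescape_bro(s):
    """Turn Bro's \\xNN escapes back into the raw characters."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def parse_dpd_record(line):
    """Split one dpd.log data line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def parse_binpac_reason(reason):
    """Extract pac file, line, expected pattern and actual data, or None."""
    m = _MISMATCH.search(reason)
    if m is None:
        return None
    return {"file": m.group("file"), "line": int(m.group("line")),
            "expected": m.group("expected"), "actual": m.group("actual")}


def classify_actual(actual):
    """Rough guess at what the parser tripped over (my heuristic, not Bro's logic)."""
    if actual == "":
        return "empty"
    if "<?xml" in actual or "xmlns=" in actual or actual.lstrip().startswith("version="):
        return "xml-body"
    if "RTP/AVP" in actual or " IN IP4 " in actual or re.search(r"^[a-z]=", actual, re.M):
        return "sdp-body"
    return "other"


def summarize(lines):
    """Count records by (analyzer, pac location, data class); collect originators per key."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip #fields/#types/#close headers
            continue
        rec = parse_dpd_record(line)
        info = parse_binpac_reason(unescape_bro(rec["failure_reason"]))
        if info is None:
            key = (rec["analyzer"], "?", "unparsed")
        else:
            key = (rec["analyzer"],
                   "%s:%d" % (os.path.basename(info["file"]), info["line"]),
                   classify_actual(info["actual"]))
        counts[key] += 1
        sources[key].add("%s:%d" % (rec["orig_h"], rec["orig_p"]))
    return counts, sources


def _reason(pac_line, expected, actual):
    # Reproduce the failure_reason text as the log carries it, escapes still literal.
    return ("Binpac exception: binpac exception: string mismatch at "
            "/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:%d: "
            "\\x0aexpected pattern: \"%s\"\\x0aactual data: \"%s\"" % (pac_line, expected, actual))


def _record(ts, uid, oh, op, rh, rp, reason):
    return "\t".join([ts, uid, oh, str(op), rh, str(rp), "udp", "SIP", reason])


# Constructed sample records modelled on the entries quoted in the thread
# (bodies shortened; the third uses documentation addresses for the redacted IPs).
SAMPLE_DPD_LOG = [
    "#fields\t" + "\t".join(FIELDS),
    _record("1439952507.945287", "C0Zth33h2gy9HEGM4k", "10.10.250.141", 5070,
            "10.10.146.171", 5060,
            _reason(70, ":", " 1702356679 1793741124 IN IP4 10.10.250.141\\x0d\\x0a"
                            "s=sipcli\\x0d\\x0ac=IN IP4 10.10.250.141\\x0d\\x0at=0 0\\x0d\\x0a"
                            "m=audio 5072 RTP/AVP 18 0 8 101\\x0d\\x0a")),
    _record("1439952508.597857", "C2vuSQ3duZlPtt6Njl", "10.10.44.245", 5060,
            "10.10.7.100", 5060,
            _reason(70, ":", " version='1.0' encoding='UTF-8'?><!--PUA--><presence "
                            "xmlns='urn:ietf:params:xml:ns:pidf'><tuple id='x'>"
                            "<status><basic>open</basic></status></tuple></presence>")),
    _record("1439934408.353389", "CMUcGx4TXPPDGCIb65", "192.0.2.10", 40046,
            "192.0.2.20", 5060,
            _reason(34, "[[:alnum:]@[:punct:]]+", "")),
]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_DPD_LOG)
    for key, n in sorted(counts.items()):
        print("%-4s %-22s %-9s %3d  from %s" % (key + (n, ", ".join(sorted(sources[key])))))
```

To run it over a live log, pass the file object straight in, e.g. summarize(open('/nsm/bro/logs/current/dpd.log')); the header lines are skipped and the originator column tells you which hosts and ports to pull packets for. The split into "empty", "sdp-body" and "xml-body" is only a sorting aid for that follow-up; whether the records are parser bugs or junk traffic is still decided by looking at the packets, as Doug suggests.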
