[Bro] [security-onion] Bro IDS: binpac exception in dpd.log
Gary Faulkner
gfaulkner.nsm at gmail.com
Tue Aug 18 20:00:11 PDT 2015
Cross-posting over to bro list... I took a look on my own Bro cluster
built from git master 2.4-10 on RHEL 6.6, and I am seeing similar binpac
errors in dpd.log. Probably worthy of an issue report to the Bro team.
Also, it seems odd to see binpac error messages in dpd.log. This seems
more like something that would be in reporter.log, so I wonder if that
is intended? I also see some binpac errors for RDP and SSL in dpd.log.
Here are some more samples:
1439952507.945287 C0Zth33h2gy9HEGM4k 10.10.250.141 5070 10.10.146.171 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0 0\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
1439952508.235601 CfnJdC2wJa7QObDdK7 10.10.250.141 5110 10.10.146.171 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
1439952508.245335 CfnJdC2wJa7QObDdK7 10.10.250.141 5110 10.10.146.171 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
1439952508.597857 C2vuSQ3duZlPtt6Njl 10.10.44.245 5060 10.10.7.100 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " version='1.0' encoding='UTF-8'?><!--PUA--><presence xmlns='urn:ietf:params:xml:ns:pidf' xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model' xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid' xmlns:c='urn:ietf:params:xml:ns:pidf:cipid' entity='sip:CIO-EX90 at EXAMPLE.COM '><tuple id='f71ad0ae-dc51-4be2-977d-39c9ccc2d29b'><status><basic>open</basic></status></tuple></presence>"
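The failure_reason column of these dpd.log entries packs the .pac location, the expected pattern and the escaped bytes the analyzer stopped on into one string. The Python triage script below is an added example, not code from this thread or from Bro: it parses dpd.log lines in the 2.4 layout, groups binpac string mismatches by analyzer and .pac location, and undoes Bro's \xNN escaping so the leftover data can be read (in the samples in this thread it is SDP and XML body text). The sample log is constructed from the entries quoted here, with RFC 5737 documentation addresses standing in for the redacted hosts.

```python
import re
from collections import Counter
from os.path import basename

# Constructed sample modelled on the dpd.log entries quoted in this thread
# (fields: ts uid orig_h orig_p resp_h resp_p proto analyzer failure_reason).
# Real dpd.log is tab-separated; the parser below accepts either separator.
SAMPLE = r"""1439952507.945287 C0Zth33h2gy9HEGM4k 10.10.250.141 5070 10.10.146.171 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4 10.10.250.141\x0d\x0as=sipcli\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0a"
1439952508.597857 C2vuSQ3duZlPtt6Njl 10.10.44.245 5060 10.10.7.100 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " version='1.0' encoding='UTF-8'?><presence xmlns='urn:ietf:params:xml:ns:pidf'></presence>"
1439934408.353389 CMUcGx4TXPPDGCIb65 192.0.2.10 40046 192.0.2.20 5060 udp SIP Binpac exception: binpac exception: string mismatch at /build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34: \x0aexpected pattern: "[[:alnum:]@[:punct:]]+"\x0aactual data: ""
"""

# Shape of a binpac string-mismatch failure_reason, as seen in the entries above.
BINPAC_RE = re.compile(
    r'string mismatch at (?P<pac>\S+?):(?P<line>\d+): \\x0aexpected pattern: '
    r'"(?P<expected>.*?)"\\x0aactual data: "(?P<actual>.*)"$'
)

def decode_bro_escapes(s):
    """Undo Bro's \\xNN log escaping so the bytes the analyzer saw are readable."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def classify_actual(actual):
    """Rough label for the kind of data that was left unparsed."""
    if actual == "":
        return "empty"
    if re.search(r"(^|\r\n)[a-z]=", actual) or "IN IP4" in actual:
        return "sdp"                    # looks like an SDP session description
    if "<" in actual and ">" in actual:
        return "xml"                    # looks like an XML body (e.g. PIDF presence)
    return "other"

def triage(log_text):
    """Group binpac failures by analyzer and .pac location, counting data kinds."""
    groups = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):        # skip Bro's #fields/#types header
            continue
        fields = line.split(None, 8)                # first 8 fields never contain spaces
        if len(fields) < 9:
            continue
        analyzer, reason = fields[7], fields[8]
        m = BINPAC_RE.search(reason)
        if not m:
            continue
        key = (analyzer, f"{basename(m['pac'])}:{m['line']}")
        g = groups.setdefault(key, {"count": 0, "expected": m["expected"], "kinds": Counter()})
        g["count"] += 1
        g["kinds"][classify_actual(decode_bro_escapes(m["actual"]))] += 1
    return groups

if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE).items()): print(key, g["count"], g["expected"], dict(g["kinds"]))
```

Run it against a real dpd.log with `triage(open("/nsm/bro/logs/current/dpd.log").read())` to see which analyzer and .pac line accounts for the noise before opening an issue.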
On 8/18/2015 6:26 PM, Doug Burks wrote:
> Hi Tommy,
>
> My guess is that this isn't strictly related to Security Onion, as we
> have a fairly standard build of Bro. The reason for the
> "/build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac"
> is that that's the build directory where the Ubuntu Launchpad build
> server builds our binaries.
>
> I would take a look at the actual traffic and see if it's valid SIP or
> perhaps just a scan or some other kind of traffic.
>
> On Tue, Aug 18, 2015 at 5:59 PM, <tommydew at gmail.com> wrote:
>> While looking through the 'dpd.log' in '/nsm/bro/logs/current/', I found several log entries that reported 'Binpac exception'. Here's a sample with redacted IPs:
>>
>> 1439934408.353389 CMUcGx4TXPPDGCIb65 xxx.xxx.xxx.xxx 40046 xxx.xxx.xxx.xxx 5060 udp SIP Binpac exception: binpac exception: string mismatch at /build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34: \x0aexpected pattern: "[[:alnum:]@[:punct:]]+"\x0aactual data: ""
>>
>> It appears that the issue may be related to Security Onion, but I can always move this to the Bro IDS mailing list if it's specific to Bro. I'll try to see what could be causing the exception, but I was curious if anyone else had any ideas.
>>
>> Thanks.
>>
>> --
>> Tommy
>>