[Bro] [security-onion] Bro IDS: binapc exception in dpd.log

Michał Purzyński michalpurzynski1 at gmail.com
Tue Aug 18 21:23:33 PDT 2015


Can you tell us what kind of error code you have in sip.log for this
connection id?

I have similar errors, with user agent sipcli/v1.8 and result 401
Unauthorized so that's a scan of some kind.

I've filed a Bro bug

https://bro-tracker.atlassian.net/browse/BIT-1458

We might consider moving discussion to the Bro mailing list and/or
BIT-1458, as the problem is not SO specific.


On Tue, Aug 18, 2015 at 8:00 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
wrote:
> Cross-posting over to bro list... I took a look on my own Bro cluster
> built from git master 2.4-10 on RHEL 6.6, and I am seeing similar binpac
> errors in dpd.log. Probably worthy of an issue report to the Bro team.
>
> Also, it seems odd to see binpac error messages in dpd.log. This seems
> more like something that would be in reporter.log, so I wonder if that
> is intended? I also see some binpac errors for rdp, and SSL IN dpd.log.
>
> Here are some more samples:
>
> 1439952507.945287       C0Zth33h2gy9HEGM4k      10.10.250.141  5070
> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
> exception: string mismatch at
> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
> \x0aexpected
> pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4
> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
> 0\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>
> 1439952508.235601       CfnJdC2wJa7QObDdK7      10.10.250.141  5110
> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
> exception: string mismatch at
> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
> \x0aexpected
> pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
> 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>
> 1439952508.245335       CfnJdC2wJa7QObDdK7      10.10.250.141  5110
> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
> exception: string mismatch at
> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
> \x0aexpected
> pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
> 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>
> 1439952508.597857       C2vuSQ3duZlPtt6Njl      10.10.44.245  5060
> 10.10.7.100    5060    udp     SIP     Binpac exception: binpac
> exception: string mismatch at
> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
> \x0aexpected
> pattern: ":"\x0aactual data: " version='1.0'
> encoding='UTF-8'?><!--PUA--><presence
> xmlns='urn:ietf:params:xml:ns:pidf'
> xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
> xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
> xmlns:c='urn:ietf:params:xml:ns:pidf:cipid'
> entity='sip:CIO-EX90 at EXAMPLE.COM    '><tuple
>
> id='f71ad0ae-dc51-4be2-977d-39c9ccc2d29b'><status><basic>open</basic></status></tuple></presence>"
>
> On 8/18/2015 6:26 PM, Doug Burks wrote:
>> Hi Tommy,
>>
>> My guess is that this isn't strictly related to Security Onion, as we
>> have a fairly standard build of Bro.  The reason for the
>> "/build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac"
>> is that that's the build directory where the Ubuntu Launchpad build
>> server builds our binaries.
>>
>> I would take a look at the actual traffic and see if it's valid SIP or
>> perhaps just a scan or some other kind of traffic.
>>
>> On Tue, Aug 18, 2015 at 5:59 PM,  <tommydew at gmail.com> wrote:
>>> While looking through the 'dpd.log' in '/nsm/bro/logs/current/', I
>>> found several log entries that reported 'Binpac exception'. Here's a sample
>>> with redacted IPs:
>>>
>>> 1439934408.353389       CMUcGx4TXPPDGCIb65      xxx.xxx.xxx.xxx 40046
>>> xxx.xxx.xxx.xxx 5060    udp     SIP     Binpac exception: binpac exception:
>>> string mismatch at
>>> /build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34:
>>> \x0aexpected pattern: "[[:alnum:]@[:punct:]]+"\x0aactual data: ""
>>>
>>> It appears that the issue may be related to Security Onion, but I can
>>> always move this to the Bro IDS mailing list if it's specific to Bro. I'll
>>> try to see what could be causing the exception, but I was curious if anyone
>>> else had any ideas.
>>>
>>> Thanks.
>>>
>>> --
>>> Tommy
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "security-onion" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to security-onion+unsubscribe at googlegroups.com.
>>> To post to this group, send email to security-onion at googlegroups.com.
>>> Visit this group at http://groups.google.com/group/security-onion.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>
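The check Michał asks for (look up the sip.log record for the uid behind each dpd.log exception) and the grouping a bug report like BIT-1458 needs (which pac file, line and expected pattern tripped, and how often) can be scripted. The following Python is an added example written for this archive page; it is not code from the thread, from Bro or from Security Onion. It assumes Bro's ASCII log layout, in which a `#fields` header names the tab-separated columns and non-printable bytes are escaped as `\x0a`/`\x0d`, and it assumes the `failure_reason` text of a binpac "string mismatch" has the shape quoted in the thread (other binpac messages are returned as unparsed). The embedded dpd.log and sip.log samples are constructed and abridged to the columns used here (real logs carry more, so the parser keys records by the header rather than by position); they mirror the records quoted above, with the redacted addresses replaced by documentation addresses (192.0.2.x) and a 401/sipcli entry matching what Michał describes seeing.

```python
"""Triage 'Binpac exception' records in Bro's dpd.log and join them with sip.log by uid."""
import os
import re
from collections import Counter

# Constructed, abridged sample logs in Bro's tab-separated ASCII format. Only the
# columns used below are present; real dpd.log/sip.log carry more, which is why
# the parser keys every record by the #fields header line. Non-printable bytes
# appear escaped (\x0a, \x0d) exactly as Bro writes them into failure_reason.
DPD_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tanalyzer\tfailure_reason\n"
    "1439952507.945287\tC0Zth33h2gy9HEGM4k\t10.10.250.141\t5070\t10.10.146.171\t5060\tudp\tSIP\t"
    "Binpac exception: binpac exception: string mismatch at "
    "/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:"
    "\\x0aexpected pattern: \":\"\\x0aactual data: \" 1702356679 1793741124 IN IP4 "
    "10.10.250.141\\x0d\\x0as=sipcli\\x0d\\x0a\"\n"
    "1439952508.235601\tCfnJdC2wJa7QObDdK7\t10.10.250.141\t5110\t10.10.146.171\t5060\tudp\tSIP\t"
    "Binpac exception: binpac exception: string mismatch at "
    "/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:"
    "\\x0aexpected pattern: \":\"\\x0aactual data: \" 2046637637 2105833686 IN IP4 "
    "10.10.250.141\\x0d\\x0a\"\n"
    "1439934408.353389\tCMUcGx4TXPPDGCIb65\t192.0.2.10\t40046\t192.0.2.20\t5060\tudp\tSIP\t"
    "Binpac exception: binpac exception: string mismatch at "
    "/build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34:"
    "\\x0aexpected pattern: \"[[:alnum:]@[:punct:]]+\"\\x0aactual data: \"\"\n"
)
# Constructed sip.log: first uid is a sipcli request answered 401, the third has a
# request but no response fields, and CfnJdC2wJa7QObDdK7 has no sip.log entry at all.
SIP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tmethod\tuser_agent\tstatus_code\tstatus_msg\n"
    "1439952507.945287\tC0Zth33h2gy9HEGM4k\tINVITE\tsipcli/v1.8\t401\tUnauthorized\n"
    "1439934408.353389\tCMUcGx4TXPPDGCIb65\tOPTIONS\t-\t-\t-\n"
)
# Shape of the binpac 'string mismatch' text as quoted in the thread (assumption).
BINPAC_RE = re.compile(
    r'string mismatch at (?P<path>\S+?):(?P<line>\d+):'
    r'\\x0aexpected pattern: "(?P<expected>.*?)"'
    r'\\x0aactual data: "(?P<actual>.*)"$'
)


def parse_bro_log(text):
    """Parse a Bro ASCII log into dicts keyed by the column names in its #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata lines (#separator, #path, #close ...) or blank
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match #fields header: %r" % line[:60])
            rows.append(dict(zip(fields, values)))
    return rows


def parse_binpac_failure(reason):
    """Extract pac file, line, expected pattern and offending data from failure_reason;
    None for anything that is not a binpac 'string mismatch' of the quoted shape."""
    m = BINPAC_RE.search(reason)
    if not m:
        return None
    return {"pac_file": os.path.basename(m.group("path")), "pac_line": int(m.group("line")),
            "expected": m.group("expected"), "actual": m.group("actual")}


def summarize_failures(dpd_rows):
    """Count exceptions per (analyzer, pac file, line, expected pattern), i.e. per
    grammar rule that tripped, which is the grouping a bug report needs."""
    counts = Counter()
    for row in dpd_rows:
        info = parse_binpac_failure(row["failure_reason"])
        if info:
            counts[(row["analyzer"], info["pac_file"], info["pac_line"], info["expected"])] += 1
    return counts


def correlate_with_sip(dpd_rows, sip_rows):
    """Attach the sip.log records sharing each SIP exception's uid (method, user agent,
    status) so a scanner probe can be told apart from genuinely malformed SIP."""
    by_uid = {}
    for row in sip_rows:
        by_uid.setdefault(row["uid"], []).append(row)
    hits = []
    for row in dpd_rows:
        info = parse_binpac_failure(row["failure_reason"])
        if info is None or row["analyzer"] != "SIP":
            continue
        hits.append({"uid": row["uid"], "pac_line": info["pac_line"], "expected": info["expected"],
                     "actual_prefix": info["actual"][:40],
                     "sip": [(s["method"], s["user_agent"], s["status_code"], s["status_msg"])
                             for s in by_uid.get(row["uid"], [])]})
    return hits


if __name__ == "__main__":
    dpd, sip = parse_bro_log(DPD_LOG), parse_bro_log(SIP_LOG)
    for (analyzer, pac, line, expected), n in summarize_failures(dpd).most_common():
        print("%d x %s %s:%d expected %r" % (n, analyzer, pac, line, expected))
    for hit in correlate_with_sip(dpd, sip):
        print(hit["uid"], "pac line", hit["pac_line"], "actual", repr(hit["actual_prefix"]),
              "sip.log:", hit["sip"] or "no sip.log entry for this uid")
```

Pointing `parse_bro_log` at real files instead of the embedded strings is the only change needed to run it on a sensor. Two things the output makes visible that the raw dpd.log does not: the line-70 records all fail on the same rule with SDP body text (`... IN IP4 ...`) where a header separator `:` was expected, and the uid with a 401 answer to a `sipcli` request is consistent with the scan Michał describes, while a uid with no sip.log record at all means the analyzer gave up before logging anything for that connection.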