[Bro] [security-onion] Bro IDS: binpac exception in dpd.log

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Aug 18 21:39:31 PDT 2015


Yes, the corresponding entries in sip.log are for sipcli/v1.8, but with
result 404 Not Found. I am seeing a lot of repeating source addresses,
so could very likely be a scanner.

On 8/18/2015 11:23 PM, Michał Purzyński wrote:
> Can you tell us what kind of error code you have in sip.log for this
> connection id?
>
> I have similar errors, with user agent sipcli/v1.8 and result 401
> Unauthorized so that's a scan of some kind.
>
> I've filed a Bro bug
>
> https://bro-tracker.atlassian.net/browse/BIT-1458
>
> We might consider moving discussion to the Bro mailing list and/or
> BIT-1458, as the problem is not SO specific.
>
>
> On Tue, Aug 18, 2015 at 8:00 PM, Gary Faulkner <gfaulkner.nsm at gmail.com>
> wrote:
>> Cross-posting over to bro list... I took a look on my own Bro cluster
>> built from git master 2.4-10 on RHEL 6.6, and I am seeing similar binpac
>> errors in dpd.log. Probably worthy of an issue report to the Bro team.
>>
>> Also, it seems odd to see binpac error messages in dpd.log. This seems
>> more like something that would be in reporter.log, so I wonder if that
>> is intended? I also see some binpac errors for rdp, and SSL in dpd.log.
>>
>> Here are some more samples:
>>
>> 1439952507.945287       C0Zth33h2gy9HEGM4k      10.10.250.141  5070
>> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
>> exception: string mismatch at
>> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
>> \x0aexpected
>> pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4
>> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
>> 0\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
>> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
>> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
>> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>>
>> 1439952508.235601       CfnJdC2wJa7QObDdK7      10.10.250.141  5110
>> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
>> exception: string mismatch at
>> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
>> \x0aexpected
>> pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
>> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
>> 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
>> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
>> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
>> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>>
>> 1439952508.245335       CfnJdC2wJa7QObDdK7      10.10.250.141  5110
>> 10.10.146.171  5060    udp     SIP     Binpac exception: binpac
>> exception: string mismatch at
>> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
>> \x0aexpected
>> pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
>> 10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
>> 0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
>> 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
>> PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
>> telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>>
>> 1439952508.597857       C2vuSQ3duZlPtt6Njl      10.10.44.245  5060
>> 10.10.7.100    5060    udp     SIP     Binpac exception: binpac
>> exception: string mismatch at
>> /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70:
>> \x0aexpected
>> pattern: ":"\x0aactual data: " version='1.0'
>> encoding='UTF-8'?><!--PUA--><presence
>> xmlns='urn:ietf:params:xml:ns:pidf'
>> xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
>> xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
>> xmlns:c='urn:ietf:params:xml:ns:pidf:cipid'
>> entity='sip:CIO-EX90 at EXAMPLE.COM    '><tuple
>> id='f71ad0ae-dc51-4be2-977d-39c9ccc2d29b'><status><basic>open</basic></status></tuple></presence>"
>>
>> On 8/18/2015 6:26 PM, Doug Burks wrote:
>>> Hi Tommy,
>>>
>>> My guess is that this isn't strictly related to Security Onion, as we
>>> have a fairly standard build of Bro.  The reason for the
>>> "/build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac"
>>> is that that's the build directory where the Ubuntu Launchpad build
>>> server builds our binaries.
>>>
>>> I would take a look at the actual traffic and see if it's valid SIP or
>>> perhaps just a scan or some other kind of traffic.
>>>
>>> On Tue, Aug 18, 2015 at 5:59 PM,  <tommydew at gmail.com> wrote:
>>>> While looking through the 'dpd.log' in '/nsm/bro/logs/current/', I
>>>> found several log entries that reported 'Binpac exception'. Here's a sample
>>>> with redacted IPs:
>>>>
>>>> 1439934408.353389       CMUcGx4TXPPDGCIb65      xxx.xxx.xxx.xxx 40046
>>>> xxx.xxx.xxx.xxx 5060    udp     SIP     Binpac exception: binpac exception:
>>>> string mismatch at
>>>> /build/securityonion-bro-C1BIlk/securityonion-bro-2.4/src/analyzer/protocol/sip/sip-protocol.pac:34:
>>>> \x0aexpected pattern: "[[:alnum:]@[:punct:]]+"\x0aactual data: ""
>>>>
>>>> It appears that the issue may be related to Security Onion, but I can
>>>> always move this to the Bro IDS mailing list if it's specific to Bro. I'll
>>>> try to see what could be causing the exception, but I was curious if anyone
>>>> else had any ideas.
>>>> Thanks.
>>>>
>>>> --
>>>> Tommy
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "security-onion" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to security-onion+unsubscribe at googlegroups.com.
>>>> To post to this group, send email to security-onion at googlegroups.com.
>>>> Visit this group at http://groups.google.com/group/security-onion.
>>>> For more options, visit https://groups.google.com/d/optout.
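One way to do in bulk the triage this thread converges on, as an added example for this page (not Bro's own code and not anything the posters ran): parse Bro's ASCII dpd.log and sip.log, undo the \xNN escaping the log writer applies inside failure_reason, pull out the .pac location, the expected pattern and the actual data, join the two logs on uid, and summarise per source address. The log lines in the script are constructed to mirror the entries quoted above (the uids, addresses and the column subset are illustrative, not captures), and the "likely scanner" flag is this example's own heuristic, not a rule anyone in the thread stated.

```python
"""Triage Bro dpd.log "Binpac exception" entries from the SIP analyzer.

Added example for this thread; not Bro's own code. The log text below is
constructed to mirror the entries quoted in the thread (uids, addresses and
the column subset are illustrative, not real captures)."""
import re


def _tsv(header, rows):
    """Build a minimal Bro ASCII log: a #fields line plus tab-separated rows."""
    lines = ["#fields\t" + "\t".join(header)] + ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"


# failure_reason as Bro's ASCII writer emits it: LF and CR escaped as \x0a / \x0d.
SDP_REASON = (r'Binpac exception: binpac exception: string mismatch at '
              r'sip-protocol.pac:70:\x0aexpected pattern: ":"\x0aactual data: '
              r'" 1702356679 1793741124 IN IP4 10.10.250.141\x0d\x0as=sipcli\x0d\x0a"')
EMPTY_REASON = (r'Binpac exception: binpac exception: string mismatch at '
                r'sip-protocol.pac:34:\x0aexpected pattern: "[[:alnum:]@[:punct:]]+"'
                r'\x0aactual data: ""')

DPD_LOG = _tsv(["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                "proto", "analyzer", "failure_reason"], [
    ["1439952507.945287", "C0Zth33h2gy9HEGM4k", "10.10.250.141", "5070",
     "10.10.146.171", "5060", "udp", "SIP", SDP_REASON],
    ["1439952508.235601", "CfnJdC2wJa7QObDdK7", "10.10.250.141", "5110",
     "10.10.146.171", "5060", "udp", "SIP", SDP_REASON],
    ["1439952508.245335", "CfnJdC2wJa7QObDdK7", "10.10.250.141", "5110",
     "10.10.146.171", "5060", "udp", "SIP", SDP_REASON],
    ["1439934408.353389", "CMUcGx4TXPPDGCIb65", "203.0.113.7", "40046",
     "10.10.146.171", "5060", "udp", "SIP", EMPTY_REASON],
    # Non-SIP entry (constructed): the SIP-only triage below must ignore it.
    ["1439934409.120000", "CkXn1Ssl00000001", "10.10.44.245", "51022",
     "10.10.7.100", "443", "tcp", "SSL", "Invalid version late in TLS connection"],
])

# sip.log has more columns than this; parse_bro_tsv keys by #fields, so that is fine.
SIP_LOG = _tsv(["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                "method", "user_agent", "status_code"], [
    ["1439952507.945287", "C0Zth33h2gy9HEGM4k", "10.10.250.141", "5070",
     "10.10.146.171", "5060", "INVITE", "sipcli/v1.8", "404"],
    ["1439952508.235601", "CfnJdC2wJa7QObDdK7", "10.10.250.141", "5110",
     "10.10.146.171", "5060", "INVITE", "sipcli/v1.8", "404"],
    # Second transaction on the same connection, never answered ("-" = unset).
    ["1439952508.245335", "CfnJdC2wJa7QObDdK7", "10.10.250.141", "5110",
     "10.10.146.171", "5060", "OPTIONS", "sipcli/v1.8", "-"],
    ["1439934408.353389", "CMUcGx4TXPPDGCIb65", "203.0.113.7", "40046",
     "10.10.146.171", "5060", "REGISTER", "sipcli/v1.8", "401"],
])

BINPAC_RE = re.compile(
    r'string mismatch at (?P<loc>\S+?:\d+):\n'
    r'expected pattern: "(?P<expected>.*?)"\n'
    r'actual data: "(?P<actual>.*)"\Z', re.S)


def parse_bro_tsv(text):
    """Parse ASCII-writer output into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def unescape(s):
    """Undo the \\xNN escaping Bro applies to non-printable bytes in string fields."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def binpac_failures(dpd_rows, analyzer="SIP"):
    """Binpac exceptions for one analyzer, split into location / expected / actual."""
    out = []
    for r in dpd_rows:
        if r["analyzer"] != analyzer or not r["failure_reason"].startswith("Binpac exception"):
            continue
        m = BINPAC_RE.search(unescape(r["failure_reason"]))
        g = m.groupdict() if m else {"loc": None, "expected": None, "actual": None}
        out.append(dict(uid=r["uid"], src=r["id.orig_h"], **g))
    return out


def summarize(dpd_text, sip_text, min_failures=2):
    """Per source: failure count, .pac locations hit, and what sip.log saw for the
    same uids. likely_scanner is this example's heuristic (an assumption): repeated
    parse failures whose SIP transactions all ended in 401/404."""
    sip_by_uid = {}
    for r in parse_bro_tsv(sip_text):
        sip_by_uid.setdefault(r["uid"], []).append(r)
    per_src = {}
    for f in binpac_failures(parse_bro_tsv(dpd_text)):
        s = per_src.setdefault(f["src"], {"failures": 0, "locs": set(),
                                          "user_agents": set(), "status_codes": set()})
        s["failures"] += 1
        if f["loc"]:
            s["locs"].add(f["loc"])
        for r in sip_by_uid.get(f["uid"], []):
            if r["user_agent"] != "-":
                s["user_agents"].add(r["user_agent"])
            if r["status_code"] != "-":
                s["status_codes"].add(r["status_code"])
    for s in per_src.values():
        s["likely_scanner"] = (s["failures"] >= min_failures
                               and bool(s["status_codes"])
                               and s["status_codes"] <= {"401", "404"})
    return per_src


if __name__ == "__main__":
    for src, s in summarize(DPD_LOG, SIP_LOG).items():
        print(src, s["failures"], sorted(s["locs"]), sorted(s["user_agents"]),
              sorted(s["status_codes"]), "likely scanner" if s["likely_scanner"] else "")
```

To run this against a sensor, read /nsm/bro/logs/current/dpd.log and sip.log into the two text arguments; the parser keys columns by the #fields line, so the extra sip.log columns are harmless. The per-location breakdown is the part worth keeping for a bug report: the thread already shows two distinct failure points (sip-protocol.pac:34 with empty actual data, sip-protocol.pac:70 with an SDP or XML body where a ":" was expected), and they may not have the same cause.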



More information about the Bro mailing list