[Bro] Event connection_established not working as expected
Robert Young
rfjl12345 at gmail.com
Fri Jul 17 14:22:59 PDT 2015
Hi Guys, I am trying to detect when a remote location attempts to connect
to a device and the TCP 3-way handshake has completed. In this case I am
looking for the remote to initiate the connection, not the local machine.
I have configured using the following snippet:

event connection_established(c: connection)
    if ( (c$id$resp_h in interesting_hosts1) || (c$id$resp_h in interesting_hosts2) || (c$id$resp_h in interesting_hosts3) )
and it seems to work when the 3-way connection is completed. But for the following case it gives a false positive and I am not sure
why. Pretty new to using Bro, but was hoping someone might have an idea?
The remote sends a "syn" to the local host and it replies back with a
[RST,ACK] (this is supposed to reply with this) and the event is matched.
As you can see in the connection log, there is no indication that a
normal 3-way handshake has occurred. I have attached an anonymized packet
capture and the full config.
1437160813.520265 CIqWv01Vb9vHN2vWo2 85.229.5.218 50664 110.162.75.227 445 tcp - 0.015001 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160814.132934 CVbOXi5l0Vm42iSa5 85.229.5.218 50664 110.162.75.227 445 tcp - 0.014947 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160820.133261 CU5LPc2t6UbgTgX43i 85.229.5.218 50664 110.162.75.227 445 tcp - 0.024566 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
Thanks,
Robert
module UNAUTH;

export {
	# Create an ID for our new stream. By convention, this is
	# called "LOG".
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## Generated if a login attempt to one of our hosts is seen and our host responds.
		Attempted_Logon
	};

	# Define the fields. By convention, the type is called "Info".
	type Info: record {
		ts: time &log;
		id: conn_id &log;
		# proto: transport_proto &log &optional;
		# service: string &log &optional;
		duration: interval &log &optional;
	};

	# Define a hook event. By convention, this is called
	# "log_<stream>".
	global log_unauth: event(rec: Info);

	#global interesting_hosts = set(172.16.1.25, 172.16.1.13);
	#global interesting_ports = set(22/tcp, 23/tcp, 80/tcp, 443/tcp, 2001/tcp, 28171/tcp);

	## NOTE: the set must have an even number of entries or formatting won't work
	# Global declarations need a terminating semicolon.
	global interesting_hosts1 = set(110.162.75.227/32);
	global interesting_hosts2 = set(111.162.75.227/32);
	global interesting_hosts3 = set(112.162.75.227/32);

	hook Notice::policy(n: Notice::Info)
		{
		if ( n$note == UNAUTH::Attempted_Logon )
			add n$actions[Notice::ACTION_EMAIL];
		}
}

redef record connection += {
	unauth: Info &optional;
};

event bro_init() &priority=5
	{
	# Create the stream. This also adds a default filter automatically.
	Log::create_stream(UNAUTH::LOG, [$columns=Info, $ev=log_unauth]);
	}

event connection_established(c: connection)
	{
	# if ( c$id$resp_p in interesting_ports && c$id$resp_h in interesting_hosts )
	if ( (c$id$resp_h in interesting_hosts1) || (c$id$resp_h in interesting_hosts2) || (c$id$resp_h in interesting_hosts3) )
		{
		print fmt("connection established");
		print c;
		print fmt("---------------------------");
		local rec: UNAUTH::Info = [$ts=network_time(), $id=c$id, $duration=c$duration];
		c$unauth = rec;
		# The stream's columns are Info, so write the Info record, not the whole connection.
		Log::write(UNAUTH::LOG, rec);
		NOTICE([$note=UNAUTH::Attempted_Logon,
		        $msg=fmt("WARNING! Login attempt from host %s to %s %s.", c$id$orig_h, c$id$resp_h, c$id$resp_p),
		        $conn=c,
		        $suppress_for=5min]);
		}
	}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port 445_anon.pcapng
Type: application/octet-stream
Size: 812 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150717/3657c5ae/attachment.obj
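The conn.log above shows a history of "Shr" (originator SYN, responder SYN-ACK, responder RST) with no originator ACK, which is why the author sees no completed handshake. The script below is an added example, not code from the original post or from the Bro project: it waits for connection_state_remove, when the history string is final, and only raises a notice when the history starts with the full three-way handshake "ShA". The module name, notice name and the addresses in interesting_hosts are assumptions.

```bro
# Added example (not part of the original post): only report a remote
# connection to a watched host once the conn history shows the full
# three-way handshake. Module, notice and address values are assumed.
module UNAUTH_HANDSHAKE;

export {
	redef enum Notice::Type += {
		## A remote host completed a TCP handshake with one of our hosts.
		Completed_Handshake
	};

	## Hosts we want to watch. Indexing by subnet lets single addresses
	## and whole ranges sit in one set (values are constructed examples).
	const interesting_hosts: set[subnet] = {
		110.162.75.227/32,
		111.162.75.0/24,
	} &redef;
}

# Bro's history string records, in order, 'S' for the originator's SYN,
# 'h' for the responder's SYN-ACK and 'A' for the originator's pure ACK.
# A refused connection looks like "Shr" (responder RST), which this check
# rejects; "ShA..." is a completed handshake.
function handshake_completed(history: string): bool
	{
	return /^ShA/ in history;
	}

# connection_state_remove fires once per connection when Bro tears down
# its state, so the history is complete by then.
event connection_state_remove(c: connection)
	{
	# Address lookups against a set[subnet] do prefix matching.
	if ( c$id$resp_h !in interesting_hosts )
		return;

	if ( ! handshake_completed(c$history) )
		return;

	NOTICE([$note=Completed_Handshake,
	        $msg=fmt("Completed handshake from %s to %s:%s (history %s)",
	                 c$id$orig_h, c$id$resp_h, c$id$resp_p, c$history),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p),
	        $suppress_for=5min]);
	}
```

Run it alongside the original script (bro -r port_445_anon.pcapng unauth_handshake.bro) and the three "Shr" connections in the log above produce no notice, while a connection whose history begins "ShA" does. Setting $identifier keeps $suppress_for keyed on the host pair and port rather than on the notice type alone.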