[Bro] Field value missing

Javier Richard Quinto Ancieta richardqa at gmail.com
Mon Mar 30 10:10:24 PDT 2015


Hi,

Thank you for your answers; they clarified part of my doubt. I got successful
results using both methods:

e.g.,

if (n$note == SSH::Password_Guessing && /11\.1\.1\.7/ in n$sub)
   print fmt ("testing1");

or

if (n$note == SSH::Password_Guessing && n$src == <attacker IP> )
   print fmt ("testing2");

I also looked at the notice.log logs and I understand why I get these values
(sub, src).

But I'd like to understand why notice.log doesn't populate the fields
"id.orig_h, id.resp_h".

You told me that "the connection 'id' itself isn't populated, so the n$id
isn't there to reference n$id$resp_h from",
but I wonder if there is some way to populate these fields (id.orig_h,
id.resp_h, ...) for this type of event (SSH::Password_Guessing)?

Thank you,
Javier

2015-03-30 12:49 GMT-03:00 Mike Dopheide <dopheide at gmail.com>:

> Javier,
>
> To add to what Jon said...
>
> In this case you're hitting a situation where not all Notices are created
> equal.
>
> I believe, for SSH::Password_Guessing, the connection 'id' itself isn't
> populated, so the n$id isn't there to reference n$id$resp_h from.  It will
> have an n$src if you wanted the originator, but for recipient you need to
> look at the notice subject (see Jon's message).  The recipients listed
> there are a sampled set.
>
> -Dop
>
>
>
>
> On Sun, Mar 29, 2015 at 10:55 PM, Javier Richard Quinto Ancieta <
> richardqa at gmail.com> wrote:
>
>> Greetings all,
>>
>> I am new to Bro, and I hope you can help me.
>>
>> I read the following documentation:
>> https://www.bro.org/sphinx-git/frameworks/notice.html
>>
>> Exactly, this part of the code:
>>
>> ...
>> hook Notice::policy(n: Notice::Info)
>>   {
>>   if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
>>     add n$actions[Notice::ACTION_EMAIL];
>>   }
>> ...
>>
>> And wrote it in the file ../local.bro
>>
>> But when I generate an attack against the IP (10.0.0.1), I get an error: "field
>> value missing [n$id]".
>>
>> I use "bro -i eth0 local" to debug the logs live.
>>
>> I made many changes; I also used "$id?$resp_h" to check for errors, and I got
>> the same error. I am sorry, but I am new to Bro and I would like to know
>> how I can fix that.
>>
>> Thank you
>> Javier
>>
>> --
>> Kind regards
>> Javier
>>
>
>


-- 
Kind regards
Javier Richard Quinto Ancieta
Master's student in Computer Engineering - UNICAMP, Brazil
http://www.linkedin.com/in/richardqa
CELL: +51 972205099 (Lima), +55 19 99033699 (Campinas-SP)
Fingerprint: 52C8 9361 B7B1 0CDE A7FF 0AAF 6911 459E F588 ACFD
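As an added example (not code from the thread or from the Bro documentation), here is a Notice::policy hook that handles SSH::Password_Guessing notices safely: it tests whether the optional connection id is present with the ?$ operator before dereferencing it, and otherwise falls back to the n$src / n$sub fields Dop described. The address 10.0.0.1 and the Notice::ACTION_EMAIL action are taken from the thread; the constant names watched_host and watched_host_pattern are assumptions of this example.

```bro
# Added example: a Notice::policy hook for notices that may carry no
# connection id (SSH::Password_Guessing is one of them).
# 10.0.0.1 comes from the thread; the two constant names are assumed here.
const watched_host = 10.0.0.1 &redef;

# Anchored so that "10.0.0.1" does not also match "10.0.0.10" or
# "110.0.0.1" inside the subject text.
const watched_host_pattern = /(^|[^0-9])10\.0\.0\.1([^0-9]|$)/ &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		{
		# n$id is an optional field. Checking it with ?$ avoids the
		# "field value missing [n$id]" runtime error seen in the thread.
		if ( n?$id )
			{
			if ( n$id$resp_h == watched_host )
				add n$actions[Notice::ACTION_EMAIL];
			}
		# Without an id, the guessing host is in n$src and a sampled set
		# of the hosts it tried is listed in n$sub, so match the address
		# against the subject text instead.
		else if ( n?$sub && watched_host_pattern in n$sub )
			add n$actions[Notice::ACTION_EMAIL];
		}
	}
```

Because n$sub only lists a sampled set of targets, a guessed host can be absent from it; n$src remains the reliable field for the originator.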