[Bro] Field value missing

Mike Dopheide dopheide at gmail.com
Mon Mar 30 12:06:25 PDT 2015


There are a couple of things going on that make this tricky.

1)  First, the SSH::Password_Guessing notice is built up using SumStats in:
share/bro/policy/protocols/ssh/detect-bruteforcing.bro

It's only keeping track of 5 sample targets and the default limit to cause
a notice is 30 attempts (which you can change).

2)  The other problem is that a notice line with a connection identifier
(c$id) can only have one connection id that populates orig_h, resp_h, etc.
For the code that creates SSH::Password_Guessing, you're dealing with lots
of different connections.

...

However, with Bro, most things are typically possible, we just need to
think about it in a roundabout sort of way.  My two immediate thoughts are
you could write your own policies that keep all of the target information
(more memory intensive) and write out the c$id info for each target, or you
can get more aggressive with your guess limit and just set the limit at 5.
Then the notice subject sample size will (usually?) be all of your targets.
That'd be something like this in your local.bro:

redef SSH::password_guesses_limit = 5;

-Dop




On Mon, Mar 30, 2015 at 12:10 PM, Javier Richard Quinto Ancieta <
richardqa at gmail.com> wrote:

> Hi,
>
> Thank you for your answers, clarify part of my doubt. I got successful
> results using the two methods:
>
> e.g.,
>
> if ( n$note == SSH::Password_Guessing && /1\.1\.1\.7/ in n$sub )
>    print fmt("testing1");
>
> or
>
> if ( n$note == SSH::Password_Guessing && n$src == <attacker IP> )
>    print fmt("testing2");
>
> I also saw the logs in notice.log and I understand why I get these values
> (sub, src).
>
> But I'd like to understand why the notice.log doesn't populate the fields
> "id.orig_h, id.resp_h".
>
> You told me that "the connection 'id' itself isn't populated, so the n$id
> isn't there to reference n$id$resp_h from"
> but I wonder if there is some way to populate these fields (id.orig_h,
> id.resp_h, ...) for this type of event (SSH::Password_Guessing)?
>
> Thank you,
> Javier
>
> 2015-03-30 12:49 GMT-03:00 Mike Dopheide <dopheide at gmail.com>:
>
> Javier,
>>
>> To add to what Jon said...
>>
>> In this case you're hitting a situation where not all Notices are created
>> equal.
>>
>> I believe, for SSH::Password_Guessing, the connection 'id' itself isn't
>> populated, so the n$id isn't there to reference n$id$resp_h from.  It will
>> have an n$src if you wanted the originator, but for recipient you need to
>> look at the notice subject (see Jon's message).  The recipients listed
>> there are a sampled set.
>>
>> -Dop
>>
>>
>>
>>
>> On Sun, Mar 29, 2015 at 10:55 PM, Javier Richard Quinto Ancieta <
>> richardqa at gmail.com> wrote:
>>
>>> Greetings all,
>>>
>>> I am new to Bro, and I hope you can help me.
>>>
>>> I read the following documentation:
>>> https://www.bro.org/sphinx-git/frameworks/notice.html
>>>
>>> Specifically, this part of the code:
>>>
>>> ...
>>> hook Notice::policy(n: Notice::Info)
>>>   {
>>>   if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
>>>     add n$actions[Notice::ACTION_EMAIL];
>>>   }
>>> ...
>>>
>>> And I wrote it in the file ../local.bro
>>>
>>> But when I generate an attack to the IP (10.0.0.1), I get an error: "field
>>> value missing [n$id]".
>>>
>>> I use "bro -i eth0 local" to debug the logs live.
>>>
>>> I made many changes, and I also used "$id?$resp_h" to check for errors, and I got
>>> the same error. I am sorry, but I am new to Bro and I would like to know
>>> how I can fix that?
>>>
>>> Thank you
>>> Javier
>>>
>>> --
>>> Saludos Cordiales
>>> Javier
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
>
> --
> Saludos Cordiales
> Javier Richard Quinto Ancieta
> Est. maestría en Ing. de Computación-UNICAMP Br
> http://www.linkedin.com/in/richardqa
> CELL: +51 972205099 (Lima), +55 19 99033699 (Campinas-SP)
> Fingerprint: 52C8 9361 B7B1 0CDE A7FF 0AAF 6911 459E F588 ACFD
>
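The approach Dop describes above, written out as an added local.bro fragment (not code from this thread or from the Bro project): lower the guessing limit, test `n?$id` before dereferencing it, and otherwise fall back to `n$src` and the sampled targets in `n$sub`. The `watched_server` constant and its address are assumptions.

```bro
# Added example, not from the thread: handle SSH::Password_Guessing without
# dereferencing n$id, which this notice does not populate.
@load protocols/ssh/detect-bruteforcing

# Lower the threshold so the sampled targets in n$sub are more likely to
# cover every host the guesser touched (see Dop's reply above).
redef SSH::password_guesses_limit = 5;

# Hypothetical address of the SSH server we care about (assumption).
const watched_server = 10.0.0.1 &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		{
		# Only dereference n$id when it is present. For this notice it is
		# absent, which is what raised "field value missing [n$id]".
		if ( n?$id && n$id$resp_h == watched_server )
			add n$actions[Notice::ACTION_EMAIL];
		# Fallback for notices with no connection id: the originator is
		# in n$src and the sampled targets appear in the subject (n$sub).
		else if ( n?$sub && fmt("%s", watched_server) in n$sub )
			add n$actions[Notice::ACTION_EMAIL];
		}
	}
```

Because n$sub only carries a sample of targets, a host that was guessed against but not sampled will still not trigger the fallback branch.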