[Bro] software/version-changes.bro comparison between the two versions.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Feb 21 11:32:52 PST 2017


Thanks Justin for the update, will be awaiting the Broker integration for
the new features/scripts.

On Tue, Feb 21, 2017 at 1:55 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> It looks like that script is broken :-(  The main software script that
> logs new software versions does:
>
>     ts[info$name] = info;
>     Log::write(Software::LOG, info);
>
> and then the version changes script is doing
>
>     local old = ts[rec$name]
>
> But at that point old and rec are the same exact thing.  It's possible to
> fix this, it just can't use the log_software event because at that point
> the "old" version has already been overwritten.
>
> Another issue with the script is that the 'tracked' variable has a create
> expire of only 24h, so if the host is only seen every 48 hours, or if bro
> is restarted it won't know the version changed.
>
> Newer features in Broker should allow interesting version changes to be
> tracked using persistent data stores.  That would really fix the issue.
> There are similar things that need to be re-written for better tracking
> known hosts/known services/known certs.
>
> I added this info to the existing ticket I had for this:
>
> https://bro-tracker.atlassian.net/browse/BIT-1521
>
>
>
> --
> - Justin Azoff
>
> > On Feb 21, 2017, at 12:50 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > I was going through the version-changes.bro script, thinking of adding
> > some software to track the version changes, but realized that there is
> > no comparison done between the old version tracked and the version
> > detected in "rec: Info" of the log_software event.
> >
> > Hence, I was thinking of adding a condition to check it before the notice
> > is raised for the version change, like the following:
> > (or I might be missing something regarding the functionality of the
> > script. :/)
> >
> > event log_software(rec: Info)
> >       {
> >       local ts = tracked[rec$host];
> >
> >       if ( rec$name in ts )
> >               {
> >               local old = ts[rec$name];
> >
> >               # Is it a potentially interesting version change?
> >               if ( rec$name in interesting_version_changes )
> >                       {
> >                       # Only raise the notice when the tracked version differs
> >                       if ( software_fmt_version(old$version) !=
> >                            software_fmt_version(rec$version) )
> >                               {
> >                               local msg = fmt("%.6f %s switched from %s to %s (%s)",
> >                                               network_time(), rec$software_type,
> >                                               software_fmt_version(old$version),
> >                                               software_fmt(rec), rec$software_type);
> >                               NOTICE([$note=Software_Version_Change, $src=rec$host,
> >                                       $msg=msg, $sub=software_fmt(rec)]);
> >                               }
> >                       }
> >               }
> >       }
> >
> > Any thoughts? anybody using this script to track software changes?
> >
> > Thanks,
> > Fatema.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
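An added example, not the original version-changes.bro and not code posted by either participant, of the direction Justin describes: handle Software::version_change, which the software framework raises with both the previous and the new Info record, instead of log_software, where the tracked entry has already been overwritten and old and rec are the same object. The module name SoftwareChanges, the notice type Version_Changed and the sample contents of the interesting set are assumptions for this example; Software::Info, Software::cmp_versions, Software::software_fmt_version and Software::software_fmt are the base framework's own.

```bro
##! Added example: notice on real version changes of tracked software.
##! Uses Software::version_change so that the old record is still
##! available for comparison (the log_software event fires after the
##! tracked table entry has been replaced).

@load base/frameworks/software
@load base/frameworks/notice

# Module and notice name are assumptions for this example.
module SoftwareChanges;

export {
	redef enum Notice::Type += {
		## Raised when the version of interesting software changed on a host.
		Version_Changed,
	};

	## Software names worth a notice on version change.
	## Sample values; redef for your environment.
	const interesting: set[string] = { "OpenSSH", "Apache", "nginx" } &redef;
}

event Software::version_change(old: Software::Info, new: Software::Info)
	{
	# version is &optional in Software::Info; guard before dereferencing.
	if ( ! old?$version || ! new?$version )
		return;

	if ( ! new?$name || new$name !in interesting )
		return;

	# Compare the structured Version records with the framework's own
	# comparison rather than formatted strings.
	if ( Software::cmp_versions(old$version, new$version) == 0 )
		return;

	local msg = fmt("%.6f %s on %s switched from %s to %s",
	                network_time(), new$name, new$host,
	                Software::software_fmt_version(old$version),
	                Software::software_fmt_version(new$version));

	# identifier lets the notice framework suppress repeats per host+software.
	NOTICE([$note=Version_Changed,
	        $src=new$host,
	        $msg=msg,
	        $sub=Software::software_fmt(new),
	        $identifier=cat(new$host, new$name)]);
	}
```

This only fixes the comparison problem. The second issue Justin raises remains: Software::tracked still has a create_expire of one day and is lost on restart, so a host seen again after its entry expired is registered as new and no version_change event fires for it. Persisting that state across expiry and restarts is what the Broker data store work he mentions would address.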