[Bro] Strange behavior with interesting-hostnames.bro
Eric Hacecky
hacecky at jlab.org
Fri Jul 28 07:46:07 PDT 2017
I have people connecting to an ftp server on my network via port 22, which is triggering the SSH::interesting_hostnames notice. I'm guessing this is for sftp, but either way it's not something I'm concerned with.
Easy question:
In my local.bro I'm trying to redef the interesting_hostnames variable to remove the ftp regex (reference: bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro).
//
redef SSH::interesting_hostnames = {
/^d?ns[0-9]*\./ |
/^smtp[0-9]*\./ |
/^mail[0-9]*\./ |
/^pop[0-9]*\./ |
/^imap[0-9]*\./ |
/^www[0-9]*\./};
//
I've also tried it without the brackets, {}.
Both are accepted by broctl, but neither actually seems to do anything, as the script continues to match port 22 traffic to my ftp server.
Can't find much on Google about the syntax, aside from the -= operator being available as a different way to specify it. What's wrong here?
==========
Second...and this one is strange
When the notice is generated, instead of having the note as SSH::Interesting_Hostname_Login, it's attaching a note of HTTP::SQL_Injection_Attacker.
Here's a log line
//
1501207574.941860 C3EEas45G6RoObEML9 7.7.7.7 46160 10.10.10.10 22 - - - tcp HTTP::SQL_Injection_Attacker Possible SSH login involving a local server with an interesting hostname. myftpserver.mydomain.com Notice::ACTION_EMAIL,IPBLOCK::ACTION_IPBLOCK,Notice::ACTION_LOG 3600.000000
//
How is Bro attaching SQL_Injection_Attacker from a completely different module as the note?
Thanks,
Eric
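As an added check, not part of the post or of Bro itself: the alternatives from the redef above translated to Python's re module, plus the leading notice.log columns the quoted line carries, so the hostname in the sub column can be tested against each alternative before the redef is blamed. It assumes the stock ftp alternative is written like the others (/^ftp[0-9]*\./) and that ^ pins an alternative to the start of the hostname, as Python's re.search does.

```python
import re

# Alternatives from the redef in the post (the poster's set, without ftp).
REDUCED_PATTERNS = [
    r"^d?ns[0-9]*\.",
    r"^smtp[0-9]*\.",
    r"^mail[0-9]*\.",
    r"^pop[0-9]*\.",
    r"^imap[0-9]*\.",
    r"^www[0-9]*\.",
]
# Assumption: the stock script's extra ftp alternative has the same shape.
DEFAULT_PATTERNS = REDUCED_PATTERNS + [r"^ftp[0-9]*\."]

# Leading notice.log columns (assumption: the stock Bro 2.5 notice.log header order).
NOTICE_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                 "fuid", "file_mime_type", "file_desc", "proto", "note", "msg", "sub"]


def matching_alternatives(hostname, patterns):
    """Alternatives of the pattern union that hit the hostname. Mirrors an
    unanchored search, with ^ still pinning an alternative to the start."""
    return [p for p in patterns if re.search(p, hostname)]


def parse_notice(line):
    """Map the leading tab-separated notice.log columns to their names."""
    cols = line.rstrip("\n").split("\t")
    return dict(zip(NOTICE_FIELDS, cols))


# Constructed tab-separated rendering of the log line quoted in the post.
SAMPLE_LINE = "\t".join([
    "1501207574.941860", "C3EEas45G6RoObEML9", "7.7.7.7", "46160",
    "10.10.10.10", "22", "-", "-", "-", "tcp", "HTTP::SQL_Injection_Attacker",
    "Possible SSH login involving a local server with an interesting hostname.",
    "myftpserver.mydomain.com",
])


def triage(line, patterns=REDUCED_PATTERNS):
    """Return (note, sub hostname, alternatives in `patterns` that match the hostname)."""
    n = parse_notice(line)
    return n["note"], n["sub"], matching_alternatives(n["sub"], patterns)


if __name__ == "__main__":
    print(triage(SAMPLE_LINE))                     # poster's reduced set
    print(triage(SAMPLE_LINE, DEFAULT_PATTERNS))   # stock set with ftp
    print(matching_alternatives("ftp2.mydomain.com", DEFAULT_PATTERNS))
```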