[Bro] Strange behavior with interesting-hostnames.bro

Eric Hacecky hacecky at jlab.org
Fri Jul 28 07:46:07 PDT 2017


I have people connecting to an ftp server on my network via port 22, which is triggering the SSH::interesting_hostnames notice.  I'm guessing this is for sftp, but either way it's not something I'm concerned with.

Easy question:

In my local.bro  I'm trying to redef the interesting_hostnames variable to remove the ftp regex.  reference bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro

//
redef SSH::interesting_hostnames = {
                        /^d?ns[0-9]*\./ |
                        /^smtp[0-9]*\./ |
                        /^mail[0-9]*\./ |
                        /^pop[0-9]*\./  |
                        /^imap[0-9]*\./ |
                        /^www[0-9]*\./};
//

I've also tried it without the brackets, {}.

Both are accepted by broctl, but neither actually seem to do anything as the script continues to match port 22 traffic to my ftp server.

Can't find much on google syntax related aside from having the -= operator available as a different way to specify it.  What's wrong here?

==========

Second...and this one is strange

When the notice is generated, instead of having the note as SSH:Interesting_Hostname_Login, it's attaching a note of HTTP::SQL_Injection_Attacker.

Here's a log line

//
1501207574.941860	C3EEas45G6RoObEML9	7.7.7.7	46160	10.10.10.10	22	-	-	-	tcp	HTTP::SQL_Injection_Attacker	Possible SSH login involving a local server with an interesting hostname.	myftpserver.mydomain.com	Notice::ACTION_EMAIL,IPBLOCK::ACTION_IPBLOCK,Notice::ACTION_LOG	3600.000000
//

How is Bro attaching SQL_Injection_Attacker from a completely different module as the note?

Thanks,
Eric


More information about the Bro mailing list