[Bro] Strange behavior with interesting-hostnames.bro

Azoff, Justin S jazoff at illinois.edu
Fri Jul 28 08:02:07 PDT 2017


> On Jul 28, 2017, at 10:46 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> I have people connecting to an ftp server on my network via port 22, which is triggering the SSH::interesting_hostnames notice.  I'm guessing this is for sftp, but either way it's not something I'm concerned with.
> 
> Easy question:
> 
> In my local.bro I'm trying to redef the interesting_hostnames variable to remove the ftp regex. Reference: bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
> 
> //
> redef SSH::interesting_hostnames = {
>                        /^d?ns[0-9]*\./ |
>                        /^smtp[0-9]*\./ |
>                        /^mail[0-9]*\./ |
>                        /^pop[0-9]*\./  |
>                        /^imap[0-9]*\./ |
>                        /^www[0-9]*\./};
> //
> 
> I've also tried it without the brackets, {}.
> 
> Both are accepted by broctl, but neither actually seems to do anything, as the script continues to match port 22 traffic to my ftp server.
> 
> Can't find much syntax-related on Google, aside from having the -= operator available as a different way to specify it. What's wrong here?

Without the braces is correct.  You can use

    broctl print SSH::interesting_hostnames

to see what version your cluster is using.

You can also just use a notice policy hook to ignore the notices for that specific hostname, instead of ignoring ftp logins entirely.

Your problem is probably related to the second issue you have...

> Second...and this one is strange
> 
> When the notice is generated, instead of having the note as SSH::Interesting_Hostname_Login, it's attaching a note of HTTP::SQL_Injection_Attacker.
> 
> Here's a log line
> 
> //
> 1501207574.941860	C3EEas45G6RoObEML9	7.7.7.7	46160	10.10.10.10	22	-	-	-	tcp	HTTP::SQL_Injection_Attacker	Possible SSH login involving a local server with an interesting hostname.	myftpserver.mydomain.com	Notice::ACTION_EMAIL,IPBLOCK::ACTION_IPBLOCK,Notice::ACTION_LOG	3600.000000
> //
> 
> How is Bro attaching SQL_Injection_Attacker from a completely different module as the note?

Did you make changes to your local.bro without restarting the entire cluster?  Or did you make changes to one of the local-logger.bro, local-manager.bro, local-proxy.bro or local-worker.bro files?

I believe enums being wrong is a direct result of running different policies on different boxes causing the metadata for enums to get out of sync.

Running different policies on different boxes would also explain why your changes to interesting_hostnames have not worked.


-- 
- Justin Azoff
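As an added example (not code from this thread or from the Bro project), a local.bro fragment showing both approaches Justin describes: the brace-less redef that drops only the ftp alternative, and a Notice::policy hook that suppresses the notice for the single host seen in Eric's log line. The hook relies on the Bro 2.5 notice framework adding Notice::ACTION_LOG in a priority -5 handler, so that a `break` at default priority drops the notice; that ordering is an assumption about the base scripts.

```bro
# Added example: local.bro fragment (not from the original post).
@load protocols/ssh/interesting-hostnames

# Option 1: SSH::interesting_hostnames is a single pattern, not a set,
# so it is redefined without braces and the ftp alternative is simply
# left out.  Verify what the running cluster uses with:
#     broctl print SSH::interesting_hostnames
redef SSH::interesting_hostnames =
	  /^d?ns[0-9]*\./
	| /^smtp[0-9]*\./
	| /^mail[0-9]*\./
	| /^pop[0-9]*\./
	| /^imap[0-9]*\./
	| /^www[0-9]*\./;

# Option 2: keep the default pattern and drop only the notice for the
# ftp host.  interesting-hostnames.bro puts the matched hostname in
# n$sub.  This handler runs at priority 0, before the priority -5
# handler that adds Notice::ACTION_LOG (assumption about Bro 2.5's
# base/frameworks/notice), so "break" leaves the notice with no actions
# and nothing is logged or emailed for it.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Interesting_Hostname_Login &&
	     n?$sub && n$sub == "myftpserver.mydomain.com" )  # host from the log line
		break;
	}
```

Either change needs to reach every node, so deploy with a full `broctl deploy` rather than editing a single node's local-*.bro file.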
