[Bro] Strange behavior with interesting-hostnames.bro

Eric Hacecky hacecky at jlab.org
Fri Jul 28 10:42:49 PDT 2017


[BroControl] > deploy
checking configurations ...
installing ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping worker-2 ...
stopping worker-1 ...
stopping proxy-1 ...
stopping manager ...
starting ...
starting manager ...
starting proxy-1 ...
starting worker-1 ...
starting worker-2 ...
[BroControl] > print SSH::interesting_hostnames
     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/

The line for worker-2 is even formatted strangely.  There's an extra set of parentheses surrounding the string of ((dns|smtp|mail|pop|imap|www) | ftp )


From my local.bro


# Remove match for hostname with "ftp" for the SSH login success to interesting hostname from /share/bro/policy/protocols/ssh/interesting-hostnames.bro
redef SSH::interesting_hostnames = /^d?ns[0-9]*\./ | /^smtp[0-9]*\./ | /^mail[0-9]*\./ | /^pop[0-9]*\./  | /^imap[0-9]*\./ | /^www[0-9]*\./;

Eric
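A quick consistency check for the situation above, written as an added example for this note (not code from the thread or from Bro): it parses `broctl print` output, rebuilds each node's pattern with Python's `re`, and lists the nodes whose pattern classifies a set of sample hostnames differently from the manager. It assumes the sample output below (constructed from the thread) and that dropping the `^?`/`$?` wrappers Bro prints around each alternative, which Python's `re` rejects as a quantifier on an anchor, keeps the intended anchoring.

```python
import re

# Constructed sample: the "broctl print SSH::interesting_hostnames" output
# from the thread, with worker-2 still carrying the old ftp alternative.
BROCTL_OUTPUT = r"""
     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/
"""

# Constructed hostnames covering each alternative plus the removed ftp one
# and a hostname that should match nowhere.
SAMPLE_HOSTS = ["dns2.example.org", "smtp.example.org", "mail.example.org",
                "pop3.example.org", "imap.example.org", "www.example.org",
                "ftp1.example.org", "host.example.org"]


def parse_broctl_print(output):
    """Map node name -> pattern body (text between the slashes) per line."""
    nodes = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s+\S+\s*=\s*/(.*)/\s*$", line)
        if m:
            nodes[m.group(1)] = m.group(2)
    return nodes


def to_python_regex(bro_pattern):
    """Assumption: Bro's (^?(...)$?) wrappers carry no extra anchoring, so
    removing them leaves the inner ^-anchored alternatives intact."""
    return re.compile(bro_pattern.replace("^?", "").replace("$?", ""))


def node_matches(output, hostnames):
    """Return {node: {hostname: matched?}} for every node in the output."""
    patterns = {n: to_python_regex(p) for n, p in parse_broctl_print(output).items()}
    return {n: {h: bool(r.search(h)) for h in hostnames} for n, r in patterns.items()}


def nodes_disagreeing_with_manager(output, hostnames):
    """Nodes whose pattern classifies the sample hostnames unlike the manager."""
    results = node_matches(output, hostnames)
    reference = results["manager"]
    return sorted(n for n, res in results.items() if res != reference)


if __name__ == "__main__":
    for node, res in node_matches(BROCTL_OUTPUT, SAMPLE_HOSTS).items():
        print(node, [h for h, hit in res.items() if hit])
    print("inconsistent:", nodes_disagreeing_with_manager(BROCTL_OUTPUT, SAMPLE_HOSTS))
```

Feed it the real `broctl print` output to see at a glance which node is still running the previous redef.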


----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Friday, July 28, 2017 11:35:18 AM
Subject: Re: [Bro] Strange behavior with interesting-hostnames.bro

> On Jul 28, 2017, at 11:22 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Justin,
> 
> Yeah seems like you're right on the money.
> 
> //
> [BroControl] > print SSH::interesting_hostnames
>     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/
> //
> 
> I haven't made any changes to the other local files.  They're all empty on the manager/worker nodes.
> 
>> Did you make changes to your local.bro without restarting the entire cluster?
> 
> I've been using broctl deploy or restart mostly.  I did get a crash message from worker-2 once, where I issued broctl restart worker-2 instead of the entire cluster.
> 
> //
> 1501254343.937122 fatal error in /usr/local/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 157: Val::CONST_ACCESSOR (types/string) (/(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/)
> //
> 
> Any ideas?
> 
> Eric
> 

What does a broctl deploy output at this point?  Does your local.bro currently have the redef with the {}'s?  You want it without them.

-- 
- Justin Azoff

