[Bro] Strange behavior with interesting-hostnames.bro

Azoff, Justin S jazoff at illinois.edu
Fri Jul 28 11:06:50 PDT 2017


> On Jul 28, 2017, at 1:42 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> [BroControl] > deploy
> checking configurations ...
> installing ...
> removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
> removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
> creating policy directories ...
> installing site policies ...
> generating cluster-layout.bro ...
> generating local-networks.bro ...
> generating broctl-config.bro ...
> generating broctl-config.sh ...
> updating nodes ...
> stopping ...
> stopping worker-2 ...
> stopping worker-1 ...
> stopping proxy-1 ...
> stopping manager ...
> starting ...
> starting manager ...
> starting proxy-1 ...
> starting worker-1 ...
> starting worker-2 ...
> [BroControl] > print SSH::interesting_hostnames
>     manager   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>     proxy-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-1   SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)/
>    worker-2   SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?))|(^?(^ftp[0-9]*\.)$?)/
> 
> The line for worker-2 is even formatted strangely.  There's an extra set of parentheses surrounding the string of ((dns|smtp|mail|pop|imap|www) | ftp )
> 
Ah.. that's normal. It's actually more like.. so one extra item will have one extra paren added.

(((((dns) |smtp) |mail) |pop) |imap)

> From my local.bro
> 
> 
> # Remove match for hostname with "ftp" for the SSH login success to interesting hostname from /share/bro/policy/protocols/ssh/interesting-hostnames.bro
> redef SSH::interesting_hostnames = /^d?ns[0-9]*\./ | /^smtp[0-9]*\./ | /^mail[0-9]*\./ | /^pop[0-9]*\./  | /^imap[0-9]*\./ | /^www[0-9]*\./;
> 
> Eric
> 

I bet you have a half-broken process for worker-2 lying around from when it had an issue. It may not have completely crashed. .. if you run

    broctl stop

and then

    broctl ps.bro

Are any bro processes returned related to worker-2?  Ensure that every bro process is stopped and then do a new deploy, that should clear things up.

-- 
- Justin Azoff
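As an added illustration (not code from this thread, from Bro, or from BroControl), the following Python models the nesting Justin describes: every extra alternative combined with Bro's pattern `|` operator wraps the accumulated pattern in one more pair of parentheses, which is why worker-2's printed value, which still carries the stock `ftp` alternative, has one more leading `(` than the manager's. The storage rule it assumes (a literal `/p/` stored as `^?(p)$?`, and `a|b` stored as `(a)|(b)`) is inferred from the output quoted above and reproduces the manager's printed line exactly; it is an assumption about Bro's printing, not something the thread states. The hostname lists, the `example.org` names and the helper names are constructed for the example. Because `^?` is not valid Python regex syntax, the matching helper searches the plain alternatives with Python's `re` instead of compiling the Bro-printed text.

```python
"""Model how Bro prints a pattern built with '|' and use it to spot a cluster
node that reports a different SSH::interesting_hostnames value than the manager.

Added illustration; the ^?(p)$? / (a)|(b) printing rule is an assumption
inferred from the output quoted in the thread.
"""
import re

# The six alternatives from the local.bro redef quoted in the thread.
LOCAL_HOSTNAME_PATTERNS = [
    r"^d?ns[0-9]*\.", r"^smtp[0-9]*\.", r"^mail[0-9]*\.",
    r"^pop[0-9]*\.", r"^imap[0-9]*\.", r"^www[0-9]*\.",
]
# The stock policy additionally matches ftp hosts (the alternative the redef drops).
STOCK_HOSTNAME_PATTERNS = LOCAL_HOSTNAME_PATTERNS + [r"^ftp[0-9]*\."]

# The manager's printed value, copied from the thread (enclosing slashes removed).
MANAGER_PRINTED = (
    r"(((((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))|(^?(^mail[0-9]*\.)$?))"
    r"|(^?(^pop[0-9]*\.)$?))|(^?(^imap[0-9]*\.)$?))|(^?(^www[0-9]*\.)$?)"
)


def bro_pattern_text(patterns):
    """Fold pattern literals left to right the way Bro's '|' operator does
    (assumed rule): /p/ is stored as ^?(p)$?, and a|b as (a)|(b)."""
    stored = ["^?(" + p + ")$?" for p in patterns]
    acc = stored[0]
    for s in stored[1:]:
        acc = "(" + acc + ")|(" + s + ")"  # one more wrapping paren per alternative
    return acc


def alternative_count(printed):
    """Recover the number of alternatives from a printed pattern: the nesting
    contributes exactly one leading '(' per alternative beyond the first."""
    return len(printed) - len(printed.lstrip("(")) + 1


def compile_hostname_pattern(patterns):
    """Python stand-in for Bro's 'pattern in hostname' test. The optional
    anchors ^?/$? are not valid in Python's re, so the alternatives are
    searched unanchored; each one still carries its own leading ^."""
    return re.compile("|".join("(?:" + p + ")" for p in patterns))


def is_interesting(hostname, patterns):
    """True when the hostname would be flagged under the given alternatives."""
    return compile_hostname_pattern(patterns).search(hostname) is not None


def nodes_disagreeing(reported):
    """Given {node: printed_pattern}, return the nodes whose alternative count
    differs from the manager's, i.e. nodes likely still running stale config."""
    want = alternative_count(reported["manager"])
    return sorted(n for n, p in reported.items() if alternative_count(p) != want)


if __name__ == "__main__":
    # Constructed cluster report mirroring the one in the thread.
    reported = {
        "manager": bro_pattern_text(LOCAL_HOSTNAME_PATTERNS),
        "proxy-1": bro_pattern_text(LOCAL_HOSTNAME_PATTERNS),
        "worker-1": bro_pattern_text(LOCAL_HOSTNAME_PATTERNS),
        "worker-2": bro_pattern_text(STOCK_HOSTNAME_PATTERNS),
    }
    for node, text in reported.items():
        print(f"{node:>9}  alternatives={alternative_count(text)}  {text}")
    print("nodes disagreeing with manager:", nodes_disagreeing(reported))
    print("ftp3.example.org flagged under local redef:",
          is_interesting("ftp3.example.org", LOCAL_HOSTNAME_PATTERNS))
```

Running it prints the same four lines of nesting as the `print SSH::interesting_hostnames` output above and names worker-2 as the odd node out; comparing the alternative count per node is a quick sanity check to run after a deploy when one worker's output looks different.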
