[Bro] bro_beacons.bro - bad conversion to count
Johanna Amann
johanna at icir.org
Tue Jun 13 10:11:13 PDT 2017
The problem is that a negative number was passed to double_to_count; count
is an unsigned integer value and cannot represent that.
At first glance, I am not quite sure why all those conversions take
place in the first place - it seems to convert from an interval to double,
then to count, and then back to interval. I would just try to either skip
the conversions altogether, or if the idea is to get rid of the positions
after the decimal place, to convert to int instead.
I hope that helps,
Johanna
On Tue, Jun 13, 2017 at 08:59:34PM +0530, Vikram Basu wrote:
> Hi,
>
> I am using the bro_beacons.bro script and it is generating multiple errors like
>
> 1486782334.477425 error in /usr/local/bro/share/bro/site/bro_beacons.bro, line 46: bad conversion to count (double_to_count(interval_to_double(BEACON::collection[BEACON::i + (coerce 1 to int)] - BEACON::collection[BEACON::i])) and -3.57259)
>
> Here is the script in question
>
>
> #Author: Nick Hoffman / securitykitten.github.io / @infoseckitten
> #Description: A bro script to find beacons
>
> module BEACON;
>
> @load base/protocols/http
>
> #this is our master collection, we'll use this to store all our information
> global master_collection: table[addr,addr] of vector of time &synchronized;
>
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         #id: conn_id &log;
>         local_host: addr &log;
>         remote_host: addr &log;
>         entropy: double &log;
>     };
>     global log_beacon: event(rec: Info);
>
>     # Add hosts to ignore with:
>     # redef BEACON::whitelist += {192.168.0.1/32, 192.168.1.0/24}
>     const whitelist: set [subnet] = set() &redef;
>
> }
> event bro_init()
> {
>     Log::create_stream(BEACON::LOG, [$columns=Info, $ev=log_beacon]);
> }
>
> function calculate_entropy(host: addr, server: addr): double
> {
>     local collection = master_collection[host,server];
>     local entropy: count;
>     local length = |collection|;
>     local intervals = vector();
>     local pmf: table[time] of double;
>     local probs: table[time] of double;
>     local sum: double;
>     sum = 0;
>     for (i in collection) {
>         if ( i+1 >= length )
>             break;
>         else {
>             intervals[i] = double_to_interval(double_to_count(interval_to_double(collection[i+1] - collection[i])));
>         }
>     }
>
>     #i don't like this solution, oh well
>     for (i in intervals) {
>         if ( intervals[i] !in pmf )
>             pmf[intervals[i]] = 1;
>         else
>             pmf[intervals[i]] += 1;
>     }
>     #calculate the probabilities
>     for (i in intervals) {
>         probs[intervals[i]] = pmf[intervals[i]] / |intervals|;
>     }
>     for (k in probs) {
>         sum += probs[k] * (log10(probs[k]) / log10(2.0));
>     }
>     if (double_to_time(0.0) in probs) {
>         if (probs[double_to_time(0.0)] > 0.3)
>             sum = 4;
>     }
>     #debug statement
>     #print fmt("host:%s,server:%s,entropy:%s,interval:%s",host,server,|sum|,intervals);
>     return |sum|;
> }
>
> #we'll start with http posts, in the case that
> event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) {
>     #declare variables
>     local host: addr;
>     local server: addr;
>     local ts: time;
>     local uid: string;
>     local entropy_result: double;
>
>     for (sn in whitelist) {
>         if (c$id$resp_h in sn || c$id$orig_h in sn )
>             return;
>     }
>
>     if ( method == "POST" || method == "GET" ) {
>         #grab the relevant information
>         host = c$id$orig_h;
>         server = c$id$resp_h;
>         ts = c$start_time;
>         uid = c$uid;
>         if ( [host,server] !in master_collection ){
>             master_collection[host,server] = vector(ts) ;
>         }
>         else {
>             master_collection[host,server][|master_collection[host,server]|] = ts;
>             if ( |master_collection[host,server]| > 12) {
>                 entropy_result = calculate_entropy(host,server);
>                 if (entropy_result < 0.75 ) {
>                     print fmt("%s - beacon %s and %s", ts, host, server);
>                     local rec: BEACON::Info = [$ts=ts, $entropy=entropy_result,$local_host=host,$remote_host=server];
>                     Log::write(BEACON::LOG, rec);
>                 }
>                 master_collection[host,server] = vector();
>             }
>         }
>     }
> }
>
>
>
> Can anyone tell me how to solve this?
>
> The issue seems to be this line
> intervals[i] = double_to_interval(double_to_count(interval_to_double(collection[i+1] - collection[i])));
>
> Help?
>
> Regards
>
> Vikram Basu
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
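The following Bro script is an added example written for this page; it is neither part of the thread nor Nick Hoffman's bro_beacons.bro. It applies the second option from the reply above: the gap between consecutive timestamps is truncated to whole seconds through int (double_to_int / int_to_double, both standard Bro built-ins) instead of count, so a negative gap such as the -3.57259 in the error message is representable and no longer raises "bad conversion to count". The entropy function mirrors the shape of the posted calculate_entropy but keys its table by interval rather than time and keeps the probability arithmetic in double. The timestamps in bro_init are constructed for the demonstration and are not real traffic.

```zeek
module BEACON;

# Truncate an interval to whole seconds without going through count.
# double_to_int rounds towards zero and accepts negative input, so a gap
# computed from two timestamps that are not in increasing order is kept
# instead of aborting the script at run time.
function whole_seconds(iv: interval): interval
    {
    return double_to_interval(int_to_double(double_to_int(interval_to_double(iv))));
    }

# Shannon entropy, in bits, of the truncated gaps between consecutive
# timestamps. Same structure as the posted calculate_entropy, but the
# table is keyed by interval (which is what the gaps are) rather than
# time, and counts are kept as doubles so the division is not integer.
function interval_entropy(ts: vector of time): double
    {
    local pmf: table[interval] of double;
    local n = 0.0;

    for ( i in ts )
        {
        if ( i + 1 >= |ts| )
            break;

        local gap = whole_seconds(ts[i + 1] - ts[i]);
        if ( gap !in pmf )
            pmf[gap] = 0.0;
        pmf[gap] += 1.0;
        n += 1.0;
        }

    local sum = 0.0;
    for ( g in pmf )
        {
        local p = pmf[g] / n;
        sum += p * (log10(p) / log10(2.0));
        }

    # sum is <= 0, so the absolute value is the (non-negative) entropy.
    return |sum|;
    }

event bro_init()
    {
    # Constructed sample timestamps (not real traffic). All gaps in
    # "regular" truncate to 5 s, so its entropy is 0; "jittered" has
    # varied gaps; "out_of_order" contains one timestamp earlier than its
    # predecessor, i.e. the negative-gap case from the original error,
    # which now simply becomes its own bucket rather than a run-time error.
    local regular = vector(double_to_time(100.0), double_to_time(105.1),
                           double_to_time(110.2), double_to_time(115.6),
                           double_to_time(120.9));
    local jittered = vector(double_to_time(100.0), double_to_time(103.2),
                            double_to_time(110.9), double_to_time(112.1),
                            double_to_time(119.5));
    local out_of_order = vector(double_to_time(100.0), double_to_time(105.0),
                                double_to_time(101.4), double_to_time(110.0));

    print fmt("regular:      %s", interval_entropy(regular));
    print fmt("jittered:     %s", interval_entropy(jittered));
    print fmt("out-of-order: %s", interval_entropy(out_of_order));
    }
```

Run it with `bro <file>.bro` and the three entropies are printed at startup. If you would rather treat a negative gap as bad data than as a bucket, test `gap < 0secs` inside the loop and skip that pair; and if your Bro lacks double_to_int, `double_to_interval(floor(interval_to_double(iv)))` gives the same whole-second bucketing while still accepting negative values.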