[Bro] The code for "weird" logging activity.
Azoff, Justin S
jazoff at illinois.edu
Mon Oct 16 13:01:44 PDT 2017
> On Oct 16, 2017, at 3:58 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Hey All,
>
> So, I was going through the weird.log file generated by bro every hour,
> and found a lot of activity that I would like to suppress, and for some
> activity I would like to know the source (i.e. what part of bro code is raising those
> "weird" activity logs in the weird.log) to analyse whether it's legit or can be suppressed.
>
> For example, I would like to suppress "DNS_RR_unknown_type 46", as it is,
> I think, not an unknown type: it's defined in RFC 4034 as "RRSIG" (and some other similar weird activity).
>
> Hence, wanted to see what code during packet analysis might have raised one of the *_weird events to log that connection.
>
> I was searching for the string "weird" in an effort to find the Bro scripts
> that either load weird or create a log stream in weird.log, but couldn't find the code/script
> that is responsible for those notices in weird.log
Ah.. it's also 'Weird' inside of analyzers, so 'weird' would not have found it:
$ git grep DNS_RR_unknown_type
CHANGES: * DNS: Log the type number for the DNS_RR_unknown_type weird. (Vlad Grigorescu)
scripts/base/frameworks/notice/weird.bro: ["DNS_RR_unknown_type"] = ACTION_LOG,
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log:1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro
$ git grep 'analyzer->Weird'
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_header_lacks_magic");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_unexpected_flow_direction");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_negative_or_zero_length_link_layer");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_first_application_layer_chunk_missing");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird(fmt("dnp3_corrupt_%s_checksum", where));
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_len_lt_hdr_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_Conn_count_too_large");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_quest_too_short");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_ans_too_short");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_NAME_too_long");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_forward_compress_offset");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_len_gt_pkt");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_too_long");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_len_gt_name_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_bad_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_AAAA_neg_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_A6_neg_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_TXT_char_str_past_rdlen");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_CAA_char_str_past_rdlen");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird(msg);
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("illegal_%_at_end_of_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("partial_escape_at_end_of_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("double_%_in_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("unescaped_%_in_URI");
src/analyzer/protocol/ncp/NCP.cc: analyzer->Weird(e.msg().c_str());
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("deficit_netbios_hdr_len");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_raw_session_msg");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("no_smb_session_using_parsesambamsg");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_server_session_request");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/rpc/RPC.cc: analyzer->Weird(msg);
src/analyzer/protocol/tcp/TCP_Reassembler.cc: tcp_analyzer->Weird("above_hole_data_without_any_acks");
src/analyzer/protocol/tcp/TCP_Reassembler.cc: tcp_analyzer->Weird("excessive_data_without_further_acks");
src/analyzer/protocol/teredo/Teredo.h: { analyzer->Weird(name); }
$
—
Justin Azoff
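As an added example (not code from this thread and not part of Bro itself), here is a local.bro snippet for the Bro 2.5 script API that suppresses only the RRSIG case while keeping genuinely unknown types in weird.log. The weird's name is "DNS_RR_unknown_type" and the type number lands in the optional addl field, so a blanket entry in Weird::actions cannot distinguish type 46 from a real unknown; a predicate on the Weird::LOG default filter can. The set name known_but_unparsed_dns_types is an assumption introduced for this example.

```bro
# Added example for Bro 2.5; not from the thread or from the Bro repository.
# Assumes the stock scripts/base/frameworks/notice/weird.bro, which declares
# Weird::LOG, Weird::Info (with an &optional addl field) and Weird::actions.
@load base/frameworks/notice/weird

# Constructed set (assumed name) of DNS type numbers the DNS analyzer reports
# as unknown but which are assigned in the IANA registry. 46 is RRSIG, per
# RFC 4034. Add further numbers here rather than widening the predicate.
const known_but_unparsed_dns_types: set[string] = { "46" } &redef;

event bro_init()
    {
    # Replace the default filter of Weird::LOG (add_filter with an existing
    # name replaces that filter). The predicate drops only rows that are
    # DNS_RR_unknown_type with an addl value in the set above; every other
    # weird, including other unknown DNS type numbers, is still written.
    Log::add_filter(Weird::LOG, [$name="default",
        $pred(rec: Weird::Info) = {
            return ! (rec$name == "DNS_RR_unknown_type" &&
                      rec?$addl &&
                      rec$addl in known_but_unparsed_dns_types);
        }]);
    }

# Blanket alternative, shown disabled: this drops every DNS_RR_unknown_type
# weird at the framework level, before logging, regardless of type number.
# It is simpler but hides truly unknown types as well.
# redef Weird::actions += { ["DNS_RR_unknown_type"] = Weird::ACTION_IGNORE };
```

The filter approach only affects what is written to weird.log: the weird event itself still fires, so it still counts toward the weird framework's per-connection and per-originator sampling, whereas Weird::ACTION_IGNORE stops it earlier. Either way, the suppression does not make Bro parse RRSIG records; the analyzer still skips the rdata for that type, which is exactly what the line in src/analyzer/protocol/dns/DNS.cc above is reporting.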