[Bro] issues with binpac and bro 253

Jon Siwek jsiwek at corelight.com
Fri May 25 13:26:09 PDT 2018


On Fri, May 25, 2018 at 11:35 AM, erik clark <philosnef at gmail.com> wrote:
> {"ts":1526476092.155226,"uid":"CLBfQGYsYuPPYghW6","id.orig_h":"10.171.248.5","id.orig_p":59860,"id.resp_h":"10.171.3.35","id.resp_p":5901,"proto":"tcp","analyzer":"RFB","failure_reason":"Binpac exception: binpac exception: out_of_bound: RFBVNCAuthenticationResponse:response: 16 > 4"}
> {"ts":1526902777.802284,"uid":"CRbgOr2vlXZquGHbC4","id.orig_h":"10.171.253.5","id.orig_p":51389,"id.resp_h":"209.208.26.64","id.resp_p":1883,"proto":"tcp","analyzer":"MQTT","failure_reason":"Binpac exception: binpac exception: out_of_bound: MQTT_string:str: 258 > 2"}
> {"ts":1526385277.166233,"uid":"Cp5ewt2gFK34Hk2vSg","id.orig_h":"128.154.164.150","id.orig_p":59357,"id.resp_h":"10.171.253.18","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -82 > 30"}
> {"ts":1526385276.305273,"uid":"CEv2fC11PlksxaS5Tf","id.orig_h":"128.154.164.150","id.orig_p":59356,"id.resp_h":"10.171.253.15","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT:cookie: 16 > 4"}
> {"ts":1526385714.957199,"uid":"CKBKhA2vqPokc34a43","id.orig_h":"128.154.164.150","id.orig_p":59463,"id.resp_h":"10.171.253.6","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -154 > 30"}
>
>
> The ssh analyzer and rfb analyzer are both throwing binpac exceptions; also,
> so is the newly converted MQTT plugin that Seth built. Why are these
> failing? I do not have pcap. I would like to know why the ssh analyzer
> specifically would be failing. This is a new install of bro and we do not
> have an old version on this network to compare dpd logs on. Thanks!

The general reason for those would be that the analyzer/parser was
given input that does not match its protocol definition.  It's either
legitimately failing to parse malformed traffic or the analyzer has
not defined the protocol specification in a way that matches the
actual implementation/spec.  It's difficult to say which case it is
without a pcap, but it's also not necessarily alarming to see these
unless there's an overwhelming amount of it or you had previous logs
to compare with and suddenly see a big difference.

- Jon
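An added example (not code from this thread or from Bro itself) of the triage Jon describes: parse JSON dpd.log records for binpac out_of_bound failures, count them per analyzer and field, and compare against a baseline so that "an overwhelming amount" or a sudden jump stands out. The log lines are constructed in the same shape as the ones quoted above; the `_rec` helper and the spike thresholds are assumptions.

```python
import json
import re
from collections import Counter

# binpac reports "out_of_bound: <type>[:<field>]: <bytes needed> > <bytes available>"
OOB_RE = re.compile(r"out_of_bound:\s*(?P<field>.+?):\s*(?P<need>-?\d+)\s*>\s*(?P<have>\d+)")


def parse_dpd_line(line):
    """Parse one JSON dpd.log record; return None unless it is a binpac
    out_of_bound failure (other failure reasons are ignored here)."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    m = OOB_RE.search(rec.get("failure_reason", ""))
    if not m:
        return None
    need, have = int(m.group("need")), int(m.group("have"))
    return {"uid": rec.get("uid"), "analyzer": rec.get("analyzer"),
            "field": m.group("field"), "need": need, "have": have,
            # Heuristic: a short read gives a small positive "need"; a negative
            # byte count points at the analyzer's own length arithmetic.
            "negative_length": need < 0}


def summarize(lines):
    """Count binpac out_of_bound failures per (analyzer, field)."""
    counts = Counter()
    for rec in filter(None, map(parse_dpd_line, lines)):
        counts[(rec["analyzer"], rec["field"])] += 1
    return counts


def flag_spikes(current, baseline, factor=3.0, min_count=5):
    """Keys whose count exceeds `factor` times the baseline (e.g. yesterday's
    dpd.log), ignoring low-volume noise below `min_count`."""
    return sorted(k for k, n in current.items()
                  if n >= min_count and n > factor * baseline.get(k, 0))


def _rec(uid, analyzer, reason):  # assumed helper building a constructed record
    return json.dumps({"ts": 1526385277.1, "uid": uid, "proto": "tcp",
                       "analyzer": analyzer, "failure_reason": reason})


BINPAC = "Binpac exception: binpac exception: out_of_bound: "
SAMPLE = [  # constructed dpd.log lines in the same shape as the ones quoted above
    _rec("C1", "SSH", BINPAC + "SSH2_KEXINIT: -82 > 30"),
    _rec("C2", "SSH", BINPAC + "SSH2_KEXINIT:cookie: 16 > 4"),
    _rec("C3", "RFB", BINPAC + "RFBVNCAuthenticationResponse:response: 16 > 4"),
    _rec("C4", "HTTP", "not a binpac failure at all"),
] + [_rec("M%d" % i, "MQTT", BINPAC + "MQTT_string:str: 258 > 2") for i in range(6)]
```

Feed `summarize()` the lines of today's dpd.log and pass a previous day's counts as the baseline; records flagged with `negative_length` are the ones worth raising with the analyzer's author rather than attributing to odd traffic.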
