[Bro] Notice and Sumstats and how to whitelist IPs

Dillon Murphy DMurphy at lfcu.com
Thu Sep 6 13:02:30 PDT 2018


Hey Justin,

I thought the same thing, but I rechecked the IP over and over again and it is correct. I’ve also added the whitelist to the script in many different ways, but still had no luck. I’ve been able to get this to work easily on all scripts that don’t load the sumstats framework. I’ve rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I’ve tried to break and return in functions and events, but that didn’t work.

I’ve even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what’s in the whitelist. I’m no major bro scripting expert, but my vendor’s engineer is a well-known bro scripter, and if they had no luck, my chances are slim.

It seems that it should be as easy as returning on any matching IP, but I guess not. I don’t know what I’m missing, and I’m running out of ideas.

If you have any questions, please let me know.

Thank you for looking at my post!

---------------------------------------------------------------
Dillon Murphy ▪ Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 ▪ Burbank, CA 91510
(818) 565-2547 Direct
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com ▪ www.lfcu.com


From: Azoff, Justin S <jazoff at illinois.edu>
Sent: Thursday, September 06, 2018 6:41 AM
To: Dillon Murphy <DMurphy at lfcu.com>
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs


> On Sep 5, 2018, at 6:18 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
>
> Hello everyone,
>
> I can’t seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.
>
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
>     redef enum Notice::Type += {
>         notice::icmp_data_exfil,
>     };
>
>     const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
>     const icmp_interval = 2min &redef;
>     const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c: connection)
>     {
>     # Whitelisted hosts must be skipped before any observation is recorded.
>     if ( c$id$orig_h in frequent_icmp_senders ) return;
>     if ( c$id$resp_h in frequent_icmp_senders ) return;
>
>     SumStats::observe("Messages",
>                       SumStats::Key($host=c$id$orig_h),
>                       SumStats::Observation($num=1));
>     }
>

That looks right to me.
If the orig or resp hosts are in frequent_icmp_senders observe() will never be called
and the connections will be effectively ignored.

This issue wouldn't have anything to do with sumstats. If there is a problem it would be with the
logic in how observe() is called initially. It could be as simple as a typo of the IP in the frequent senders set.

—
Justin Azoff
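For readers following this thread, here is an added, self-contained example (not code from either poster) showing the complete pattern Justin describes: the whitelist is applied at the point where SumStats::observe() is called, and the notice is raised from the threshold_crossed callback. It assumes current Zeek naming (zeek_init; on Bro 2.x the event is bro_init). The stream name "icmp_msgs", the notice type ICMP_Data_Exfil, the SumStats name "icmp-exfil" and the sample subnet 192.0.2.10/32 are all made-up values for illustration.

```zeek
# Added example, not from the mailing-list thread. Demonstrates where a
# whitelist belongs relative to the SumStats framework. Stream, notice and
# address values below are constructed for illustration only.
@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        ## Raised when a single host sends more ICMP messages than
        ## icmp_threshold within one icmp_interval epoch.
        ICMP_Data_Exfil,
    };

    ## Hosts or subnets expected to send a lot of ICMP (e.g. an authorised
    ## network scanner). Checked BEFORE any observation is recorded.
    const frequent_icmp_senders: set[subnet] = { 192.0.2.10/32 } &redef;

    ## Length of each counting epoch.
    const icmp_interval = 2min &redef;

    ## Number of ICMP messages per epoch that trips the notice.
    const icmp_threshold = 120.0 &redef;
}

event zeek_init()
    {
    # One reducer that sums every observation made against the "icmp_msgs" stream.
    local r1 = SumStats::Reducer($stream="icmp_msgs", $apply=set(SumStats::SUM));

    SumStats::create([$name="icmp-exfil",
                      $epoch=icmp_interval,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key (source host).
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["icmp_msgs"]$sum;
                          },
                      $threshold=icmp_threshold,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # Whitelisted hosts never reach this callback, because no
                          # observation is ever recorded for them. This check is
                          # purely defensive, e.g. against a second observe() path.
                          if ( key$host in frequent_icmp_senders )
                              return;

                          NOTICE([$note=ICMP_Data_Exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %.0f ICMP messages in %s",
                                           key$host, result["icmp_msgs"]$sum,
                                           icmp_interval),
                                  $identifier=cat(key$host)]);
                          }]);
    }

function check_icmp(c: connection)
    {
    # The whitelist must be applied here, at the point of observation. Once an
    # observation is recorded, SumStats aggregates it and evaluates the
    # threshold regardless of which host it came from.
    if ( c$id$orig_h in frequent_icmp_senders || c$id$resp_h in frequent_icmp_senders )
        return;

    SumStats::observe("icmp_msgs",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event connection_state_remove(c: connection)
    {
    # Only feed ICMP connections into the counter.
    if ( get_port_transport_proto(c$id$resp_p) == icmp )
        check_icmp(c);
    }
```

If notices still fire for a whitelisted host with a script shaped like this, the practical check is to confirm that every call to SumStats::observe() for the stream goes through the guarded function (a second, unguarded observe() elsewhere will still count), and that the address in the set really is the one appearing as key$host in the notice.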
