Greetings all,
I am new to Bro, and I hope you can help me.
I read the following documentation:
https://www.bro.org/sphinx-git/frameworks/notice.html
Exactly, this part of the code:
…
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
        add n$actions[Notice::ACTION_EMAIL];
    }
…
And write it in the file …/local.bro
But when I generate an attack against the IP (10.0.0.1), I get an error: “field value missing [n$id]”.
I use bro -i eth0 local to debug the logs live.
I made many changes, and I also used “$id?$resp_h” to check for errors, and I got the same error. I am sorry, but I am new to Bro and I would like to know how I can fix that.
Thank you
Javier
Sorry, the documentation here is out of date. The SSH::Password_Guessing notice now seems able to track a guesser across multiple servers, so in order to check if they attempted a certain server, you’d have to inspect the value of n$sub to see if it’s mentioned there. E.g.:
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing && /10\.0\.0\.1/ in n$sub )
        add n$actions[Notice::ACTION_EMAIL];
    }
- Jon
Javier,
To add to what Jon said…
In this case you’re hitting a situation where not all Notices are created equal.
I believe, for SSH::Password_Guessing, the connection ‘id’ itself isn’t populated, so the n$id isn’t there to reference n$id$resp_h from. It will have an n$src if you wanted the originator, but for recipient you need to look at the notice subject (see Jon’s message). The recipients listed there are a sampled set.
-Dop
Hi,
Thank you for your answers; they clarified part of my doubt. I got successful results using the two methods:
e.g.,
if ( n$note == SSH::Password_Guessing && /11\.1\.1\.7/ in n$sub )
    print fmt("testing1");
or
if ( n$note == SSH::Password_Guessing && n$src == )
    print fmt("testing2");
I also looked at notice.log, and I understand why I get these values (sub, src).
But I’d like to understand why notice.log doesn’t populate the fields “id.orig_h, id.resp_h”.
You told me that “the connection ‘id’ itself isn’t populated, so the n$id isn’t there to reference n$id$resp_h from”,
but I wonder if there is some way to populate these fields (id.orig_h, id.resp_h, …) for this type of event (SSH::Password_Guessing)?
Thank you,
Javier
There are a couple of things going on that make this tricky.
- First, the SSH::Password_Guessing notice is built up using SumStats in:
share/bro/policy/protocols/ssh/detect-bruteforcing.bro
It’s only keeping track of 5 sample targets and the default limit to cause a notice is 30 attempts (which you can change).
- The other problem is that a notice line with a connection identifier (c$id) can only have one connection id that populates orig_h, resp_h, etc. For the code that creates SSH::Password_Guessing, you’re dealing with lots of different connections.
…
However, with Bro, most things are typically possible, we just need to think about it in a roundabout sort of way. My two immediate thoughts are: you could write your own policy that keeps all of the target information (more memory intensive) and write out the c$id info for each target, or you can get more aggressive with your guess limit and just set the limit at 5. Then the notice subject sample size will (usually?) be all of your targets. That’d be something like this in your local.bro:
redef SSH::password_guesses_limit = 5;
-Dop
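As an added example (not code posted in this thread), here is a local.bro fragment that puts both of Dop's suggestions together: it lowers the guess limit to 5, guards the n$sub check with n?$sub since the field is optional, and records every (guesser, target) connection id itself so the hook can report targets the 5-entry sample in n$sub may have dropped. It assumes Bro 2.4 or later, where the SSH analyzer raises ssh_auth_failed, and the module name SSHTargets is made up for this example.

```bro
# Added example, not from the mailing list thread. Assumes Bro 2.4+ (ssh_auth_failed).

# Suggestion 2: lower the threshold so the sampled servers in n$sub usually
# cover every target that was tried.
redef SSH::password_guesses_limit = 5;

module SSHTargets;

export {
    ## Targets seen per guessing host, with the conn_id of the failed login,
    ## so orig_h/resp_h are available even though the notice has no n$id.
    global targets: table[addr] of table[addr] of conn_id &create_expire=30min;
}

# Suggestion 1: keep our own record of each (guesser, target) pair as failed
# logins happen, instead of relying on the sampled set in the notice subject.
event ssh_auth_failed(c: connection)
    {
    local guesser = c$id$orig_h;
    if ( guesser !in targets )
        targets[guesser] = table();
    targets[guesser][c$id$resp_h] = c$id;
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        {
        # n$sub is &optional, so test for presence before matching on it.
        if ( n?$sub && /10\.0\.0\.1/ in n$sub )
            add n$actions[Notice::ACTION_EMAIL];

        # n$src is the guesser; report every target recorded for it.
        if ( n?$src && n$src in targets )
            {
            for ( t in targets[n$src] )
                {
                local id = targets[n$src][t];
                print fmt("%s guessed %s (%s:%s -> %s:%s)",
                          n$src, t, id$orig_h, id$orig_p, id$resp_h, id$resp_p);
                }
            }
        }
    }
```

The table only holds targets for 30 minutes after each entry is created, which matches the default guessing window; raise &create_expire if your notice interval is longer.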