issues with binpac and bro 253

{"ts":1526476092.155226,"uid":"CLBfQGYsYuPPYghW6","id.orig_h":"10.171.248.5","id.orig_p":59860,"id.resp_h":"10.171.3.35","id.resp_p":5901,"proto":"tcp","analyzer":"RFB","failure_reason":"Binpac exception: binpac exception: out_of_bound: RFBVNCAuthenticationResponse:response: 16 > 4"}

{"ts":1526902777.802284,"uid":"CRbgOr2vlXZquGHbC4","id.orig_h":"10.171.253.5","id.orig_p":51389,"id.resp_h":"209.208.26.64","id.resp_p":1883,"proto":"tcp","analyzer":"MQTT","failure_reason":"Binpac exception: binpac exception: out_of_bound: MQTT_string:str: 258 > 2"}

{"ts":1526385277.166233,"uid":"Cp5ewt2gFK34Hk2vSg","id.orig_h":"128.154.164.150","id.orig_p":59357,"id.resp_h":"10.171.253.18","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -82 > 30"}
{"ts":1526385276.305273,"uid":"CEv2fC11PlksxaS5Tf","id.orig_h":"128.154.164.150","id.orig_p":59356,"id.resp_h":"10.171.253.15","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT:cookie: 16 > 4"}
{"ts":1526385714.957199,"uid":"CKBKhA2vqPokc34a43","id.orig_h":"128.154.164.150","id.orig_p":59463,"id.resp_h":"10.171.253.6","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -154 > 30"}

The SSH analyzer and RFB analyzer are both throwing binpac exceptions, and so is the newly converted MQTT plugin that Seth built. Why are these failing? I do not have a pcap. I would like to know why the SSH analyzer specifically would be failing. This is a new install of Bro and we do not have an old version on this network to compare dpd logs against. Thanks!

The general reason for those would be that the analyzer/parser was
given input that does not match its protocol definition. It's either
legitimately failing to parse malformed traffic or the analyzer has
not defined the protocol specification in a way that matches the
actual implementation/spec. It's difficult to say which case it is
without a pcap, but it's also not necessarily alarming to see these
unless there's an overwhelming amount of it or you had previous logs
to compare with and suddenly see a big difference.

- Jon
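As an added example (not part of the thread and not Bro's own tooling): a Python script that reads dpd.log JSON lines like the ones above, pulls the "bytes needed > bytes available" pair out of each binpac out_of_bound message, and tallies failures per analyzer and field, which gives the kind of baseline Jon suggests comparing against. The sample records are the thread's own lines trimmed to the fields used; reading a negative "needed" value as a parser-computed length gone below zero is my interpretation, not something the thread states.

```python
import json
import re
from collections import Counter

# Constructed sample input: the dpd.log records quoted in the thread, trimmed
# to the fields this script uses (ts, analyzer, failure_reason).
DPD_LINES = [
    '{"ts":1526476092.155226,"analyzer":"RFB","failure_reason":"Binpac exception: binpac exception: out_of_bound: RFBVNCAuthenticationResponse:response: 16 > 4"}',
    '{"ts":1526902777.802284,"analyzer":"MQTT","failure_reason":"Binpac exception: binpac exception: out_of_bound: MQTT_string:str: 258 > 2"}',
    '{"ts":1526385277.166233,"analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -82 > 30"}',
    '{"ts":1526385276.305273,"analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT:cookie: 16 > 4"}',
    '{"ts":1526385714.957199,"analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -154 > 30"}',
]

# binpac formats out_of_bound as "<type[:field]>: <bytes needed> > <bytes available>".
OOB_RE = re.compile(r"out_of_bound: (?P<field>.+?): (?P<needed>-?\d+) > (?P<avail>-?\d+)$")


def parse_failure(reason):
    """Return {'field', 'needed', 'avail'} for an out_of_bound message, else None."""
    m = OOB_RE.search(reason)
    if not m:
        return None
    return {"field": m["field"], "needed": int(m["needed"]), "avail": int(m["avail"])}


def load_entries(lines):
    """Parse JSON dpd.log lines and keep only binpac out_of_bound failures."""
    entries = []
    for line in lines:
        rec = json.loads(line)
        parsed = parse_failure(rec.get("failure_reason", ""))
        if parsed:
            parsed["analyzer"] = rec["analyzer"]
            entries.append(parsed)
    return entries


def summarize(lines):
    """Count failures per (analyzer, field) so volumes can be compared over time."""
    return Counter((e["analyzer"], e["field"]) for e in load_entries(lines))


def negative_lengths(lines):
    """Failures whose 'needed' value is negative. A length the parser computed from
    the data came out below zero (tripping binpac's overflow guard), so the input
    does not match what the grammar expects rather than merely being cut short."""
    return [e for e in load_entries(lines) if e["needed"] < 0]


if __name__ == "__main__":
    for (analyzer, field), n in summarize(DPD_LINES).most_common():
        print(f"{analyzer:5} {field:40} {n}")
    for e in negative_lengths(DPD_LINES):
        print("negative computed length:", e)
```

Run it over a real dpd.log (one JSON record per line) on two days' captures and the per-field counts show whether a burst is new or just the usual background of malformed or unsupported traffic.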