[security-onion] Bro IDS: binpac exception in dpd.log

Cross-posting over to bro list... I took a look on my own Bro cluster
built from git master 2.4-10 on RHEL 6.6, and I am seeing similar binpac
errors in dpd.log. Probably worthy of an issue report to the Bro team.

Also, it seems odd to see binpac error messages in dpd.log. This seems
more like something that would be in reporter.log, so I wonder if that
is intended? I also see some binpac errors for RDP and SSL in dpd.log.

Here are some more samples:

1439952507.945287 C0Zth33h2gy9HEGM4k 10.10.250.141 5070
10.10.146.171 5060 udp SIP Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 1702356679 1793741124 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5072 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.235601 CfnJdC2wJa7QObDdK7 10.10.250.141 5110
10.10.146.171 5060 udp SIP Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.245335 CfnJdC2wJa7QObDdK7 10.10.250.141 5110
10.10.146.171 5060 udp SIP Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " 2046637637 2105833686 IN IP4
10.10.250.141\x0d\x0as=sipcli\x0d\x0ac=IN IP4 10.10.250.141\x0d\x0at=0
0\x0d\x0am=audio 5111 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101
0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0
PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101
telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

1439952508.597857 C2vuSQ3duZlPtt6Njl 10.10.44.245 5060
10.10.7.100 5060 udp SIP Binpac exception: binpac
exception: string mismatch at
/nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected
pattern: ":"\x0aactual data: " version='1.0'
encoding='UTF-8'?><!--PUA--><presence
xmlns='urn:ietf:params:xml:ns:pidf'
xmlns:dm='urn:ietf:params:xml:ns:pidf:data-model'
xmlns:rpid='urn:ietf:params:xml:ns:pidf:rpid'
xmlns:c='urn:ietf:params:xml:ns:pidf:cipid'
entity='sip:CIO-EX90@EXAMPLE.COM '><tuple
id='f71ad0ae-dc51-4be2-977d-39c9ccc2d29b'><status><basic>open</basic></status></tuple></presence>"

Can you tell us what kind of error code you have in sip.log for this connection id?

I have similar errors, with user agent sipcli/v1.8 and result 401 Unauthorized, so that’s a scan of some kind.

I’ve filed a Bro bug

https://bro-tracker.atlassian.net/browse/BIT-1458

We might consider moving discussion to the Bro mailing list and/or BIT-1458, as the problem is not SO specific.

Yes, the corresponding entries in sip.log are for sipcli/v1.8, but with
result 404 Not Found. I am seeing a lot of repeating source addresses,
so it could very likely be a scanner.
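A small triage script for the dpd.log entries quoted above and for the repeating-source observation that closes the thread: it splits Bro 2.4 dpd.log records, undoes the \xHH escaping in the binpac "actual data" so the mis-parsed SDP bytes read as they were sent, and groups failures by analyzer and origin host. This is an added example, not code from the thread or from Bro; the sample records are constructed from the quoted entries (abbreviated, with the .pac path shortened), and the column order is the one Bro 2.4 writes.

```python
import re
from collections import defaultdict

# dpd.log columns in the order Bro 2.4 writes them (tab-separated in the real file).
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "analyzer", "failure_reason")
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")            # Bro's \xHH byte escaping
_ACTUAL = re.compile(r'actual data: "(.*)"\s*$', re.S)  # tail of a binpac string mismatch

# Constructed sample records, modelled on and abbreviated from the entries quoted above.
_REASON = ('Binpac exception: binpac exception: string mismatch at sip-protocol.pac:70: '
           '\\x0aexpected pattern: ":"\\x0aactual data: " %s"')
SAMPLE_LOG = "\n".join([
    "1439952507.945287\tC0Zth33h2gy9HEGM4k\t10.10.250.141\t5070\t10.10.146.171\t5060\tudp\tSIP\t"
    + _REASON % "1702356679 1793741124 IN IP4 10.10.250.141\\x0d\\x0as=sipcli\\x0d\\x0a",
    "1439952508.235601\tCfnJdC2wJa7QObDdK7\t10.10.250.141\t5110\t10.10.146.171\t5060\tudp\tSIP\t"
    + _REASON % "2046637637 2105833686 IN IP4 10.10.250.141\\x0d\\x0as=sipcli\\x0d\\x0a",
    "1439952508.597857\tC2vuSQ3duZlPtt6Njl\t10.10.44.245\t5060\t10.10.7.100\t5060\tudp\tSIP\t"
    + _REASON % "version='1.0' encoding='UTF-8'?><presence entity='sip:CIO-EX90@EXAMPLE.COM'/>",
])

def parse_dpd_line(line):
    """Split one record; failure_reason is last, so the spaces inside it survive."""
    parts = line.rstrip("\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed dpd.log record: %r" % line[:60])
    return dict(zip(FIELDS, parts))

def actual_data(reason):
    """Payload binpac saw where it expected its pattern, with the \\xHH escapes undone."""
    m = _ACTUAL.search(reason)
    return _ESCAPE.sub(lambda e: chr(int(e.group(1), 16)), m.group(1)) if m else None

def summarize(log_text):
    """{analyzer: {orig_h: {"count": n, "orig_ports": {...}}}} over binpac failures."""
    out = defaultdict(lambda: defaultdict(lambda: {"count": 0, "orig_ports": set()}))
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # blank lines and Bro's #fields/#types headers
            continue
        rec = parse_dpd_line(line)
        if "Binpac exception" not in rec["failure_reason"]:
            continue
        host = out[rec["analyzer"]][rec["id.orig_h"]]
        host["count"] += 1
        host["orig_ports"].add(int(rec["id.orig_p"]))
    return {a: dict(h) for a, h in out.items()}

def repeat_offenders(summary, analyzer, min_hits=2):
    """Origin hosts with at least min_hits failures for one analyzer, busiest first."""
    hosts = summary.get(analyzer, {})
    return sorted((h for h, e in hosts.items() if e["count"] >= min_hits),
                  key=lambda h: -hosts[h]["count"])
```

The decoded payload makes the failure readable: the SDP body (the "o=" line onward) is where the analyzer still expected a header and its ":" separator, and the per-host counts are what to join against sip.log on uid before deciding a source is a scanner.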