software/version-changes.bro comparison between the two versions.

Zeek
1

I was going through the version-changes.bro script, thinking of adding some software
to track the version changes, but realized that there is no comparison done between the
old version tracked and the version detected in “rec: Info” of log_software event.

Hence, was thinking to add a condition to check it before the notice is raised for the version
change, like following:
( or I might be missing something regarding the functionality of the script. :/)

event log_software(rec: Info)
{
local ts = tracked[rec$host];

if ( rec$name in ts )
{
local old = ts[rec$name];

Is it a potentially interesting version change?

if ( rec$name in interesting_version_changes )
{

if (software_fmt_version(old$version) != software_fmt_version(rec$version))
{ local msg = fmt(“%.6f %s switched from %s to %s (%s)”,
network_time(), rec$software_type,
software_fmt_version(old$version),
software_fmt(rec), rec$software_type);
NOTICE([$note=Software_Version_Change, $src=rec$host,
$msg=msg, $sub=software_fmt(rec)]);
}
}
}
}

Any thoughts? anybody using this script to track software changes?

Thanks,
Fatema.

2

It looks like that script is broken :frowning: The main software script that logs new software versions does:

    ts[info$name] = info;
    Log::write(Software::LOG, info);

and then the version changes script is doing

    local old = ts[rec$name]

But at that point old and rec are the same exact thing. It's possible to fix this, it just can't use the log_software event because at that point the "old" version has already been overwritten.

Another issue with the script is that the 'tracked' variable has a create expire of only 24h, so if the host is only seen every 48 hours, or if bro is restarted it won't know the version changed.

Newer features in Broker should allow interesting version changes to be tracked using persistent data stores. That would really fix the issue. There are similar things that need to be re-written for better tracking known hosts/known services/known certs.

I added this info to the existing ticket I had for this:

https://bro-tracker.atlassian.net/browse/BIT-1521

3

Thanks Justin for an update, will be awaiting the Broker integration for the new features/scripts.