Something is not clear to me concerning reporting

So, lets say that I have tcp ports 587 and 993 exposed on my firewall. I have bro running as a cluster on all interfaces. I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries. No alerts in email either (that I have seen). Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.

The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:

http://isc.sans.edu/tools/ipv6.html#form

can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it it in the logs.

Many thanks in advance, Sorry for rambling and if these are features in the works…

Ian

Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.

Ian

P.S. the IPv6 issue stands - still cannot quickly tell where the state if the TCP connection lies without SNORT for example….

Hi, Ian.

So, lets say that I have tcp ports 587 and 993 exposed on my firewall. I have bro running as a cluster on all interfaces. I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries. No alerts in email either (that I have seen). Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.

Are you referring to the connection summary e-mails? Notices are not reported there.

I think there's some difference in terminology. In Bro-land, scripts can generate notices. These vary in severity from informative (e.g. an MD5 hash was calculated for a file downloaded over HTTP) to critical (e.g. Bro just saw a social security number cross the wire in plaintext). Notices that are deemed particularly important are associated with the alarm action, which sends them to the alarm file.

You can customize what actions should be taken when a notice is generated. By default, though, notices just get logged to notice.log in your log directory (usually /usr/local/bro/logs). Similarly, connections get logged to conn.log, SMTP messages get logged to smtp.log, etc. If you'd like to be e-mailed when a particular notice occurs, you can redefine Notice::emailed_types in your local.bro (usually at: /usr/local/bro/share/bro/site/local.bro).

For example:

redef Notice::emailed_types += {
      SSH::Password_Guessing,
};

The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:

http://isc.sans.edu/tools/ipv6.html#form

can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it it in the logs.

This is a fairly non-standard setup. The more common setup that I'm aware of is running Bro at a single network boundary - generally at the border. That being said, what you could do is setup your workers so that each set monitors a type of interface (e.g. worker-dmz-01, worker-internal-01…worker-internal-03, etc.). One thing to keep in mind is that you'll see packets multiple times.

Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.

I'm not really sure what you're expecting to see if you just monitor 993 and 587. You won't see more than connections and SSL certificate information. What alarms are you expecting to receive?

P.S. the IPv6 issue stands - still cannot quickly tell where the state if the TCP connection lies without SNORT for example….

Have you looked in conn.log? You should be able to see information for both sides of the v6 connection, and that should at least tell you if you're dealing with link-local, expected v6 space on your network, or something else.

Hope that helps,

  --Vlad

Hmmm - I'm seeing entries in the smtp.log corresponding to port 587 usage, and in ssl.log for port 993. Look for matches with the uid field.

For example:
current/conn.log:1350512176.450169 BIbdijBoxM7 192.168.56.33 53510 74.125.142.108 993 tcp ssl 34.442713 1594 7349 SF T 0 ShADadFf 66 5038 65 10737 (empty)
current/ssl.log:1350512176.537618 BIbdijBoxM7 192.168.56.33 53510 74.125.142.108 993 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA imap.gmail.com - CN=imap.gmail.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US 1347450949.000000 1370634207.000000 - 2307e65204ec0e45659b391063f0e795 ok

Hi, Ian.

<snip just to reduce the size>

Are you referring to the connection summary e-mails? Notices are not
reported there.

I think there's some difference in terminology. In Bro-land, scripts
can generate notices. These vary in severity from informative (e.g. an
MD5 hash was calculated for a file downloaded over HTTP) to critical
(e.g. Bro just saw a social security number cross the wire in
plaintext). Notices that are deemed particularly important are
associated with the alarm action, which sends them to the alarm file.

You can customize what actions should be taken when a notice is
generated. By default, though, notices just get logged to notice.log
in your log directory (usually /usr/local/bro/logs). Similarly,
connections get logged to conn.log, SMTP messages get logged to
smtp.log, etc. If you'd like to be e-mailed when a particular notice
occurs, you can redefine Notice::emailed_types in your local.bro
(usually at: /usr/local/bro/share/bro/site/local.bro).

For example:

redef Notice::emailed_types += {
      SSH::Password_Guessing,
};

Thanks, I will look into that. I think the non-standard cluster configuration I have running (one worker per interface with distinct names) seems to be working for my dmz/internet works. I really need to sit down and review the all the logs for the specific worker associated with my external interface and see what is there. That will be tonight’s job. I may have to do as you suggest and look into the scripts. I have only been running bro for a couple of days now to get familiar with it.

The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:

http://isc.sans.edu/tools/ipv6.html#form

can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it it in the logs.

This is a fairly non-standard setup. The more common setup that I'm
aware of is running Bro at a single network boundary - generally at
the border. That being said, what you could do is setup your workers
so that each set monitors a type of interface (e.g. worker-dmz-01,
worker-internal-01…worker-internal-03, etc.). One thing to keep in
mind is that you'll see packets multiple times.

Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.

I'm not really sure what you're expecting to see if you just monitor
993 and 587. You won't see more than connections and SSL certificate
information. What alarms are you expecting to receive?

To be fair – it was late for me. I just did a quick unpacking of the logs and grep’ed.

Well, what I am really trying to do is log all connections to particular ports on a particular interface which I deem is of critical importance. This might be a scripting lesson for me to tackle (assuming the connections are not currently being recorded for whatever reason) or alarm modification. I can also depend on pf to keep doing this – it probably makes more sense just to keep pf doing this as it does currently for me. I was just concerned (confused) because the summary is listing connections to/from the internal/dmz networks for DNS, OSSEC, standard proxy/WWW ports but not for the external interface (or so it seems) and I wondered why. I should say that I am seeing incoming connection reports for HTTP/HTTPS in the summary – just not the rest.

P.S. the IPv6 issue stands - still cannot quickly tell where the state if the TCP connection lies without SNORT for example….

Have you looked in conn.log? You should be able to see information
for both sides of the v6 connection, and that should at least tell you
if you're dealing with link-local, expected v6 space on your network,
or something else.

I will.

Thanks,

Ian

If I understood you right from the earlier email, you are seeing IPv6 in your conn.log which you aren't expecting to see. Is that right? If it is, could you send some of these unexpected log lines containing IPv6 address space? There are a couple of things I could imagine that are going on here which could cause that.

Thanks,

  .Seth

<trimming the logs>

This is link-local multicast traffic. It's just a host or hosts on your network looking around for other hosts using a neighbor solicitation ICMP message. This is totally unrelated to if you "have" IPv6 or not since it's only intended for other hosts on your local network and have nothing to do with your gateway.

Anyway, moving forward, I went back and read your initial message and I think you might be a little confused about what Bro is doing and what it's intended to do. Could you try clarifying your questions and better explain the output you are looking for?

Thanks,
  .Seth