Strange behavior with interesting-hostnames.bro

I have people connecting to an ftp server on my network via port 22, which is triggering the SSH::interesting_hostnames notice. I'm guessing this is for sftp, but either way it's not something I'm concerned with.

Easy question:

In my local.bro I'm trying to redef the interesting_hostnames variable to remove the ftp regex. Reference: bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro

//
redef SSH::interesting_hostnames = {
                        /^d?ns[0-9]*\./ |
                        /^smtp[0-9]*\./ |
                        /^mail[0-9]*\./ |
                        /^pop[0-9]*\./ |
                        /^imap[0-9]*\./ |
                        /^www[0-9]*\./};
//

I've also tried it without the brackets, {}.

Both are accepted by broctl, but neither actually seem to do anything as the script continues to match port 22 traffic to my ftp server.

Can't find much on Google related to the syntax, aside from the -= operator being available as a different way to specify it. What's wrong here?

Without the braces is correct. You can use

    broctl print SSH::interesting_hostnames

to see what version your cluster is using.

You can also just use a notice policy hook to ignore the notices for that specific hostname, instead of ignoring ftp logins entirely.

Your problem is probably related to the second issue you have...
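A local.bro fragment, added here as an example and not taken from the thread or from the Bro distribution, showing both routes Justin describes: the braceless pattern redef, and a Notice::policy hook that discards SSH::Interesting_Hostname_Login for one host instead of dropping the ftp match for everyone. The hostname myftpserver.mydomain.com is the one from the notice.log line later in the thread (the notice puts the matched hostname in the sub field); the set name ignored_sftp_hosts is an assumption made for this example.

```bro
# Added example, not from the thread: two ways to keep SFTP-on-22 logins to a
# known host from raising SSH::Interesting_Hostname_Login. Use one or the other.
@load protocols/ssh/interesting-hostnames

# Option 1: replace the pattern, leaving out the /^ftp[0-9]*\./ alternative.
# SSH::interesting_hostnames is a pattern constant, so the redef is a plain
# assignment of a new pattern. Braces would denote a set, not a pattern.
redef SSH::interesting_hostnames =
      /^d?ns[0-9]*\./
    | /^smtp[0-9]*\./
    | /^mail[0-9]*\./
    | /^pop[0-9]*\./
    | /^imap[0-9]*\./
    | /^www[0-9]*\./;

# Option 2: keep the stock pattern and drop only the notices for specific
# hosts. The hostname is the one from the notice.log line in the thread;
# the set name is an assumption made for this example.
const ignored_sftp_hosts: set[string] = {
    "myftpserver.mydomain.com"
} &redef;

# The notice carries the matched hostname in n$sub. "break" stops the
# remaining policy processing, so the notice is neither logged nor emailed.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Interesting_Hostname_Login &&
         n?$sub && n$sub in ignored_sftp_hosts )
        break;
    }
```

After editing local.bro, run broctl deploy so every node picks up the same script, then broctl print SSH::interesting_hostnames to confirm the pattern matches across manager, proxy and workers.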

Second...and this one is strange

When the notice is generated, instead of having the note as SSH::Interesting_Hostname_Login, it's attaching a note of HTTP::SQL_Injection_Attacker.

Here's a log line

//
1501207574.941860 C3EEas45G6RoObEML9 7.7.7.7 46160 10.10.10.10 22 - - - tcp HTTP::SQL_Injection_Attacker Possible SSH login involving a local server with an interesting hostname. myftpserver.mydomain.com Notice::ACTION_EMAIL,IPBLOCK::ACTION_IPBLOCK,Notice::ACTION_LOG 3600.000000
//

How is Bro attaching SQL_Injection_Attacker from a completely different module as the note?

Did you make changes to your local.bro without restarting the entire cluster? Or did you make changes to one of the local-logger.bro local-manager.bro local-proxy.bro local-worker.bro files?

I believe enums being wrong is a direct result of running different policies on different boxes causing the metadata for enums to get out of sync.

Running different policies on different boxes would also explain why your changes to interesting_hostnames have not worked.

Justin,

Yeah seems like you're right on the money.

//
[BroControl] > print SSH::interesting_hostnames
     manager SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
     proxy-1 SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
    worker-1 SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
    worker-2 SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?))|(^?(^ftp[0-9]*\.)$?)/
//

I haven't made any changes to the other local files. They're all empty on the manager/worker nodes.

Did you make changes to your local.bro without restarting the entire cluster?

I've been using broctl deploy or restart mostly. I did get a crash message from worker-2 once, where I issued broctl restart worker-2 instead of the entire cluster.

//
1501254343.937122 fatal error in /usr/local/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 157: Val::CONST_ACCESSOR (types/string) (/(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/)
//

Any ideas?

Eric

What does a broctl deploy output at this point? Does your local.bro currently have the redef with the {}'s? You want it without them.

[BroControl] > deploy
checking configurations ...
installing ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
stopping ...
stopping worker-2 ...
stopping worker-1 ...
stopping proxy-1 ...
stopping manager ...
starting ...
starting manager ...
starting proxy-1 ...
starting worker-1 ...
starting worker-2 ...
[BroControl] > print SSH::interesting_hostnames
     manager SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
     proxy-1 SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
    worker-1 SSH::interesting_hostnames = /(((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?)/
    worker-2 SSH::interesting_hostnames = /((((((^?(^d?ns[0-9]*\.)?\)|\(^?\(^smtp\[0\-9\]\*\\\.\)?))|(^?(^mail[0-9]*\.)?\)\)|\(^?\(^pop\[0\-9\]\*\\\.\)?))|(^?(^imap[0-9]*\.)?\)\)|\(^?\(^www\[0\-9\]\*\\\.\)?))|(^?(^ftp[0-9]*\.)$?)/

The line for worker-2 is even formatted strangely. There's an extra set of parentheses surrounding the string of ((dns|smtp|mail|pop|imap|www) | ftp )

From my local.bro

# Remove match for hostname with "ftp" for the SSH login success to interesting hostname from /share/bro/policy/protocols/ssh/interesting-hostnames.bro
redef SSH::interesting_hostnames = /^d?ns[0-9]*\./ | /^smtp[0-9]*\./ | /^mail[0-9]*\./ | /^pop[0-9]*\./ | /^imap[0-9]*\./ | /^www[0-9]*\./;

Eric

The line for worker-2 is even formatted strangely. There's an extra set of parentheses surrounding the string of ((dns|smtp|mail|pop|imap|www) | ftp )

Ah, that's normal. It's actually more like this, so each extra item adds one extra set of parentheses:

(((((dns)|smtp)|mail)|pop)|imap)

I bet you have a half-broken process for worker-2 lying around from when it had an issue. It may not have completely crashed. If you run

    broctl stop

and then

    broctl ps.bro

are any bro processes returned related to worker-2? Ensure that every bro process is stopped and then do a new deploy; that should clear things up.

Yep that was it.

//
[BroControl] > stop
stopping worker-2 ...
stopping worker-1 ...
stopping proxy-1 ...
stopping manager ...
[BroControl] > ps.bro
        USER PID PPID %CPU %MEM VSZ RSS TT S STARTED TIME COMMAND

worker-2

   (-) root 29973 29967 36.8 1.8 2580256 2458068 ? S Jul 25 1-02:41:59 bro
   (-) root 29974 29973 0.2 0.2 387928 328412 ? S Jul 25 00:11:20 bro
//

Cleaned it up and now the output for print matches across them.

Well done, thanks again.

Eric

Awesome! One of the things in the works for broctl is a better mechanism for process supervision which will help prevent this exact problem.