Suppress_for issues

I am having some problems (or maybe misunderstanding) of how the suppression works. I haven’t changed my configuration file and it was working at one time. Now after upgrading to the master branch (I was on the heartbleed) it seems my suppression isn’t working as I understand it.

I have activated the SSL certificate checking as follows:

@load policy/protocols/ssl/expiring-certs.bro
redef SSL::notify_certs_expiration = ALL_HOSTS;

now when I watch my notice log, I am seeing what appear to be LOTS of notice logs for the same certificate. I thought that perhaps just the e-mails get suppressed, but after turning on e-mail notifications I get an e-mail for every notice. Plus my notice log is filling up rather quickly.

I know this probably won’t be very legible, but here is an example of just 2 of the notices I get from a single connection. They look exactly the same to me, and they have a time set for the suppression. I would have expected to only get one of these, but you can see the time stamp shows multiple notices happening very quickly.

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude

1402057564.658489 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -

1402057564.660035 CW6Riz4smTIRpMxWq1 1.1.1.1 51255 2.2.2.2 5223 F6irMUcwkf1ZcbIok - - tcp SSL::Certificate_Expired Certificate emailAddress=,CN=,OU=,O= - 1.1.1.1 2.2.2.2 5223 - bro1 Notice::ACTION_LOG 86400.000000 F - - - - -

Looks to me like the $identifier field was dropped from those notices
with the move to 2.3 ...

Bro 2.2:

else if ( cert$not_valid_after < network_time() )
    # $identifier keys the suppression: one notice per (note, identifier) per $suppress_for
    NOTICE([$note=Certificate_Expired,
            $conn=c, $suppress_for=1day,
            $msg=fmt("Certificate %s expired at %T", cert$subject,
                     cert$not_valid_after),
            $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);

Bro 2.3:

else if ( cert$not_valid_after < network_time() )
    # no $identifier here, so $suppress_for has nothing to key on
    NOTICE([$note=Certificate_Expired,
            $conn=c, $suppress_for=1day,
            $msg=fmt("Certificate %s expired at %T", cert$subject,
                     cert$not_valid_after),
            $fuid=fuid]);

That will break suppression.

-Josh
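An added check, not from the thread or from Bro itself, that reads notice.log lines in the layout quoted above and flags notices that recur inside their own suppress_for window, which is exactly what a NOTICE() call without $identifier produces. The identifier itself is not written to the log, so the check assumes (note, dst, p) as a stand-in key; the sample lines are constructed from the two notices in the first message.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated notice.log layout, built from the
# #fields header and the two Certificate_Expired notices quoted in the thread.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
          "file_desc proto note msg sub src dst p n peer_descr actions "
          "suppress_for dropped remote_location.country_code remote_location.region "
          "remote_location.city remote_location.latitude remote_location.longitude").split()

def notice_row(ts):
    return [ts, "CW6Riz4smTIRpMxWq1", "1.1.1.1", "51255", "2.2.2.2", "5223",
            "F6irMUcwkf1ZcbIok", "-", "-", "tcp", "SSL::Certificate_Expired",
            "Certificate emailAddress=,CN=,OU=,O=", "-", "1.1.1.1", "2.2.2.2",
            "5223", "-", "bro1", "Notice::ACTION_LOG", "86400.000000", "F",
            "-", "-", "-", "-", "-"]

SAMPLE_LOG = "\n".join(["#fields\t" + "\t".join(FIELDS),
                        "\t".join(notice_row("1402057564.658489")),
                        "\t".join(notice_row("1402057564.660035"))])

def parse_notice_log(text):
    """Yield one dict per data line; the #fields header supplies the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def find_unsuppressed_repeats(text):
    """Return (key, first_ts, repeat_ts) for every notice that recurs within its
    own suppress_for window.  Bro keys suppression on (note, $identifier); the
    identifier is not logged, so (note, dst, p) stands in for it (assumption)."""
    last_seen = {}
    repeats = []
    for n in parse_notice_log(text):
        if n["suppress_for"] == "-":
            continue
        key = (n["note"], n["dst"], n["p"])
        ts, window = float(n["ts"]), float(n["suppress_for"])
        if key in last_seen and ts - last_seen[key] < window:
            repeats.append((key, last_seen[key], ts))   # should have been suppressed
        else:
            last_seen[key] = ts                          # opens a new window
    return repeats

if __name__ == "__main__":
    for key, first, again in find_unsuppressed_repeats(SAMPLE_LOG):
        print(f"{key[0]} for {key[1]}:{key[2]} repeated {again - first:.3f}s after the first")
```

Run it over a real notice.log with `find_unsuppressed_repeats(open("notice.log").read())`; an empty result means suppression is keying correctly for the notices present.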

I was just trying to move back from the heartbleed branch in git to the current “stable.” Should I be checking out something other than master to make the move back from the heartbleed branch to stable branch?

For now, I have just added my own identifier back to the ssl check, so I can stay on master with the Heartbleed code. Maybe by the time I run another update from git this will have been fixed and losing my own changes will be irrelevant.

Thank you!

Oh, yes, sorry, I probably did that by accident while moving to file IDs. I guess we should add the suppression back in. I will try to take a look at it later, and hopefully it will be back in the 2.3 release...

Johanna