Hey All,
So, I was going through the weird.log file generated by bro every hour,
and found a lot of activity that I would like to suppress, and for some
activity I would like to know the source (i.e. what part of the bro code is raising those
“weird” activity logs in weird.log) to analyse whether it’s legit or can be suppressed.
For example, I would like to suppress “DNS_RR_unknown_type 46”, as it’s,
I think, not an unknown type; it’s defined in RFC 4034 as “RRSIG” (and some other similar weird activity).
Hence, I wanted to see what code during packet analysis might have raised one of the *_weird events to log that connection.
I was searching for the string “weird” in an effort to find the Bro scripts
that either load weird or create a log stream in weird.log, but couldn’t find the code/script
that is responsible for those notices in weird.log.
P.S: I know about the weird.bro in notice framework, I am searching for part of the code that would use *_weird events to log weird activity in weird.log.
Checked policy/base dirs:
policy]$ find . -type f -exec cat {} + | grep "weird"
##! This script handles core generated connection related “weird” events to
##! push weird information about connections into the weird framework.
This is weird beause it would mean that someone didn’t
event conn_weird("smb_pipe_request_missing_uuid", c, "");
This is weird: the inquirer must also be providing answers in
Any pointers in the right direction would be really appreciated.
Thanks,
Fatema.
Ah.. it's also 'Weird' inside of analyzers, so 'weird' would not have found it:
$ git grep DNS_RR_unknown_type
CHANGES: * DNS: Log the type number for the DNS_RR_unknown_type weird. (Vlad Grigorescu)
scripts/base/frameworks/notice/weird.bro: ["DNS_RR_unknown_type"] = ACTION_LOG,
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log:1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro
$ git grep 'analyzer->Weird'
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_header_lacks_magic");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_unexpected_flow_direction");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_negative_or_zero_length_link_layer");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird("dnp3_first_application_layer_chunk_missing");
src/analyzer/protocol/dnp3/DNP3.cc: analyzer->Weird(fmt("dnp3_corrupt_%s_checksum", where));
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_len_lt_hdr_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_Conn_count_too_large");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_quest_too_short");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_ans_too_short");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_NAME_too_long");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_forward_compress_offset");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_len_gt_pkt");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_too_long");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_label_len_gt_name_len");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_length_mismatch");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_RR_bad_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_AAAA_neg_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_A6_neg_length");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_TXT_char_str_past_rdlen");
src/analyzer/protocol/dns/DNS.cc: analyzer->Weird("DNS_CAA_char_str_past_rdlen");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird(msg);
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("illegal_%_at_end_of_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("partial_escape_at_end_of_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("double_%_in_URI");
src/analyzer/protocol/http/HTTP.cc: analyzer->Weird("unescaped_%_in_URI");
src/analyzer/protocol/ncp/NCP.cc: analyzer->Weird(e.msg().c_str());
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("deficit_netbios_hdr_len");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_raw_session_msg");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("no_smb_session_using_parsesambamsg");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_server_session_request");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/netbios/NetbiosSSN.cc: analyzer->Weird("netbios_client_session_reply");
src/analyzer/protocol/rpc/RPC.cc: analyzer->Weird(msg);
src/analyzer/protocol/tcp/TCP_Reassembler.cc: tcp_analyzer->Weird("above_hole_data_without_any_acks");
src/analyzer/protocol/tcp/TCP_Reassembler.cc: tcp_analyzer->Weird("excessive_data_without_further_acks");
src/analyzer/protocol/teredo/Teredo.h: { analyzer->Weird(name); }
$
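As an added example (not part of this thread or of Bro itself), a small triage script for the question that started the thread: it reads weird.log rows in the tab-separated layout shown in the git grep output above, counts each weird name together with its addl field, and annotates DNS_RR_unknown_type numbers against the RR types RFC 4034 assigns, so an RRSIG or DNSKEY record is recognised before anything is suppressed. The column order and the sample rows are assumptions constructed for the example.

```python
from collections import Counter

# RR type numbers assigned by RFC 4034 (DNSSEC); the ones this thread is about.
RFC4034_RR_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

# Column order of Bro's weird.log (assumed standard layout).
WEIRD_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
                "name", "addl", "notice", "peer"]

# Constructed sample rows in the weird.log layout (not real traffic).
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
1363716396.798286\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t27285\t10.0.0.53\t53\tDNS_RR_unknown_type\t46\tF\tbro
1363716397.100000\tCabc123\t10.0.0.6\t40001\t10.0.0.53\t53\tDNS_RR_unknown_type\t46\tF\tbro
1363716398.200000\tCdef456\t10.0.0.7\t40002\t10.0.0.53\t53\tDNS_RR_unknown_type\t48\tF\tbro
1363716399.300000\tCghi789\t10.0.0.8\t51000\t10.0.0.9\t445\tnetbios_raw_session_msg\t-\tF\tbro
"""


def parse_weird_log(text):
    """Yield one dict per data row, skipping '#' header/footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(WEIRD_FIELDS):
            continue  # truncated or foreign line; do not guess at it
        yield dict(zip(WEIRD_FIELDS, fields))


def describe(entry):
    """Weird name plus what its addl field means, where we know."""
    name, addl = entry["name"], entry["addl"]
    if name == "DNS_RR_unknown_type" and addl.isdigit():
        rr = RFC4034_RR_TYPES.get(int(addl))
        if rr is not None:
            return "%s %s (RFC 4034 %s, a valid DNSSEC record)" % (name, addl, rr)
        return "%s %s (type number not in RFC 4034 table)" % (name, addl)
    return name if addl == "-" else "%s %s" % (name, addl)


def summarize(text):
    """Count each distinct description so triage can start with the noisiest."""
    return Counter(describe(e) for e in parse_weird_log(text))


if __name__ == "__main__":
    for desc, n in summarize(SAMPLE_LOG).most_common():
        print("%5d  %s" % (n, desc))
```

Run it against a real weird.log to see which entries are DNSSEC records worth an ACTION_IGNORE entry in the Weird::actions table and which still need a look at the analyzer source.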
Hah, there’s a reason we have the -i option with grep *facepalm* (could have saved me a lot of time).
Thanks Justin for the quick response. Appreciate it!
Yay!
Fatema.