[Bro-Dev] [JIRA] (BIT-1488) ICMP analyser incorrectly handles ICMP connections

Oman Security Officer (JIRA) Wed, 07 Oct 2015 01:53:16 -0700

     [ 
https://bro-tracker.atlassian.net/browse/BIT-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Oman Security Officer updated BIT-1488:
---------------------------------------
    Status: Merge Request  (was: Open)

> ICMP analyser incorrectly handles ICMP connections
> --------------------------------------------------
>
>                 Key: BIT-1488
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1488
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: Security Onion 12.4 (Linux 3.13.0-63-generic 
> #104~precise1-Ubuntu SMP x86_64 GNU/Linux) installed On VMware Workstation 
> (10.0.3 build-1895310) running on Windows 8.1 Enterprise
>            Reporter: Oman Security Officer
>              Labels: analyzer
>         Attachments: results.txt, test_icmp.bro
>
>
> I have been testing BRO scripts on DARPA 1998 dataset (Week 3 - Wednesday) 
> TCPDUMP 
> [https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz].
>  This file contains a lot of ICMP packets. I was testing ICMP events in BRO 
> to understand their role. 
> * event *icmp_echo_request*(c: connection, icmp: icmp_conn, id: count, seq: 
> count, payload: string)
> * event *icmp_echo_reply*(c: connection, icmp: icmp_conn, id: count, seq: 
> count, payload: string)
> It seems that, the ICMP analyser does not handle the ICMP connections in the 
> right way. I have noticed that, when I use those 2 events the "*c: 
> connection*" variable does not return the right results. 
> For example, the mentioned DARPA file contains the following ICMP traces 
> between hosts 202.72.1.77 and 172.16.112.50. the exchanged packet are 
> summarized in the following table:
> No.   Time    Source  Destination     Protocol        Length  Info            
>         
> {color:#f6c342}28076  898088609.998513        202.72.1.77     172.16.112.50   
> ICMP    60      Echo (ping) request     id=0xf305       seq=0/0 ttl=63
> 28077 898088610.000822        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf305       seq=0/0 ttl=254
> 28150 898088612.998292        202.72.1.77     172.16.112.50   ICMP    60      
> Echo (ping) request     id=0xf305       seq=256/1       ttl=63
> 28151 898088612.998641        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf305       seq=256/1       ttl=254
> 28669 898088644.998259        202.72.1.77     172.16.112.50   ICMP    60      
> Echo (ping) request     id=0xf405       seq=0/0 ttl=63
> 28670 898088644.998652        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf405       seq=0/0 ttl=254
> 28682 898088647.998159        202.72.1.77     172.16.112.50   ICMP    60      
> Echo (ping) request     id=0xf405       seq=256/1       ttl=63
> 28683 898088647.998566        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf405       seq=256/1       ttl=254{color}
> {color:#f79232}30478  898088768.759437        202.72.1.77     172.16.112.50   
> ICMP    60      Echo (ping) request     id=0xf176       seq=0/0 ttl=63
> 30479 898088768.760917        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf176       seq=0/0 ttl=254
> 31016 898088797.366418        202.72.1.77     172.16.112.50   ICMP    60      
> Echo (ping) request     id=0xf276       seq=0/0 ttl=63
> 31017 898088797.366861        172.16.112.50   202.72.1.77     ICMP    60      
> Echo (ping) reply       id=0xf276       seq=0/0 ttl=254{color}
> It can be seen that, there are 6 ICMP connections by exchanging 12 packets (6 
> Echo Requests and 6 Echo Replays). Whereas, Bro will handle them as 2 
> connections only making the final results inaccurate. 
> I have found that, BRO will treat all requests and replays between timestamps 
> 898088609.998513 and 898088647.998566 as *{color:#f6c342}one 
> connection{color}* and between timestamps 898088768.759437 and 
> 898088797.366861 as *{color:#f79232}another connection{color}*.
> The results of calling events *icmp_echo_request* and *icmp_echo_reply* on 
> that file between the named hosts (202.72.1.77 and 172.16.112.50) can bee 
> found in the attached file (results.txt) as well as the script file 
> (test_icmp.bro).
> The following commands were called to obtain the results
> > wget -c 
> > https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz
> > gzip -d < tcpdump.gz > week3_Wednesday.tcpdump
> > bro -r week3_Wednesday.tcpdump test_icmp.bro > results.txt



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

[Bro-Dev] [JIRA] (BIT-1488) ICMP analyser incorrectly handles ICMP connections

Reply via email to