[
https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23826#comment-23826
]
Justin Azoff commented on BIT-1521:
-----------------------------------
Ah, yes, that helped the protocol detection, though I think it shows a bug in
known services in general:
{code}
$ bro -r ~/src/bro/testing/btest//Traces/globus-url-copy.trace local base/protocols/ftp/gridftp 'Known::service_tracking=ALL_HOSTS' 'GridFTP::size_threshold=1'
WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
$ cat conn.log |bro-cut id.orig_h id.orig_p id.resp_h id.resp_p service
192.168.57.103 60108 192.168.57.101 2811 gridftp,ssl,ftp
192.168.57.103 35391 192.168.57.101 55968 ssl,gridftp-data
$ cat known_services.log |bro-cut host port_num service
192.168.57.101 2811 FTP
192.168.57.101 55968 SSL
{code}
Some of this is due to how it keeps track of services by (ip,port). Since ssl is
always detected first, that is the one that gets logged.
It looks like even if it was changed to (ip,port,service), gridftp may not show up,
because it never makes it into known services.
The gridftp analyzer does
{code}
add c$service["gridftp-data"];
{code}
But this doesn't trigger a protocol_confirmation (even though it would be too
late anyway, since the (ip,port) would have been logged as ssl).
So, I think known-services:
* Needs to keep track of things by (ip,port,service)
* Should possibly wait until a connection is closed and it has all the facts
before trying to log the service.
If I remove the protocol_confirmation event and use simply:
{code}
event connection_state_remove(c: connection) &priority=-5
    {
    known_services_done(c);
    }
{code}
It mostly works:
{code}
$ cat known_services.log |bro-cut host port_num service
192.168.57.101 2811 FTP,SSL,gridftp
192.168.57.101 55968 gridftp-data,SSL
{code}
I'm not sure if it should log them once per line, and if we should do something
about the mismatch in case.
> known services should probably ignore gridftp-data
> --------------------------------------------------
>
> Key: BIT-1521
> URL: https://bro-tracker.atlassian.net/browse/BIT-1521
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Assignee: Justin Azoff
> Priority: Low
>
> known services script does
> {code}
> if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>      "ftp-data" in c$service || # don't include ftp data sessions
>      ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>     return;
> {code}
> but should probably also ignore gridftp-data. Probably a good idea to add a
> set of services that behave like ftp for it to check.
--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
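The two changes proposed in the comment above (key known services by (host, port, service) and log only once the connection has ended, plus a redef-able set of ftp-like data channels to skip) put together as one Bro script. This is an added example, not Bro's own base/frameworks/... known-services script: the module name KnownSvcExample, the log path known_services_example and the set name data_channel_services are assumptions made here; the record fields, addr_matches_host and the Log framework calls are the Bro 2.4 API.

```zeek
##! Added example (not Bro's known-services script): track services by
##! (host, port, service), skip data channels such as gridftp-data, and log
##! after connection_state_remove so every analyzer has had its say.

@load base/protocols/conn
@load base/utils/directions-and-hosts

module KnownSvcExample;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time   &log;
        host:     addr   &log;
        port_num: port   &log;
        service:  string &log;
    };

    ## Which responder hosts to track (same knob the real script exposes).
    const service_tracking = LOCAL_HOSTS &redef;

    ## Data channels of another protocol, not services in their own right.
    ## "gridftp-data" is the BIT-1521 case; sites can redef to add more.
    ## (Assumed name; the tracker only suggests "a set of services that
    ## behave like ftp".)
    const data_channel_services: set[string] = { "ftp-data", "gridftp-data" } &redef;

    ## Keyed by (host, port, service) so a port that speaks several
    ## protocols (FTP over SSL, then GridFTP) gets one line per service
    ## instead of only the one detected first.
    global seen: set[addr, port, string] &create_expire=1 day;
}

event bro_init() &priority=5
    {
    Log::create_stream(KnownSvcExample::LOG,
                       [$columns=Info, $path="known_services_example"]);
    }

function record_services(c: connection)
    {
    local id = c$id;

    # Same guards as the original script: only tracked hosts, and for DNS
    # require that the server actually answered.
    if ( ! addr_matches_host(id$resp_h, service_tracking) ||
         ("DNS" in c$service && c$resp$size == 0) )
        return;

    for ( s in c$service )
        {
        # Skip data channels (compare case-insensitively).
        if ( to_lower(s) in data_channel_services )
            next;

        # Normalize case so "SSL" and "gridftp" log consistently; this is
        # the "mismatch in case" the comment mentions.
        local svc = to_upper(s);

        if ( [id$resp_h, id$resp_p, svc] in seen )
            next;

        add seen[id$resp_h, id$resp_p, svc];
        Log::write(KnownSvcExample::LOG,
                   [$ts=network_time(), $host=id$resp_h,
                    $port_num=id$resp_p, $service=svc]);
        }
    }

# Log at teardown rather than on protocol_confirmation: by then every
# analyzer that is going to "add c$service[...]" (including the gridftp
# analyzer, which never confirms a protocol) has already done so.
event connection_state_remove(c: connection) &priority=-5
    {
    record_services(c);
    }
```

On the globus-url-copy trace from the comment this would log three lines for 192.168.57.101/2811 (FTP, SSL, GRIDFTP), one per service, and nothing for 192.168.57.101/55968 beyond SSL, because gridftp-data is in the skip set. Whether one-service-per-line is the right shape for known_services.log is the open question the comment raises; the script shows the keying, not the policy.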