https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24200#comment-24200

Justin Azoff commented on BIT-1521:
-----------------------------------

topic/jazoff/ticket1521 contains a branch that I believe fixes most of the 
issues with known-services.

I think there may still be one outstanding bug (but it is something that is 
broken worse in the current code).

The current code tracks services by (addr,port).  If no service is detected on 
a port it will log it as (ip, port, empty).  If a service is later detected on 
that port, nothing will be logged.

This branch WILL log it, but it will also log twice in the opposite order, 
which is possibly not desired.

So, this will work and is an improvement:
{code}
ip, port, empty
# time passes
ip, port, HTTP
{code}

But it may also log

{code}
ip, port, HTTP
# time passes
ip, port, empty
{code}

To fix that it would need to keep track of a separate (ip, port) set that had a 
non empty service detected.  Once something like HTTP was detected the (ip, 
port) would be added, and then it would skip logging (ip, port, empty)

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
>                 Key: BIT-1521
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1521
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>             Fix For: 2.5
>
>
> known services script does
> {code}
>         if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>              "ftp-data" in c$service || # don't include ftp data sessions
>              ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>                 return;
> {code}
> but should probably also ignore gridftp-data.  Probably a good idea to add a 
> set of services that behave like ftp for it to check.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-01-031#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

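The three behaviours discussed in the thread (the current (addr, port) tracking, the branch that tracks the full (addr, port, service) triple and so can log in both orders, and the proposed separate set of (ip, port) pairs with a non-empty service), plus the "ignore ftp-like data sessions" filter from the issue description, as an added Python simulation. This is not Bro script from known-services.bro or from the topic/jazoff/ticket1521 branch; the class name, the mode names, the ignored-service set and the sample events are assumptions made here for illustration.

```python
"""Simulation of known-services bookkeeping (hypothetical, not Bro's own code)."""
from dataclasses import dataclass, field

Entry = tuple[str, int, str]   # (ip, port, service); "" means no service detected

# Assumed set of services that behave like ftp data sessions and should not
# be recorded as known services (the issue suggests such a set).
IGNORED_SERVICES = {"ftp-data", "gridftp-data"}


@dataclass
class KnownServices:
    mode: str = "fixed"                # "current", "branch" or "fixed"
    seen_ports: set[tuple[str, int]] = field(default_factory=set)    # current: (addr, port) only
    seen_entries: set[Entry] = field(default_factory=set)            # branch/fixed: full triple
    with_service: set[tuple[str, int]] = field(default_factory=set)  # fixed: ports with a real service
    log: list[Entry] = field(default_factory=list)

    def observe(self, ip: str, port: int, service: str = "") -> bool:
        """Record one observed connection; return True if a log line was written."""
        if service in IGNORED_SERVICES:
            return False
        key = (ip, port)
        entry = (ip, port, service)
        if self.mode == "current":
            # Current code: once (addr, port) was logged, a later service is never logged.
            if key in self.seen_ports:
                return False
            self.seen_ports.add(key)
        else:
            if self.mode == "fixed":
                if service:
                    self.with_service.add(key)
                elif key in self.with_service:
                    # A real service was already seen on this port: skip (ip, port, empty).
                    return False
            # Branch behaviour: dedupe on the full triple, so "empty" and "HTTP"
            # are distinct entries and can both be logged, in either order.
            if entry in self.seen_entries:
                return False
            self.seen_entries.add(entry)
        self.log.append(entry)
        return True


def run(mode: str, events: list[Entry]) -> list[Entry]:
    """Feed a constructed event sequence through one tracking mode and return its log."""
    ks = KnownServices(mode)
    for ip, port, service in events:
        ks.observe(ip, port, service)
    return ks.log


# Constructed sample sequences (not captured data).
EMPTY_THEN_HTTP = [("10.0.0.5", 80, ""), ("10.0.0.5", 80, "HTTP")]
HTTP_THEN_EMPTY = [("10.0.0.5", 80, "HTTP"), ("10.0.0.5", 80, "")]
FTP_LIKE = [("10.0.0.5", 20, "ftp-data"), ("10.0.0.5", 2811, "gridftp-data"), ("10.0.0.5", 21, "FTP")]


if __name__ == "__main__":
    for mode in ("current", "branch", "fixed"):
        print(mode, "empty->HTTP:", run(mode, EMPTY_THEN_HTTP))
        print(mode, "HTTP->empty:", run(mode, HTTP_THEN_EMPTY))
    print("ftp-like sessions:", run("fixed", FTP_LIKE))
```

Running it shows the difference: "current" never logs the HTTP entry once the empty one exists, "branch" logs both entries in whichever order they arrive (the double logging the comment calls undesirable), and "fixed" still logs empty followed by HTTP but suppresses an empty entry that arrives after HTTP on the same port.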