[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20401#comment-20401 ]
Vlad Grigorescu commented on BIT-1365:
--------------------------------------
> Any reason why local-local couldn't be set to INTERNAL? and I suppose
> remote-remote set to EXTERNAL?

Hmm. I don't think those are quite right. The biggest issue is that they're
technically not directions, just endpoint attributes. It does simplify some
searches, but it still leaves something to be desired there (e.g. if I want to
see all SSH connections to systems on my network, I need to search for INBOUND
|| INTERNAL).

I agree that there's a better solution out there, but I think this exposes a
larger issue. There are some open questions about local_nets - should RFC-1918
space be in there, or just public space? Should connections from neighbor nets
be denoted in the logs as well? What if IP space alone isn't enough to denote
my local networks, what if I need, say, VLAN IDs?

What might make sense is just to split this into two fields that denote where
orig_h and resp_h are, in the order PRIVATE, LOCAL, NEIGHBOR, EXTERNAL (i.e. if
is_private_addr return PRIVATE; else if is_local_addr return LOCAL...).

We can leave this ticket open to discuss better options down the line - this is
marked as a TODO in the script.
> direction field of SSH::Info no longer populated
> ------------------------------------------------
>
> Key: BIT-1365
> URL: https://bro-tracker.atlassian.net/browse/BIT-1365
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.4
>
>
> Here's the bug report:
> {quote}
> Reporter::ERROR field value missing
> [SSH::c$ssh$direction]
> /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
> Reporter::WARNING non-void function returns without a value:
> SSH::get_location (empty)
> Tracing this back, it looks like the SSH::c$ssh$direction is not being
> populated. I checked the /base/protocols/ssh/main.bro file and it looks
> like the function is missing.
> Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
> https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
> it looks like the function that determined the direction was removed at
> one point, which looks like it causes the
> /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
> {quote}
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
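
A model of the two-field idea from the comment above, written in Python as an added example (not code from Bro or from the ticket): each endpoint is labeled in the order PRIVATE, LOCAL, NEIGHBOR, EXTERNAL and compared with the single direction field from the quoted question. The network lists, sample connections and helper names (`member`, `locate`, `direction`, `annotate`, `ssh_to_site`) are constructed assumptions, and only RFC 1918 space is treated as private.

```python
import ipaddress

# Constructed site definition (assumptions): documentation ranges stand in for
# the site's public space and a neighbor network; only RFC 1918 is "private".
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOCAL_NETS = ["192.0.2.0/24", "10.0.0.0/8"]
NEIGHBOR_NETS = ["198.51.100.0/24"]
ORDER = [("PRIVATE", PRIVATE_NETS), ("LOCAL", LOCAL_NETS), ("NEIGHBOR", NEIGHBOR_NETS)]

def member(host, nets):
    addr = ipaddress.ip_address(host)
    # An address never matches a network of the other IP version.
    return any(addr in ipaddress.ip_network(n) for n in nets)

def locate(host):
    """Per-endpoint label; first match wins, in the order given in the comment."""
    for label, nets in ORDER:
        if member(host, nets):
            return label
    return "EXTERNAL"

def direction(orig_h, resp_h):
    """Single-field scheme from the quoted question (local-local = INTERNAL)."""
    o, r = member(orig_h, LOCAL_NETS), member(resp_h, LOCAL_NETS)
    if o and r:
        return "INTERNAL"
    if r:
        return "INBOUND"
    return "OUTBOUND" if o else "EXTERNAL"

# Constructed SSH connection endpoints: (orig_h, resp_h).
CONNS = [
    ("203.0.113.7", "192.0.2.10"),   # outside -> public local host
    ("10.1.2.3", "192.0.2.10"),      # local RFC 1918 host -> local host
    ("192.0.2.10", "203.0.113.7"),   # local host -> outside
    ("198.51.100.4", "10.1.2.3"),    # neighbor -> local RFC 1918 host
    ("203.0.113.7", "172.16.5.5"),   # RFC 1918 address that is not in LOCAL_NETS
]

def annotate(conns=CONNS):
    return [{"orig_h": o, "resp_h": r, "direction": direction(o, r),
             "orig_loc": locate(o), "resp_loc": locate(r)} for o, r in conns]

def ssh_to_site(rows, field, wanted):
    """resp_h of every row whose `field` is one of `wanted`."""
    return [r["resp_h"] for r in rows if r[field] in wanted]

if __name__ == "__main__":
    for row in annotate():
        print(row)
```

The last constructed row shows the open question about RFC 1918 space: its responder is labeled PRIVATE although it is not in the local networks list, so a search on PRIVATE or LOCAL returns it while INBOUND || INTERNAL does not.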