
Bro 2.6.3 #1603

Closed
dougburks opened this issue Aug 9, 2019 · 3 comments

@dougburks
Contributor

commented Aug 9, 2019

From https://github.com/zeek/zeek/blob/release/NEWS:

Bro 2.6.3
=========

This is a security patch release to address potential Denial of Service
vulnerabilities:

- Null pointer dereference in the RPC analysis code. RPC analyzers
  (e.g. MOUNT or NFS) are not enabled in the default configuration.

- Signed integer overflow in BinPAC-generated parser code.  The result
  of this is Undefined Behavior with respect to the array bounds
  checking conditions that BinPAC generates, so it's unpredictable
  what an optimizing compiler may actually do under the assumption
  that signed integer overflows should never happen.  The specific
  symptom which led to finding this issue was with the PE analyzer
  causing out-of-memory crashes due to large allocations that were
  otherwise prevented when the array bounds checking logic was changed
  to prevent any possible signed integer overflow.

@dougburks dougburks self-assigned this Aug 9, 2019

@dougburks dougburks added this to To do in 16.04.6.2 via automation Aug 9, 2019

@dougburks
Contributor Author

commented Aug 9, 2019

The following packages are now ready for testing:

securityonion-bro - 2.6.3-1ubuntu1securityonion1
securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion12
securityonion-bro-scripts - 20121004-0ubuntu0securityonion72

Please test/verify as follows (watch out for line wrapping):

  • install the current 16.04 ISO image

  • snapshot the VM if possible

  • add the test PPA:
    sudo add-apt-repository -y ppa:securityonion/test

  • update:
    sudo soup

  • verify that the package installation scripts display a message about checking configuration and adding back any local customizations and then restarting Bro.

  • verify that Bro packages were upgraded and the new securityonion-bro-afpacket package was installed:
    dpkg -l | grep securityonion-bro

  • if new installation, run through Setup

  • verify that the package installation scripts backed up the following with a _pre-2.6.3 extension:
    /opt/bro/etc/
    /opt/bro/share/bro/site/local.bro

  • verify that StatusCmdShowAll has been set to 0 in /opt/bro/etc/broctl.cfg:
    grep StatusCmdShowAll /opt/bro/etc/broctl.cfg

  • verify that "lb_custom.InterfacePrefix=af_packet::" has been added to /opt/bro/etc/broctl.cfg:
    grep af_packet /opt/bro/etc/broctl.cfg

  • restart Bro as noted by package installation:
    sudo so-bro-restart

  • check status:
    sudo so-status

  • check Bro startup logs for any warnings/errors out of the ordinary:
    cat /nsm/bro/logs/current/reporter.log
    cat /nsm/bro/logs/current/stdout.log
    cat /nsm/bro/logs/current/stderr.log

  • replay LOTS of traffic:
    sudo so-test

  • verify that files are extracted to /nsm/bro/extracted:
    ls -alh /nsm/bro/extracted

  • verify that /nsm/bro/logs/current/conn.log contains the proper sensorname at the end of each log entry:
    cat /nsm/bro/logs/current/conn.log

  • verify that Bro logs are in the same format as they were pre-upgrade (should be JSON by default).

  • verify that the Elastic Stack is parsing and displaying logs properly

  • verify that you can pivot to CapMe for both TCP and UDP traffic

  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and bro sections for packet loss)

  • verify that the Bro ja3 script is loaded and logging:
    grep -r ja3 /nsm/bro/logs/current/

  • verify that the Bro hassh script is loaded and logging:
    grep -r hassh /nsm/bro/logs/current/

  • verify that everything else works properly with no regressions

  • reboot and make sure everything still works properly

Please test in as many different combinations as possible:

  • Evaluation Mode (Bro Standalone mode) vs Production Mode (Bro cluster mode)

  • single sniffing interface vs multiple sniffing interfaces

  • file extraction enabled or disabled

  • json-logs enabled or disabled

  • traffic without vlan tags vs traffic with vlan tags

  • new installation vs upgrade

  • Bro cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom)

Anything else we missed?

Please record all test results on this github issue. If everything works correctly, please record that. If not, please include detailed information about what you're experiencing.

Thanks in advance for your time and effort!
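Scripted form of four of the checks in the list above (package version, the two broctl.cfg settings, the _pre-2.6.3 backups, and a JSON conn.log carrying the sensor name), added here as an example and not part of the issue or of Security Onion. It assumes the backup suffix is appended to the original path and matches the sensor name anywhere in each conn.log line; every check takes its input as an argument so it can be exercised on constructed data.

```shell
#!/bin/sh
# Added example, not part of the issue: scripted versions of four checks from
# the Bro 2.6.3 test checklist. Each check takes its input as an argument so
# it can be run against constructed data; run_all uses the Security Onion
# paths named in the checklist.

# dpkg -l output: is PKG installed ("ii") at exactly version WANT?
check_pkg_version() {   # check_pkg_version "$(dpkg -l)" PKG WANT
    printf '%s\n' "$1" | awk -v p="$2" -v w="$3" \
        '$1 == "ii" && $2 == p && $3 == w { found = 1 } END { exit !found }'
}

# broctl.cfg: is KEY set to exactly WANT (whitespace around "=" ignored)?
cfg_has() {             # cfg_has FILE KEY WANT
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}
check_broctl_cfg() {    # check_broctl_cfg FILE
    cfg_has "$1" 'StatusCmdShowAll' '0' &&
    cfg_has "$1" 'lb_custom\.InterfacePrefix' 'af_packet::'
}

# Backups: the checklist says /opt/bro/etc/ and local.bro are backed up
# "with a _pre-2.6.3 extension"; assumption: the suffix is appended to the path.
check_backups() {       # check_backups ETC_DIR LOCAL_BRO
    [ -e "${1%/}_pre-2.6.3" ] && [ -e "${2}_pre-2.6.3" ]
}

# conn.log: non-empty file whose every non-blank line is a JSON object that
# names the sensor (matching the name anywhere in the line is a simplification).
check_conn_log() {      # check_conn_log FILE SENSORNAME
    [ -s "$1" ] || return 1
    ! grep -v '^$' "$1" | grep -vE "^\{.*\"$2\".*\}\$" | grep -q .
}

# Run everything against the live sensor, printing PASS/FAIL per check.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
run_all() {             # run_all SENSORNAME
    rc=0
    report check_pkg_version "$(dpkg -l 2>/dev/null)" securityonion-bro 2.6.3-1ubuntu1securityonion1
    report check_broctl_cfg /opt/bro/etc/broctl.cfg
    report check_backups /opt/bro/etc /opt/bro/share/bro/site/local.bro
    report check_conn_log /nsm/bro/logs/current/conn.log "$1"
    return $rc
}

# Usage on a sensor: sh verify-bro-263.sh --live <sensorname>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then run_all "$2"; fi
```

Without `--live` the script only defines the functions, so it can be sourced and the individual checks pointed at other files.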

@dougburks dougburks moved this from To do to In Testing in 16.04.6.2 Aug 9, 2019

@weslambert
Collaborator

commented Aug 12, 2019

Looks good from my testing 👍 No issues testing per the above instructions.


@dougburks dougburks closed this Aug 13, 2019

16.04.6.2 automation moved this from In Testing to Done Aug 13, 2019
