Bro: File downloads cause "possible_split_routing" and "data_before_routing" entries in weird.log


riema...@gmail.com

Aug 18, 2015, 7:00:28 PM8/18/15
to security-onion
TL;DR Most (non-SSL) EXE downloads aren't logged in files.log or extracted, and result in "possible_split_routing" and "data_before_routing" entries in weird.log.

...

I started out installing Bro on Debian after taking a course with Liam at Critical Stack, but moved to Security Onion hoping to resolve this problem. Unfortunately, I'm having the same issue with Bro on SO, so I thought I'd throw this out there and see if anyone has any ideas:

I'm running SO on VMWare with two physical NICs (one mgmt and one monitor), eight cores, plenty of memory, etc. The monitor interface is listening to a SPAN port on the core switch. When running "sudo sostat" it appears I have zero packet loss with Bro, and no loss with PF_RING. We use an inline web filter to monitor HTTP traffic, but it's not doing any sort of SSL MiTM proxying.

So the issue is, when I go to download an EXE (for example), nothing is recorded in files.log, and nothing is extracted (I'm running file extraction as configured in Setup). I can see the GET request for the EXE in http.log. If I grep the current logs for the UID value it shows entries in weird.log: "possible_split_routing" and "data_before_established." Every once in a while an EXE is captured, but they are few and far between.

I would like to be able to extract EXEs and a few other file types, but I can't seem to figure this one out. Completely stuck. Thanks in advance for any help/ideas/knowledge you have to offer.

Regards.
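The grep-by-UID check described in the post above can be automated. The following is an added example (not code from the thread, Security Onion or Bro) that correlates http.log, files.log and weird.log by connection UID: it lists GET requests for executable-looking URIs that produced no files.log entry, together with the weird.log names recorded on the same connection. The log excerpts are constructed for this example and trimmed to a handful of columns, but they use the real Bro TSV layout (a #fields header line, tab separators, "-" for unset, comma-separated set members), so the parser works on the real logs as well. The UIDs, hosts and URIs are invented.

```python
"""Correlate Bro/Zeek http.log, files.log and weird.log by connection UID.

Goal: find HTTP downloads that never reached files.log and show which
weird.log names Bro raised on the same connection. The three log excerpts
below are constructed sample data, not captured logs.
"""
from collections import Counter, defaultdict


def parse_zeek_log(text):
    """Parse Bro/Zeek TSV log text into a list of dicts keyed by #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #path, #close, ... are ignored
        if fields is None:
            raise ValueError("data line seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def find_unlogged_downloads(http_text, files_text, weird_text, extensions=(".exe",)):
    """Return {uid: {"uri": ..., "weirds": [...]}} for GETs of matching files
    whose connection UID never appears in files.log conn_uids."""
    uids_with_files = set()
    for row in parse_zeek_log(files_text):
        if row["conn_uids"] != "-":
            uids_with_files.update(row["conn_uids"].split(","))  # set field

    weirds_by_uid = defaultdict(list)
    for row in parse_zeek_log(weird_text):
        if row["uid"] != "-":
            weirds_by_uid[row["uid"]].append(row["name"])

    missing = {}
    for row in parse_zeek_log(http_text):
        path = row["uri"].split("?", 1)[0].lower()
        if row["method"] != "GET" or not path.endswith(tuple(extensions)):
            continue
        if row["uid"] in uids_with_files:
            continue
        missing[row["uid"]] = {
            "uri": row["uri"],
            "weirds": sorted(weirds_by_uid.get(row["uid"], [])),
        }
    return missing


def weird_counts(missing):
    """Count weird names across all unlogged downloads; if nearly every one
    carries possible_split_routing / data_before_established, Bro is seeing
    payload before a complete handshake, i.e. packets are going missing
    somewhere between the switch and the analyzer."""
    return Counter(name for info in missing.values() for name in info["weirds"])


def _tsv(*rows):
    return "\n".join("\t".join(r) for r in rows)


# Constructed sample logs (trimmed column sets; field names are Bro's own).
HTTP_LOG = _tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "method", "host", "uri", "resp_fuids"),
    ("1439938800.123456", "CY1aBc2dEf3gH", "10.0.0.5", "203.0.113.9", "GET", "dl.example.net", "/tools/setup.exe", "-"),
    ("1439938860.500000", "CY2kLm4nOp5qR", "10.0.0.7", "203.0.113.9", "GET", "dl.example.net", "/update/agent.exe?v=2", "F1xyz"),
    ("1439938900.000000", "CY3sTu6vWx7yZ", "10.0.0.5", "198.51.100.4", "GET", "www.example.com", "/index.html", "F2abc"),
)
FILES_LOG = _tsv(
    ("#fields", "ts", "fuid", "conn_uids", "mime_type", "extracted"),
    ("1439938860.600000", "F1xyz", "CY2kLm4nOp5qR", "application/x-dosexec", "HTTP-F1xyz.exe"),
    ("1439938900.100000", "F2abc", "CY3sTu6vWx7yZ", "text/html", "-"),
)
WEIRD_LOG = _tsv(
    ("#fields", "ts", "uid", "name", "notice"),
    ("1439938800.123000", "CY1aBc2dEf3gH", "possible_split_routing", "F"),
    ("1439938800.130000", "CY1aBc2dEf3gH", "data_before_established", "F"),
)

if __name__ == "__main__":
    missing = find_unlogged_downloads(HTTP_LOG, FILES_LOG, WEIRD_LOG)
    for uid, info in missing.items():
        print(uid, info["uri"], ",".join(info["weirds"]) or "(no weirds)")
    print(dict(weird_counts(missing)))
```

Against real Security Onion logs, feed the function the contents of /nsm/bro/logs/current/http.log, files.log and weird.log; a run where almost every missing download also carries the two weird names points at capture loss rather than at the file-extraction configuration.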

Doug Burks

Aug 18, 2015, 7:04:01 PM8/18/15
to securit...@googlegroups.com
Hi riemann913,

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your
terminal's scroll buffer OR redirect the output of the command to a
file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses,
but there may be additional sensitive info that you still need to
redact manually.

Attach the output to your email in plain text format (.txt) OR use a
service like http://pastebin.com.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

riema...@gmail.com

Aug 19, 2015, 9:43:15 AM8/19/15
to security-onion
Hi Doug,

Thanks for your help! Please find the output of the sostat-redacted command attached.

Regards.

sostat-redacted.txt

Doug Burks

Aug 19, 2015, 9:56:08 AM8/19/15
to securit...@googlegroups.com
Your sostat output shows that eth1 is dropping packets:

eth1 Link encap:Ethernet HWaddr MM:MM:MM:MM:MM:MM
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:858043494 errors:0 dropped:603028 overruns:0 frame:0
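The ifconfig lines quoted above are the decisive evidence in this thread: Bro and PF_RING reported no loss, yet the kernel counted 603028 dropped frames on the monitor NIC. The following added example (not from the thread or from Security Onion's sostat) parses that net-tools style ifconfig output and applies the checks a sensor operator wants on a monitor interface: the interface must be in PROMISC mode, and its RX dropped and errors counters must be zero, because even a small drop ratio is enough to lose the handshake packets of many individual connections. The sample ifconfig text is constructed, reusing the eth1 counters shown above; the eth0 block and its addresses are invented.

```python
"""Sanity-check monitor interfaces from net-tools ifconfig output.

NIC-level 'dropped' counters are maintained by the driver/kernel and are a
different measurement from Bro's own packet-loss statistics, so both need
checking. The ifconfig text below is constructed sample data.
"""
import re

RX_RE = re.compile(r"RX packets:(\d+)\s+errors:(\d+)\s+dropped:(\d+)")


def parse_ifconfig(text):
    """Return {iface: {"packets", "errors", "dropped", "promisc"}} per interface block."""
    stats = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        iface = lines[0].split()[0]
        flags_line = next((l for l in lines if "MTU:" in l), "")
        m = RX_RE.search(block)
        if not m:
            continue  # interface without RX counters (e.g. down)
        stats[iface] = {
            "packets": int(m.group(1)),
            "errors": int(m.group(2)),
            "dropped": int(m.group(3)),
            "promisc": "PROMISC" in flags_line.split(),
        }
    return stats


def monitor_interface_report(stats, monitor_ifaces):
    """For each monitor interface, compute the drop ratio and an ok flag:
    promiscuous, and no RX drops or errors at all."""
    report = []
    for name in monitor_ifaces:
        s = stats[name]
        ratio = s["dropped"] / s["packets"] if s["packets"] else 0.0
        report.append({
            "iface": name,
            "dropped": s["dropped"],
            "drop_ratio": ratio,
            "promisc": s["promisc"],
            "ok": s["promisc"] and s["dropped"] == 0 and s["errors"] == 0,
        })
    return report


# Constructed sample: eth1 counters match the figures quoted in the thread.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1234567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:987654 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr MM:MM:MM:MM:MM:MM
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:858043494 errors:0 dropped:603028 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""

if __name__ == "__main__":
    for r in monitor_interface_report(parse_ifconfig(SAMPLE_IFCONFIG), ["eth1"]):
        print("%(iface)s dropped=%(dropped)d ratio=%(drop_ratio).5f promisc=%(promisc)s ok=%(ok)s" % r)
```

On a live sensor, pipe `ifconfig` (or the relevant part of sostat output) into parse_ifconfig and re-run it a few minutes apart: a dropped counter that keeps climbing while Bro reports zero loss means frames are being lost before Bro ever sees them, on the SPAN port, the virtual switch or the NIC driver.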

riema...@gmail.com

Aug 31, 2015, 6:00:18 PM8/31/15
to security-onion
Sorry for the delayed follow-up. Additional troubleshooting on our end determined we were dropping packets based on how the span port on the switch was configured. File extraction is now working. Thanks for your help!