initconf / CVE-2017-5638_struts

detection for Apache Struts recon and compromise

Errors in reporter.log #2

Closed faulkga closed 7 years ago

faulkga commented 7 years ago

Reporter::ERROR orphan field "do_notice" in initialization ([source=Struts_Script, do_notice=T])

I corrected this for my install by adding: @load policy/frameworks/intel/do_notice

The next might not be related to the Struts script, but seemed to crop up after loading do_notice: Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr]) /bro/share/bro/base/frameworks/intel/./cluster.bro, line 35

I corrected this for my install by adding: @load policy/frameworks/intel/seen

Also seeing a couple of other errors, which I haven't corrected for my install yet:

Reporter::ERROR no such index (Struts::parts[2]) /bro/spool/installed-scripts-do-not-touch/site/CVE-2017-5638_struts-cluster.bro, line 97

Reporter::WARNING non-void function returns without a value: Struts::extract_host (empty)

Reporter::ERROR Bad IP address: aaa.linuxa.club (empty)

The last type of error seems to crop up repeatedly with some of the domains seen in the Struts attempts. The example domain does return an IP for me.

faulkga commented 7 years ago

Line numbers might be slightly off due to adding the 2 @load statements.

initconf commented 7 years ago

I was anticipating this error - Reporter::ERROR Bad IP address: aaa.linuxa.club (empty)

Actually, the initial wgets in the HTTP requests only had IPs, but it was a matter of time before they'd have domains in there. What I am missing is this function: is_valid_ip

I'll update soon and revise a bit more.

initconf commented 7 years ago

@faulkga now I have fixed the issues reported above. Also cleaned up how IP/domains get added to the intel framework from inside.

Please update again.

I just need to check on one more clusterization issue in how domains are resolved and whether we can track the resolved IP to alert on file downloads. I'll notify you once that's double checked.

As of now the script should not give any of these reporter errors anymore.

faulkga commented 7 years ago

Looks like I'm still seeing the following two errors:

Reporter::ERROR no such index (Struts::parts[2]) /bro/spool/installed-scripts-do-not-touch/site/CVE-2017-5638_struts-cluster.bro, line 95

Reporter::WARNING non-void function returns without a value: Struts::extract_host (empty)
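The guards that avoid the three reporter messages in this thread (the orphan do_notice field, the out-of-range parts[2] index, the non-void function without a return, and to_addr on a hostname), written as an added example in Bro 2.5-era script syntax; this is not the repository's own code. The names extract_host and Struts_Script come from the thread, while add_host_intel and intel_source are hypothetical, and the input is assumed to be a scheme-prefixed URL string already pulled out of the request elsewhere.

```zeek
# Added example, not the CVE-2017-5638_struts repository's code.
@load base/frameworks/intel
@load policy/frameworks/intel/do_notice   # defines Intel::MetaData$do_notice

module Struts;

export {
    ## Source label stored in the intel metadata (name taken from the thread).
    const intel_source = "Struts_Script" &redef;

    ## Return the host component of a URL, or "" when there is none.
    global extract_host: function(url: string): string;

    ## Add a host seen in a request to the Intel framework; hypothetical name.
    global add_host_intel: function(url: string): bool;
}

function extract_host(url: string): string
{
    # "http://host:port/path" -> [ "http:", "", "host:port", "path" ].
    # Check the vector length before indexing: parts[2] does not exist for
    # a bare string, which is the "no such index (Struts::parts[2])" error.
    local parts = split_string(url, /\//);
    if ( |parts| < 3 || parts[2] == "" )
        return "";           # every code path returns a value

    # Drop an optional ":port" suffix; split_string1 yields at most 2 parts.
    local hp = split_string1(parts[2], /:/);
    return hp[0];
}

function add_host_intel(url: string): bool
{
    local h = extract_host(url);
    if ( h == "" )
        return F;

    # to_addr() on a hostname raises "Bad IP address", so classify first
    # with the is_valid_ip BIF and pick the matching Intel::Type.
    local itype = is_valid_ip(h) ? Intel::ADDR : Intel::DOMAIN;

    # $do_notice only exists once policy/frameworks/intel/do_notice is loaded.
    Intel::insert([$indicator=h, $indicator_type=itype,
                   $meta=[$source=intel_source, $do_notice=T]]);
    return T;
}
```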