From abinmoozhiyil at tataelxsi.co.in Sun Feb 3 22:25:33 2008
From: abinmoozhiyil at tataelxsi.co.in (Abin Moozhiyil)
Date: Mon, 4 Feb 2008 11:55:33 +0530
Subject: [Bro] Profilers for Bro
Message-ID: <002101c866f6$bf5de990$3521320a@telxsi.com>

Hi,

Currently I'm analysing the pattern matching in the Bro IDS software. I came across several files such as RE.cc, RuleMatcher.cc, PIA.cc etc., but at this point I can't correlate them. Can anybody help me out with the pattern matching in Bro? I would be much obliged even if you could send me some documents regarding pattern matching in Bro.

Thank you,
Abin C. M.

From kelvin at projectrialto.com Fri Feb 8 12:14:41 2008
From: kelvin at projectrialto.com (Kelvin Edmison)
Date: Fri, 8 Feb 2008 15:14:41 -0500
Subject: [Bro] http-protocol.pac parsing error on HTTP 1.1 folded headers
Message-ID:

I've found an interesting binpac parse error when parsing HTTP headers from www.golfsmith.com using http-protocol.pac. The problem is that the golfsmith server is replying with a header that http-protocol.pac is interpreting as corrupt. Here's an example of the golfsmith.com headers:

  HTTP/1.1 200 OK
  Date: Fri, 01 Feb 2008 17:10:30 GMT
  Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6
   DAV/2 PHP/5.2.5
  X-Powered-By: PHP/5.2.5
  Content-Type: text/html

Note the line "DAV/2" that starts with a space. That's where the parsing error occurs. However, it seems like this may actually be legal according to the standards.
RFC2616 section 2.2 indicates that "HTTP/1.1 header field values can be folded onto multiple lines if the continuation line begins with a space or horizontal tab. All linear white space, including folding, has the same semantics as SP. A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream."

According to this section, the www.golfsmith.com header "Server:" is broken across the two lines, and its value is actually "Apache/2.2.6 (Unix) mod_ssl/2.2.6DAV/2 PHP/5.2.5".

Does anyone have ideas on how http-protocol.pac should be modified to handle this situation?

Thanks,
Kelvin Edmison
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080208/29a529fe/attachment.html

From rmkml at free.fr Sun Feb 10 19:54:40 2008
From: rmkml at free.fr (rmkml)
Date: Mon, 11 Feb 2008 04:54:40 +0100 (CET)
Subject: [Bro] Bro132ipv6 SegFault with binpac and dns enabled
Message-ID:

Hi,

When I start bro v1.3.2IPv6 with binpac and the dns option, it segfaults:

  ~/bro132ipv6 --use-binpac -r ~/brodnsbinpacsegfault.pcap bro.init dns
  Segmentation fault

The pcap file is attached (yes, the first packet has a bad checksum).

Platform: Linux Redhat FedoraCore 7 i386, kernel 2.6.23.8-34.fc7

Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: brodnsbinpacsegfault.pcap
Type: application/octet-stream
Size: 210 bytes
Desc:
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080211/f9070cab/attachment.obj

From rmkml at free.fr Mon Feb 18 01:21:35 2008
From: rmkml at free.fr (rmkml)
Date: Mon, 18 Feb 2008 10:21:35 +0100 (CET)
Subject: [Bro] Adding single byte test length on bro
Message-ID:

Hi,

I would like to add a single-byte length test to Bro (like byte_test in Snort). Example:

  snort:                byte_test:1,>,2,0;
                        (offset 0 {last arg}, test 1 byte, match if it is more than 2)
  bro pcre/posix sigs:  payload /^[\x03-\xff]/

This works only for the '<' '>' '=' byte tests (others like & ^ don't work) and only checks one byte.

Any comments? Is anyone adding this option to the snort2bro script?

Regards
Rmkml
Crusoe Researches

From ahutton at lbl.gov Tue Feb 19 11:10:27 2008
From: ahutton at lbl.gov (Anne Hutton)
Date: Tue, 19 Feb 2008 11:10:27 -0800
Subject: [Bro] bro on freebsd 7-RC1
Message-ID: <47BB29A3.8050508@lbl.gov>

Is anyone using bro on freebsd 7-RC1?

thanks,
Anne

--
Anne Hutton
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495-2681

From rmkml at free.fr Thu Feb 21 01:27:39 2008
From: rmkml at free.fr (rmkml)
Date: Thu, 21 Feb 2008 10:27:39 +0100 (CET)
Subject: [Bro] Bro132ipv6 can't detect data on tcp Syn ?
Message-ID:

Hi,

I'm playing with bro, but I don't get an event if a TCP SYN contains data. I run bro with:

  ./bro132ipv6 -C -r broexampletcpsyncontainsdata.pcap -f 'ip or tcp or udp' bro.init weird

The weird.log (and notice.log) file is created but has zero size. Could anyone test with the attached pcap file, please? I tested with another pcap file and got a weird event (a different event than "SYN_with_data").

Bro v1.3.2 (with or without ipv6) on Linux Redhat Fedora Core 7 i386.

Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: broexampletcpsyncontainsdata.pcap
Type: application/octet-stream
Size: 112 bytes
Desc:
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080221/4d343f8d/attachment.obj

From vern at icir.org Thu Feb 21 08:17:58 2008
From: vern at icir.org (Vern Paxson)
Date: Thu, 21 Feb 2008 08:17:58 -0800
Subject: [Bro] Bro132ipv6 can't detect data on tcp Syn ?
In-Reply-To: (Thu, 21 Feb 2008 10:27:39 +0100).
Message-ID: <200802211618.m1LGI3Qj004215@pork.ICSI.Berkeley.EDU>

> weird.log (and notice.log) file is created but zero size,

Looks like this is a bug in the connection compressor. If you run with use_connection_compressor=F then the weird is correctly generated.

		Vern

From robin at icir.org Sat Feb 23 11:07:00 2008
From: robin at icir.org (Robin Sommer)
Date: Sat, 23 Feb 2008 11:07:00 -0800
Subject: [Bro] Adding single byte test length on bro
In-Reply-To:
References:
Message-ID: <20080223190700.GB4368@icir.org>

On Mon, Feb 18, 2008 at 10:21 +0100, rmkml wrote:

> Anyone adding this option on snort2bro script ?

There are actually quite a few newer Snort options which snort2bro doesn't understand as we don't maintain the script anymore. If anyone is game to update the script, that'd be appreciated.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From rmcclel at sandia.gov Sat Feb 23 22:10:36 2008
From: rmcclel at sandia.gov (Mcclelland-Bane, Randy)
Date: Sat, 23 Feb 2008 23:10:36 -0700
Subject: [Bro] Copying bpf buffers into multiple locations
Message-ID:

Has any work been done by the bro team (or others) on copying a single bpf stream into multiple locations with *BSD? I.e. one stream of incoming packets from a NIC gets copied into several virtual locations instead of just your standard "em0" etc. kernel locations. I've been googling for a bit and can't find anything substantial. I've seen some products/vendors that do this on linux, but nothing for BSD.
There used to be the FreeBSD 4.x patches out there for bro, but if I remember correctly those enabled bonding and didn't try to do any copying like I'm describing.

With the advent of more and more processors in multicore silicon, it seems that the bpf buffers could be a bottleneck to multiprocess/thread or "multi-instance" designs. This could enable us to run more cpu intensive instances of bro on a second cpu while the first handles most of the routine traffic on a single machine without getting major packet loss.

Thanks,
Randy

From jean-philippe.luiggi at didconcept.com Sun Feb 24 16:58:59 2008
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Sun, 24 Feb 2008 19:58:59 -0500
Subject: [Bro] Copying bpf buffers into multiple locations
In-Reply-To:
References:
Message-ID: <20080224195859.6a3d6105@mygw.didconcept.com>

On Sat, 23 Feb 2008 23:10:36 -0700
"Mcclelland-Bane, Randy" wrote:

> Has any work been done by the bro team (or others) on copying a
> single bpf stream into multiple locations with *BSD? ie - one stream
> of incoming packets from a NIC gets copied into several virtual
> locations instead of just your standard "em0" etc. kernel locations.
> I've been googling for a bit and can't find anything substantial.
> I've seen some products/vendors that do this on linux, but nothing
> for BSD.
> [...]
>
> Thanks,
>
> Randy
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Hello,

Perhaps "honeymole" will be a solution for you. It's a tool from Honeynet-PT:

  http://www.honeynet.org.pt/index.php/HoneyMole

Here is a brief description:

  Secure Ethernet Bridge over TCP/IP

  The main goal of this tool is to act as a completely Secure Ethernet Bridge over TCP/IP, tunneling in a transparent, safe and easy way, network traffic to a remote location without the need of any kernel patches or modules, or even the need to hide routing in the honeypots. It can be used to easily deploy honeypot farms of distributed honeypots, transporting network traffic to a central honeypot architecture where data collection and analysis will be done. It can also be used as a very simple and efficient VPN (Virtual Private Network) for any other purposes.

Hope this will help.

With regards,
Jean-Philippe.

From rmkml at free.fr Wed Feb 27 01:46:21 2008
From: rmkml at free.fr (rmkml)
Date: Wed, 27 Feb 2008 10:46:21 +0100 (CET)
Subject: [Bro] grp ports variable and dpd on bro not work ?
Message-ID:

Hi,

The Bro IDS is a very good IDPS project!

I'm working on adding Snort/Trons rules to Bro, but I have a small problem. OK, first look at one Bro signature (mysnortrules file):

  signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }

I start bro with:

  bro -C -r exploit_sshgobbles22.pcap -s mysnortrules -f 'ip or tcp or udp' bro.init mt

mt.bro contains dpd, snort...
(not dyn-disable.bro)

Attached are two pcap files:
  a) exploit_sshgobbles22.pcap
  b) exploit_sshgobbles22000.pcap

Bro with dpd detects the ssh connection (client and server), but mysnortrules does not work. If I comment out the port line (#dst-port == ssh_ports), bro alerts (bro uses the default ssh port {22}). If I replace it with (dst-port == 22), bro alerts.

1) Is it possible to detect the GOBBLES alert without fixing the tcp port (and using dpd)?
2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', bro stops with: parse error (on this line) -> maybe in a future bro release? (like http payload)

My tests are on bro v1.3.2 with ipv6 enabled on a Linux Fedora Core 7 i386 platform.

Thanks for any help or comments.

Best Regards
Rmkml
Crusoe Researches
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit_sshgobbles22.pcap
Type: application/octet-stream
Size: 725 bytes
Desc:
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit_sshgobbles22000.pcap
Type: application/octet-stream
Size: 1076 bytes
Desc:
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080227/6fd0baaa/attachment-0001.obj

From robin at icir.org Fri Feb 29 08:52:58 2008
From: robin at icir.org (Robin Sommer)
Date: Fri, 29 Feb 2008 08:52:58 -0800
Subject: [Bro] grp ports variable and dpd on bro not work ?
In-Reply-To:
References:
Message-ID: <20080229165258.GC46099@icir.org>

On Wed, Feb 27, 2008 at 10:46 +0100, you wrote:

> 1) Is it possible to detect the GOBBLES alert without fixing the tcp port (and using dpd)?

This works fine for me:

  > cat test.sig
  signature sid-1812 {
    ip-proto == tcp
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }
  > bro -C -r exploit_sshgobbles22000.pcap -s ./test.sig -f tcp tcp signatures dpd
  1204117394.397943 SensitiveSignature 10.100.11.49: EXPLOIT gobbles SSH exploit attempt

How does your mt.bro look?
> 2) If I replace 'payload /.*GOBBLES/' with 'ssh /.*GOBBLES/', bro stops with: parse error (on this line)
> -> maybe in a future bro release? (like http payload)

What exactly do you want the "ssh" keyword to do? As most of an ssh session is encrypted, it could match only on the first--which is just what payload is doing as well (note that Bro stops processing SSH content after the first line, i.e., payload is not doing any further matching).

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From rmkml at free.fr Fri Feb 29 04:49:31 2008
From: rmkml at free.fr (rmkml)
Date: Fri, 29 Feb 2008 13:49:31 +0100 (CET)
Subject: [Bro] grp ports variable and dpd on bro not work ?
In-Reply-To: <20080229165258.GC46099@icir.org>
References: <20080229165258.GC46099@icir.org>
Message-ID:

Thanks for the reply Robin,

OK, my mt.bro contains, in this example:

  @load alarm
  @load dns-lookup
  @load hot
  @load frag
  @load tcp
  @load scan
  @load weird
  @load finger
  @load ident
  @load ftp
  @load login
  @load portmapper
  @load ntp
  @load tftp
  @load dpd
  @load ssh
  @load irc-bot
  #@load dyn-disable
  @load detect-protocols
  @load site
  @load snort

OK, I understand my problem: in my signature example, dst-port was missing. Please test with this signature:

  signature sid-1812 {
    ip-proto == tcp
    dst-port == ssh_ports
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }

This example does NOT work on the two pcap files. OK, change dst-port:

  signature sid-1812 {
    ip-proto == tcp
    dst-port == 22
    event "EXPLOIT gobbles SSH exploit attempt"
    tcp-state established,originator
    payload /.*GOBBLES/
  }

This example WORKS on the pcap file with ssh on port 22/tcp, but why does ssh_ports not work?
(ssh.log contains ssh_version client/server for the two example pcap files)

  grep ssh_ports policy/*   # default conf:
  policy/ssh.bro:global ssh_ports = { 22/tcp } &redef;
  policy/ssh.bro:redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };

For the second question, thanks for your comments.

Regards
Rmkml
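The following is an added example and not code from this thread, from Bro or from its http-protocol.pac: a small Python parser for an HTTP response head that applies the RFC 2616 section 2.2 folding rule quoted in Kelvin Edmison's message "http-protocol.pac parsing error on HTTP 1.1 folded headers" above. The sample response is constructed from the headers quoted there. A continuation line is joined to the preceding field with the fold replaced by one SP (the RFC text in the thread says folding has the same semantics as SP, so the unfolded Server value reads "mod_ssl/2.2.6 DAV/2"), and a continuation line that has no field to continue is rejected rather than silently attached. The point for an IDS parser is that it must interpret the fold the same way the endpoint does; a parser that drops the message as corrupt, or joins the lines without a separator, sees a different header than the client does, and that difference is an evasion gap. Later HTTP specifications (RFC 7230 section 3.2.4) deprecate this obs-fold and require a server that receives it in a request to either reject the message or replace the fold with SP.

```python
import re

# Constructed sample modelled on the www.golfsmith.com response quoted in the
# thread (not a capture): the Server field is folded, the second line
# starting with a single SP.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 01 Feb 2008 17:10:30 GMT\r\n"
    b"Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6\r\n"
    b" DAV/2 PHP/5.2.5\r\n"
    b"X-Powered-By: PHP/5.2.5\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

_LWS = re.compile(rb"[ \t]+")


class HeaderParseError(ValueError):
    """Raised for a header block the parser refuses to interpret."""


def unfold_header_lines(head):
    """Split a raw header block (without the final blank line) into logical lines.

    RFC 2616 section 2.2: a line beginning with SP or HTAB continues the
    previous field value, and the fold (CRLF plus the leading whitespace)
    has the semantics of a single SP, so that is what it is replaced with.
    """
    logical = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            if not logical:
                # Nothing to continue: refuse instead of guessing.
                raise HeaderParseError("continuation line before any field")
            logical[-1] = logical[-1] + b" " + line.lstrip(b" \t")
        else:
            logical.append(line)
    return logical


def parse_response_head(data):
    """Parse the status line and headers of an HTTP/1.x response.

    Returns (status_line, headers) with header names lower-cased and all
    linear white space inside values collapsed to one SP.
    """
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderParseError("end of headers not found")
    lines = unfold_header_lines(head)
    status_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or _LWS.search(name):
            raise HeaderParseError("malformed header line: %r" % line)
        value = _LWS.sub(b" ", value).strip(b" ")
        headers[name.lower().decode("ascii")] = value.decode("latin-1")
    return status_line, headers


def is_malformed(data):
    """True if parse_response_head() rejects the given bytes."""
    try:
        parse_response_head(data)
    except HeaderParseError:
        return True
    return False


if __name__ == "__main__":
    status, hdrs = parse_response_head(SAMPLE_RESPONSE)
    print(status)
    for name, value in hdrs.items():
        print("%s: %s" % (name, value))
```

Running the block prints the unfolded Server value with a single space between "mod_ssl/2.2.6" and "DAV/2". The same parser applied to a request side would be the place to decide between rejecting and unfolding; whichever is chosen, the IDS and the server it protects should make the same choice.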
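An added example, not part of Bro, Snort or the snort2bro script: a Python helper that converts a single-byte Snort byte_test (the case rmkml raised in "Adding single byte test length on bro" above, which Robin Sommer noted snort2bro does not handle) into a Bro signature payload regex of the form rmkml showed, /^[\x03-\xff]/. It goes a little beyond the '<', '>' and '=' cases in the thread: a one-byte test is just a predicate over 256 values, so any operator, including & and ^ and the '!' negation, can be compiled to a character class by enumerating the bytes that satisfy it. The offset becomes a fixed-width skip from the start of the payload. Two assumptions are mine, not the thread's: that & and ^ succeed when the bitwise result is non-zero (my reading of the Snort manual; check it against the Snort version whose rules you convert), and that the signature regex engine accepts \x escapes and {n} repetition, as rmkml's own example implies for \x.

```python
import re

# Grammar for the four mandatory byte_test arguments:
#   byte_test:<bytes>,[!]<operator>,<value>,<offset>;
# Modifiers (relative, endianness, string conversion) are deliberately not
# accepted: they have no direct single-regex equivalent.
_BYTE_TEST = re.compile(
    r"^byte_test\s*:\s*(?P<nbytes>\d+)\s*,\s*(?P<neg>!?)\s*(?P<op>[<>=&^])?\s*,\s*"
    r"(?P<value>0x[0-9a-fA-F]+|\d+)\s*,\s*(?P<offset>\d+)\s*;?$"
)


def _holds(op, value, byte):
    """Evaluate one byte against a byte_test operator.

    Assumption (check against your Snort version): '&' and '^' succeed when
    the bitwise result is non-zero.
    """
    if op == "<":
        return byte < value
    if op == ">":
        return byte > value
    if op == "=":
        return byte == value
    if op == "&":
        return (byte & value) != 0
    if op == "^":
        return (byte ^ value) != 0
    raise ValueError("unknown byte_test operator %r" % op)


def _byte_class(values):
    """Render a sorted list of byte values as a regex character class.

    Runs are collapsed into ranges and every byte is written as \\xNN so
    nothing inside the brackets needs special escaping.
    """
    ranges = []
    start = prev = values[0]
    for b in values[1:]:
        if b == prev + 1:
            prev = b
        else:
            ranges.append((start, prev))
            start = prev = b
    ranges.append((start, prev))
    parts = ["\\x%02x" % lo if lo == hi else "\\x%02x-\\x%02x" % (lo, hi)
             for lo, hi in ranges]
    return "[" + "".join(parts) + "]"


def byte_test_to_payload(option):
    """Convert a single-byte Snort byte_test option to a Bro 'payload' regex.

    The offset is a fixed-width skip from the start of the payload written as
    [\\x00-\\xff]{n} rather than .{n}, so that newline bytes are skipped too.
    """
    m = _BYTE_TEST.match(option.strip())
    if not m:
        raise ValueError("unsupported byte_test form: %r" % option)
    if int(m.group("nbytes")) != 1:
        raise ValueError("only 1-byte tests can be expressed as a character class")
    if not m.group("neg") and not m.group("op"):
        raise ValueError("byte_test needs an operator")
    op = m.group("op") or "="          # a bare '!' means 'not equal'
    negate = m.group("neg") == "!"
    raw = m.group("value")
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    offset = int(m.group("offset"))

    # A one-byte predicate is fully described by the set of bytes it accepts.
    accepted = [b for b in range(256) if _holds(op, value, b) != negate]
    if not accepted:
        raise ValueError("test can never match a single byte")
    skip = "[\\x00-\\xff]{%d}" % offset if offset else ""
    return "/^" + skip + _byte_class(accepted) + "/"


if __name__ == "__main__":
    for opt in ("byte_test:1,>,2,0;", "byte_test:1,&,0x80,0;", "byte_test:1,=,5,3;"):
        print("%-24s payload %s" % (opt, byte_test_to_payload(opt)))
```

The first line of the usage output reproduces rmkml's example, payload /^[\x03-\xff]/. Multi-byte tests are refused on purpose: a comparison over two or more bytes is not a single character class, and expanding it would need one alternative per accepted value, which is the kind of regex blow-up a converter should flag for a human rather than emit.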