From joey at SiliconDefense.com Mon Oct 4 09:49:08 1999
From: joey at SiliconDefense.com (Joey McAlerney)
Date: Mon, 04 Oct 1999 17:49:08 +0100
Subject: Bro 0.6 and empty const values
Message-ID: <37F8DA84.B88584F4@SiliconDefense.com>

Hello,

I am working with Bro 0.6 at the moment, and have run into an issue. In the policy scripts, there are a number of const values that contain machines that do not exist in our network, or machines that we are not interested in (e.g., non_ASCII_hosts in login.bro). Is there a way to specify that the const value is empty where it is declared? For example, if our network does not have an ftp_server running, can we assign a value to the line,

    const ftp_servers = { ??? };

that will allow Bro to run, and avoid parsing errors? I bring this up because currently I am commenting some const values out, and any reference to them in the scripts that depend on them. My intuition tells me there must be another way.

One more thing. I was unable to subscribe to this mailing list via bro-subscribe at lbl.gov. lbl.gov responds with a "use unknown" reply. If anyone knows why this is, I would appreciate the information.

Thanks,

-- 
Joey McAlerney
Silicon Defense

From vern at ee.lbl.gov Tue Oct 5 10:50:06 1999
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 05 Oct 1999 10:50:06 PDT
Subject: Bro 0.6 and empty const values
In-Reply-To: Your message of Mon, 04 Oct 1999 17:49:08 PDT.
Message-ID: <199910051750.KAA28754@daffy.ee.lbl.gov>

> Is there a way to
> specify that the const value is empty where it is declared?

Yes, but in that case you have to specify a type for the variable, too, since Bro can't infer it. So, for example:

    const ftp_servers: set[addr];

With the 0.7 release, there will be significantly smoother support for defining things like the above and overriding them. For example, you'll be able to do:

    const ftp_servers: set[addr] &redef;   # &redef = it's okay to redefine
    ...
    const ftp_servers += { webfarm.myorg.org, webfarm2.myorg.org };
    ...
    const ftp_servers += { departmental.ftp.myorg.org };
    ...
    # Don't consider webfarm.myorg.org an FTP server for our particular
    # local policy.
    const ftp_servers -= { webfarm.myorg.org };

and at the end of this ftp_servers is initialized to { webfarm2.myorg.org, departmental.ftp.myorg.org }.

> One more thing. I was unable to subscribe to this mailing list via
> bro-subscribe at lbl.gov. lbl.gov responds with a "use unknown" reply. If
> anyone knows why this is, I would appreciate the information.

The mailing list is now run by majordomo. To get on it, send a message to majordomo at listserv.lbl.gov with the *body* "subscribe bro". If you found stale information somewhere that said to try bro-subscribe at lbl.gov, please let me know.

        Vern

From genie at qsar.chem.msu.su Tue Oct 5 13:40:01 1999
From: genie at qsar.chem.msu.su (Eugene Radchenko)
Date: Wed, 6 Oct 1999 00:40:01 +0400
Subject: Event signatures
References: <199910051750.KAA28754@daffy.ee.lbl.gov>
Message-ID: <027501bf0f7c$4c3709e0$ae30fa9e@genie>

Hi!

I wonder if there is a repository of attack signatures (e.g., for various NetBIOS/SMB-based attacks) that can be added to Bro. If not, maybe we should start one?

Thanks a lot
Genie

From joey at SiliconDefense.com Tue Oct 5 07:19:15 1999
From: joey at SiliconDefense.com (Joey McAlerney)
Date: Tue, 05 Oct 1999 15:19:15 +0100
Subject: bro: pcap_compile: parse error
Message-ID: <37FA08E3.5D9B2C0E@SiliconDefense.com>

Hello,

I am having some trouble tracking down the source of this error. It occurs when I run Bro 0.6 like so:

    bro-pub-0.6% bro -f "myFilter" -i lo mt
    bro: pcap_compile: parse error
    bro-pub-0.6%

The parse error is coming from libpcap's grammar.c, but the reason for the parse error is unknown. The contents of "myFilter" are the standard filter that was described in the README of Bro 0.6. I have tried many other simple filters, but none seem to work. Bro will run without the -f option, but of course, it won't pick anything up.
Can anyone explain what is going on, or suggest a place I could try looking? Thank you very much for any help.

-- 
Joey McAlerney
Silicon Defense
http://www.silicondefense.com

From vern at ee.lbl.gov Tue Oct 5 16:40:56 1999
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 05 Oct 1999 16:40:56 PDT
Subject: bro: pcap_compile: parse error
In-Reply-To: Your message of Tue, 05 Oct 1999 15:19:15 PDT.
Message-ID: <199910052340.QAA00641@daffy.ee.lbl.gov>

> bro-pub-0.6% bro -f "myFilter" -i lo mt

-f specifies the filter itself, not a file containing the filter.

        Vern

From vern at ee.lbl.gov Wed Oct 6 01:46:41 1999
From: vern at ee.lbl.gov (Vern Paxson)
Date: Wed, 06 Oct 1999 01:46:41 PDT
Subject: Event signatures
In-Reply-To: Your message of Wed, 06 Oct 1999 00:40:01 PDT.
Message-ID: <199910060846.BAA02582@daffy.ee.lbl.gov>

> I wonder if there is a repository of attack signatures (e.g., for various
> NetBIOS/SMB-based attacks) that can be added to Bro.
> If not, maybe we should start one?

Bro isn't quite attack-signature based but rather event-pattern based, but modulo that nit, the only such repository right now is embodied in the sample policy scripts distributed with the alpha release. It would be terrific if the community starts working on sets of Bro attack patterns - that's long been my hope, though I've realized it won't really start until there's a user manual (which I'm working on but is very slow in coming).

        Vern

From iss at giasbg01.vsnl.net.in Tue Oct 19 02:16:27 1999
From: iss at giasbg01.vsnl.net.in (Intelligent Software Solutions Pvt.Ltd)
Date: Tue, 19 Oct 1999 14:16:27 +0500
Subject: "subscribe"
Message-ID: <3.0.2.32.19991019141627.006ae9ec@giasbg01.vsnl.net.in>

Sir,

This is a request for enrolling us into the mailing list for the BRO package.

Thank You.
Regards,
gurucharan [for ISS]

From iss at giasbg01.vsnl.net.in Tue Oct 19 02:26:20 1999
From: iss at giasbg01.vsnl.net.in (Intelligent Software Solutions Pvt.Ltd)
Date: Tue, 19 Oct 1999 14:26:20 +0500
Subject: Regarding: Documentation on the BRO package.
Message-ID: <3.0.2.32.19991019142620.00687e2c@giasbg01.vsnl.net.in>

Sir,

We have installed the BRO package on our Solaris system. We have a "bro-usenix98-revised2.ps" file. Please let us know if there is any more documentation for the BRO package.

Thank You.

Regards,
ISS

From vern at ee.lbl.gov Tue Oct 19 16:41:31 1999
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 19 Oct 1999 16:41:31 PDT
Subject: Regarding: Documentation on the BRO package.
In-Reply-To: Your message of Tue, 19 Oct 1999 14:26:20 PDT.
Message-ID: <199910192341.QAA02697@daffy.ee.lbl.gov>

> We have installed the BRO package on our Solaris system. We have a
> "bro-usenix98-revised2.ps" file. Please let us know if there is any more
> documentation for the BRO package.

All the available documentation is included with the distribution.

        Vern

From vlad at cipher.kiev.ua Mon Oct 25 07:21:59 1999
From: vlad at cipher.kiev.ua (Vlad Kushka)
Date: Mon, 25 Oct 1999 16:21:59 +0200
Subject: hostname
Message-ID: <38146787.79491083@cipher.kiev.ua>

Hello, all!

I think that there should be some way to localize information about hostnames of machines involved in the policies. It is rather difficult to navigate through lots of policy files.

Question: How can I know that bro works properly? As far as I remember, I didn't install additional required libs, but it works. After checking policy files, it told that it's listening on interface ed0. Can I be sure that it is true?

Vlad Kushka

From vern at ee.lbl.gov Mon Oct 25 22:42:06 1999
From: vern at ee.lbl.gov (Vern Paxson)
Date: Mon, 25 Oct 1999 22:42:06 PDT
Subject: hostname
In-Reply-To: Your message of Mon, 25 Oct 1999 16:21:59 PDT.
Message-ID: <199910260542.WAA24934@daffy.ee.lbl.gov>

> I think that there should be some way to localize information about
> hostnames of machines involved in the policies. It is rather difficult
> to navigate through lots of policy files.

Yes, I strongly agree. There will be features in the 0.7 release for doing just this.

> Question: How can I know that bro works properly? As far as I remember, I
> didn't install additional required libs, but it works.

Many systems come with the required library (libpcap) already installed.

> After checking
> policy files, it told that it's listening on interface ed0. Can I be sure
> that it is true?

You can believe the interface it claims to be listening on, that code is copied straight from tcpdump. To test it, create a connection that should be observed from the interface, terminate it, and see if Bro records it in the red.* output file.

        Vern
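Following up the "pcap_compile: parse error" exchange earlier in this archive (Joey's `bro -f "myFilter"` and Vern's answer that -f takes the filter expression itself, not a file name): an added POSIX shell example, not code from the thread or from the Bro distribution, showing how to keep a filter in a file and still hand the expression to -f, with the file checked before Bro is started. The helper names, the "#" comment convention and the sample filter contents are assumptions; the thread never shows the real contents of "myFilter".

```shell
#!/bin/sh
# Added example (not from the thread or from Bro). "bro -f myFilter" passes the
# literal word "myFilter" to libpcap, which is not valid filter syntax, hence
# "pcap_compile: parse error". To keep the filter in a file anyway, read the
# file into the -f argument and validate it first. Helper names are assumed.

# bro_filter_expr FILE: print FILE as a one-line BPF expression. Drops "#"
# comments (a convention assumed here), joins continuation lines, collapses
# whitespace, and fails with status 1 if the file is unreadable or empty, so
# a bad file is reported here rather than as a cryptic libpcap parse error.
bro_filter_expr() {
    file=$1
    [ -r "$file" ] || { echo "bro_filter_expr: cannot read '$file'" >&2; return 1; }
    filt=$(sed -e 's/#.*$//' "$file" | tr '\n\t' '  ' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//')
    [ -n "$filt" ] || { echo "bro_filter_expr: '$file' contains no filter" >&2; return 1; }
    printf '%s\n' "$filt"
}

# run_bro_with_filter_file FILE [bro args...]: the corrected invocation,
# e.g.  run_bro_with_filter_file myFilter -i lo mt
run_bro_with_filter_file() {
    filt=$(bro_filter_expr "$1") || return 1
    shift
    bro -f "$filt" "$@"
}

# demo: write a constructed multi-line filter file, convert it, clean up.
demo() {
    f=${TMPDIR:-/tmp}/myFilter.$$
    cat > "$f" <<'EOF'
# FTP and telnet control channels, plus TCP SYN/FIN/RST packets
tcp port 21 or tcp port 23 or
tcp[13] & 7 != 0
EOF
    out=$(bro_filter_expr "$f")
    status=$?
    rm -f "$f"
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$out"
}

# demo_empty: an empty filter file is rejected before bro is ever started.
demo_empty() {
    f=${TMPDIR:-/tmp}/emptyFilter.$$
    : > "$f"
    bro_filter_expr "$f" 2>/dev/null
    status=$?
    rm -f "$f"
    return $status
}
```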