From trinhtuan at hn.vnn.vn Tue Nov 6 01:35:54 2001
From: trinhtuan at hn.vnn.vn (Trinh Anh Tuan)
Date: Tue, 6 Nov 2001 16:35:54 +0700
Subject: How can I do report cyclically
References: <200107180725.f6I7PH106093@daffy.ee.lbl.gov>
Message-ID: <001201c166a6$a1d54f00$051a19ac@cfti.edu.vn>

Hello,

I would like to have cyclic reports of my network usage besides the intrusion detection, so I have a short script like the attached file. Unfortunately, Bro seems to do nothing with reporting. It isn't documented, so can you draw me a way of doing that?

Cordially,

---------------------------------------------------------------------------------
Trinh Anh Tuan - CMO/CFTI
Ministry of Science, Technologies and Environment
25 Le Thanh Tong Str.,
Tel.: (84-4) 8541197 -- Fax: (84-4) 8548187
Handphone: (84-4) 913-323266
---------------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ShowFilter.bro
Type: application/octet-stream
Size: 686 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20011106/f554804a/attachment.obj

From vern at aciri.org Fri Nov 9 00:49:08 2001
From: vern at aciri.org (Vern Paxson)
Date: Fri, 09 Nov 2001 00:49:08 -0800
Subject: How can I do report cyclically
In-Reply-To: Your message of Tue, 06 Nov 2001 16:35:54 +0700.
Message-ID: <200111090849.fA98n8l71638@yak.aciri.org>

> I would like to have cyclic reports of my network usage besides the
> intrusion detection, so I have a short script like the attached file.
> Unfortunately, Bro seems to do nothing with reporting. It isn't documented, so
> can you draw me a way of doing that?

Your script has the right idea. The main thing missing is that "schedule" only schedules an event to occur once, so you need to reschedule it if you want it to repeat. So change:

	event report_status()
		{
		local res = resource_usage();
		log fmt("Up time: %s; Max used memory ..."
		}

to:

	event report_status()
		{
		local res = resource_usage();
		log fmt("Up time: %s; Max used memory ..."

		# Re-arm the timer: "schedule" fires once, so the handler
		# must schedule itself again to run periodically.
		schedule +1min { report_status() };
		}

The other problem you may be running into is that Bro uses the timestamps of the incoming packet stream as its clock. So if the packet filter isn't accepting any packets, then "time" doesn't in fact advance, and timers don't expire. (Clearly, this is a deficiency.) So that may be why you never got any output at all.

Also, a note. You extended the existing bro_init() to schedule the event:

	event bro_init()
		{
		if ( restrict_filter == "" && capture_filter == "" )
			print "tcp or not tcp";
		else if ( restrict_filter == "" )
			print capture_filter;
		else if ( capture_filter == "" )
			print restrict_filter;
		else
			print fmt("(%s) and (%s)", capture_filter, restrict_filter);

		schedule +1 min { report_status() };
		}

but it works just as well to instead define a *new* bro_init event handler:

	event bro_init()
		{
		schedule +1 min { report_status() };
		}

This handler will be invoked *in addition* to the already existing one.

		Vern

From zhangtao at cc.gatech.edu Mon Nov 12 10:49:27 2001
From: zhangtao at cc.gatech.edu (Tao Zhang)
Date: Mon, 12 Nov 2001 13:49:27 -0500
Subject: evaluation of bro
Message-ID: <01fc01c16baa$c1fb78a0$7fc3acac@warmice>

Hi, folks:

I am in a project in which we will do experiments and evaluate Bro's performance. I think many of you have done similar work; could you give me some useful pointers and references? Then I can continue my work on the basis of others'.

Many thanks!

Tao Zhang

From zhangtao at cc.gatech.edu Mon Nov 19 17:36:56 2001
From: zhangtao at cc.gatech.edu (Tao Zhang)
Date: Mon, 19 Nov 2001 20:36:56 -0500 (EST)
Subject: finger and port scan test to bro
Message-ID:

Hi, folks:

I have installed Bro and done some experiments on it. I connected my desktop and laptop and set up a tiny LAN. Bro runs on the laptop (RH7.1) and I use the desktop (Windows 2000) to attack Bro.
I tried to perform a finger test against Bro (running with the policy file finger.bro). I sent finger requests to the laptop from that desktop, but Bro gave no notification on the screen even when I fingered some hot names, like

	finger root@192.168.1.2

And I tried to perform a port scan against Bro too; it gave no notification either (running with the policy file scan.bro). I think it should, according to the documentation. Could anybody give some possible reasons?

Many thanks.

Tao Zhang

-Tao Zhang (zhangtao at cc.gatech.edu)

From vern at aciri.org Tue Nov 20 00:03:41 2001
From: vern at aciri.org (Vern Paxson)
Date: Tue, 20 Nov 2001 00:03:41 -0800
Subject: finger and port scan test to bro
In-Reply-To: Your message of Mon, 19 Nov 2001 20:36:56 EST.
Message-ID: <200111200803.fAK83fl02228@yak.aciri.org>

The most likely problem is that you're not specifying what network interface to read from, using either -i or the "interfaces" policy variable. If you don't, then Bro doesn't read any network traffic.

If you are, then the next thing to do is to record the network traffic using

	tcpdump -s 8192 -w trace.file

and then (once you verify that the traffic was properly captured) running Bro from that file using

	bro -r trace.file mt.bro

		- Vern

From pierfrancesco_porcu at libero.it Tue Nov 20 06:24:24 2001
From: pierfrancesco_porcu at libero.it (pierfrancesco_porcu at libero.it)
Date: Tue, 20 Nov 2001 15:24:24 +0100
Subject: missing documentation
Message-ID:

Hi,

I'm using Bro version 0.7a90. I have read the documentation to learn how the scripts work, and made some changes to adapt the analyzers to the network configuration. But the documentation is missing for 4 scripts: code-red, backdoor, stepping and intercon. The first and the second are easy enough to understand; for the third I found on the Internet your document "Detecting Stepping Stones", which I think may help me. The problem is the fourth: what is it for, and how does it work?

Thanks.

Pierfrancesco Porcu.
From vern at aciri.org Sat Nov 24 00:11:20 2001
From: vern at aciri.org (Vern Paxson)
Date: Sat, 24 Nov 2001 00:11:20 -0800
Subject: missing documentation
Message-ID: <200111240811.fAO8BKl87265@yak.aciri.org>

> I'm using Bro version 0.7a90. I have read the documentation to learn how
> the scripts work, and made some changes to adapt the analyzers to the network
> configuration. But the documentation is missing for 4 scripts:
> code-red, backdoor, stepping and intercon.

code-red (which is renamed "worm" in subsequent releases, but 0.7a90 is still the latest public release) was added recently, and hasn't yet been documented. backdoor, stepping, and interconn are experimental Bro features (corresponding to the "Detecting Backdoors" and "Detecting Stepping Stones" papers in doc/), which likewise haven't yet been documented.

> The problem is the fourth: what is it for, and how does it work?

interconn implements the generic "interactive connection" backdoor detector described in the Detecting Backdoors paper. It's not supported. If you want to play with it, "@load interconn" should suffice to activate it, and it will log apparent interactive backdoors to interconn.$BRO_ID. I don't currently use it operationally (I do use code-red, backdoor, and stepping), so it may not work properly due to bit-rot.

		Vern
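The capture-and-replay procedure Vern suggests in the "finger and port scan test" thread above (record with tcpdump -s 8192 -w, verify the capture, replay with bro -r), written out as an added shell example. This is not code from the list or from the Bro distribution. The sanity check uses only od and wc so it runs where tcpdump is absent; the sample trace it writes is a constructed minimal pcap (one dummy Ethernet frame); the interface, trace and policy file names passed to replay_trace are assumptions, and the -c 1000 packet limit is an added convenience so the capture stops by itself.

```shell
#!/bin/sh
# Added example (not from the bro list or the Bro distribution): check that a
# tcpdump capture actually contains packets before replaying it with "bro -r".

# Constructed sample input: a minimal pcap file. 24-byte global header
# (little-endian magic 0xa1b2c3d4, version 2.4, thiszone 0, sigfigs 0,
# snaplen 8192, linktype 1 = Ethernet), then one 16-byte record header
# (ts 1.000000, incl_len = orig_len = 14) and a 14-byte dummy Ethernet frame
# (broadcast dst, src 00:11:22:33:44:55, ethertype 0x0800).
make_sample_pcap() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\040\000\000\001\000\000\000' > "$1"
  printf '\001\000\000\000\000\000\000\000\016\000\000\000\016\000\000\000' >> "$1"
  printf '\377\377\377\377\377\377\000\021\042\063\104\125\010\000' >> "$1"
}

# Succeed only if $1 starts with a pcap magic number and carries at least one
# packet record after the 24-byte global header; print the packet-data byte
# count. A header-only file is the usual symptom of capturing on the wrong
# interface (or of Bro never being told which interface to read).
pcap_sanity() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "$f: empty or missing (did tcpdump run with -w on the right interface?)" >&2
    return 1
  fi
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) ;;   # usec/nsec magic, either byte order
    *) echo "$f: not a pcap file (magic $magic)" >&2; return 1 ;;
  esac
  size=$(wc -c < "$f" | tr -d ' ')
  if [ "$size" -le 24 ]; then
    echo "$f: pcap header only, no packets captured" >&2
    return 1
  fi
  echo "$((size - 24))"
}

# Record a bounded capture on an interface, verify it, then replay it into Bro
# offline. Arguments are placeholders (e.g. replay_trace eth0 trace.file mt.bro);
# tcpdump and bro are assumed to be in PATH.
replay_trace() {
  iface="$1"; trace="$2"; policy="$3"
  tcpdump -i "$iface" -s 8192 -c 1000 -w "$trace"   # stop after 1000 packets
  pcap_sanity "$trace" > /dev/null || return 1
  bro -r "$trace" "$policy"
}
```

Running pcap_sanity before bro -r separates "Bro saw the traffic and said nothing" from "nothing was captured", which are the two failure modes Vern's reply distinguishes; on the constructed sample it reports 30 bytes of packet data (one 16-byte record header plus the 14-byte frame).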