From jh0u at hotmail.com Mon Jun 3 14:49:23 2002
From: jh0u at hotmail.com (jd ls)
Date: Mon, 03 Jun 2002 14:49:23 -0700
Subject: bro ntp attack
Message-ID:

hi, can someone please describe and explain how the ntp attack works? bro
has it under its "example attacks" directory... thanks in advance


From yxr72 at 371.net Wed Jun 12 20:46:42 2002
From: yxr72 at 371.net (yxr72 at 371.net)
Date: Thu, 13 Jun 2002 11:46:42 +0800 (CST)
Subject: how to realize alert in real time
Message-ID: <6529751.1023940002648.NetDao.naisamail@app2>

hello, everybody here, I am a beginner of Bro, I have a question, hope
someone can help me. Thanks.

According to some literature, "bro can make intrusion announcement in
real time", but when I try to run bro, I don't find how to realize this
function, I only can create some logfiles. And, if it does this as said,
what is the form of alert?

Thank you very much.

sara young


From vern at icir.org Fri Jun 21 22:52:00 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 21 Jun 2002 22:52:00 -0700
Subject: bro ntp attack
In-Reply-To: Your message of Mon, 03 Jun 2002 14:49:23 PDT.
Message-ID: <200206220552.g5M5q0O86548@yak.icir.org>

[sorry this took me so long to reply to]

> hi, can someone please describe and explain how the ntp attack works? bro
> has it under it's "example attacks" directory...

It's a buffer overflow attack. The common NTP implementation has an upper
bound on the size of a message it expects to receive.

Vern


From vern at icir.org Fri Jun 21 23:39:40 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 21 Jun 2002 23:39:40 -0700
Subject: how to realize alert in real time
In-Reply-To: Your message of Thu, 13 Jun 2002 11:46:42 +0800.
Message-ID: <200206220639.g5M6deO87464@yak.icir.org>

> According to some literature, "bro can make intrusion announcement in
> real time", but when I try to run bro, I don't find how to realize this
> function, I only can create some logfiles.

The "log" statement logs a string via syslog(). The system() function
invokes an arbitrary shell command.

> And, if it do this as said,
> what is the form of alert?

Just a string. Recently, Umesh Shankar has added a framework of
"attributes", i.e., additional information associated with values, and the
main impetus behind this has been to add structure to Bro alerts, since
that's really needed so they can be better filtered/post-processed/etc.
It will be in the next major release of Bro, which I'm aiming to have out
in August.

Vern


From crd at cert.org Fri Jun 28 14:40:02 2002
From: crd at cert.org (Chad Dougherty)
Date: Fri, 28 Jun 2002 17:40:02 -0400
Subject: CERT Advisory CA-2002-19
Message-ID: <3D1CD7B2.18C56D4@cert.org>

Just a heads-up,

Since Bro includes resolver code from the BIND distribution, I believe it
will need to pick up patches for the vulnerabilities described in

http://www.cert.org/advisories/CA-2002-19.html

-Chad
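Vern's reply earlier in this thread says the "ntp attack" in Bro's example directory is a buffer overflow that relies on the NTP daemon assuming an upper bound on message size. The script below is an added example, written for this archive page and not taken from Bro or from its example attack trace: it decodes the NTP mode from the first header byte and flags datagrams whose length exceeds a per-mode bound, which is the kind of check a monitor would apply to spot oversized NTP messages. The per-mode bounds, the sample datagrams and the source addresses are all constructed assumptions; the 48-byte fixed header comes from the NTP specification.

```python
"""Flag NTP datagrams whose length exceeds what a daemon is expected to accept.

Added example for the Bro mailing-list thread above; not Bro's own code.
The detection idea follows the thread: the attack is a buffer overflow
against an NTP implementation that assumes an upper bound on message size,
so an oversized message for a given NTP mode is the thing worth alerting on.
"""

NTP_BASE_LEN = 48  # fixed NTP header: 48 bytes (RFC 1305 / RFC 5905)

# Assumed per-mode upper bounds (policy choices, not protocol constants):
# time-sync modes 1-5 may carry a 20-byte MD5 MAC after the header (68 bytes);
# control (6) and private (7) messages are variable length, so their bound is
# something a deployment would tune. Mode 0 is reserved and has no entry.
DEFAULT_MAX_LEN = {1: 68, 2: 68, 3: 68, 4: 68, 5: 68, 6: 512, 7: 512}


def parse_ntp_header(payload):
    """Decode leap indicator, version and mode from the first NTP byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return {
        "leap": first >> 6,            # bits 7-6
        "version": (first >> 3) & 0x7,  # bits 5-3
        "mode": first & 0x7,           # bits 2-0
        "length": len(payload),
    }


def check_ntp_message(payload, max_len=DEFAULT_MAX_LEN):
    """Return the parsed header plus a 'suspicious' flag and the reasons."""
    hdr = parse_ntp_header(payload)
    reasons = []
    bound = max_len.get(hdr["mode"])
    if bound is None:
        reasons.append(f"reserved mode {hdr['mode']}")
    elif hdr["length"] > bound:
        reasons.append(
            f"length {hdr['length']} exceeds bound {bound} for mode {hdr['mode']}"
        )
    # Time-sync modes always carry the full 48-byte header; anything shorter
    # is malformed and worth recording too.
    if hdr["mode"] in (1, 2, 3, 4, 5) and hdr["length"] < NTP_BASE_LEN:
        reasons.append(
            f"length {hdr['length']} shorter than the {NTP_BASE_LEN}-byte header"
        )
    hdr["reasons"] = reasons
    hdr["suspicious"] = bool(reasons)
    return hdr


def scan_datagrams(datagrams):
    """Return one alert string per suspicious (source, payload) pair."""
    alerts = []
    for src, payload in datagrams:
        result = check_ntp_message(payload)
        if result["suspicious"]:
            alerts.append(f"{src}: " + "; ".join(result["reasons"]))
    return alerts


# Constructed sample datagrams (not captured traffic).
CLIENT_REQUEST = bytes([0x1B]) + bytes(47)  # LI 0, VN 3, mode 3, 48 bytes
OVERSIZED = bytes([0x1B]) + b"A" * 600      # same header, 601 bytes total
CONTROL_MSG = bytes([0x16]) + bytes(11)     # VN 2, mode 6, 12-byte control header

SAMPLE = [
    ("10.0.0.5", CLIENT_REQUEST),  # constructed source addresses
    ("10.0.0.9", OVERSIZED),
    ("10.0.0.7", CONTROL_MSG),
]

if __name__ == "__main__":
    for line in scan_datagrams(SAMPLE):
        print(line)
```

Only the 601-byte mode-3 datagram trips the check; the ordinary 48-byte client request and the short mode-6 control message pass. Note that "just a string" alert, as Vern describes Bro's own output at the time, is what scan_datagrams produces as well; giving it structure (source, mode, length as separate fields, as the returned dictionary already has) is what makes the result filterable downstream.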