From andersonlee2002 at hotmail.com Fri Jan 3 07:00:11 2003
From: andersonlee2002 at hotmail.com (Anderson Lee)
Date: Fri, 03 Jan 2003 23:00:11 +0800
Subject: about

Happy new year!

I ran "bro -i eth0 mt" and get the output like below. The connection records to/from my host (10.1.2.233) can be correctly shown, while the connections between other hosts (also in my network) can not show all information, such as src_bytes and dst_bytes; instead of a number it shows "?". Could anybody help me with this? Thanks.

1041604868.758042 3.79266 http 451 2395 218.28.2.42 10.1.2.233 SF X
1041604872.295685 1.86815 http 280 755 218.28.2.42 10.1.2.233 SF X
1041604881.820833 1.68025 http 599 1080 218.28.2.42 10.1.2.233 SF X
1041604883.506178 1.72534 http 349 1511 218.28.2.42 10.1.2.233 SF X
1041604588.107852 ? ftp ? ? 10.1.2.251 10.1.2.28 S0 X
                  ~~~   ~~~~~
1041604885.235685 3.36285 http 496 25088 218.28.2.42 10.1.2.233 SF X
1041604888.655954 2.02467 http 282 755 218.28.2.42 10.1.2.233 SF X
1041604600.325944 ? http ? ? 10.1.2.168 10.1.201.128 S0 X
                  ~~     ~~~~

From vern at icir.org Fri Jan 3 10:02:49 2003
From: vern at icir.org (Vern Paxson)
Date: Fri, 03 Jan 2003 10:02:49 -0800
Subject: about
In-Reply-To: Your message of Fri, 03 Jan 2003 23:00:11 +0800.
Message-ID: <200301031802.h03I2n3I061610@jaguar.icir.org>

> While the connection
> between other hosts (also in my network) can not show all information, such
> as src_bytes and dst_bytes; instead of a number it shows "?".

The key for those connections is their status. In this case, it is S0:

> 1041604588.107852 ? ftp ? ? 10.1.2.251 10.1.2.28 S0 X
>                   ~~~   ~~~~~
>                                                  ^^

which (as explained in doc/conn-logs) means "no answer". Because there was no answer, the connection does not have a meaningful duration, or volume of bytes sent in either direction.
		Vern

From andersonlee2002 at hotmail.com Fri Jan 3 21:04:28 2003
From: andersonlee2002 at hotmail.com (Anderson Lee)
Date: Sat, 04 Jan 2003 13:04:28 +0800
Subject: about

Thank you for your answer, Mr. Paxson!

However, I still can't understand why the status of all connections not from/to my host is "S0", which means "no answer", while my host's connections were all right. In my network, my computer was running Redhat 7.3, the others Windows. As I know, Bro is a network IDS; I think it should monitor all packets in my network. It is unbelievable that all other connections were not finished successfully.

Waiting for your answer. Thank you!

Anderson Lee
4/1/2003

>From: Vern Paxson
>To: "Anderson Lee"
>CC: bro at lbl.gov
>Subject: Re: about
>Date: Fri, 03 Jan 2003 10:02:49 -0800
>
> > While the connection
> > between other hosts (also in my network) can not show all information,
>such
> > as src_bytes and dst_bytes; instead of a number it shows "?".
>
>The key for those connections is their status. In this case, it is S0:
>
> > 1041604588.107852 ? ftp ? ? 10.1.2.251 10.1.2.28 S0 X
> >                   ~~~   ~~~~~
>                                                    ^^
>
>which (as explained in doc/conn-logs) means "no answer". Because there
>was no answer, the connection does not have a meaningful duration, or
>volume of bytes sent in either direction.
>
>		Vern

From vern at icir.org Fri Jan 3 23:18:04 2003
From: vern at icir.org (Vern Paxson)
Date: Fri, 03 Jan 2003 23:18:04 -0800
Subject: about
In-Reply-To: Your message of Sat, 04 Jan 2003 13:04:28 +0800.
Message-ID: <200301040718.h047I43I070825@jaguar.icir.org>

> However, I still can't understand why the status of all connections not
> from/to my host is "S0", which means "no answer", while my host's
> connections were all right.

That's very strange, unless in your setup Bro is massively dropping packets.
So the next thing to do is use Bro's "-w tracefile" option to record the packets it's analyzing. Next time you find an S0 FTP session which you're sure was successful, extract the corresponding packets from the trace. If there are just initial SYNs and nothing else, then Bro was correct, and you were mistaken regarding that particular session being successful. If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of subsequent packets related to the connection, then Bro is dropping packets. I can help with this analysis (send me the trace off-line) if needed.

		Vern

From athomas at cc.gatech.edu Fri Jan 3 23:25:00 2003
From: athomas at cc.gatech.edu (Ashley Thomas)
Date: Sat, 04 Jan 2003 02:25:00 -0500
Subject: about
References: <200301040718.h047I43I070825@jaguar.icir.org>
Message-ID: <3E168C4C.9000103@cc.gatech.edu>

You could also just watch the variable 'drop' returned by pcap_stats( ) to see if there are drops. pcap_stats is called by bro in the HeartBeat function, I guess. This is *assuming* pcap is giving the drops value correctly. I remember there was a bug on some OSs.

-ashley

Vern Paxson wrote:

>>However, I still can't understand why the status of all connections not
>>from/to my host is "S0", which means "no answer", while my host's
>>connections were all right.
>>
>
>That's very strange, unless in your setup Bro is massively dropping packets.
>So the next thing to do is use Bro's "-w tracefile" option to record the
>packets it's analyzing. Next time you find an S0 FTP session which you're
>sure was successful, extract the corresponding packets from the trace.
>If there are just initial SYNs and nothing else, then Bro was correct, and
>you were mistaken regarding that particular session being successful.
>If on the other hand there's an initial SYN, no SYN-ACK, but a bunch of
>subsequent packets related to the connection, then Bro is dropping packets.
>I can help with this analysis (send me the trace off-line) if needed.
>
>		Vern
>

-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.

From vern at icir.org Fri Jan 3 23:31:38 2003
From: vern at icir.org (Vern Paxson)
Date: Fri, 03 Jan 2003 23:31:38 -0800
Subject: about
In-Reply-To: Your message of Sat, 04 Jan 2003 02:25:00 EST.
Message-ID: <200301040731.h047Vc3I071072@jaguar.icir.org>

> You could also just watch the variable 'drop' returned by pcap_stats( )
> to see if there are drops.

Yes, but only on some systems, and for some types of drops. As you mention, on some systems it's not accurate, due to kernel bookkeeping deficiencies, or because loss occurs on the NIC (which can't always correctly report it) or at the tap rather than in the kernel.

		Vern

From athomas at cc.gatech.edu Sun Jan 5 20:55:40 2003
From: athomas at cc.gatech.edu (Ashley Thomas)
Date: Sun, 05 Jan 2003 23:55:40 -0500
Subject: HTTP methods
References: <200212280744.gBS7iS3I072791@jaguar.icir.org>
Message-ID: <3E190C4C.6090301@cc.gatech.edu>

Hi,

I can see that Bro supports HTTP methods - GET, HEAD and POST. But in between I see entries in weird.log saying -

1041827706.208639 128.61.74.29/2254 > *.*.*.*/http: HTTP_unknown_method

I am using bro 0.7a90 and was wondering if analysis of other methods is being done with the latest version ...?

-Ashley

From vern at icir.org Sun Jan 5 23:27:49 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 05 Jan 2003 23:27:49 -0800
Subject: HTTP methods
In-Reply-To: Your message of Sun, 05 Jan 2003 23:55:40 EST.
Message-ID: <200301060727.h067Rn3I096771@jaguar.icir.org>

> I can see that Bro supports HTTP methods - GET, HEAD and POST.
> But in between I see entries in weird.log saying -
> 1041827706.208639 128.61.74.29/2254 > *.*.*.*/http: HTTP_unknown_method
>
> I am using bro 0.7a90 and was wondering if analysis of other methods is
> being done
> with the latest version ...?
There's no analysis of additional methods in 0.8, but it knows about (= won't complain about) the following additional methods:

	"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
	"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
	"COPY", "MOVE", "LOCK", "UNLOCK",

		- Vern

From wsffree at hotmail.com Mon Jan 6 00:03:57 2003
From: wsffree at hotmail.com (Wang Shaofu)
Date: Mon, 06 Jan 2003 16:03:57 +0800
Subject: HTTP methods

>I am using bro 0.7a90 and was wondering if analysis of other methods
>is being done
>with the latest version ...?

It seems a great difference has been made. You'd better read http-detail.bro, http-reply.bro and http-request.bro.

Cloud

From athomas at cc.gatech.edu Mon Jan 13 12:28:04 2003
From: athomas at cc.gatech.edu (Ashley Thomas)
Date: Mon, 13 Jan 2003 15:28:04 -0500
Subject: Slapper signature
Message-ID: <3E232154.2000603@cc.gatech.edu>

Hi all,

Does Bro have 'slapper worm' related signatures? (for matching the slapper scan, broadcasts etc)

thanks,
-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.

From sommer at in.tum.de Tue Jan 14 01:30:10 2003
From: sommer at in.tum.de (Robin Sommer)
Date: Tue, 14 Jan 2003 10:30:10 +0100
Subject: Slapper signature
In-Reply-To: <3E232154.2000603@cc.gatech.edu>
References: <3E232154.2000603@cc.gatech.edu>
Message-ID: <20030114093010.GB5072@net.informatik.tu-muenchen.de>

On Mon, Jan 13, 2003 at 15:28 -0500, Ashley Thomas wrote:

> Does Bro have 'slapper worm' related signatures? (for matching the
> slapper scan, broadcasts etc)

There's some proof-of-concept code for slapper demonstrating Bro's signature engine in the current development version. It's not very sophisticated, though.

Robin

-- 
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From virtserv at brfree.com.br Wed Jan 22 06:42:34 2003
From: virtserv at brfree.com.br (Virtualserv)
Date: Wed, 22 Jan 2003 06:42:34 -0800 (PST)
Subject: Professional domain and site hosting
Message-ID: <200301221442.h0MEgXM17894@postal1.lbl.gov>

PROFESSIONAL DOMAIN AND SITE HOSTING

VirtualServ offers the most complete professional hosting plan on the market. Every possibility available on the WEB today in a single plan. The best server, the best connection, the best support and unlimited resources. Our service is top of the line among the best servers, and our goal is your satisfaction and trust.

Visit us: http://virtualserv.com

_________________________________________

CONTROL PANEL - CPANEL

The control panel offered by VirtualServ simplifies all Unix commands into an intuitive, easy-to-use graphical interface, speeding up the maintenance of your account. We make this tool available to all customers.

_________________________________________

FREE ONLINE STORE

By purchasing VirtualServ's professional hosting plan, you get a free, fully automated online store with e-commerce*. You can offer any product or service you like, with permanent advertising on the internet. You can also modify it according to your needs. In the store, you can receive payment for your products or services by bank deposit, boleto or credit card.
_________________________________________

VirtualServ professional hosting plan with unlimited resources

Monthly price - R$ 21,00
One-time setup fee - R$ 15,00
Disk space - 100 MB (expandable)
Monthly transfer - 2 GB
Personalized POP3 e-mail accounts with anti-virus - unlimited
Subdomains - unlimited
Domain redirection - unlimited
Individual FTP accounts - unlimited
MY SQL 3.45 databases - unlimited
CPANEL control panel - Yes
CGI-BIN directory - Yes
Complete statistics - Yes
FREE online store - Yes
ASP and CRON tasks - Yes
Technical support - Yes
E-commerce software - Yes
Permanent advertising on the internet - Yes

________________________________

Don't waste time, join VirtualServ today and get the most complete service on the market!

Visit our site: http://www.virtualserv.com
Online support: suporte at virtualserv.com - Phones: (11)6567-3684 or (11)9443-4276 - h/c - ICQ-141826334

From saq66 at umkc.edu Mon Jan 27 15:59:21 2003
From: saq66 at umkc.edu (Ayyasamy, Senthilkumar (UMKC-Student))
Date: Mon, 27 Jan 2003 17:59:21 -0600
Subject: slammer
Message-ID: <5EF7D95E17BDAD4A968C812E5ABC390B02CF4D@KC-MAIL4.kc.umkc.edu>

Is slammer worm's signature added to Bro? If not, how to go about adding? Or any clue about its signature?

From Jukka.Juslin at cern.ch Tue Jan 28 00:52:51 2003
From: Jukka.Juslin at cern.ch (Jukka JUSLIN)
Date: Tue, 28 Jan 2003 09:52:51 +0100 (CET)
Subject: slammer
In-Reply-To: <5EF7D95E17BDAD4A968C812E5ABC390B02CF4D@KC-MAIL4.kc.umkc.edu>

On Mon, 27 Jan 2003, Ayyasamy, Senthilkumar (UMKC-Student) wrote:

> Is slammer worm's signature added to Bro?
> If not, how to go about adding? Or any
> clue about its signature?
>

The signature of slammer is quite straightforward, see the packet captures from securityfocus. Snort had ready and tested signatures available since Saturday.
Jukka

From sommer at in.tum.de Wed Jan 29 01:29:42 2003
From: sommer at in.tum.de (Robin Sommer)
Date: Wed, 29 Jan 2003 10:29:42 +0100
Subject: slammer
In-Reply-To: <5EF7D95E17BDAD4A968C812E5ABC390B02CF4D@KC-MAIL4.kc.umkc.edu>
References: <5EF7D95E17BDAD4A968C812E5ABC390B02CF4D@KC-MAIL4.kc.umkc.edu>
Message-ID: <20030129092942.GA29135@net.informatik.tu-muenchen.de>

On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar (UMKC-Student) wrote:

> Is slammer worm's signature added to Bro?

Using snort2bro, I've converted some of the various Snort signatures flying around to Bro's syntax (of course, you have to replace 192.168.0.1/16 with your subnet(s)):

----- cut ------------------------------------------------------------
# outbound: an infected local host scanning out
signature slammer1 {
  ip-proto == udp
  src-ip == 192.168.0.1/16
  dst-ip != 192.168.0.1/16
  dst-port == 1434
  event "SQLSLAMMER"
  payload /.*dllhel32hkernQhounthickChGetTf/
}

# the remaining signatures match inbound datagrams
signature slammer2 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "HELL-SQL Worm Scan"
  payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
}

signature slammer3 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "MS-SQL Slammer Worm Activity"
  payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
}

signature slammer4 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "W32.SQLEXP.Wormpropagation"
  # both payload patterns have to match
  payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
  payload /\x04/
}

signature slammer5 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "MS-SQL Slammer WormActivity"
  payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
}
----- cut ------------------------------------------------------------

Robin

-- 
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From Jukka.Juslin at cern.ch Wed Jan 29 01:46:54 2003
From: Jukka.Juslin at cern.ch (Jukka JUSLIN)
Date: Wed, 29 Jan 2003 10:46:54 +0100 (CET)
Subject: slammer
In-Reply-To: <20030129092942.GA29135@net.informatik.tu-muenchen.de>

Which one is better, the hexa or clear text payload matching? I suppose the hexa is at least faster and all standard snort signatures are matching hexadecimal. I just looked at your signatures and the first one was the cleartext; it didn't work for me with snort.

Jukka

On Wed, 29 Jan 2003, Robin Sommer wrote:

>
> On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar (UMKC-Student) wrote:
>
> > Is slammer worm's signature added to Bro?
>
> Using snort2bro, I've converted some of the various Snort
> signatures flying around to Bro's syntax (of course, you have to
> replace 192.168.0.1/16 with your subnet(s)):
>
> ----- cut ------------------------------------------------------------
> signature slammer1 {
>   ip-proto == udp
>   src-ip == 192.168.0.1/16
>   dst-ip != 192.168.0.1/16
>   dst-port == 1434
>   event "SQLSLAMMER"
>   payload /.*dllhel32hkernQhounthickChGetTf/
> }
>
> signature slammer2 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16
>   dst-ip == 192.168.0.1/16
>   dst-port == 1434
>   event "HELL-SQL Worm Scan"
>   payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
> }
>
> signature slammer3 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16
>   dst-ip == 192.168.0.1/16
>   dst-port == 1434
>   event "MS-SQL Slammer Worm Activity"
>   payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
> }
>
> signature slammer4 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16
>   dst-ip == 192.168.0.1/16
>   dst-port == 1434
>   event "W32.SQLEXP.Wormpropagation"
>   payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
>   payload /\x04/
> }
>
> signature slammer5 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16
>   dst-ip == 192.168.0.1/16
>   dst-port == 1434
>   event "MS-SQL Slammer WormActivity"
>   payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
> }
> ----- cut ------------------------------------------------------------
>
>
> Robin
>
> --
> Robin Sommer * Room 01.08.055 * www.net.in.tum.de
> TU Munich * Phone (089) 289-18006 * sommer at in.tum.de
>

From sommer at in.tum.de Wed Jan 29 02:13:16 2003
From: sommer at in.tum.de (Robin Sommer)
Date: Wed, 29 Jan 2003 11:13:16 +0100
Subject: slammer
References: <20030129092942.GA29135@net.informatik.tu-muenchen.de>
Message-ID: <20030129101316.GB29333@net.informatik.tu-muenchen.de>

On Wed, Jan 29, 2003 at 10:46 +0100, Jukka JUSLIN wrote:

> Which one is better, the hexa or clear text payload matching? I suppose

At least from Bro's point of view, there's no difference between giving patterns in clear text or hex.

Robin

-- 
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From jwiens at nersp.nerdc.ufl.edu Wed Jan 29 06:04:43 2003
From: jwiens at nersp.nerdc.ufl.edu (Jordan K Wiens)
Date: Wed, 29 Jan 2003 09:04:43 -0500 (EST)
Subject: slammer

However, from a practical point of view, the hex matching at the bottom is probably much better. It might result in more false positives; however, it will (unaltered) catch more variants of the worm than the other signatures will. On a different IDS we run, for example, we had an existing signature long before the worm that matched /04/(ANY 60 bytes of padding) that was created for the original exploit and detected the worm without any modification. Very convenient.
-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 29 Jan 2003, Jukka JUSLIN wrote:

>
> Which one is better, the hexa or clear text payload matching? I suppose
> the hexa is at least faster and all standard snort signatures are matching
> hexadecimal. I just looked at your signatures and the first one was the
> cleartext; it didn't work for me with snort.
>
> Jukka
>
> On Wed, 29 Jan 2003, Robin Sommer wrote:
>
> >
> > On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar (UMKC-Student) wrote:
> >
> > > Is slammer worm's signature added to Bro?
> >
> > Using snort2bro, I've converted some of the various Snort
> > signatures flying around to Bro's syntax (of course, you have to
> > replace 192.168.0.1/16 with your subnet(s)):
> >
> > ----- cut ------------------------------------------------------------
> > signature slammer1 {
> >   ip-proto == udp
> >   src-ip == 192.168.0.1/16
> >   dst-ip != 192.168.0.1/16
> >   dst-port == 1434
> >   event "SQLSLAMMER"
> >   payload /.*dllhel32hkernQhounthickChGetTf/
> > }
> >
> > signature slammer2 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "HELL-SQL Worm Scan"
> >   payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
> > }
> >
> > signature slammer3 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "MS-SQL Slammer Worm Activity"
> >   payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
> > }
> >
> > signature slammer4 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "W32.SQLEXP.Wormpropagation"
> >   payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
> >   payload /\x04/
> > }
> >
> > signature slammer5 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "MS-SQL Slammer WormActivity"
> >   payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
> > }
> > ----- cut ------------------------------------------------------------
> >
> >
> > Robin
> >
> > --
> > Robin Sommer * Room 01.08.055 * www.net.in.tum.de
> > TU Munich * Phone (089) 289-18006 * sommer at in.tum.de
> >
>
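Added example, not code from the thread or from Bro: a small Python matcher for the subset of Bro's signature syntax in Robin's snort2bro output, run over constructed port-1434 datagrams to show Jordan's point that the byte-shape signature (slammer3) still fires on a variant whose embedded strings differ, while the string-based one (slammer2) does not. The 192.168.0.1/16 "local network" placeholder is kept from Robin's post; the sample addresses and payload bytes are constructed test data, not the worm.

```python
import ipaddress, re

# Two of the snort2bro signatures from the thread (192.168.0.1/16 = "my network").
SIGNATURES = r"""
signature slammer2 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "HELL-SQL Worm Scan"
  payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
}
signature slammer3 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "MS-SQL Slammer Worm Activity"
  payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
}
"""
COND = re.compile(r"^(ip-proto|src-ip|dst-ip|dst-port)\s*(==|!=)\s*(\S+)$")

def parse_signatures(text):
    """Parse the subset of Bro's signature syntax used above into dicts."""
    sigs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("signature "):
            sigs.append({"name": line.split()[1], "event": "", "conds": [], "payload": []})
        elif line.startswith("event "):
            sigs[-1]["event"] = line.split('"')[1]
        elif line.startswith("payload /"):
            # Bro anchors payload patterns at offset 0 (hence snort2bro's ".*"); re.match does the same.
            sigs[-1]["payload"].append(re.compile(line[9:-1].encode(), re.S))
        elif COND.match(line):
            sigs[-1]["conds"].append(COND.match(line).groups())
    return sigs

def cond_holds(pkt, key, op, val):
    """Evaluate one 'key op value' header condition against a datagram dict."""
    if key == "ip-proto":
        ok = pkt["proto"] == val
    elif key == "dst-port":
        ok = pkt["dport"] == int(val)
    else:  # src-ip / dst-ip, tested against an address or CIDR block
        ok = ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(val, strict=False)
    return ok if op == "==" else not ok

def match_signatures(sigs, pkt):
    """Return the event name of every signature the datagram satisfies."""
    return [s["event"] for s in sigs
            if all(cond_holds(pkt, *c) for c in s["conds"])
            and all(p.match(pkt["payload"]) for p in s["payload"])]

# Constructed payloads, not real worm bytes: a 0x04 byte, a run of 0x01 padding,
# then the string slammer2 keys on; the "variant" keeps the shape, not the string.
WORM_LIKE = b"\x04" + b"\x01" * 97 + b"\x90ChGetTf\xb9ll\x90"
VARIANT = b"\x04" + b"\x01" * 97 + b"\x90" * 30
BENIGN = b"\x12\x01\x00\x34" + b"\x00" * 40

def scan(src, dst, data):
    """Match one UDP datagram to port 1434 against every parsed signature."""
    pkt = {"proto": "udp", "src": src, "dst": dst, "dport": 1434, "payload": data}
    return match_signatures(parse_signatures(SIGNATURES), pkt)
```

Because Bro's payload patterns are anchored at the start of the payload, a pattern without the leading `.*` (such as slammer4's `/\x04/`) only matches a datagram whose first byte is 0x04.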
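Added example, not from the thread, for Vern's S0 test in the "about" thread earlier on this page: given the TCP packets pulled out of a "-w" trace, a flow that shows only SYNs is a genuine S0, while a flow with a SYN and later packets but no SYN-ACK points at capture drops; a responder RST is separated out as a refusal rather than a drop. The packet-tuple form and the sample trace are constructed assumptions; extracting the tuples from the pcap is left to whatever reader you have.

```python
# Packets are constructed tuples (ts, src, sport, dst, dport, flags, payload_len)
# with tcpdump-style flag letters (S, A, P, R, F); filling them from a pcap
# (assumption: any pcap reader that yields TCP headers) is not shown here.

EXPLAIN = {
    "S0_OK": "only SYNs seen: S0 is right, the peer never answered",
    "DROPS": "SYN, no SYN-ACK, yet later packets: Bro is probably dropping packets",
    "HANDSHAKE": "SYN and SYN-ACK seen: this should not be logged as S0",
    "REJ": "responder sent RST, no SYN-ACK: refused, not a drop",
    "MISSED_SYN": "SYN-ACK without a SYN: the trace missed the start",
    "MID_STREAM": "no SYN at all: the trace started mid-connection",
}

def verdict(f):
    """Map one flow's handshake bookkeeping to a verdict code."""
    if f["synack"]:
        return "HANDSHAKE" if f["syn"] else "MISSED_SYN"
    if f["rst"]:
        return "REJ"
    if f["syn"]:
        return "S0_OK" if f["other"] == 0 else "DROPS"
    return "MID_STREAM"

def classify_flows(packets):
    """Return {(orig, oport, resp, rport): code} for every TCP flow in packets."""
    flows = {}
    for ts, src, sport, dst, dport, flags, plen in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in flows else rev if rev in flows else fwd
        if key not in flows and "S" in flags and "A" in flags:
            key = rev                           # first packet seen is the SYN-ACK
        f = flows.setdefault(key, {"syn": 0, "synack": False, "rst": False, "other": 0})
        from_orig = (src, sport) == key[:2]
        if "S" in flags and "A" not in flags and from_orig:
            f["syn"] += 1                       # initial SYN or a retransmit of it
        elif "S" in flags and "A" in flags and not from_orig:
            f["synack"] = True
        elif "R" in flags and not from_orig and not f["synack"]:
            f["rst"] = True                     # responder refused the connection
        else:
            f["other"] += 1                     # anything beyond the handshake attempt
    return {key: verdict(f) for key, f in flows.items()}

# Constructed sample trace reusing the thread's hosts: an unanswered FTP attempt,
# an HTTP session whose SYN-ACK never reached the capture, a complete handshake
# and a refused telnet connection.
SAMPLE = [
    (1.0, "10.1.2.251", 3456, "10.1.2.28", 21, "S", 0),
    (4.0, "10.1.2.251", 3456, "10.1.2.28", 21, "S", 0),
    (2.0, "10.1.2.168", 1234, "10.1.201.128", 80, "S", 0),
    (2.2, "10.1.2.168", 1234, "10.1.201.128", 80, "PA", 310),
    (2.3, "10.1.201.128", 80, "10.1.2.168", 1234, "PA", 1460),
    (2.4, "10.1.2.168", 1234, "10.1.201.128", 80, "A", 0),
    (3.0, "10.1.2.233", 2000, "218.28.2.42", 80, "S", 0),
    (3.1, "218.28.2.42", 80, "10.1.2.233", 2000, "SA", 0),
    (3.2, "10.1.2.233", 2000, "218.28.2.42", 80, "A", 0),
    (5.0, "10.1.2.233", 2001, "10.1.2.28", 23, "S", 0),
    (5.1, "10.1.2.28", 23, "10.1.2.233", 2001, "RA", 0),
]

def report(packets=SAMPLE):
    """Pair every flow with its verdict code and a one-line explanation."""
    return {key: (code, EXPLAIN[code]) for key, code in classify_flows(packets).items()}
```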