From moskahn at hotmail.com Sun Nov 2 20:05:59 2003
From: moskahn at hotmail.com (Moss de Kahn)
Date: Sun, 2 Nov 2003 23:05:59 -0500
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
Message-ID:

I get the following errors when I try to compile Bro on OpenBSD 3.3.

===============================================
gcc -I. -Ilibedit -O -c nb_dns.c
nb_dns.c:81: `NS_MAXDNAME' undeclared here (not in a function)
nb_dns.c:81: size of array `name' has non-integer type
nb_dns.c: In function `_nb_dns_mkquery':
nb_dns.c:274: `NS_INADDRSZ' undeclared (first use in this function)
nb_dns.c:274: (Each undeclared identifier is reported only once
nb_dns.c:274: for each function it appears in.)
nb_dns.c:279: `NS_IN6ADDRSZ' undeclared (first use in this function)
nb_dns.c:291: `ns_o_query' undeclared (first use in this function)
nb_dns.c:293: `ns_c_in' undeclared (first use in this function)
nb_dns.c: In function `nb_dns_addr_request2':
nb_dns.c:376: `NS_MAXDNAME' undeclared (first use in this function)
nb_dns.c:376: size of array `name' has non-integer type
nb_dns.c:394: `NS_IN6ADDRSZ' undeclared (first use in this function)
nb_dns.c: In function `nb_dns_activity':
nb_dns.c:457: syntax error before `handle'
nb_dns.c:473: `handle' undeclared (first use in this function)
nb_dns.c:516: `ns_f_rcode' undeclared (first use in this function)
nb_dns.c:518: `ns_r_nxdomain' undeclared (first use in this function)
nb_dns.c:523: `ns_r_servfail' undeclared (first use in this function)
nb_dns.c:528: `ns_r_noerror' undeclared (first use in this function)
nb_dns.c:531: `ns_r_formerr' undeclared (first use in this function)
nb_dns.c:532: `ns_r_notimpl' undeclared (first use in this function)
nb_dns.c:533: `ns_r_refused' undeclared (first use in this function)
nb_dns.c:519: warning: unreachable code at beginning of switch statement
nb_dns.c:541: `rr' undeclared (first use in this function)
nb_dns.c:556: `ns_s_an' undeclared (first use in this function)
nb_dns.c:572: warning: assignment makes pointer from integer without a cast
*** Error code 1

Stop in /home/bro/bro-pub-0.8a48 (line 509 of Makefile).
======================================================

Any ideas? The last Bro version I was able to compile on OpenBSD was 0.8a32.

Thanks
MdK

From vern at icir.org Sun Nov 2 23:05:22 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 02 Nov 2003 23:05:22 -0800
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
In-Reply-To: Your message of Sun, 02 Nov 2003 23:05:59 EST.
Message-ID: <200311030705.hA375MgT020984@jaguar.icir.org>

> I get the following errors when I try to compile Bro on
> OpenBSD 3.3.
>
> ===============================================
> gcc -I. -Ilibedit -O -c nb_dns.c
> nb_dns.c:81: `NS_MAXDNAME' undeclared here (not in a function)

A work-around for this is to edit config.h and #undef HAVE_NB_DNS,
and also remove nb_dns.o from the generated Makefile. (I have the same
problem building on Mac OS X; and also have to turn off HAVE_READLINE.)
I haven't figured out how to get autoconf to do this automagically - if
someone could contribute that, that would be great.

		Vern

From moskahn at hotmail.com Sun Nov 9 10:15:46 2003
From: moskahn at hotmail.com (Mossad Kahn)
Date: Sun, 09 Nov 2003 13:15:46 -0500
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
Message-ID:

Thanks - now I am able to compile, but when I run Bro, it dumps core.

-----------------------------------------------------------------------------------------
bash-2.05b# ./bro -F -i fxp0 -s policy/sigs/ex.web-rules.sig -S mt
policy/scan.bro, line 61: internal error: can't find DNS entry for scooter.pa-x.dec.com in cache
Abort trap (core dumped)
-----------------------------------------------------------------------------------------

Is this due to HAVE_NB_DNS being commented out? Or is something else missing?
-MdK

>From: Vern Paxson
>To: "Moss de Kahn"
>CC: bro at lbl.gov
>Subject: Re: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
>Date: Sun, 02 Nov 2003 23:05:22 -0800
>
> > I get the following errors when I try to compile Bro on
> > OpenBSD 3.3.
> >
> > ===============================================
> > gcc -I. -Ilibedit -O -c nb_dns.c
> > nb_dns.c:81: `NS_MAXDNAME' undeclared here (not in a function)
>
>A work-around for this is to edit config.h and #undef HAVE_NB_DNS,
>and also remove nb_dns.o from the generated Makefile. (I have the same
>problem building on Mac OS X; and also have to turn off HAVE_READLINE.)
>I haven't figured out how to get autoconf to do this automagically - if
>someone could contribute that, that would be great.
>
>		Vern

From vern at icir.org Sun Nov 9 10:24:00 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 09 Nov 2003 10:24:00 -0800
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
In-Reply-To: Your message of Sun, 09 Nov 2003 13:15:46 EST.
Message-ID: <200311091824.hA9IO0gT089167@jaguar.icir.org>

> bash-2.05b# ./bro -F -i fxp0 -s policy/sigs/ex.web-rules.sig -S mt
> policy/scan.bro, line 61: internal error: can't find DNS entry for
> scooter.pa-x.dec.com in cache

Don't use -F - it tells Bro to require all DNS names to be present in
the cache.

		Vern

From moskahn at hotmail.com Sun Nov 9 11:10:08 2003
From: moskahn at hotmail.com (Moss de Kahn)
Date: Sun, 09 Nov 2003 14:10:08 -0500
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
Message-ID:

Oops.. sorry, missed that option completely!! I get a segmentation fault now :(... Do I need to load some additional files to process the signature rules converted from Snort?
-----------------------------------------------------------------
bash-2.05b# ./bro -i fxp0 -s policy/sigs/ex.web-rules.sig -S mt
Segmentation fault (core dumped)
bash-2.05b# !gdb
gdb -c bro.core -s bro
GNU gdb 4.16.1
This GDB was configured as "i386-unknown-openbsd3.3"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/libexec/ld.so...done.
Reading symbols from /usr/lib/libcrypto.so.9.0...done.
Reading symbols from /usr/lib/libssl.so.7.0...done.
Reading symbols from /usr/lib/libtermcap.so.9.0...done.
Reading symbols from /usr/lib/libpcap.so.2.0...done.
Reading symbols from /usr/lib/libstdc++.so.31.0...done.
Reading symbols from /usr/lib/libm.so.1.0...done.
Reading symbols from /usr/lib/libc.so.29.0...done.
#0  0x13e2a1 in md5_process ()
(gdb) bt
#0  0x13e2a1 in md5_process ()
Cannot access memory at address 0x13e298.
(gdb) i f 0
Cannot access memory at address 0x13e298.
---------------------------------------------------------------------------------------

Similar error for the ssl-worm sig.

bash-2.05b# ./bro -i fxp0 -s policy/sigs/ssl-worm.sig -S mt
Segmentation fault (core dumped)
---------------------------------------------------------------------------------------

Thanks,
-MdK

Quoting..... Vern Paxson
>
> > bash-2.05b# ./bro -F -i fxp0 -s policy/sigs/ex.web-rules.sig -S mt
> > policy/scan.bro, line 61: internal error: can't find DNS entry for
> > scooter.pa-x.dec.com in cache
>
>Don't use -F - it tells Bro to require all DNS names to be present in
>the cache.
>
>		Vern

From kps at ucsb.edu Sun Nov 9 11:55:05 2003
From: kps at ucsb.edu (Kevin Schmidt)
Date: Sun, 9 Nov 2003 11:55:05 -0800
Subject: Bro with 802.1Q vlans?
Message-ID: <20031109115505.0a0483be.kps@ucsb.edu>

Hello all,

Is there a trick/option to make bro work with 802.1Q-tagged VLANs?
I have an interface that receives tagged frames, but it appears bro does
not reliably use the correct frame offsets. I suspect this may be an
artifact of the way libpcap handles vlans, but that's just a guess.
Perhaps I'm missing something obvious, so any suggestions are welcome.

Thanks,

Kevin Schmidt                                   kps at ucsb.edu
Campus Network Programmer                       (805) 893-7779
Office of Information Technology                (805) 893-5051 FAX
University of California, Santa Barbara
North Hall 2124
Santa Barbara, CA 93106-3201

From vern at icir.org Sun Nov 9 23:09:14 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 09 Nov 2003 23:09:14 -0800
Subject: Trouble compiling Bro release 0.8a48 on OpenBSD3.3
In-Reply-To: Your message of Sun, 09 Nov 2003 14:10:08 EST.
Message-ID: <200311100709.hAA79EgT001729@jaguar.icir.org>

> I get a segmentation fault now :(... Do I need to load some
> additional files to process the signature rules converted from
> Snort?

Yes, per the comment in policy/sigs/ex.web-rules.sig, you need to also
load snort.bro and signatures.bro (as well as mt.bro). When I do this,
it works for me; but I don't get a core dump if I leave them off, either.

In general, when reporting Bro bugs it really helps if you can include
a tcpdump trace (perhaps generated using bro -w) that reproduces the
problem.

		Vern

From vern at icir.org Sun Nov 9 23:12:17 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 09 Nov 2003 23:12:17 -0800
Subject: Bro with 802.1Q vlans?
In-Reply-To: Your message of Sun, 09 Nov 2003 11:55:05 PST.
Message-ID: <200311100712.hAA7CHgT002053@jaguar.icir.org>

> Is there a trick/option to make bro work with 802.1Q-tagged VLANs?

Your diagnosis is correct: the problem is that libpcap doesn't set up
the offset correctly. Vinod Yegneswaran has contributed a patch to
support tunnel offsets. I'm aiming to include it in the next public
release.
If you want it early, let me know and I'll send it to you (not yet
integrated), though with the caveat that it was actually developed for
IP-in-UDP tunneling as opposed to VLAN tunneling, though in principle
it should work for either.

		Vern

From moskahn at hotmail.com Mon Nov 10 09:24:03 2003
From: moskahn at hotmail.com (Moss de Kahn)
Date: Mon, 10 Nov 2003 12:24:03 -0500
Subject: Serious problem running bro-pub-0.8a48 on OpenBSD 3.3
Message-ID:

Hi All,

I keep getting segmentation faults while I attempt to run Bro 0.8a48 on
OpenBSD3.3. I've gone back and tried some older versions and the last
version I can run without seg faults is 0.8a32. None of the versions
after that one seem to work for me. Has anyone faced this problem before??

- I am running this on a P3-600 MHz, 200 MB memory system. Is that too
slow?

- The size of the 'bro.core' file upon the seg-fault is of the order of
500 MB. Isn't that weird? The response time of my system also increases
drastically when I start Bro (other than version 0.8a32 - where it
remains very normal).

----------------------------------------------------------------------------------------------------------
bash-2.05b# ./bro -i fxp0 -t trace.txt -w dump.txt -S mt
Execution tracing ON.
Segmentation fault (core dumped)
-------------trace.txt is appended at the end of this mail--------------------
bash-2.05b# ls -la bro.core
-rw-------  1 root  wheel  536426260 Nov 10 12:08 bro.core
-----------------------------------------------------------------------------------------------------------

- I tried without the '-S' option but that didn't help either.

- attaching a gdb snapshot below. Each time I've seen some or the other
function related to 'md5' here. The bro src. file 'md5.c' hasn't changed
in a while. What's causing this?

--------------------------------------------------------------------------------------------------------------
bash-2.05b# gdb -c bro.core -s bro
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
This GDB was configured as "i386-unknown-openbsd3.3"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/libexec/ld.so...done.
Reading symbols from /usr/lib/libcrypto.so.9.0...done.
Reading symbols from /usr/lib/libssl.so.7.0...done.
Reading symbols from /usr/lib/libtermcap.so.9.0...done.
Reading symbols from /usr/lib/libpcap.so.2.0...done.
Reading symbols from /usr/lib/libpthread.so.1.0...done.
Reading symbols from /usr/lib/libstdc++.so.31.0...done.
Reading symbols from /usr/lib/libm.so.1.0...done.
Reading symbols from /usr/lib/libc.so.29.0...done.
#0  0x13e2a1 in md5_process ()
(gdb) bt
#0  0x13e2a1 in md5_process ()
Cannot access memory at address 0x13e298.
(gdb) i r
eax            0xcf3fe178  -817897096
ecx            0x0         0
edx            0x8         8
ebx            0xcf3fe160  -817897120
esp            0xcf3fe000  0xcf3fe000
ebp            0xcf3fe0ac  0xcf3fe0ac
esi            0x38        56
edi            0x0         0
eip            0x13e2a1    0x13e2a1
eflags         0x10286     66182
cs             0x1f        31
ss             0x27        39
ds             0x27        39
es             0x27        39
fs             0x27        39
gs             0x27        39
(gdb) q
----------------------------------------------------------------------------------------------------------

- Could it be a problem with the glibc on my system (it's a standard install)?

What's so different after version 0.8a32 so as to cause this?
Any help is greatly appreciated.
thanks,
-MdK

-------trace.txt----------
0.000000 :0 function called: open_log_file(tag = 'log')
0.000000 :0 function called: log_file_name(tag = 'log')
0.000000 policy/bro.init:195 Builtin Function called: getenv(var = ' BRO_ID')
0.000000 policy/bro.init:195 Function return:
0.000000 policy/bro.init:196 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'log', vararg1 = 'log')
0.000000 policy/bro.init:196 Function return: log.log
0.000000 policy/bro.init:196 Function return: log.log
0.000000 policy/bro.init:201 Builtin Function called: open(f = 'log.log')
0.000000 policy/bro.init:201 Function return:
0.000000 policy/bro.init:201 Function return:
0.000000 :0 function called: open_log_file(tag = 'alert')
0.000000 :0 function called: log_file_name(tag = 'alert')
0.000000 policy/bro.init:195 Builtin Function called: getenv(var = ' BRO_ID')
0.000000 policy/bro.init:195 Function return:
0.000000 policy/bro.init:196 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alert', vararg1 = 'log')
0.000000 policy/bro.init:196 Function return: alert.log
0.000000 policy/bro.init:196 Function return: alert.log
0.000000 policy/bro.init:201 Builtin Function called: open(f = 'alert.log')
0.000000 policy/bro.init:201 Function return:
0.000000 policy/bro.init:201 Function return:
-----end of trace-------

From nimits at cmu.edu Tue Nov 11 06:23:42 2003
From: nimits at cmu.edu (Nimit Sawhney)
Date: Tue, 11 Nov 2003 09:23:42 -0500 (EST)
Subject: Serious problem running bro-pub-0.8a48 on OpenBSD 3.3
In-Reply-To:
References:
Message-ID: <23170.209.94.146.96.1068560622.squirrel@webmail.andrew.cmu.edu>

I have the same problem with 0.8a48 and 0.8a37 on OBsd3.3
Vern, any suggestions?
/Nimit

> Hi All,
>
> I keep getting segmentation faults while I attempt to run Bro 0.8a48 on
> OpenBSD3.3. I've gone back and tried some older versions and the last
> version I can run without seg faults is 0.8a32. None of the versions
> after that one seem to work for me. Has anyone faced this problem before??
>
> - I am running this on a P3-600 MHz, 200 MB memory system. Is that too
> slow?
>
> - The size of the 'bro.core' file upon the seg-fault is of the order of
> 500 MB. Isn't that weird? The response time of my system also increases
> drastically when I start Bro (other than version 0.8a32 - where it
> remains very normal).
>
> ----------------------------------------------------------------------------------------------------------
> bash-2.05b# ./bro -i fxp0 -t trace.txt -w dump.txt -S mt
> Execution tracing ON.
> Segmentation fault (core dumped)
> -------------trace.txt is appended at the end of this mail--------------------
> bash-2.05b# ls -la bro.core
> -rw-------  1 root  wheel  536426260 Nov 10 12:08 bro.core
> -----------------------------------------------------------------------------------------------------------
>
> - I tried without the '-S' option but that didn't help either.
>
> - attaching a gdb snapshot below. Each time I've seen some or the other
> function related to 'md5' here. The bro src. file 'md5.c' hasn't changed
> in a while. What's causing this?
> --------------------------------------------------------------------------------------------------------------
> bash-2.05b# gdb -c bro.core -s bro
> GNU gdb 4.16.1
> Copyright 1996 Free Software Foundation, Inc.
> This GDB was configured as "i386-unknown-openbsd3.3"...
> Core was generated by `bro'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/libexec/ld.so...done.
> Reading symbols from /usr/lib/libcrypto.so.9.0...done.
> Reading symbols from /usr/lib/libssl.so.7.0...done.
> Reading symbols from /usr/lib/libtermcap.so.9.0...done.
> Reading symbols from /usr/lib/libpcap.so.2.0...done.
> Reading symbols from /usr/lib/libpthread.so.1.0...done.
> Reading symbols from /usr/lib/libstdc++.so.31.0...done.
> Reading symbols from /usr/lib/libm.so.1.0...done.
> Reading symbols from /usr/lib/libc.so.29.0...done.
> #0  0x13e2a1 in md5_process ()
> (gdb) bt
> #0  0x13e2a1 in md5_process ()
> Cannot access memory at address 0x13e298.
> (gdb) i r
> eax            0xcf3fe178  -817897096
> ecx            0x0         0
> edx            0x8         8
> ebx            0xcf3fe160  -817897120
> esp            0xcf3fe000  0xcf3fe000
> ebp            0xcf3fe0ac  0xcf3fe0ac
> esi            0x38        56
> edi            0x0         0
> eip            0x13e2a1    0x13e2a1
> eflags         0x10286     66182
> cs             0x1f        31
> ss             0x27        39
> ds             0x27        39
> es             0x27        39
> fs             0x27        39
> gs             0x27        39
> (gdb) q
> ----------------------------------------------------------------------------------------------------------
>
> - Could it be a problem with the glibc on my system (it's a standard
> install)?
>
> What's so different after version 0.8a32 so as to cause this?
> Any help is greatly appreciated.
>
> thanks,
> -MdK
>
> -------trace.txt----------
> 0.000000 :0 function called: open_log_file(tag = 'log')
> 0.000000 :0 function called: log_file_name(tag = 'log')
> 0.000000 policy/bro.init:195 Builtin Function called: getenv(var = ' BRO_ID')
> 0.000000 policy/bro.init:195 Function return:
> 0.000000 policy/bro.init:196 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'log', vararg1 = 'log')
> 0.000000 policy/bro.init:196 Function return: log.log
> 0.000000 policy/bro.init:196 Function return: log.log
> 0.000000 policy/bro.init:201 Builtin Function called: open(f = 'log.log')
> 0.000000 policy/bro.init:201 Function return:
> 0.000000 policy/bro.init:201 Function return:
> 0.000000 :0 function called: open_log_file(tag = 'alert')
> 0.000000 :0 function called: log_file_name(tag = 'alert')
> 0.000000 policy/bro.init:195 Builtin Function called: getenv(var = ' BRO_ID')
> 0.000000 policy/bro.init:195 Function return:
> 0.000000 policy/bro.init:196 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alert', vararg1 = 'log')
> 0.000000 policy/bro.init:196 Function return: alert.log
> 0.000000 policy/bro.init:196 Function return: alert.log
> 0.000000 policy/bro.init:201 Builtin Function called: open(f = 'alert.log')
> 0.000000 policy/bro.init:201 Function return:
> 0.000000 policy/bro.init:201 Function return:
> -----end of trace-------
>

From hxin at anr.mcnc.org Tue Nov 11 08:33:54 2003
From: hxin at anr.mcnc.org (Hongjie Xin)
Date: Tue, 11 Nov 2003 11:33:54 -0500
Subject: Bro log into MySQL
In-Reply-To: <20031109115505.0a0483be.kps@ucsb.edu>
References: <20031109115505.0a0483be.kps@ucsb.edu>
Message-ID: <1068568434.12969.11.camel@kira.anr.mcnc.org>

Hello all,

I am wondering whether anyone has tried direct bro log into mysql table or not.
If there's one available, I would like to share from you.
Otherwise I will create simple perl/DBI interface by myself.
Thanks,

Hongjie

From anton at netForensics.com Tue Nov 11 09:21:45 2003
From: anton at netForensics.com (Anton Chuvakin, Ph.D.)
Date: Tue, 11 Nov 2003 12:21:45 -0500 (EST)
Subject: Bro log into MySQL
In-Reply-To: <1068568434.12969.11.camel@kira.anr.mcnc.org>
References: <20031109115505.0a0483be.kps@ucsb.edu> <1068568434.12969.11.camel@kira.anr.mcnc.org>
Message-ID:

>I am wondering whether anyone has tried direct bro log into mysql table or not.
Well, what do you mean by "log"? All contents of all files or alert.log
contents only?

I was thinking of doing the same thing for MySQL logging, but there seems
to be little value in that: the logs are pretty much free form text and no
sensible schema can be designed. RDBMS will be just as good as a plain
text file...

>Otherwise I will create simple perl/DBI interface by myself.
Do share the code, if/when it's created.

--
Anton Chuvakin, Ph.D., GCIA, GCIH
Senior Security Analyst
Product Management Group
netForensics - http://www.netForensics.com
732-393-6071

From j.green at ukerna.ac.uk Tue Nov 11 09:33:04 2003
From: j.green at ukerna.ac.uk (John Green)
Date: Tue, 11 Nov 2003 17:33:04 +0000
Subject: Bro log into MySQL
In-Reply-To: <1068568434.12969.11.camel@kira.anr.mcnc.org>
References: <20031109115505.0a0483be.kps@ucsb.edu> <1068568434.12969.11.camel@kira.anr.mcnc.org>
Message-ID: <3FB11D50.5090600@ukerna.ac.uk>

Hongjie Xin wrote:
> Hello all,
>
> I am wondering whether anyone has tried direct bro log into mysql table or not.
> If there's one available, I would like to share from you.
> Otherwise I will create simple perl/DBI interface by myself.
>
> Thanks,
>
> Hongjie

Hi,

There is a patch for bro to get it to interoperate with prelude (which
logs to a sql database). Never tried it though.
John

Google found: http://sylvain.detilly.free.fr/ids/download/

From nimits at cmu.edu Thu Nov 13 13:44:27 2003
From: nimits at cmu.edu (Nimit Sawhney)
Date: Thu, 13 Nov 2003 16:44:27 -0500 (EST)
Subject: policy for IMAP signatures
Message-ID: <33292.65.114.45.227.1068759867.squirrel@webmail.andrew.cmu.edu>

Hi,

I am attempting to write a policy script for IMAP signatures adapted
from Snort using 'snort2bro'. Is this the right way to write a policy
script for the sample signatures below? I am not sure how to treat the
'tcp-state' part. Also, is it necessary to use 'eval' each time?
Suggestions/Pointers??

Thanks,
-N*

---------------------------------------------
## imap.bro

@load signatures
@load software
@load log

redef capture_filter += "tcp port 143 and (src net 10.0)";

event bro_init()
	{
	set_buf(sig_file, F);
	set_buf(bro_log_file, F);
	set_buf(software_file, F);
	}

function has_imapauthoverflow_been_attempted(state: signature_state): bool
	{
	local result = has_signature_matched("sid-1930", state$conn$id$orig_h, state$conn$id$resp_h);
	return result;
	}

function has_imaplsublitof_been_attempted(state: signature_state): bool
	{
	## do I need to use 'has_signature_matched' here??
	## is there an alternative way of detecting signatures?
	return T;
	}
----------------------------------------------------------------

======sample signature file====
signature sid-1930 {
  header ip[9:1] == 6
  header ip[12:4] == 10.0.2.1
  header ip[16:4] == 10.0.1.1
  header tcp[2:2] == 143
  payload /.* [aA][uU][tT][hH]/
  payload /.*\{/
  event "IMAP auth overflow attempt"
  tcp-state established,originator
}

signature imap_auth_overflow {
  requires-signature sid-1930
  eval has_imapauthoverflow_been_attempted
  event "Host may have been probed for IMAP auth overflow"
}

signature sid-1902 {
  header ip[9:1] == 6
  header ip[12:4] == 10.0.2.1
  header ip[16:4] == 10.0.1.1
  header tcp[2:2] == 143
  payload /.* LSUB \x22/
  payload /.*\x22 \{/
  event "IMAP lsub literal overflow attempt"
}

signature imap_lsublit_overflow {
  requires-signature sid-1902
  eval has_imaplsublitof_been_attempted
  event "Host may have been probed for IMAP lsub literal overflow"
}
---------------------------------------------

From robin at icir.org Thu Nov 13 15:05:50 2003
From: robin at icir.org (Robin Sommer)
Date: Fri, 14 Nov 2003 00:05:50 +0100
Subject: policy for IMAP signatures
In-Reply-To: <33292.65.114.45.227.1068759867.squirrel@webmail.andrew.cmu.edu>
References: <33292.65.114.45.227.1068759867.squirrel@webmail.andrew.cmu.edu>
Message-ID: <20031113230550.GA9480@net.informatik.tu-muenchen.de>

On Thu, Nov 13, 2003 at 16:44 -0500, Nimit Sawhney wrote:

> I am attempting to write a policy script for IMAP signatures
> adapted from Snort using 'snort2bro'. Is this the right way
> to write a policy script for the sample signatures below? I

I'm not exactly sure what you would like to achieve. If you just
want to get the same functionality that Snort provides for these
cases, you can just use the converted sid-1930/sid-1902 signatures.
No additional signatures are needed then. If you want to enhance the
Snort signatures, you can write additional Bro signatures which take
some more context into account.
If this is the case, perhaps you could describe a little bit more what
you would like to do?

> signature imap_auth_overflow {
>   requires-signature sid-1930
>   eval has_imapauthoverflow_been_attempted
>   event "Host may have been probed for IMAP auth overflow"
> }

As written this signature will match for a given connection if (1)
signature sid-1930 matches for the same connection, and if (2) the
function "has_imapauthoverflow_been_attempted" evaluates to true.
The latter happens if the same signature sid-1930 has already
matched for any connection between the originator and the
responder. I guess this is not what you had intended, is it?

With respect to tcp-state: Actually, this is currently ignored. The
code is implemented, but it turned out that using it made it even
more difficult to compare Bro's matches with those from Snort (which
isn't a problem of Bro as its TCP state decoding is actually quite
sophisticated). Eventually, we will change this.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From nimits at cmu.edu Thu Nov 13 15:46:53 2003
From: nimits at cmu.edu (Nimit Sawhney)
Date: Thu, 13 Nov 2003 18:46:53 -0500 (EST)
Subject: policy for IMAP signatures
In-Reply-To: <20031113230550.GA9480@net.informatik.tu-muenchen.de>
References: <33292.65.114.45.227.1068759867.squirrel@webmail.andrew.cmu.edu> <20031113230550.GA9480@net.informatik.tu-muenchen.de>
Message-ID: <34914.65.114.45.227.1068767213.squirrel@webmail.andrew.cmu.edu>

> Robin Sommer wrote:
>
> As written this signature will match for a given connection if (1)
> signature sid-1930 matches for the same connection, and if (2) the
> function "has_imapauthoverflow_been_attempted" evaluates to true.
> The latter happens if the same signature sid-1930 has already
> matched for any connection between the originator and the
> responder. I guess this is not what you had intended, is it?

You are right.
Simply speaking, I would like to do this: When an IMAP signature-A is
detected, I would like to trigger an external program/function-B which
performs some defensive measures (like updating the router to block any
more requests from the offending client IP). It looks now that the
'eval' function is not the right place to do something like this.
I guess I need to define an event handler instead?

>
> With respect to tcp-state: Actually, this is currently ignored. The
> code is implemented, but it turned out that using it made it even
> more difficult to compare Bro's matches with those from Snort (which
> isn't a problem of Bro as its TCP state decoding is actually quite
> sophisticated). Eventually, we will change this.

Thanks for the update on the tcp-state stuff.

best,
-Nimit

From robin at icir.org Thu Nov 13 16:18:24 2003
From: robin at icir.org (Robin Sommer)
Date: Fri, 14 Nov 2003 01:18:24 +0100
Subject: policy for IMAP signatures
In-Reply-To: <34914.65.114.45.227.1068767213.squirrel@webmail.andrew.cmu.edu>
References: <33292.65.114.45.227.1068759867.squirrel@webmail.andrew.cmu.edu> <20031113230550.GA9480@net.informatik.tu-muenchen.de> <34914.65.114.45.227.1068767213.squirrel@webmail.andrew.cmu.edu>
Message-ID: <20031114001824.GA9574@net.informatik.tu-muenchen.de>

On Thu, Nov 13, 2003 at 18:46 -0500, Nimit Sawhney wrote:

> I guess I need to define an event handler instead?

Yes, right. Define a signature_match() handler and check if the
triggering signature is one of those for which you would like the
action to be taken.

Actually, for things like this it would be better if you could
specify some other handler than signature_match() within signature.
I will probably add this eventually.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From manux at rstack.org Fri Nov 14 08:58:16 2003
From: manux at rstack.org (manu)
Date: Fri, 14 Nov 2003 17:58:16 +0100
Subject: Bro log into MySQL
Message-ID: <200311141658.RAA04049@styx.bruyeres.cea.fr>

You can find a patch for the bro "CURRENT" release which enables you to
log in a MySQL database at http://manux.rstack.org/bro_mysql.

It requires the library MySQL++.
It uses a new bro bif called log_external which logs alerts according to
a method passed as an argument.

With this patch the only supported method is ALERT_LOG_EXTERNAL_SQL
which logs in a MySQL database.

A basic bro script that uses this method is given as an example
(policy/test.bro).

For instance:
[paul at duncan bro-pub-0.8a48.dev-mysql]$ ./bro -r example-attacks/ftp-site-exec.trace test
976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
...

mysql> select * from conn_bro;
+-----+------------------+----------+-----------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
| cid | start_time       | duration | orig_addr       | resp_addr       | orig_port | resp_port | addl         | conn_type | orig_size | resp_size | state | type | code |
+-----+------------------+----------+-----------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
|   1 | 976284129.459304 |        1 | 38.33.11.127    | 131.243.169.116 | 20/tcp    | 3914/tcp  | Hello world! |         0 |       431 |         0 | SF    |    0 |    0 |
|   2 | 976284140.775142 |        1 | 38.33.11.127    | 131.243.169.116 | 20/tcp    | 3915/tcp  | Hello world! |         0 |       304 |         0 | SF    | ...
Other methods should come out: RRD and SPOs (Snort Plugin Output). If
anyone has already done that, I would like to share from you.

Feedback would be appreciated.

Manu

"Anton Chuvakin, Ph.D." wrote:
>
> >I am wondering whether anyone has tried direct bro log into mysql table or not.
> Well, what do you mean by "log"? All contents of all files or alert.log
> contents only?
>
> I was thinking of doing the same thing for MySQL logging, but there seems
> to be little value in that: the logs are pretty much free form text and no
> sensible schema can be designed. RDBMS will be just as good as a plain
> text file...
>
> >Otherwise I will create simple perl/DBI interface by myself.
> Do share the code, if/when it's created.
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH
> Senior Security Analyst
> Product Management Group
> netForensics - http://www.netForensics.com
> 732-393-6071

From hxin at anr.mcnc.org Fri Nov 14 11:03:17 2003
From: hxin at anr.mcnc.org (Hongjie Xin)
Date: Fri, 14 Nov 2003 14:03:17 -0500
Subject: Bro log into MySQL
In-Reply-To: <200311141658.RAA04049@styx.bruyeres.cea.fr>
References: <200311141658.RAA04049@styx.bruyeres.cea.fr>
Message-ID: <1068836597.12969.22.camel@kira.anr.mcnc.org>

Manu,

Thanks for sharing the code.

Attached is my simple perl/DBI script (dbi-bro.pl) without changing the
original bro code. Just pipe the log output to dbi-bro.pl, such as

# bro -r trace.1 ./mypolicy.bro | dbi-bro.pl

But when I use live traffic, I can't pipe or redirect the log output to
the script, even a file. I don't know why. :(

Hongjie

== dbi-bro.pl

#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# configuration variables
my $dbhost = 'localhost';
my $dbname = 'dbname';
my $dbuser = 'username';
my $dbpass = 'passwd';
my $table  = 'tablename';

my $dsn = "DBI:mysql:dbname=$dbname;host=$dbhost";
my $dbh = DBI->connect($dsn, $dbuser, $dbpass)
    or die "database error: $DBI::errstr";

# one placeholder per column of the table created below
my $sth = $dbh->prepare("INSERT INTO $table VALUES (?,?,?,?,?,?,?,?,?,?)");

# one conn-log line: seconds.micros duration proto origbytes respbytes
# localhost remotehost state flags  -> 10 captures, one per column
my $PerlParsingFormat = qr/^([\d-]+)\.([\d-]+) ([^ ]+) ([^ ]+) ([\d-]+) ([\d-]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)/;

while (<>) {
    my @field = ($_ =~ $PerlParsingFormat);
    next unless @field == 10;    # skip lines that don't match the format
    $sth->execute(@field) or warn "insert failed: " . $sth->errstr;
}

$dbh->disconnect;

#
# create the table in mysql
#
# CREATE TABLE log_bro (
#   SECONDS    int(10) NOT NULL,
#   MICROS     int(6) NOT NULL,
#   DURATION   NUMERIC(20, 10) NOT NULL,
#   PROTO      VARCHAR(10) NOT NULL,
#   ORIGBYTES  int(20) NOT NULL,
#   RESPBYTES  int(20) NOT NULL,
#   LOCALHOST  VARCHAR(100) NOT NULL,
#   REMOTEHOST VARCHAR(100) NOT NULL,
#   STATE      VARCHAR(5) NOT NULL,
#   FLAGS      VARCHAR(10)
# )

On Fri, 2003-11-14 at 11:58, manu wrote:
> You can find a patch for the bro "CURRENT" release which enables you to
> log in a MySQL database at http://manux.rstack.org/bro_mysql.
>
> It requires the library MySQL++.
> It uses a new bro bif called log_external which logs alerts according to
> a method passed as an argument.
>
> With this patch the only supported method is ALERT_LOG_EXTERNAL_SQL
> which logs in a MySQL database.
>
> A basic bro script that uses this method is given as an example
> (policy/test.bro).
>
> For instance:
> [paul at duncan bro-pub-0.8a48.dev-mysql]$ ./bro -r example-attacks/ftp-site-exec.trace test
> 976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
> 976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
> ...
>
> mysql> select * from conn_bro;
> +-----+------------------+----------+--------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
> | cid | start_time       | duration | orig_addr    | resp_addr       | orig_port | resp_port | addl         | conn_type | orig_size | resp_size | state | type | code |
> +-----+------------------+----------+--------------+-----------------+-----------+-----------+--------------+-----------+-----------+-----------+-------+------+------+
> |   1 | 976284129.459304 |        1 | 38.33.11.127 | 131.243.169.116 | 20/tcp    | 3914/tcp  | Hello world! |         0 |       431 |         0 | SF    |    0 |    0 |
> |   2 | 976284140.775142 |        1 | 38.33.11.127 | 131.243.169.116 | 20/tcp    | 3915/tcp  | Hello world! |         0 |       304 |         0 | SF    |
> ...
>
> Other methods should come out: RRD and SPOs (Snort Plugin Output). If
> anyone has already done that, I would like to hear from you.
>
> Feedback would be appreciated.
>
> Manu
>
>
> "Anton Chuvakin, Ph.D." wrote:
> >
> > >I am wondering whether anyone has tried direct bro log into mysql table or not.
> > Well, what do you mean by "log"? All contents of all files or alert.log
> > contents only?
> >
> > I was thinking of doing the same thing for MySQL logging, but there seems
> > to be little value in that: the logs are pretty much free form text and no
> > sensible schema can be designed. RDBMS will be just as good as a plain
> > text file...
> >
> > >Otherwise I will create simple perl/DBI interface by myself.
> > Do share the code, if/when its created.
> >
> > --
> > Anton Chuvakin, Ph.D., GCIA, GCIH
> > Senior Security Analyst
> > Product Management Group
> > netForensics - http://www.netForensics.com
> > 732-393-6071
>

From wutntfeze at msn.com Sun Nov 16 14:30:06 2003
From: wutntfeze at msn.com (Aber Gaston)
Date: Sun, 16 Nov 2003 14:30:06 -0800
Subject: Installation
Message-ID:

Are there any documents that will help install Bro on Red Hat Linux?
Thanks
Abera Gaston

_________________________________________________________________
Is your computer infected with a virus? Find out with a FREE computer virus
scan from McAfee. Take the FreeScan now!
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

From rpang at CS.Princeton.EDU Sun Nov 16 17:38:14 2003
From: rpang at CS.Princeton.EDU (Ruoming Pang)
Date: Sun, 16 Nov 2003 20:38:14 -0500 (EST)
Subject: Installation
In-Reply-To:
References:
Message-ID:

Aber,

The installation is the same as on BSD. The only problem I met with Redhat 9 was:
...

I met the same problem with RH9. The short answer is "krb5.h" is in /usr/kerberos/include and therefore is not found in the standard include path. More details are discussed at:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=82

You can either add /usr/kerberos/include to the include path, or apply the following patch and run autoconf before running ./configure:

*** bro-pub-0.8a48/configure.ac	2003-10-16 14:17:12.000000000 -0400
--- bro/configure.ac	2003-10-25 01:07:07.000000000 -0400
***************
*** 62,67 ****
--- 62,73 ----
      with_openssl="No"
  )

+ if test "$with_openssl" != "No"; then
+     openssl_incl=`pkg-config --cflags openssl`
+     echo "OpenSSL CFLAGS: ${openssl_incl}"
+     V_INCLS="${V_INCLS} ${openssl_incl}"
+ fi
+
  case "$target_os" in
  linux*)

-Ruoming

On Sun, 16 Nov 2003, Aber Gaston wrote:

> Is there any documents that will help install Bro on Red Hat Linux. Thanks
> Abera Gaston
>
> _________________________________________________________________
> Is your computer infected with a virus? Find out with a FREE computer virus
> scan from McAfee. Take the FreeScan now!
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>

From vern at icir.org Sun Nov 16 23:51:25 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 16 Nov 2003 23:51:25 -0800
Subject: Bro log into MySQL
In-Reply-To: Your message of Fri, 14 Nov 2003 14:03:17 EST.
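Review bot: the added line openssl_incl=`pkg-config --cflags openssl` runs unguarded, so on a host without pkg-config, or with OpenSSL installed but no openssl.pc, the backtick fails, openssl_incl ends up empty, and configure carries on silently; the user then hits the same missing krb5.h at compile time instead of getting a clear message at configure time. Test for the module first and fall back to the directory the mail names, e.g. "if pkg-config --exists openssl; then openssl_incl=`pkg-config --cflags openssl`; else openssl_incl='-I/usr/kerberos/include'; fi", or use PKG_CHECK_MODULES if the build already ships pkg.m4. It would also help to state in the patch description that the hunk only fixes the krb5.h problem when the platform's openssl.pc lists /usr/kerberos/include in its Cflags; as written, a reader has no way to see why an OpenSSL flag cures a Kerberos header error.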
Message-ID: <200311170751.hAH7pPgB042350@jaguar.icir.org>

> # bro -r trace.1 ./mypolicy.bro | dbi-bro.pl
>
> But when I use live traffic, I can't pipe or redirect the log output to
> the script, even a file. I don't know why. :(

Could it simply be due to buffering? Bro's stdout is block-buffered unless you add a call to flush_all() in your policy script.

		Vern

From vern at icir.org Sun Nov 16 23:50:41 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 16 Nov 2003 23:50:41 -0800
Subject: Installation
In-Reply-To: Your message of Sun, 16 Nov 2003 14:30:06 PST.
Message-ID: <200311170750.hAH7ofgB042318@jaguar.icir.org>

> Is there any documents that will help install Bro on Red Hat Linux. Thanks

The only documentation is the stuff that comes with it, the user manual and auxiliary documents in doc/. What problems are you running into?

		Vern

From vern at icir.org Sun Nov 16 23:51:19 2003
From: vern at icir.org (Vern Paxson)
Date: Sun, 16 Nov 2003 23:51:19 -0800
Subject: Bro log into MySQL
In-Reply-To: Your message of Tue, 11 Nov 2003 12:21:45 EST.
Message-ID: <200311170751.hAH7pJgB042342@jaguar.icir.org>

> I was thinking of doing the same thing for MySQL logging, but there seems
> to be little value in that: the logs are pretty much free form text and no
> sensible schema can be designed.

Note that with Bro 0.8's "ALERT" framework, there's an opportunity to now define such schemas. That indeed was one of the motivations behind instituting it, though the policy scripts don't yet make full use of it.

		Vern
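The loader that Hongjie's dbi-bro.pl and Vern's buffering reply together describe, written out as an added example that is not part of the thread and not Bro's or the patch's own code. It parses conn lines in the format Manu quoted into the ten columns of the log_bro table from dbi-bro.pl and inserts them with bound parameters; Python's sqlite3 module stands in for MySQL/DBI so it runs without a database server (an assumption, as are the function names, the script name in the usage comment, and every sample line other than the two copied from Manu's output). It also covers the two failure modes the thread turns on: a line whose numeric field Bro could not determine, or that is not a conn line at all, is counted and skipped instead of aborting the run, and each row is committed as it arrives, the database-side counterpart of the flush_all() Vern recommends for Bro's stdout.

```python
"""Load Bro 0.8 conn-log lines into a SQL table with bound parameters.

Added example, not code from the thread or from Bro.  sqlite3 stands in for
MySQL/DBI (assumption); the columns are the log_bro table from dbi-bro.pl.
"""
import re
import sqlite3
import sys
from typing import Iterable, Optional, Tuple

# One Bro 0.8 conn line as quoted in the thread:
#   start_time duration service orig_bytes resp_bytes orig_addr resp_addr state flags
# The timestamp is split at the dot into SECONDS and MICROS to fit the schema.
CONN_LINE = re.compile(
    r"^(?P<secs>\d+)\.(?P<micros>\d+)\s+(?P<duration>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<orig_bytes>\S+)\s+(?P<resp_bytes>\S+)\s+(?P<orig_addr>\S+)\s+"
    r"(?P<resp_addr>\S+)\s+(?P<state>\S+)\s+(?P<flags>\S+)\s*$"
)

# Same columns as the CREATE TABLE posted with dbi-bro.pl, types mapped to sqlite.
SCHEMA = """
CREATE TABLE IF NOT EXISTS log_bro (
    SECONDS    INTEGER      NOT NULL,
    MICROS     INTEGER      NOT NULL,
    DURATION   NUMERIC      NOT NULL,
    PROTO      VARCHAR(10)  NOT NULL,
    ORIGBYTES  INTEGER      NOT NULL,
    RESPBYTES  INTEGER      NOT NULL,
    LOCALHOST  VARCHAR(100) NOT NULL,
    REMOTEHOST VARCHAR(100) NOT NULL,
    STATE      VARCHAR(5)   NOT NULL,
    FLAGS      VARCHAR(10)
)
"""
# Placeholders: field values are bound as data, never spliced into the SQL text.
INSERT = "INSERT INTO log_bro VALUES (?,?,?,?,?,?,?,?,?,?)"


def parse_conn_line(line: str) -> Optional[tuple]:
    """Return the 10 column values for one conn line, or None if it cannot be loaded.

    None covers non-conn output (summary lines, a partial line read from a pipe)
    and conn lines whose numeric fields are not numbers (Bro printing an unknown
    value; '?' is used as that marker in the sample data, an assumption).
    """
    m = CONN_LINE.match(line)
    if m is None:
        return None
    try:
        return (
            int(m["secs"]), int(m["micros"]), float(m["duration"]), m["service"],
            int(m["orig_bytes"]), int(m["resp_bytes"]),
            m["orig_addr"], m["resp_addr"], m["state"], m["flags"],
        )
    except ValueError:
        return None


def load_conn_log(conn: sqlite3.Connection, lines: Iterable[str],
                  commit_every: int = 1) -> Tuple[int, int]:
    """Insert every parseable line; return (inserted, skipped).

    commit_every=1 makes each row visible to other readers as soon as it arrives;
    a larger batch is faster but holds rows back the way an unflushed stdout does.
    """
    commit_every = max(1, commit_every)
    conn.execute(SCHEMA)
    cur = conn.cursor()
    inserted = skipped = 0
    for line in lines:
        row = parse_conn_line(line.rstrip("\r\n"))
        if row is None:
            skipped += 1
            continue
        cur.execute(INSERT, row)      # values travel as parameters, not as SQL
        inserted += 1
        if inserted % commit_every == 0:
            conn.commit()
    conn.commit()
    return inserted, skipped


# Constructed input: the first two lines are the ones Manu quoted; the rest are
# made up to exercise the failure modes (SQL syntax inside a field, an unknown
# byte count, and a line that is not a conn record at all).
SAMPLE_LINES = [
    "976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X",
    "976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X",
    "976284150.000001 0.5 ftp');DROP--TABLE 12 34 10.0.0.5 192.0.2.7 SF L",
    "976284160.5 ? other-21 ? ? 10.0.0.5 192.0.2.9 S0 L",
    "connection summary: 4 conns",
]


def demo(lines: Iterable[str] = SAMPLE_LINES):
    """Load the sample lines into an in-memory database and report what landed."""
    conn = sqlite3.connect(":memory:")
    inserted, skipped = load_conn_log(conn, lines)
    rows = conn.execute(
        "SELECT SECONDS, MICROS, PROTO, ORIGBYTES FROM log_bro ORDER BY SECONDS"
    ).fetchall()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    conn.close()
    return inserted, skipped, rows, tables


if __name__ == "__main__":
    # Assumed invocation:  bro -r trace.1 ./mypolicy.bro | python3 bro2sql.py conns.db
    # Bro's stdout is block-buffered when it is a pipe; call flush_all() in the
    # policy script or lines only reach this loader when Bro's buffer fills.
    db = sqlite3.connect(sys.argv[1] if len(sys.argv) > 1 else "conns.db")
    n, s = load_conn_log(db, sys.stdin)
    print(f"inserted {n}, skipped {s}", file=sys.stderr)
```

Run against the sample data, three rows land and two lines are skipped; the constructed service token containing quote and comment characters is stored verbatim as a string and the table survives, which is the property the `?` placeholders in dbi-bro.pl buy. With live traffic, the loader still sees nothing until Bro hands lines over, so flush_all() in the policy script is needed on the producer side regardless of how the consumer is written.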