From kong at etexchina.com Thu Aug 5 18:49:16 2004
From: kong at etexchina.com (kong)
Date: Fri, 6 Aug 2004 09:49:16 +0800
Subject: [Bro] how to call a external command
Message-ID: <1606959224.20040806094916@etexchina.com>

hello:

When an event happens, how do I make its event handler call an external command? For example, call an alarm program to alert the administrator, or call an external command like iptables to respond to the attack event?

Is there a function like "exec()" in C?

--
Best regards,
kong
mailto:kong at etexchina.com


From JRLee at lbl.gov Fri Aug 6 09:22:20 2004
From: JRLee at lbl.gov (Jason Lee)
Date: Fri, 06 Aug 2004 09:22:20 -0700
Subject: [Bro] how to call a external command
In-Reply-To: <1606959224.20040806094916@etexchina.com>
References: <1606959224.20040806094916@etexchina.com>
Message-ID: <4113B03C.40303@lbl.gov>

I believe that it's fairly easy to do:

    # Bro policy script: system() passes the formatted command line to the
    # shell, with the address a appended as the script's argument.
    function foo(a: addr)
        {
        system(fmt("%s %s", "/path/to/my/script", a));
        }

kong wrote:
> hello:
>
> When an event happens, how do I make its event handler call an
> external command? For example, call an alarm program to alert the
> administrator, or call an external command like iptables to respond
> to the attack event?
>
> Is there a function like "exec()" in C?
>


From christian at whoop.org Fri Aug 6 14:34:40 2004
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 06 Aug 2004 14:34:40 -0700
Subject: [Bro] [Fwd: Re: snort tamandua or prelude ids plus bro?]
Message-ID: <1091828080.31921.758.camel@localhost.localdomain>

Hey,

a bit of motivation to get the documentation up to speed :)

Cheers,
Christian.
-----Forwarded Message-----

> From: Lee Sheng
> To: focus-ids at securityfocus.com
> Subject: Re: snort tamandua or prelude ids plus bro?
> Date: Fri, 06 Aug 2004 22:46:53 +0800
>
> rmkml,
>
> Actually I'm thinking of adding Bro too, but the thing is the lack of
> documentation on Bro. Can you point me to where I can find useful
> whitepapers or guides on deploying Bro, because I have no time to start
> everything from scratch.
>
> Thanks.
>
>
> Regards,
> Lee
>
>
> >From: rmkml
> >To: Lee Sheng
> >Subject: Re: snort tamandua or prelude ids
> >Date: Fri, 6 Aug 2004 16:32:49 +0200 (CEST)
> >
> >Hi Lee,
> >
> >Add Bro as a possible choice?
> >
> >Regards
> >
> >Rmkml at Wanadoo.fr
> >
> >
> >On Fri, 6 Aug 2004, Lee Sheng wrote:
> >
> >>Date: Fri, 06 Aug 2004 18:37:16 +0800
> >>From: Lee Sheng
> >>To: focus-ids at securityfocus.com
> >>Subject: snort tamandua or prelude ids
> >>
> >>All,
> >>
> >>Thanks to all of you who have answered my question; it's so nice to get so
> >>many suggestions and so much help from the community.
> >>
> >>My other question: no doubt snort is one of the best IDSs compared
> >>to other IDSs. However, I am really interested in the Tamandua IDS, which
> >>implements a boolean layer to detect the pattern of the attack (fewer
> >>false positives). Does anyone have experience deploying Tamandua IDS? I
> >>would like to know whether Tamandua IDS is still active or whether the
> >>development of Tamandua IDS is already dead. If you have experience deploying
> >>it, hopefully you can share that experience with me. Then about Prelude
> >>IDS: Prelude IDS seems very complicated and I'm still not sure where to
> >>start. Does anyone have any ideas? Right now I'm still thinking about
> >>which IDS to deploy for the company. Snort, Tamandua or Prelude?
> >>Prelude seems more in-depth on tracking what an attacker tries to do, with HIDS
> >>as well. I've one and a half years' experience with snort (not in transparent
> >>mode of course).
> >>If I want to save my time, sure I will choose snort;
> >>however, I would like to hear from you all. Thanks again.
> >>
> >>
> >>Regards,
> >>Lee
> >>

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25                      http://www.whoop.org


From dracula at sh163b.sta.net.cn Thu Aug 12 23:33:50 2004
From: dracula at sh163b.sta.net.cn (kong)
Date: Fri, 13 Aug 2004 14:33:50 +0800
Subject: [Bro] how can I find the rst utility
Message-ID: <465674339.20040813143350@sh163b.sta.net.cn>

In the Bro Manual, when discussing the "terminate connection (c: connection)" function, it mentioned that a "rst utility" can terminate the connection.

Where can I find the "rst utility"?


From JRLee at lbl.gov Fri Aug 13 11:24:45 2004
From: JRLee at lbl.gov (Jason Lee)
Date: Fri, 13 Aug 2004 11:24:45 -0700
Subject: [Bro] how can I find the rst utility
In-Reply-To: <465674339.20040813143350@sh163b.sta.net.cn>
References: <465674339.20040813143350@sh163b.sta.net.cn>
Message-ID: <411D076D.7060508@lbl.gov>

I'm not sure about the 'rst utility', but I think you can use hping2 (http://www.hping.org) instead (if you don't want to code your own :)

I believe that something along the lines of:

    hping2 -R -M seqnum -s srcport -p dstport -a srchost dsthost

or some such should work. You'll have to play with it, but I'd be interested in the results.

Anyone else using something similar to this in bro currently? Or is everyone 'rolling their own'??

Cheers,
jason

kong wrote:
> In the Bro Manual, when discussing the "terminate connection (c:
> connection)" function, it mentioned that a "rst utility" can terminate the
> connection.
>
> Where can I find the "rst utility"?
>
> _______________________________________________
> Bro mailing list
> Bro at ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
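The first thread's answer hands an address to an external script through Bro's system(), which runs the formatted command line through the shell. What that script does with its argument is the security-relevant part: the value came out of a network monitor, so it is attacker-influenced, and an auto-responder that blocks whatever it is told to block can be steered into cutting off its own gateway or resolver. The following is an added example by the editor, not Bro's code and not the script the list posters used, of the receiving side of `system(fmt("%s %s", "/path/to/my/script", a))`: the argument is parsed as an IP literal or rejected, addresses the sensor depends on are refused, and iptables is invoked as an argv list with no shell in between. The script path, the protected ranges and the rule layout are assumptions.

```python
#!/usr/bin/env python3
"""Responder script for a Bro handler such as
system(fmt("%s %s", "/path/to/my/script", a)).
Editor-added example: the path, protected ranges and rule layout are
assumptions, not something the Bro project ships."""
import ipaddress
import subprocess
import sys

# Addresses the sensor must never block; a spoofed attack "from" the
# gateway or the resolver would otherwise turn the auto-responder into a
# self-inflicted denial of service. Assumed values for illustration.
PROTECTED = [
    ipaddress.ip_network("10.0.0.0/24"),     # management network
    ipaddress.ip_network("192.0.2.53/32"),   # resolver
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_target(arg: str):
    """Accept exactly one IP address literal; anything else is rejected.
    The string was interpolated into a shell command by the IDS, so it is
    validated here rather than trusted."""
    try:
        return ipaddress.ip_address(arg.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {arg!r}") from None


def is_protected(ip) -> bool:
    """True if ip falls inside any protected network of the same family."""
    return any(ip in net for net in PROTECTED if net.version == ip.version)


def block_command(ip):
    """argv for a DROP rule, or None if the address must not be blocked.
    Returned as a list so subprocess can run it without a shell."""
    if is_protected(ip):
        return None
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def respond(arg: str, dry_run: bool = True) -> list:
    """Raw argument to firewall call. With dry_run the command is returned
    instead of executed, so the decision logic can be tested offline."""
    ip = parse_target(arg)
    cmd = block_command(ip)
    if cmd is None:
        return []
    if not dry_run:
        subprocess.run(cmd, check=True)   # argv list: no shell involved
    return cmd


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: respond.py <ip-address>")
    print(" ".join(respond(sys.argv[1], dry_run=True)) or "refused")
```

Run with dry_run=False only once the protected list reflects the real environment; the argv form is what keeps a crafted hostname or user name from ever reaching /bin/sh, but only if every responder script called from system() is written this way.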
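On the second thread's "rst utility" question: whatever tool is used, tearing down a TCP connection from a third host means sending each endpoint a RST that appears to come from its peer and carries a sequence number the receiver will accept (per RFC 793, one inside its receive window; hosts implementing RFC 5961 accept only the exact next expected sequence number and answer anything else in-window with a challenge ACK). The following is editor-added Python, not Bro's rst tool and not the hping2 invocation above, that builds such a pair of packets with correct IPv4 and TCP checksums. The connection tuple and sequence numbers are constructed sample values; in practice they would come from the monitor's state for the connection being terminated. Sending needs a raw socket and root; building and verifying need neither.

```python
#!/usr/bin/env python3
"""Build (and optionally send) TCP RST segments that tear down a
connection from a third host. Editor-added example; the sample
connection below is constructed, not captured."""
import socket
import struct

TH_RST = 0x04
TH_ACK = 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_rst(src_ip, dst_ip, sport, dport, seq, ack=0) -> bytes:
    """20-byte TCP header with RST set (RST|ACK when an ack number is
    given), checksummed over the IPv4 pseudo-header."""
    flags = TH_RST | (TH_ACK if ack else 0)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,          # data offset: 5 words, no options
                      flags, 0, 0, 0)  # window, checksum, urgent pointer
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(hdr))
    csum = checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload: bytes, ttl=64, ident=0) -> bytes:
    """Minimal IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def rst_pair(orig_ip, orig_port, resp_ip, resp_port,
             orig_next_seq, resp_next_seq):
    """Two packets: one to the responder spoofed from the originator, one
    to the originator spoofed from the responder. Each carries the sequence
    number that receiver currently expects from its peer (its RCV.NXT),
    which is the peer's next send sequence number."""
    to_resp = build_ipv4(orig_ip, resp_ip,
                         build_tcp_rst(orig_ip, resp_ip, orig_port, resp_port,
                                       orig_next_seq))
    to_orig = build_ipv4(resp_ip, orig_ip,
                         build_tcp_rst(resp_ip, orig_ip, resp_port, orig_port,
                                       resp_next_seq))
    return to_resp, to_orig


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet (sanity check for what
    was built, or for a captured packet)."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0,
                         socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def send_raw(pkt: bytes) -> None:
    """Inject a pre-built IPv4 packet; needs CAP_NET_RAW / root."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW,
                       socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


if __name__ == "__main__":
    # Constructed sample: 198.51.100.7:40123 -> 192.0.2.10:80, with the
    # next expected sequence numbers as the monitor would report them.
    for p in rst_pair("198.51.100.7", 40123, "192.0.2.10", 80,
                      0x1A2B3C4D, 0x5E6F7081):
        print(p.hex(), tcp_checksum_ok(p))
```

Because a stale or guessed sequence number is silently dropped (or, on RFC 5961 hosts, answered with a challenge ACK that the real peer will ignore), the teardown only works while the numbers are current; a responder driven from Bro must therefore read them from the connection at the moment the event fires, not from a log written later.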