From joduart at alumni.uv.es Tue Mar 2 08:23:31 2004
From: joduart at alumni.uv.es (Jose M Duart)
Date: Tue, 2 Mar 2004 17:23:31 +0100
Subject: Syntax error in policy
Message-ID: <200403021611.i22GBfhO018303@listserv.lbl.gov>

Hello all,

I'm trying to use Bro as a Prelude sensor. There is a patch for Bro 8a20 and I adapted the changes in the source to Bro 8a70. Bro compiled fine, but when I try to execute it, it fails with this syntax error:

    # bro -i eth0 ./policy/prelude.bro
    ./policy/prelude.bro, line 50: error: syntax error, at or near "log_prelude"

The affected lines are:

    47:    local msg = a ?$ sub ? fmt("msg: %s -- sub: %s", a$msg, a$sub) : a$msg;
    48:    local log_msg = fmt("alert: %s -- %s", msg, addl);
    50:    log_prelude( ip_src, port_src, ip_dst, port_dst, proto, log_msg ) ;
    51:    } # end of function

This policy file worked fine with versions 8a20 and 8a34. Any ideas?

If anyone is interested in the full modified source, I put it at http://pikachute.uv.es/elas/bro-prelude.tgz

Thanks in advance,

Jose M Duart

From sommer at in.tum.de Wed Mar 3 01:46:38 2004
From: sommer at in.tum.de (Robin Sommer)
Date: Wed, 3 Mar 2004 10:46:38 +0100
Subject: Syntax error in policy
In-Reply-To: <200403021611.i22GBfhO018303@listserv.lbl.gov>
References: <200403021611.i22GBfhO018303@listserv.lbl.gov>
Message-ID: <20040303094638.GA707@net.informatik.tu-muenchen.de>

On Tue, Mar 02, 2004 at 17:23 +0100, Jose M Duart wrote:
> 50:    log_prelude( ip_src, port_src, ip_dst, port_dst, proto, log_msg ) ;

"log_prelude" seems to be a new keyword. In parse.in the token TOK_LOG_PRELUDE is defined, but it's not contained in any grammar rule. Is it possible that there's a part of the patch missing?

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From joduart at alumni.uv.es Wed Mar 3 13:02:38 2004
From: joduart at alumni.uv.es (Jose M Duart)
Date: Wed, 3 Mar 2004 22:02:38 +0100
Subject: Syntax error in policy
In-Reply-To: <20040303094638.GA707@net.informatik.tu-muenchen.de>
References: <200403021611.i22GBfhO018303@listserv.lbl.gov> <20040303094638.GA707@net.informatik.tu-muenchen.de>
Message-ID: <200403032050.i23KojhO010101@listserv.lbl.gov>

You are correct, thank you very much. "log_prelude" is a new keyword and is like the "log" keyword (with small differences). I was adapting the 8a20 patch by searching for TOK_LOG and adding the Prelude code. I don't know why, but I missed this change :(

I've added these lines to parse.in:

    | TOK_LOG_PRELUDE '(' expr_list ')' ';'
        { $$ = new LogPreludeStmt($3); }

and Bro runs successfully. I'm going to test it for a while and if it works fine I will post the patch.

Thanks again. Regards.

Jose M Duart

Robin Sommer wrote:
> On Tue, Mar 02, 2004 at 17:23 +0100, Jose M Duart wrote:
>> 50:    log_prelude( ip_src, port_src, ip_dst, port_dst, proto, log_msg ) ;
>
> "log_prelude" seems to be a new keyword. In parse.in the token
> TOK_LOG_PRELUDE is defined, but it's not contained in any grammar
> rule. Is it possible that there's a part of the patch missing?
>
> Robin

From buraglio at ncsa.uiuc.edu Fri Mar 5 11:17:46 2004
From: buraglio at ncsa.uiuc.edu (Nick Buraglio)
Date: Fri, 5 Mar 2004 13:17:46 -0600
Subject: make error question

I'm attempting to build bro-pub-0.8a70 and receiving some make errors. The system is FreeBSD 4.2. I have successfully built on FreeBSD 4.9, but this older install generates this error. Can anyone shed any insight on my error? This machine currently runs an older version of bro which I did not install.

Thanks,
nb

    bro1# make
    g++ -I. -Ilibedit -O -c File.cc
    File.cc: In method `int BroFile::Write(const char *, int = 0)':
    File.cc:719: void value not ignored as it ought to be
    File.cc:719: in argument to unary !
    *** Error code 1

It then ceases to build.

From etu87 at sina.com Thu Mar 11 21:51:40 2004
From: etu87 at sina.com (宋世杰)
Date: Fri, 12 Mar 2004 13:51:40 +0800
Subject: ask for information

Hi Vern,

Could you give me some information introducing the source code, like the *.cc files? I could not understand the function and the relation of this code.

thanks
etu87 at sina.com

From etu87 at sina.com Sun Mar 14 16:09:27 2004
From: etu87 at sina.com (宋世杰)
Date: Mon, 15 Mar 2004 08:09:27 +0800
Subject: ask for help

Hi Vern,

Could you give me some information introducing the source code, like the *.cc files? I could not understand the function and the relation of this code.

thanks
etu87

From songkai725 at hotmail.com Sun Mar 14 21:03:16 2004
From: songkai725 at hotmail.com (songkai)
Date: Mon, 15 Mar 2004 05:03:16 +0000 (UTC)
Subject: why this command can't work?

    kill 'cat /home/bro/bro.pid';

When I run this command, it says:

    kill:cat /home/bro/bro.pid no such pid

What should I do?!

About bro.pid:

    ./bro -i eth0 mt @;
    echo $!

Message-ID: <20040315020440.37511d7f@bogomips.optonline.net>

On Mon, 15 Mar 2004 05:03:16 +0000 (UTC) songkai wrote:
> kill 'cat /home/bro/bro.pid';
>
> when i run this command,it says:
> kill:cat /home/bro/bro.pid no such pid

There are 2 types of single quotes in Unix/Linux: the single quote, aka ', and the back quote, aka `.

> what should i do?!

Use back quotes instead of single quotes. Look at the difference between the two in your shell:

    echo 'cat /home/bro/bro.pid';
    echo `cat /home/bro/bro.pid`;

marc

> about bro.pid:
> ./bro -i eth0 mt @;
> echo $!

From rpang at CS.Princeton.EDU Mon Mar 15 11:03:08 2004
From: rpang at CS.Princeton.EDU (Ruoming Pang)
Date: Mon, 15 Mar 2004 14:03:08 -0500 (EST)
Subject: why this command can't work?

Hi,

The problem may be that the quotation marks should be ` rather than ', i.e. you should use:

    kill `cat /home/bro/bro.pid`;

rather than

> kill 'cat /home/bro/bro.pid';
>
> when i run this command,it says:
> kill:cat /home/bro/bro.pid no such pid

Does this solve the problem?

Ruoming

From zwei03 at citiz.net Mon Mar 15 19:09:24 2004
From: zwei03 at citiz.net (Cliff)
Date: Tue, 16 Mar 2004 11:09:24 +0800
Subject: list
Message-ID: <002901c40b04$1656d2a0$0300a8c0@cliff>

get bro archive

From songkai725 at hotmail.com Mon Mar 15 20:32:36 2004
From: songkai725 at hotmail.com (songkai)
Date: Tue, 16 Mar 2004 04:32:36 +0000 (UTC)
Subject: why this command can't work?
References: <20040315020440.37511d7f@bogomips.optonline.net>

Yes, it now works correctly, thanks for your help!

Then I have another question :) I want to add a GUI to my Bro with Java, so I can start, close and configure Bro in Windows conveniently. The problem is, how can I run a shell command in a Java program?

Thanks again!

From vern at icir.org Sat Mar 20 15:10:01 2004
From: vern at icir.org (Vern Paxson)
Date: Sat, 20 Mar 2004 15:10:01 -0800
Subject: Bro signature for detecting hosts infected with "Witty"
Message-ID: <200403202310.i2KNA1mO028707@jaguar.icir.org>

Here's a signature to detect the Witty worm that's going around today:

    signature witty-worm {
        header udp[0:2] == 4000
        payload /.*insert witty message here/
        event "Source infected with Witty"
    }

If you put that in "witty.sig" then the appended script will generate RemoteWittyInfectee for non-local infected hosts and LocalWittyInfectee for local ones.

Vern

    @load log
    @load site
    @load alert

    redef signature_files += "witty.sig";

    redef enum Alert += {
        RemoteWittyInfectee,
        LocalWittyInfectee
    };

    redef capture_filters = { ["witty"] = "udp src port 4000" };

    # Keep track of each infection spotted.
    global witty_infectees: table[addr] of count &default = 0;

    event signature_match(state: signature_state, msg: string, data: string)
        {
        local infectee = state$conn$id$orig_h;

        if ( ++witty_infectees[infectee] == 1 )
            ALERT([$alert = is_local_addr(infectee) ?
                    LocalWittyInfectee : RemoteWittyInfectee,
                $conn=state$conn,
                $msg=fmt("source %s infected by Witty", infectee)]);
        }

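The signature plus script above is Bro policy that the verifier cannot run, so here, as an added example that is not part of Vern's post, is the same detection logic in Python replayed over a constructed packet list: the port/payload test stands in for the signature firing, and the counter reproduces the "alert only on the first sighting of an infectee" rule with the local/remote split. The local prefix and the page's placeholder payload text are assumptions.

```python
"""Added example (not Vern's script and not Bro code): witty.sig and the
appended policy script re-expressed in Python so the "alert once per
infectee" behaviour and the local/remote split can be checked offline."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# 'header udp[0:2] == 4000' in witty.sig: the two bytes at UDP offset 0 are
# the source port, and Witty sent from source port 4000.
WITTY_SRC_PORT = 4000
# The post's signature uses a placeholder payload pattern; the same placeholder
# is used here (assumption: no real Witty payload bytes appear in this example).
WITTY_PAYLOAD = re.compile(rb".*insert witty message here")

# Stand-in for Bro's is_local_addr(): a constructed local prefix (assumption).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_local_addr(orig_h: str) -> bool:
    ip = ipaddress.ip_address(orig_h)
    return any(ip in net for net in LOCAL_NETS)


def signature_matches(orig_p: int, payload: bytes) -> bool:
    """The signature fires only when BOTH the header test and the payload
    regex match, which is what raises signature_match in the script."""
    return orig_p == WITTY_SRC_PORT and WITTY_PAYLOAD.match(payload) is not None


def run_witty_detector(
    packets: List[Tuple[str, int, bytes]],
) -> Tuple[List[Tuple[str, str, str]], Dict[str, int]]:
    """packets: (orig_h, orig_p, payload) tuples, one per UDP datagram.
    Returns (alerts, infectee_counts). Each alert is
    (alert_name, orig_h, msg) and is raised once per infectee, mirroring
    'if ( ++witty_infectees[infectee] == 1 )' in the policy script."""
    witty_infectees: Counter = Counter()  # table[addr] of count &default = 0
    alerts: List[Tuple[str, str, str]] = []
    for orig_h, orig_p, payload in packets:
        if not signature_matches(orig_p, payload):
            continue  # no signature_match event for this packet
        witty_infectees[orig_h] += 1
        if witty_infectees[orig_h] == 1:
            name = "LocalWittyInfectee" if is_local_addr(orig_h) else "RemoteWittyInfectee"
            alerts.append((name, orig_h, f"source {orig_h} infected by Witty"))
    return alerts, dict(witty_infectees)


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    ("192.0.2.7", 4000, b"\x05\x00insert witty message here\x00\x00"),  # remote infectee
    ("192.0.2.7", 4000, b"insert witty message here"),  # same host again: no 2nd alert
    ("10.1.2.3", 4000, b"xx insert witty message here"),  # local infectee
    ("198.51.100.9", 4000, b"benign payload on port 4000"),  # port matches, payload not
    ("198.51.100.9", 53, b"insert witty message here"),  # payload matches, port not
]

if __name__ == "__main__":
    found, counts = run_witty_detector(SAMPLE_PACKETS)
    for name, host, msg in found:
        print(name, host, msg)
    print("sightings per infectee:", counts)
```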
From vern at icir.org Tue Mar 23 13:45:23 2004
From: vern at icir.org (Vern Paxson)
Date: Tue, 23 Mar 2004 13:45:23 -0800
Subject: bro@lbl.gov is now subscriber-only posting ...
Message-ID: <200403232145.i2NLjNmO058280@jaguar.icir.org>

... due to the incessant spam and viruses that the open configuration allowed.

I also went through the archive and removed a bunch of spam and addresses from it. (This had gotten to the point where the archive couldn't be retrieved because it was blocked outbound by LBL's viruswall! It's now retrievable again.)

Vern

From vern at icir.org Thu Mar 25 09:25:39 2004
From: vern at icir.org (Vern Paxson)
Date: Thu, 25 Mar 2004 09:25:39 -0800
Subject: new bro "CURRENT" release - 0.8a79
Message-ID: <200403251725.i2PHPdCq024443@jaguar.icir.org>

An updated "CURRENT" version of Bro is now available from the usual location:

    ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz

This version has a lot of changes, including new analyzers, documentation, language features, VLAN support, and the beginnings of IDMEF support. I've appended the changes since the last "CURRENT" version (0.8a70).

Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0.8a79 Wed Mar 24 22:02:53 PST 2004

- Bro now has an SSL analyzer, written by Michael Kuhn and Benedikt Ostermaier, with further development by Scott Campbell. It generates the following events:

    event process_X509_extensions(c: connection, ex: X509_extension)
    event ssl_X509_error(c: connection, err: int, err_string: string)
    event ssl_certificate(c: connection, cert: X509, is_server: bool)
    event ssl_certificate_seen(c: connection, is_server: bool)
    event ssl_conn_alert(c: connection, version: count, level: count, description: count)
    event ssl_conn_attempt(c: connection, version: int)
    event ssl_conn_established(c: connection, version: int, cipher_suite: count)
    event ssl_conn_reused(c: connection, session_id: sessionID)
    event ssl_conn_server_reply(c: connection, version: int)
    event ssl_conn_weak(name: string, c: connection)
    event ssl_session_insertion(c: connection, id: sessionID)

  Note, it still has a lot of rough edges; particularly, handling non-conformant input. It also generates unnecessary ContentGap alerts due to the way it runs multiple analyzers (SSLv2 and SSLv3) on a single connection. This will be fixed in the fairly near-term future.
- The manual has been updated with chapters on signatures (Robin Sommer) and using the interactive debugger (Umesh Shankar), along with a partial description of the new SSL analyzer (Michael Kuhn and Benedikt Ostermaier) and a number of updates to the documentation of built-in functions (Umesh Shankar), though this latter is still not complete since Umesh actually contributed this quite a while ago.

- Ruoming Pang has contributed a crude analyzer for DCE/RPC (used for Windows). It generates simple dce_rpc_request and dce_rpc_reply events. It should not be considered stable.

- The traditional connection logging format (traditional_conn_format) is no longer the default. The 0.8a70 release notes stated that this was the case but this time it really is :-).

- An experimental "vector" type has been added (Umesh Shankar). A vector is an aggregate type. For example:

    local suspect_hosts: vector of addr;

  You can randomly access elements starting with the first as 1, e.g.,

    suspect_hosts[1] = 10.0.0.8;

  and can also add elements at later positions even if there are gaps:

    suspect_hosts[31337] = 10.0.0.9;

  *The semantics and capabilities of vectors will be changing considerably.*

- Umesh Shankar has developed a framework for generating IDMEF messages. Currently it needs a modified version of libidmef, which is not included in this distribution. Contact me or Umesh if you want a copy.

- A new attribute &synchronized causes the given global variable to be *synchronized* across concurrent instances of Bro (which are intercommunicating via remote.bro). Any change made by one of them to the variable will be reflected (soon after) in the copy at the others. A new event remote_state_inconsistency is generated if two instances both change the value before they're synchronized. (Contributed by Robin Sommer.)

- trw.bro implements a new scan detection algorithm, Threshold Random Walk (Jaeyeon Jung). It's described in an upcoming IEEE S&P symposium paper.
  The analyzer generates two events:

    TRWAddressScan,   # source flagged as scanner by TRW algorithm
    TRWScanSummary,   # summary of scanning activities reported by TRW

  TRW is generally much more sensitive than Bro's regular detection algorithm.

- vlan.bro provides support for VLAN encapsulation. More generally, Bro now has support for any sort of constant-offset encapsulation (Vinod Yegneswaran). You specify the header size by redef'ing encap_hdr_size. You can also redef tunnel_port to be a UDP port which Bro treats as being the encapsulation (in the packet stream - not addressed to it) rather than all traffic.

- If you turn on statistics (i.e., via @load statistics) and also redef segment_profiling to T, then Bro will generate to the statistics file a trace of its "segment" processing. A segment is a unit of internal execution. Profiles look like:

    1058517499.615430 segment-processing-packet dt=0.000013 dmem=0
    1058517499.615430 segment-draining-events dt=0.000012 dmem=0
    1058517499.615671 segment-expiring-timers dt=0.000010 dmem=0
    1058517499.615671 segment-processing-packet dt=0.000010 dmem=0
    1058517499.615671 segment-draining-events dt=0.000012 dmem=0
    1058517499.615671 segment-policy/conn.bro:282 dt=0.000011 dmem=0
    1058517499.615671 segment-policy/conn.bro:253 dt=0.000012 dmem=0

  The first line states that at the given (packet) timestamp, the event engine processed a packet, taking 13 usec of CPU time to do so, and not consuming any memory (from the kernel's perspective; this is *not* fine-grained memory consumption). The next lines indicate 12 usec were spent draining events and 10 usec expiring timers. The last two lines indicate that the functions at lines 282 and 253 in conn.bro were executed, requiring 11 usec and 12 usec, respectively.

  Note #1: timings are just what rusage() reports, so not necessarily very accurate for small times.

  Note #2: there's a bug in tracking function line numbers that hasn't been ferreted out yet, so they're only roughly correct.
- The inactivity_timeout global has been split into tcp_inactivity_timeout/udp_inactivity_timeout/icmp_inactivity_timeout (Robin Sommer). Using this, the default inactivity timeouts for UDP and ICMP have been changed from "no timeout" to 10 seconds. This is needed because otherwise analyzing a stream of UDP or ICMP traffic generally gobbles up memory quickly and never recovers it; and there seems little point in trying to consolidate long-lived-but-often-inactive UDP/ICMP streams.

- The new policy script cpu-adapt.bro is an extension to load-levels.bro (see CHANGES for 0.8a37 below) to adapt the packet filter based on the current CPU load. If the load is below cpu_lower_limit (default 40%), the load-level is decreased. If it's above cpu_upper_limit (default 90%), it's increased. (Robin Sommer)

- The new policy script hand-over.bro can be used for a new running instance of Bro to smoothly take over operation from an old instance, i.e., it implements hand-over of state between two Bro instances when checkpointing (Robin Sommer). First, all persistent data (i.e. variables declared &persistent and connections for which make_connection_persistent() has been called) is transferred from the old instance to the new instance. Then the old instance terminates itself and the new one starts processing.

  The host from which we want to take over the state has to be added to remote_peers_clear (or remote_peers_ssl), setting hand_over to T. The host which is allowed to perform a hand-over with us has to be added with a port of 0/tcp and hand_over=T. An example for a handover between two instances on the same machine:

    @load hand-over
    redef remote_peers_clear += {
        [127.0.0.1, 47756/tcp] = [$hand_over = T],
        [127.0.0.1, 0/tcp] = [$hand_over = T]
    };

  (This interface may be subject to change in the future.)

- New script functions (Robin Sommer):

    function terminate()
        Terminates Bro via SIGTERM.

    function dump_config()
        Dumps Bro's full configuration into state_dir (one file per
        variable/type/function, etc.)

    function send_state(ip: addr, p: port)
        Send all of persistent state to the remote host.

    function set_accept_state(ip: addr, p: port, accept: bool)
        If accept is true, state sent by the given host will be
        accepted (default: false)

    function make_connection_persistent(c: connection)
        Declare the given connection state to be persistent (i.e.
        to be saved upon termination and exchanged by send_state).
        checkpoint.bro uses this to declare some services to be
        persistent by default.

    function is_local_interface(ip: addr): bool
        Returns true if the given address is assigned to a local
        interface.

- Printing of sets and tables now includes timestamps indicating when the element was added (Robin Sommer):

    ID did_ssh_version = {
        [129.187.20.9, F] = 1 @11/01-15:55,
        [212.144.77.26, T] = 2 @11/01-15:55,
        [141.84.116.26, T] = 10 @11/01-15:55,
        [217.232.245.249, T] = 1 @11/01-15:55,
        [217.235.217.149, T] = 1 @11/01-15:55,
        [129.187.39.13, F] = 2 @11/01-15:55,
        [129.187.208.139, F] = 1 @11/01-15:55,
    }

  The format may change in the future, and will probably be made an option.

- Similarly, you can print functions to get both a timestamp of the last time the given block was executed and a count of how often (Robin Sommer):

    ID record_connection = record_connection
    (@11/01-16:03 #6549)
        {
        id = c$id;
        local_init = is_local_addr(id$orig_h);
        local_addr = local_init ? id$orig_h : id$resp_h;
        remote_addr = local_init ? id$resp_h : id$orig_h;
        flags = local_init ? "L" : "";
        if (remote_addr in neighbor_nets)
        (@ #0)
            flags = cat(flags, "U");

        if ("" == flags)
        (@11/01-16:03 #2110)
            flags = "X";

        is_tcp = is_tcp_port(id$orig_p);
        ;
        if (is_tcp)
        (@11/01-16:03 #6549)
            {
            if (c$orig$state in conn_closed || c$resp$state in conn_closed
            )
            (@11/01-16:03 #4739)
                duration = fmt("%.6g", c$duration);
            else
            (@11/01-16:03 #1810)
                duration = "?";
        [...]

- You can now specify numbers using hex constants, e.g., 0xabcd = 43981 (Michael Kuhn and Benedikt Ostermaier).

- A new function, join_string_array(sep: string, a: string_array), concatenates strings in 'a' and inserts 'sep' between every two adjacent elements (Ruoming Pang). E.g., join_string_array(" ", {"a", "b", "c"}) returns "a b c", and join_string_array("", a) is the same as cat_string_array(a).

- checkpoint.bro now makes some services persistent by default (Robin Sommer).

- The new_packet event now includes both the associated connection and a pkt_hdr describing the packet (Robin Sommer).

- The functions connect_ssl() and connect_clear() have been replaced by a single connect() function taking an additional parameter to differentiate the types (Robin Sommer).

- The new function stop_listening() unbinds the listen port (Robin Sommer).

- A new flag packet_filter_default says whether the Bro-level packet-filter will by default accept all or reject everything (Robin Sommer).

- Function calls can now be sent to remote Bro's, though there isn't yet an interface for accessing this from the script level (Robin Sommer).

- Bro now has a generalized internal framework for serializing objects and monitoring access to state (Robin Sommer).

- Better memory allocation accounting (Robin Sommer).

- A minor tweak to the output generated by statistics.bro.

- Improved localization of source code for functions in messages (but there are still some bugs).

- Autoconf looks for -ltermcap (Robin Sommer).

- Fixes for bugs in the management of table expiration values (Chema Gonzalez).

- A bug in printing "void" values has been fixed (Chema Gonzalez).

- -t bug fixed (Chema Gonzalez).

- A bug has been fixed in which sometimes "expression value ignored" was erroneously generated.

- A bug with packet_contents and UDP packets with checksum errors has been fixed (Ruoming Pang).

- A memory leak in packet timestamp sorting via packet_sort_window has been fixed (Ruoming Pang).
- A bug has been fixed in expanding NULs when printing strings (Ruoming Pang).

- Bug fixes for extracting connection contents via contents.bro (Ruoming Pang).

- Bogus error message "Can't install default pcap filter" when using -F removed.

From anton at netForensics.com Thu Mar 25 09:33:40 2004
From: anton at netForensics.com (Anton Chuvakin, Ph.D.)
Date: Thu, 25 Mar 2004 12:33:40 -0500 (EST)
Subject: new bro "CURRENT" release - 0.8a79
In-Reply-To: <200403251725.i2PHPdCq024443@jaguar.icir.org>
References: <200403251725.i2PHPdCq024443@jaguar.icir.org>

> and the beginnings of IDMEF support.

Just curious, what is the motivation for IDMEF support? Just to be consistent with industry "standard" or something else? Basically, I am asking how users are supposed to use IDMEF in a production environment.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH - http://www.info-secure.org
Author of "Security Warrior" from O'Reilly - http://www.securitywarrior.com
Senior Security Analyst
Product Management Group
netForensics - http://www.netForensics.com

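The trw.bro item in Vern's 0.8a79 announcement above only names the Threshold Random Walk algorithm and says it is more sensitive than Bro's usual scan detector. As an added example that is not trw.bro's code, here is the sequential hypothesis test behind TRW written from the published algorithm (Jung et al.) and run over a constructed connection trace; the parameter values are the paper's defaults and are an assumption here, and the verdict names are this example's, not Bro event names.

```python
"""Added example, not trw.bro: Threshold Random Walk (TRW) scan detection as
a sequential hypothesis test over first-contact connection outcomes.
H0: the remote host is benign.  H1: the remote host is a scanner."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Model parameters (assumed here; they are the values used in the TRW paper).
THETA0 = 0.8   # P(first-contact connection succeeds | benign)
THETA1 = 0.2   # P(first-contact connection succeeds | scanner)
ALPHA = 0.01   # tolerated false-positive rate
BETA = 0.99    # desired detection rate

# Wald's thresholds on the likelihood ratio, kept in log space.
ETA1 = math.log(BETA / ALPHA)               # ~ +4.6: declare "scanner"
ETA0 = math.log((1 - BETA) / (1 - ALPHA))   # ~ -4.6: declare "benign"
# Per-observation log-likelihood-ratio updates.
LLR_SUCCESS = math.log(THETA1 / THETA0)               # ~ -1.39 per success
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))   # ~ +1.39 per failure


@dataclass
class SourceState:
    contacted: Set[str] = field(default_factory=set)  # local hosts already tried
    llr: float = 0.0                                  # running log-likelihood ratio
    verdict: Optional[str] = None                     # "scanner", "benign" or None


def observe(states: Dict[str, SourceState], src: str, dst: str,
            success: bool) -> Optional[str]:
    """Feed one connection attempt src -> dst. Only the FIRST contact with
    each distinct dst counts (repeat attempts carry no new evidence). Returns
    the verdict the moment the walk crosses a threshold, else None."""
    st = states.setdefault(src, SourceState())
    if st.verdict is not None or dst in st.contacted:
        return None
    st.contacted.add(dst)
    st.llr += LLR_SUCCESS if success else LLR_FAILURE
    if st.llr >= ETA1:
        st.verdict = "scanner"   # trw.bro would report the source here
    elif st.llr <= ETA0:
        st.verdict = "benign"    # stop testing this source
    return st.verdict


def run_trw(trace: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Replay (src, dst, succeeded) tuples and collect the verdicts reached."""
    states: Dict[str, SourceState] = {}
    verdicts: Dict[str, str] = {}
    for src, dst, ok in trace:
        v = observe(states, src, dst, ok)
        if v is not None:
            verdicts[src] = v
    return verdicts


def failures_to_flag() -> int:
    """Failed first-contact attempts (with no successes) needed to reach ETA1.
    With the parameters above this is 4, which is why TRW is so much more
    sensitive than a fixed 'N distinct hosts' scan threshold."""
    return math.ceil(ETA1 / LLR_FAILURE)


# Constructed trace (documentation-range addresses): one remote host probing
# distinct local hosts and failing, one remote host connecting successfully.
SAMPLE_TRACE = [
    ("192.0.2.77", "10.0.0.1", False),
    ("192.0.2.77", "10.0.0.2", False),
    ("192.0.2.77", "10.0.0.2", False),    # repeat contact: ignored
    ("192.0.2.77", "10.0.0.3", False),
    ("198.51.100.5", "10.0.0.1", True),
    ("198.51.100.5", "10.0.0.1", True),   # repeat contact: ignored
    ("198.51.100.5", "10.0.0.2", True),
    ("192.0.2.77", "10.0.0.4", False),    # 4th distinct failure -> scanner
    ("198.51.100.5", "10.0.0.3", True),
    ("198.51.100.5", "10.0.0.4", True),   # 4th distinct success -> benign
]

if __name__ == "__main__":
    print("failures needed to flag a scanner:", failures_to_flag())
    for src, verdict in run_trw(SAMPLE_TRACE).items():
        print(f"{src}: {verdict}")
```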
From: mspitze1 at optonline.net (Marc Spitzer) Date: Thu, 25 Mar 2004 13:19:37 -0500 Subject: new bro "CURRENT" release - 0.8a79 In-Reply-To: <200403251725.i2PHPdCq024443@jaguar.icir.org> References: <200403251725.i2PHPdCq024443@jaguar.icir.org> Message-ID: <20040325131937.1810aae3@bogomips.optonline.net> This really blows snort out of the water. Thank you, marc On Thu, 25 Mar 2004 09:25:39 -0800 Vern Paxson wrote: > An updated "CURRENT" version of Bro is now available from the usual > location: > > ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz > > This version has a lot of changes, including new analyzers, > documentation, language features, VLAN support, and the beginnings of > IDMEF support. I've appended the changes since the last "CURRENT" > version (0.8a70). > > Vern > > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- > +-+ > > > 0.8a79 Wed Mar 24 22:02:53 PST 2004 > > - Bro now has an SSL analyzer, written by Michael Kuhn and Benedikt > Ostermaier, > with further development by Scott Campbell. It generates the > following events: > > event process_X509_extensions(c: connection, ex: X509_extension) > event ssl_X509_error(c: connection, err: int, err_string: > string) event ssl_certificate(c: connection, cert: X509, > is_server: bool) event ssl_certificate_seen(c: connection, > is_server: bool) event ssl_conn_alert(c: connection, version: > count, level: count, > description: count) > event ssl_conn_attempt(c: connection, version: int) > event ssl_conn_established(c: connection, version: int, > cipher_suite: count) > event ssl_conn_reused(c: connection, session_id: sessionID) > event ssl_conn_server_reply(c: connection, version: int) > event ssl_conn_weak(name: string, c: connection) > event ssl_session_insertion(c: connection, id: sessionID) > > Note, it still has a lot of rough edges; particularly, handling > non-conformant input. 
It also generates unnecessary ContentGap > alerts due to the way it runs multiple analyzers (SSLv2 and SSLv3) > on a single connection. This will be fixed in the fairly near-term > future. > > - The manual has been updated with chapters on signatures (Robin > Sommer) > and using the interactive debugger (Umesh Shankar), along with a > partial description of the new SSL analyzer (Michael Kuhn and > Benedikt Ostermaier) and a number of updates to the documentation of > built-in functions (Umesh Shankar), though this latter is still not > complete since Umesh actually contributed this quite a while ago. > > - Ruoming Pang has contributed a crude analyzer for DCE/RPC (used for > Windows). > It generates simple dce_rpc_request and dce_rpc_reply events. It > should not be considered stable. > > - The traditional connection logging format (traditional_conn_format) > is no longer the default. The 0.8a70 release notes stated that this > was the case but this time it really is :-). > > - An experimental "vector" type has been added (Umesh Shankar). A > vector > is an aggregate type. For example: > > local suspect_hosts: vector of addr; > > You can randomly access elements starting with the first as 1, e.g., > > suspect_hosts[1] = 10.0.0.8; > > and can also add elements at later postions even if there are gaps: > > suspect_hosts[31337] = 10.0.0.9; > > *The semantics and capabilities of vectors will be changing > considerably.* > > - Umesh Shankar has developed a framework for generating IDMEF > messages. > Currently it needs a modified version of libidmef, which is not > included in this distribution. Contact me or Umesh if you want a > copy. > > - A new attribute &synchronized causes the given global variable to > be *synchronized* across concurrent instances of Bro (which are > intercommunicating via remote.bro). Any change made by one of them > to the variable will be reflected (soon after) in the copy at > the others. 
A new event remote_state_inconsistency is generated > if two instances both change the value before they're synchronized. > (Contributed by Robin Sommer.) > > - trw.bro implements a new scan detection algorithm, Threshold Random > Walk > (Jaeyeon Jung). It's described in an upcoming IEEE S&P symposium > paper. The analyzer generates two events: > > TRWAddressScan, # source flagged as scanner by TRW algorithm > TRWScanSummary, # summary of scanning activities reported by TRW > > TRW is generally much more sensitive than Bro's regular detection > algorithm. > > - vlan.bro provides support for VLAN encapsulation. More generally, > Bro > now has support for any sort of constant-offset encapsulation (Vinod > Yegneswaran). You specify the header size by redef'ing > encap_hdr_size. You can also redef tunnel_port to be a UDP port > which Bro treats as being the encapsulation (in the packet stream - > not addressed to it) rather than all traffic. > > - If you turn on statistics (i.e., via @load statistics) and also > redef > segment_profiling to T, then Bro will generate to the statistics > file a trace of its "segment" processing. A segment is a unit of > internal execution. Profiles look like: > > 1058517499.615430 segment-processing-packet dt=0.000013 dmem=0 > 1058517499.615430 segment-draining-events dt=0.000012 dmem=0 > 1058517499.615671 segment-expiring-timers dt=0.000010 dmem=0 > 1058517499.615671 segment-processing-packet dt=0.000010 dmem=0 > 1058517499.615671 segment-draining-events dt=0.000012 dmem=0 > 1058517499.615671 segment-policy/conn.bro:282 dt=0.000011 dmem=0 > 1058517499.615671 segment-policy/conn.bro:253 dt=0.000012 dmem=0 > > The first line states that at the given (packet) timestamp, the > event engine processed a packet, taking 13 usec of CPU time to do > so, and not consuming any memory (from the kernel's perspective; > this is *not* fine-grained memory consumption). 
The next lines > indicate 12 usec were spent draining events and 10 usec expiring > timers. The last two lines indicate that the functions at lines 282 > and 253 in conn.bro were executed, requiring 11 usec and 12 usec, > respectively. > > Note #1: timings are just what rusage() reports, so not necessarily > very accurate for small times. > > Note #2: there's a bug in tracking function line numbers that hasn't > been ferreted out yet, so they're only roughly correct. > > - The inactivity_timeout global has been split into > tcp_inactivity_timeout/ > udp_inactivity_timeout/icmp_inactivity_timeout (Robin Sommer). > Using this, the default inactivity timeouts for UDP and ICMP have > been changed from "no timeout" to 10 seconds. This is needed > because otherwise analyzing a stream of UDP or ICMP traffic > generally gobbles up memory quickly and never recovers it; and > there's seems little point in trying to consolidate > long-lived-but-often-inactive UDP/ICMP streams. > > - The new policy script cpu-adapt.bro is an extension to > load-levels.bro > (see CHANGES for 0.8a37 below) to adapt the packet filter based on > the current CPU load. If the load is below cpu_lower_limit (default > 40%), the load-level is decreased. If it's above cpu_upper_limit > (default 90%), it's increased. (Robin Sommer) > > - The new policy script hand-over.bro can be used for a new running > instance of Bro to smoothly take over operation from an old > instance, i.e., it implements hand-over of state between two Bro > instances when checkpointing (Robin Sommer). First, all persistent > data (i.e. variables declared &persistent and connections for which > make_connection_persistent() has been called) is transferred from > the old instance to the new instance. Then the old instance > terminates itself and the new one starts processing. > > The host from which we want to take over the state has to be added > to remote_peers_clear (or remote_peers_ssl), setting hand_over to T. 
> The host which is allowed to perform a hand-over with us has to be > added with a port of 0/tcp and hand_over=T. An example for a > handover between two instances on the same machine: > > @load hand-over > redef remote_peers_clear += { > [127.0.0.1, 47756/tcp] = [$hand_over = T], > [127.0.0.1, 0/tcp] = [$hand_over = T] > }; > > (This interface may be subject to change in the future.) > > - New script functions (Robin Sommer): > > function terminate() > Terminates Bro via SIGTERM. > > function dump_config() > Dumps Bro's full configuration into state_dir (one file per > variable/type/function, etc.) > > function send_state(ip: addr, p: port) > Send all of persistent state to the remote host. > > function set_accept_state(ip: addr, p: port, accept: bool) > If accept is true, state sent by the given host will be > accepted (default: false) > > function make_connection_persistent(c: connection) > Declare the given connection state to be persistent (i.e. > to be saved upon termination and exchanged by send_state). > checkpoint.bro uses this to declare some services to be > persistent by default. > > function is_local_interface(ip: addr): bool > Returns true if the given address is assigned to a local > interface. > > - Printing of sets and tables now includes timestamps indicating when > the > element was added (Robin Sommer): > > ID did_ssh_version = { > [129.187.20.9, F] = 1 @11/01-15:55, > [212.144.77.26, T] = 2 @11/01-15:55, > [141.84.116.26, T] = 10 @11/01-15:55, > [217.232.245.249, T] = 1 @11/01-15:55, > [217.235.217.149, T] = 1 @11/01-15:55, > [129.187.39.13, F] = 2 @11/01-15:55, > [129.187.208.139, F] = 1 @11/01-15:55, > } > > The format may change in the future, and will probably be made an > option. 
> > - Similarly, you can print functions to get both a timestamp of the > last > time the given block was executed and a count of how often (Robin > Sommer): > > ID record_connection = record_connection > (@11/01-16:03 #6549) > { > id = c$id; > local_init = is_local_addr(id$orig_h); > local_addr = local_init ? id$orig_h : id$resp_h; > remote_addr = local_init ? id$resp_h : id$orig_h; > flags = local_init ? "L" : ""; > if (remote_addr in neighbor_nets) > (@ #0) > flags = cat(flags, "U"); > > if ("" == flags) > (@11/01-16:03 #2110) > flags = "X"; > > is_tcp = is_tcp_port(id$orig_p); > ; > if (is_tcp) > (@11/01-16:03 #6549) > { > if (c$orig$state in conn_closed || c$resp$state in > conn_closed > ) > (@11/01-16:03 #4739) > duration = fmt("%.6g", c$duration); > else > (@11/01-16:03 #1810) > duration = "?"; > [...] > > - You can now specify numbers using hex constants, e.g., 0xabcd = > 43981 > (Michael Kuhn and Benedikt Ostermaier). > > - A new function, join_string_array(sep: string, a: string_array) > concatenates > strings in 'a' and inserts 'sep' between every two adjacent elements > (Ruoming Pang). E.g., join_string_array("", {"a", "b", "c"}) > returns"a b c", and join_string_array("", a) is the same as > cat_string_array(a). > > - checkpoint.bro now makes some services persistent by default > (Robin Sommer). > > - The new_packet event now includes both the associated connection > and a pkt_hdr describing the packet (Robin Sommer). > > - The functions functions connect_ssl() and connect_clear() have been > replaced > by a single connect() function taking an additional parameter to > differentiate the types (Robin Sommer). > > - The new function stop_listening() unbinds the listen port (Robin > Sommer). > > - A new flag packet_filter_default says whether the Bro-level > packet-filter > will by default accept all or reject everything (Robin Sommer). 
>
> - Function calls can now be sent to remote Bro's, though there isn't
>   yet an interface for accessing this from the script level (Robin
>   Sommer).
>
> - Bro now has a generalized internal framework for serializing
>   objects and monitoring access to state (Robin Sommer).
>
> - Better memory allocation accounting (Robin Sommer).
>
> - A minor tweak to the output generated by statistics.bro.
>
> - Improved localization of source code for functions in messages (but
>   there are still some bugs).
>
> - Autoconf looks for -ltermcap (Robin Sommer).
>
> - Fixes for bugs in the management of table expiration values (Chema
>   Gonzalez).
>
> - A bug in printing "void" values has been fixed (Chema Gonzalez).
>
> - -t bug fixed (Chema Gonzalez).
>
> - A bug has been fixed in which sometimes "expression value ignored"
>   was erroneously generated.
>
> - A bug with packet_contents and UDP packets with checksum errors
>   has been fixed (Ruoming Pang).
>
> - A memory leak in packet timestamp sorting via packet_sort_window
>   has been fixed (Ruoming Pang).
>
> - A bug has been fixed in expanding NULs when printing strings
>   (Ruoming Pang).
>
> - Bug fixes for extracting connection contents via contents.bro
>   (Ruoming Pang).
>
> - Bogus error message "Can't install default pcap filter" when using
>   -F removed.

From bpatters at fit.edu Thu Mar 25 10:30:43 2004
From: bpatters at fit.edu (Bryan)
Date: Thu, 25 Mar 2004 13:30:43 -0500
Subject: Bryan's test
Message-ID: <1080239443.6671.12.camel@localhost.localdomain>

First time here, just testing!

Bryan

From bpatters at fit.edu Thu Mar 25 10:52:44 2004
From: bpatters at fit.edu (Bryan Patterson)
Date: Thu, 25 Mar 2004 13:52:44 -0500
Subject: An easier way to look at the "get bro archive" file from Majordomo@lbl.gov...
Message-ID: <1080240764.6671.19.camel@localhost.localdomain>

Hello all,

I wrote a little program in Java to browse the Bro archive. It takes the
archive file that is sent with the "get bro archive" command and parses
it into individual html files that each contain a single posting.

You can download it from http://my.fit.edu/~bpatters/BroArchiveParser.tgz

It contains the source code for the parser and a readme file.

Sorry, it's not in C/C++. Java is my strongest language at the present
time. Use it as you wish. Let me know what you think. I can adjust it if
you would like me to.

Bryan Patterson
Florida Tech

From anton at netForensics.com Thu Mar 25 13:39:56 2004
From: anton at netForensics.com (Anton Chuvakin, Ph.D.)
Date: Thu, 25 Mar 2004 16:39:56 -0500 (EST)
Subject: release - 0.8a79: compile problems
In-Reply-To: <200403251725.i2PHPdCq024443@jaguar.icir.org>
References: <200403251725.i2PHPdCq024443@jaguar.icir.org>
Message-ID:

0. cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

1. ./configure --disable-openssl

2. make

g++ -o bro main.o net_util.o util.o parse.o scan.o re-parse.o re-scan.o rule-parse.o rule-scan.o Active.o Anon.o Attr.o BackDoor.o Base64.o BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o DCE_RPC.o DFA.o DNS.o DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o Debug.o DebugCmds.o Desc.o Dict.o Discard.o EquivClass.o Event.o EventHandler.o EventRegistry.o Expr.o FTP.o File.o Finger.o Frag.o Frame.o Func.o Gnutella.o HTTP.o Hash.o ICMP.o ID.o Ident.o IntSet.o InterConn.o List.o Logger.o Login.o MIME.o NFA.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o PacketFilter.o PacketSort.o PktSrc.o PolicyFile.o Portmap.o PrefixTable.o PriorityQueue.o Queue.o RE.o RPC.o Reassem.o RemoteSerializer.o Rlogin.o Rule.o RuleAction.o RuleCondition.o RuleMatcher.o SMTP.o SSH.o Scope.o SerializationFormat.o SerialObj.o Serializer.o Sessions.o StateAccess.o Stats.o SteppingStone.o Stmt.o TCP.o TCP_Contents.o TCP_Endpoint.o TCP_Rewriter.o Telnet.o Timer.o Type.o UDP.o Val.o Var.o XDR.o cq.o md5.o patricia.o setsignal.o version.o nb_dns.o -Llibedit -ledit -lresolv -lpcap -lpcap /usr/lib/libresolv.a -ltermcap -lm
Sessions.o: In function `NetSessions::NewConn(HashKey *, double, ConnID const *, tcphdr const *)':
Sessions.o(.text+0x41a4): undefined reference to `SSL_ConnectionProxy::SSL_ConnectionProxy(NetSessions *, HashKey *, double, ConnID const *, tcphdr const *)'
collect2: ld returned 1 exit status
make: *** [bro] Error 1

Any ideas?

Same error happens if ssl is not disabled.
--
Anton Chuvakin, Ph.D., GCIA, GCIH - http://www.info-secure.org
Author of "Security Warrior" from O'Reilly - http://www.securitywarrior.com
Senior Security Analyst
Product Management Group
netForensics - http://www.netForensics.com

From vern at icir.org Thu Mar 25 13:53:40 2004
From: vern at icir.org (Vern Paxson)
Date: Thu, 25 Mar 2004 13:53:40 -0800
Subject: release - 0.8a79: compile problems
In-Reply-To: Your message of Thu, 25 Mar 2004 16:39:56 EST.
Message-ID: <200403252153.i2PLreCq075626@jaguar.icir.org>

> Sessions.o(.text+0x41a4): undefined reference to
> `SSL_ConnectionProxy::SSL_ConnectionProxy(NetSessions *, HashKey *, double, ConnID const *, tcphdr const *)'
> collect2: ld returned 1 exit status
> make: *** [bro] Error 1
>
> Any ideas?
>
> Same error happens if ssl is not disabled.

Oops. Try the appended patch for use in the --disable-openssl case.

		Vern

--- Sessions.cc.ORIG	2004/03/21 17:23:25	1.97
+++ Sessions.cc	2004/03/25 21:53:03
@@ -944,6 +944,7 @@
 		c = new TCP_NetbiosSSN(this, k, t, id, tp);
 		break;
+#ifdef USE_OPENSSL
 	case 443:	// https
 	case 563:	// nntps
 	case 585:	// imap4-ssl (old, use imaps)
@@ -959,6 +960,7 @@
 		    ssl_conn_attempt || ssl_conn_server_reply ||
 		    ssl_conn_established || ssl_conn_reused || ssl_conn_alert)
 			c = new SSL_ConnectionProxy(this, k, t, id, tp);
+#endif
 		break;
 	case 6346:
@@ -1045,6 +1047,7 @@
 	case 6346:
 	case 8436:
+#ifdef USE_OPENSSL
 	// SSL-relatd ports:
 	case 443:
 	case 563:
@@ -1057,6 +1060,7 @@
 	case 993:
 	case 994:
 	case 995:
+#endif
 	// Not analyzed (yet), but give a hint which side the server is.
 	case 110:

From mspitze1 at optonline.net Sat Mar 27 12:40:43 2004
From: mspitze1 at optonline.net (Marc Spitzer)
Date: Sat, 27 Mar 2004 15:40:43 -0500
Subject: Fw: list
Message-ID: <20040327154043.34e63619@bogomips.optonline.net>

get bro archive
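Review bot: In the first two hunks (@@ -944 and @@ -959) the `#endif` is placed before the `break;` that ends the SSL case block, so a --disable-openssl build is left with `break;` immediately followed by a second, unreachable `break;` after the TCP_NetbiosSSN case. It compiles, but it is untidy and invites a compiler warning; moving `#endif` to just after that `break;` (so the whole SSL block, labels through `break;`, disappears together) is cleaner and leaves `case 6346:` directly after the NetbiosSSN `break;`.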
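Review bot: In the third and fourth hunks (@@ -1045 and @@ -1057) the `#ifdef USE_OPENSSL` guard removes the port labels 443 through 995 from a switch whose only visible job for them is the fall-through into the "give a hint which side the server is" handling at `case 110:`. That hint does not depend on OpenSSL being compiled in, so a --disable-openssl build silently loses the server-side hint for SSL ports while fixing the link error. Only the `new SSL_ConnectionProxy(...)` in the first switch actually needs the guard; consider leaving these labels unconditional, or at least note the behaviour change in the commit message.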