From joncarlo at ucdavis.edu Fri Apr 1 07:29:05 2005
From: joncarlo at ucdavis.edu (Joncarlo Ruggieri)
Date: Fri, 1 Apr 2005 07:29:05 -0800 (PST)
Subject: [Bro] Getting Started w/Bro
Message-ID:

Hi,

I am trying to run Bro v.9a8 on RedHat Enterprise Linux 4. I have had to modify a few things to get this to run properly, and I'm not certain everything is working. Does anyone have instructions for installing Bro on RedHat? Or should I just use FreeBSD instead?

Also, I am trying to use newer Snort signatures but am not sure just how to do so. I had to grab snort2bro from Bro v.8a88, since I didn't find the script in v.9a8. I was able to create a converted file of signatures, but I'm not sure what to do with it, or how to get it loaded. My questions are:

1) should this be named *.sig or *.bro
2) where should the file be placed? /usr/local/bro/site/ ?
3) what do I modify (and how) so that these signatures are loaded/used?

Any help would be greatly appreciated. Thanks!

Joncarlo Ruggieri
University of CA, Davis
Data Center & Client Services
530-752-3963
jruggieri at ucdavis.edu

From berry1.0 at gmail.com Tue Apr 5 01:32:46 2005
From: berry1.0 at gmail.com (Dana Zhang)
Date: Tue, 5 Apr 2005 18:32:46 +1000
Subject: [Bro] Bro on other Packet Trace Dumps.
In-Reply-To: <6cfa3946370b381ec1ed61b5d1e54fbe@dcs.gla.ac.uk>
References: <1111496096.424015a02f60e@email.ee.ethz.ch> <58dff9ecfb3680a0a37c64c009c9942d@dcs.gla.ac.uk> <6cfa3946370b381ec1ed61b5d1e54fbe@dcs.gla.ac.uk>
Message-ID:

Whoops. I'll CC it now.

On Apr 5, 2005 6:26 PM, Jonathan Paisley wrote:
> On 5 Apr 2005, at 9:11, Dana Zhang wrote:
>
> > Can I assume that dagconvert comes with endace and I can not actually
> > download it from the web anywhere? I did not capture the packets
> > myself so I do not actually have an Endace monitoring card.
>
> Ah, you're right. dagconvert is part of the dag driver package, which
> is only available with the card.
>
> > I downloaded dagtools from http://dag.cs.waikato.ac.nz/ (thanks
> > christoph) and used dagbpf to convert from my format to tcpdump.
> > Unfortunately I am still unable to run bro. Bro gives me this error:
> >
> > bro: problem with trace file 19991120-124258-0TCP - unknown data link
> > type 0xb
>
> I suspect dagbpf only works with old-format DAG trace files, and as a
> result is producing nonsense pcap files.
>
> Recent versions of ethereal support reading ERF format traces. As a
> result, you can use the command line 'tethereal' to convert:
>
> $ tethereal -r dagtrace -w pcaptrace
>
> It's not very fast, however.
>
> If it's okay with you, please CC any replies back to the bro list so
> this can go in the archives.
>
> Thanks.

From bchen at cs.ucf.edu Wed Apr 6 14:16:26 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Wed, 6 Apr 2005 17:16:26 -0400
Subject: [Bro] how to add new event to Bro
Message-ID: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>

Hi all,

I am new to Bro. I want to add new events to Bro. These events would occur when some statistical parameters across multiple sessions to an internal host/network exceed their thresholds. An example event would be that the number of connections made from external hosts to a monitored internal host exceeds 100 in the last two seconds. Another example event would be that the number of rejected connection requests to my internal network exceeds 200 in the last two minutes. Does anyone know how to create such events?

Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3. A success message was displayed on the screen. But when I check the status, it is not running. After I tried to run Bro again, the following error message appears:

=============================================================================
[root at localhost etc]# ./bro.rc --start
bro.rc: Running as non-root user root
bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
bro.rc: Failed to start Bro
Error in signature (signatures:1803): unknown identifier (dataSizeG100)
Error in signature (signatures:1815): unknown identifier (dataSizeG100)
Error in signature (signatures:1838): unknown identifier (dataSizeG100)
Error in signature (signatures:1850): unknown identifier (dataSizeG100)
...................
.... FAILED
=============================================================================

I then comment out the following statements in my local site, and Bro works properly.

redef signature_files += "sig-addendum";
redef signature_files += "signatures";

Does anyone know what this problem is?

thanks for your time

Bing

From joncarlo at ucdavis.edu Wed Apr 6 14:37:17 2005
From: joncarlo at ucdavis.edu (Joncarlo Ruggieri)
Date: Wed, 6 Apr 2005 14:37:17 -0700 (PDT)
Subject: [Bro] how to add new event to Bro
In-Reply-To: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
References: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
Message-ID:

Hi,

I'm running Bro on Red Hat Enterprise Linux 4.

I too had the error below regarding a bogus '-'.

The culprit was bro.rc. In this subroutine:

pidisrunning() {

    else
        # the rest of *NIX
        _running_pid=`ps -o "pid,command" -ax | grep "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
    fi

remove the "-" from "-ax" for the "ps" command. The revised line would be:

        _running_pid=`ps -o "pid,command" ax | grep "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`

Hope that helps!

Joncarlo Ruggieri
University of CA, Davis

On Wed, 6 Apr 2005 bchen at cs.ucf.edu wrote:

> Hi all,
> I am new to Bro. I want to add new events to Bro. These events would occur
> when some statistical parameters across multiple sessions to an internal
> host/network exceed their thresholds. An example event would be that the number
> of connections made from external hosts to a monitored internal host exceeds
> 100 in the last two seconds. Another example event would be that the number of
> rejected connection requests to my internal network exceeds 200 in the last two
> minutes. Does anyone know how to create such events?
> Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3.
> A success message was displayed on the screen. But when I check the status, it is
> not running. After I tried to run Bro again, the following error message
> appears:
> =============================================================================
> [root at localhost etc]# ./bro.rc --start
> bro.rc: Running as non-root user root
> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
> /usr/share/doc/procps-3.2.3/FAQ
> bro.rc: Failed to start Bro
> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
> ...................
> .... FAILED
> =============================================================================
>
> I then comment out the following statements in my local site, and Bro works
> properly.
>
> redef signature_files += "sig-addendum";
> redef signature_files += "signatures";
>
> Does anyone know what this problem is?
>
> thanks for your time
>
> Bing
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From aashish at uiuc.edu Wed Apr 6 14:49:10 2005
From: aashish at uiuc.edu (Aashish Sharma)
Date: Wed, 6 Apr 2005 16:49:10 -0500
Subject: [Bro] how to add new event to Bro
In-Reply-To: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
Message-ID: <20050406214910.GA13286@uiuc.edu>

Your second question:

I think that due to the interdependency of the signature-related policy files they all need to be loaded (or not loaded) together.
You need to define the use_signatures variable in ../policy/brolite.bro as T (true) to enable all the signature-related policy files to be loaded.

Aashish Sharma

On Wed, Apr 06, 2005 at 05:16:26PM -0400, bchen at cs.ucf.edu wrote:
> Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3.
> A success message was displayed on the screen. But when I check the status, it is
> not running. After I tried to run Bro again, the following error message
> appears:
> =============================================================================
> [root at localhost etc]# ./bro.rc --start
> bro.rc: Running as non-root user root
> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
> /usr/share/doc/procps-3.2.3/FAQ
> bro.rc: Failed to start Bro
> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
> ...................
> .... FAILED
> =============================================================================
>
> I then comment out the following statements in my local site, and Bro works
> properly.
>
> redef signature_files += "sig-addendum";
> redef signature_files += "signatures";
>
> Does anyone know what this problem is?
>
> thanks for your time
>
> Bing

From bchen at cs.ucf.edu Wed Apr 6 18:17:05 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Wed, 6 Apr 2005 21:17:05 -0400
Subject: [Bro] how to add new event to Bro
In-Reply-To:
References: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
Message-ID: <20050406211705.1jcgwt33nkw4o0sg@mail.cs.ucf.edu>

Thanks. That helps.

Bing

Quoting Joncarlo Ruggieri :

> Hi,
>
> I'm running Bro on Red Hat Enterprise Linux 4.
>
> I too had the error below regarding a bogus '-'.
>
> The culprit was bro.rc.
>
> In this subroutine:
>
> pidisrunning() {
>
>     else
>         # the rest of *NIX
>         _running_pid=`ps -o "pid,command" -ax | grep
> "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
>     fi
>
>
> remove the "-" from "-ax" for the "ps" command. The revised line would
> be:
>
>         _running_pid=`ps -o "pid,command" ax | grep
>
>
>
>
> Hope that helps!
>
> Joncarlo Ruggieri
> University of CA, Davis
>
>
>
> On Wed, 6 Apr 2005 bchen at cs.ucf.edu wrote:
>
>> Hi all,
>> I am new to Bro. I want to add new events to Bro. These events
>> would occur
>> when some statistical parameters across multiple sessions to an internal
>> host/network exceed their thresholds. An example event would be that
>> the number
>> of connections made from external hosts to a monitored internal
>> host exceeds
>> 100 in the last two seconds. Another example event would be that the number of
>> rejected connection requests to my internal network exceeds 200 in the last two
>> minutes. Does anyone know how to create such events?
>> Another problem I met when I tried to run Bro (./bro.rc --start)
>> in Fedora 3.
>> A success message was displayed on the screen. But when I check the
>> status, it is
>> not running. After I tried to run Bro again, the following error message
>> appears:
>> =============================================================================
>> [root at localhost etc]# ./bro.rc --start
>> bro.rc: Running as non-root user root
>> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
>> /usr/share/doc/procps-3.2.3/FAQ
>> bro.rc: Failed to start Bro
>> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
>> ...................
>> .... FAILED
>> =============================================================================
>>
>> I then comment out the following statements in my local site, and Bro works
>> properly.
>>
>> redef signature_files += "sig-addendum";
>> redef signature_files += "signatures";
>>
>> Does anyone know what this problem is?
>>
>> thanks for your time
>>
>> Bing
>>
>

From bchen at cs.ucf.edu Wed Apr 6 18:23:49 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Wed, 6 Apr 2005 21:23:49 -0400
Subject: [Bro] how to add new event to Bro
In-Reply-To: <20050406214910.GA13286@uiuc.edu>
References: <20050406214910.GA13286@uiuc.edu>
Message-ID: <20050406212349.4vagsc89wk00kso8@mail.cs.ucf.edu>

Hi Aashish,

Thanks. That helps. Any thoughts about my first question?

Bing

Quoting Aashish Sharma :

> Your second question:
>
> I think that due to the interdependency of the signature-related policy files they
> all need to be loaded (or not loaded) together.
>
> You need to define the use_signatures variable in ../policy/brolite.bro
> as T (true) to enable all the signature-related policy files to be
> loaded.
>
> Aashish Sharma
>
>
>
> On Wed, Apr 06, 2005 at 05:16:26PM -0400, bchen at cs.ucf.edu wrote:
>> Another problem I met when I tried to run Bro (./bro.rc --start)
>> in Fedora 3.
>> A success message was displayed on the screen. But when I check the
>> status, it is
>> not running. After I tried to run Bro again, the following error message
>> appears:
>> =============================================================================
>> [root at localhost etc]# ./bro.rc --start
>> bro.rc: Running as non-root user root
>> bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
>> /usr/share/doc/procps-3.2.3/FAQ
>> bro.rc: Failed to start Bro
>> Error in signature (signatures:1803): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1815): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1838): unknown identifier (dataSizeG100)
>> Error in signature (signatures:1850): unknown identifier (dataSizeG100)
>> ...................
>> .... FAILED
>> =============================================================================
>>
>> I then comment out the following statements in my local site, and Bro works
>> properly.
>>
>> redef signature_files += "sig-addendum";
>> redef signature_files += "signatures";
>>
>> Does anyone know what this problem is?
>>
>> thanks for your time
>>
>> Bing
>

From sommer at in.tum.de Thu Apr 7 00:02:17 2005
From: sommer at in.tum.de (Robin Sommer)
Date: Thu, 7 Apr 2005 09:02:17 +0200
Subject: [Bro] Re: Bro Packet Trace Dumps.
In-Reply-To: <20050330202421.GA4119@uiuc.edu>
References: <5D84748D74FD05FF879D8BFC@[192.168.0.2]> <20050330202421.GA4119@uiuc.edu>
Message-ID: <20050407070216.GA32289@net.informatik.tu-muenchen.de>

On Wed, Mar 30, 2005 at 14:24 -0600, aashish at uiuc.edu wrote:
> Is it possible to set up bro to define the size at which the bulk trace file should roll over
> and not have any other log files roll over (even if the bulk trace files roll over at 2G)?

Not right now. You can have the bulk trace file rolled over by setting log_max_size and adding its filename to RotateLogs::aux_files (see rotate-logs.bro).
But then log_max_size affects all log files for which no explicit size has been defined with &rotate_size.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de

From christian at whoop.org Thu Apr 7 18:28:02 2005
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 08 Apr 2005 02:28:02 +0100
Subject: [Bro] how to add new event to Bro
In-Reply-To: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
References: <20050406171626.9311zsg28cg00kgs@mail.cs.ucf.edu>
Message-ID: <1112923683.12366.144.camel@localhost>

Hi Bing,

On Wed, 2005-04-06 at 17:16 -0400, bchen at cs.ucf.edu wrote:
> Hi all,
> I am new to Bro. I want to add new events to Bro. These events would occur
> when some statistical parameters across multiple sessions to an internal
> host/network exceed their thresholds. An example event would be that the number
> of connections made from external hosts to a monitored internal host exceeds
> 100 in the last two seconds. Another example event would be that the number of
> rejected connection requests to my internal network exceeds 200 in the last two
> minutes. Does anyone know how to create such events?

it all depends on what kinds of events trigger updates to your statistical parameters, and whether those elementary events already exist or not. Generally a good way to find existing events is by looking at src/event.bif, which lists all events the core can trigger. If you find suitable building blocks in there, you can start with a new policy script that maintains state through the event handlers for the event types you're interested in. If you cannot find anything suitable (which, at least for network-based events, is rather unlikely), you might have to extend the core to support new events to be handled by your policy scripts.

In your case, the event types connection_attempt() and connection_rejected() sound ideal. In their respective handlers, you can maintain connection state in a number of tables to achieve what you want. When you notice that the rate limits you defined are exceeded, you can trigger an event "manually" using the event() statement, or just perform the corresponding action directly in the state-maintaining code.

Have a look at scan.bro for an example of something that is similar to what you want; also check out this thread in the archives:

http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html

Hope this helps.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From bchen at cs.ucf.edu Fri Apr 8 14:14:38 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Fri, 8 Apr 2005 17:14:38 -0400
Subject: [Bro] Re: how to add new event to Bro
In-Reply-To: <200504081901.j38J1ASO025906@fruitcake.ICSI.Berkeley.EDU>
References: <200504081901.j38J1ASO025906@fruitcake.ICSI.Berkeley.EDU>
Message-ID: <20050408171438.i2gu4xjxogww8wgc@mail.cs.ucf.edu>

Hi Christian,

Thank you for your suggestion. I will try this way and put my results on this mailing list.

Bing

>
> it all depends on what kinds of events trigger updates to your
> statistical parameters, and whether those elementary events already
> exist or not. Generally a good way to find existing events is by looking
> at src/event.bif, which lists all events the core can trigger. If you
> find suitable building blocks in there, you can start with a new policy
> script that maintains state through the event handlers for the event types
> you're interested in. If you cannot find anything suitable (which, at
> least for network-based events, is rather unlikely), you might have to
> extend the core to support new events to be handled by your policy
> scripts.
>
> In your case, the event types connection_attempt() and
> connection_rejected() sound ideal. In their respective handlers, you can
> maintain connection state in a number of tables to achieve what you
> want. When you notice that the rate limits you defined are exceeded, you
> can trigger an event "manually" using the event() statement, or just
> perform the corresponding action directly in the state-maintaining code.
>
> Have a look at scan.bro for an example of something that is similar to what
> you want; also check out this thread in the archives:
>
> http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html
>
> Hope this helps.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>

From SKelly at facetime.com Fri Apr 15 09:56:08 2005
From: SKelly at facetime.com (Scott Kelly)
Date: Fri, 15 Apr 2005 09:56:08 -0700
Subject: [Bro] question about tcpdump logging
Message-ID: <2793827F112DA440B3565E936098BF28067E7878@mailman.facetime.com>

The Bro documentation mentions a capability for logging packets in tcpdump format:

http://bro-ids.org/Bro-reference-manual/tcpdump-save-file-that-Bro-writes.html

But I can't find any further references or figure out how this is done. I looked back through the archives a bit, but don't have time to thoroughly scour them for any reference. Can anyone help?

Thanks,

Scott

From christian at whoop.org Fri Apr 15 12:23:58 2005
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 15 Apr 2005 20:23:58 +0100
Subject: [Bro] question about tcpdump logging
In-Reply-To: <2793827F112DA440B3565E936098BF28067E7878@mailman.facetime.com>
References: <2793827F112DA440B3565E936098BF28067E7878@mailman.facetime.com>
Message-ID: <1113593038.26893.51.camel@localhost>

Hi Scott,

check out the -w flag as described on

http://www.bro-ids.org/Bro-reference-manual/Flags.html#Flags

Cheers,
Christian.

On Fri, 2005-04-15 at 09:56 -0700, Scott Kelly wrote:
> The Bro documentation mentions a capability for logging packets in
> tcpdump format:
>
> http://bro-ids.org/Bro-reference-manual/tcpdump-save-file-that-Bro-writes.html
>
> But I can't find any further references or figure out how this is done.
> I looked back through the archives a bit, but don't have time to
> thoroughly scour them for any reference. Can anyone help?
>
> Thanks,
>
> Scott
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From bchen at cs.ucf.edu Fri Apr 22 15:45:32 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Fri, 22 Apr 2005 18:45:32 -0400
Subject: [Bro] time format
In-Reply-To: <200504161903.j3GJ3WSO015571@fruitcake.ICSI.Berkeley.EDU>
References: <200504161903.j3GJ3WSO015571@fruitcake.ICSI.Berkeley.EDU>
Message-ID: <20050422184532.7woq72rry8wcsgc4@mail.cs.ucf.edu>

Hi,

Does anybody know how to print a time in a readable format, something like 04/22/2005 12:00:00, with the Bro language? I couldn't find such a format in the existing bro scripts. thanks.

Bing

From vern at icir.org Fri Apr 22 16:00:15 2005
From: vern at icir.org (Vern Paxson)
Date: Fri, 22 Apr 2005 16:00:15 -0700
Subject: [Bro] time format
In-Reply-To: Your message of Fri, 22 Apr 2005 18:45:32 EDT.
Message-ID: <200504222300.j3MN0FLX023476@jaguar.icir.org>

> Does anybody know how to print a time in a readable format, something like
> 04/22/2005 12:00:00, with the Bro language? I couldn't find such a format in the
> existing bro scripts. thanks.

There's a "strftime(fmt: string, d: time): string" function you can call.

Vern

From bchen at cs.ucf.edu Fri Apr 22 19:55:07 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Fri, 22 Apr 2005 22:55:07 -0400
Subject: [Bro] time format
Message-ID: <20050422225507.had1673lcswk8gss@mail.cs.ucf.edu>

Vern, thank you for your quick response.

Bing

Quoting Vern Paxson :

>> Does anybody know how to print a time in a readable format, something like
>> 04/22/2005 12:00:00, with the Bro language? I couldn't find such a format in the
>> existing bro scripts. thanks.
>
> There's a "strftime(fmt: string, d: time): string" function you can call.
>
> Vern
>

From goeldich at ee.ethz.ch Mon Apr 25 06:25:01 2005
From: goeldich at ee.ethz.ch (Christoph Goeldi)
Date: Mon, 25 Apr 2005 15:25:01 +0200
Subject: [Bro] Running Bro NOT as root under Linux
Message-ID: <426CEFAD.9020909@ee.ethz.ch>

Hi

Does anyone have a clue how to run Bro as a user other than root under Linux? Libpcap has had some buffer overflows in the past, so it would be very nice if we didn't have to run Bro as root.

Thanks for any help

Christoph

From sommer at in.tum.de Mon Apr 25 06:57:55 2005
From: sommer at in.tum.de (Robin Sommer)
Date: Mon, 25 Apr 2005 15:57:55 +0200
Subject: [Bro] Running Bro NOT as root under Linux
In-Reply-To: <426CEFAD.9020909@ee.ethz.ch>
References: <426CEFAD.9020909@ee.ethz.ch>
Message-ID: <20050425135755.GC16861@net.informatik.tu-muenchen.de>

On Mon, Apr 25, 2005 at 15:25 +0200, Christoph Goeldi wrote:
> Does anyone have a clue how to run Bro as a user other than root
> under Linux?

On Linux, that's not possible without modifying the kernel. However, if patching the kernel is an option, here's a patch:

http://www.net.informatik.tu-muenchen.de/~robin/patches/capture_group.html

(Note that this is an *ugly* hack...)

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de

From zreimer2 at unlnotes.unl.edu Mon Apr 25 12:15:38 2005
From: zreimer2 at unlnotes.unl.edu (Zachary P Reimer)
Date: Mon, 25 Apr 2005 14:15:38 -0500
Subject: [Bro] Zachary P Reimer/IS/UNL/UNEBR is out of the office.
Message-ID:

I will be out of the office starting 04/24/2005 and will not return until 04/29/2005. I will be checking messages occasionally through the week.

From christian at whoop.org Thu Apr 28 07:53:57 2005
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 28 Apr 2005 15:53:57 +0100
Subject: [Bro] Broccoli 0.7 released
Message-ID: <1114700037.14197.363.camel@localhost>

Hi all,

Broccoli 0.7 is now available in tar.gz and RPM formats from

http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html

The main novelty in this release is connection sharing between multiple processes. You can now create a connection to a remote Bro in one process and concurrently use that connection from other processes thanks to access synchronization in shared memory. The same holds for access from multiple threads.

Not everything is documented in the manual yet, but all the gory details are in the ChangeLog:

http://www.cl.cam.ac.uk/~cpk25/broccoli/ChangeLog

Bug reports, patches, etc are all welcome.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From aashish at uiuc.edu Fri Apr 29 12:46:46 2005
From: aashish at uiuc.edu (Aashish Sharma)
Date: Fri, 29 Apr 2005 14:46:46 -0500
Subject: [Bro] regular expressions in bro signatures (payload)
Message-ID: <20050429194646.GA4558@uiuc.edu>

Hello All:

I have been trying to port some bleeding-edge snort signatures to bro to detect bots on the network. I used the s2b or snort2bro.pl script to convert these snort signatures to bro format, but the script ignores the pcre (perl compatible regular expression) directive and comments it out (refer to the signature below):

signature sid-2001787 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: pcre: /(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i
  event "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command"
  tcp-state established
}

How can I (or can't I) use regular expressions in the payload directive in bro signatures? Can you guys point me to a writeup or man page for this?

I see other (converted) signatures do have a payload directive which uses regular expressions, but those are fairly straightforward RE searches. Is it possible to create constructs using "or" ("|"), "{}", "[]", () etc in the payload section of signatures? In other words, how can I port the pcre payload check (above signature) as a regular expression for payload to bro?

Also, are REs in signatures case sensitive too?

Thanks a lot for the help.

Aashish Sharma

From sommer at in.tum.de Sat Apr 30 01:25:09 2005
From: sommer at in.tum.de (Robin Sommer)
Date: Sat, 30 Apr 2005 10:25:09 +0200
Subject: [Bro] regular expressions in bro signatures (payload)
In-Reply-To: <20050429194646.GA4558@uiuc.edu>
References: <20050429194646.GA4558@uiuc.edu>
Message-ID: <20050430082509.GB12007@net.informatik.tu-muenchen.de>

On Fri, Apr 29, 2005 at 14:46 -0500, you wrote:
> How can I (or can't I) use regular expressions in the payload directive
> in bro signatures?

The payload directive supports all of Bro's usual regular expression operators. IIRC, there's a section on patterns in Bro's manual (Bro uses the same syntax for regexps as flex).

You're right, snort2bro does not support pcre yet. There's an experimental version which does but that isn't finished yet.

(Btw, Bro's signatures supported regular expressions even before Snort got pcre. :-)

> Also, are REs in signatures case sensitive too?

Yes, they are.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de
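Added worked example (not from the thread, and not part of snort2bro or Bro): the exchange above leaves Aashish with a commented-out pcre and two facts from Robin, that the payload directive takes Bro's flex-style regular expressions and that they are case sensitive. The Python below takes the pcre body from sid-2001787 exactly as snort2bro left it, rewrites it so that the Snort /i flag survives the port (every letter outside a character class becomes a two-case class, letters inside a class get their other case added, and a-z style ranges are doubled), and emits the signature with a payload directive in place of the "Not supported" comment. Python's re module only stands in for Bro's matcher; for this pattern the constructs used (alternation, classes, {m,n}, escapes) are the same subset flex accepts, so the sample results carry over. The sample payloads are constructed, not captured traffic, and the signature header fields are copied from the signature in Aashish's message.

```python
import re

# The pcre body from sid-2001787 as snort2bro left it commented out
# (copied from the thread; the trailing /i flag is what the port must reproduce).
PCRE_BODY = (
    r"(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)"
    r"|!scan [0-9]{1,3}\.[0-9]{1,3}"
    r"|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass"
    r"|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom"
    r"|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG"
    r"|arkeia|arcserve|wins|veritas|netbackup))"
)


def expand_case(pattern: str) -> str:
    """Rewrite a case-insensitive regex as an equivalent case-sensitive one.

    Bro's payload regexes (flex syntax) have no /i flag, so: a letter outside a
    class becomes [xX]; a letter inside a class gets its other case appended;
    a range like a-f becomes a-fA-F. Escape pairs such as \\. are copied through.
    """
    out = []
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # keep escape pairs verbatim
            i += 2
            continue
        if in_class:
            is_range = (c.isalpha() and i + 2 < len(pattern)
                        and pattern[i + 1] == "-" and pattern[i + 2].isalpha())
            if c == "]":
                in_class = False
                out.append(c)
            elif is_range:
                lo, hi = c, pattern[i + 2]  # a-f -> a-fA-F
                out.append(f"{lo.lower()}-{hi.lower()}{lo.upper()}-{hi.upper()}")
                i += 3
                continue
            elif c.isalpha():
                out.append(c.lower() + c.upper())  # [ab] -> [aAbB]
            else:
                out.append(c)
        else:
            if c == "[":
                in_class = True
                out.append(c)
            elif c.isalpha():
                out.append(f"[{c.lower()}{c.upper()}]")
            else:
                out.append(c)
        i += 1
    return "".join(out)


def bro_signature(sid: int, pcre: str, event_msg: str, ignore_case: bool) -> str:
    """Emit the Bro signature with the pcre carried over as a payload directive.

    Header fields are those of sid-2001787 in the thread; only the payload line
    is new relative to the snort2bro output.
    """
    body = expand_case(pcre) if ignore_case else pcre
    return "\n".join([
        f"signature sid-{sid} {{",
        "  ip-proto == tcp",
        "  src-ip != local_nets",
        "  dst-ip == local_nets",
        f"  payload /{body}/",
        f'  event "{event_msg}"',
        "  tcp-state established",
        "}",
    ])


# Constructed IRC-style payload fragments (not captured traffic) with the
# verdict the original case-insensitive Snort rule would give.
SAMPLE_PAYLOADS = [
    ("ntscan 100 20", True),            # all lower case: matches even unexpanded
    ("AdvScan LSASS 200 5 0", True),    # mixed case: needs the expansion
    ("!SCAN 192.168", True),
    ("DCOM.self", True),
    ("PRIVMSG #chan :hello world", False),
    ("NICK botnick", False),
]


def check_samples(pattern: str) -> list:
    """Match the samples case-sensitively, the way Bro's matcher would."""
    rx = re.compile(pattern)  # deliberately no re.IGNORECASE
    return [bool(rx.search(payload)) for payload, _ in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    print(bro_signature(2001787, PCRE_BODY,
                        "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command", True))
    print("raw pcre, case sensitive:", check_samples(PCRE_BODY))
    print("case-expanded           :", check_samples(expand_case(PCRE_BODY)))
```

Running it shows the point of the exercise: with the raw pcre body, only the all-lower-case sample hits, while the expanded payload regex reproduces the Snort verdict on every sample. The printed signature block can be pasted into the converted .sig file in place of the "Not supported" line. Anything the pcre used that flex lacks (lookaround, backreferences, lazy quantifiers) would still need hand porting; this pattern uses none of them.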