From rmkml at free.fr Sun Jul 3 14:03:56 2005
From: rmkml at free.fr (rmkml)
Date: Sun, 3 Jul 2005 23:03:56 +0200 (CEST)
Subject: [Bro] bro09a[8-9] inline libpcap 8 file pb
Message-ID:

Hi,

First, I record an idle pcap file:

  tcpdump -ni lo0 -w vide.pcap

and CTRL+C! (This file's size is 24 = no packet recorded; the same with packets in the file, the bro problem is not there.)

OK, run bro inline:

  export BROPATH=/bropath/policy
  export BRO_DNS_FAKE=1
  bro -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap bro.init mt

  line 1: run-time error: precompile_pcap_filter: pcap_compile(((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)): too many registers needed to evaluate expression
  can't compile filter ((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)

bro creates idle files: alarm.log conn.log ftp.log notice.log weird.log

bro has 8 files; I don't have the problem with only 7 pcap files.

I'm using bro on the FreeBSD 4.11 platform.

Regards
Rmkml
From: scampbell at lbl.gov (scott campbell)
Date: Mon, 04 Jul 2005 20:55:39 -0700
Subject: [Bro] new broshell software & docs
Message-ID: <42CA04BB.8060200@lbl.gov>

I put together a few more notes and redid the broshell software to make the command line work much more flexibly. Some of the newer functionality has not been adequately (as in at all) tested, so let the buyer beware!

If there is additional functionality that people would like to see put into this, please let me know and I can give it a try. There is documentation on the generic client coming as well.

See: http://www.nersc.gov/~scottc/software/bro/broshell.html for details.

thanks!

scott

From: sommer at in.tum.de (Robin Sommer)
Date: Tue, 5 Jul 2005 09:31:02 +0200
Subject: [Bro] &write_expire and sets
In-Reply-To: <1119894242.431.60.camel@localhost>
References: <1119894242.431.60.camel@localhost>
Message-ID: <20050705073102.GA21649@net.informatik.tu-muenchen.de>

On Mon, Jun 27, 2005 at 10:44 -0700, Christian Kreibich wrote:

> for sets, I presume write_expire means that an entry has to be re-
> entered within the timeframe to avoid deletion?

Oops, sorry, forgot to reply to this question. So, in case this is still unclear, the answer is: yes (with reentering meaning not to explicitly delete it first).

Robin

-- 
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de
From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Tue, 5 Jul 2005 11:07:45 -0300
Subject: [Bro] Empty reports!!
References: <42C072C0.6080808@lbl.gov>
Message-ID: <009501c5816a$edbe5f00$cbd1a8c0@uolcorp.intranet>

Thanks, but the reports didn't function correctly. I followed your tips.

I have another doubt, now it's about the notice email. How can I configure bro to send the administrator an email in some critical situations?

Thanks
Angelita

----- Original Message -----
From: "Brian Tierney"
To: "Angelita de Cássia Corrêa"
Sent: Tuesday, June 28, 2005 10:53 AM
Subject: Fwd: [Bro] Empty reports!!

> a couple more suggestions from the author of the report script:
>
> Begin forwarded message:
>
> > From: Roger Winslow
> >
> > This sounds like either the bro.cfg file is not set correctly,
> > site-report.pl is not told where bro.cfg is, or no log data is
> > being found.
> >
> > I suggest that the user run the command by hand (use -h to find
> > all of the command line options) with a debug of 2 or higher and
> > see what happens. The files are output to $BROHOME/reports/local.
> > Also scan reports are still on. We left it on because there was
> > too little data without it during demos. The ability to turn on/
> > off certain parts of the report are not finished yet (obviously)
> > but it's about half way done.
From: BLTierney at lbl.gov (Brian Tierney)
Date: Tue, 5 Jul 2005 12:34:42 -0700
Subject: [Bro] Empty reports!!
In-Reply-To: <009501c5816a$edbe5f00$cbd1a8c0@uolcorp.intranet>
References: <42C072C0.6080808@lbl.gov> <009501c5816a$edbe5f00$cbd1a8c0@uolcorp.intranet>
Message-ID: <4A4E8F62-1825-4096-94B5-69C83FEC02D4@lbl.gov>

On Jul 5, 2005, at 7:07 AM, Angelita de Cássia Corrêa wrote:

> Thanks, but the reports didn't function correctly. I followed your
> tips.

If you send us the output of the report script using debug level 2, maybe we can help figure this out.

> I have another doubt, now it's about the notice email. How can I
> configure bro to send the administrator an email in some critical
> situations?

This section of the manual should answer your question:
http://www.bro-ids.org/Bro-user-manual/Notice-Actions.html

> Thanks
> Angelita
>
> ----- Original Message -----
> From: "Brian Tierney"
> To: "Angelita de Cássia Corrêa"
> Sent: Tuesday, June 28, 2005 10:53 AM
> Subject: Fwd: [Bro] Empty reports!!
>
>> a couple more suggestions from the author of the report script:
>>
>> Begin forwarded message:
>>
>>> From: Roger Winslow
>>>
>>> This sounds like either the bro.cfg file is not set correctly,
>>> site-report.pl is not told where bro.cfg is, or no log data is
>>> being found.
>>>
>>> I suggest that the user run the command by hand (use -h to find
>>> all of the command line options) with a debug of 2 or higher and
>>> see what happens. The files are output to $BROHOME/reports/local.
>>> Also scan reports are still on. We left it on because there was
>>> too little data without it during demos. The ability to turn on/
>>> off certain parts of the report are not finished yet (obviously)
>>> but it's about half way done.

------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 05 Jul 2005 14:32:59 -0700
Subject: [Bro] new broshell software & docs
In-Reply-To: <42CA04BB.8060200@lbl.gov>
References: <42CA04BB.8060200@lbl.gov>
Message-ID: <1120599179.9007.105.camel@localhost>

Wait -- so Broccoli made you feel suicidal? Surely not! :)

Very cool, I'll check it out asap. Thanks for this!

On Mon, 2005-07-04 at 20:55 -0700, scott campbell wrote:
> I put together a few more notes and redid the broshell software to make
> the command line work much more flexibly. Some of the newer
> functionality has not been adequately (as in at all) tested, so let the
> buyer beware!
[snip]
> thanks!
>
> scott

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Wed, 6 Jul 2005 16:37:01 -0300
Subject: [Bro] Empty reports!!
References: <42C072C0.6080808@lbl.gov> <009501c5816a$edbe5f00$cbd1a8c0@uolcorp.intranet> <4A4E8F62-1825-4096-94B5-69C83FEC02D4@lbl.gov>
Message-ID: <00b301c58262$18c35eb0$cbd1a8c0@uolcorp.intranet>

Brian,

I already tested with debug levels 3, 4 and 5.

About the notice mail: I changed the notice.bro like the document says and defined the mail_dest with my email address. But I didn't receive any notice mail. If I run the mail_notice.sh script I receive an email correctly, but empty.

What can I do?

Thanks
Angelita

----- Original Message -----
From: "Brian Tierney"
To: "Angelita de Cássia Corrêa"
Cc:
Sent: Tuesday, July 05, 2005 4:34 PM
Subject: Re: [Bro] Empty reports!!

On Jul 5, 2005, at 7:07 AM, Angelita de Cássia Corrêa wrote:

> Thanks, but the reports didn't function correctly. I followed your
> tips.

If you send us the output of the report script using debug level 2, maybe we can help figure this out.

> I have another doubt, now it's about the notice email. How can I
> configure bro to send the administrator an email in some critical
> situations?

This section of the manual should answer your question:
http://www.bro-ids.org/Bro-user-manual/Notice-Actions.html

> Thanks
> Angelita
>
> ----- Original Message -----
> From: "Brian Tierney"
> To: "Angelita de Cássia Corrêa"
> Sent: Tuesday, June 28, 2005 10:53 AM
> Subject: Fwd: [Bro] Empty reports!!
>
>> a couple more suggestions from the author of the report script:
>>
>> Begin forwarded message:
>>
>>> From: Roger Winslow
>>>
>>> This sounds like either the bro.cfg file is not set correctly,
>>> site-report.pl is not told where bro.cfg is, or no log data is
>>> being found.
>>>
>>> I suggest that the user run the command by hand (use -h to find
>>> all of the command line options) with a debug of 2 or higher and
>>> see what happens. The files are output to $BROHOME/reports/local.
>>> Also scan reports are still on. We left it on because there was
>>> too little data without it during demos. The ability to turn on/
>>> off certain parts of the report are not finished yet (obviously)
>>> but it's about half way done.

------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: zangds at netpower.com.cn (=?gb2312?B?6rC2rMvJ?=)
Date: Thu, 7 Jul 2005 11:14:08 +0800
Subject: [Bro] internal warning: bad request for InternalUnsigned
Message-ID: <001301c582a1$f096b000$4801a8c0@netpowerdonal>

hi,

When I use bro-0.9a9 on a linux system, there are lots of warnings on the screen:

  1120748634.654520 (768): internal warning: bad request for InternalUnsigned
  1120748634.654520 (769): internal warning: bad request for InternalUnsigned
  1120748635.289065 (2): internal warning: bad request for InternalUnsigned
  1120748635.289065 (768): internal warning: bad request for InternalUnsigned
  1120748635.289065 (769): internal warning: bad request for InternalUnsigned
  1120748635.291004 (2): internal warning: bad request for InternalUnsigned
  1120748635.291004 (768): internal warning: bad request for InternalUnsigned
  1120748635.291004 (769): internal warning: bad request for InternalUnsigned
  1120748678.874703 (2): internal warning: bad request for InternalUnsigned
  1120748678.874703 (768): internal warning: bad request for InternalUnsigned
  1120748678.874703 (769): internal warning: bad request for InternalUnsigned
  1120748678.876645 (2): internal warning: bad request for InternalUnsigned
  1120748678.876645 (768): internal warning: bad request for InternalUnsigned
  1120748678.876645 (769): internal warning: bad request for InternalUnsigned
  1120748678.930197 (2): internal warning: bad request for InternalUnsigned
  1120748678.930197 (768): internal warning: bad request for InternalUnsigned
  1120748678.930197 (769): internal warning: bad request for InternalUnsigned

Can someone tell me why?
From: vern at icir.org (Vern Paxson)
Date: Wed, 06 Jul 2005 22:48:04 -0700
Subject: [Bro] internal warning: bad request for InternalUnsigned
In-Reply-To: Your message of Thu, 07 Jul 2005 11:14:08 +0800.
Message-ID: <200507070548.j675m4WI068391@jaguar.icir.org>

When reporting problems like this, if at all possible you need to include a tcpdump trace that reproduces the problem. In this case, it would also be useful to breakpoint in Val.cc where that message is generated and capture a traceback using "where" in gdb.

Vern

From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Fri, 8 Jul 2005 13:57:13 -0500
Subject: [Bro] Re: New debug output
References: <009901c5737d$335bfd20$5501a8c0@muratet> <1119317796.19544.58.camel@localhost> <1119318400.19544.62.camel@localhost> <008101c57667$7f7e2650$5501a8c0@muratet> <1119638127.2028.18.camel@localhost>
Message-ID: <013c01c583ee$db2b99d0$5501a8c0@muratet>

Christian

> just a little update to keep you posted. I wrote my own little test app
> that subscribes to a bunch of connection_* events and then prints out
> the various fields of the received connection record.

I have implemented this, but I'm still stuck (see below)

> In the process I discovered at least one bug in Bro: communications can
> get stuck when the Broccoli app is a pure event requester and not
> sending anything. In that case, it can happen that handshake message
> exchange doesn't fully complete and afterwards none of the connection
> events end up being sent to the Broccoli client.

I believe I could be observing this behavior--the test script hangs. Might this be fixed in the CVS?

Thanks

Mike
From: petraschek at ftw.at (Martin Petraschek)
Date: Mon, 11 Jul 2005 18:25:54 +0200
Subject: [Bro] unknown data link type 0xc
Message-ID:

Hi!

When I execute bro on a sample pcap file, I get the following error:

  bro: problem with trace file /data/syndata/trace.cap - unknown data link type 0xc

What does that mean? The pcap file is OK and can be read with tcpdump -r

Thank you very much,
Martin

From: David.Sames at sparta.com (Sames, David)
Date: Mon, 11 Jul 2005 13:11:23 -0400
Subject: [Bro] Test Set question
Message-ID: <87CDEF0BA329934CB1B2A156A90BBF1210F5D2@coyote.columbia.ads.sparta.com>

Does anyone know what the ratio of "attack traffic" to "normal traffic" is in a "representative" network? It's a pretty open-ended question, but I need to construct a (decent) data set for an internal evaluation I'm doing. I'd like to make sure (to the extent possible) that the attack data isn't unfairly represented in the set.

Thanks!

Dave Sames
-----------------------------
SPARTA, Inc
7075 Samuel Morse Dr.
Columbia, MD 21046
(P) 410.872.1515 x317
(F) 410.872.8079
-----------------------------
From: David.Sames at sparta.com (Sames, David)
Date: Mon, 11 Jul 2005 13:20:51 -0400
Subject: [Bro] Malware collecting
Message-ID: <87CDEF0BA329934CB1B2A156A90BBF1210F5D3@coyote.columbia.ads.sparta.com>

One of the advantages of being at McAfee was access to their zoo/field/wild collection of malware for research. Now that our Advanced Research Group (read: DARPA/ARDA/etc contractor) has been sold, we no longer have access and must build up a collection and collecting capability on our own.

I've noted that there is an "international alliance" being set up to share samples collected using the mwcollect software, and have contacted them already. There may be some sharing going on within the Honeynet project, but I haven't followed up within that arena yet. We intend to set something up similar to a honeynet for collection and research purposes as well.

Additionally, I have started making contact with some universities who do research in malware who also have started collections, but haven't found any formal collaboration organization set up to develop a corpus of malware samples.

The AV community obviously has a large collection, but it appears to be fairly insular, sharing samples only among AV companies and the test & evaluation companies who provide (independent) product evaluations.

Do any of you have any thoughts on the subject?

For the record, I've been part of the TIS/TISLabs/NAILabs/McAfeeResearch/SpartaSecurityResearchDivision group for about 7 years, doing research on distributed security, application security policies, malicious code analysis, and defense against worms.

Regards,

Dave Sames
-----------------------------
SPARTA, Inc
7075 Samuel Morse Dr.
Columbia, MD 21046
(P) 410.872.1515 x317
(F) 410.872.8079
-----------------------------
From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Mon, 11 Jul 2005 16:43:39 -0300
Subject: [Bro] Email Notice
References: <42C072C0.6080808@lbl.gov> <009501c5816a$edbe5f00$cbd1a8c0@uolcorp.intranet> <4A4E8F62-1825-4096-94B5-69C83FEC02D4@lbl.gov> <00b301c58262$18c35eb0$cbd1a8c0@uolcorp.intranet>
Message-ID: <001501c58650$d9173690$cbd1a8c0@uolcorp.intranet>

Brian,

I already tested with debug levels 3, 4 and 5.

About the notice mail: I changed the notice.bro like the document says and defined the mail_dest with my email address. But I didn't receive any notice mail. If I run the mail_notice.sh script I receive an email correctly, but empty.

What can I do?

Thanks
Angelita

----- Original Message -----
From: "Brian Tierney"
To: "Angelita de Cássia Corrêa"
Cc:
Sent: Tuesday, July 05, 2005 4:34 PM
Subject: Re: [Bro] Empty reports!!

On Jul 5, 2005, at 7:07 AM, Angelita de Cássia Corrêa wrote:

> Thanks, but the reports didn't function correctly. I followed your
> tips.

If you send us the output of the report script using debug level 2, maybe we can help figure this out.

> I have another doubt, now it's about the notice email. How can I
> configure bro to send the administrator an email in some critical
> situations?

This section of the manual should answer your question:
http://www.bro-ids.org/Bro-user-manual/Notice-Actions.html

> Thanks
> Angelita
>
> ----- Original Message -----
> From: "Brian Tierney"
> To: "Angelita de Cássia Corrêa"
> Sent: Tuesday, June 28, 2005 10:53 AM
> Subject: Fwd: [Bro] Empty reports!!
>
>> a couple more suggestions from the author of the report script:
>>
>> Begin forwarded message:
>>
>>> From: Roger Winslow
>>>
>>> This sounds like either the bro.cfg file is not set correctly,
>>> site-report.pl is not told where bro.cfg is, or no log data is
>>> being found.
>>>
>>> I suggest that the user run the command by hand (use -h to find
>>> all of the command line options) with a debug of 2 or higher and
>>> see what happens. The files are output to $BROHOME/reports/local.
>>> Also scan reports are still on. We left it on because there was
>>> too little data without it during demos. The ability to turn on/
>>> off certain parts of the report are not finished yet (obviously)
>>> but it's about half way done.

------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 11 Jul 2005 13:40:38 -0700
Subject: [Bro] Re: New debug output
In-Reply-To: <013c01c583ee$db2b99d0$5501a8c0@muratet>
References: <009901c5737d$335bfd20$5501a8c0@muratet> <1119317796.19544.58.camel@localhost> <1119318400.19544.62.camel@localhost> <008101c57667$7f7e2650$5501a8c0@muratet> <1119638127.2028.18.camel@localhost> <013c01c583ee$db2b99d0$5501a8c0@muratet>
Message-ID: <1121114438.11923.7.camel@localhost>

Hi Mike,

On Fri, 2005-07-08 at 13:57 -0500, Mike Muratet wrote:
> > In the process I discovered at least one bug in Bro: communications can
> > get stuck when the Broccoli app is a pure event requester and not
> > sending anything. In that case, it can happen that handshake message
> > exchange doesn't fully complete and afterwards none of the connection
> > events end up being sent to the Broccoli client.
>
> I believe I could be observing this behavior--the test script hangs. Might
> this be fixed in the CVS?

it hasn't been fixed yet -- rather annoyingly we're all pretty short on cycles at the moment. I'll try to come up with a temporary fix tonight and will let you know how it goes. Apologies for the delay! :(

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Mon, 11 Jul 2005 15:58:26 -0500
Subject: [Bro] Re: New debug output
References: <009901c5737d$335bfd20$5501a8c0@muratet> <1119317796.19544.58.camel@localhost> <1119318400.19544.62.camel@localhost> <008101c57667$7f7e2650$5501a8c0@muratet> <1119638127.2028.18.camel@localhost> <013c01c583ee$db2b99d0$5501a8c0@muratet> <1121114438.11923.7.camel@localhost>
Message-ID: <00eb01c5865b$49a2a930$5501a8c0@muratet>

Christian

>> > In the process I discovered at least one bug in Bro: communications can
>> > get stuck when the Broccoli app is a pure event requester and not
>> > sending anything. In that case, it can happen that handshake message
>> > exchange doesn't fully complete and afterwards none of the connection
>> > events end up being sent to the Broccoli client.
>>
>> I believe I could be observing this behavior--the test script hangs.
>> Might this be fixed in the CVS?
>
> it hasn't been fixed yet -- rather annoyingly we're all pretty short on
> cycles at the moment. I'll try to come up with a temporary fix tonight
> and will let you know how it goes. Apologies for the delay! :(

No apologies--I appreciate the help. I've been looking at the code trying to figure it out, but it's slow going.

Thanks

Mike
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 11 Jul 2005 17:11:52 -0700
Subject: [Bro] unknown data link type 0xc
In-Reply-To:
References:
Message-ID: <1121127112.11923.62.camel@localhost>

Hi Martin,

On Mon, 2005-07-11 at 18:25 +0200, Martin Petraschek wrote:
> Hi!
>
> When I execute bro on a sample pcap file, I get the following error:
>
> bro: problem with trace file /data/syndata/trace.cap - unknown data link type 0xc
>
> What does that mean? The pcap file is OK and can be read with tcpdump -r

what Bro version are you using? 0x0C is the code for raw packet captures, starting directly with IP headers. Bro has supported these for a while now but I remember DLT_RAW being added to the codebase. Try a newer version?

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 11 Jul 2005 17:19:16 -0700
Subject: [Bro] Test Set question
In-Reply-To: <87CDEF0BA329934CB1B2A156A90BBF1210F5D2@coyote.columbia.ads.sparta.com>
References: <87CDEF0BA329934CB1B2A156A90BBF1210F5D2@coyote.columbia.ads.sparta.com>
Message-ID: <1121127557.11923.67.camel@localhost>

On Mon, 2005-07-11 at 13:11 -0400, Sames, David wrote:
>
> Does anyone know what the ratio of "attack traffic" to "normal
> traffic" is in a "representative" network? It's a pretty open-ended
> question, but I need to construct a (decent) data set for an internal
> evaluation I'm doing. I'd like to make sure (to the extent possible)
> that the attack data isn't unfairly represented in the set.

I think that really depends on way too many things (size of net, host population, IP range, background traffic, firewalling, organizational policies, the aim of your eval, etc) to be answerable in general. Try asking on SecurityFocus' focus-ids list instead?

Good luck,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: petraschek at ftw.at (Martin Petraschek)
Date: Tue, 12 Jul 2005 09:33:40 +0200
Subject: [Bro] unknown data link type 0xc
In-Reply-To: <1121127112.11923.62.camel@localhost>
Message-ID:

On Mon, 11 Jul 2005 17:11:52 -0700, Christian Kreibich wrote:

>> When I execute bro on a sample pcap file, I get the following error:
>>
>> bro: problem with trace file /data/syndata/trace.cap - unknown data link type 0xc
>>
>> What does that mean? The pcap file is OK and can be read with tcpdump -r
>
> what Bro version are you using? 0x0C is the code for raw packet
> captures, starting directly with IP headers. Bro has supported these for
> a while now but I remember DLT_RAW being added to the codebase. Try a
> newer version?
>
> Cheers,
> Christian.

I upgraded from the latest stable release (0.8a88) to the latest developer release (0.9a9), and now it works! Thanks for the hint!

Martin
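Two of the trace-file symptoms in this archive come down to the pcap global header: the 24-byte vide.pcap in the first message (a global header with no packet records behind it) and the "unknown data link type 0xc" error in the thread above (the link type field of that header). The C program below is an added example, not Bro's or libpcap's code. It parses the global header by hand from constructed sample bytes, reports byte order, snaplen and link type, and flags a header-only file. The link-type names are libpcap's LINKTYPE_ values as I know them (12 is the legacy DLT_RAW value the thread mentions; newer libpcap writes 101 for raw IP); the sample headers are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_GLOBAL_HDR_LEN 24   /* a trace with no packets is exactly this long */

/* Parsed view of the pcap global header. */
struct pcap_info {
    int big_endian;      /* 1 if the writer stored multi-byte fields big-endian */
    int nanosecond;      /* 1 for the nanosecond-resolution magic number */
    uint16_t version_major, version_minor;
    uint32_t snaplen;
    uint32_t linktype;   /* LINKTYPE_* value written by the capturing libpcap */
    int has_packets;     /* 0 when the file holds only the 24-byte header */
};

static uint32_t get32(const uint8_t *p, int big_endian) {
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

static uint16_t get16(const uint8_t *p, int big_endian) {
    return big_endian ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

/* Returns 0 on success, -1 if fewer than 24 bytes were supplied, -2 on an
 * unrecognised magic number (not a classic pcap file at all). */
int parse_pcap_header(const uint8_t *buf, size_t len, struct pcap_info *out) {
    if (len < PCAP_GLOBAL_HDR_LEN)
        return -1;
    /* Read the magic little-endian; its value tells us the writer's byte order. */
    switch (get32(buf, 0)) {
    case 0xa1b2c3d4: out->big_endian = 0; out->nanosecond = 0; break;
    case 0xa1b23c4d: out->big_endian = 0; out->nanosecond = 1; break;
    case 0xd4c3b2a1: out->big_endian = 1; out->nanosecond = 0; break;
    case 0x4d3cb2a1: out->big_endian = 1; out->nanosecond = 1; break;
    default: return -2;
    }
    int be = out->big_endian;
    out->version_major = get16(buf + 4, be);
    out->version_minor = get16(buf + 6, be);
    /* bytes 8..15 are thiszone and sigfigs, which readers ignore */
    out->snaplen  = get32(buf + 16, be);
    out->linktype = get32(buf + 20, be);
    out->has_packets = len > PCAP_GLOBAL_HDR_LEN;
    return 0;
}

/* Human-readable names for the link types this archive touches on. */
const char *describe_linktype(uint32_t lt) {
    switch (lt) {
    case 0:   return "BSD loopback";
    case 1:   return "Ethernet";
    case 12:  return "raw IP (legacy DLT_RAW value)";   /* the 0xc from the thread */
    case 101: return "raw IP (LINKTYPE_RAW)";            /* what newer libpcap writes */
    default:  return "unknown";
    }
}

/* Constructed sample: a little-endian, 24-byte, packet-less trace whose
 * link type is 0x0c, the combination discussed on this page. */
const uint8_t SAMPLE_RAW_LE[PCAP_GLOBAL_HDR_LEN] = {
    0xd4, 0xc3, 0xb2, 0xa1,   /* magic 0xa1b2c3d4, little-endian */
    0x02, 0x00, 0x04, 0x00,   /* version 2.4 */
    0x00, 0x00, 0x00, 0x00,   /* thiszone */
    0x00, 0x00, 0x00, 0x00,   /* sigfigs */
    0xff, 0xff, 0x00, 0x00,   /* snaplen 65535 */
    0x0c, 0x00, 0x00, 0x00    /* linktype 12 */
};

/* Constructed sample: big-endian Ethernet header followed by one 16-byte
 * packet record header, i.e. a trace that does carry packet data. */
const uint8_t SAMPLE_ETH_BE[PCAP_GLOBAL_HDR_LEN + 16] = {
    0xa1, 0xb2, 0xc3, 0xd4, 0x00, 0x02, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01,
    /* record header: ts_sec, ts_usec, incl_len, orig_len (all zero here) */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    struct pcap_info pi;
    if (parse_pcap_header(SAMPLE_RAW_LE, sizeof SAMPLE_RAW_LE, &pi) != 0)
        return 1;
    printf("linktype %u (0x%x): %s; %s\n", pi.linktype, pi.linktype,
           describe_linktype(pi.linktype),
           pi.has_packets ? "has packet records" : "header only, no packets");
    return 0;
}
```

Reading the first 24 bytes of a trace this way before feeding it to an analyzer tells you whether the file starts with IP headers (raw) or with Ethernet frames, and whether it contains any packet records at all; a reader built without DLT_RAW support rejects the former with exactly the error Martin saw.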
From: jmzhou.ml at gmail.com (Jingmin Zhou)
Date: Fri, 15 Jul 2005 11:54:36 -0700
Subject: [Bro] how to run as non-root user?
Message-ID:

Hi,

I am a new user of bro, and have recently installed bro 0.9a9 on a Linux box. I have a question with bro:

I want to run bro as a non-root user, and have created an account for bro. However, when I try to start bro with bro.rc, it reports "problem with interface eth0 - pcap_open_live: socket: Operation not permitted". Does it mean that I need to setuid the bro binary? If so, does bro drop privilege after pcap_open? (A quick grep shows that bro does not call setuid()).

BTW, there is a small issue with bro.rc. It calls bro with "su -l ${alternate_user_id}...". On my system, the shell of the root account is tcsh. Then when I run bro.rc from an interactive root shell, it prompts the error as follows:

  Unknown option: `-l'
  Usage: tcsh [ -bcdefilmnqstvVxX ] [ argument ... ].

To fix it, either I need to change the root shell to bash (which is not preferred IMHO), or change bro.rc as "su - ${alternate_user_id}...".

Thanks!

Jingmin
From: rwinslow at lbl.gov (Roger Winslow)
Date: Fri, 15 Jul 2005 13:48:32 -0700
Subject: [Bro] how to run as non-root user?
In-Reply-To:
References:
Message-ID: <42D82120.4010407@lbl.gov>

The issue you are seeing is related to how Linux does packet capture. In short, Linux must have root privileges to capture packets. Sorry, but without using some of the custom kernel patches out there you must run Bro as a user that has root privs. If you want more info search for linux packet capture.

As for bro.rc, it was written for 'sh' and is compatible with 'bash'. That's why the bang path is #!/bin/sh. bro.rc was written to work on the widest number of systems possible and sh/bash are available everywhere.

I produced a simple shell script to simulate what you are referring to but was unable to reproduce the error. brouser has a shell of /bin/tcsh and root has a shell of /bin/tcsh

  #!/bin/sh

  if [ "$1" = '1' ]; then
      echo DONE
      exit 0
  fi

  su -l brouser -c "$0 1 < /dev/null"

If you can find more info on the error I will look into it further.

Roger

Jingmin Zhou wrote:
> Hi,
>
> I am a new user of bro, and have recently installed bro 0.9a9 on a Linux
> box. I have a question with bro:
>
> I want to run bro as a non-root user, and have created an account for
> bro. However, when I try to start bro with bro.rc, it reports "problem
> with interface eth0 - pcap_open_live: socket: Operation not
> permitted". Does it mean that I need to setuid the bro binary? If so, does
> bro drop privilege after pcap_open? (A quick grep shows that bro does
> not call setuid()).
>
> BTW, there is a small issue with bro.rc. It calls bro with "su -l
> ${alternate_user_id}...". On my system, the shell of the root account is
> tcsh. Then when I run bro.rc from an interactive root shell, it
> prompts the error as follows:
>
> Unknown option: `-l'
> Usage: tcsh [ -bcdefilmnqstvVxX ] [ argument ... ].
>
> To fix it, either I need to change the root shell to bash (which is not
> preferred IMHO), or change bro.rc as "su - ${alternate_user_id}...".
>
> Thanks!
>
> Jingmin
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From: casado at cs.stanford.edu (Martin Casado)
Date: Fri, 15 Jul 2005 14:01:50 -0700
Subject: [Bro] Small bug in TCP_Rewriter
Message-ID: <42D8243E.2020905@cs.stanford.edu>

Hi,

This may already be fixed but I believe there is a bug in the TCP rewriter. I'm using bro 0.9a10.5.

File TCP_Rewriter.cc, Line 710:

  ASSERT(next_packet->AppendData(data, left));

If the ASSERT preprocessor conditional isn't enabled, the statement isn't included in the translation unit and using -A for re-writing doesn't include any payload (only headers) :(

perhaps ..

  if(!next_packet->AppendData(data, left)) {
      ASSERT(0);
  }

Plz. let me know if this isn't the appropriate forum for submitting bugs.

cheers,
.martin
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 15 Jul 2005 14:29:58 -0700
Subject: [Bro] how to run as non-root user?
In-Reply-To: <42D82120.4010407@lbl.gov>
References: <42D82120.4010407@lbl.gov>
Message-ID: <1121462999.1641.59.camel@localhost>

Hi there,

I'm a bit puzzled about the problem as well, because according to

> > Unknown option: `-l'
> > Usage: tcsh [ -bcdefilmnqstvVxX ] [ argument ... ].
                         ^

-l should work. Also, at least with GNU coreutils it doesn't make any difference whether you use 'su -' or 'su -l'. su puts the basename of the shell of the user that is su'd to into argv[0], prefixed with '-' to indicate a login shell.

Bash's and ksh's manpages mention this, tcsh's manpage is imprecise in saying argv[0] has to *be* "-" but its code only checks for the first character being '-' (or the -l flag, as the manpage says).

Best,
Christian.

On Fri, 2005-07-15 at 13:48 -0700, Roger Winslow wrote:
>
> As for bro.rc, it was written for 'sh' and is compatible with 'bash'. That's why
> the bang path is #!/bin/sh. bro.rc was written to work on the widest number of
> systems possible and sh/bash are available everywhere.
>
> I produced a simple shell script to simulate what you are referring to but was
> unable to reproduce the error. brouser has a shell of /bin/tcsh and root has a
> shell of /bin/tcsh
>
> #!/bin/sh
>
> if [ "$1" = '1' ]; then
>     echo DONE
>     exit 0
> fi
>
> su -l brouser -c "$0 1 < /dev/null"
>
> If you can find more info on the error I will look into it further.
>
> Roger
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 15 Jul 2005 14:36:53 -0700
Subject: [Bro] Small bug in TCP_Rewriter
In-Reply-To: <42D8243E.2020905@cs.stanford.edu>
References: <42D8243E.2020905@cs.stanford.edu>
Message-ID: <1121463413.1641.64.camel@localhost>

Hey Martin :)

On Fri, 2005-07-15 at 14:01 -0700, Martin Casado wrote:
> Hi,
>
> This may already be fixed but I believe there is a bug in the TCP
> rewriter. I'm using bro 0.9a10.5.
>
> File TCP_Rewriter.cc, Line 710:
>
> ASSERT(next_packet->AppendData(data, left));
>
> If the ASSERT preprocessor conditional isn't enabled, the statement
> isn't included in the translation unit and using -A for re-writing
> doesn't include any payload (only headers) :(

Uh-oh. Smells rotten to me!

> Plz. let me know if this isn't the appropriate forum for submitting bugs.

Oh definitely. Keep 'em coming...

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: jrlee at lbl.gov (Jason Lee)
Date: Fri, 15 Jul 2005 15:09:26 -0700
Subject: [Bro] how to run as non-root user?
In-Reply-To: <1121462999.1641.59.camel@localhost>
References: <42D82120.4010407@lbl.gov> <1121462999.1641.59.camel@localhost>
Message-ID: <42D83416.8070400@lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmmm,
On my linux (debian) system, su shows this:

    jason at foobar[3:07pm](205)> su -l foobar
    su: invalid option -- l
    Usage: su [OPTS] [-] [username [ARGS]]
      -                        make this a login shell
      -c, --command=           pass command to the invoked shell using its -c option
      -m, -p, --preserve-environment
                               do not reset environment variables, and keep the same shell
      -s, --shell=             use shell instead of the default in /etc/passwd

Cheers,
jason

Christian Kreibich wrote:
> Hi there,
>
> I'm a bit puzzled about the problem as well, because according to
>
>>> Unknown option: `-l'
>>> Usage: tcsh [ -bcdefilmnqstvVxX ] [ argument ... ].
>                          ^
> -l should work. Also, at least with GNU coreutils it doesn't make any
> difference whether you use 'su -' or 'su -l'. su puts the basename of
> the shell of the user that is su'd to into argv[0], prefixed with '-' to
> indicate a login shell.
>
> Bash's and ksh's manpages mention this, tcsh's manpage is imprecise in
> saying argv[0] has to *be* "-" but its code only checks for the first
> character being '-' (or the -l flag, as the manpage says).
>
> Best,
> Christian.
>
> On Fri, 2005-07-15 at 13:48 -0700, Roger Winslow wrote:
>
>> As for bro.rc it was written for 'sh' and is compatible with 'bash'. That's why
>> the bang path is #!/bin/sh. bro.rc was written to work on the widest number of
>> systems possible and sh/bash are available everywhere.
>>
>> I produced a simple shell script to simulate what you are referring to but was
>> unable to reproduce the error. brouser has a shell of /bin/tcsh and root has a
>> shell of /bin/tcsh
>>
>> #!/bin/sh
>>
>> if [ "$1" = '1' ]; then
>>     echo DONE
>>     exit 0
>> fi
>>
>> su -l brouser -c "$0 1 < /dev/null"
>>
>> If you can find more info on the error I will look into it further.
>>
>> Roger
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC2DQW37vOcEqHLkARAuaEAJsFgHE9nKgYxD87GPFBQfaCMK5T2ACeLwMi
pVZOHjzWV1ShbbGC9NqLh3M=
=GSZm
-----END PGP SIGNATURE-----

From: christian at whoop.org (Christian Kreibich)
Date: Fri, 15 Jul 2005 15:18:55 -0700
Subject: [Bro] how to run as non-root user?
In-Reply-To: <42D83416.8070400@lbl.gov>
References: <42D82120.4010407@lbl.gov> <1121462999.1641.59.camel@localhost> <42D83416.8070400@lbl.gov>
Message-ID: <1121465936.1641.68.camel@localhost>

On Fri, 2005-07-15 at 15:09 -0700, Jason Lee wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm,
> On my linux (debian) system, su shows this:
>
> jason at foobar[3:07pm](205)> su -l foobar
> su: invalid option -- l

Cool, I guess that explains the problem then?! I had looked at coreutils 5.2.1, where su.c has -, -l, --login.

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Fri, 15 Jul 2005 17:20:15 -0500
Subject: [Bro] "Resource temporarily unavailable"
Message-ID: <00b301c5898b$60de2d80$5501a8c0@muratet>

Greetings

I am (still) trying to get a working connection between some code I wrote using broccoli calls and bro. (The code is part of a larger project that uses bro for an interface because bro keeps track of state and generates events for connections.) I thought I was making some headway with understanding the event loop in bro and the reception in broccoli. I added a print statement in the broccoli method __bro_sobject_data_get to try to understand why I couldn't read the payload correctly and recompiled broccoli. Now all communication has ceased and the bro debug.log shows "Resource temporarily unavailable" which must be a system error because there is no such string in bro or broccoli. This harkens back to a problem I had when I first tried to use 'broping'.

Can anyone offer me some pointers on how to track down what's causing the error? There's nothing in the system logs and I can't find any clues via google. I'm running RedHat 9 with kernel 2.4.20-6. bro and broccoli are running on the same system which is inside a firewall, so it only sees some local intranet traffic and the ssh, ftp, etc. connections I use to test from another Linux system inside the firewall.

I am reaching the point where I will have to start the project over with some interface if I can't get this to work. Any help will be appreciated.

Thanks

Mike
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 15 Jul 2005 19:32:54 -0400
Subject: [Bro] Small bug in TCP_Rewriter
In-Reply-To: <42D8243E.2020905@cs.stanford.edu>
References: <42D8243E.2020905@cs.stanford.edu>
Message-ID:

Yes, thanks! This is a bug. And the fix looks right, too.

Ruoming

On Jul 15, 2005, at 5:01 PM, Martin Casado wrote:

> Hi,
>
> This may already be fixed but I believe there is a bug in the TCP
> rewriter. I'm using bro 0.9a10.5.
>
> File TCP_Rewriter.cc, Line 710:
>
> ASSERT(next_packet->AppendData(data, left));
>
> If the ASSERT preprocessor conditional isn't enabled, the statement
> isn't included in the translation unit and using -A for re-writing
> doesn't include any payload (only headers) :(
>
> perhaps ..
>
> if(!next_packet->AppendData(data, left))
>     { ASSERT(0); }
>
> Plz. let me know if this isn't the appropriate forum for submitting
> bugs.
>
> cheers,
> .martin
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
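Martin's report and Ruoming's confirmation above describe one defect: a call with a side effect placed inside an assertion macro, so that a build compiled without assertions never performs the call. The program below is an added illustration of that failure mode and of the fix pattern, not Bro's TCP_Rewriter code; the Packet type, its bounded-buffer AppendData, the two ASSERT_* macros that stand in for a debug and a non-debug build, and the sample payload are all invented for the example.

```cpp
// Added example (not Bro's TCP_Rewriter code): a call with side effects must not
// live inside an assertion macro, because a build with assertions disabled
// discards the whole expression, payload append included.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-ins for the two build modes of an ASSERT-style macro, so both can run
// in one program: the debug form evaluates its argument, the release form
// (what an NDEBUG-style build does) drops it entirely.
#define ASSERT_DEBUG(x) \
    do { if (!(x)) throw std::logic_error("assertion failed: " #x); } while (0)
#define ASSERT_RELEASE(x) ((void)0)

// Minimal model of a rewriter packet with a bounded payload buffer (invented).
struct Packet {
    std::vector<char> payload;
    std::size_t capacity;
    explicit Packet(std::size_t cap) : capacity(cap) {}

    // Copies n bytes into the packet; returns false if they do not fit.
    bool AppendData(const char* data, std::size_t n) {
        if (payload.size() + n > capacity)
            return false;
        payload.insert(payload.end(), data, data + n);
        return true;
    }
};

// The reported pattern in a debug build: AppendData runs because the macro
// evaluates its argument.
std::size_t rewrite_buggy_debug(Packet& p, const std::string& data) {
    ASSERT_DEBUG(p.AppendData(data.data(), data.size()));
    return p.payload.size();
}

// The same pattern in a release build: the expression vanishes, so the packet
// keeps its headers but never receives the payload (the -A symptom above).
std::size_t rewrite_buggy_release(Packet& p, const std::string& data) {
    ASSERT_RELEASE(p.AppendData(data.data(), data.size()));
    (void)data;
    return p.payload.size();
}

// Fixed form: the call always happens, only the check is optional. Returning
// the result lets a release build report a too-small buffer instead of
// continuing with a truncated packet.
bool rewrite_fixed(Packet& p, const std::string& data) {
    bool ok = p.AppendData(data.data(), data.size());
    ASSERT_RELEASE(ok);
    return ok;
}

// One 18-byte payload pushed through each variant (constructed sample).
static const char* const kPayload = "GET / HTTP/1.0\r\n\r\n";

std::size_t demo_debug()   { Packet p(64); return rewrite_buggy_debug(p, kPayload); }   // 18
std::size_t demo_release() { Packet p(64); return rewrite_buggy_release(p, kPayload); } // 0
bool demo_fixed()          { Packet p(64); return rewrite_fixed(p, kPayload) && p.payload.size() == 18; }
bool demo_fixed_overflow() { Packet p(4);  return !rewrite_fixed(p, kPayload); }        // failure is reported

int main() {
    return (demo_debug() == 18 && demo_release() == 0 && demo_fixed() && demo_fixed_overflow()) ? 0 : 1;
}
```

The release-mode variant returns 0 bytes of payload with no error of any kind, which is exactly why the symptom only shows up in a non-debug build. The fixed form also differs from Martin's `if (!...) ASSERT(0)` suggestion in one respect: it propagates the failure, so a release build that cannot fit the data still has a chance to log or abort instead of emitting a silently truncated packet.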
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 15 Jul 2005 19:00:38 -0700
Subject: [Bro] "Resource temporarily unavailable"
In-Reply-To: <00b301c5898b$60de2d80$5501a8c0@muratet>
References: <00b301c5898b$60de2d80$5501a8c0@muratet>
Message-ID: <1121479238.1641.76.camel@localhost>

Hi Mike,

(apologies for still not having fixed the bug in Bro that breaks one-way event-relay functionality from a Bro node ... *sigh*.)

On Fri, 2005-07-15 at 17:20 -0500, Mike Muratet wrote:
> Greetings
>
> I am (still) trying to get a working connection between some code I wrote
> using broccoli calls and bro. (The code is part of a larger project that
> uses bro for an interface because bro keeps track of state and generates
> events for connections.) I thought I was making some headway with
> understanding the event loop in bro and the reception in broccoli. I added a
> print statement in the broccoli method __bro_sobject_data_get to try to
> understand why I couldn't read the payload correctly and recompiled
> broccoli. Now all communication has ceased and the bro debug.log shows
> "Resource temporarily unavailable" which must be a system error because
> there is no such string in bro or broccoli. This harkens back to a problem I
> had when I first tried to use 'broping'.

I have seen that error too (and I've filed it in the "weird symptoms" category), but I need more information to be able to help you.

- Are you using SSL? Try without first, if so.
- I presume you're on the latest Bro developer release?

Also, I'll need to have a look at:

- The Broccoli client code.
- The output of the Broccoli client with call tracing and debugging output enabled.
- The Bro invocation command and any policies you're running if they're non-standard.
- Bro's comm.log, remote.log, and debug.log produced on a run that triggered the problem.

For what it's worth, so far the problem has never been actual protocol breakage (as in Bro sending some serialized data and Broccoli being unable to parse it, and vice versa). I'll look at it asap if you send me more info, though I'll be offline over the weekend.

Best of luck,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Mon, 18 Jul 2005 12:16:58 -0300
Subject: [Bro] False positive
References: <42D8243E.2020905@cs.stanford.edu> <1121463413.1641.64.camel@localhost>
Message-ID: <01c201c58bab$c0f9ec00$cbd1a8c0@uolcorp.intranet>

Sirs,

What is the best form to analyse the BRO received packets?
I need to calculate how many false positives bro detected in a determined period.

I didn't have success in reports, I continue receiving empty reports, then I need to analyse the logs or using other way to detect what event is a false positive and why is not.

Please, can you help me?

Thanks
Angelita

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Mon, 18 Jul 2005 21:15:10 -0300
Subject: [Bro] False positive
Message-ID: <00ea01c58bf6$ed4f2590$761ba1c8@sargitario>

I see in documentation that bro has some scripts in /usr/local/bro/bin like nf and hf, and they turn the logs human readable. How can I use this? Do I start it in underground form, after or before bro.rc? I think it can help me to analyse the logs. Do you agree?

Thanks
Angelita

----- Original Message -----
From: "Jason Lee"
To: "Angelita de Cássia Corrêa"
Sent: Monday, July 18, 2005 7:43 PM
Subject: Re: [Bro] False positive

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would suggest taking a 'snapshot' of known traffic (that contains 'worthy events' (attacks)) and running that through bro. If your snapshot is small enough, you should be able to trace through it to check if you are getting any 'false positives'. Then perhaps running the same snapshot through several other IDSs and comparing the output. This should let you know if bro is missing any events.

It's a very time-consuming process.

Cheers,
jason

Angelita de Cássia Corrêa wrote:
> Sirs,
>
> What is the best form to analyse the BRO received packets?
> I need to calculate how many false positives bro detected in a
> determined period.
>
> I didn't have success in reports, I continue receiving empty reports, then
> I need to analyse the logs or using other way to detect what event is a
> false positive and why is not.
>
> Please, can you help me?
>
> Thanks
> Angelita
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC3DB637vOcEqHLkARAiXsAKCCtWNTszG6GWdgT0zLDu3AmsxHBgCgvPPo
m+EYLlrnPwtUaIL48V+seNc=
=2Kf0
-----END PGP SIGNATURE-----
From: casado at cs.stanford.edu (Martin Casado)
Date: Tue, 19 Jul 2005 11:31:57 -0700
Subject: [Bro] String methods
Message-ID: <42DD471D.1070908@cs.stanford.edu>

I'm doing a bit of string processing and would like to expose the BroString::ToUpper(..) to the script as well as provide a case insensitive string (or r.e.) matching method. Do these methods currently exist? If not, may I implement them with hopes of integrating them into the main source branch?

thanks :)
.martin

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Tue, 19 Jul 2005 16:21:09 -0300
Subject: [Bro] False positive
References: <42D8243E.2020905@cs.stanford.edu> <1121463413.1641.64.camel@localhost> <01c201c58bab$c0f9ec00$cbd1a8c0@uolcorp.intranet> <42DD4522.4090303@cs.stanford.edu>
Message-ID: <002801c58c97$07b1cb90$cbd1a8c0@uolcorp.intranet>

Martin,

I pretend to see what alerts bro detects. This information is not enough to analyse if each alert is an attempt or false positive. I need alert information.

Do you understand now?

tks
Angelita

----- Original Message -----
From: "Martin Casado"
To: "Angelita de Cássia Corrêa"
Sent: Tuesday, July 19, 2005 3:23 PM
Subject: Re: [Bro] False positive

> I'm having a hard time understanding your email. Could you please be clear
> about what you are trying to do? Also, what policy scripts are you using? Are
> you sure bro is the appropriate tool rather than a more straightforward signature
> detection engine such as snort?
>
> .m
>
> >Sirs,
> >
> >What is the best form to analyse the BRO received packets?
> >I need to calculate how many false positives bro detected in a determined
> >period.
> >
> >I didn't have success in reports, I continue receiving empty reports, then I
> >need to analyse the logs or using other way to detect what event is a false
> >positive and why is not.
> >
> >Please, can you help me?
> >
> >Thanks
> >Angelita
> >
> >_______________________________________________
> >Bro mailing list
> >bro at bro-ids.org
> >http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 19 Jul 2005 14:00:09 -0700
Subject: [Bro] String methods
In-Reply-To: <42DD471D.1070908@cs.stanford.edu>
References: <42DD471D.1070908@cs.stanford.edu>
Message-ID: <1121806809.29159.124.camel@localhost>

Hey there, distance worker! :)

On Tue, 2005-07-19 at 11:31 -0700, Martin Casado wrote:
> I'm doing a bit of string processing and would like to expose the
> BroString::ToUpper(..) to the script as well as provide a case insensitive
> string (or r.e.) matching method. Do these methods currently exist?

bro.bif.bro has

    global to_lower: function(str: string): string;
    global to_upper: function(str: string): string;

The string functions should really be renamed/namespaced to a more consistent scheme because at the moment it's unfortunately a bit of a pain to identify them. :(

> If not, may I implement them with hopes of
> integrating them into the main source branch?

I've recently added some string algorithms to my tree too, so I'd hope there is hope! :)

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

From: christian at whoop.org (Christian Kreibich)
Date: Tue, 19 Jul 2005 14:15:36 -0700
Subject: [Bro] String methods
In-Reply-To: <1121806809.29159.124.camel@localhost>
References: <42DD471D.1070908@cs.stanford.edu> <1121806809.29159.124.camel@localhost>
Message-ID: <1121807736.29159.136.camel@localhost>

ps: for the use of regexes check

http://www.bro-ids.org/Bro-reference-manual/Patterns.html

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: adayadil.thomas at gmail.com (Adayadil Thomas)
Date: Tue, 19 Jul 2005 17:16:04 -0400
Subject: [Bro] Protocol Detection/Decoding
Message-ID:

Greetings !

Does Bro do protocol detection and decoding ? .. HTTP/FTP/any other/ detection when web server/ftpserver/any server/ is running on a non standard port ?

Thanks

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Tue, 19 Jul 2005 18:20:24 -0300
Subject: [Bro] Empty reports!!
References: <020801c5768f$351a3cc0$cbd1a8c0@uolcorp.intranet> <6F6476F4-4FE5-4EAB-A20D-A5AC2D56FA7C@lbl.gov>
Message-ID: <004801c58ca7$afa6abd0$cbd1a8c0@uolcorp.intranet>

Brian,

Do you have some news about the report project? I didn't obtain results with reports, it generates empty. :(

And I need to analyse the alerts in detail. I need to identify if alerts are scan or what kind of attacks, or if they are false positives. Do you understand me?

The logs are not enough to obtain this information.

Thanks
Angelita

----- Original Message -----
From: "Brian Tierney"
To: "Angelita de Cássia Corrêa"
Cc: ;
Sent: Monday, June 27, 2005 6:21 PM
Subject: Re: [Bro] Empty reports!!

The report generation component of Bro is very much still in the "pre-alpha" stages, and the student who was working on this is now working on another project.

I'll try to answer a couple of your questions:

1) scan reporting is off by default, the reports were too long with all the scans included (I'm not sure how to turn them on)
2) by default, the report scripts look for "yesterday's" data, so you have to collect 1 day's data, then run the report
3) there should be nothing in the /usr/local/bro/archive directory unless you are running the cron script: bro_log_compress.sh

You'll likely need to modify the report generation scripts by hand to get them to generate exactly what you want.

Hope this helps.

On Jun 21, 2005, at 11:29 AM, Angelita de Cássia Corrêa wrote:

> Administrators,
>
> I have bro version bro-0.9a9 running. I see files in /usr/local/bro/logs
> correctly, but the reports are empty.
>
> The other problem is the /usr/local/bro/archive directory is empty too.
>
> What can I do to generate the correct reports?
>
> I tested with one and two interfaces (eth0 and eth1), I'm using Red
> Hat Enterprise ES 3.
>
> I saw the traffic using tcpdump.
>
> Thanks!
> Angelita

-------------------------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
-------------------------------------------------------------------------------------------

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: BLTierney at lbl.gov (Brian Tierney)
Date: Wed, 20 Jul 2005 14:27:36 -0700
Subject: [Bro] Empty reports!!
In-Reply-To: <004801c58ca7$afa6abd0$cbd1a8c0@uolcorp.intranet>
References: <020801c5768f$351a3cc0$cbd1a8c0@uolcorp.intranet> <6F6476F4-4FE5-4EAB-A20D-A5AC2D56FA7C@lbl.gov> <004801c58ca7$afa6abd0$cbd1a8c0@uolcorp.intranet>
Message-ID: <2A3AAA73-1A79-4128-89C9-569D6B38C964@lbl.gov>

The reports are just a reformatted version of the information in the Alarm file. There is very little new info, it is just easier to read the report. Do you have lots of entries in your alarm file?

To separate "attacks" from "false positives" usually requires detailed knowledge of your traffic, and what traffic is legitimate and what is not. The reports will not help with this.

Hope this helps.

On Jul 19, 2005, at 2:20 PM, Angelita de Cássia Corrêa wrote:

> Brian,
>
> Do you have some news about the report project? I didn't obtain results
> with reports, it generates empty. :(
>
> And I need to analyse the alerts in detail. I need to identify if alerts are
> scan or what kind of attacks, or if they are false positives. Do you
> understand me?
>
> The logs are not enough to obtain this information.
>
> Thanks
> Angelita
>
> ----- Original Message -----
> From: "Brian Tierney"
> To: "Angelita de Cássia Corrêa"
> Cc: ;
> Sent: Monday, June 27, 2005 6:21 PM
> Subject: Re: [Bro] Empty reports!!
>
> The report generation component of Bro is very much still in the "pre-alpha"
> stages, and the student who was working on this is now working on another project.
>
> I'll try to answer a couple of your questions:
>
> 1) scan reporting is off by default, the reports were too long with all the
>    scans included (I'm not sure how to turn them on)
> 2) by default, the report scripts look for "yesterday's" data, so you have to
>    collect 1 day's data, then run the report
> 3) there should be nothing in the /usr/local/bro/archive directory unless you
>    are running the cron script: bro_log_compress.sh
>
> You'll likely need to modify the report generation scripts by hand to get them
> to generate exactly what you want.
>
> Hope this helps.
>
> On Jun 21, 2005, at 11:29 AM, Angelita de Cássia Corrêa wrote:
>
>> Administrators,
>>
>> I have bro version bro-0.9a9 running. I see files in /usr/local/bro/logs
>> correctly, but the reports are empty.
>>
>> The other problem is the /usr/local/bro/archive directory is empty too.
>>
>> What can I do to generate the correct reports?
>>
>> I tested with one and two interfaces (eth0 and eth1), I'm using Red
>> Hat Enterprise ES 3.
>>
>> I saw the traffic using tcpdump.
>>
>> Thanks!
>> Angelita
>
> -------------------------------------------------------------------------------------------
> Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
> 1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
> tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
> bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
> -------------------------------------------------------------------------------------------
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------------------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://dsd.lbl.gov/~tierney
-------------------------------------------------------------------------------------------

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Thu, 21 Jul 2005 20:48:20 -0300
Subject: Fw: [Bro] False positive
Message-ID: <002101c58e4e$ae8481c0$cbd1a8c0@uolcorp.intranet>

Hi, I saw at documentation about snort2bro, it converts Snort's signatures into Bro signatures, I think using this I will analyse the alerts like I need.

How can I obtain the snort2bro script to do this conversion? or Does the bro have another way to analyse the signatures?

Thanks
Angelita

> ----- Original Message -----
> From: "Angelita de Cássia Corrêa"
> To: "Martin Casado"
> Cc:
> Sent: Tuesday, July 19, 2005 4:21 PM
> Subject: Re: [Bro] False positive
>
> Martin,
>
> I pretend to see what alerts bro detects. This information is not enough
> to analyse if each alert is an attempt or false positive. I need alert
> information.
>
> Do you understand now?
>
> tks
> Angelita
>
> ----- Original Message -----
> From: "Martin Casado"
> To: "Angelita de Cássia Corrêa"
> Sent: Tuesday, July 19, 2005 3:23 PM
> Subject: Re: [Bro] False positive
>
> > I'm having a hard time understanding your email. Could you please be clear
> > about what you are trying to do? Also, what policy scripts are you using? Are
> > you sure bro is the appropriate tool rather than a more straightforward signature
> > detection engine such as snort?
> >
> > .m
> >
> > >Sirs,
> > >
> > >What is the best form to analyse the BRO received packets?
> > >I need to calculate how many false positives bro detected in a determined
> > >period.
> > >
> > >I didn't have success in reports, I continue receiving empty reports, then I
> > >need to analyse the logs or using other way to detect what event is a false
> > >positive and why is not.
> > >
> > >Please, can you help me?
> > >
> > >Thanks
> > >Angelita
> > >
> > >_______________________________________________
> > >Bro mailing list
> > >bro at bro-ids.org
> > >http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 21 Jul 2005 17:32:59 -0700
Subject: Fw: [Bro] False positive
In-Reply-To: <002101c58e4e$ae8481c0$cbd1a8c0@uolcorp.intranet>
References: <002101c58e4e$ae8481c0$cbd1a8c0@uolcorp.intranet>
Message-ID: <1121992379.20309.132.camel@localhost>

Hi,

On Thu, 2005-07-21 at 20:48 -0300, Angelita de Cássia Corrêa wrote:
> Hi, I saw at documentation about snort2bro, it converts Snort's signatures
> into Bro signatures, I think using this I will analyse the alerts like I
> need.
>
> How can I obtain the snort2bro script to do this conversion? or Does the
> bro have another way to analyse the signatures?

snort2bro is contained in the latest 0.9 development release and can be found in scripts/s2b/bin/. There's also some material on it at

http://www.icir.org/twiki/bin/view/Bro/SnortTwoBro

However I don't know if that information is still accurate.

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Fri, 22 Jul 2005 10:20:15 -0300
Subject: Fw: [Bro] False positive
References: <002101c58e4e$ae8481c0$cbd1a8c0@uolcorp.intranet> <1121992379.20309.132.camel@localhost>
Message-ID: <003301c58ec0$1b4a5b10$cbd1a8c0@uolcorp.intranet>

Do I need to configure all configuration files like s2b.cfg, s2b-augment.cfg? Or do I have to execute this script with another parameters to convert the signatures?

----- Original Message -----
From: "Christian Kreibich"
To: "Angelita de Cássia Corrêa"
Cc: "Bro List"
Sent: Thursday, July 21, 2005 9:32 PM
Subject: Re: Fw: [Bro] False positive

Hi,

On Thu, 2005-07-21 at 20:48 -0300, Angelita de Cássia Corrêa wrote:
> Hi, I saw at documentation about snort2bro, it converts Snort's signatures
> into Bro signatures, I think using this I will analyse the alerts like I
> need.
>
> How can I obtain the snort2bro script to do this conversion? or Does the
> bro have another way to analyse the signatures?

snort2bro is contained in the latest 0.9 development release and can be found in scripts/s2b/bin/. There's also some material on it at

http://www.icir.org/twiki/bin/view/Bro/SnortTwoBro

However I don't know if that information is still accurate.

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Fri, 22 Jul 2005 14:35:44 -0300
Subject: [Bro] False positive
References: <42D8243E.2020905@cs.stanford.edu> <1121463413.1641.64.camel@localhost> <01c201c58bab$c0f9ec00$cbd1a8c0@uolcorp.intranet> <42DC307A.1040705@lbl.gov> <00d901c58bf6$254ebce0$761ba1c8@sargitario> <42DD2D2F.5070607@lbl.gov>
Message-ID: <01cd01c58ee3$cbb62740$cbd1a8c0@uolcorp.intranet>

Hi Jason,

I need to understand more the alert, the definition of each column.

In your example, could you explain me what each column means?

Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14

Date/time: Sep 18 06:51:42
Duration of the connection: 0.153497
Origin IP: 131.243.2.87
Victim IP: 131.243.2.13
Victim Protocol: http
???: 2077
Victim Port: 80
Transport Protocol: tcp
???: 66
???: 239 *** (is this the alert SID0?)
???: RSTO
???: X
???: %14

Does the bro use SID to identify the alert description?

Thanks
Angelita

----- Original Message -----
From: "Jason Lee"
To: "Angelita de Cássia Corrêa"
Sent: Tuesday, July 19, 2005 1:41 PM
Subject: Re: [Bro] False positive

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Angelita,
>
> The logs are already in a human readable format, and they should look
> something like (from a conn.log (with altered ips)):
>
> 1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> hf just resolves the hostnames in the file:
> % ./hf /tmp/foozer
> 1000821101.824702 0.153497 foobar wakko http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 foobar wakko http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 foobar wakko http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 foobar wakko http 2115 80 tcp 80 604 RSTO X %14
>
> and cf just changes the unix timestamp to a more readable format:
> % ./cf /tmp/foozer
> Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> the manual explains all the various flags and the format of the log files.
>
> Cheers,
> jason
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFC3S0u37vOcEqHLkARApnMAJ9MRFQuWpAt1F0LIdZSdoT68wwXJgCcCXCO
> xGzMSjIPdY6JsUw5doh04uI=
> =w4bS
> -----END PGP SIGNATURE-----
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 22 Jul 2005 12:08:13 -0700
Subject: [Bro] False positive
In-Reply-To: <01cd01c58ee3$cbb62740$cbd1a8c0@uolcorp.intranet>
References: <42D8243E.2020905@cs.stanford.edu> <1121463413.1641.64.camel@localhost> <01c201c58bab$c0f9ec00$cbd1a8c0@uolcorp.intranet> <42DC307A.1040705@lbl.gov> <00d901c58bf6$254ebce0$761ba1c8@sargitario> <42DD2D2F.5070607@lbl.gov> <01cd01c58ee3$cbb62740$cbd1a8c0@uolcorp.intranet>
Message-ID: <1122059294.20309.205.camel@localhost>

Hi there,

On Fri, 2005-07-22 at 14:35 -0300, Angelita de Cássia Corrêa wrote:
> Hi Jason,
>
> I need to understand more the alert, the definition of each column.
>
> In your example, could you explain me what each column means?
>
> Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> Date/time: Sep 18 06:51:42
> Duration of the connection: 0.153497
> Origin IP: 131.243.2.87
> Victim IP: 131.243.2.13
> Victim Protocol: http
> ???: 2077

Source port.

> Victim Port: 80
> Transport Protocol: tcp
> ???: 66

Bytes sent by originator.

> ???: 239 *** (is this the alert SID0?)

Bytes sent by responder.

> ???: RSTO

Connection state:

http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html

> ???: X

Connection flags, see same URL.

> ???: %14

That's additional data as reported by the analyzer, in this case, the HTTP analyzer. You can use these for correlation (a "primary key" of sorts).

http://www.bro-ids.org/Bro-reference-manual/http-variables.html

Cheers,
Christian.

--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 22 Jul 2005 12:16:57 -0700
Subject: Fw: [Bro] False positive
In-Reply-To: <003301c58ec0$1b4a5b10$cbd1a8c0@uolcorp.intranet>
References: <002101c58e4e$ae8481c0$cbd1a8c0@uolcorp.intranet> <1121992379.20309.132.camel@localhost> <003301c58ec0$1b4a5b10$cbd1a8c0@uolcorp.intranet>
Message-ID: <1122059817.20309.213.camel@localhost>

On Fri, 2005-07-22 at 10:20 -0300, Angelita de Cássia Corrêa wrote:
> Do I need to configure all configuration files like s2b.cfg, s2b-augment.cfg
> ? Or do I have to execute this script with other parameters to convert the
> signatures?

See scripts/s2b/README, be creative, or better yet, read the code. :)

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From jrlee at lbl.gov Fri Jul 22 12:17:55 2005
From: jrlee at lbl.gov (Jason Lee)
Date: Fri, 22 Jul 2005 12:17:55 -0700
Subject: [Bro] fields in the conn.log
In-Reply-To: <01cd01c58ee3$cbb62740$cbd1a8c0@uolcorp.intranet>
References: <42D8243E.2020905@cs.stanford.edu> <1121463413.1641.64.camel@localhost> <01c201c58bab$c0f9ec00$cbd1a8c0@uolcorp.intranet> <42DC307A.1040705@lbl.gov> <00d901c58bf6$254ebce0$761ba1c8@sargitario> <42DD2D2F.5070607@lbl.gov> <01cd01c58ee3$cbb62740$cbd1a8c0@uolcorp.intranet>
Message-ID: <42E14663.3030501@lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Angelita,

http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html

Explains how the fields are structured, but it's a little out of date. I'll fill in the missing parts and see that the manual gets updated.

Given a line like this from the conn.log:

1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71

Unix Date/time: 1122055977.662564
Duration of the connection: 0.105927
Originator IP: 10.1.1.1
Responder IP: 10.2.2.2
Protocol: http
Originator port: 55985
Responder port: 80
Transport Protocol: tcp
Originator bytes sent: 735
Responder bytes sent: 12946
Flags: SF (Normal connection saw both SYN and FIN packets)
Additional Flags: L (connection was initiated locally)
Tag: %71

Now I can take my tag, and look in the http.log to find out more about that connection (I'm running the http analyzer). http.log looks like this (example):

1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2
1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])

Having said all this, the alarm.log is very different; it's a 'tagged' format that is fairly self-descriptive.

This is an example from the alarm.log file:

t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp ) tag=@42

t: time
no: notice
na: notice action
sa: source address
sp: source port
da: destination address
dp: destination port
msg: message (in this case a host has scanned 20 hosts)
tag: identifier to match this to lines in notice.log and conn.log

Now you can take the tag and look in the conn.log to find the connection (with grep):

1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142

(we can see that it didn't connect and no bytes were transferred)

Also there is a good section in the manual about alarms:
http://www.bro-ids.org/Bro-user-manual/Analysis-of-Incidents-and-Alarms.html#Analysis-of-Incidents-and-Alarms

That should help explain the sort ids.

Hope this helps.

Cheers,
jason

Angelita de Cássia Corrêa wrote:
> Hi Jason,
>
> I need to understand more the alert, the definition of each column.
>
> In your example, could you explain me what each column means?
>
> *Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66
> 239 RSTO X %14*
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70
> 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80
> 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80
> 604 RSTO X %14
> *Date/time:* Sep 18 06:51:42
> *Duration of the connection:* 0.153497
> *Origin IP*: 131.243.2.87
> *Victim IP*: 131.243.2.13
> *Victim Protocol:* http
> *???: 2077*
> *Victim Port:* 80
> *Transport Protocol:* tcp
> *???: 66*
> *???: 239 *** (is this the alert SID0?)*
> *???: RSTO*
> *???: X*
> *???: %14*
>
>
> Does the bro use SID to identify the alert description?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC4UZi37vOcEqHLkARAhkpAJ9kMmtwe8hrvMQ9J81Sj4x/s4Su1QCfZdVK
4LR1TMRj8dxXFplZPlZq3Ps=
=2q+C
-----END PGP SIGNATURE-----

From antonat at ics.forth.gr Sat Jul 23 03:01:06 2005
From: antonat at ics.forth.gr (Antonatos Spiros)
Date: Sat, 23 Jul 2005 13:01:06 +0300
Subject: [Bro] Question on bro anonymization
In-Reply-To: <42E14663.3030501@lbl.gov>
Message-ID: <200507230959.j6N9xLJC015653@webmail.ics.forth.gr>

Hi,
I am trying to use the anonymization features of bro but it seems that I can't enable it since no packets are written to output or log files. Is there any documentation about these features? Any example policy scripts?

Thanks in advance,
Antonatos Spiros

From RWinslow at lbl.gov Sat Jul 23 07:44:47 2005
From: RWinslow at lbl.gov (Roger Winslow)
Date: Sat, 23 Jul 2005 07:44:47 -0700
Subject: [Bro] Question on bro anonymization
Message-ID: <479a964748cb.4748cb479a96@lbl.gov>

Are you running on a fairly quiet link? If so it can take a long time for packets to start showing up in the logs as data is flushed to files when the handles fill, not when data arrives.

Try this in your site policy

@load file-flush # flush file writes at 10 second intervals

This will flush data to files every ten seconds. Note that the timer used here is network_time(). This means that if no data arrives time does not increment and nothing gets flushed to files.

This policy should only be used on links that are not very busy as the file flushing can get expensive the more data there is.

Have you verified that Bro is actually running after you start it? Try -> "./bro.rc status" If it shows not running then take a look at syslog or the info file.

Also make sure Bro is listening on the interface you expect. Check the info file for what interfaces Bro thinks it's listening on.

----- Original Message -----
From: Antonatos Spiros Date: Saturday, July 23, 2005 3:01 am Subject: [Bro] Question on bro anonymization > Hi, > I am trying to use the anonymization features of bro but it seems > that I can't enable it since no packets are written to output or > log files. > Is there any documentation about these features? Any example policy > scripts? > Thanks in advance, > Antonatos Spiros > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From antonat at ics.forth.gr Sat Jul 23 08:24:10 2005 From: antonat at ics.forth.gr (Antonatos Spiros) Date: Sat, 23 Jul 2005 18:24:10 +0300 Subject: [Bro] Question on bro anonymization In-Reply-To: <479a964748cb.4748cb479a96@lbl.gov> Message-ID: <200507231522.j6NFMQJC021913@webmail.ics.forth.gr> I read traffic from a 2GB trace but my problem is I don't have any example policy scripts that can help me write anonymization policies. Antonatos Spiros > -----Original Message----- 
> From: Roger Winslow [mailto:RWinslow at lbl.gov] > Sent: Saturday, July 23, 2005 5:45 PM > To: Antonatos Spiros > Cc: Bro at bro-ids.org; antonat at ics.forth.gr > Subject: Re: [Bro] Question on bro anonymization > > Are you running on a fairly quiet link? If so it can take a long time > for packets to start showing up in the logs as data is flushed to files > when the handles fill, not when data arrives. > > Try this in your site policy > @load file-flush # flush file writes at 10 second intervals > > This will flush data to files every ten seconds. Note that the timer > used here is network_time(). This means that if no data arrives time > does not increment and nothing gets flushed to files. > > This policy should only be used on links that are not very busy as the > file flushing can get expensive the more data there is. > > Have you verified that Bro is actually running after you start it? Try -> > "./bro.rc status" If it shows not running then take a look at syslog or > the info file. > > Also make sure Bro is listening on the interface you expect. Check the > info file for what interfaces Bro thinks it's listening on. > > ----- Original Message ----- > From: Antonatos Spiros > Date: Saturday, July 23, 2005 3:01 am > Subject: [Bro] Question on bro anonymization > > > Hi, > > I am trying to use the anonymization features of bro but it seems > > that I can't enable it since no packets are written to output or > > log files. > > Is there any documentation about these features? Any example policy > > scripts? > > Thanks in advance, > > Antonatos Spiros > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > From casado at cs.stanford.edu Sat Jul 23 13:05:29 2005 
From: casado at cs.stanford.edu (Martin Casado)
Date: Sat, 23 Jul 2005 13:05:29 -0700
Subject: [Bro] Question on bro anonymization
In-Reply-To: <200507231522.j6NFMQJC021913@webmail.ics.forth.gr>
References: <200507231522.j6NFMQJC021913@webmail.ics.forth.gr>
Message-ID: <42E2A309.7090109@cs.stanford.edu>

What level of anonymization are you attempting to do? If your goal is to scramble the IP addresses you can just set anonymize_ip_addr to true (see policy/anon.bro). If you are interested in sanitizing application level data, take a look at policy/ftp-anon.bro.

Note that there is a bug in the TCP rewriter which keeps data from being written to the transformation traces (remove the assert in TCP_Rewriter.cc line 721 to change it to next_packet->AppendData(data, left); ) and .. of course for rewriting, use -A from the command line.

cheers,
.martin

>I read traffic from a 2GB trace but my problem is I don't have any example
>policy scripts that can help me write anonymization policies.
>
>Antonatos Spiros
>
>
>
>
>
>>-----Original Message-----
>>From: Roger Winslow [mailto:RWinslow at lbl.gov] >>Sent: Saturday, July 23, 2005 5:45 PM >>To: Antonatos Spiros >>Cc: Bro at bro-ids.org; antonat at ics.forth.gr >>Subject: Re: [Bro] Question on bro anonymization >> >>Are you running on a fairly quiet link? If so it can take a long time >>for packets to start showing up in the logs as data is flushed to files >>when the handles fill, not when data arrives. >> >>Try this in your site policy >>@load file-flush # flush file writes at 10 second intervals >> >>This will flush data to files every ten seconds. Note that the timer >>used here is network_time(). This means that if no data arrives time >>does not increment and nothing gets flushed to files. >> >>This policy should only be used on links that are not very busy as the >>file flushing can get expensive the more data there is. >> >>Have you verified that Bro is actually running after you start it? Try -> >>"./bro.rc status" If it shows not running then take a look at syslog or >>the info file. >> >>Also make sure Bro is listening on the interface you expect. Check the >>info file for what interfaces Bro thinks it's listening on. >> >>----- Original Message ----- >>From: Antonatos Spiros >>Date: Saturday, July 23, 2005 3:01 am >>Subject: [Bro] Question on bro anonymization >> >> >> >>>Hi, >>> I am trying to use the anonymization features of bro but it seems >>>that I can't enable it since no packets are written to output or >>>log files. >>>Is there any documentation about these features? Any example policy >>>scripts? >>>Thanks in advance, >>>Antonatos Spiros >>> >>> >>>_______________________________________________ >>>Bro mailing list >>>bro at bro-ids.org >>>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >>> >>> >>> > >_______________________________________________ >Bro mailing list >bro at bro-ids.org >http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > From rpang at cs.princeton.edu Sat Jul 23 17:33:31 2005 
From: rpang at cs.princeton.edu (rpang at cs.princeton.edu)
Date: Sat, 23 Jul 2005 20:33:31 -0400
Subject: [Bro] Question on bro anonymization
In-Reply-To: <200507231522.j6NFMQJC021913@webmail.ics.forth.gr>
References: <200507231522.j6NFMQJC021913@webmail.ics.forth.gr>
Message-ID: <1122165211.42e2e1dbbc3f3@webmail.cs.princeton.edu>

Hi, Antonatos,

> I read traffic from a 2GB trace but my problem is I don't have any example
> policy scripts that can help me write anonymization policies.

You may want to check out ftp-anonymization.bro as an example (there is also a paper by Vern and me explaining the anonymization process). Besides, http-rewriter.bro is also an example of application level trace rewriting, though it does not attempt to anonymize the trace.

I wonder what kind of anonymization you are planning to perform:

1. Do you want to keep TCP/UDP payloads? If you want to keep only the TCP/IP headers, you can use tools such as tcpdpriv or our about-to-release tool tcpmkpub.

2. If you are trying to anonymize the payloads, Bro will probably be the best tool. But which application protocol do you have in the trace? HTTP? SMTP? or something else?

Thanks,
Ruoming

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From antonat at ics.forth.gr Sun Jul 24 02:29:01 2005
From: antonat at ics.forth.gr (Antonatos Spiros)
Date: Sun, 24 Jul 2005 12:29:01 +0300
Subject: [Bro] Question on bro anonymization
In-Reply-To: <1122165211.42e2e1dbbc3f3@webmail.cs.princeton.edu>
Message-ID: <200507240927.j6O9RFJC012939@webmail.ics.forth.gr>

I want to make a complex policy:
First of all, in the headers I want sequential numbering to integers and set the TTL and IP identification number to constant values.
In case of HTTP I want to remove cookies and randomize URL.
In case of FTP randomize the user name, password and file names and in all other packets just remove payload.

Antonatos Spiros

> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On > Behalf Of rpang at cs.princeton.edu > Sent: Sunday, July 24, 2005 3:34 AM > To: Antonatos Spiros > Cc: 'Roger Winslow'; Bro at bro-ids.org > Subject: RE: [Bro] Question on bro anonymization > > Hi, Antonatos, > > > I read traffic from a 2GB trace but my problem is I don't have any > example > > policy scripts that can help me write anonymization policies. > > You may want to check out ftp-anonymization.bro as an example (there is > also a > paper by Vern and I explaining the anonymization process). Besides, http- > rewriter.bro is also an example of application level trace rewriting, > though > it does not attempt to anonymize the trace. > > I wonder what kind of anonymization you are planning to perform: > > 1. Do you want to keep TCP/UDP payloads? If you want to keep only the > TCP/IP > headers, you can use tools such as tcpdpriv or our about-to-release tool > tcpmkpub. > > 2. If you are trying to anonymize the payloads, Bro will probably be the > best > tool. But which application protocol do you have in the trace? HTTP? SMTP? > or > something else? > > Thanks, > Ruoming > > ------------------------------------------------- > This mail sent through IMP: http://horde.org/imp/ > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From antonat at ics.forth.gr Sun Jul 24 02:44:55 2005 From: antonat at ics.forth.gr (Antonatos Spiros) Date: Sun, 24 Jul 2005 12:44:55 +0300 Subject: [Bro] Question on bro anonymization In-Reply-To: <200507240927.j6O9RFJC012939@webmail.ics.forth.gr> Message-ID: <200507240943.j6O9h9JC013230@webmail.ics.forth.gr> Antonatos Spiros > -----Original Message----- 
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On > Behalf Of Antonatos Spiros > Sent: Sunday, July 24, 2005 12:29 PM > To: rpang at cs.princeton.edu > Cc: 'Roger Winslow'; Bro at bro-ids.org; antonat at ics.forth.gr > Subject: RE: [Bro] Question on bro anonymization > > I want to make a complex policy: > First of all, in the headers I want sequential numbering to integers ^^^^^^^ for the IP address and > set > the TTL and IP identification number to constant values. > In case of HTTP I want to remove cookies and randomize URL. > In case of FTP randomize the user name, password and file names and in all > other packets just remove payload. > > Antonatos Spiros > > > > -----Original Message----- 
> > From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] > On > > Behalf Of rpang at cs.princeton.edu > > Sent: Sunday, July 24, 2005 3:34 AM > > To: Antonatos Spiros > > Cc: 'Roger Winslow'; Bro at bro-ids.org > > Subject: RE: [Bro] Question on bro anonymization > > > > Hi, Antonatos, > > > > > I read traffic from a 2GB trace but my problem is I don't have any > > example > > > policy scripts that can help me write anonymization policies. > > > > You may want to check out ftp-anonymization.bro as an example (there is > > also a > > paper by Vern and I explaining the anonymization process). Besides, > http- > > rewriter.bro is also an example of application level trace rewriting, > > though > > it does not attempt to anonymize the trace. > > > > I wonder what kind of anonymization you are planning to perform: > > > > 1. Do you want to keep TCP/UDP payloads? If you want to keep only the > > TCP/IP > > headers, you can use tools such as tcpdpriv or our about-to-release tool > > tcpmkpub. > > > > 2. If you are trying to anonymize the payloads, Bro will probably be the > > best > > tool. But which application protocol do you have in the trace? HTTP? > SMTP? > > or > > something else? > > > > Thanks, > > Ruoming > > > > ------------------------------------------------- > > This mail sent through IMP: http://horde.org/imp/ > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From rpang at cs.princeton.edu Sun Jul 24 08:59:24 2005 
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Sun, 24 Jul 2005 11:59:24 -0400
Subject: [Bro] Question on bro anonymization
In-Reply-To: <200507240927.j6O9RFJC012939@webmail.ics.forth.gr>
References: <200507240927.j6O9RFJC012939@webmail.ics.forth.gr>
Message-ID: <06edc1712fcbe07848514dbdc8294a77@cs.princeton.edu>

> I want to make a complex policy:
> First of all, in the headers I want sequential numbering to integers
> and set
> the TTL and IP identification number to constant values.
> In case of HTTP I want to remove cookies and randomize URL.
> In case of FTP randomize the user name, password and file names and in
> all
> other packets just remove payload.

In the case of HTTP and FTP you can follow the examples in http-rewriter.bro and ftp-anonymizer.bro. However, randomizing URL may or may not be enough for anonymization, depending on your threat model. For instance, per recent discussion with Martin Casado, Scott Crosby, and Mark Allman, we are trying to find out if combinations of content-length and last-modified-on can be used to identify pages. You are welcome to join our discussion if you are interested.

For IP header fields, Bro can sequentially number the addresses and hash IP IDs, but it does not set TTL. To do so, you can either modify the Bro code or write a program to rewrite the TTL fields in traces anonymized by Bro.

I hope it helps ...

Ruoming

From sommer at in.tum.de Mon Jul 25 02:38:22 2005
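Ruoming's reply above says Bro sequentially numbers addresses and hashes IP IDs but leaves the TTL alone, and suggests a separate program to rewrite the TTL field in the traces Bro writes. The block below is an added example of such a post-processing pass, written for this page rather than taken from Bro, from policy/anon.bro or from the tcpmkpub tool mentioned earlier in the thread. It applies all three header edits Antonatos asked for (sequential address numbering, constant TTL, constant IP ID) and then recomputes the IP header checksum and the TCP/UDP checksums that those edits invalidate, which is the step a quick hand-written rewriter most often forgets. It assumes a classic microsecond-resolution pcap with Ethernet framing, untagged frames and IPv4 only; the two-packet trace it builds is constructed test input, not captured traffic.

```python
"""Rewrite the IPv4 headers in a libpcap trace: number addresses sequentially,
pin TTL and IP ID to constants, and repair the checksums those edits break.
Added example, standard library only: classic pcap, Ethernet, untagged, IPv4."""
import socket
import struct
from typing import Dict, List, Tuple

ETH_HLEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; comes out 0 over data that already carries a correct one."""
    data = bytes(data) + b"\x00" * (len(data) % 2)  # pad odd lengths; copy, never mutate
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


class Anonymizer:
    def __init__(self, ttl: int = 64, ip_id: int = 0) -> None:
        self.ttl, self.ip_id = ttl, ip_id
        self.base = 0x0A000001                  # aliases start at 10.0.0.1
        self.addr_map: Dict[bytes, bytes] = {}  # raw address -> alias, first-seen order

    def map_addr(self, raw: bytes) -> bytes:
        if raw not in self.addr_map:
            self.addr_map[raw] = struct.pack("!I", self.base + len(self.addr_map))
        return self.addr_map[raw]

    def rewrite_frame(self, frame: bytes) -> bytes:
        if len(frame) < ETH_HLEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
            return frame  # not IPv4: passed through untouched
        ip = bytearray(frame[ETH_HLEN:])
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ihl < 20 or len(ip) < ihl:
            return frame
        proto = ip[9]
        ip[4:6] = struct.pack("!H", self.ip_id)  # constant IP ID: no per-host counter left
        ip[8] = self.ttl                          # constant TTL: no hop-count or OS hint left
        ip[12:16] = self.map_addr(bytes(ip[12:16]))
        ip[16:20] = self.map_addr(bytes(ip[16:20]))
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(ip[:ihl]))
        # TCP/UDP checksums cover a pseudo-header holding both addresses, so they
        # are stale now; recompute them when the whole segment was captured.
        seg = ip[ihl:total_len]
        min_hdr = {6: 20, 17: 8}.get(proto)
        if min_hdr and len(seg) == total_len - ihl and len(seg) >= min_hdr:
            off = 16 if proto == 6 else 6
            if not (proto == 17 and seg[off:off + 2] == b"\x00\x00"):  # UDP 0 = absent; keep
                seg[off:off + 2] = b"\x00\x00"
                pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
                csum = inet_checksum(pseudo + bytes(seg))
                if proto == 17 and csum == 0:
                    csum = 0xFFFF
                seg[off:off + 2] = struct.pack("!H", csum)
                ip[ihl:total_len] = seg
        return frame[:ETH_HLEN] + bytes(ip)


def split_pcap(data: bytes) -> Tuple[bytes, str, List[Tuple[bytes, bytes]]]:
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) traces are handled")
    records, pos = [], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        records.append((data[pos:pos + 16], data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return data[:24], endian, records


def anonymize_pcap(data: bytes, anon: Anonymizer) -> bytes:
    ghdr, _, records = split_pcap(data)
    out = [ghdr]
    for rhdr, frame in records:
        out += [rhdr, anon.rewrite_frame(frame)]  # in-place edits keep caplen, header reused
    return b"".join(out)


def build_frame(src: str, dst: str, proto: int, ttl: int, ip_id: int, segment: bytes) -> bytes:
    # Constructed IPv4-over-Ethernet frame for the sample trace, not captured traffic.
    eth = bytes(range(6)) + bytes(range(6, 12)) + ETHERTYPE_IPV4
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ip_id, 0, ttl,
                               proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", inet_checksum(ip))
    return eth + bytes(ip) + segment


def sample_pcap() -> bytes:
    # Two-packet constructed trace: a TCP SYN and a UDP reply sent without a checksum.
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 53, 40001, 8 + 5, 0) + b"hello"
    frames = [build_frame("192.0.2.10", "198.51.100.5", 6, 128, 0x1234, tcp_syn),
              build_frame("198.51.100.5", "192.0.2.10", 17, 57, 0xBEEF, udp)]
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1122000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return ghdr + b"".join(recs)
```

Feed anonymize_pcap the bytes of a trace and write the result out; the mapping lives only in Anonymizer.addr_map, so persist it if aliases must stay consistent across several traces. First-seen sequential numbering deliberately destroys prefix structure (no subnet can be inferred from an alias), which is stronger than prefix-preserving schemes but also makes the output useless for routing-level analysis. Payload sanitisation (cookies, URLs, FTP user names and file names) is a separate application-layer job, which is what the ftp-anonymizer and http-rewriter policies in the thread are for, and, per Ruoming's caveat, packet sizes and timings survive this pass untouched and can still fingerprint pages.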
From: sommer at in.tum.de (Robin Sommer)
Date: Mon, 25 Jul 2005 11:38:22 +0200
Subject: [Bro] Protocol Detection/Decoding
In-Reply-To:
References:
Message-ID: <20050725093822.GC8726@net.informatik.tu-muenchen.de>

On Tue, Jul 19, 2005 at 17:16 -0400, Adayadil Thomas wrote:
> Does Bro do protocol detection and decoding ? .. HTTP/FTP/any other/
> detection when web server/ftpserver/any server/ is running on a non
> standard port ?

Not yet, but we're working on it. It may take us a bit though until this is ready for production use as it requires significant internal changes. (Doing just *detection* is rather easy using signatures; the *decoding* part is the tricky one).

Robin

-- 
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de

From mike.muratet at torchtechnologies.com Tue Jul 26 09:42:25 2005
From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Tue, 26 Jul 2005 11:42:25 -0500
Subject: [Bro] SSL for FreeBSD/bro
Message-ID: <002201c59201$01f23400$5501a8c0@muratet>

Greetings

In an effort to get a working bro+broccoli installation, I have installed FreeBSD v5.4 on a local server. I also installed bro and broccoli. I started bro with ./bro -i xl0 -f tcp broconn.bro. (I found xl0 with ifconfig and I'm guessing it's the same thing as eth0.) I tried to run the broconn program, but it has a dependency on libssl.so that goes wanting. I'm not trying to do secure communication, it's been tough enough without it ;-) but I'm guessing it still wants the library.

I don't see anything relevant on the FreeBSD distribution disks with 'ssl' in the name. Can you point me to a source?

Thanks

Mike

From scampbell at lbl.gov Tue Jul 26 10:24:22 2005
From: scampbell at lbl.gov (scott campbell)
Date: Tue, 26 Jul 2005 10:24:22 -0700
Subject: [Bro] SSL for FreeBSD/bro
In-Reply-To: <002201c59201$01f23400$5501a8c0@muratet>
References: <002201c59201$01f23400$5501a8c0@muratet>
Message-ID: <42E671C6.4040306@lbl.gov>

Mike Muratet wrote:
> Greetings
>
> In an effort to get a working bro+broccoli installation, I have
> installed FreeBSD v5.4 on a local server. I also installed bro and
> broccoli. I started bro with ./bro -i xl0 -f tcp broconn.bro. (I found
> xl0 with ifconfig and I'm guessing it's the same thing as eth0.) I tried
> to run the broconn program, but it has a dependency on libssl.so that
> goes wanting. I'm not trying to do secure communication, it's been tough
> enough without it ;-) but I'm guessing it still wants the library.
>
> I don't see anything relevant on the FreeBSD distribution disks with
> 'ssl' in the name. Can you point me to a source?
>
> Thanks
>
> Mike
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

It is looking for the openssl library. Try running ldd on the broconn binary:

> [scottc at 8-0-46-6a-dd-e3 test]$ ldd ./broconn
> libssl.so.4 => /lib/libssl.so.4 (0x00937000)
> libcrypto.so.4 => /lib/libcrypto.so.4 (0x00b2d000)
> libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00823000)
> libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
> libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x00f97000)
> libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x0044c000)
> libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x004c1000)
> libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x002ef000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x003f0000)
> libdl.so.2 => /lib/libdl.so.2 (0x00249000)
> libz.so.1 => /usr/lib/libz.so.1 (0x008be000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x005fa000)

now make sure that the libssl.so that it wants is actually there. The numbered version of the library (in this case 4) should be a symbolic link to the libssl.so that the application is looking for. There is a configure time option for Broccoli to set openssl location info (try ./configure --help). You may also want to make sure that the path to the library is in your LD_LIBRARY_PATH environment variable.

good luck!
scott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050726/9db72609/attachment.bin

From christian at whoop.org Tue Jul 26 10:34:56 2005
From: christian at whoop.org (Christian Kreibich) Date: Tue, 26 Jul 2005 10:34:56 -0700 Subject: [Bro] SSL for FreeBSD/bro In-Reply-To: <002201c59201$01f23400$5501a8c0@muratet> References: <002201c59201$01f23400$5501a8c0@muratet> Message-ID: <1122399297.31913.50.camel@localhost> Hi Mike, On Tue, 2005-07-26 at 11:42 -0500, Mike Muratet wrote: > Greetings > > In an effort to get a working bro+broccoli installation, I have installed > FreeBSD v5.4 on a local server. I also installed bro and broccoli. I > started bro with ./bro -i xl0 -f tcp broconn.bro. (I found xl0 with ifconfig > and I'm guessing it's the same thing as eth0.) I tried to run the broconn > program, but it has a dependancy on libssl.so that goes wanting. I'm not > trying to do secure communication, it's been tough enough without it ;-) but > I'm guessing it still wants the library. > > I don't see anything relevant on the FreeBSD distribution disks with 'ssl' > in the name. Can you point me to a source? that's weird -- Broccoli's configure script does pretty detailed checks for OpenSSL (it tries to link a program using SSL_new() before it trusts libssl.so to work). Can you please send me the output of your configure run, config.log, and, as Scott suggested, the ldd output. Thanks! Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From mike.muratet at torchtechnologies.com Tue Jul 26 11:59:56 2005 
From: mike.muratet at torchtechnologies.com (Mike Muratet) Date: Tue, 26 Jul 2005 13:59:56 -0500 Subject: [Bro] SSL for FreeBSD/bro References: <002201c59201$01f23400$5501a8c0@muratet> <1122399297.31913.50.camel@localhost> Message-ID: <004c01c59214$37bb2520$5501a8c0@muratet> Christian > Hi Mike, > > On Tue, 2005-07-26 at 11:42 -0500, Mike Muratet wrote: >> Greetings >> >> In an effort to get a working bro+broccoli installation, I have installed >> FreeBSD v5.4 on a local server. I also installed bro and broccoli. I >> started bro with ./bro -i xl0 -f tcp broconn.bro. (I found xl0 with >> ifconfig >> and I'm guessing it's the same thing as eth0.) I tried to run the broconn >> program, but it has a dependancy on libssl.so that goes wanting. I'm not >> trying to do secure communication, it's been tough enough without it ;-) >> but >> I'm guessing it still wants the library. >> >> I don't see anything relevant on the FreeBSD distribution disks with >> 'ssl' >> in the name. Can you point me to a source? > > that's weird -- Broccoli's configure script does pretty detailed checks > for OpenSSL (it tries to link a program using SSL_new() before it trusts > libssl.so to work). Can you please send me the output of your configure > run, config.log, and, as Scott suggested, the ldd output. Thanks! > I have some good news, and some more good news. I checked the output from ldd broconn and it wanted libssl.so.4 and I have ver 3 on the FreeBSD system. I think what happened was that I left off the necessary flag when I untar'd your broccoli snapshot into my existing directory and so I still had the version that I copied over from the Linux box. I deleted the broccoli directory on the FreeBSD machine, untar'd your snapshot and rebuilt broccoli. It executes just fine. More importantly, it now communicates with its bro peer. Outstanding. Having killed all the alligators I can now proceed to drain the swamp. Thanks for all your (and Scott and others) patient help. 
All I can figure is that the extra layer in Linux that gives you things like iptables fouls up the communication between bro and broccoli. I have not tried broccoli on a Linux box to the bro on the FreeBSD box, but it's really not a requirement for the experiments I'm doing. I don't get out to the Bay area much anymore, but if and when I do the first round is on me. Cheers Mike From christian at whoop.org Tue Jul 26 12:27:52 2005 
From: christian at whoop.org (Christian Kreibich) Date: Tue, 26 Jul 2005 12:27:52 -0700 Subject: [Bro] SSL for FreeBSD/bro In-Reply-To: <004c01c59214$37bb2520$5501a8c0@muratet> References: <002201c59201$01f23400$5501a8c0@muratet> <1122399297.31913.50.camel@localhost> <004c01c59214$37bb2520$5501a8c0@muratet> Message-ID: <1122406072.31913.98.camel@localhost> On Tue, 2005-07-26 at 13:59 -0500, Mike Muratet wrote: > > I have some good news, and some more good news. I checked the output from Ooooh ... > ldd broconn and it wanted libssl.so.4 and I have ver 3 on the FreeBSD > system. I think what happened was that I left off the necessary flag when I > untar'd your broccoli snapshot into my existing directory and so I still had > the version that I copied over from the Linux box. I deleted the broccoli > directory on the FreeBSD machine, untar'd your snapshot and rebuilt > broccoli. It executes just fine. More importantly, it now communicates with > its bro peer. Outstanding. YAY! Excellent news. Kudos for fighting hard! :) Beware of the cache issue I pointed out the other day. Robin says he's already got a patch in the queue for it. > Having killed all the alligators I can now proceed to drain the swamp. > Thanks for all your (and Scott and others) patient help. All I can figure is > that the extra layer in Linux that gives you things like iptables fouls up > the communication between bro and broccoli. I have not tried broccoli on a > Linux box to the bro on the FreeBSD box, but it's really not a requirement > for the experiments I'm doing. Interesting. If you find out more, we'll definitely be keen to hear the details. > I don't get out to the Bay area much anymore, but if and when I do the first > round is on me. Sounds like a plan. ;) Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jmellander at lbl.gov Tue Jul 26 14:38:17 2005 
From: jmellander at lbl.gov (Jim Mellander)
Date: Tue, 26 Jul 2005 14:38:17 -0700
Subject: [Bro] Notes on compiling bro for Linksys
Message-ID: <42E6AD49.3040109@lbl.gov>

Here's a log of my cross-compiling effort of the latest public Bro distribution to run on a linksys wireless router using the openwrt.org distribution. The goal here was not to cross compile the whole bro environment, but to create a bro binary that will function as expected on the box. The scripts, etc. are copied over from a working installation.

The log appears to be one uninterrupted path of forward progress, whereas in reality, there were numerous false starts, blind alleys, head-scratching, and dumb luck involved. Hopefully, this will be of use to others attempting porting, etc. to odd platforms.

BTW the shell used is bash; if you're using another one, YMMV.

Still to be compiled are utilities (cf, etc.)

======================================================================

1. Download latest bro 0.9a9 from broids.org

2. Compile for host system (linux) and save compiled program 'bifcl' away

3. Delete tree & recreate from tarball (all we wanted from step 2 was bifcl)

4. Download openwrt buildroot, see http://downloads.openwrt.org/docs/buildroot-documentation.html

5. Build in home directory - we are really just interested in the cross-compile toolkit. (note: you may need to be running GNU Make 3.80, older versions sometimes fail - OTOH, this version fails in different ways - I compiled & put v3.80 in /usr/local/bin, the original make on my distro is 3.79.1 - so if strange make problems occur, try modifying PATH so that other make is found first). Note that only the cross compile tools in openwrt/staging_dir_mipsel/bin really need to be built, as well as the uclibc stuff (all should be there if you got thru most of the compile)

6. Set PATH to have /openwrt/staging_dir_mipsel/bin before other stuff, so cross compile will work. Go into that directory and run:

    for i in mipsel-linux-*; do ln -s $i `echo $i|sed s/mipsel-linux-//`; done

   to create gcc, etc. links (running the above probably isn't really necessary.)

7. Go into bro directory

8. Execute ./configure --build=mipsel-linux to perform cross-compile configure

9. Go into src directory, edit Makefile, comment out stuff unpacking & building libedit, edit ../config.h, uncomment line:

    #undef HAVE_READLINE

10. Copy back in previously compiled bifcl

11. Now we are going to need libpcap - so create a new directory & download libpcap-0.8.3.tar.gz to it. Unpack & go into libpcap-0.8.3

11a. Remember that PATH still needs to have the cross compile tools before compiling, etc.

12. Execute:

    ac_cv_linux_vers=2 ./configure --host=mipsel-linux --with-pcap=linux

   to perform cross-compile configure

13. Run make, should complete, and produce a libpcap.a

14. Copy libpcap.a and *.h to bro src directory

15. Go back into bro src directory, edit Makefile, modify INCLS and LIBS as follows:

   Original:

    INCLS = -I${top_srcdir}/linux-include -I${top_srcdir}/aux/libpcap-0.7.2
    LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/aux/libpcap-0.7.2 -lpcap -lresolv -ltermcap -lm

   New:

    INCLS = -I${top_srcdir}/linux-include -I${top_srcdir}/src
    LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm

16. Now remember, you've copied in the precompiled bifcl

17. Edit SerialObj.h, add line

    #define SIZEOF_LONG_LONG 8

   before message squawking about it.

18. More modifications to Makefile:

    CFLAGS = -g -O2 -DRETSIGTYPE=void -DRETSIGVAL=""
    CXXFLAGS = -g -O2 -DRETSIGTYPE=void -DRETSIGVAL="" -static

19. In util.cc need gettimeofday() - modified code to just use /dev/urandom

   Orig:

    // Gather up some entropy.
    gettimeofday((struct timeval *)(buf + pos), 0);
    pos += sizeof(struct timeval) / sizeof(uint32);

    #if defined(O_NONBLOCK)
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
    #elif defined(O_NDELAY)
    int fd = open("/dev/random", O_RDONLY | O_NDELAY);
    #else
    int fd = open("/dev/random", O_RDONLY);
    #endif

   New:

    // Gather up some entropy.
    int fd = open("/dev/urandom", O_RDONLY);

19a. Change util.cc to always include sys/time.h - previous change not necessary, but not problematic either.

20. Compile continues until final link, then get error message:

    ld: cannot find -ledit

   which indicates looking for libedit which we (supposedly) disabled - edit Makefile, change LIBS, per below:

    #LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm
    LIBS = $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm

   Next error, cannot find -ltermcap, solution: take out of LIBS above

   Next error, missing Bind functions:

    nb_dns.o(.text+0x3f0): In function `_nb_dns_mkquery':
    /tmp/bro-0.9a9/src/nb_dns.c:293: undefined reference to `__res_mkquery'
    nb_dns.o(.text+0x9b4): In function `nb_dns_activity':
    /tmp/bro-0.9a9/src/nb_dns.c:476: undefined reference to `__ns_initparse'
    nb_dns.o(.text+0xb9c):/tmp/bro-0.9a9/src/nb_dns.c:519: undefined reference to `_ns_flagdata'
    nb_dns.o(.text+0xc94):/tmp/bro-0.9a9/src/nb_dns.c:561: undefined reference to `__ns_parserr'

21. Since these are name server functions, download BIND 9.3.1 source from http://www.isc.org/index.pl?/sw/bind/ to separate directory. Go into lib/bind, run:

    ./configure --host=mipsel-linux --enable-threads --with-randomdev=/dev/urandom

   Run make until error, go into each subdir, run make until error

22. Now let's see if we have enough compiled to resolve the undefined symbols:

    $ find . -name '*.o'|xargs egrep -i 'res_mkquery|ns_initparse|ns_flagdata|ns_parserr' /dev/null
    Binary file ./nameser/ns_parse.o matches
    $ nm ./nameser/ns_parse.o
             U __dn_expand
             U __dn_skipname
             U __errno_location
             U _gp_disp
             U memset
    00000000 D _ns_flagdata
    000001a8 T __ns_initparse
    00000000 T __ns_msg_getflag
    00000384 T __ns_parserr
    00000044 T __ns_skiprr
    00000174 t setsection

    cp /home/jmel/bind/bind-9.3.1/lib/bind/nameser/ns_parse.o /tmp/bro-0.9a9/src

   Add ns_parse.o to LIBS in Makefile

   Now tackling res_mkquery, source is in lib/bind/resolv, make fails:

    /home/jmel/bind/bind-9.3.1/lib/bind/port_after.h:384: error: conflicting types for 'getnetgrent_r'
    ./../include/netdb.h:528: error: previous declaration of 'getnetgrent_r' was here

   in ../include/netdb.h getnetgrent_r is defined here:

    #ifdef __GLIBC__
    int getnetgrent_r __P((char **, char **, char **, char *, size_t));
    #endif

   Disable definition by wrapping in #if 0 / #endif

   Compiled far enough to compile res_mkquery, so copy res_mkquery.o to bro/src directory, and add to LIBS

   I actually ended up going into the top level directory of the bind build tree, and running

    ar rs libbind.a `find . -name '*.o' -print`
    ranlib libbind.a

   then copy into the bro/src directory, and add -lbind to LIBS

   Compile still fails, with missing pthread stuff, so:

   Building dietlibc 20.
pthread & friends can be gotten from another small C library: dietlibc, so download dietlibc-0.29 (search web for location) and compile in its own dir by: make -n ARCH=mipsel CROSS=mipsel-linux- all >x edit x and globallly remove -fno-pic Also, globally modify -Os to -O0 Then 'sh x' (These steps are necessary to ensure that the code is PIC, which is how Bro is compiled, and to turn off optimization, which is buggy) cd bin-mipsel ar rs libdiet.a *.o ranlib libdiet.a Then copy libdiet.a to bro/src directory, and add to LIBS in Makefile When make is run in bro/src directory, errors in linking are: Func.o(.text+0x8798): In function `bro_system(ValPList*)': /tmp/bro-0.9a9/src/bro.bif:1138: warning: warning: system() is a security risk. Use fork and execvp instead! ../src/libdiet.a(vfscanf.o)(.text+0x24): In function `vfscanf': vfscanf.c: warning: warning: the scanf functions add several kilobytes of bloat. ../src/libdiet.a(vprintf.o)(.text+0x68): In function `vprintf': vprintf.c: warning: warning: the printf functions add several kilobytes of bloat. 
../src/libdiet.a(abort.o)(.text+0x8): In function `abort': abort.c: undefined reference to `__stdio_flushall' ../src/libdiet.a(fclose.o)(.text+0x34): In function `fclose_unlocked': fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fclose.o)(.text+0x38):fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fclose.o)(.text+0x84):fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fgetc_unlocked.o)(.text+0x58): In function `fgetc_unlocked': fgetc_unlocked.c: undefined reference to `__fflush4' ../src/libdiet.a(fputc_unlocked.o)(.text+0x24): In function `fputc_unlocked': fputc_unlocked.c: undefined reference to `__fflush4' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x68): In function `free': pthread_sys_alloc.c: undefined reference to `__libc_free' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x148): In function `malloc': pthread_sys_alloc.c: undefined reference to `__libc_malloc' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x23c): In function `realloc': pthread_sys_alloc.c: undefined reference to `__libc_realloc' ../src/libdiet.a(pthread_sys_sigsuspend.o)(.text+0x28): In function `sigsuspend': pthread_sys_sigsuspend.c: undefined reference to `__libc_sigsuspend' ../src/libdiet.a(localtime_r.o)(.text+0x14): In function `localtime_r': localtime_r.c: undefined reference to `__maplocaltime' ../src/libdiet.a(localtime_r.o)(.text+0x2c):localtime_r.c: undefined reference to `__tzfile_map' So, lets just delete some functions from the library, go back in dietlibc directory, then into bin/mipsel, then delete the following files: vfscanf.o vprintf.o abort.o fclose.o fgetc_unlocked.o fputc_unlocked.o pthread_sys_alloc.o pthread_sys_sigsuspend.o localtime_r.o pthread_fgetc.o inet_ntoa_r.o getopt_data.o delete libdiet.a, then rebuild libdiet.a as indicated above, copy back into bro/src directory, run make BTW- Final LIBS in Makefile is: LIBS = $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -lm -lbind -ldiet Bro compiles!! 
$ ls -l bro -rwxrwxr-x 1 jmel jmel 10562750 Jul 26 14:23 bro $ strip bro $ ls -l bro -rwxrwxr-x 1 jmel jmel 2722728 Jul 26 14:23 bro -- Jim Mellander Incident Response Manager Computer Protection Program Lawrence Berkeley National Laboratory (510) 486-7204 Your fortune for today is: You may be recognized soon. Hide. From mike.muratet at torchtechnologies.com Tue Jul 26 15:28:33 2005 From: mike.muratet at torchtechnologies.com (Mike Muratet) Date: Tue, 26 Jul 2005 17:28:33 -0500 Subject: [Bro] Penguins think broccoli is OK Message-ID: <00c401c59231$5d3feb10$5501a8c0@muratet> Christian I just ran your latest broccoli snapshot from a Linux box connecting to the bro peer on the FreeBSD box and got it to handshake. Cool. It must have been the Linux all along. bro works right out of the box on FreeBSD. I'll keep an eye on the cache issue. Cheers Mike From christian at whoop.org Tue Jul 26 16:54:02 2005 From: christian at whoop.org (Christian Kreibich) Date: Tue, 26 Jul 2005 16:54:02 -0700 Subject: [Bro] Penguins think broccoli is OK In-Reply-To: <00c401c59231$5d3feb10$5501a8c0@muratet> References: <00c401c59231$5d3feb10$5501a8c0@muratet> Message-ID: <1122422042.31913.191.camel@localhost> On Tue, 2005-07-26 at 17:28 -0500, Mike Muratet wrote: > Christian > > I just ran your latest broccoli snapshot from a Linux box connecting to the > bro peer on the FreeBSD box and got it to handshake. Cool. It must have been > the Linux all along. bro works right out of the box on FreeBSD. I'll keep an > eye on the cache issue. Glad to hear! :) So do I get this right: as soon as you moved Bro to a BSD host, things started to work? That's great but I'm puzzled as to why that would be the case ... Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From rmcclel at sandia.gov Tue Jul 26 15:00:04 2005 
From: rmcclel at sandia.gov (Mcclelland-Bane, Randy)
Date: Tue, 26 Jul 2005 15:00:04 -0700
Subject: [Bro] Alternative from addresses in emails
Message-ID: <1122415204.23201.12.camel@sargasso.ran.sandia.gov>

Attached are a few script changes to convert bro from using the 'mail' program to sendmail. These probably aren't for everyone, but some might find them useful. My problem was that I could not change the From: address when using 'mail.' I needed to change this because of testing on a machine which did not have a fqdn and was sending to an external email address, which blocked the invalid
From: header which was created by 'mail.'

Thanks,
Randy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail_notice.sh
Type: application/x-shellscript
Size: 504 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050726/8385732d/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail_reports.sh
Type: application/x-shellscript
Size: 1600 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050726/8385732d/attachment-0001.bin
-------------- next part --------------
# Source file config for running bro
# On a linux system this file will normally exist in /etc/sysconfig
# and will have the same filename as the RC start script which calls it.
# On a FreeBSD machine this file will normally reside in /usr/local/etc
# and will have the same filename as the RC start script which calls it.

# The following variables are exported and needed by Bro at runtime
# These are mostly undocumented. arrrrrr!!!!!!
# BROLOGS
# BROHOME
# BROPATH

# host only format
BRO_HOSTNAME=`hostname | awk -F. ' { print } '`
# FQDN format
# HOSTNAME=`hostname`

# Directory containing Bro binaries
BRO_BIN_DIR="${BROHOME}/bin"

# Filename of the Bro start policy
# START_POLICY="default.bro"
BRO_START_POLICY="localhost.bro"

# Directory containing Bro logs
BROLOGS="${BROHOME}/logs"
export BROLOGS

# Log archive directory
BRO_LOG_ARCHIVE="${BROHOME}/archive"

# Directory containing Bro signature files
BRO_SIG_DIR="${BROHOME}/site"

# Bro policy paths
BROPATH="${BROHOME}/policy:${BROHOME}/site"
export BROPATH

# Location of site specific policy and configurations
BROSITE="${BROHOME}/site"

# Location of host specific policy and configurations
BROHOST="${BROHOME}/host"

# A prefix to use when looking for local policy files to load.
# BRO_PREFIX="local"

# Location of the Bro executable
BRO="${BRO_BIN_DIR}/bro"

# Base command line options.
BRO_ADD_OPTS=" -W"
# Turn on Bro's Watchdog feature
BRO_OPTS="${BRO_ADD_OPTS}"

# Interface name to listen on. The default is to use the busiest one found.
BRO_CAPTURE_INTERFACE=""
# Multiple interfaces should be specified as a space delimited list.
# Examples:
# CAPTURE_INTERFACE="sk0 sk1 sk5"
# CAPTURE_INTERFACE="eth0 eth3"
# CAPTURE_INTERFACE="eth0"

# If set to YES and there are any signature files ending with .bro in $SIG_DIR
# then they will be started with bro. Set to NO to disable signatures
# Set to YES to enable bro to run with 'signature matching' on (YES/NO)
BRO_USE_SIGNATURES=YES

# Should a trace (tcpdump) file be created in the log directory (YES/NO)
BRO_CREATE_TRACE_FILE=NO

# How long to wait during checkpointing after starting a new Bro process and
# stopping the old one. This value is in seconds
BRO_CHECKPOINT_OVERLAP_TIME=20

# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
BRO_REPORT_START_TIME=0000

# How often (in hours) to generate an activity report
BRO_REPORT_INTERVAL=24

# This is how often to rotate the logs (in hours)
BRO_LOG_ROTATE_INTERVAL=24

# This is how often to restart bro (in hours)
BRO_CHECKPOINT_INTERVAL=24

# The maximum time allowed for a Bro process to cleanup and exit
# This value is in seconds
BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours

# Use this to enable the init script to autorestart Bro in the event of an
# unexpected shutdown. The value should be YES or NO
BRO_ENABLE_AUTORESTART="YES"

# A value less than 1 means there will be no limit to the number of restarts
# Maximum times to try to auto-restart Bro before giving up.
BRO_MAX_RESTART_ATTEMPTS=-1

# Location of the run-time variable directory. This is normally /var/run/bro
# and contains the pidfile and other temporal data.
BRO_RUNTIME_DIR=""

# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="bro at localhost"

# Email address to send from
BRO_EMAIL_FROM="bro at localhost"

# Do you want to send external reports to an incident reporting org (e.g.: CERT, CIAC, etc)
BRO_EMAIL_EXTERNAL="NO"

# Email address for remote reports to be mailed to
BRO_EMAIL_REMOTE="BRO-IDS at bro-ids.org"

# User id to install and run Bro under
BRO_USER_ID=""

# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
BRO_SITE_NAME=""

# Do you want to encrypt email reports (YES/NO)
BRO_ENCRYPT_EMAIL="NO"

# Location of GPG binary for encrypting email
BRO_GPG_BIN="/usr/local/bin/gpg"

# Default BPF buffer
BRO_BPF_BUFSIZE=4194304

# Do BPF bonding
BRO_BPFBOND_ENABLE="NO"
# Interfaces to bond
BRO_BPFBOND_FLAGS="em0 em1"

# diskspace management settings
# Should I manage diskspace
BRO_DISKSPACE_ENABLE="YES"
# percent full to worry about
BRO_DISKSPACE_PCT=90
# account watching disk space
BRO_DISKSPACE_WATCHER="root"
# days before deleting old logs
BRO_DAYS_2_DELETION=45
# days before compressing logs
BRO_DAYS_2_COMPRESSION=20

# Bulk data capture settings
# Bulk data directory
BRO_BULK_DIR="${BROHOME}/bulk-trace"
# Capture filter for bulk data
BRO_BULK_CAPTURE_FILTER=""
# days before deleting bulk data
BRO_BULK_DAYS_2_DELETION=4
# days before compressing bulk data
BRO_BULK_DAYS_2_COMPRESSION=2

# location of sorted log files, needed by Brooery
BROOERY_LOGS="${BROHOME}/sorted-logs"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro_config
Type: application/x-shellscript
Size: 29150 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050726/8385732d/attachment-0002.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro_config.in
Type: application/x-shellscript
Size: 29058 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20050726/8385732d/attachment-0003.bin

From mike.muratet at torchtechnologies.com Wed Jul 27 06:43:56 2005
From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Wed, 27 Jul 2005 08:43:56 -0500
Subject: [Bro] Penguins think broccoli is OK
References: <00c401c59231$5d3feb10$5501a8c0@muratet> <1122422042.31913.191.camel@localhost>
Message-ID: <00d301c592b1$3caa0810$5501a8c0@muratet>

Christian

>> I just ran your latest broccoli snapshot from a Linux box connecting to the
>> bro peer on the FreeBSD box and got it to handshake. Cool. It must have been
>> the Linux all along. bro works right out of the box on FreeBSD. I'll keep an
>> eye on the cache issue.
>
> Glad to hear! :)
>
> So do I get this right: as soon as you moved Bro to a BSD host, things
> started to work? That's great but I'm puzzled as to why that would be
> the case ...
>

Yes. You'd think that at that level the operating systems should meet the same requirements, but they don't. If I had the resources, I'd try to figure out why, but I'm behind as it is.

Mike

From angelita at uol.com.br Wed Jul 27 06:52:20 2005
From: angelita at uol.com.br (Angelita de Cássia Corrêa)
Date: Wed, 27 Jul 2005 10:52:20 -0300
Subject: [Bro] fields in the conn.log
Message-ID: <007f01c592b2$694b8c80$cbd1a8c0@uolcorp.intranet>

----- Original Message -----
From: "Angelita de Cássia Corrêa"
To: "Jason Lee"
Cc: "Angelita"
Sent: Wednesday, July 27, 2005 9:56 AM
Subject: Re: [Bro] fields in the conn.log

I can consider false positive when no bytes were transferred, do you agree?

Like your example:

1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142
(we can see that it didn't connect and no bytes were transferred)

----- Original Message -----
From: "Jason Lee"
To: "Angelita de Cássia Corrêa" ;
Sent: Friday, July 22, 2005 4:17 PM
Subject: [Bro] fields in the conn.log

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Angelita,

http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html

Explains how the fields are structured, but it's a little out of date. I'll fill in the missing parts and see that the manual gets updated.

Given a line like this from the conn.log:

1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71

Unix Date/time: 1122055977.662564
Duration of the connection: 0.105927
Originator IP: 10.1.1.1
Responder IP: 10.2.2.2
Protocol: http
Originator port: 55985
Responder port: 80
Transport Protocol: tcp
Originator bytes sent: 735
Responder bytes sent: 12946
Flags: SF (Normal connection saw both SYN and FIN packets)
Additional Flags: L (connection was initiated locally)
Tag: %71

Now I can take my tag, and look in the http.log to find out more about that connection (I'm running the http analyzer):

http.log looks like this (example):

1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2
1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])

Having said all this, the alarm.log is very different, it's a 'tagged' format that is fairly self descriptive. This is an example from the alarm.log file:

t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp ) tag=@42

t: time
no: notice
na: notice action
sa: source address
sp: source port
da: destination address
dp: destination port
msg: message (in this case a host has scanned 20 hosts)
tag: identifier to match this to lines in notice.log and conn.log:

Now you can take the tag and look in the conn.log to find the connection (with grep):

1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142
(we can see that it didn't connect and no bytes were transferred)

Also there is a good section in the manual about alarms:
http://www.bro-ids.org/Bro-user-manual/Analysis-of-Incidents-and-Alarms.html#Analysis-of-Incidents-and-Alarms

That should help explain the sort ids.

Hope this helps.

Cheers,
jason

Angelita de Cássia Corrêa wrote:
> Hi Jason,
>
> I need to understand more the alert, the definition of each column.
>
> In your example, could you explain to me what each column means?
>
> *Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66
> 239 RSTO X %14*
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70
> 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80
> 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80
> 604 RSTO X %14
> *Date/time:* Sep 18 06:51:42
> *Duration of the connection:* 0.153497
> *Origin IP*: 131.243.2.87
> *Victim IP*: 131.243.2.13
> *Victim Protocol:* http
> *???: 2077*
> *Victim Port:* 80
> *Transport Protocol:* tcp
> *???: 66*
> *???: 239 *** (is this the alert SID0?)*
> *???: RSTO*
> *???: X*
> *???: %14*
>
>
> Does the bro use SID to identify the alert description?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC4UZi37vOcEqHLkARAhkpAJ9kMmtwe8hrvMQ9J81Sj4x/s4Su1QCfZdVK
4LR1TMRj8dxXFplZPlZq3Ps=
=2q+C
-----END PGP SIGNATURE-----
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From sommer at in.tum.de Wed Jul 27 07:25:29 2005
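The conn.log and alarm.log layouts described in the message above are easy to get wrong by hand, in particular the '?' placeholders and the backslash-escaped spaces inside alarm values. What follows is an added example, not code from this thread or from Bro itself: a small Python parser for both formats in the column order the message gives, which joins alarms to connections by tag the way the message does with grep, and flags connections where no handshake completed and no bytes went either way (the S0 line Angelita asks about). The sample log lines are constructed for the example from the ones in the message; the field names, the set of "attempt only" connection states (S0, REJ, RSTOS0, SH) and the assumption that every conn.log line has exactly thirteen columns are this example's, not the manual's.

```python
import re

# Constructed sample data for this example (not real traffic). Column order
# follows the description in the message: timestamp, duration, originator,
# responder, service, originator port, responder port, transport, originator
# bytes, responder bytes, state, additional flags (L = initiated locally), tag.
# Bro writes '?' where it had no value (e.g. no duration for an unanswered SYN).
CONN_LOG = """\
1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71
1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142
1000057957.010000 0.000410 10.1.1.1 10.2.2.3 other 2222 3333 tcp 0 0 REJ X @142
"""

# alarm.log is key=value pairs; a space inside a value is escaped as '\ '.
ALARM_LOG = r"""
t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp) tag=@142
"""

CONN_FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p",
               "resp_p", "proto", "orig_bytes", "resp_bytes", "state",
               "addl", "tag")

# Connection states in which the originator never saw a completed handshake
# (assumption for this example; S0 is the one shown in the message).
ATTEMPT_STATES = {"S0", "REJ", "RSTOS0", "SH"}

# key=value, where the value runs until an unescaped space.
_ALARM_PAIR = re.compile(r"(\w+)=((?:\\.|\S)*)")


def _opt(value, conv):
    """Map Bro's '?' (value unknown) to None, otherwise convert."""
    return None if value == "?" else conv(value)


def parse_conn_line(line):
    """Split one conn.log line into typed fields; refuse malformed lines."""
    parts = line.split()
    if len(parts) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(parts)}: {line!r}")
    rec = dict(zip(CONN_FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    rec["duration"] = _opt(rec["duration"], float)
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    rec["orig_bytes"] = _opt(rec["orig_bytes"], int)
    rec["resp_bytes"] = _opt(rec["resp_bytes"], int)
    return rec


def parse_alarm_line(line):
    """Parse a tagged alarm.log line, undoing the backslash escapes and
    splitting port/proto pairs such as sp=2222/tcp."""
    rec = {}
    for key, raw in _ALARM_PAIR.findall(line):
        rec[key] = re.sub(r"\\(.)", r"\1", raw)
    for side in ("sp", "dp"):
        if side in rec and "/" in rec[side]:
            port, proto = rec[side].split("/", 1)
            rec[side], rec[side + "_proto"] = int(port), proto
    return rec


def no_payload(rec):
    """True when neither side sent application bytes ('?' counts as none)."""
    return not rec["orig_bytes"] and not rec["resp_bytes"]


def attempt_only(rec):
    """True for connections that never completed a handshake and carried no data."""
    return rec["state"] in ATTEMPT_STATES and no_payload(rec)


def correlate(conn_text, alarm_text):
    """Join each alarm to the conn.log records carrying the same tag, which is
    what the message does by hand with grep."""
    by_tag = {}
    for line in conn_text.splitlines():
        if line.strip():
            rec = parse_conn_line(line)
            by_tag.setdefault(rec["tag"], []).append(rec)
    joined = []
    for line in alarm_text.splitlines():
        if line.strip():
            alarm = parse_alarm_line(line)
            joined.append((alarm, by_tag.get(alarm.get("tag"), [])))
    return joined


if __name__ == "__main__":
    for alarm, conns in correlate(CONN_LOG, ALARM_LOG):
        print(f"{alarm['no']} from {alarm['sa']}: {alarm['msg']}")
        for c in conns:
            verdict = "attempt only, no payload" if attempt_only(c) else "data exchanged"
            print(f"  {c['tag']} {c['orig_h']}:{c['orig_p']} -> {c['resp_h']}:{c['resp_p']} "
                  f"{c['state']} orig={c['orig_bytes']} resp={c['resp_bytes']} ({verdict})")
```

The strict column count in parse_conn_line is deliberate: a line with a different number of fields is more likely a different log version or a damaged file than a valid record, and silently shifting columns would put byte counts where ports belong.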
From: sommer at in.tum.de (Robin Sommer)
Date: Wed, 27 Jul 2005 16:25:29 +0200
Subject: [Bro] Penguins think broccoli is OK
In-Reply-To: <00d301c592b1$3caa0810$5501a8c0@muratet>
References: <00c401c59231$5d3feb10$5501a8c0@muratet> <1122422042.31913.191.camel@localhost> <00d301c592b1$3caa0810$5501a8c0@muratet>
Message-ID: <20050727142529.GA3749@net.informatik.tu-muenchen.de>

On Wed, Jul 27, 2005 at 08:43 -0500, Mike Muratet wrote:

> Yes. You'd think that at that level the operating systems should meet the
> same requirements, but they don't.

Interesting. FWIW, I am using the communication code on both Linux and FreeBSD systems, and haven't encountered such problems yet.

> If I had the resources, I'd try to figure
> out why, but I'm behind as it is.

Sure. Just in case you find any indication what may be going on, please let us know.

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de

From mike.muratet at torchtechnologies.com Wed Jul 27 07:37:22 2005
From: mike.muratet at torchtechnologies.com (Mike Muratet)
Date: Wed, 27 Jul 2005 09:37:22 -0500
Subject: [Bro] Penguins think broccoli is OK
References: <00c401c59231$5d3feb10$5501a8c0@muratet> <1122422042.31913.191.camel@localhost> <00d301c592b1$3caa0810$5501a8c0@muratet> <20050727142529.GA3749@net.informatik.tu-muenchen.de>
Message-ID: <012201c592b8$b4c56400$5501a8c0@muratet>

Robin

> On Wed, Jul 27, 2005 at 08:43 -0500, Mike Muratet wrote:
>
>> Yes. You'd think that at that level the operating systems should meet the
>> same requirements, but they don't.
>
> Interesting. FWIW, I am using the communication code on both Linux
> and FreeBSD systems, and haven't encountered such problems yet.
>
>> If I had the resources, I'd try to figure
>> out why, but I'm behind as it is.
>
> Sure. Just in case you find any indication what may be going on,
> please let us know.
>

I will. Which Linux are you using? I believe that there is an extra layer in Red Hat Linux as in the iptables function (at least that's what I've been told) that gives it a built-in firewall. I have had problems with ssh/ftp/etc on another system that required me to go in and make changes to the iptables. An earlier sysadmin had apparently gone in and enabled the firewall after a hack attempt. That's where I would (will) start looking.

Cheers
Mike

From sommer at in.tum.de Wed Jul 27 08:15:39 2005
From: sommer at in.tum.de (Robin Sommer)
Date: Wed, 27 Jul 2005 17:15:39 +0200
Subject: [Bro] Penguins think broccoli is OK
In-Reply-To: <012201c592b8$b4c56400$5501a8c0@muratet>
References: <00c401c59231$5d3feb10$5501a8c0@muratet> <1122422042.31913.191.camel@localhost> <00d301c592b1$3caa0810$5501a8c0@muratet> <20050727142529.GA3749@net.informatik.tu-muenchen.de> <012201c592b8$b4c56400$5501a8c0@muratet>
Message-ID: <20050727151539.GB3749@net.informatik.tu-muenchen.de>

On Wed, Jul 27, 2005 at 09:37 -0500, Mike Muratet wrote:

> I will. Which Linux are you using? I believe that there is an extra layer

Primarily Debians running 2.6.x kernel; for development also SuSE systems.

> in Red Hat Linux as in the iptables function (at least that's what I've

That could indeed explain it. Per default, Bro/Broccoli use TCP ports 47756 (for SSL connections) and 47757 (for clear connections). If the firewall denies connections on these ports, the communication will not work.

Sorry, I forgot: Do you see anything in comm.log/remote.log which indicates that the connection can not be set up?

Robin

--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Muenchen * Phone (089) 289-18006 * sommer at in.tum.de

From christian at whoop.org Wed Jul 27 13:34:08 2005
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 27 Jul 2005 13:34:08 -0700
Subject: [Bro] Penguins think broccoli is OK
In-Reply-To: <012201c592b8$b4c56400$5501a8c0@muratet>
References: <00c401c59231$5d3feb10$5501a8c0@muratet> <1122422042.31913.191.camel@localhost> <00d301c592b1$3caa0810$5501a8c0@muratet> <20050727142529.GA3749@net.informatik.tu-muenchen.de> <012201c592b8$b4c56400$5501a8c0@muratet>
Message-ID: <1122496449.31913.249.camel@localhost>

On Wed, 2005-07-27 at 09:37 -0500, Mike Muratet wrote:
>
> I will. Which Linux are you using? I believe that there is an extra layer in
> Red Hat Linux as in the iptables function (at least that's what I've been
> told) that gives it a built-in firewall.

If permissible, "/etc/init.d/iptables stop" on the Linux box before the experiment might be a good idea, to see if anything changes ...

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From rmcclel at sandia.gov Wed Jul 27 19:18:23 2005
From: rmcclel at sandia.gov (Mcclelland-Bane, Randy)
Date: Wed, 27 Jul 2005 19:18:23 -0700
Subject: [Bro] re: Alternative from addresses in emails (diff output, and fixed)
Message-ID: <1122517103.23201.89.camel@sargasso.ran.sandia.gov>

See below for diff -u output. This is based on the development branch 0.9a9.

The last message I sent had a bug where the "To:" address wasn't set so sometimes the messages arrived to "Undisclosed recipients." That is fixed now.

These will be helpful for those of you who want a configurable FROM: address, or the ability to send a mix of encrypted/plaintext reports.

The first patch converts the bro report/notice mailing scripts and config file to use sendmail instead of mail. This allows the configuration of BRO_EMAIL_FROM in bro.cfg, which specifies the
From: address on outgoing messages. The second patch expands on the first patch slightly and adds in a failover mode in the mail_reports.sh script which will send plaintext if the gpg process fails. I put this in so that you could have some copies of the reports encrypted if you had the public key for the recipient, and leave others in plaintext if the key did not exist. There should be a more elegant way to check if public key exists and do the checking that way. Right now I'm just basing it off the process failing, but it should do key checking. * Be very careful with the second patch one as you could be sending plaintext when you don't wish it if you have errors with gpg keys, etc. * You can add in the second patch on top of the first one, but don't try it by itself. To apply either of these do: cd /path/to/bro-tar-unpacked/scripts patch < patchfile Cheers, Randy ## BEGIN FIRST PATCH --- bro.cfg.example 2004-12-03 09:37:44.000000000 -0800 +++ ../../BRO/bro.cfg.example 2005-07-26 14:47:56.000000000 -0700 @@ -106,6 +106,9 @@ # Email address for local reports to be mailed to BRO_EMAIL_LOCAL="bro at localhost" +# Email address to send from +BRO_EMAIL_FROM="bro at localhost" + # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) BRO_EMAIL_EXTERNAL="NO" --- bro_config.in 2005-02-09 00:22:02.000000000 -0800 +++ ../../BRO/bro_config.in 2005-07-26 14:47:56.000000000 -0700 @@ -334,6 +334,9 @@ # Email address for local reports to be mailed to BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}" +# Email address to send from +BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}" + # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}" export BRO_EMAIL_EXTERNAL --- mail_notice.sh 2004-12-17 15:03:47.000000000 -0800 +++ ../../BRO/mail_notice.sh 2005-07-27 16:59:55.000000000 -0700 
@@ -2,5 +2,26 @@ # # This is a sample script to provide basic email notification for # notices marked NOTICE_EMAIL . +# Usage: mail_notice "subject" recipient (optional config path) -mail -s "Bro alarm: $1" $2 +notice="/tmp/bro.notice.$$" + +# Clean up after ourselves +trap "rm -f $notice; exit" 1 2 15 + +# where are we located +base=`dirname $0` + +#set up the environment +if [ $3 ] ; then + . $3 +else + . $base/../etc/bro.cfg +fi + +echo "From:<$BRO_EMAIL_FROM>" > $notice +echo "To:<$2>" >> $notice +echo "Subject: Bro alarm: $1" >> $notice + +cat $notice | sendmail -oi -f $BRO_EMAIL_FROM $2 +rm -f $notice --- mail_reports.sh 2004-12-09 15:26:19.000000000 -0800 +++ ../../BRO/mail_reports.sh 2005-07-27 18:40:41.000000000 -0700 @@ -6,8 +6,12 @@ # # Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg) +gpg_error="" +sent_message="" +tmp_file="/tmp/bro.report.$$" + # Clean up after ourselves -trap "rm /tmp/bro.report.$$; exit" 1 2 15 +trap "rm $tmp_file; exit" 1 2 15 # where are we located base=`dirname $0` 
@@ -23,25 +27,40 @@ report=`ls -1t $BRO_REPORT_DIR/local/$BRO_SITE_NAME*.rpt | head -1` report_interval=`grep Report $report | awk '{print $6,"-",$9}'` +# set up temporary report with subject line embedded +report_subject="Subject: $BRO_HOSTNAME Report: $report_interval" + # and email it # if encrypted make sure we have a good (gpg) bin and keys if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then if [ -x $BRO_GPG_BIN ] ; then - for recpt in $BRO_EMAIL_LOCAL ; do - cat $report | $BRO_GPG_BIN --yes -ea -r $recpt|mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt + for recpt in $BRO_EMAIL_LOCAL ; do + echo "From: <$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file + cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done + sent_message="1" + rm $tmp_file else - echo "Invalid gpg bin $BRO_GPG_BIN" > /tmp/bro.report.$$ + gpg_error="1" fi -else # not ENCRYPTED - cat $report > /tmp/bro.report.$$ fi # if there was an error or we are sending unencrypted ... -if [ -r /tmp/bro.report.$$ ] ; then +if [ -z $sent_message ] ; then for recpt in $BRO_EMAIL_LOCAL ; do - cat /tmp/bro.report.$$ | mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt + echo "From: <$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report >> $tmp_file + if [ $gpg_error ] ; then + echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file + fi + cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done - rm /tmp/bro.report.$$ + rm $tmp_file fi exit 0 + ## BEGIN SECOND PATCH --- mail_reports.sh 2005-07-27 18:40:41.000000000 -0700 +++ mail_reportsMIX.sh 2005-07-27 18:40:29.000000000 -0700 
@@ -39,6 +39,13 @@ echo "To: <$recpt>" >> $tmp_file echo "$report_subject" >> $tmp_file cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file + # If the encryption fails, send it unencrypted + if [ $? -ne 0 ] ; then + echo "From:<$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report >> $tmp_file + fi cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done sent_message="1"
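Review bot: In the bro.cfg.example hunk, the added default BRO_EMAIL_FROM="bro at localhost" carries the list archive's rewriting of '@' as ' at ' (the BRO_EMAIL_LOCAL line in the context above it shows the same mangling), so anyone applying the patch as pasted here gets a sender that sendmail -f will not accept and has to restore the address form first. The comment should also say what the value is used for: the scripts put it in both the From: header and the envelope sender (-f), and a site that wants bounces to go somewhere other than the displayed From: cannot do that with one variable.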
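Review bot: In the bro_config.in hunk, BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}" inherits two bad values from the line above it: BRO_EMAIL_LOCAL defaults to the literal string NO, and mail_reports.sh treats it as a space separated recipient list (`for recpt in $BRO_EMAIL_LOCAL`), so a site with local mail disabled or with several recipients ends up with "NO" or a whole list as the sender address. Default to a single fixed mailbox instead, and add the `export BRO_EMAIL_FROM` that the neighbouring `export BRO_EMAIL_EXTERNAL` line has, so the variable is visible to anything that does not source bro.cfg directly.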
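Review bot: The mail_notice.sh hunk drops the notice body: the removed `mail -s "Bro alarm: $1" $2` read the alarm text from stdin, but the replacement writes only three header lines to $notice and pipes that file to sendmail, so stdin is never consumed and the message arrives empty. After the Subject line add an empty line (sendmail needs it to end the header block) and then `cat >> $notice` to capture stdin. Separately, `notice="/tmp/bro.notice.$$"` is a predictable name in a world-writable directory and the `>` redirect follows an existing symlink, so a local user who pre-creates /tmp/bro.notice.<pid> can make the script overwrite a file it has rights to; use `mktemp` (`notice=$(mktemp /tmp/bro.notice.XXXXXX) || exit 1`). `. $3` also sources whatever path the caller passes with no check, and "From:<$BRO_EMAIL_FROM>" lacks the space after the colon that mail_reports.sh uses.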
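Review bot: In the first mail_reports.sh hunk, tmp_file="/tmp/bro.report.$$" has the same predictable /tmp name problem as mail_notice.sh and should come from mktemp, and `trap "rm $tmp_file; exit" 1 2 15` both prints an error when the file does not exist yet (use `rm -f`) and never fires on a normal exit, so use `trap '...' 0 1 2 15` or an explicit EXIT trap rather than repeating the rm at each exit point. The two flag variables gpg_error and sent_message are fine as empty-string flags, but the tests on them later use unquoted `[ -z $sent_message ]` and `[ $gpg_error ]`; quote both.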
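Review bot: In the second mail_reports.sh hunk, the encrypted loop ignores gpg's exit status: `cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file` writes nothing when the recipient's key is missing, the headers-only message is still sent, and sent_message="1" then suppresses the plaintext path, so the "Invalid gpg bin" text only ever reaches a recipient when the -x test fails, never when encryption itself fails. Both branches also append the body straight after `echo "$report_subject" >> $tmp_file` with no blank line; sendmail reads header lines until it hits an empty one, so a report line that happens to look like a header can be swallowed into the header block. Add `echo >> $tmp_file` after the Subject line in both branches. The error note for a bad gpg binary would be more useful in the Subject, or at the top of the body, than appended after the report.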
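Review bot: In the second patch's hunk, `if [ $? -ne 0 ]` does read gpg's status (the last command in the pipeline), but the fallback then sends plaintext under the same Subject as an encrypted report, so neither the operator nor the recipient can tell that the downgrade happened. At minimum log the failure to stderr or syslog and change the Subject (for example prefix it with UNENCRYPTED), or do the key check Randy suggests up front with `$BRO_GPG_BIN --list-keys "$recpt"` and only take the plaintext path for recipients with no key. Note also that gpg without --batch may stop to ask whether to use a key that is not fully trusted, a question --yes does not answer, and from cron with no tty that failure would route every such recipient into the plaintext branch; add --batch and make the trust decision explicitly. The fallback's "From:<$BRO_EMAIL_FROM>" also drops the space used two lines above.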