From anandrajm at fastmail.fm Tue Aug 1 08:59:57 2006
From: anandrajm at fastmail.fm (Anandraj)
Date: Tue, 01 Aug 2006 08:59:57 -0700
Subject: [Bro] IPS Functionality in BRO
Message-ID: <1154447997.28228.267383104@webmail.messagingengine.com>

Hi,

I was just going through the BRO User Manual and found that BRO does some amount of prevention. I did try "IPS" by adding the following in hot.bro:

    const terminate_successful_inbound_service: table[port] of string = {
        [22/tcp] = "SSH",
    } &redef;

Also, I did change ssh.bro to the following:

    redef restrict_filters += { ["ssh"] = "port 22" };

But in vain: I could NOT prevent the SSH traffic. I was able to ssh to other machines and also other machines were able to ssh to my machine. Could somebody shed some light on this? Any pointers about BRO with IPS would be really helpful.

Thanks,
Anand
--
http://www.fastmail.fm - Access all of your messages and folders wherever you are

From vern at icir.org Tue Aug 1 23:00:06 2006
From: vern at icir.org (Vern Paxson)
Date: Tue, 01 Aug 2006 23:00:06 -0700
Subject: [Bro] IPS Functionality in BRO
In-Reply-To: <1154447997.28228.267383104@webmail.messagingengine.com> (Tue, 01 Aug 2006 08:59:57 PDT).
Message-ID: <200608020600.k72606YF080654@jaguar.icir.org>

> const terminate_successful_inbound_service: table[port] of string = {
>     [22/tcp] = "SSH",
> } &redef;
>
> Also, I did change ssh.bro to the following:
>
> redef restrict_filters += { ["ssh"] = "port 22" };
>
> But in vain: I could NOT prevent the SSH traffic.

Do you get any output? Is the "rst" tool in your path and setuid root so it can forge tear-down traffic?

Vern

From James.Collins at lackland.af.mil Wed Aug 2 08:42:04 2006
From: James.Collins at lackland.af.mil (Collins James C GG-13 AFIWC/IOZS)
Date: Wed, 2 Aug 2006 10:42:04 -0500
Subject: [Bro] Closed Network Configuration
Message-ID: <5C9C2541E47D3E49B84F5B7C3821F9BB021BF8BA@lakml06636p2.lackland.aetc.ds.af.mil>

Greetings,

Quick issue on initial set up.
As I am setting up the system on a closed network (no Internet), the system fails to start with a DNS "failure to connect" error. Any way to configure BRO to operate without having to use DNS lookups?

Jim

James Collins, DAF GG-13
Electronics Engineer, MSEE, CISSP
Air Force Information Warfare Center
Future Capabilities Division, Solutions Branch
(210) 977-6398 DSN 969

From vern at icir.org Wed Aug 2 08:46:59 2006
From: vern at icir.org (Vern Paxson)
Date: Wed, 02 Aug 2006 08:46:59 -0700
Subject: [Bro] Closed Network Configuration
In-Reply-To: <5C9C2541E47D3E49B84F5B7C3821F9BB021BF8BA@lakml06636p2.lackland.aetc.ds.af.mil> (Wed, 02 Aug 2006 10:42:04 CDT).
Message-ID: <200608021546.k72FkxGM001549@jaguar.icir.org>

> Any way to configure BRO to operate without having to use DNS lookups?

Yes, set the environment variable $BRO_DNS_FAKE.

Vern

From jaideep.chandrashekar at intel.com Wed Aug 2 14:37:49 2006
From: jaideep.chandrashekar at intel.com (Jaideep Chandrashekar)
Date: Wed, 02 Aug 2006 14:37:49 -0700
Subject: [Bro] can't get the http analyzer to print anything
Message-ID: <1154554669.32363.18.camel@jchandr1-desk.sc.intel.com>

Folks,

I'm having trouble running the http analyzer (in Bro 1-1) and would appreciate any help. Running bro in offline mode with a tcpdump file (contains several sessions on port 80) as

    % bro -r trace_incl-http.pcap http

this creates an empty http log. NO http sessions show up! When I run bro with -t, the tracefile generated does not have any http events logged.

Digging deeper, I see that in Sessions.cc, NetSessions::NewConn(..):

    //----snip-----//
    case 1080:
    case 3128:   // Default port of Squid Proxy Cache.
    case 8000:
    case 8080:
    case 8888:
        if ( http_request || http_reply )
            c = new HTTP_Conn(this, k, t, id, tp);
    //-----snip----//

the condition in the _if_ always evaluates to false.

*question*: Are http_request and http_reply, which are called here, defined somewhere?
I couldn't grep for them in src/. I'm probably doing something very silly, but non-obvious :) Any pointers to what I might be missing/doing wrong?

The pcap file and the (-t) trace file are attached. If it helps, I've attached the tracefile and also the connection log (by running the conn analyzer; this clearly shows http flows).

cheers,
-jc

-------------- next part --------------
[Attached Bro -t function/event trace omitted.]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: conn.log
Type: text/x-log
Size: 3970 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060802/823e9ee5/attachment.bin

From vern at icir.org Wed Aug 2 15:58:04 2006
From: vern at icir.org (Vern Paxson)
Date: Wed, 02 Aug 2006 15:58:04 -0700
Subject: [Bro] can't get the http analyzer to print anything
In-Reply-To: <1154554669.32363.18.camel@jchandr1-desk.sc.intel.com> (Wed, 02 Aug 2006 14:37:49 PDT).
Message-ID: <200608022258.k72Mw46Y011690@jaguar.icir.org>

> % bro -r trace_incl-http.pcap http

Confusingly, you need to use

    % bro -r trace_incl-http.pcap http-request

to see requests or

    % bro -r trace_incl-http.pcap http-reply

to see requests & replies.

You're not the first person to find this confusing, so I think for 1.2 we should change the scripts around so just using http pulls in full analysis.

Vern

From jaideep.chandrashekar at intel.com Wed Aug 2 18:47:36 2006
From: jaideep.chandrashekar at intel.com (Jaideep Chandrashekar)
Date: Wed, 02 Aug 2006 18:47:36 -0700
Subject: [Bro] can't get the http analyzer to print anything
In-Reply-To: <200608022258.k72Mw46Y011690@jaguar.icir.org>
References: <200608022258.k72Mw46Y011690@jaguar.icir.org>
Message-ID: <1154569656.32363.41.camel@jchandr1-desk.sc.intel.com>

Vern,

Thanks for the quick turn-around. Unfortunately, your suggestion doesn't seem to fix it!

    % bro -r trace_incl-http.pcap http-request

also creates an empty http.log file (so also using http-reply). [Your mail clarified things somewhat.] I see a

    ... print http_log fmt(... connection...)

in http-request.bro which should log the request in http.log. However, I still don't see http-request events being generated in the (generated with -t) trace file.

Also, here's a transcript of running in the debugger (the "new connection created" is printed in Sessions.cc, when the HTTP_Conn constructor is called).

    // -----
    % bro -d -r trace_incl-http.pcap http-request
    Policy file debugging ON.
    In bro_init() at /local/bro/policy/pcap.bro:99
    99      update_default_pcap_filter();
    (Bro [0]) break http_request
    Setting breakpoint on http_request:
    Breakpoint 1 set at http_request at /local/bro/policy/http-request.bro:60
    (Bro [1]) continue
    Continuing.
    new connection created
    new connection created
    %
    // ----- [end]----

No http_request events triggered. Any leads as to what I can try?
Also, could you tell me exactly how "events" are called in the source code (a pointer to an instance where this is done would be great)? I'm a little hazy about how the arguments are passed to the event handler. Is there an implicit mechanism to pass args? My confusion stems from http_request being defined as taking 4 args (http-rw.bif.func_def: run_time("http_request() takes exactly 4 argument(s)")), but I don't see the explicit call anywhere.

cheers,
-jc

From jaideep.chandrashekar at intel.com Thu Aug 3 10:45:52 2006
From: jaideep.chandrashekar at intel.com (Chandrashekar, Jaideep)
Date: Thu, 3 Aug 2006 10:45:52 -0700
Subject: [Bro] can't get the http analyzer to print anything
Message-ID: <5461330FA59EDB46BE9AB8AAF2C431ADE0F86B@scsmsx412.amr.corp.intel.com>

Hi,

This was resolved (the omission was on my part) by using full packet traces, rather than packet fragments. So, http-reply only works on traces collected with the -s 0 option in tcpdump.

cheers,
-jc
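The resolution above (capture with "tcpdump -s 0" so packets are not cut at the snaplen) can be checked before a trace is handed to the HTTP analyzer. The following script is an added example, not code from the list or from Bro: it parses the classic libpcap global header and per-record headers and counts records whose captured length is shorter than the on-the-wire length; the function names and the constructed sample trace are my own.

```python
"""Check a classic libpcap trace for snaplen truncation (tcpdump run without -s 0).

Added example: the layout is the standard libpcap/tcpdump file format; the
function names and the constructed sample trace are assumptions of this example.
"""
import struct
import sys

# Value of the first four bytes read as a little-endian u32, mapped to the
# struct byte-order prefix needed for the rest of the file.
_MAGIC_TO_ENDIAN = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def parse_pcap(data: bytes) -> dict:
    """Return snaplen, linktype and a (caplen, origlen) pair for every record."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    endian = _MAGIC_TO_ENDIAN.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    # Fields after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("record header cut off at offset %d" % off)
        # ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + caplen > len(data):
            raise ValueError("record body cut off at offset %d" % off)
        records.append((caplen, origlen))
        off += caplen
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def truncation_report(data: bytes) -> dict:
    """Summarise how many records lost payload bytes to the capture snaplen."""
    parsed = parse_pcap(data)
    truncated = [(c, o) for c, o in parsed["records"] if c < o]
    return {
        "snaplen": parsed["snaplen"],
        "packets": len(parsed["records"]),
        "truncated": len(truncated),
        "bytes_lost": sum(o - c for c, o in truncated),
        "complete": not truncated,
    }


def build_sample_pcap(snaplen: int, orig_lens: list) -> bytes:
    """Constructed sample: an Ethernet trace whose zero-filled bodies are clipped at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig in enumerate(orig_lens):
        caplen = min(snaplen, orig)
        out += struct.pack("<IIII", 1154393291 + i, 0, caplen, orig) + b"\x00" * caplen
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = truncation_report(fh.read())
    else:
        # No file given: use a constructed trace taken with a 96-byte snaplen.
        report = truncation_report(build_sample_pcap(96, [60, 1514, 1514]))
    print(report)
    if not report["complete"]:
        print("trace is truncated; re-capture with 'tcpdump -s 0' before running the HTTP analyzer")
```

Run it as "python check_snaplen.py trace_incl-http.pcap"; a non-zero "truncated" count is the symptom from this thread, since a full-sized HTTP request or reply cannot be reassembled from 96-byte records.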
From anandrajm at fastmail.fm Fri Aug 4 06:16:42 2006
From: anandrajm at fastmail.fm (Anandraj)
Date: Fri, 04 Aug 2006 06:16:42 -0700
Subject: [Bro] Debug Enabling
Message-ID: <1154697402.26646.267635768@webmail.messagingengine.com>

Hi,

Can someone help me on how to turn on the DEBUG messages in the BRO-0.911 current release? I did try ./configure --enable-debug and also defining #define DEBUG in main.cc. But I could not find the debug messages.

I was playing around the code to drop the Telnet packets based on connections. But BRO gets auto-restarted or stopped at a time when the timer gets invoked (seems to be the expiry timer), which invokes ConnCompress::Remove() and finally lands in tcp_conns.RemoveEntry(k), which lands in this debug msg -> internal_error(fmt("connection missing")).

Could somebody shed some light on this?

Thanks,
Anand
--
http://www.fastmail.fm - The way an email service should be

From robin at icir.org Fri Aug 4 14:29:06 2006
From: robin at icir.org (Robin Sommer)
Date: Fri, 4 Aug 2006 14:29:06 -0700
Subject: [Bro] Debug Enabling
In-Reply-To: <1154697402.26646.267635768@webmail.messagingengine.com>
References: <1154697402.26646.267635768@webmail.messagingengine.com>
Message-ID: <20060804212906.GA19291@icir.org>

On Fri, Aug 04, 2006 at 06:16 -0700, Anandraj wrote:

> I did try ./configure --enable-debug and also by defining #define DEBUG
> in main.cc.

Compiling with --enable-debug activates the "-B" command-line option, which takes a list of comma-separated tags activating different kinds of debugging output. There's no documentation of the tags yet but you can find a list of them in src/DebugLogger.cc. The output will be written to debug.log.

That said, this logging framework is one of the more recent developments and not yet consistently used across the whole system. Older parts of the code for debugging output usually depend on setting some special flag somewhere (often inside the code plus recompile) to activate (and they still require --enable-debug to be compiled in).

> I was playing around the code to drop the Telnet packets based on
> connections. But BRO gets auto-restarted or stopped at a time when the
> timer gets invoked, seems to be the expiry timer, which invokes
> ConnCompress::Remove()

Sorry, I don't really understand this...

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI     * Fax   +1 (510) 666-2956 * www.icir.org

From xajhzhqxl at sohu.com Wed Aug 9 19:42:07 2006
From: xajhzhqxl at sohu.com (XuLiang Qi)
Date: Thu, 10 Aug 2006 10:42:07 +0800
Subject: [Bro] Question Please!
Message-ID: <20060810024254.770C50016D16@smtp128.sohu.com>

Hello! Bro

Version: 0.8a88
Question: While running make install, it reports an error as follows:

    # make install
    bro /usr/local/sbin
    input in flex scanner failed
    make: *** [install] Error 2

Thanks very much!

XuLiang Qi
xajhzhqxl at sohu.com
2006-08-10

From christian at whoop.org Fri Aug 11 14:08:27 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 11 Aug 2006 14:08:27 -0700
Subject: [Bro] Question Please!
In-Reply-To: <20060810024254.770C50016D16@smtp128.sohu.com>
References: <20060810024254.770C50016D16@smtp128.sohu.com>
Message-ID: <1155330508.7728.63.camel@strangepork>

Hi there,

On Thu, 2006-08-10 at 10:42 +0800, XuLiang Qi wrote:
> Hello! Bro
>
> Version: 0.8a88
> Question: While running make install, it reports an error as follows:
>
> # make install
> bro /usr/local/sbin
> input in flex scanner failed
> make: *** [install] Error 2
>
> Thanks very much!

please use a newer version unless you have a particular reason why you want to use such an old one -- the latest available release can be found at http://www.bro-ids.org/download.html .

Cheers,
Christian.
-- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From mysurface at gmail.com Fri Aug 11 18:21:05 2006 From: mysurface at gmail.com (Ong hean kuan) Date: Sat, 12 Aug 2006 09:21:05 +0800 Subject: [Bro] make error at FC5 Message-ID: version: 0.9a11 OS: FC5 kernal: 2.6.17-1.2157_FC5 i686 GCC: gcc version 4.1.1 20060525 (Red Hat 4.1.1-1) ./configure checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets ${MAKE}... yes checking for style of include used by make... GNU checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking dependency style of gcc... gcc3 checking for flex... flex checking for flex... (cached) flex checking for yywrap in -lfl... yes checking lex output file root... lex.yy checking whether yytext is a pointer... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether make sets ${MAKE}... (cached) yes checking for gzip... gzip checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes checking for SSL_new in -lssl... yes checking whether OPENSSL_add_all_algorithms_conf is declared... yes checking for OpenSSL >= 0.9.7... yes checking for perl5... no checking for perl... /usr/bin/perl checking for chown... 
/bin/chown checking Linux kernel version... 2 checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... 64 checking for _LARGE_FILES value needed for large files... no checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking return type of signal handlers... void checking for sigset... yes checking for int32_t using gcc... yes checking for u_int32_t using gcc... yes checking for u_int16_t using gcc... yes checking for u_int8_t using gcc... yes checking whether time.h and sys/time.h may both be included... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for memory.h... (cached) yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking socket.h usability... no checking socket.h presence... no checking for socket.h... no checking for net/ethernet.h... yes checking for netinet/ether.h... yes checking for netinet/if_ether.h... yes checking for netinet/ip6.h... yes checking for socklen_t... yes checking if syslog returns int... no checking if we should declare socket and friends... no checking for working memcmp... yes checking for strftime... yes checking for strerror... yes checking for strsep... yes checking for mallinfo... yes checking for library containing inet_aton... none required checking for ns_initparse in -lresolv... no checking for ns_initparse in resolver... yes checking for tgetnum in -ltermcap... yes checking readline/readline.h usability... yes checking readline/readline.h presence... yes checking for readline/readline.h... yes checking whether byte ordering is bigendian... no checking for ns_msg... yes checking for res_mkquery... 
Using shipped pcap
Using install prefix /usr/local/bro
Compiling Bro with OpenSSL support: Yes
Using perl /usr/bin/perl
Using non-blocking main loop: No
====================================================

make
Making all in bdcat
make[4]: Entering directory `/home/hkong/download/bro-0.9a11/aux/bdcat'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/hkong/download/bro-0.9a11/aux/bdcat'
make[4]: Entering directory `/home/hkong/download/bro-0.9a11/aux'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
make[3]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
make[2]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
Making all in src
make[2]: Entering directory `/home/hkong/download/bro-0.9a11/src'
make all-am
make[3]: Entering directory `/home/hkong/download/bro-0.9a11/src'
source='main.cc' object='main.o' libtool=no \
depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src -I. -I.. -Ilibedit -I../linux-include -I../aux/libpcap-0.7.2 -O -g -O2 -c -o main.o `test -f main.cc || echo './'`main.cc
RE.h:224: error: extra qualification 'RE_Matcher::' on member 'Serialize'
RE.h:225: error: extra qualification 'RE_Matcher::' on member 'Unserialize'
Conn.h:64: error: extra qualification 'ConnID::' on member 'BuildConnKey'
make[3]: *** [main.o] Error 1
make[3]: Leaving directory `/home/hkong/download/bro-0.9a11/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/hkong/download/bro-0.9a11/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/hkong/download/bro-0.9a11'
make: *** [all] Error 2
From christian at whoop.org Mon Aug 14 13:01:50 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 14 Aug 2006 13:01:50 -0700
Subject: [Bro] make error at FC5
In-Reply-To:
References:
Message-ID: <1155585710.7728.189.camel@strangepork>

Hi,

see http://mailman.icsi.berkeley.edu/pipermail/bro/2006-June/002459.html

On Sat, 2006-08-12 at 09:21 +0800, Ong hean kuan wrote:
> version: 0.9a11
> OS: FC5
> kernel: 2.6.17-1.2157_FC5 i686
> GCC: gcc version 4.1.1 20060525 (Red Hat 4.1.1-1)
>
> ./configure
[...]

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From xajhzhqxl at sohu.com Tue Aug 15 00:55:12 2006
From: xajhzhqxl at sohu.com (齐旭亮)
Date: Tue, 15 Aug 2006 15:55:12 +0800
Subject: [Bro] Can't run /usr/local/bro/bin/bro correctly
Message-ID: <20060815075609.23062017185A@smtp128.sohu.com>

Hi there,

Thanks. I have downloaded and installed it. My OS is RedHat Linux 9.0. I open a new terminal as user bro and type "bro.rc start"; it runs successfully. If I just run /usr/local/bro/bin/bro, it reports an error:

Line 1: error: can't open bro.init

I can't understand this. Help me.

xajhzhqxl at sohu.com
2006-08-15

From vallentin at ICSI.Berkeley.EDU Tue Aug 15 01:18:56 2006
From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin)
Date: Tue, 15 Aug 2006 01:18:56 -0700
Subject: [Bro] Can't run /usr/local/bro/bin/bro correctly
In-Reply-To: <20060815075609.23062017185A@smtp128.sohu.com>
References: <20060815075609.23062017185A@smtp128.sohu.com>
Message-ID: <20060815081856.GA17724@icsi.berkeley.edu>

Hello !

On Tue, Aug 15, 2006 at 03:55:12PM +0800, 齐旭亮 wrote:
> I have downloaded and installed it.

Please use the latest version, unless you have a specific reason not to do so.
You can get the latest version from: ftp://bro-ids.org/bro-1.X-current.tar.gz

> if I just run /usr/local/bro/bin/bro, it reports an error: Line 1: error: can't open bro.init

You have to set the environment variable $BROPATH pointing to your policy directory. E.g.

export BROPATH=/usr/local/bro/policy:/my/other/policy/directories/

Bro can then find bro.init, which is located in the policy directory.

Matthias
--
Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16

From Stephen.Smith at dodig.mil Wed Aug 16 11:37:21 2006
From: Stephen.Smith at dodig.mil (Smith, Stephen G., OIG DoD)
Date: Wed, 16 Aug 2006 14:37:21 -0400
Subject: [Bro] how many sensitive domains?
Message-ID: <6E3798E4162B36459A2ED20EC5F17236063CF979@01A017MH_A.dodig.mil>

From scampbell at lbl.gov Wed Aug 16 12:40:03 2006
From: scampbell at lbl.gov (scott campbell)
Date: Wed, 16 Aug 2006 12:40:03 -0700
Subject: [Bro] how many sensitive domains?
In-Reply-To: <6E3798E4162B36459A2ED20EC5F17236063CF979@01A017MH_A.dodig.mil>
References: <6E3798E4162B36459A2ED20EC5F17236063CF979@01A017MH_A.dodig.mil>
Message-ID: <44E37493.6020009@lbl.gov>

Smith, Stephen G., OIG DoD wrote:
> I'm looking at needing to put ~400 entries in the sensitive lookup table.
> Does anyone know whether Bro will be able to handle this without freaking,
> and has anyone done this many on their own system?
>
> Thanks,
>
> Steve
>
> --
>
> Stephen G.
Smith
>
> DODIG NETSEC Division
>
> stephen.smith at dodig.mil
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

I have an instance of bro with a table that contains O(22k) entries, and there seems to be no ill effect on the system at all. As this table is part of the bottom half of the main loop in the check_scan() function, it is exercised well.

good luck!
scott

From seth at net.ohio-state.edu Tue Aug 22 21:36:57 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Wed, 23 Aug 2006 00:36:57 -0400
Subject: [Bro] Ruby bindings for Broccoli
Message-ID: <61F60D14-3268-4857-8FA1-FBBA33DDA029@net.ohio-state.edu>

Today, I released the first version of broccoli ruby bindings I've been working on. Most things work correctly, but I'd like to hear if anyone finds things that don't seem to be working.

Limited API docs are here: http://rbroccoli.rubyforge.org/
Project page is here: http://rubyforge.org/projects/rbroccoli/

To install the bindings...
1. Install rubygems (http://rubygems.org)
2. Make sure that broccoli-config is in your path
3. Run this command: sudo gem install rbroccoli

If you want to see some example applications, download the rbroccoli source tarball from here:
http://rubyforge.org/frs/download.php/12615/rbroccoli-1.1.0.tgz

The "examples" directory has three scripts that demonstrate the API. Better documentation is forthcoming.

Have fun!
.Seth

From shine_qi at sina.com Wed Aug 23 20:26:55 2006
From: shine_qi at sina.com (Shine Qi)
Date: Thu, 24 Aug 2006 11:26:55 +0800
Subject: [Bro] how to set the permission of network interface about pcap_open_live
Message-ID: <20060824032801.7A49D5DCE82@smtp.sina.com.cn>

Hi, everybody:

I just installed the bro program. When I run it with "bro -i eth0 mt", many warning messages occur, like the following:

/usr/local/bro/policy/hot.bro, line 30: warning: no such host: ph33r.the.eleet.com
/usr/local/bro/policy/scan.bro, line 104: warning: no such host: scooter2.sv.av.com
/usr/local/bro/policy/scan.bro, line 133: warning: no such host: b.root-servers.net

At last, there is an error message: problem with eth0 - pcap_open_live: socket: Operation not permitted

What should I do? Thanks very much!

cheers
Shine Qi
shine_qi at sina.com
2006-08-24

From robin at icir.org Wed Aug 23 21:22:12 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 23 Aug 2006 21:22:12 -0700
Subject: [Bro] how to set the permission of network interface about pcap_open_live
In-Reply-To: <20060824032801.7A49D5DCE82@smtp.sina.com.cn>
References: <20060824032801.7A49D5DCE82@smtp.sina.com.cn>
Message-ID: <20060824042212.GB16859@icir.org>

On Thu, Aug 24, 2006 at 11:26 +0800, Shine Qi wrote:
> /usr/local/bro/policy/scan.bro, line 133: warning: no such host: b.root-servers.net

Is DNS working on that system?

> at last, there is an error message: problem with eth0 - pcap_open_live: socket: Operation not permitted

You don't have sufficient privileges to capture packets. I presume this is Linux?
Then you need to run Bro as root (or apply a kernel patch: http://www.icir.org/robin/patches/capture_group.html)

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From kitamura.shinichi at lab.ntt.co.jp Fri Aug 25 00:12:07 2006
From: kitamura.shinichi at lab.ntt.co.jp (北村 真一)
Date: Fri, 25 Aug 2006 16:12:07 +0900
Subject: [Bro] Can Bro detect some attacks against Microsoft OS vulnerability?
Message-ID: <44EEA2C7.2060508@lab.ntt.co.jp>

Hello, all.

I have a question about Bro rules. Does Bro have some rules for detecting attacks against Microsoft OS vulnerabilities?

I attempted an attack against the MS03-026 vulnerability of Windows_XP_SP1 on VMware using Dcom attack code. However, Bro does not detect this attack.

If you have a lot of information relating to this problem, could you give me advice?

Thank you.

From jp.luiggi at free.fr Fri Aug 25 06:31:17 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Fri, 25 Aug 2006 09:31:17 -0400
Subject: [Bro] Can Bro detect some attacks against Microsoft OS vulnerability?
In-Reply-To: <44EEA2C7.2060508@lab.ntt.co.jp>
References: <44EEA2C7.2060508@lab.ntt.co.jp>
Message-ID: <20060825133117.GA19193@armada.mynetwork.local>

Hello,

As far as I know, "Bro" relies on specific network patterns to detect bad things; as soon as there's one that matches, the IDS will fire up an alarm. So if "Bro" knows about the DCOM attack, it'll send a notification.

Best regards.

On Fri, Aug 25, 2006 at 04:12:07PM +0900, 北村 真一 wrote:
> Hello, all.
>
> I have a question about Bro rules.
> Does Bro have some rules for detecting attacks against Microsoft OS
> vulnerabilities?
>
> I attempted an attack against the MS03-026 vulnerability of Windows_XP_SP1
> on VMware using Dcom attack code.
> However, Bro does not detect this attack.
>
> If you have a lot of information relating to this problem, could you
> give me advice?
>
> Thank you.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From mysurface at gmail.com Sat Aug 26 04:27:20 2006
From: mysurface at gmail.com (Ong hean kuan)
Date: Sat, 26 Aug 2006 19:27:20 +0800
Subject: [Bro] did my signature in site loaded?
Message-ID:

I am a new user here, and I have a doubt. I have a signature.sig in the site folder, and my site/mydomain.bro looks as below:

# Make any changes to policy starting HERE:

# To run signatures, uncomment the following line.
# @load brolite-sigs

@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif

Did my signature get loaded? It seems that "# @load brolite-sigs" is commented out. How do I ensure which signature is loaded and which is not?

From robin at icir.org Mon Aug 28 20:53:03 2006
From: robin at icir.org (Robin Sommer)
Date: Mon, 28 Aug 2006 20:53:03 -0700
Subject: [Bro] did my signature in site loaded?
In-Reply-To:
References:
Message-ID: <20060829035303.GC31924@icir.org>

On Sat, Aug 26, 2006 at 19:27 +0800, Ong hean kuan wrote:
> # @load brolite-sigs
>
> @ifdef ( use_signatures )
> # Load Bro signatures. This is the default file containing Bro
> # signatures.
> redef signature_files += "signatures";
> @endif

"use_signatures" is only defined when brolite-sigs is loaded so, no, the signatures are not used in this case. The most direct way to make sure that a signature file is loaded is to use the "redef" line just by itself:

redef signature_files += "signatures";

I.e., no @ifdef/@endif around it.

Hope this helps,

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org