From Stephan at rheoli.net Fri Dec 1 01:30:41 2006 
From: Stephan at rheoli.net (Stephan) Date: Fri, 1 Dec 2006 10:30:41 +0100 Subject: [Bro] Bro 1.2 under Solaris 8 In-Reply-To: <20061130025811.GD8909@icir.org> References: <20061129073110.GA16863@rheoli.net> <20061130025811.GD8909@icir.org> Message-ID: <20061201093041.GA14454@rheoli.net> Hi Robin On Wed, Nov 29, 2006 at 06:58:11PM -0800, Robin Sommer wrote: > > On Wed, Nov 29, 2006 at 08:31 +0100, Stephan wrote: > ... > > > I can compile it after some patching but it always core dumps (the > > more traffic is on the wire, the faster it core dumps). > > It's supposed to compile on Solaris without requiring patches. Can > you send us the error messages as well as which tweaks you did to > get it to compile? You are right, there are only some small patches for library problems (see attachment). > > Regarding the core dumps, can you compile a debug version (configure > --enable-debug) and send a stack backtrace? (And one thing also > worth trying is reading a larger trace instead of running live, > which as said I've never tried on Solaris). 
After compiling bro with --enable-debug the pstack output from a core dump looks like the following:
---------------
core 'core' of 2012: bin/bro -i qfe0 mt
0003d610 _ZN11TransientIDC1Ev (afecb4, 1376, 1, 400, 0, 0) + 38
000c7c18 _ZN10ConnectionC1EP11NetSessionsP7HashKeydPK6ConnID (afeca4, afd6e0, afffe8, 41d15bfc, f69522c4, ffbef1a4) + 48
00234fb8 _ZN11NetSessions7NewConnEP7HashKeydPK6ConnIDPKhi (afd6e0, afffe8, 41d15bfc, f69522c4, ffbef26c, aee1fc) + 1ec
000cee78 _ZN14ConnCompressor11InstantiateEdP7HashKeyPK6IP_Hdr (ae88e8, 41d15bfc, f69522c4, afffe8, ffbef5a0, 0) + b8
000d185c _ZN14ConnCompressor13FirstFromOrigEdP7HashKeyPK6IP_HdrPK6tcphdr (ae88e8, 41d15bfc, f69522c4, afffe8, ffbef5a0, aee1fc) + 70
000d21e8 _ZN14ConnCompressor10NextPacketEdP7HashKeyPK6IP_HdrPK11pcap_pkthdrPKh (ae88e8, 41d15bfc, f69522c4, afffe8, ffbef5a0, aed1f8) + 7a0
002358c0 _ZN11NetSessions12DoNextPacketEdPK11pcap_pkthdrPK6IP_HdrPKhi (afd6e0, 41d15bfc, f69522c4, aed1f8, ffbef5a0, aee1da) + 828
00235f34 _ZN11NetSessions10NextPacketEdPK11pcap_pkthdrPKhiP17PacketSortElement (afd6e0, 41d15bfc, f69522c4, aed1f8, aee1da, e) + 1f8
00236374 _ZN11NetSessions14DispatchPacketEdPK11pcap_pkthdrPKhiP6PktSrcP17PacketSortElement (afd6e0, 41d15bfc, f69522c4, aed1f8, aee1da, e) + 300
001bfbbc _Z19net_packet_dispatchdPK11pcap_pkthdrPKhiP6PktSrcP17PacketSortElement (41d15bfc, f69522c4, aed1f8, aee1da, e, aed1c0) + 274
001bfed8 _Z18net_packet_arrivaldPK11pcap_pkthdrPKhiP6PktSrc (41d15bfc, f69522c4, aed1f8, aee1da, e, aed1c0) + d8
001d77a4 _ZN6PktSrc7ProcessEv (aed1c0, 8, 3f78b0, 41d15bfc, f69762aa, 3fb3a8) + 190
001c0764 _Z7net_runv (1, ffbefb1c, ffbefb84, 0, 22610, 73b40) + 1d0
00073db8 main (4, ffbefcdc, ffbefcf0, 4ac508, 0, 0) + 209c
00013f5c _start (0, 0, 0, 0, 0, 0) + 5c
---------------
I will try to make some traces on static pcap files. 
> Robin > > -- > Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org > LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org Best regards, Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: bro-1.2.patch.tar.gz Type: application/x-tar-gz Size: 1526 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061201/e4edbe75/attachment.bin From dhanesh at tataelxsi.co.in Fri Dec 1 01:34:48 2006 From: dhanesh at tataelxsi.co.in (Jaya Dhanesh) Date: Fri, 1 Dec 2006 15:04:48 +0530 Subject: [Bro] TCP idle timer expiry Message-ID: <001601c7152b$f243dfe0$0637a8c0@telxsi.com> Hi, If the tcp connection is idle for some time, the connection_state_remove event handler is getting called. So the subsequent packets in the same connection don't get logged. How can I increase the tcp idle time out? The increase in the timer is also not the best solution. Is there a way where the packets get logged even after BRO removes the connection from the table? Thanks, Dhanesh. From akadams at psc.edu Fri Dec 1 04:50:09 2006 
From: akadams at psc.edu (Andrew K. Adams) Date: Fri, 01 Dec 2006 07:50:09 -0500 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <1164923962.17959.31.camel@strangepork> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> Message-ID: <46BD7F79B7790DBE6F899662@wraith.psc.edu> --On Thursday, November 30, 2006 13:59:22 -0800 Christian Kreibich wrote: > > I just tried to build the 1.2 release on OpenBSD 3.8 and it bombs out > with yet another ARP header inclusion glitch. :( Is that what you fixed? > It seems what's needed is a header check for net/ethertypes.h. As an additional data point, NetBSD 3.x needs this check as well. -aka -- Andrew K. Adams Network Engineer Pittsburgh Supercomputing Center Office: 380 Carnegie Mellon University Phone: (412) 268-5142 300 South Craig Street Fax: (412) 268-5832 Pittsburgh, PA 15213 WWW: http://www.psc.edu/~akadams/ D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E From jp.luiggi at free.fr Fri Dec 1 07:00:42 2006 
From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Fri, 01 Dec 2006 10:00:42 -0500 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <1164923962.17959.31.camel@strangepork> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> Message-ID: <20061201150042.GA12299@armada.mynetwork.local> Hello Christian, You're right, in fact, here's the process I used : - modify "configure.in" and define HAVE_OPENBSD (current test as of 1.2 was to check openbsd3) as I use OpenBSD's current. Note that I'm not sure of the need to specify the value "1" into AC_DEFINE... (I'm not yet an M4 wizard).
==== configure.in
openbsd3*)
	AM_CONDITIONAL(USE_NMALLOC, true)
	AC_DEFINE(HAVE_OPENBSD,1,[We are on a OpenBSD system])
	;;

openbsd4*)
	AM_CONDITIONAL(USE_NMALLOC, true)
	AC_DEFINE(HAVE_OPENBSD,1,[We are on a OpenBSD system])
	;;
====
- modify ARP.h as you did with an #ifdef HAVE_OPENBSD and in such this case use #include <net/ethertypes.h>
==== ARP.h
#elif HAVE_SYS_ETHERNET_H
#include <sys/ethernet.h>
#elif HAVE_OPENBSD
#include <net/ethertypes.h>
#endif
====
- modify util.cc and util.h in order to use bpf_timeval as structure for the double_to_timeval() function. (just used #ifdef HAVE_OPENBSD)
==== util.h
#ifdef HAVE_OPENBSD
extern struct bpf_timeval double_to_timeval(double t);
#else
extern struct timeval double_to_timeval(double t);
#endif
====
==== util.cc
#ifdef HAVE_OPENBSD
struct bpf_timeval double_to_timeval(double t)
	{
	struct bpf_timeval tv;
#else
struct timeval double_to_timeval(double t)
	{
	struct timeval tv;
#endif
====
- modify bro.rc (changed the name of stop() to brostop() ). Best regards. ps1 : next stage will be the use of bind libraries in order to be able to use non blocking DNS routines. ps2 : I mean by "porting", doing the job to use Bro with OpenBSD ... 
:-) On Thu, Nov 30, 2006 at 01:59:22PM -0800, Christian Kreibich wrote: > Hi, > > On Thu, 2006-11-30 at 12:08 -0500, Jean-Philippe Luiggi wrote: > > I just had to "slightly" modify "configure.in" and add some #ifdef in the > > source tree. > > I just tried to build the 1.2 release on OpenBSD 3.8 and it bombs out > with yet another ARP header inclusion glitch. :( Is that what you fixed? > It seems what's needed is a header check for net/ethertypes.h. > > On Thu, 2006-11-30 at 13:45 -0500, Jean-Philippe Luiggi wrote: > > Even if the solution seems to work, i think, it's the first stage of > > porting Bro to OpenBSD. > > It really shouldn't have to be a "port". :) Besides the ARP glitch and > the fact that nbdns is not available, is there anything else? > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jp.luiggi at free.fr Fri Dec 1 07:03:20 2006 
From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Fri, 01 Dec 2006 10:03:20 -0500 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <46BD7F79B7790DBE6F899662@wraith.psc.edu> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> <46BD7F79B7790DBE6F899662@wraith.psc.edu> Message-ID: <20061201150320.GB12299@armada.mynetwork.local> Hello Andrew, I just sent a mail with the details of the porting process i used for OpenBSD and i think there's not too much work for using NetBSD. If you want, i may try this at the end of the week. Best regards. On Fri, Dec 01, 2006 at 07:50:09AM -0500, Andrew K. Adams wrote: > > > --On Thursday, November 30, 2006 13:59:22 -0800 Christian Kreibich > wrote: > > > > > I just tried to build the 1.2 release on OpenBSD 3.8 and it bombs out > > with yet another ARP header inclusion glitch. :( Is that what you fixed? > > It seems what's needed is a header check for net/ethertypes.h. > > As an additional data point, NetBSD 3.x needs this check as well. > > > -aka > > -- > Andrew K. Adams Network Engineer > Pittsburgh Supercomputing Center Office: 380 > Carnegie Mellon University Phone: (412) 268-5142 > 300 South Craig Street Fax: (412) 268-5832 > Pittsburgh, PA 15213 WWW: http://www.psc.edu/~akadams/ > > D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From akadams at psc.edu Fri Dec 1 07:53:49 2006 
From: akadams at psc.edu (Andrew K. Adams) Date: Fri, 01 Dec 2006 10:53:49 -0500 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <20061201150320.GB12299@armada.mynetwork.local> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> <46BD7F79B7790DBE6F899662@wraith.psc.edu> <20061201150320.GB12299@armada.mynetwork.local> Message-ID: <6958229295121FDD57E0A02E@wraith.psc.edu> --On Friday, December 01, 2006 10:03:20 -0500 Jean-Philippe Luiggi wrote: > > I just sent a mail with the details of the porting process i used for > OpenBSD and i think there's not too much work for using NetBSD. Other than the ethertypes header, I remember running into some gcc C++ parsing issues. > If you want, i may try this at the end of the week. Please! I started to port Bro to NetBSD, but recently lost the spare cycles I had ... so, by all means, please go for it (thanks!) -aka -- Andrew K. Adams Network Engineer Pittsburgh Supercomputing Center Office: 380 Carnegie Mellon University Phone: (412) 268-5142 300 South Craig Street Fax: (412) 268-5832 Pittsburgh, PA 15213 WWW: http://www.psc.edu/~akadams/ D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E From jp.luiggi at free.fr Fri Dec 1 08:04:01 2006 
From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Fri, 01 Dec 2006 11:04:01 -0500 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <6958229295121FDD57E0A02E@wraith.psc.edu> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> <46BD7F79B7790DBE6F899662@wraith.psc.edu> <20061201150320.GB12299@armada.mynetwork.local> <6958229295121FDD57E0A02E@wraith.psc.edu> Message-ID: <20061201160401.GA23064@armada.mynetwork.local> Hello, Ok, i'll do my best. Best regards. On Fri, Dec 01, 2006 at 10:53:49AM -0500, Andrew K. Adams wrote: > > > --On Friday, December 01, 2006 10:03:20 -0500 Jean-Philippe Luiggi > wrote: > > > > >I just sent a mail with the details of the porting process i used for > >OpenBSD and i think there's not too much work for using NetBSD. > > Other than the ethertypes header, I remember running into some gcc C++ > parsing issues. > > >If you want, i may try this at the end of the week. > > Please! I started to port Bro to NetBSD, but recently lost the spare > cycles I had ... so, by all means, please go for it (thanks!) > > > -aka > > -- > Andrew K. Adams Network Engineer > Pittsburgh Supercomputing Center Office: 380 > Carnegie Mellon University Phone: (412) 268-5142 > 300 South Craig Street Fax: (412) 268-5832 > Pittsburgh, PA 15213 WWW: http://www.psc.edu/~akadams/ > > D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E > From christian at whoop.org Fri Dec 1 10:58:10 2006 
From: christian at whoop.org (Christian Kreibich) Date: Fri, 01 Dec 2006 10:58:10 -0800 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <20061201150042.GA12299@armada.mynetwork.local> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> <20061201150042.GA12299@armada.mynetwork.local> Message-ID: <1164999490.17959.157.camel@strangepork> Hi again, On Fri, 2006-12-01 at 10:00 -0500, Jean-Philippe Luiggi wrote: > Hello Christian, > > You're right, in fact, here's the process I used : > > - modify "configure.in" and define HAVE_OPENBSD (current test as of 1.2 was to > check openbsd3) as I use OpenBSD's current. right, "openbsd3" definitely needs to go.
> ==== configure.in
> openbsd3*)
>     AM_CONDITIONAL(USE_NMALLOC, true)
>     AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
>     ;;
>
> openbsd4*)
>     AM_CONDITIONAL(USE_NMALLOC, true)
>     AC_DEFINE(HAVE_OPENBSD,1,[We are on a OpenBSD system])
>     ;;
... or just "openbsd*)"? I'll be damned if we actually need to differentiate between the different releases.
> - modify ARP.h as you did with an #ifdef HAVE_OPENBSD and in such this case
> use #include <net/ethertypes.h>
>
> ==== ARP.h
> #elif HAVE_SYS_ETHERNET_H
> #include <sys/ethernet.h>
> #elif HAVE_OPENBSD
> #include <net/ethertypes.h>
> #endif
> ====
Yep. It'd be nicer to just add sys/ethernet.h to the header checks in configure.in, so it'll be
#elif HAVE_SYS_ETHERTYPES_H
along with the others. I'm also thinking of doing #ifdef/#endif for each of those headers instead of #ifdef/#elif/#elif/#endif. The more the merrier. :) > - modify util.cc and util.h in order to use bpf_timeval as structure for the > double_to_timeval() function. (just used #ifdef HAVE_OPENBSD) Wow, this is so weird. I could swear we've fixed this before -- this is due to OpenBSD's pcap using bpf_timeval instead of just timeval like everyone else, correct? Rather than #ifdeffing different functions, it'd be nicer to make the type difference transparent by typedefing the bpf_timeval to a timeval in the OpenBSD case. 
> - modify bro.rc (changed the name of stop() to brostop() ). Yeah. I've also noticed that there seem to be pcap versions where our API checks fail, causing the build to break since pcap_open_dead() isn't defined. We already have our own version but only use it when pcap doesn't provide pcap_freecode(), which in those cases *does* exist. This is at least the scenario I've encountered in the OpenBSD setup on Sourceforge's compile farm. > ps1 : next stage will be the use of bind libraries in order to be able to use > non blocking DNS routines. Right. We don't currently have a clear picture of why exactly the nbdns code doesn't build on OpenBSD. Patches welcome! > ps2 : I mean by "porting", doing the job to use Bro with OpenBSD ... :-) Sure. :) Thanks for your feedback. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From scampbell at lbl.gov Fri Dec 1 11:11:51 2006 
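The typedef approach Christian suggests above (one typedef for the packet timestamp type, one copy of double_to_timeval() written against it), worked through as an added example. This is not Bro 1.2 code and not part of the thread: HAVE_OPENBSD, the net/bpf.h header and the tv_sec/tv_usec layout of struct bpf_timeval are assumptions taken from the discussion, and the rounding and carry handling are choices made for this example.

```c
/*
 * Added example, not Bro's own code: make the pcap timestamp type
 * transparent with a typedef instead of #ifdef'ing two copies of
 * double_to_timeval(). HAVE_OPENBSD and the bpf_timeval layout are
 * assumed from the mailing-list discussion.
 */
#include <sys/time.h>

#ifdef HAVE_OPENBSD
#include <net/bpf.h>                 /* assumed: declares struct bpf_timeval */
typedef struct bpf_timeval pkt_timeval;
#else
typedef struct timeval pkt_timeval;  /* every other libpcap */
#endif

/* Convert a floating-point timestamp (seconds since the epoch) into the
 * packet timestamp type. Rounds to the nearest microsecond and carries
 * into tv_sec, so 2.9999999 becomes 3.000000 rather than 2.999999.
 * Packet timestamps are never negative; the floor() step is defensive. */
pkt_timeval double_to_timeval(double t)
{
    pkt_timeval tv;
    long sec;
    long usec;

    sec = (long) t;                  /* truncates toward zero ... */
    if ((double) sec > t)
        sec--;                       /* ... so step down for negative t to get floor() */

    usec = (long) ((t - (double) sec) * 1e6 + 0.5);
    if (usec >= 1000000) {           /* rounding carried into the next second */
        sec++;
        usec -= 1000000;
    }

    tv.tv_sec = sec;
    tv.tv_usec = usec;
    return tv;
}

/* Inverse conversion, handy for checking round trips. */
double timeval_to_double(pkt_timeval tv)
{
    return (double) tv.tv_sec + (double) tv.tv_usec / 1e6;
}
```

With HAVE_OPENBSD undefined this compiles against struct timeval; defining it (and having net/bpf.h available) switches the type without touching the function body, which is what the typedef buys over the #ifdef'd pair of functions in the posted patch.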
From: scampbell at lbl.gov (scott campbell) Date: Fri, 01 Dec 2006 11:11:51 -0800 Subject: [Bro] TCP idle timer expiry In-Reply-To: <001601c7152b$f243dfe0$0637a8c0@telxsi.com> References: <001601c7152b$f243dfe0$0637a8c0@telxsi.com> Message-ID: <45707E77.1090509@lbl.gov> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jaya Dhanesh wrote: > > Hi, > > If the tcp connection is idle for some time, the connection_state_remove > event handler is getting called. > So the subsequent packets in the same connection don't get logged. > > How can I increase the tcp idle time out? The increase in the timer is also > not the best solution. You can reconfigure several timer values such as:
redef tcp_SYN_timeout = X secs;
redef tcp_attempt_delay = X secs;
redef tcp_inactivity_timeout = X mins;
redef udp_inactivity_timeout = X secs;
redef icmp_inactivity_timeout = X secs;
which might help out some. See heavy-analysis.bro for a better list. > Is there a way where the packets get logged even after BRO removes the > connection from the table? > You will get a *new* connection for post-timed out data if the pcap expression allows for ACK flagged packets to be seen (such as 80/tcp with the http analyzer loaded). If not, then the FIN/RST ought to be picked up as an additional connection. If your configuration is not seeing much in the way of traffic, then it is possible to turn the timeout values quite high. They have been tuned to their current values to prevent state explosion for busy sites. scott > Thanks, > Dhanesh. > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFFcH53K2Plq8B7ZBwRAmXtAKDEcAZrfAY4p2fgT0eduRvLpe8AJwCeObvK NeLc4o3Dr0gRf3iMRj/Xinw= =Wtts -----END PGP SIGNATURE----- From vern at icir.org Fri Dec 1 16:17:13 2006 
From: vern at icir.org (Vern Paxson) Date: Fri, 01 Dec 2006 16:17:13 -0800 Subject: [Bro] What am I doing wrong here? In-Reply-To: (Wed, 29 Nov 2006 16:50:16 CST). Message-ID: <200612020017.kB20HDXF006943@jaguar.icir.org> > ... this box > really does nothing but listen and record what it hears. It has no > exposure to the internal network at all except for ssh connections > coming to it from a specifically small range of ips. I know this > reads as argumentative, but all I am trying to do is understand what > is happening and try to implement sound measures so I don't have to > rebuild this box again once a week. It would seem that just listening to network traffic, you must be safe from it. However, this is actually not the case. The problem arises from executing code to analyze the contents of the traffic you see. If this code contains flaws such as insufficiently sized buffers, then an attacker can craft traffic that will infect you *even though all you do is look at it!* Such flaws have been found in tcpdump, Ethereal, and Snort - and, even more striking, formed the basis for the Witty worm which was launched against ISS's network intrusion detection system products, infecting them via their passive analysis of network traffic. All that said, while this is a real threat against Bro, it is one you wind up living with running any IDS written in a language that is not fully type-safe. > I guess maybe I should be asking for suggestions more than anything > as to how I should set this up. The various firewalling, avoiding setuid root, etc., that have been proposed on this thread for isolating your system are all prudent steps. Vern From stephen.lau at ucsf.edu Fri Dec 1 16:20:31 2006 
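An added illustration of Vern's point above, constructed for this page: it is not Bro code and describes no Bro bug. It shows the shape of the flaw he names (a wire-supplied length driving a copy into a fixed buffer) beside the bounded version of the same decoder. The option format (kind byte, length byte, payload) and both sample packets are made up for the example.

```c
/*
 * Added example (not Bro's own code). A passive monitor executes a decoder
 * on attacker-chosen bytes, so a decoder that trusts a length field is a
 * remote hole even on a box that never sends a packet. The option format
 * and the two sample packets below are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_VALUE_MAX 16

/* Vulnerable shape: the wire-supplied length drives memcpy() into a
 * fixed-size buffer. An option whose length byte exceeds OPT_VALUE_MAX
 * overwrites whatever follows `value` in the caller's frame. Kept only
 * as the "before"; never call it on untrusted input. */
int decode_option_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t *value)
{
    uint8_t len;
    if (pkt_len < 2)
        return -1;
    len = pkt[1];
    memcpy(value, pkt + 2, len);        /* no check against pkt_len or the buffer */
    return len;
}

/* Hardened shape: every length derived from the packet is checked against
 * both the bytes actually captured and the destination capacity before any
 * copy. Returns the payload length, or -1 for a malformed option. */
int decode_option_checked(const uint8_t *pkt, size_t pkt_len,
                          uint8_t *value, size_t value_cap)
{
    uint8_t len;
    if (pkt_len < 2)
        return -1;                      /* truncated header */
    len = pkt[1];
    if ((size_t) len > pkt_len - 2)
        return -1;                      /* claims more payload than was captured */
    if ((size_t) len > value_cap)
        return -1;                      /* would overflow the caller's buffer */
    memcpy(value, pkt + 2, len);
    return len;
}

/* Constructed inputs: a benign 4-byte option, and one whose length byte
 * (0xF0 = 240) exceeds both the capture and the 16-byte buffer. */
static const uint8_t benign_pkt[]    = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t oversized_pkt[] = { 0x01, 0xF0, 'x', 'x', 'x', 'x' };

/* Run the hardened decoder over both samples; returns 1 if it accepted the
 * benign option (copying "abcd") and rejected the oversized one. */
int demo(void)
{
    uint8_t value[OPT_VALUE_MAX];
    int ok  = decode_option_checked(benign_pkt, sizeof benign_pkt, value, sizeof value);
    int bad = decode_option_checked(oversized_pkt, sizeof oversized_pkt, value, sizeof value);
    return ok == 4 && memcmp(value, "abcd", 4) == 0 && bad == -1;
}
```

The unchecked variant is exactly the pattern that turns a sniffer into a target: the attacker chooses both the length byte and the bytes that follow, so a single crafted packet on the monitored segment controls what lands past the end of `value`. The checked variant costs two comparisons per option.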
From: stephen.lau at ucsf.edu (Stephen Lau) Date: Fri, 01 Dec 2006 16:20:31 -0800 Subject: [Bro] Strange Bro build problem with yacc/bison Message-ID: <4570C6CF.9080202@ucsf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I attempted to compile Bro 1.2 on a FreeBSD 6.1 box with yacc installed and Bro complained of the following:
========
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -MT parse.o -MD -MP -MF ".deps/parse.Tpo" -c -o parse.o parse.cc; then mv -f ".deps/parse.Tpo" ".deps/parse.Po"; else rm -f ".deps/parse.Tpo"; exit 1; fi
parse.y: In function `int yyparse()':
parse.y:184: error: stray '@' in program
parse.y:184: error: stray '@' in program
parse.y:184: error: no matching function for call to `set_location(int, int)'
Obj.h:94: note: candidates are: void set_location(Location)
Obj.h:99: note: void set_location(Location, Location)
parse.y:190: error: stray '@' in program
parse.y:190: error: stray '@' in program
parse.y:190: error: no matching function for call to `set_location(int, int)'
Obj.h:94: note: candidates are: void set_location(Location)
Obj.h:99: note: void set_location(Location, Location)
parse.y:196: error: stray '@' in program
parse.y:196: error: stray '@' in program
parse.y:196: error: no matching function for call to `set_location(int, int)'
Obj.h:94: note: candidates are: void set_location(Location)
Obj.h:99: note: void set_location(Location, Location)
parse.y:202: error: stray '@' in program
parse.y:202: error: stray '@' in program
parse.y:202: error: no matching function for call to `set_location(int, int)'
Obj.h:94: note: candidates are: void set_location(Location)
Obj.h:99: note: void set_location(Location, Location)
parse.y:208: error: stray '@' in program
parse.y:208: error: stray '@' in program
parse.y:208: error: no matching function for call to `set_location(int, int)'
Obj.h:94: note: candidates are: void set_location(Location)
Obj.h:99: note: void set_location(Location, Location)
parse.y:214: error: stray '@' in program
parse.y:214: error: stray '@' in program
=========
I installed bison, did a make distclean and recompiled and it still came up with this same error. I manually removed parse.cc, did a make and it compiled fine. It looks like there's a slight bug in the Makefile under src.
distclean-compile:
	-rm -f *.tab.c
This should probably be changed to parse.cc or something to ensure that the bison outputted file gets removed on a clean. I don't know why Yacc disliked it, but it seems to work under bison properly. Steve -- +--------------------------------------------------------------------- Stephen Lau - Stephen.Lau at ucsf.edu Information Security Policy and Program Manager University of California, San Francisco 1855 Folsom, Suite 602, Box 0707, San Francisco, CA 94143 +1(415) 476-3106 (Work) +1(415) 476-1717 (Fax) PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B +--------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFFcMbNmgSrK/Y/dIsRApwZAJwJMwnnuiCF3jVjt8JEwIRbrPT/IwCff7+7 04uW/tD5RGBdwqiIJAhnOXc= =zSJZ -----END PGP SIGNATURE----- From jmellander at lbl.gov Fri Dec 1 16:27:08 2006 
From: jmellander at lbl.gov (Jim Mellander) Date: Fri, 01 Dec 2006 16:27:08 -0800 Subject: [Bro] tcp_attempt_delay In-Reply-To: <45707E77.1090509@lbl.gov> References: <001601c7152b$f243dfe0$0637a8c0@telxsi.com> <45707E77.1090509@lbl.gov> Message-ID: <4570C85C.6070808@lbl.gov> Could someone explain what tcp_attempt_delay is used for? It seems that it may be relevant to a script problem that I am experiencing, where a 'new_connection' event is occurring 5 seconds after the packet is received (an unanswered SYN), 5 seconds being also the default value of tcp_attempt_delay - so I am drawing a (possibly unwarranted) connection between the value of tcp_attempt_delay and the time delay I am experiencing. Is there perhaps a different event that I should be looking at, or can this value be turned to zero without negative effect? - I need to respond immediately to an incoming packet. The application is a custom 'catch-and-release' blocking script. We block a host when it scans, then unblock after an interval of quiescence, to preserve a working set of currently threatening hosts. When a host that was unblocked so much as sends a single packet, we want to immediately reblock. This, of course, requires immediate response - waiting for a 5 second interval is unacceptable. On an older version of Bro, the new_connection event was triggered immediately on receipt of the first packet, and the 'catch-and-release' mechanism worked correctly; now we seem to have this 5 second delay. Thanks in advance. -- Jim Mellander Incident Response Manager Computer Protection Program Lawrence Berkeley National Laboratory (510) 486-7204 The reason you are having computer problems is: The Internet is being scanned for viruses. From jp.luiggi at free.fr Fri Dec 1 17:05:48 2006 
From: jp.luiggi at free.fr (jp.luiggi at free.fr) Date: Sat, 02 Dec 2006 02:05:48 +0100 Subject: [Bro] Bro 1.2 vs OpenBSD In-Reply-To: <1164999490.17959.157.camel@strangepork> References: <20061130170854.GA9884@armada.mynetwork.local> <1164923962.17959.31.camel@strangepork> <20061201150042.GA12299@armada.mynetwork.local> <1164999490.17959.157.camel@strangepork> Message-ID: <1165021548.4570d16cba55a@imp2-g19.free.fr> Hello Christian, Quoting Christian Kreibich : > Hi again, > > On Fri, 2006-12-01 at 10:00 -0500, Jean-Philippe Luiggi wrote: > > Hello Christian, > > > > You're right, in fact, here's the process I used : > > > > - modify "configure.in" and define HAVE_OPENBSD (current test as of 1.2 was > to > > check openbsd3) as I use OpenBSD's current. > > right, "openbsd3" definitely needs to go. I do not wish to take this point for granted, there's still v3 around, I even use one.. :-) > > > ==== configure.in > > openbsd3*) > > AM_CONDITIONAL(USE_NMALLOC, true) > > AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system]) > > ;; > > > > openbsd4*) > > AM_CONDITIONAL(USE_NMALLOC, true) > > AC_DEFINE(HAVE_OPENBSD,1,[We are on a OpenBSD system]) > > ;; > > ... or just "openbsd*)"? I'll be damned if we actually need to > differentiate between the different releases. Right, but as I didn't want to change original things, I kept the old value. > > > > - modify ARP.h as you did with an #ifdef HAVE_OPENBSD and in such this case > > use #include <net/ethertypes.h> > > > > ==== ARP.h > > #elif HAVE_SYS_ETHERNET_H > > #include <sys/ethernet.h> > > #elif HAVE_OPENBSD > > #include <net/ethertypes.h> > > #endif > > ==== > > Yep. It'd be nicer to just add sys/ethernet.h to the header checks in > configure.in, so it'll be > > #elif HAVE_SYS_ETHERTYPES_H That seems like a good idea. > along with the others. I'm also thinking of doing #ifdef/#endif for each > of those headers instead of #ifdef/#elif/#elif/#endif. The more the > merrier. 
:) :-)) > > - modify util.cc and util.h in order to use bpf_timeval as structure for > the > > double_to_timeval() function. (just used #ifdef HAVE_OPENBSD) > > Wow, this is so weird. I could swear we've fixed this before -- this is > due to OpenBSD's pcap using bpf_timeval instead of just timeval like > everyone else, correct? In fact I was unable to find another idea to solve my problem. I'll have to check if this is the only solution. > Rather than #ifdeffing different functions, it'd be nicer to make the > type difference transparent by typedefing the bpf_timeval to a timeval > in the OpenBSD case. You're right, but my first goal was to get Bro running with OpenBSD, so I checked as fast as possible whether everything worked... > > - modify bro.rc (changed the name of stop() to brostop() ). > > Yeah. Good idea, as I spent most of the time fixing this little thing.. I can't remember the number of 'echo "test"' I put in the script to find where the bug was... :-) > I've also noticed that there seem to be pcap versions where our API > checks fail, causing the build to break since pcap_open_dead() isn't > defined. We already have our own version but only use it when pcap > doesn't provide pcap_freecode(), which in those cases *does* exist. This > is at least the scenario I've encountered in the OpenBSD setup on > Sourceforge's compile farm. I think we may use the same scheme used by FreeBSD. I'll have to check this tomorrow (I already took a look at "bro_config.in"). > > ps1 : next stage will be the use of bind libraries in order to be able to > use > > non blocking DNS routines. > > Right. We don't currently have a clear picture of why exactly the nbdns > code doesn't build on OpenBSD. Patches welcome! Ok, I'll do my best (in fact, trying of course)... > > ps2 : I mean by "porting", doing the job to use Bro with OpenBSD ... :-) > > Sure. :) Next there'll be an official port into packages... > Thanks for your feedback. Just normal, thanks to all the developers. 
Best regards. From vern at icir.org Fri Dec 1 18:39:55 2006 From: vern at icir.org (Vern Paxson) Date: Fri, 01 Dec 2006 18:39:55 -0800 Subject: [Bro] Strange Bro build problem with yacc/bison In-Reply-To: <4570C6CF.9080202@ucsf.edu> (Fri, 01 Dec 2006 16:20:31 PST). Message-ID: <200612020239.kB22dtOs009116@jaguar.icir.org> Yeah, we ran into this on a FreeBSD 6.1 machine too. It wasn't clear at the time whether it was a general 6.1 problem or unique to our build; I guess now we know :-). I'm not sure what's the right autoconf goop to solve this - certainly the current build failure isn't pretty. Vern From christian at whoop.org Sat Dec 2 12:33:17 2006 From: christian at whoop.org (Christian Kreibich) Date: Sat, 02 Dec 2006 12:33:17 -0800 Subject: [Bro] Strange Bro build problem with yacc/bison In-Reply-To: <200612020239.kB22dtOs009116@jaguar.icir.org> References: <200612020239.kB22dtOs009116@jaguar.icir.org> Message-ID: <1165091598.32215.98.camel@strangepork> On Fri, 2006-12-01 at 18:39 -0800, Vern Paxson wrote: > Yeah, we ran into this on a FreeBSD 6.1 machine too. It wasn't clear > at the time whether it was a general 6.1 problem or unique to our build; > I guess now we know :-). > > I'm not sure what's the right autoconf goop to solve this - certainly > the current build failure isn't pretty. Such files should go into MOSTLYCLEANFILES. Try this: Index: Makefile.am =================================================================== --- Makefile.am (revision 3857) +++ Makefile.am (working copy) @@ -54,6 +54,10 @@ portmap-protocol.pac portmap-analyzer.pac \ rpc-protocol.pac rpc-analyzer.pac +YACC_OUTPUT = \ + bif_parse.h bif_parse.cc broparse.h parse.cc \ + re-parse.h re-parse.cc rule-parse.h rule-parse.cc + # this is better if USE_NBDNS dns_srcs = nb_dns.c 
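Review bot: YACC_OUTPUT is a hand-maintained list of generated names, so the odd one out (parse.y's header is listed as broparse.h while its source is parse.cc, unlike the bif_parse/re-parse/rule-parse pairs) deserves a check against what ylwrap actually writes in this tree; a name that does not match leaves exactly the stale parse.cc from Stephen's report in place after make clean. A one-line comment above the variable saying which .y file produces which pair would make a mismatch easy to spot the next time a grammar is renamed.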
@@ -161,8 +165,7 @@ # Files created in the src dir. MOSTLYCLEANFILES = $(BIF_FUNC_H) $(BIF_FUNC_DEF) $(BIF_FUNC_INIT) \ $(BIF_NETVAR_H) $(BIF_NETVAR_DEF) $(BIF_NETVAR_INIT) \ - $(BRO_BIF) \ - $(BINPAC_H) $(BINPAC_CC) \ + $(BRO_BIF) $(BINPAC_H) $(BINPAC_CC) $(YACC_OUTPUT) \ $(DISTCLEANFILES) Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From sudhakarg79spam at gmail.com Mon Dec 4 04:50:58 2006 From: sudhakarg79spam at gmail.com (sudhakar govindavajhala) Date: Mon, 4 Dec 2006 04:50:58 -0800 Subject: [Bro] IDS newbie. Question on security Vs performance Message-ID: <2a070a20612040450k19ef15a9k23fcb9c604a5a5f4@mail.gmail.com> Hi all, I am a post-doc at Princeton. I am new to Bro/IDS systems and am pondering on future research ideas. I am thinking of researching Bro, Snort and other intrusion detection systems. I am a bit new to intrusion detection stuff. Do IDS systems in general have a parameter that can be used to tune security versus performance? Intrusion detection systems easily observe millions of packets a second. Given this voluminous data, the performance per packet could have significant impact on the performance of the network. Also, system administrators can easily get overwhelmed with the false positives even if the rate is small. Do intrusion detection systems have an 'alert level' that decides how aggressively to look for attacks? When in a heightened state of alert, cyber security managers could change the alert level so that the intrusion detection system tries to look more closely at packets to make a more informed decision. Does this idea of alert level make any sense? --Sudhakar http://www.cs.princeton.edu/~sudhakar -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061204/e47ba980/attachment.html From vze2p5vq at verizon.net Sun Dec 3 19:14:24 2006 
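Review bot: moving $(YACC_OUTPUT) into MOSTLYCLEANFILES means every make clean deletes the parsers, so a tree whose $YACC resolved to byacc (the FreeBSD 6.1 case above, where the @n location references in parse.y apparently came through as the 'stray @' errors) can no longer rebuild after a clean at all. Pair this with a configure-time check that $YACC is bison, failing with a clear message otherwise, or remove these files only at the distclean/maintainer-clean level if they are shipped in the dist tarball, so that make clean && make keeps working on a box without bison.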
From: vze2p5vq at verizon.net (Tim Fowler) Date: Sun, 03 Dec 2006 22:14:24 -0500 Subject: [Bro] Bro and OpenBSD 4.0 issues In-Reply-To: <1165117612.32215.123.camel@strangepork> Message-ID: <000601c71752$4f119d20$1a00a8c0@node8> Hello Christian, How are you? I really appreciate the response back. I have attached the config.log from my last attempted build, which I used the "make" program that came default with the base install. I tried it again with "gmake" and received the same errors. In regards to the build I use, here are the packages I use: OpenBSD 4.0 bsd, bsd.rd, base40.tgz, comp40.tgz, etc40.tgz, man40.tgz, misc40.tgz Updates 1. I install the latest version of libpcap. Thank you, Tim Fowler -----Original Message----- 
From: Christian Kreibich [mailto:christian at whoop.org]
Sent: Saturday, December 02, 2006 10:47 PM
To: Tim Fowler
Cc: jp.luiggi at free.fr
Subject: RE: Bro Digest, Vol 8, Issue 3

Hi Tim,

I'm more than happy to help you out because we have a strong interest in seeing Bro working on OpenBSD. You'll have to send me/us more output from the configure run and the actual build error. Also feel free to keep this thread on the list, the more eyes see the issues the quicker the help...

On Sat, 2006-12-02 at 18:38 -0500, Tim Fowler wrote:
> Hello,
>
> I was reading the bro lists and found your posting on OpenBSD. I use
> OpenBSD as my primary network collection platform and I'd like to install
> bro on my build and test it out; however, I can not get it to build. Do
> either of you know how I can get bro to install on OpenBSD 4.0? If you have
> any suggestions, I'd greatly appreciate it.
>
> V/R
> Tim Fowler

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.log
Type: application/octet-stream
Size: 65061 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061203/9c97a4e8/attachment.obj

From jp.luiggi at free.fr Mon Dec 4 10:36:26 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 04 Dec 2006 13:36:26 -0500
Subject: [Bro] Bro and OpenBSD 4.0 issues
In-Reply-To: <000601c71752$4f119d20$1a00a8c0@node8>
References: <1165117612.32215.123.camel@strangepork> <000601c71752$4f119d20$1a00a8c0@node8>
Message-ID: <20061204183626.GA1520@armada.mynetwork.local>

Hello Tim,

Besides the fact that you run the "base" OpenBSD 4.0 and myself the development version, I can't figure out (yet) where the problem is. I didn't notice in the files you sent (but I may be wrong) the result of the "make". Could you send it please?

Best regards.

On Sun, Dec 03, 2006 at 10:14:24PM -0500, Tim Fowler wrote:
> Hello Christian,
>
> How are you? I really appreciate the response back. I have attached the
> config.log from my last attempted build, which I used the "make" program
> that came default with the base install. I tried it again with "gmake" and
> received the same errors. In regards to the build I use, here are the
> packages I use:
>
> OpenBSD 4.0
> bsd, bsd.rd, base40.tgz, comp40.tgz, etc40.tgz, man40.tgz, misc40.tgz
>
> Updates
> 1. I install the latest version of libpcap.
>
> Thank you,
>
> Tim Fowler

From robin at icir.org Mon Dec 4 10:39:06 2006
From: robin at icir.org (Robin Sommer)
Date: Mon, 4 Dec 2006 10:39:06 -0800
Subject: [Bro] tcp_attempt_delay
In-Reply-To: <4570C85C.6070808@lbl.gov>
References: <001601c7152b$f243dfe0$0637a8c0@telxsi.com> <45707E77.1090509@lbl.gov> <4570C85C.6070808@lbl.gov>
Message-ID: <20061204183906.GA23358@icir.org>

On Fri, Dec 01, 2006 at 16:27 -0800, Jim Mellander wrote:
> On an older version of Bro, the new_connection event was triggered
> immediately on receipt of the first packet, and the 'catch-and-release'
> mechanism worked correctly, now we seem to have this 5 second delay.

This might be an (unintentional) artifact of the connection compressor. I'll look into it.

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From frenzy at frenzy.org Mon Dec 4 10:44:47 2006
From: frenzy at frenzy.org (frenzy at frenzy.org)
Date: Mon, 4 Dec 2006 11:44:47 -0700 (MST)
Subject: [Bro] Strange Bro build problem with yacc/bison
Message-ID:

I am getting this on a FreeBSD 5.4 system also. It seems that make_parser.pl is not getting called to interpret the parse.y file. If I run 'make_parser.pl byacc' manually, then the build completes.

It's been a while since I've played with autoconf/automake. The conflict appears to be somewhere in the following two entries:

broparse.h parse.cc: parse.y
	$(YACC) $(YFLAGS) parse.y
	@sed '/extern char.*getenv/d;s/yylex/brolex/' parse.cc
	@mv y.tab.h broparse.h
	@rm y.tab.c

parse.y: parse.in make_parser.pl
	@rm -f parse.y
	perl -w $(srcdir)/make_parser.pl "$(YACC)"
	chmod -w parse.y

Thanks,
Randy

On Sat, 2 Dec 2006, Christian Kreibich wrote:
> On Fri, 2006-12-01 at 18:39 -0800, Vern Paxson wrote:
>> Yeah, we ran into this on a FreeBSD 6.1 machine too. It wasn't clear
>> at the time whether it was a general 6.1 problem or unique to our build;
>> I guess now we know :-).
>>
>> I'm not sure what's the right autoconf goop to solve this - certainly
>> the current build failure isn't pretty.
>
> Such files should go into MOSTLYCLEANFILES. Try this:
>
> Index: Makefile.am > =================================================================== > --- Makefile.am (revision 3857) > +++ Makefile.am (working copy) > @@ -54,6 +54,10 @@ > portmap-protocol.pac portmap-analyzer.pac \ > rpc-protocol.pac rpc-analyzer.pac > > +YACC_OUTPUT = \ > + bif_parse.h bif_parse.cc broparse.h parse.cc \ > + re-parse.h re-parse.cc rule-parse.h rule-parse.cc > + > # this is better > if USE_NBDNS > dns_srcs = nb_dns.c
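Review bot: the new YACC_OUTPUT list (hunk @@ -54,6 +54,10 @@) carries no comment saying that these parser outputs are also shipped pre-generated in the tarball, and that the broparse.h/parse.cc pair is built from a parse.y that make_parser.pl rewrites for the local yacc, so a reader sees only a bare list of clean targets. Suggest a comment above the assignment such as `# yacc/bison outputs; shipped pre-generated, regenerating needs yacc/bison` so the consequence of feeding this list into MOSTLYCLEANFILES is visible where the list is defined.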
> @@ -161,8 +165,7 @@ > # Files created in the src dir. > MOSTLYCLEANFILES = $(BIF_FUNC_H) $(BIF_FUNC_DEF) $(BIF_FUNC_INIT) \ > $(BIF_NETVAR_H) $(BIF_NETVAR_DEF) $(BIF_NETVAR_INIT) \ > - $(BRO_BIF) \ > - $(BINPAC_H) $(BINPAC_CC) \ > + $(BRO_BIF) $(BINPAC_H) $(BINPAC_CC) $(YACC_OUTPUT) \ > $(DISTCLEANFILES)
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From christian at whoop.org Mon Dec 4 12:03:36 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 04 Dec 2006 12:03:36 -0800
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To:
References:
Message-ID: <1165262616.16726.216.camel@strangepork>

Hi Randy,

On Mon, 2006-12-04 at 11:44 -0700, frenzy at frenzy.org wrote:
> I am getting this on a FreeBSD 5.4 system also. It seems that
> make_parser.pl is not getting called to interpret the parse.y file.
> If I run 'make_parser.pl byacc' manually, then the build completes.

I think the problem is that it seems we ship a parse.y with the tarball, even though it should be generated. The shipped one seems to cause problems on some systems. Can you try the following?

- Unpack the tarball again
- cd src
- rm parse.y
- cd ..
- ./configure etc

and see if it works?

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From frenzy at frenzy.org Mon Dec 4 13:13:48 2006
From: frenzy at frenzy.org (frenzy at frenzy.org)
Date: Mon, 4 Dec 2006 14:13:48 -0700 (MST)
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To: <1165262616.16726.216.camel@strangepork>
Message-ID:

This works (without the patch). :) I forgot to mention that we had run through that as well. I wasn't sure if the parse.y needed to be included or not. Is there going to be a problem on systems that don't have yacc installed? Or was it required anyway?

Thanks,
Randy

On Mon, 4 Dec 2006, Christian Kreibich wrote:
> I think the problem is that it seems we ship a parse.y with the tarball,
> even though it should be generated. The shipped one seems to cause
> problems on some systems. Can you try the following?
>
> - Unpack the tarball again
> - cd src
> - rm parse.y
> - cd ..
> - ./configure etc
>
> and see if it works?
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>

From christian at whoop.org Mon Dec 4 14:32:19 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 04 Dec 2006 22:32:19 +0000
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To:
References:
Message-ID: <1165271539.16726.249.camel@strangepork>

On Mon, 2006-12-04 at 14:13 -0700, frenzy at frenzy.org wrote:
> This works (without the patch). :) I forgot to mention that we had run
> through that as well. I wasn't sure if the parse.y needed to be included
> or not. Is there going to be a problem on systems that don't have
> yacc installed? Or was it required anyway?

I believe we currently ship generated yacc output. I had forgotten about that -- the patch I posted actually conflicts with that approach because it removes files that could only be regenerated with yacc/bison.

I'm not sure what people prefer. Dropping the generated files from the tarball is the cleanest solution, but we then require (f)lex/yacc/bison. If we don't drop them, we could force invocation of make_parser.pl by tweaking the Makefile rules. *shrug*

Btw, make_parser.pl is only ever used in the parse.y case, but we also have re-parse.y and rule-parse.y. Do the "@"-issues you're seeing not occur with the latter two?

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From vern at icir.org Mon Dec 4 14:36:32 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 04 Dec 2006 14:36:32 -0800
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To: <1165271539.16726.249.camel@strangepork> (Mon, 04 Dec 2006 22:32:19 GMT).
Message-ID: <200612042236.kB4MaWOT015464@jaguar.icir.org>

> Btw, make_parser.pl is only ever used in the parse.y case, but we also
> have re-parse.y and rule-parse.y. Do the "@"-issues you're seeing not
> occur with the latter two?

parse.y is the only one of Bro's parsers that uses the @N construct.

Vern

From christian at whoop.org Mon Dec 4 17:19:21 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 04 Dec 2006 17:19:21 -0800
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To:
References:
Message-ID: <1165281561.16726.312.camel@strangepork>

On Mon, 2006-12-04 at 11:44 -0700, frenzy at frenzy.org wrote:
> I am getting this on a FreeBSD 5.4 system also. It seems that
> make_parser.pl is not getting called to interpret the parse.y file.
> If I run 'make_parser.pl byacc' manually, then the build completes.

Robin and I just stared at this for a while longer. What's happening is that when the error occurs, the build re-generates parse.cc, even on the initial build after unpacking the tarball. This is not what we intended. It does not seem to be a flaw of the Makefile, but to stem from the fact that on some platforms, this rule...

> broparse.h parse.cc: parse.y
> 	$(YACC) $(YFLAGS) parse.y
> 	@sed '/extern char.*getenv/d;s/yylex/brolex/' parse.cc
> 	@mv y.tab.h broparse.h
> 	@rm y.tab.c

... is triggered despite the fact that broparse.h, parse.cc, and parse.y all have the same timestamp. Could you double-check that this is the case on your tree, by unpacking the tarball and doing a

$ ls -la broparse.h parse.y parse.cc
-rw-r--r--  1 kreibich  networks    7396 Oct  5 13:36 broparse.h
-rw-r--r--  1 kreibich  networks  134265 Oct  5 13:36 parse.cc
-r--r--r--  1 kreibich  networks   24651 Oct  5 13:36 parse.y

? What happens is that make determines that broparse.h/parse.cc need to be rebuilt, but it uses the parse.y that's shipped with the tarball, and not a new one generated from parse.in that'd have the yacc-hack applied to it via make_parser.pl. So you end up with a broken parse.cc.

We'll think of a way to ensure that the parse.y is always compatible with the local bison/yacc (if available).

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From vze2p5vq at verizon.net Mon Dec 4 22:58:16 2006
From: vze2p5vq at verizon.net (Tim Fowler)
Date: Tue, 05 Dec 2006 01:58:16 -0500
Subject: [Bro] Bro and OpenBSD 4.0 issues
In-Reply-To:
Message-ID: <000601c7183a$bddb3ca0$1a00a8c0@node8>

Hello Mr. Luiggi,

I have already posted the config.log file. However, I have attached the Makefile and another file called info.txt. After running configure and make, I ran the make install command and redirected the output to info.txt.

I'm just an end user and I have no coding skills at all. Although, I do have access to some very good coding folks, so if there is something I can pass on to them to help out, please let me know. Thanks.

Tim Fowler

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of bro-request at ICSI.Berkeley.EDU
Sent: Monday, December 04, 2006 3:00 PM
To: bro at ICSI.Berkeley.EDU
Subject: Bro Digest, Vol 8, Issue 6

Today's Topics:

1. Re: Bro and OpenBSD 4.0 issues (Jean-Philippe Luiggi)
2. Re: tcp_attempt_delay (Robin Sommer)
3. Re: Strange Bro build problem with yacc/bison (frenzy at frenzy.org)

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: info.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061205/24c31234/attachment.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile
Type: application/octet-stream
Size: 22317 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061205/24c31234/attachment.obj

From christian at whoop.org Tue Dec 5 14:51:36 2006
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 05 Dec 2006 14:51:36 -0800
Subject: [Bro] Bro and OpenBSD 4.0 issues
In-Reply-To: <000601c71752$4f119d20$1a00a8c0@node8>
References: <000601c71752$4f119d20$1a00a8c0@node8>
Message-ID: <1165359097.16235.28.camel@strangepork>

Hi Tim,

thanks for that. Your config.log points out a few things very useful to us:

- The check for netinet/if_ether.h fails, but not because the file doesn't exist, but because on OpenBSD compiling a program with it requires additional headers to be included:

/usr/include/netinet/if_ether.h:140: error: field `ea_hdr' has incomplete type
/usr/include/netinet/if_ether.h:158: error: field `ac_if' has incomplete type
/usr/include/netinet/if_ether.h:161: error: syntax error before "LIST_HEAD"
/usr/include/netinet/if_ether.h:166: error: syntax error before "LIST_ENTRY"
/usr/include/netinet/if_ether.h:222: error: syntax error before "LIST_ENTRY"

- ns_msg is (correctly, I believe) not found, and thus nonblocking DNS is disabled. As far as we're concerned, our configuration checks work fine here and we simply can't support nonblocking DNS on OpenBSD at the moment. Patches are very welcome.

Regarding your build errors, it seems from the output you have posted in your follow-up email that you also have encountered the parse.cc problem, since the build stops there. See my mail from yesterday for possible workarounds.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From robin at icir.org Tue Dec 5 16:03:06 2006
From: robin at icir.org (Robin Sommer)
Date: Tue, 5 Dec 2006 16:03:06 -0800
Subject: [Bro] Bro 1.2 under Solaris 8
In-Reply-To: <20061201093041.GA14454@rheoli.net>
References: <20061129073110.GA16863@rheoli.net> <20061130025811.GD8909@icir.org> <20061201093041.GA14454@rheoli.net>
Message-ID: <20061206000306.GC17561@icir.org>

On Fri, Dec 01, 2006 at 10:30 +0100, Stephan wrote:
> You are right there only some small patches for library problems (see
> attachment).

Thanks for the diffs. Seems that primarily "-ldl -lsocket" was missing for the linker, right?

Two questions: for which library did you need the path /sw/sl/lib? That doesn't seem to be a standard path? What's the "touch $(top_srcdir)/src/libedit/termcap.h" in Makefile for?

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From frenzy at frenzy.org Tue Dec 5 17:29:13 2006
From: frenzy at frenzy.org (frenzy at frenzy.org)
Date: Tue, 5 Dec 2006 18:29:13 -0700 (MST)
Subject: [Bro] Strange Bro build problem with yacc/bison
In-Reply-To: <1165281561.16726.312.camel@strangepork>
Message-ID:

Christian,

All had the same timestamp. I did an experiment and gave parse.y an older timestamp than the other files. In that case, gmake ran without any errors.

Randy

> ... is triggered despite the fact that broparse.h, parse.cc, and parse.y
> all have the same timestamp. Could you double-check that this is the
> case on your tree, by unpacking the tarball and doing a
>
> $ ls -la broparse.h parse.y parse.cc
> -rw-r--r--  1 kreibich  networks    7396 Oct  5 13:36 broparse.h
> -rw-r--r--  1 kreibich  networks  134265 Oct  5 13:36 parse.cc
> -r--r--r--  1 kreibich  networks   24651 Oct  5 13:36 parse.y
>
> ?

From geek00l at gmail.com Wed Dec 6 00:47:47 2006
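Christian's diagnosis (make re-running the parse.y rule on a fresh tree where broparse.h, parse.cc and parse.y share one mtime, then feeding it the shipped parse.y) and Randy's experiment (an older parse.y makes gmake pass) can be turned into a quick pre-build check. This script is an added example, not part of the thread or of Bro's build system; the function names, the src directory argument and the sample timestamps are all constructed here.

```shell
#!/bin/sh
# Added diagnostic for the Bro 1.2 tarball problem discussed in this thread:
# on some platforms make re-runs the "broparse.h parse.cc: parse.y" rule on a
# freshly unpacked tree when all three files carry the same mtime, and then
# uses the shipped parse.y instead of one regenerated via make_parser.pl.
# Giving parse.y an mtime older than its outputs (Randy's experiment) avoids
# that. Function names, the src dir argument and the timestamps below are
# constructed for this example; nothing here comes from Bro's own Makefiles.

# parser_stamps_ok DIR
#   0: parse.y is strictly older than both broparse.h and parse.cc
#   1: some output is not strictly newer than parse.y (equal mtimes included)
#   2: one of the three files is missing
parser_stamps_ok() {
    dir=$1
    for f in parse.y parse.cc broparse.h; do
        [ -f "$dir/$f" ] || return 2
    done
    for out in parse.cc broparse.h; do
        # POSIX find -newer is a strict comparison: equal mtimes print nothing
        if [ -z "$(find "$dir/$out" -newer "$dir/parse.y")" ]; then
            return 1
        fi
    done
    return 0
}

# age_parse_y DIR
#   Workaround: move parse.y's mtime to a constructed date one day before the
#   Oct 5 13:36 stamp of the shipped files. touch -t is POSIX (touch -d is GNU).
age_parse_y() {
    touch -t 200610041336 "$1/parse.y"
}

# make_sample_tree DIR
#   Constructed stand-in for a freshly unpacked src dir: three empty files
#   with identical mtimes, the layout Christian's ls output shows.
make_sample_tree() {
    mkdir -p "$1"
    for f in parse.y parse.cc broparse.h; do
        : > "$1/$f"
        touch -t 200610051336 "$1/$f"
    done
}

# Command-line use: sh check-parser-stamps.sh /path/to/bro/src [--fix]
if [ $# -ge 1 ]; then
    rc=0
    parser_stamps_ok "$1" || rc=$?
    case $rc in
        0) echo "ok: parse.y is older than broparse.h and parse.cc" ;;
        1) echo "warning: parse.y is not older than its outputs; make may regenerate parse.cc"
           if [ "$2" = "--fix" ]; then
               age_parse_y "$1" && echo "parse.y timestamp moved back"
           fi ;;
        *) echo "missing parse.y, parse.cc or broparse.h in $1" ;;
    esac
fi
```

Run it against the unpacked src directory before the first make; with --fix it applies the timestamp workaround instead of deleting parse.y.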
From: geek00l at gmail.com (CS Lee)
Date: Wed, 6 Dec 2006 16:47:47 +0800
Subject: [Bro] Bro-ids dpd offline analysis
Message-ID: <1bb5dd90612060047r65e4ba31yad8bfc966cc47e20@mail.gmail.com>

Hey people,

I'm wondering are there any examples showing how to use bro with all the argument options, I found it kinda confusing especially for people who are new to bro-ids and not much result when I tried googling. Maybe having all the usage examples in the wiki would be much help.

By the way I'm wondering is there a way to do offline analysis to pcap using dpd. I have checked out brolite.bro where it loads -

@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy

I tried to load all this to mt.bro, and running -

bro -r test.pcap mt

It runs fine if without loading all the dpd related analyzers, however I have gone through all the bro workshop presentation slides and come across the DPD performance test where it is used to run offline analysis against large pcap files (the presentation that was done by Robin). I would like to know how the test is conducted and how one can do efficient offline bulk data analysis with new bro-1.2.

Thanks.

--
Best Regards,
CS Lee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061206/c16b1199/attachment.html

From jp.luiggi at free.fr Wed Dec 6 06:09:33 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Wed, 06 Dec 2006 09:09:33 -0500
Subject: [Bro] Bro and OpenBSD 4.0 issues
In-Reply-To: <1165359097.16235.28.camel@strangepork>
References: <000601c71752$4f119d20$1a00a8c0@node8> <1165359097.16235.28.camel@strangepork>
Message-ID: <20061206140933.GA9009@armada.mynetwork.local>

Hello,

On Tue, Dec 05, 2006 at 02:51:36PM -0800, Christian Kreibich wrote:
> Hi Tim,
>
> thanks for that. Your config.log points out a few things very useful to
> us:
>
> - The check for netinet/if_ether.h fails, but not because the file
> doesn't exist, but because on OpenBSD compiling a program with it
> requires additional headers to be included:
>
> /usr/include/netinet/if_ether.h:140: error: field `ea_hdr' has incomplete type
> /usr/include/netinet/if_ether.h:158: error: field `ac_if' has incomplete type
> /usr/include/netinet/if_ether.h:161: error: syntax error before "LIST_HEAD"
> /usr/include/netinet/if_ether.h:166: error: syntax error before "LIST_ENTRY"
> /usr/include/netinet/if_ether.h:222: error: syntax error before "LIST_ENTRY"

I didn't get these problems with Current's release, so I built a "simple" GENERIC installation in order to be in the same setup as Tim.

> - ns_msg is (correctly, I believe) not found, and thus nonblocking DNS
> is disabled. As far as we're concerned, our configuration checks work
> fine here and we simply can't support nonblocking DNS on OpenBSD at the
> moment. Patches are very welcome.

Same thing, no problem with nonblocking DNS for me. I know about a workaround (using the extra libbind given from a package) and using a "configure --with-dns-lib" and "configure --with-dns-include" in order to give the ability to OpenBSD to use them.

> Regarding your build errors, it seems from the output you have posted in
> your follow-up email that you also have encountered the parse.cc
> problem, since the build stops there. See my mail from yesterday for
> possible workarounds.

And again I didn't notice this.
I can't (yet) believe there's so much difference between GENERIC and CURRENT, so I know what to do this weekend. :-)

Best regards.

From robin at icir.org Wed Dec 6 09:38:47 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 6 Dec 2006 09:38:47 -0800
Subject: [Bro] Bro-ids dpd offline analysis
In-Reply-To: <1bb5dd90612060047r65e4ba31yad8bfc966cc47e20@mail.gmail.com>
References: <1bb5dd90612060047r65e4ba31yad8bfc966cc47e20@mail.gmail.com>
Message-ID: <20061206173847.GB23347@icir.org>

On Wed, Dec 06, 2006 at 16:47 +0800, CS Lee wrote:
> I'm wondering are there any examples showing how to use bro with all the
> argument options, I found it kinda confusing especially for people who are new

Sorry, the shipped documentation is all we have in this regard at this time. Yeah, having some more examples would certainly be nice.

> I tried to load all this to mt.bro, and running -
>
> bro -r test.pcap mt

That's almost correct except for one missing piece: for DPD you need to set the capture-filter to include packets on non-standard ports, e.g., "bro -f tcp -r test.pcap mt" to include all TCP packets. (This is not different from live analysis which requires this too.)

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From christian at whoop.org Wed Dec 6 12:53:46 2006
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 06 Dec 2006 12:53:46 -0800
Subject: [Bro] Bro and OpenBSD 4.0 issues
In-Reply-To: <20061206140933.GA9009@armada.mynetwork.local>
References: <000601c71752$4f119d20$1a00a8c0@node8> <1165359097.16235.28.camel@strangepork> <20061206140933.GA9009@armada.mynetwork.local>
Message-ID: <1165438427.16235.101.camel@strangepork>

Hi there,

On Wed, 2006-12-06 at 09:09 -0500, Jean-Philippe Luiggi wrote:
> > /usr/include/netinet/if_ether.h:140: error: field `ea_hdr' has incomplete type
> > /usr/include/netinet/if_ether.h:158: error: field `ac_if' has incomplete type
> > /usr/include/netinet/if_ether.h:161: error: syntax error before "LIST_HEAD"
> > /usr/include/netinet/if_ether.h:166: error: syntax error before "LIST_ENTRY"
> > /usr/include/netinet/if_ether.h:222: error: syntax error before "LIST_ENTRY"
>
> I didn't get these problems with Current's release, so i built a "simple"
> GENERIC installation in order being in the same setup as Tim.

this is only in config.log, did you check there? What does your configure check for netinet/if_ether report?

> > - ns_msg is (correctly, I believe) not found, and thus nonblocking DNS
> > is disabled. As far as we're concerned, our configuration checks work
> > fine here and we simply can't support nonblocking DNS on OpenBSD at the
> > moment. Patches are very welcome.
>
> Same things, no problem with nonblocking DNS for me.
> I know about a workaround (using the extra libbind given from a package) and
> using a "configure --with-dns-lib" and "configure
> --with-dns-include" in order to give the ability to OpenBSD to use them.

So can you tell us which header files define ns_msg in your setup? We currently rely on that definition being in arpa/nameser.h. If your libbind installation reliably solves the problem, we might make this a FAQ and possibly add output to the configure script that tells OpenBSD people what they need to do.
> > Regarding your build errors, it seems from the output you have posted in
> > your follow-up email that you also have encountered the parse.cc
> > problem, since the build stops there. See my mail from yesterday for
> > possible workarounds.
>
> And again i didn't notice this.

Did your configure run pick up bison or yacc? (Actually, as usual it'd be helpful if you could post the shell output you get when running configure, as well as the resulting config.log.)

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From yuppie4ever at gmail.com Fri Dec 8 02:25:17 2006
From: yuppie4ever at gmail.com (Yuppie)
Date: Fri, 08 Dec 2006 15:55:17 +0530
Subject: [Bro] Changing an internal variable from C code
Message-ID: <1165573517.10727.218.camel@chaos.bivio.net>

Hi,

I wanted to change an internal variable from the C code. I have defined a variable in a .bro file as

global my_count: count;

At some later point in the C code, I want to change it:

Val *my_count = internal_val("my_count");
// change the value of my_count to something else

I am at a loss on how to accomplish this. Can the Bro gurus help me out?

thanks
-vish

From Stephan at rheoli.net Fri Dec 8 03:26:53 2006
From: Stephan at rheoli.net (Stephan)
Date: Fri, 8 Dec 2006 12:26:53 +0100
Subject: [Bro] Bro 1.2 under Solaris 8
In-Reply-To: <20061206000306.GC17561@icir.org>
References: <20061129073110.GA16863@rheoli.net> <20061130025811.GD8909@icir.org> <20061201093041.GA14454@rheoli.net> <20061206000306.GC17561@icir.org>
Message-ID: <20061208112653.GA18364@rheoli.net>

On Tue, Dec 05, 2006 at 04:03:06PM -0800, Robin Sommer wrote:
>
> On Fri, Dec 01, 2006 at 10:30 +0100, Stephan wrote:
>
> > You are right there only some small patches for library problems (see
> > attachment).
>
> Thanks for the diffs. Seems that primarily "-ldl -lsocket" was
> missing for the linker, right?

Yes, there were some more patches for bro 1.0 or bro 1.1.

>
> Two questions: for which library did you need the path /sw/sl/lib?
> That doesn't seem to be a standard path? What's the "touch
> $(top_srcdir)/src/libedit/termcap.h" in Makefile for?

We use our own path (/sw) for building applications. The building environment is gcc 4.0.3, bison 2.3, gas 2.16. Solaris 8 has no termcap.h so I put it into libedit...

-Stephan

From jferdinand at thescholars.info Fri Dec 8 07:57:18 2006
From: jferdinand at thescholars.info (Jules)
Date: Fri, 8 Dec 2006 15:57:18 -0000
Subject: [Bro] windows?
Message-ID: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc>

Hi there

Just wondering what could be the options to compile bro under a windows environment?

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061208/50c00ca8/attachment.html

From rpang at cs.princeton.edu Fri Dec 8 08:20:06 2006
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 8 Dec 2006 11:20:06 -0500
Subject: [Bro] Changing an internal variable from C code
In-Reply-To: <1165573517.10727.218.camel@chaos.bivio.net>
References: <1165573517.10727.218.camel@chaos.bivio.net>
Message-ID:

Hi,

Please take a look at NetVar.{h,cc} as a starting point. That's where "internal variables" are defined.

By the way, which is the variable you want to manipulate in C++ code?

Ruoming

On 12/8/06, Yuppie wrote:
> Hi,
>
> I wanted to change an internal variable from the C code. I have defined
> a variable in a .bro file as
> global my_count: count;
>
> At some later point in the C code, I want to change it:
> Val *my_count = internal_val("my_count");
> // change the value of my_count to something else
>
> I am at loss on how to accomplish this. Can the Bro gurus help me out?
>
> thanks
> -vish
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From yuppie4ever at gmail.com Fri Dec 8 09:52:27 2006
From: yuppie4ever at gmail.com (Yuppie)
Date: Fri, 08 Dec 2006 23:22:27 +0530
Subject: [Bro] Changing an internal variable from C code
In-Reply-To:
References: <1165573517.10727.218.camel@chaos.bivio.net>
Message-ID: <1165600347.32714.10.camel@chaos.bivio.net>

On Fri, 2006-12-08 at 11:20 -0500, Ruoming Pang wrote:
> Please take a look at NetVar.{h,cc} as a starting point. That's where
> "internal variables" are defined.

Net.cc doesn't seem to modify anything. I wanted to know how I can modify variables that are defined in the .bro files.

> By the way, which is the variable you want to manipulate in C++ code?

It's my own variable - a variable defined by my .bro file which is loaded on startup. I want to modify it later in the C++ code.

thanks!
-vish

From rpang at cs.princeton.edu Fri Dec 8 10:07:24 2006
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 8 Dec 2006 13:07:24 -0500
Subject: [Bro] Changing an internal variable from C code
In-Reply-To: <1165600347.32714.10.camel@chaos.bivio.net>
References: <1165573517.10727.218.camel@chaos.bivio.net> <1165600347.32714.10.camel@chaos.bivio.net>
Message-ID:

> > Please take a look at NetVar.{h,cc} as a starting point. That's where
> > "internal variables" are defined.
>
> Net.cc doesn't seem to modify anything. I wanted to know how can I
> modify variables that are defined in the .bro files.

Well, first, it's not Net.cc, but NetVar.cc. Are you looking at the right file? Second, the way it works is that you define a variable in NetVar.{h,cc} and also in bro.init. Then you can access the variable from both C++ and bro scripts.

> > By the way, which is the variable you want to manipulate in C++ code?
>
> It's my own variable - a variable defined by my .bro file which is
> loaded on startup. I want to modify it later in the C++ code.

What does the variable represent? I'm curious about why you need an additional internal variable because they are not needed for most cases---that's why there are only a limited number of them.

Ruoming

From yuppie4ever at gmail.com Fri Dec 8 10:27:18 2006
From: yuppie4ever at gmail.com (Yuppie)
Date: Fri, 08 Dec 2006 23:57:18 +0530
Subject: [Bro] Changing an internal variable from C code
In-Reply-To:
References: <1165573517.10727.218.camel@chaos.bivio.net> <1165600347.32714.10.camel@chaos.bivio.net>
Message-ID: <1165602438.32714.15.camel@chaos.bivio.net>

On Fri, 2006-12-08 at 13:07 -0500, Ruoming Pang wrote:
> > Net.cc doesn't seem to modify anything. I wanted to know how can I
> > modify variables that are defined in the .bro files.
>
> Well, first, it's not Net.cc, but NetVar.cc. Are you looking at the
> right file? Second, the way it works is that you define a variable in
> NetVar.{h,cc} and also in bro.init. Then you can access the variable
> from both C++ and bro scripts.

Sorry about the typo... I did mean NetVar.cc. Accessing is one thing.. I know how to do it. Can you point me to an example where C++ code modifies it? Or give a li'l sample code.

> > > By the way, which is the variable you want to manipulate in C++ code?
> >
> > It's my own variable - a variable defined by my .bro file which is
> > loaded on startup. I want to modify it later in the C++ code.
>
> What does the variable represent? I'm curious about why you need an
> additional internal variable because they are not needed for most
> cases---that's why there are only a limited number of them.

Well... it's a variable defined and required by my .bro module. I want to be able to send a signal to Bro and change its value... in C++ code. I want to use it to change Bro behavior.

thanks!
-yp

From christian at whoop.org Fri Dec 8 12:23:03 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 08 Dec 2006 12:23:03 -0800
Subject: [Bro] windows?
In-Reply-To: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc>
References: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc>
Message-ID: <1165609383.23561.64.camel@strangepork>

On Fri, 2006-12-08 at 15:57 +0000, Jules wrote:
> Hi there
>
> Just wondering what could be the options to compile bro under windows
> environment?

The first rule of the Bro environment: You do not talk about the windows environment.
The second rule of the Bro environment: You DO NOT talk about the windows environment.

(Okay, seriously: we have no intention to support Bro on Windows. If you really really have to, you could try the Cygwin/MinGW route, but it'll likely be painful. You might have more luck with setting up a Linux box in a virtual machine and running everything in there, though it might get tricky to get Bro to tap into the right traffic.)

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From jmellander at lbl.gov Fri Dec 8 15:21:02 2006
From: jmellander at lbl.gov (Jim Mellander)
Date: Fri, 08 Dec 2006 15:21:02 -0800
Subject: [Bro] windows?
In-Reply-To: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc>
References: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc>
Message-ID: <4579F35E.3090502@lbl.gov>

Jules wrote:
> Hi there
>
> Just wondering what could be the options to compile bro under windows
> environment?

I actually had Bro running on my windows laptop under Cygwin last year (I call it WinBro), to see if it could be done, first of all, and to see what added value it could bring. Were I to be persuaded to work on it further, I'd probably use mingw instead - although cygwin is still a viable option.

I found out several things:

1. Bro people are less than enthusiastic about Windows
2. It seemed to add value as a way for internal hosts to have a lightweight IDS capability, which could potentially report back to a central station.
3. It adds a dimension to internal monitoring that e.g. Netflow doesn't have, as it gives the opportunity for detection of intra-subnet scanning or other malicious activities.

If anyone is interested in being my partner in crime, I would be happy to dust off my notes, and have another go at it.

--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:
According to Microsoft, it's by design

From christian at whoop.org Sun Dec 10 13:22:44 2006
From: christian at whoop.org (Christian Kreibich)
Date: Sun, 10 Dec 2006 13:22:44 -0800
Subject: [Bro] windows?
In-Reply-To: <4579F35E.3090502@lbl.gov>
References: <006901c71ae1$8a811e70$640fa8c0@MaterDevThesc> <4579F35E.3090502@lbl.gov>
Message-ID: <1165785764.31333.9.camel@strangepork>

On Fri, 2006-12-08 at 15:21 -0800, Jim Mellander wrote:
> 1. Bro people are less than enthusiastic about Windows
> 2. It seemed to add value as a way for internal hosts to have a
> lightweight IDS capability, which could potentially report back to a
> central station.
> 3. It adds a dimension to internal monitoring that e.g. Netflow doesn't
> have, as it gives the opportunity for detection of intra-subnet scanning
> or other malicious activities.

Maybe I need to stress that I was referring only to Bro itself. If you want to feed Windows host-based information into your monitoring setup, for example, then Broccoli is very much an option. I can't guarantee that it'll currently build out of the box on Windows, but I successfully ran Windows Broccoli apps a while back. Having Broccoli work on as many platforms as possible is definitely our intention, and patches as well as experience reports are very welcome.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From geek00l at gmail.com Sun Dec 10 22:25:51 2006
From: geek00l at gmail.com (CS Lee)
Date: Mon, 11 Dec 2006 14:25:51 +0800
Subject: [Bro] Notice.log
Message-ID: <1bb5dd90612102225t41b27fbdve4023b9a26750126@mail.gmail.com>

Hey all

I came across this log recently; it is from notice.log. I'm wondering what is actually indicated by content gap. Checking on the mailing list, I found Vern talked about it when someone mentioned packet drops. I would like to know what Content Gap means and the rate (> 1/175) or (> 1/1400).

    1158285796.903890:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:59537/tcp:2.3.4.5:80/tcp::::::1.2.3.4/59537> 2.3.4.5/http content gap (> 1/175)::@21
    1158285796.976927:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:8286/tcp:3.4.5.6:1983/tcp::::::1.2.3.4/8286> 3.4.5.6/1983 content gap (> 1/1400)::@22

Thanks.

--
Best Regards,
CS Lee

From bill at sdsc.edu Mon Dec 11 13:11:56 2006
From: bill at sdsc.edu (Bill Link)
Date: Mon, 11 Dec 2006 13:11:56 -0800
Subject: [Bro] Bro reports zero hosts scanned
Message-ID: <1165871515.14631.50.camel@link.sdsc.edu>

I am currently running Bro 1.1 and have found scan summaries recording zero hosts scanned in my notice logs. This seems to be a new problem; I haven't seen evidence of it in log files from previous versions of Bro. Here is an example of the messages I am getting:

    notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=198.95.226.192 msg=198.95.226.192\ scanned\ a\ total\ of\ 0\ hosts
    notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=ScanSummary na=NOTICE_EMAIL sa=67.161.137.231 num=0 msg=67.161.137.231\ scanned\ a\ total\ of\ 0\ hosts
    notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=137.110.134.151 msg=137.110.134.151\ scanned\ a\ total\ of\ 2\ hosts
    notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=221.113.211.235 msg=221.113.211.235\ scanned\ a\ total\ of\ 0\ hosts
    notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=59.117.181.165 msg=59.117.181.165\ scanned\ a\ total\ of\ 0\ hosts

Bill

--
=====================================================================
William J. Link
Security/Systems Programmer
Security Technologies Group
San Diego Supercomputer Center
University of California, San Diego
bill at sdsc.edu
SDSC, MC 0505            Phone: (858) 822-0851
9500 Gilman Drive        FAX:   (858) 534-5077
La Jolla, CA 92093-0505
=====================================================================

From jferdinand at thescholars.info Mon Dec 11 14:03:24 2006
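To triage summaries like these at scale, here is an added Python helper (written for this archive; not part of the post or of Bro) that parses the key=value notice records quoted above, unescapes the backslash-escaped spaces, strips the grep-style filename prefix, and returns the scanners whose summary claims zero hosts. The sample records are the five lines from the post.

```python
import re

# Matches the host count named in the msg= field of a (TRW)ScanSummary notice.
_MSG_COUNT_RE = re.compile(r"scanned a total of (\d+) hosts")


def split_escaped(s):
    """Split on whitespace, keeping a backslash-escaped space ("\\ ") as a
    literal space inside a field, which is how the msg= values above are
    written."""
    fields, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c.isspace():
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_scan_summary(line):
    """Parse one key=value notice record into a dict.  A leading
    'filename:' prefix (as grep prints when searching several notice
    files) is dropped.  Adds 'hosts', the count named in msg=, or None
    when msg= does not name one.  Returns None for non-matching lines."""
    line = line.strip()
    idx = line.find("t=")
    if idx > 0 and line[idx - 1] == ":":
        line = line[idx:]
    rec = {}
    for field in split_escaped(line):
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    if "no" not in rec or "sa" not in rec:
        return None
    m = _MSG_COUNT_RE.search(rec.get("msg", ""))
    rec["hosts"] = int(m.group(1)) if m else None
    if "num" in rec:
        rec["num"] = int(rec["num"])
    return rec


def zero_host_summaries(lines):
    """Return (notice type, scanner address) for every summary that claims
    zero hosts scanned.  Such summaries carry no information and, as the
    post suspects, indicate a bookkeeping problem rather than a scan, so
    they are worth suppressing and reporting rather than alarming on."""
    out = []
    for line in lines:
        rec = parse_scan_summary(line)
        if rec is None:
            continue
        count = rec["hosts"] if rec["hosts"] is not None else rec.get("num")
        if count == 0:
            out.append((rec["no"], rec["sa"]))
    return out


# Constructed sample: the five notice records quoted in the post above.
SAMPLE_LINES = [
    r"notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=198.95.226.192 msg=198.95.226.192\ scanned\ a\ total\ of\ 0\ hosts",
    r"notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=ScanSummary na=NOTICE_EMAIL sa=67.161.137.231 num=0 msg=67.161.137.231\ scanned\ a\ total\ of\ 0\ hosts",
    r"notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=137.110.134.151 msg=137.110.134.151\ scanned\ a\ total\ of\ 2\ hosts",
    r"notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=221.113.211.235 msg=221.113.211.235\ scanned\ a\ total\ of\ 0\ hosts",
    r"notice.smog.06-12-10_14.29.29-06-12-11_00.00.00:t=1165824021.887450 no=TRWScanSummary na=NOTICE_ALARM_ALWAYS sa=59.117.181.165 msg=59.117.181.165\ scanned\ a\ total\ of\ 0\ hosts",
]

if __name__ == "__main__":
    for notice_type, scanner in zero_host_summaries(SAMPLE_LINES):
        print(f"{notice_type}: {scanner} reported 0 hosts scanned")
```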
From: jferdinand at thescholars.info (Jules)
Date: Mon, 11 Dec 2006 22:03:24 -0000
Subject: [Bro] any experience on BRO into hardware
Message-ID: <000501c71d70$2e824360$670fa8c0@MaterDevThesc>

Hi All

Just wondering if someone has an experience compiling Bro into Hardware?

Thanks

From jmellander at lbl.gov Mon Dec 11 15:23:12 2006
From: jmellander at lbl.gov (Jim Mellander)
Date: Mon, 11 Dec 2006 15:23:12 -0800
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <000501c71d70$2e824360$670fa8c0@MaterDevThesc>
References: <000501c71d70$2e824360$670fa8c0@MaterDevThesc>
Message-ID: <457DE860.2000906@lbl.gov>

Jules wrote:
> Hi All
>
> Just wondering if someone has an experience compiling Bro into Hardware?
>
> Thanks

Not only have I had Bro running on Windows, but I have also gotten it to run on a commodity Linksys router under the openwrt linux distribution. I believe Jason has tinkered with it a bit and put some of the info up at: http://www.dsd.lbl.gov/~jason/openwrt/

--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:
We didn't pay the Internet bill and it's been cut off.

From jferdinand at thescholars.info Mon Dec 11 15:38:08 2006
From: jferdinand at thescholars.info (Jules)
Date: Mon, 11 Dec 2006 23:38:08 -0000
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <457DE860.2000906@lbl.gov>
Message-ID: <001c01c71d7d$6b247f60$670fa8c0@MaterDevThesc>

Hi Jim

Thanks for the quick reply. I am not sure if I got what you mean in your reply. What I actually meant is to integrate Bro into the hardware itself and not configuring Bro to work with a particular hardware.

Thanks.
From vern at icir.org Mon Dec 11 16:02:32 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 11 Dec 2006 16:02:32 -0800
Subject: [Bro] IDS newbie. Question on security Vs performance
In-Reply-To: <2a070a20612040450k19ef15a9k23fcb9c604a5a5f4@mail.gmail.com> (Mon, 04 Dec 2006 04:50:58 PST).
Message-ID: <200612120002.kBC02W9V071655@jaguar.icir.org>

> Do IDS systems in general have a parameter that can be used to tune security
> versus performance?

Not a single knob, but a whole suite of tuning possibilities. One large instance is deciding which signatures (of perhaps thousands) and other forms of analysis you want to turn on, and for what subset of the packet stream.

> Intrusion detection systems easily observe millions of packets a second.

I don't know about "easily". For example, UC Berkeley, which has about 50K hosts, averages less than a 10th of that across its border.

> Given this voluminous data, the performance per packet could have significant
> impact on the performance of the network. Also, system administrators can
> easily get overwhelmed with the false positives even if the rate is small.

Yep.

> Do intrusion detection systems have an alert level that decides how
> aggressively to look for attacks. When in a heightened state of alert, cyber
> security managers could change the alert level so that the intrusion
> detection system tries to look more closely at packets to make a more
> informed decision.
>
> Does this idea of alert level make any sense?

Per the above, the space is much broader than a single alert level. This makes tuning and adaptation quite complex.

Vern

From bltierney at lbl.gov Mon Dec 11 16:09:38 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Mon, 11 Dec 2006 16:09:38 -0800
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <457DE860.2000906@lbl.gov>
References: <000501c71d70$2e824360$670fa8c0@MaterDevThesc> <457DE860.2000906@lbl.gov>
Message-ID: <457DF342.7090904@lbl.gov>

There is even more info up on www.bro-ids.org/linksys.html

Jim Mellander wrote:
>
> Not only have I had Bro running on Windows, but I have also gotten it to
> run on a commodity Linksys router under the openwrt linux distribution.
> I believe Jason has tinkered with it a bit and put some of the info up
> at: http://www.dsd.lbl.gov/~jason/openwrt/

--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From ml at grid.einherjar.de Tue Dec 12 08:17:48 2006
From: ml at grid.einherjar.de (Thorolf)
Date: Tue, 12 Dec 2006 17:17:48 +0100
Subject: [Bro] How to disable http_log
Message-ID: <457ED62C.80606@grid.einherjar.de>

Hello list,

I would like to redefine/disable http_log and "ignore" normal logging due to heavy http traffic on my net, but I'm still interested in alerts triggered by HTTP_SensitiveURI. What is the best way to do this?

Thank you,
/rl

From scampbell at lbl.gov Tue Dec 12 10:45:22 2006
From: scampbell at lbl.gov (scott campbell)
Date: Tue, 12 Dec 2006 10:45:22 -0800
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <000501c71d70$2e824360$670fa8c0@MaterDevThesc>
References: <000501c71d70$2e824360$670fa8c0@MaterDevThesc>
Message-ID: <457EF8C2.40005@lbl.gov>

Jules wrote:
> Hi All
>
> Just wondering if someone has an experience compiling Bro into Hardware?
>
> Thanks

Are you asking about some sort of pcap/bpf in hardware offloading, an actual implementation of bro on dedicated hardware (like an ASIC), or something else?

thanks!

scott

From jferdinand at thescholars.info Tue Dec 12 10:51:27 2006
From: jferdinand at thescholars.info (Jules)
Date: Tue, 12 Dec 2006 18:51:27 -0000
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <457EF8C2.40005@lbl.gov>
Message-ID: <009901c71e1e$8a123650$670fa8c0@MaterDevThesc>

Hi Scott

That's what I meant. I was talking about something like ASIC or FPGA.

thanks
From vern at icir.org Tue Dec 12 17:47:48 2006
From: vern at icir.org (Vern Paxson)
Date: Tue, 12 Dec 2006 17:47:48 -0800
Subject: [Bro] How to disable http_log
In-Reply-To: <457ED62C.80606@grid.einherjar.de> (Tue, 12 Dec 2006 17:17:48 +0100).
Message-ID: <200612130147.kBD1lmLD070033@jaguar.icir.org>

> I would like to redefine/disable http_log and "ignore" normal logging
> due to heavy http traffic on my net but I'm still interested in alerts
> triggered by HTTP_SensitiveURI.

Is your concern the CPU time (which likely won't go down much if you turn off logging), or the disk space?

You can turn off the logging (the file will be empty) using:

    module HTTP;

    event bro_init()
        {
        close(http_log);
        }

- Vern

From vern at icir.org Wed Dec 13 00:13:50 2006
From: vern at icir.org (Vern Paxson)
Date: Wed, 13 Dec 2006 00:13:50 -0800
Subject: [Bro] content gaps (Re: Notice.log)
In-Reply-To: <1bb5dd90612102225t41b27fbdve4023b9a26750126@mail.gmail.com> (Mon, 11 Dec 2006 14:25:51 +0800).
Message-ID: <200612130813.kBD8DoBB076264@jaguar.icir.org>

> I'm wondering what
> is actually indicated by content gap

A content gap occurs when Bro's TCP stream reassembler frees up memory allocated to previous TCP segments and some of those segments were never delivered (i.e., were never in-sequence). It generally indicates the presence of measurement drops (similar to ack_above_hole), though can also occur when running on traces that have been filtered.

> I would like to
> know what Content Gap means and the rate (> 1/175) or (> 1/1400).

It's not a rate but rather a range of sequence numbers, so in the second case, it ranges for 1400 bytes starting at sequence #1 to.

Vern

From ml at grid.einherjar.de Wed Dec 13 02:48:56 2006
From: ml at grid.einherjar.de (Thorolf)
Date: Wed, 13 Dec 2006 11:48:56 +0100
Subject: [Bro] How to disable http_log
In-Reply-To: <200612130147.kBD1lmLD070033@jaguar.icir.org>
References: <200612130147.kBD1lmLD070033@jaguar.icir.org>
Message-ID: <457FDA98.30100@grid.einherjar.de>

Hi Vern, list,

Vern Paxson wrote:
> Is your concern the CPU time (which likely won't go down
> much if you turn off logging), or the disk space?
> You can turn off the logging (the file will be empty) using:

thank you for the info, it did the trick ;-). CPU isn't a big problem, storage neither, but we have those logs on the http servers already and I thought that we could save some IO and disk space on the IDS. I know that the other way was to rewrite the http-*.bro modules, but it's nicer to disable it in my case.

Thx,
/rl

From scampbell at lbl.gov Wed Dec 13 10:58:57 2006
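An added Python example (written for this archive; not Bro's code and not from the thread) that applies Vern's reading of the notice: it parses the two ContentGap lines quoted in the question, turns "(> SEQ/LEN)" into the byte range [SEQ, SEQ+LEN), and totals the bytes never seen per connection and per responder port, which helps tell a sensor-wide measurement-drop problem from a gap confined to one filtered trace. The third sample line is a constructed non-gap notice included only to show that it is skipped.

```python
import re
from collections import defaultdict

# Colon-delimited Bro 1.x notice line as quoted in the question: timestamp,
# notice type, action, an empty field, originator host/port, responder
# host/port, more empty fields, then the message.  Per Vern's reply, the
# "(> SEQ/LEN)" in the message is not a rate: the gap starts at sequence
# offset SEQ and spans LEN bytes that the reassembler never received.
_GAP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+):ContentGap:(?P<action>[A-Z_]+):[^:]*:"
    r"(?P<orig_h>[^:]+):(?P<orig_p>\d+)/(?P<proto>[a-z]+):"
    r"(?P<resp_h>[^:]+):(?P<resp_p>\d+)/[a-z]+:"
    r".*content gap \(> (?P<seq>\d+)/(?P<len>\d+)\)"
)


def parse_content_gap(line):
    """Return a dict for one ContentGap notice, or None for any other line.
    'gap' is the half-open byte range [seq, seq + len) that was never seen."""
    m = _GAP_RE.match(line.strip())
    if m is None:
        return None
    seq, length = int(m["seq"]), int(m["len"])
    return {
        "ts": float(m["ts"]),
        "action": m["action"],
        "orig": (m["orig_h"], int(m["orig_p"])),
        "resp": (m["resp_h"], int(m["resp_p"])),
        "proto": m["proto"],
        "gap": (seq, seq + length),
        "gap_bytes": length,
    }


def summarize_gaps(lines):
    """Total the missing bytes per connection and per responder port.
    Gaps spread across many connections and ports point at measurement
    drops on the sensor (the situation Vern likens to ack_above_hole);
    gaps confined to one trace you filtered yourself are expected."""
    per_conn = defaultdict(int)
    per_port = defaultdict(int)
    count = total = 0
    for line in lines:
        n = parse_content_gap(line)
        if n is None:
            continue
        count += 1
        total += n["gap_bytes"]
        per_conn[(n["orig"], n["resp"])] += n["gap_bytes"]
        per_port[n["resp"][1]] += n["gap_bytes"]
    return {
        "count": count,
        "total_bytes": total,
        "per_conn": dict(per_conn),
        "per_port": dict(per_port),
    }


# Constructed sample: the two lines quoted in the question plus one
# made-up non-gap notice in the same layout, which must be skipped.
SAMPLE_LINES = [
    "1158285796.903890:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:59537/tcp:"
    "2.3.4.5:80/tcp::::::1.2.3.4/59537> 2.3.4.5/http content gap (> 1/175)::@21",
    "1158285796.976927:ContentGap:NOTICE_ALARM_ALWAYS::1.2.3.4:8286/tcp:"
    "3.4.5.6:1983/tcp::::::1.2.3.4/8286> 3.4.5.6/1983 content gap (> 1/1400)::@22",
    "1158285797.100000:SomeOtherNotice:NOTICE_FILE::1.2.3.4:4444/tcp:"
    "3.4.5.6:22/tcp::::::constructed non-gap notice::@23",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        n = parse_content_gap(line)
        if n:
            print(f"{n['orig']} -> {n['resp']}: bytes {n['gap']} never seen")
    print(summarize_gaps(SAMPLE_LINES))
```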
From: scampbell at lbl.gov (scott campbell)
Date: Wed, 13 Dec 2006 10:58:57 -0800
Subject: [Bro] any experience on BRO into hardware
In-Reply-To: <009901c71e1e$8a123650$670fa8c0@MaterDevThesc>
References: <009901c71e1e$8a123650$670fa8c0@MaterDevThesc>
Message-ID: <45804D71.4070003@lbl.gov>

There have been a number of efforts along these lines, but most of them have focused less on taking the entire bro entity (or more likely the event engine side) and punting it all into hardware. In no particular order, you may want to look at:

http://www.icir.org/vern/papers/hotsec06.pdf

also Nick Weaver at ICIR may have some insight.

There has been significantly more work done on taking the bpf burden off a host and running that in hardware. There are several different companies that have products for this, but one that I have personal experience with is the Force 10 P10 device. There is also a 1 gig version as well.

In general I suspect that there is less to gain by running the entire application on ASIC - there is still a considerable burden associated with memory bandwidth and state maintenance. On the other hand if a more knowledgeable person on this list has a different opinion, I would be happy to recant.

Hopefully this is a little helpful?

thanks,
scott

Jules wrote:
> Hi Scott
>
> That's what I meant. I was talking about something like ASIC or FPGA.
>
> thanks
From caldejon at mac.com Wed Dec 13 21:15:08 2006
From: caldejon at mac.com (Randy Caldejon)
Date: Thu, 14 Dec 2006 00:15:08 -0500
Subject: [Bro] Performance testing BRO
Message-ID: <6935CE4E-D3DE-468A-820A-42D9A8DEE169@mac.com>

Greetings,

My company is in the process of porting ntop ( www.ntop.org ) to a hardware acceleration platform. After this, we'd like to do the same for BRO as an experiment. I'm curious to know if there is a standard suite of tests used to benchmark BRO? Our goal is to baseline BRO on commodity hardware then run the same tests on the accelerated platform. We have ideas on how to do this, but we're certainly open to suggestions -- especially from those intimately familiar with BRO.

Regards,
Randy

From bltierney at lbl.gov Thu Dec 14 12:21:07 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Thu, 14 Dec 2006 12:21:07 -0800
Subject: [Bro] updated versions of Bro 1.1 (stable) and 1.2 (devel) now available
Message-ID: <4581B233.60009@lbl.gov>

New versions are available at: http://www.bro-ids.org/download.html

These are mainly somewhat minor bug fixes, and some makefile fixes. However we still recommend upgrading to these versions. Details of the changes follow:

1.1d Tue Dec 5 15:17:04 PST 2006

- Fixed using "time" values as table indices. (Vern Paxson)
- Fixed crash if local variable is given as timeout value for table. (Reported by Mike Wood.)
- Added Linux tuning to brolite install script. (Brian Tierney)

=========================================================

1.2.1 Mon Dec 11 16:22:58 PST 2006

- Fixed delayed triggering of new_connection events when using the connection compressor.
- Fixed tracking of first packet in TCP analyzer. (Reported by Guohan Lu)
- The syslog built-in got lost during some previous merge.
- Fixed crash if local variable is given as timeout value for table. (Reported by Mike Wood.)
- Fixed using "time" values as table indices.
- Added ssh to default brolite DPD configuration.
- Fixed catching up to real-time in case of lull.
- Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
- Fixed Makefile problem in doc directory.
- Fixed Makefile dependency problem in binpac directory.
- Added Linux tuning to brolite install script.
- Modified Makefile to include broccoli/contrib.
- Adding missing initialization to remote serializer.
- Minor documentation updates for reference manual and Broccoli.

--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd.
MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From dcaldwell at colsa.com Fri Dec 15 10:35:49 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Fri, 15 Dec 2006 12:35:49 -0600
Subject: [Bro] Not generating reports
Message-ID:

My bro installation is logging correctly, but is not generating reports. I am not sure what I did wrong, or what to post here to try to get assistance with this issue.

Any suggestions?

TIA
David Caldwell

From geek00l at gmail.com Fri Dec 15 11:37:54 2006
From: geek00l at gmail.com (CS Lee)
Date: Sat, 16 Dec 2006 03:37:54 +0800
Subject: [Bro] content gaps (Re: Notice.log)
In-Reply-To: <200612130813.kBD8DoBB076264@jaguar.icir.org>
References: <1bb5dd90612102225t41b27fbdve4023b9a26750126@mail.gmail.com> <200612130813.kBD8DoBB076264@jaguar.icir.org>
Message-ID: <1bb5dd90612151137y808ef93k653ef54aac881faf@mail.gmail.com>

Vern,

Thanks for the explanation.

On 12/13/06, Vern Paxson wrote:
>
> > I'm wondering what
> > is actually indicated by content gap
>
> A content gap occurs when Bro's TCP stream reassembler frees up memory
> allocated to previous TCP segments and some of those segments were never
> delivered (i.e., were never in-sequence). It generally indicates the
> presence of measurement drops (similar to ack_above_hole), though can
> also occur when running on traces that have been filtered.
>
> > I would like to
> > know what Content Gap means and the rate (> 1/175) or (> 1/1400).
>
> It's not a rate but rather a range of sequence numbers, so in the
> second case, it ranges for 1400 bytes starting at sequence #1 to.
>
> Vern

--
Best Regards,
CS Lee

From robin at icir.org Fri Dec 15 11:52:01 2006
From: robin at icir.org (Robin Sommer)
Date: Fri, 15 Dec 2006 11:52:01 -0800
Subject: [Bro] Performance testing BRO
In-Reply-To: <6935CE4E-D3DE-468A-820A-42D9A8DEE169@mac.com>
References: <6935CE4E-D3DE-468A-820A-42D9A8DEE169@mac.com>
Message-ID: <20061215195201.GA28378@icir.org>

On Thu, Dec 14, 2006 at 00:15 -0500, Randy Caldejon wrote:
> I'm curious to know if there is a standard suite of tests used to
> benchmark BRO? Our goal is to baseline BRO on commodity hardware
> then run the same tests on the accelerated platform. We have ideas
> on how to do this, but we're certainly open to suggestions --
> especially from those intimately familiar with BRO.

No, we don't have any performance benchmark. We did some performance measurements in the past on traces (see http://www.icir.org/robin/papers/ccs04.pdf), but I'd suppose that you guys are more interested in live traffic.

In general, when doing measurements with Bro, it is important to keep in mind that performance depends a *lot* on the actual configuration. Bro internally applies various schemes to only perform types of analysis which are actually required for the given setup.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From bltierney at lbl.gov Fri Dec 15 13:00:08 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Fri, 15 Dec 2006 13:00:08 -0800
Subject: [Bro] Not generating reports
In-Reply-To:
References:
Message-ID: <45830CD8.9010107@lbl.gov>

Did you do a 'make install-brolite'? That is required to install the report generation stuff. What happens when you run this:

    /usr/local/bro/scripts/site-report.pl \
        --broconfig /usr/local/bro/etc/bro.cfg

David Caldwell wrote:
> My bro installation is logging correctly, but is not generating
> reports. I am not sure what I did wrong, or what to post here to try
> to get assistance with this issue.
>
> Any suggestions?
>
> TIA
> David Caldwell

--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From dcaldwell at colsa.com Fri Dec 15 13:19:17 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Fri, 15 Dec 2006 15:19:17 -0600
Subject: [Bro] Not generating reports
In-Reply-To: <45830CD8.9010107@lbl.gov>
References: <45830CD8.9010107@lbl.gov>
Message-ID: <8DDC5E70-EF7A-44C2-9642-1D1608BC78B8@colsa.com>

yes, I did do 'make install-brolite' and gave it the times and everything requested by the script.

If I run that command I get this

    Can't locate Bro/Config.pm in @INC (@INC contains: /usr/local/bro/perl/lib/perl5/site_perl /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at /usr/local/bro/scripts/site-report.pl line 25.
    BEGIN failed--compilation aborted at /usr/local/bro/scripts/site-report.pl line 25.

Thanks,
David

On Dec 15, 2006, at 3:00 PM, Brian Tierney wrote:
>
> Did you do a 'make install-brolite' ? That is required to install the
> report generation stuff. What happens when you run this:
>
> /usr/local/bro/scripts/site-report.pl \
> --broconfig /usr/local/bro/etc/bro.cfg
>
> David Caldwell wrote:
>> My bro installation is logging correctly, but is not generating
>> reports. I am not sure what I did wrong, or what to post here to try
>> to get assistance with this issue.
>>
>> Any suggestions?
>>
>> TIA
>> David Caldwell

From bltierney at lbl.gov Fri Dec 15 13:30:26 2006
From: bltierney at lbl.gov (Brian Tierney) Date: Fri, 15 Dec 2006 13:30:26 -0800 Subject: [Bro] Not generating reports In-Reply-To: <8DDC5E70-EF7A-44C2-9642-1D1608BC78B8@colsa.com> References: <45830CD8.9010107@lbl.gov> <8DDC5E70-EF7A-44C2-9642-1D1608BC78B8@colsa.com> Message-ID: <458313F2.80603@lbl.gov> Looks like something did not get fully installed. Did you run 'make install-brolite' as root? Can you re-run 'make install-brolite', and send me the output? David Caldwell wrote: > yes, I did do 'make install-brolite' and gave it the times and > everything requested by the script. > > If I run that command I get this > > Can't locate Bro/Config.pm in @INC (@INC contains: > /usr/local/bro/perl/lib/perl5/site_perl /etc/perl > /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 > /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 > /usr/local/lib/site_perl .) at /usr/local/bro/scripts/site-report.pl > line 25. > BEGIN failed--compilation aborted at > /usr/local/bro/scripts/site-report.pl line 25. > > Thanks, > David > > > On Dec 15, 2006, at 3:00 PM, Brian Tierney wrote: > >> >> Did you do a 'make install-brolite' ? That is required to install the >> report generation stuff. What happens when you run this: >> >> /usr/local/bro/scripts/site-report.pl \ >> --broconfig /usr/local/bro/etc/bro.cfg >> >> >> >> David Caldwell wrote: >>> My bro installation is logging correctly, but is not generating >>> reports. I am not sure what I did wrong, or what to post here to try >>> to get assistance with this issue. >>> >>> Any suggestions? >>> >>> TIA >>> David Caldwell >>> _______________________________________________ >>> Bro mailing list >>> bro at bro-ids.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> -------------------------------------------------------------------------- >> >> Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL) >> 1 Cyclotron Rd. 
MS: 50B-2239, Berkeley, CA 94720 >> tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558 >> bltierney at lbl.gov http://www-didc.lbl.gov/~tierney >> ------------------------------------------------------------------------ -- ------------------------------------------------------------------------ Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL) 1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720 tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558 bltierney at lbl.gov http://www-didc.lbl.gov/~tierney ------------------------------------------------------------------------ From philou at philou.ch Sat Dec 16 04:45:57 2006 From: philou at philou.ch (Philippe Strauss) Date: Sat, 16 Dec 2006 13:45:57 +0100 Subject: [Bro] Not generating reports In-Reply-To: <45830CD8.9010107@lbl.gov> References: <45830CD8.9010107@lbl.gov> Message-ID: <20061216124557.GA27046@philou.ch> I've just upgraded to bro 1.2.1, and I had to change the perl path by hand after make install-brolite: scripts/site-report.pl: #use lib '/usr/local/bro/perl/lib/perl5/site_perl'; use lib '/usr/local/bro/perl/share/perl/5.8.4/'; it's a debian stable box. regards. -- Philippe Strauss av. de Beaulieu 25 1004 Lausanne http://philou.ch From jferdinand at thescholars.info Mon Dec 18 12:08:07 2006 From: jferdinand at thescholars.info (Jules) Date: Mon, 18 Dec 2006 20:08:07 -0000 Subject: [Bro] binpac Message-ID: <003101c722e0$3c7de210$640fa8c0@MaterDevThesc> Hi All Is there any documentation available for binpac? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061218/67e5ae7e/attachment.html From jferdinand at thescholars.info Mon Dec 18 12:15:06 2006 
From: jferdinand at thescholars.info (Jules) Date: Mon, 18 Dec 2006 20:15:06 -0000 Subject: [Bro] binpac compilation error Message-ID: <003601c722e1$362dddb0$640fa8c0@MaterDevThesc> Hi All When compiling BinPac I have the following error -------------- Compiling byteorder-test.c... ../byteorder-test.c:7:4: #error "I_AM_LITTLE_ENDIAN" ----------------- Any idea of what this would be? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061218/789ad33c/attachment.html From P.Sandford at lboro.ac.uk Tue Dec 19 07:43:48 2006 From: P.Sandford at lboro.ac.uk (P.Sandford at lboro.ac.uk) Date: Tue, 19 Dec 2006 15:43:48 +0000 Subject: [Bro] Compiling Bro Under Solaris Message-ID: <1166543028.458808b485268@staff-webmail.lboro.ac.uk> Hi all, We've been having some fun with Bro under Solaris 8. After making slow progress attempting to iron out problems we've hit something a little more difficult to track down. After eliminating /usr/ccs/bin from the environment and setting $CFLAGS to '-lssl -lsocket', configure ran OK, but then make failed as termcap.h wasn't found. Got termcap 1.3 from sunfreeware - made that and tried making bro again - got past that error and make now complains about missing libstdc++.so.6. Added /usr/avt/gcc-3.4.2/lib to LD_LIBRARY_PATH and that got over that hurdle, but have hit this: make[4]: Entering directory `/[filepath]/dev/[project]/src/Packages/bro-1.1c/src' ../src/binpac/binpac ./dce_rpc.pac make[4]: *** [dce_rpc_pac.cc] Segmentation Fault (core dumped) Any comments / suggestions on what could be causing this? Or is more information needed? Many thanks, Pete Sandford From jp.luiggi at free.fr Tue Dec 19 17:48:26 2006
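On the byteorder-test.c output in Jules's message above: a `#error` whose text names the byte order is the classic way a build probes endianness at compile time, because the compiler's own diagnostic carries the answer and nothing needs to link or run. Whether the binpac build treats that diagnostic as its result or as a failure is something the full build log would show; the message does not say. What follows is an added example, not binpac's or Bro's code, showing the runtime probe, the compile-time probe reduced to a constant so the file still compiles, and the byte-assembling reads a generated protocol parser uses so that wire fields never depend on host order. All helper names are this example's own, and kWire is a constructed sample.

```cpp
// Added example (not binpac's or Bro's code): how a build or a parser can
// learn the host byte order, and a wire reader that does not need to.
#include <cstdint>
#include <cstring>
#include <vector>

// Runtime probe: store a known 32-bit value and look at its first byte.
// On a little-endian host the low-order byte 0x04 is stored first.
bool host_is_little_endian() {
    const uint32_t probe = 0x01020304u;
    uint8_t first;
    std::memcpy(&first, &probe, 1);
    return first == 0x04;
}

// Compile-time probe, the idiom behind a "#error I_AM_..._ENDIAN" test
// file: the build compiles such a file and reads the compiler's message
// instead of an object file. Exposed here as constants so the example
// compiles on any toolchain; kCompileTimeKnown is false where the
// predefined macros are absent.
#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__)
constexpr bool kCompileTimeLittle = (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__);
constexpr bool kCompileTimeKnown = true;
#else
constexpr bool kCompileTimeLittle = false;
constexpr bool kCompileTimeKnown = false;
#endif

// Protocol fields arrive in network (big-endian) order. Assembling them
// byte by byte is correct on every host, so a parser never has to branch
// on endianness for wire reads.
uint16_t read_be16(const uint8_t* p) {
    return uint16_t((uint16_t(p[0]) << 8) | p[1]);
}

uint32_t read_be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

std::vector<uint8_t> write_be32(uint32_t v) {
    return { uint8_t(v >> 24), uint8_t(v >> 16), uint8_t(v >> 8), uint8_t(v) };
}

// The shortcut a little-endian build gets wrong: reinterpret the wire bytes
// as a host integer. Kept so the disagreement can be observed.
uint32_t read_host32_unsafe(const uint8_t* p) {
    uint32_t v;
    std::memcpy(&v, p, 4);
    return v;
}

// Constructed sample: a 4-byte big-endian field as it appears on the wire.
const uint8_t kWire[4] = {0x01, 0x02, 0x03, 0x04};
```

read_host32_unsafe() agrees with read_be32() only on a big-endian host, which is exactly the class of bug an endianness probe in a build exists to prevent.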
From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Tue, 19 Dec 2006 20:48:26 -0500 Subject: [Bro] Bro 1.2.1 vs OpenBSD 4.0 (phase 2) Message-ID: <20061220014826.GA28314@armada.mynetwork.local> Hello Christian, On Fri, Dec 01, 2006 at 10:58:10AM -0800, Christian Kreibich wrote: > > - modify util.cc and util.h in order to use bpf_timeval as structure for the > > double_to_timeval() function. (just used #ifdef HAVE_OPENBSD) > > Wow, this is so weird. I could swear we've fixed this before -- this is > due to OpenBSD's pcap using bpf_timeval instead of just timeval like > everyone else, correct? > > Rather than #ifdeffing different functions, it'd be nicer to make the > type difference transparent by typedefing the bpf_timeval to a timeval > in the OpenBSD case. The problem we get into is "struct timeval" because it's defined in OpenBSD's system (sys/time.h) but not in the way we need it : /* * Structure returned by gettimeofday(2) system call, * and used in other calls. */ struct timeval { long tv_sec; /* seconds */ long tv_usec; /* and microseconds */ }; And Bro complains in "TCP_Rewriter.cc" on the following line : "pcap_hdr.ts = double_to_timeval(timestamp);" ======================= TCP_Rewriter.cc: In member function int TCP_TracePacket::Finish(pcap_pkthdr*&,const u_char*&, int&, unsigned int, unsigned int)': TCP_Rewriter.cc:328: error: no match for 'operator=' in ' this->TCP_TracePacket::pcap_hdr.pcap_pkthdr::ts = double_to_timeval(double)()' /usr/include/net/bpf.h:129: error: candidates are: bpf_timeval& bpf_timeval::operator=(const bpf_timeval&) *** Error code 1 ======================= so here's "struct bpf_timeval" i used which is defined in (net/bpf.h) as : struct bpf_timeval { u_int32_t tv_sec; u_int32_t tv_usec; }; I don't see (yet) how using just a "#typedef" will solve the problem. I may be wrong but i can't use a "typedef struct bpf_timeval timeval;" "struct timeval" exists and is used elsewhere. Best regards. 
PS : "struct timeval" is defined in linux as : struct timeval { time_t tv_sec; /* seconds */ suseconds_t tv_usec; /* microseconds */ }; From christian at whoop.org Wed Dec 20 03:29:42 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 20 Dec 2006 12:29:42 +0100 Subject: [Bro] Bro 1.2.1 vs OpenBSD 4.0 (phase 2) In-Reply-To: <20061220014826.GA28314@armada.mynetwork.local> References: <20061220014826.GA28314@armada.mynetwork.local> Message-ID: <1166614182.1785.129.camel@strangepork> On Tue, 2006-12-19 at 20:48 -0500, Jean-Philippe Luiggi wrote: > I don't see (yet) how using just a "#typedef" will solve the problem. > I may be wrong but i can't use a "typedef struct bpf_timeval timeval;" > "struct timeval" exists and is used elsewhere. I see your point. I still don't think there's a need to #ifdef different functions though -- if we use struct timeval consistently throughout the code (as we are), then you'll probably only need to add assignment operators for the two different types (that'd fix the compiler error you're pointing out) and maybe casts to struct timeval* in other places. Let me know if there are other problems I'm missing. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From christian at whoop.org Wed Dec 20 04:28:01 2006 
From: christian at whoop.org (Christian Kreibich) Date: Wed, 20 Dec 2006 13:28:01 +0100 Subject: [Bro] Compiling Bro Under Solaris In-Reply-To: <1166543028.458808b485268@staff-webmail.lboro.ac.uk> References: <1166543028.458808b485268@staff-webmail.lboro.ac.uk> Message-ID: <1166617681.1785.142.camel@strangepork> Hi Pete, On Tue, 2006-12-19 at 15:43 +0000, P.Sandford at lboro.ac.uk wrote: > Hi all, > > We've been having some fun with Bro under Solaris 8. After making slow > progress attempting to iron out problems we've hit something a little more > difficult to track down. thanks for trying so hard. :) > After eliminating /usr/ccs/bin from the environment and setting $CFLAGS to > '-lssl -lsocket', configure ran OK, Mhmm I'm puzzled as to why you had to do this. We're aware of Solaris's unique library requirements. -lnsl -lsocket should automatically be added during configure, and -lssl gets added after a separate check. As always, can you post the configure output and config.log? > but then make failed as termcap.h > wasn't found. > > Got termcap 1.3 from sunfreeware Yes, we require termcap. > - made that and tried making bro again - > got past that error and make now complains about missing libstdc++.so.6. > Added /usr/avt/gcc-3.4.2/lib to LD_LIBRARY_PATH and that got over that > hurdle, but have hit this: > > make[4]: Entering directory > `/[filepath]/dev/[project]/src/Packages/bro-1.1c/src' > ../src/binpac/binpac ./dce_rpc.pac > make[4]: *** [dce_rpc_pac.cc] Segmentation Fault (core dumped) > > Any comments / suggestions on what could be causing this? or is more > information needed? What compiler are you building with? If you've built with gcc 3.4.2 then it should have found that directory automatically. My guess is that "brute-forcing" GCC's lib directory onto the search path might cause an incompatible libstdc++ to be used. Is there another one on your system? 
Can you run "../src/binpac/binpac ./dce_rpc.pac" from the src/ directory manually under gdb and find out what's causing the segfault? Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jp.luiggi at free.fr Wed Dec 20 06:25:49 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Wed, 20 Dec 2006 09:25:49 -0500 Subject: [Bro] Bro 1.2.1 vs OpenBSD 4.0 (phase 2) In-Reply-To: <1166614182.1785.129.camel@strangepork> References: <20061220014826.GA28314@armada.mynetwork.local> <1166614182.1785.129.camel@strangepork> Message-ID: <20061220142549.GB20368@armada.mynetwork.local> Hello Christian, On Wed, Dec 20, 2006 at 12:29:42PM +0100, Christian Kreibich wrote: > On Tue, 2006-12-19 at 20:48 -0500, Jean-Philippe Luiggi wrote: > > I don't see (yet) how using just a "#typedef" will solve the problem. > > I may be wrong but i can't use a "typedef struct bpf_timeval timeval;" > > "struct timeval" exists and is used elsewhere. > > I see your point. I still don't think there's a need to #ifdef different > functions though -- if we use struct timeval consistently throughout the Sure, you're right but i tried to follow the suggestion and ran into "trouble" so i preferred to switch to the "easy way" (to make Bro work)... :-) > code (as we are), then you'll probably only need to add assignment > operators for the two different types (that'd fix the compiler error > you're pointing out) and maybe casts to struct timeval* in other places. > Let me know if there are other problems I'm missing. No, the problem with "timeval" is the biggest one i think, the others are managed : - ARP.(h/cc) - bro.rc (i still have a little error with a "SIGHUP" but the script works). It's not a bug (but a feature) so as soon as i have a correct "timeval" solution, i'll play with the DNS. Best regards. From Sam.Sexton at reuters.com Thu Dec 21 03:36:01 2006 
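On the bpf_timeval thread above: the route Christian describes, no #ifdef at the call site and a conversion between the two types instead, can be shown without touching either system header. The block below is an added example, not Bro's code. Both struct layouts are reproduced inside a namespace from the definitions quoted in the thread (Linux long/long, OpenBSD u_int32_t/u_int32_t) so it compiles on any host; double_to_timeval here is a stand-in for Bro's function of that name, and pcap_ts, make_pcap_ts, openbsd_pkthdr and linux_pkthdr are names chosen for this example. Since operator= cannot be added to a struct one does not own, the conversion operators live on a small type that is assignable to either header field, which is what "assignment operators for the two different types" amounts to in practice. The OpenBSD field is unsigned 32-bit, so the conversion refuses negative seconds and anything past 2^32-1 rather than wrapping silently.

```cpp
// Added example, not Bro's code: assign a double timestamp to a pcap
// header whose ts field is struct timeval on most systems but OpenBSD's
// struct bpf_timeval, with no #ifdef at the call site.
#include <cmath>
#include <cstdint>
#include <stdexcept>

namespace demo {  // local copies of both layouts, as quoted in the thread

struct timeval {        // Linux/glibc shape: signed long fields
    long tv_sec;
    long tv_usec;
};

struct bpf_timeval {    // OpenBSD <net/bpf.h> shape: unsigned 32-bit fields
    uint32_t tv_sec;
    uint32_t tv_usec;
};

// Stand-in for Bro's double_to_timeval(): whole seconds plus microseconds.
inline timeval double_to_timeval(double t) {
    double whole = std::floor(t);
    timeval tv;
    tv.tv_sec = static_cast<long>(whole);
    tv.tv_usec = static_cast<long>(std::lround((t - whole) * 1e6));
    if (tv.tv_usec >= 1000000) { tv.tv_sec += 1; tv.tv_usec -= 1000000; }
    return tv;
}

// Explicit, checked conversion: bpf_timeval cannot hold negative seconds
// or seconds beyond 2^32-1, so refuse instead of silently wrapping.
inline bpf_timeval to_bpf_timeval(const timeval& tv) {
    if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= 1000000 ||
        static_cast<unsigned long long>(tv.tv_sec) > UINT32_MAX)
        throw std::out_of_range("timeval not representable as bpf_timeval");
    bpf_timeval b;
    b.tv_sec = static_cast<uint32_t>(tv.tv_sec);
    b.tv_usec = static_cast<uint32_t>(tv.tv_usec);
    return b;
}

// The transparent form: a value convertible to either struct, so the same
// "hdr.ts = make_pcap_ts(t);" compiles against both pcap_pkthdr layouts.
struct pcap_ts {
    timeval tv;
    operator timeval() const { return tv; }
    operator bpf_timeval() const { return to_bpf_timeval(tv); }
};

inline pcap_ts make_pcap_ts(double t) { return pcap_ts{double_to_timeval(t)}; }

// Minimal stand-ins for the two pcap_pkthdr layouts.
struct openbsd_pkthdr { bpf_timeval ts; uint32_t caplen; uint32_t len; };
struct linux_pkthdr   { timeval ts;     uint32_t caplen; uint32_t len; };

// Identical call site on both platforms.
inline openbsd_pkthdr stamp_openbsd(double t) { openbsd_pkthdr h{}; h.ts = make_pcap_ts(t); return h; }
inline linux_pkthdr   stamp_linux(double t)   { linux_pkthdr h{};   h.ts = make_pcap_ts(t); return h; }

// True when the OpenBSD path rejects a timestamp the Linux path accepts.
inline bool bpf_conversion_rejects(double t) {
    try { stamp_openbsd(t); } catch (const std::out_of_range&) { return true; }
    return false;
}

}  // namespace demo
```

The range check is the part worth keeping whatever shape the final patch takes: a timestamp that fits a signed long but not a u_int32_t would otherwise be written into the trace file as a wrong but plausible time.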
From: Sam.Sexton at reuters.com (Sam Sexton) Date: Thu, 21 Dec 2006 11:36:01 +0000 Subject: [Bro] Compiling Bro Under Solaris Message-ID: <515D160C16AE3C439D9B3F072EBEEE320311BFB2@LONSMSXM06.emea.ime.reuters.com> Christian, Apologies, in my last response (apparently still in limbo awaiting moderator approval due to the size), I didn't include config.log or respond to your question about versions of libstdc++. I'll upload config.log in my next update, as that will probably go into limbo as well, but we only have other copies of libstdc++ in other gcc directories (different versions), which shouldn't come into the picture at all. Regards, /Sam Sam Sexton Infrastructure Group Transactions Group (Sales & Trading) Reuters Messaging: sam.sexton.reuters.com at reuters.net (t) +44 24 7625 6562 | (m) +44 7990 563739 | (f) +44 24 7655 5203 Get the latest news at Reuters.com This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061221/8415e1e6/attachment.html From Sam.Sexton at reuters.com Thu Dec 21 03:41:59 2006 
From: Sam.Sexton at reuters.com (Sam Sexton) Date: Thu, 21 Dec 2006 11:41:59 +0000 Subject: [Bro] Compiling Bro Under Solaris Message-ID: <515D160C16AE3C439D9B3F072EBEEE320311BFC0@LONSMSXM06.emea.ime.reuters.com> Christian, Here's config.log (gzipped in the hope it won't get delayed). /Sam Sam Sexton Infrastructure Group Transactions Group (Sales & Trading) Reuters Messaging: sam.sexton.reuters.com at reuters.net (t) +44 24 7625 6562 | (m) +44 7990 563739 | (f) +44 24 7655 5203 Get the latest news at Reuters.com This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061221/2d294e2b/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: config.log.gz Type: application/x-gzip Size: 12233 bytes Desc: config.log.gz Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061221/2d294e2b/attachment.gz From Sam.Sexton at reuters.com Wed Dec 20 07:26:37 2006 
From: Sam.Sexton at reuters.com (Sam Sexton) Date: Wed, 20 Dec 2006 15:26:37 +0000 Subject: [Bro] Compiling Bro Under Solaris Message-ID: <515D160C16AE3C439D9B3F072EBEEE320311BE33@LONSMSXM06.emea.ime.reuters.com> Christian, I'm working with Pete Sandford on this problem and have attached a log of a fresh configure, make and binpac test. I don't really know adb, but I've extracted a little information from the core file in case that's of any use. Let me know if there's anything else you need. Regards, /Sam Sam Sexton Infrastructure Group Transactions Group (Sales & Trading) Reuters Messaging: sam.sexton.reuters.com at reuters.net (t) +44 24 7625 6562 | (m) +44 7990 563739 | (f) +44 24 7655 5203 Get the latest news at Reuters.com This email was sent to you by Reuters, the global news and information company. To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061220/2ccd5a1a/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: ADTSniffer_build_bro.log Type: application/octet-stream Size: 53435 bytes Desc: ADTSniffer_build_bro.log Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061220/2ccd5a1a/attachment.obj From ewages at colsa.com Fri Dec 22 13:03:39 2006 
From: ewages at colsa.com (Eric Wages) Date: Fri, 22 Dec 2006 15:03:39 -0600 Subject: [Bro] Buffered output on logs Message-ID: Question for you folks - clearly the logging functionality of Bro is buffered, but will it also be flushed after a certain time has expired as well? I'm noticing that the alarm output file can have immediate writes, but something like the ssh output file will have 0 bytes until I manually checkpoint the server. Your thoughts? Thanks, -Eric Eric Wages COLSA Corporation Operations Manager, HMT ROC 256-721-0372, ext 110 From seth at net.ohio-state.edu Fri Dec 22 13:26:01 2006 From: seth at net.ohio-state.edu (Seth Hall) Date: Fri, 22 Dec 2006 16:26:01 -0500 Subject: [Bro] Buffered output on logs In-Reply-To: References: Message-ID: <7D098CDE-0E25-4ABB-BE6B-8B150DEB5B2B@net.ohio-state.edu> On Dec 22, 2006, at 4:03 PM, Eric Wages wrote: > Question for you folks - clearly the logging functionality of Bro is > buffered, but will it also be flushed after a certain time has > expired as well? @load file-flush redef file_flush_interval = 10 sec; Log files will write to disk every 10 seconds. .Seth From ewages at colsa.com Fri Dec 22 13:27:42 2006 
From: ewages at colsa.com (Eric Wages) Date: Fri, 22 Dec 2006 15:27:42 -0600 Subject: [Bro] Buffered output on logs In-Reply-To: <7D098CDE-0E25-4ABB-BE6B-8B150DEB5B2B@net.ohio-state.edu> References: <7D098CDE-0E25-4ABB-BE6B-8B150DEB5B2B@net.ohio-state.edu> Message-ID: <382EC384-78D7-45A9-A398-B16FFCAF2F4A@colsa.com> Excellent! Thanks, Seth! That's just what I needed. -Eric Eric Wages COLSA Corporation Operations Manager, HMT ROC 256-721-0372, ext 110 On Dec 22, 2006, at 3:26 PM, Seth Hall wrote: > > On Dec 22, 2006, at 4:03 PM, Eric Wages wrote: > >> Question for you folks - clearly the logging functionality of Bro is >> buffered, but will it also be flushed after a certain time has >> expired as well? > > @load file-flush > redef file_flush_interval = 10 sec; > > Log files will write to disk every 10 seconds. > > .Seth From geek00l at gmail.com Sat Dec 23 18:22:44 2006 
From: geek00l at gmail.com (CS Lee) Date: Sun, 24 Dec 2006 10:22:44 +0800 Subject: [Bro] Dynamic Protocol Detection Message-ID: <1bb5dd90612231822mce522abt15d1718a36d53913@mail.gmail.com> Gentle people, I have enabled dpd in brolite.bro with const use_dpd = T; At the same time I also comment out this line because I want to look into port 80 traffic. # redef restrict_filters += [ ["not-http"] = "not (port 80)" ]; I get a lot of this ..... t=1166923564.867909 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=1.2.3.5 sp=46616/tcp da=1.2.3.4 dp=80/tcp msg=1.2.3.5/46616\ >\ 1.2.3.4/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ request\ line tag=@5618 ..... In the wiki, it says that Bro can disable an analyzer on the fly if that finds that it cannot parse a connection's payload---which most probably means the protocol detection went wrong. I'm curious about the protocol violation part. From what I have studied if I enable dpd, it should examine the traffic via dpd.sig before determining which protocol is used. Since I have pcap logging, I try to examine the traffic manually with tcpdump and it seems to be a normal http session from 1.2.3.5 to 1.2.3.4. Thus I'm wondering why this happens, as if the http analyzer is disabled then the IDS can be evaded. Another strange behaviour is the redef restrict_filters += [ ["not-http"] = "not (port 80)" ]; I have a few ports running http traffic, so I need to avoid reports of http traffic running on ports other than 80. 
For example I have two ports such as ports 7777 and 7778 running some http kind of daemon, so to do it I just add this in the dpd section of brolite.bro redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ]; redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ]; So it works as expected but when I add another port for example port 7785 below the above two lines, redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ]; Suddenly it doesn't work and reports http traffic running on those ports. So I'm curious if anyone has this similar issue. I have tried to define multiple ports with not(port 7777 and port 7778) for example but it doesn't work, I read the wiki and it says that restrict_filters introduces "and" so that's why I have to specify multiple restrict_filters instead. One interesting issue also that happens to me is that I have tried to enable the full trace in bro.cfg, BRO_CREATE_TRACE_FILE=YES It logs the pcap correctly, so I try to disable it with BRO_CREATE_TRACE_FILE=NO Then restart bro-ids with bro.rc checkpoint, however it is still logging, thus I have to comment out the line # BRO_CREATE_TRACE_FILE=NO Restarting bro-ids again and this time the full pcap logging no longer works. That's all, I know that soon this will be replaced by time machine for full content logging but just would like to know if this is my problem or anyone has this. Thanks and cheers. -- Best Regards, CS Lee -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20061224/4c3ae286/attachment.html From bachhaiduong at gmail.com Mon Dec 25 09:22:00 2006 
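On the ProtocolViolation notice quoted in CS Lee's message above: a DPD analyzer that has been switched off no longer inspects the rest of that connection, which is the evasion concern the message raises, so these notices are worth tallying per source rather than only scrolling past. The block below is an added example, not Bro's code: a parser for that notice line format (key=value fields separated by spaces, with a space inside a value escaped as "\ ", exactly as in the quoted line) and a counter of analyzer-disabled notices by source address. The first sample line is the one from the message with the missing space before sp= restored; the other two lines, the notice name "OtherNotice", and all function names are constructed for this example.

```cpp
// Added example, not Bro's code: parse 1.x-style notice lines and count
// "analyzer disabled" ProtocolViolation notices per source address.
#include <map>
#include <string>
#include <vector>

using Fields = std::map<std::string, std::string>;

// Split on unescaped spaces, honouring backslash escapes, then split each
// token at its first '='. Tokens without '=' are ignored.
Fields parse_notice(const std::string& line) {
    Fields out;
    std::vector<std::string> tokens;
    std::string cur;
    for (size_t i = 0; i < line.size(); ++i) {
        char c = line[i];
        if (c == '\\' && i + 1 < line.size()) {
            cur += line[++i];             // escaped character, keep it literally
        } else if (c == ' ') {
            if (!cur.empty()) { tokens.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) tokens.push_back(cur);
    for (const std::string& tok : tokens) {
        size_t eq = tok.find('=');
        if (eq == std::string::npos) continue;
        out[tok.substr(0, eq)] = tok.substr(eq + 1);
    }
    return out;
}

// Matches the notice shape in the message: a ProtocolViolation whose
// message says an analyzer was disabled.
bool is_analyzer_disabled(const Fields& f) {
    auto no = f.find("no");
    auto msg = f.find("msg");
    return no != f.end() && no->second == "ProtocolViolation" &&
           msg != f.end() &&
           msg->second.find("disabled due to protocol violation") != std::string::npos;
}

// Count of analyzer-disabled notices per source address ("sa" field).
// A pile of these from one source towards a port that should carry clean
// HTTP is the case to pull the pcap for.
std::map<std::string, int> disabled_by_source(const std::vector<std::string>& lines) {
    std::map<std::string, int> counts;
    for (const std::string& l : lines) {
        Fields f = parse_notice(l);
        if (is_analyzer_disabled(f)) ++counts[f["sa"]];
    }
    return counts;
}

// Constructed sample: the line from the message (space before sp= restored)
// plus two made-up lines in the same format.
const std::vector<std::string>& sample_lines() {
    static const std::vector<std::string> v = {
        "t=1166923564.867909 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=1.2.3.5 sp=46616/tcp da=1.2.3.4 dp=80/tcp "
        "msg=1.2.3.5/46616\\ >\\ 1.2.3.4/http\\ analyzer\\ HTTP\\ disabled\\ due\\ to\\ protocol\\ violation "
        "sub=not\\ a\\ http\\ request\\ line tag=@5618",
        "t=1166923570.100000 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=1.2.3.5 sp=46620/tcp da=1.2.3.4 dp=80/tcp "
        "msg=1.2.3.5/46620\\ >\\ 1.2.3.4/http\\ analyzer\\ HTTP\\ disabled\\ due\\ to\\ protocol\\ violation "
        "sub=not\\ a\\ http\\ request\\ line tag=@5619",
        "t=1166923580.000000 no=OtherNotice na=NOTICE_ALARM_ALWAYS sa=1.2.3.9 sp=1234/tcp da=1.2.3.4 dp=22/tcp "
        "msg=constructed\\ sample tag=@5620",
    };
    return v;
}
```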
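On the restrict_filters part of the same message: the wiki note the writer quotes (entries are joined with "and") explains both why several single-port entries are needed and why "not(port 7777 and port 7778)" cannot work, since BPF's "port N" matches either endpoint and a packet to 7777 alone does not satisfy the inner "and", so the "not" lets it through; the form that excludes both is "not (port 7777 or port 7778)". A second point is visible in the three lines as written: the 7778 and 7785 entries share the key "cpanel3", and a table keeps one value per key, so the later entry replaces the earlier one instead of adding to it. That matches the symptom described but is only one candidate; the message does not confirm it. The block below is an added example, not Bro's code: it builds the conjunction from a keyed table and evaluates the small BPF subset involved (not, and, or, parentheses, port) against sample packets so each of those points can be checked. RestrictFilters, build_filter, BpfEval and passes are this example's own names, and the "port N" semantics follow BPF.

```cpp
// Added example, not Bro's code: what a keyed restrict_filters table turns
// into, and two reasons an entry can stop excluding a port.
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Keyed by the name given in [...]; a table holds one value per key, so a
// second entry under the same name replaces the first.
using RestrictFilters = std::map<std::string, std::string>;

// All entries are ANDed together (the "and" the wiki note refers to).
std::string build_filter(const RestrictFilters& rf) {
    std::string out;
    for (const auto& kv : rf) {
        if (!out.empty()) out += " and ";
        out += "(" + kv.second + ")";
    }
    return out;
}

struct Pkt { int sport; int dport; };

// Recursive-descent evaluator for the BPF subset used here:
//   expr := term ("or" term)* ; term := factor ("and" factor)* ;
//   factor := "not" factor | "(" expr ")" | "port" NUMBER
// "port N" matches when either endpoint is N, as in BPF.
class BpfEval {
public:
    BpfEval(const std::string& s, Pkt p) : pkt(p) { tokenize(s); }
    bool run() {
        bool v = expr();
        if (pos != toks.size()) throw std::runtime_error("trailing tokens");
        return v;
    }
private:
    Pkt pkt;
    std::vector<std::string> toks;
    size_t pos = 0;
    void tokenize(const std::string& s) {
        std::string cur;
        auto flush = [&] { if (!cur.empty()) { toks.push_back(cur); cur.clear(); } };
        for (char c : s) {
            if (std::isspace(static_cast<unsigned char>(c))) flush();
            else if (c == '(' || c == ')') { flush(); toks.push_back(std::string(1, c)); }
            else cur += c;
        }
        flush();
    }
    bool accept(const char* t) {
        if (pos < toks.size() && toks[pos] == t) { ++pos; return true; }
        return false;
    }
    // Operands are always evaluated (no short-circuit) so tokens are consumed.
    bool expr() { bool v = term(); while (accept("or")) { bool r = term(); v = v || r; } return v; }
    bool term() { bool v = factor(); while (accept("and")) { bool r = factor(); v = v && r; } return v; }
    bool factor() {
        if (accept("not")) return !factor();
        if (accept("(")) {
            bool v = expr();
            if (!accept(")")) throw std::runtime_error("expected )");
            return v;
        }
        if (accept("port")) {
            if (pos >= toks.size()) throw std::runtime_error("port needs a number");
            int n = std::stoi(toks[pos++]);
            return pkt.sport == n || pkt.dport == n;
        }
        throw std::runtime_error("unexpected token");
    }
};

// True when the packet passes the filter, i.e. Bro would still see it.
bool passes(const std::string& filter, Pkt p) { return BpfEval(filter, p).run(); }

// The two entries from the message, then the third one reusing "cpanel3".
RestrictFilters two_ports() {
    return {{"cpanel2", "not (port 7777)"}, {"cpanel3", "not (port 7778)"}};
}
RestrictFilters with_reused_key() {
    RestrictFilters rf = two_ports();
    rf["cpanel3"] = "not (port 7785)";   // replaces the 7778 entry, does not add one
    return rf;
}
```

With two_ports() a packet to 7778 is dropped by the filter; with the key reused, 7778 traffic passes again while 7785 is excluded, and the table still has only two entries. The same evaluator shows "not (port 7777 and port 7778)" passing a packet to 7777 and "not (port 7777 or port 7778)" dropping it.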
From: bachhaiduong at gmail.com (Bach Hai Duong) Date: Tue, 26 Dec 2006 00:22:00 +0700 Subject: [Bro] Error while compiling bro-1.1d Message-ID: <459008B8.5080805@gmail.com> Hi all, I've just downloaded the stable version bro-1.1d and started compiling it on my Linux box. It shows these errors: --- 8< --- .... g++ -g -O2 -o bifcl bif_lex.o bif_parse.o bif_arg.o -Llibedit -ledit -lpcap -lpcap -lssl -lcrypto -lpcap /usr/lib/libresolv.a -ltermcap -lm ./bifcl ./bro.bif ./bifcl ./event.bif ./bifcl ./const.bif ./bifcl ./common-rw.bif ./bifcl ./finger-rw.bif ./bifcl ./ident-rw.bif ./bifcl ./ftp-rw.bif ./bifcl ./smtp-rw.bif ./bifcl ./http-rw.bif ./bifcl ./strings.bif perl ./make_dbg_constants.pl ./DebugCmdInfoConstants.in make all-recursive make[3]: Entering directory `/root/bro-1.1d/src' Making all in binpac make[4]: Entering directory `/root/bro-1.1d/src/binpac' if g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I../../linux-include -g -O2 -MT pac_parse.o -MD -MP -MF ".deps/pac_parse.Tpo" -c -o pac_parse.o pac_parse.cc; \ then mv -f ".deps/pac_parse.Tpo" ".deps/pac_parse.Po"; else rm -f ".deps/pac_parse.Tpo"; exit 1; fi pac.h:109: warning: 'class Evaluatable' has virtual functions but non-virtual destructor pac.h:615: error: extra qualification 'Field::' on member 'getFieldBegin' pac.h:616: error: extra qualification 'Field::' on member 'getFieldEnd' pac.h:658: warning: 'class LetDef' has virtual functions but non-virtual destructor make[4]: *** [pac_parse.o] Error 1 make[4]: Leaving directory `/root/bro-1.1d/src/binpac' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/root/bro-1.1d/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/root/bro-1.1d/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/root/bro-1.1d' make: *** [all] Error 2 --- 8< --- Do you have any idea? Thank you, BHD From ewages at colsa.com Tue Dec 26 08:45:47 2006 
From: ewages at colsa.com (Eric Wages) Date: Tue, 26 Dec 2006 10:45:47 -0600 Subject: [Bro] Toggling traffic direction in reports/logs? Message-ID: First off, I hope everyone had (is having) a happy holiday season. I've finally got the daily Bro reporting mechanism working and sending out emails as I expected. However, after letting it run for a few days, I'm starting to notice something that's a little unusual. The Bytes In/Bytes Out pair as well as the Local Host/Remote Host pairs seem to be opposite. For example, it will say something like: Local Remote Conn. Local Host Remote Host Bytes Bytes Count ----------------------- ----------------------- --------- --------- ------- some.externalhost.com my.internalhost.com 1562 K 142902 2136 This is the exact opposite of what is the actual traffic pattern. Is there a way that I can tell Bro that my /28 subnet is "local" and everything else is "remote"? I don't seem to see anything like that in the configuration files. Thanks so much! -Eric Eric Wages COLSA Corporation Operations Manager, HMT ROC 256-721-0372, ext 110 From sifukurt at yahoo.com Tue Dec 26 09:13:09 2006 
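On the reversed Local/Remote columns in Eric's message above: a report can only label one end of a connection "local" and orient bytes in/out once it has been told which address ranges are local, and a connection record by itself only knows originator and responder. The block below is an added example, not Bro's reporting code, of that orientation step: parse a /28 in CIDR form, test membership, and turn an originator/responder row into a local-host/remote-host row with bytes in and out. Addresses are taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and the byte counts are constructed; Cidr, Conn, Oriented and the function names are this example's own. Rows where neither or both ends are local are flagged rather than guessed, which is the case a report should surface instead of silently orienting.

```cpp
// Added example, not Bro's code: orient a connection row as local/remote
// and bytes in/out given a list of local networks.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

struct Cidr { uint32_t net; uint32_t mask; };

// Strict dotted-quad parse: exactly four octets, each 0..255, nothing after.
uint32_t parse_ipv4(const std::string& s) {
    unsigned a, b, c, d;
    char extra;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        throw std::invalid_argument("bad IPv4 address: " + s);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// "a.b.c.d/len"; the network part is normalised so 192.0.2.20/28 and
// 192.0.2.16/28 describe the same block.
Cidr parse_cidr(const std::string& s) {
    size_t slash = s.find('/');
    if (slash == std::string::npos) throw std::invalid_argument("missing prefix length");
    int prefix = std::stoi(s.substr(slash + 1));
    if (prefix < 0 || prefix > 32) throw std::invalid_argument("bad prefix length");
    uint32_t mask = prefix == 0 ? 0u : (~0u << (32 - prefix));
    uint32_t addr = parse_ipv4(s.substr(0, slash));
    return Cidr{addr & mask, mask};
}

bool is_local(uint32_t ip, const std::vector<Cidr>& local_nets) {
    for (const Cidr& c : local_nets)
        if ((ip & c.mask) == c.net) return true;
    return false;
}

// A connection as a report row sees it: who started it and bytes each sent.
struct Conn { std::string orig; std::string resp; uint64_t orig_bytes; uint64_t resp_bytes; };

// The oriented row. 'known' is false when neither or both ends are local.
struct Oriented {
    bool known;
    std::string local_host;
    std::string remote_host;
    uint64_t bytes_in;    // bytes that arrived at the local host
    uint64_t bytes_out;   // bytes the local host sent
};

Oriented orient(const Conn& c, const std::vector<Cidr>& local_nets) {
    bool o = is_local(parse_ipv4(c.orig), local_nets);
    bool r = is_local(parse_ipv4(c.resp), local_nets);
    if (o == r) return Oriented{false, "", "", 0, 0};
    if (o) return Oriented{true, c.orig, c.resp, c.resp_bytes, c.orig_bytes};  // we started it
    return Oriented{true, c.resp, c.orig, c.orig_bytes, c.resp_bytes};         // they started it
}

// Constructed sample: an outside host connects to a server inside the /28
// and the server sends most of the bytes, the pattern the message describes.
Oriented orient_sample() {
    std::vector<Cidr> local_nets = { parse_cidr("192.0.2.16/28") };
    Conn c{"198.51.100.7", "192.0.2.20", 142902, 1562000};
    return orient(c, local_nets);
}
```

For the sample, the inside server 192.0.2.20 is the local host, 142902 bytes came in from 198.51.100.7 and 1562000 went out, whichever end happened to be the originator.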
From: sifukurt at yahoo.com (Kurt) Date: Tue, 26 Dec 2006 09:13:09 -0800 (PST) Subject: [Bro] Bro & OSSEC? Message-ID: <20061226171309.32835.qmail@web31009.mail.mud.yahoo.com> Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple questions: 1. Has anyone had any experience Bro and OSSEC together? 2. Is there any interest in the Bro community for some sort of interface into OSSEC? 3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory. Thanks. Kurt perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print" My Blog: http://kwoon.blogspot.com PGP Public Key (0x71D25CDA) @ http://cryptonomicon.mit.edu/ ----- Inveniemus viam aut faciemus --Hannibal __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From scampbell at lbl.gov Tue Dec 26 14:23:07 2006 
From: scampbell at lbl.gov (scott campbell) Date: Tue, 26 Dec 2006 14:23:07 -0800 Subject: [Bro] Bro & OSSEC? In-Reply-To: <20061226171309.32835.qmail@web31009.mail.mud.yahoo.com> References: <20061226171309.32835.qmail@web31009.mail.mud.yahoo.com> Message-ID: <4591A0CB.10304@lbl.gov> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please see comments in line .. Kurt wrote: > Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple questions: > > 1. Has anyone had any experience Bro and OSSEC together? As far as I know, there has been no interaction between the two projects. Seems like a natural fit though. > 2. Is there any interest in the Bro community for some sort of interface into OSSEC? After reading the ossec web page, I suspect that there might be a general interest in this. Personally I think it is an excellent idea. See #3. > 3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory. The one question that I would have is regarding the direction of integration. If you are not a big bro user, it seems natural to just take bro as an additional data source and be done with it. - From my perspective, it might be interesting to be able to use ossec as a way to feed interesting information into bro and let it correlate incoming network connections with host based events. There has been some work with this with syslog, ssh and apache logs via the broccoli library. 
For more examples of this, look on the bro web site: http://www.bro-ids.org and my personal site www.nersc.gov/~scottc under "Notes on new Bro functionality" cheers, scott > > Thanks. > > Kurt > perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print" > My Blog: http://kwoon.blogspot.com > PGP Public Key (0x71D25CDA) @ http://cryptonomicon.mit.edu/ > ----- > Inveniemus viam aut faciemus --Hannibal > > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFFkaDLK2Plq8B7ZBwRAp2+AKCspWSC31/hfibBYz3lZuVtt++Y6QCgrSfQ n7s94xmYT8Nxp0U0RuP3pXQ= =VPNP -----END PGP SIGNATURE----- From vern at icir.org Wed Dec 27 13:10:23 2006 From: vern at icir.org (Vern Paxson) Date: Wed, 27 Dec 2006 13:10:23 -0800 Subject: [Bro] any experience on BRO into hardware In-Reply-To: <45804D71.4070003@lbl.gov> (Wed, 13 Dec 2006 10:58:57 PST). Message-ID: <200612272110.kBRLANH5004042@jaguar.icir.org> > In no particular order, you may want to look at: > > http://www.icir.org/vern/papers/hotsec06.pdf We now have a paper available on a different approach, Shunting (with which you Scott are of course already familiar): http://www.icir.org/vern/papers/shunt-fpga-2007.pdf - Vern From jferdinand at thescholars.info Wed Dec 27 13:20:23 2006 
From: jferdinand at thescholars.info (Jules) Date: Wed, 27 Dec 2006 21:20:23 -0000 Subject: [Bro] any experience on BRO into hardware In-Reply-To: <200612272110.kBRLANH5004042@jaguar.icir.org> Message-ID: <004101c729fc$d2bb5be0$7d0fa8c0@MaterDevThesc> Thanks Vern for the new link (the second link). I have read the first paper already and it was interesting. Only the title of the new paper sounds good. Jules -----Original Message----- From: Vern Paxson [mailto:vern at icir.org] Sent: 27 December 2006 21:10 To: scott campbell Cc: Jules; bro at ICSI.Berkeley.EDU Subject: Re: [Bro] any experience on BRO into hardware > In no particular order, you may want to look at: > > http://www.icir.org/vern/papers/hotsec06.pdf We now have a paper available on a different approach, Shunting (with which you Scott are of course already familiar): http://www.icir.org/vern/papers/shunt-fpga-2007.pdf - Vern From christian at whoop.org Sun Dec 31 03:40:24 2006 From: christian at whoop.org (Christian Kreibich) Date: Sun, 31 Dec 2006 12:40:24 +0100 Subject: [Bro] Error while compiling bro-1.1d In-Reply-To: <459008B8.5080805@gmail.com> References: <459008B8.5080805@gmail.com> Message-ID: <1167565224.25705.40.camel@strangepork> Hi, On Tue, 2006-12-26 at 00:22 +0700, Bach Hai Duong wrote: > Hi all, > > I've just download the stable version bro-1.1d and start compile on my > Linux box. It show these errors: thanks for the report -- this is a known issue and fixed in the development release. Try that one instead, and see also http://mailman.icsi.berkeley.edu/pipermail/bro/2006-June/002459.html . Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org