From robin at icir.org  Sat Jul  1 10:36:31 2006
From: robin at icir.org (Robin Sommer)
Date: Sat, 1 Jul 2006 10:36:31 -0700
Subject: [Bro] Bro traffic logging
In-Reply-To: <20060629081705.38531.qmail@web53912.mail.yahoo.com>
References: <20060629081705.38531.qmail@web53912.mail.yahoo.com>
Message-ID: <20060701173631.GB4628@icir.org>

On Thu, Jun 29, 2006 at 01:17 -0700, Lee Sheng wrote:

> Is there a way when bro logs the suspicious traffic
> in pcap format but with separate files?

There's no out-of-the-box solution for this, but Bro provides the
functions dump_packet(pkt: pcap_packet, file_name: string) and
get_current_packet() which can be used to achieve this. However, because
the packets have to be passed up to the script layer, this is most
suitable for capturing a few selected packets, not a large bunch of them.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org  Sat Jul  1 10:39:59 2006
From: robin at icir.org (Robin Sommer)
Date: Sat, 1 Jul 2006 10:39:59 -0700
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
Message-ID: <20060701173959.GC4628@icir.org>

On Thu, Jun 29, 2006 at 17:01 +0300, dkalpakis at upnet.gr wrote:

> I can't build Bro on my system, using FreeBSD 6.1 release.

(In general, Bro builds fine on 6.1.)

> NetVar.h:240:30: const.bif.netvar_h: No such file or directory
> NetVar.h:241:30: event.bif.netvar_h: No such file or directory

These are strange, as these files should be automatically created
during compilation. You don't see any other error messages before
this?

This is Bro 1.1? Can you try a "make distclean", and if that doesn't
help, extract a fresh copy of the archive?
Robin

From robin at icir.org  Sat Jul  1 10:46:43 2006
From: robin at icir.org (Robin Sommer)
Date: Sat, 1 Jul 2006 10:46:43 -0700
Subject: [Bro] Custom Signatures
In-Reply-To: <1151735954.1193.265086868@webmail.messagingengine.com>
References: <1151735954.1193.265086868@webmail.messagingengine.com>
Message-ID: <20060701174643.GD4628@icir.org>

On Fri, Jun 30, 2006 at 23:39 -0700, Anandraj wrote:

> I did try bro -s ../site/signatures.bro! There was no response; I had
> to do a ctrl + c!

Not sure I understand what you did. Were you running Bro on live
traffic (then I suppose you also gave it the interface to listen on),
or on a trace (then, similarly, the command line needs to include the
trace file)?

In general, the best way to debug such signature problems is to capture
a small trace on which the signature should match and then first make
sure that the packets' content indeed looks like what the signature
expects (e.g., using tcpdump). If it does, then making the signature
less and less restrictive until it finally matches often helps to
understand what the problem actually is.

Robin

From dkalpakis at upnet.gr  Mon Jul  3 11:41:25 2006
From: dkalpakis at upnet.gr (dkalpakis at upnet.gr)
Date: Mon, 3 Jul 2006 21:41:25 +0300 (EEST)
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <20060701173959.GC4628@icir.org>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
Message-ID: <1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>

> On Thu, Jun 29, 2006 at 17:01 +0300, dkalpakis at upnet.gr wrote:
>
>> I can't build Bro on my system, using FreeBSD 6.1 release.
>
> (In general, Bro builds fine on 6.1.)
>
>> NetVar.h:240:30: const.bif.netvar_h: No such file or directory
>> NetVar.h:241:30: event.bif.netvar_h: No such file or directory
>
> These are strange, as these files should be automatically created
> during compilation. You don't see any other error messages before
> this?
>
> This is Bro 1.1? Can you try a "make distclean", and if that doesn't
> help, extract a fresh copy of the archive?
>
> Robin

Neither trying "make distclean" nor fetching a fresh copy of the archive
worked ... :( I'm still getting the same error, without seeing any other
messages before it.

Is there a possibility that there is something wrong/broken with the
archive of current Bro 1.1? Has anyone succeeded in building it recently,
using this specific archive? Any other suggestions?

Thank you for your quick reply, Robin...

taki

From christian at whoop.org  Mon Jul  3 12:36:54 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 03 Jul 2006 20:36:54 +0100
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
Message-ID: <1151955414.1501.20.camel@strangepork>

On Mon, 2006-07-03 at 21:41 +0300, dkalpakis at upnet.gr wrote:
>
> Neither trying "make distclean" nor fetching a fresh copy of the archive
> worked ... :( I'm still getting the same error, without seeing any other
> messages before it.
>
> Is there a possibility that there is something wrong/broken with the
> archive of current Bro 1.1? Has anyone succeeded in building it recently,
> using this specific archive? Any other suggestions?

Could you upload somewhere a complete transcript of your configure run
and build process?
(The mailing list will likely complain about them being too big.) As
Robin says, the missing files are generated during the build.
Double-check whether the following appear during the build -- maybe the
problem is not visible error messages but rather the lack of them...

source='bif_lex.cc' object='bif_lex.o' libtool=no \
depfile='.deps/bif_lex.Po' tmpdepfile='.deps/bif_lex.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_lex.o `test -f bif_lex.cc || echo './'`bif_lex.cc
source='bif_parse.cc' object='bif_parse.o' libtool=no \
depfile='.deps/bif_parse.Po' tmpdepfile='.deps/bif_parse.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_parse.o `test -f bif_parse.cc || echo './'`bif_parse.cc
source='bif_arg.cc' object='bif_arg.o' libtool=no \
depfile='.deps/bif_arg.Po' tmpdepfile='.deps/bif_arg.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_arg.o `test -f bif_arg.cc || echo './'`bif_arg.cc
g++ -g -O2 -o bifcl bif_lex.o bif_parse.o bif_arg.o -Llibedit -ledit -lpcap -lpcap -lssl -lcrypto -lpcap /usr/lib/libresolv.a -ltermcap -lm
./bifcl ./bro.bif
./bifcl ./event.bif
./bifcl ./const.bif

Is there an executable in the src/build directory called "bifcl" at the
time the build breaks?

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From christian at whoop.org  Mon Jul  3 12:39:48 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 03 Jul 2006 20:39:48 +0100
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1151955414.1501.20.camel@strangepork>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
	<1151955414.1501.20.camel@strangepork>
Message-ID: <1151955588.1501.23.camel@strangepork>

On Mon, 2006-07-03 at 20:36 +0100, Christian Kreibich wrote:
>
> Is there an executable in the src/build directory

ps: sorry, I just realised that this is ambiguous -- I don't mean a
directory called "src/build"; what I meant was your src directory if you
haven't configured a different build directory, and your build directory
otherwise.

Cheers,
Christian.

From jp.luiggi at free.fr  Mon Jul  3 13:09:45 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 03 Jul 2006 16:09:45 -0400
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
Message-ID: <20060703200945.GA3711@armada.mynetwork.local>

On Mon, Jul 03, 2006 at 09:41:25PM +0300, dkalpakis at upnet.gr wrote:
>
> > On Thu, Jun 29, 2006 at 17:01 +0300, dkalpakis at upnet.gr wrote:
> >
> >> I can't build Bro on my system, using FreeBSD 6.1 release.
>
> Is there a possibility that there is something wrong/broken with the
> archive of current Bro 1.1? Has anyone succeeded in building it recently,
> using this specific archive? Any other suggestions?
Hello,

I built it on a different (distro) Linux box without any problems. I too
began to build it on OpenBSD 3.9, but it doesn't build as-is, so instead
of just doing a patch, I prefer to add some functionalities that are
missing for now (non-blocking DNS mainly).

Best regards.

From darkxer05 at yahoo.com  Tue Jul  4 07:27:56 2006
From: darkxer05 at yahoo.com (Lee Sheng)
Date: Tue, 4 Jul 2006 07:27:56 -0700 (PDT)
Subject: [Bro] Bro-IDS integration to sguil
Message-ID: <20060704142756.11164.qmail@web53913.mail.yahoo.com>

Hi all,

I think I had previously mentioned the availability of brooery, and
Christian replied with the answer that brooery is not ready yet and
recommended me to try sguil. I have been a long-time user of sguil in a
production environment, and I would like to see the integration of
bro-ids to provide alert data to sguil.

While sguil integrates 4 forms of data, including alert data provided by
snort, I think it's possible to have bro-IDS alert data sent to sguil as
well. I have talked to the core developer of sguil - Bamm, and he told me
that it can be done by having bro talk to the sensor_agent.tcl.

I'm not that familiar with bro compared to snort, thus I would like to
know any pointers and references that can help me to complete the
integration of bro to sguil. Many thanks.

I think that would be lovely to have it done.
From christian at whoop.org  Tue Jul  4 09:20:32 2006
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 04 Jul 2006 17:20:32 +0100
Subject: [Bro] Bro-IDS integration to sguil
In-Reply-To: <20060704142756.11164.qmail@web53913.mail.yahoo.com>
References: <20060704142756.11164.qmail@web53913.mail.yahoo.com>
Message-ID: <1152030032.5053.21.camel@strangepork>

On Tue, 2006-07-04 at 07:27 -0700, Lee Sheng wrote:
> Hi all, I think I had previously mentioned the
> availabilities of brooery and Christian has replied
> with the answer that brooery is not ready yet and
> recommend me to try sguil. I have been long time user
> of sguil under production environment, and I would
> like to see the integration of bro-ids to provide
> alert data to sguil.

Yeah, that'd definitely be useful.

> While sguil integrates 4 forms of data including alert
> data that provided by snort, I think that's possible
> to have bro-IDS alert data sending to sguil as well. I
> have talked to the core developer of sguil - Bamm, and
> he told me that it can be done by having bro talking
> to the sensor_agent.tcl.
>
> I'm not that familiar with bro comparing to snort,
> thus I would like to know any pointer and reference
> that can help me to complete the integration of bro to
> sguil. Many Thanks.

You definitely want to check out the Broccoli library -- communication
with other nodes is intrinsic now in Bro, and Broccoli provides nearly
full-blown Bro communications endpoint functionality to external
applications:

http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html

I'm not familiar with sensor_agent.tcl, but instead of hacking more
support for external features into Bro, Broccoli is very likely the
better alternative. Indeed, if we had Broccoli bindings to more
languages it'd become even easier, but finding the time is a problem
right now...

> I think that would be lovely to have it done.

No doubt! Keep us posted.

Cheers,
Christian.
From jp.luiggi at free.fr  Tue Jul  4 11:09:59 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Tue, 04 Jul 2006 14:09:59 -0400
Subject: [Bro] Bro-IDS integration to sguil
In-Reply-To: <20060704142756.11164.qmail@web53913.mail.yahoo.com>
References: <20060704142756.11164.qmail@web53913.mail.yahoo.com>
Message-ID: <20060704180959.GA17029@armada.mynetwork.local>

Hello Lee,

The question is what sort of data sguil is waiting for: text, binaries,
syslog? Bro is able to send data using various methods, so as soon as we
know what we need to send, we'll see how to do this.

Best regards.

PS: I find your idea very good.

On Tue, Jul 04, 2006 at 07:27:56AM -0700, Lee Sheng wrote:
> Hi all, I think I had previously mentioned the
> availabilities of brooery and Christian has replied
> with the answer that brooery is not ready yet and
> recommend me to try sguil. I have been long time user
> of sguil under production environment, and I would
> like to see the integration of bro-ids to provide
> alert data to sguil.
>
> While sguil integrates 4 forms of data including alert
> data that provided by snort, I think that's possible
> to have bro-IDS alert data sending to sguil as well. I
> have talked to the core developer of sguil - Bamm, and
> he told me that it can be done by having bro talking
> to the sensor_agent.tcl.
>
> I'm not that familiar with bro comparing to snort,
> thus I would like to know any pointer and reference
> that can help me to complete the integration of bro to
> sguil. Many Thanks.
>
> I think that would be lovely to have it done.
From anandrajm at fastmail.fm  Wed Jul  5 08:53:25 2006
From: anandrajm at fastmail.fm (Anandraj)
Date: Wed, 05 Jul 2006 08:53:25 -0700
Subject: [Bro] event.bif ??
Message-ID: <1152114805.29375.265342876@webmail.messagingengine.com>

Hi all,

Could someone brief me about event.bif, event.bif.bro,
event.bif.netvar_def, event.bif.netvar_h, event.bif.netvar_init ... I
believe they are auto-generated.

Thanks,
Anand

From rpang at cs.princeton.edu  Wed Jul  5 09:10:29 2006
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Wed, 5 Jul 2006 12:10:29 -0400
Subject: [Bro] event.bif ??
In-Reply-To: <1152114805.29375.265342876@webmail.messagingengine.com>
References: <1152114805.29375.265342876@webmail.messagingengine.com>

event.bif contains the prototypes for the Bro events. It is hand-written
and is the source file for event.bif.{bro,netvar_def,...}, which are
generated by bifcl from event.bif.

Ruoming

On 7/5/06, Anandraj wrote:
> Hi all,
> Could someone brief me about the event.bif , event.bif.bro ,
> event.bif.netvar_def ,event.bif.netvar_h,event.bif.netvar_init .. I
> belive they are auto genearated .
>
> Thanks,
> Anand

From dkalpakis at upnet.gr  Wed Jul  5 19:50:06 2006
From: dkalpakis at upnet.gr (dkalpakis at upnet.gr)
Date: Thu, 6 Jul 2006 05:50:06 +0300 (EEST)
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1151955414.1501.20.camel@strangepork>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
	<1151955414.1501.20.camel@strangepork>
Message-ID: <1109.62.1.133.172.1152154206.squirrel@mail.upnet.gr>

> On Mon, 2006-07-03 at 21:41 +0300, dkalpakis at upnet.gr wrote:
>>
>> Neither trying "make distclean" nor fetching a fresh copy of the archive
>> worked ... :( I'm still getting the same error, without seeing any other
>> messages before it.
>>
>> Is there a possibility that there is something wrong/broken with the
>> archive of current Bro 1.1? Has anyone succeeded in building it recently,
>> using this specific archive? Any other suggestions?
>
> Could you upload somewhere a complete transcript of your configure run
> and build process? (The mailing list will likely complain about them
> being too big.) As Robin says, the missing files are generated during
> the build. Double-check whether the following appear during the build --
> maybe the problem is not visible error messages but rather the lack of
> them...
>
> source='bif_lex.cc' object='bif_lex.o' libtool=no \
> depfile='.deps/bif_lex.Po' tmpdepfile='.deps/bif_lex.TPo' \
> depmode=gcc3 /bin/sh ../depcomp \
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_lex.o `test -f bif_lex.cc || echo './'`bif_lex.cc
> source='bif_parse.cc' object='bif_parse.o' libtool=no \
> depfile='.deps/bif_parse.Po' tmpdepfile='.deps/bif_parse.TPo' \
> depmode=gcc3 /bin/sh ../depcomp \
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_parse.o `test -f bif_parse.cc || echo './'`bif_parse.cc
> source='bif_arg.cc' object='bif_arg.o' libtool=no \
> depfile='.deps/bif_arg.Po' tmpdepfile='.deps/bif_arg.TPo' \
> depmode=gcc3 /bin/sh ../depcomp \
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o bif_arg.o `test -f bif_arg.cc || echo './'`bif_arg.cc
> g++ -g -O2 -o bifcl bif_lex.o bif_parse.o bif_arg.o -Llibedit -ledit -lpcap -lpcap -lssl -lcrypto -lpcap /usr/lib/libresolv.a -ltermcap -lm
> ./bifcl ./bro.bif
> ./bifcl ./event.bif
> ./bifcl ./const.bif
>
> Is there an executable in the src/build directory called "bifcl" at the
> time the build breaks?
>
> Cheers,
> Christian.

Hi Christian,

I don't see any messages like those above during the build process, and
at the time it breaks there isn't such an executable called "bifcl".
Right now I am not able to upload somewhere the transcripts you asked
for, so I'll try to post them to the list. Because of the size limit
(<40K) in the list I've attached to this message only the transcript of
the configure process (configure.txt - 11K). The transcript of the build
process (make.txt - 34K) will be attached to the message that follows.
Maybe you can find out what's wrong with my system.

Thank you in advance...
taki
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: configure.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060706/082c874d/attachment.txt

From dkalpakis at upnet.gr  Wed Jul  5 19:52:01 2006
From: dkalpakis at upnet.gr (dkalpakis at upnet.gr)
Date: Thu, 6 Jul 2006 05:52:01 +0300 (EEST)
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
Message-ID: <1109.62.1.133.172.1152154321.squirrel@mail.upnet.gr>

And here is the transcript of the make process.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: make.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060706/d63b2134/attachment.txt

From anandrajm at fastmail.fm  Thu Jul  6 11:14:54 2006
From: anandrajm at fastmail.fm (Anandraj)
Date: Thu, 06 Jul 2006 11:14:54 -0700
Subject: [Bro] Clarification on Backdoor Event Engine
Message-ID: <1152209694.11750.265444019@webmail.messagingengine.com>

Hi all,

I just want to clarify: does the backdoor event engine (which does all
the signature detection) eventually invoke the corresponding event engine
and the analyser? For example, let me take SSH: when the SSH packet is
received through libpcap, the backdoor event engine will be the one which
handles the packet first; based on the signatures it invokes the SSH
event engine, and the SSH event engine invokes the policy scripts which
contain the event handlers/analysers ... finally logging the data to the
file. Please correct me if my understanding is wrong.

Thanks,
Anand
From christian at whoop.org  Thu Jul  6 19:23:19 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 07 Jul 2006 03:23:19 +0100
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1109.62.1.133.172.1152154206.squirrel@mail.upnet.gr>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
	<1151955414.1501.20.camel@strangepork>
	<1109.62.1.133.172.1152154206.squirrel@mail.upnet.gr>
Message-ID: <1152239000.6466.195.camel@strangepork>

On Thu, 2006-07-06 at 05:50 +0300, dkalpakis at upnet.gr wrote:
> Hi Christian,
>
> I don't see any messages like those above during the build process and at
> the time it breaks there isn't such an executable called "bifcl". Right
> now I am not able to upload somewhere the transcripts you asked for, so
> I'll try to post them to the list. Because of the size limit (<40K) in
> the list I've attached to this message only the transcript of the
> configure process (configure.txt - 11K). The transcript of the build
> process (make.txt - 34K) will be attached to the message that follows.
> Maybe you can find out what's wrong with my system.

I think I've managed to reproduce the problem. After running configure,
do not immediately run 'make install', but run plain 'make' first and
follow that with a 'make install' once the build is complete.

Cheers,
Christian.
From dkalpakis at upnet.gr  Fri Jul  7 11:22:00 2006
From: dkalpakis at upnet.gr (dkalpakis at upnet.gr)
Date: Fri, 7 Jul 2006 21:22:00 +0300 (EEST)
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <1152239000.6466.195.camel@strangepork>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
	<1151955414.1501.20.camel@strangepork>
	<1109.62.1.133.172.1152154206.squirrel@mail.upnet.gr>
	<1152239000.6466.195.camel@strangepork>
Message-ID: <2319.62.1.222.208.1152296520.squirrel@mail.upnet.gr>

> On Thu, 2006-07-06 at 05:50 +0300, dkalpakis at upnet.gr wrote:
>> Hi Christian,
>>
>> I don't see any messages like those above during the build process and
>> at the time it breaks there isn't such an executable called "bifcl".
>> Right now I am not able to upload somewhere the transcripts you asked
>> for, so I'll try to post them to the list. Because of the size limit
>> (<40K) in the list I've attached to this message only the transcript of
>> the configure process (configure.txt - 11K). The transcript of the build
>> process (make.txt - 34K) will be attached to the message that follows.
>> Maybe you can find out what's wrong with my system.
>
> I think I've managed to reproduce the problem. After running configure,
> do not immediately run 'make install', but run plain 'make' first and
> follow that with a 'make install' once the build is complete.
>
> Cheers,
> Christian.

It works now :) ... thank you very much, Christian.

I am just wondering, why is this happening? Is this happening on all 6.1
release systems or is it just a problem specific to my system?
And when the latter is the case, what did I do wrong in the configuration
of my system?

taki

From vern at icir.org  Sat Jul  8 23:23:16 2006
From: vern at icir.org (Vern Paxson)
Date: Sat, 08 Jul 2006 23:23:16 -0700
Subject: [Bro] Clarification on Backdoor Event Engine
In-Reply-To: Your message of Thu, 06 Jul 2006 11:14:54 PDT.
Message-ID: <200607090623.k696NGvV045697@jaguar.icir.org>

> I just wanna clarify that , is the backdoor event engine(which does all
> the signature detection) eventually invokes the corresponding event
> engine and the Analyser .

The backdoor analyzer is separate from Bro's signature engine. The
analyzer only generates backdoor events - not other signature events,
and not protocol parsing events.

Vern

From tabia_karim at yahoo.fr  Sun Jul  9 02:39:32 2006
From: tabia_karim at yahoo.fr (karim tabia)
Date: Sun, 9 Jul 2006 11:39:32 +0200 (CEST)
Subject: [Bro] Error 77 during building Bro on Linux Mandrake 9
Message-ID: <20060709093932.17311.qmail@web26111.mail.ukl.yahoo.com>

Hello,

I need help in order to build Bro on a Linux Mandrake 9 system. During
installation, a problem happens:

error 77: impossible to calculate size of long long..

Thanks for your help.
From christian at whoop.org  Mon Jul 10 07:53:24 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 10 Jul 2006 15:53:24 +0100
Subject: [Bro] Can't build Bro current on FreeBSD 6.1
In-Reply-To: <2319.62.1.222.208.1152296520.squirrel@mail.upnet.gr>
References: <1089.62.1.106.146.1151589706.squirrel@mail.upnet.gr>
	<20060701173959.GC4628@icir.org>
	<1159.194.219.17.112.1151952085.squirrel@mail.upnet.gr>
	<1151955414.1501.20.camel@strangepork>
	<1109.62.1.133.172.1152154206.squirrel@mail.upnet.gr>
	<1152239000.6466.195.camel@strangepork>
	<2319.62.1.222.208.1152296520.squirrel@mail.upnet.gr>
Message-ID: <1152543205.10562.55.camel@strangepork>

On Fri, 2006-07-07 at 21:22 +0300, dkalpakis at upnet.gr wrote:
>
> It works now :) ... thank you very much, Christian.

Cool, glad it works.

> I am just wondering, why is this happening? Is this happening on all 6.1
> release systems or is it just a problem specific to my system? And when
> the latter is the case, what did I do wrong in the configuration of my
> system?

There's nothing wrong really, just don't configure and go straight to
make install, but do a make in between. I believe the problem occurs
because bifcl is a temporary tool that is not installed (it's a
noinst_PROGRAMS target in automake lingo), and so going straight to make
install apparently doesn't fall back to building it first. Note that
there's never any guarantee that make install will also run make for
you. Leaving out 'make' is a bad habit, don't do it.

Cheers,
Christian.
From christian at whoop.org  Mon Jul 10 07:58:49 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 10 Jul 2006 15:58:49 +0100
Subject: [Bro] Error 77 during building Bro on Linux Mandrake 9
In-Reply-To: <20060709093932.17311.qmail@web26111.mail.ukl.yahoo.com>
References: <20060709093932.17311.qmail@web26111.mail.ukl.yahoo.com>
Message-ID: <1152543529.10562.60.camel@strangepork>

Hi,

I'll go out on a limb and predict that you need to install the termcap
devel package. There've been issues with Mandrake before:

http://mailman.icsi.berkeley.edu/pipermail/bro/2006-June/002422.html

Cheers,
Christian.

From darkxer05 at yahoo.com  Wed Jul 12 03:50:15 2006
From: darkxer05 at yahoo.com (Lee Sheng)
Date: Wed, 12 Jul 2006 03:50:15 -0700 (PDT)
Subject: [Bro] bro-ids + sguil
Message-ID: <20060712105015.70939.qmail@web53912.mail.yahoo.com>

Christian,

I have read a lot regarding brocolli and it seems that's what is needed
to code with instead of hacking the bro src. Especially since brocolli is
able to talk to bro to extract the information it needs. From my
experience with sguil, that's how snort gets to talk to sguil, in this
form:

snort -> barnyard (snort native db output plugin, hacked to work with the
sguil sensor) -> sguil sensor -> sguil server

Previously the sguil developers modded snort for its portscan data; now
that is no longer needed and instead they just need to mod barnyard. Is
it similar for bro as well, where

bro-ids -> brocolli (hacked to work with the sguil sensor) -> sguil
sensor -> sguil server

I also took a look at brooery to get a better idea of how bro needs to be
put into a GUI context.
It seems that brooery is not a real-time notification system, and indeed
it targets enhancing the analysis capabilities, while this has already
been achieved in sguil. I think it should get real-time notification for
alarm events and analyse on the fly when possible.

Thanks.

From christian at whoop.org  Thu Jul 13 06:53:01 2006
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 13 Jul 2006 15:53:01 +0200
Subject: [Bro] bro-ids + sguil
In-Reply-To: <20060712105015.70939.qmail@web53912.mail.yahoo.com>
References: <20060712105015.70939.qmail@web53912.mail.yahoo.com>
Message-ID: <1152798781.446.29.camel@strangepork>

Hi Lee,

On Wed, 2006-07-12 at 03:50 -0700, Lee Sheng wrote:
> Christian,
>
> I have read a lot regarding brocolli

It's "Broccoli". Like the food. Two "c"s, one "l". :^)

> and it seems that's what needed to code with instead of hacking bro
> src. Especially brocolli able to talk to bro to extract the
> information it needs. From my experience about sguil, that's how snort
> get to talk to sguil in this form -
>
> snort -> barnyard(snort native db output plugin that hacked to work
> with sguil sensor) -> sguil sensor -> sguil server
>
> Previously sguil developers mod the snort for it's portscan data and
> now no longer needed and instead just need to mod the barnyard. Is it
> similar to bro as well where
>
> bro-ids -> brocolli(hack to work with sguil sensor) -> sguil sensor ->
> sguil server

Please don't make any changes to Broccoli that add features irrelevant
to Bro's communication protocol, since such patches will never get in.
Rather, I'd suggest writing a translator or something that uses Broccoli
to receive Bro events, then translates them into whatever sguil needs,
and forwards that on to the sguil sensor. Kind of like this:

bro-ids -> bro2sguil translator -> sguil server.

That translator would effectively function as a sguil sensor.
Alternatively, if the sguil server is sufficiently flexible, it'll just
get a new Bro module in addition to other things it can talk to.

Cheers,
Christian.

From jmzhou.ml at gmail.com  Thu Jul 13 15:00:49 2006
From: jmzhou.ml at gmail.com (jmzhou.ml at gmail.com)
Date: Thu, 13 Jul 2006 15:00:49 -0700 (PDT)
Subject: [Bro] bro 1.1-current compile error

Hi,

Apologies if this has been reported/fixed. I'm compiling bro on Mac OS X
10.4.7 (gcc 4.0.1) and get the following error:

g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -c -o TCP.o `test -f TCP.cc || echo './'`TCP.cc
TCP.cc: In member function 'virtual void TCP_Connection::NextPacket(double, int, const IP_Hdr*, int, int, const u_char*&, int&, int&, const pcap_pkthdr*, const u_char*, int)':
TCP_Endpoint.h:170: error: 'uint32 TCP_Endpoint::ack_seq' is protected
TCP.cc:768: error: within this context
TCP_Endpoint.h:170: error: 'uint32 TCP_Endpoint::ack_seq' is protected
TCP.cc:777: error: within this context
make[4]: *** [TCP.o] Error 1
make[3]: *** [all-recursive] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

A quick (crude) fix is to modify TCP_Endpoint.h and move the line
"uint32 start_seq, last_seq, ack_seq;" above "protected:". Other than
this, it seems everything is working smoothly.
:-)

Cheers,
Jimmy

From vern at icir.org Thu Jul 13 23:33:20 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 13 Jul 2006 23:33:20 -0700
Subject: [Bro] bro 1.1-current compile error
In-Reply-To: Your message of Thu, 13 Jul 2006 15:00:49 PDT.
Message-ID: <200607140633.k6E6XKEI007767@jaguar.icir.org>

> TCP_Endpoint.h:170: error: 'uint32 TCP_Endpoint::ack_seq' is protected
> TCP.cc:768: error: within this context

Huh, I wonder why we haven't seen this before, because it's certainly an error. What compiler/version are you using?

I've fixed this for the next release.

Vern

From jmzhou.ml at gmail.com Fri Jul 14 09:48:55 2006
From: jmzhou.ml at gmail.com (jmzhou.ml at gmail.com)
Date: Fri, 14 Jul 2006 09:48:55 -0700 (PDT)
Subject: [Bro] bro 1.1-current compile error
In-Reply-To: <200607140633.k6E6XKEI007767@jaguar.icir.org>
References: <200607140633.k6E6XKEI007767@jaguar.icir.org>
Message-ID:

Here it is. I have no clue why the compiler didn't catch this error since it is so obvious.

% g++ -v
Using built-in specs.
Target: powerpc-apple-darwin8
Configured with: /private/var/tmp/gcc/gcc-5341.obj~1/src/configure --disable-checking -enable-werror --prefix=/usr --mandir=/share/man --enable-languages=c,objc,c++,obj-c++ --program-transform-name=/^[cg][^.-]*$/s/$/-4.0/ --with-gxx-include-dir=/include/c++/4.0.0 --with-slibdir=/usr/lib --build=powerpc-apple-darwin8 --host=powerpc-apple-darwin8 --target=powerpc-apple-darwin8
Thread model: posix
gcc version 4.0.1 (Apple Computer, Inc. build 5341)

On Thu, 13 Jul 2006, Vern Paxson wrote:

>> TCP_Endpoint.h:170: error: 'uint32 TCP_Endpoint::ack_seq' is protected
>> TCP.cc:768: error: within this context
>
> Huh, I wonder why we haven't seen this before, because it's certainly
> an error. What compiler/version are you using?
>
> I've fixed this for the next release.
>
> Vern

From geek00l at gmail.com Sat Jul 15 15:12:59 2006
From: geek00l at gmail.com (CS Lee)
Date: Sun, 16 Jul 2006 06:12:59 +0800
Subject: [Bro] Bro Digest, Vol 3, Issue 11
In-Reply-To:
References:
Message-ID: <1bb5dd90607151512w474a5bd3y1999ad5c478d8214@mail.gmail.com>

Christian,

That's awesome. Thanks a lot.

On 7/14/06, bro-request at icsi.berkeley.edu wrote:
>
> Send Bro mailing list submissions to
>         bro at ICSI.Berkeley.EDU
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>         bro-request at ICSI.Berkeley.EDU
>
> You can reach the person managing the list at
>         bro-owner at ICSI.Berkeley.EDU
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Re: bro-ids + sguil (Christian Kreibich)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Jul 2006 15:53:01 +0200
> From: Christian Kreibich
> Subject: Re: [Bro] bro-ids + sguil
> To: Lee Sheng
> Cc: bro at ICSI.Berkeley.EDU
> Message-ID: <1152798781.446.29.camel at strangepork>
> Content-Type: text/plain
>
> Hi Lee,
>
> On Wed, 2006-07-12 at 03:50 -0700, Lee Sheng wrote:
> > Christian,
> >
> > I have read a lot regarding brocolli
>
> It's "Broccoli". Like the food. Two "c"s, one "l". :^)
>
> > and it seems that's what needed to code with instead of hacking bro
> > src. Especially brocolli able to talk to bro to extract the
> > information it needs. From my experience about sguil, that's how snort
> > get to talk to sguil in this form -
> >
> > snort -> barnyard(snort native db output plugin that hacked to work
> > with sguil sensor) -> sguil sensor -> sguil server
> >
> > Previously sguil developers mod the snort for it's portscan data and
> > now no longer needed and instead just need to mod the barnyard.
> > Is it
> > similar to bro as well where
> >
> > bro-ids -> brocolli(hack to work with sguil sensor) -> sguil sensor ->
> > sguil server
>
> Please don't make any changes to Broccoli that add features irrelevant
> to Bro's communication protocol, since such patches will never get in.
> Rather, I'd suggest writing a translator or something that uses Broccoli
> to receive Bro events, then translates them into whatever sguil needs,
> and forwards that on to the sguil sensor. Kind of like this:
>
> bro-ids -> bro2sguil translator -> sguil server.
>
> That translator would effectively function as a sguil sensor.
> Alternatively, if the sguil server is sufficiently flexible, it'll just
> get a new Bro module in addition to other things it can talk to.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
>
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 3, Issue 11
> **********************************
>

--
Best Regards,
CS Lee

From geek00l at gmail.com Sun Jul 16 01:20:15 2006
From: geek00l at gmail.com (CS Lee)
Date: Sun, 16 Jul 2006 16:20:15 +0800
Subject: [Bro] IRC Botnet
Message-ID: <1bb5dd90607160120j676a609cs582a1c72bc281b69@mail.gmail.com>

Recently I found this in my bro log. While I'm not much into bro-ids, can someone shed some light on the irc log contents below? I know it is the host that is connecting to the botnet, but apparently it is not in clear plain text (hex indeed).

1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': \xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb
1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xf3\xf5\xf3
1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': irc.chatnet.ru
1152142868.897694 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to '#cyberunknown': \xe2 \xe4\xe0\xeb\xed\xe5\xf2 \xef\xf0\xe8\xe2\xe5\xe4\xe5\xf2?
1152142873.336908 #1 message from 'EM[]!~EM at 213.228.120.34' to '#cyberunknown': \xf1\xea\xee\xeb\xfc\xea\xee \xea\xe8\xeb\xee\xe1\xe0\xe8\xf2 \xea\xee\xe4\xe0

Does anyone have similar stuff in their logs and would like to share their experience? Thanks.

--
Best Regards,
CS Lee

From scampbell at lbl.gov Wed Jul 19 10:59:33 2006
From: scampbell at lbl.gov (scott campbell)
Date: Wed, 19 Jul 2006 10:59:33 -0700
Subject: [Bro] DAG cards and bro
Message-ID: <44BE7305.8080001@lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anybody have feedback regarding the use of DAG cards and bro? I looked over the code checked in, but am more interested in actual behavior (i.e. stability and performance).

thanks!

scott
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFEvnMFK2Plq8B7ZBwRAhzEAKDCNY5MIT97JeAplCfN6QaMCIl9ZACgwrHS
VAnBoqgZKXVbJrVGOcUqgvg=
=6GCR
-----END PGP SIGNATURE-----

From jmzhou.ml at gmail.com Wed Jul 19 11:47:08 2006
From: jmzhou.ml at gmail.com (jmzhou.ml at gmail.com)
Date: Wed, 19 Jul 2006 11:47:08 -0700 (PDT)
Subject: [Bro] plan of integration with pia-bro?
Message-ID:

Hi, I've just read the paper "Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection".
Just wondering if there is any plan to integrate PIA-Bro into the mainstream Bro source code in the near future? Or is the PIA-Bro source code available somewhere for download?

Thanks!

Cheers,
Jimmy

From aashish at uiuc.edu Wed Jul 19 11:49:09 2006
From: aashish at uiuc.edu (Aashish Sharma)
Date: Wed, 19 Jul 2006 13:49:09 -0500
Subject: [Bro] DAG cards and bro
In-Reply-To: <44BE7305.8080001@lbl.gov>
Message-ID: <20060719184909.GA28016@uiuc.edu>

Hi Scott:

We are (trying) to use DAG cards with bro and argus to capture data of our 10G route. We did have initial problems, including bro not supporting dag cards and even the choice of OS to run those on. Now, after interacting with Robin Sommer, bro does have support built in for the dag cards. Thanks Robin!

As for performance, currently we are facing the issue of getting too little light using an optical splitter and thus are waiting for an optical switch which is on order. Once we get the switch we should be able to start the monitoring and see how bro behaves. Right now, with the support libraries in place, compilation and installation is not a problem at all. I can update you on performance once we get the switch and have enough signal getting to the cards.

Hope this helps.

Aashish Sharma

On Wed, Jul 19, 2006 at 10:59:33AM -0700, scott campbell wrote:
> Anybody have feedback regarding the use of DAG cards and bro? I looked
> over the code checked in, but am more interested in actual behavior (i.e.
> stability and performance).
>
> thanks!
>
> scott
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From vern at icir.org Wed Jul 19 12:18:32 2006
From: vern at icir.org (Vern Paxson)
Date: Wed, 19 Jul 2006 12:18:32 -0700
Subject: [Bro] plan of integration with pia-bro?
In-Reply-To: Your message of Wed, 19 Jul 2006 11:47:08 PDT.
Message-ID: <200607191918.k6JJIWmM030579@jaguar.icir.org>

> Just wonder if there is any plan to
> integrate PIA-Bro into mainstream Bro source code in the new future?

Yes, expect this in the next major release.

Vern

From antonat at ics.forth.gr Wed Jul 19 16:57:16 2006
From: antonat at ics.forth.gr (Spiros Antonatos)
Date: Thu, 20 Jul 2006 02:57:16 +0300
Subject: [Bro] DAG cards and bro
In-Reply-To: <20060719184909.GA28016@uiuc.edu>
Message-ID: <200607192356.k6JNuwWG025062@webmail.ics.forth.gr>

Fyi, new libpcap versions support DAG cards.

Spiros Antonatos

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Aashish Sharma
Sent: Wednesday, July 19, 2006 9:49 PM
To: scott campbell
Cc: Anne Hutton; bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] DAG cards and bro

Hi Scott:

We are (trying) to use DAG cards with bro and argus to capture data of our 10G route. We did have initial problems, including bro not supporting dag cards and even the choice of OS to run those on.
Now, after interacting with Robin Sommer, bro does have support built in for the dag cards. Thanks Robin!

As for performance, currently we are facing the issue of getting too little light using an optical splitter and thus are waiting for an optical switch which is on order. Once we get the switch we should be able to start the monitoring and see how bro behaves. Right now, with the support libraries in place, compilation and installation is not a problem at all. I can update you on performance once we get the switch and have enough signal getting to the cards.

Hope this helps.

Aashish Sharma

On Wed, Jul 19, 2006 at 10:59:33AM -0700, scott campbell wrote:
> Anybody have feedback regarding the use of DAG cards and bro? I looked
> over the code checked in, but am more interested in actual behavior (i.e.
> stability and performance).
>
> thanks!
>
> scott

From anandrajm at fastmail.fm Thu Jul 27 08:55:45 2006
From: anandrajm at fastmail.fm (Anandraj)
Date: Thu, 27 Jul 2006 08:55:45 -0700
Subject: [Bro] BRO gets Autorestarted or Killed
Message-ID: <1154015745.9283.267013980@webmail.messagingengine.com>

Hi All,

I'm facing a strange problem. I made some changes to the BRO code to detect BitTorrent traffic, a simple implementation of detecting traffic on port 6881. I was able to detect BitTorrent packets on port 6881 on a Linux desktop PC. When I moved the same code base to a transparent bridge kind of setup, where the BitTorrent traffic passes through the bridge, I was facing some strange problems, like the bro process either gets restarted when it gets a packet (any packet) or the process gets killed when it gets a packet.

Could someone help me out on this?

Thanks,
Anand
--
http://www.fastmail.fm - One of many happy users:
http://www.fastmail.fm/docs/quotes.html

From christian at whoop.org Thu Jul 27 09:24:32 2006
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 27 Jul 2006 17:24:32 +0100
Subject: [Bro] BRO gets Autorestarted or Killed
In-Reply-To: <1154015745.9283.267013980@webmail.messagingengine.com>
References: <1154015745.9283.267013980@webmail.messagingengine.com>
Message-ID: <1154017472.31409.191.camel@strangepork>

Hi,

On Thu, 2006-07-27 at 08:55 -0700, Anandraj wrote:
> Hi All,
>
> I'm facing a strange problem.
> I made some changes to the BRO code to detect BitTorrent traffic, a
> simple implementation of detecting traffic on port 6881.
> I was able to detect BitTorrent packets on port 6881 on a Linux desktop PC.
> When I moved the same code base to a transparent bridge kind of setup,
> where the BitTorrent traffic passes through the bridge, I was facing
> some strange problems, like the bro process either gets restarted when
> it gets a packet (any packet) or the process gets killed when it gets a
> packet.

please understand that in order for us to be able to help you, you'll have to describe exactly what you mean by a transparent bridge "kind of" setup, and how the main Bro process gets killed (by whom, is it a segfault, etc). In terms of packet capture there's no technical difference between running, say, tcpdump on an interface and Bro, so try to see if that works well first.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From robin at icir.org Thu Jul 27 10:01:03 2006
From: robin at icir.org (Robin Sommer)
Date: Thu, 27 Jul 2006 10:01:03 -0700
Subject: [Bro] BRO gets Autorestarted or Killed
In-Reply-To: <1154015745.9283.267013980@webmail.messagingengine.com>
References: <1154015745.9283.267013980@webmail.messagingengine.com>
Message-ID: <20060727170103.GA28438@icir.org>

On Thu, Jul 27, 2006 at 08:55 -0700, Anandraj wrote:
> some strange problems , like the bro process either get restarted when
> it gets a packet (any packet) or the process gets killed when it gets a

Can you send me a small trace captured on the bridge with tcpdump (e.g., just one short connection)?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
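The IRC records CS Lee posted earlier in this archive (the "IRC Botnet" thread) show message text full of \xNN sequences, which is how Bro renders bytes outside printable ASCII in its logs; that is not "hex" in the payload but an escaping of raw bytes. Before deciding whether such a channel carries botnet command traffic, an analyst wants to know whether those bytes are binary or simply chat in a non-Latin single-byte charset. The following Python script is an added example, not code from the thread, from Bro or from any of the posters: it reverses the escaping, then tries a few single-byte Cyrillic code pages and scores each by the share of high bytes that decode to lowercase Cyrillic letters. The sample records are reconstructed from the post with the line-wrap damage removed; the candidate code-page list, the scoring rule and the threshold are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: the first three IRC records from the post, with the
# line-wrap damage undone. Bro prints bytes outside printable ASCII as \xNN.
SAMPLE_LOG = (
    r"1152142830.931951 #1 message from 'EM[]!~EM at 1.2.3.4' to '#cyberunknown': "
    r"\xf7\xf2\xee \xf2\xee \xeb\xe0\xf2 \xf2\xe0\xec \xed\xe0 \xea\xee\xf0\xe8\xeb" "\n"
    r"1152142854.966781 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to "
    r"'#cyberunknown': \xf3\xf5\xf3" "\n"
    r"1152142865.018714 #1 message from '[gh0st]!~gh0s7y at onlines.net.ru' to "
    r"'#cyberunknown': irc.chatnet.ru" "\n"
)

# Shape of a Bro IRC "message from" record as it appears in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) #(?P<conn>\d+) message from '(?P<src>[^']*)' "
    r"to '(?P<dst>[^']*)': (?P<text>.*)$"
)
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Single-byte Cyrillic code pages to try. This list and the threshold are
# assumptions of this example, not anything Bro itself knows about.
CANDIDATES = ("cp1251", "koi8_r", "iso8859_5")
MIN_SCORE = 0.8


def unescape(text: str) -> bytes:
    """Reverse Bro's \\xNN escaping: each escape becomes one raw byte and
    everything between escapes is copied through as single bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def guess_encoding(raw: bytes) -> str:
    """Return 'ascii' when there are no high bytes; otherwise the candidate
    under which the largest share of high bytes decodes to lowercase Cyrillic
    letters (U+0430..U+044F), or 'unknown' when no candidate scores well."""
    if all(b < 0x80 for b in raw):
        return "ascii"
    best, best_score = "unknown", 0.0
    for enc in CANDIDATES:
        decoded = raw.decode(enc, errors="replace")
        high = [c for c in decoded if ord(c) >= 0x80]   # never empty here
        score = sum(1 for c in high if "\u0430" <= c <= "\u044f") / len(high)
        if score > best_score:
            best, best_score = enc, score
    return best if best_score >= MIN_SCORE else "unknown"


def analyze_log(log: str) -> List[Dict[str, str]]:
    """Parse each record, unescape the message bytes and attach the code-page
    guess plus the decoded text (the escaped original if nothing fits)."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "message from" record
        raw = unescape(m.group("text"))
        enc = guess_encoding(raw)
        decoded = m.group("text") if enc == "unknown" else raw.decode(enc, errors="replace")
        rows.append({"ts": m.group("ts"), "src": m.group("src"),
                     "dst": m.group("dst"), "encoding": enc, "decoded": decoded})
    return rows


if __name__ == "__main__":
    for row in analyze_log(SAMPLE_LOG):
        print(f"{row['ts']} {row['src']} -> {row['dst']} "
              f"[{row['encoding']}] {row['decoded']}")
```

For the posted records the cp1251 reading scores highest and yields lowercase Cyrillic words, whereas the koi8_r reading of the same bytes gives only capitals and iso8859_5 lands partly outside the basic lowercase block; the third record is plain ASCII. Knowing that the "hex" is ordinary single-byte text changes how the channel is triaged: the content can be read and judged, rather than assumed to be an encoded control stream. The heuristic is deliberately narrow (it only recognises Cyrillic); another script would need its own candidate list and letter range.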