From ander.elexpuru at alumni.eps.mondragon.edu Wed Mar 1 06:34:45 2006
From: ander.elexpuru at alumni.eps.mondragon.edu ((ikasle) ander elexpuru)
Date: Wed, 1 Mar 2006 15:34:45 +0100
Subject: [Bro] BRO prelude sensor
Message-ID:

Hi everybody!

I am new here and I would like your help. I am studying computer science and I am doing my final project in security. I am running Bro 0.9a9 and I would like to make it a Prelude sensor, and also, if it is possible, to save alert information in a MySQL database. Can anybody help me? I would be grateful for your answer.

Thanks,
-ANDER-

From christian at whoop.org Wed Mar 1 07:02:14 2006
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 01 Mar 2006 15:02:14 +0000
Subject: [Bro] BRO prelude sensor
In-Reply-To:
References:
Message-ID: <1141225334.25214.19.camel@localhost>

Hi Ander,

On Wed, 2006-03-01 at 15:34 +0100, (ikasle) ander elexpuru wrote:
> Hi everybody!
> I am new here and I would like your help.
> I am studying computer science and I am doing my final project in
> security.
> I am running Bro 0.9a9 and I would like to make it a Prelude sensor, and

there should be some existing work on this here:

    http://www.rstack.org/manux/

It's rather old, and as the author says, is "crappy code", which is probably a good thing for your project. :)

For integrating Bro event communication with non-Bro applications, you might find Broccoli (as of now included in the Bro distribution) helpful:

    http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html

> also, if it is possible, to save alert information in a MySQL database.

That's a major feature we've been thinking of implementing for a while now ourselves. It mainly hasn't happened yet due to lack of time. There are a good deal of things to consider, and before you start hacking away it'd make it vastly more likely for your changes to end up in the Bro distribution if we could discuss things first.
Basically, we would like to have fully decoupled output modules, where a default one might log to files as is currently done, another one to a database, etc. I'd suggest starting with familiarizing yourself with the current notice/alarm framework first. Focus on the development branch, not the stable one.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From ander.elexpuru at alumni.eps.mondragon.edu Fri Mar 3 07:09:39 2006
From: ander.elexpuru at alumni.eps.mondragon.edu ((ikasle) ander elexpuru)
Date: Fri, 3 Mar 2006 16:09:39 +0100
Subject: [Bro] (no subject)
Message-ID:

Hi everybody!

I have a patch that I think will be useful to make Bro a Prelude sensor, but I need Bro 0.8a20 or Bro 0.7a175. I have been trying with Bro 0.8a20 and I get this error:

> g++ -o bif_parse.o -c bif_parse.cc
> builtin-func.y:60: error: expected constructor, destructor, or type conversion before '<' token
> builtin-func.y:60: error: expected `,' or `;' before '<' token
> builtin-func.y: In function `int yyparse()':
> builtin-func.y:148: error: `args' undeclared (first use this function)
> builtin-func.y:148: error: (Each undeclared identifier is reported only once for each function it appears in.)
> make: *** [bif_parse.o] Error 1

Can anybody help me? Can anybody tell me where I can get Bro 0.8a20 and Bro 0.7a175?

Thanks.
-ANDER-

From christian at whoop.org Fri Mar 3 07:28:42 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 03 Mar 2006 15:28:42 +0000
Subject: [Bro] (no subject)
In-Reply-To:
References:
Message-ID: <1141399722.2295.60.camel@localhost>

On Fri, 2006-03-03 at 16:09 +0100, (ikasle) ander elexpuru wrote:
> Hi everybody!
> I have a patch that I think will be useful to make Bro a Prelude sensor, but I need Bro 0.8a20 or Bro 0.7a175.
> I have been trying with Bro 0.8a20 and I get this error:
> > g++ -o bif_parse.o -c bif_parse.cc
> > builtin-func.y:60: error: expected constructor, destructor, or type conversion before '<' token
> > builtin-func.y:60: error: expected `,' or `;' before '<' token
> > builtin-func.y: In function `int yyparse()':
> > builtin-func.y:148: error: `args' undeclared (first use this function)
> > builtin-func.y:148: error: (Each undeclared identifier is reported only once for each function it appears in.)
> > make: *** [bif_parse.o] Error 1
> Can anybody help me? Can anybody tell me where I can get Bro 0.8a20 and Bro 0.7a175?

There are some 0.8-series tarballs at ftp://bro-ids.org/ , can you try and see how far you get with those?

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From christian at whoop.org Fri Mar 3 08:27:18 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 03 Mar 2006 16:27:18 +0000
Subject: [Bro] (no subject)
In-Reply-To:
References: <1141399722.2295.60.camel@localhost>
Message-ID: <1141403238.2295.64.camel@localhost>

On Fri, 2006-03-03 at 17:00 +0100, (ikasle) ander elexpuru wrote:
> Thanks Christian, but on this FTP the oldest version of Bro is 0.8a88
> and I need older ones, 0.7a175 and 0.8a20.

Ander, may I ask why? I suspect you're looking for these versions because they're suggested by the Prelude patch you have, but I'd strongly recommend you only try to understand what the patch does (using an old 0.8 release), but then rewrite it to go with a recent 1.0 version. We won't be able to provide support for these ancient versions.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From ander.elexpuru at alumni.eps.mondragon.edu Fri Mar 3 08:33:18 2006
From: ander.elexpuru at alumni.eps.mondragon.edu ((ikasle) ander elexpuru)
Date: Fri, 3 Mar 2006 17:33:18 +0100
Subject: [Bro] (no subject)
Message-ID:

Christian, yes, I am looking for those versions because the patch is done for them. You are right that it is better to implement the patch for version 1.0, but I am not an experienced boy in Linux, so it is very difficult for me to change a patch!

Bro compiling errors: with Bro 0.8a87 I have this error:

make[1]: Leaving directory `/home/segu05/bro-pub-0.8a87/libedit'
bison -y -d -t -v builtin-func.y
flex -obif_lex.cc builtin-func.l
g++ -o bif_lex.o -c bif_lex.cc
g++ -o bif_parse.o -c bif_parse.cc
g++ -o bif_arg.o -c bif_arg.cc
g++ -I. -Ilibedit -O -Ilinux-include -o bifcl bif_lex.o bif_parse.o bif_arg.o
./bifcl event.bif
./bifcl const.bif
g++ -I. -Ilibedit -O -Ilinux-include -c main.cc
In file included from PacketFilter.h:9,
                 from Sessions.h:29,
                 from RuleMatcher.h:12,
                 from main.cc:54:
PrefixTable.h:48: error: `struct PrefixTable::iterator' redeclared with different access
main.cc: In function `int main(int, char**)':
main.cc:317: error: array bound forbidden after parenthesized type-id
main.cc:317: note: try removing the parentheses around the type-id
make: *** [main.o] Error 1

With Bro 0.8a20 I have this error:

g++ -o bif_parse.o -c bif_parse.cc
builtin-func.y:60: error: expected constructor, destructor, or type conversion before '<' token
builtin-func.y:60: error: expected `,' or `;' before '<' token
builtin-func.y: In function `int yyparse()':
builtin-func.y:148: error: `args' undeclared (first use this function)
builtin-func.y:148: error: (Each undeclared identifier is reported only once for each function it appears in.)
make: *** [bif_parse.o] Error 1

How can I solve them?

Thanks
-ANDER-

From christian at whoop.org Fri Mar 3 09:34:45 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 03 Mar 2006 17:34:45 +0000
Subject: [Bro] (no subject)
In-Reply-To:
References:
Message-ID: <1141407285.2295.74.camel@localhost>

On Fri, 2006-03-03 at 17:33 +0100, (ikasle) ander elexpuru wrote:
> Christian, yes, I am looking for those versions because the patch is done
> for them. You are right that it is better to implement the patch
> for version 1.0, but I am not an experienced boy in Linux, so it is very
> difficult for me to change a patch!

What I meant was that you should try to understand what the patch does to Bro in order to make it a Prelude sensor. Then throw the patch away, and start from scratch with a 1.0 release. It's probably a matter of linking in libprelude and shipping IDMEF events out at suitable points in the code.

> Bro compiling errors: with Bro 0.8a87 I have this error
[snip]
> How can I solve them?

I'm sorry but I really can't walk you through this, as it's more of a programming exercise than a Bro request. Best of luck.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From sedki at cril.univ-artois.fr Sun Mar 5 23:55:23 2006
From: sedki at cril.univ-artois.fr (Karima Sedki)
Date: Mon, 06 Mar 2006 08:55:23 +0100
Subject: [Bro] 'help'
Message-ID: <1141631723.16740.5.camel@aigle.univ-artois.fr>

I want to subscribe to the mailing list. Thank you.

From hahaman5 at gmail.com Mon Mar 6 07:08:34 2006
From: hahaman5 at gmail.com (Jay Hwang)
Date: Tue, 7 Mar 2006 00:08:34 +0900
Subject: [Bro] bro cannot read large pcap file!!
Message-ID: <80ff6e7e0603060708m7faefee2p@mail.gmail.com>

Hi, I want to run bro with a 300GB pcap file but it cannot run:

jhwhang at wien:~/bro-0.9a11$ bro -r ~/jh/20051107_2200_2h_Rx.pcap.2
bro: problem with trace file /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2 - /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2: File too large

I tried

./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile

and

CFLAGS=-D__USE_LARGEFILE64 ./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile

but neither worked. What can I do?

-- 
Jay Hwang, KAIST, CS undergraduate
http://gon.kaist.ac.kr/~hahaman5/diary

From hahaman5 at gmail.com Mon Mar 6 07:17:54 2006
From: hahaman5 at gmail.com (Jay Hwang)
Date: Tue, 7 Mar 2006 00:17:54 +0900
Subject: [Bro] cannot read large pcap file
Message-ID: <80ff6e7e0603060717s31005bb3m7ba4883ba638df94@mail.gmail.com>

Hi, I want to run bro with a 300GB pcap file but it cannot run:

jhwhang at wien:~/bro-0.9a11$ bro -r ~/jh/20051107_2200_2h_Rx.pcap.2
bro: problem with trace file /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2 - /home/jhwhang/jh/20051107_2200_2h_Rx.pcap.2: File too large

I tried

./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile

and

CFLAGS=-D__USE_LARGEFILE64 ./configure --prefix=/home/jhwhang/gb/bro/ --enable-largefile

but neither worked. What can I do?

-- 
Jay Hwang, KAIST, CS undergraduate
http://gon.kaist.ac.kr/~hahaman5/diary

From christian at whoop.org Mon Mar 6 08:17:33 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 06 Mar 2006 16:17:33 +0000
Subject: [Bro] cannot read large pcap file
In-Reply-To: <80ff6e7e0603060717s31005bb3m7ba4883ba638df94@mail.gmail.com>
References: <80ff6e7e0603060717s31005bb3m7ba4883ba638df94@mail.gmail.com>
Message-ID: <1141661853.16672.7.camel@gonzo-1>

Hi Jay,

does the problem persist if you try with a Bro 1.0 release? Also, ensure that the pcap library Bro picks does have large-file support itself.

On Tue, 2006-03-07 at 00:17 +0900, Jay Hwang wrote:
> Hi, I want to run bro with a 300GB pcap file but it cannot run
[snip]
> What can I do?

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From antonat at ics.forth.gr Mon Mar 6 12:21:56 2006
From: antonat at ics.forth.gr (Spiros Antonatos)
Date: Tue, 7 Mar 2006 04:21:56 +0800
Subject: [Bro] cannot read large pcap file
In-Reply-To: <1141661853.16672.7.camel@gonzo-1>
Message-ID: <200603070217.k272HLNk005594@webmail.ics.forth.gr>

The pcap library does not support large files (you have to manually add O_LARGEFILE to open()'s flags and recompile pcap). A trick is to 'cat' the file and have your program (bro, tcpdump, whatever) read from stdin. Works fine in Debian.

Spiros Antonatos

> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On
> Behalf Of Christian Kreibich
> Sent: Tuesday, March 07, 2006 12:18 AM
> To: Jay Hwang
> Cc: Bro List
> Subject: Re: [Bro] cannot read large pcap file
>
> Hi Jay,
>
> does the problem persist if you try with a Bro 1.0 release? Also, ensure
> that the pcap library Bro picks does have large-file support itself.
>
> On Tue, 2006-03-07 at 00:17 +0900, Jay Hwang wrote:
> > Hi, I want to run bro with a 300GB pcap file but it cannot run
> [snip]
> > What can I do?
>
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From frgag272 at ift.ulaval.ca Sun Mar 12 19:26:33 2006
From: frgag272 at ift.ulaval.ca (François Gagnon)
Date: Sun, 12 Mar 2006 22:26:33 -0500
Subject: [Bro] Capturing and analyzing IGMP packets
Message-ID: <1142220393.4414e6690414a@courriel.ift.ulaval.ca>

Hi,

I am wondering if Bro is able to capture and analyze IGMP packets?

I tried to turn all filters off ("redef capture_filters = {};" at the end of brolite-sigs.bro).

I built a very simple signature:

signature header3
    {
    src-ip == 10.92.39.3
    event "Header 3"
    }

When I run with this on a trace containing only IGMP traffic, nothing happens even though there are plenty of packets with src-ip == 10.92.39.3 in the trace. I tried running with the same config on a trace containing TCP, and there I get the alarms.

Is there any way to get Bro to analyze IGMP packets?

Thanks!

From vern at icir.org Fri Mar 17 23:31:37 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 17 Mar 2006 23:31:37 -0800
Subject: [Bro] Capturing and analyzing IGMP packets
In-Reply-To: Your message of Sun, 12 Mar 2006 22:26:33 EST.
Message-ID: <200603180731.k2I7VbxI028712@jaguar.icir.org>

> I am wondering if Bro is able to capture and analyze IGMP packets?

Bro doesn't have an IGMP analyzer. (Contributions for this welcome!)
> I tried to turn all filters off ("redef capture_filters = {};" at the end of
> brolite-sigs.bro).
>
> I built a very simple signature:
>
> signature header3
>     {
>     src-ip == 10.92.39.3
>     event "Header 3"
>     }
>
> When I run with this on a trace containing only IGMP traffic, nothing happens
> even though there are plenty of packets with src-ip == 10.92.39.3 in the trace.

You'll need to redef capture_filters so that it in some fashion includes this traffic.

Vern

From jbabbin at comcast.net Tue Mar 21 06:57:02 2006
From: jbabbin at comcast.net (jbabbin at comcast.net)
Date: Tue, 21 Mar 2006 14:57:02 +0000
Subject: [Bro] couple of questions
Message-ID: <032120061457.12677.4420143D000E981C00003185220073747802070D0D0E0D06@comcast.net>

List,

I have a couple of questions that I can't seem to figure out.

1) Brian - Thanks for the SSL patch.
Once enabled I don't see any way of filtering out hosts from the non-SSL traffic alarm. For example, I have several custom applications that use that port for their traffic...don't ask...so I need to be able to filter them out of the alarms like the one below.

"1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https: SSL: Skipping connection (not an SSL connection?!)!"

The problem seems to be that the detection of non-SSL traffic is done in the source SSLProxy engine and I don't really want to be recompiling every time I need to add another host. Ideas?

2) Is it possible in a policy file to perform a size comparison on a string? For example, if you wanted to see if a filename was longer than a certain length. How would you sizeof a string value?
Thanks in advance,
Jake Babbin

From christian at whoop.org Tue Mar 21 07:32:51 2006
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 21 Mar 2006 15:32:51 +0000
Subject: [Bro] couple of questions
In-Reply-To: <032120061457.12677.4420143D000E981C00003185220073747802070D0D0E0D06@comcast.net>
References: <032120061457.12677.4420143D000E981C00003185220073747802070D0D0E0D06@comcast.net>
Message-ID: <1142955171.21008.8.camel@localhost.localdomain>

Hi Jake,

On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> List,
> I have a couple of questions that I can't seem to figure out.
>
> 1) Brian - Thanks for the SSL patch.
> Once enabled I don't see any way of filtering out hosts from the
> non-SSL traffic alarm. For example, I have several custom applications
> that use that port for their traffic...don't ask...so I need to be
> able to filter them out of the alarms like the one below.
>
> "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> SSL: Skipping connection (not an SSL connection?!)!"
>
> The problem seems to be that the detection of non-SSL traffic is done
> in the source SSLProxy engine and I don't really want to be
> recompiling every time I need to add another host. Ideas?

have a look at the weird_ignore_host set, defined in weird.bro. It allows you to filter weird-type events based on the event string and source/destination IP addresses.

    http://www.bro-ids.org/Bro-reference-manual/weird-variables.html#weird-variables

Depending on your analysis needs, you could also exclude the custom traffic via the pcap filtering expression, though I'd imagine that quickly gets tedious.

> 2) Is it possible in a policy file to perform a size comparison on a
> string?
> For example, if you wanted to see if a filename was longer than a
> certain length. How would you sizeof a string value?

Sure. It depends on what version of Bro you're using.
In the development releases, there's now a magnitude operator |x| that, when given a value, returns its length, size, or whatever is most meaningful as magnitude (vector length, table size, string length, etc). In older releases (0.9 and before), the byte_len() function returned a string's length.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From mtdedlow at lbl.gov Tue Mar 21 07:44:09 2006
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Tue, 21 Mar 2006 07:44:09 -0800
Subject: [Bro] couple of questions
In-Reply-To: <032120061457.12677.4420143D000E981C00003185220073747802070D0D0E0D06@comcast.net>
References: <032120061457.12677.4420143D000E981C00003185220073747802070D0D0E0D06@comcast.net>
Message-ID: <44201F49.4090004@lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 2) Is it possible in a policy file to perform a size comparison on a string?
> For example, if you wanted to see if a filename was longer than a certain length. How would you sizeof a string value?

local filename = "foobar";
if ( byte_len(filename) > n )
    ...

Mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEIB9JjgpF4tNDKlsRArT1AJ9cOaQ+OqQF42R4r62xlEDlP2sSMQCgjVeO
y/ZmyokNILLukR3UIQxRHEA=
=ykhV
-----END PGP SIGNATURE-----

From harsha at cs.washington.edu Tue Mar 21 18:57:08 2006
From: harsha at cs.washington.edu (Harsha V. Madhyastha)
Date: Tue, 21 Mar 2006 18:57:08 -0800
Subject: [Bro] memory leak?
Message-ID: <4420BD04.9060100@cs.washington.edu>

Hi,

We have been having some problems with bro. We have been running bro for a couple of days and we see that the memory usage of bro keeps increasing monotonically. Bro eventually uses up all the memory on the machine and crashes. Considering that we are running bro on a machine with 2GB of memory, I guess this is not expected behavior.
A similar problem was reported way back in 1999, and Vern had then proposed a fix.

http://mailman.icsi.berkeley.edu/pipermail/bro/1999-April/000813.html
http://mailman.icsi.berkeley.edu/pipermail/bro/1999-May/000818.html

But we are using version 0.9a11 (the latest stable version available), which already includes the above fix. Has anyone else had similar memory problems? Is this a known problem?

Please let me know if you would like a snapshot of the data we are receiving to diagnose the problem. Below is more information about the system on which we are running bro and the increasing memory usage that we notice. Any help would be much appreciated.

Thanks!
Harsha

System config:
Intel Xeon CPU 3.06GHz
2GB RAM
Linux 2.6.11-1.1369_FC4smp

Bro executed as:
sudo ./src/bro -i eth0 mt

Snapshot of bro's memory usage every 10 minutes since it is started:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
top - 15:59:54 up 56 days, 1:45, 2 users, load average: 0.02, 0.02, 0.12
31919 root 15 0 35836 31m 2664 S 5.9 1.6 0:06.01 bro
top - 16:09:54 up 56 days, 1:55, 2 users, load average: 0.37, 0.19, 0.12
31919 root 15 0 77988 72m 2684 S 7.9 3.6 0:50.23 bro
top - 16:19:55 up 56 days, 2:05, 2 users, load average: 0.19, 0.20, 0.16
31919 root 15 0 86072 80m 2684 S 9.9 4.0 1:40.03 bro
top - 16:29:55 up 56 days, 2:15, 2 users, load average: 0.11, 0.12, 0.12
31919 root 15 0 90276 84m 2692 S 5.9 4.2 2:31.14 bro
top - 16:39:56 up 56 days, 2:25, 2 users, load average: 0.18, 0.16, 0.12
31919 root 15 0 105m 101m 2692 S 15.8 5.0 3:27.62 bro
top - 16:49:56 up 56 days, 2:35, 2 users, load average: 0.10, 0.12, 0.09
31919 root 15 0 105m 101m 2692 S 5.9 5.0 4:21.60 bro
top - 16:59:57 up 56 days, 2:45, 2 users, load average: 0.02, 0.08, 0.08
31919 root 15 0 105m 101m 2692 S 9.9 5.0 5:13.48 bro
top - 17:09:57 up 56 days, 2:55, 2 users, load average: 0.02, 0.08, 0.08
31919 root 15 0 105m 101m 2692 S 5.9 5.0 6:01.54 bro
top - 17:19:58 up 56 days, 3:05, 2 users, load average: 0.04, 0.08, 0.08
31919 root 15 0 105m 101m 2692 S 11.9 5.0 6:56.49 bro
top - 17:29:58 up 56 days, 3:15, 2 users, load average: 0.18, 0.17, 0.11
31919 root 15 0 111m 107m 2692 R 11.9 5.3 7:54.42 bro
top - 17:39:59 up 56 days, 3:25, 2 users, load average: 0.16, 0.12, 0.09
31919 root 15 0 111m 108m 2692 S 7.9 5.3 8:49.19 bro
top - 17:49:59 up 56 days, 3:35, 2 users, load average: 0.19, 0.21, 0.14
31919 root 15 0 120m 116m 2692 S 7.9 5.7 9:43.56 bro
top - 18:00:00 up 56 days, 3:45, 2 users, load average: 0.08, 0.10, 0.10
31919 root 15 0 120m 117m 2692 R 23.7 5.8 10:41.71 bro
top - 18:10:00 up 56 days, 3:55, 2 users, load average: 0.20, 0.12, 0.09
31919 root 15 0 120m 117m 2692 S 7.9 5.8 11:35.80 bro
top - 18:20:01 up 56 days, 4:05, 2 users, load average: 0.45, 0.26, 0.15
31919 root 16 0 123m 119m 2692 R 7.9 5.9 12:28.89 bro
top - 18:30:01 up 56 days, 4:15, 2 users, load average: 0.13, 0.14, 0.14
31919 root 15 0 131m 128m 2692 R 9.9 6.3 13:25.72 bro
top - 18:40:02 up 56 days, 4:25, 2 users, load average: 0.20, 0.16, 0.12
31919 root 15 0 138m 134m 2692 S 7.9 6.6 14:25.36 bro
top - 18:50:02 up 56 days, 4:35, 2 users, load average: 0.22, 0.15, 0.10
31919 root 15 0 142m 139m 2692 S 11.9 6.9 15:37.64 bro
top - 19:00:03 up 56 days, 4:45, 2 users, load average: 0.11, 0.15, 0.11
31919 root 15 0 142m 139m 2692 S 11.8 6.9 16:51.76 bro

From vern at icir.org Tue Mar 21 19:11:27 2006
From: vern at icir.org (Vern Paxson)
Date: Tue, 21 Mar 2006 19:11:27 -0800
Subject: [Bro] memory leak?
In-Reply-To: Your message of Tue, 21 Mar 2006 18:57:08 PST.
Message-ID: <200603220311.k2M3BRri059087@jaguar.icir.org>

This will commonly occur simply due to state building up in the variables managed by the event engine and the policy scripts. The main problem is the need to associate timeouts with the corresponding tables. See our paper:

    H. Dreger, A. Feldmann, V. Paxson, and R. Sommer,
    Operational Experiences with High-Volume Network Intrusion Detection,
    Proc. ACM CCS, October 2004

    http://www.icir.org/vern/papers/high-volume-ccs04.pdf

for discussion.
You can turn on a bunch (though not an exhaustive set) of these sorts of timeouts by @load'ing reduce-memory.bro. Soon we will change Bro so that by default it includes this sort of configuration, rather than the user needing to enable it specifically.

Vern

From frgag272 at ift.ulaval.ca Tue Mar 21 19:43:53 2006
From: frgag272 at ift.ulaval.ca (François Gagnon)
Date: Tue, 21 Mar 2006 22:43:53 -0500
Subject: [Bro] Alarms in log vs alarms in report
Message-ID: <1142999033.4420c7f930806@courriel.ift.ulaval.ca>

Hi,

I have noticed that Bro can provide the user with a fine grained classification of alarms in the reports (likely unsuccessful, likely successful, ...). However, in the log, Bro provides me with a less specific classification (alarm vs no alarm) with no indication of the potential success (or failure) of the attack. I think that the events in the log correspond to likely successful attacks only (correct me if I am wrong).

I am wondering if there is any way to get Bro to output all events in the log WITH their classification (likely successful, likely unsuccessful, ...) or if this feature is reserved specifically for reports?

Thank you very much!

---
François Gagnon

From jbabbin at comcast.net Thu Mar 23 19:47:57 2006
From: jbabbin at comcast.net (jbabbin at comcast.net)
Date: Fri, 24 Mar 2006 03:47:57 +0000
Subject: [Bro] couple of questions
Message-ID: <032420060347.13630.44236BED0004AFCA0000353E220076143802070D0D0E0D06@comcast.net>

Hi Christian,

I had another question that should hopefully be simple.

1) In the DNS policy file there is an event for "dns_EDNS_addl". What part of the packet is this field in a DNS connection, and what is the "pldsize" value from? Is there a way to break out the data from this field?

2) When a DNS record has "DNS_SEC_OK", what is that from the packet connection?
Thanks,
Jake

-------------- Original message ----------------------
From: Christian Kreibich

> Hi Jake,
>
> On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> > List,
> > I have a couple of questions that I can't seem to figure out.
> >
> > 1) Brian - Thanks for the SSL patch.
> > Once enabled I don't see any way of filtering out hosts from the
> > non-SSL traffic alarm. For example, I have several custom applications
> > that use that port for their traffic...don't ask...so I need to be
> > able to filter them out of the alarms like the one below.
> >
> > "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> > SSL: Skipping connection (not an SSL connection?!)!"
> >
> > The problem seems to be that the detection of non-SSL traffic is done
> > in the source SSLProxy engine and I don't really want to be
> > recompiling every time I need to add another host. Ideas?
>
> have a look at the weird_ignore_host set, defined in weird.bro. It allows
> you to filter weird-type events based on the event string and source/
> destination IP addresses.
>
> http://www.bro-ids.org/Bro-reference-manual/weird-variables.html#weird-variables
>
> Depending on your analysis needs, you could also exclude the custom
> traffic via the pcap filtering expression, though I'd imagine that
> quickly gets tedious.
>
> > 2) Is it possible in a policy file to perform a size comparison on a
> > string?
> > For example, if you wanted to see if a filename was longer than a
> > certain length. How would you sizeof a string value?
>
> Sure. It depends on what version of Bro you're using. In the development
> releases, there's now a magnitude operator |x| that, when given a value,
> returns its length, size, or whatever is most meaningful as magnitude
> (vector length, table size, string length, etc). In older releases (0.9
> and before), the byte_len() function returned a string's length.
>
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org

From christian at whoop.org Fri Mar 24 04:36:45 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 24 Mar 2006 12:36:45 +0000
Subject: [Bro] couple of questions
In-Reply-To: <032420060347.13630.44236BED0004AFCA0000353E220076143802070D0D0E0D06@comcast.net>
References: <032420060347.13630.44236BED0004AFCA0000353E220076143802070D0D0E0D06@comcast.net>
Message-ID: <1143203805.9185.54.camel@localhost.localdomain>

On Fri, 2006-03-24 at 03:47 +0000, jbabbin at comcast.net wrote:
> Hi Christian,
> I had another question that should hopefully be simple.
> 1) In the DNS policy file there is an event for "dns_EDNS_addl". What
> part of the packet is this field in a DNS connection, and what is the
> "pldsize" value from? Is there a way to break out the data from this
> field?
> 2) When a DNS record has "DNS_SEC_OK", what is that from the packet
> connection?

Sorry, I'm not familiar with the internals of the DNS analyzer.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From bltierney at lbl.gov Fri Mar 24 07:10:46 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Fri, 24 Mar 2006 09:10:46 -0600
Subject: [Bro] Alarms in log vs alarms in report
In-Reply-To: <1142999033.4420c7f930806@courriel.ift.ulaval.ca>
References: <1142999033.4420c7f930806@courriel.ift.ulaval.ca>
Message-ID: <533F5528-EBA5-4CC9-AA72-0B64A2F95306@lbl.gov>

The "likely successful, likely unsuccessful, etc." categories are generated by the report generation script, based on whether or not there are subsequent successful connections to the same host. So there is no easy way to do this in the logs.
On Mar 21, 2006, at 9:43 PM, François Gagnon wrote:

> Hi,
>
> I have noticed that Bro can provide the user with a fine grained
> classification of alarms in the reports (likely unsuccessful, likely
> successful, ...). However, in the log, Bro provides me with a less
> specific classification (alarm vs no alarm) with no indication of the
> potential success (or failure) of the attack. I think that the events
> in the log correspond to likely successful attacks only (correct me if
> I am wrong).
>
> I am wondering if there is any way to get Bro to output all events
> in the log WITH their classification (likely successful, likely
> unsuccessful, ...) or if this feature is reserved specifically for
> reports?
>
> Thank you very much!
>
> ---
> François Gagnon

------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://dsd.lbl.gov/~tierney
------------------------------------------------------------------------

From harsha at cs.washington.edu Fri Mar 24 09:07:55 2006
From: harsha at cs.washington.edu (Harsha V. Madhyastha)
Date: Fri, 24 Mar 2006 09:07:55 -0800
Subject: [Bro] memory leak?
Message-ID: <4424276B.9020607@cs.washington.edu>

Hi,

I tried out the suggestion of @load'ing reduce-memory.bro (I appended a line "@load reduce-memory" at the end of the file mt.bro. I also have a "@load rotate-logs" line in addition to the mt.bro that comes with the distribution.), but I still see memory usage increasing monotonically. Below is a snapshot of memory usage every 10 minutes. Should I be @load'ing reduce-memory.bro in some other way?
If not, is there anything else I can do to prevent continuous accumulation of state? Please let me know if any of you have any other suggestions.

Thanks!
Harsha

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
top - 16:57:19 up 58 days, 2:42, 2 users, load average: 0.55, 0.52, 0.45
9567 root 15 0 13780 9.9m 2608 S 4.0 0.5 0:00.73 bro
top - 17:07:19 up 58 days, 2:52, 2 users, load average: 0.80, 0.73, 0.56
9567 root 15 0 25208 21m 2676 R 15.7 1.0 1:23.21 bro
top - 17:17:20 up 58 days, 3:02, 2 users, load average: 0.78, 0.71, 0.61
9567 root 15 0 30700 26m 2688 S 13.8 1.3 2:51.30 bro
top - 17:27:20 up 58 days, 3:12, 2 users, load average: 0.85, 0.74, 0.65
9567 root 15 0 36796 32m 2688 S 19.8 1.6 4:21.41 bro
top - 17:37:21 up 58 days, 3:23, 2 users, load average: 0.83, 0.71, 0.65
9567 root 15 0 43208 38m 2688 S 11.8 1.9 5:47.97 bro
top - 17:47:22 up 58 days, 3:33, 2 users, load average: 0.56, 0.66, 0.65
9567 root 15 0 47760 43m 2688 S 13.8 2.1 7:03.52 bro
top - 17:57:22 up 58 days, 3:43, 2 users, load average: 0.77, 0.63, 0.61
9567 root 16 0 52308 47m 2696 S 7.9 2.3 8:20.43 bro
top - 18:07:23 up 58 days, 3:53, 2 users, load average: 0.58, 0.62, 0.61
9567 root 15 0 56592 51m 2696 S 13.8 2.5 9:31.94 bro
top - 18:17:23 up 58 days, 4:03, 2 users, load average: 0.56, 0.55, 0.56
9567 root 15 0 62036 56m 2696 S 11.9 2.8 10:47.16 bro
top - 18:27:24 up 58 days, 4:13, 2 users, load average: 0.85, 0.65, 0.57
9567 root 15 0 66576 61m 2696 S 11.9 3.0 12:01.87 bro
top - 18:37:24 up 58 days, 4:23, 2 users, load average: 0.73, 0.65, 0.58
9567 root 15 0 73496 68m 2696 R 11.9 3.4 13:24.69 bro
top - 18:47:25 up 58 days, 4:33, 2 users, load average: 0.50, 0.65, 0.62
9567 root 15 0 77644 72m 2696 S 11.9 3.6 14:43.69 bro
top - 18:57:25 up 58 days, 4:43, 2 users, load average: 0.44, 0.48, 0.54
9567 root 15 0 82576 76m 2696 S 13.8 3.8 16:03.00 bro
......
top - 06:58:03 up 58 days, 16:43, 2 users, load average: 0.51, 0.51, 0.52
 9567 root 15 0 349m 345m 2696 S 13.8 17.1 153:08.79 bro
top - 07:08:03 up 58 days, 16:53, 2 users, load average: 0.70, 0.66, 0.57
 9567 root 15 0 353m 349m 2696 S 25.7 17.3 155:17.46 bro
top - 07:18:04 up 58 days, 17:03, 2 users, load average: 0.72, 0.67, 0.58
 9567 root 15 0 356m 352m 2696 S 27.7 17.4 157:27.63 bro
top - 07:28:04 up 58 days, 17:13, 2 users, load average: 0.43, 0.53, 0.54
 9567 root 15 0 365m 361m 2696 R 37.5 17.8 159:45.66 bro
top - 07:38:05 up 58 days, 17:23, 2 users, load average: 0.42, 0.56, 0.54
 9567 root 15 0 365m 361m 2696 S 21.7 17.8 162:05.27 bro
top - 07:48:05 up 58 days, 17:33, 2 users, load average: 0.66, 0.52, 0.52
 9567 root 15 0 369m 365m 2696 S 11.8 18.1 164:24.92 bro
top - 07:58:06 up 58 days, 17:43, 2 users, load average: 0.70, 0.42, 0.46
 9567 root 15 0 372m 368m 2696 S 21.8 18.2 166:41.43 bro
top - 08:08:06 up 58 days, 17:53, 2 users, load average: 0.56, 0.56, 0.49
 9567 root 15 0 376m 372m 2696 R 27.7 18.4 169:01.29 bro
top - 08:18:07 up 58 days, 18:03, 2 users, load average: 0.63, 0.52, 0.49
 9567 root 15 0 379m 375m 2696 S 19.7 18.5 171:16.30 bro
top - 08:28:07 up 58 days, 18:13, 2 users, load average: 0.75, 0.66, 0.56
 9567 root 16 0 383m 379m 2696 S 19.8 18.7 173:36.79 bro
top - 08:38:08 up 58 days, 18:23, 2 users, load average: 1.01, 0.73, 0.60
 9567 root 15 0 392m 388m 2696 S 19.7 19.2 176:06.30 bro
top - 08:48:08 up 58 days, 18:33, 2 users, load average: 0.35, 0.54, 0.57
 9567 root 15 0 392m 388m 2696 S 27.7 19.2 178:34.94 bro
top - 08:58:09 up 58 days, 18:43, 2 users, load average: 0.85, 0.68, 0.62
 9567 root 15 0 394m 391m 2696 R 27.7 19.3 181:01.10 bro

Vern Paxson wrote:
> This will commonly occur simply due to state building up in the variables
> managed by the event engine and the policy scripts. The main problem is
> the need to associate timeouts with the corresponding tables. See our paper:
>
> H. Dreger, A. Feldmann, V. Paxson, and R. Sommer,
> Operational Experiences with High-Volume Network Intrusion Detection,
> Proc. ACM CCS, October 2004
>
> http://www.icir.org/vern/papers/high-volume-ccs04.pdf
>
> for discussion.
>
> You can turn on a bunch (though not an exhaustive set) of these sorts of
> timeouts by @load'ing reduce-memory.bro. Soon we will change Bro so that
> by default it includes this sort of configuration, rather than the user
> needing to enable it specifically.
>
> Vern

From vern at icir.org Fri Mar 24 14:11:16 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 24 Mar 2006 14:11:16 -0800
Subject: [Bro] memory leak?
In-Reply-To: Your message of Fri, 24 Mar 2006 09:07:55 PST.
Message-ID: <200603242211.k2OMBGam028073@jaguar.icir.org>

If reduce-memory isn't helping, then most likely the culprit is state you are building up in script variables. You can generate lightweight periodic script statistics by @load'ing stats.bro, or heavier-weight and more detailed using profiling.bro. You can also see the sizes of your script variables using the function global_sizes() (see for example print-globals.bro, which simply calls this when Bro exits). Often a way to hone in on which variable is getting large is to either run on a trace and use print-globals to dump the sizes when Bro finishes, or set up a timer to print out global_sizes() every minute or so.

Vern

From vern at icir.org Fri Mar 24 14:16:43 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 24 Mar 2006 14:16:43 -0800
Subject: [Bro] couple of questions
In-Reply-To: Your message of Fri, 24 Mar 2006 03:47:57 GMT.
Message-ID: <200603242216.k2OMGhub028294@jaguar.icir.org>

> 1) In the DNS policy file there is an event for "dns_EDNS_addl" what
> part of the packet is this field in a DNS connection

EDNS is a general mechanism for specifying extensions to DNS.

> and what is the "pldsize" value from?

It comes from the framing provided by the EDNS mechanism.

> Is there a way to break out the data from this field?
No, though if there are specific EDNS extensions you're interested in, we'd certainly encourage you to consider adding analysis for them to the event engine (in DNS.cc).

> 2) When a DNS record has "DNS_SEC_OK" What is that from the packet connection?

That's also part of EDNS (the 'Z' field), and specifies that the extension accepts DNSSEC RRs.

Vern

From sedki at cril.univ-artois.fr Fri Mar 31 01:11:10 2006
From: sedki at cril.univ-artois.fr (Karima Sedki)
Date: Fri, 31 Mar 2006 11:11:10 +0200
Subject: [Bro] "help"
Message-ID: <1143796270.11140.7.camel@aigle.univ-artois.fr>

Hi,

I want to know if I can work with the packets of a connection, i.e. I want to know if it is possible to recover, with Bro, information (duration, protocol, flag, service, ...) before the connection has finished.

Thank you for any help.
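For the "memory leak?" thread above: before reaching for global_sizes(), it helps to quantify what the `top` snapshots actually show, since a process whose resident size grows at a constant rate for hours (rather than plateauing once connection tables reach their timeout-bounded steady state) is the signature of script state with no expiration. The script below is an added example, not code from the post or from the Bro distribution. It parses `top` snapshot pairs in the layout Harsha posted (a `top - HH:MM:SS` header line followed by the process line), handles the clock wrapping past midnight, and fits a least-squares line to resident memory over time; the SAMPLE is a subset of the lines from the post.

```python
"""Estimate a process's resident-memory growth rate from periodic `top` snapshots.

Added example for the "memory leak?" thread; not code from the post or from
Bro.  The layout assumed is: a "top - HH:MM:SS ..." line, then the process
line (PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND).
"""
import re
from typing import Dict, List, Tuple

HDR_RE = re.compile(r"^top - (\d\d):(\d\d):(\d\d)\b")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+\S\s+[\d.]+\s+[\d.]+\s+\S+\s+(\S+)\s*$"
)

# Subset of the snapshots from the post (first four and three from the next morning).
SAMPLE = """\
top - 16:57:19 up 58 days, 2:42, 2 users, load average: 0.55, 0.52, 0.45
 9567 root 15 0 13780 9.9m 2608 S 4.0 0.5 0:00.73 bro
top - 17:07:19 up 58 days, 2:52, 2 users, load average: 0.80, 0.73, 0.56
 9567 root 15 0 25208 21m 2676 R 15.7 1.0 1:23.21 bro
top - 17:17:20 up 58 days, 3:02, 2 users, load average: 0.78, 0.71, 0.61
 9567 root 15 0 30700 26m 2688 S 13.8 1.3 2:51.30 bro
top - 17:27:20 up 58 days, 3:12, 2 users, load average: 0.85, 0.74, 0.65
 9567 root 15 0 36796 32m 2688 S 19.8 1.6 4:21.41 bro
top - 06:58:03 up 58 days, 16:43, 2 users, load average: 0.51, 0.51, 0.52
 9567 root 15 0 349m 345m 2696 S 13.8 17.1 153:08.79 bro
top - 07:08:03 up 58 days, 16:53, 2 users, load average: 0.70, 0.66, 0.57
 9567 root 15 0 353m 349m 2696 S 25.7 17.3 155:17.46 bro
top - 08:58:09 up 58 days, 18:43, 2 users, load average: 0.85, 0.68, 0.62
 9567 root 15 0 394m 391m 2696 R 27.7 19.3 181:01.10 bro
"""


def to_mib(field: str) -> float:
    """Convert a top memory column ('13780' = KiB, '9.9m', '1.2g') to MiB."""
    units = {"k": 1 / 1024, "m": 1.0, "g": 1024.0}
    suffix = field[-1].lower()
    if suffix in units:
        return float(field[:-1]) * units[suffix]
    return float(field) / 1024  # bare number: KiB


def parse_top(text: str, command: str = "bro") -> List[Tuple[float, float]]:
    """Return (hours since first snapshot, RES in MiB) for each snapshot of `command`.

    The header carries only a time of day; when it goes backwards we assume
    a day boundary was crossed and add 24 h.
    """
    samples: List[Tuple[int, float]] = []
    t_prev = None
    t_cur = None
    day_offset = 0
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            t = h * 3600 + mi * 60 + s
            if t_prev is not None and t < t_prev:
                day_offset += 86400
            t_prev, t_cur = t, t + day_offset
            continue
        m = PROC_RE.match(line)
        if m and m.group(5) == command and t_cur is not None:
            samples.append((t_cur, to_mib(m.group(3))))  # group(3) is RES
    if not samples:
        return []
    t0 = samples[0][0]
    return [((t - t0) / 3600.0, res) for t, res in samples]


def fit_growth(samples: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares fit RES = a + b*hours; returns (b in MiB/hour, r_squared).

    An r_squared near 1 with a positive slope means growth is steady, i.e.
    state is accumulating without bound rather than settling at a plateau.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two snapshots")
    mt = sum(t for t, _ in samples) / n
    my = sum(y for _, y in samples) / n
    sxx = sum((t - mt) ** 2 for t, _ in samples)
    sxy = sum((t - mt) * (y - my) for t, y in samples)
    sst = sum((y - my) ** 2 for _, y in samples)
    slope = sxy / sxx
    r2 = (sxy * sxy / sxx) / sst if sst else 1.0
    return slope, r2


def diagnose(text: str, budget_mib: float, command: str = "bro") -> Dict[str, float]:
    """Summarise growth and project when RES would hit `budget_mib` at the fitted rate."""
    samples = parse_top(text, command)
    slope, r2 = fit_growth(samples)
    last_t, last_res = samples[-1]
    hours_left = (budget_mib - last_res) / slope if slope > 0 else float("inf")
    return {"mib_per_hour": slope, "r_squared": r2, "last_res_mib": last_res,
            "hours_until_budget": hours_left}


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE, budget_mib=1024).items():
        print(f"{k}: {v:.3f}")
```

On the posted data the fit gives roughly 23 MiB per hour with r_squared above 0.99, which is what a leak of unexpired script state looks like; a table that is correctly bounded by &expire attributes or the reduce-memory timeouts would instead show the rate falling to near zero after the first few timeout intervals.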
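For the "couple of questions" thread above: Vern's answer points at the EDNS framing (RFC 2671) as the source of both "pldsize" and the DNSSEC OK flag, and suggests adding any deeper analysis to DNS.cc. The parser below is an added example, written here in Python rather than as a Bro event-engine change, and is not code from Bro or from the thread. It walks a raw DNS message to the additional section, finds the OPT pseudo-RR (type 41), and breaks out exactly the fields the questions asked about: the CLASS field reinterpreted as the sender's UDP payload size, the TTL field split into extended RCODE, EDNS version and the 16-bit Z flags (whose top bit is DO, "DNSSEC OK"), and the RDATA as a list of option code/data pairs. The sample message is constructed by hand for this example; the NSID option code (3) and the 192.0.2.1 answer address are illustrative values.

```python
"""Parse the EDNS(0) OPT pseudo-RR (RFC 2671) out of a raw DNS message.

Added example for the "couple of questions" thread; not Bro code.
The sample message built by build_sample() is constructed for this example.
"""
import struct
from typing import List, Optional, Tuple

OPT_TYPE = 41      # RR type of the EDNS(0) OPT pseudo-record
DO_BIT = 0x8000    # "DNSSEC OK": high bit of the 16-bit Z field


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name at `off`.
    Handles plain label sequences and RFC 1035 compression pointers (0xC0xx)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + ln


def _skip_rr(msg: bytes, off: int) -> int:
    """Return the offset just past one resource record (NAME TYPE CLASS TTL RDLEN RDATA)."""
    off = _skip_name(msg, off)
    rdlen = struct.unpack_from("!H", msg, off + 8)[0]  # after TYPE(2) CLASS(2) TTL(4)
    return off + 10 + rdlen


def parse_edns(msg: bytes) -> Optional[dict]:
    """Return the OPT RR fields of `msg`, or None if the message carries no OPT RR.

    In an OPT RR the fixed RR fields are reinterpreted:
      CLASS -> requestor's UDP payload size (the "pldsize")
      TTL   -> extended RCODE (8 bits) | EDNS version (8 bits) | Z flags (16 bits)
      RDATA -> sequence of {OPTION-CODE, OPTION-LENGTH, OPTION-DATA}
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):  # question: QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = _skip_rr(msg, off)
    for _ in range(ar):
        name_end = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, name_end)
        rdata_start = name_end + 10
        rdata = msg[rdata_start:rdata_start + rdlen]
        if rtype != OPT_TYPE:
            off = rdata_start + rdlen
            continue
        if name_end - off != 1:  # the OPT owner name must be the root (single 0 byte)
            raise ValueError("OPT RR with non-root owner name")
        if len(rdata) != rdlen:
            raise ValueError("truncated OPT RDATA")
        options: List[Tuple[int, bytes]] = []
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            data = rdata[pos + 4:pos + 4 + olen]
            if len(data) != olen:
                raise ValueError("truncated EDNS option")
            options.append((code, data))
            pos += 4 + olen
        if pos != len(rdata):
            raise ValueError("trailing bytes in OPT RDATA")
        z = ttl & 0xFFFF
        return {
            "pldsize": rclass,
            "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF,
            "z": z,
            "dnssec_ok": bool(z & DO_BIT),
            "options": options,
        }
    return None


def build_sample() -> bytes:
    """Constructed sample: a response for 'example.' with one A answer and an
    OPT RR announcing 4096-byte UDP payloads, DO set, and one NSID (code 3) option."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x07example\x00" + struct.pack("!HH", 1, 1)
    # Answer owner name is a compression pointer to offset 12 (the QNAME).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    nsid = struct.pack("!HH", 3, 4) + b"ns01"
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, len(nsid)) + nsid
    return header + question + answer + opt


if __name__ == "__main__":
    print(parse_edns(build_sample()))
```

The explicit length checks matter more than they look: the OPT RDATA is attacker-controlled input to any analyzer that dissects it, and an option whose OPTION-LENGTH runs past the end of the packet is exactly the kind of framing error a DNS.cc extension would need to reject rather than read through.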