From jbarlow at ncsa.uiuc.edu Wed Nov 1 13:52:46 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Wed, 1 Nov 2006 15:52:46 -0600
Subject: [Bro] Bro Workshop information
Message-ID: <20061101215246.GA29543@wolrab.ncsa.uiuc.edu>

Here is a web page with the latest information on the Bro Workshop in Tampa on November 14th and 15th:

http://www.ncsa.uiuc.edu/UserInfo/Security/Bro06-workshop.html

It currently has speakers and times for the two half day sessions. I'll be sure to put the latest up-to-date info on that page and will also send out an email to the list when I have made any changes.

One thing that we have worked into the schedule is plenty of time for discussion on various Bro topics. There are a few discussion questions toward the end of the workshop information webpage that we want to cover. If anyone has questions or topics that they want to make sure we try to discuss, then be sure to reply to the list with anything you may have in mind.

--
James J. Barlow
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
Voice : (217)244-6403   Cell : (217)840-0601   Fax : (217)244-1987
http://www.ncsa.uiuc.edu/~jbarlow

From dhanesh at tataelxsi.co.in Wed Nov 1 20:33:04 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Thu, 2 Nov 2006 10:03:04 +0530
Subject: [Bro] TCP Partial Connection
Message-ID: <000201c6fe37$fdc413e0$0637a8c0@telxsi.com>

Hi All,

BRO calls the Protocol Analyzers (for Applications using TCP) only after a TCP three way handshake has happened. For example, the HTTP event handlers are called after the TCP handshake has happened and BRO recognizes it as HTTP traffic by looking at the destination port. When I run capture files with a few TCP (HTTP) packets, without the handshake packets, the HTTP event handlers were not called in this case. I suppose BRO will recognize it as a TCP packet and then do nothing with the packet.
How does BRO handle these TCP packets without handshake packets?

Thanks in advance,
Dhanesh.

From phuong.d.nguyen at gmail.com Fri Nov 3 18:30:18 2006
From: phuong.d.nguyen at gmail.com (Phuong Nguyen)
Date: Fri, 3 Nov 2006 18:30:18 -0800
Subject: [Bro] Running binpac generated code outside of bro
Message-ID: <6fe2496b0611031830q96a077dr738ed6a270c25e27@mail.gmail.com>

Hi all,

I'm trying to run binpac (in Bro dist 1.2) generated code independently of Bro. It appears that the binpac generated parser uses Bro's regex code. I was wondering if anyone has extracted the regex library to allow binpac code to run outside of Bro? Thanks.

Phuong

From lgh at gradinfo.net.edu.cn Sun Nov 5 08:17:27 2006
From: lgh at gradinfo.net.edu.cn (lgh)
Date: Mon, 06 Nov 2006 00:17:27 +0800
Subject: [Bro] a bug in CheckPIA_FirstPacket()?
Message-ID: <454E0E97.7060908@gradinfo.net.edu.cn>

Hi,

In function TCP_Analyzer::CheckPIA_FirstPacket(), I assume the test bit of first_packet_seen should be set when the first packet for that direction is met. However, currently, one direction clears the test bit of the other direction. If my guess is correct, the code should be changed from:

    first_packet_seen = ORIG;
    ...
    first_packet_seen = RESP;

to

    first_packet_seen |= ORIG;
    ...
    first_packet_seen |= RESP;

cheers,
Guohan Lu

From robin at icir.org Sun Nov 5 12:24:28 2006
From: robin at icir.org (Robin Sommer)
Date: Sun, 5 Nov 2006 12:24:28 -0800
Subject: [Bro] a bug in CheckPIA_FirstPacket()?
In-Reply-To: <454E0E97.7060908@gradinfo.net.edu.cn>
References: <454E0E97.7060908@gradinfo.net.edu.cn>
Message-ID: <20061105202428.GA5224@icir.org>

On Mon, Nov 06, 2006 at 00:17 +0800, you wrote:

> first_packet_seen |= ORIG;
> first_packet_seen |= RESP;

That's right. Thanks a lot for catching this!
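The effect of the `=` versus `|=` update in CheckPIA_FirstPacket(), as an added C simulation that is not Bro's code (the ORIG/RESP values and the packet direction sequence are constructed for the example): with plain assignment, the responder's first packet wipes the originator's bit, so later originator packets are treated as "first packets" again and the first-packet work runs more than once per direction.

```c
#include <stdbool.h>
#include <stdio.h>

/* Direction bits, standing in for the ORIG/RESP values that
 * TCP_Analyzer::CheckPIA_FirstPacket() records in first_packet_seen.
 * The numeric values here are constructed for the example, not taken from Bro. */
enum { ORIG = 1, RESP = 2 };

/* Replay one connection's packet directions through the first-packet
 * bookkeeping.  "handled" counts how often the first-packet work (the PIA
 * check in Bro) runs; with a correct bitmask it runs at most once per
 * direction.  use_or selects the fixed (|=) or the buggy (=) update. */
static int replay(const bool *is_orig, int n, bool use_or, int *mask_out)
{
    int first_packet_seen = 0;
    int handled = 0;

    for (int i = 0; i < n; i++) {
        int dir = is_orig[i] ? ORIG : RESP;

        if (first_packet_seen & dir)
            continue;                   /* this direction's first packet was already seen */

        handled++;                      /* first-packet work would run here */

        if (use_or)
            first_packet_seen |= dir;   /* fixed: set only this direction's bit */
        else
            first_packet_seen = dir;    /* buggy: overwrites the other direction's bit */
    }

    if (mask_out)
        *mask_out = first_packet_seen;
    return handled;
}

/* Constructed direction sequence: SYN, SYN/ACK, ACK, request, response
 * (true = originator, false = responder). */
static const bool HANDSHAKE[] = { true, false, true, true, false };
#define HANDSHAKE_LEN ((int)(sizeof HANDSHAKE / sizeof HANDSHAKE[0]))

/* Number of times first-packet handling runs on the constructed sequence. */
int handled_count(bool use_or)
{
    return replay(HANDSHAKE, HANDSHAKE_LEN, use_or, NULL);
}

/* Final value of first_packet_seen after the constructed sequence. */
int final_mask(bool use_or)
{
    int mask = 0;
    replay(HANDSHAKE, HANDSHAKE_LEN, use_or, &mask);
    return mask;
}

int main(void)
{
    printf("buggy (=):  handled %d times, final mask %d\n",
           handled_count(false), final_mask(false));
    printf("fixed (|=): handled %d times, final mask %d\n",
           handled_count(true), final_mask(true));
    return 0;
}
```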
Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From johngerber at yahoo.com Mon Nov 6 13:17:03 2006
From: johngerber at yahoo.com (John Gerber)
Date: Mon, 6 Nov 2006 13:17:03 -0800 (PST)
Subject: [Bro] Local Subnet List
Message-ID: <910060.95165.qm@web30006.mail.mud.yahoo.com>

I am new to Bro, so I might be missing something obvious. I apologize if that is the case.

The documentation states that Bro needs to know a list of the local subnets. How large can this list be? I would imagine the larger the list, the more work Bro will need to do to match the local subnets against the traffic. Is there a way not to define local subnets? If you made the traffic analysis be bidirectional, would that be possible?

Thank you.
John

From vern at icir.org Mon Nov 6 13:22:29 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 06 Nov 2006 13:22:29 -0800
Subject: [Bro] Local Subnet List
In-Reply-To: <910060.95165.qm@web30006.mail.mud.yahoo.com> (Mon, 06 Nov 2006 13:17:03 PST).
Message-ID: <200611062122.kA6LMTOU081988@jaguar.icir.org>

> How large can this list be? I would imagine
> the larger the list, the more work Bro will need to do to match the local
> subnets against the traffic.

Actually, that's not the case. Bro uses patricia trees when matching subnets (and hash tables for things like sets of addresses), so there's very little performance penalty for listing your local subnets.

> Is there a way not to define local subnets?

Yes, by default, they're not defined.

> If you made the traffic analysis be bidirectional, would that be possible?

The analysis is always bidirectional, though some types of activity are treated differently if perceived as incoming vs. outgoing.
Vern

From abhinay at cs.utexas.edu Tue Nov 7 16:30:27 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Tue, 7 Nov 2006 18:30:27 -0600
Subject: [Bro] List of connections

Hi,

Is there any policy file in Bro that reports all connections present in the traffic seen by Bro? Does conn.bro provide this functionality?

Regards,
Abhinay

From jbabbin at comcast.net Tue Nov 7 17:28:20 2006
From: jbabbin at comcast.net (jbabbin at comcast.net)
Date: Wed, 08 Nov 2006 01:28:20 +0000
Subject: [Bro] List of connections
Message-ID: <110820060128.5072.455132B4000E2D19000013D0220700095302070D0D0E0D06@comcast.net>

Hi Abhinay,

Yup, the conn.log file that is created at run time is where you will see all of the connections BRO was able to make, as well as those "flows" that BRO saw but was unable to determine the application layer for, or that were not established connections.

Jake

-------------- Original message ----------------------
From: "Abhinay Kampasi"
> Hi,
>
> Is there any policy file in Bro that reports all connections present in the
> traffic seen by Bro? Does conn.bro provide this functionality?
>
> Regards,
> Abhinay

From mtdedlow at lbl.gov Tue Nov 7 17:48:04 2006
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Tue, 07 Nov 2006 17:48:04 -0800
Subject: [Bro] List of connections
Message-ID: <45513754.3070604@lbl.gov>

Abhinay Kampasi wrote:
> Is there any policy file in Bro that reports all connections present in the
> traffic seen by Bro? Does conn.bro provide this functionality?

conn.bro only logs TCP. Depending on what you mean by "connection", you may also want udp.bro and/or icmp.bro.

Also, note that conn.bro does not *only* log connections. It does intrusion analysis -- for example, scan detection.
Mark

From abhinay at cs.utexas.edu Tue Nov 7 17:49:57 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Tue, 7 Nov 2006 19:49:57 -0600
Subject: [Bro] List of connections
In-Reply-To: <45513754.3070604@lbl.gov>

Thanks Mark, I only wanted TCP connection info.

Regards,
Abhinay

From jbarlow at ncsa.uiuc.edu Wed Nov 8 11:49:03 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Wed, 8 Nov 2006 13:49:03 -0600
Subject: [Bro] Bro Workshop location info
Message-ID: <20061108194903.GA8987@wolrab.ncsa.uiuc.edu>

Just put the following info on the Bro Workshop web page:

http://www.ncsa.uiuc.edu/UserInfo/Security/Bro06-workshop.html

The workshop is going to be held at the Tampa Airport Marriott (http://marriott.com/property/propertypage/TPAAP). It's about 8 miles from the Tampa Convention Center where the SC'06 conference is held. The room location is still forthcoming (they have been juggling our room arrangements around a bit).
I'll put that info up as soon as we get the confirmation from them.

Also one additional item that someone mentioned as a discussion topic:

Is there work on an IDMEF module for use with applications like Prelude?

--
James J. Barlow

From phuong.d.nguyen at gmail.com Wed Nov 8 18:25:54 2006
From: phuong.d.nguyen at gmail.com (Phuong Nguyen)
Date: Wed, 8 Nov 2006 18:25:54 -0800
Subject: [Bro] SMB Parsing and dialect
Message-ID: <6fe2496b0611081825h5d381167x18fde2716c5ae6f@mail.gmail.com>

Hi All,

It appears that the current SMB parser does not maintain the result of NEGOTIATE, mainly the dialect, for parsing dialect dependent request/response. Is this something that will get added in the future, or deemed unnecessary? Thanks

Phuong

From grier at ICSI.Berkeley.EDU Wed Nov 8 19:09:23 2006
From: grier at ICSI.Berkeley.EDU (Chris Grier)
Date: Wed, 08 Nov 2006 21:09:23 -0600
Subject: [Bro] SMB Parsing and dialect
In-Reply-To: <6fe2496b0611081825h5d381167x18fde2716c5ae6f@mail.gmail.com>
References: <6fe2496b0611081825h5d381167x18fde2716c5ae6f@mail.gmail.com>
Message-ID: <45529BE3.8090401@icsi.berkeley.edu>

Phuong Nguyen wrote:
> Hi All,
>
> It appears that the current SMB parser does not maintain the result of
> NEGOTIATE, mainly the dialect, for parsing dialect dependent
> request/response. Is this something that will get added in the future,
> or deemed unnecessary? Thanks
>
> Phuong

There's an extended version of the SMB parser that maintains the results of many of the SMB packet types, which will probably be integrated in the future.
It parses SMB packets in more detail and passes the results out to the policy, including things such as dialects in the SMB_NEGOTIATE packets and the responses.

--
Chris Grier

From vern at icir.org Thu Nov 9 00:06:33 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 09 Nov 2006 00:06:33 -0800
Subject: [Bro] IDMEF (Re: Bro Workshop location info)
In-Reply-To: <20061108194903.GA8987@wolrab.ncsa.uiuc.edu> (Wed, 08 Nov 2006 13:49:03 CST).
Message-ID: <200611090806.kA986XYp064565@jaguar.icir.org>

> Also one additional item that someone mentioned as a discussion topic:
>
> Is there work on an IDMEF module for use with applications like Prelude?

Umesh Shankar added some IDMEF hooks to Bro quite a while ago. They haven't been maintained or further developed, however, and I don't believe anyone is currently working on enhancing this functionality.

Vern

From vern at icir.org Thu Nov 9 00:07:50 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 09 Nov 2006 00:07:50 -0800
Subject: [Bro] SMB Parsing and dialect
In-Reply-To: <45529BE3.8090401@icsi.berkeley.edu> (Wed, 08 Nov 2006 21:09:23 CST).
Message-ID: <200611090807.kA987owP064595@jaguar.icir.org>

> There's an extended version of the SMB parser that maintains the results
> of many of the SMB packet types, which will probably be integrated in
> the future.

Yep - it will definitely be integrated, and is targeted as one of the main additions for the upcoming 1.3 release.

Vern

From vern at icir.org Thu Nov 9 00:33:22 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 09 Nov 2006 00:33:22 -0800
Subject: [Bro] TCP Partial Connection
In-Reply-To: <000201c6fe37$fdc413e0$0637a8c0@telxsi.com> (Thu, 02 Nov 2006 10:03:04 +0530).
Message-ID: <200611090833.kA98XMTo065338@jaguar.icir.org>

> When I run capture files with a few TCP (HTTP) packets, without the
> handshake packets the HTTP event handlers were not called in this case. I
> suppose BRO will recognize it as TCP packet and then do nothing with the
> packet.
>
> How does BRO handle these TCP packets without handshake packets?

It is customized per analyzer. Some analyzers designate that they can analyze partial connections, while others cannot. (It boils down to how likely the analyzer is to be able to synchronize its parsing given that it's starting in the middle of a connection.)

Vern

From abhinay at cs.utexas.edu Thu Nov 9 10:32:31 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Thu, 09 Nov 2006 12:32:31 -0600
Subject: [Bro] Traffic analysis by Bro
Message-ID: <4553743F.8090402@cs.utexas.edu>

Hi,

What traffic does Bro monitor by default (i.e. what pcap capture filter does it use)?

Suppose one of the policy scripts redefines the capture filter to monitor SSH traffic as follows:

    redef capture_filters += { ["xxxx"] = "tcp port 22" };

Does this modify the global filter? I mean, do all the policy scripts (and not only my script) see the SSH traffic?

Thanks,
Abhinay

From robin at icir.org Fri Nov 10 09:10:41 2006
From: robin at icir.org (Robin Sommer)
Date: Fri, 10 Nov 2006 09:10:41 -0800
Subject: [Bro] Traffic analysis by Bro
In-Reply-To: <4553743F.8090402@cs.utexas.edu>
References: <4553743F.8090402@cs.utexas.edu>
Message-ID: <20061110171040.GA15102@icir.org>

On Thu, Nov 09, 2006 at 12:32 -0600, Abhinay Kampasi wrote:

> What traffic does Bro monitor by default (i.e. what pcap capture filter
> does it use)?

It builds the pcap filter dynamically at startup depending on which scripts you load. Just load the script print-filter to see what it looks like in your particular setup.

> Does this modify the global filter? I mean do all the policy scripts
> (and not only my script) see the SSH traffic?

Yes. Yes. There's always only one pcap filter in use.
Robin

From vern at icir.org Fri Nov 10 09:16:03 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 10 Nov 2006 09:16:03 -0800
Subject: [Bro] Traffic analysis by Bro
In-Reply-To: <20061110171040.GA15102@icir.org> (Fri, 10 Nov 2006 09:10:41 PST).
Message-ID: <200611101716.kAAHG3gO095719@jaguar.icir.org>

> There's always only one pcap filter in use.

(Nit: there can be two, if you use Bro's "secondary filter" capability, which is designed to provide a lightweight, additional packet stream to supplement the main analysis.)

Vern

From abhinay at cs.utexas.edu Fri Nov 10 10:47:02 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Fri, 10 Nov 2006 12:47:02 -0600
Subject: [Bro] Traffic analysis by Bro
In-Reply-To: <20061110171040.GA15102@icir.org>

Thanks Robin,

So suppose my script wants to analyze only interactive traffic (for example telnet, ssh); it will have to explicitly ignore all packets not on ports 22/23 because the capture filter may have been modified by other scripts to capture other traffic.

Regards,
Abhinay
From jbarlow at ncsa.uiuc.edu Fri Nov 10 12:14:27 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Fri, 10 Nov 2006 14:14:27 -0600
Subject: [Bro] Bro Workshop location info
In-Reply-To: <20061108194903.GA8987@wolrab.ncsa.uiuc.edu>
Message-ID: <20061110201427.GA19045@wolrab.ncsa.uiuc.edu>

On Wed, Nov 08, 2006 at 01:49:03PM -0600, James J. Barlow wrote:
> Just put the following info on the Bro Workshop web page:
>
> http://www.ncsa.uiuc.edu/UserInfo/Security/Bro06-workshop.html
>
> The workshop is going to be held at the Tampa Airport Marriott
> (http://marriott.com/property/propertypage/TPAAP). It's about 8 miles
> from the Tampa Convention Center where the SC'06 conference is held.
> The room location is still forthcoming (they have been juggling our
> room arrangements around a bit). I'll put that info up as soon as we
> get the confirmation from them.

Just added more info on the web page that the room location for the event is the Sarasota conference room.

There is also a slight time change in that we have the room until 4:30 on Tuesday afternoon (rather than 5:00). Evidently they have a big meeting there that evening that they need to start prepping for earlier. Shouldn't affect things much; if we have more to discuss that afternoon we can roll it over into the dinner time hangout/beer drinking/discussions. :)

If there are any questions or problems that come up you can call me on my cell number below. I'll also post it on the workshop web page.

See you all in Tampa.

--
James J.
Barlow
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
Voice : (217)244-6403   Cell : (217)840-0601   Fax : (217)244-1987
http://www.ncsa.uiuc.edu/~jbarlow

From robin at icir.org Sat Nov 11 10:09:16 2006
From: robin at icir.org (Robin Sommer)
Date: Sat, 11 Nov 2006 10:09:16 -0800
Subject: [Bro] Traffic analysis by Bro
References: <20061110171040.GA15102@icir.org>
Message-ID: <20061111180916.GA7252@icir.org>

On Fri, Nov 10, 2006 at 12:47 -0600, Abhinay Kampasi wrote:

> So suppose my script wants to analyze only interactive traffic (for example
> telnet, ssh), it will have to explicitly ignore all packets not on ports
> 22/23 because the capture filter may have been modified by other scripts to
> capture other traffic.

Hmm... Yes and no. Yes, because in terms of filtering Bro does not keep track of which traffic is requested by which script. But no, because your script will contain event handlers to implement your detection logic. Many (though not all) events are thrown by application-specific analyzers which only analyze "their" traffic. E.g., the HTTP analyzer looks only at HTTP connections and thus you're only going to see HTTP events for traffic on port 80 (or whichever port it happens to use).

So, the bottom line is that it depends on which events you're going to analyze. Depending on that, you may or may not need to filter out events which are irrelevant for you.

Robin

From abhinay at cs.utexas.edu Sat Nov 11 10:15:36 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Sat, 11 Nov 2006 12:15:36 -0600
Subject: [Bro] Traffic analysis by Bro
In-Reply-To: <20061111180916.GA7252@icir.org>

Thanks Robin,

Right now my script has the tcp_packet(...) event handler. I am assuming that this event handler will be invoked for all TCP packets.
Is that right?

Regards,
Abhinay

From abhinay at cs.utexas.edu Sat Nov 11 10:25:29 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Sat, 11 Nov 2006 12:25:29 -0600
Subject: [Bro] Backdoor Analyzer for interactive traffic

Hi Vern,

I was reading the "Detecting Backdoors" paper which talks about a general algorithm for detecting interactive traffic as well as some special-purpose algorithms. The backdoor policy script in Bro only has the implementation for detecting special-purpose backdoors. Is there any way I can use the general algorithm in Bro? I am writing an anomaly detector which needs to be applied only on interactive traffic.
Thanks and Regards,
Abhinay

From vern at icir.org Sat Nov 11 10:40:17 2006
From: vern at icir.org (Vern Paxson)
Date: Sat, 11 Nov 2006 10:40:17 -0800
Subject: [Bro] Backdoor Analyzer for interactive traffic
In-Reply-To: (Sat, 11 Nov 2006 12:25:29 CST).
Message-ID: <200611111840.kABIeHaH088798@jaguar.icir.org>

> The backdoor policy script in Bro only has the implementation
> for detecting special-purpose backdoors. Is there any way I can use the
> general algorithm in Bro?

It's implemented but in a separate policy script, interconn.bro.

Vern

From christian at whoop.org Sat Nov 11 12:20:18 2006
From: christian at whoop.org (Christian Kreibich)
Date: Sat, 11 Nov 2006 12:20:18 -0800
Subject: [Bro] Traffic analysis by Bro
Message-ID: <1163276418.5331.7.camel@strangepork>

On Fri, 2006-11-10 at 12:47 -0600, Abhinay Kampasi wrote:
> Thanks Robin,
>
> So suppose my script wants to analyze only interactive traffic (for example
> telnet, ssh), it will have to explicitly ignore all packets not on ports
> 22/23 because the capture filter may have been modified by other scripts to
> capture other traffic.

Abhinay, you don't need to worry about this: the semantic level at which you're writing your script is far beyond the pcap filter specification. Typically you will write your script based on event types that are relevant to the traffic you are interested in. For example, in the case of an SSH policy script, you might implement handlers for the ssh_client_version() and ssh_server_version() events, which only ever get triggered for SSH traffic (potentially in a port-independent fashion thanks to the new dynamic protocol detection framework).

Think of it this way: you configure Bro using a number of policy scripts. These scripts together (and through other scripts they @load) make sure that Bro captures all traffic and only the traffic necessary to trigger the events you are interested in.
At the same time, no events can ever be triggered (with some caveats) on traffic they are not meant for.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From robin at icir.org Sun Nov 12 16:32:32 2006
From: robin at icir.org (Robin Sommer)
Date: Sun, 12 Nov 2006 16:32:32 -0800
Subject: [Bro] Traffic analysis by Bro
References: <20061111180916.GA7252@icir.org>
Message-ID: <20061113003232.GA7260@icir.org>

On Sat, Nov 11, 2006 at 12:15 -0600, Abhinay Kampasi wrote:

> Right now my script has the tcp_packet(...) event handler. I am assuming
> that this event handler will be invoked for all TCP packets. Is that right?

Yes, that's right.

Robin

From abhinay at cs.utexas.edu Tue Nov 14 13:22:35 2006
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Tue, 14 Nov 2006 15:22:35 -0600
Subject: [Bro] Backdoor Analyzer for interactive traffic
In-Reply-To: <200611111840.kABIeHaH088798@jaguar.icir.org>
References: <200611111840.kABIeHaH088798@jaguar.icir.org>
Message-ID: <455A339B.8060803@cs.utexas.edu>

Thanks Vern,

The interconn analyzer is detecting the interactive connections that I am generating. I am using a custom server (netcat) to generate the interactive connections on random ports. However, the interconn analyzer was able to detect interactive connections only on standard ports like telnet/ssh because the packet filter that is loaded on startup captures traffic on these ports.

According to the paper, the filter

    (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20

should be loaded to capture all "small" packets. However, when I print the capture filter using the print-filter analyzer, I cannot see this filter being loaded. How and when is this filter loaded? I want to be able to detect interactive connections on any random port.
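What that pcap expression actually computes, as an added C example that is not Bro's or interconn.bro's code (the sample packets are constructed): ip[2:2] minus the IP header length minus the TCP data offset is the TCP payload length, evaluated at the same byte offsets BPF's ip[] and tcp[] indexing uses, so the filter captures packets carrying at most 20 bytes of payload (keystroke-sized interactive traffic) regardless of port.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP payload length of a raw IPv4/TCP packet, computed the way the pcap
 * expression  ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)  does it:
 * ip[n] indexes the IP header, tcp[n] the TCP header (which starts at
 * IHL*4 bytes, so IP options are accounted for).  Returns -1 when the
 * bytes are not a well-formed IPv4/TCP packet. */
int tcp_payload_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                                    /* not IPv4 */

    size_t ihl   = (size_t)(pkt[0] & 0x0f) << 2;     /* (ip[0]&0x0f)<<2 */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];    /* ip[2:2] */

    if (ihl < 20 || total < ihl + 20 || total > len || pkt[9] != 6)
        return -1;                                    /* bad lengths or not TCP */

    const uint8_t *tcp = pkt + ihl;
    /* tcp[12]>>2 equals the data offset in bytes only while the reserved
     * bits in the low nibble are zero; the pcap expression relies on that. */
    size_t doff = tcp[12] >> 2;

    if (doff < 20 || total - ihl < doff)
        return -1;                                    /* bad data offset */

    return (int)(total - ihl - doff);
}

/* The interconn "small packet" predicate: at most 20 bytes of TCP payload. */
bool is_small_packet(const uint8_t *pkt, size_t len)
{
    int n = tcp_payload_len(pkt, len);
    return n >= 0 && n <= 20;
}

/* Build a constructed IPv4/TCP packet with optional IP and TCP options
 * (multiples of 4 bytes) and a payload of 'x' bytes.  Returns the length,
 * or 0 if the requested sizes are not encodable. */
size_t build_packet(uint8_t *buf, size_t cap,
                    size_t ip_opts, size_t tcp_opts, size_t payload)
{
    size_t ihl = 20 + ip_opts, doff = 20 + tcp_opts;
    size_t total = ihl + doff + payload;

    if (ip_opts % 4 || tcp_opts % 4 || ihl > 60 || doff > 60 ||
        total > cap || total > 0xffff)
        return 0;

    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ihl / 4));             /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8);                   /* total length */
    buf[3] = (uint8_t)(total & 0xff);
    buf[9] = 6;                                       /* protocol = TCP */
    buf[ihl + 12] = (uint8_t)((doff / 4) << 4);       /* TCP data offset */
    memset(buf + ihl + doff, 'x', payload);
    return total;
}

/* Payload length the filter would compute for a constructed packet. */
int payload_len_for(size_t ip_opts, size_t tcp_opts, size_t payload)
{
    uint8_t buf[2048];
    size_t n = build_packet(buf, sizeof buf, ip_opts, tcp_opts, payload);
    return n ? tcp_payload_len(buf, n) : -1;
}

/* Whether the filter would capture a constructed packet. */
bool filter_matches(size_t ip_opts, size_t tcp_opts, size_t payload)
{
    uint8_t buf[2048];
    size_t n = build_packet(buf, sizeof buf, ip_opts, tcp_opts, payload);
    return n && is_small_packet(buf, n);
}

int main(void)
{
    printf("keystroke, 1 byte:           %s\n", filter_matches(0, 0, 1) ? "captured" : "dropped");
    printf("bulk, 1400 bytes:            %s\n", filter_matches(0, 0, 1400) ? "captured" : "dropped");
    printf("IP+TCP options, 20 bytes:    %s\n", filter_matches(4, 12, 20) ? "captured" : "dropped");
    printf("IP+TCP options, 21 bytes:    %s\n", filter_matches(4, 12, 21) ? "captured" : "dropped");
    return 0;
}
```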
Regards,
Abhinay

Vern Paxson wrote:
>> The backdoor policy script in Bro only has the implementation
>> for detecting special-purpose backdoors. Is there any way I can use the
>> general algorithm in Bro?
>
> It's implemented but in a separate policy script, interconn.bro.
>
> Vern

From vern at icir.org Tue Nov 14 13:46:59 2006
From: vern at icir.org (Vern Paxson)
Date: Tue, 14 Nov 2006 13:46:59 -0800
Subject: [Bro] Backdoor Analyzer for interactive traffic
In-Reply-To: <455A339B.8060803@cs.utexas.edu> (Tue, 14 Nov 2006 15:22:35 CST).
Message-ID: <200611142146.kAELkxap091561@jaguar.icir.org>

> According to the paper, the filter (ip[2:2] -
> ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20 should be loaded to capture all
> "small" packets. However, when I print the capture filter using
> print-filter analyzer, I cannot see this filter being loaded. How and
> when is this filter loaded? I want to be able to detect interactive
> connections on any random port.

In your wrapper script, add

    redef capture_filters += {
        ["interconn"] = "(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20"
    };

to explicitly set the filter.

Vern

From seth at net.ohio-state.edu Thu Nov 16 05:12:48 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Thu, 16 Nov 2006 08:12:48 -0500
Subject: [Bro] wiki vandalism
Message-ID: <01DC91A7-33D9-4364-B79A-6B33B48A51B3@net.ohio-state.edu>

There was vandalism on the wiki last night by the "Scofco" user account.
http://bro-ids.org/wiki/index.php/Subversion

.Seth

From robin at icir.org Thu Nov 16 07:38:57 2006
From: robin at icir.org (Robin Sommer)
Date: Thu, 16 Nov 2006 07:38:57 -0800
Subject: [Bro] wiki vandalism
In-Reply-To: <01DC91A7-33D9-4364-B79A-6B33B48A51B3@net.ohio-state.edu>
References: <01DC91A7-33D9-4364-B79A-6B33B48A51B3@net.ohio-state.edu>
Message-ID: <20061116153857.GB11155@icir.org>

On Thu, Nov 16, 2006 at 08:12 -0500, Seth Hall wrote:

> There was vandalism on the wiki last night by the "Scofco" user account.

Fixed. Thanks for letting us know! (Actually the user shouldn't have had the permissions to do this. We'll check.)

Robin

From christian at whoop.org Thu Nov 16 15:50:50 2006
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 16 Nov 2006 15:50:50 -0800
Subject: [Bro] &expire_func/&create_expire question
Message-ID: <1163721050.24818.66.camel@strangepork>

Hi,

can the &expire_func and &create_expire attributes be assigned at run-time? Mike (cc'd) sent me code for a sliding window implementation, which contained this:

    function sw_new( window : interval ) : sliding_window
    {
        local w : sliding_window;
        local tbl : table[time] of __sliding_window_slot
            &create_expire=window &expire_func=__sw_expire_slot;
        [...]

The parser accepts this without complaint but the code caused a segmentation fault ...

    Program received signal SIGSEGV, Segmentation fault.
    0x0812c31a in Val::AsInterval (this=0x0) at Val.h:247
    247     CONST_ACCESSOR(TYPE_INTERVAL, double, double_val, AsInterval)
    (gdb) bt
    #0  0x0812c31a in Val::AsInterval (this=0x0) at Val.h:247
    #1  0x0820a890 in TableVal::CheckExpireAttr (this=0x84148e8, at=ATTR_EXPIRE_CREATE) at Val.cc:1746
    #2  0x0820a964 in TableVal::SetAttrs (this=0x84148e8, a=0x8302318) at Val.cc:1733
    #3  0x082166d1 in TableVal (this=0x84148e8, t=0x83039f0, a=0x8302318) at Val.cc:1680
    #4  0x081d7c94 in InitStmt::Exec (this=0x8304870, f=0x8413170, flow=@0xbf93ad2c) at Stmt.cc:1608
    #5  0x081d7edd in StmtList::Exec (this=0x83047c8, f=0x8413170, flow=@0xbf93ad2c) at Stmt.cc:1390
    #6  0x081460d8 in BroFunc::Call (this=0x8304750, args=0x84147a0, parent=0x84131a8) at Func.cc:313

... that went away by making the window size fixed:

    type slots_table: table[time] of __sliding_window_slot
        &create_expire=SLIDING_WINDOW &expire_func=__sw_expire_slot;

    function sw_new() : sliding_window
    {
        local w : sliding_window;
        local tbl : slots_table;

Cheers,
Christian.

From vern at icir.org Thu Nov 16 23:51:24 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 16 Nov 2006 23:51:24 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163721050.24818.66.camel@strangepork> (Thu, 16 Nov 2006 15:50:50 PST).
Message-ID: <200611170751.kAH7pOXg089399@jaguar.icir.org>

> can the &expire_func and &create_expire attributes be assigned at
> run-time?

They should be, and looking at the code in question where you're getting the crash, I don't offhand see why it's failing. Can you or Mike put together a self-contained demo script that tickles this bug?
Vern

From christian at whoop.org Fri Nov 17 11:06:51 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 17 Nov 2006 11:06:51 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <200611170751.kAH7pOXg089399@jaguar.icir.org>
References: <200611170751.kAH7pOXg089399@jaguar.icir.org>
Message-ID: <1163790411.24818.165.camel@strangepork>

On Thu, 2006-11-16 at 23:51 -0800, Vern Paxson wrote:
> > can the &expire_func and &create_expire attributes be assigned at
> > run-time?
>
> They should be, and looking at the code in question where you're getting
> the crash, I don't offhand see why it's failing. Can you or Mike put
> together a self-contained demo script that tickles this bug?

Here you go -- this crashes on the first packet:

----
type flow_state: record {
    t: table[count] of count;
};

global state: table[addr] of flow_state;

function flow_state_new(i: interval): flow_state
{
    local fs: flow_state;
    local t: table[count] of count &create_expire=i;

    fs$t = t;
    return fs;
}

event new_packet(c: connection, p: pkt_hdr)
{
    local fs: flow_state;

    if (c$id$orig_h !in state) {
        fs = flow_state_new(5 secs);
        state[c$id$orig_h] = fs;
    }
}
----

This works:

----
type count_table: table[count] of count &create_expire=5 secs;

type flow_state: record {
    t: count_table;
};

global state: table[addr] of flow_state;

function flow_state_new(): flow_state
{
    local fs: flow_state;
    local t: count_table;

    fs$t = t;
    return fs;
}

event new_packet(c: connection, p: pkt_hdr)
{
    local fs: flow_state;

    if (c$id$orig_h !in state) {
        fs = flow_state_new();
        state[c$id$orig_h] = fs;
    }
}
----

Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From vern at icir.org Fri Nov 17 11:48:43 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 17 Nov 2006 11:48:43 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163790411.24818.165.camel@strangepork> (Fri, 17 Nov 2006 11:06:51 PST).
Message-ID: <200611171948.kAHJmhTI051019@jaguar.icir.org>

> Here you go -- this crashes on the first packet:

Thanks.  That indeed reproduces the problem for me.

Vern

From muscletot at gmail.com Fri Nov 17 13:18:09 2006
From: muscletot at gmail.com (Mike Wood)
Date: Fri, 17 Nov 2006 13:18:09 -0800
Subject: [Bro] &expire_func/&create_expire question
Message-ID: <0826da6d41382c1c2b07464016ea374d@gmail.com>

Hiya,

Below is a script that I would think should cause the &expire_func to
execute, but doesn't.  (I would expect the expire function to execute
assuming you run the script on a trace that has packets with arrival
times separated by more than EXPIRE time, which is set to 1 second
below).
------------
type test_key : string;
#type test_key : time;

global pkts : count = 0;

function expF(tbl: table[test_key] of count, idx: test_key): interval
    {
    pkts = pkts - tbl[idx];
    return 0 sec;
    }

const EXPIRE : interval = 1 sec;

global pkts_map: table[test_key] of count
    &default=0 &create_expire=EXPIRE &expire_func=expF;

event new_packet(c: connection, p: pkt_hdr)
    {
    local k : string = fmt("%s", network_time());
    #local k : time = network_time();

    print fmt("k=%s", k);
    ++pkts;

    if ( k in pkts_map )
        {
        pkts_map[k] = pkts_map[k] + 1;
        }
    else
        {
        pkts_map[k] = 1;
        }

    print fmt("pkts = %d, pkt map: %d", pkts, pkts_map[k]);
    }
-------

Also, if you un-comment the test_key line at the top to use the 'time'
type as a key in the table (and the corresponding key computation in
the new_packet event), you get the following error:

1163788759.811588 (1163788759.81159): bad tag in Val::CONST_ACCESSOR (time/double)

I tested this on Linux, if that's any use.

Any help would be appreciated.

- Mike

From christian at whoop.org Fri Nov 17 14:51:03 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 17 Nov 2006 14:51:03 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <0826da6d41382c1c2b07464016ea374d@gmail.com>
References: <0826da6d41382c1c2b07464016ea374d@gmail.com>
Message-ID: <1163803863.24818.183.camel@strangepork>

Hey Mike,

mhmmm sorry but this seems to work here.  For comparison, does this more
basic one give you output?
----
function expire(t: table[count] of count, idx: count): interval
    {
    print fmt("Expiring %d", idx);
    return 0 sec;
    }

global state: table[count] of count &create_expire=1sec &expire_func=expire;
global idx: count = 0;

event new_packet(c: connection, p: pkt_hdr)
    {
    ++idx;
    state[idx] = idx;
    }
----

> Also, if you un-comment the test_key line at the top to use the 'time'
> type as a key in the table (and the corresponding key computation in
> the new_packet event), you get the following error:

That one I can confirm (and I don't understand the cause).

Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From christian at whoop.org Fri Nov 17 16:37:15 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 17 Nov 2006 16:37:15 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163803863.24818.183.camel@strangepork>
References: <0826da6d41382c1c2b07464016ea374d@gmail.com>
	<1163803863.24818.183.camel@strangepork>
Message-ID: <1163810235.24818.221.camel@strangepork>

We have some progress on the non-triggering of the expiration callback.
It is triggered, but a *long* time after the &create_expire interval.
Below are the timings using a 20 minute trace for this code:

function expire(t: table[count] of count, idx: count): interval
    {
    print fmt("%s %s (expire)", current_time(), network_time());
    return 0 sec;
    }

global state: table[count] of count &create_expire=1sec &expire_func=expire;
global idx: count = 0;

event new_packet(c: connection, p: pkt_hdr)
    {
    ++idx;
    state[idx] = idx;
    print fmt("%s %s", current_time(), network_time());
    }

                          | current_time()     network_time()
--------------------------+-------------------+-----------------
first packet processed    | 1163809190.13672   1039099587.68955
first expire cb triggered | 1163809190.75784   1039099678.4143

Real time is out, since 1s hasn't yet passed.  But network time has
advanced 91s before I see the callback!?
Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From vern at icir.org Fri Nov 17 16:43:34 2006
From: vern at icir.org (Vern Paxson)
Date: Fri, 17 Nov 2006 16:43:34 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163810235.24818.221.camel@strangepork> (Fri, 17 Nov 2006 16:37:15 PST).
Message-ID: <200611180043.kAI0hYeZ077487@jaguar.icir.org>

> Real time is out, since 1s hasn't yet passed.  But network time has
> advanced 91s before I see the callback!?

Timer expiration is driven off of packet arrivals.  Is there a lengthy
lull in arriving packets that causes the 91 second delay?

Vern

From christian at whoop.org Fri Nov 17 17:39:45 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 17 Nov 2006 17:39:45 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <200611180043.kAI0hYeZ077487@jaguar.icir.org>
References: <200611180043.kAI0hYeZ077487@jaguar.icir.org>
Message-ID: <1163813985.24818.236.camel@strangepork>

On Fri, 2006-11-17 at 16:43 -0800, Vern Paxson wrote:
> > Real time is out, since 1s hasn't yet passed.  But network time has
> > advanced 91s before I see the callback!?
>
> Timer expiration is driven off of packet arrivals.  Is there a lengthy
> lull in arriving packets that causes the 91 second delay?

Uh-oh.  I've discovered that packets in that trace were not in
chronological order, sorry.  So I switched to one that covers ~3
minutes, definitely sorted and without substantial gaps, and now the
delay is at 60s, when a burst of expirations is triggered.  I've
uploaded the stdout output I get with that trace and the below code at
http://www.cl.cam.ac.uk/~cpk25/bro/expiration-log.txt.gz .
----
function expire(t: table[count] of count, idx: count): interval
    {
    print fmt("Expiring %d at %s", idx, network_time());
    return 0 sec;
    }

global state: table[count] of count &create_expire=1sec &expire_func=expire;
global idx: count = 0;

event new_packet(c: connection, p: pkt_hdr)
    {
    ++idx;
    state[idx] = idx;
    print fmt("%s", network_time());
    }
----

Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From christian at whoop.org Fri Nov 17 17:55:55 2006
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 17 Nov 2006 17:55:55 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163813985.24818.236.camel@strangepork>
References: <200611180043.kAI0hYeZ077487@jaguar.icir.org>
	<1163813985.24818.236.camel@strangepork>
Message-ID: <1163814955.24818.248.camel@strangepork>

Another factoid: for *any* &create_expire delay between 1s and 60s
(inclusive) the first expiration is triggered at exactly the same time,
1039100508.06149.  Once it's at 61 seconds, the first expiration is at
1039100568.33063 -- pushed back by another minute.

Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From seth at net.ohio-state.edu Mon Nov 20 10:45:29 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Mon, 20 Nov 2006 13:45:29 -0500
Subject: [Bro] mod_security and bro
Message-ID: 

Hi, since the bro workshop, I've been thinking about a lot of ways that
bro could be used that it isn't currently being used.  I had talked to
Brian about how bro could go about detecting http application level
attacks like cross site scripting and sql injection and we sort of came
to the agreement that bro doesn't really work at this level currently.
Over the weekend I realized that mod_security (http://www.modsecurity.org/)
does what I'm thinking of in terms of detecting web application attack
signatures.  My question is, does it seem reasonable to strip the apache
specific code from mod_security and instrument it with broccoli to
receive http events?  It's sort of just an extension on the
sensitive_URIs variable, but it could at least be code that is
maintained externally for detecting this specific subset of attacks.

.Seth

From nikns at secure.lv Mon Nov 20 11:29:57 2006
From: nikns at secure.lv (nikns)
Date: Mon, 20 Nov 2006 21:29:57 +0200
Subject: [Bro] mod_security and bro
In-Reply-To: 
References: 
Message-ID: <20061120192957.GA30897@secure.lv>

Perhaps this would be interesting for you:
http://www.inliniac.net/blog/?p=46

On Mon, Nov 20, 2006 at 01:45:29PM -0500, Seth Hall wrote:
> Hi, since the bro workshop, I've been thinking about a lot of ways
> that bro could be used that it isn't currently being used.  I had
> talked to Brian about how bro could go about detecting http
> application level attacks like cross site scripting and sql injection
> and we sort of came to the agreement that bro doesn't really work at
> this level currently.
>
> Over the weekend I realized that mod_security (http://www.modsecurity.org/)
> does what I'm thinking of in terms of detecting web application attack
> signatures.  My question is, does it seem reasonable to strip the
> apache specific code from mod_security and instrument it with broccoli
> to receive http events?  It's sort of just an extension on the
> sensitive_URIs variable, but it could at least be code that is
> maintained externally for detecting this specific subset of attacks.
>
> .Seth
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From robin at icir.org Mon Nov 20 11:31:54 2006
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Nov 2006 11:31:54 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163814955.24818.248.camel@strangepork>
References: <200611180043.kAI0hYeZ077487@jaguar.icir.org>
	<1163813985.24818.236.camel@strangepork>
	<1163814955.24818.248.camel@strangepork>
Message-ID: <20061120193154.GA31810@icir.org>

On Fri, Nov 17, 2006 at 17:55 -0800, Christian Kreibich wrote:
> Another factoid: for *any* &create_expire delay between 1s and 60s

To clarify how table expiration works: we do not install an individual
timer for every table entry; that would be way too many.  Instead, every
table gets *one* timer which periodically triggers the expiration of
all outdated entries.  By default, this is done every 10s
(table_expire_interval).  Furthermore, when entries are expired, only
5000 (table_incremental_step) are expired in a row, then a delay of
0.01 (table_expire_delay) is inserted to avoid dropping packets.

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From seth at net.ohio-state.edu Mon Nov 20 11:38:51 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Mon, 20 Nov 2006 14:38:51 -0500
Subject: [Bro] mod_security and bro
In-Reply-To: <20061120192957.GA30897@secure.lv>
References: <20061120192957.GA30897@secure.lv>
Message-ID: <5F7938F4-35EB-49EE-99B4-986F0CE9D783@net.ohio-state.edu>

On Nov 20, 2006, at 2:29 PM, nikns wrote:
> Perhaps this would be interesting for you:
> http://www.inliniac.net/blog/?p=46

That's pretty interesting, but it's sort of the opposite direction of
what I'm interested in.
That's aggregating alerts from multiple apache servers into a single
analyst's console, and that could be an interesting integration point
for Bro, but I'm thinking of having Bro watch the raw traffic over the
network and doing all of the mod_security analysis at that point.  I'd
like to be able to get alerts as if all of the hosts here were running
mod_security (even though few likely are).

Thanks for the link.

.Seth

From christian at whoop.org Mon Nov 20 11:50:44 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 20 Nov 2006 11:50:44 -0800
Subject: [Bro] mod_security and bro
In-Reply-To: 
References: 
Message-ID: <1164052244.19654.35.camel@strangepork>

Hi Seth,

On Mon, 2006-11-20 at 13:45 -0500, Seth Hall wrote:
> Hi, since the bro workshop, I've been thinking about a lot of ways
> that bro could be used that it isn't currently being used.  I had
> talked to Brian about how bro could go about detecting http
> application level attacks like cross site scripting and sql injection
> and we sort of came to the agreement that bro doesn't really work at
> this level currently.
>
> Over the weekend I realized that mod_security (http://www.modsecurity.org/)
> does what I'm thinking of in terms of detecting web application attack
> signatures.  My question is, does it seem reasonable to strip the
> apache specific code from mod_security and instrument it with broccoli
> to receive http events?  It's sort of just an extension on the
> sensitive_URIs variable, but it could at least be code that is
> maintained externally for detecting this specific subset of attacks.

mhmm -- I've only looked at their core signature set, but my impression
was that it's largely a set of regex signatures, with some additional
operations to check whether numerical values are in a certain range,
etc.  Is that roughly correct?

Having a Broccoli-enabled version of that module would certainly be
sweet.
Currently I'm not sure whether coding that up (and maintaining it for
future modsecurity releases) or supporting their signatures in Bro
(similar to snort2bro) is the way to go.

Cheers,
Christian.
--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From seth at net.ohio-state.edu Mon Nov 20 12:10:28 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Mon, 20 Nov 2006 15:10:28 -0500
Subject: [Bro] mod_security and bro
In-Reply-To: <1164052244.19654.35.camel@strangepork>
References: <1164052244.19654.35.camel@strangepork>
Message-ID: <261D682C-B517-4048-B31C-F7D90485EDC3@net.ohio-state.edu>

On Nov 20, 2006, at 2:50 PM, Christian Kreibich wrote:
> On Mon, 2006-11-20 at 13:45 -0500, Seth Hall wrote:
>> Over the weekend I realized that mod_security (http://www.modsecurity.org/)
>> does what I'm thinking of in terms of detecting web application attack
>> signatures.  My question is, does it seem reasonable to strip the
>> apache specific code from mod_security and instrument it with broccoli
>> to receive http events?  It's sort of just an extension on the
>> sensitive_URIs variable, but it could at least be code that is
>> maintained externally for detecting this specific subset of attacks.
>
> mhmm -- I've only looked at their core signature set, but my impression
> was that it's largely a set of regex signatures, with some additional
> operations to check whether numerical values are in a certain range,
> etc.  Is that roughly correct?
>
> Having a Broccoli-enabled version of that module would certainly be
> sweet.  Currently I'm not sure whether coding that up (and maintaining it
> for future modsecurity releases) or supporting their signatures in Bro
> (similar to snort2bro) is the way to go.

Ah, good point.  I guess I hadn't spent enough time looking around at
the rules for mod_security.
I just went and looked a little longer at the rules and it seems that
they have some problems in terms of how their rules work even.  They
can't even have a rule that needs to have some pattern matched in the
REQUEST_FILENAME (their terminology) and another pattern matched in the
RESPONSE_BODY for the rule to trigger.  But who am I to say, maybe they
consider that their signature matches are more flexible if the rules
aren't too strict.

.Seth

From robin at icir.org Mon Nov 20 16:01:57 2006
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Nov 2006 16:01:57 -0800
Subject: [Bro] mod_security and bro
In-Reply-To: <1164052244.19654.35.camel@strangepork>
References: <1164052244.19654.35.camel@strangepork>
Message-ID: <20061121000157.GJ355@icir.org>

On Mon, Nov 20, 2006 at 11:50 -0800, Christian Kreibich wrote:
> Having a Broccoli-enabled version of that module would certainly be
> sweet.  Currently I'm not sure whether coding that up (and maintaining it
> for future modsecurity releases) or supporting their signatures in Bro
> (similar to snort2bro) is the way to go.

Hmmm... On the one hand, the idea of feeding Bro-derived data into
modsecurity for analysis is kind of intriguing.  On the other, I think
I'd prefer to keep the detection mechanism inside Bro as otherwise this
might get tricky to use/setup/maintain (what happens with alerts?  Are
they going to be fed back to Bro?).

A converter like snort2bro is an option though I'm not sure whether
that is really worth the effort.  There don't seem to be so many sigs
at this point (I also have looked only at the core patterns), so
perhaps they can be just manually coded into a Bro script?
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From vern at icir.org Mon Nov 20 19:00:21 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 20 Nov 2006 19:00:21 -0800
Subject: [Bro] mod_security and bro
In-Reply-To: <20061121000157.GJ355@icir.org> (Mon, 20 Nov 2006 16:01:57 PST).
Message-ID: <200611210300.kAL30LM1068977@jaguar.icir.org>

> think I'd prefer to keep the detection mechanism inside Bro as
> otherwise this might get tricky to use/setup/maintain (what happens
> with alerts?  Are they going to be fed back to Bro?).

*Yes*, please let's strive for this whenever possible.  It makes a
major difference in the long run, when we (very often) find that the
standalone detector isn't by itself actionable, but could be if
combined with additional information/policy analysis - which Bro is
much better at doing than in an ad hoc basis inside the standalone
detector.

Vern

From robin at icir.org Tue Nov 21 20:05:11 2006
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Nov 2006 20:05:11 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <1163790411.24818.165.camel@strangepork>
References: <200611170751.kAH7pOXg089399@jaguar.icir.org>
	<1163790411.24818.165.camel@strangepork>
Message-ID: <20061122040511.GA9592@icir.org>

On Fri, Nov 17, 2006 at 11:06 -0800, Christian Kreibich wrote:
> Here you go -- this crashes on the first packet:

Ok, found the problem: it's not possible to give *local* variables as
the timeout; constants and globals are fine.  I'm going to add an error
message for the case of locals.

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From vern at icir.org Tue Nov 21 21:41:19 2006
From: vern at icir.org (Vern Paxson)
Date: Tue, 21 Nov 2006 21:41:19 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <20061122040511.GA9592@icir.org> (Tue, 21 Nov 2006 20:05:11 PST).
Message-ID: <200611220541.kAM5fJus066786@jaguar.icir.org>

> Ok, found the problem: it's not possible to give *local* variables
> as the timeout; constants and globals are fine.  I'm going to add an
> error message for the case of locals.

This doesn't seem to me to be the correct semantics.  It's a local
variable that's being created.  It should set its expiration timeout
based on the value of the expression used in the declaration.  It
doesn't matter that that expression is in terms of a local variable,
provided that that variable is defined at the time of initialization -
which is indeed the case in the example Christian put together.

Vern

From robin at icir.org Wed Nov 22 11:20:58 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 22 Nov 2006 11:20:58 -0800
Subject: [Bro] &expire_func/&create_expire question
In-Reply-To: <200611220541.kAM5fJus066786@jaguar.icir.org>
References: <20061122040511.GA9592@icir.org>
	<200611220541.kAM5fJus066786@jaguar.icir.org>
Message-ID: <20061122192058.GD14595@icir.org>

On Tue, Nov 21, 2006 at 21:41 -0800, you wrote:
> This doesn't seem to me to be the correct semantics.

Well, I agree.  I would also like to see it work.  I suppose my mail
was misleading: it's not for semantic reasons that it doesn't work but
for technical ones.  At the location inside the code where the expire
expression is evaluated (inside TableVal), I don't have a Frame at hand
to access local variables.  I haven't checked whether we might be able
to get the Frame information to that place in some way but even if we
could, it wouldn't exactly make the code nicer ...

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From dhanesh at tataelxsi.co.in Mon Nov 27 01:35:01 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Mon, 27 Nov 2006 15:05:01 +0530
Subject: [Bro] BRO issues
Message-ID: <001101c71207$504b4650$0637a8c0@telxsi.com>

Hi all,

Couple of issues in BRO 0.9a11 version:

1.
Bro restarts because of an Internal error "Connection Missing".  This
error is defined in:

void NetSessions::Remove(Connection* c)
    {
    ..
    ..
    else if ( ! tcp_conns.RemoveEntry(k) )
        internal_error(fmt("connection missing"));
    ..
    ..
    }

Can the internal error be ignored?  Anyways the tcp connection entry is
removed.

2. SSL does not seem to work properly for ciphersuites.  We see crashes
at different locations (tcp reassembler, tcp connection close etc).  Any
easy way to pick up the SSL bug fix patches from Bro 1.2 version?  I
believe a few SSL bugs are fixed in the newer version.

Dhanesh

From robin at icir.org Mon Nov 27 08:53:02 2006
From: robin at icir.org (Robin Sommer)
Date: Mon, 27 Nov 2006 08:53:02 -0800
Subject: [Bro] BRO issues
In-Reply-To: <001101c71207$504b4650$0637a8c0@telxsi.com>
References: <001101c71207$504b4650$0637a8c0@telxsi.com>
Message-ID: <20061127165302.GC6886@icir.org>

On Mon, Nov 27, 2006 at 15:05 +0530, Jaya Dhanesh wrote:
> different locations (tcp reassembler, tcp connection close etc). Any easy
> way to pick up the SSL bug fix patches from Bro 1.2 version?

No, not really.  I recommend upgrading to either 1.1 or 1.2, which may
fix both of the problems you're seeing.  We can't do much about 0.9
anymore, sorry.

Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From dcaldwell at colsa.com Mon Nov 27 10:01:57 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Mon, 27 Nov 2006 12:01:57 -0600
Subject: [Bro] Debian Bro install
Message-ID: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>

I have been trying to get bro to configure {./configure} for some time
now, and get errors at the end of the script run.  Something to the
tune of libpcap errors.  Is there a package or packages I need to
install to get bro to compile properly?
TIA
David Caldwell

From seth at net.ohio-state.edu Mon Nov 27 10:41:40 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Mon, 27 Nov 2006 13:41:40 -0500
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: 

On Nov 27, 2006, at 1:01 PM, David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?

Have you tried...

    ./configure --enable-shippedpcap

.Seth

From jrlee at lbl.gov Mon Nov 27 11:03:19 2006
From: jrlee at lbl.gov (Jason R. Lee)
Date: Mon, 27 Nov 2006 11:03:19 -0800
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <456B3677.2050106@lbl.gov>

David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?

You should have libpcap installed.  Usually an 'apt-get install libpcap'
will work.  If you want to send the output of your configure, I might be
able to see what the problem is.

Cheers,
jason

From bltierney at lbl.gov Mon Nov 27 11:03:36 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Mon, 27 Nov 2006 11:03:36 -0800
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <456B3688.9030104@lbl.gov>

You'll need to install libpcap.
See this page of the manual for more info:
http://www.bro-ids.org/Bro-user-manual/Hardware-and-Software-Requirements.html

David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?
>
> TIA
> David Caldwell

--
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381  fax: 510-495-2998  efax: 425-642-4558
bltierney at lbl.gov  http://www-didc.lbl.gov/~tierney

From jp.luiggi at free.fr Mon Nov 27 11:27:01 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 27 Nov 2006 14:27:01 -0500
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <20061127192701.GA7226@armada.mynetwork.local>

Hello David,

I installed and ran the latest Bro version on both Sarge and Etch
without problems.  Could you send the relevant information (details of
the log) please?

Best regards.

On Mon, Nov 27, 2006 at 12:01:57PM -0600, David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?
>
> TIA
> David Caldwell

From jp.luiggi at free.fr Mon Nov 27 11:35:30 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 27 Nov 2006 14:35:30 -0500
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <20061127193530.GA3071@armada.mynetwork.local>

Hello,

I just checked my own debian and here are the results.

1) a "./configure" on the archive (I only grep'ed the pcap references)

checking for pcap_open_live in -lpcap... yes
checking for pcap_freecode in -lpcap... yes
checking for pcap headers... /usr/include
checking if pcap_compile_nopcap needs error parameter... not needed
checking pcap-int.h usability... no
checking pcap-int.h presence... no
checking for pcap-int.h... no
checking for bpf_set_bufsize... no
checking for pcap_version in libpcap... yes
checking for main in -lpcap... yes

2) a "dpkg -l | grep pcap" on the debian

ii  libpcap0.8      0.9.5-1   System interface for user-level packet captu
ii  libpcap0.8-dev  0.9.5-1   Development library and header files for lib

I suggest you verify these two packages.

Best regards.

On Mon, Nov 27, 2006 at 12:01:57PM -0600, David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?
>
> TIA
> David Caldwell

From lkmldrop at gmail.com Mon Nov 27 11:42:53 2006
From: lkmldrop at gmail.com (lk ml)
Date: Mon, 27 Nov 2006 20:42:53 +0100
Subject: [Bro] Debian Bro install
In-Reply-To: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <3c7eb8fe0611271142q32cb7900jcafde18e21d72615@mail.gmail.com>

On 11/27/06, David Caldwell wrote:
> I have been trying to get bro to configure {./configure} for some
> time now, and get errors at the end of the script run.  Something to
> the tune of libpcap errors.  Is there a package or packages I need to
> install to get bro to compile properly?

    apt-get install libpcap-dev

Optionally you could install libmagic-dev and libclamav-dev.

From dcaldwell at colsa.com Mon Nov 27 14:38:51 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Mon, 27 Nov 2006 16:38:51 -0600
Subject: [Bro] Debian Bro install
In-Reply-To: 
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: 

I thought I had responded to the list with this one.  Yes, I have.  I
have also installed other packages that were suggested to make it work,
but unfortunately that hasn't helped either.

The thing is everything seems to work fine till it gets close to
conclusion.  The final messages I get are:

checking for tgetnum in -ltermcap........no
checking for termcap in /usr/lib{64}/termcap/......no
configure: error: libtermcap not found in default paths nor /usr/lib{64}/termcap

I get that same error even using the --enable-shippedpcap option.  I am
not sure what I am doing wrong, but something is amiss here.

I will try to send my responses directly back to the group from here on
out.
Thanks for the response

David Caldwell

On Nov 27, 2006, at 12:41 PM, Seth Hall wrote:
>
> On Nov 27, 2006, at 1:01 PM, David Caldwell wrote:
>
>> I have been trying to get bro to configure {./configure} for some
>> time now, and get errors at the end of the script run.  Something to
>> the tune of libpcap errors.  Is there a package or packages I need to
>> install to get bro to compile properly?
>
> Have you tried...
>     ./configure --enable-shippedpcap
>
> .Seth

From christian at whoop.org Mon Nov 27 15:20:56 2006
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 27 Nov 2006 15:20:56 -0800
Subject: [Bro] Debian Bro install
In-Reply-To: 
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <1164669657.27061.108.camel@strangepork>

Hi David,

On Mon, 2006-11-27 at 16:38 -0600, David Caldwell wrote:
> I thought I had responded to the list with this one.  Yes, I have.  I
> have also installed other packages that were suggested to make it
> work, but unfortunately that hasn't helped either.
>
> The thing is everything seems to work fine till it gets close to
> conclusion.  The final messages I get are:
>
> checking for tgetnum in -ltermcap........no
> checking for termcap in /usr/lib{64}/termcap/......no
> configure: error: libtermcap not found in default paths nor /usr/lib{64}/termcap
>
> I get that same error even using the --enable-shippedpcap option.  I
> am not sure what I am doing wrong, but something is amiss here.

Yeah, and it's unlikely to have anything to do with libpcap!  As the
output says, it's not finding libtermcap.  Do you have libtermcap on
your system?  It is currently required for the build.
On my Fedora system, for example, I have

$ rpm -ql libtermcap libtermcap-devel
/lib/libtermcap.so.2
/lib/libtermcap.so.2.0.8
/usr/include/termcap.h
/usr/lib/libtermcap.a
/usr/lib/libtermcap.so
/usr/share/info/termcap.info.gz

If it's installed but ends up in an unusual location on Debian, please let us know, otherwise try installing libtermcap and libtermcap-devel and see if that fixes things...

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From jrlee at lbl.gov Mon Nov 27 15:24:55 2006
From: jrlee at lbl.gov (Jason R. Lee)
Date: Mon, 27 Nov 2006 15:24:55 -0800
Subject: [Bro] Debian Bro install
In-Reply-To:
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com>
Message-ID: <456B73C7.4090604@lbl.gov>

Ahhh,

It's not a libpcap problem but a termcap problem. On Debian try:

apt-get install libncurses5-dev

Cheers,
jason

From dcaldwell at colsa.com Tue Nov 28 06:36:43 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Tue, 28 Nov 2006 08:36:43 -0600
Subject: [Bro] Debian Bro install
In-Reply-To: <456B73C7.4090604@lbl.gov>
References: <1A94B3DB-E667-4FF6-8E10-A2328FFCE1AC@colsa.com> <456B73C7.4090604@lbl.gov>
Message-ID: <1EB2EFF2-C3B4-482F-9DFB-50EAFEEB33F6@colsa.com>

That got it!!! I had no idea that ncurses was not installed as part of the base install for Debian. I am now looking at the config screen, and I do very much appreciate everyone's assistance. Now to start making things happen!!!

David

On Nov 27, 2006, at 5:24 PM, Jason R. Lee wrote:
>
> Ahhh,
>
> It's not a libpcap problem but a termcap problem. On Debian try:
>
> apt-get install libncurses5-dev
>
> Cheers,
> jason

From dcaldwell at colsa.com Tue Nov 28 08:42:33 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Tue, 28 Nov 2006 10:42:33 -0600
Subject: [Bro] Is there a quickstart method?
Message-ID: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com>

I am seeking a quickstart method to perform the following.

The intended purpose of the Bro install I am working on is to monitor incoming traffic only. To break it down simply I want to track only those incoming events that would appear to be malicious (ssh, telnet, etc). We are trying to upgrade our security situation here, and in order to get our customer to go along with it we have to show good reason why we need it. Using Bro to capture malicious attempted traffic will help us clarify the need for stiffer security measures than we currently implement.

I am reading the manuals, and looking for the info I need to do just that.
In the case of you, if I can get some pointers to where to look to do just what I have intended it would speed up the process for what I have in mind. We don't however wish to police our own outgoing and responding traffic. I know this is possible with Bro, and am trying to get this system up and running ASAP.

Can anyone provide pointers in the manuals, or other locations for such a setup?

From jbarlow at ncsa.uiuc.edu Tue Nov 28 13:47:58 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Tue, 28 Nov 2006 15:47:58 -0600
Subject: [Bro] Bro '06 workshop presentations online
Message-ID: <20061128214758.GA30203@wolrab.ncsa.uiuc.edu>

The first Bro workshop was held on Nov. 14th and 15th in Tampa, Florida. The workshop schedule and presentations can now be found at:

http://www.bro-ids.org/bro-workshop-2006/Bro06-workshop.html

Thanks for all the speakers who presented and all the participants who were able to attend.

--
James J. Barlow
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
Voice : (217)244-6403   1205 West Clark Street, Urbana, IL 61801
Cell  : (217)840-0601   http://www.ncsa.uiuc.edu/~jbarlow
Fax   : (217)244-1987

From robin at icir.org Tue Nov 28 19:35:34 2006
From: robin at icir.org (Robin Sommer)
Date: Tue, 28 Nov 2006 19:35:34 -0800
Subject: [Bro] Is there a quickstart method?
In-Reply-To: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com>
References: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com>
Message-ID: <20061129033533.GB28224@icir.org>

On Tue, Nov 28, 2006 at 10:42 -0600, you wrote:
> The intended purpose of the Bro install I am working on is to monitor
> incoming traffic only. To break it down simply I want to track only
> those incoming events that would appear to be malicious (ssh, telnet,
> etc).

In general, it's not really possible to restrict Bro's *analysis* to only incoming traffic.
The main reason here is that from Bro's policy-neutral perspective it's hard to tell what "incoming" actually means. Three ideas, depending on what exactly you want to achieve (which is not completely clear to me):

First, you can filter the *alerts* so that only activity regarding local hosts is reported. That's possible by writing a corresponding notice-policy (see notice-policy.bro, or ask me again if you need more details).

Second, if you're interested in a log of all incoming connections (or incoming connections to certain ports like ssh etc.), conn.log marks locally initiated connections with an "L" and remotely initiated ones with an "X" (once you've configured your local networks in site.bro). This is easily grep'able (or you can hack conn.bro to not even output the local connections[1]).

Third, firewall.bro allows you to define "firewall-like" rules (e.g., "no external hosts are allowed to connect to any local telnet port") and raises alerts if one is violated. It's not well documented (um, not at all?), so again please ask for details if you're interested in this functionality.

Does this help?

Robin

[1] In general you could hack any script to suppress its output for local connections but by default they don't provide this functionality.

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From bindiyavs at tataelxsi.co.in Tue Nov 28 20:31:05 2006
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Wed, 29 Nov 2006 10:01:05 +0530 (IST)
Subject: [Bro] Trouble with getting SSLv2 work for bro 0.9
Message-ID: <20061129100105.CCS76375@mail.tataelxsi.co.in>

Hi,

I am using bro 0.9 release on my network box. It is behaving weirdly with SSLv2 packets. Whenever an SSLv2 packet comes, it's giving the error "SSLv2: FATAL: recordLength doesn't match data block length!"

On further checking I figured out that data is getting overwritten in the function SSL_ConnectionProxy::NewSSLRecord.
So I replaced the initialization of sslpeo and sslper with

sslpeo = (SSL_ProxyEndpoint*) orig->contents_processor;
sslper = (SSL_ProxyEndpoint*) resp->contents_processor;

as in the SSLv1.1 release. So now the error is fixed, but it's crashing when an SSLv2 SERVER HELLO packet is coming. It's crashing when ((SSLv2_Endpoint*) s)->isDataPending() is getting called.

Is there any fix for this? Can someone help me out? I am waiting with my fingers crossed.

Thanks in advance,
Bindiya

From robin at icir.org Tue Nov 28 22:37:52 2006
From: robin at icir.org (Robin Sommer)
Date: Tue, 28 Nov 2006 22:37:52 -0800
Subject: [Bro] Trouble with getting SSLv2 work for bro 0.9
In-Reply-To: <20061129100105.CCS76375@mail.tataelxsi.co.in>
References: <20061129100105.CCS76375@mail.tataelxsi.co.in>
Message-ID: <20061129063752.GA31409@icir.org>

On Wed, Nov 29, 2006 at 10:01 +0530, Bindiya V S wrote:
> I am using bro 0.9 release on my network box. It is behaving weirdly with SSLv2 packets.

Can you please try Bro 1.2 and see if you get similar problems?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From christian at whoop.org Tue Nov 28 23:12:56 2006
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 28 Nov 2006 23:12:56 -0800
Subject: [Bro] Is there a quickstart method?
In-Reply-To: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com>
References: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com>
Message-ID: <1164784376.2453.79.camel@strangepork>

On Tue, 2006-11-28 at 10:42 -0600, David Caldwell wrote:
> We are trying to upgrade our security situation here, and in
> order to get our customer to go along with it we have to show good
> reason why we need it.

David, just two quick additions to what Robin said:

- Our marketing department just might fire me for saying this, but if you just want to show people how bad things are then you might not need anything as sophisticated as Bro.
For example, compare the number of valid connection requests in your sshd log to invalid ones -- my little DSL-connected box at home got hit around 400 times per day with malicious log-in attempts before I moved sshd to a different port. Looking at Apache logs might give you a similar picture.

- Speaking of different ports, a scenario in which Bro definitely *could* shine is detecting app-layer protocols on unusual ports, thanks to the new DPD framework:

http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection

As an example, you could use the IRC detector to find IRC-based botnets on arbitrary ports that way.

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From Stephan at rheoli.net Tue Nov 28 23:31:10 2006
From: Stephan at rheoli.net (Stephan)
Date: Wed, 29 Nov 2006 08:31:10 +0100
Subject: [Bro] Bro 1.2 under Solaris 8
Message-ID: <20061129073110.GA16863@rheoli.net>

Hi,

Is there someone running Bro 1.2 successfully under Solaris 8? I can compile it after some patching but it always core dumps (the more traffic is on the wire, the faster it core dumps). The problem also occurs on Bro 1.1 but not on 0.9.

Best regards,
Stephan Toggweiler

From jprakash at tataelxsi.co.in Wed Nov 29 02:44:36 2006
From: jprakash at tataelxsi.co.in (Jai Prakash D R)
Date: Wed, 29 Nov 2006 16:14:36 +0530
Subject: [Bro] multiple logs for a signature
Message-ID:

Hi,

I am working on bro-0.9, on a Fedora machine. I want to generate logs using signatures for the entire communication during a session. Due to the following check in RuleMatcher.cc

	// Skip if rule already fired for this connection.
	if ( state->matched_rules.is_member(r->Index()) )
		continue;

I was getting only one log per signature; though it matches a second time, it's not giving me a log.
I tried uncommenting the above two lines; though I am getting logs whenever it matches, I am also getting the logs for other signatures which were earlier logged.

Say for example: I have Signature-1 and Signature-2. First time Signature-1 is matched and I get a log for Signature-1. Second time when a packet is matched for Signature-2 I am getting a log for Signature-1 and Signature-2 as well.

Please help me to resolve this issue.

Regards
Prakash.

From jprakash at tataelxsi.co.in Wed Nov 29 04:10:46 2006
From: jprakash at tataelxsi.co.in (Jai Prakash D R)
Date: Wed, 29 Nov 2006 17:40:46 +0530
Subject: [Bro] signature match
Message-ID:

Hi,

I am working with bro-0.9 signatures. Please let me know where exactly the packets are being compared against all the available signatures. Once a signature is matched I want to get the rule->ID( ) of that signature.

When I am using the below piece of code from RuleMatcher.cc

	loop_over_list(accepted, i)
		{
		Rule* r = Rule::rule_table[accepted[i] - 1];
#ifdef MATCHER_PRINT_DEBUG
		fprintf(stderr, "%.06f Checking rule: %s\n", network_time, r->id);
#endif
		}

the rule->id's of previously matched signatures are being displayed.

Please help me in this regard.

Regards
Prakash.

From bindiyavs at tataelxsi.co.in Wed Nov 29 06:25:35 2006
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Wed, 29 Nov 2006 19:55:35 +0530 (IST)
Subject: [Bro] TCP Packets not getting logged
Message-ID: <20061129195535.CCT62576@mail.tataelxsi.co.in>

Hi,

I tried running some SSL PCAP (packet capture) files (using tcpreplay on the primary interface) with bro running on the system. Some of the TCP connections in the PCAP are not having the connection closing handshakes (FIN and ACK). When I try re-running the same PCAP in short intervals (running tcpreplays multiple times on the same PCAP), the packets coming on the connection which didn't have FIN and ACK earlier are not getting logged. The other packets which had their connections neatly closed are getting logged fine.

I am working on ver 0.9 currently, but the same thing is happening on 1.1 release. I assumed that conn->IsReuse() in Sessions.cc will return true for these kind of packets. But that is not happening.

Can someone help me out?

Thanks in Advance
Bindiya :)

From dcaldwell at colsa.com Wed Nov 29 09:12:12 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Wed, 29 Nov 2006 11:12:12 -0600
Subject: [Bro] What am I doing wrong here?
Message-ID: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>

Okay, I now have bro installed. Things appear to be in the right place. I must have missed something in the docs to get this working, and I am sure that it does not help that I am not exactly familiar with Debian. Bear with me here as I stumble my way through a new OS and Bro. I expect I am going to ask a lot of stupid questions, but I am documenting everything so that it may be used later to update or possibly improve the documentation or help someone else who is in the same boat I am.
Here is what I get when I try to start Bro from the command line:

jyd:/etc/rc3.d# /etc/init.d/bro.rc start
bro.rc: Running as non-root user bro
No directory, logging in with HOME=/
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live: socket: Operation not permitted
.. FAILED

Here are the outputs in the log files in /usr/local/bro/logs:

/usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live: socket: Operation not permitted

Am I missing a permission issue here or what? Do I need to make some changes in a config file that I missed?

TIA

David Caldwell
Colsa-HMT

From bltierney at lbl.gov Wed Nov 29 10:24:33 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Wed, 29 Nov 2006 10:24:33 -0800
Subject: [Bro] What am I doing wrong here?
In-Reply-To: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
Message-ID: <456DD061.7010109@lbl.gov>

Did you do a 'make install-brolite'? If so, it looks like the bro user account did not get created correctly. Check your /etc/passwd for a bro user id, and make sure the home directory is correct (/usr/local/bro)

--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381  fax: 510-495-2998  efax: 425-642-4558
bltierney at lbl.gov  http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From philou at philou.ch Wed Nov 29 10:38:05 2006
From: philou at philou.ch (Philippe Strauss)
Date: Wed, 29 Nov 2006 19:38:05 +0100
Subject: [Bro] What am I doing wrong here?
Message-ID: <20061129183805.GA11518@philou.ch>

On Wed, Nov 29, 2006 at 11:12:12AM -0600, David Caldwell wrote:
> Okay, I now have bro installed. Things appear to be in the right
> place. I must have missed something in the docs to get this working,
> and I am sure that it does not help that I am not exactly familiar
> with Debian. Bear with me here as I stumble my way through a new OS
> and Bro.
> I expect I am going to ask a lot of stupid questions, but I
> am documenting everything so that it may be used later to update or
> possibly improve the documentation or help someone else who is in the
> same boat I am.
>
> Here is what I get when I try to start Bro from the command line:
>
> jyd:/etc/rc3.d# /etc/init.d/bro.rc start
> bro.rc: Running as non-root user bro
> No directory, logging in with HOME=/
> bro.rc: Starting ..........bro.rc: Failed to start Bro
> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
> socket: Operation not permitted
> .. FAILED
>
> Here are the outputs in the log files in /usr/local/bro/logs:
>
> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
> socket: Operation not permitted
>
> Am I missing a permission issue here or what? Do I need to make some
> changes in a config file that I missed?

Yeap, on Linux systems you have to be root to open interfaces in promisc mode.

Edit etc/bro.cfg like the following:

# User id to install and run Bro under
BRO_USER_ID="root"

Regards.

--
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch

From robin at icir.org Wed Nov 29 10:39:28 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 29 Nov 2006 10:39:28 -0800
Subject: [Bro] What am I doing wrong here?
In-Reply-To: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
Message-ID: <20061129183928.GA28480@icir.org>

On Wed, Nov 29, 2006 at 11:12 -0600, David Caldwell wrote:
> bro.rc: Running as non-root user bro
[...]
> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
> socket: Operation not permitted

On Linux you need to be root to capture packets[1]

Robin

[1] Hack the kernel: http://www.icir.org/robin/patches/capture_group.html

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From jp.luiggi at free.fr Wed Nov 29 11:32:25 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Wed, 29 Nov 2006 14:32:25 -0500
Subject: [Bro] What am I doing wrong here?
In-Reply-To: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com>
Message-ID: <20061129193225.GA94@armada.mynetwork.local>

Hello David,

You've a problem with permissions; Robin responded about this problem in August. Here's the response:

=======
> at last,have a error message:problem with eth0 - pcap_open_live:socker:Operation not permitted

You don't have sufficient privileges to capture packets. I presume this is Linux? Then you need to run Bro as root (or apply a kernel patch: http://www.icir.org/robin/patches/capture_group.html)

Robin
======

Best regards.

From dcaldwell at colsa.com Wed Nov 29 11:34:58 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Wed, 29 Nov 2006 13:34:58 -0600
Subject: [Bro] What am I doing wrong here?
In-Reply-To: <456DD8A1.9080207@lbl.gov>
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com> <456DD8A1.9080207@lbl.gov>
Message-ID: <5EBF81FC-A8F9-4D72-85BD-3C4D6FB94EC4@colsa.com>

That is something I did not know till I got the responses from you guys. I re-ran brolite, and used the default user [root] for the user to run under. Now bro has started up and is doing something that resembles its job at this point. The startup was successful, and we shall see what kind of stuff it collects sitting in the internal office network for the next couple of hours.

Now with the next question.

Since the service runs as root, and the eth1 interface that it is running on is going to be exposed to the outside world, what do I need to do to my firewall config on this box to protect it from attack? What are your suggestions? I can run some pretty simple firewall rules to simply deny all on the interface, and allow only internal requests, but will this hinder bro from being able to do its job?

David

On Nov 29, 2006, at 12:59 PM, Jason Lee wrote:
>
> I think on Linux you have to run bro as root otherwise it can't
> open the Ethernet device in promiscuous mode.
>
> Cheers,
> jason

From dcaldwell at colsa.com Wed Nov 29 12:10:03 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Wed, 29 Nov 2006 14:10:03 -0600
Subject: [Bro] Is there a quickstart method?
In-Reply-To: <20061129192946.GA6752@icir.org>
References: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com> <20061129033533.GB28224@icir.org> <816F940B-7057-430B-B1C2-7449F6C5E4B3@colsa.com> <20061129185333.GC6508@icir.org> <7A612632-1A4B-4A12-AD4F-13EB2622060D@colsa.com> <20061129192946.GA6752@icir.org>
Message-ID:

Running FreeBSD, while being a good idea from all sides considering that was what it was developed on, puts me in a position where I have to relearn a whole operating system and be able to function halfway responsibly right this minute. I don't have that option.....yet.

Bro actually won't be parsing data the way we are setting it up.
I am mirroring the ports between the switch outside the firewall (input to the switch), and the interface of the bro machine. Now the bro machine is going to be sitting completely outside the firewall, with no internal connections at all. The admin interface (eth2) will also be outside the firewall. I will have to ssh to it from wherever. If I am thinking correctly it really does not matter what IP address I assign to the bro listening interface because in promiscuous mode the interface will not really have an IP address anyway.....it just listens on this interface (please correct me if I am wrong). On the second interface I can set up a quick iptables ruleset to deny all and allow only internal (to the box) requests.

So while I am not too terribly concerned about this box being used to circumvent my security inside the firewall, I am concerned about the box being taken over. Any of you have a suggestion as to how to keep this from happening, or is my logic sound on my thinking here?

David

On Nov 29, 2006, at 1:29 PM, Robin Sommer wrote:
>
> On Wed, Nov 29, 2006 at 13:03 -0600, you wrote:
>
>> Is that safe?
>
> Um, frankly, no.
>
> Personally I don't think that running Bro as root in production mode
> is a good idea. But Linux does require root privs for packet
> capturing (which is why I wrote this kernel hack to allow non-root
> members of a certain group to do it as well). One thing on my to-do
> list is adding code to Bro which drops the root privs once the
> interface is opened. Haven't got around to do that yet though,
> primarily because most of us here use FreeBSD which doesn't have
> this problem (and is *much* better in capture performance anyway).
>
>> thing is it? Now considering I am going to be running in pro mode I
>> suppose that it really won't have an ip assigned to that particular
>> interface so it really doesn't matter to much who the service runs
>> under, but still.....
>
> Yes, still...
Just think about that Bro is parsing the data on the > network link, e.g., data supplied by external entities... > >> I did run brolite to get things going yesterday, and it choked trying >> to create the user bro. It told me that I had to do it by hand. I did >> that, but neglected to assign the user a home directory. > > (I actually don't know much about the internals of the bro-lite > framework). > > Robin > > -- > Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org > LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org From jp.luiggi at free.fr Wed Nov 29 12:53:04 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Wed, 29 Nov 2006 15:53:04 -0500 Subject: [Bro] What am I doing wrong here? In-Reply-To: <5EBF81FC-A8F9-4D72-85BD-3C4D6FB94EC4@colsa.com> References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com> <456DD8A1.9080207@lbl.gov> <5EBF81FC-A8F9-4D72-85BD-3C4D6FB94EC4@colsa.com> Message-ID: <20061129205304.GA31152@armada.mynetwork.local> Hello, As far i know but i may have missed something :) , Bro doesn't listen on a specific network port and you can't ask to deliver a service as you would do for an Apache server. So just protect your firewall as usual. Best regards. On Wed, Nov 29, 2006 at 01:34:58PM -0600, David Caldwell wrote: > That is something I did not know till I got the responses from you > guys. I re-ran brolite, and used the default user [root] for the user > to run under. Now bro has started up and is doing something that > resembles its job at this point. The startup was successful, and we > shall see what kiind of stuff it collects sitting in the internal > office network fro the next couple of hours. > > Now with the next question. > > Since the service runs as root, and the eth1 interface that it is > running on is going to be exposed to the outside world, what do I > need to do to my firewall config on this box to protect it from attack? > What are your suggestions? 
I can run some pretty simple firewall > rules to simply deny all on the interface, and allow only internal > requests, but will this hinder bro from being able to do its job? > > David > > > On Nov 29, 2006, at 12:59 PM, Jason Lee wrote: > > > > > I think on Linux you have to run bro as root otherwise it can't > > open the Ethernet device in promiscuous mode. > > > > Cheers, > > jason > > > > > > > > David Caldwell wrote: > >> Okay, I now have bro installed. Things appear to be in the right > >> place. I must have missed something in the docs to get this working, > >> and I am sure that it does not help that I am not exactly familiar > >> with Debian. bear with me here as I stumble my way through a new OS > >> and Bro. I expect I am going to ask alot of stupid questions, but I > >> am documenting everything so that it may be used later to update or > >> possibly improve the documentation or help someone else who is in the > >> same boat I am. > >> > >> Here is what I get when I try to start Bro from the command line: > >> > >> jyd:/etc/rc3.d# /etc/init.d/bro.rc start > >> bro.rc: Running as non-root user bro > >> No directory, logging in with HOME=/ > >> bro.rc: Starting ..........bro.rc: Failed to start Bro > >> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live: > >> socket: Operation not permitted > >> .. FAILED > >> > >> here are the outputs in the logs files in /usr/local/bro/logs: > >> > >> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live: > >> socket: Operation not permitted > >> > >> Am I missing a permission issue here or what? Do I need to make some > >> changes in a config file that I missed? 
> >>
> >> TIA
> >>
> >> David Caldwell
> >> Colsa-HMT
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From seth at net.ohio-state.edu Wed Nov 29 13:04:27 2006
From: seth at net.ohio-state.edu (Seth Hall)
Date: Wed, 29 Nov 2006 16:04:27 -0500
Subject: [Bro] Is there a quickstart method?
In-Reply-To:
References: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com> <20061129033533.GB28224@icir.org> <816F940B-7057-430B-B1C2-7449F6C5E4B3@colsa.com> <20061129185333.GC6508@icir.org> <7A612632-1A4B-4A12-AD4F-13EB2622060D@colsa.com> <20061129192946.GA6752@icir.org>
Message-ID:

On Nov 29, 2006, at 3:10 PM, David Caldwell wrote:
> So while I am not too terribly concerned about this box being used to
> circumvent my security inside the firewall, I am concerned about the
> box being taken over. Any of you have a suggestion as to how to keep
> this from happening, or is my logic sound on my thinking here?

You have to keep in mind that since bro will be parsing packets that
are passing over your network, if someone crafts a packet that crashes
one of the protocol analyzers, there is potential for compromise.
Wireshark (ethereal) has run into this issue many times recently and
they have always strongly advised upgrading because people will tend to
run it as root, especially on linux. And if someone compromises your
IDS as the root user, it makes the attacker's job of hiding their
activity much easier.

Open source software isn't the only software affected by this problem
either, ISS's IDS had this problem recently too, and many of their
customers were compromised by malicious packets. Here's the CERT
advisory about it..
https://www.kb.cert.org/vuls/id/150326

Fortunately, Bro is heading down the path of becoming less vulnerable
to these attacks with binpac (http://bro-ids.org/wiki/index.php/BinPAC).

I would advise following Robin's advice and running bro as a user
other than root. That offers a little protection, but keep in mind that
closely monitoring the server is suggested so that if you are
compromised you may be able to detect it and recover quickly.

later,
.Seth

From dcaldwell at colsa.com Wed Nov 29 14:50:16 2006
From: dcaldwell at colsa.com (David Caldwell)
Date: Wed, 29 Nov 2006 16:50:16 -0600
Subject: [Bro] What am I doing wrong here?
In-Reply-To: <20061129205304.GA31152@armada.mynetwork.local>
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com> <456DD8A1.9080207@lbl.gov> <5EBF81FC-A8F9-4D72-85BD-3C4D6FB94EC4@colsa.com> <20061129205304.GA31152@armada.mynetwork.local>
Message-ID:

Just so I can make sure I was clear here, and so I have this down right
in my explanation to the group, I am going to rephrase the question I
asked earlier.

We have two interfaces on the machine that will run bro. One is the
bro listening interface, and this one gets run in promiscuous mode.
The second, which is my admin interface and will be firewalled to the
degree that I only have ssh listening on it, is in reality open to the
outside world. Since the bro interface runs in promiscuous mode, it
really doesn't matter what ip I run on that port (I currently have it
configured as a 10. address, and bro didn't complain going into
promiscuous mode). Both interfaces are physically set outside the
firewall. They have no internal connection to the inside network, nor
does the machine have anything running or set up to run that will
allow access to the inside network. Basically, if we want to look at
bro logs we have to ssh in from outside or go directly to the box in
the closet.
Now I do understand that running any process as root has its ugly side,
and it does open me up for malicious intent, but bro doesn't do anything
but listen like a big ear. There is no response built into bro that
would allow it to do anything. I do understand the crafted packet
concept, but if the only reachable port on the machine is only listening
to ssh requests from a specific range of ips, and is set up to use pass
phrase authentication with all other ports blocked to the outside, am I
not safe? I do intend to implement the patch to set bro up to run as bro
if for nothing else but to try to insure that is one less way of
compromising the machine.

I am in no way a security guy. I am just trying to analyze this in a
fashion that seems to make some form of logical sense to me. I know
there is no such thing as perfect security, but in the end this box
really does nothing but listen and record what it hears. It has no
exposure to the internal network at all except for ssh connections
coming to it from a specifically small range of ips. I know this reads
as argumentative, but all I am trying to do is understand what is
happening and try to implement sound measures so I don't have to rebuild
this box again once a week.

I guess maybe I should be asking for suggestions more than anything as
to how I should set this up. If I had a way to put a diagram of the
setup here I would, and maybe you guys could tell me what I need to know
that way. I am not known for being the best at explaining things.

David

On Nov 29, 2006, at 2:53 PM, Jean-Philippe Luiggi wrote:
> Hello,
>
> As far as I know, but I may have missed something :), Bro doesn't
> listen on a
> specific network port and you can't ask it to deliver a service as you
> would do for an Apache server.
>
> So just protect your firewall as usual.
>
> Best regards.
>

From mcuttler at bnl.gov Wed Nov 29 15:59:02 2006
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Wed, 29 Nov 2006 18:59:02 -0500
Subject: [Bro] What am I doing wrong here?
In-Reply-To:
References: <4873D587-8BDA-422D-9C12-F97D8C4F8EAF@colsa.com> <456DD8A1.9080207@lbl.gov> <5EBF81FC-A8F9-4D72-85BD-3C4D6FB94EC4@colsa.com> <20061129205304.GA31152@armada.mynetwork.local>
Message-ID: <456E1EC6.6080309@bnl.gov>

David Caldwell wrote:
> We have two interfaces on the machine that will run bro. One is the
> bro listening interface, and this one gets run in promiscuous mode.
> The second, which is my admin interface and will be firewalled to the
> degree that I only have ssh listening on it, is in reality open to the
> outside world. Since the bro interface runs in promiscuous mode, it
> really doesn't matter what ip I run on that port (I currently have it
> configured as a 10. address, and bro didn't complain going into
> promiscuous mode). Both interfaces are physically set outside the
> firewall. They have no internal connection to the inside network, nor
> does the machine have anything running or set up to run that will
> allow access to the inside network. Basically, if we want to look at
> bro logs we have to ssh in from outside or go directly to the box in
> the closet.

David,

You don't need an IP address at all on your bro interface; the interface
just needs to be "up" to throw it into promisc mode.

With respect to the admin interface, there's always serial port / out of
band management (I'd recommend that the management box or console access
server reside behind your firewall!). Rather than getting way off topic,
I'd invite you to contact me off-list if you'd like to discuss :-)

If you employ both of these methods, your bro box is (pretty much, at
least at L3) invisible to the world.
Good luck

-Matt Cuttler

From jp.luiggi at free.fr Wed Nov 29 16:27:07 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Wed, 29 Nov 2006 19:27:07 -0500
Subject: [Bro] Is there a quickstart method?
In-Reply-To:
References: <7A5C1B04-20C8-4BB6-838D-184DBBED40F7@colsa.com> <20061129033533.GB28224@icir.org> <816F940B-7057-430B-B1C2-7449F6C5E4B3@colsa.com> <20061129185333.GC6508@icir.org> <7A612632-1A4B-4A12-AD4F-13EB2622060D@colsa.com> <20061129192946.GA6752@icir.org>
Message-ID: <20061130002707.GA28942@armada.mynetwork.local>

Hello,

On Wed, Nov 29, 2006 at 02:10:03PM -0600, David Caldwell wrote:
>
> be outside the firewall. I will have to ssh to it from wherever. If I
> am thinking correctly it really does not matter what ip address I
> assign to the bro listening interface because in promiscuous mode the
> interface will not really have an ip address anyway.....it just

There is no relation between having an IP address or not and running in
promiscuous mode. You can listen (promiscuous or not) to the traffic on
an interface, with an IP or without one.

> listens on this interface (please correct me if I am wrong). the
> second interface I can set up a quick iptables ruleset to deny all
> and allow only internal (to the box) requests.

Yes, it's a possible workaround.

> So while I am not too terribly concerned about this box being used to
> circumvent my security inside the firewall, I am concerned about the
> box being taken over. Any of you have a suggestion as to how to keep
> this from happening, or is my logic sound on my thinking here?

As I said before, Bro doesn't run as a network service. And some ideas:

- use a firewall (iptables) to block offending traffic.
- use ssh on a different port than 22.
- use complex passwords, disable direct root login (example of conf following):

====
Port 22101
Protocol 2
ListenAddress x.y.z.t
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
====

- You may also want to use a HIDS such as "ossec"

Best regards.

From robin at icir.org Wed Nov 29 18:58:11 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 29 Nov 2006 18:58:11 -0800
Subject: [Bro] Bro 1.2 under Solaris 8
In-Reply-To: <20061129073110.GA16863@rheoli.net>
References: <20061129073110.GA16863@rheoli.net>
Message-ID: <20061130025811.GD8909@icir.org>

On Wed, Nov 29, 2006 at 08:31 +0100, Stephan wrote:
> Is there someone running Bro 1.2 successfully under Solaris 8?

I don't know whether anybody is using Bro with live traffic but it used
to work for me offline on Solaris 9 (iirc, the last version I tried was
1.1).

> I can compile it after some patching but it always core dumps (the
> more traffic there is on the wire, the faster it core dumps).

It's supposed to compile on Solaris without requiring patches. Can you
send us the error messages as well as which tweaks you did to get it to
compile? Regarding the core dumps, can you compile a debug version
(configure --enable-debug) and send a stack backtrace? (And one thing
also worth trying is reading a larger trace instead of running live,
which as said I've never tried on Solaris).

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Wed Nov 29 19:01:49 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 29 Nov 2006 19:01:49 -0800
Subject: [Bro] multiple logs for a signature
In-Reply-To:
References:
Message-ID: <20061130030149.GE8909@icir.org>

On Wed, Nov 29, 2006 at 16:14 +0530, Jai Prakash D R wrote:
> I am working on bro-0.9, fedora machine. I want to generate logs using
> signatures for the entire communication during a session.

Bro's model is to report each signature at most once per connection.
I don't think that this is easily changeable. Can you sketch why in your
setup you'd like to have signatures reported multiple times?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Wed Nov 29 19:05:31 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 29 Nov 2006 19:05:31 -0800
Subject: [Bro] signature match
In-Reply-To:
References:
Message-ID: <20061130030531.GF8909@icir.org>

On Wed, Nov 29, 2006 at 17:40 +0530, Jai Prakash D R wrote:
> Once a signature is matched i want to get the rule->ID( ) of that signature.

The method RuleMatcher::ExecRuleActions() might be the best entry point
for you. It's called when a signature matches for the first time on a
certain connection, and triggers actions like raising the
signature_match event. Depending on what exactly you want to do, you may
also consider writing a new RuleAction. See class RuleActionEvent as an
example.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Wed Nov 29 19:10:11 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 29 Nov 2006 19:10:11 -0800
Subject: [Bro] TCP Packets not getting logged
In-Reply-To: <20061129195535.CCT62576@mail.tataelxsi.co.in>
References: <20061129195535.CCT62576@mail.tataelxsi.co.in>
Message-ID: <20061130031011.GG8909@icir.org>

On Wed, Nov 29, 2006 at 19:55 +0530, Bindiya V S wrote:
> connection closing handshakes (FIN and ACK). When I try re-running
> the same PCAP in short intervals (running tcpreplays multiple times
> on the same PCAP), the packets coming on the connection which didn't
> have FIN and ACK earlier are not getting logged.

That's because the internal connection state for these connections is
still in memory and Bro believes that the incoming packets do actually
belong to the same (old) connection.
For connections closed with FINs, the connection state is flushed more
quickly, which is why you're less likely to see this effect for them.

In general, replaying the same traffic multiple times is likely to
confuse Bro in various ways (e.g., also some of the scripts). Usually
it's best to create multiple different instances of the trace first by,
e.g., changing IP addresses.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From dhanesh at tataelxsi.co.in Thu Nov 30 01:42:21 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Thu, 30 Nov 2006 15:12:21 +0530
Subject: [Bro] Bro errors on opensuse 10.1 i586
Message-ID: <008301c71463$d5c5b410$0637a8c0@telxsi.com>

Hi,

Bro compiles fine, installs fine, but this is what I get while trying to
run it on opensuse 10.1 i585:

/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 34:
run-time error: error compiling pattern /(((((((((((((((((((((^?.*(etc.*
\/.*(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi
\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|
test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader
\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk
\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd
\.(tar|
tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*([tT][aA][gG][gG]
[eE][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyc
eum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))
|(^?.*(invader\.(tar|tgz).*))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 42:
run-time error: error compiling pattern /((^?.*(.*\/c\
+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 48:
run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|
test-cgi))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 50:
run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
/home/vish/work/net/bro/bro-soap/policy/http-reply.bro, line 110:
run-time error: error compiling pattern /^?.*(^ )/
/home/vish/work/net/bro/bro-soap/policy/hot-ids.bro, line 15: run-time
error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/

Is there any problem with BRO regular expressions? How can I fix it?

Thanks,
Dhanesh

From jp.luiggi at free.fr Thu Nov 30 06:14:54 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 30 Nov 2006 09:14:54 -0500
Subject: [Bro] Bro errors on opensuse 10.1 i586
In-Reply-To: <008301c71463$d5c5b410$0637a8c0@telxsi.com>
References: <008301c71463$d5c5b410$0637a8c0@telxsi.com>
Message-ID: <20061130141454.GA3918@armada.mynetwork.local>

Hello Jaya,

I'm not familiar with opensuse but the first question coming to my mind
is about the Bro version you use.

Best regards.

On Thu, Nov 30, 2006 at 03:12:21PM +0530, Jaya Dhanesh wrote:
>
> Hi,
>
> Bro compiles fine, installs fine, but this is what I get while trying to
> run it on opensuse 10.1 i585:
>
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 34:
> run-time error: error compiling pattern /(((((((((((((((((((((^?.*(etc.*
> \/.*(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi
> \?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
> \.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|
> test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader
> \.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk
> \.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd
> \.(tar|
> tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*([tT][aA][gG][gG]
> [eE][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyc
> eum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))
> |(^?.*(invader\.(tar|tgz).*))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 42:
> run-time error: error compiling pattern /((^?.*(.*\/c\
> +dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 48:
> run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|
> test-cgi))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 50:
> run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
> /home/vish/work/net/bro/bro-soap/policy/http-reply.bro, line 110:
> run-time error: error compiling pattern /^?.*(^ )/
> /home/vish/work/net/bro/bro-soap/policy/hot-ids.bro, line 15: run-time
> error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
>
> Is there any problem with BRO regular expressions? How can I fix it?
>
> Thanks,
> Dhanesh
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From dhanesh at tataelxsi.co.in Thu Nov 30 08:22:22 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Thu, 30 Nov 2006 21:52:22 +0530
Subject: [Bro] Bro errors on opensuse 10.1 i586
In-Reply-To: <20061130141454.GA3918@armada.mynetwork.local>
Message-ID: <001601c7149b$b7a18210$0637a8c0@telxsi.com>

Hi

I am using 0.9a11

Dhanesh.

-----Original Message-----
From: Jean-Philippe Luiggi [mailto:jp.luiggi at free.fr]
Sent: Thursday, November 30, 2006 19:45
To: Jaya Dhanesh
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Bro errors on opensuse 10.1 i586

Hello Jaya,

I'm not familiar with opensuse but the first question coming to my mind
is about the Bro version you use.

Best regards.
On Thu, Nov 30, 2006 at 03:12:21PM +0530, Jaya Dhanesh wrote:
>
> Hi,
>
> Bro compiles fine, installs fine, but this is what I get while trying to
> run it on opensuse 10.1 i585:
>
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 34:
> run-time error: error compiling pattern /(((((((((((((((((((((^?.*(etc.*
> \/.*(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi
> \?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
> \.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|
> test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader
> \.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk
> \.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd
> \.(tar|
> tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*([tT][aA][gG][gG]
> [eE][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyc
> eum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))
> |(^?.*(invader\.(tar|tgz).*))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 42:
> run-time error: error compiling pattern /((^?.*(.*\/c\
> +dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 48:
> run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|
> test-cgi))/
> /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 50:
> run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
> /home/vish/work/net/bro/bro-soap/policy/http-reply.bro, line 110:
> run-time error: error compiling pattern /^?.*(^ )/
> /home/vish/work/net/bro/bro-soap/policy/hot-ids.bro, line 15: run-time
> error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
>
> Is there any problem with BRO regular expressions? How can I fix it?
>
> Thanks,
> Dhanesh
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jp.luiggi at free.fr Thu Nov 30 09:08:54 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 30 Nov 2006 12:08:54 -0500
Subject: [Bro] Bro 1.2 vs OpenBSD
Message-ID: <20061130170854.GA9884@armada.mynetwork.local>

Hello All,

Good news... I was tired of still using 1.0, so the last two days (I
use an old but good laptop) were dedicated to the stage of making Bro
1.2 work on OpenBSD.

I use OpenBSD 4.0 current and magically:

# uname -a
OpenBSD armada.mynetwork.local 4.0 GENERIC#1227 i386

# ps waux | grep bro
root 25579 0.0 0.4 888 800 p3 I 11:49AM 0:00.07 sh ./bro.rc start
root 14757 0.1 5.8 1868 11164 p3 S 11:49AM 0:01.03 /opt/share/bro-1.2/bin/bro -W -i rl0 brolite.bro

I just had to "slightly" modify "configure.in" and add some #ifdef in the
source tree.

The last surprise was with "bro.rc" and the "old" bug:

# sh ./bro.rc start
./bro.rc[478]: syntax error: (' unexpected

The problem was related to the name of the function in charge of
stopping the process. It's called stop() in the script and I suspect a
problem with the shell. I just had to rename it to brostop() to make it
functional.

So it now works; the next few days will be spent checking if the
solution is stable.

Best regards.

From jp.luiggi at free.fr Thu Nov 30 09:13:36 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 30 Nov 2006 12:13:36 -0500
Subject: [Bro] Bro errors on opensuse 10.1 i586
In-Reply-To: <001601c7149b$b7a18210$0637a8c0@telxsi.com>
References: <20061130141454.GA3918@armada.mynetwork.local> <001601c7149b$b7a18210$0637a8c0@telxsi.com>
Message-ID: <20061130171336.GB9884@armada.mynetwork.local>

Hello Jaya,

I can't remember a bug looking like this one, but could you consider
testing the last release (1.2)? Just to check whether the problem is
still there or not?

Best regards.
On Thu, Nov 30, 2006 at 09:52:22PM +0530, Jaya Dhanesh wrote:
> Hi
>
> I am using 0.9a11
>
> Dhanesh.
>
> -----Original Message-----
> From: Jean-Philippe Luiggi [mailto:jp.luiggi at free.fr]
> Sent: Thursday, November 30, 2006 19:45
> To: Jaya Dhanesh
> Cc: bro at ICSI.Berkeley.EDU
> Subject: Re: [Bro] Bro errors on opensuse 10.1 i586
>
>
> Hello Jaya,
>
> I'm not familiar with opensuse but the first question coming to my mind is
> about the Bro version you use.
>
> Best regards.
>
> On Thu, Nov 30, 2006 at 03:12:21PM +0530, Jaya Dhanesh wrote:
> >
> > Hi,
> >
> > Bro compiles fine, installs fine, but this is what I get while trying to
> > run it on opensuse 10.1 i585:
> >
> > /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 34:
> > run-time error: error compiling pattern /(((((((((((((((((((((^?.*(etc.*
> > \/.*(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi
> > \?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
> > \.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|
> > test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader
> > \.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk
> > \.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd
> > \.(tar|
> > > tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*([tT][aA][gG][gG]
> > > [eE][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyc
> > > eum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))
> > |(^?.*(invader\.(tar|tgz).*))/
> > /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 42:
> > run-time error: error compiling pattern /((^?.*(.*\/c\
> > +dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
> > /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 48:
> > run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|
> > test-cgi))/
> > /home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 50:
> > run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
> > /home/vish/work/net/bro/bro-soap/policy/http-reply.bro, line 110:
> > run-time error: error compiling pattern /^?.*(^ )/
> > /home/vish/work/net/bro/bro-soap/policy/hot-ids.bro, line 15: run-time
> > error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
> >
> > Is there any problem with BRO regular expressions? How can I fix it?
> >
> > Thanks,
> > Dhanesh
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From robin at icir.org Thu Nov 30 10:10:11 2006
From: robin at icir.org (Robin Sommer)
Date: Thu, 30 Nov 2006 10:10:11 -0800
Subject: [Bro] Bro 1.2 vs OpenBSD
In-Reply-To: <20061130170854.GA9884@armada.mynetwork.local>
References: <20061130170854.GA9884@armada.mynetwork.local>
Message-ID: <20061130181011.GB14218@icir.org>

On Thu, Nov 30, 2006 at 12:08 -0500, Jean-Philippe Luiggi wrote:
> so it now works, the next few days will be spent checking if the solution is stable.

If so, please send us a patch with the changes you did!

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From jp.luiggi at free.fr Thu Nov 30 10:45:17 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 30 Nov 2006 13:45:17 -0500
Subject: [Bro] Bro 1.2 vs OpenBSD
In-Reply-To: <20061130181011.GB14218@icir.org>
References: <20061130170854.GA9884@armada.mynetwork.local> <20061130181011.GB14218@icir.org>
Message-ID: <20061130184517.GA10677@armada.mynetwork.local>

Hello

Sure my friend. :-)

Even if the solution seems to work, I think it's the first stage of
porting Bro to OpenBSD. But (IMHO), it'll be the first stage of the job.
Next will be adding the availability of non-blocking DNS requests. I
know how to do this, I only have to test it.

Best regards.
On Thu, Nov 30, 2006 at 10:10:11AM -0800, Robin Sommer wrote:
>
> On Thu, Nov 30, 2006 at 12:08 -0500, Jean-Philippe Luiggi wrote:
>
> > so it now works, the next few days will be spent checking if the solution is stable.
>
> If so, please send us a patch with the changes you did!
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From jp.luiggi at free.fr Thu Nov 30 11:12:16 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 30 Nov 2006 14:12:16 -0500
Subject: [Bro] Bro 1.2 vs OpenBSD
In-Reply-To: <20061130170854.GA9884@armada.mynetwork.local>
References: <20061130170854.GA9884@armada.mynetwork.local>
Message-ID: <20061130191216.GA17405@armada.mynetwork.local>

Hello,

Just to be sure of my idea regarding the problem with the stop() function
inside "bro.rc", I changed the shell and used bash. stop() now works as
is.

May I suggest modifying the offending function's name? :-)

Best regards.

> The last surprise was with "bro.rc" and the "old" bug:
>
> # sh ./bro.rc start
> ./bro.rc[478]: syntax error: (' unexpected
>
> The problem was related to the name of the function in charge of stopping the
> process. It's called stop() in the script and I suspect a problem with the
> shell. I just had to rename it to brostop() to make it functional.
>
> So it now works; the next few days will be spent checking if the solution is stable.
>
> Best regards.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From christian at whoop.org Thu Nov 30 13:59:22 2006
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 30 Nov 2006 13:59:22 -0800
Subject: [Bro] Bro 1.2 vs OpenBSD
In-Reply-To: <20061130170854.GA9884@armada.mynetwork.local>
References: <20061130170854.GA9884@armada.mynetwork.local>
Message-ID: <1164923962.17959.31.camel@strangepork>

Hi,

On Thu, 2006-11-30 at 12:08 -0500, Jean-Philippe Luiggi wrote:
> I just had to "slightly" modify "configure.in" and add some #ifdef in the
> source tree.

I just tried to build the 1.2 release on OpenBSD 3.8 and it bombs out
with yet another ARP header inclusion glitch. :( Is that what you fixed?
It seems what's needed is a header check for net/ethertypes.h.

On Thu, 2006-11-30 at 13:45 -0500, Jean-Philippe Luiggi wrote:
> Even if the solution seems to work, i think, it's the first stage of
> porting Bro to OpenBSD.

It really shouldn't have to be a "port". :) Besides the ARP glitch and
the fact that nbdns is not available, is there anything else?

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
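The bro.rc failure Jean-Philippe reports earlier in this thread (a function named stop() that OpenBSD's /bin/sh rejects with "syntax error: '(' unexpected", while bash accepts the same script) has a concrete cause: OpenBSD's /bin/sh is pdksh, and ksh predefines `stop` as an alias for `kill -STOP`, so alias expansion turns `stop() {` into `kill -STOP () {`, which is not a valid function definition. His brostop() rename sidesteps it. The script below is an added example written for this thread, not Bro's own bro.rc: a minimal POSIX rc-style control script in which every function carries a bro prefix so it cannot collide with a shell alias or builtin, while the command words the operator types (start, stop, status) stay as they were. The pid-file location and the background `sleep` standing in for the daemon are constructed for the example.

```shell
#!/bin/sh
# Added example, not Bro's bro.rc. Function names are prefixed with "bro"
# so that none of them can clash with a predefined shell alias (ksh's
# `stop` = `kill -STOP`) or a builtin; only the *names* matter to the
# parser, the command words dispatched below may still be start/stop.
# PIDFILE and the background `sleep` daemon stand-in are constructed.

PIDFILE="${PIDFILE:-${TMPDIR:-/tmp}/bro-example.pid}"

# Exit 0 when a pid file exists and the process it names is still alive.
brostatus() {
    [ -f "$PIDFILE" ] || return 1
    kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start the (stand-in) daemon and record its pid; refuse a double start.
brostart() {
    if brostatus; then
        echo "already running (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    sleep 300 &
    echo $! > "$PIDFILE"
}

# Stop the daemon recorded in the pid file. Deliberately not named stop().
brostop() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null || true
    # Reap it if it is our own child, so a zombie cannot keep answering kill -0.
    wait "$pid" 2>/dev/null || true
    rm -f "$PIDFILE"
    return 0
}

# Dispatcher: the user-facing verbs keep their natural names.
brorc() {
    case "$1" in
        start)  brostart ;;
        stop)   brostop ;;
        status) brostatus ;;
        *) echo "usage: $0 {start|stop|status}" >&2; return 2 ;;
    esac
}

# Run the dispatcher only when explicitly asked, so the file can also be
# sourced (for testing, or by another rc script) without side effects.
if [ "${BRORC_RUN:-0}" = 1 ]; then
    brorc "$@"
fi
```

Invoke it as `BRORC_RUN=1 sh ./brorc.sh start` (and `stop`, `status`) or source it and call `brorc` directly; with `sh` being ksh on OpenBSD and dash on Debian, the prefixed names parse identically on both.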