From jean-philippe.luiggi at didconcept.com Sat Dec 1 05:53:52 2007
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Sat, 1 Dec 2007 08:53:52 -0500
Subject: [Bro] (no subject)
In-Reply-To: <6db04b6c0711301205u27aa4dd6rde0b5b9b3bdbc9a5@mail.gmail.com>
References: <6db04b6c0711301205u27aa4dd6rde0b5b9b3bdbc9a5@mail.gmail.com>
Message-ID: <20071201085352.2269ca6a@mygw.didconcept.com>

Hello,

As far as I know, you could choose the email address you want.
Besides this, you should run

1) site-report.pl
2) mail_reports.sh /bro.cfg

The first script will generate a ".rpt" file, then the second will send it
to the address provided in "bro.cfg".

Best regards,

Jean-philippe.

On Fri, 30 Nov 2007 15:05:43 -0500 "kanthi myneni" wrote:

> Hi,
>
> I am unable to generate daily reports in Bro. It configured and
> installed successfully. To which address will it send the reports?
>
> Like in configuring Bro
>
> Email addresses for internal reports [bro at localhost]
>
> What type of email address can I provide here?
>
> It went well in every aspect except this. Can you help me generate
> reports?
>
> Thanks & Regards,
>
> Kanthi Myneni.

From robin at icir.org Mon Dec 3 09:47:38 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Dec 2007 09:47:38 -0800
Subject: [Bro] Subversion repository and Blog
Message-ID: <20071203174738.GA59970@icir.org>

Dear Bro list,

we are happy to announce some news:

- the Bro Subversion repository is now available for public access.

- ICSI's networking group now has a blog at http://blog.icir.org, which
  we will also use to cover Bro usage and development.

For more information about the Subversion repository, see the blog.
:-)

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From muscletot at gmail.com Tue Dec 4 11:35:47 2007
From: muscletot at gmail.com (Mike Wood)
Date: Tue, 4 Dec 2007 11:35:47 -0800
Subject: [Bro] a tree structure with Bro records -- traversal w/ callback (FYI)
Message-ID: <7f3e32390712041135v5df8257dpedef3556895adf46@mail.gmail.com>

Thanks for the tip -- I have built my tree as you suggest, storing nodes in
a table and managing the hierarchy simply with non-recursive key references
stored in each node.

Now I would like to create a function to walk my tree that takes a callback
function to perform some arbitrary computation on each node as the tree is
traversed. What I'd like is the ability to do the following:

    function callback( i : count )
    {
        print fmt("i: %d", i);
    }

    function caller( f : function(j:count) )
    {
        f(13);
    }

    event bro_init()
    {
        caller( callback );
    }

... but as you will see, lots of type clashing errors are generated for
this code. I have had success defining a global variable for the callback
function and using 'redef' to change its value, but that will only allow
one value for the callback per Bro invocation.

AHA! While writing this message, I have discovered the problem -- the
function callback signature and its corresponding function argument
signatures must match *exactly* -- including the argument names. In the
above case, the "i" and "j" cannot be different, they must be the same.
The corrected version of the above would be

    function callback( i : count )
    {
        print fmt("i: %d", i);
    }

    function caller( f : function(i:count) )
    {
        f(13);
    }

    event bro_init()
    {
        caller( callback );
    }

... which prints "i: 13" to stdout.

Like I said in the subject, just an FYI.

Thanks,
Mike

On 11/30/07, Vern Paxson wrote:
>
> You could fake it up using table[string] of XYZ, where XYZ records include
> a string that point back into the table. Not pretty, but seems it should
> work.
>
> (or, slightly easier, a table[count] of XYZ, along with a counter that you
> just increment every time you add a new node, which becomes its identifier)
>

From vern at icir.org Tue Dec 4 13:27:00 2007
From: vern at icir.org (Vern Paxson)
Date: Tue, 04 Dec 2007 13:27:00 -0800
Subject: [Bro] a tree structure with Bro records -- traversal w/ callback (FYI)
In-Reply-To: <7f3e32390712041135v5df8257dpedef3556895adf46@mail.gmail.com> (Tue, 04 Dec 2007 11:35:47 PST).
Message-ID: <200712042127.lB4LR5Kd007556@pork.ICSI.Berkeley.EDU>

> signatures must match *exactly* -- including the argument names. In
> the above case, the "i" and "j" cannot be different, they must be the
> same. The corrected version of the above would be

Yeah, that's something stupid from day-one when I first introduced
functions that I've never gotten around to fixing. Sorry about the time
spent puzzling this out :-(.

Vern

From muscletot at gmail.com Tue Dec 4 15:43:37 2007
From: muscletot at gmail.com (Mike Wood)
Date: Tue, 4 Dec 2007 15:43:37 -0800
Subject: [Bro] invoking an analyzer without the default policy script?
Message-ID: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com>

I would like to be able to write nothing but

    event dns_request(c: connection, msg: dns_msg, query: string,
                      qtype: count, qclass: count)
    {
        print fmt("dns: %s", query);
    }

in my policy script, and get a print out for every DNS request... but this
dns_request handler does not get called unless I add

    @load dns

at the top. I don't really want all the other stuff that comes with the
dns.bro script. Is there any way around this?

Thanks,
Mike

From robin at icir.org Wed Dec 5 00:43:40 2007
From: robin at icir.org (Robin Sommer)
Date: Wed, 5 Dec 2007 00:43:40 -0800
Subject: [Bro] invoking an analyzer without the default policy script?
In-Reply-To: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com>
References: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com>
Message-ID: <20071205084340.GB70580@icir.org>

On Tue, Dec 04, 2007 at 15:43 -0800, Mike Wood wrote:

> this dns_request handler does not get called unless I add
>
> @load dns

Most likely you haven't set the capture filter to include DNS packets
into the analysis. Try adding this to your script (which is from dns.bro):

    redef capture_filters += {
        ["dns"] = "port 53",
        ["netbios-ns"] = "udp port 137",
    };

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From muscletot at gmail.com Wed Dec 5 10:36:29 2007
From: muscletot at gmail.com (Mike Wood)
Date: Wed, 5 Dec 2007 10:36:29 -0800
Subject: [Bro] invoking an analyzer without the default policy script?
In-Reply-To: <20071205084340.GB70580@icir.org>
References: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com> <20071205084340.GB70580@icir.org>
Message-ID: <7f3e32390712051036t782d3307s6862106b216b0957@mail.gmail.com>

On 12/5/07, Robin Sommer wrote:
>
> On Tue, Dec 04, 2007 at 15:43 -0800, Mike Wood wrote:
>
> > this dns_request handler does not get called unless I add
> >
> > @load dns
>
> Most likely you haven't set the capture filter to include DNS
> packets into the analysis. Try adding this to your script (which is
> from dns.bro):
>
>     redef capture_filters += {
>         ["dns"] = "port 53",
>         ["netbios-ns"] = "udp port 137",
>     };

I gave that a shot, but still didn't see any output. I did have success by
adding the following:

    global dns_ports = { 53/udp, 53/tcp, 137/udp };
    redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

(also from dns.bro), and that triggered my event handler for dns_request.
Note this seemed to work with and without redefining the capture filters.

Any ideas why this is the case?
Particularly, am I only going to be able to implement my custom event
handlers for analyzers that are part of the DPD framework?

Many thanks,
Mike

From christian at whoop.org Wed Dec 5 12:17:18 2007
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 05 Dec 2007 12:17:18 -0800
Subject: [Bro] invoking an analyzer without the default policy script?
In-Reply-To: <7f3e32390712051036t782d3307s6862106b216b0957@mail.gmail.com>
References: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com> <20071205084340.GB70580@icir.org> <7f3e32390712051036t782d3307s6862106b216b0957@mail.gmail.com>
Message-ID: <1196885838.11847.76.camel@strangepork>

On Wed, 2007-12-05 at 10:36 -0800, Mike Wood wrote:

> I did have success by adding the following:
>
>     global dns_ports = { 53/udp, 53/tcp, 137/udp };
>     redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
>
> (also from dns.bro), and that triggered my event handler for dns_request.
> Note this seemed to work with and without redefining the capture filters.
>
> Any ideas why this is the case?

Afaik, this is exactly the way to enable a DPD-enabled analyzer.

http://www.bro-ids.org/wiki/index.php/DynamicProtocolDetection#Using_the_new_analyzer_framework

Likely, your capture filter is already set up to capture the relevant
packets anyway, so needs no special tweaking. (One of the best tips ever
regarding this stuff is to test the resulting filter by adding
"print-filter" at the end of your list of policy files specified at the
command line.)

> Particularly, am I only going to be
> able to implement my custom event handlers for analyzers that are part of
> the DPD framework?

No, you can generally expect to use your own event handlers for the other
analyzers as well, unless these were somehow designed to require
substantial policy code.
Cheers,
Christian

--
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org

From robin at icir.org Thu Dec 6 05:12:24 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 6 Dec 2007 05:12:24 -0800
Subject: [Bro] invoking an analyzer without the default policy script?
In-Reply-To: <7f3e32390712051036t782d3307s6862106b216b0957@mail.gmail.com>
References: <7f3e32390712041543l77ad3ac3h246085a6d131306e@mail.gmail.com> <20071205084340.GB70580@icir.org> <7f3e32390712051036t782d3307s6862106b216b0957@mail.gmail.com>
Message-ID: <20071206131224.GC51287@icir.org>

On Wed, Dec 05, 2007 at 10:36 -0800, you wrote:

> I did have success by adding the following:
>
>     global dns_ports = { 53/udp, 53/tcp, 137/udp };
>     redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };

Ah, sorry, I forgot that. Actually you need both, the right packet filter
and the dpd_config. As Christian noted, your packet filter might already be
right if you're not loading any other scripts (because then Bro uses the
default filter "tcp or udp or icmp").

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From irdeto at gmail.com Mon Dec 10 09:08:01 2007
From: irdeto at gmail.com (Fabian Hensel)
Date: Mon, 10 Dec 2007 18:08:01 +0100
Subject: [Bro] Time machine crashing
Message-ID:

Hi all

After having resolved my last problem, I'm already facing a new one.

I am trying to set up Broccoli communication between Bro and the
Timemachine. TM and Bro are running on the same machine and I have
included "listen-clear" and "time-machine" in my policy; in tm.conf the
bro_connect_str is configured accordingly (see the attached files).

What happens is that I can see in the remote.log that the TM registers to
TimeMachine::command and in Bro's tm.log that it indeed sends queries over
to the TM. If I then look at the TM's logfile, I see that the query was
unsuccessful (0 matches).
After a couple of mismatches it seems that some part of the TM crashes
(i.e. it still logs that it drops all the packets; no increase in CPU
usage though). The TM can then only be shut down by using kill -9.

If I don't use Broccoli at all and instead manually enter the same queries
in the console (replacing the "query feed" part with "query to_file"),
everything works fine.

Does anyone have an idea what could be the problem here? My guess is that
it is something in the TM and not in Bro.

Regards
- Fabian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remote.log
Type: application/octet-stream
Size: 3534 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071210/ac0cea21/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tm_tm.log
Type: application/octet-stream
Size: 7401 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071210/ac0cea21/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tm.conf
Type: application/octet-stream
Size: 918 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071210/ac0cea21/attachment-0002.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro_tm.log
Type: application/octet-stream
Size: 1726 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071210/ac0cea21/attachment-0003.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc-nf.bro
Type: application/octet-stream
Size: 419 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071210/ac0cea21/attachment-0004.obj

From kanthimyneni at gmail.com Wed Dec 12 11:13:14 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Wed, 12 Dec 2007 14:13:14 -0500
Subject: [Bro] bro-hands on workshop
Message-ID: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com>

Hi,

Is there any Bro hands-on workshop in the coming days.....

Thanks & Regards,
KM.

From vern at icir.org Thu Dec 13 00:09:32 2007
From: vern at icir.org (Vern Paxson)
Date: Thu, 13 Dec 2007 00:09:32 -0800
Subject: [Bro] bro-hands on workshop
In-Reply-To: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com> (Wed, 12 Dec 2007 14:13:14 EST).
Message-ID: <200712130809.lBD89bZi029539@pork.ICSI.Berkeley.EDU>

> Is there any Bro hands-on workshop in the coming days.....

We don't yet have one planned, but we definitely want to put together
another such workshop.

Vern

From robin at icir.org Thu Dec 13 05:44:50 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 13 Dec 2007 05:44:50 -0800
Subject: [Bro] bro-hands on workshop
In-Reply-To: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com>
References: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com>
Message-ID: <20071213134450.GC39437@icir.org>

On Wed, Dec 12, 2007 at 14:13 -0500, you wrote:

> Is there any Bro hands-on workshop in the coming days.....

We're planning to do another workshop but we don't have any date yet.
Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From kanthimyneni at gmail.com Thu Dec 13 07:17:33 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Thu, 13 Dec 2007 10:17:33 -0500
Subject: [Bro] bro-hands on workshop
In-Reply-To: <200712130809.lBD89bZi029539@pork.ICSI.Berkeley.EDU>
References: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com> <200712130809.lBD89bZi029539@pork.ICSI.Berkeley.EDU>
Message-ID: <6db04b6c0712130717l5850d7a5qc7cf7e2d55688a19@mail.gmail.com>

Thanks, that would help me a lot. Please let me know if you people plan
such a workshop.

On Dec 13, 2007 3:09 AM, Vern Paxson wrote:

> > Is there any Bro hands-on workshop in the coming days.....
>
> We don't yet have one planned, but we definitely want to put together
> another such workshop.
>
> Vern
>

From kanthimyneni at gmail.com Thu Dec 13 17:51:23 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Thu, 13 Dec 2007 20:51:23 -0500
Subject: [Bro] anomaly/alert score
Message-ID: <6db04b6c0712131751o5fd5d16lfdae51aa92cfab35@mail.gmail.com>

Hi,

Is there anything that calculates an anomaly/alert score in Bro?

What are the cron jobs that are executed when configuring Bro?

Do we need to run every analyzer by hand, or are there any of them which
are run automatically? I got this doubt because for generating reports we
need to run that report-generating file.

Thanks & Regards,
Kanthi Myneni.
From research at webhostvision.com Fri Dec 14 10:42:20 2007
From: research at webhostvision.com (Research Team)
Date: Fri, 14 Dec 2007 18:42:20 -0000
Subject: [Bro] bro-hands on workshop
In-Reply-To: <20071213134450.GC39437@icir.org>
References: <6db04b6c0712121113x5f98bad7rb24d73ddd9f5cef9@mail.gmail.com> <20071213134450.GC39437@icir.org>
Message-ID: <006f01c83e81$12344d60$369ce820$@com>

Given that not everyone is able to attend (foreign countries), would it not
be a good thing to organise some web conferencing every now and then?

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Robin Sommer
Sent: 13 December 2007 13:45
To: kanthi myneni
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] bro-hands on workshop

On Wed, Dec 12, 2007 at 14:13 -0500, you wrote:

> Is there any Bro hands-on workshop in the coming days.....

We're planning to do another workshop but we don't have any date yet.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From kanthimyneni at gmail.com Mon Dec 17 14:26:56 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Mon, 17 Dec 2007 17:26:56 -0500
Subject: [Bro] Fwd: anomaly/alert score
In-Reply-To: <6db04b6c0712131751o5fd5d16lfdae51aa92cfab35@mail.gmail.com>
References: <6db04b6c0712131751o5fd5d16lfdae51aa92cfab35@mail.gmail.com>
Message-ID: <6db04b6c0712171426n5f53ded7hfc8cc31309f62173@mail.gmail.com>

---------- Forwarded message ----------
From: kanthi myneni
Date: Dec 13, 2007 8:51 PM
Subject: anomaly/alert score
To: bro at icsi.berkeley.edu

Hi,

Is there anything that calculates an anomaly/alert score in Bro?

What are the cron jobs that are executed when configuring Bro?
Do we need to run every analyzer by hand, or are there any of them which
are run automatically? I got this doubt because for generating reports we
need to run that report-generating file.

Thanks & Regards,
Kanthi Myneni.

From dpark1978 at gmail.com Tue Dec 18 11:50:18 2007
From: dpark1978 at gmail.com (Dongsu Park)
Date: Tue, 18 Dec 2007 20:50:18 +0100
Subject: [Bro] DPD or binpac on kernel-level
Message-ID: <20071218195018.GA23926@dongsupark.de>

Hi,

is there any implementation of DPD or binpac at kernel level, for instance
on Linux netfilter? If not, do you have any plan for it?

I think DPD and binpac are excellent implementations, but they currently
depend on Bro IDS. They would be more useful if they could be combined
with kernel-level firewalls, enabling detected packets to be dropped
immediately.

As far as I know, L7-filter does similar jobs. It would be interesting if
DPD/binpac could be ported to kernel modules on L7-filter, or something
like that.

--
Dongsu Park

From rreitz at fnal.gov Wed Dec 19 13:22:44 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Wed, 19 Dec 2007 15:22:44 -0600
Subject: [Bro] Sudden urge to do IRC analysis
Message-ID:

I want to add the IRC analysis to my list of BRO policies. I'm running
heavy-analysis which causes an error when I add irc...

    [rreitz at rhyolite ~]$ bro heavy-analysis irc
    /usr/local/bro/policy/heavy.irc.bro, line 3 (IRC::irc_users): error, "redef" used but not previously defined
    /usr/local/bro/policy/heavy.irc.bro, line 4 (IRC::irc_channels): error, "redef" used but not previously defined

I'm using ...

    [rreitz at rhyolite ~]$ bro -v
    bro version 1.3.2

I can't find the variables 'irc_users' or 'irc_channels' in any policy.
What am I missing?
Thanks,
Randy Reitz
Fermilab

From vern at icir.org Wed Dec 19 13:34:30 2007
From: vern at icir.org (Vern Paxson)
Date: Wed, 19 Dec 2007 13:34:30 -0800
Subject: [Bro] Sudden urge to do IRC analysis
In-Reply-To: (Wed, 19 Dec 2007 15:22:44 CST).
Message-ID: <200712192134.lBJLYZow017479@pork.ICSI.Berkeley.EDU>

> I can't find the variables 'irc_users' or 'irc_channels' in any
> policy. What am I missing?

Oops, yeah, that's a bug that's fixed (as of 1.3.4). Try changing them to
active_users and active_channels (though I'm not sure it's as easy as
that).

Vern

From ssakai at sdsc.edu Wed Dec 19 19:37:45 2007
From: ssakai at sdsc.edu (scott sakai)
Date: Wed, 19 Dec 2007 19:37:45 -0800
Subject: [Bro] L flag in conn log
Message-ID: <4769E389.8040700@sdsc.edu>

Have the semantics of the "L" flag in the conn log been changed?

From http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events#Connection_summaries:

Line format:
-----
\ , \
-----

and

-----
L indicates that the connection was initiated locally, i.e., the host
corresponding to A_l initiated the connection. If L is missing, then the
host corresponding to A_r initiated the connection.
-----

However, this does not seem to agree with what I see in the conn log.
When interpreted this way, I see strange stuff like a web server making
outbound connections from port 80 to some high numbered port. This is
even more confusing when trying to figure out which host is portscanning
and which one is being scanned.

The correct line format seems to be ...

Can anyone confirm this? conn.bro, line 275 suggests that this is the
case:

-----
local log_msg = fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
                    c$start_time, duration, id$orig_h, id$resp_h, s,
-----

However, I'd like to make sure that it is.

Thanks.
From korovin.anton at gmail.com Thu Dec 20 09:07:08 2007
From: korovin.anton at gmail.com (Anton Korovin)
Date: Thu, 20 Dec 2007 19:07:08 +0200
Subject: [Bro] Unknown protocol in Bro
Message-ID: <35e358630712200907i323285fco7d422f9983184c12@mail.gmail.com>

Hi!

I used Bro version 1.1.0. I wrote a policy to dump data content which is
transferred over an unknown protocol. And I modified the method NewConn()
in the NetSessions class: if the port value isn't handled, I create an
instance of an UnknownConnection class, which fires events for each
request/reply of its connection. These events are handled in the policy
script and write the content to HDD.

How can I do the same in new versions of Bro?

Best regards,
Anton Korovin

From kanthimyneni at gmail.com Thu Dec 20 10:58:22 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Thu, 20 Dec 2007 13:58:22 -0500
Subject: [Bro] how to run on trace files
Message-ID: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com>

Hi,

I am trying to run Bro on a trace file, specifically on the tcpdump file
provided in the Bro workshop, url
http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1.html
but I was unable to run that; it gives me "command not found". A sample of
my output is below.

In the url
http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1-solution.html
they asked to create local.bro. I created that file. Then they asked to run
some analyzer; they asked to use setenv and bro -r. I used them, but it
gives me "command not found".
    loud at 1006kro:/usr/local/bro$ sudo vim local.bro
    loud at 1006kro:/usr/local/bro$ ls
    archive  etc      lib        logs    policy   scripts  site   var
    bin      include  local.bro  perl    reports  share    trace1.tcpdump
    loud at 1006kro:/usr/local/bro$ cat local.bro
    redef local_nets: set[subnet] = {
        10.20.1.0/24,
    };
    loud at 1006kro:/usr/local/bro$ sudo setenv BROPATH = /usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
    sudo: setenv: command not found
    loud at 1006kro:/usr/local/bro$ setenv BROPATH = /usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
    bash: setenv: command not found
    loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
    bash: bro: command not found
    loud at 1006kro:/usr/local/bro$

Do those commands depend on the directory I am in?

In which directory do I need to run that command?

Thanks,
KM.

From nweaver at ICSI.Berkeley.EDU Thu Dec 20 11:10:12 2007
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Thu, 20 Dec 2007 11:10:12 -0800
Subject: [Bro] how to run on trace files
In-Reply-To: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com>
References: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com>
Message-ID: <20071220191012.GA11109@kona.ICSI.Berkeley.EDU>

Setenv is the TCSH syntax for setting environment variables.

For bash, you do

    BROHOME=/usr/local/bro
    BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs

Also, you need to set your path to include bro

    PATH=/usr/local/bro/bin:$PATH

> loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
> bash: bro: command not found
> loud at 1006kro:/usr/local/bro$
>
>
> Do those commands depend on the directory I am in?
>
> In which directory do I need to run that command?
>
> Thanks,
> KM.
--
Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.

From kanthimyneni at gmail.com Thu Dec 20 11:40:06 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Thu, 20 Dec 2007 14:40:06 -0500
Subject: [Bro] how to run on trace files
In-Reply-To: <20071220191012.GA11109@kona.ICSI.Berkeley.EDU>
References: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com> <20071220191012.GA11109@kona.ICSI.Berkeley.EDU>
Message-ID: <6db04b6c0712201140r42efb228y355391c586365837@mail.gmail.com>

I am sorry, I didn't get it. I am not that familiar with Linux commands.

I tried to do so but am getting the same output:

    loud at 1006kro:/$ BROHOME = /usr/local/bro/
    bash: BROHOME: command not found
    loud at 1006kro:/$ BROPATH = $/usr/local/bro/site
    bash: BROPATH: command not found
    loud at 1006kro:/$ PATH = /usr/local/bro/bin:SPATH
    bash: PATH: command not found

Thanks & Regards,
Kanthi Myneni.

On Dec 20, 2007 2:10 PM, Nicholas Weaver wrote:

> Setenv is the TCSH syntax for setting environment variables.
>
> For bash, you do
>
>     BROHOME=/usr/local/bro
>     BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs
>
> Also, you need to set your path to include bro
>
>     PATH=/usr/local/bro/bin:$PATH
>
> > loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
> > bash: bro: command not found
> > loud at 1006kro:/usr/local/bro$
> >
> >
> > Do those commands depend on the directory I am in?
> >
> > In which directory do I need to run that command?
> >
> > Thanks,
> > KM.
>
> --
> Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
> This message has been ROT-13 encrypted twice for higher security.
From nweaver at ICSI.Berkeley.EDU Thu Dec 20 12:55:06 2007
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Thu, 20 Dec 2007 12:55:06 -0800
Subject: [Bro] how to run on trace files
In-Reply-To: <6db04b6c0712201140r42efb228y355391c586365837@mail.gmail.com>
References: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com> <20071220191012.GA11109@kona.ICSI.Berkeley.EDU> <6db04b6c0712201140r42efb228y355391c586365837@mail.gmail.com>
Message-ID: <20071220205506.GC11354@kona.ICSI.Berkeley.EDU>

On Thu, Dec 20, 2007 at 02:40:06PM -0500, kanthi myneni composed:

> I am sorry, I didn't get it. I am not that familiar with Linux commands.
>
> I tried to do so but am getting the same output:
>
>     loud at 1006kro:/$ BROHOME = /usr/local/bro/
>     bash: BROHOME: command not found
>     loud at 1006kro:/$ BROPATH = $/usr/local/bro/site
>     bash: BROPATH: command not found
>     loud at 1006kro:/$ PATH = /usr/local/bro/bin:SPATH
>     bash: PATH: command not found

No spaces, sorry

    BROHOME=/usr/local/bro/
    BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/policy/sigs
    PATH=/usr/local/bro/bin:$PATH

> Thanks & Regards,
> Kanthi Myneni.
>
> On Dec 20, 2007 2:10 PM, Nicholas Weaver wrote:
>
> > Setenv is the TCSH syntax for setting environment variables.
> >
> > For bash, you do
> >
> >     BROHOME=/usr/local/bro
> >     BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs
> >
> > Also, you need to set your path to include bro
> >
> >     PATH=/usr/local/bro/bin:$PATH
> >
> > > loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
> > > bash: bro: command not found
> > > loud at 1006kro:/usr/local/bro$
> > >
> > >
> > > Do those commands depend on the directory I am in?
> > >
> > > In which directory do I need to run that command?
> > >
> > > Thanks,
> > > KM.
> >
> > --
> > Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
> > This message has been ROT-13 encrypted twice for higher security.
>

--
Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.

From kanthimyneni at gmail.com Thu Dec 20 13:30:22 2007
From: kanthimyneni at gmail.com (kanthi myneni)
Date: Thu, 20 Dec 2007 16:30:22 -0500
Subject: [Bro] how to run on trace files
In-Reply-To: <20071220205506.GC11354@kona.ICSI.Berkeley.EDU>
References: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com> <20071220191012.GA11109@kona.ICSI.Berkeley.EDU> <6db04b6c0712201140r42efb228y355391c586365837@mail.gmail.com> <20071220205506.GC11354@kona.ICSI.Berkeley.EDU>
Message-ID: <6db04b6c0712201330n7af39853u196c4f612a0f4121@mail.gmail.com>

Thanks a lot for your reply.

It worked. But I am having a problem running Bro. It is giving me the
following error:

    loud at 1006kro:/usr/local/bro/bin$ sudo bro -r trace1.tcpdump local tcp alarm weird
    Password:
    sudo: bro: command not found
    loud at 1006kro:/usr/local/bro/bin$ sudo ./bro -r trace1.tcpdump local tcp alarm weird
    line 1: error: can't open bro.init
    loud at 1006kro:/usr/local/bro/bin$

Giving me the above error.

Thanks & Regards,
Kanthi Myneni.

On Dec 20, 2007 3:55 PM, Nicholas Weaver wrote:

> On Thu, Dec 20, 2007 at 02:40:06PM -0500, kanthi myneni composed:
> > I am sorry, I didn't get it. I am not that familiar with Linux
> > commands.
> >
> > I tried to do so but am getting the same output:
> >
> >     loud at 1006kro:/$ BROHOME = /usr/local/bro/
> >     bash: BROHOME: command not found
> >     loud at 1006kro:/$ BROPATH = $/usr/local/bro/site
> >     bash: BROPATH: command not found
> >     loud at 1006kro:/$ PATH = /usr/local/bro/bin:SPATH
> >     bash: PATH: command not found
>
> No spaces, sorry
>
>     BROHOME=/usr/local/bro/
>     BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/policy/sigs
>     PATH=/usr/local/bro/bin:$PATH
>
> > Thanks & Regards,
> > Kanthi Myneni.
> >
> > On Dec 20, 2007 2:10 PM, Nicholas Weaver wrote:
> >
> > > Setenv is the TCSH syntax for setting environment variables.
> > >
> > > For bash, you do
> > >
> > >     BROHOME=/usr/local/bro
> > >     BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs
> > >
> > > Also, you need to set your path to include bro
> > >
> > >     PATH=/usr/local/bro/bin:$PATH
> > >
> > > > loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
> > > > bash: bro: command not found
> > > > loud at 1006kro:/usr/local/bro$
> > > >
> > > >
> > > > Do those commands depend on the directory I am in?
> > > >
> > > > In which directory do I need to run that command?
> > > >
> > > > Thanks,
> > > > KM.
> > >
> > > --
> > > Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
> > > This message has been ROT-13 encrypted twice for higher security.
> >
>
> --
> Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
> This message has been ROT-13 encrypted twice for higher security.
>
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071220/c1b90a4e/attachment.html

From nweaver at ICSI.Berkeley.EDU Thu Dec 20 14:25:18 2007 From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver) Date: Thu, 20 Dec 2007 14:25:18 -0800 Subject: [Bro] how to run on trace files In-Reply-To: <6db04b6c0712201330n7af39853u196c4f612a0f4121@mail.gmail.com> References: <6db04b6c0712201058j7c7e0a11qcb23c1133317a532@mail.gmail.com> <20071220191012.GA11109@kona.ICSI.Berkeley.EDU> <6db04b6c0712201140r42efb228y355391c586365837@mail.gmail.com> <20071220205506.GC11354@kona.ICSI.Berkeley.EDU> <6db04b6c0712201330n7af39853u196c4f612a0f4121@mail.gmail.com> Message-ID: <20071220222517.GA11606@kona.ICSI.Berkeley.EDU>

A: For running off of traces, you don't need to use sudo and shouldn't.

The can't find "bro.init" error says the BROPATH is messed up. Type the commands:

which bro
printenv BROHOME
printenv BROPATH

On Thu, Dec 20, 2007 at 04:30:22PM -0500, kanthi myneni composed: > Thanks a lot for your reply. > > It worked. But I am having problem in running bro . It is giving me the > following error > > loud at 1006kro:/usr/local/bro/bin$ sudo bro -r trace1.tcpdump local tcp alarm > weird > Password: > sudo: bro: command not found > loud at 1006kro:/usr/local/bro/bin$ sudo ./bro -r trace1.tcpdump local tcp > alarm weird > line 1: error: can't open bro.init > loud at 1006kro:/usr/local/bro/bin$ > > > Giving me the above error. > > Thanks&Regards, > Kanthi Myneni. > > On Dec 20, 2007 3:55 PM, Nicholas Weaver wrote: > > > On Thu, Dec 20, 2007 at 02:40:06PM -0500, kanthi myneni composed: > > > I am sorry I didnt get it. I am not that much familiar with linux > > commands .
> > > > > > I tried to do so but getting same output > > > > > > loud at 1006kro:/$ BROHOME = /usr/local/bro/ > > > bash: BROHOME: command not found > > > loud at 1006kro:/$ BROPATH = $/usr/local/bro/site > > > bash: BROPATH: command not found > > > loud at 1006kro:/$ PATH = /usr/local/bro/bin:SPATH > > > bash: PATH: command not found > > > > No spaces, sorry > > > > BROHOME=/usr/local/bro/ > > BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/policy/sigs > > PATH=/usr/local/bro/bin:$PATH > > > > > Thanks&Regards, > > > Kanthi Myneni. > > > > > > On Dec 20, 2007 2:10 PM, Nicholas Weaver > > wrote: > > > > > > > Setenv is the TCSH syntax for setting environment variables. > > > > > > > > For bash, you do > > > > > > > > BROHOME=/usr/local/bro > > > > BROPATH=$BROHOME/site:$BROHOME/policy:$BROHOME/sigs > > > > > > > > Also, you need to set your path to include bro > > > > > > > > PATH=/usr/local/bro/bin:$PATH > > > > > > > > > > > > > > > > > > > > > loud at 1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm > > wierd > > > > > bash: bro: command not found > > > > > loud at 1006kro:/usr/local/bro$ > > > > > > > > > > > > > > > are those commands depend on the directory I am present. > > > > > > > > > > In which directory do I need to run that command. > > > > > > > > > > Thanks, > > > > > KM. > > > > > > > > > _______________________________________________ > > > > > Bro mailing list > > > > > bro at bro-ids.org > > > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > > > > -- > > > > Nicholas C. Weaver > > nweaver at icsi.berkeley.edu > > > > This message has been ROT-13 encrypted twice for higher security. > > > > > > > > -- > > Nicholas C. Weaver nweaver at icsi.berkeley.edu > > This message has been ROT-13 encrypted twice for higher security. > > -- Nicholas C. Weaver nweaver at icsi.berkeley.edu This message has been ROT-13 encrypted twice for higher security. 
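The environment problems in this exchange (assignments with spaces around '=', a BROPATH that only lists site/, a PATH without bro on it) are easy to reproduce offline. The Python script below is an added example, not code from the thread or from Bro: it lints the assignment lines the way sh would read them, builds BROPATH as Nick gives it, walks a colon-separated BROPATH for bro.init the way a PATH-style lookup does, and reports the two failures seen above against a constructed fake install tree. The function names and the fixture layout (bin/bro, policy/bro.init) are assumptions for illustration.

```python
"""Added example (not from the thread): reproduce the BROPATH lookup offline so
"can't open bro.init" and "bro: command not found" can be diagnosed.
Function names and the fixture layout are assumptions, not Bro's own code."""
import os
import re
import tempfile

# sh parses "NAME = value" as a command called NAME with two arguments, which is
# exactly why bash answered "BROHOME: command not found" in the thread.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)(\s*)=(\s*)(.*)$')


def check_assignment(line):
    """Return None if LINE is a valid sh assignment, else a short complaint."""
    m = ASSIGNMENT.match(line)
    if not m:
        return "not an assignment"
    name, before, after, value = m.groups()
    if before or after:
        return "spaces around '=' make sh treat %r as a command" % name
    if value.startswith('$/'):
        return "'$/' is not a variable reference; did you mean $BROHOME?"
    return None


def build_bropath(brohome):
    """BROPATH as suggested in the thread: site, policy and policy/sigs."""
    brohome = brohome.rstrip('/')
    return ':'.join(brohome + sub for sub in ('/site', '/policy', '/policy/sigs'))


def find_in_bropath(name, bropath, isfile=os.path.isfile):
    """First file NAME found in the colon-separated BROPATH, or None."""
    for d in bropath.split(':'):
        if d and isfile(os.path.join(d, name)):
            return os.path.join(d, name)
    return None


def diagnose(env):
    """Mimic the checks Nick asked for: which bro, printenv BROHOME, printenv BROPATH."""
    problems = []
    if not env.get('BROHOME'):
        problems.append('BROHOME is unset')
    if not env.get('BROPATH'):
        problems.append('BROPATH is unset')
    elif find_in_bropath('bro.init', env['BROPATH']) is None:
        problems.append("bro.init not found in BROPATH (the \"can't open bro.init\" case)")
    on_path = [d for d in env.get('PATH', '').split(':')
               if d and os.access(os.path.join(d, 'bro'), os.X_OK)]
    if not on_path:
        problems.append("no executable 'bro' on PATH (the \"command not found\" case)")
    return problems


def make_fixture():
    """Constructed fake install tree: bin/bro and policy/bro.init only."""
    root = tempfile.mkdtemp()
    for sub in ('bin', 'site', 'policy/sigs'):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, 'policy', 'bro.init'), 'w').close()
    exe = os.path.join(root, 'bin', 'bro')
    with open(exe, 'w') as f:
        f.write('#!/bin/sh\n')           # stand-in binary, never executed here
    os.chmod(exe, 0o755)
    return root


if __name__ == '__main__':
    root = make_fixture()
    for line in ('BROHOME = /usr/local/bro/', 'BROPATH = $/usr/local/bro/site',
                 'BROHOME=/usr/local/bro/'):
        print('%-35s %s' % (line, check_assignment(line) or 'ok'))
    bad = {'BROHOME': root, 'BROPATH': root + '/site', 'PATH': '/usr/bin'}
    good = {'BROHOME': root, 'BROPATH': build_bropath(root), 'PATH': root + '/bin:/usr/bin'}
    print('bad env :', diagnose(bad))
    print('good env:', diagnose(good))
```

The lookup only honours what BROPATH literally contains, so a value such as `$/usr/local/bro/site` or a path list missing the policy/ directory produces the same "not found" result the thread shows; the fix is the three-directory BROPATH, not running bro under sudo.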
From rpang at cs.princeton.edu Fri Dec 21 18:52:46 2007 From: rpang at cs.princeton.edu (Ruoming Pang) Date: Sat, 22 Dec 2007 10:52:46 +0800 Subject: [Bro] DPD or binpac on kernel-level In-Reply-To: <20071218195018.GA23926@dongsupark.de> References: <20071218195018.GA23926@dongsupark.de> Message-ID:

Hi Dongsu,

People have tried using binpac on systems other than Bro. The main obstacle is to have a regular expression matching library, which binpac-based analyzers rely on. If you have such a library that can be used in-kernel, you are pretty close. Then you need a library to handle dynamic memory allocation (if I understand kernel programming correctly).

Ruoming

On Dec 19, 2007 3:50 AM, Dongsu Park wrote: > Hi, > > is there any implementation of DPD or binpac on kernel-level, > for instance on Linux netfilter? > If not, do you have any plan for it? > > I think DPD and binpac are excellent implementations, but they currently > depend on Bro IDS. They would be more useful if they could be combined > into kernel-level firewalls, with enabling detected packets to be dropped > immediately. > > As far as I know, L7-filter does > similar jobs. It seems to be interesting if DPD/binpac can be ported to > kernel modules on L7-filter, or something like that. > > > -- > Dongsu Park > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >

From christian at whoop.org Sat Dec 22 13:17:01 2007 From: christian at whoop.org (Christian Kreibich) Date: Sat, 22 Dec 2007 22:17:01 +0100 Subject: [Bro] DPD or binpac on kernel-level In-Reply-To: <20071218195018.GA23926@dongsupark.de> References: <20071218195018.GA23926@dongsupark.de> Message-ID: <1198358221.2752.58.camel@strangepork>

Hi Dongsu,

On Tue, 2007-12-18 at 20:50 +0100, Dongsu Park wrote: > Hi, > > is there any implementation of DPD or binpac on kernel-level, > for instance on Linux netfilter? > If not, do you have any plan for it?

No.
Primarily because we have no concrete reason to do so, and also because it'd very likely incur a world of pain -- C++ in kernel space is a thorny issue (the least technical obstacle is probably the fact that the STL isn't available, but much more subtle issues abound). Also notice that DPD and BinPAC are very different beasts. DPD's purpose is to detect likely protocols in flows, while BinPAC's purpose is to produce protocol parsers written in a high-level language. In Bro, we use BinPAC-generated parsers to confirm/reject the potential protocol identifications that DPD provides. > I think DPD and binpac are excellent implementations, but they currently > depend on Bro IDS. They would be more useful if they could be combined > into kernel-level firewalls, with enabling detected packets to be dropped > immediately. Thanks for the praise. What you're saying is no doubt true, though the issue is not primarily about kernel space, but Bro-independent use in general. In fact, we are surprised that many other tools for which accurate protocol identification is crucial haven't yet adopted the technology. > As far as I know, L7-filter does > similar jobs. It seems to be interesting if DPD/binpac can be ported to > kernel modules on L7-filter, or something like that. Surely it *could* be done, but the existence of L7 (which is great) provides another reason for us not to go down that road. 
Cheers, Christian -- ________________________________________________________________________ http://www.icir.org/christian http://www.whoop.org

From nweaver at ICSI.Berkeley.EDU Sun Dec 23 10:30:58 2007 From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver) Date: Sun, 23 Dec 2007 10:30:58 -0800 Subject: [Bro] DPD or binpac on kernel-level In-Reply-To: <1198358221.2752.58.camel@strangepork> References: <20071218195018.GA23926@dongsupark.de> <1198358221.2752.58.camel@strangepork> Message-ID: <20071223183058.GB2076@kona.ICSI.Berkeley.EDU>

Additionally, if you want to do something like this, I'd recommend something more along the lines as follows:

Once a protocol is identified, or identification fails, you can put it on a fast path. But until then, you want a slow path. So you can use a shunt or shunt-style strategy.

Either in software in Click (which DOES run in the kernel) or in hardware (we have prototypes in progress, but nothing I'd trust for production) you have a cache of flow records. (For both you want it as a cache, so you can statically allocate all resources). These flow records are sent through the fast path (either directly or with whatever shaping), with all other records going to the slow path, user level analysis.

For DPD this works VERY well, as almost all of the traffic ends up on the fast path.

On Sat, Dec 22, 2007 at 10:17:01PM +0100, Christian Kreibich composed: > Hi Dongsu, > > On Tue, 2007-12-18 at 20:50 +0100, Dongsu Park wrote: > > Hi, > > > > is there any implementation of DPD or binpac on kernel-level, > > for instance on Linux netfilter? > > If not, do you have any plan for it? > > No. Primarily because we have no concrete reason to do so, and also > because it'd very likely incur a world of pain -- C++ in kernel space is > a thorny issue (the least technical obstacle is probably the fact that > the STL isn't available, but much more subtle issues abound). Also > notice that DPD and BinPAC are very different beasts.
DPD's purpose is > to detect likely protocols in flows, while BinPAC's purpose is to > produce protocol parsers written in a high-level language. In Bro, we > use BinPAC-generated parsers to confirm/reject the potential protocol > identifications that DPD provides. > > > I think DPD and binpac are excellent implementations, but they currently > > depend on Bro IDS. They would be more useful if they could be combined > > into kernel-level firewalls, with enabling detected packets to be dropped > > immediately. > > Thanks for the praise. What you're saying is no doubt true, though the > issue is not primarily about kernel space, but Bro-independent use in > general. In fact, we are surprised that many other tools for which > accurate protocol identification is crucial haven't yet adopted the > technology. > > > As far as I know, L7-filter does > > similar jobs. It seems to be interesting if DPD/binpac can be ported to > > kernel modules on L7-filter, or something like that. > > Surely it *could* be done, but the existence of L7 (which is great) > provides another reason for us not to go down that road. > > Cheers, > Christian > -- > ________________________________________________________________________ > http://www.icir.org/christian > http://www.whoop.org > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Nicholas C. Weaver nweaver at icsi.berkeley.edu This message has been ROT-13 encrypted twice for higher security. 
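As an added illustration of the shunt strategy Nick sketches (not code from the thread, from Click or from Bro), the Python model below keeps a fixed-size flow cache: a flow is pinned once its protocol is identified or identification has given up, pinned flows take the fast path, and every other packet is sent to the slow path for inspection. The signatures, the sample packets, the give-up threshold and the FIFO eviction policy are constructed assumptions.

```python
"""Added example (not from the thread): a toy shunt with a statically sized flow
cache in front of a slow, user-level analysis path. Everything here is
constructed for illustration: SIGNATURES stand in for DPD, MAX_INSPECT is the
give-up threshold, and the traffic sample is made up."""
from collections import OrderedDict, namedtuple

Packet = namedtuple('Packet', 'flow payload')   # flow = (src, sport, dst, dport)

SIGNATURES = {b'GET ': 'http', b'SSH-': 'ssh', b'220 ': 'smtp'}
MAX_INSPECT = 4   # stop trying to identify after this many payload-carrying packets


class Shunt:
    """Fixed-size flow cache: cached flows bypass analysis, the rest are inspected."""

    def __init__(self, cache_slots):
        self.cache_slots = cache_slots   # allocated up front, never grows
        self.cache = OrderedDict()       # flow -> 'http' | 'ssh' | ... | 'unknown'
        self.pending = {}                # flow -> payload packets inspected so far
        self.fast = 0
        self.slow = 0

    @staticmethod
    def classify(payload):
        for magic, proto in SIGNATURES.items():
            if payload.startswith(magic):
                return proto
        return None

    def pin(self, flow, decision):
        """Insert into the cache, evicting the oldest entry when it is full."""
        if len(self.cache) >= self.cache_slots:
            self.cache.popitem(last=False)   # evicted flow falls back to the slow path
        self.cache[flow] = decision

    def handle(self, pkt):
        """Return which path this packet takes and update the cache."""
        if pkt.flow in self.cache:
            self.fast += 1
            return 'fast'
        self.slow += 1                       # undecided flows pay for inspection
        seen = self.pending.get(pkt.flow, 0)
        decision = None
        if pkt.payload:
            seen += 1
            decision = self.classify(pkt.payload)
            if decision is None and seen >= MAX_INSPECT:
                decision = 'unknown'         # identification failed: stop paying for it
        if decision is None:
            self.pending[pkt.flow] = seen
        else:
            self.pending.pop(pkt.flow, None)
            self.pin(pkt.flow, decision)
        return 'slow'


def sample_traffic():
    """Constructed traffic: an HTTP flow, an SSH flow and one that never identifies."""
    http = ('10.0.0.1', 40000, '10.0.0.2', 80)
    ssh = ('10.0.0.1', 40001, '10.0.0.3', 22)
    odd = ('10.0.0.1', 40002, '10.0.0.4', 9999)
    pkts = [Packet(http, b''), Packet(http, b'GET / HTTP/1.0\r\n')]
    pkts += [Packet(http, b'x' * 100)] * 20
    pkts += [Packet(ssh, b'SSH-2.0-OpenSSH\r\n')] + [Packet(ssh, b'y' * 100)] * 20
    pkts += [Packet(odd, b'z' * 10)] * 10
    return pkts


def run(cache_slots=3):
    """Push the sample through a shunt; returns the shunt and per-packet decisions."""
    s = Shunt(cache_slots)
    decisions = [s.handle(p) for p in sample_traffic()]
    return s, decisions


if __name__ == '__main__':
    s, _ = run()
    print('fast path: %d packets, slow path: %d packets' % (s.fast, s.slow))
    for flow, decision in s.cache.items():
        print('  %s:%d -> %s' % (flow[2], flow[3], decision))
```

Of the 53 constructed packets only 7 reach the slow path: the first one or two of each identified flow, and four of the unidentified one before the shunt gives up on it. Shrinking the cache to two slots forces an eviction, after which the evicted flow is inspected again, which is the trade-off of sizing the cache statically.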
From robin at icir.org Sat Dec 29 05:00:27 2007 From: robin at icir.org (Robin Sommer) Date: Sat, 29 Dec 2007 05:00:27 -0800 Subject: [Bro] Unknown protocol in Bro In-Reply-To: <35e358630712200907i323285fco7d422f9983184c12@mail.gmail.com> References: <35e358630712200907i323285fco7d422f9983184c12@mail.gmail.com> Message-ID: <20071229130027.GH67585@icir.org>

On Thu, Dec 20, 2007 at 19:07 +0200, you wrote: > If port value isn't handled I create instance of UnknownConnection class, > which fires events for each request/reply of its connection. These events > are handled in policy script and write the content to HDD. > > How can I do the same in new versions Bro?

The best location for such functionality should be DPM::BuildInitialAnalyzerTree() in DPM.{h,cc} (DPM is the "dynamic protocol manager"). In the new version of Bro, this method takes the initial decision which analyzers to use for a connection, in particular by checking whether there is a well-known port for any of the protocols Bro supports. Instead of creating an UnknownConnection class, you can derive a class UnknownProtocolAnalyzer from class Analyzer and then add an instance of that in BuildInitialAnalyzerTree() to the connection's analyzer tree whenever there isn't any other analyzer to put in charge.

The drawback of this approach is that you'll also be writing content to disk for connections for which an analyzer is found later, e.g., via DPD's signature matching. If that is a problem (i.e., you don't want to rely on well-known ports only for the content saving), an alternative would be to instantiate the UnknownProtocolAnalyzer later, e.g., only once the signature matching has been turned off. Until this point all content is buffered so you wouldn't lose anything. However, performance might be affected somewhat with this approach if there are a lot of connections with unsupported protocols.

Let me know if you need more details on the DPD implementation.
Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
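To make the two placements Robin describes concrete, here is an added Python model; it is not Bro's DPM code, and the names WELL_KNOWN, SIGNATURES, MATCH_WINDOW, Connection, build_initial_analyzer_tree and deliver are constructed for illustration. The port table picks an analyzer up front; the eager variant attaches the unknown-protocol analyzer at that point, while the lazy variant buffers content and attaches it only after signature matching has stopped. Running both over three constructed connections shows the drawback Robin points out: the eager variant writes the first bytes of a connection that DPD later identifies as HTTP, the lazy one writes nothing for it and still loses no bytes of the genuinely unknown connection.

```python
"""Added example (not from the thread or from Bro): eager versus lazy placement
of an unknown-protocol analyzer in a toy analyzer tree. Ports, signatures,
the matching window and the sample connections are constructed."""

WELL_KNOWN = {80: 'http', 22: 'ssh', 25: 'smtp'}   # port -> analyzer (constructed)
SIGNATURES = {b'GET ': 'http', b'SSH-': 'ssh'}     # DPD stand-in (constructed)
MATCH_WINDOW = 3   # signature matching is switched off after this many chunks


class Connection:
    def __init__(self, dst_port):
        self.dst_port = dst_port
        self.protocol = None           # set by a well-known port or by a signature
        self.unknown_attached = False  # is an UnknownProtocolAnalyzer in the tree?
        self.pending = []              # content buffered while nobody has taken charge
        self.unknown_sink = []         # what the unknown analyzer would write to disk
        self.chunks_seen = 0


def build_initial_analyzer_tree(conn, eager):
    """Port-based initial choice; the eager variant adds the unknown analyzer now."""
    conn.protocol = WELL_KNOWN.get(conn.dst_port)
    if conn.protocol is None and eager:
        conn.unknown_attached = True
    return conn.protocol


def deliver(conn, chunk, eager):
    """Feed one chunk of payload through the toy analyzer tree; returns the protocol."""
    conn.chunks_seen += 1
    if conn.unknown_attached:
        conn.unknown_sink.append(chunk)      # goes to disk immediately
    elif conn.protocol is None:
        conn.pending.append(chunk)           # held until an analyzer takes charge
    # DPD signature matching on the content seen so far, while it is still on.
    if conn.protocol is None and conn.chunks_seen <= MATCH_WINDOW:
        head = b''.join(conn.unknown_sink if conn.unknown_attached else conn.pending)
        for magic, proto in SIGNATURES.items():
            if head.startswith(magic):
                conn.protocol = proto
                conn.pending = []            # the real analyzer consumes it from here
                conn.unknown_attached = False  # eager case: detach, but written bytes stay written
                break
    # Lazy variant: attach the unknown analyzer only once matching has finished.
    if (conn.protocol is None and not eager and not conn.unknown_attached
            and conn.chunks_seen >= MATCH_WINDOW):
        conn.unknown_attached = True
        conn.unknown_sink.extend(conn.pending)   # buffered content, so nothing is lost
        conn.pending = []
    return conn.protocol


def simulate(eager):
    """Run three constructed connections; returns name -> (protocol, bytes written)."""
    conns = {
        'http-80': (80, [b'GET / HTTP/1.0\r\n', b'Host: a\r\n', b'\r\n', b'body']),
        'http-9999': (9999, [b'GET / HTTP/1.0\r\n', b'Host: b\r\n', b'\r\n', b'body']),
        'odd-9999': (9999, [b'\x01\x02', b'\x03\x04', b'\x05\x06', b'\x07\x08']),
    }
    result = {}
    for name, (port, chunks) in conns.items():
        c = Connection(port)
        build_initial_analyzer_tree(c, eager)
        for chunk in chunks:
            deliver(c, chunk, eager)
        result[name] = (c.protocol, len(b''.join(c.unknown_sink)))
    return result


if __name__ == '__main__':
    for label, eager in (('eager', True), ('lazy', False)):
        print(label)
        for name, (proto, written) in simulate(eager).items():
            print('  %-10s protocol=%-5s bytes written as unknown=%d' % (name, proto, written))
```

The cost Robin mentions for the lazy variant is visible in the model too: every undecided connection carries its pending buffer until MATCH_WINDOW chunks have passed, so many connections speaking unsupported protocols mean many live buffers rather than an immediate write.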