From jp.luiggi at free.fr Thu Feb 1 08:18:59 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 01 Feb 2007 11:18:59 -0500
Subject: [Bro] no reports generated
In-Reply-To: <20070131195030.AJX66951@m4500-00.uchicago.edu>
References: <20070131195030.AJX66951@m4500-00.uchicago.edu>
Message-ID: <20070201161859.GA28462@armada.mynetwork.local>

Hello Jacob,

I think we've forgotten (in fact myself) something with the process, because it works for me.
Just do the following thing:

cd /bro-1.2.1/scripts/perl
perl Makefile.PL
make
make install

I think it's the solution or something which is close (we may have to tweak the perl's conf) but if I remember correctly, it was correct.

Best regards.

On Wed, Jan 31, 2007 at 07:50:30PM -0600, Jacob Yocom-Piatt wrote:
> bro-1.2.1 is now running on a 4.0-release openbsd machine here (thx j-p!) and
> generating logs, however I got an empty report email this morning. I mean empty
> as in there was no body to the email I received.
>
> when I installed bro, I had to manually add the bro user and change ownership of
> some of the directories in its install directory:
>
> # ls -al /usr/local/bro
>
> total 68
> drwxr-xr-x  15 root  wheel   512 Jan 30 20:05 .
> drwxr-xr-x  15 root  wheel   512 Jan 30 19:52 ..
> drwxr-xr-x   2 bro   wheel   512 Jan 30 19:52 archive
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:02 bin
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:10 etc
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:00 include
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:00 lib
> drwxr-xr-x   3 bro   wheel  3584 Jan 31 03:00 logs
> drwxr-xr-x   4 root  wheel   512 Jan 30 20:05 perl
> drwxr-xr-x   3 root  wheel  4096 Jan 30 20:05 policy
> drwxr-xr-x   2 bro   wheel   512 Jan 30 19:52 reports
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:05 scripts
> drwxr-xr-x   4 root  wheel   512 Jan 30 19:52 share
> drwxr-xr-x   2 root  wheel   512 Jan 30 20:05 site
> drwxr-xr-x   2 bro   wheel   512 Jan 30 21:07 var
>
> perhaps this has something to do with the empty report?
> I've looked through the
> system logs and cannot find anything indicating why the report was not generated.
>
> cluesticking appreciated.
>
> cheers,
> jake
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From christian at whoop.org Thu Feb 1 11:46:24 2007
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 01 Feb 2007 11:46:24 -0800
Subject: [Bro] Multiple bro nodes
In-Reply-To: <1bb5dd90701310601r64ed9b9y7aee739b6ce915de@mail.gmail.com>
References: <1bb5dd90701310601r64ed9b9y7aee739b6ce915de@mail.gmail.com>
Message-ID: <1170359185.8770.86.camel@strangepork>

Hi there,

On Wed, 2007-01-31 at 22:01 +0800, CS Lee wrote:
> Hi,
>
> I haven't seen any discussion on this matter yet, while I have heard
> how bro developers fully utilize the bro-ids system.
>
> What's the good and standard management and maintenance process when
> one deploys multiple bro-ids nodes in the site? This is tricky, as most
> security admins always have their own way of administration, but I
> would like to know how bro-ids developers such as Vern, Christian or
> Robin are doing it, or others who would like to share the idea.

I'm afraid there really is no definitive answer to this. It depends on
the particular purpose of your distributed installation -- what events
would you like to distribute, how big do you picture your network of Bro
nodes to be, how sensitive are those (do you need to encrypt the
communication), etc.

> How are the analysis and correlation processes done through
> multiple bro-ids nodes?

All information is exchanged in the form of events. By writing suitable
event handlers, you can perform arbitrary forms of analysis/aggregation/
correlation on the events through the use of state tables and other
typical Bro language features.
(Note also that you can define multiple
event handlers per event type, and that there is some meta-information
on events available via built-in functions, such as is_remote_event().)

> I know bro-ids documentation is improving, especially after the wiki was
> launched. But I still can hardly find the answer to the questions above.
> I would like to know how it is done practically.

We're aware that documentation of the Bro communication features is
sorely lacking. We're in the process of wikifying our documentation in
the hope that it'll be easier for us to update it as the need arises. As
always, scarcity of time is the main hurdle. :( The Broccoli manual has
a reasonable level of detail on how to configure communicative setups.

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From M9415038 at mail.ntust.edu.tw Thu Feb 1 09:56:23 2007
From: M9415038 at mail.ntust.edu.tw (=?big5?B?qvS+y7z9?=)
Date: Fri, 2 Feb 2007 01:56:23 +0800
Subject: [Bro] I have some questions about Bro, thanks!
Message-ID: <001901c7462a$49eb8110$0301a8c0@jack>

Dear all:

I want to get some statistics about past connections. But the record_connection function in "conn.bro" seems to deal with one connection. So I need to get the past connections, but I have no idea which function/event I should modify.

In the Ref-Manual document, I saw the log_hook predefined function. I guess maybe this function is the key for my question. But I can't find this function in any file. Where can I find this function, or do I have to create it by myself? If I have to create it by myself, which file should this function be added to? (I mean which file should include this function.)

My English is not good, so if this is impolite, sorry about that.

Thanks!

Best Regards,
Jack
2007/2/2
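Jack's question (he narrows it down later in this thread to features like "the number of connections to the same host as the current connection in the past two seconds", as in the KDD Cup 99 data) can be answered at script level without changing record_connection: keep a short-lived table of recent connections and count the matches each time a new one arrives. The following is an added example, not code from this thread or from the Bro distribution. It assumes the Bro 1.2-era new_connection event, the network_time() and open_log_file() built-ins and the &create_expire table attribute; the window length, the conn-stats log name and the function name are this example's own choices.

```bro
# Added example (not from this thread or the Bro distribution): a
# per-destination-host "connections in the last 2 seconds" counter, the
# KDD Cup 99 "count" feature that Jack describes further down this
# thread.  Assumptions: Bro 1.2-era new_connection, network_time(),
# open_log_file() and the &create_expire attribute; the window length,
# log name and function names are this example's own choices.

# Length of the sliding window.
const stats_window = 2 sec &redef;

global stats_log = open_log_file("conn-stats") &redef;

# Start time of every recent connection, keyed by responder host and
# connection id.  &create_expire only guarantees a *minimum* lifetime
# (see Robin's note on table attributes later in this thread), so it
# bounds the table's size but does not by itself enforce the window.
global recent: table[addr, conn_id] of time &create_expire = 2 sec;

# Connections to host h that started within stats_window before now.
# The explicit timestamp test is what makes the count exact even when
# an entry has outlived its expiry interval.
function count_recent(h: addr, now: time): count
	{
	local n = 0;
	for ( [rh, cid] in recent )
		{
		if ( rh == h && now - recent[rh, cid] <= stats_window )
			++n;
		}
	return n;
	}

event new_connection(c: connection)
	{
	local h = c$id$resp_h;
	local now = network_time();

	# Count the earlier connections first, then record this one.
	local same_host = count_recent(h, now);
	recent[h, c$id] = now;

	print stats_log, fmt("%.6f %s:%s -> %s:%s same_host_2s=%d",
	                     now, c$id$orig_h, c$id$orig_p,
	                     h, c$id$resp_p, same_host);
	}
```

Run it over a trace with something like `bro -r trace.pcap conn-stats.bro` (adding -C if the trace has bad checksums, as in the Kerberos thread above). Robin points out further down that &create_expire is only a minimum lifetime, so the timestamp comparison inside count_recent() is what keeps the count exact; the expiry just keeps the table from growing without bound. The linear scan over the table is fine for a demonstration, but on a busy link you would keep a per-host sub-table or maintain the counter incrementally.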
From scampbell at lbl.gov Thu Feb 1 14:25:26 2007
From: scampbell at lbl.gov (scott campbell)
Date: Thu, 01 Feb 2007 14:25:26 -0800
Subject: [Bro] Multiple bro nodes
In-Reply-To: <1170359185.8770.86.camel@strangepork>
References: <1bb5dd90701310601r64ed9b9y7aee739b6ce915de@mail.gmail.com> <1170359185.8770.86.camel@strangepork>
Message-ID: <45C268D6.20601@lbl.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are some notes and ideas regarding inter-bro communication (and how it can be configured) here:

http://www.nersc.gov/~scottc/

particularly,

http://www.nersc.gov/~scottc/software/bro/broToBro.html

As well, the bro conference presentations have some information regarding this.

Soon this will all make it to the wiki...

thanks!
scott

Christian Kreibich wrote:
> Hi there,
>
> On Wed, 2007-01-31 at 22:01 +0800, CS Lee wrote:
>> Hi,
>>
>> I haven't seen any discussion on this matter yet, while I have heard
>> how bro developers fully utilize the bro-ids system.
>>
>> What's the good and standard management and maintenance process when
>> one deploys multiple bro-ids nodes in the site? This is tricky, as most
>> security admins always have their own way of administration, but I
>> would like to know how bro-ids developers such as Vern, Christian or
>> Robin are doing it, or others who would like to share the idea.
>
> I'm afraid there really is no definitive answer to this. It depends on
> the particular purpose of your distributed installation -- what events
> would you like to distribute, how big do you picture your network of Bro
> nodes to be, how sensitive are those (do you need to encrypt the
> communication), etc.
>
>> How are the analysis and correlation processes done through
>> multiple bro-ids nodes?
>
> All information is exchanged in the form of events.
> By writing suitable
> event handlers, you can perform arbitrary forms of analysis/aggregation/
> correlation on the events through the use of state tables and other
> typical Bro language features. (Note also that you can define multiple
> event handlers per event type, and that there is some meta-information
> on events available via built-in functions, such as is_remote_event().)
>
>> I know bro-ids documentation is improving, especially after the wiki was
>> launched. But I still can hardly find the answer to the questions above.
>> I would like to know how it is done practically.
>
> We're aware that documentation of the Bro communication features is
> sorely lacking. We're in the process of wikifying our documentation in
> the hope that it'll be easier for us to update it as the need arises. As
> always, scarcity of time is the main hurdle. :( The Broccoli manual has
> a reasonable level of detail on how to configure communicative setups.
>
> Cheers,
> Christian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFFwmjWK2Plq8B7ZBwRAgAEAKCWglm2RK3H+fh/EDodxvIvfpv3xgCgo8s+
F4wvTwFrOqG4WC+2OGe3ynM=
=qWvw
-----END PGP SIGNATURE-----

From christian at whoop.org Thu Feb 1 18:11:50 2007
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 01 Feb 2007 18:11:50 -0800
Subject: [Bro] I have some questions about Bro, thanks!
In-Reply-To: <001901c7462a$49eb8110$0301a8c0@jack>
References: <001901c7462a$49eb8110$0301a8c0@jack>
Message-ID: <1170382311.18672.12.camel@strangepork>

Hi Jack,

Bro can automatically produce a connection log containing a 1-line summary of all flows it observes. It sounds like this should be pretty close to what you want. See here for details:

http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events#Generic_Connection_Analysis

(This is part of the ongoing effort to wikify the manuals, apologies if it's still looking rough in places.)

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From robin at icir.org Thu Feb 1 19:10:08 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 1 Feb 2007 19:10:08 -0800
Subject: [Bro] three things
In-Reply-To: <45C12DE8.9000903@ncsa.uiuc.edu>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu>
Message-ID: <20070202031008.GA16532@icir.org>

On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
> Trace attached. You'll need to run bro with -C to ignore checksum errors.

Works for me:

\xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
T

With this script again:

redef udp_content_deliver_all_orig = T;

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	print contents;
	print /NCSA/ in contents;
	}

So, what does your script look like?

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From dopheide at ncsa.uiuc.edu Thu Feb 1 20:08:56 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Thu, 01 Feb 2007 22:08:56 -0600
Subject: [Bro] three things
In-Reply-To: <20070202031008.GA16532@icir.org>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org>
Message-ID: <45C2B958.9050002@ncsa.uiuc.edu>

The packet you have printed is part of a DNS request (I think). I've been having problems specifically with the kerberos AS_REQ packets also included in the trace file that apparently have different special characters. (I apologize if that wasn't clear.)
Instead of:
udp_content_deliver_all_orig = T;

Try:
redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	local mystring: string = sub_bytes(contents,47,(number+8-47));
	print dop, fmt("%s",mystring);
	if(mystring == /.*NCSA.*/ ){
		print dop, fmt("YAY");
	}
	}

I'm expecting your output to be:
dopheide\xa2^J\x1b^HNCSA.EDU
afsman\xa2^J\x1b^HNCSA.EDU

Rather than:
dopheide\xa2^J\x1b^HNCSA.EDU
YAY
afsman\xa2^J\x1b^HNCSA.EDU
YAY

-Mike

Robin Sommer wrote:
> On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
>
>> Trace attached. You'll need to run bro with -C to ignore checksum errors.
>
> Works for me:
>
> \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
> T
>
> With this script again:
>
> redef udp_content_deliver_all_orig = T;
>
> event udp_contents(u: connection, is_orig: bool, contents: string)
> {
> print contents;
> print /NCSA/ in contents;
> }
>
> So, what does your script look like?
>
> Robin
>

From christian at whoop.org Fri Feb 2 09:52:03 2007
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 02 Feb 2007 09:52:03 -0800
Subject: [Bro] I have some questions about Bro, thanks!
In-Reply-To: <000c01c74682$bcaf8220$a09b768c@oa>
References: <001901c7462a$49eb8110$0301a8c0@jack> <1170382311.18672.12.camel@strangepork> <000c01c74682$bcaf8220$a09b768c@oa>
Message-ID: <1170438723.18672.19.camel@strangepork>

Hi Jack,

On Fri, 2007-02-02 at 12:29 +0800, ??? wrote:
> Hi Christian,
>
> I mean that I want to produce a connections' statistic log containing a
> 1-line summary, not just a connection summary.
> For example, I want to produce a log file in which each line is the statistic
> about the past connections.
> Thank you for the response.

okay, but what do you mean by "statistic about the past connections"?

(ps: please keep the list cc'd, thanks.)

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From vern at icir.org Fri Feb 2 17:14:19 2007
From: vern at icir.org (Vern Paxson)
Date: Fri, 02 Feb 2007 17:14:19 -0800
Subject: [Bro] Traffic characteristics extraction with Bro
In-Reply-To: <45BA26AB.6070104@cse.buffalo.edu> (Fri, 26 Jan 2007 11:04:59 EST).
Message-ID: <200702030114.l131EJ9R077158@jaguar.icir.org>

> The result is interesting: for ALL connections, the total size from the
> ORIGINATOR side is an exact match, but for many connections, my values
> for the RESPONDER side are higher and the discrepancies depend on the
> total size.
> Is there a bug, Vern ?

It's likely that the responder side is more likely to retransmit packets. The usual way to diagnose something like this is pick the largest "offender", extract the corresponding packet trace, and inspect it by hand.

> 3> I found that handling packet level events (such as tcp_packet) made
> Bro run out of memory when analyzing a CRedII trace with lots of scans -
> even if the handler does nothing. Bro works fine, though, if I don't
> capture these events.

That certainly suggests a leak. As we don't use tcp_packet in production use, we haven't tripped across this before.

> 4> It would be nice if there's an overview explanation about the Bro CC
> code, for someone who needs to extend or modify the code. Doesn't have
> to be long, one or 2 pages are fine.

Well, I don't know about "doesn't have to be long" - it is, after all, more than 100,000 lines of code. In any case, we're aware that this would be nice to have, but it's in fact a great deal of work, beyond our present resources (since we're funded primarily for research rather than development).

> Also it would be great if we have
> a page for people to share useful policy/scripts files.
We have the beginnings of this in

http://www.bro-ids.org/wiki/index.php/Category:User_Contributions

though at present we do not provide public edit-access to the Wiki, but rather populate this based on contributions folks send us. Alternatively, one can use the mailing list for this, until a contribution is developed and stable enough to merit widespread use.

> 5> I really like the Bro language and am learning a lot from Bro.
> Thanks for creating such a wonderful tool.

Very pleased to hear it!

Vern

From zreimer2 at unlnotes.unl.edu Mon Feb 5 09:06:10 2007
From: zreimer2 at unlnotes.unl.edu (Zachary P Reimer)
Date: Mon, 5 Feb 2007 11:06:10 -0600
Subject: [Bro] Performance questions
Message-ID: 

I've been testing out bro 1.1c, and am looking at putting it into production, but have a couple of questions about hardware and performance issues. I'm currently running under FreeBSD 6. The throughput it'll be watching won't be extremely high (~200Mb), but connection counts will be quite high. The main question is whether to get a multiprocessor/multicore box, or split out some of the traffic to multiple smaller boxes. I haven't seen any discussion in the archives about support for SMP (other than a 2005 conversation about the lack of SMP under Linux) and I'd prefer to not split out into multiple boxes, so I wanted to verify if bro will take advantage of the multiple processors.

The other question is about the performance/CPU impact of the Dynamic Protocol Detection feature in 1.2, since I haven't seen discussion around that and would like to use it.

Thanks,
Zac
From dopheide at ncsa.uiuc.edu Mon Feb 5 09:42:48 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Mon, 05 Feb 2007 11:42:48 -0600
Subject: [Bro] three things
In-Reply-To: <45C2B958.9050002@ncsa.uiuc.edu>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org> <45C2B958.9050002@ncsa.uiuc.edu>
Message-ID: <45C76C98.7070905@ncsa.uiuc.edu>

My previous code sample was incomplete, here's an accurate bro script to go along with my trace if anyone wants to try it out.

redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

global dop = open_log_file("dop") &redef;
global realm = "NCSA.EDU";

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	local number = strstr(contents,realm);
	local mystring: string = sub_bytes(contents,47,(number+8-47));
	print dop, fmt("%s",mystring);
	if(mystring == /.*NCSA.*/ ){
		print dop, fmt("YAY");
	}
	}

Mike Dopheide wrote:
> The packet you have printed is part of a DNS request (I think). I've
> been having problems specifically with the kerberos AS_REQ packets also
> included in the trace file that apparently have different special
> characters. (I apologize if that wasn't clear.)
>
> Instead of:
> udp_content_deliver_all_orig = T;
>
> Try:
> redef udp_content_delivery_ports_orig = { [88/udp] = T };
> redef udp_content_delivery_ports_resp = { [88/udp] = T };
>
> event udp_contents(u: connection, is_orig: bool, contents: string)
> {
> local mystring: string = sub_bytes(contents,47,(number+8-47));
> print dop, fmt("%s",mystring);
> if(mystring == /.*NCSA.*/ ){
> print dop, fmt("YAY");
> }
> }
>
> I'm expecting your output to be:
> dopheide\xa2^J\x1b^HNCSA.EDU
> afsman\xa2^J\x1b^HNCSA.EDU
>
> Rather than:
> dopheide\xa2^J\x1b^HNCSA.EDU
> YAY
> afsman\xa2^J\x1b^HNCSA.EDU
> YAY
>
> -Mike
>
> Robin Sommer wrote:
>> On Wed, Jan 31, 2007 at 18:01 -0600, Mike Dopheide wrote:
>>
>>> Trace attached. You'll need to run bro with -C to ignore checksum errors.
>> Works for me:
>>
>> \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
>> T
>>
>> With this script again:
>>
>> redef udp_content_deliver_all_orig = T;
>>
>> event udp_contents(u: connection, is_orig: bool, contents: string)
>> {
>> print contents;
>> print /NCSA/ in contents;
>> }
>>
>> So, what does your script look like?
>>
>> Robin
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

From robin at icir.org Mon Feb 5 09:53:07 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 5 Feb 2007 09:53:07 -0800
Subject: [Bro] Performance questions
In-Reply-To: 
References: 
Message-ID: <20070205175307.GB5318@icir.org>

On Mon, Feb 05, 2007 at 11:06 -0600, Zachary P Reimer wrote:
> split out into multiple boxes, so I wanted to verify if bro will take
> advantage of the multiple processors.

It does not, for the most part. All of the main analysis is done in a single process and not able to make use of multiple CPUs. The only exception is remote communication which does the actual i/o via a second process (but just the i/o; e.g., data structures are still serialized by the main process).
We're planning to structure the processing into something more parallelizable eventually but this will take some time.

> The other question is about the performance/CPU impact of the Dynamic
> Protocol Detection feature in 1.2, since I haven't seen discussion around
> that and would like to use it.

The main performance impact is the need to inspect all packets (instead of using a packet filter which selects only the relevant subset of ports, as Bro used to do it). See this paper for some performance numbers measured with an earlier prototype:

http://www.icir.org/robin/papers/usenix06.pdf

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From christian at whoop.org Mon Feb 5 10:03:34 2007
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 05 Feb 2007 10:03:34 -0800
Subject: [Bro] [Fwd: Re: I have some questions about Bro, thanks!]
Message-ID: <1170698614.26989.3.camel@strangepork>

(I'm forwarding to the list again.)

-------- Forwarded Message --------
> From: ???
> Cc: Christian Kreibich
> Subject: Re: [Bro] I have some questions about Bro, thanks!
> Date: Sun, 4 Feb 2007 16:13:12 +0800
>
> These statistics may be things like "the number of connections to the same host
> as the current connection in the past two seconds".
> It is like the KDD Cup 99 features, which have a time window.
> Thanks!!
>
> Best Regards,
> Jack
> 2007/2/4

From mtdedlow at lbl.gov Mon Feb 5 10:30:22 2007
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Mon, 05 Feb 2007 10:30:22 -0800
Subject: [Bro] Performance questions
In-Reply-To: 
References: 
Message-ID: <45C777BE.3050608@lbl.gov>

Zachary P Reimer wrote:
>
> I've been testing out bro 1.1c, and am looking at putting it into
> production, but have a couple of questions about hardware and
> performance issues. I'm currently running under FreeBSD 6. The
> throughput it'll be watching won't be extremely high (~200Mb), but
> connection counts will be quite high.
> The main question is whether to
> get a multiprocessor/multicore box, or split out some of the traffic to
> multiple smaller boxes.

I can't say much about Bro, per se, but I recently did some performance testing of packet capture on FreeBSD 6 (ie, all the layers beneath Bro), and found that multiple processors do not help much. For example, top-of-the-line dual Xeon CPUs (>$4,000 of CPU) performed ~5% better than a single PentiumD at under $500.

I'd also note that Bro cpu load is highly dependent on policy set. As a floor benchmark, I've seen a connection-logging only policy on a link averaging 100-200Mbs consume about 1% cpu on a low-end single cpu system. You can't extrapolate much from this, except to note that the Bro core seems to place very little demand on a system.

Mark

From christian at whoop.org Mon Feb 5 12:04:58 2007
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 05 Feb 2007 12:04:58 -0800
Subject: [Bro] three things
In-Reply-To: <1170280659.8770.41.camel@strangepork>
References: <45C0F623.1060301@ncsa.uiuc.edu> <1170280659.8770.41.camel@strangepork>
Message-ID: <1170705898.2442.13.camel@strangepork>

On Wed, 2007-01-31 at 13:57 -0800, Christian Kreibich wrote:
>> 2)
>> While looking at (1) I found that all patterns fail with bro-1.2.1 on
>> Fedora Core 5:
>>
>> line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/
>>
>> It happens with patterns I write or any patterns in the provided .bro
>> files. bro-1.1d works just fine on FC5 and bro-1.2.1 works fine on RHEL4
>
> Thanks for this. We've received another report of this problem, but it
> had us scratching our heads. It's great to know more precisely now where
> it occurs. We'll look into it.

A quick update on this: we can confirm the issue. It seems that for some reason the generated parser code shipped with 1.2.1 breaks on at least FC5. We're unsure as to why this is, but it is likely related to the fact that the bison that was used to create the parser is quite old.
For the time being, the fix is to remove the generated parser files and use a local bison installation to regenerate them. To do so, remove the following files in src/ before doing a make (this removes all generated parser files, not just the regex-related ones):

$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From robin at icir.org Mon Feb 5 12:30:35 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 5 Feb 2007 12:30:35 -0800
Subject: [Bro] three things
In-Reply-To: <45C76C98.7070905@ncsa.uiuc.edu>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org> <45C2B958.9050002@ncsa.uiuc.edu> <45C76C98.7070905@ncsa.uiuc.edu>
Message-ID: <20070205203035.GA6835@icir.org>

On Mon, Feb 05, 2007 at 11:42 -0600, Mike Dopheide wrote:
> My previous code sample was incomplete, here's an accurate bro script to
> go along with my trace if anyone wants to try it out.

Thanks! I'm now able to confirm it, and I will look into it. I'm pretty sure that it's because ".*" does not match across new-lines. However, I need to check whether we can change that or whether that would break something else.
Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From seth at net.ohio-state.edu Mon Feb 5 12:41:17 2007
From: seth at net.ohio-state.edu (Seth Hall)
Date: Mon, 5 Feb 2007 15:41:17 -0500
Subject: [Bro] three things
In-Reply-To: <20070205203035.GA6835@icir.org>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org> <45C2B958.9050002@ncsa.uiuc.edu> <45C76C98.7070905@ncsa.uiuc.edu> <20070205203035.GA6835@icir.org>
Message-ID: <4A700790-D9AA-400C-8494-456A1B41CEFD@net.ohio-state.edu>

On Feb 5, 2007, at 3:30 PM, Robin Sommer wrote:
> Thanks! I'm now able to confirm it, and I will look into it. I'm
> pretty sure that it's because ".*" does not match across new-lines.
> However, I need to check whether we can change that or whether that
> would break something else.

Is the bro policy language pattern matching code separate from the signature pattern matching code? ".*" matches across newlines for me in signatures.

.Seth

From robin at icir.org Mon Feb 5 12:52:08 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 5 Feb 2007 12:52:08 -0800
Subject: [Bro] three things
In-Reply-To: <4A700790-D9AA-400C-8494-456A1B41CEFD@net.ohio-state.edu>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org> <45C2B958.9050002@ncsa.uiuc.edu> <45C76C98.7070905@ncsa.uiuc.edu> <20070205203035.GA6835@icir.org> <4A700790-D9AA-400C-8494-456A1B41CEFD@net.ohio-state.edu>
Message-ID: <20070205205207.GC6835@icir.org>

On Mon, Feb 05, 2007 at 15:41 -0500, Seth Hall wrote:
> Is the bro policy language pattern matching code separate from the
> signature pattern matching code? ".*" matches across newlines for me
> in signatures.
The code is the same but internally there is actually a flag toggling multiline matching; it's enabled for signatures but not for script-level regexps.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Feb 5 19:39:57 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 5 Feb 2007 19:39:57 -0800
Subject: [Bro] three things
In-Reply-To: <20070205203035.GA6835@icir.org>
References: <45C0F623.1060301@ncsa.uiuc.edu> <20070201010934.GB32680@icir.org> <45C12DE8.9000903@ncsa.uiuc.edu> <20070202031008.GA16532@icir.org> <45C2B958.9050002@ncsa.uiuc.edu> <45C76C98.7070905@ncsa.uiuc.edu> <20070205203035.GA6835@icir.org>
Message-ID: <20070206033957.GA12923@icir.org>

On Mon, Feb 05, 2007 at 12:30 -0800, I wrote:
> However, I need to check whether we can change that or whether that
> would break something else.

Seems that it would actually change semantics in an unexpected way. But as a work-around you can use "(.|\n)", e.g.,

if( mystring == /(.|\n)*NCSA(.|\n)*/ )

(This tip is from Vern.)

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From diogo_c at brturbo.com.br Tue Feb 6 05:38:50 2007
From: diogo_c at brturbo.com.br (diogo_c at brturbo.com.br)
Date: Tue, 06 Feb 2007 11:38:50 -0200
Subject: [Bro] VPN Traffic Detection
Message-ID: 

Hello,

has anyone ever tested a way to detect VPN traffic? Could BRO detect the connection initiation?

After reading the RFC about ISAKMP I have found some characteristics about this protocol that could help detect it, but I don't want to reinvent the wheel and there are other protocols used in VPN tunneling.

Ideas anyone??
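Following Diogo's idea of using ISAKMP's own characteristics, here is an added example that is not part of this thread or of the Bro distribution: a script-level check that the first payload on UDP/500 (or NAT-T UDP/4500) carries a plausible ISAKMP header, using the udp_contents event and the udp_content_delivery_ports_* tables that appear in the "three things" thread above. The header layout is from RFC 2408 section 3.1 and the IKEv2 values from RFC 4306. It assumes sub_bytes() takes 1-based offsets, as Mike Dopheide's script above uses it; the ike log name, the one-hour de-duplication window and the function names are this example's own choices. It goes a little beyond Diogo's question by also recognising an IKEv2 IKE_SA_INIT.

```bro
# Added example (not from this thread or the Bro distribution): flag
# the first message of an IKE negotiation on UDP/500 or NAT-T UDP/4500
# by checking the ISAKMP header (RFC 2408 section 3.1; IKEv2 values
# from RFC 4306).  Assumptions: udp_contents and the
# udp_content_delivery_ports_* tables as used elsewhere in this
# thread, and 1-based offsets for sub_bytes() as in Mike Dopheide's
# script.  Log name, function names and the 1 hr window are this
# example's own choices.

redef udp_content_delivery_ports_orig += { [500/udp] = T, [4500/udp] = T };
redef udp_content_delivery_ports_resp += { [500/udp] = T, [4500/udp] = T };

global ike_log = open_log_file("ike") &redef;

# Connections already reported, so each negotiation is logged once.
global ike_seen: set[conn_id] &create_expire = 1 hr;

# ISAKMP header: initiator cookie (8), responder cookie (8), next payload
# (1), version (1), exchange type (1), flags (1), message ID (4), length (4).
const isakmp_hdr_len = 28;

# Returns "ikev1", "ikev2" or "" for a UDP payload from which any NAT-T
# non-ESP marker has already been removed.
function isakmp_version(p: string, is_orig: bool): string
	{
	if ( byte_len(p) < isakmp_hdr_len )
		return "";

	local next_payload = sub_bytes(p, 17, 1);
	local version = sub_bytes(p, 18, 1);
	local exch = sub_bytes(p, 19, 1);

	# The initiator's first message carries an all-zero responder cookie.
	if ( is_orig && sub_bytes(p, 9, 8) != "\x00\x00\x00\x00\x00\x00\x00\x00" )
		return "";

	# IKEv1: version 1.0, SA payload (1) first, Identity Protection (2)
	# or Aggressive (4) exchange.
	if ( version == "\x10" && next_payload == "\x01" &&
	     (exch == "\x02" || exch == "\x04") )
		return "ikev1";

	# IKEv2: version 2.0, SA payload (33) first, IKE_SA_INIT (34) exchange.
	if ( version == "\x20" && next_payload == "\x21" && exch == "\x22" )
		return "ikev2";

	return "";
	}

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	if ( u$id in ike_seen )
		return;

	local p = contents;

	# NAT-T (UDP/4500) prefixes ISAKMP with a 4-byte zero "non-ESP marker";
	# anything else on that port is ESP-in-UDP and carries no header.
	if ( u$id$resp_p == 4500/udp )
		{
		if ( byte_len(p) < 4 || sub_bytes(p, 1, 4) != "\x00\x00\x00\x00" )
			return;
		p = sub_bytes(p, 5, byte_len(p) - 4);
		}

	local v = isakmp_version(p, is_orig);
	if ( v == "" )
		return;

	add ike_seen[u$id];
	print ike_log, fmt("%.6f %s %s -> %s:%s (%s)", network_time(), v,
	                   u$id$orig_h, u$id$resp_h, u$id$resp_p,
	                   is_orig ? "initiator" : "responder");
	}
```

This is a port-plus-header heuristic, not a protocol analyzer: it will not see IKE moved off its well-known ports (that is what Dynamic Protocol Detection is for), and it says nothing about the ESP or AH traffic that follows the negotiation. Checking the responder-cookie and exchange-type fields rather than just the port keeps stray UDP/500 scans and replies out of the log.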
From vern at icir.org Wed Feb 7 00:24:35 2007
From: vern at icir.org (Vern Paxson)
Date: Wed, 07 Feb 2007 00:24:35 -0800
Subject: [Bro] VPN Traffic Detection
In-Reply-To: (Tue, 06 Feb 2007 11:38:50 -0200).
Message-ID: <200702070824.l178OZAo062698@jaguar.icir.org>

> anyone has ever tested a way to detect VPN Traffic?

If it's using IPSEC, then it should be easy to detect due to use of well-known ports. That said, Bro doesn't have any IPSEC analyzers (if you're interested in contributing some, please let us know!).

Vern

From yuppie4ever at gmail.com Wed Feb 7 02:50:59 2007
From: yuppie4ever at gmail.com (Yuppie)
Date: Wed, 07 Feb 2007 02:50:59 -0800
Subject: [Bro] signature match bug
Message-ID: <1170845459.10071.55.camel@chaos.bivio.net>

I found this comment in RuleMatcher.cc.

// - Sometimes, the signature match event is generated after a
//   connection_finished (or similar) event. Using the default rules.bro,
//   this means that we will not see the rule id in the connection summary.

I wanted to fix this bug. Can somebody tell me what's the basic problem here... and any hints on the approach? I'm new to Bro regex matching code... so any documentation in understanding how Bro regex matching works would help too.

thanks
-y

From brian.scott.1973 at gmail.com Wed Feb 7 04:42:29 2007
From: brian.scott.1973 at gmail.com (Brian Scott)
Date: Wed, 7 Feb 2007 13:42:29 +0100
Subject: [Bro] SSH logging
Message-ID: <37fc4fcc0702070442g4786e5b6q8f41ddac30b34868@mail.gmail.com>

Hi all,

we were trying to log all SSH connections going to one of our test computers.

Even though they appear in the conn log, it does not even create an ssh log. Do we need to activate this module at a certain place?

Brian
From dopheide at ncsa.uiuc.edu Wed Feb 7 13:26:49 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Wed, 07 Feb 2007 15:26:49 -0600
Subject: [Bro] timely question about tables
Message-ID: <45CA4419.9090801@ncsa.uiuc.edu>

For table attributes such as &create_expire and &write_expire, is elapsed time based on real time or network time? (My experiments would claim real time, but I want to be wrong.)

Thanks,
Mike

From robin at icir.org Wed Feb 7 14:52:24 2007
From: robin at icir.org (Robin Sommer)
Date: Wed, 7 Feb 2007 14:52:24 -0800
Subject: [Bro] timely question about tables
In-Reply-To: <45CA4419.9090801@ncsa.uiuc.edu>
References: <45CA4419.9090801@ncsa.uiuc.edu>
Message-ID: <20070207225223.GA19907@icir.org>

On Wed, Feb 07, 2007 at 15:26 -0600, Mike Dopheide wrote:
> For table attributes such as &create_expire and &write_expire, is
> elapsed time based on real time or network time?

It's network time but note that the timeouts actually give *minimum* intervals before elements are expired; elements may be kept longer than the interval specifies, especially for large tables.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From dhanesh at tataelxsi.co.in Thu Feb 8 03:53:22 2007
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Thu, 8 Feb 2007 17:23:22 +0530
Subject: [Bro] Assinging a string to a variable
Message-ID: <000501c74b77$bc502970$0637a8c0@telxsi.com>

Hi All,

I have problems in assigning a string to a variable in the bro file (bro-1.1d).

local act: string;
if (value == 1) {
	act = "SAFE";
} else {
	act = "CHECK";
}

The bro stopped when traffic was seen.

I also tried using sub_bytes. I got the following error.

1170987410.223443 /root/bro-devel/dhanesh/site/dhanbro.bro, line 293 (act = sub_bytes(SAFE, 0, len)): error, illegal assignment in initialization.
Can anyone suggest a method for assigning strings to a variable.

Thanks,
Dhanesh.

From seth at net.ohio-state.edu Thu Feb 8 04:58:11 2007
From: seth at net.ohio-state.edu (Seth Hall)
Date: Thu, 8 Feb 2007 07:58:11 -0500
Subject: [Bro] Assinging a string to a variable
In-Reply-To: <000501c74b77$bc502970$0637a8c0@telxsi.com>
References: <000501c74b77$bc502970$0637a8c0@telxsi.com>
Message-ID:

On Feb 8, 2007, at 6:53 AM, Jaya Dhanesh wrote:

> I have problems in assigning a string to a variable in the bro file
> (bro-1.1d).

Do you have this problem in 1.2.1? I just tried both of your examples on
1.2 and they worked fine for me. When bro died when you tried to assign
a string to a variable did you get any error message?

.Seth

From vern at icir.org Thu Feb 8 07:34:46 2007
From: vern at icir.org (Vern Paxson)
Date: Thu, 08 Feb 2007 07:34:46 -0800
Subject: [Bro] Assinging a string to a variable
In-Reply-To: <000501c74b77$bc502970$0637a8c0@telxsi.com> (Thu, 08 Feb 2007 17:23:22 +0530).
Message-ID: <200702081534.l18FYk3A012470@jaguar.icir.org>

> I have problems in assigning a string to a variable in the bro file
> (bro-1.1d).
>
> local act: string;
> if (value == 1) {
>     act = "SAFE";
> } else {
>     act = "CHECK";
> }
>
> The bro stopped when traffic was seen.

If at all possible when posting problems like this to the list, please
include a full script that illustrates the problem (and if you can a
trace, if needed). The above has a variable "value" that isn't declared,
so I don't know how to try reproducing it.

It also isn't clear what you mean by "stopped when traffic was seen".
Do you mean the Bro process exited/crashed?
Vern

From robin at icir.org Thu Feb 8 14:53:42 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 Feb 2007 14:53:42 -0800
Subject: [Bro] SSH logging
In-Reply-To: <37fc4fcc0702070442g4786e5b6q8f41ddac30b34868@mail.gmail.com>
References: <37fc4fcc0702070442g4786e5b6q8f41ddac30b34868@mail.gmail.com>
Message-ID: <20070208225342.GB26141@icir.org>

On Wed, Feb 07, 2007 at 13:42 +0100, Brian Scott wrote:

> Do we need to activate this module at a certain place?

Have you loaded ssh.bro?

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From jp.luiggi at free.fr Thu Feb 8 16:03:19 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 8 Feb 2007 19:03:19 -0500
Subject: [Bro] SSH logging
In-Reply-To: <37fc4fcc0702070442g4786e5b6q8f41ddac30b34868@mail.gmail.com>
References: <37fc4fcc0702070442g4786e5b6q8f41ddac30b34868@mail.gmail.com>
Message-ID: <20070209000319.GA23063@armada.mynetwork.local>

Hello Brian,

Just check "brolite.bro" (/policy)

====
## Dynamic Protocol Detection configuration
#
# This is off by default, as it requires a more powerful Bro host.
# Uncomment next line to activate.
const use_dpd = T;

@ifdef ( use_dpd )
@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy
@load ssh
====

If you uncomment the "const use_dpd = T;" line, you'll get ssh activated.

Best regards.

On Wed, Feb 07, 2007 at 01:42:29PM +0100, Brian Scott wrote:
> Hi all,
>
> we were trying to log all SSH connections going to one of our test
> computers.
>
> Even though they appear in the conn log, it does not even create a ssh log.
> Do we need to activate this module at a certain place?
>
>
> Brian
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From robin at icir.org Thu Feb 8 16:59:25 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 Feb 2007 16:59:25 -0800
Subject: [Bro] signature match bug
In-Reply-To: <1170845459.10071.55.camel@chaos.bivio.net>
References: <1170845459.10071.55.camel@chaos.bivio.net>
Message-ID: <20070209005925.GA26744@icir.org>

On Wed, Feb 07, 2007 at 02:50 -0800, Yuppie wrote:

> I found this comment in RuleMatcher.cc.
>
> // - Sometimes, the signature match event is generated after a
> //   connection_finished (or similar) event. Using the default rules.bro,
> //   this means that we will not see the rule id in the connection summary.

Hmm... I think the comment is out of date. These days the connection
summaries are generated by a connection_state_remove() handler in
conn.bro. I don't think a signature_match can be generated *after* the
connection_state_remove event (which is raised when the internal
connection state is flushed). So, seems there's nothing to fix. :-)

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From bindiyavs at tataelxsi.co.in Mon Feb 19 02:22:24 2007
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Mon, 19 Feb 2007 15:52:24 +0530 (IST)
Subject: [Bro] help for adding new packet filter
Message-ID: <20070219155224.CGG44095@mail.tataelxsi.co.in>

Hi guys,

I am trying to integrate GRE protocol in BRO. When I tried adding pcap
filter for the protocol - by adding the following lines in the bro file
in site directory

    redef capture_filters = {
        ["tcp"]  = "tcp",
        ["udp"]  = "udp",
        ["icmp"] = "icmp",
        ["gre"]  = "gre"
    };

it is giving the following run-time error.
    line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
    can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

When using 1.1, I was able to use empty capture filter - by adding the
following line in the hostname.bro file -

    redef capture_filters = { };

and get all the packets captured. The same is not working for 1.2 version.

Somebody please help me out.

Thanks,
Bindiya V S

From ducha at cse.buffalo.edu Mon Feb 19 10:21:07 2007
From: ducha at cse.buffalo.edu (Duc T Ha)
Date: Mon, 19 Feb 2007 13:21:07 -0500
Subject: [Bro] Auckland Traffic Trace
Message-ID: <45D9EA93.6080604@cse.buffalo.edu>

Sorry for a deviate question. I am wondering if anybody here worked with
some existing network traffic traces and might provide some help.

+ Recently, I went through repositories like NLANR, LBL's and Auckland to
get some statistics. Somehow, the Auckland trace is very strange. For
example, Bro returns nothing about connection statistics (using "conn"
policy file). I checked again with Ethereal and found that in every
connection reported by Ethereal, there's only one flow (the other
direction is completely missing: 0 packets, 0 bytes). Another tool
returns the same result. Does anybody here know why?

+ I wonder if there is any mailing list/group dedicated to this topic
(something like this list).

Any tip will be very much appreciated.

Thanks and best regards,
Duc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ducha.vcf
Type: text/x-vcard
Size: 263 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070219/49de5d8e/attachment.vcf

From vern at icir.org Mon Feb 19 10:38:00 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 19 Feb 2007 10:38:00 -0800
Subject: [Bro] help for adding new packet filter
In-Reply-To: <20070219155224.CGG44095@mail.tataelxsi.co.in> (Mon, 19 Feb 2007 15:52:24 +0530).
Message-ID: <200702191838.l1JIc07Z098797@jaguar.icir.org>

> line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
> can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

The problem is that tcpdump (at least my version) doesn't have a "gre"
keyword. So, to specify that you want to capture GRE traffic, you'll
need to describe it directly in terms of the IP "protocol" field (e.g.,
"tcp" is the same as "ip proto 6").

Vern

From bindiyavs at tataelxsi.co.in Mon Feb 19 19:22:47 2007
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Tue, 20 Feb 2007 08:52:47 +0530
Subject: [Bro] help for adding new packet filter
In-Reply-To: <200702191838.l1JIc07Z098797@jaguar.icir.org>
Message-ID: <000001c7549e$65bba230$1737a8c0@telxsi.com>

Thanks
That fixed it :)

-----Original Message-----
From: Vern Paxson [mailto:vern at icir.org]
Sent: Tuesday, February 20, 2007 12:08 AM
To: Bindiya V S
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] help for adding new packet filter

> line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
> can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)

The problem is that tcpdump (at least my version) doesn't have a "gre"
keyword. So, to specify that you want to capture GRE traffic, you'll
need to describe it directly in terms of the IP "protocol" field (e.g.,
"tcp" is the same as "ip proto 6").

Vern

From christian.novello at gmail.com Tue Feb 20 03:16:25 2007
From: christian.novello at gmail.com (Christian Novello)
Date: Tue, 20 Feb 2007 12:16:25 +0100
Subject: [Bro] FTP data connections
Message-ID: <339de9bb0702200316u35b4b957r9beb0e1265e11673@mail.gmail.com>

Hello,

I'm using bro to analyze ftp sessions and I want to identify ftp data
connections.

If the ftp session is in active mode, in ftp log file there is any line
that indicate a ftp data connection instead in connection log file there is.
Instead in passive mode there are any lines both in ftp log file and
connection log file.

Are there any instructions that must be enabled to print information
about data connections in ftp log file?

Thanks
Christian Novello

From vern at icir.org Tue Feb 20 10:02:02 2007
From: vern at icir.org (Vern Paxson)
Date: Tue, 20 Feb 2007 10:02:02 -0800
Subject: [Bro] FTP data connections
In-Reply-To: <339de9bb0702200316u35b4b957r9beb0e1265e11673@mail.gmail.com> (Tue, 20 Feb 2007 12:16:25 +0100).
Message-ID: <200702201802.l1KI22Ee081995@jaguar.icir.org>

> I'm using bro to analyze ftp sessions and I want to identify ftp data connections.
>
> If the ftp session is in active mode, in ftp log file there is any
> line that indicate a ftp data connection instead in connection log
> file there is.
> Instead in passive mode there are any lines both in ftp log file and
> connection log file.

I'm afraid I'm having difficulty understanding from the above exactly
what you're asking. However, Bro's FTP analyzer (see policy/ftp.bro)
treats passive and active FTP transfers the same in terms of identifying
the corresponding connection as "ftp-data". See the calls in the script
to expect_connection().

> Are there any instructions that must be enabled to print information
> about data connections in ftp log file?

What information about the connections do you want? They're already
present in terms of PASV/PORT directives.

Vern

From mcuttler at bnl.gov Tue Feb 20 11:53:45 2007
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Tue, 20 Feb 2007 14:53:45 -0500
Subject: [Bro] question about send_email_notice
Message-ID: <45DB51C9.2030405@bnl.gov>

Bro users and developers,

We have modified our notice action filters; some notices/alerts get sent
via email (while others only get logged to file_notice).
A small snippet:

    redef notice_action_filters += {
        [[AddressScan, PortScan, PasswordGuessing ]] = send_email_notice,
    };

    redef notice_action_filters += {
        [[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound ]] = file_notice,
    };

My question is: Is it easily possible to place additional information in
the email notices themselves?

For example, an AddressScan mail might simply say, "10.11.12.13 has
scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
("grep time" if you will) if the mail included the hosts which were
considered scanned by Bro.

Thanks,
Matt Cuttler

From bltierney at lbl.gov Wed Feb 21 19:35:26 2007
From: bltierney at lbl.gov (Brian Tierney)
Date: Wed, 21 Feb 2007 22:35:26 -0500
Subject: [Bro] question about send_email_notice
In-Reply-To: <45DB51C9.2030405@bnl.gov>
References: <45DB51C9.2030405@bnl.gov>
Message-ID: <45DD0F7E.1000303@lbl.gov>

My solution to this was to modify the email_notice function in notice.bro
as follows:

    function email_notice(n: notice_info, action: NoticeAction, info: string)
        {
        if ( ! reading_live_traffic() || mail_dest == "" )
            return;

        # Choose destination address based on action type.
        local destination = (action == NOTICE_EMAIL) ? mail_dest : mail_page_dest;

        local mail_cmd = "";

        # Note: info and n$msg are substituted into the command string
        # as-is; system() below hands that string to the shell.
        if ( detailed_email )
            {
            # this version assumes script to generate more detailed Alarm
            mail_cmd = fmt("echo \"%s\" \| %s %s", info, mail_script, destination);
            }
        else
            {
            # this version assumes simple Alarm sent
            # directly to Mail command
            mail_cmd = fmt("echo \"%s\" | %s -s \"[Bro Alarm] %s\" %s",
                           n$msg, mail_script, n$note, destination);
            }

        system(mail_cmd);
        }

----

By passing 'info' to this function, I was able to write my own email
script containing the extra information.

Matt Cuttler wrote:
> Bro users and developers,
>
> We have modified our notice action filters; some notices/alerts get sent
> via email (while others only get logged to file_notice).
>
> A small snippet:
>
> redef notice_action_filters += {
>     [[AddressScan, PortScan, PasswordGuessing ]] = send_email_notice,
> };
>
> redef notice_action_filters += {
>     [[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound ]] =
>     file_notice,
> };
>
>
> My question is: Is it easily possible to place additional information in
> the email notices themselves?
>
> For example, an AddressScan mail might simply say, "10.11.12.13 has
> scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
> ("grep time" if you will) if the mail included the hosts which were
> considered scanned by Bro.
>
> Thanks,
> Matt Cuttler
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From jbabbinlists at gmail.com Thu Feb 22 11:25:44 2007
From: jbabbinlists at gmail.com (Jake Mailinglists)
Date: Thu, 22 Feb 2007 14:25:44 -0500
Subject: [Bro] Openbsd 4.0 and Bro 1.2x patch
In-Reply-To: <118136780702221118xd59913bq1f92eab7617cc47a@mail.gmail.com>
References: <118136780702221118xd59913bq1f92eab7617cc47a@mail.gmail.com>
Message-ID: <118136780702221125ue179e74m6ad08b1c2ffabe83@mail.gmail.com>

List,

Thought this might be helpful to the people working on getting bro 1.2.x
working on the OpenBSD 4.0 platforms. A big thanks to JP for the help and
patience...
Step 1 - copy the attached configure.in file into the "bro-1.2.x" directory

Step 2 - patch the source with the attached patch or copy the attached
*.cc and *.h files into the "src" directory

Step 3 - run "autoconf-version-number" (example autoconf-2.60) from the
"bro-1.2x" directory and then run "./configure --with-your-options"

Step 4 - add this to the end of the line for "LIBS=" in your Makefile in
the src directory "-lm". This fixes the error on Openbsd for "strlcpy vs
strcpy"

Let me know if this doesn't work.

Jake

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070222/bf9c36bb/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OPENBSD40_BRO121.zip
Type: application/zip
Size: 45380 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070222/bf9c36bb/attachment.zip

From nikns at secure.lv Fri Feb 23 12:39:39 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Fri, 23 Feb 2007 22:39:39 +0200
Subject: [Bro] OpenBSD 4.0 bro-1.2.1 port
Message-ID: <20070223203939.GA24166@secure.lv>

made for 4.0! will fail on current...
http://secure.lv/~nikns/stuff/ports/bro-1.2.1.tar

comments:

1) for bpf_timeval issue would recommend to define struct pcap_timeval
with 32bits tv elements for portability, take a look on patches in port.

2) nonblocking dns (ports/net/libbind) works fine with openbsd, except it
throws ugly warning about libc and libbind conflicting symbols. I hope
it will get fixed in -current soon. renaming conflicting symbols helps:
http://secure.lv/~nikns/stuff/ports/libbind-9.3.2p1.diff

3) If building with libbind, then aux/broccoli/test/broping.o wants
linking against -lbind...

4) Including net/ethertypes.h in ARP.h is trivial...

5) There should be possibility to avoid picking up libclamav or libmagic
for example with --without-... configure options...
if any issues with this port [except libbind warnings], please, contact
me, so I can fix this in port...

From abhinay at cs.utexas.edu Fri Feb 23 18:05:13 2007
From: abhinay at cs.utexas.edu (Abhinay Kampasi)
Date: Fri, 23 Feb 2007 20:05:13 -0600
Subject: [Bro] Two-dimensional arrays and for loop in Bro
Message-ID:

Hi,

I need to use two-dimensional (2D) arrays and for loops in one of my
policy scripts. Could someone please clarify the following questions for
me.

1. I am thinking of implementing 2D arrays as table of tables. Is this
the best way of doing this? Is "array[][]" in C equivalent to "global
array: table[count] of table[count] of count" in Bro? Can I access an
element of this array as array[index1][index2]? Also, is there a
short-hand notation of initializing all the elements of the 2D array to 0?

2. The reference manual mentions that Bro lacks ways of controlling the
order in which it iterates over the indices in a for loop. I need to
iterate over a for loop in order. What is the best way of doing this?

Thanks and Regards,
Abhinay

From bindiyavs at tataelxsi.co.in Tue Feb 27 02:55:44 2007
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Tue, 27 Feb 2007 16:25:44 +0530 (IST)
Subject: [Bro] problem with TCP partial connection
Message-ID: <20070227162544.CGN54461@mail.tataelxsi.co.in>

Hi,

I was trying to use the FTP analyzer in the bro1.2 to analyze FTP
packets. We were trying to do some tcpreplays with some captured pcaps.
We have some FTP pcaps that are not having any TCP handshake packets. On
replaying these packets it is observed that the signature matching for
TCP is not getting invoked (ie. signatures with ip-proto == tcp). It
looks like the rulematcher of TCP is not getting called.

Is there any way we can invoke TCP rulematcher for a set of TCP
application packets which don't have any handshake packets?
Thanks
Bindiya

From dopheide at ncsa.uiuc.edu Tue Feb 27 15:25:08 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Tue, 27 Feb 2007 17:25:08 -0600
Subject: [Bro] Type conversion and table initialization
Message-ID: <45E4BDD4.6070807@ncsa.uiuc.edu>

It's been a couple weeks since I had a problem, so now I've got two. :)

1) hex-string to addr type conversion

I've got a udp packet that contains an IP address in the packet
contents[*]. I can easily grab it with sub_bytes() and end up with a
string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr so
I can do comparisons easily. After looking through the *.bif.bro files
for conversion functions I'm stuck. There's to_addr(), but the string
would need to actually be the IP address and not a hex representation.

2) table of set initialization (curiosity)

I have something like this that works:

    global myset: set[addr] = {192.168.1.1};
    global mytable: table[string] of set[addr] = {
        ["blaa"] = myset,
    };

When I try to combine that into one it breaks:

    global mytable: table[string] of set[addr] = {
        ["blaa"] = 192.168.1.1,
    };

    bad tag in Val::CONVERTER (addr/table)

I read somewhere that 'bad tag' is an internal error and I should never
see it. I saw it. :)

-Mike

[*] -- It's a klog request for afs-kaserver3 through kaforwarder and
fakeka. So the originating requester's IP is stored in the epoch time
field of the RX packet. Whee!

[**] -- 141.142.222.33

From robin at icir.org Wed Feb 28 09:33:42 2007
From: robin at icir.org (Robin Sommer)
Date: Wed, 28 Feb 2007 09:33:42 -0800
Subject: [Bro] problem with TCP partial connection
In-Reply-To: <20070227162544.CGN54461@mail.tataelxsi.co.in>
References: <20070227162544.CGN54461@mail.tataelxsi.co.in>
Message-ID: <20070228173342.GD28976@icir.org>

On Tue, Feb 27, 2007 at 16:25 +0530, Bindiya V S wrote:

> captured pcaps. We have some FTP pcaps that are not having any
> TCP handshake packets.

Can you send me one such connection as a pcap trace?
Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From robin at icir.org Wed Feb 28 09:39:55 2007
From: robin at icir.org (Robin Sommer)
Date: Wed, 28 Feb 2007 09:39:55 -0800
Subject: [Bro] Type conversion and table initialization
In-Reply-To: <45E4BDD4.6070807@ncsa.uiuc.edu>
References: <45E4BDD4.6070807@ncsa.uiuc.edu>
Message-ID: <20070228173955.GE28976@icir.org>

On Tue, Feb 27, 2007 at 17:25 -0600, Mike Dopheide wrote:

> I've got a udp packet that contains an IP address in the packet
> contents[*].

Hmmm... can't think of any other way than adding a new built-in
function specifically for this.

> global myset: set[addr] = {192.168.1.1};
> global mytable: table[string] of set[addr] = {
>     ["blaa"] = myset,
> };

Yeah, unfortunately this is the way to do it. Clumsy, but we don't have
set constructors at the moment.

> ["blaa"] = 192.168.1.1,

The problem is here that you're initializing a set[addr] with just an
addr (rather than a set of addrs). The natural way would be:

    ["blaa"] = { 192.168.1.1 }

But that is not supported.

> I read somewhere that 'bad tag' is an internal error and I should never
> see it.

That's true, at least in theory. :-) In practice, there are a couple of
places where this can happen when types don't match. Not nice but hasn't
been a high priority so far to fix.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From mtdedlow at lbl.gov Wed Feb 28 14:06:07 2007
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Wed, 28 Feb 2007 14:06:07 -0800
Subject: [Bro] Type conversion and table initialization
In-Reply-To: <20070228173955.GE28976@icir.org>
References: <45E4BDD4.6070807@ncsa.uiuc.edu> <20070228173955.GE28976@icir.org>
Message-ID: <45E5FCCF.4060100@lbl.gov>

Robin Sommer wrote:
> On Tue, Feb 27, 2007 at 17:25 -0600, Mike Dopheide wrote:
>
>> I've got a udp packet that contains an IP address in the packet
>> contents[*].
>
> Hmmm... can't think of any other way than adding a new built-in
> function specifically for this.

I think this is as simple as adding to bro.bif:

    function hex_to_addr%(str: string%): addr
        %{
        int a, b, c, d;
        int r;
        r = sscanf(str->CheckString(), "%x.%x.%x.%x", &a, &b, &c, &d);
        if ( r != 4 )
            run_time("hex addr not parseable");
        return new AddrVal(dotted_to_addr(fmt("%d.%d.%d.%d", a, b, c, d)));
        %}

You may need to tweak the format, eg, for the \x format, to something
like "\\x%x\\x%x\\x%x\\x%x".

Mark

From dopheide at ncsa.uiuc.edu Wed Feb 28 14:12:56 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Wed, 28 Feb 2007 16:12:56 -0600
Subject: [Bro] Type conversion and table initialization
In-Reply-To: <45E5FCCF.4060100@lbl.gov>
References: <45E4BDD4.6070807@ncsa.uiuc.edu> <20070228173955.GE28976@icir.org> <45E5FCCF.4060100@lbl.gov>
Message-ID: <45E5FE68.4020505@ncsa.uiuc.edu>

Haha.. you beat me to it. Here's what I was about to submit (patch attached):

    # Returns an addr from a string
    function rawstring_to_addr%(s: string%): addr
        %{
        char* x = new char[16];            # room for "255.255.255.255" plus NUL
        const u_char* sp = s->Bytes();

        # anything other than four raw bytes becomes 0.0.0.0
        if ( s->Len() != 4 )
            sprintf(x, "0.0.0.0");
        else
            sprintf(x, "%i.%i.%i.%i", sp[0], sp[1], sp[2], sp[3]);

        Val* ret = new AddrVal(x);
        delete [] x;
        return ret;
        %}

Mark Dedlow wrote:
> Robin Sommer wrote:
>> On Tue, Feb 27, 2007 at 17:25 -0600, Mike Dopheide wrote:
>>
>>> I've got a udp packet that contains an IP address in the packet
>>> contents[*].
>>
>> Hmmm... can't think of any other way than adding a new built-in
>> function specifically for this.
>
> I think this is as simple as adding to bro.bif:
>
> function hex_to_addr%(str: string%): addr
> %{
> int a,b,c,d;
> int r;
> r = sscanf(str->CheckString(), "%x.%x.%x.%x", &a, &b, &c, &d);
> if ( r != 4 )
> run_time("hex addr not parseable");
> return new AddrVal(dotted_to_addr(fmt("%d.%d.%d.%d", a,b,c,d)));
> %}
>
>
> You may need to tweak the format, eg, for the \x format, to something
> like "\\x%x\\x%x\\x%x\\x%x".
>
> Mark
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rawstring_to_addr.patch
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070228/779d155b/attachment.ksh
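Mark's hex_to_addr and Mike's rawstring_to_addr both turn the sub_bytes() result into an addr, one starting from the escaped text Bro prints and one from the four raw bytes. The stand-alone C++ program below is an added example written for this archive; it is not code from the thread, from the attached patch, or from Bro itself. It shows the two inputs side by side: decoding the escaped form ("\x8d\x8e\xde!", where the last byte is a literal '!' because Bro escapes only non-printable bytes, which is why a format of "\\x%x\\x%x\\x%x\\x%x" alone would not match this sample) and rendering four raw bytes as a dotted quad. Unlike the posted bif, a wrong length is reported instead of being silently turned into 0.0.0.0, so a truncated field cannot pass as a real address in later comparisons. The function names unescape_bro_string, bytes_to_dotted, escaped_to_dotted and is_convertible are mine; the sample value is the one from the thread.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Decode the escaped form Bro prints for a raw string (e.g. "\x8d\x8e\xde!")
// into its bytes: \xHH yields one byte, "\\" yields a backslash, and any
// other character (printable bytes are never escaped) is taken literally.
// Malformed escapes are rejected rather than guessed at.
std::vector<uint8_t> unescape_bro_string(const std::string& s)
{
    std::vector<uint8_t> out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '\\' || i + 1 >= s.size()) {
            out.push_back(static_cast<uint8_t>(s[i]));
            continue;
        }
        if (s[i + 1] == '\\') {              // "\\" -> one backslash byte
            out.push_back('\\');
            ++i;
            continue;
        }
        if (s[i + 1] == 'x' && i + 3 < s.size()
            && std::isxdigit(static_cast<unsigned char>(s[i + 2]))
            && std::isxdigit(static_cast<unsigned char>(s[i + 3]))) {
            unsigned long v = std::stoul(s.substr(i + 2, 2), nullptr, 16);
            out.push_back(static_cast<uint8_t>(v));
            i += 3;                          // skip "xHH"
            continue;
        }
        throw std::invalid_argument("unrecognised escape at offset " + std::to_string(i));
    }
    return out;
}

// Render exactly four raw bytes (network byte order, as found in the packet)
// as dotted-quad text. A wrong length is an error, not 0.0.0.0.
std::string bytes_to_dotted(const std::vector<uint8_t>& b)
{
    if (b.size() != 4)
        throw std::invalid_argument("expected 4 bytes, got " + std::to_string(b.size()));
    char buf[16];                            // "255.255.255.255" plus NUL
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u",
                  unsigned(b[0]), unsigned(b[1]), unsigned(b[2]), unsigned(b[3]));
    return buf;
}

// Escaped Bro string straight to dotted quad.
std::string escaped_to_dotted(const std::string& s)
{
    return bytes_to_dotted(unescape_bro_string(s));
}

// True when the bytes are a well-formed 4-byte address field.
bool is_convertible(const std::vector<uint8_t>& b)
{
    try { bytes_to_dotted(b); return true; }
    catch (const std::invalid_argument&) { return false; }
}

int main()
{
    // Constructed sample: the value quoted in the thread, which footnote [**]
    // identifies as 141.142.222.33.
    std::printf("%s\n", escaped_to_dotted("\\x8d\\x8e\\xde!").c_str());
    return 0;
}
```

Inside a real bif the decoding step is unnecessary, since s->Bytes() already hands over the raw bytes; the escaped-text path matters only when the value has been printed or logged first and is being read back.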
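Going back to the send_email_notice thread: Brian Tierney's email_notice() builds its command with fmt("echo \"%s\" | ...") and runs it through system(), so whatever ends up in n$msg or info is interpreted by the shell. The C++ program below is an added example for this archive, not Bro code and not from the thread; it reproduces that command shape next to a form in which every notice-derived field is single-quoted and the subject is flattened to one line. The function names, the /usr/bin/mail path and the sample notice text are constructed for illustration.

```cpp
#include <cstdio>
#include <string>

// Wrap s in single quotes so the shell passes it through as one literal word:
// no parameter expansion, no command substitution, no word splitting.
// An embedded single quote becomes '\'' (close, escaped quote, reopen).
std::string shell_quote(const std::string& s)
{
    std::string out = "'";
    for (char c : s) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += "'";
    return out;
}

// A mail header ends at the first CR/LF, so a subject built from notice text
// must not carry line breaks; replace them before handing it to -s.
std::string single_line(const std::string& s)
{
    std::string out = s;
    for (char& c : out)
        if (c == '\r' || c == '\n')
            c = ' ';
    return out;
}

// The command shape used by the posted email_notice(): the notice text sits
// inside a double-quoted echo, so $, `, " and \ in it are still interpreted
// by the shell when system() runs the string. Kept here for contrast only.
std::string mail_cmd_as_posted(const std::string& msg, const std::string& note,
                               const std::string& mail_script, const std::string& dest)
{
    return "echo \"" + msg + "\" | " + mail_script + " -s \"[Bro Alarm] " + note + "\" " + dest;
}

// Hardened equivalent: each field is single-quoted and the subject is one
// line. The command still goes through the shell, as system() does, but the
// notice text can only ever be data. printf is used instead of echo so that
// backslashes and a leading "-n" in the message are not interpreted either.
std::string mail_cmd_quoted(const std::string& msg, const std::string& note,
                            const std::string& mail_script, const std::string& dest)
{
    return "printf '%s\\n' " + shell_quote(msg) + " | " + mail_script
         + " -s " + shell_quote("[Bro Alarm] " + single_line(note))
         + " " + shell_quote(dest);
}

int main()
{
    // Constructed notice text containing characters a shell would act on.
    const std::string msg = "10.11.12.13 has scanned 100 hosts (\"$(date)\")";
    std::printf("as posted: %s\n",
                mail_cmd_as_posted(msg, "AddressScan", "/usr/bin/mail", "soc@example.org").c_str());
    std::printf("quoted:    %s\n",
                mail_cmd_quoted(msg, "AddressScan", "/usr/bin/mail", "soc@example.org").c_str());
    return 0;
}
```

The cleaner fix is to avoid the shell altogether and hand the mail program an argument vector with the body on its standard input; the quoting helper above is the minimal change when, as in the posted script, the command has to stay a single string for system().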