[Bro] About Bro drop packet....

Jean-Philippe Luiggi jp.luiggi at free.fr
Wed Jan 17 10:06:41 PST 2007


Hello,

Just a question: what's your hardware?

Just check http://bro-ids.org/Bro-user-manual/Network-Tap.html#Network-Tap
to see if you have the requirements needed.

Depending on your configuration, it may be difficult for your IDS to follow
the network's stream.

Best regards.

On Wed, Jan 17, 2007 at 04:26:24PM +0800, ?i?A?? wrote:
> My simulated environment is below:
> Bro 1.2, loading local.lite.bro, running in Linux Fedora 5; Bro's IP is 192.168.0.1, and the machine replaying the tcpdump file is 192.168.0.3.
> 
> I use tcpreplay to replay the DARPA 2000 LLDOS 1.0 DMZ dump file to Bro's machine in a real closed network.
> 
> My question is:
> In the info.localhost.06-12-27_13.16.39 file, I find that a lot of packets are dropped. Why? Is it right? If not, how do I improve it?
> 
> Thanks for your help!!
> 
> Gita in NTUST
> 
> The tcpreplay command is below:
> tcpreplay LLDOS_1.0_dump_file -i 192.168.0.3
> 
> The info.localhost.06-12-27_13.16.39 file content is below:
> ----------------------------------------------------------------
> listening on eth0
> Bro Version: 1.2
> Started with the following command line options:  -W -i eth0 local.lite.bro
> Capture filter: ((((((((((((((((((((((port ftp) or (port 143)) or (port 111)) or (udp port 69)) or (port 6666)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or ( icmp)) or (port 512 or port 513 or port 515)) or (port ftp)) or (port telnet or tcp port 513)) or (port smtp)) or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001)) or (port smtp)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (dst port 135 or dst port 137 or dst port 139 or dst port 445)) or (port telnet)) or (port 161 or port 162)) or (port 53)) or (port 6667)) or (port 111)) or (tcp[13] & 7 != 0)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)
> 1168837833.287204 received termination signal
> 334036 packets received on interface eth0, 12343464 dropped

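As an added example (not from the thread and not Bro's own code), here is a small Python parser for the shutdown summary Bro 1.x writes at the end of its info file, the "packets received ... dropped" line quoted above, turning the raw counters into a drop ratio and a verdict. The 1% threshold and the assumption that "received" and "dropped" are disjoint counters (so their sum is what the kernel offered) are mine; check your libpcap's pcap_stats semantics before relying on the sum.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the tail of a Bro 1.x info file, modelled on the
# lines quoted in the thread (interface name and counts are the poster's).
SAMPLE_INFO = """listening on eth0
Bro Version: 1.2
Started with the following command line options:  -W -i eth0 local.lite.bro
1168837833.287204 received termination signal
334036 packets received on interface eth0, 12343464 dropped
"""

# Matches Bro's shutdown summary line, e.g.
# "334036 packets received on interface eth0, 12343464 dropped"
SUMMARY_RE = re.compile(
    r"^(?P<received>\d+) packets received on interface (?P<iface>\S+), "
    r"(?P<dropped>\d+) dropped$", re.MULTILINE)

@dataclass
class CaptureStats:
    iface: str
    received: int
    dropped: int

    @property
    def offered(self) -> int:
        # Assumption: 'received' counts packets delivered to Bro and
        # 'dropped' is a separate counter, so the kernel saw their sum.
        return self.received + self.dropped

    @property
    def drop_ratio(self) -> float:
        return self.dropped / self.offered if self.offered else 0.0

def parse_capture_stats(info_text: str) -> Optional[CaptureStats]:
    """Return the capture counters from a Bro info file, or None if the
    process never wrote its shutdown summary (e.g. it was killed)."""
    m = SUMMARY_RE.search(info_text)
    if m is None:
        return None
    return CaptureStats(m["iface"], int(m["received"]), int(m["dropped"]))

def drop_verdict(stats: CaptureStats, max_ratio: float = 0.01) -> str:
    """Classify a run: a little loss under replay is tolerable, but losing
    most of the offered packets means the sensor was effectively blind."""
    if stats.dropped == 0:
        return "ok"
    return "minor" if stats.drop_ratio <= max_ratio else "severe"

if __name__ == "__main__":
    s = parse_capture_stats(SAMPLE_INFO)
    print(f"{s.iface}: {s.dropped}/{s.offered} dropped "
          f"({s.drop_ratio:.1%}) -> {drop_verdict(s)}")
```

On the poster's numbers this reports roughly 97% of the offered packets dropped, which is why the reply asks about the capture hardware rather than the policy scripts.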