From edthoma at sandia.gov Thu Mar 1 16:05:15 2007
From: edthoma at sandia.gov (Thomas, Eric D.)
Date: Thu, 01 Mar 2007 16:05:15 -0800
Subject: [Bro] TRW Scan feature suggestion
Message-ID:

Hello, the honeypot specification for my site is much more complex than can be expressed as a set of addresses. And unfortunately this is significantly skewing my TRW scan results.

Might I suggest a small but permanent change to the TRW algorithm: instead of using a set lookup (the honeypot global) to determine whether a connection is related to a honeypot, let there be a function variable that gets set to a function which takes a connection record as input and returns a boolean. The return value specifies T/F whether the connection is associated with a honeypot. This function is called in check_TRW_scan (trw-impl.bro) instead of the set lookup in honeypot. The default function would do the simple set lookup, as is done now. But it allows others to create a function that performs more complex operations.

Cheers,
Eric Thomas
Sandia National Laboratories

From dhanesh at tataelxsi.co.in Thu Mar 1 20:15:01 2007
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Fri, 2 Mar 2007 09:45:01 +0530
Subject: [Bro] Clarification reg signatures
In-Reply-To:
Message-ID: <005e01c75c81$59b047d0$0637a8c0@telxsi.com>

Hi all,

I have a clarification regarding writing signatures. I want to check only the first 4 bytes of the tcp payload. I tried using

    signature payload-3 {
        ip-proto == tcp
        event "First three bytes matched"
        payload /.{0,3}\x0a\x2a\x17/
    }

This signature didn't match. Can anyone suggest how to compare the first 'n' bytes of the payload?

I also saw patterns like payload/{4}reg-exp/ in signatures file. What do they imply?

Thanks,
Dhanesh.
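The question above is about a signature that should only look at the first few bytes of the TCP payload. In Bro's signature engine a payload pattern is matched from the first byte of the payload, which is why the thread's pattern carries the `.{0,3}` prefix: it allows the marker to sit at offset 0 to 3, and nowhere else. The following Python model is an added example written for this archive page, not code from the thread or from the Bro project; it uses Python's `re.match` (anchored at offset 0) to stand in for the anchored signature matcher, and the payloads and signature names (`exact_first3`, `within_first3`, `anywhere`) are constructed for illustration.

```python
import re

# Three ways to express "the bytes 0a 2a 17 near the start of the payload".
# Bro payload patterns are matched from byte 0 of the payload, so Python's
# re.match (anchored at offset 0) stands in for the signature engine here.
# Signature names are constructed for this example.
SIGNATURES = {
    # fires only when the payload starts with exactly these three bytes
    "exact_first3": rb"\x0a\x2a\x17",
    # the thread's pattern: up to three leading bytes, then the marker
    "within_first3": rb".{0,3}\x0a\x2a\x17",
    # a .* prefix turns it into an unanchored, search-anywhere match
    "anywhere": rb".*\x0a\x2a\x17",
}

# DOTALL so that '.' can consume any byte value, including 0x0a; payloads
# are treated as raw bytes, not text.  This is a modelling choice here.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def signature_matches(name: str, payload: bytes) -> bool:
    """Anchored match of one named signature against a TCP payload."""
    return COMPILED[name].match(payload) is not None


def fired_signatures(payload: bytes) -> list:
    """Names of all signatures that fire for this payload, in table order."""
    return [name for name in SIGNATURES if signature_matches(name, payload)]


def first_n_bytes_equal(payload: bytes, expected: bytes) -> bool:
    """The simplest form of 'compare the first n bytes': a plain byte slice."""
    return len(payload) >= len(expected) and payload[: len(expected)] == expected


# Constructed sample payloads (not the packets from the thread's pcaps).
SAMPLES = {
    "marker_at_0": b"\x0a\x2a\x17\x00\x01",
    "marker_at_2": b"XY\x0a\x2a\x17\x00",
    "marker_at_6": b"ABCDEF\x0a\x2a\x17",
    "truncated": b"\x0a\x2a",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:12s} {payload.hex():20s} -> {fired_signatures(payload)}")
```

The `truncated` sample is the case a practitioner trips over: a pattern that needs three bytes cannot fire on a two-byte payload, and with stream-based matching the match may only occur once later packets of the same connection have been seen.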
From robin at icir.org Thu Mar 1 21:23:53 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 1 Mar 2007 21:23:53 -0800
Subject: [Bro] Clarification reg signatures
In-Reply-To: <005e01c75c81$59b047d0$0637a8c0@telxsi.com>
References: <005e01c75c81$59b047d0$0637a8c0@telxsi.com>
Message-ID: <20070302052353.GA6724@icir.org>

On Fri, Mar 02, 2007 at 09:45 +0530, Jaya Dhanesh wrote:

> payload/.{0,3}\x0a\x2a\x17/

That should actually work. Can you send me the packets of a connection which should match this signature and the exact command-line you are using to start Bro?

> I also saw patterns like payload /{4}reg-exp/ in signatures file.

That looks like a syntax error and should not compile. Where did you see it?

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From nikns at secure.lv Fri Mar 2 05:49:21 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Fri, 2 Mar 2007 15:49:21 +0200
Subject: [Bro] warning: Unmatched end of data
Message-ID: <20070302134921.GA21926@secure.lv>

Hello!

Bro runs on a live interface. I got the following warnings; what do they mean?
# BROPATH=/usr/local/policy/ bro -f tcp -i fxp1 brolite
bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size mismatch, relink your program
bro:/usr/lib/libc.so.39.3: bro : WARNING: symbol(_res) size mismatch, relink your program
bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size mismatch, relink your program
pcap bufsize = 32768
listening on fxp1
1172677797.973010 warning: Unmatched end of data
1172682221.064469 warning: Unmatched end of data
1172686653.318668 warning: Unmatched end of data
1172694350.686900 warning: Unmatched end of data
1172804317.999561 warning: Unmatched end of data

From vallentin at ICSI.Berkeley.EDU Fri Mar 2 06:17:30 2007
From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin)
Date: Fri, 2 Mar 2007 15:17:30 +0100
Subject: [Bro] warning: Unmatched end of data
In-Reply-To: <20070302134921.GA21926@secure.lv>
References: <20070302134921.GA21926@secure.lv>
Message-ID: <20070302141729.GH8466@icsi.berkeley.edu>

On Fri, Mar 02, 2007 at 03:49:21PM +0200, Nikns Siankin wrote:
> Hello!
> Bro runs on live interface.
> Got following warnings, what do they mean?
>
> # BROPATH=/usr/local/policy/ bro -f tcp -i fxp1 brolite
> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size
> mismatch, relink your program
> bro:/usr/lib/libc.so.39.3: bro : WARNING: symbol(_res) size mismatch, relink your program
> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size
> mismatch, relink your program
> pcap bufsize = 32768
> listening on fxp1
> 1172677797.973010 warning: Unmatched end of data
> 1172682221.064469 warning: Unmatched end of data
> 1172686653.318668 warning: Unmatched end of data
> 1172694350.686900 warning: Unmatched end of data
> 1172804317.999561 warning: Unmatched end of data

Hello Nikns!
To help you further with debugging, it would be great if you could provide a little bit more information about (i) your Bro version and (ii) your environment (architecture, OS, etc.).

Please use the latest Bro version unless you have a certain reason not to do so. Assuming that you are using FreeBSD, you also want to tweak the bpf buffer sizes; add the following to your /etc/sysctl.conf:

    net.bpf.maxbufsize=8388608
    net.bpf.bufsize=4194304

Matthias

--
Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16

From rreitz at fnal.gov Mon Mar 5 14:04:00 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Mon, 05 Mar 2007 16:04:00 -0600
Subject: [Bro] No packets for me
Message-ID:

Hi,

Fermilab is making another run at BRO. A machine running Scientific Linux Fermi LTS release 4.4 (Wilson) has been set up for BRO testing. It has a span of the border traffic fed from a GigaVue to eth2 (an Intel PRO/1000 MT Dual Port) on the Linux box. Installing BRO 1.2.1 was no problem. ./configure reported...

    Broccoli Configuration Summary
    ==========================================================
    - Debugging enabled:        no
    - Pcap packet support:      yes
    - Semaphores used:          POSIX
    - Shared memory used:       SYSV

    Now run:
    $ make
    # make install
    (or use gmake when make on your platform isn't GNU make)

    Bro Configuration Summary
    ==========================================================
    - Debugging enabled:        no
    - OpenSSL support:          yes
    - Non-blocking main loop:   yes
    - Non-blocking resolver:    yes
    - Installation prefix:      /usr/local/bro
    - Perl interpreter:         /usr/bin/perl
    - Using basic_string:       yes
    - Using libmagic:           Yes
    - Using libclamav:          No
    - Pcap used:                system-provided

Make was uneventful. Install put everything in /usr/local/bro. After starting BRO and letting it run for ~20 minutes, it reports seeing 4 packets.
[root at rhyolite rreitz]# export BROPATH=/usr/local/bro/policy:/usr/local/bro/policy/sigs
[root at rhyolite rreitz]# bro -i eth2 brolite
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
listening on eth2
1173131791.280848 received termination signal
4 packets received on interface eth2, 0 dropped

Humm, I expected more packets. Eth2 seems to be receiving packets when bro is started...

[rreitz at rhyolite ~]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
          RX bytes:4142 (4.0 KiB)  TX bytes:398 (398.0 b)
          RX bytes:28062 (27.4 KiB)  TX bytes:398 (398.0 b)
          RX bytes:57132 (55.7 KiB)  TX bytes:398 (398.0 b)
          RX bytes:72298 (70.6 KiB)  TX bytes:398 (398.0 b)

But after a while...
[rreitz at rhyolite bro]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
          RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
          RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
          RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)

The interface seems stuck.

[rreitz at rhyolite bro]$ /sbin/ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:04:23:D1:E3:EB
          inet6 addr: fe80::204:23ff:fed1:e3eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10442 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
          Base address:0x1040 Memory:f40a0000-f40c0000

Here is some info on the OS...

[rreitz at rhyolite bro-1.2.1]$ rpm -qa | egrep pcap
libpcap-0.8.3-10.RHEL4
[rreitz at rhyolite bro-1.2.1]$ uname -a
Linux rhyolite.fnal.gov 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 08:38:56 CST 2007 i686 athlon i386 GNU/Linux
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-
redhat-lsb/     redhat-release
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-release
Scientific Linux Fermi LTS release 4.4 (Wilson)
[rreitz at rhyolite bro]$ bro -v
bro version 1.2.1

A search of this email list for 'linux' gets no hits. Hence I'm asking for suggestions.

Thanks,
Randy Reitz
Computer Security Team

From vern at icir.org Mon Mar 5 14:13:28 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 05 Mar 2007 14:13:28 -0800
Subject: [Bro] No packets for me
In-Reply-To: (Mon, 05 Mar 2007 16:04:00 CST).
Message-ID: <200703052213.l25MDSdJ009476@jaguar.icir.org>

Is the link using VLANs? If so, you need to explicitly load vlan.bro.

Vern

From vern at icir.org Mon Mar 5 14:15:14 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 05 Mar 2007 14:15:14 -0800
Subject: [Bro] searching the mailing list (Re: No packets for me)
In-Reply-To: (Mon, 05 Mar 2007 16:04:00 CST).
Message-ID: <200703052215.l25MFExZ009495@jaguar.icir.org>

> A search of this email list for 'linux' gets no hits.
> Hence I'm
> asking for suggestions.

Are you doing the search from http://bro-ids.org/mailing-list.html ? I get 400 hits from there ...

Vern

From bltierney at lbl.gov Tue Mar 6 10:19:22 2007
From: bltierney at lbl.gov (Brian Tierney)
Date: Tue, 06 Mar 2007 10:19:22 -0800
Subject: [Bro] Possible Bro hands-on workshop this summer
Message-ID: <45EDB0AA.9090405@lbl.gov>

Hi All:

We are considering doing a Bro Workshop July 23-25 at UCSD in San Diego.

Our current thinking is that we'd do a 1/2 day Bro scripting language tutorial, followed by a couple days of hands-on exercises. All participants would be required to bring a Unix laptop with a working Bro configuration. We'd provide sample trace files to work with.

Before we confirm this workshop, we need to get an idea of how many people would like to attend, and what topics you are most interested in. The workshop cost should be minimal (perhaps $50) to cover breakfast/breaks.

Please let us know what you think. Replying to the list would be best.

Thanks.

From seth at net.ohio-state.edu Tue Mar 6 10:30:26 2007
From: seth at net.ohio-state.edu (Seth Hall)
Date: Tue, 6 Mar 2007 13:30:26 -0500
Subject: [Bro] Possible Bro hands-on workshop this summer
In-Reply-To: <45EDB0AA.9090405@lbl.gov>
References: <45EDB0AA.9090405@lbl.gov>
Message-ID:

On Mar 6, 2007, at 1:19 PM, Brian Tierney wrote:
> Please let us know what you think. Replying to the list would be best.

I'll definitely be there if at all possible. My group manager may attend as well.

.Seth

From jamesp at PartyGaming.com Tue Mar 6 11:19:43 2007
From: jamesp at PartyGaming.com (James Pichardo)
Date: Tue, 6 Mar 2007 20:19:43 +0100
Subject: [Bro] Possible Bro hands-on workshop this summer
Message-ID: <0B1B9163138571439EAF804646F3F6AA17485C@GIBSVWIN004X.partygaming.local>

I would definitely attend. A couple of topics I can think of:

- distributed sensor architecture and policy building
- anomaly detection?
  (A buzzword I know but you probably know what I mean)

Cheers,
James.

-----------
Sent from a BlackBerry device

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU
To: bro at ICSI.Berkeley.EDU
CC: abe at sdsc.edu
Sent: Tue Mar 06 19:19:22 2007
Subject: [Bro] Possible Bro hands-on workshop this summer

Hi All:

We are considering doing a Bro Workshop July 23-25 at UCSD in San Diego.

Our current thinking is that we'd do a 1/2 day Bro scripting language tutorial, followed by a couple days of hands-on exercises. All participants would be required to bring a Unix laptop with a working Bro configuration. We'd provide sample trace files to work with.

Before we confirm this workshop, we need to get an idea of how many people would like to attend, and what topics you are most interested in. The workshop cost should be minimal (perhaps $50) to cover breakfast/breaks.

Please let us know what you think. Replying to the list would be best.

Thanks.

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From taosecurity at gmail.com Wed Mar 7 10:00:44 2007
From: taosecurity at gmail.com (Richard Bejtlich)
Date: Wed, 7 Mar 2007 13:00:44 -0500
Subject: [Bro] Possible Bro hands-on workshop this summer
Message-ID: <120ef0530703071000p1289c333h3f05ae34aa3f4fd8@mail.gmail.com>

Brian Tierney wrote:
> Hi All:
>
> We are considering doing a Bro Workshop July 23-25 at UCSD in San Diego.

I am interested! Unfortunately I am teaching at SANSFIRE on 25 July. I would have to fly home the afternoon of the 24th to be back in DC to teach Wednesday morning.
Sincerely,
Richard

From rreitz at fnal.gov Thu Mar 8 08:32:09 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Thu, 08 Mar 2007 10:32:09 -0600
Subject: [Bro] Possible Bro hands-on workshop this summer
In-Reply-To: <45EDB0AA.9090405@lbl.gov>
References: <45EDB0AA.9090405@lbl.gov>
Message-ID: <5BE063CA-91C0-48B2-B54E-FA5F77E4EECE@fnal.gov>

On Mar 6, 2007, at 12:19, Brian Tierney wrote:

>
> Hi All:
>
> We are considering doing a Bro Workshop July 23-25 at UCSD in San
> Diego.
>
> Our current thinking is that we'd do a 1/2 day Bro scripting language
> tutorial, followed by a couple days of hands-on exercises. All
> participants would be required to bring a Unix laptop with a
> working Bro
> configuration. We'd provide sample trace files to work with.
>
> Before we confirm this workshop, we need to get an idea of how many
> people would like to attend, and what topics you are most
> interested in.
> The workshop cost should be minimal (perhaps $50) to cover
> breakfast/breaks.
>
> Please let us know what you think. Replying to the list would be best.
>
> Thanks.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Fermilab is interested in a Bro workshop. Please allocate 2 attendees from Fermilab. I understand that the Fermilab conference/travel approval process takes some time, so the sooner you can firm up conference details, the better.

Thanks,
Randy Reitz
Computer Security Team

From jferdinand at thescholars.info Fri Mar 9 01:41:04 2007
From: jferdinand at thescholars.info (Jules)
Date: Fri, 09 Mar 2007 09:41:04 +0000
Subject: [Bro] Snort to Bro
Message-ID: <45F12BB0.4000002@thescholars.info>

hi there

How can I convert Snort rules to BRO ?
regards,

From jferdinand at thescholars.info Fri Mar 9 01:53:45 2007
From: jferdinand at thescholars.info (Jules)
Date: Fri, 09 Mar 2007 09:53:45 +0000
Subject: [Bro] Snort to Bro
Message-ID: <45F12EA9.5010600@thescholars.info>

hi there

How can I convert Snort rules to BRO ?

regards,
Jules

From yuppie4ever at gmail.com Fri Mar 9 02:18:26 2007
From: yuppie4ever at gmail.com (Vishal Verma)
Date: Fri, 9 Mar 2007 02:18:26 -0800
Subject: [Bro] Possible Bro hands-on workshop this summer
Message-ID: <2999b2f00703090218n29aa3867wa53c9b1c1856863@mail.gmail.com>

On Tue, 2007-03-06 at 10:19 -0800, Brian Tierney wrote:
> We are considering doing a Bro Workshop July 23-25 at UCSD in San Diego.

I would be highly interested in such a workshop too. My interest, particularly, would be in advanced topics like:

* Stateful matching when running in a cluster.
* Correlating connections when running in a cluster.
* BRO RE engine internals and how to optimize it further?
* Providing more detailed statistics - like flow details and analyzer/policy-module stats.
* Aggregating statistics when BRO is running in a clustered environment.
* Broccoli & interfacing BRO with other systems.
* Optimizing BRO in general.

We'll be able to make a decision as soon as someone can send us an agenda.

thanks
-vish

From nikns at secure.lv Fri Mar 9 02:32:38 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Fri, 9 Mar 2007 12:32:38 +0200
Subject: [Bro] warning: Unmatched end of data
In-Reply-To: <20070302141729.GH8466@icsi.berkeley.edu>
References: <20070302134921.GA21926@secure.lv> <20070302141729.GH8466@icsi.berkeley.edu>
Message-ID: <20070309103238.GA28500@secure.lv>

On Fri, Mar 02, 2007 at 03:17:30PM +0100, Matthias Vallentin wrote:
>On Fri, Mar 02, 2007 at 03:49:21PM +0200, Nikns Siankin wrote:
>> Hello!
>> Bro runs on live interface.
>> Got following warnings, what do they mean?
>>
>> # BROPATH=/usr/local/policy/ bro -f tcp -i fxp1 brolite
>> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size
>> mismatch, relink your program
>> bro:/usr/lib/libc.so.39.3: bro : WARNING: symbol(_res) size mismatch, relink your program
>> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size
>> mismatch, relink your program
>> pcap bufsize = 32768
>> listening on fxp1
>> 1172677797.973010 warning: Unmatched end of data
>> 1172682221.064469 warning: Unmatched end of data
>> 1172686653.318668 warning: Unmatched end of data
>> 1172694350.686900 warning: Unmatched end of data
>> 1172804317.999561 warning: Unmatched end of data
>
>Hello Nikns!
>
>To help you further debugging, it would be great if you could provide a
>little bit more information about (i) your Bro version and (ii) your
>environment (architecture, os, etc.).
>
>Please use the latest Bro version unless you have a certain reason not to do
>so. Assuming that you are using FreeBSD, you also want to tweak the bpf
>buffer sizes; add the following to your /etc/sysctl.conf:
>
>net.bpf.maxbufsize=8388608
>net.bpf.bufsize=4194304

Thanks, did so, but got the warning anyway:

[...]
pcap bufsize = 4194304
listening on fxp1
1173366784.729356 warning: Unmatched end of data

I am on OpenBSD 4.0, bro 1.2.1.

Am I dropping packets? CPU is ~80% idle.

BTW: Could it be that I have IP addresses in ssh.log which are not in conn.log? Sounds weird. I thought every connection is logged in conn.log....

Thanks!
>
> Matthias
>--
>Matthias Vallentin
>vallentin at icsi.berkeley.edu
>pgp/gpg: 0x37F34C16
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From ayyappa at tataelxsi.co.in Fri Mar 9 03:53:35 2007
From: ayyappa at tataelxsi.co.in (Ayyappa Suryanarayana T)
Date: Fri, 9 Mar 2007 17:23:35 +0530 (IST)
Subject: [Bro] Regarding signatures
Message-ID: <20070309172335.CGX43602@mail.tataelxsi.co.in>

Hi all,

I am having trouble matching the same signature for packets in different connections: it's matching one connection but it's not matching for another connection, although the packets have the same payload. The signature that is to be matched is the following:

    signature gtalk_test {
        event "gtalk test received"
        payload /\x17\x03\x01/
    }

I tried the following signature also:

    signature gtalk_one {
        event "gtalk one received"
        payload /.{0,0}\x17/
        payload /.{1,1}\x03/
        payload /.{2,2}\x00/
    }

The pcap that is not matching is attached along with this mail. Can anyone help me to understand how the signature matching happens in bro-1.2.1?

Thanks
Ayyappa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jabber-matched.pcap.pcap
Type: application/octet-stream
Size: 987 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070309/ed142716/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jabber-unmatched.pcap.pcap
Type: application/octet-stream
Size: 699 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070309/ed142716/attachment-0001.obj

From ayyappa at tataelxsi.co.in Fri Mar 9 05:11:47 2007
From: ayyappa at tataelxsi.co.in (Ayyappa Suryanarayana T)
Date: Fri, 9 Mar 2007 18:41:47 +0530 (IST)
Subject: [Bro] Regarding signatures
Message-ID: <20070309184147.CGX52808@mail.tataelxsi.co.in>

Hi all,

Sorry, a small correction to the previous mail..
The signature that is to be matched is the following:

    signature gtalk_test {
        event "gtalk test received"
        payload /\x17\x03\x01/
    }

I tried the following signature also:

    signature gtalk_one {
        event "gtalk one received"
        payload /.{0,0}\x17/
        payload /.{1,1}\x03/
        payload /.{2,2}\x01/
    }

From vallentin at ICSI.Berkeley.EDU Fri Mar 9 05:14:02 2007
From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin)
Date: Fri, 9 Mar 2007 14:14:02 +0100
Subject: [Bro] warning: Unmatched end of data
In-Reply-To: <20070309103238.GA28500@secure.lv>
References: <20070302134921.GA21926@secure.lv> <20070302141729.GH8466@icsi.berkeley.edu> <20070309103238.GA28500@secure.lv>
Message-ID: <20070309131402.GC8470@icsi.berkeley.edu>

On Fri, Mar 09, 2007 at 12:32:38PM +0200, Nikns Siankin wrote:
> 1173366784.729356 warning: Unmatched end of data

The warning itself originates from the SMTP analyzer and reports an unexpected end of SMTP data (see src/SMTP.cc, line 896). Probably you are seeing weird SMTP traffic.

> Am I droping packets? CPU is ~80% idle.

This depends generally on how much traffic you are monitoring and how heavy your analysis is. You seem to be fine though.

Matthias

--
Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16

From akadams at psc.edu Fri Mar 9 06:02:08 2007
From: akadams at psc.edu (Andrew K. Adams)
Date: Fri, 09 Mar 2007 09:02:08 -0500
Subject: [Bro] Possible Bro hands-on workshop this summer
In-Reply-To: <45EDB0AA.9090405@lbl.gov>
References: <45EDB0AA.9090405@lbl.gov>
Message-ID: <37035DABB5D36037C292DEBE@wraith.psc.edu>

--On Tuesday, March 06, 2007 10:19:22 -0800 Brian Tierney wrote:
>
> we need to get an idea of how many people would like to attend,

I (or perhaps another from PSC, Ben Bennett) would be interested in attending.

> and what topics you are most interested in.

I'm interested in any (novel) approaches for changing policy to better identify anomalous behavior.

-aka

--
Andrew K. Adams
Network Security & Research Engineer
Pittsburgh Supercomputing Center
Office: 380 Carnegie Mellon University    Phone: (412) 268-5142
300 South Craig Street                    Fax: (412) 268-5832
Pittsburgh, PA 15213                      WWW: http://www.psc.edu/~akadams/
D3 FA 7D 61 FD ED BD D9 0C DE 94 DB 0F 25 D0 2E

From robin at icir.org Fri Mar 9 11:09:59 2007
From: robin at icir.org (Robin Sommer)
Date: Fri, 9 Mar 2007 11:09:59 -0800
Subject: [Bro] Snort to Bro
In-Reply-To: <45F12EA9.5010600@thescholars.info>
References: <45F12EA9.5010600@thescholars.info>
Message-ID: <20070309190959.GB21908@icir.org>

On Fri, Mar 09, 2007 at 09:53 +0000, Jules wrote:
> How can i convert Snort rules to BRO ?

Bro ships with a script snort2bro, but it is somewhat outdated and does not support some of the newer Snort options.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From jferdinand at thescholars.info Fri Mar 9 11:29:59 2007
From: jferdinand at thescholars.info (Jules)
Date: Fri, 09 Mar 2007 19:29:59 +0000
Subject: [Bro] Snort to Bro
In-Reply-To: <20070309190959.GB21908@icir.org>
References: <45F12EA9.5010600@thescholars.info> <20070309190959.GB21908@icir.org>
Message-ID: <45F1B5B7.9030407@thescholars.info>

Thanks Robin

Is there any better solution? Can I just rely on Bro policies? Will that be enough? Is there a real difference between the Snort rules and Bro policies?

Robin Sommer wrote:
> On Fri, Mar 09, 2007 at 09:53 +0000, Jules wrote:
>
>> How can i convert Snort rules to BRO ?
>>
>
> Bro ships with a script snort2bro but is it somewhat outdated and
> does not support some of the newer Snort options.
>
> Robin
>
From robin at icir.org Fri Mar 9 12:13:22 2007
From: robin at icir.org (Robin Sommer)
Date: Fri, 9 Mar 2007 12:13:22 -0800
Subject: [Bro] Snort to Bro
In-Reply-To: <45F1B5B7.9030407@thescholars.info>
References: <45F12EA9.5010600@thescholars.info> <20070309190959.GB21908@icir.org> <45F1B5B7.9030407@thescholars.info>
Message-ID: <20070309201322.GA22213@icir.org>

On Fri, Mar 09, 2007 at 19:29 +0000, Jules wrote:
> be enough? is there a real difference betwen the snort rules and Bro
> policies?

Well, the systems' detection approaches are quite different. Bro does not primarily rely on pattern matching as Snort does; its policies use a different abstraction. You can't really compare the two.

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From bltierney at lbl.gov Fri Mar 9 20:29:09 2007
From: bltierney at lbl.gov (Brian Tierney)
Date: Fri, 09 Mar 2007 20:29:09 -0800
Subject: [Bro] Possible Bro hands-on workshop this summer
In-Reply-To: <37035DABB5D36037C292DEBE@wraith.psc.edu>
References: <45EDB0AA.9090405@lbl.gov> <37035DABB5D36037C292DEBE@wraith.psc.edu>
Message-ID: <45F23415.8010203@lbl.gov>

Hi all:

It looks like we have plenty of interest, so assume the workshop is on. We'll plan to start Monday July 23 at 9am, and go till noon on Wednesday.

From bindiyavs at tataelxsi.co.in Tue Mar 13 01:18:17 2007
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Tue, 13 Mar 2007 13:48:17 +0530 (IST)
Subject: [Bro] Trouble with ASYMMETRIC FTP traffic
Message-ID: <20070313134817.CHA65620@mail.tataelxsi.co.in>

Hi,

I am trying to analyze asymmetric (one sided) FTP traffic. I have added signatures for identifying FTP traffic, and FTP commands are getting properly identified. But I am facing problems when trying to analyze the FTP data traffic.
When the 227 response comes, the function expect_connection is getting called. But it looks like the data connection is not getting identified after that. File_Analyzer::DeliverStream is not getting called for the data transfer.

Can somebody help me out? I am waiting with my fingers crossed.

Thanks in advance
Bindiya :)

From rreitz at fnal.gov Tue Mar 13 11:58:42 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Tue, 13 Mar 2007 13:58:42 -0500
Subject: [Bro] Linux Kernel dropping a lot of packets
Message-ID:

I'm wondering why Bro is so quiet. So I tried tcpdump with Bro's filter ...

[root at rhyolite rreitz]# /usr/sbin/tcpdump -i eth2 '((((((((((((((((((((((port 111) or (port smtp)) or (port ftp)) or (port smtp)) or (icmp)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (port 111)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port 6666)) or (port 512 or port 513 or port 515)) or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001)) or (port telnet or tcp port 513)) or (port telnet)) or (port 53)) or ((src net 131.225.0.0/16 or src net 198.124.212.0/24 or src net 198.124.213.0/24) and (dst port 135 or dst port 137 or dst port 139 or dst port 445))) or (tcp[13] & 7 != 0)) or (port ftp)) or (port 6667)) or (port 143)) or (udp port 69)) or (port 161 or port 162)'
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
....

Killing after ~10 seconds ...

166 packets captured
249098 packets received by filter
248721 packets dropped by kernel

Do I read this as the kernel dropped the packets since they failed the Bro filter, or is the kernel just dropping packets because it's Tuesday? I see in the email list advice like ...
"That all boils down to this certainly looking like a problem with the packet filter itself rather than Bro."

I'm using ...

[root at rhyolite rreitz]# cat /etc/redhat-release
Scientific Linux Fermi LTS release 4.4 (Wilson)

This is Fermilab's release of RedHat Enterprise 4, update 4.

[root at rhyolite rreitz]# rpm -qa | egrep pcap
libpcap-0.8.3-10.RHEL4

Bro is 1.2.1 - not using the built-in libpcap.

[root at rhyolite bro-1.2.1]# tail /etc/sysctl.conf
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
net.core.rmem_max = 16777216
[root at rhyolite bro-1.2.1]# /sbin/sysctl net.core.rmem_max
net.core.rmem_max = 131071

At this point, I remembered Jason Lee's advice to tune the Linux kernel. He suggested this link http://www.net.t-labs.tu-berlin.de/research/bpcs/

So I did ...

[root at rhyolite bro-1.2.1]# cat /proc/sys/net/core/rmem_default
110592
[root at rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_default
[root at rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_max
[root at rhyolite bro-1.2.1]# echo 10000 > /proc/sys/net/core/netdev_max_backlog
[root at rhyolite bro-1.2.1]# /sbin/sysctl net.core.rmem_max
net.core.rmem_max = 33554432

OK, this looks like progress. I tried the same tcpdump as above. Now I see ...

121 packets captured
149216 packets received by filter
121673 packets dropped by kernel

Before the 'tune', the kernel was dropping 99.8%. After the tune, it's dropping 81.5%. Not much better.

No fair to suggest I drop Linux for FreeBSD!

Suggestions?
Thanks,
Randy Reitz
Computer Security Team

From rreitz at fnal.gov Tue Mar 13 12:23:59 2007
From: rreitz at fnal.gov (Randolph Reitz)
Date: Tue, 13 Mar 2007 14:23:59 -0500
Subject: [Bro] Linux Kernel dropping a lot of packets
Message-ID: <4A48DE4E-7E64-4142-A012-4E0BF75FAC18@fnal.gov>

[snip]

At this point, I remembered Jason Lee's advice to tune the Linux kernel. He suggested this link http://www.net.t-labs.tu-berlin.de/research/bpcs/

So I did ...

[root at rhyolite bro-1.2.1]# cat /proc/sys/net/core/rmem_default
110592
[root at rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_default
[root at rhyolite bro-1.2.1]# echo 33554432 > /proc/sys/net/core/rmem_max
[root at rhyolite bro-1.2.1]# echo 10000 > /proc/sys/net/core/netdev_max_backlog
[root at rhyolite bro-1.2.1]# /sbin/sysctl net.core.rmem_max
net.core.rmem_max = 33554432

OK, this looks like progress. I tried the same tcpdump as above. Now I see ...

121 packets captured
149216 packets received by filter
121673 packets dropped by kernel

Before the 'tune', the kernel was dropping 99.8%. After the tune, it's dropping 81.5%. Not much better.

No fair to suggest I drop Linux for FreeBSD!

-=-=-=-

Please ignore the previous email with this subject. The kernel 'tuning' above seems to be working. Bro is now running and the logs are filling up. Bro is consuming 100% of one CPU.

Thanks,
Randy Reitz
Computer Security Team

From vanepp at sfu.ca Tue Mar 13 13:11:09 2007
From: vanepp at sfu.ca (Peter Van Epp)
Date: Tue, 13 Mar 2007 13:11:09 -0700
Subject: [Bro] Linux Kernel dropping a lot of packets
In-Reply-To:
References:
Message-ID: <20070313201109.GD1501@sfu.ca>

On Tue, Mar 13, 2007 at 01:58:42PM -0500, Randolph Reitz wrote:
> I'm wondering why Bro is so quiet. So I tried tcpdump with Bro's
> filter ...
>
> [root at rhyolite rreitz]# /usr/sbin/tcpdump -i eth2 '((((((((((((((((((((((port 111) or (port smtp)) or (port ftp)) or (port smtp)) or (icmp)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (port 111)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port 6666)) or (port 512 or port 513 or port 515)) or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001)) or (port telnet or tcp port 513)) or (port telnet)) or (port 53)) or ((src net 131.225.0.0/16 or src net 198.124.212.0/24 or src net 198.124.213.0/24) and (dst port 135 or dst port 137 or dst port 139 or dst port 445))) or (tcp[13] & 7 != 0)) or (port ftp)) or (port 6667)) or (port 143)) or (udp port 69)) or (port 161 or port 162)'
> tcpdump: WARNING: eth2: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
> ....
>
> Killing after ~10 seconds ...
>
> 166 packets captured
> 249098 packets received by filter
> 248721 packets dropped by kernel
>

If you are up for adventure you should look at the pf-ring code from www.ntop.org. While fairly exciting to get in (it replaces the native pcap code in the kernel), once you do it appears to work fairly well. On an earlier version of pf-ring we managed to keep up with a 995 megabit jumbo frame netperf run with argus (the jumbos however are the best case traffic scenario). I have the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 kernel (I think) but haven't yet managed to get it into a busy gig link yet (the original link has gone 10 gig in the interim and is thus no longer available :-)). Small packets are its most likely weakness.
Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada From mtdedlow at lbl.gov Tue Mar 13 13:36:55 2007 From: mtdedlow at lbl.gov (Mark Dedlow) Date: Tue, 13 Mar 2007 13:36:55 -0700 Subject: [Bro] Linux Kernel dropping a lot of packets In-Reply-To: <20070313201109.GD1501@sfu.ca> References: <20070313201109.GD1501@sfu.ca> Message-ID: <45F70B67.9090807@lbl.gov> Peter Van Epp wrote: > If you are up for adventure you should look at the pf-ring code from > www.ntop.org. While fairly exciting to get in (it replaces the native pcap > code in the kernel) once you do it appears to work fairly well. On an earlier > version of pf-ring we managed to keep up with a 995 megabit jumbo frame netperf > run with argus (the jumbos however are the best case traffic senario). I have > the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 kernel > (I think) but haven't yet managed to get it in to a busy gig link yet (the > original link has gone 10 gig in the interrum and is thus no longer available > :-)). Small packets are its most likely weakness. I tested this recently, and while a great improvement, it was still considerably less than out-of-the-box FreeBSD performance. Mark From christian at whoop.org Tue Mar 13 14:35:11 2007 From: christian at whoop.org (Christian Kreibich) Date: Tue, 13 Mar 2007 14:35:11 -0700 Subject: [Bro] Two-dimensional arrays and for loop in Bro In-Reply-To: References: Message-ID: <1173821711.31938.5.camel@strangepork> Hi Abhinay, On Fri, 2007-02-23 at 20:05 -0600, Abhinay Kampasi wrote: > Hi, > > I need to use two-dimensional (2D) arrays and for loops in one of my policy > scripts. Could someone please clarify the following questions for me. > > 1. I am thinking of implementing 2D arrays as table of tables. Is this the > best of doing this? Is "array[][]" in C equivalent to "global array: > table[count] of table[count] of count" in Bro? 
No, it's most closely related to a vector of vectors, much like in C.

> Can I access an element of this array as array[index1][index2]?

Yes, assuming the structure located at array[index1] is defined.

> Also, is there a short-hand notation of initializing all the elements of the 2D array to 0?

Not at the moment, no, since it'll depend on what size you want the matrix to be.

> 2. The reference manual mentions that Bro lacks ways of controlling the
> order in which it iterates over the indices in a for loop. I need to iterate
> over a for loop in order. What is the best way of doing this?

You can avoid this by using vectors. The code snippet below uses recursion to work around the lack of a numeric for-loop and will print out:

m[1,1] = 1
m[1,2] = 0
m[1,3] = 0
m[2,1] = 0
m[2,2] = 2
m[2,3] = 0
m[3,1] = 0
m[3,2] = 0
m[3,3] = 3

type mrow: vector of count;
type matrix: vector of mrow;

function matrix_row_init(r: mrow, col: count)
	{
	r[col] = 0;
	if (col > 1)
		matrix_row_init(r, col-1);
	}

function matrix_init(m: matrix, row: count, cols: count)
	{
	local r: mrow;
	matrix_row_init(r, cols);
	m[row] = r;
	if (row > 1)
		matrix_init(m, row-1, cols);
	}

function matrix_new(rows: count, cols: count): matrix
	{
	local m: matrix;
	matrix_init(m, rows, cols);
	return m;
	}

event bro_init()
	{
	local m: matrix = matrix_new(3, 3);

	m[1][1] = 1;
	m[2][2] = 2;
	m[3][3] = 3;

	for (r in m)
		{
		for (c in m[r])
			{
			print fmt("m[%d,%d] = %d", r, c, m[r][c]);
			}
		}
	}

Note that while you have to do the assignment of rows to the matrix vector, you can save yourself the assignment of counts to each position in a row if you know you'll always be assigning values before using them. I also have no idea how slow/fast the above code will be for nontrivial matrix sizes.
:) Cheers, Christian -- ________________________________________________________________________ http://www.icir.org/christian http://www.whoop.org From vanepp at sfu.ca Tue Mar 13 15:57:55 2007 From: vanepp at sfu.ca (Peter Van Epp) Date: Tue, 13 Mar 2007 15:57:55 -0700 Subject: [Bro] Linux Kernel dropping a lot of packets In-Reply-To: <45F70B67.9090807@lbl.gov> References: <20070313201109.GD1501@sfu.ca> <45F70B67.9090807@lbl.gov> Message-ID: <20070313225755.GA5715@sfu.ca> On Tue, Mar 13, 2007 at 01:36:55PM -0700, Mark Dedlow wrote: > Peter Van Epp wrote: > > If you are up for adventure you should look at the pf-ring code from > >www.ntop.org. While fairly exciting to get in (it replaces the native pcap > >code in the kernel) once you do it appears to work fairly well. On an > >earlier > >version of pf-ring we managed to keep up with a 995 megabit jumbo frame > >netperf > >run with argus (the jumbos however are the best case traffic senario). I > >have > >the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 > >kernel > >(I think) but haven't yet managed to get it in to a busy gig link yet (the > >original link has gone 10 gig in the interrum and is thus no longer > >available > >:-)). Small packets are its most likely weakness. > > I tested this recently, and while a great improvement, it was > still considerably less than out-of-the-box FreeBSD performance. > > Mark Hmmm, perhaps I should test again. At that point on a dual athelon FreeBSD (which is my default platform for running argus on) lost %50 of the traffic on that gig link. Same hardware with Linux and pf-ring lost nothing. I did see that the FreeBSD 6 series was supposed to improve networking but unless they also made radical changes in bpf the kernel/user copy eats memory bandwidth (which pf-ring I believe avoids by doing ugly things direct to the page tables avoiding the memory to memory copy). 
I recall the pf-ring author also saying the same trick wouldn't work on FreeBSD and he felt the code was going to be hard to port to FreeBSD. Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada From mtdedlow at lbl.gov Tue Mar 13 16:38:09 2007 From: mtdedlow at lbl.gov (Mark Dedlow) Date: Tue, 13 Mar 2007 16:38:09 -0700 Subject: [Bro] Linux Kernel dropping a lot of packets In-Reply-To: <20070313225755.GA5715@sfu.ca> References: <20070313201109.GD1501@sfu.ca> <45F70B67.9090807@lbl.gov> <20070313225755.GA5715@sfu.ca> Message-ID: <45F735E1.2070101@lbl.gov> Peter Van Epp wrote: > On Tue, Mar 13, 2007 at 01:36:55PM -0700, Mark Dedlow wrote: >> Peter Van Epp wrote: >>> If you are up for adventure you should look at the pf-ring code from >>> www.ntop.org. While fairly exciting to get in (it replaces the native pcap >>> code in the kernel) once you do it appears to work fairly well. On an >>> earlier >>> version of pf-ring we managed to keep up with a 995 megabit jumbo frame >>> netperf >>> run with argus (the jumbos however are the best case traffic senario). I >>> have >>> the latest version running in an IBM P510 in OpenSUSE 10.2 and a 2.6.18 >>> kernel >>> (I think) but haven't yet managed to get it in to a busy gig link yet (the >>> original link has gone 10 gig in the interrum and is thus no longer >>> available >>> :-)). Small packets are its most likely weakness. >> I tested this recently, and while a great improvement, it was >> still considerably less than out-of-the-box FreeBSD performance. >> >> Mark > > Hmmm, perhaps I should test again. At that point on a dual athelon > FreeBSD (which is my default platform for running argus on) lost %50 of the > traffic on that gig link. Same hardware with Linux and pf-ring lost nothing. 
> I did see that the FreeBSD 6 series was supposed to improve networking but > unless they also made radical changes in bpf the kernel/user copy eats > memory bandwidth (which pf-ring I believe avoids by doing ugly things direct > to the page tables avoiding the memory to memory copy). I recall the pf-ring > author also saying the same trick wouldn't work on FreeBSD and he felt the > code was going to be hard to port to FreeBSD. I should add that I did not attempt a comprehensive comparison, and that the performance probably varies significantly as a function of variables such as traffic profile. My tests used synthetic traffic with a single packet size mix (simulating our actual environment.) This was on 6.1 btw. Mark From jferdinand at thescholars.info Wed Mar 14 02:06:41 2007 From: jferdinand at thescholars.info (Jules) Date: Wed, 14 Mar 2007 09:06:41 +0000 Subject: [Bro] incoming traffic Message-ID: <45F7BB21.40708@thescholars.info> hi there Just wondering if there is a known incoming speed limit at which Bro will perform to its best? I refer to the traffic speed (100Mbps ?) thanks From vern at icir.org Wed Mar 14 20:10:30 2007 From: vern at icir.org (Vern Paxson) Date: Wed, 14 Mar 2007 20:10:30 -0700 Subject: [Bro] Trouble with ASYMETRIC FTP traffic In-Reply-To: <20070313134817.CHA65620@mail.tataelxsi.co.in> (Tue, 13 Mar 2007 13:48:17 +0530). Message-ID: <200703150310.l2F3AUhT015400@jaguar.icir.org> > I am trying to analyze asymmetric (one sided) FTP traffic. It's not clear what you mean by one-sided. If you mean you only see either the client side or the server side, unfortunately Bro rarely operates well when faced with only half of the dialog in a connection. Probably what's failing is that there's no connection_established event because you're not seeing a SYN/SYN-ACK exchange. 
Vern

From vern at icir.org Wed Mar 14 20:12:08 2007
From: vern at icir.org (Vern Paxson)
Date: Wed, 14 Mar 2007 20:12:08 -0700
Subject: [Bro] incoming traffic
In-Reply-To: <45F7BB21.40708@thescholars.info> (Wed, 14 Mar 2007 09:06:41 -0000).
Message-ID: <200703150312.l2F3C8mU015490@jaguar.icir.org>

> Just wondering if there is a known incoming speed limit at which Bro
> will perform to its best? I refer to the traffic speed (100Mbps ?)

This isn't really a well-formed question: too much depends on the specifics of your traffic mix, the sorts of analysis you want to perform, and your hardware platform. We use Bro operationally at LBL and NERSC to monitor 10 Gbps links using commodity PCs. However, monitoring UC Berkeley's traffic (slower links, technically, but much busier anyway) requires the use of a clusterized Bro. That said, if 100 Mbps is the speed you wish to monitor, that should certainly be doable.

Vern

From john8xyp at yahoo.com.cn Wed Mar 14 21:01:44 2007
From: john8xyp at yahoo.com.cn (=?iso-2022-jp?B?GyRCNycxSko/GyhC?=)
Date: Thu, 15 Mar 2007 12:01:44 +0800 (CST)
Subject: [Bro] How does Bro capture the traffic of ftp data connection ?
Message-ID: <863393.39837.qm@web15204.mail.cnb.yahoo.com>

If I only load the ftp analyzer (ftp.bro), the following line

redef capture_filters += { ["ftp"] = "port ftp" };

will guide Bro to capture the traffic from and to port 21. The event handlers for ftp_request and ftp_reply don't include statements to capture the data-port traffic after finding the command "port" or "pasv"; they just add an entry to the session table. But if libpcap can't capture the corresponding packets, the added entry doesn't work! So how does it dynamically add the filter string to capture the temporary traffic? Can anyone help me? Thanks
From vanepp at sfu.ca Thu Mar 15 09:52:25 2007
From: vanepp at sfu.ca (Peter Van Epp)
Date: Thu, 15 Mar 2007 09:52:25 -0700
Subject: [Bro] Linux Kernel dropping a lot of packets
In-Reply-To: <45F735E1.2070101@lbl.gov>
References: <20070313201109.GD1501@sfu.ca> <45F70B67.9090807@lbl.gov> <20070313225755.GA5715@sfu.ca> <45F735E1.2070101@lbl.gov>
Message-ID: <20070315165225.GB18166@sfu.ca>

On Tue, Mar 13, 2007 at 04:38:09PM -0700, Mark Dedlow wrote:
>
> I should add that I did not attempt a comprehensive comparison, and
> that the performance probably varies significantly as a function of
> variables such as traffic profile. My tests used synthetic traffic
> with a single packet size mix (simulating our actual environment.)
> This was on 6.1 btw.
>
> Mark

A late thought on this subject: were you running a stock Linux kernel (i.e. with just the pf-ring patches)? I use the config out of our HPC folks with tcp stack tweaks which can (and does daily) do 995 megabits per second across a 40 msec latency light path on a grid cluster here (the 200 terabyte file store is here; the compute engines are in several other sites across town and several thousand miles away). The stock kernel (which we used by accident during a test one day) gets 35 megabits per second on that same gig link and I suspect that may impact capture performance too. When our HPC guys started up 5 or 6 years ago I suggested FreeBSD but testing indicated that a properly tuned Linux kernel was just as fast (at least in tcp :-)) as FreeBSD and was more common in Beowulf clusters so they went Linux.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

From milesgrun at yahoo.com Thu Mar 15 10:47:04 2007
From: milesgrun at yahoo.com (miles grun)
Date: Thu, 15 Mar 2007 10:47:04 -0700 (PDT)
Subject: [Bro] Why do I get duplicate new_connection event?
Message-ID: <634999.99362.qm@web55106.mail.re4.yahoo.com>

Hi,

I am quite new in Bro. I have been experimenting with it for a couple of days by now, and couldn't figure out the reason for the problem below (I went through the archives as much as I can but nothing popped up).

I am running the following simple bro script on the test data using the steps below:

$cat a.bro
@load weird

event new_connection(c: connection)
	{
	print fmt("new connection=%s",c);
	}

$tcpdump -r test.1 -n -tt
reading from file test.1, link-type EN10MB (Ethernet)
1007672739.741946 IP 190.84.172.89.2278 > 222.37.1.55.80: S 3585205640:3585205640(0) win 5840
1007672740.081079 IP 222.37.1.55.80 > 190.84.172.89.2278: S 3552369456:3552369456(0) ack 3585205641 win 1460
1007672740.083354 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 1 win 5840
1007672740.090794 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1:626(625) ack 1 win 5840
1007672740.443563 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 626 win 31856
1007672743.331707 IP 222.37.1.55.80 > 190.84.172.89.2278: P 1:206(205) ack 626 win 31856
1007672743.334165 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 206 win 6432
1007672743.478567 IP 190.84.172.89.2278 > 222.37.1.55.80: P 626:1262(636) ack 206 win 6432
1007672743.692464 IP 222.37.1.55.80 > 190.84.172.89.2278: P 206:410(204) ack 1262 win 31856
1007672743.694853 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 410 win 7504
1007672743.838441 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1262:1895(633) ack 410 win 7504
1007672744.048642 IP 222.37.1.55.80 > 190.84.172.89.2278: P 410:614(204) ack 1895 win 31856
1007672744.051076 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 614 win 8576
1007672751.518485 IP 190.84.172.89.2278 > 222.37.1.55.80: F 1895:1895(0) ack 614 win 8576
1007672751.835071 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 1896 win 31856
1007672751.835299 IP 222.37.1.55.80 > 190.84.172.89.2278: F 614:614(0) ack 1896 win 31856
1007672751.839189 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 615 win 8576

$bro -r test.1 ./a.bro
new connection=[id=[orig_h=190.84.172.89, orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=1007672739.74195, duration=0.0, service=, addl=cc=1, hot=0, history=]
(I REMOVED HTTP CONTENT GAP EVENTS FOR CONCISENESS)
new connection=[id=[orig_h=190.84.172.89, orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=0], start_time=1007672751.83919, duration=0.0, service=, addl=, hot=0, history=]
$

From the timestamp, it looks to me that the second new connection is triggered by the last ACK. But this ACK is the ACK of the FIN packet from server, so we should not receive a second new_connection event. Is there anything I am missing here, or is it the expected behavior?

Note: I am using bro-1.2.1 and did not change anything in the policy directory.

Thanks for all your time,

From robin at icir.org Thu Mar 15 12:09:57 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 15 Mar 2007 12:09:57 -0700
Subject: [Bro] How does Bro capture the traffic of ftp data connection ?
In-Reply-To: <863393.39837.qm@web15204.mail.cnb.yahoo.com>
References: <863393.39837.qm@web15204.mail.cnb.yahoo.com>
Message-ID: <20070315190957.GB860@icir.org>

On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:
> So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as it would need to be recompiled every time (and the filter would quickly get huge). If you want Bro to analyze the content of ftp-data sessions, you need to manually override the pcap filter to include all packets, e.g., by running with "-f tcp".
Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From christian at whoop.org Thu Mar 15 13:09:14 2007
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 15 Mar 2007 13:09:14 -0700
Subject: [Bro] Why do I get duplicate new_connection event?
In-Reply-To: <634999.99362.qm@web55106.mail.re4.yahoo.com>
References: <634999.99362.qm@web55106.mail.re4.yahoo.com>
Message-ID: <1173989354.19953.130.camel@strangepork>

Hi,

it's not clear to me why you see an additional new_connection event, but I also don't understand why you apparently encounter content gaps, because (after just eyeballing) I don't see any. Would you mind sending that trace?

ps: it's a good idea to turn off linewrapping in your mailer when sending log output.
Cheers,
Christian

--
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org

From milesgrun at yahoo.com Thu Mar 15 15:01:37 2007
From: milesgrun at yahoo.com (Miles Grun)
Date: Thu, 15 Mar 2007 15:01:37 -0700 (PDT)
Subject: [Bro] Why do I get duplicate new_connection event?
In-Reply-To: <1173989354.19953.130.camel@strangepork>
Message-ID: <538444.56149.qm@web55113.mail.re4.yahoo.com>

Thanks for the quick response. I was believing (but I may be wrong) this is because only the first 64 bytes of the packets exist in this pcap file. Here is test.1 (uuencoded). I also attach it to this email.

regards,

--- Christian Kreibich wrote:
> Hi,
>
> it's not clear to me why you see an additional
> new_connection event, but
> I also don't understand why you apparently encounter
> content gaps,
> because (after just eyeballing) I don't see any.
> Would you mind sending
> that trace?
>
> ps: it's a good idea to turn off linewrapping in
> your mailer when
> sending log output.
>
> Cheers,
> Christian
> --
> ________________________________________________________________________
>
> http://www.icir.org/christian
>
> http://www.whoop.org
>
From milesgrun at yahoo.com Thu Mar 15 18:24:11 2007
From: milesgrun at yahoo.com (Miles Grun)
Date: Thu, 15 Mar 2007 18:24:11 -0700 (PDT)
Subject: [Bro] Why do I get duplicate new_connection event?
In-Reply-To: <538444.56149.qm@web55113.mail.re4.yahoo.com>
Message-ID: <92015.83940.qm@web55105.mail.re4.yahoo.com>

Hi Again,

I would like to post the pcap file (test.1) that caused double new_connection messages. My previous email contained this file in uuencoded format; however, I have discovered that the email system somehow substituted @ with `at` in the message body. Since I do not know how to work around this problem and/or post a binary file, I am posting the fully decoded pcap file instead. I hope somebody can point out the reason for double new connection messages quickly.

Best regards,

$ tcpdump -r test.1 -XX -n
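The duplicate new_connection question above turns on a trailing ACK that arrives after both sides have sent FIN. As an added example (it is not Bro's code and makes no claim about what Bro does internally), the Python below walks the tcpdump -n -tt summary lines quoted in the thread through a minimal connection table and compares two policies: discarding state as soon as both FINs are seen versus keeping it in a TIME_WAIT-like closed state. The trace lines are copied from the thread; the tracker, its names and the "new connection without SYN" check are assumptions of this example.

```python
"""Connection-state tracker over tcpdump -n -tt summary lines (added example,
not Bro's code). It shows how a tracker that drops a connection's state the
moment both FINs are seen attributes the ACK that completes the close to a
"new" connection, while one that keeps closed state does not."""
import re
from dataclasses import dataclass, field

# Summary lines copied from the trace quoted earlier in the thread
# (tcpdump -r test.1 -n -tt); the middle data packets are omitted because
# they do not change the connection state machine.
TRACE = """\
1007672739.741946 IP 190.84.172.89.2278 > 222.37.1.55.80: S 3585205640:3585205640(0) win 5840
1007672740.081079 IP 222.37.1.55.80 > 190.84.172.89.2278: S 3552369456:3552369456(0) ack 3585205641 win 1460
1007672740.083354 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 1 win 5840
1007672740.090794 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1:626(625) ack 1 win 5840
1007672740.443563 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 626 win 31856
1007672743.331707 IP 222.37.1.55.80 > 190.84.172.89.2278: P 1:206(205) ack 626 win 31856
1007672751.518485 IP 190.84.172.89.2278 > 222.37.1.55.80: F 1895:1895(0) ack 614 win 8576
1007672751.835071 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 1896 win 31856
1007672751.835299 IP 222.37.1.55.80 > 190.84.172.89.2278: F 614:614(0) ack 1896 win 31856
1007672751.839189 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 615 win 8576
"""

# Old-style tcpdump TCP summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
# where <flags> is one or more of S/F/P/R, or "." when none of them is set.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump flag letters; "." means none of S/F/P/R
    ack: bool    # True when the summary carries an "ack" field


def parse(trace: str) -> list:
    """Parse the summary lines; lines that do not match are skipped."""
    pkts = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        g = m.groupdict()
        pkts.append(Packet(float(g["ts"]), g["src"], int(g["sport"]),
                           g["dst"], int(g["dport"]), g["flags"],
                           " ack " in g["rest"]))
    return pkts


@dataclass
class Conn:
    start: float
    fins: set = field(default_factory=set)   # endpoints that sent a FIN
    closed: bool = False


class Tracker:
    """Minimal connection table keyed by the unordered endpoint pair."""

    def __init__(self, keep_closed_state: bool):
        self.keep_closed_state = keep_closed_state
        self.conns = {}
        self.events = []   # (timestamp, first packet carried SYN)

    @staticmethod
    def key(p: Packet):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def feed(self, p: Packet) -> None:
        k = self.key(p)
        c = self.conns.get(k)
        if c is not None and c.closed and "S" in p.flags and not p.ack:
            c = None   # genuine reuse of the 4-tuple: a fresh SYN after close
        if c is None:
            c = Conn(start=p.ts)
            self.conns[k] = c
            # A new connection whose first packet has no SYN is exactly the
            # symptom the thread asks about; a detector can flag it.
            self.events.append((p.ts, "S" in p.flags))
        if "R" in p.flags:
            self.conns.pop(k, None)
            return
        if "F" in p.flags:
            c.fins.add((p.src, p.sport))
        if len(c.fins) == 2:
            if self.keep_closed_state:
                c.closed = True   # keep the entry so the final ACK matches it
            else:
                # Discarding state here leaves nothing for the ACK that
                # completes the close handshake to attach to.
                del self.conns[k]


def new_connection_events(trace: str, keep_closed_state: bool) -> list:
    """Return (timestamp, had_syn) for every connection the tracker creates."""
    t = Tracker(keep_closed_state)
    for p in parse(trace):
        t.feed(p)
    return t.events
```

With keep_closed_state=False the second event lands on the last ACK's timestamp, 1007672751.839189, and carries no SYN; with keep_closed_state=True only the SYN at 1007672739.741946 produces an event.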
From john8xyp at yahoo.com.cn Thu Mar 15 19:02:27 2007
From: john8xyp at yahoo.com.cn (=?iso-2022-jp?B?GyRCNycxSko/GyhC?=)
Date: Fri, 16 Mar 2007 10:02:27 +0800 (CST)
Subject: [Bro] Re: How does Bro capture the traffic of ftp data connection ?
Message-ID: <527065.18182.qm@web15209.mail.cnb.yahoo.com>

----- Original Message ----
From: Robin Sommer
Cc: Bro at bro-ids.org; bro at ICSI.Berkeley.EDU
Sent: 2007/3/16, 3:09:57
Subject: Re: [Bro] How does Bro capture the traffic of ftp data connection ?

Thank you for your answer.

How does Bro become aware of the close of the ftp data connection if it can't capture the corresponding TCP session packets? Via the interactive info that appears in the ftp control connection?

And, to dynamically capture certain traffic without including all packets, it seems feasible to create a new thread/process that runs another Bro to capture and analyze it, but does this process take so long that it misses some packets in that session?

On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:
> So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as it would need to be recompiled every time (and the filter would quickly get huge). If you want Bro to analyze the content of ftp-data sessions, you need to manually override the pcap filter to include all packets, e.g., by running with "-f tcp".

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
From yongping.xiong at gmail.com Thu Mar 15 23:39:34 2007
From: yongping.xiong at gmail.com (Yongping Xiong)
Date: Fri, 16 Mar 2007 14:39:34 +0800
Subject: [Bro] Re: How does Bro capture the traffic of ftp data connection ?
Message-ID: <695d285b0703152339l204ffd22wed0358d87c8b6c8f@mail.gmail.com>

Sorry, there was something wrong with my mailer this morning.

Thank you for your answer.

How is Bro aware of the close of the ftp data connection if it can't capture the corresponding TCP session packets? Via the interactive info that appears in the ftp control connection?

And, to dynamically capture certain traffic without including all packets, it feels feasible to create a new thread/process to run another Bro to capture and analyze, but does this process take so long that some packets in that session are missed?

On Thu, Mar 15, 2007 at 12:01 +0800, you wrote:

> So how does it dynamically add the filter string to capture the
> temporary traffic?

It doesn't. Dynamically changing the BPF filter is too expensive as it would need to be recompiled every time (and the filter would quickly get huge). If you want Bro to analyze the content of ftp-data sessions, you need to manually override the pcap filter to include all packets, e.g., by running with "-f tcp".

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Mar 16 09:34:31 2007
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Mar 2007 09:34:31 -0700
Subject: [Bro] Re: How does Bro capture the traffic of ftp data connection ?
In-Reply-To: <695d285b0703152339l204ffd22wed0358d87c8b6c8f@mail.gmail.com>
References: <695d285b0703152339l204ffd22wed0358d87c8b6c8f@mail.gmail.com>
Message-ID: <20070316163431.GA6342@icir.org>

On Fri, Mar 16, 2007 at 14:39 +0800, Yongping Xiong wrote:

> How is Bro aware of the close of the ftp data connection if it can't
> capture the corresponding TCP session packets?

By default Bro captures *all* TCP control packets (SYNs/FINs/RSTs) and will therefore know about the ftp-data connection. However, it does not capture any payload packets of the data connection.

> And, to dynamically capture certain traffic without including all
> packets, it feels feasible to create a new thread/process to run another Bro
> to capture and analyze

The second Bro still would have the same problem that it needs to adapt its filter on the fly. And yes, the latency of the communication would quite likely lead to missed packets.

But we are working on another solution to the problem: we're in the process of interfacing Bro with our time machine[1]. Bro will be able to query the TM for the ftp-data connection once it has parsed the control sessions.

Robin

[1] http://www.net.t-labs.tu-berlin.de/research/tm

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From christian at whoop.org Fri Mar 16 15:02:24 2007
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 16 Mar 2007 15:02:24 -0700
Subject: [Bro] Why do I get duplicate new_connection event?
In-Reply-To: <538444.56149.qm@web55113.mail.re4.yahoo.com>
References: <538444.56149.qm@web55113.mail.re4.yahoo.com>
Message-ID: <1174082544.18408.50.camel@strangepork>

On Thu, 2007-03-15 at 15:01 -0700, Miles Grun wrote:
> Thanks for the quick response. I was believing (but I may
> be wrong) this is because only the first 64 bytes of
> the packets exist in this pcap file. Here is test.1
> (uuencoded). I also attach it to this email.

Thanks for this.
Robin and I just had a look, and you're indeed not seeing the intended behavior. The problem is that currently tcp_close_delay is set to 0 seconds and so Bro considers the connection complete immediately after having seen both FINs. Either bump up tcp_close_delay ...

  bro -r test.1 tcp_close_delay=1sec a.bro

... or load heavy-analysis.bro (which also bumps up the various timeouts):

  bro -r test.1 a.bro heavy-analysis

In the next release, we'll likely set tcp_close_delay to a small but non-zero timeout.

Cheers,
Christian
-- 
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org

From robin at icir.org Fri Mar 16 15:11:13 2007
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Mar 2007 15:11:13 -0700
Subject: [Bro] Regarding signatures
In-Reply-To: <20070309172335.CGX43602@mail.tataelxsi.co.in>
References: <20070309172335.CGX43602@mail.tataelxsi.co.in>
Message-ID: <20070316221113.GB8409@icir.org>

On Fri, Mar 09, 2007 at 17:23 +0530, Ayyappa Suryanarayana T wrote:

> I am having trouble matching the same signature for packets in
> different connections; it's matching one connection but it's not
> matching for another connection, but the packets have the same payload.

(Sorry for the delay in getting back to this.)

It actually works fine for me:

>cat a.sig
signature gtalk_test {
  event "gtalk test received"
  payload /\x17\x03\x01/
}

>bro -r jabber-matched.pcap.pcap -s ./a.sig signatures
1165632085.395097 SensitiveSignature 192.168.0.3: gtalk test received

>bro -r jabber-unmatched.pcap.pcap -s ./a.sig signatures
1165670194.604938 SensitiveSignature 216.239.37.125: gtalk test received

What's the command line you're using?

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From edthoma at sandia.gov Tue Mar 20 16:46:35 2007
From: edthoma at sandia.gov (Thomas, Eric D.)
Date: Tue, 20 Mar 2007 16:46:35 -0700
Subject: [Bro] ContentGap problem in offline traces
Message-ID: 

Hi,

I have an HTTP trace where I downloaded a 20 meg executable (no encoding). The trace was created by tcpdump, not Bro.

It was suggested in the archives that if one gets a lot of ContentGap errors when processing a trace off-line it is likely because there are missing packets in the trace. I'm sure my trace has all of the packets because if I run tcpflow on the trace and remove all of the HTTP headers from the larger of the two resulting files, I get a file that is the same size as the executable I downloaded.

When I process the trace offline with Bro (I have a custom policy that writes the HTTP data out using the http_entity_data event) I get a lot of ContentGap errors. The size of the written file is smaller than the size of the executable. When I add up all of the missing bytes reported by the many ContentGap notices, the sum is exactly the difference between the size (in bytes) of the executable and the size of the written file. Therefore, I assume that Bro is not passing the "missing" data to the http_entity_data handler.

When all of the packets are in the trace and my filter (according to print-filter) is "tcp or icmp or udp", what else is a common cause of the ContentGap notice? Is there some tweak that I need to make to account for larger gaps/windows?

Eric Thomas
edthoma [you know what to do] sandia.gov

From vern at icir.org Tue Mar 20 17:03:08 2007
From: vern at icir.org (Vern Paxson)
Date: Tue, 20 Mar 2007 17:03:08 -0700
Subject: [Bro] ContentGap problem in offline traces
In-Reply-To: (Tue, 20 Mar 2007 16:46:35 PDT).
Message-ID: <200703210003.l2L038CM027187@jaguar.icir.org>

Any chance you could send us the trace to have a look at?

Vern

From edthoma at sandia.gov Tue Mar 20 17:48:32 2007
From: edthoma at sandia.gov (Thomas, Eric D.)
Date: Tue, 20 Mar 2007 17:48:32 -0700
Subject: [Bro] ContentGap problem in offline traces
In-Reply-To: <200703210003.l2L038CM027187@jaguar.icir.org>
Message-ID: 

I'll sync up with you off-line. Thanks!

Eric

On 3/20/07 5:03 PM, "Vern Paxson" wrote:

> Any chance you could send us the trace to have a look at?
>
> Vern
>

From bachhaiduong at gmail.com Sat Mar 24 21:09:36 2007
From: bachhaiduong at gmail.com (Nguoi Khong Mang Ho)
Date: Sun, 25 Mar 2007 11:09:36 +0700
Subject: [Bro] Using Broccoli to config Bro agents remotely
Message-ID: <4db30bc0703242109r4aeaebdcwf0121538a00c9e91@mail.gmail.com>

Hi all,

Have you ever used Broccoli to configure, register or implement your own event handlers on remote Bro agents from the central one? Are there any docs or experiences on doing that?

Thanks,
Bach Hai Duong

From bindiyavs at tataelxsi.co.in Mon Mar 26 04:33:14 2007
From: bindiyavs at tataelxsi.co.in (Bindiya V S)
Date: Mon, 26 Mar 2007 17:03:14 +0530 (IST)
Subject: [Bro] Query about IPPROTO
Message-ID: <20070326170314.CHM19504@mail.tataelxsi.co.in>

Hi,

I was experimenting with Bro version 1.2. I could see that the value of IPPROTO_ICMP is defined in bro.init. But it looks like the source files (e.g. Discard.cc) are taking the value from the system file /usr/include/netinet/in.h.

Is it supposed to work this way, or am I hitting a bug?

Regards,
Bindiya

From vern at icir.org Mon Mar 26 13:04:09 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 26 Mar 2007 13:04:09 -0700
Subject: [Bro] Query about IPPROTO
In-Reply-To: <20070326170314.CHM19504@mail.tataelxsi.co.in> (Mon, 26 Mar 2007 17:03:14 +0530).
Message-ID: <200703262004.l2QK49a1032434@jaguar.icir.org>

> ... I could see that
> the value of IPPROTO_ICMP is defined in bro.init. But it looks like
> the source files (e.g.
> Discard.cc) are taking the value from the system file /usr/include/netinet/in.h.
>
> Is it supposed to work this way, or am I hitting a bug?

It's supposed to work that way.

Vern

From dcaldwell at colsa.com Mon Mar 26 14:00:23 2007
From: dcaldwell at colsa.com (David Caldwell)
Date: Mon, 26 Mar 2007 16:00:23 -0500
Subject: [Bro] switched to exim
Message-ID: <1174942823.5026.38.camel@dcaldwell>

Someone updated a few things on the Bro machine and changed over the MTA from sendmail to exim. What needs to be done to get Bro working again here? What config script do I need to run to set Bro up to work through exim?

David Caldwell
Colsa/HMT

From bltierney at lbl.gov Mon Mar 26 14:30:16 2007
From: bltierney at lbl.gov (Brian Tierney)
Date: Mon, 26 Mar 2007 14:30:16 -0700
Subject: [Bro] switched to exim
In-Reply-To: <1174942823.5026.38.camel@dcaldwell>
References: <1174942823.5026.38.camel@dcaldwell>
Message-ID: <46083B68.8030008@lbl.gov>

You'll need to rewrite:

  /usr/local/bro/scripts/mail_reports.sh

to work with exim.

David Caldwell wrote:
> Someone updated a few things on the Bro machine and changed over the MTA
> from sendmail to exim. What needs to be done to get Bro working again
> here? What config script do I need to run to set Bro up to work through
> exim?
>
> David Caldwell
> Colsa/HMT
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd.
MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From aashish at uiuc.edu Wed Mar 28 14:52:38 2007
From: aashish at uiuc.edu (Aashish Sharma)
Date: Wed, 28 Mar 2007 16:52:38 -0500
Subject: [Bro] error compiling pattern: ver. 1.2.1
Message-ID: <20070328215238.GA31126@uiuc.edu>

Hello All:

Just downloaded the latest bro development release version 1.2.1 and I am seeing the following errors when I run bro:

/usr/local/bro/policy/http-request.bro, line 34: run-time error: error compiling pattern /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/
/usr/local/bro/policy/http-request.bro, line 42: run-time error: error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
/usr/local/bro/policy/http-request.bro, line 48: run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/
/usr/local/bro/policy/http-request.bro, line 50: run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
/usr/local/bro/policy/http-reply.bro, line 111: run-time error: error compiling pattern /^?.*(^ )/
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/
/usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
/usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/
/usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/
/usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/portmapper.bro, line 310: run-time error: error compiling pattern /^?.*(^\[)/
/usr/local/bro/policy/portmapper.bro, line 311: run-time error: error compiling pattern /^?.*(\]$)/
/usr/local/bro/policy/login.bro, line 66: run-time error: error compiling pattern /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[ \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[ \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[ \t]+secure)))|(^?.*(cd[ \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[ \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[ \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[ \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/
/usr/local/bro/policy/login.bro, line 72: run-time error: error compiling pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/
/usr/local/bro/policy/login.bro, line 75: run-time error: error compiling pattern /^?.*(No such file or directory)/
/usr/local/bro/policy/login.bro, line 84: run-time error: error compiling pattern /^?.*(.*loadmodule.*)/
/usr/local/bro/policy/login.bro, line 138: run-time error: error compiling pattern /(((((((((((((((((((((((((((((((((((((((((((((((((^?.*(^-r.s.*root.*\/bin\/(sh|csh|tcsh)))|(^?.*(Jumping to address)))|(^?.*(Jumping Address)))|(^?.*(smashdu\.c)))|(^?.*(PATH_UTMP)))|(^?.*(Log started at =)))|(^?.*(www\.anticode\.com)))|(^?.*(www\.uberhax0r\.net)))|(^?.*(smurf\.c by TFreak)))|(^?.*(Super Linux Xploit)))|(^?.*(^# \[root@)))|(^?.*(^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh))))|(^?.*(invisibleX)))|(^?.*(PATH_(UTMP|WTMP|LASTLOG))))|(^?.*([0-9]{5,} bytes from)))|(^?.*((PATH|STAT):\ .*=>)))|(^?.*(----- \[(FIN|RST|DATA LIMIT|Timed Out)\])))|(^?.*(IDLE TIMEOUT)))|(^?.*(DATA LIMIT)))|(^?.*(-- TCP\/IP LOG --)))|(^?.*(STAT: (FIN|TIMED_OUT) )))|(^?.*((shell|xploit)_code)))|(^?.*(execshell)))|(^?.*(x86_bsd_compaexec)))|(^?.*(\\xbf\\xee\\xee\\xee\\x08\\xb8)))|(^?.*(Coded by James Seter)))|(^?.*(Irc Proxy v)))|(^?.*(Daemon port\.\.\.\.)))|(^?.*(BOT_VERSION)))|(^?.*(NICKCRYPT)))|(^?.*(\/etc\/\.core)))|(^?.*(exec.*\/bin\/newgrp)))|(^?.*(deadcafe)))|(^?.*([ \/]snap\.sh)))|(^?.*(Secure atime,ctime,mtime)))|(^?.*(Can\'t fix checksum)))|(^?.*(Promisc Dectection)))|(^?.*(ADMsn0ofID)))|(^?.*((cd \/; uname -a; pwd; id))))|(^?.*(drw0rm)))|(^?.*([Rr][Ee3][Ww][Tt][Ee3][Dd])))|(^?.*(rpc\.sadmin)))|(^?.*(AbraxaS)))|(^?.*(\[target\])))|(^?.*(ID_SENDSYN)))|(^?.*(ID_DISTROIT)))|(^?.*(by Mixter)))|(^?.*(rap(e?)ing.*using weapons)))|(^?.*(spsiod)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD]))/
/usr/local/bro/policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/
/usr/local/bro/policy/login.bro, line 147: run-time error: error compiling pattern /((^?.*(^[!-~]*( ?)[#%$] ))|(^?.*(.*no job control)))|(^?.*(WinGate>))/
/usr/local/bro/policy/login.bro, line 149: run-time error: error compiling pattern /^?.*(^ *#.*#)/
/usr/local/bro/policy/login.bro, line 151: run-time error: error compiling pattern /^?.*(VT666|007)/
/usr/local/bro/policy/irc.bro, line 60: run-time error: error compiling pattern /(((^?.*(.*etc\/shadow.*))|(^?.*(.*etc\/ldap.secret.*)))|(^?.*(.*phatbot.*)))|(^?.*(.*botnet.*))/
/usr/local/bro/policy/irc.bro, line 171: run-time error: error compiling pattern /^?.*(.*:$)/
/usr/local/bro/policy/stepping.bro, line 75: run-time error: error compiling pattern /(^?.*(^([Ll]ast +(successful)? *login)))|(^?.*(^Last interactive login))/
/usr/local/bro/policy/stepping.bro, line 78: run-time error: error compiling pattern /^?.*(\001)/
/usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/
/usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/
/usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/
/usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/
/usr/local/bro/policy/notice-policy.bro, line 58: run-time error: error compiling pattern /^?.*(Solaris listen service)/
/usr/local/bro/policy/notice-policy.bro, line 67: run-time error: error compiling pattern /^?.*(.*\.(gif|GIF|png|PNG|jpg|JPG))/
/usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)/
/usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /(^?.*(^?(.*exe)$?))|(^?.*((((^?(.*etc\/shadow.*)$?)|(^?(.*etc\/ldap.secret.*)$?))|(^?(.*phatbot.*)$?))|(^?(.*botnet.*)$?)))/
pcap bufsize = 8192
listening on eth2
pcap bufsize = 8192
listening on eth3
Bro Version: 1.2.1
Started with the following command line options: -W -i eth2 -i eth3 fog.ncsa.uiuc.edu.bro
Capture filter: ((((((((((port 6667) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (port 6666)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port telnet or tcp port 513)) or (udp port 69)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (port smtp)) or (tcp[13] & 7 != 0)) or (port ftp)) or (port 111)

Aashish

From vern at icir.org Wed Mar 28 15:01:04 2007
From: vern at icir.org (Vern Paxson)
Date: Wed, 28 Mar 2007 15:01:04 -0700
Subject: [Bro] error compiling pattern: ver. 1.2.1
In-Reply-To: <20070328215238.GA31126@uiuc.edu> (Wed, 28 Mar 2007 16:52:38 CDT).
Message-ID: <200703282201.l2SM14pv061472@jaguar.icir.org>

> Just downloaded the latest bro development release version 1.2.1 and I
> am seeing the following errors when I run bro :

This came up last month on the mailing list. Christian Kreibich's solution:

> ... remove the following files in src/ before doing a make (this
> removes all generated parser files, not just the regex-related ones):
>
> $ cd src/
> $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}

- Vern

From seth at net.ohio-state.edu Wed Mar 28 15:03:42 2007
From: seth at net.ohio-state.edu (Seth Hall)
Date: Wed, 28 Mar 2007 18:03:42 -0400
Subject: [Bro] error compiling pattern: ver. 1.2.1
In-Reply-To: <20070328215238.GA31126@uiuc.edu>
References: <20070328215238.GA31126@uiuc.edu>
Message-ID: 

On Mar 28, 2007, at 5:52 PM, Aashish Sharma wrote:

> /usr/local/bro/policy/http-request.bro, line 42: run-time error:
> error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|
> (^?.*(.*Admin.dll.*Admin.dll.*))/

I thought this looked familiar so I checked through old messages. Here was Christian's response...

=====
A quick update on this: we can confirm the issue. It seems that for some reason the generated parser code shipped with 1.2.1 breaks on at least FC5. We're unsure as to why this is, but it is likely related to the fact that the bison that was used to create the parser is quite old.

For the time being, the fix is to remove the generated parser files and use a local bison installation to regenerate them. To do so, remove the following files in src/ before doing a make (this removes all generated parser files, not just the regex-related ones):

$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
=====

.Seth