[Bro] Bro Digest, Vol 28, Issue 2

CS Lee geek00l at gmail.com
Mon Aug 4 18:02:00 PDT 2008


Hi Miguel,

If you are using hostname.bro, which may load brolite.bro (it will load
http.bro), and http_ports is defined in http.bro as well, you may find the
following lines -

# DPM configuration.
# global http_ports = {
#       80/tcp, 81/tcp, 631/tcp, 3138/tcp,
#       8000/tcp, 8080/tcp, 8888/tcp,
# } &redef;

I comment them out; instead, in snort.bro I comment out one line and add the
similar config in http.bro:

#const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
global http_ports = {
        80/tcp, 81/tcp, 631/tcp, 3128/tcp,
        8000/tcp, 8080/tcp, 8888/tcp,
} &redef;

Then try to run it again and see if it works.

Cheers


On Tue, Aug 5, 2008 at 3:00 AM, <bro-request at icsi.berkeley.edu> wrote:

> Today's Topics:
>
>   1. signarture dst-port issue (Miguel Angel Calvo Moya)
>   2. Re: signarture dst-port issue (Robin Sommer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Aug 2008 10:33:18 +0200
> From: Miguel Angel Calvo Moya <mangel12321 at hotmail.com>
> Subject: [Bro] signarture dst-port issue
> To: <bro at ICSI.Berkeley.EDU>
> Message-ID: <BLU130-W798FDC80C818195E29E43F0780 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Hello,
>
> I am having trouble using signatures on Bro. Let's say we have the following
> signature:
>
> signature s2b-99999-9 {
>  ip-proto == tcp
>  #dst-port == 80
>  #dst-port == http_ports
>  tcp-state established
>  event "Sample Signature"
> }
>
> When I use "dst-port == 80" everything seems to work. By 'work' I
> mean that Bro generates plenty of warnings, placing them in signatures.log;
> however, if we replace "dst-port == 80" with "dst-port == http_ports" and
> throw it again against the same trace, we no longer get any warnings.
>
> http_ports is declared on $BROPATH/policy/snort.bro as:
> const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
>
> I assume snort.bro is loaded correctly since otherwise it throws
> non-declaration errors. It is loaded in my hostname.bro file, which I use
> when running Bro.
>
> Also, does anybody know whether the next release will implement another regular
> expression matching library? I am trying to update snort2bro to support the
> Snort PCRE; however, it is not a trivial task.
>
> Any suggestions?
> Thank you!
> Miguel
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 4 Aug 2008 10:52:46 -0700
> From: Robin Sommer <robin at icir.org>
> Subject: Re: [Bro] signarture dst-port issue
> To: bro at ICSI.Berkeley.EDU, Miguel Angel Calvo Moya
>        <mangel12321 at hotmail.com>
> Message-ID: <20080804175246.GA51343 at icir.org>
> Content-Type: text/plain; charset=us-ascii
>
>
> On Mon, Aug 04, 2008 at 10:33 +0200, Miguel Angel Calvo Moya wrote:
>
> > I am having trouble using signatures on bro. Lets say we have the
> following signature
>
> Can you send me a small trace with which you see the problem and the
> exact command line you're using to start Bro?
>
> > Also, does anybody know whether next release will implement other
> > regular expression matching library?
>
> No, we don't have any plans to switch to another regexp library.
>
> >  I am trying to update snort2bro to support the snort pcre, however
> >  it is not a trivial task.
>
> Cool! but yeah, not exactly trivial. :)
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
>
> ------------------------------
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
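An added example of the same reconciliation done from a site policy file instead of by editing the shipped http.bro; this is not code from the thread, and it assumes Bro 1.x `@load`/`redef` syntax and that the conflicting `const http_ports` line in snort.bro has been commented out as described above.

```bro
# hostname.bro (added example, not from this thread)
# Load http.bro first: it declares `global http_ports = { ... } &redef;`,
# which is the single definition every signature should refer to.
@load http

# Extend the set here instead of editing http.bro, so an upgrade of the
# shipped scripts does not overwrite the local change. 8001/tcp is the
# only port in snort.bro's const list that http.bro's default set lacks.
redef http_ports += { 8001/tcp };

# Do not also keep `const http_ports = { ... };` in snort.bro: a second
# definition of the same name conflicts with the &redef global loaded above.
```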