From ar-605 at hotmail.com Tue Jul 1 08:13:22 2008
From: ar-605 at hotmail.com (Tianyi Zhang)
Date: Tue, 1 Jul 2008 23:13:22 +0800
Subject: [Bro] (no subject)

From adayadil.thomas at gmail.com Sun Jul 6 13:01:02 2008
From: adayadil.thomas at gmail.com (Adayadil Thomas)
Date: Sun, 6 Jul 2008 16:01:02 -0400
Subject: [Bro] Bro build failure. Help needed.

Greetings.

I have downloaded the bro 1.3.2 version. I am getting these errors while building it. Any help is much appreciated.

System Info:

Linux 2.4.27
gcc version 2.95.4

g++ -v
Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.4/specs
gcc version 2.95.4 20011002 (Debian prerelease)

./configure --disable-broccoli --enable-debug
make

Generating code for SMB_transaction
Generating code for SMB_transaction_secondary
Generating code for SMB_transaction_response
Generating code for SMB_get_dfs_referral
Generating code for SMB_MailSlot_message
Generating code for SMB_MailSlot_command
Generating code for SMB_MailSlot_host_announcement
Generating code for SMB_MailSlot_announcement_request
Generating code for SMB_MailSlot_request_election
Generating code for SMB_MailSlot_get_backup_list_request
Generating code for SMB_MailSlot_get_backup_list_response
Generating code for SMB_MailSlot_domain_announcement
Generating code for SMB_MailSlot_local_master_announcement
Generating code for SMB_Pipe_message
Generating code for SMB_RAP_message
make all-am
make[3]: Entering directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no \
depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo' \
depmode=gcc /bin/sh
../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo './'`DNS-binpac.cc
source='HTTP-binpac.cc' object='HTTP-binpac.o' libtool=no \
depfile='.deps/HTTP-binpac.Po' tmpdepfile='.deps/HTTP-binpac.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o HTTP-binpac.o `test -f 'HTTP-binpac.cc' || echo './'`HTTP-binpac.cc
source='main.cc' object='main.o' libtool=no \
depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o main.o `test -f 'main.cc' || echo './'`main.cc
source='net_util.cc' object='net_util.o' libtool=no \
depfile='.deps/net_util.Po' tmpdepfile='.deps/net_util.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o net_util.o `test -f 'net_util.cc' || echo './'`net_util.cc
g++ -I. -I../aux/binpac/lib -I../src -I. -I..
-Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -DLIBDEST=\"/usr/local/bro/lib/\" -c ./util.cc
./util.cc: In function `double calc_next_rotate(double, const char *)':
./util.cc:951: implicit declaration of function `int strptime(...)'
make[3]: *** [util.o] Error 1
make[3]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2'
make: *** [all] Error 2

After a make clean and make it stops at another point --

Generating code for SMB_transaction_secondary
Generating code for SMB_transaction_response
Generating code for SMB_get_dfs_referral
Generating code for SMB_MailSlot_message
Generating code for SMB_MailSlot_command
Generating code for SMB_MailSlot_host_announcement
Generating code for SMB_MailSlot_announcement_request
Generating code for SMB_MailSlot_request_election
Generating code for SMB_MailSlot_get_backup_list_request
Generating code for SMB_MailSlot_get_backup_list_response
Generating code for SMB_MailSlot_domain_announcement
Generating code for SMB_MailSlot_local_master_announcement
Generating code for SMB_Pipe_message
Generating code for SMB_RAP_message
make all-am
make[3]: Entering directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no \
depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I..
-Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo './'`DNS-binpac.cc
source='HTTP-binpac.cc' object='HTTP-binpac.o' libtool=no \
depfile='.deps/HTTP-binpac.Po' tmpdepfile='.deps/HTTP-binpac.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o HTTP-binpac.o `test -f 'HTTP-binpac.cc' || echo './'`HTTP-binpac.cc
source='main.cc' object='main.o' libtool=no \
depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o main.o `test -f 'main.cc' || echo './'`main.cc
source='net_util.cc' object='net_util.o' libtool=no \
depfile='.deps/net_util.Po' tmpdepfile='.deps/net_util.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o net_util.o `test -f 'net_util.cc' || echo './'`net_util.cc
g++ -I. -I../aux/binpac/lib -I../src -I. -I..
-Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -DLIBDEST=\"/usr/local/bro/lib/\" -c ./util.cc
./util.cc: In function `double calc_next_rotate(double, const char *)':
./util.cc:951: implicit declaration of function `int strptime(...)'
make[3]: *** [util.o] Error 1
make[3]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2'
make: *** [all] Error 2

From cjsu at hotmail.com Wed Jul 9 14:59:22 2008
From: cjsu at hotmail.com (Chi-Jiun Su)
Date: Wed, 9 Jul 2008 17:59:22 -0400
Subject: [Bro] To convert l7-filter signatures to Bro signatures

Hi,

Is there a script readily available to convert l7-filter signatures into Bro signatures? l7-filter (kernel version) is said to use V8 regexps while Bro is said to follow flex regexps.

Thanks.

cj

From robin at icir.org Wed Jul 9 19:42:11 2008
From: robin at icir.org (Robin Sommer)
Date: Wed, 9 Jul 2008 19:42:11 -0700
Subject: [Bro] To convert l7-filter signatures to Bro signatures
Message-ID: <20080710024211.GF56697@icir.org>

On Wed, Jul 09, 2008 at 17:59 -0400, Chi-Jiun Su wrote:

> Is there a script readily available to convert l7-filter signatures into Bro signatures?

No, sorry, there isn't.
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From paolo.tironi85 at gmail.com Fri Jul 11 07:28:06 2008
From: paolo.tironi85 at gmail.com (Paolo Tironi)
Date: Fri, 11 Jul 2008 16:28:06 +0200
Subject: [Bro] can't compile BRO policy
Message-ID: <131b22480807110728m49824cf4vee049849f1da9414@mail.gmail.com>

Hi, we are 3 students of the University of Milan (DTI - Crema): Paolo Tironi, Paolo Bettini and Matteo Morato. We are studying Bro IDS for a project.

We installed BRO by just running ./configure and make, and then we set

$ pwd
/home/christian/devel/bro
$ echo $BROPATH
/home/christian/devel/bro/policy:/home/christian/devel/bro/policy/sigs

Next, we set the BRO_DNS_FAKE environment variable. Finally we ran BRO:

$ ./src/bro -r trace1.tcpdump tcp scan alarm weird.

We have some problems:

bt bin # bro -r trace1.tcpdump tcp scan alarm weird dns
/usr/local/bro/policy/bro.init, line 1: warning: problem initializing NB-DNS: connect(200.3.200.5): Network is unreachable
/usr/local/bro/policy/dns.bro, line 123: run-time error: error compiling pattern /^?.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa)/
/usr/local/bro/policy/dns.bro, line 179: run-time error: error compiling pattern /^?.*(\.)/
/usr/local/bro/policy/dns.bro, line 557: run-time error: error compiling pattern /^?.*(\?(PTR|\*.*in-addr).*)/
/usr/local/bro/policy/dns.bro, line 571: run-time error: error compiling pattern /^?.*(\?(PTR|\*.*in-addr).*)/
line 1: warning: event handlers never invoked:
line 1: warning: account_tried

Is there anybody who can help me?
From robin at icir.org Fri Jul 11 11:33:16 2008
From: robin at icir.org (Robin Sommer)
Date: Fri, 11 Jul 2008 11:33:16 -0700
Subject: [Bro] can't compile BRO policy
In-Reply-To: <131b22480807110728m49824cf4vee049849f1da9414@mail.gmail.com>
References: <131b22480807110728m49824cf4vee049849f1da9414@mail.gmail.com>
Message-ID: <20080711183316.GA90383@icir.org>

On Fri, Jul 11, 2008 at 16:28 +0200, you wrote:

> /usr/local/bro/policy/dns.bro, line 123: run-time error: error compiling
> pattern /^?.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa)/

There's a fix for this described at

http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22

Does that solve the problem?

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From paolo.tironi85 at gmail.com Mon Jul 14 01:40:33 2008
From: paolo.tironi85 at gmail.com (Paolo Tironi)
Date: Mon, 14 Jul 2008 10:40:33 +0200
Subject: [Bro] can't compile BRO policy
In-Reply-To: <20080711183316.GA90383@icir.org>
References: <131b22480807110728m49824cf4vee049849f1da9414@mail.gmail.com> <20080711183316.GA90383@icir.org>
Message-ID: <131b22480807140140g7c425452k10f1d3ded0d409df@mail.gmail.com>

We can't find these files, but we still have the problem.

Paolo
Matteo
Paolo

2008/7/11 Robin Sommer :

>
> On Fri, Jul 11, 2008 at 16:28 +0200, you wrote:
>
> > /usr/local/bro/policy/dns.bro, line 123: run-time error: error compiling
> > pattern /^?.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa)/
>
> There's a fix for this described at
>
> http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22
>
> Does that solve the problem?
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
From uchekuru at gmail.com Tue Jul 15 07:24:19 2008
From: uchekuru at gmail.com (uday chekuri)
Date: Tue, 15 Jul 2008 10:24:19 -0400
Subject: [Bro] IGMP analyzer

I am just wondering whether the IGMP analyzer is available in the new version of bro 1.3.2???

From vern at icir.org Tue Jul 15 07:44:51 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 15 Jul 2008 07:44:51 -0700
Subject: [Bro] IGMP analyzer
In-Reply-To: (Tue, 15 Jul 2008 10:24:19 EDT).
Message-ID: <200807151444.m6FEiwmF024948@pork.ICSI.Berkeley.EDU>

> I am just wondering whether the IGMP analyzer is available in the new
> version of bro 1.3.2???

What IGMP analyzer are you referring to?

Vern

From gregoryb at fnal.gov Tue Jul 15 08:30:14 2008
From: gregoryb at fnal.gov (Gregory Brown)
Date: Tue, 15 Jul 2008 10:30:14 -0500
Subject: [Bro] Bro crash with "bro: out of memory in new"
Message-ID: <00dd01c8e68f$ada59180$b482e183@fnal.gov>

I am setting up a Bro IDS running on Freebsd6.3 AMD64 64 bit dual quad-core processors.

Previous builds using ./configure
This build using ./configure --enable-int64 --enable-shippedpcap

I am getting crashes with the title "bro: out of memory in new".
I am sending the debugger output for one of these crashes. Please advise any further information needed.
#0 0x000000080131860c in kill () from /lib/libc.so.6
#1 0x000000080131749d in abort () from /lib/libc.so.6
#2 0x0000000000437302 in out_of_memory () at SSLInterpreter.cc:31
#3 0x0000000800fee45d in operator new () from /usr/lib/libstdc++.so.5
#4 0x000000000040e78c in std::vector >::reserve (this=0x303d168, __n=18446744071662796800) at new_allocator.h:81
#5 0x0000000000429574 in binpac::SunRPC::RPC_Opaque::Parse (this=0x5449ca8, t_begin_of_data=0x801459a00 "", t_end_of_data=0x801459a14 "G\b?\231\021?{H", t_byteorder=20022828) at rpc_pac.cc:538
#6 0x0000000000429e77 in binpac::SunRPC::RPC_OpaqueAuth::Parse (this=0x5cd3eb8, t_begin_of_data=0x8014599fc "", t_end_of_data=0x801459a14 "G\b?\231\021?{H", t_byteorder=0) at rpc_pac.cc:611
#7 0x000000000042a103 in binpac::SunRPC::RPC_Call::Parse (this=0x5b9a0b8, t_begin_of_data=0x8014599e4 "", t_end_of_data=0x801459a14 "G\b?\231\021?{H", t_context=0x3d67838, t_byteorder=0) at rpc_pac.cc:188
#8 0x000000000042b073 in binpac::SunRPC::RPC_Message::Parse (this=0x552e040, t_begin_of_data=0x8014599dc "\v+4t", t_end_of_data=0x801459a14 "G\b?\231\021?{H", t_context=0x3d67838) at rpc_pac.h:155
#9 0x000000000042b1f4 in binpac::SunRPC::RPC_Flow::NewData (this=0x2f2f120, t_begin_of_data=0x8014599dc "\v+4t", t_end_of_data=0x801459a14 "G\b?\231\021?{H") at rpc_pac.cc:1009
#10 0x000000000051f69d in RPC_UDP_Analyzer_binpac::DeliverPacket (this=0x1772508, len=56, data=0x8014599dc "\v+4t", orig=44, seq=-2137894624, ip=0x7fffffffdf38, caplen=0) at RPC.cc:608
#11 0x0000000000450073 in Analyzer::ForwardPacket (this=0x548d050, len=56, data=0x8014599dc "\v+4t", is_orig=8, seq=-1, ip=0x7fffffffe480, caplen=64) at Analyzer.cc:363
#12 0x000000000057396d in UDP_Analyzer::DeliverPacket (this=0x548d050, len=56, data=0x8014599dc "\v+4t", is_orig=true, seq=-1, ip=0x7fffffffe480, caplen=64) at UDP.cc:179
#13 0x000000000045fdef in Connection::NextPacket (this=0x5ff39ec, t=3.8733205149138704e-317, is_orig=6, ip=0x2b0de40, len=64, caplen=-2137894624, data=@0x7fffffffe3f0, record_packet=@0x7fffffffe3f8, record_content=@0x7fffffffe3fc, hdr=0x80131862c, pkt=0x10d39, hdr_size=0) at Conn.cc:241
#14 0x0000000000543a73 in NetSessions::DoNextPacket (this=0x133f7a8, t=1216071185.658416, hdr=0x133f498, ip_hdr=0x7fffffffe480, pkt=0x8014599b2 "", hdr_size=14) at Sessions.cc:603
#15 0x0000000000543fe4 in NetSessions::NextPacket (this=0x133f7a8, t=1216071185.658416, hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14, pkt_elem=0x0) at Sessions.cc:294
#16 0x000000000050565e in net_packet_dispatch (t=1216071185.658416, hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14, src_ps=0x133f458, pkt_elem=0x0) at Net.cc:402
#17 0x000000000051233d in PktSrc::Process (this=0x133f458) at PktSrc.cc:211
#18 0x0000000000505d7e in net_run () at Net.cc:492
#19 0x00000000004344b1 in main (argc=9307256, argv=0x0) at main.cc:1008
(gdb)

Thanks
Greg

______________________________________________________________________
Gregory Brown
Fermi National Accelerator Laboratory

From vern at icir.org Tue Jul 15 09:14:11 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 15 Jul 2008 09:14:11 -0700
Subject: [Bro] Bro crash with "bro: out of memory in new"
In-Reply-To: <00dd01c8e68f$ada59180$b482e183@fnal.gov> (Tue, 15 Jul 2008 10:30:14 CDT).
Message-ID: <200807151614.m6FGEI7b026958@pork.ICSI.Berkeley.EDU>

This looks similar to a bug Tom Kho flagged a few months ago. (His concerned traces without full payloads - do you have that?) I've appended a patch for it, extracted from a larger patch, so it might be incomplete. Let me know if it fixes it.

Note, we're quite close to releasing Bro 1.4, which includes this.

Vern

Index: src/UDP.cc
===================================================================
--- src/UDP.cc (revision 5856)
+++ src/UDP.cc (revision 5857)
@@ -106,6 +106,7 @@
 	len -= sizeof(struct udphdr);
 	ulen -= sizeof(struct udphdr);
+	caplen -= sizeof(struct udphdr);
 	Conn()->SetLastTime(current_timestamp);
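Review bot: the new `caplen -= sizeof(struct udphdr);` is only safe if caplen is a signed type and at least a full UDP header was captured; if fewer than sizeof(struct udphdr) bytes are in the capture, a signed caplen goes negative (which the later `if ( caplen >= len )` guard in the second hunk correctly rejects), but an unsigned caplen would wrap to a huge value, pass that same guard, and re-open the truncated-payload path this patch is meant to close. Suggest an explicit check such as `if ( caplen < sizeof(struct udphdr) ) return;` (or a weird) before the three subtractions, so the invariant does not depend on the signedness of caplen, which is not visible in this hunk.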
@@ -178,7 +179,8 @@
 	Event(udp_reply);
 	}
-	ForwardPacket(len, data, is_orig, seq, ip, caplen);
+	if ( caplen >= len )
+		ForwardPacket(len, data, is_orig, seq, ip, caplen);
 	if ( TraceRewriter() && current_hdr )
 		((UDP_Rewriter*) TraceRewriter())->NextPacket(is_orig,

From hall.692 at osu.edu Tue Jul 15 09:16:26 2008
From: hall.692 at osu.edu (Seth Hall)
Date: Tue, 15 Jul 2008 12:16:26 -0400
Subject: [Bro] Bro crash with "bro: out of memory in new"
In-Reply-To: <00dd01c8e68f$ada59180$b482e183@fnal.gov>
References: <00dd01c8e68f$ada59180$b482e183@fnal.gov>
Message-ID: <344C69BB-4027-4FF9-A850-DE2CCA75100C@osu.edu>

On Jul 15, 2008, at 11:30 AM, Gregory Brown wrote:

> I am getting crashes with the title "bro: out of memory in new".
> I am sending the debuger output for one of these crashes. Please
> advise any
> further information needed.

Your host ran out of memory :)

There are a couple of ways that I know of to compensate for this happening regularly. You can run a Bro cluster which spreads a good deal of the memory load across all of the machines in the cluster or you can run the prof.bro script and watch for the output of the global variable sizes in the prof.log file and subsequently tune your analysis to not store so much state.

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From vern at icir.org Tue Jul 15 09:42:12 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 15 Jul 2008 09:42:12 -0700
Subject: [Bro] Bro crash with "bro: out of memory in new"
In-Reply-To: <344C69BB-4027-4FF9-A850-DE2CCA75100C@osu.edu> (Tue, 15 Jul 2008 12:16:26 EDT).
Message-ID: <200807151642.m6FGgJUY027543@pork.ICSI.Berkeley.EDU>

> Your host ran out of memory :)
>
> There are a couple of ways that I know of to compensate for this
> happening regularly ...

Actually, in this case it's different. The analyzer is reading a length value and allocating a buffer of that size, but the length is garbage and the analyzer is coming up with a huge value which it then tries to malloc.

Vern

From paolo.tironi85 at gmail.com Wed Jul 16 07:50:50 2008
From: paolo.tironi85 at gmail.com (Paolo Tironi)
Date: Wed, 16 Jul 2008 14:50:50 +0000
Subject: [Bro] many error with bro policy
Message-ID: <131b22480807160750t78776231g585044b0e2aed532@mail.gmail.com>

Hi, I have some problems using bro (offline). When I set a policy on bro to scan a dump file, I get these warnings:

/usr/local/bro/policy//scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host: wm3018.inktomi.com

Every time I get these warnings I also get some errors like:

/usr/local/bro/policy//ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/

and bro doesn't create any log or alarm. I don't understand this error. Can you help me?
From sullivan at cs.ucsb.edu Wed Jul 16 11:53:53 2008
From: sullivan at cs.ucsb.edu (Lorenzo Cavallaro)
Date: Wed, 16 Jul 2008 11:53:53 -0700
Subject: [Bro] many error with bro policy
In-Reply-To: <131b22480807160750t78776231g585044b0e2aed532@mail.gmail.com>
References: <131b22480807160750t78776231g585044b0e2aed532@mail.gmail.com>
Message-ID: <20080716185353.GB6651@galilei>

Hi,

On Wed, Jul 16, 2008 at 02:50:50PM +0000, Paolo Tironi wrote:

> Hi, I've some problems using bro (offline). When I set a policy on bro to
> scan a dump file it happens I have this warnings:
>
> /usr/local/bro/policy//scan.bro, line 92: warning: no such host:
> j5004.inktomisearch.com

[snip]

These hosts don't exist anymore (well, DNS entries for them seem to not exist anymore). I solved it by just commenting out those lines (anyway it was just a warning saying it couldn't resolve that host).

> Everytime I have this warnings I have also some errors like:
>
> /usr/local/bro/policy//ftp.bro, line 48: run-time error: error compiling
> pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/

I guess Robin already pointed you to

http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22

What version of Bro are you using (here, I've Bro-1.2.1 stable on GNU/Linux Ubuntu 8.04)?

bye,
Lorenzo

-- 
Lorenzo `Gigi Sullivan' Cavallaro
GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc

Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)

From sychan at lbl.gov Wed Jul 16 15:14:13 2008
From: sychan at lbl.gov (Stephen Chan)
Date: Wed, 16 Jul 2008 15:14:13 -0700
Subject: [Bro] Errors while building pybroccoli?
Message-ID: <487E72B5.8060809@lbl.gov>

Hi,

I just checked out the python bindings for broccoli and tried building it against Bro 1.3.2 using the suggested "python setup.py install". I am using python 2.4.3 and gcc 4.1.2 on CentOS 5.

Unfortunately the build just results in a few screens of compilation errors and warnings. Looking at the Makefile, I decided to try regenerating the swig bindings and running setup.py again. This cut down the number of errors to only a single screenful. Here's what I'm getting:

[sychan at panopticon python]$ python setup.py install
running install
running build
running build_py
creating build
creating build/lib.linux-i686-2.4
copying broccoli.py -> build/lib.linux-i686-2.4
running build_ext
building '_broccoli_intern' extension
creating build/temp.linux-i686-2.4
gcc -pthread -fno-strict-aliasing -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -fPIC -fPIC -I/usr/include/python2.4 -c broccoli_intern_wrap.c -o build/temp.linux-i686-2.4/broccoli_intern_wrap.o
broccoli_intern_wrap.c:2504: warning: useless storage class specifier in empty declaration
broccoli_intern_wrap.c: In function ‘valToPyObj’:
broccoli_intern_wrap.c:2595: warning: pointer targets in passing argument 1 of ‘PyString_FromStringAndSize’ differ in signedness
broccoli_intern_wrap.c: In function ‘pyObjToVal’:
broccoli_intern_wrap.c:2681: warning: pointer targets in assignment differ in signedness
broccoli_intern_wrap.c: At top level:
broccoli_intern_wrap.c:2762: error: expected declaration specifiers or ‘...’ before ‘BroEvMeta’
broccoli_intern_wrap.c: In function ‘event_callback’:
broccoli_intern_wrap.c:2767: error: ‘meta’ undeclared (first use in this function)
broccoli_intern_wrap.c:2767: error: (Each undeclared identifier is reported only once
broccoli_intern_wrap.c:2767: error: for each function it appears in.)
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_add_val’:
broccoli_intern_wrap.c:4716: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_set_val’:
broccoli_intern_wrap.c:4786: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_registry_add_compact’:
broccoli_intern_wrap.c:4988: warning: assignment from incompatible pointer type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_add_val’:
broccoli_intern_wrap.c:5849: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_nth_val’:
broccoli_intern_wrap.c:6004: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_named_val’:
broccoli_intern_wrap.c:6075: warning: assignment discards qualifiers from pointer target type
error: command 'gcc' failed with exit status 1
[sychan at panopticon python]$

The first error "broccoli_intern_wrap.c:2762: error: expected declaration specifiers or ‘...’ before ‘BroEvMeta’" references this:

// C-level event handler for events. We register all events with this callback,
// passing the target Python function in via data.
void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
{
...

I don't see any declaration for the BroEvMeta type anywhere.
There's a reference to this type in http://svn.icir.org/bro/trunk/bro/aux/broccoli/test/broping.c in the bro_pong_compact() declaration:

static void bro_pong_compact(BroConn *conn, void *data, BroEvMeta *meta)

However the signature in my version of broping is:

static void bro_pong_compact(BroConn *conn, void *data, int num_args, BroEvArg *args)

I'm guessing that things have changed since the 1.3.2 release and that the python bindings are against the current code base. Is that true? Do I need to download the latest bro source tree via subversion to use the python bindings?

Steve

From robin at icir.org Wed Jul 16 17:29:20 2008
From: robin at icir.org (Robin Sommer)
Date: Wed, 16 Jul 2008 17:29:20 -0700
Subject: [Bro] Errors while building pybroccoli?
In-Reply-To: <487E72B5.8060809@lbl.gov>
References: <487E72B5.8060809@lbl.gov>
Message-ID: <20080717002919.GE64444@icir.org>

On Wed, Jul 16, 2008 at 15:14 -0700, Stephen Chan wrote:

> I'm guessing that things have changed since the 1.3.2 release and that
> the python bindings are against the current code base. Is that true?

Yes, that's the problem here. There was an API change in Broccoli that in turn required the Python bindings to be adapted, which is why you're seeing these mismatches.

If you don't want to upgrade Broccoli, you could check out an older revision of the Python bindings from my branch. The relevant change was in revision 5937, so if you, say, check out revision 5936 it should work (and there haven't been any other changes to the bindings since then).

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From paolo.tironi85 at gmail.com Thu Jul 17 03:37:37 2008
From: paolo.tironi85 at gmail.com (Paolo Tironi)
Date: Thu, 17 Jul 2008 10:37:37 +0000
Subject: [Bro] Using snort2bro
Message-ID: <131b22480807170337o14e1d85aof712bb26c9c866b5@mail.gmail.com>

Hi, I can't use snort2bro.
I followed the wiki instructions (http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro) but it says: snort2bro command not found.
I know that it should already be installed with bro, but if I run "locate snort2bro", I can't find it.

How can I use it?

thanks
Paolo Tironi

From paolo.tironi85 at gmail.com Thu Jul 17 06:06:06 2008
From: paolo.tironi85 at gmail.com (Paolo Tironi)
Date: Thu, 17 Jul 2008 13:06:06 +0000
Subject: [Bro] Using snort2bro
In-Reply-To: <131b22480807170337o14e1d85aof712bb26c9c866b5@mail.gmail.com>
References: <131b22480807170337o14e1d85aof712bb26c9c866b5@mail.gmail.com>
Message-ID: <131b22480807170606y10f2f17agd1f40700fd278333@mail.gmail.com>

I've just resolved the problem. Now I understand how to use s2b and I've just converted a snort rule into a bro policy. I redirected the stdout to a .bro file. The result is a file with many rows of code, but I can't use it as a bro policy (error: unknown idetifier signature, at or near "signature"). The structure of the file is:

signature 549-8 {
  ip-proto == tcp
  src-ip == local_nets
  dst-ip != local_nets
  dst-port == 8888
  tcp-state established,originator
  event "P2P napster login"
  payload /.*\x00\x02\x00/
}

This is not the same as a classic bro policy. How can I use it to create my own policy?

Thanks
Paolo Tironi

2008/7/17 Paolo Tironi :

> Hi, I can't use snort2bro.
> I followed the wiki instructions (
> http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> but it says: snort2bro command not found.
> I know that it should already be installed with bro, but if I run "locate
> snort2bro", I can't find it.
>
> How can I use it?
>
> thanks
> Paolo Tironi
>

From adayadil.thomas at gmail.com Thu Jul 17 09:59:20 2008
From: adayadil.thomas at gmail.com (Adayadil Thomas)
Date: Thu, 17 Jul 2008 12:59:20 -0400
Subject: [Bro] Multiple interfaces

Greetings.

Can bro (running as a single process) read packets (monitor traffic) from multiple interfaces (say eth0 and eth1)?

Thanks

From mcuttler at bnl.gov Thu Jul 17 10:50:20 2008
From: mcuttler at bnl.gov (Cuttler, Matt)
Date: Thu, 17 Jul 2008 13:50:20 -0400
Subject: [Bro] Multiple interfaces

> Greetings.
>
> Can bro (running as a single process) read packets (monitor traffic) from multiple interfaces (say
> eth0 and eth1) ?

That's more of an OS thing than a Bro thing. Assuming linux, you could use the 'bonding' module ( http://www.linuxfoundation.org/en/Net:Bonding ). You would then tell bro to use this device as your capture interface.

It's not uncommon to need more than one interface to collect (i.e. a regen fibre tap).

-Matt Cuttler

From sullivan at cs.ucsb.edu Thu Jul 17 11:19:51 2008
From: sullivan at cs.ucsb.edu (Lorenzo Cavallaro)
Date: Thu, 17 Jul 2008 11:19:51 -0700
Subject: [Bro] Using snort2bro
In-Reply-To: <131b22480807170606y10f2f17agd1f40700fd278333@mail.gmail.com>
References: <131b22480807170337o14e1d85aof712bb26c9c866b5@mail.gmail.com> <131b22480807170606y10f2f17agd1f40700fd278333@mail.gmail.com>
Message-ID: <20080717181950.GA7801@galilei>

Hi Paolo,

On Thu, Jul 17, 2008 at 01:06:06PM +0000, Paolo Tironi wrote:
> signature 549-8 {
>   ip-proto == tcp
>   src-ip == local_nets
>   dst-ip != local_nets
>   dst-port == 8888
>   tcp-state established,originator
>   event "P2P napster login"
>   payload /.*\x00\x02\x00/
> }
>
> This is not equal to a classic bro policy.
> How can I use it to create my own policy?

You can write your own Bro policy script which defines a signature_match event handler for signatures to catch specifically this signature on your own (the signature_match event is triggered for every matching signature, but it receives a signature_state parameter which contains the id of the signature being matched. In your case it'd be 549-8).

Alternatively, just uncomment brolite-sigs (i.e., @load it) in your host file generated when Bro was installed (it's usually in site/.bro). I suggest you read brolite-sigs.bro as well, as you may also want to redefine signature_files to include your own signature file.

Also, take a look at http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures

bye,
Lorenzo

> 2008/7/17 Paolo Tironi :
>
> > Hi, I can't use snort2bro.
> > I followed the wiki instructions (
> > http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
> > but it says: snort2bro command not found.
> > I know that it has to be already installed with bro, but if I give "locate
> > snort2bro", I can't find it.
> >
> > How can I use it?
> >
> > thanks
> > Paolo Tironi
> >
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Lorenzo `Gigi Sullivan' Cavallaro
GPG key at http://security.dico.unimi.it/~sullivan/sullivan.asc

Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)

From hall.692 at osu.edu Thu Jul 17 11:30:48 2008
From: hall.692 at osu.edu (Seth Hall)
Date: Thu, 17 Jul 2008 14:30:48 -0400
Subject: [Bro] Multiple interfaces
In-Reply-To:
References:
Message-ID: <6F373306-D39D-406E-8E2F-46FE2AEC7932@osu.edu>

On Jul 17, 2008, at 12:59 PM, Adayadil Thomas wrote:
> Can bro (running as a single process) read packets (monitor traffic)
> from multiple interfaces (say eth0 and eth1)?

Besides the bonding technique that Matt mentioned, the bro binary accepts multiple "-i" flags for multiple interfaces.

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From uchekuru at gmail.com Wed Jul 23 15:06:08 2008
From: uchekuru at gmail.com (uday chekuri)
Date: Wed, 23 Jul 2008 18:06:08 -0400
Subject: [Bro] IGMP analyzer
In-Reply-To: <200807151444.m6FEiwmF024948@pork.ICSI.Berkeley.EDU>
References: <200807151444.m6FEiwmF024948@pork.ICSI.Berkeley.EDU>
Message-ID:

I have a trace file containing an attack related to bid 514.

"DOS IGMP dos attack sid 1:273:8 bid 514;" snort is showing up but the converted snort2bro rule

signature s2b-273-8 {
  header ip[9:1] == 2
  event "DOS IGMP dos attack sid 1:273:8 bid 514;"
  header ip[6:1] & 224 == 32
}

is not throwing any alerts. That's the reason why I asked.

Thanks,
UC

On 7/15/08, Vern Paxson wrote:
>
> > I am just wondering whether the IGMP analyzer is available in the new
> > version of bro 1.3.2???
>
> What IGMP analyzer are you referring to?
>
> Vern
>

From vern at icir.org Wed Jul 23 15:18:29 2008
From: vern at icir.org (Vern Paxson)
Date: Wed, 23 Jul 2008 15:18:29 -0700
Subject: [Bro] IGMP analyzer
In-Reply-To: (Wed, 23 Jul 2008 18:06:08 EDT).
Message-ID: <200807232218.m6NMIbsI010240@pork.ICSI.Berkeley.EDU>

> I have a trace file containing an attack related to bid 514.

Can you send it?

> snort is showing up but the converted snort2bro rule
> signature s2b-273-8 {
>   header ip[9:1] == 2
>   event "DOS IGMP dos attack sid 1:273:8 bid 514;"
>   header ip[6:1] & 224 == 32
> }

Note, we don't term this an IGMP *analyzer*, just an imported Snort rule. We don't support such rules other than in terms of fixing problems they exhibit that are due to Bro's underlying signature-matcher. (That is, we don't vouch for the Snort rules, nor try to clean them up, nor support the snort2bro translation utility.)

Vern

From sychan at lbl.gov Fri Jul 25 16:57:43 2008
From: sychan at lbl.gov (Stephen Chan)
Date: Fri, 25 Jul 2008 16:57:43 -0700
Subject: [Bro] "Meta" event handling?
Message-ID: <488A6877.5090607@lbl.gov>

From within an event handler, is there a generic way to find out the name of the event, and the names and types of the parameters that were passed to the event?

The reason I'm asking is that I'd like a generic way to encapsulate events and send them to a broccoli listener, which is only requesting the "wrapper" events. The client would then unwrap it, and then figure out what to do with it based on its local configuration (the particular thing I'd like to write is a broccoli listener that pushes events into a database).

Ideally, there would be some function such as "whatamI()" that returned some representation of the calling handler's name, and name value pairs that corresponded to the parameter names and values. This could then be the parameter for the wrapper event, which is sent out to the listener.

Has anyone tried to do this? A lot of the serialization stuff seems to exist already, so maybe the only new code would be something to peek under the hood of the call stack?

Steve

From robin at icir.org Mon Jul 28 12:47:38 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 28 Jul 2008 12:47:38 -0700
Subject: [Bro] "Meta" event handling?
In-Reply-To: <488A6877.5090607@lbl.gov>
References: <488A6877.5090607@lbl.gov>
Message-ID: <20080728194738.GF43768@icir.org>

On Fri, Jul 25, 2008 at 16:57 -0700, you wrote:
> From within an event handler, is there a generic way to find out the
> name of the event, and the names and types of the parameters that were
> passed to the event?

You're asking about the Bro side, right? No, there isn't, and if I understood correctly what you want to do I think it would be rather tricky to implement it as Bro generally doesn't have much support for such generic analysis at all. It relies almost completely on static type checking which makes such things difficult.

However, I'm not completely sure I got the idea of what you are trying to achieve. Would it be possible to do this all within another Broccoli client? Broccoli's interface provides you with most of the information you look for (event name, argument types (though not argument names)). Could you write a Broccoli app that does the wrapping?

Or asked differently, why can't you just send "normal" Bro events to your Broccoli listener? It could subscribe to everything[1] and then have generic event-handling code which does the necessary steps.

Robin

[1] Subscribing to everything is actually not possible at the moment but I have a patch which adds that for Broccoli-to-Broccoli connections and we could also implement it on the Bro side.

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From sychan at lbl.gov Mon Jul 28 13:50:14 2008
From: sychan at lbl.gov (Stephen Chan)
Date: Mon, 28 Jul 2008 13:50:14 -0700
Subject: [Bro] "Meta" event handling?
In-Reply-To: <20080728194738.GF43768@icir.org>
References: <488A6877.5090607@lbl.gov> <20080728194738.GF43768@icir.org>
Message-ID: <488E3106.4000605@lbl.gov>

Robin Sommer wrote:
> However, I'm not completely sure I got the idea of what you are
> trying to achieve. Would it be possible to do this all within
> another Broccoli client? Broccoli's interface provides you with most
> of the information you look for (event name, argument types (though
> not argument names)). Could you write a Broccoli app that does the
> wrapping?
>
> Or asked differently, why can't you just send "normal" Bro events to
> your Broccoli listener? It could subscribe to everything[1] and then
> have generic event-handling code which does the necessary steps.
>

This is actually what I originally hoped to do, but there seemed to be a stumbling block with Bro not forwarding events, so I was curious about the option of playing with things on the Bro side.

Is there any sample code that shows how you would setup a generic handler that has access to the event name and argument count/types?

Steve

> Robin
>
> [1] Subscribing to everything is actually not possible at the moment
> but I have a patch which adds that for Broccoli-to-Broccoli
> connections and we could also implement it on the Bro side.
>
>

From robin at icir.org Mon Jul 28 15:00:28 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 28 Jul 2008 15:00:28 -0700
Subject: [Bro] "Meta" event handling?
In-Reply-To: <488E3106.4000605@lbl.gov>
References: <488A6877.5090607@lbl.gov> <20080728194738.GF43768@icir.org> <488E3106.4000605@lbl.gov>
Message-ID: <20080728220028.GA69354@icir.org>

On Mon, Jul 28, 2008 at 13:50 -0700, Stephen Chan wrote:
> Is there any sample code that shows how you would setup a generic
> handler that has access to the event name and argument count/types?

Yes, have a look at bro_pong_compact() in broccoli/test/broping.c

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From vern at icir.org Thu Jul 31 23:19:12 2008
From: vern at icir.org (Vern Paxson)
Date: Thu, 31 Jul 2008 23:19:12 -0700
Subject: [Bro] Bro 1.4 pre-release
Message-ID: <200808010619.m716JHId001843@pork.ICSI.Berkeley.EDU>

We are just about ready to release Bro version 1.4. Prior to doing so, we'd like to have some folks volunteer to try out a pre-release to catch any lingering problems. If you're interested in doing so, reply privately to me *and Robin Sommer (cc'd)* and we'll point you at the distribution.

Vern

(Note, I'm out of the office for several weeks, with limited email access, which is why you should be sure to include Robin.)
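Added example for the "Using snort2bro" thread earlier in this archive (Paolo Tironi's converted signature 549-8 and Lorenzo Cavallaro's reply): a Bro 1.x policy script that loads the snort2bro output as a signature file and handles signature_match for just that id. This is not code from any poster or from the Bro distribution; it assumes Bro 1.x script syntax, that the snort2bro output was saved as napster.sig (a constructed name), and that signature_files is a whitespace-separated string (if your build differs, pass the file with "bro -s napster.sig" instead).

```bro
# Added example (not from the thread or the Bro distribution): act on the
# snort2bro-generated signature 549-8 from a Bro 1.x policy script.
# Assumptions: Bro 1.x syntax; the snort2bro output was saved to napster.sig
# (constructed name); signature_files is a whitespace-separated string.

@load signatures        # generic signature_match handling, SensitiveSignature

# Load the converted rules in addition to any file given with -s on the
# command line. The leading space keeps it separate from earlier entries.
redef signature_files += " napster.sig";

# A notice type of our own, so this hit can be filtered apart from the
# generic SensitiveSignature notices raised for every other signature.
redef enum Notice += { Napster_Login };

event signature_match(state: signature_state, msg: string, data: string)
	{
	# signature_match fires for every signature that matches; the id that
	# snort2bro assigned ("549-8", from the thread) arrives in state$id.
	if ( state$id != "549-8" )
		return;

	local c = state$conn;
	# Which side of the connection carried the matching payload.
	local side = state$is_orig ? "originator" : "responder";

	NOTICE([$note=Napster_Login, $conn=c,
		$msg=fmt("%s: %s -> %s:%s matched in %s payload (%d bytes)",
			 msg, c$id$orig_h, c$id$resp_h, c$id$resp_p,
			 side, state$payload_size)]);
	}
```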