From gspathoulas at gmail.com Wed Jun 4 09:24:29 2008 
From: gspathoulas at gmail.com (Georgios Spathoulas)
Date: Wed, 04 Jun 2008 19:24:29 +0300
Subject: [Bro] Bro and Darpa dataset problems
Message-ID: <4846C1BD.10905@gmail.com>

Hello to all,

I am trying to run Bro on the 1999 Darpa dataset in order to get results and use them in my PhD research. I am using Bro 1.2.1 on an Ubuntu 7.10 machine. I have installed Bro and try to run it through the command:

    /usr/local/bro/bin/bro -r outside.tcpdump brolite

where outside.tcpdump is the file containing the Darpa dataset.

If I use the default Bro 1.2.1 source code I get the known errors (error compiling pattern) at runtime and I get the following results: for 5 days of data (2nd week of Darpa) I get 26318 alerts, which are mainly *HTTP_SensitiveURI* and a small percentage (2-3%) are *SensitiveLogin*.

If I use the Bro 1.2.1 source code after I have removed the 6 files from the source code (http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22) I do not get any errors, but I get the following results: for 5 days of data (2nd week of Darpa) I get only 16 alerts, which are:

t=920936697.501194 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.112.194 sp=2285/tcp da=135.8.60.182 dp=23/tcp msg=hot:\ 172.16.112.194\ 3741b\ >\ 135.8.60.182/telnet\ 30476b\ 10097.6s\ "lucyj"\ \ @1 tag=@1
t=921119665.164879 no=SensitiveLogin na=NOTICE_ALARM_ALWAYS sa=172.16.113.204 sp=8259/tcp da=195.115.218.108 dp=23/tcp user=roderica msg=172.16.113.204/8259\ >\ 195.115.218.108/telnet\ output\ "^L\\x1b[24;1H"bt.c"\ 6\ lines,\ 76\ characters\\x1b[4;9Hi\ =\ (float\ *)\ malloc\ (300);\\x1b[5;9Hprintf("Jumping\ to\ address:\ ha\ ha\ ha\\n");\\x1b[7;1H~" tag=@10
t=921120857.604970 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.113.204 sp=8259/tcp da=195.115.218.108 dp=23/tcp msg=hot:\ 172.16.113.204\ 5330b\ >\ 195.115.218.108/telnet\ 32971b\ 18149.6s\ "roderica"\ \ @10 tag=@10
t=921149967.471687 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=204.97.153.43 num=0 msg=204.97.153.43\ scanned\ a\ total\ of\ 0\ hosts
t=921191119.811940 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.113.84 sp=5061/tcp da=195.73.151.50 dp=23/tcp msg=hot:\ 172.16.113.84\ 2777b\ >\ 195.73.151.50/telnet\ 24910b\ 9230.2s\ fail/reynaldv\ "reynaldv"\ \ @10 tag=@10
t=921197787.382379 no=FTP_Sensitive na=NOTICE_ALARM_ALWAYS sa=194.7.248.153 sp=1112/tcp da=172.16.112.50 dp=21/tcp user=anonymous num=250 msg=ftp:\ 194.7.248.153/1112\ >\ 172.16.112.50/ftp\ #93\ RNTO\ .rhosts\ (ok)
t=921236083.657840 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=207.103.80.104 num=0 msg=207.103.80.104\ scanned\ a\ total\ of\ 0\ hosts
t=921236083.657840 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=209.117.157.183 num=0 msg=209.117.157.183\ scanned\ a\ total\ of\ 0\ hosts
t=921236083.657840 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.114.168 sp=22889/tcp da=197.182.91.233 dp=23/tcp msg=hot:\ 172.16.114.168\ 6003b\ >\ 197.182.91.233/telnet\ 57126b\ 14024.9s\ "kiaraa"\ \ @8 tag=@8
t=921276791.470544 no=AddressDropped na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=1029/tcp da=172.16.112.50 dp=5/tcp msg=low\ port\ trolling\ 209.167.99.71\ 5/tcp tag=@8
t=921276801.859385 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=2106/tcp da=172.16.112.50 dp=78/tcp msg=209.167.99.71\ has\ scanned\ 50\ ports\ of\ 172.16.112.50 tag=@9
t=921276831.072201 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=4219/tcp da=172.16.112.50 dp=284/tcp msg=209.167.99.71\ has\ scanned\ 250\ ports\ of\ 172.16.112.50 tag=@10
t=921276938.172329 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=12443/tcp da=172.16.112.50 dp=1042/tcp msg=209.167.99.71\ has\ scanned\ 1000\ ports\ of\ 172.16.112.50 tag=@11
t=921322768.174245 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=204.97.153.43 num=0 msg=204.97.153.43\ scanned\ a\ total\ of\ 0\ hosts
t=921322768.174245 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 num=0 msg=209.167.99.71\ scanned\ a\ total\ of\ 0\ hosts
t=921322768.174245 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.114.207 sp=10102/tcp da=196.37.75.158 dp=23/tcp msg=hot:\ 172.16.114.207\ 4060b\ >\ 196.37.75.158/telnet\ 25337b\ 12792.4s\ "selmam"\ \ @6 tag=@6

I guess I am missing something. For the same data Snort produces 15000 alerts....

If somebody has a clue what's going wrong or has successfully run Bro on the Darpa dataset, please help me.

Giorgos
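Comparing runs like the two above starts with counting what each produced. The following is an added example, not code from the original post or from Bro, that parses the Bro 1.x notice format quoted above (whitespace-separated key=value tokens, with spaces inside a value escaped by a backslash) and tallies notices by type and source address. The six sample lines are copied from the message above; the actionable() filter that drops zero-host ScanSummary notices is my own assumption about what is worth counting.

```python
r"""Parse Bro 1.x notice lines and summarise them.

Added example (not from the original post or the Bro project). It assumes
the notice format shown in the message above: whitespace-separated key=value
tokens, with a space inside a value escaped as "\ " and a literal backslash
as "\\".
"""
from collections import Counter
from datetime import datetime, timezone

# Sample input: six of the sixteen notices quoted in the message above
# (a subset copied from the post, not a full run).
SAMPLE_NOTICES = r"""
t=920936697.501194 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.112.194 sp=2285/tcp da=135.8.60.182 dp=23/tcp msg=hot:\ 172.16.112.194\ 3741b\ >\ 135.8.60.182/telnet\ 30476b\ 10097.6s\ "lucyj"\ \ @1 tag=@1
t=921149967.471687 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=204.97.153.43 num=0 msg=204.97.153.43\ scanned\ a\ total\ of\ 0\ hosts
t=921197787.382379 no=FTP_Sensitive na=NOTICE_ALARM_ALWAYS sa=194.7.248.153 sp=1112/tcp da=172.16.112.50 dp=21/tcp user=anonymous num=250 msg=ftp:\ 194.7.248.153/1112\ >\ 172.16.112.50/ftp\ #93\ RNTO\ .rhosts\ (ok)
t=921276791.470544 no=AddressDropped na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=1029/tcp da=172.16.112.50 dp=5/tcp msg=low\ port\ trolling\ 209.167.99.71\ 5/tcp tag=@8
t=921276801.859385 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=2106/tcp da=172.16.112.50 dp=78/tcp msg=209.167.99.71\ has\ scanned\ 50\ ports\ of\ 172.16.112.50 tag=@9
t=921276831.072201 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=4219/tcp da=172.16.112.50 dp=284/tcp msg=209.167.99.71\ has\ scanned\ 250\ ports\ of\ 172.16.112.50 tag=@10
"""


def split_escaped(line):
    """Split on unescaped whitespace; a backslash escapes the following char."""
    tokens, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in " \t":
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if escaped:
        cur.append("\\")  # a trailing lone backslash is kept literally
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_notice(line):
    """Turn one notice line into a dict; tokens without '=' are ignored.

    Only the first '=' splits key from value, so a message such as
    'i = (float *) malloc' in the SensitiveLogin notice survives intact.
    """
    fields = {}
    for tok in split_escaped(line):
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_notices(text):
    """Parse every non-blank line of a notice dump."""
    return [parse_notice(ln) for ln in text.splitlines() if ln.strip()]


def summarise(notices):
    """Count notices by type ("no") and by source address ("sa")."""
    by_type = Counter(n.get("no", "?") for n in notices)
    by_src = Counter(n.get("sa", "?") for n in notices)
    return by_type, by_src


def actionable(notices):
    """Drop ScanSummary notices that report 0 hosts: they carry no finding."""
    return [n for n in notices
            if not (n.get("no") == "ScanSummary" and n.get("num") == "0")]


def time_span(notices):
    """Return (first, last) notice timestamps as ISO 8601 UTC strings."""
    def to_iso(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    ts = sorted(float(n["t"]) for n in notices if "t" in n)
    return to_iso(ts[0]), to_iso(ts[-1])


if __name__ == "__main__":
    notices = parse_notices(SAMPLE_NOTICES)
    by_type, by_src = summarise(notices)
    print("notices:", len(notices), "actionable:", len(actionable(notices)))
    print("by type:", dict(by_type))
    print("by source:", dict(by_src))
    print("span:", time_span(notices))
```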
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 04 Jun 2008 20:11:33 -0400
Subject: [Bro] Ignore Weird Events???
Message-ID: <48472F35.1000506@netragard.com>

Greetings List,

We are currently testing bro and have read the documentation. So far everything looks pretty good, very interesting technology to say the least. One question though. Why isn't this working?

# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.

@load site

redef notice_action_filters += {
    WeirdActivity = ignore_notice,
};

redef local_nets: set[subnet] = {
    # example of a class C network
    192.168.1.0/24,
    # example of a class B network
    172.16.15.0/24
};

Which results in the following Error:

zerosum# ../scripts/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/zerosum.testme.com.bro, line 11: error: unknown identifier WeirdActivity, at or near "WeirdActivity"
... FAILED
zerosum#

Did we miss something?

-- 
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
From: vern at icir.org (Vern Paxson)
Date: Wed, 04 Jun 2008 17:30:54 -0700
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <48472F35.1000506@netragard.com> (Wed, 04 Jun 2008 20:11:33 EDT).
Message-ID: <200806050030.m550UvBQ015401@pork.ICSI.Berkeley.EDU>

You need two tweaks to your script, per the appended diff.

Note, in general you'd add definitions like yours to local.lite.bro rather than local.site.bro. Putting them in the latter risks introducing dependency circularities (such as due to the new "@load weird").

		Vern

--- orig.bro	2008-06-04 17:28:17.000000000 -0700
+++ modified.bro	2008-06-04 17:28:11.000000000 -0700
@@ -6,9 +6,10 @@
 # this file, telling bro what your local networks are.
 
 @load site
+ at load weird
 
 redef notice_action_filters += {
- WeirdActivity = ignore_notice,
+ [Weird::WeirdActivity] = ignore_notice,
 };
 
 redef local_nets: set[subnet] = {
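Review bot: the new key [Weird::WeirdActivity] only resolves on a Bro whose weird.bro is wrapped in the Weird namespace; the reporter's ports-installed Bro rejects it with "unknown identifier Weird::WeirdActivity" (see the follow-up in this thread), so the diff should say which Bro version it targets or note that older releases take the unscoped WeirdActivity together with "@load weird". The added line shows as "+ at load weird" in the archive because the list software rewrote the @ sign; the intended line is "@load weird", as the reporter's later file listing confirms.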
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 04 Jun 2008 20:59:58 -0400
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <200806050030.m550UvBQ015401@pork.ICSI.Berkeley.EDU>
References: <200806050030.m550UvBQ015401@pork.ICSI.Berkeley.EDU>
Message-ID: <48473A8E.3070002@netragard.com>

I do not have a local.lite.bro file, where's it at?

Regards,
Adriel T. Desautels

Vern Paxson wrote:
> You need two tweaks to your script, per the appended diff.
>
> Note, in general you'd add definitions like yours to local.lite.bro rather
> than local.site.bro. Putting them in the latter risks introducing dependency
> circularities (such as due to the new "@load weird").
>
> Vern
>
>
> --- orig.bro 2008-06-04 17:28:17.000000000 -0700
> +++ modified.bro 2008-06-04 17:28:11.000000000 -0700
> @@ -6,9 +6,10 @@
> # this file, telling bro what your local networks are.
>
> @load site
> + at load weird
>
> redef notice_action_filters += {
> - WeirdActivity = ignore_notice,
> + [Weird::WeirdActivity] = ignore_notice,
> };
>
> redef local_nets: set[subnet] = {
From: vern at icir.org (Vern Paxson)
Date: Wed, 04 Jun 2008 18:02:47 -0700
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <48473A8E.3070002@netragard.com> (Wed, 04 Jun 2008 20:59:58 EDT).
Message-ID: <200806050102.m5512nru015745@pork.ICSI.Berkeley.EDU>

> I do not have a local.lite.bro file, where's it at?

If you don't, then presumably you're not editing local.site.bro, and my original concern doesn't matter.

		Vern
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 04 Jun 2008 21:23:08 -0400
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <200806050102.m5512nru015745@pork.ICSI.Berkeley.EDU>
References: <200806050102.m5512nru015745@pork.ICSI.Berkeley.EDU>
Message-ID: <48473FFC.9000007@netragard.com>

Understood (I think). I'll give your edits a shot. Thank you for your help in advance.

Also, any chance I can get my hands on the spinning cube code?

Regards,
Adriel T. Desautels

Vern Paxson wrote:
>> I do not have a local.lite.bro file, where's it at?
>
> If you don't, then presumably you're not editing local.site.bro, and
> my original concern doesn't matter.
>
> Vern
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 04 Jun 2008 21:27:55 -0400
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <200806050102.m5512nru015745@pork.ICSI.Berkeley.EDU>
References: <200806050102.m5512nru015745@pork.ICSI.Berkeley.EDU>
Message-ID: <4847411B.5080202@netragard.com>

Curious, same problem:

Attempt to execute.

zerosum# /usr/local/bro/scripts/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/zerosum.netragard.com.bro, line 12: error: unknown identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"
... FAILED
zerosum#

CWD: /usr/local/bro/site/zerosum.netragard.com.bro

FreeBSD zerosum.netragard.com 6.2-RELEASE-p5 FreeBSD 6.2-RELEASE-p5 #1: Thu Jul 12 12:10:58 EDT 2007 root at zerosum.netragard.com:/usr/obj/usr/src/sys/ZEROSUM i386

zerosum# more zerosum.netragard.com.bro
# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.

@load site
@load weird

redef notice_action_filters += {
    [Weird::WeirdActivity] = ignore_notice,
};

redef local_nets: set[subnet] = {
    # example of a class C network
    192.168.1.0/24,
    # example of a class B network
    172.16.15.0/24
};
zerosum#

Regards,
Adriel T. Desautels

Vern Paxson wrote:
>> I do not have a local.lite.bro file, where's it at?
>
> If you don't, then presumably you're not editing local.site.bro, and
> my original concern doesn't matter.
>
> Vern

From: vern at icir.org (Vern Paxson)
Date: Wed, 04 Jun 2008 18:50:07 -0700
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <4847411B.5080202@netragard.com> (Wed, 04 Jun 2008 21:27:55 EDT).
Message-ID: <200806050150.m551oAmg016230@pork.ICSI.Berkeley.EDU>

> identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"

You're then presumably using an older version of Bro that doesn't use scoping for weird.bro. Try dropping "Weird::".

		Vern
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 04 Jun 2008 21:53:34 -0400
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <200806050150.m551oAmg016230@pork.ICSI.Berkeley.EDU>
References: <200806050150.m551oAmg016230@pork.ICSI.Berkeley.EDU>
Message-ID: <4847471E.3070005@netragard.com>

The version of bro that I installed was installed by the ports. I am trying the latest stable version that's available from your site now. It would be interesting to see how well this works.

Also, any news on how to get the code for the spinning cube of potential doom for Bro Visualization?

Regards,
Adriel T. Desautels

Vern Paxson wrote:
>> identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"
>
> You're then presumably using an older version of Bro that doesn't use
> scoping for weird.bro. Try dropping "Weird::".
>
> Vern
From: vern at icir.org (Vern Paxson)
Date: Wed, 04 Jun 2008 18:57:12 -0700
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <4847471E.3070005@netragard.com> (Wed, 04 Jun 2008 21:53:34 EDT).
Message-ID: <200806050157.m551vF81016330@pork.ICSI.Berkeley.EDU>

> Also, any news on how to get the code for the spinning cube of potential
> doom for Bro Visualization?

This is not part of the Bro distribution. The authors of it read the Bro list, however, and might answer about it.

		Vern

From: hall.692 at osu.edu (Seth Hall)
Date: Wed, 4 Jun 2008 22:34:59 -0400
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <4847471E.3070005@netragard.com>
References: <200806050150.m551oAmg016230@pork.ICSI.Berkeley.EDU> <4847471E.3070005@netragard.com>
Message-ID:

On Jun 4, 2008, at 9:53 PM, Adriel Desautels wrote:
> Also, any news on how to get the code for the spinning cube of
> potential doom for Bro Visualization?

As far as I know, that code was never publicly released. We've used doomcube for the same effect though..

http://www.kismetwireless.net/doomcube/

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
From: scampbell at lbl.gov (scott campbell)
Date: Wed, 04 Jun 2008 20:18:21 -0700
Subject: [Bro] Ignore Weird Events???
In-Reply-To: <4847471E.3070005@netragard.com>
References: <200806050150.m551oAmg016230@pork.ICSI.Berkeley.EDU> <4847471E.3070005@netragard.com>
Message-ID: <48475AFD.50008@lbl.gov>

The original code was (to the best of my knowledge) never actually released. Someone else found it useful enough to port to GPL.

see: http://www.kismetwireless.net/doomcube/

scott

Adriel Desautels wrote:
| The version of bro that I installed was installed by the ports. I am
| trying the latest stable version that's available from your site now. It
| would be interesting to see how well this works.
|
| Also, any news on how to get the code for the spinning cube of potential
| doom for Bro Visualization?
|
| Regards,
| Adriel T. Desautels
|
| Vern Paxson wrote:
|>> identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"
|>
|> You're then presumably using an older version of Bro that doesn't use
|> scoping for weird.bro. Try dropping "Weird::".
|>
|> Vern
|
| _______________________________________________
| Bro mailing list
| bro at bro-ids.org
| http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From: geek00l at gmail.com (CS Lee)
Date: Thu, 5 Jun 2008 22:39:15 +0800
Subject: [Bro] spinning cube
Message-ID: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com>

hi adriel,

You may be interested in this too -

http://www.cs.ru.ac.za/research/g02v2468/inetvis.html

Cheers ;]

-- 
Best Regards,
CS Lee
http://geek00l.blogspot.com
From: stephen.lau at ucsf.edu (Stephen Lau)
Date: Thu, 05 Jun 2008 10:38:37 -0700
Subject: [Bro] spinning cube
In-Reply-To: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com>
References: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com>
Message-ID: <4848249D.90509@ucsf.edu>

CS Lee wrote:
| hi adriel,
|
| You may be interested in this too -
|
| http://www.cs.ru.ac.za/research/g02v2468/inetvis.html
|
| Cheers ;]

The original Cube is here:

http://www.nersc.gov/nusers/security/TheSpinningCube.php

and uses Bro.

Steve

-- 
+---------------------------------------------------------------------
Stephen Lau - Stephen.Lau at ucsf.edu
Information Security Policy and Program Manager
University of California, San Francisco
1855 Folsom, Suite 602, Box 0707, San Francisco, CA 94143
+1(415) 476-3106 (Work) +1(415) 476-1717 (Fax)
PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B
+---------------------------------------------------------------------
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Thu, 5 Jun 2008 20:16:38 -0400
Subject: [Bro] spinning cube
In-Reply-To: <4848249D.90509@ucsf.edu>
References: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com> <4848249D.90509@ucsf.edu>
Message-ID: <20080605201638.2960ae8e@mygw.didconcept.com>

Hello everybody,

I'm sure I'm missing something, but on this page it's said "Code is currently not available"... :-)

With regards,

Jean-Philippe.

On Thu, 05 Jun 2008 10:38:37 -0700
"Stephen Lau" wrote:

> The original Cube is here:
>
> http://www.nersc.gov/nusers/security/TheSpinningCube.php
>
> and uses Bro.
>
> Steve

From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Thu, 5 Jun 2008 20:28:32 -0400
Subject: [Bro] spinning cube
In-Reply-To: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com>
References: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com>
Message-ID: <20080605202832.03ab2eb4@mygw.didconcept.com>

Hello,

You're right, according to the web page, they used the concept Stephen has developed:

    InetVis is a 3-D scatter-plot visualization for network traffic. In a way, it's more or less like a media player, but for network traffic. It's quite handy for observing scan activity and other anomalous traffic patterns. The 3-D scatter-plot concept is adopted from Stephen Lau's Spinning Cube of Potential Doom.

Just to mention two things for people interested in security data visualization (a thing often ignored in the field of safety):

1) http://www.vizsec.org
2) a good book from Greg Conti: "Security Data Visualization"

With regards,

Jean-Philippe.
From: stephen.lau at ucsf.edu (Stephen Lau)
Date: Thu, 05 Jun 2008 17:44:10 -0700
Subject: [Bro] spinning cube
In-Reply-To: <20080605201638.2960ae8e@mygw.didconcept.com>
References: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com> <4848249D.90509@ucsf.edu> <20080605201638.2960ae8e@mygw.didconcept.com>
Message-ID: <4848885A.3080900@ucsf.edu>

jean-philippe luiggi wrote:
| Hello everybody,
|
| I'm sure i'm missing something but on this page it's said " Code is
| currently not available"... :-)

You have to ask real nice. :-)

Steve
From: stephen.lau at ucsf.edu (Stephen Lau)
Date: Thu, 05 Jun 2008 18:02:37 -0700
Subject: [Bro] spinning cube
In-Reply-To: <4848885A.3080900@ucsf.edu>
References: <1bb5dd90806050739k6fe76a4ds83979cbd521d694d@mail.gmail.com> <4848249D.90509@ucsf.edu> <20080605201638.2960ae8e@mygw.didconcept.com> <4848885A.3080900@ucsf.edu>
Message-ID: <48488CAD.5050007@ucsf.edu>

Stephen Lau wrote:
| jean-philippe luiggi wrote:
| | Hello everybody,
| |
| | I'm sure i'm missing something but on this page it's said " Code is
| | currently not available"... :-)
|
| You have to ask real nice. :-)
|
| Steve

Seriously though, I wrote it while I was at LBNL. It's owned by the Regents of the University of California. My attempts to release the source code got caught up in legality since there had been pictures of it in ACM (read: they didn't want someone else to start making money off it). I essentially dropped pursuing public release of the code.

It's somewhat silly because the code itself isn't that complex. For bro, I have a reader that parses conn files and plots them via OpenGL in three d. There are other cubes out there that do similar things.

By the way, I also have a little app I wrote that is a companion piece to the Cube. Give it a series of images and a network address space and it'll perform a scan that will show up as a little animated movie inside the Cube if the Cube is displaying that segment of the network. Of course the resolution is a little limited and you risk lighting up all sorts of alarms with it. I attached an image of it... I call it "The Evil Otto of Doom".

Steve
From: gregory.edigarov at gmail.com (Gregory Edigarov)
Date: Sun, 8 Jun 2008 19:11:56 +0300
Subject: [Bro] Error while trying to compile Bro
Message-ID: <7ac8a60b0806080911t715e86b2o6da9a36de37b9fc0@mail.gmail.com>

Hello,

I am trying to get bro working on my system:

$ uname -a
OpenBSD edigarov.sa.net.ua 4.3 GENERIC#0 amd64
$

I am getting the following error. As Bro is written in C++, and I am not a specialist in this language (I am a C guy, after all), I am asking you to help:

gmake[4]: Entering directory `/usr/home/greg/bro-1.2.1/src'
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -MT TCP_Rewriter.o -MD -MP -MF ".deps/TCP_Rewriter.Tpo" -c -o TCP_Rewriter.o TCP_Rewriter.cc; \
then mv -f ".deps/TCP_Rewriter.Tpo" ".deps/TCP_Rewriter.Po"; else rm -f ".deps/TCP_Rewriter.Tpo"; exit 1; fi
TCP_Rewriter.cc: In member function `int TCP_TracePacket::Finish(pcap_pkthdr*&, const u_char*&, int&, unsigned int, unsigned int)':
TCP_Rewriter.cc:328: error: no match for 'operator=' in 'this->TCP_TracePacket::pcap_hdr.pcap_pkthdr::ts = double_to_timeval(double)()'
/usr/include/net/bpf.h:129: error: candidates are: bpf_timeval& bpf_timeval::operator=(const bpf_timeval&)
gmake[4]: *** [TCP_Rewriter.o] Error 1
gmake[4]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[3]: *** [all-recursive] Error 1
gmake[3]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/home/greg/bro-1.2.1'
gmake: *** [all] Error 2

Thanks a lot in advance.

-- 
With best regards,
Gregory Edigarov
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Sun, 8 Jun 2008 18:28:37 -0400
Subject: [Bro] Error while trying to compile Bro
In-Reply-To: <7ac8a60b0806080911t715e86b2o6da9a36de37b9fc0@mail.gmail.com>
References: <7ac8a60b0806080911t715e86b2o6da9a36de37b9fc0@mail.gmail.com>
Message-ID: <20080608182837.42ac75f1@mygw.didconcept.com>

Hello everybody,

I can't remember if I compiled Bro 1.2.1 directly (aka without tweaks) on OpenBSD (I'm sure it was not 4.3), but speaking of the last release of Bro (1.3.2), it works perfectly on the last release of "puffy".

May I suggest you switch to/use 1.3.2, because the following line reminds me of the problems I ran into.

> /usr/include/net/bpf.h:129: error: candidates are: bpf_timeval&
> bpf_timeval::operator=(const bpf_timeval&)

With regards,

Jean-Philippe.

On Sun, 8 Jun 2008 19:11:56 +0300
"Gregory Edigarov" wrote:

> Hello,
>
> I am trying to get bro working on my system:
> $ uname -a
> OpenBSD edigarov.sa.net.ua 4.3 GENERIC#0 amd64
> $
>
> I am getting the following error.
> As Bro is written in C++, and I am not a speciallist in this language
> (I am a C guy, after all) I am asking you to help:
>
> gmake[4]: Entering directory `/usr/home/greg/bro-1.2.1/src'
> if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src
> -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -MT
> TCP_Rewriter.o -MD -MP -MF ".deps/TCP_Rewriter.Tpo" -c -o
> TCP_Rewriter.o TCP_Rewriter.cc; \ then mv -f ".deps/TCP_Rewriter.Tpo"
> ".deps/TCP_Rewriter.Po"; else rm -f ".deps/TCP_Rewriter.Tpo"; exit 1;
> fi TCP_Rewriter.cc: In member function `int
> TCP_TracePacket::Finish(pcap_pkthdr*&,
> const u_char*&, int&, unsigned int, unsigned int)':
> TCP_Rewriter.cc:328: error: no match for 'operator=' in '
> this->TCP_TracePacket::pcap_hdr.pcap_pkthdr::ts =
> double_to_timeval(double)()'
> /usr/include/net/bpf.h:129: error: candidates are: bpf_timeval&
> bpf_timeval::operator=(const bpf_timeval&)
> gmake[4]: *** [TCP_Rewriter.o] Error 1
> gmake[4]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
> gmake[3]: *** [all-recursive] Error 1
> gmake[3]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
> gmake[1]: *** [all-recursive] Error 1
> gmake[1]: Leaving directory `/usr/home/greg/bro-1.2.1'
> gmake: *** [all] Error 2
>
> Thanks a lot in advance.
>
> --
> With best regards,
> Gregory Edigarov
From: uchekuru at gmail.com (uday chekuri)
Date: Wed, 18 Jun 2008 14:42:10 -0400
Subject: [Bro] error with local nets definition
Message-ID:

Hi,

I am trying to run offline analysis using bro on pcap files.

I created local.bro as

redef local_nets: set[subnet] = {
    a.b.c.d/24,
};

@load brolite
@load brolite-sigs

Then I am trying to use

bro -r trace1.tcpdump local.bro

but it is giving me errors like this

/usr/local/bro//policy/local.bro, line 1 (local_nets): error, "redef" used but not previously defined

What can I do to overcome this error?

Thanks in advance.

--uday
From: uchekuru at gmail.com (uday chekuri)
Date: Wed, 18 Jun 2008 15:41:30 -0400
Subject: [Bro] solved with local net but more run time compilation errors

Hi,

I don't know why, but giving tcp before local in the command is not giving the redef error. I used

bro -r trace1.tcpdump tcp local

Then I again edited local.bro, adding 2 more lines:

redef local_nets: set[subnet] = {
a.b.c.d/24,
};

@load brolite
@load brolite-sigs

I tried the same command but it is giving more run time compilation errors:

964800422.648548 run-time error: error compiling pattern
/usr/local/bro//policy/worm.bro, line 23: run-time error: error compiling pattern /^?.*(\.id[aq]\?.*XXXXXXXXXXXXX)/
/usr/local/bro//policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)
/usr/local/bro//policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro//policy/irc.bro, line 60: run-time error: error compiling pattern
/usr/local/bro//policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/

and in the same way ftp, portmapper, hot-ids, http-request.bro too....

To solve the run time compilation errors I saw in the wiki to delete a few files and build again with make, but no luck... Please help to resolve this issue.

Thanks
--uday

From jmellander at lbl.gov Wed Jun 18 13:12:59 2008
From: jmellander at lbl.gov (Jim Mellander)
Date: Wed, 18 Jun 2008 13:12:59 -0700
Subject: [Bro] error with local nets definition
Message-ID: <48596C4B.6090002@lbl.gov>

Try putting the redef after the @load commands - it needs to be defined in the @load'ed scripts before it can be redef'd.

Hope this helps.

uday chekuri wrote:
> Hi,
>
> I am trying to run offline analysis using bro on pcap files.
>
> I created local.bro as
>
> redef local_nets: set[subnet] = {
> a.b.c.d/24,
> };
>
> @load brolite
> @load brolite-sigs
>
> Then I am trying to use
>
> bro -r trace1.tcpdump local.bro
>
> but giving me errors like this
>
> /usr/local/bro//policy/local.bro, line 1 (local_nets): error, "redef"
> used but not previously defined
>
> What can I do to overcome this error.
>
> Thanks in advance.
>
> --uday

--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:
Please move your Z06 - its blocking turn 4.

From greglindon at gmail.com Fri Jun 20 06:43:29 2008
From: greglindon at gmail.com (Greg Lindon)
Date: Fri, 20 Jun 2008 09:43:29 -0400
Subject: [Bro] Debugging and non-interactive install
Message-ID: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com>

Hi Guys,

I've been playing with Bro (1.3.2 dev release) on and off for a few weeks now. I like the idea of the product, the code looks good, and the scripting language quite powerful. Having said that I'm having a few problems.

1. I need a non-interactive install of Bro. I want to roll it out to a number of red-hat-based sensors, so the usual process that requires human interaction is not feasible/maintainable. My usual approach with other software on the sensors is to create an rpm with a default install and then check the box/network specific configuration out of svn over the top of the defaults. The two-stage install (make install, make install-brolite) makes this a bit complicated. I tried separating out the parts of the install that need to be run on the target system and putting them in the rpm post install (creating bro user, checking kernel params). This involved chopping parts out of the makefile, running the perl scripts in the post, and disabling the prompts by accepting defaults in brolite. Unfortunately I never got all this to work properly. I'm hoping that someone who understands the installation process better than me can either create an rpm or an install-non-interactive Makefile target that drops a default install on the box :) Happy to accept any other suggestions too.

2. I'm having some trouble debugging a simple policy file (I'd include it, but it's on another network). I basically want to redefine some of the clear-passwords methods to reduce log noise by checking if this is a password we already know about, and to ignore IRC JOINs with no password.

When I run:

bro -d -r test.pcap brolite local.clear-passwords
or
bro -d -r test.pcap local.clear-passwords

it never drops into the debugger (and if you Ctrl-C it dies). But if I run

bro -d -r test.pcap brolite

it drops into the debugger fine. Help? My clear-passwords has the same load statements as the distributed version. Do I need something special to cause the debugger to break?

I'm at the stage where bro isn't giving me any errors about the policy but it is not producing any output, at all, for any policy. Any hints?

Thanks,
Greg

From greglindon at gmail.com Fri Jun 20 07:37:55 2008
From: greglindon at gmail.com (Greg Lindon)
Date: Fri, 20 Jun 2008 10:37:55 -0400
Subject: [Bro] Debugging and non-interactive install
In-Reply-To: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com>
References: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com>
Message-ID: <1068dd500806200737h453ae11cq3694a8aa95e60ab3@mail.gmail.com>

From robin at icir.org Fri Jun 20 08:49:10 2008
From: robin at icir.org (Robin Sommer)
Date: Fri, 20 Jun 2008 08:49:10 -0700
Subject: [Bro] Debugging and non-interactive install
In-Reply-To: <1068dd500806200737h453ae11cq3694a8aa95e60ab3@mail.gmail.com>
References: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com> <1068dd500806200737h453ae11cq3694a8aa95e60ab3@mail.gmail.com>
Message-ID: <20080620154910.GB22925@icir.org>

On Fri, Jun 20, 2008 at 10:37 -0400, Greg Lindon wrote:

> 1. I need a non-interactive install of Bro. I want to roll it out to a

I actually can't say much about the BroLite install (not very familiar with the details of that), except that it's indeed not really intended for non-interactive usage. Our plan is to replace the current install process, as well as the whole BroLite framework, with something based on the Bro Cluster setup. There's already a prototype of this new scheme, see

http://blog.icir.org/2008/04/interactive-shell-for-operating-bro.html

Note that while the Blog posting talks about an "interactive shell", the installation is actually non-interactive and the result should work well with an rpm-plus-svn scheme as you sketch (I believe; if not we should fix that). So, perhaps you could give this a try? Any feedback is appreciated.

> bro -d -r test.pcap local.clear-passwords

No immediate idea. Can you please send the script?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From vern at icir.org Fri Jun 20 10:47:19 2008
From: vern at icir.org (Vern Paxson)
Date: Fri, 20 Jun 2008 10:47:19 -0700
Subject: [Bro] Debugging and non-interactive install
In-Reply-To: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com> (Fri, 20 Jun 2008 09:43:29 EDT).
Message-ID: <200806201747.m5KHlKuB018499@pork.ICSI.Berkeley.EDU>

> 1. I need a non-interactive install of Bro ...

I can't really comment on this as I'm not one of the Bro install gurus, but perhaps someone who is will do so.

> 2. I'm having some trouble debugging a simple policy file (I'd include it,
> but its on another network). I basically want to redefine some of the
> clear-passwords methods to reduce log noise by checking if this is a
> password we already know about, and to ignore IRC JOINs with no password.

If you're able at some point to send it along, I can probably help out directly.

> when I run:
>
> bro -d -r test.pcap brolite local.clear-passwords
> or
> bro -d -r test.pcap local.clear-passwords
>
> it never drops into the debugger (and if you Ctrl-C it dies). But if I run

Unfortunately the debugger has not been maintained and isn't reliable at this point :-(. I'd definitely like to fix that, but to date it hasn't been a high priority. I'd like to hear from any others who also would make use of it. Offhand, I don't see any obvious problem with what you're trying above.

> I'm at the stage where bro isn't giving me any errors about the policy but
> it is not producing any output, at all, for any policy. Any hints?

Try "bro -t tracefile ..." to generate an execution trace. When no output gets produced, usually the problem is that no events are being generated because the event engine isn't finding that you've defined the event handlers it expects for turning on different forms of application analysis. If the trace shows that the events are being generated, then annotating your script with logging information will usually help zero in on the problem quickly.

Vern

From greglindon at gmail.com Fri Jun 20 11:12:31 2008
From: greglindon at gmail.com (Greg Lindon)
Date: Fri, 20 Jun 2008 14:12:31 -0400
Subject: [Bro] Debugging and non-interactive install
In-Reply-To: <200806201747.m5KHlKuB018499@pork.ICSI.Berkeley.EDU>
References: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com> <200806201747.m5KHlKuB018499@pork.ICSI.Berkeley.EDU>
Message-ID: <1068dd500806201112l29cf517r36b5b678e54a0fe3@mail.gmail.com>

Thanks guys, that helps. Robin I'll take a look at the cluster, looks like you have a standalone config in there, so that will have to do for the time being - won't be getting any new boxes in the immediate future to make a real cluster.

> Try "bro -t tracefile ..." to generate an execution trace. When no output
> gets produced, usually the problem is that no events are being generated
> because the event engine isn't finding that you've defined the event
> handlers it expects for turning on different forms of application analysis.
> If the trace shows that the events are being generated, then annotating
> your script with logging information will usually help zero in on the
> problem quickly.

Fair enough, I'll give that a try. I liked the idea of the debugger because you could run through a fairly large pcap and fix most of the problems in one go rather than many repeated analysis runs. This way I'll have to carve out a much smaller pcap that has the traffic to generate the needed events. If I can't get any further along like this I'll move the config over and send it to the list.

Thanks for the quick replies!

Cheers,
Greg

From robin at icir.org Fri Jun 20 11:19:26 2008
From: robin at icir.org (Robin Sommer)
Date: Fri, 20 Jun 2008 11:19:26 -0700
Subject: [Bro] Debugging and non-interactive install
In-Reply-To: <1068dd500806201112l29cf517r36b5b678e54a0fe3@mail.gmail.com>
References: <1068dd500806200643wad65078k80af9979920cbc6e@mail.gmail.com> <200806201747.m5KHlKuB018499@pork.ICSI.Berkeley.EDU> <1068dd500806201112l29cf517r36b5b678e54a0fe3@mail.gmail.com>
Message-ID: <20080620181926.GE22925@icir.org>

On Fri, Jun 20, 2008 at 14:12 -0400, Greg Lindon wrote:

> Thanks guys, that helps. Robin I'll take a look at the cluster, looks like
> you have a standalone config in there, so that will have to do for the time
> being - won't be getting any new boxes in the immediate future to make a
> real cluster.

Right, that's the idea: the standalone config is for a traditional, single-box install. You don't need an actual cluster to use the new framework (perhaps we should at some point rename the framework's main script from "cluster" to something less specific).

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From uchekuru at gmail.com Sat Jun 21 11:34:32 2008
From: uchekuru at gmail.com (uday chekuri)
Date: Sat, 21 Jun 2008 14:34:32 -0400
Subject: [Bro] Compilation errors

Hi,

I am having a lot of compilation errors while running bro on pcap files.

$ bro -r tracefile.pcap brolite-sigs.bro local.bro

I tried the stuff in the archives and wiki:

cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig

which is there in the archive, and

$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}

which is there in the wiki. What else can I do to solve this problem?

Thanks,
--Uday.

From uchekuru at gmail.com Sat Jun 21 11:35:49 2008
From: uchekuru at gmail.com (uday chekuri)
Date: Sat, 21 Jun 2008 14:35:49 -0400
Subject: [Bro] error compiling pattern errors

Hi,

I am having a lot of error compiling pattern errors while running bro on pcap files.

$ bro -r tracefile.pcap brolite-sigs.bro local.bro

I tried the stuff in the archives and wiki:

cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig

which is there in the archive, and

$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}

which is there in the wiki. What else can I do to solve this problem?

Thanks,
--Uday.

From greglindon at gmail.com Mon Jun 23 09:14:37 2008
From: greglindon at gmail.com (Greg Lindon)
Date: Mon, 23 Jun 2008 12:14:37 -0400
Subject: [Bro] Debugging policy
Message-ID: <1068dd500806230914v10c0cc24v6da8a50127c047f2@mail.gmail.com>

OK, so I'm still having problems :(

I have a small pcap (1.6 MB) with a telnet login to test with, but it is taking forever for bro to even get to the point of giving me an error with my policy. I am running bro 1.3.2 with:

bro -r test.pcap -t tracefile.txt local.clear-passwords.bro

which takes around 30 minutes(!?!) to give me a fairly unhelpful error about my policy. Why is it so slow? In tracefile.txt I only get stuff from bro.init about opening log files, and in the terminal I only get the usual stuff from scan.bro about the DNS root servers. Why is scan.bro even being run? As far as I can see, the policy files that I am including (see attached) don't depend on it?

I thought the box I was using might be overly taxed with other software, but I installed it somewhere else with the same slow result. Bro doesn't even show up in the first page of "top" processes. Is there some sort of nice-ing going on that I can turn off? Can I tell it to consume more system resources?

The error bro gives is "parse error at or near event", the line number is for the "event account_tried" declaration. I'm guessing that I have a syntax error in my password array, but this process is making debugging slow.

Thoughts?

Greg

On Fri, Jun 20, 2008 at 2:19 PM, Robin Sommer wrote:
>
> On Fri, Jun 20, 2008 at 14:12 -0400, Greg Lindon wrote:
>
>> Thanks guys, that helps. Robin I'll take a look at the cluster, looks like
>> you have a standalone config in there, so that will have to do for the time
>> being - won't be getting any new boxes in the immediate future to make a
>> real cluster.
>
> Right, that's the idea: the standalone config is for a traditional,
> single-box install. You don't need an actual cluster to use the new
> framework (perhaps we should at some point rename the framework's
> main script from "cluster" to something less specific).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bro_clear_pass_policy.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080623/49fc8232/attachment.txt

From vern at icir.org Mon Jun 23 09:46:13 2008
From: vern at icir.org (Vern Paxson)
Date: Mon, 23 Jun 2008 09:46:13 -0700
Subject: [Bro] Debugging policy
In-Reply-To: <1068dd500806230914v10c0cc24v6da8a50127c047f2@mail.gmail.com> (Mon, 23 Jun 2008 12:14:37 EDT).
Message-ID: <200806231646.m5NGkIFn016691@pork.ICSI.Berkeley.EDU>

> bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
>
> which takes around 30 minutes(!?!) to give me a fairly unhelpful error
> about my policy.
> ...
> Bro doesn't even show up in the first page of "top" processes.

Try setting the environment variable BRO_DNS_FAKE to turn off DNS lookups. Most likely it's simply sitting in a series of long DNS timeouts.

> The error bro gives is "parse error at or near event", the line number
> is for the "event account_tried" declaration. I'm guessing that I
> have a syntax error in my password array, but this process is making
> debugging slow.

Yes, you don't have a ';' at the end of "global known_pass = { ... }".

Vern

From greglindon at gmail.com Mon Jun 23 11:06:34 2008
From: greglindon at gmail.com (Greg Lindon)
Date: Mon, 23 Jun 2008 14:06:34 -0400
Subject: [Bro] Debugging policy
In-Reply-To: <200806231646.m5NGkIFn016691@pork.ICSI.Berkeley.EDU>
References: <1068dd500806230914v10c0cc24v6da8a50127c047f2@mail.gmail.com> <200806231646.m5NGkIFn016691@pork.ICSI.Berkeley.EDU>
Message-ID: <1068dd500806231106j61fab808q1dc2f084c6ddddab@mail.gmail.com>

Thanks. Seems painfully obvious now :)

Greg

On Mon, Jun 23, 2008 at 12:46 PM, Vern Paxson wrote:
>> bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
>>
>> which takes around 30 minutes(!?!) to give me a fairly unhelpful error
>> about my policy.
>> ...
>> Bro doesn't even show up in the first page of "top" processes.
>
> Try setting the environment variable BRO_DNS_FAKE to turn off DNS lookups.
> Most likely it's simply sitting in a series of long DNS timeouts.
>
>> The error bro gives is "parse error at or near event", the line number
>> is for the "event account_tried" declaration. I'm guessing that I
>> have a syntax error in my password array, but this process is making
>> debugging slow.
>
> Yes, you don't have a ';' at the end of "global known_pass = { ... }".
>
> Vern
>

From uchekuru at gmail.com Wed Jun 25 19:39:04 2008
From: uchekuru at gmail.com (uday chekuri)
Date: Wed, 25 Jun 2008 22:39:04 -0400
Subject: [Bro] problem with using snort rules by bro

Hi,

I have a trace file with BID 10108. I have converted snort rules of version 2.3.2 by s2b. My bro version is 1.2.1. When I run bro on my pcap file it is running with a few error compiling patterns. It is not showing me the exact rule related to the 10108 BID in the alarm and signature file. I think this is due to those error compiling patterns. To solve that I tried the solution in the wiki and archive. But no luck.

I am sorry for reposting the same issue. I got no reply previously. But please help me with this issue.

Regards,
Uday.

From robin at icir.org Thu Jun 26 15:58:40 2008
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Jun 2008 15:58:40 -0700
Subject: [Bro] problem with using snort rules by bro
Message-ID: <20080626225840.GJ38898@icir.org>

On Wed, Jun 25, 2008 at 22:39 -0400, uday chekuri wrote:

> this is due to those error compiling patterns. To solve that I tried the

Have you tried the most recent Bro version? Do you still see the problem with that? If yes, please also try the current trunk directly from the Subversion directory. I think this should be solved there already.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Thu Jun 26 18:18:23 2008
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Jun 2008 18:18:23 -0700
Subject: [Bro] Reporting problem in http_header event
In-Reply-To: <9b5f0ba60804300202l1981c420x9030dc35345d0bd0@mail.gmail.com>
References: <9b5f0ba60804300202l1981c420x9030dc35345d0bd0@mail.gmail.com>
Message-ID: <20080627011823.GD59861@icir.org>

On Wed, Apr 30, 2008 at 14:32 +0530, Sanmeet Bhatia wrote:

> I have found a bug in the event called http_header. The value : string it
> returns has a space at the beginning. Like "www.yahoo.com" will be
> returned as " www.yahoo.com".

I've now fixed this in my branch. Thanks!

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
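A local.bro that applies the two script-level fixes discussed in this archive (Jim Mellander's point that `redef local_nets` only works after the `@load`s that declare it, and the terminating `;` on the `global known_pass = { ... }` set that Vern Paxson spotted), together with an `account_tried` handler that drops the noise from already-known clear-text passwords, as an added example and not the policy attached in the thread. The `account_tried(c: connection, user: string, passwd: string)` signature is assumed from Bro 1.x; the subnet and password values are constructed placeholders.

```bro
# local.bro (added example; not the bro_clear_pass_policy.txt from the thread)

# Load the scripts that declare local_nets before redefining it. With the
# redef placed first, Bro 1.x reports:
#   local.bro, line 1 (local_nets): error, "redef" used but not previously defined
@load brolite
@load brolite-sigs

# Now local_nets exists and may be redefined. 192.0.2.0/24 is a
# constructed placeholder for the site's own range.
redef local_nets: set[subnet] = {
    192.0.2.0/24,
};

# Passwords the site already knows about, so repeated clear-text logins
# with them do not flood the log (constructed values). The closing ';'
# is mandatory: without it the parser fails on the next declaration
# with "parse error at or near event".
global known_pass: set[string] = {
    "welcome1",
    "changeme",
};

# Bro 1.x login analysis raises account_tried for each login attempt it
# reconstructs from telnet/rlogin traffic (signature assumed, see above).
# Adding a second handler here does not replace the one in login.bro;
# both run.
event account_tried(c: connection, user: string, passwd: string)
    {
    if ( passwd in known_pass )
        return;    # already known: nothing new to report

    print fmt("%s -> %s: clear-text login as \"%s\" with a password not in known_pass",
              c$id$orig_h, c$id$resp_h, user);
    }
```

Run it offline as `BRO_DNS_FAKE=1 bro -r test.pcap -t tracefile.txt local.bro`: BRO_DNS_FAKE avoids the long DNS timeouts Vern describes, and the -t trace shows whether account_tried is being raised at all before you look for a fault in the handler.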