From rreitz at fnal.gov Fri Mar 7 14:12:28 2008
From: rreitz at fnal.gov (Randolph Reitz)
Date: Fri, 07 Mar 2008 16:12:28 -0600
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To: <47BB29A3.8050508@lbl.gov>
References: <47BB29A3.8050508@lbl.gov>
Message-ID:

Anne,

I have a new box with FreeBSD 7.0-RELEASE installed (selected developer install). When compiling BRO (1.3.2), I get an error ...

Making install in src
source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no
depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo'
depmode=gcc3 /usr/local/bin/bash ../depcomp g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo './'`DNS-binpac.cc
In file included from ARP.h:43,
                 from Sessions.h:28,
                 from RuleMatcher.h:12,
                 from Conn.h:32,
                 from Analyzer.h:11,
                 from UDP.h:25,
                 from DNS-binpac.h:6,
                 from DNS-binpac.cc:3:
NetVar.h:260:30: error: const.bif.netvar_h: No such file or directory
NetVar.h:261:30: error: event.bif.netvar_h: No such file or directory
In file included from DNS-binpac.cc:3:
DNS-binpac.h:9:21: error: dns_pac.h: No such file or directory
DNS-binpac.h:40:25: error: dns_tcp_pac.h: No such file or directory
In file included from DNS-binpac.h:7,
                 from DNS-binpac.cc:3:
TCP.h: In static member function 'static bool TCPStats_Analyzer::Available()':
TCP.h:360: error: 'conn_stats' was not declared in this scope
TCP.h:360: error: 'tcp_rexmit' was not declared in this scope
In file included from DNS-binpac.cc:3:
DNS-binpac.h: At global scope:
DNS-binpac.h:37: error: 'binpac' has not been declared
(this goes on and on)

It looks like there is a DNS dependency that I need to figure out??

Randy Reitz
Fermilab

On Feb 19, 2008, at 1:10, Anne Hutton wrote:
> is anyone using bro on freebsd 7-RC1?
>
> thanks,
> Anne
> --
> Anne Hutton
> Computer Protection Program
> Lawrence Berkeley National Laboratory
> (510) 495-2681

From ahutton at lbl.gov Fri Mar 7 14:25:58 2008
From: ahutton at lbl.gov (Anne Hutton)
Date: Fri, 07 Mar 2008 14:25:58 -0800
Subject: [Bro] bro on freebsd 7-RC1 -- oops
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID: <47D1C0F6.6090103@lbl.gov>

Randolph Reitz wrote:
> Anne,
>
> I have a new box with FreeBSD 7.0-RELEASE installed (selected developer
> install). When compiling BRO (1.3.2), I get an error ...

try using bro 1.2.1 (stable) rather than current to see if that compiles. However, I found that bro-1.2.1 just stopped collecting after a while. I will try 1.3.2 as well.

Anne

>
> Making install in src
> source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no
> depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo'
> depmode=gcc3 /usr/local/bin/bash ../depcomp g++ -DHAVE_CONFIG_H -I. -I.
> -I.. -I. -I../aux/binpac/lib -I../src -I. -I..
> -Ilibedit -O -W -Wall
> -Wno-unused -g -O2 -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo
> './'`DNS-binpac.cc
> In file included from ARP.h:43,
>                  from Sessions.h:28,
>                  from RuleMatcher.h:12,
>                  from Conn.h:32,
>                  from Analyzer.h:11,
>                  from UDP.h:25,
>                  from DNS-binpac.h:6,
>                  from DNS-binpac.cc:3:
> NetVar.h:260:30: error: const.bif.netvar_h: No such file or directory
> NetVar.h:261:30: error: event.bif.netvar_h: No such file or directory
> In file included from DNS-binpac.cc:3:
> DNS-binpac.h:9:21: error: dns_pac.h: No such file or directory
> DNS-binpac.h:40:25: error: dns_tcp_pac.h: No such file or directory
> In file included from DNS-binpac.h:7,
>                  from DNS-binpac.cc:3:
> TCP.h: In static member function 'static bool
> TCPStats_Analyzer::Available()':
> TCP.h:360: error: 'conn_stats' was not declared in this scope
> TCP.h:360: error: 'tcp_rexmit' was not declared in this scope
> In file included from DNS-binpac.cc:3:
> DNS-binpac.h: At global scope:
> DNS-binpac.h:37: error: 'binpac' has not been declared
> (this goes on and on)
>
> It looks like there is a DNS dependency that I need to figure out??
>
> Randy Reitz
> Fermilab
>
> On Feb 19, 2008, at 1:10, Anne Hutton wrote:
>
>> is anyone using bro on freebsd 7-RC1?
>>
>> thanks,
>> Anne
>> --
>> Anne Hutton
>> Computer Protection Program
>> Lawrence Berkeley National Laboratory
>> (510) 495-2681
>

-- 
Anne Hutton
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495-2681

From pauls at utdallas.edu Fri Mar 7 14:30:09 2008
From: pauls at utdallas.edu (Paul Schmehl)
Date: Fri, 07 Mar 2008 16:30:09 -0600
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID:

--On Friday, March 07, 2008 16:12:28 -0600 Randolph Reitz wrote:

> Anne,
>
> I have a new box with FreeBSD 7.0-RELEASE installed (selected
> developer install). When compiling BRO (1.3.2), I get an error ...
>
> Making install in src
> source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no
> depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo'
> depmode=gcc3 /usr/local/bin/bash ../depcomp g++ -DHAVE_CONFIG_H -I. -I.
> -I.. -I. -I../aux/binpac/lib -I../src -I. -I..
> -Ilibedit -O -W -Wall -Wno-unused -g -O2 -c -o DNS-binpac.o `test -f 'DNS-binpac.cc'
> || echo './'`DNS-binpac.cc
> In file included from ARP.h:43,
>                  from Sessions.h:28,
>                  from RuleMatcher.h:12,
>                  from Conn.h:32,
>                  from Analyzer.h:11,
>                  from UDP.h:25,
>                  from DNS-binpac.h:6,
>                  from DNS-binpac.cc:3:
> NetVar.h:260:30: error: const.bif.netvar_h: No such file or directory
> NetVar.h:261:30: error: event.bif.netvar_h: No such file or directory
> In file included from DNS-binpac.cc:3:
> DNS-binpac.h:9:21: error: dns_pac.h: No such file or directory
> DNS-binpac.h:40:25: error: dns_tcp_pac.h: No such file or directory
> In file included from DNS-binpac.h:7,
>                  from DNS-binpac.cc:3:
> TCP.h: In static member function 'static bool
> TCPStats_Analyzer::Available()':
> TCP.h:360: error: 'conn_stats' was not declared in this scope
> TCP.h:360: error: 'tcp_rexmit' was not declared in this scope
> In file included from DNS-binpac.cc:3:
> DNS-binpac.h: At global scope:
> DNS-binpac.h:37: error: 'binpac' has not been declared
> (this goes on and on)
>
> It looks like there is a DNS dependency that I need to figure out??
>

I'm the FreeBSD port maintainer for bro. I'm running 7.0 RELEASE (i386), and I'm not having any problems compiling bro. (I just compiled it after reading your email.) Make sure that your sources, kernel and ports are up to date and try it again. Also, what architecture are you trying to compile on? I'm running i386 SMP.

On a different note, I updated this port on request. I don't use bro personally, so I'd appreciate any comments about improvements, changes, etc. For example, if you'd like to see more options available (we call them KNOBS), let me know, *in detail*, what you're looking for, and I'll work on improving the port further. Since I don't know how people use the program, it's hard for me to know what functionality to include by default or highlight, offer as an option, etc., etc.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From ager at net.in.tum.de Fri Mar 7 15:33:55 2008
From: ager at net.in.tum.de (Bernhard Ager)
Date: Sat, 8 Mar 2008 00:33:55 +0100
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID: <20080307233355.GS13325@in.tum.de>

On Fri, Mar 07, 2008 at 04:12:28PM -0600, Randolph Reitz wrote:
> Anne,
>
> I have a new box with FreeBSD 7.0-RELEASE installed (selected
> developer install). When compiling BRO (1.3.2), I get an error ...
>
> Making install in src
> source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no
> depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo'
> depmode=gcc3 /usr/local/bin/bash ../depcomp g++ -DHAVE_CONFIG_H -I. -I.
> -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -O -W -Wall
> -Wno-unused -g -O2 -c -o DNS-binpac.o `test -f 'DNS-binpac.cc'
> || echo './'`DNS-binpac.cc
> In file included from ARP.h:43,
>                  from Sessions.h:28,
>                  from RuleMatcher.h:12,
>                  from Conn.h:32,
>                  from Analyzer.h:11,
>                  from UDP.h:25,
>                  from DNS-binpac.h:6,
>                  from DNS-binpac.cc:3:
> NetVar.h:260:30: error: const.bif.netvar_h: No such file or directory
> NetVar.h:261:30: error: event.bif.netvar_h: No such file or directory

Just a wild guess: You've been trying a parallel build ('make -j ...')? As far as I know the Bro Makefile is not yet safe for parallel building, so just leave the '-j' out.

Bernhard

-- 
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin

From rreitz at fnal.gov Mon Mar 10 11:47:27 2008
From: rreitz at fnal.gov (Randolph Reitz)
Date: Mon, 10 Mar 2008 13:47:27 -0500
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID:

On Mar 7, 2008, at 4:30, Paul Schmehl wrote:

> I'm the FreeBSD port maintainer for bro. I'm running 7.0 RELEASE
> (i386), and I'm not having any problems compiling bro. (I just compiled
> it after reading your email.) Make sure that your sources, kernel and
> ports are up to date and try it again. Also, what architecture are you
> trying to compile on? I'm running i386 SMP.

I didn't notice the bro port. Yes, the bro port compiles fine on 7.0-RELEASE. You get bro-1.2.1 which is the current stable release. I was trying to compile bro-1.3.2 which is the current development release.

Are FreeBSD ports made for development releases?

Thanks,
Randy

From pauls at utdallas.edu Mon Mar 10 13:00:53 2008
From: pauls at utdallas.edu (Paul Schmehl)
Date: Mon, 10 Mar 2008 15:00:53 -0500
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID:

--On Monday, March 10, 2008 13:47:27 -0500 Randolph Reitz wrote:

>
> On Mar 7, 2008, at 4:30, Paul Schmehl wrote:
>
>> I'm the FreeBSD port maintainer for bro. I'm running 7.0 RELEASE
>> (i386), and I'm not having any problems compiling bro. (I just compiled
>> it after reading your email.) Make sure that your sources, kernel and
>> ports are up to date and try it again. Also, what architecture are you
>> trying to compile on? I'm running i386 SMP.
>
> I didn't notice the bro port. Yes, the bro port compiles fine on
> 7.0-RELEASE. You get bro-1.2.1 which is the current stable release. I was
> trying to compile bro-1.3.2 which is the current development release.
>
> Are FreeBSD ports made for development releases?

In general, no. FreeBSD devel ports are usually the libraries associated with or required by a port.
I thought about creating one for the devel release, but the problem is, the code is constantly changing, so maintaining the port would be a PITA. It's much easier to maintain a stable release version.

However, when I said "I'm not having any problems compiling bro", I was referring to the 1.3.1 devel release that you were trying to compile. I downloaded and compiled it before posting my response.

Did you ever say what ARCH you're running?

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From rreitz at fnal.gov Mon Mar 10 14:13:40 2008
From: rreitz at fnal.gov (Randolph Reitz)
Date: Mon, 10 Mar 2008 16:13:40 -0500
Subject: [Bro] bro on freebsd 7-RC1
In-Reply-To:
References: <47BB29A3.8050508@lbl.gov>
Message-ID: <40FD3504-FF32-4E4E-BA14-C19D68E9A66B@fnal.gov>

On Mar 10, 2008, at 3:00, Paul Schmehl wrote:

> --On Monday, March 10, 2008 13:47:27 -0500 Randolph Reitz wrote:
>
>> On Mar 7, 2008, at 4:30, Paul Schmehl wrote:
>>
>>> I'm the FreeBSD port maintainer for bro. I'm running 7.0 RELEASE
>>> (i386), and I'm not having any problems compiling bro. (I just compiled
>>> it after reading your email.) Make sure that your sources, kernel and
>>> ports are up to date and try it again. Also, what architecture are you
>>> trying to compile on? I'm running i386 SMP.
>>
>> I didn't notice the bro port. Yes, the bro port compiles fine on
>> 7.0-RELEASE. You get bro-1.2.1 which is the current stable release. I was
>> trying to compile bro-1.3.2 which is the current development release.
>>
>> Are FreeBSD ports made for development releases?
>
> In general, no. FreeBSD devel ports are usually the libraries associated
> with or required by a port.
>
> I thought about creating one for the devel release, but the problem is,
> the code is constantly changing, so maintaining the port would be a PITA.
> It's much easier to maintain a stable release version.
>
> However, when I said "I'm not having any problems compiling bro", I was
> referring to the 1.3.1 devel release that you were trying to compile. I
> downloaded and compiled it before posting my response.
>
> Did you ever say what ARCH you're running?

I have ...

[root at dtmb ~]# uname -a
FreeBSD dtmb.dhcp.fnal.gov 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

Humm, I tried to 'make install' bro 1.3.2 again and it worked.

[root at dtmb /home/rreitz/bro-1.3.2]# /usr/local/bro/bin/bro -v
/usr/local/bro/bin/bro version 1.3.2

I can't say what is different today from last Friday. I thought that installing the bro port may have added a dependency, but that doesn't seem to be the case...

[root at dtmb /usr/ports/security/bro]# make depends
===>  bro-1.2_1 depends on file: /usr/local/bin/perl5.8.8 - found
===>  bro-1.2_1 depends on file: /usr/local/bin/perl5.8.8 - found
===>  bro-1.2_1 depends on executable: bison - found
===>  bro-1.2_1 depends on file: /usr/local/bin/perl5.8.8 - found
===>  bro-1.2_1 depends on file: /usr/local/bin/perl5.8.8 - found
[root at dtmb /usr/ports/security/bro]# whereis bison
bison: /usr/local/bin/bison /usr/local/man/man1/bison.1.gz /usr/ports/devel/bison
[root at dtmb /usr/ports/security/bro]# ls -l /usr/local/bin/bison
-r-xr-xr-x  1 root  wheel  228028 Mar  5 14:37 /usr/local/bin/bison

Thanks for looking at this. I'll install my 10GB network card and see what new trouble I can find.

Randy

> --
> Paul Schmehl (pauls at utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

From wwxxmu at hotmail.com Mon Mar 10 19:35:02 2008
From: wwxxmu at hotmail.com (wengwenxiang)
Date: Tue, 11 Mar 2008 10:35:02 +0800
Subject: [Bro] Can bro act as an IPS?
Message-ID:

Hi,

Can bro capture and analyze the real network traffic, not copies, so that we can stop the intrusion on the server?

Regards.

From rmkml at free.fr Mon Mar 10 17:10:03 2008
From: rmkml at free.fr (rmkml)
Date: Tue, 11 Mar 2008 01:10:03 +0100 (CET)
Subject: [Bro] Can bro act as an IPS?
In-Reply-To:
References:
Message-ID:

Hi,

starting with:
http://www.bro-ids.org/bro-workshop-2007/slides/Bro-IPS.pdf

Regards
Rmkml

On Tue, 11 Mar 2008, wengwenxiang wrote:

> Date: Tue, 11 Mar 2008 10:35:02 +0800
> From: wengwenxiang
> To: bro at bro-ids.org
> Subject: [Bro] Can bro act as an IPS?
>
> Hi, Can bro capture and analyze the real network traffic, not copies, so that we can stop the intrusion on the server? Regards.

From mazequest at hotmail.com Tue Mar 11 05:15:08 2008
From: mazequest at hotmail.com (Kyle Cosmo)
Date: Tue, 11 Mar 2008 12:15:08 +0000
Subject: [Bro] Can bro act as an IPS?
In-Reply-To:
References:
Message-ID:

That still doesn't make Bro an IPS though. An IPS blocks malicious traffic itself.
Reconfiguring a nearby router after the original malicious traffic went through doesn't do any good if the goal is to stop the initial malicious session. It is useful though... especially for machines infected with worms that generate a lot of traffic.

Kyle

> Hi,
> starting with:
> http://www.bro-ids.org/bro-workshop-2007/slides/Bro-IPS.pdf
> Regards
> Rmkml
>
>
> On Tue, 11 Mar 2008, wengwenxiang wrote:
>
>> Date: Tue, 11 Mar 2008 10:35:02 +0800
>> From: wengwenxiang
>> To: bro at bro-ids.org
>> Subject: [Bro] Can bro act as an IPS?

From joel.ebrahimi at gmail.com Tue Mar 11 17:03:49 2008
From: joel.ebrahimi at gmail.com (Joel Ebrahimi)
Date: Tue, 11 Mar 2008 17:03:49 -0700
Subject: [Bro] Throughput Problems
Message-ID: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com>

Hi All,

I have been testing Bro recently. I have been having some performance issues. I can load any and all of these policies (without the bad ones listed below) and I get great performance:

@load site
@load alarm
@load weird
@load http
@load worm
@load blaster
@load hot
@load signatures
@load synflood
@load backdoor

If I add any single one of these I go from being able to process traffic at 90 Mb/s to under 1 Mb/s.

@load login
@load irc
@load portmapper
@load http-request
@load http-reply
@load ftp
@load stepping
@load tftp
@load frag
@load smtp

Has anyone ever seen this problem before? Know the solution? Know where to even start looking?

I was also curious at what speeds people start dropping packets. Obviously the traffic you're monitoring has an impact so maybe a little background would help too. (i.e. 100 Mb/s with 64k UDP packets)

Thanks in advance,

// Joel
Joel Ebrahimi

From vern at icir.org Tue Mar 11 17:21:20 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 11 Mar 2008 17:21:20 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com> (Tue, 11 Mar 2008 17:03:49 PDT).
Message-ID: <200803120021.m2C0LP8w022215@pork.ICSI.Berkeley.EDU>

What OS are you running under? First immediate guess is that your BPF buffers are much too small.

		Vern

From joel.ebrahimi at gmail.com Tue Mar 11 19:10:01 2008
From: joel.ebrahimi at gmail.com (Joel Ebrahimi)
Date: Tue, 11 Mar 2008 19:10:01 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <200803120021.m2C0LP8w022215@pork.ICSI.Berkeley.EDU>
References: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com> <200803120021.m2C0LP8w022215@pork.ICSI.Berkeley.EDU>
Message-ID: <46ee7b1c0803111910k4ad10340g122608bf7ba80e56@mail.gmail.com>

I am running Suse on PowerPC. I am also using specialty hardware from Bivio. I do not believe it is an issue with BPF.

// Joel

On Tue, Mar 11, 2008 at 5:21 PM, Vern Paxson wrote:

> What OS are you running under? First immediate guess is that your
> BPF buffers are much too small.
>
> Vern
>

From joel.ebrahimi at gmail.com Tue Mar 11 19:46:04 2008
From: joel.ebrahimi at gmail.com (Joel Ebrahimi)
Date: Tue, 11 Mar 2008 19:46:04 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <46ee7b1c0803111910k4ad10340g122608bf7ba80e56@mail.gmail.com>
References: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com> <200803120021.m2C0LP8w022215@pork.ICSI.Berkeley.EDU> <46ee7b1c0803111910k4ad10340g122608bf7ba80e56@mail.gmail.com>
Message-ID: <46ee7b1c0803111946l5a2b1d82je395159d12067447@mail.gmail.com>

I also just tested this on a dual core intel platform running FC 6. I get the same exact behavior.

In this case I did the following:

./configure
make
make install
make install-brolite

(I had to remove the pre-generated parser code as well)

When I remove loading brolite from the site file I get exceptional performance. With brolite enabled it almost appears as if bro does nothing. When I send a test pcap with 30K packets bro is only able to process 1800. The cpu usage of bro never even gets past 5%.

// Joel

On Tue, Mar 11, 2008 at 7:10 PM, Joel Ebrahimi wrote:

> I am running Suse on PowerPC. I am also using specialty hardware
> from Bivio.
> I do not believe it is an issue with BPF.
>
> // Joel
>
> On Tue, Mar 11, 2008 at 5:21 PM, Vern Paxson wrote:
>
>> What OS are you running under? First immediate guess is that your
>> BPF buffers are much too small.
>>
>> Vern
>

From vern at icir.org Tue Mar 11 20:01:48 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 11 Mar 2008 20:01:48 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <46ee7b1c0803111910k4ad10340g122608bf7ba80e56@mail.gmail.com> (Tue, 11 Mar 2008 19:10:01 PDT).
Message-ID: <200803120301.m2C31rcj024462@pork.ICSI.Berkeley.EDU>

> I am running Suse on PowerPC. I am also using specialty hardware from
> Bivio.
> I do not believe it is an issue with BPF.

Well, it's very likely *some* issue with packet capture, since I believe the difference between your policy-scripts-that-work and scripts-that-don't is that the latter capture full-sized packets and the former basically don't.

Try this. Run with the set of scripts that work plus print-filter.bro to see what filter is being used. Then run with the scripts that don't work plus print-filter and get that filter. See then how tcpdump fares using each filter (along with -s 0 to capture full-sized packets).

If that doesn't shed light, then what are the dominant types of applications in your traffic, and how do you fare using Bro setups that don't capture them?

We routinely run on traffic with 100+ Mbps traffic (18K pps), predominantly SSH and HTTP, without significant problems with drops.

		Vern

From robin at icir.org Tue Mar 11 20:53:03 2008
From: robin at icir.org (Robin Sommer)
Date: Tue, 11 Mar 2008 20:53:03 -0700
Subject: [Bro] Can bro act as an IPS?
In-Reply-To:
References:
Message-ID: <20080312035303.GB74863@icir.org>

On Tue, Mar 11, 2008 at 10:35 +0800, you wrote:

> Hi, Can bro capture and analyze the real network traffic, not copies, so that we can stop the intrusion on the server? Regards.

So, no, Bro does not provide inline capabilities at this point.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From nweaver at ICSI.Berkeley.EDU Tue Mar 11 23:53:24 2008
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Tue, 11 Mar 2008 23:53:24 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com>
References: <46ee7b1c0803111703r70264a5bu16a8d90e9736bc19@mail.gmail.com>
Message-ID: <20080312065324.GA22472@kona.ICSI.Berkeley.EDU>

One thing to quickly try is to tune the packet capture on Linux, as the defaults are pretty bad. See:

http://www.net.t-labs.tu-berlin.de/research/hppc/

for the definitive guide. The shortcut version is, as root:

echo 33554432 > /proc/sys/net/core/rmem_default
echo 33554432 > /proc/sys/net/core/rmem_max
echo 10000 > /proc/sys/net/core/netdev_max_backlog

which will temporarily increase the size of the packet capture buffers to 32 MB, and see if that makes a difference.

-- 
Nicholas C. Weaver                                 nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.

From joel.ebrahimi at gmail.com Wed Mar 12 11:38:35 2008
From: joel.ebrahimi at gmail.com (Joel Ebrahimi)
Date: Wed, 12 Mar 2008 11:38:35 -0700
Subject: [Bro] Throughput Problems
In-Reply-To: <200803120301.m2C31rcj024462@pork.ICSI.Berkeley.EDU>
References: <46ee7b1c0803111910k4ad10340g122608bf7ba80e56@mail.gmail.com> <200803120301.m2C31rcj024462@pork.ICSI.Berkeley.EDU>
Message-ID: <46ee7b1c0803121138w66cde942w1d97e2fc22d72185@mail.gmail.com>

Vern,

Thanks for this info. I had not realized that brolite was applying a number of filters. My main testing pcap was a large variety of services, protocols, and sessions. My testing was semi-automated to check packets sent vs packets bro received. The filter skewed my results. I applied a redef to the packet filter and I am now seeing excellent statistics on the intel machine. I will use this information now to re-test on the Bivio platform.

// Joel

On Tue, Mar 11, 2008 at 8:01 PM, Vern Paxson wrote:

>> I am running Suse on PowerPC. I am also using specialty hardware
>> from Bivio.
>> I do not believe it is an issue with BPF.
>
> Well, it's very likely *some* issue with packet capture, since I believe
> the difference between your policy-scripts-that-work and
> scripts-that-don't is that the latter capture full-sized packets and the
> former basically don't.
>
> Try this. Run with the set of scripts that work plus print-filter.bro to
> see what filter is being used. Then run with the scripts that don't work
> plus print-filter and get that filter. See then how tcpdump fares using
> each filter (along with -s 0 to capture full-sized packets).
>
> If that doesn't shed light, then what are the dominant types of
> applications in your traffic, and how do you fare using Bro setups that
> don't capture them?
>
> We routinely run on traffic with 100+ Mbps traffic (18K pps),
> predominantly SSH and HTTP, without significant problems with drops.
>
> Vern
>

From bro1338 at yahoo.com Thu Mar 13 03:37:16 2008
From: bro1338 at yahoo.com (Navdeep Singh)
Date: Thu, 13 Mar 2008 03:37:16 -0700 (PDT)
Subject: [Bro] Start to Bro.....
Message-ID: <128110.43442.qm@web46315.mail.sp1.yahoo.com>

Respected Sir,

I am new to bro and started it just recently. Please guide me where to start from and where can I get the resources. I will be very thankful to you.

Thanks & Regards
Navdeep Singh
From rmkml at free.fr Wed Mar 12 22:45:50 2008
From: rmkml at free.fr (rmkml)
Date: Thu, 13 Mar 2008 06:45:50 +0100 (CET)
Subject: [Bro] Start to Bro.....
In-Reply-To: <128110.43442.qm@web46315.mail.sp1.yahoo.com>
References: <128110.43442.qm@web46315.mail.sp1.yahoo.com>
Message-ID:

Hi,

maybe:
http://www.bro-ids.org/Bro-quick-start.pdf

Regards
Rmkml

On Thu, 13 Mar 2008, Navdeep Singh wrote:

> Date: Thu, 13 Mar 2008 03:37:16 -0700 (PDT)
> From: Navdeep Singh
> To: bro at ICSI.Berkeley.EDU
> Subject: [Bro] Start to Bro.....
>
> Respected Sir,
> I am new to bro and started it just recently. Please guide me where to start from and where can I get the resources. I will be very thankful to you.
>
> Thanks & Regards
> Navdeep Singh

From bec_agarcia at correo.seguridad.unam.mx Thu Mar 13 21:43:22 2008
From: bec_agarcia at correo.seguridad.unam.mx (bec_agarcia at correo.seguridad.unam.mx)
Date: Thu, 13 Mar 2008 23:43:22 -0500
Subject: [Bro] About problems to install on Debian
In-Reply-To:
References:
Message-ID: <20080313234322.ismdxgzpj400soos@correo.seguridad.unam.mx>

Hi

Well, I try to install bro on Debian, but I can't, because when I do the command "make" or "make install" I receive the next few errors:

-O2 -MT FileAnalyzer.o -MD -MP -MF ".deps/FileAnalyzer.Tpo" -c -o FileAnalyzer.o FileAnalyzer.cc; \
then mv -f ".deps/FileAnalyzer.Tpo" ".deps/FileAnalyzer.Po"; else rm -f ".deps/FileAnalyzer.Tpo"; exit 1; fi
Analyzer.h:100: warning: 'class Analyzer::OutputHandler' has virtual functions but non-virtual destructor
FileAnalyzer.cc: In member function 'void File_Analyzer::Identify()':
FileAnalyzer.cc:80: error: 'cl_scanbuff' was not declared in this scope
FileAnalyzer.cc: In static member function 'static void File_Analyzer::InitClamAV()':
FileAnalyzer.cc:113: error: 'cl_loaddbdir' was not declared in this scope
FileAnalyzer.cc:117: error: 'cl_perror' was not declared in this scope
FileAnalyzer.cc:125: error: 'cl_perror' was not declared in this scope
make[4]: *** [FileAnalyzer.o] Error 1
make[4]: se sale del directorio `/usr/local/src/Bro-ids/bro-1.2.1/src'
make[3]: *** [all-recursive] Error 1
make[3]: se sale del directorio `/usr/local/src/Bro-ids/bro-1.2.1/src'
make[2]: *** [all] Error 2
make[2]: se sale del directorio `/usr/local/src/Bro-ids/bro-1.2.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: se sale del directorio `/usr/local/src/Bro-ids/bro-1.2.1'
make: *** [all] Error 2

I have installed libclamav and the other dependencies, but I always receive this error and I don't know how I can resolve it. I hope somebody can help me, please...

thanks for all

From vallentin at ICSI.Berkeley.EDU Fri Mar 14 00:42:26 2008
From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin)
Date: Fri, 14 Mar 2008 08:42:26 +0100
Subject: [Bro] NIDS Cluster
In-Reply-To: <70c421780803131946y21271c6fvd24364bf0d443777@mail.gmail.com>
References: <70c421780803131946y21271c6fvd24364bf0d443777@mail.gmail.com>
Message-ID: <942AE76D-A454-47F3-AC37-23CA35899377@ICSI.Berkeley.EDU>

I'm cc'ing this issue to the Bro mailing list.

On Mar 14, 2008, at 3:46 AM, Anh Le wrote:

> Hello Matthias,
>
> I am very interested in your work on NIDS cluster. I have read both
> your Bachelor's thesis and your recent publication in RAID 2007. They
> are very nicely done. However, during my reading, I have several
> questions regarding the Inter-Connection Analysis for which I cannot
> find the answers. In particular, my questions arise from this paragraph:
>
> ------------------------------
> Some scripts, however, do require information from multiple
> connections. A prominent example is the scan detector, which counts
> connection attempts per source address. If these reach a certain
> threshold, the system raises an alarm. In the cluster setup, the scan
> detector now must count across backends; we therefore synchronize the
> corresponding tables of counters (which simply entails annotating the
> corresponding script variables with the attribute &synchronized).
> Other examples of scripts needing synchronization are the worm
> detector (which maintains a global list of infected hosts) and the
> SMTP relay detector (which identifies open SMTP relays by associating
> incoming with outgoing mails). Overall, we needed to synchronize 29
> script-level variables spanning 19 different types of analysis.
> ------------------------------
>
> 1. I cannot find details about the 19 types of analysis and 29
> variables mentioned above. I wonder if you could help me with the
> details about them.

Hi Anh,

thanks for delving into these issues so profoundly. I hope I can help you with your questions.

At the time of writing the thesis, we counted 29 script variables that had to be synchronized in order to maintain the correct global semantics. The 19 types of analysis are simply the different uses, e.g. scan detection, SMTP relay detection, worm detection, etc. By looking at the &synchronized variables in the code, you can check to which type of analysis each variable corresponds. To this end, consult Robin's work branch with the most recent updates on cluster work. Here is some information that might help you get started: http://blog.icir.org/search/label/subversion

> 2. I also wonder if during your experimentation, you have any
> statistics or insights about the percentage of detection requiring
> Inter-Connection Analysis in comparison with the one only requiring
> Intra-Connection Analysis.

We did not explicitly measure the ratio of inter-connection to intra-connection analysis. When we performed the measurements, the scan detection accounted for the largest share of inter-connection analysis. The other types of analysis were comparably negligible. Note that this greatly depends on your traffic's application mix and may vary greatly in different environments.

> 3. Finally, does Bro have any DDoS detection policy scripts which
> require Inter-Connection Analysis?
To my knowledge, no such scripts exist (please correct me if I am wrong!). But if they did, they sure would require inter-connection analysis, as this type of analysis has global semantics.

Feel free to ask any further questions, preferably to the Bro mailing list directly!

Matthias

--
Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16

From r.gruyters at yirdis.nl Fri Mar 14 00:57:27 2008
From: r.gruyters at yirdis.nl (Robin Gruyters)
Date: Fri, 14 Mar 2008 08:57:27 +0100
Subject: [Bro] undefined value as a SCALAR
Message-ID: <20080314075727.GA35674@server.yirdis.net>

Hi ya,

Yesterday I installed Bro 1.3.x from SVN on one of our test servers and noticed the following message when trying to run site-report.pl:

Finished processing alarm files
Starting processing of conn file /nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00
Finished processing conn file
Starting processing of conn file /nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20
Finished processing conn file
Can't use an undefined value as a SCALAR reference at /usr/local/bin/site-report.pl line 1281.
: 1204412358.158256
Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt

Although it says it is generating a report, the report itself is empty:

# ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
-rw-r--r-- 1 root bro 0 Mar 14 08:51 /nsm/bro/reports/yirdis.net.1205481090.21744.rpt

Kind regards,
--
Robin Gruyters
Network and Security Engineer
Betronic Nederland B.V.
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190
From r.gruyters at yirdis.nl Fri Mar 14 02:59:26 2008
From: r.gruyters at yirdis.nl (Robin Gruyters)
Date: Fri, 14 Mar 2008 10:59:26 +0100
Subject: [Bro] undefined value as a SCALAR
In-Reply-To:
References: <20080314075727.GA35674@server.yirdis.net>
Message-ID: <20080314095925.GA50377@server.yirdis.net>

On Fri, Mar 14, 2008 at 03:00:06AM +0100, rmkml wrote:
> Hi Robin,
> What does line 1281 of /usr/local/bin/site-report.pl contain?
> Regards
> Rmkml
>

The following entry:

..
if( !( print $fh $$part ) )
..

site-report.pl is located in the bro source tree under scripts/perl/script.

Regards,
Robin Gruyters

>
> On Fri, 14 Mar 2008, Robin Gruyters wrote:
>
> >Date: Fri, 14 Mar 2008 08:57:27 +0100
> >From: Robin Gruyters
> >To: bro at ICSI.Berkeley.EDU
> >Subject: [Bro] undefined value as a SCALAR
> >
> >Hi ya,
> >
> >Yesterday I installed Bro 1.3.x from SVN on one of our test servers
> >and noticed the following message when trying to run site-report.pl:
> >
> >Finished processing alarm files
> >Starting processing of conn file
> >/nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00
> >Finished processing conn file
> >Starting processing of conn file
> >/nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20
> >Finished processing conn file
> >Can't use an undefined value as a SCALAR reference at
> >/usr/local/bin/site-report.pl line 1281.
> >: 1204412358.158256
> >Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >
> >Although it says it is generating a report, the report itself is empty:
> >
> ># ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >-rw-r--r-- 1 root bro 0 Mar 14 08:51
> >/nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >
> >Kind regards,
> >--
> >Robin Gruyters
> >Network and Security Engineer
> >Betronic Nederland B.V.
> >I: http://yirdis.com
> >I: http://betronic.nl
> >P: +31 (0)20 5659191
> >F: +31 (0)20 5659190
>

From joel.ebrahimi at gmail.com Fri Mar 14 12:16:19 2008
From: joel.ebrahimi at gmail.com (Joel Ebrahimi)
Date: Fri, 14 Mar 2008 12:16:19 -0700
Subject: [Bro] Memory Usage
Message-ID: <46ee7b1c0803141216l744879d7x1c1bd10f265a4617@mail.gmail.com>

I have been testing Bro 1.2.1 and the current 1.3.2. In both cases over time the memory is eventually exhausted. It takes only a few hours with some intensive pcaps to reach this point. I spent a little bit of time running 1.3.2 through Valgrind but I was not able to find a definitive leak. I will keep looking into this more, but I wanted to see if anyone was aware of any potential memory leaks, or of resources being used that are not being released.

Thanks,

// Joel
From bec_agarcia at correo.seguridad.unam.mx Fri Mar 14 12:34:13 2008
From: bec_agarcia at correo.seguridad.unam.mx (bec_agarcia at correo.seguridad.unam.mx)
Date: Fri, 14 Mar 2008 14:34:13 -0500
Subject: [Bro] (no subject)
Message-ID: <20080314143413.016u9wz1ckcw0ogo@correo.seguridad.unam.mx>

Hi,

I am trying to start up Bro on Ubuntu, but when I execute /usr/local/bro/etc/bro.rc --start I receive the following output with a lot of errors, and I don't know where and how I can resolve them. Can anybody help me, please? Thanks.

root at client-honeypot:/usr/local/src/Bro-ids/bro-1.2.1# /usr/local/bro/etc/bro.rc --start
bro.rc: Running as non-root user ddjimenez
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro/policy/http-request.bro, line 34: run-time error: error compiling pattern /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/ /usr/local/bro/policy/http-request.bro, line 42: run-time error: error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/ /usr/local/bro/policy/http-request.bro, line 48: run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/ /usr/local/bro/policy/http-request.bro, line 50: run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/ /usr/local/bro/policy/http-reply.bro, line 111: run-time error: error compiling pattern /^?.*(^ )/ /usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/ /usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern 
/((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/ /usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/ /usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/ /usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/ /usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/ /usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/ /usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/ /usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/ /usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/ /usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/ /usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/ /usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/ /usr/local/bro/policy/portmapper.bro, line 310: run-time error: error compiling pattern /^?.*(^\[)/ 
/usr/local/bro/policy/portmapper.bro, line 311: run-time error: error compiling pattern /^?.*(\]$)/ /usr/local/bro/policy/login.bro, line 66: run-time error: error compiling pattern /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[ \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[ \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[ \t]+secure)))|(^?.*(cd[ \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[ \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[ \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[ \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/ /usr/local/bro/policy/login.bro, line 72: run-time error: error compiling pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/ /usr/local/bro/policy/login.bro, line 75: run-time error: error compiling pattern /^?.*(No such file or directory)/ /usr/local/bro/policy/login.bro, line 84: run-time error: error compiling pattern /^?.*(.*loadmodule.*)/ /usr/local/bro/policy/login.bro, line 138: run-time error: error compiling pattern /(((((((((((((((((((((((((((((((((((((((((((((((((^?.*(^-r.s.*root.*\/bin\/(sh|csh|tcsh)))|(^?.*(Jumping to address)))|(^?.*(Jumping Address)))|(^?.*(smashdu\.c)))|(^?.*(PATH_UTMP)))|(^?.*(Log started at =)))|(^?.*(www\.anticode\.com)))|(^?.*(www\.uberhax0r\.net)))|(^?.*(smurf\.c by TFreak)))|(^?.*(Super Linux Xploit)))|(^?.*(^# 
\[root@)))|(^?.*(^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh))))|(^?.*(invisibleX)))|(^?.*(PATH_(UTMP|WTMP|LASTLOG))))|(^?.*([0-9]{5,} bytes from)))|(^?.*((PATH|STAT):\ .*=>)))|(^?.*(----- \[(FIN|RST|DATA LIMIT|Timed Out)\])))|(^?.*(IDLE TIMEOUT)))|(^?.*(DATA LIMIT)))|(^?.*(-- TCP\/IP LOG --)))|(^?.*(STAT: (FIN|TIMED_OUT) )))|(^?.*((shell|xploit)_code)))|(^?.*(execshell)))|(^?.*(x86_bsd_compaexec)))|(^?.*(\\xbf\\xee\\xee\\xee\\x08\\xb8)))|(^?.*(Coded by James Seter)))|(^?.*(Irc Proxy v)))|(^?.*(Daemon port\.\.\.\.)))|(^?.*(BOT_VERSION)))|(^?.*(NICKCRYPT)))|(^?.*(\/etc\/\.core)))|(^?.*(exec.*\/bin\/newgrp)))|(^?.*(deadcafe)))|(^?.*([ \/]snap\.sh)))|(^?.*(Secure atime,ctime,mtime)))|(^?.*(Can\'t fix checksum)))|(^?.*(Promisc Dectection)))|(^?.*(ADMsn0ofID)))|(^?.*((cd \/; uname -a; pwd; id))))|(^?.*(drw0rm)))|(^?.*([Rr][Ee3][Ww][Tt][Ee3][Dd])))|(^?.*(rpc\.sadmin)))|(^?.*(AbraxaS)))|(^?.*(\[target\])))|(^?.*(ID_SENDSYN)))|(^?.*(ID_DISTROIT)))|(^?.*(by Mixter)))|(^?.*(rap(e?)ing.*using weapons)))|(^?.*(spsiod)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD]))/ /usr/local/bro/policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/ /usr/local/bro/policy/login.bro, line 147: run-time error: error compiling pattern /((^?.*(^[!-~]*( ?)[#%$] ))|(^?.*(.*no job control)))|(^?.*(WinGate>))/ /usr/local/bro/policy/login.bro, line 149: run-time error: error compiling pattern /^?.*(^ *#.*#)/ /usr/local/bro/policy/login.bro, line 151: run-time error: error compiling pattern /^?.*(VT666|007)/ /usr/local/bro/policy/irc.bro, line 60: run-time error: error compiling pattern /(((^?.*(.*etc\/shadow.*))|(^?.*(.*etc\/ldap.secret.*)))|(^?.*(.*phatbot.*)))|(^?.*(.*botnet.*))/ /usr/local/bro/policy/irc.bro, line 171: run-time error: error compiling pattern /^?.*(.*:$)/ /usr/local/bro/policy/stepping.bro, line 75: run-time error: error compiling pattern /(^?.*(^([Ll]ast +(successful)? 
*login)))|(^?.*(^Last interactive login))/ /usr/local/bro/policy/stepping.bro, line 78: run-time error: error compiling pattern /^?.*(\001)/ /usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/ /usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/ /usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/ /usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/ /usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/ /usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/ /usr/local/bro/policy/notice-policy.bro, line 58: run-time error: error compiling pattern /^?.*(Solaris listen service)/ /usr/local/bro/policy/notice-policy.bro, line 67: run-time error: error compiling pattern /^?.*(.*\.(gif|GIF|png|PNG|jpg|JPG))/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /(^?.*(^?(.*exe)$?))|(^?.*((((^?(.*etc\/shadow.*)$?)|(^?(.*etc\/ldap.secret.*)$?))|(^?(.*phatbot.*)$?))|(^?(.*botnet.*)$?)))/ /usr/local/bro/bin/bro: problem with interface eth0 - pcap_open_live: socket: Operation not permitted ... 
FAILED ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From robin at icir.org Fri Mar 14 16:09:13 2008 From: robin at icir.org (Robin Sommer) Date: Fri, 14 Mar 2008 16:09:13 -0700 Subject: [Bro] (no subject) In-Reply-To: <20080314143413.016u9wz1ckcw0ogo@correo.seguridad.unam.mx> References: <20080314143413.016u9wz1ckcw0ogo@correo.seguridad.unam.mx> Message-ID: <20080314230913.GH35506@icir.org> On Fri, Mar 14, 2008 at 14:34 -0500, bec_agarcia at correo.seguridad.unam.mx wrote: > i try to start up bro on ubuntu but when i execute > /usr/local/bro/etc/bro.rc --start, i recive the next output with a lot > of errors, but i dont know where and how i can resolve them, anybody > help me please Please see if this helps: http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22 Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Fri Mar 14 16:25:35 2008 From: robin at icir.org (Robin Sommer) Date: Fri, 14 Mar 2008 16:25:35 -0700 Subject: [Bro] Memory Usage In-Reply-To: <46ee7b1c0803141216l744879d7x1c1bd10f265a4617@mail.gmail.com> References: <46ee7b1c0803141216l744879d7x1c1bd10f265a4617@mail.gmail.com> Message-ID: <20080314232535.GI35506@icir.org> On Fri, Mar 14, 2008 at 12:16 -0700, Joel Ebrahimi wrote: > I have been testing Bro 1.2.1 and the current 1.3.2. In both cases over time > the memory is eventaully exhausted. In general that can have a number of reasons. An internal memory leak is one of them but not necessarily the most likely. The best thing to do first is loading profile.bro. It will produce an output file prof.log containing regular snapshots of the amount of state stored inside various of Bro's components. Admittedly, prof.log is a bit cryptic; feel free to send me a copy if you need help interpreting it. One very typical problem is that one of the script-level variables gets large. 
If that is the case, the variable should show up in prof.log in the sections starting with "Global_sizes > 100k". The memory amounts given there are only very rough estimates, but generally the big hitters in terms of script-level state will show up.

That said, a few leaks have been fixed since 1.3.2. Try the current trunk to see if it changes anything; one or two more are fixed in my development branch (see http://www.bro-ids.org/wiki/index.php/Subversion#Public_Access for how to get the code out of the Subversion repository).

Robin

--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From bec_agarcia at correo.seguridad.unam.mx Sat Mar 15 21:11:08 2008
From: bec_agarcia at correo.seguridad.unam.mx (bec_agarcia at correo.seguridad.unam.mx)
Date: Sat, 15 Mar 2008 23:11:08 -0500
Subject: [Bro] Problems running Bro
Message-ID: <20080315231108.qilcghthl1c40cso@correo.seguridad.unam.mx>

Sorry, but when I try to read a file I receive the following output:

root at lobito:/usr/local/bro/etc# /usr/local/bro/bin/bro -r segment190.pcap
line 1: error: can't open bro.init
root at lobito:/usr/local/bro/etc# netstat -natu -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address          State        PID/Program name
tcp        0      0 127.0.0.1:2208           0.0.0.0:*                LISTEN       2317/hpiod
tcp        0      0 127.0.0.1:36942          0.0.0.0:*                LISTEN       2320/python
tcp        0      0 0.0.0.0:111              0.0.0.0:*                LISTEN       2006/portmap
tcp        0      0 0.0.0.0:113              0.0.0.0:*                LISTEN       2619/inetd
tcp        0      0 0.0.0.0:39636            0.0.0.0:*                LISTEN       2709/rpc.statd
tcp        0      0 127.0.0.1:631            0.0.0.0:*                LISTEN       2433/cupsd
tcp        0      0 127.0.0.1:25             0.0.0.0:*                LISTEN       2563/exim4
udp        0      0 0.0.0.0:32768            0.0.0.0:*                             2507/avahi-daemon:
udp        0      0 0.0.0.0:32770            0.0.0.0:*                             2709/rpc.statd
udp        0      0 192.168.150.134:32787    192.168.150.2:53         ESTABLISHED  21988/bro
udp        0      0 0.0.0.0:68               0.0.0.0:*                             3184/dhclient
udp        0      0 0.0.0.0:5353             0.0.0.0:*                             2507/avahi-daemon:
udp        0      0 0.0.0.0:111              0.0.0.0:*                             2006/portmap
udp        0      0 0.0.0.0:631              0.0.0.0:*                             2433/cupsd
udp        0      0 0.0.0.0:765              0.0.0.0:*                             2709/rpc.statd

Does anybody know what I'm doing wrong? Or do I have to set another option to read this file? Thanks.

From vallentin at ICSI.Berkeley.EDU Sun Mar 16 01:36:01 2008
From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin)
Date: Sun, 16 Mar 2008 09:36:01 +0100
Subject: [Bro] Problems running Bro
In-Reply-To: <20080315231108.qilcghthl1c40cso@correo.seguridad.unam.mx>
References: <20080315231108.qilcghthl1c40cso@correo.seguridad.unam.mx>
Message-ID: <4301B0B9-5A40-4F58-9A49-C30C2ACCD387@icsi.berkeley.edu>

On Mar 16, 2008, at 5:11 AM, bec_agarcia at correo.seguridad.unam.mx wrote:

> Sorry, but when I try to read a file I receive the following output:
>
> root at lobito:/usr/local/bro/etc# /usr/local/bro/bin/bro -r
> segment190.pcap
> line 1: error: can't open bro.init

This error means that Bro cannot find the policy scripts.
The environment variable $BROPATH should contain the path to your policy script directory and to all other custom directories that include policy script files:

% BRO_DIR="/path/to/bro"
% export BROPATH="${BRO_DIR}/policy:${BRO_DIR}/policy/local:${BRO_DIR}/policy/sigs"

Matthias

--
Matthias Vallentin
vallentin at icsi.berkeley.edu
pgp/gpg: 0x37F34C16

From bec_agarcia at correo.seguridad.unam.mx Sun Mar 16 14:06:10 2008
From: bec_agarcia at correo.seguridad.unam.mx (bec_agarcia at correo.seguridad.unam.mx)
Date: Sun, 16 Mar 2008 16:06:10 -0500
Subject: [Bro] (no subject)
In-Reply-To: <20080314230913.GH35506@icir.org>
References: <20080314143413.016u9wz1ckcw0ogo@correo.seguridad.unam.mx> <20080314230913.GH35506@icir.org>
Message-ID: <20080316160610.w7mfnb4fgowkocsg@correo.seguridad.unam.mx>

Thanks for replying to my email. Well, I did the things from the web page http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22 but I still have problems with Bro. After running these three lines:

$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
$ make

I get the following output:

root at lobito:~/Desktop# bro -r seg190-5-21-19febrero08.tcpdump tcp alarm weird ftp smtp
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no
such host: si3003.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com /usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/ /usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|( ^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\. (tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?. *(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))| (^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/ /usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/ /usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/ /usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/ /usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/ /usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/ /usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/ /usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern 
/^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/
/usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/
/usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/
/usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/

Does this error alter the final traffic analysis? Does this problem create a lot of false positives? How can I resolve this problem?
Thanks for all.

Robin Sommer wrote:
>
> On Fri, Mar 14, 2008 at 14:34 -0500,
> bec_agarcia at correo.seguridad.unam.mx wrote:
>
>> I am trying to start up Bro on Ubuntu, but when I execute
>> /usr/local/bro/etc/bro.rc --start I receive the following output with a lot
>> of errors, and I don't know where and how I can resolve them. Can anybody
>> help me, please?
>
> Please see if this helps:
>
> http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>

From bro1338 at yahoo.com Wed Mar 26 00:43:51 2008
From: bro1338 at yahoo.com (Navdeep Singh)
Date: Wed, 26 Mar 2008 00:43:51 -0700 (PDT)
Subject: [Bro] URL and datastructures.....
Message-ID: <440012.9491.qm@web46315.mail.sp1.yahoo.com>

Hi everyone, please help me out.

Actually I want to find out the URLs visited by the users. Please tell me how to do that. I'm trying to do that by using the following event:

global http_request: event(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	print original_URI."------";
	}

but I don't know the data structure of original_URI. Please tell me where these data structures are defined, like the data structure for c: connection, which is:

type connection: record {
	id: conn_id;
	orig: endpoint;
	resp: endpoint;
	start_time: time;
	duration: interval;
	service: string;	# if empty, service not yet determined
	addl: string;
	hot: count;
	history: string;
};

If you have another idea, please let me know. I'm new to Bro. I will be very thankful to you.

Thanks & Regards
Navdeep Singh
+91-094640-77449

---------------------------------
Looking for last minute shopping deals? Find them fast with Yahoo! Search.
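An added example, not from this thread and not from Bro's own policy scripts, that answers the question above without touching the internals of http-request.bro: it keeps the request line from http_request, picks up the Host header from http_header, and prints the complete URL when http_message_done fires for the request side. Only these core HTTP events and a few builtins (fmt, to_upper, network_time) are used. Assumptions: the script is written against Bro 1.x syntax as used elsewhere in this thread; the HTTP analyzer is active because handlers for its events are defined (or because the site's policy loads http); and one outstanding request per connection, so a pipelined second request simply replaces the first (the table names are illustrative).

```bro
# Added example (not part of the thread or of the Bro distribution):
# print "METHOD http://host/uri" for every completed HTTP request.

# Per-connection state for the request currently being parsed.
# Assumption: one outstanding request per connection (no pipelining).
global url_method: table[conn_id] of string;
global url_orig_uri: table[conn_id] of string;	# URI as seen on the wire
global url_host: table[conn_id] of string;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	url_method[c$id] = method;
	# Keep the original (still %-encoded) URI for the log: it is what the
	# client actually sent, which is what forensics needs.  Match any
	# signatures against unescaped_URI instead, so that %2e%2e%2f-style
	# encoding cannot hide a traversal from the detector.
	url_orig_uri[c$id] = original_URI;
	# Fall back to the responder address until a Host header shows up.
	url_host[c$id] = fmt("%s", c$id$resp_h);
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only request-side headers carry the Host field we want; the
	# analyzer delivers names in upper case, to_upper() makes that explicit.
	if ( is_orig && to_upper(name) == "HOST" && c$id in url_method )
		url_host[c$id] = value;
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# The request message is complete: request line and all headers seen.
	if ( ! is_orig || c$id !in url_method )
		return;

	print fmt("%s %s %s http://%s%s", network_time(), c$id$orig_h,
	          url_method[c$id], url_host[c$id], url_orig_uri[c$id]);

	delete url_method[c$id];
	delete url_orig_uri[c$id];
	delete url_host[c$id];
	}

event connection_state_remove(c: connection)
	{
	# Drop state for requests that never completed (connection torn down
	# mid-request), so these script-level tables cannot grow without bound.
	if ( c$id in url_method )
		{
		delete url_method[c$id];
		delete url_orig_uri[c$id];
		delete url_host[c$id];
		}
	}
```

Save it as, say, urls.bro in a directory on $BROPATH and run `bro -r trace.pcap urls.bro`. The cleanup in connection_state_remove is deliberate: a table keyed by conn_id that is only ever filled is exactly the kind of growing script-level variable that the Memory Usage thread above says shows up under "Global_sizes" in prof.log.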
From seth at net.ohio-state.edu Wed Mar 26 05:55:01 2008
From: seth at net.ohio-state.edu (Seth Hall)
Date: Wed, 26 Mar 2008 08:55:01 -0400
Subject: [Bro] URL and datastructures.....
In-Reply-To: <440012.9491.qm@web46315.mail.sp1.yahoo.com>
References: <440012.9491.qm@web46315.mail.sp1.yahoo.com>
Message-ID: <8790C77B-8B11-46F3-9512-6619756FBCE6@net.ohio-state.edu>

On Mar 26, 2008, at 3:43 AM, Navdeep Singh wrote:

> Hi everyone, please help me out.
> Actually I want to find out the URLs visited by the users. Please
> tell me how to do that.
> I'm trying to do that by using the following event:
>
> global http_request: event(c: connection, method: string,
> original_URI: string, unescaped_URI: string, version: string)

That's the right event to be handling. You need to handle the event like this...

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	print original_URI;
	}

but, if you want the full url, you can handle a different event. Here's an example...

@load http-entity
@load http-reply

module HTTP;

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig )
		{
		local s = lookup_http_request_stream(c);
		local msg = get_http_message(s, is_orig);
		local host = (s$next_request$host == "") ? fmt("%s", c$id$resp_h) : s$next_request$host;
		# r (the pending request record) is not defined in this snippet as posted.
		local url = fmt("%s http://%s%s", r$method, host, r$URI);
		print url;
		}
	}

> but I don't know the data structure of original_URI. Please tell me
> where these data structures are defined, like the data structure for
> c: connection, which is...

original_URI is just a string. There isn't any underlying data structure to it.

.Seth

From bro1338 at yahoo.com Thu Mar 27 02:54:07 2008
From: bro1338 at yahoo.com (Navdeep Singh)
Date: Thu, 27 Mar 2008 02:54:07 -0700 (PDT)
Subject: [Bro] building custom scripts.....
Message-ID: <250142.51329.qm@web46311.mail.sp1.yahoo.com>

Hi everyone, somebody please help me. How can I build custom scripts? Please give me a
small piece of code, like:

    @load .......    <-------  // I don't know what this is used for...
    @prefix ......   <------   // same problem with this.....

And do we need to save it as xxx.bro and store it in the SITE directory, and can we
access it as

    #bro -r trace.out xxx.bro

Please tell me the procedure so that I can get started.

Thanks & Regards
Navdeep Singh
094640-77449

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080327/d5da2fbc/attachment.html

From ssmit7 at gmail.com Mon Mar 31 12:11:22 2008
From: ssmit7 at gmail.com (Stephen Smith)
Date: Mon, 31 Mar 2008 15:11:22 -0400
Subject: [Bro] scan.bro error
Message-ID:

Hello,

I checked out and built the latest version from the stable svn tree, and now startup is
failing on an error from the scan.bro policy.
    bro.rc: Starting ..........bro.rc: Failed to start Bro
    /usr/local/bro/policy/scan.bro, line 302 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 313 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 313 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 377 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 377 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 385 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 385 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 398 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 398 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 421 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 421 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 424 (): error, empty list in untyped initialization
    /usr/local/bro/policy/scan.bro, line 424 (&mergeable): error, &mergeable only applicable to tables/sets
    /usr/local/bro/policy/scan.bro, line 448 (): error, empty list in untyped initialization
    ...
    FAILED

I see the "set() &mergeable" notation in other policy files, and I'm not sure I see what
is different in this one. Let me know if you need more supporting info.

Thanks,
-Stephen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080331/9a1f76b3/attachment.html

From robin at icir.org Mon Mar 31 21:30:00 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 31 Mar 2008 21:30:00 -0700
Subject: [Bro] scan.bro error
In-Reply-To:
References:
Message-ID: <20080401043000.GA2045@icir.org>

On Mon, Mar 31, 2008 at 15:11 -0400, you wrote:
> I checked out and built the latest version from the stable svn tree, and now
> startup is failing on an error from the scan.bro policy.

Any chance that you're mixing the bro binary with policy scripts from a different Bro
version?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From bro1338 at yahoo.com Mon Mar 31 22:37:36 2008
From: bro1338 at yahoo.com (Navdeep Singh)
Date: Mon, 31 Mar 2008 22:37:36 -0700 (PDT)
Subject: [Bro] URL and datastructures.....
In-Reply-To: <8790C77B-8B11-46F3-9512-6619756FBCE6@net.ohio-state.edu>
Message-ID: <244449.85120.qm@web46316.mail.sp1.yahoo.com>

Hello Mr. Seth,

The code you have provided is untested. It is not working and it's not giving URLs.
Please review it and send the exact code. I will be very thankful to you.

    @load http-entity
    @load http-reply

    module HTTP;

    event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
        {
        if ( is_orig )
            {
            local s = lookup_http_request_stream(c);
            # The request that this client message completes.
            local r = s$next_request;
            # Fall back to the server address when no Host header was seen.
            local host = (r$host == "") ? fmt("%s", c$id$resp_h) : r$host;
            local url = fmt("%s http://%s%s", r$method, host, r$URI);
            print url;
            }
        }

Thanks & Regards
Navdeep Singh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080331/83ac559f/attachment.html
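The following script is an added example for the URL question in this thread; it is not code from Seth's reply, from Navdeep, or from the Bro distribution. It answers the same question (one line per client request in the form "METHOD http://host/path") using only the http_request, http_header and http_message_done events quoted above, so it does not reach into the request-stream records of the stock http scripts. It also covers the case the shorter handler misses: an HTTP/1.0 request with no Host header, where the server address is printed instead, and it drops per-connection state when the connection goes away. The names url_request and url_pending are my own; the script assumes Bro 1.x script syntax, that the three events carry the signatures shown in this thread, that header names from http_header may arrive in any case (hence the to_upper() comparison), and that http.bro is available to @load.

```bro
# Added example, not from the thread or the Bro distribution.
# Prints "METHOD http://host/path" for every client HTTP request.

@load http   # stock HTTP script; assumed present in the policy directory

# One pending request per connection (names are this example's own).
type url_request: record {
	method: string;
	uri: string;
	host: string;	# empty until a Host header is seen
};

global url_pending: table[conn_id] of url_request;

event http_request(c: connection, method: string, original_URI: string,
			unescaped_URI: string, version: string)
	{
	# A client's requests on one connection arrive in order, so one
	# slot per connection is enough even with pipelining.
	url_pending[c$id] = [$method = method, $uri = original_URI, $host = ""];
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only the client side carries Host. Compare case-insensitively
	# rather than assume the analyzer upcases header names.
	if ( is_orig && c$id in url_pending && to_upper(name) == "HOST" )
		url_pending[c$id]$host = value;
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Fires once the whole client message (headers and body) is in,
	# so the Host header, if any, has been seen by now.
	if ( ! is_orig || c$id !in url_pending )
		return;

	local r = url_pending[c$id];
	# HTTP/1.0 clients may send no Host header: fall back to the server IP.
	local host = (r$host == "") ? fmt("%s", c$id$resp_h) : r$host;
	print fmt("%s http://%s%s", r$method, host, r$uri);
	delete url_pending[c$id];
	}

event connection_state_remove(c: connection)
	{
	# Drop state for connections that ended before the request completed.
	if ( c$id in url_pending )
		delete url_pending[c$id];
	}
```

Save it as, for example, url.bro and run it against a trace the way Navdeep proposed, bro -r trace.out url.bro; each completed client request then prints one line such as GET http://www.example.com/index.html. Because the script keys on conn_id and deletes the entry when the request completes, a long-running capture does not accumulate state.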