From talebihossain at gmail.com Sat Nov 1 04:59:03 2008
From: talebihossain at gmail.com (hossein talebi)
Date: Sat, 1 Nov 2008 15:29:03 +0330
Subject: [Bro] what is range of "count" type in Bro?
Message-ID: <4806f1a30811010459kdc9164r77751ba1da4c8ec6@mail.gmail.com>

Hi

1. what is the range of the count type?
2. how to access a higher range?
3. what is the equivalent of "double" in Bro?

regards
-- 
Talebi Mazraeh Shahi Hossein

From mayank at in.niksun.com Sat Nov 1 05:55:40 2008
From: mayank at in.niksun.com (mayank at in.niksun.com)
Date: Sat, 1 Nov 2008 18:25:40 +0530
Subject: [Bro] what is range of "count" type in Bro?
In-Reply-To: <4806f1a30811010459kdc9164r77751ba1da4c8ec6@mail.gmail.com>
References: <4806f1a30811010459kdc9164r77751ba1da4c8ec6@mail.gmail.com>
Message-ID: <200811011825.40990.mayank@in.niksun.com>

On Saturday 01 Nov 2008 5:29:03 pm hossein talebi wrote:
> Hi

Hi,

I am not sure but it looks like

> 1. what is range of count type?

misc_integer so maybe range should be (2**31) .. (2**31-1) on 32-bit architectures, and -(2**63) .. (2**63-1) on 64-bit architectures.

> 2. how to access higher range?

How much higher you want to go for?

> 3. what is equivalent "double" in Bro?
>
> regard

-- 
----------------------------------------------------------------------------
Regards
Mayank Jain Nawal
Software Engineer, VoIP & Media Solns,
mayank at in.niksun.com
Voice: +91(124) 2316012 x201

From talebihossain at gmail.com Sat Nov 1 23:43:37 2008
From: talebihossain at gmail.com (hossein talebi)
Date: Sun, 2 Nov 2008 10:13:37 +0330
Subject: [Bro] How to obtain RTT in Bro?
Message-ID: <4806f1a30811012343o218ff717vcc5fbc4678af0376@mail.gmail.com>

How to obtain RTT in Bro?

-- 
Talebi Mazraeh Shahi Hossein
From christoph.leuzinger at cs.uni-dortmund.de Mon Nov 3 07:38:08 2008
From: christoph.leuzinger at cs.uni-dortmund.de (Christoph Leuzinger)
Date: Mon, 3 Nov 2008 16:38:08 +0100
Subject: [Bro] Small Cluster Shell Portability Fix
Message-ID: <20081103163808.642ec2e2.christoph.leuzinger@cs.uni-dortmund.de>

Hi,

I just tried the cluster shell in standalone mode on NetBSD, and it works fine. One minor glitch: The top command doesn't work. I think cluster-helper/get-childs contains some Linuxism; furthermore I added a suitable top command for NetBSD to cluster-helper/top.in. The attached patch (against Rev. 6342 in Robin's development branch) should fix both issues.

Cheers,
Christoph

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cluster-helper-portability.patch
Type: text/x-diff
Size: 977 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081103/e1591dad/attachment.bin

From robin at icir.org Mon Nov 3 10:33:18 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Nov 2008 10:33:18 -0800
Subject: [Bro] Offline/Tracefile Traffic Classification with Bro
In-Reply-To:
References: <20081022214111.GH66645@icir.org>
Message-ID: <20081103183318.GG5795@icir.org>

On Thu, Oct 30, 2008 at 18:10 +0100, you wrote:

> I am hoping that with Bro mechanism, I can classify packets/flows
> easier with higher accuracy.

Bro cannot directly classify the connections *and* extract all of their packets. You could use Bro to classify them first, and then use some other tool to extract all relevant connections.
Perhaps NetDude might come in handy as well, see http://netdude.sourceforge.net/plugins-libnetdude.html#appdemux and perhaps http://netdude.sourceforge.net/plugins-libnetdude.html#demux

I'm sure one could also write a NetDude plugin which takes a list of connections and then writes all packets belonging to one of them into the output file.

>> Another question, can Bro handle the compressed trace file by itself
>> or I always have to use zcat?

You need to use zcat but that's usually not a problem.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Nov 3 10:43:59 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Nov 2008 10:43:59 -0800
Subject: [Bro] NUL-related error messages
In-Reply-To: <49097DF3.7070508@seclab.tuwien.ac.at>
References: <4908A538.5080101@seclab.tuwien.ac.at> <49097DF3.7070508@seclab.tuwien.ac.at>
Message-ID: <20081103184359.GH5795@icir.org>

On Thu, Oct 30, 2008 at 10:27 +0100, you wrote:

> Do i need to somehow preprocess the data string before matching it? How
> can I make Bro successfully match such payloads?

I think match_pattern() does indeed not deal well with strings containing null bytes. Not sure how easy it would be to fix that. Depending on what exactly you want to do, you could try to work around that:

- ignore the warnings if you aren't interested in these particular strings anyway
- use the "/pattern/ in data" operator if that's sufficient
- see if one of the other string functions in string.bif provide enough functionality and work better (likely not)
- escape the data with string_escape() and adjust the regexp if necessary

All not very nice, admittedly.
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Nov 3 10:52:43 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Nov 2008 10:52:43 -0800
Subject: [Bro] Small Cluster Shell Portability Fix
In-Reply-To: <20081103163808.642ec2e2.christoph.leuzinger@cs.uni-dortmund.de>
References: <20081103163808.642ec2e2.christoph.leuzinger@cs.uni-dortmund.de>
Message-ID: <20081103185243.GK5795@icir.org>

> suitable top command for NetBSD to cluster-helper/top.in. The attached
> patch (against Rev. 6342 in Robin's development branch) should fix both
> issues.

Applied, thanks!
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Nov 3 10:58:17 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Nov 2008 10:58:17 -0800
Subject: [Bro] Broken scan.bro script
In-Reply-To: <20081028170728.4ab037de.christoph.leuzinger@cs.uni-dortmund.de>
References: <20081028170728.4ab037de.christoph.leuzinger@cs.uni-dortmund.de>
Message-ID: <20081103185817.GA49374@icir.org>

On Tue, Oct 28, 2008 at 17:07 +0100, Christoph Leuzinger wrote:

> Loading the conn.bro script in scan.bro helps (though I'm not sure if
> this is the right thing to do). Bro is starting without complaining now
> and port scans are being detected.

Yes, that's the right solution. We'll fix it, thanks.
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Nov 3 11:00:33 2008
From: robin at icir.org (Robin Sommer)
Date: Mon, 3 Nov 2008 11:00:33 -0800
Subject: [Bro] Log Rotate
In-Reply-To: <43d31ea30810300849x41bccb04h19930630bde0b9fd@mail.gmail.com>
References: <43d31ea30810300849x41bccb04h19930630bde0b9fd@mail.gmail.com>
Message-ID: <20081103190033.GB49374@icir.org>

On Thu, Oct 30, 2008 at 11:49 -0400, noah zak wrote:

> When running the rotate-logs script I want the logs to be moved into a
> separate directory that the newly created logs.

You can define a postprocessor to be run after rotation which can move the files somewhere else. There's actually a script in the distribution to do just that, see aux/scripts/mvfile (the beginning of the script explains how to set this up).
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From talebihossain at gmail.com Tue Nov 4 04:49:25 2008
From: talebihossain at gmail.com (hossein talebi)
Date: Tue, 4 Nov 2008 16:19:25 +0330
Subject: [Bro] How to install linux(fedora 8)from network?
Message-ID: <4806f1a30811040449n72feffddp8844b414991ff05a@mail.gmail.com>

Hi

I want to install linux (Fedora core 8) but I have no DVD ROM for installing linux on my PC, and I want to install it from the network. I have the following equipment:

1. there is one DVD ROM on another PC (how to install from this DVD ROM?)
2. there is a backup fedora DVD on other PCs (how to install from this?)
3. there is a backup fedora DVD (iso version) on my PC and another PC (how to install from these?)

note: I won't install linux by vmware

-- 
Talebi Mazraeh Shahi Hossein
From talebihossain at gmail.com Tue Nov 4 05:34:52 2008
From: talebihossain at gmail.com (hossein talebi)
Date: Tue, 4 Nov 2008 17:04:52 +0330
Subject: [Bro] How to obtain RTT in Bro?
In-Reply-To:
References: <4806f1a30811012343o218ff717vcc5fbc4678af0376@mail.gmail.com>
Message-ID: <4806f1a30811040534i7dc451e1sed1c3a3a8c93ad6f@mail.gmail.com>

hi

I want to obtain the RTT for the establishment phase of TCP connections, i.e. the time between sending the SYN and receiving the SYN-ACK. I looked at policy/remote-ping.bro and ran it on a pcap file, but I don't receive any output and I don't understand it.

note:
1. I use bro-ids version 1.2
2. I am working offline on pcap trace files for network analysis

please help me

On Mon, Nov 3, 2008 at 11:01 PM, rmkml wrote:

> hi hossein,
> what RTT is for you please ?
> it is Round Trip Time ?
> maybe found on:
> bro-1.4/src/RemoteSerializer.cc
> bro-1.4/policy/remote-ping.bro
> Regards
> Rmkml
> Crusoe-Researches.com
>
> On Sun, 2 Nov 2008, hossein talebi wrote:
>
>> Date: Sun, 2 Nov 2008 10:13:37 +0330
>> From: hossein talebi
>> To: Bro-ids
>> Subject: [Bro] How to obtain RTT in Bro?
>>
>> How to obtain RTT in Bro?
>>
>> --
>> Talebi Mazraeh Shahi Hossein
>>
>>

-- 
Talebi Mazraeh Shahi Hossein

From vern at icir.org Tue Nov 4 07:41:07 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 04 Nov 2008 07:41:07 -0800
Subject: [Bro] How to install linux(fedora 8)from network?
In-Reply-To: <4806f1a30811040449n72feffddp8844b414991ff05a@mail.gmail.com> (Tue, 04 Nov 2008 16:19:25 +0330).
Message-ID: <200811041541.mA4FfBrk006374@pork.ICSI.Berkeley.EDU>

> i want install linux(Fedora core 8)

This is not an appropriate question for this mailing list.
		Vern

From vern at icir.org Tue Nov 4 07:44:34 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 04 Nov 2008 07:44:34 -0800
Subject: [Bro] How to obtain RTT in Bro?
In-Reply-To: <4806f1a30811040534i7dc451e1sed1c3a3a8c93ad6f@mail.gmail.com> (Tue, 04 Nov 2008 17:04:52 +0330).
Message-ID: <200811041544.mA4FibjN006435@pork.ICSI.Berkeley.EDU>

> i look at policy/remote-ping.bro and run on pcap file

Please do more research before posting to the mailing list. If you read the comments at the top of policy/remote-ping.bro, you'll see it's for use between multiple Bro's that are communicating with one another, and has nothing to do with measuring RTT in traces. If you searched on /RTT/ in the Bro sources & scripts you'll see there's no mention of it - Bro does not compute this value.

		Vern

From bec_agarcia at correo.seguridad.unam.mx Tue Nov 4 15:05:32 2008
From: bec_agarcia at correo.seguridad.unam.mx (Armin García López)
Date: Tue, 04 Nov 2008 17:05:32 -0600
Subject: [Bro] Looking for selecting tLooking for a thesis topic in the area of IDS for my master
Message-ID: <20081104170532.60bu25o1noccokc0@correo.seguridad.unam.mx>

Hi !!!

I am looking for a thesis topic in the area of IDS for my Computer Science Major degree, any ideas, any help would be greatly appreciated

thanks so much

Ing. Armin García López
Proyecto Honeynet-UNAM
Departamento de Seguridad en Cómputo
DGSCA UNAM-CERT
- - - - - - - - - - -
www.seguridad.unam.mx
Tel. 5622-8169/5622-8047

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From zak.noah at gmail.com Tue Nov 4 15:48:36 2008
From: zak.noah at gmail.com (noah zak)
Date: Tue, 4 Nov 2008 18:48:36 -0500
Subject: [Bro] Log Rotate
In-Reply-To: <20081103190033.GB49374@icir.org>
References: <43d31ea30810300849x41bccb04h19930630bde0b9fd@mail.gmail.com> <20081103190033.GB49374@icir.org>
Message-ID: <43d31ea30811041548t288aa910nd76c056d351d98fc@mail.gmail.com>

Thank you, that is how I was able to accomplish the task.

On Mon, Nov 3, 2008 at 2:00 PM, Robin Sommer wrote:

>
> On Thu, Oct 30, 2008 at 11:49 -0400, noah zak wrote:
>
> > When running the rotate-logs script I want the logs to be moved into a
> > separate directory that the newly created logs.
>
> You can define a postprocessor to be run after rotation which can
> move the files somewhere else. There's actually a script in the
> distribution to do just that, see aux/scripts/mvfile (the beginning
> of the script explains how to set this up).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org
>

From akkala at Colorado.edu Tue Nov 4 19:05:12 2008
From: akkala at Colorado.edu (Sirisha)
Date: Tue, 4 Nov 2008 20:05:12 -0700 (MST)
Subject: [Bro] Problem installing Bro
Message-ID: <20081104200512.AFI83810@riddler.int.colorado.edu>

Hi

I'm trying to install Bro from the source code in Robin's work branch. When I try the command './autogen.sh && ./configure && make', BRO Build Tools Setup and Binpac Build Tools Setup go smoothly, but it errors out on Broccoli Build Tools Setup. Following is the message.

aclocal
----------------------------------------------------
running autoheader
----------------------------------------------------
running automake
----------------------------------------------------
src/Makefile.am:94: Libtool library used but `LIBTOOL' is undefined
src/Makefile.am:94:
src/Makefile.am:94: The usual way to define `LIBTOOL' is to add `AC_PROG_LIBTOOL'
src/Makefile.am:94: to `configure.in' and run `aclocal' and `autoconf' again.
*** ERROR(broccoli), aborting.
*** ERROR(bro), aborting.

I have libtool ver 2.2.6 installed on my computer. Can you please tell me what might be wrong?

thanks,
sirisha.

From pw at seclab.tuwien.ac.at Wed Nov 5 09:22:44 2008
From: pw at seclab.tuwien.ac.at (Peter Wurzinger)
Date: Wed, 05 Nov 2008 18:22:44 +0100
Subject: [Bro] crash with std::bad_alloc
Message-ID: <4911D664.802@seclab.tuwien.ac.at>

Hi!
I am running my own bro policy script (bro 1.4, debian lenny), together with a set of signatures that should be matched. After a few hours of runtime bro always and repeatably crashes, with the following error message:

terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc

Bit by bit I stripped parts from my script in order to find the critical part, and I ended up with a script as trivial as:

@load conn
@load notice
@load notice-action-filters

redef use_connection_compressor = F;
redef capture_filters = {["ALL"] = ""};
redef dpd_match_only_beginning = F;
redef local_nets[...];
redef signature_files += "./my_signatures.sig";

The critical part seems to be the signature matching. When including my signatures, the error occurs. When commenting out the last redef line, it works without crashing (at least for a much longer time until I terminate it deliberately; I cannot be totally sure that it wouldn't have crashed later). Note that I don't even handle the signature matches anymore, still the error occurs.

My signature file is approx 100Kb, contains more than 600 signatures, and all of them look like:

signature xxx {
    dst-ip == local_nets
    event "xxx"
    payload /xxx/
}

I'd be very happy about learning what exactly causes the error, and of course how to avoid it.

Regards,
Peter.

From robin at icir.org Wed Nov 5 09:58:57 2008
From: robin at icir.org (Robin Sommer)
Date: Wed, 5 Nov 2008 09:58:57 -0800
Subject: [Bro] crash with std::bad_alloc
In-Reply-To: <4911D664.802@seclab.tuwien.ac.at>
References: <4911D664.802@seclab.tuwien.ac.at>
Message-ID: <20081105175857.GD49777@icir.org>

On Wed, Nov 05, 2008 at 18:22 +0100, Peter Wurzinger wrote:

> terminate called after throwing an instance of 'std::bad_alloc'
>   what():  std::bad_alloc

That sounds like Bro is running out of memory. What's the process' size just before it crashes and how much memory does the machine have?

> matches anymore, still the error occurs. My signature file is approx
> 100Kb, contains more than 600 signatures, and all of them look like:

If it's indeed memory exhaustion, then it looks like either a memory leak in the signature engine or a general problem of handling the many regexps. Generally, the engine can consume quite a bit of memory due to the DFAs it builds incrementally. What do your regexps look like? Do they contain many unanchored subparts (e.g., "foo.*bar")?

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From vern at icir.org Wed Nov 5 10:10:47 2008
From: vern at icir.org (Vern Paxson)
Date: Wed, 05 Nov 2008 10:10:47 -0800
Subject: [Bro] crash with std::bad_alloc
In-Reply-To: <20081105175857.GD49777@icir.org> (Wed, 05 Nov 2008 09:58:57 PST).
Message-ID: <200811051810.mA5IAoKr010892@pork.ICSI.Berkeley.EDU>

Robin writes:

> That sounds like Bro is running out of memory. What's the process'
> size just before it crashes and how much memory does the machine
> have?

Note, you can track resource consumption over time by loading either stats.bro (lightweight) or profiling.bro (more info but larger performance hit).

		Vern

From christian at whoop.org Wed Nov 5 11:50:04 2008
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 05 Nov 2008 11:50:04 -0800
Subject: [Bro] Problem installing Bro
In-Reply-To: <20081104200512.AFI83810@riddler.int.colorado.edu>
References: <20081104200512.AFI83810@riddler.int.colorado.edu>
Message-ID: <1225914604.30165.85.camel@strangepork>

On Tue, 2008-11-04 at 20:05 -0700, Sirisha wrote:
> running automake
> ----------------------------------------------------
> src/Makefile.am:94: Libtool library used but `LIBTOOL' is undefined
> src/Makefile.am:94:
> src/Makefile.am:94: The usual way to define `LIBTOOL' is to add `AC_PROG_LIBTOOL'
> src/Makefile.am:94: to `configure.in' and run `aclocal' and `autoconf' again.
> *** ERROR(broccoli), aborting.
> *** ERROR(bro), aborting.
>
>
> I have libtool ver 2.2.6 installed on my computer. can you please tell me what might be wrong?

I'm afraid I cannot say, since AC_PROG_LIBTOOL is in fact used in Broccoli's configure.in, and we're not using a libtool this new on any of our systems. Sorry.

-- 
Cheers,
Christian

From christian at whoop.org Wed Nov 5 11:52:37 2008
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 05 Nov 2008 11:52:37 -0800
Subject: [Bro] crash with std::bad_alloc
In-Reply-To: <200811051810.mA5IAoKr010892@pork.ICSI.Berkeley.EDU>
References: <200811051810.mA5IAoKr010892@pork.ICSI.Berkeley.EDU>
Message-ID: <1225914757.30165.88.camel@strangepork>

On Wed, 2008-11-05 at 10:10 -0800, Vern Paxson wrote:
> Note, you can track resource consumption over time by loading
> either stats.bro (lightweight) or profiling.bro (more info but
> larger performance hit).

Since this is a common problem people encounter, these policies are explained (to some extent) at:

http://www.bro-ids.org/wiki/index.php/Development_HOWTOs#How_to_understand_memory_consumption

-- 
Cheers,
Christian

From pw at seclab.tuwien.ac.at Thu Nov 6 03:23:19 2008
From: pw at seclab.tuwien.ac.at (Peter Wurzinger)
Date: Thu, 06 Nov 2008 12:23:19 +0100
Subject: [Bro] crash with std::bad_alloc
In-Reply-To: <20081105175857.GD49777@icir.org>
References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org>
Message-ID: <4912D3A7.6080206@seclab.tuwien.ac.at>

Robin Sommer wrote:
> On Wed, Nov 05, 2008 at 18:22 +0100, Peter Wurzinger wrote:
>
>> terminate called after throwing an instance of 'std::bad_alloc'
>>   what():  std::bad_alloc
>
> That sounds like Bro is running out of memory. What's the process'
> size just before it crashes and how much memory does the machine
> have?

I reran my code using profiling.bro. The memory consumption continuously increased, and the last lines before crashing were:

Memory: total=3126520K total_adj=3116888K malloced: 2878549K
Run-time: user+sys=2861.5 user=2528.8 sys=332.7 real=3390.1
Conns: total=915256 current=19795/19795 ext=0 mem=0K avg=0.0 table=0K connvals=0K
ConnCompressor: pending=0 pending_in_mem=0 full_conns=0 pending+real=0 mem=0K avg=nan/nan
Conns: tcp=7431/8335 udp=11845/20278 icmp=519/783
TCP-States: Inact. Syn. SA Part. Est. Fin. Rst.
TCP-States:Inact. 16 159 2 3
TCP-States:Syn. 106 243 147 14
TCP-States:SA 1 185 64 1
TCP-States:Part. 38 1436 101 175 9
TCP-States:Est. 2052 1023 22
TCP-States:Fin. 3 258 1014 261 6
TCP-States:Rst. 8 12 63 9
Connections expired due to inactivity: 697053
Total reassembler data: 134947K
Timers: current=30215 max=34256 mem=1652K lag=0.00s
        ConnectionDeleteTimer = 180
        ConnectionInactivityTimer = 19688
        NetworkTimer = 1
        ScheduleTimer = 241
        TableValTimer = 2
        TCPConnectionAttemptTimer = 238
        TCPConnectionExpireTimer = 9859
        TCPConnectionResetTimer = 6

>> matches anymore, still the error occurs. My signature file is approx
>> 100Kb, contains more than 600 signatures, and all of them look like:
>
> If it's indeed memory exhaustion, then it looks like either a memory
> leak in the signature engine or a general problem of handling the
> many regexps. Generally, the engine can consume quite a bit of
> memory due to the DFAs it builds incrementally. What do your regexps
> look like? Do they contain many unanchored subparts (e.g.,
> "foo.*bar")?

Yes, '.*' is massively used. Actually, that is the only regexp feature that is used. The patterns generally look like:

".*byte_seq1.*byte_seq2.*byte_seq3.*"

Peter.

From david at vorant.com Thu Nov 6 07:31:52 2008
From: david at vorant.com (David J. Bianco)
Date: Thu, 06 Nov 2008 10:31:52 -0500
Subject: [Bro] "unknown connection id" error
Message-ID: <49130DE8.7010307@vorant.com>

I have some code that's calling get_conn_transport_proto(), and it's usually working fine.
Occasionally, though, it throws an error:

1225984851.691449 /usr/local/bro-1.4/site/restricted-outgoing.bro, line 54 (get_conn_transport_proto(RestrictedOutgoing::c$id) and [orig_h=x.x.x.x, orig_p=57475/tcp, resp_h=y.y.y.y, resp_p=80/tcp]): run-time error, unknown connection id in get_conn_transport_proto()

The code itself looks like this:

print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s %s", network_time(), id_string(c$id), get_conn_transport_proto(c$id));

This is part of a function that is called to handle the following events:

connection_established
connection_attempt
connection_rejected
connection_reset
udp_request

From looking at the code in bro.bif, I can see that this error message is generated when the connection passed as the argument is not found in the list of active connections. I guess I must not be fully understanding something here. If any of the above events occur, shouldn't they occur on valid connections? Or are there some situations in which the connection might not be listed in the active list?

Thanks,
	David

From rmkml at free.fr Thu Nov 6 07:57:01 2008
From: rmkml at free.fr (rmkml)
Date: Thu, 6 Nov 2008 16:57:01 +0100 (CET)
Subject: [Bro] create team for update snort2bro script signature ?
Message-ID:

Hi,

Congratulations Bro Team for a new version 1.4 !

I expected that bro is not a snort rules parser, but it's interesting porting snort rules directly to bro... I'm interested in updating snort2bro signatures; I know snort rules, but I don't know how it's implemented in bro script! Anyone interested?

First question: bro contains two scripts, one in perl and one in python, what is the "best"?

Second question: functions not supported:
1) byte_test() is not supported, but is it possible bro contains a similar function?
2) byte_jump() is not supported, but is it possible bro contains a similar function?
Regards
Rmkml
Crusoe-Researches.com

From robin at icir.org Thu Nov 6 09:16:42 2008
From: robin at icir.org (Robin Sommer)
Date: Thu, 6 Nov 2008 09:16:42 -0800
Subject: [Bro] "unknown connection id" error
In-Reply-To: <49130DE8.7010307@vorant.com>
References: <49130DE8.7010307@vorant.com>
Message-ID: <20081106171641.GC41991@icir.org>

On Thu, Nov 06, 2008 at 10:31 -0500, David J. Bianco wrote:

> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
> %s", network_time(), id_string(c$id), get_conn_transport_proto(c$id));
[...]
> Or are there some situations in which the connection might not be
> listed in the active list?

Yes, that can happen. Event processing is decoupled from event generation so it might happen that at the time an event is processed the underlying connection has already been expunged from the internal session table.

In your case, there's an easy fix, assuming the line above is the only problematic case. The transport protocol is also encoded inside the connection's port values, and there's a function to access that information without doing a session-table lookup, get_port_transport_proto().

So try something like this:

print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s %s", network_time(), id_string(c$id), get_port_transport_proto(c$id$orig_p));

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From david at vorant.com Thu Nov 6 11:37:56 2008
From: david at vorant.com (David J. Bianco)
Date: Thu, 06 Nov 2008 14:37:56 -0500
Subject: [Bro] "unknown connection id" error
In-Reply-To: <20081106171641.GC41991@icir.org>
References: <49130DE8.7010307@vorant.com> <20081106171641.GC41991@icir.org>
Message-ID: <49134794.9080403@vorant.com>

Thanks Robin, that worked perfectly!

	David

Robin Sommer wrote:
> On Thu, Nov 06, 2008 at 10:31 -0500, David J. Bianco wrote:
>
>> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
>> %s", network_time(), id_string(c$id), get_conn_transport_proto(c$id));
> [...]
>> Or are there some situations in which the connection might not be
>> listed in the active list?
>
> Yes, that can happen. Event processing is decoupled from event
> generation so it might happen that at the time an event is processed
> the underlying connection has already been expunged from the
> internal session table.
>
> In your case, there's an easy fix, assuming the line above is the
> only problematic case. The transport protocol is also encoded inside
> the connection's port values, and there's a function to access that
> information without doing a session-table lookup,
> get_port_transport_proto().
>
> So try something like this:
>
> print restricted_outgoing_file, fmt("%.6f Restricted Outgoing Connection : %s
> %s", network_time(), id_string(c$id), get_port_transport_proto(c$id$orig_p));
>
> Robin
>

From akkala at Colorado.edu Thu Nov 6 16:24:21 2008
From: akkala at Colorado.edu (Sirisha)
Date: Thu, 6 Nov 2008 17:24:21 -0700 (MST)
Subject: [Bro] Error configuring Bro
Message-ID: <20081106172421.AFK01611@riddler.int.colorado.edu>

Hi

While running the './configure' command in the 'work' directory I get the following error. Any ideas about what might be causing the error?

checking if we should declare socket and friends... no
checking for gethostbyname... yes
checking for socket... yes
checking for putmsg in -lstr... no
checking for local pcap library... not found
checking for pcap_open_live in -lpcap... no
checking for pcap_open_live in -lpcap... no
configure: error: see the INSTALL doc for more info

Thanks,
sirisha.
From mcuttler at bnl.gov Thu Nov 6 16:59:02 2008 From: mcuttler at bnl.gov (Matt Cuttler) Date: Thu, 06 Nov 2008 19:59:02 -0500 Subject: [Bro] Error configuring Bro In-Reply-To: <20081106172421.AFK01611@riddler.int.colorado.edu> Message-ID: ../configure --enable-shippedpcap (other options) might work out for you. What OS / platform? This may not be necessary.. Thanks, Matt Cuttler Quoting Sirisha from 11/6/08 7:24 PM > Hi > While running the './configure' command in 'work' directory I get the > following error. > > any ideas about what might be causing the error? > > checking if we should declare socket and friends... no > checking for gethostbyname... yes > checking for socket... yes > checking for putmsg in -lstr... no > checking for local pcap library... not found > checking for pcap_open_live in -lpcap... no > checking for pcap_open_live in -lpcap... no > configure: error: see the INSTALL doc for more info > > Thanks,sirisha. From fuyiyang at gmail.com Thu Nov 6 17:49:06 2008 From: fuyiyang at gmail.com (fu yiyang) Date: Fri, 7 Nov 2008 09:49:06 +0800 Subject: [Bro] about logs In-Reply-To: References: Message-ID: Hi! When running bro with command ' bro -r pcap *.bro', it will create 2 different logs which are http.log and http.log-date-time. The http.log is an empty file, and the http.log-date-time is the expected result. I can't find the reason. Can someone tell me? Thanks very much! My bro version is 1.2.1. eyoung From christian at whoop.org Thu Nov 6 17:49:51 2008 From: christian at whoop.org (Christian Kreibich) Date: Thu, 06 Nov 2008 17:49:51 -0800 Subject: [Bro] crash with std::bad_alloc In-Reply-To: <4912D3A7.6080206@seclab.tuwien.ac.at> References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org> <4912D3A7.6080206@seclab.tuwien.ac.at> Message-ID: <1226022591.18616.36.camel@strangepork> On Thu, 2008-11-06 at 12:23 +0100, Peter Wurzinger wrote: > I reran my code using profiling.bro.
The memory consumption continuously > increased, and the last lines before crashing were: > > Memory: total=3126520K total_adj=3116888K malloced: 2878549K Try running Bro for a limited amount of time and load print-globals.bro, as pointed out at: http://www.bro-ids.org/wiki/index.php/Development_HOWTOs#print-globals.bro Upon termination, Bro will tell you the amount of memory your global variables have accumulated. If you have a state-keeping problem in one of those variables, you'll spot the issue there. -- Cheers, Christian From rmkml at free.fr Thu Nov 6 21:24:11 2008 From: rmkml at free.fr (rmkml) Date: Fri, 7 Nov 2008 06:24:11 +0100 (CET) Subject: [Bro] crash with std::bad_alloc In-Reply-To: <1226022591.18616.36.camel@strangepork> References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org> <4912D3A7.6080206@seclab.tuwien.ac.at> <1226022591.18616.36.camel@strangepork> Message-ID: Hi Peter, or another idea: load heavy-analysis.bro for reducing *_timeout. Regards Rmkml Crusoe-Researches.com On Thu, 6 Nov 2008, Christian Kreibich wrote: > Date: Thu, 06 Nov 2008 17:49:51 -0800 > From: Christian Kreibich > To: Peter Wurzinger > Cc: Bro at bro-ids.org, Robin Sommer > Subject: Re: [Bro] crash with std::bad_alloc > > On Thu, 2008-11-06 at 12:23 +0100, Peter Wurzinger wrote: >> I reran my code using profiling.bro. The memory consumption continuously >> increased, and the last lines before crashing were: >> >> Memory: total=3126520K total_adj=3116888K malloced: 2878549K > > Try running Bro for a limited amount of time and load print-globals.bro, > as pointed out at: > http://www.bro-ids.org/wiki/index.php/Development_HOWTOs#print-globals.bro > > Upon termination, Bro will tell you the amount of memory your global > variables have accumulated. If you have a state-keeping problem in one > of those variables, you'll spot the issue there. 
> > -- > Cheers, > Christian > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From robin at icir.org Thu Nov 6 22:49:23 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 6 Nov 2008 22:49:23 -0800 Subject: [Bro] create team for update snort2bro script signature ? In-Reply-To: References: Message-ID: <20081107064923.GC59911@icir.org> On Thu, Nov 06, 2008 at 16:57 +0100, you wrote: > First question: bro contains two script, one in perl and one in python, Which Perl script are you referring to? > 1)byte_test() is not supported, but it is possible bro contains similar function ? > 2)byte_jump() is not supported, but it is possible bro contains similar function ? No, sorry, there is no such functionality yet. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From vern at icir.org Thu Nov 6 22:52:55 2008 From: vern at icir.org (Vern Paxson) Date: Thu, 06 Nov 2008 22:52:55 -0800 Subject: [Bro] crash with std::bad_alloc In-Reply-To: (Fri, 07 Nov 2008 06:24:11 +0100). Message-ID: <200811070652.mA76qw9U023842@pork.ICSI.Berkeley.EDU> > or another idea: load heavy-analysis.bro for reducing *_timeout. heavy-analysis does the opposite - raises timeouts and increases resource consumption. (It won't affect memory consumption due to massive .* regular expressions either way.) Vern From rmkml at free.fr Thu Nov 6 21:56:05 2008 From: rmkml at free.fr (rmkml) Date: Fri, 7 Nov 2008 06:56:05 +0100 (CET) Subject: [Bro] create team for update snort2bro script signature ? In-Reply-To: <20081107064923.GC59911@icir.org> References: <20081107064923.GC59911@icir.org> Message-ID: Hi Robin, thx for reply, bro-1.4/scripts/s2b/bin/s2b.pl ? do you know if it is possible adding these features ?
Regards Rmkml Crusoe-Researches.com On Thu, 6 Nov 2008, Robin Sommer wrote: > Date: Thu, 6 Nov 2008 22:49:23 -0800 > From: Robin Sommer > To: bro at ICSI.Berkeley.EDU, rmkml > Subject: Re: [Bro] create team for update snort2bro script signature ? > > > On Thu, Nov 06, 2008 at 16:57 +0100, you wrote: > >> First question: bro contains two script, one in perl and one in python, > > Which Perl script are you referring to? > >> 1)byte_test() is not supported, but it is possible bro contains similar function ? >> 2)byte_jump() is not supported, but it is possible bro contains similar function ? > > No, sorry, there is no such functionality yet. > > Robin > > -- > Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > From robin at icir.org Thu Nov 6 23:10:35 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 6 Nov 2008 23:10:35 -0800 Subject: [Bro] crash with std::bad_alloc In-Reply-To: <4912D3A7.6080206@seclab.tuwien.ac.at> References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org> <4912D3A7.6080206@seclab.tuwien.ac.at> Message-ID: <20081107071035.GD59911@icir.org> On Thu, Nov 06, 2008 at 12:23 +0100, you wrote: > Memory: total=3126520K total_adj=3116888K malloced: 2878549K Yeah, that's a lot ... > ".*byte_seq1.*byte_seq2.*byte_seq3.*" I'm guessing that these are indeed the problem, assuming there's no leak somewhere. Having lots of such patterns is essentially the worst case for a DFA-based pattern matcher (recall that Bro internally combines many of these into *one* regexp, which will let the number of states explode). Three things you could try: (a) there is a tuning option for the signature engine which tells Bro how many regexps to combine internally into Big Ones. It's called sig_max_group_size and the default is 50. It might help to reduce this quite a bit (e.g., 10 or 20).
(b) you could split each signature into several, one for each component of the regexp (byte_seq1, byte_seq2, ...), and then either chain these signatures with requires_signature conditions, or raise an event for each one individually and correlate the matches on the script-level to find out when all have matched. Both approaches have the disadvantage that they don't consider the order in which the subpatterns appear. (c) this one is kind of scary. :) There's a configure option --expire-dfa-states which enables some internal code to limit the size of the DFAs Bro builds (by expiring less frequently used states and recalculating them later if necessary). Enabling this has quite a performance impact on the matching process but even worse is the fact that this option has most likely not been used by anybody for >5 years ... I'd almost bet it's broken in some way but you can still give it a try ... Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From rmkml at free.fr Thu Nov 6 22:31:11 2008 From: rmkml at free.fr (rmkml) Date: Fri, 7 Nov 2008 07:31:11 +0100 (CET) Subject: [Bro] create team for update snort2bro script signature ? In-Reply-To: References: <20081107064923.GC59911@icir.org> Message-ID: two functions like these exist in bro policy but are not available for signatures ?: -snort threshold() => it appears (*count*) on policy/signatures.bro but not on src/rule-scan.l ? -snort flowbits:noalert => it appears (SigAction: SIG_QUIET) on policy/signatures.bro but not on src/rule-scan.l ? Regards Rmkml Crusoe-Researches.com On Fri, 7 Nov 2008, rmkml wrote: > Date: Fri, 7 Nov 2008 06:56:05 +0100 (CET) > From: rmkml > To: Robin Sommer > Cc: bro at ICSI.Berkeley.EDU > Subject: Re: [Bro] create team for update snort2bro script signature ? > > Hi Robin, > thx for reply, > bro-1.4/scripts/s2b/bin/s2b.pl ? > do you know if it is possible adding these features ?
> Regards > Rmkml > Crusoe-Researches.com > > On Thu, 6 Nov 2008, Robin Sommer wrote: > >> Date: Thu, 6 Nov 2008 22:49:23 -0800 >> From: Robin Sommer >> To: bro at ICSI.Berkeley.EDU, rmkml >> Subject: Re: [Bro] create team for update snort2bro script signature ? >> >> >> On Thu, Nov 06, 2008 at 16:57 +0100, you wrote: >> >>> First question: bro contains two script, one in perl and one in python, >> >> Which Perl script are you referring to? >> >>> 1)byte_test() is not supported, but it is possible bro contains similar >>> function ? >>> 2)byte_jump() is not supported, but it is possible bro contains similar >>> function ? >> >> No, sorry, there is no such functionality yet. >> >> Robin >> >> -- >> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org >> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org >> > From andy.pyles at gmail.com Fri Nov 7 08:13:55 2008 From: andy.pyles at gmail.com (Andy Pyles) Date: Fri, 7 Nov 2008 11:13:55 -0500 Subject: [Bro] SIP Analyzer Message-ID: Hello, I understand there is a SIP analyzer available for BRO, as described here: www.bro-ids.org/bro-workshop-2007/slides/BroNews.pdf Is this publicly available? If so, where? thanks, Andy From gregor at net.t-labs.tu-berlin.de Fri Nov 7 11:30:09 2008 From: gregor at net.t-labs.tu-berlin.de (Gregor Maier) Date: Fri, 07 Nov 2008 11:30:09 -0800 Subject: [Bro] SIP Analyzer In-Reply-To: References: Message-ID: <49149741.9080707@net.t-labs.tu-berlin.de> Andy Pyles wrote: > Hello, I understand there is a SIP analyzer available for BRO, > as described here: www.bro-ids.org/bro-workshop-2007/slides/BroNews.pdf > > Is this publicly available? If so, where? Yes there is one, BUT: It's not solidly tested and not performance-tuned. (I.e., it's alpha). That's why it's not in the official release. If you're interested I can send you the code, but be warned that it might not (yet) be fit for use in a production environment.
hth Gregor -- Gregor Maier gregor at net.t-labs.tu-berlin.de TU Berlin / Deutsche Telekom Labs gregor.maier at tu-berlin.de Sekr. TEL 4, FG INET www.net.t-labs.tu-berlin.de Ernst-Reuter-Platz 7 10587 Berlin, Germany From akkala at Colorado.edu Fri Nov 7 20:46:35 2008 From: akkala at Colorado.edu (Sirisha) Date: Fri, 7 Nov 2008 21:46:35 -0700 (MST) Subject: [Bro] error configuring Bro Message-ID: <20081107214635.AFK57553@riddler.int.colorado.edu> Hi I'm trying again to configure Bro with the following options ./configure --enable-shippedpcap --with-openssl=/usr/local/ssl checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for OPENSSL_add_all_algorithms_conf in -lcrypto... no configure: error: cannot find libcrypto, sorry configure: error: ./configure failed for aux/broccoli there is a file libcrypto.a in /usr/local/ssl/lib, why is it not able to find? should I specify the path? with what option? thanks for your help. sirisha. From talebihossain at gmail.com Sat Nov 8 10:51:29 2008 From: talebihossain at gmail.com (hossein talebi) Date: Sat, 8 Nov 2008 22:21:29 +0330 Subject: [Bro] how to measure size of data that transfer in connection? 
Message-ID: <4806f1a30811081051v369210a6h2abd971f43bc9604@mail.gmail.com> Hi i want measure size of data that transfer in per side(how many receive and how many send) I have downloaded one file with size:almost 4MB and capture its with tcpdump(only with filtering on tcp header and on my IP ) and sum of received data in connections almost is:4MB (this sum have been measured in Bro via field of endpoint size in connection) then i filter same output of tcpdump only for tcpflags(SYN,SYN-ACK,FIN) and save with pcap format and sum of received data in connections almost is:1MB i don't know reason of this repugnance i need measure size of data that transfer in per side of connection really while i have filter network traffic only for SYN,SYN-ACK,FIN packet header how to solve this problem? please help me thanks -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081108/0df4713e/attachment.html From sunke.bhavani at gmail.com Sat Nov 8 12:13:19 2008 From: sunke.bhavani at gmail.com (Bhavani) Date: Sat, 8 Nov 2008 14:13:19 -0600 Subject: [Bro] Problem with starting Bro Message-ID: When I type * ./bro.rc start* Failed: bro.init :line 1095 : internal error : function cap_sep missing When I searched bro.init There is no such function. What should I do to start BrO Thanks. bhavani -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081108/13569fa4/attachment.html From talebihossain at gmail.com Sat Nov 8 12:37:28 2008 From: talebihossain at gmail.com (hossein talebi) Date: Sun, 9 Nov 2008 00:07:28 +0330 Subject: [Bro] how to measure size of data that transfer in connection?
In-Reply-To: References: <4806f1a30811081051v369210a6h2abd971f43bc9604@mail.gmail.com> Message-ID: <4806f1a30811081237g2cc98e49j7275f28184b55f4f@mail.gmail.com> Hi my problem is not filtering but my problem is obtain accurate size of transfer byte i have checked these policies and apply very much and understand them completely but apply conn policy on 2 tcpdump file(that one include all of packet headers and other include only SYN,SYN_ACK,FIN packet headers) have different results why???? thanks On Sat, Nov 8, 2008 at 11:25 PM, rmkml wrote: > Hi hossein, > do you have checked policy/conn.bro|load conn|conn.log ? > example: > 1225897841.708954 0.110102 10.100.11.8 192.168.25.192 https 44642 443 tcp > 926 3545 SF X > (926 and 3545) > for only tcp flags SYN,SYN-ACK,FIN: add tcpdump filter on bro cmd line ? > Regards > Rmkml > Crusoe-Researches.com > > On Sat, 8 Nov 2008, hossein talebi wrote: > > Date: Sat, 8 Nov 2008 22:21:29 +0330 >> From: hossein talebi >> To: Bro-ids >> Subject: [Bro] how to measure size of data that transfer in connection? >> >> >> Hi >> >> i want measure size of data that transfer in per side(how many receive and >> how many send) >> >> I have downloaded one file with size:almost 4MB >> and capture its with tcpdump(only with filtering on tcp header and on my >> IP ) >> and sum of received data in connections almost is:4MB (this sum have been >> measured in Bro via field of endpoint size in connection) >> then i filter same output of tcpdump only for tcpflags(SYN,SYN-ACK,FIN) >> and save with pcap format >> and sum of received data in connections almost is:1MB >> >> i don't know reason of this repugnance >> i need measure size of data that transfer in per side of connection really >> while i have filter network traffic only >> for SYN,SYN-ACK,FIN packet header >> >> how to solve this problem?
>> >> please help me >> thanks >> -- >> Talebi Mazraeh Shahi Hossein >> >> -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081109/d8c1abaa/attachment.html From talebihossain at gmail.com Sat Nov 8 23:17:45 2008 From: talebihossain at gmail.com (hossein talebi) Date: Sun, 9 Nov 2008 10:47:45 +0330 Subject: [Bro] how to measure size of data that transfer in connections? Message-ID: <4806f1a30811082317l4f8624f0i17e27e18019462c0@mail.gmail.com> Hi i run tcpdump while file(with 4MB size) is downloading with follow filter: "tcpdump -w pcapfile1 'tcp and host ' " then i apply filtering on pcapfile1: "tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-fin|tcp-rst)!=0 ' " then i measured size of data by Bro version :1.2.1 but results are different(on pcapfile1 is 4MB and on pcapfile2 is 1MB) OS: Linux(Fedora Core 8) you can perform this work and measure sum of data that is received for two files -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081109/7bf0d5c1/attachment.html From robin at icir.org Sun Nov 9 22:32:21 2008 From: robin at icir.org (Robin Sommer) Date: Sun, 9 Nov 2008 22:32:21 -0800 Subject: [Bro] create team for update snort2bro script signature ? In-Reply-To: References: <20081107064923.GC59911@icir.org> Message-ID: <20081110063221.GI51201@icir.org> On Fri, Nov 07, 2008 at 06:56 +0100, you wrote: > bro-1.4/scripts/s2b/bin/s2b.pl ? Ah, I see. That is actually a wrapper around the Python snort2bro which does some stuff on top of it. > do you know if it is possible adding these features ? Not sure. These options, iirc, are using packet-semantics which are hard to emulate in Bro's stream-model. There might be some approximation though which works sufficiently well, don't know.
Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From talebihossain at gmail.com Mon Nov 10 04:19:31 2008 From: talebihossain at gmail.com (hossein talebi) Date: Mon, 10 Nov 2008 15:49:31 +0330 Subject: [Bro] Fwd: how to measure size of data that transfer in connections (SYN FIN RST)? Message-ID: <4806f1a30811100419w271ec7e2n4ad6bb1e30cd9ac6@mail.gmail.com> Hi i want measure size of data that transfer in per side(how many receive and how many send) I have downloaded one file with size:almost 4MB and capture its with tcpdump(only with filtering on tcp header and on my IP ) and sum of received data in connections almost is:4MB (this sum have been measured in Bro via field of endpoint size in connection) then i filter same output of tcpdump only for tcpflags(*SYN,RST,FIN*) and save with pcap format and sum of received data in connections almost is:1MB (i run tcpdump while file(with 4MB size) is downloading with follow filter: "tcpdump -w pcapfile1 'tcp and host ' " then i apply filtering on pcapfile1: "tcpdump -r pcapfile1 -w pcapfile2 'tcp[tcpflags]&(tcp-syn|tcp-fin|tcp-rst)!=0 ' " then i measured size of data by Bro version :1.2.1 but results are different(on pcapfile1 is 4MB and on pcapfile2 is 1MB) OS: Linux(Fedora Core 8) ) you can perform this work and measure sum of data that is received for two files i don't know reason of this repugnance i need measure size of data that transfer in per side of connection really while i have filter network traffic only for *SYN,RST,FIN packet header* how to solve this problem? please help me thanks -- Talebi Mazraeh Shahi Hossein -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed...
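To make the two totals in the size-measurement question above concrete, here is an added Python example (written for this page, not code from the thread or from Bro). For every direction of every TCP connection in a pcap it computes both the bytes actually captured as payload and the byte count implied by the sequence numbers, first on a constructed full trace and then after applying the same keep-only-SYN/FIN/RST rule as the tcpdump filter quoted above. The trace, the hosts 10.0.0.5, 192.0.2.10 and 192.0.2.20 and all byte counts are constructed for the example. The thread does not say which of the two quantities Bro 1.2.1 reports as the endpoint size, so the script is a diagnostic to run beside Bro on pcapfile1 and pcapfile2, not a reimplementation of Bro's accounting.

```python
# Per-direction TCP byte accounting from a pcap: captured payload vs sequence span.
# Added illustration for the size-measurement question above; not Bro code.
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Serialise frames as a libpcap 2.4 file (LINKTYPE_ETHERNET) in memory."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, seq, flags, payload) for each TCP/IPv4 frame."""
    off = 24
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 carrying TCP only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport, seq, _, doff, flags = struct.unpack_from("!HHIIBB", tcp)
        yield (".".join(map(str, ip[12:16])), sport,
               ".".join(map(str, ip[16:20])), dport, seq, flags, tcp[(doff >> 4) * 4:])


def keep_syn_fin_rst(flags):
    """Same predicate as tcpdump's 'tcp[tcpflags]&(tcp-syn|tcp-fin|tcp-rst)!=0'."""
    return flags & (TCP_SYN | TCP_FIN | TCP_RST) != 0


def direction_sizes(pcap, keep=lambda flags: True):
    """Map (src, sport, dst, dport) -> {'payload': bytes seen, 'seq_span': bytes implied}.

    seq_span is the highest sequence number seen beyond the ISN; it needs the SYN
    (None without it) and survives a flags-only trace as long as a FIN or RST was
    captured, whereas payload only counts bytes that are physically in the trace."""
    isn, seq_end, payload = {}, {}, {}
    for src, sport, dst, dport, seq, flags, data in iter_tcp(pcap):
        if not keep(flags):
            continue
        key = (src, sport, dst, dport)
        if flags & TCP_SYN:
            isn[key] = seq
        payload[key] = payload.get(key, 0) + len(data)
        seq_end[key] = max(seq_end.get(key, 0), seq + len(data))
    return {key: {"payload": payload[key],
                  "seq_span": None if key not in isn
                  else max(0, seq_end[key] - isn[key] - 1)}
            for key in payload}


def received_by(sizes, host, metric):
    """Total of one metric over all directions whose destination is host."""
    return sum(v[metric] or 0 for k, v in sizes.items() if k[2] == host)


# Constructed sample: client C downloads from two servers; the capture of the
# second connection stops before either side closes (no FIN or RST recorded).
C, S1, S2 = "10.0.0.5", "192.0.2.10", "192.0.2.20"
SAMPLE_PCAP = build_pcap([
    tcp_frame(C, 40000, S1, 80, 1000, 0, TCP_SYN),
    tcp_frame(S1, 80, C, 40000, 5000, 1001, TCP_SYN | TCP_ACK),
    tcp_frame(C, 40000, S1, 80, 1001, 5001, TCP_ACK, b"G" * 100),
    tcp_frame(S1, 80, C, 40000, 5001, 1101, TCP_ACK, b"D" * 1460),
    tcp_frame(S1, 80, C, 40000, 6461, 1101, TCP_ACK, b"D" * 1460),
    tcp_frame(S1, 80, C, 40000, 7921, 1101, TCP_ACK, b"D" * 1460),
    tcp_frame(S1, 80, C, 40000, 9381, 1101, TCP_FIN | TCP_ACK),
    tcp_frame(C, 40000, S1, 80, 1101, 9382, TCP_FIN | TCP_ACK),
    tcp_frame(C, 40001, S2, 80, 2000, 0, TCP_SYN),
    tcp_frame(S2, 80, C, 40001, 7000, 2001, TCP_SYN | TCP_ACK),
    tcp_frame(C, 40001, S2, 80, 2001, 7001, TCP_ACK, b"G" * 50),
    tcp_frame(S2, 80, C, 40001, 7001, 2051, TCP_ACK, b"D" * 1460),
    tcp_frame(S2, 80, C, 40001, 8461, 2051, TCP_ACK, b"D" * 1460),
])

if __name__ == "__main__":
    for label, keep in (("full trace", lambda f: True), ("SYN/FIN/RST only", keep_syn_fin_rst)):
        sizes = direction_sizes(SAMPLE_PCAP, keep)
        print(label, "received by", C, "payload:", received_by(sizes, C, "payload"),
              "seq_span:", received_by(sizes, C, "seq_span"))
```

On the constructed trace the flags-only view still yields the sequence-implied size for the connection that closed with a FIN, because the SYN and the FIN carry that endpoint's first and last sequence numbers, but it yields zero for the connection whose close was never captured, while the captured-payload total collapses to zero in both cases. Running both counters over pcapfile1 and pcapfile2 and comparing with conn.log shows which kind of total Bro's figure corresponds to and which connections account for the gap.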
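Robin Sommer's reply in the std::bad_alloc thread above explains that Bro compiles many signatures into one DFA, that patterns of the form .*byte_seq1.*byte_seq2.*byte_seq3.* are the worst case for that, and that sig_max_group_size bounds how many are combined. The following added Python example (an illustration written for this page, not Bro's matcher) builds the minimal DFA for one such pattern, counts the reachable states of the product automaton that tracks a whole group of patterns at once, and shows how the total changes with the group size. The four sample patterns, the LETTERS alphabet and the group_size parameter are constructed for the example; Bro's real construction works over bytes with its own optimisations, so the absolute numbers are illustrative and only the growth matters.

```python
# How many DFA states does a group of .*s1.*s2.*s3.* signatures need?
# Added illustration of the state explosion discussed above; not Bro code.
from collections import deque


def kmp_failure(s):
    """Classic KMP failure table for one byte sequence."""
    fail, k = [0] * len(s), 0
    for i in range(1, len(s)):
        while k and s[i] != s[k]:
            k = fail[k - 1]
        if s[i] == s[k]:
            k += 1
        fail[i] = k
    return fail


class DotStarPattern:
    """Minimal DFA for the regexp .*seqs[0].*seqs[1].* ... .*seqs[n-1].*

    A state is (stage, matched): which sequence we are looking for and how many
    of its bytes are already matched. stage == len(seqs) is the absorbing accept."""

    def __init__(self, seqs):
        self.seqs = list(seqs)
        self.fail = [kmp_failure(s) for s in self.seqs]
        self.start = (0, 0)

    def step(self, state, c):
        stage, j = state
        if stage == len(self.seqs):
            return state
        s, fail = self.seqs[stage], self.fail[stage]
        while j and s[j] != c:
            j = fail[j - 1]
        if s[j] == c:
            j += 1
        return (stage + 1, 0) if j == len(s) else (stage, j)

    def alphabet(self):
        return {c for s in self.seqs for c in s}


def combined_dfa_states(patterns, other="#"):
    """Reachable states of the product DFA that matches all patterns at once.

    Every byte that occurs in no pattern behaves identically, so a single
    stand-in symbol ('#', assumed absent from the patterns) represents them all."""
    alphabet = set().union(*(p.alphabet() for p in patterns))
    assert other not in alphabet
    alphabet = sorted(alphabet) + [other]
    start = tuple(p.start for p in patterns)
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for c in alphabet:
            nxt = tuple(p.step(s, c) for p, s in zip(patterns, state))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)


def states_with_group_size(patterns, group_size):
    """Total states when the patterns are compiled in groups of group_size
    (the knob Robin calls sig_max_group_size; the name here is our own)."""
    return sum(combined_dfa_states(patterns[i:i + group_size])
               for i in range(0, len(patterns), group_size))


# Constructed: four signatures of the .*seq1.*seq2.*seq3.* form over disjoint bytes.
LETTERS = "abcdefghijklmnopqrstuvwx"
SAMPLE_PATTERNS = [DotStarPattern([LETTERS[i:i + 2], LETTERS[i + 2:i + 4], LETTERS[i + 4:i + 6]])
                   for i in range(0, 24, 6)]

if __name__ == "__main__":
    for g in (1, 2, 4):
        print("group size", g, "->", states_with_group_size(SAMPLE_PATTERNS, g), "states")
```

Each pattern alone needs 7 states; two together need 40 and all four in one DFA need 1024, so compiling them in groups of two costs 80 states in total and one DFA per pattern costs 28. The product grows with the number of patterns in a group because the automaton has to remember, independently for every pattern, which sequence it is waiting for, which is exactly the effect that a smaller sig_max_group_size trades against the extra matching passes.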
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081110/1fd9f77b/attachment.html From ssmit7 at gmail.com Mon Nov 10 05:22:24 2008 From: ssmit7 at gmail.com (Stephen Smith) Date: Mon, 10 Nov 2008 08:22:24 -0500 Subject: [Bro] defining a table of sets Message-ID: Hello, I'm trying to use a table of sets in my policy, and can't figure out how to statically define values. The manual covers use of the add() function, but Scan.bro global distinct_peers: table[addr] of set[addr] redef SMITH::table_of_sets = { [ "a" ] = [ "alpha", "anchor", "armor" ], [ "b" ] = [ "bravo", "biscuit", "blue" ], }; smith.bro, line 150 (alpha, anchor, armor): bad tag in Val::CONVERTER (types/table) redef SMITH::table_of_sets = { [ "a" ] = { "alpha", "anchor", "armor" }, [ "b" ] = { "bravo", "biscuit", "blue" }, }; smith.bro, line 149: error: syntax error, at or near "{" -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081110/cb06037b/attachment.html From ssmit7 at gmail.com Mon Nov 10 05:35:58 2008 From: ssmit7 at gmail.com (Stephen Smith) Date: Mon, 10 Nov 2008 08:35:58 -0500 Subject: [Bro] defining a table of sets In-Reply-To: References: Message-ID: Hello again, Sorry for the previous email fragment, apparently there is a hot-key in GMail that automagically sends the message. What I meant to say was.... I'm trying to use a table of sets in my policy, and can't figure out how to statically define values. The manual covers use of the add() function, but I would need to define them just as a redef in my startup policy. The objective here is a hash table of strings with chaining. 
I define the table as global table_of_sets: table[string] of set[string] after the similar definition in scan.bro of global distinct_peers: table[addr] of set[addr] Then I try to redef the table and add values: redef SMITH::table_of_sets = { [ "a" ] = { "alpha", "anchor", "armor" }, [ "b" ] = { "bravo", "biscuit", "blue" }, }; This gives me smith.bro, line 149: error: syntax error, at or near "{" Just to see what would happen I changed the curly brackets to square brackets, and that changes to error to smith.bro, line 150 (alpha, anchor, armor): bad tag in Val::CONVERTER (types/table) I can't seem to find this being done anywhere else the existing policies, it is always done through the add() function, but I can't imagine that it is not possible. Is there an explanation in the reference manual and I am just missing it? Thanks, Stephen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081110/3c70434d/attachment.html From vcarela at ac.upc.edu Mon Nov 10 07:19:36 2008 From: vcarela at ac.upc.edu (vcarela) Date: Mon, 10 Nov 2008 16:19:36 +0100 Subject: [Bro] Use BRO as an offline L7-filter Message-ID: <1226330376.30109.25.camel@pcfalques.ac.upc.edu> Hi list, I'm trying to use BRO as an offline L7-filter. I would like to add a signature file to BRO (maybe to the DPD "module"??) and run on a trace to detect the applications. I have already written the signature file based on J. Erman thesis (last pages of http://www.cse.iitd.ernet.in/~mahanti/papers/erman.msc.thesis.pdf ). Now I'm a bit lost, where I have to copy the signatures? here? -> /usr/local/bro/share/bro/sigs/jerman.sig Which file I have to modify to add my signatures and remove the rest? Because when I run : " bin/bro -r trace.pcap dpd " I get outputs like: " 1217419201.228065 weird: spontaneous_FIN 1217419201.234297 weird: spontaneous_RST " I only want to get the l7 application detected. 
I don't care for the snort or other alerts with no relation with l7 applications. Thank you in advance, Valentín From vern at icir.org Mon Nov 10 07:29:53 2008 From: vern at icir.org (Vern Paxson) Date: Mon, 10 Nov 2008 07:29:53 -0800 Subject: [Bro] defining a table of sets In-Reply-To: (Mon, 10 Nov 2008 08:22:24 EST). Message-ID: <200811101529.mAAFTuaV020196@pork.ICSI.Berkeley.EDU> > smith.bro, line 150 (alpha, anchor, armor): bad tag in Val::CONVERTER > (types/table) This is definitely a bug. A workaround is to use a temporary variable: global t1 = set( "alpha", "anchor", "armor" ); global distinct_peers: table[string] of set[string] = { [ "a" ] = t1, # this works }; - Vern From ssmit7 at gmail.com Mon Nov 10 07:52:45 2008 From: ssmit7 at gmail.com (Stephen Smith) Date: Mon, 10 Nov 2008 10:52:45 -0500 Subject: [Bro] defining a table of sets In-Reply-To: <200811101529.mAAFTuaV020196@pork.ICSI.Berkeley.EDU> References: <200811101529.mAAFTuaV020196@pork.ICSI.Berkeley.EDU> Message-ID: Thanks for the quick reply. The definition data needs to be in a static file, so perhaps I can use a generation function to parse the text and create the table. In the meantime I will see if I can get some further details out of gdb so maybe I can figure out what is going on. Just so I am clear though, the correct way to define this would be with square brackets enclosing the set? As in, [ "a" ] = [ "alpha", "anchor", "armor" ] Thanks, Stephen On Mon, Nov 10, 2008 at 10:29 AM, Vern Paxson wrote: > > smith.bro, line 150 (alpha, anchor, armor): bad tag in Val::CONVERTER > > (types/table) > > This is definitely a bug. > > A workaround is to use a temporary variable: > > global t1 = set( "alpha", "anchor", "armor" ); > global distinct_peers: table[string] of set[string] = { > [ "a" ] = t1, # this works > }; > > - Vern > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081110/7b42d158/attachment.html From vern at icir.org Mon Nov 10 08:08:24 2008 From: vern at icir.org (Vern Paxson) Date: Mon, 10 Nov 2008 08:08:24 -0800 Subject: [Bro] defining a table of sets In-Reply-To: (Mon, 10 Nov 2008 10:52:45 EST). Message-ID: <200811101608.mAAG8Rw9022427@pork.ICSI.Berkeley.EDU> > In the mean time I will see if I can get some further > details out of gdb so maybe I can figure out what is going on. I'm pretty sure I already know what the problem is. It comes from confusion deep inside the initialization code of what type to associate with the list value. It's messy to fix, which is why it's still there :-(. > Just so I am clear though, the correct way to define this would be with > square brackets enclosing the set? As in, > > [ "a" ] = [ "alpha", "anchor", "armor" ] Better would be: [ "a" ] = set("alpha", "anchor", "armor") We want to deprecate the [] set initializer. Vern From talebihossain at gmail.com Mon Nov 10 12:16:47 2008 From: talebihossain at gmail.com (hossein talebi) Date: Mon, 10 Nov 2008 23:46:47 +0330 Subject: [Bro] defining set of range of number Message-ID: <4806f1a30811101216o32f7d625m4af43d5a9b90752a@mail.gmail.com> Hi i want define set of number for example: a set that including follow ranges: 10-20 40-50 100-170 -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081110/8b0afbdd/attachment.html From randy at catapulta.org Mon Nov 10 21:07:23 2008 From: randy at catapulta.org (randy at catapulta.org) Date: Tue, 11 Nov 2008 00:07:23 -0500 Subject: [Bro] Dynamically Updating Signatures With Broccoli? Message-ID: <88C42EC6-3718-4518-B1D4-D829D511B8D7@catapulta.org> Greetings, The Broccoli documentation indicates that broccoli-based applications can remotely configure Bro without the need for a restart. 
Would it be possible to dynamically send signature updates to Bro using Broccoli? If so, I'd be happy to implement a reference example. Please advise. Thanks, Randy From akkala at Colorado.edu Mon Nov 10 22:15:31 2008 From: akkala at Colorado.edu (Sirisha) Date: Mon, 10 Nov 2008 23:15:31 -0700 (MST) Subject: [Bro] Installing Bro Message-ID: <20081110231531.AFL61860@riddler.int.colorado.edu> Hi. Configure worked fine, but 'make' gives me some error. If anyone gets a chance, please look into the error and help me fix. I'm pasting the config summary & the make error below. thanks. Bro Configuration Summary ========================================================== - Debugging enabled: no - OpenSSL support: yes - Non-blocking main loop: yes - Non-blocking resolver: yes - Installation prefix: /opt/bro - Perl interpreter: /usr/bin/perl - Using basic_string: yes - Using libmagic: No - Using perftools: no - Binpac used: shipped with Bro - Using libGeoIP: No - XQuery support: no - Pcap used: system-provided ----------------------------------------------------- 23:06:43-root at host2:/opt/bro/work#make make all-recursive make[1]: Entering directory `/opt/bro/work' Making all in aux make[2]: Entering directory `/opt/bro/work/aux' make all-recursive make[3]: Entering directory `/opt/bro/work/aux' Making all in adtrace make[4]: Entering directory `/opt/bro/work/aux/adtrace' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/opt/bro/work/aux/adtrace' Making all in binpac make[4]: Entering directory `/opt/bro/work/aux/binpac' make all-recursive make[5]: Entering directory `/opt/bro/work/aux/binpac' Making all in lib make[6]: Entering directory `/opt/bro/work/aux/binpac/lib' g++ -DHAVE_CONFIG_H -I. -I.. -g -O2 -MT binpac_buffer.o -MD -MP -MF .deps/binpac_buffer.Tpo -c -o binpac_buffer.o binpac_buffer.cc mv -f .deps/binpac_buffer.Tpo .deps/binpac_buffer.Po g++ -DHAVE_CONFIG_H -I. -I..
-g -O2 -MT binpac_bytestring.o -MD -MP -MF .deps/binpac_bytestring.Tpo -c -o binpac_bytestring.o binpac_bytestring.cc mv -f .deps/binpac_bytestring.Tpo .deps/binpac_bytestring.Po rm -f libbinpac.a ar cru libbinpac.a binpac_buffer.o binpac_bytestring.o ranlib libbinpac.a make[6]: Leaving directory `/opt/bro/work/aux/binpac/lib' Making all in src make[6]: Entering directory `/opt/bro/work/aux/binpac/src' /bin/sh ../ylwrap pac_parse.yy y.tab.c pac_parse.cc y.tab.h pac_parse.h y.output pac_parse.output -- yacc -d -t -v ../ylwrap: line 111: yacc: command not found make[6]: *** [pac_parse.cc] Error 1 make[6]: Leaving directory `/opt/bro/work/aux/binpac/src' make[5]: *** [all-recursive] Error 1 make[5]: Leaving directory `/opt/bro/work/aux/binpac' make[4]: *** [all] Error 2 make[4]: Leaving directory `/opt/bro/work/aux/binpac' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/opt/bro/work/aux' make[2]: *** [all] Error 2 make[2]: Leaving directory `/opt/bro/work/aux' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/opt/bro/work' make: *** [all] Error 2 From talebihossain at gmail.com Tue Nov 11 00:06:08 2008 From: talebihossain at gmail.com (hossein talebi) Date: Tue, 11 Nov 2008 11:36:08 +0330 Subject: [Bro] defining set of ports Message-ID: <4806f1a30811110006m18b8497bn8d00e4ebe981ced2@mail.gmail.com> Hi i want define set of ports that some of member of set are range of ports for example: const port_define :set[port] ={ 80/tcp , 443/tcp, 600-800/tcp, 1000-1024/tcp} is correct upon define, if is not correct how to do this work? thanks -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081111/ec8a1f52/attachment.html From r.gruyters at snow.nl Tue Nov 11 00:21:58 2008 From: r.gruyters at snow.nl (Robin Gruyters) Date: Tue, 11 Nov 2008 09:21:58 +0100 Subject: [Bro] ssh alternative ports Message-ID: <1226391718.491940a698f4b@scn.snow.nl> Hello all, I'm trying to add an alternative port for ssh in my policy file, but somehow it doesn't work. I get the following error message: bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter ./test.bro, line 12 (ssh_ports): error, "redef" used but not previously defined bro at nsm$ When I check the ssh.bro policy I can see that it is possible to redefine the ssh_ports: [ssh.bro] .. global ssh_ports = { 22/tcp, } &redef; .. [/ssh.bro] Below is my test policy file: [test.bro] @load site redef local_nets: set[subnet] = { 10.1.1.0/24, }; redef capture_filters += { ["ssh-alt"] = "tcp port 2122", }; redef ssh_ports += { 2122/tcp, }; [/test.bro] I have tried to add the module name, but no luck. bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not previously defined bro at nsm$ With kind regards, Robin Gruyters From christoph.leuzinger at cs.uni-dortmund.de Tue Nov 11 06:01:37 2008 From: christoph.leuzinger at cs.uni-dortmund.de (Christoph Leuzinger) Date: Tue, 11 Nov 2008 15:01:37 +0100 Subject: [Bro] Installing Bro In-Reply-To: <20081110231531.AFL61860@riddler.int.colorado.edu> References: <20081110231531.AFL61860@riddler.int.colorado.edu> Message-ID: <20081111150137.569ae758.christoph.leuzinger@cs.uni-dortmund.de> Hi, Sirisha wrote: > Making all in src > make[6]: Entering directory `/opt/bro/work/aux/binpac/src' > /bin/sh ../ylwrap pac_parse.yy y.tab.c pac_parse.cc y.tab.h > pac_parse.h y.output pac_parse.output -- yacc -d -t -v > ../ylwrap: line 111: yacc: command not found Seems that you're missing a parser generator.
Make sure that you have a parser generator (e.g. bison) installed on your system and add it to your $PATH, so that ylwrap will be able to execute it. Cheers, Christoph From robin at icir.org Tue Nov 11 19:03:20 2008 From: robin at icir.org (Robin Sommer) Date: Tue, 11 Nov 2008 19:03:20 -0800 Subject: [Bro] Dynamically Updating Signatures With Broccoli? In-Reply-To: <88C42EC6-3718-4518-B1D4-D829D511B8D7@catapulta.org> References: <88C42EC6-3718-4518-B1D4-D829D511B8D7@catapulta.org> Message-ID: <20081112030320.GC22899@icir.org> On Tue, Nov 11, 2008 at 00:07 -0500, you wrote: > The Broccoli documentation indicates that broccoli-based applications > can remotely configure Bro without the need for a restart. Would it > be possible to dynamically send signature updates to Bro using > Broccoli? No, that's not possible. Bro doesn't have the internal infrastructure to recompile signatures on the fly. At the moment, the only part of the configuration which can be (reliably) updated on the fly are script-level variables declared as &redef. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Tue Nov 11 19:07:54 2008 From: robin at icir.org (Robin Sommer) Date: Tue, 11 Nov 2008 19:07:54 -0800 Subject: [Bro] ssh alternative ports In-Reply-To: <1226391718.491940a698f4b@scn.snow.nl> References: <1226391718.491940a698f4b@scn.snow.nl> Message-ID: <20081112030754.GD22899@icir.org> On Tue, Nov 11, 2008 at 09:21 +0100, you wrote: > bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter > ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not previously defined You indeed need the SSH prefix.
Using that, I get a different error message:

# bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter
./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports

Which is true: the id is not exported in ssh.bro and therefore can't be redefined (I think it should be exported though). Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Tue Nov 11 19:10:16 2008 From: robin at icir.org (Robin Sommer) Date: Tue, 11 Nov 2008 19:10:16 -0800 Subject: [Bro] Use BRO as an offline L7-filter In-Reply-To: <1226330376.30109.25.camel@pcfalques.ac.upc.edu> References: <1226330376.30109.25.camel@pcfalques.ac.upc.edu> Message-ID: <20081112031016.GE22899@icir.org> On Mon, Nov 10, 2008 at 16:19 +0100, you wrote: > Now I'm a bit lost, where I have to copy the signatures? Have you seen this (and the Wiki page it points to)?
http://blog.icir.org/2008/06/bro-signature-engine.html Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From talebihossain at gmail.com Tue Nov 11 22:18:28 2008 From: talebihossain at gmail.com (hossein talebi) Date: Wed, 12 Nov 2008 09:48:28 +0330 Subject: [Bro] how to merge pcap files? Message-ID: <4806f1a30811112218y1c13b28cxc2a69509102c5af@mail.gmail.com> Hi how to merge pcap files saved by -w option? -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081112/a15ecdf0/attachment.html From vallentin at ICSI.Berkeley.EDU Tue Nov 11 22:32:14 2008 From: vallentin at ICSI.Berkeley.EDU (Matthias Vallentin) Date: Tue, 11 Nov 2008 22:32:14 -0800 Subject: [Bro] how to merge pcap files? In-Reply-To: <4806f1a30811112218y1c13b28cxc2a69509102c5af@mail.gmail.com> References: <4806f1a30811112218y1c13b28cxc2a69509102c5af@mail.gmail.com> Message-ID: <20081112063214.GW38938@icsi.berkeley.edu> On Wed, Nov 12, 2008 at 09:48:28AM +0330, hossein talebi wrote: > how to merge pcap files saved by -w option? This is clearly not a topic related to Bro. Please refrain from spamming the Bro mailing list with unrelated questions. Matthias -- Matthias Vallentin vallentin at icsi.berkeley.edu http://matthias.vallentin.cc From vern at icir.org Tue Nov 11 22:39:51 2008 From: vern at icir.org (Vern Paxson) Date: Tue, 11 Nov 2008 22:39:51 -0800 Subject: [Bro] how to merge pcap files? In-Reply-To: <4806f1a30811112218y1c13b28cxc2a69509102c5af@mail.gmail.com> (Wed, 12 Nov 2008 09:48:28 +0330). Message-ID: <200811120639.mAC6dsWx002252@pork.ICSI.Berkeley.EDU> [excessive addresses trimmed] > how to merge pcap files saved by -w option? The best tool for this is ipsumdump: ipsumdump --collate -w output.trace input1.trace input2.trace ... You can get it from http://www.cs.ucla.edu/~kohler/ipsumdump/ . 
Vern From akkala at Colorado.edu Wed Nov 12 00:07:06 2008 From: akkala at Colorado.edu (Sirisha Akkala) Date: Wed, 12 Nov 2008 01:07:06 -0700 (MST) Subject: [Bro] A few problems starting Bro Message-ID: <20081112010706.AFM29438@riddler.int.colorado.edu> 1. I specified --prefix=/opt/bro/work while compiling Bro and also during cluster installation. But the 'cluster start' command was looking for cluster.cfg & node.cfg files in /usr/local/etc. Is there a way to change the path now? 2. For the time being I copied these two files to /usr/local/etc and started Bro.

starting bro ... 1 0
bro terminated immediately after starting; check output with "diag" - this returns the following.
==== stderr.log
/usr/local/policy/1.4-robin/cluster/cluster.bro, line 68: error: can't open cluster-layout

I don't find cluster-layout in the /usr/local dir or in the /opt/bro/... which I actually specified for installation. I quite diligently followed all the steps mentioned in 'README.hml#Standalone'. Any suggestion to fix this or reference to documentation that talks about initial setup in more detail will be very helpful. Thanks, Sirisha. P.S.: Is there a Bro-beginner's forum :))) ? From r.gruyters at snow.nl Wed Nov 12 00:23:32 2008 From: r.gruyters at snow.nl (Robin Gruyters) Date: Wed, 12 Nov 2008 09:23:32 +0100 Subject: [Bro] ssh alternative ports In-Reply-To: <20081112030754.GD22899@icir.org> References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> Message-ID: <1226478212.491a928492feb@scn.snow.nl> Robin, Okay, I have attached a patch for ssh.bro, which includes exported ssh_ports and ssh_log. With kind regards, Robin Gruyters Quoting Robin Sommer : > > On Tue, Nov 11, 2008 at 09:21 +0100, you wrote: > > > bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter > > ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not > previously defined > > You indeed need the SSH prefix.
Using that, I get a different error > message: > > # bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter > ./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports > > Which is true: the id is not exported in ssh.bro and therefore > can't be redefined (I think it should be exported though). > > Robin > > -- > Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh.bro.diff Type: application/octet-stream Size: 743 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081112/cd235333/attachment.obj From rmkml at free.fr Wed Nov 12 00:50:53 2008 From: rmkml at free.fr (rmkml) Date: Wed, 12 Nov 2008 09:50:53 +0100 (CET) Subject: [Bro] ssh alternative ports In-Reply-To: <1226478212.491a928492feb@scn.snow.nl> References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> <1226478212.491a928492feb@scn.snow.nl> Message-ID: Hi, If I apply your patch to policy/ssh.bro (move to export{}) and if I change policy/snort.bro (for example): redef SSH::ssh_ports += { 2122/tcp }; Bro works, but if I have a signature that uses ssh_ports it does not work:

signature sid-1812 {
  ip-proto == tcp
  # dst-port == ssh_ports # <-----
  event "EXPLOIT gobbles SSH exploit attempt"
  tcp-state established,originator
  payload /.*GOBBLES/
}

brov140ipv6 error: Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports) Do you have an idea? Regards Rmkml Crusoe-Researches.com On Wed, 12 Nov 2008, Robin Gruyters wrote: > Date: Wed, 12 Nov 2008 09:23:32 +0100 > From: Robin Gruyters > To: Robin Sommer > Cc: bro at bro-ids.org, bro at ICSI.Berkeley.EDU > Subject: Re: [Bro] ssh alternative ports > > Robin, > > Okay, I have attached a patch for ssh.bro, which includes exported ssh_ports and > ssh_log. > > With kind regards, > > Robin Gruyters > > > Quoting Robin Sommer : > >> >> On Tue, Nov 11, 2008 at 09:21 +0100, you wrote: > >>> bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter >>> ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not >> previously defined >> >> You indeed need the SSH prefix.
Using that, I get a different error >> message: >> >> # bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter >> ./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports >> >> Which is true: the id is not exported in ssh.bro and therefore >> can't be redefined (I think it should be exported though). >> >> Robin >> >> -- >> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org >> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org >> > From r.gruyters at snow.nl Wed Nov 12 01:50:29 2008 From: r.gruyters at snow.nl (Robin Gruyters) Date: Wed, 12 Nov 2008 10:50:29 +0100 Subject: [Bro] ssh alternative ports In-Reply-To: References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> <1226478212.491a928492feb@scn.snow.nl> Message-ID: <1226483429.491aa6e552f51@scn.snow.nl> Quoting rmkml : > Hi Robin, > You do not export capture_filters ? > Regards > Rmkml > Crusoe-Researches.com > This is already exported by pcap.bro. With kind regards, Robin Gruyters > On Wed, 12 Nov 2008, Robin Gruyters wrote: > > > Date: Wed, 12 Nov 2008 09:23:32 +0100 > > From: Robin Gruyters > > To: Robin Sommer > > Cc: bro at bro-ids.org, bro at ICSI.Berkeley.EDU > > Subject: Re: [Bro] ssh alternative ports > > > > Robin, > > > > Okay, I have attached a patch for ssh.bro, which includes exported > ssh_ports and > > ssh_log. > > > > With kind regards, > > > > Robin Gruyters > > > > > > Quoting Robin Sommer : > > > >> > >> On Tue, Nov 11, 2008 at 09:21 +0100, you wrote: > >> > >>> bro at nsm$ bro -r test.lpc tcp weird alarm ssh test print-filter > >>> ./test.bro, line 12 (SSH::ssh_ports): error, "redef" used but not > >> previously defined > >> > >> You indeed need the SSH prefix. 
Using that, I get a different error > >> message: > >> > >> # bro -r test.lpc tcp weird alarm ssh ./test.bro print-filter > >> ./test.bro, line 11: error: identifier is not exported: SSH::ssh_ports > >> > >> Which is true: the id is not exported in ssh.bro and therefore > >> can't be redefined (I think it should be exported though). > >> > >> Robin > >> > >> -- > >> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org > >> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > >> > > > From christian at whoop.org Wed Nov 12 13:23:59 2008 From: christian at whoop.org (Christian Kreibich) Date: Wed, 12 Nov 2008 13:23:59 -0800 Subject: [Bro] error configuring Bro In-Reply-To: <20081107214635.AFK57553@riddler.int.colorado.edu> References: <20081107214635.AFK57553@riddler.int.colorado.edu> Message-ID: <1226525039.16554.76.camel@strangepork> On Fri, 2008-11-07 at 21:46 -0700, Sirisha wrote: > Hi > I'm trying again to configure Bro with the following options > > ./configure --enable-shippedpcap --with-openssl=/usr/local/ssl > > checking openssl/ssl.h usability... yes > checking openssl/ssl.h presence... yes > checking for openssl/ssl.h... yes > checking for OPENSSL_add_all_algorithms_conf in -lcrypto... no > configure: error: cannot find libcrypto, sorry > configure: error: ./configure failed for aux/broccoli > > there is a file libcrypto.a in /usr/local/ssl/lib, why is it not able to find? should I specify the path? with what option? > thanks for your help. Hi, do you get the above output during Bro's configuration, or Broccoli's? As always, posting the relevant parts of config.log is going to be crucial in solving this one. 
-- Cheers, Christian From robin at icir.org Thu Nov 13 16:38:32 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 13 Nov 2008 16:38:32 -0800 Subject: [Bro] ssh alternative ports In-Reply-To: References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> <1226478212.491a928492feb@scn.snow.nl> Message-ID: <20081114003832.GE1409@icir.org> On Wed, Nov 12, 2008 at 09:50 +0100, you wrote: > Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports) Have you tried SSH::ssh_ports? Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From rmkml at free.fr Sat Nov 15 07:39:44 2008 From: rmkml at free.fr (rmkml) Date: Sat, 15 Nov 2008 16:39:44 +0100 (CET) Subject: [Bro] ssh alternative ports In-Reply-To: <20081114003832.GE1409@icir.org> References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> <1226478212.491a928492feb@scn.snow.nl> <20081114003832.GE1409@icir.org> Message-ID: Thanks for the reply and sorry for the delay. OK, I have changed the signature to (for example):

30:signature sid-1812 {
31:  ip-proto == tcp
32:  dst-port == SSH::ssh_ports
33:  event "EXPLOIT gobbles SSH exploit attempt"
34:  tcp-state established,originator
35:  payload /.*GOBBLES/
36:}

bro140ipv6 gives an error:

Error in signature (policy/sigs/snort-default.sig:32): unknown script-level identifier (SSH)
Error in signature (policy/sigs/snort-default.sig:32): parse error
Error in signature (policy/sigs/dpd.sig:1): parse error

dpd.sig is unmodified; its first line is: # ALS signatures for protocol detection. Another idea? Regards Rmkml Crusoe-Researches.com On Thu, 13 Nov 2008, Robin Sommer wrote: > Date: Thu, 13 Nov 2008 16:38:32 -0800 > From: Robin Sommer > To: bro at ICSI.Berkeley.EDU, rmkml > Cc: bro at bro-ids.org > Subject: Re: [Bro] ssh alternative ports > > > On Wed, Nov 12, 2008 at 09:50 +0100, you wrote: > >> Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports) > > Have you tried SSH::ssh_ports?
> > Robin > > > -- > Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > From robin at icir.org Sun Nov 16 20:46:02 2008 From: robin at icir.org (Robin Sommer) Date: Sun, 16 Nov 2008 20:46:02 -0800 Subject: [Bro] A few problems starting Bro In-Reply-To: <20081112010706.AFM29438@riddler.int.colorado.edu> References: <20081112010706.AFM29438@riddler.int.colorado.edu> Message-ID: <20081117044602.GA52206@icir.org> On Wed, Nov 12, 2008 at 01:07 -0700, you wrote: > 1. I specified --prefix=/opt/bro/work while compiling Bro and also > during cluster installation. But 'cluster start' command was looking > for cluster.cfg & node.cfg files in /usr/local/etc. Is there a way > to change the path now? You should be able to just reconfigure in aux/cluster with the right prefix and do another "make install" there. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Sun Nov 16 20:47:26 2008 From: robin at icir.org (Robin Sommer) Date: Sun, 16 Nov 2008 20:47:26 -0800 Subject: [Bro] ssh alternative ports In-Reply-To: References: <1226391718.491940a698f4b@scn.snow.nl> <20081112030754.GD22899@icir.org> <1226478212.491a928492feb@scn.snow.nl> <20081114003832.GE1409@icir.org> Message-ID: <20081117044726.GB52206@icir.org> On Sat, Nov 15, 2008 at 16:39 +0100, you wrote: > Error in signature (policy/sigs/snort-default.sig:32): unknown script-level identifier (SSH) > Error in signature (policy/sigs/snort-default.sig:32): parse error > Error in signature (policy/sigs/dpd.sig:1): parse error Oh, that looks like the signature parser can actually not deal with module prefixes. The signatures were there before we introduced modules and it looks like that never got adapted. :-( Something for the todo list. 
Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From pw at seclab.tuwien.ac.at Mon Nov 17 07:31:29 2008 From: pw at seclab.tuwien.ac.at (Peter Wurzinger) Date: Mon, 17 Nov 2008 16:31:29 +0100 Subject: [Bro] How to interpret dropped packets numbers? Message-ID: <49218E51.1080403@seclab.tuwien.ac.at> Hello! I have a simple question concerning the log output of bro in terms of dropped packets.
In my logs I find lines typically looking somewhat like the following:

1226932503.913993:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 27140 received::@f1-2fa2-4a
1226932513.914576:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 25282 received::@f1-2fa2-4b
1226932523.915773:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 28475 received::@f1-2fa2-4c
1226932533.915773:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 29652 received::@f1-2fa2-4d
1226932543.915927:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 23517 received::@f1-2fa2-4e
1226932553.916319:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 25519 received::@f1-2fa2-4f
1226932563.916847:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 packets dropped after filtering, 42911 received::@f1-2fa2-50
1226932573.916864:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 packets dropped after filtering, 24068 received::@f1-2fa2-51
1226932583.916923:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 packets dropped after filtering, 23854 received::@f1-2fa2-52
1226932593.916972:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 26452 received::@f1-2fa2-53
1226932603.917322:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 23351 received::@f1-2fa2-54
1226932613.917342:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 22009 received::@f1-2fa2-55
1226932623.917497:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 24184 received::@f1-2fa2-56
1226932633.918049:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 22079 received::@f1-2fa2-57
1226932643.918297:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 24630 received::@f1-2fa2-58
Obviously, every 10 seconds bro outputs a line with dropped packets information. Unfortunately, I am not sure about how exactly to interpret the numbers. Are they total counts since the beginning of the current bro execution, are they per 10 seconds timeslice, or something even different? I am confused by the fact that the dropped numbers are often the same but never decrease (which points towards a total count), and on the other hand the received numbers behave differently. What exactly does "received" mean? Does this include the dropped packets? I.e., do I need to subtract them if I want to know how many packets have actually been handled and processed by bro? If I wanted to calculate the percentage of dropped packets over the period of a log-file, how would I do it? Regards, Peter. From rmkml at free.fr Tue Nov 18 23:01:28 2008 From: rmkml at free.fr (rmkml) Date: Wed, 19 Nov 2008 08:01:28 +0100 (CET) Subject: [Bro] Bro ids extract and decompress FlateDecode stream on pdf file in http flow ? Message-ID: Hi, Has anyone worked on extracting and decompressing FlateDecode streams of PDF files in HTTP flows? Regards Rmkml Crusoe-Researches.com From robin at icir.org Wed Nov 19 10:05:00 2008 From: robin at icir.org (Robin Sommer) Date: Wed, 19 Nov 2008 10:05:00 -0800 Subject: [Bro] Bro ids extract and decompress FlateDecode stream on pdf file in http flow ? In-Reply-To: References: Message-ID: <20081119180500.GE11405@icir.org> On Wed, Nov 19, 2008 at 08:01 +0100, rmkml wrote: > Has anyone worked on extracting and decompressing FlateDecode > streams of PDF files in HTTP flows? Do you mean extracting "deflate" compressed HTTP bodies? 1.4 is able to do that.
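An added example for Peter's DroppedPackets question above (this is not code from the thread or from the Bro distribution): the notice lines are regular enough to parse, and the data itself shows which of the two numbers behaves like a counter. The script embeds five of the quoted lines as sample input. The thread does not say how the two fields are to be read; the summary assumes that "dropped" is cumulative (it never decreases in the quoted lines) and that "received" is a per-interval count, checks the first assumption against the data instead of taking it for granted, and reports on the second so the reader can judge. The drop percentage is relative to the packets Bro reports as received; whether that figure already includes the drops is exactly what the question leaves open, so treat it as an estimate rather than a measurement.

```python
import re

# Constructed sample: five of the DroppedPackets notice lines quoted in the
# question (the thread shows fifteen; these keep the same shape and values).
SAMPLE_NOTICES = """\
1226932503.913993:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 27140 received::@f1-2fa2-4a
1226932513.914576:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::762 packets dropped after filtering, 25282 received::@f1-2fa2-4b
1226932563.916847:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 packets dropped after filtering, 42911 received::@f1-2fa2-50
1226932573.916864:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1181 packets dropped after filtering, 24068 received::@f1-2fa2-51
1226932593.916972:DroppedPackets:NOTICE_ALARM_ALWAYS:::::::::::1218 packets dropped after filtering, 26452 received::@f1-2fa2-53
"""

# The notice is colon-separated; the two counters live in the free-text message
# field, so they are pulled out of the text rather than by column index.
NOTICE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+):DroppedPackets:.*?"
    r"(?P<dropped>\d+) packets dropped after filtering, "
    r"(?P<received>\d+) received::(?P<tag>\S*)$"
)


def parse_dropped_notices(text):
    """Return [(timestamp, dropped, received), ...] for every DroppedPackets
    line; lines of any other shape are ignored."""
    records = []
    for line in text.splitlines():
        m = NOTICE_RE.match(line.strip())
        if m:
            records.append((float(m["ts"]), int(m["dropped"]), int(m["received"])))
    return records


def is_monotonic(values):
    """True if the sequence never decreases, the signature of a cumulative counter."""
    return all(later >= earlier for earlier, later in zip(values, values[1:]))


def summarize(records):
    """Drop statistics over the logged window.

    Assumption (the thread does not settle it): 'dropped' is a cumulative
    counter, so drops inside the window are last minus first, while 'received'
    is a per-interval count, so the window total is the sum of the reports that
    follow the first one.  The monotonicity check guards the first assumption;
    'received_is_cumulative' reports on the second.
    """
    if len(records) < 2:
        raise ValueError("need at least two reports to bound a window")
    dropped = [r[1] for r in records]
    received = [r[2] for r in records]
    if not is_monotonic(dropped):
        raise ValueError("'dropped' decreases: not a cumulative counter, refusing to guess")
    dropped_in_window = dropped[-1] - dropped[0]
    received_in_window = sum(received[1:])
    drop_pct = (100.0 * dropped_in_window / received_in_window
                if received_in_window else 0.0)
    return {
        "reports": len(records),
        "seconds": records[-1][0] - records[0][0],
        "dropped_in_window": dropped_in_window,
        "received_in_window": received_in_window,
        "drop_pct": drop_pct,  # relative to packets reported as received
        "received_is_cumulative": is_monotonic(received),
    }


if __name__ == "__main__":
    summary = summarize(parse_dropped_notices(SAMPLE_NOTICES))
    for key, value in summary.items():
        print(f"{key:>24}: {value}")
```

On the five sample lines the dropped counter rises from 762 to 1218, so 456 packets were dropped across a window in which 118713 packets were reported received, about 0.38 percent. Run against a full notice log, the ValueError is the useful part: if "dropped" ever decreases, the cumulative reading is wrong and the percentage should not be trusted.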
Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From akkala at Colorado.edu Sat Nov 22 21:57:19 2008 From: akkala at Colorado.edu (Sirisha Akkala) Date: Sat, 22 Nov 2008 22:57:19 -0700 (MST) Subject: [Bro] starting Bro as different user Message-ID: <20081122225719.AFR61220@riddler.int.colorado.edu> Hi, I had installed Bro as root. I have no trouble starting Bro logged in as root. When I try to start Bro logged in as another user id, I get the error below.

[BroCluster] > start
error: cannot aquire lock: [Errno 13] Permission denied: '/opt/bro/work//spool/lock.9215'

Any suggestions to fix this? Thanks, Sirisha. From hall.692 at osu.edu Sun Nov 23 10:02:56 2008 From: hall.692 at osu.edu (Seth Hall) Date: Sun, 23 Nov 2008 13:02:56 -0500 Subject: [Bro] starting Bro as different user In-Reply-To: <20081122225719.AFR61220@riddler.int.colorado.edu> References: <20081122225719.AFR61220@riddler.int.colorado.edu> Message-ID: On Nov 23, 2008, at 12:57 AM, Sirisha Akkala wrote: > [BroCluster] > start > error: cannot aquire lock: [Errno 13] Permission denied: '/opt/bro/ > work//spool/lock.9215' It looks like you ran the cluster shell as root. Just delete the 'lock.9215' file as root and make sure the /opt/bro tree is owned by the user that you'd like to run bro as. .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From masgad at gmail.com Mon Nov 24 07:34:46 2008 From: masgad at gmail.com (M. GAD) Date: Mon, 24 Nov 2008 16:34:46 +0100 Subject: [Bro] Problem running bro.rc --start Message-ID: <5174153c0811240734p43fd2c8bnc93af3b402bf40d1@mail.gmail.com> Hi everybody, I have installed Bro on UBUNTU. When I try to start it with "bro.rc --start", I receive the following error:

bro.rc: Starting ..........bro.rc: Failed to start Bro
line 1: error: can't open hostname.bro
... FAILED

Any help or hint to fix this error? Thank you in advance for your kind help.
Regards, Masgad From pw at iseclab.org Mon Nov 24 09:29:44 2008 From: pw at iseclab.org (Peter Wurzinger) Date: Mon, 24 Nov 2008 18:29:44 +0100 Subject: [Bro] crash with std::bad_alloc In-Reply-To: <20081107071035.GD59911@icir.org> References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org> <4912D3A7.6080206@seclab.tuwien.ac.at> <20081107071035.GD59911@icir.org> Message-ID: <492AE488.4090901@iseclab.org> Hi! I have applied suggestion (a) and set sig_max_group_size = 10. That greatly improved the situation. I have been running Bro with my signature set for a week now without a problem concerning memory (before, it used to crash after hours), and from the prof.log it looks like there is still a lot of headroom. Thanks a bunch! Peter. Robin Sommer wrote: > On Thu, Nov 06, 2008 at 12:23 +0100, you wrote: > >> Memory: total=3126520K total_adj=3116888K malloced: 2878549K > > Yeah, that's a lot ... > >> ".*byte_seq1.*byte_seq2.*byte_seq3.*" > > I'm guessing that these are indeed the problem, assuming there's no > leak somewhere. Having lots of such patterns is essentially the > worst case for a DFA-based pattern matcher (recall that Bro > internally combines many of these into *one* regexp, which will > let the number of states explode). > > Three things you could try: > > (a) there is a tuning option for the signature engine which tells > Bro how many regexps to combine internally into Big Ones. It's > called sig_max_group_size and the default is 50. It might help to > reduce this quite a bit (e.g., 10 or 20). > > (b) you could split each signature into several, one for each > component of the regexp (byte_seq1, byte_seq2, ...), and then either > chain these signatures with requires_signature conditions, or > raise an event for each one individually and correlate the matches > on the script-level to find out when all have matched. Both > approaches have the disadvantage that they don't consider the order > in which the subpatterns appear.
> > (c) this one is kind of scary. :) There's a configure option > --expire-dfa-states which enables some internal code to limit the > size of the DFAs Bro builds (by expiring less frequently used states > and recalculating them later if necessary). Enabling this has quite > a performance impact on the matching process but even worse is > the fact that this option has most likely not been used by anybody > for >5 years ... I'd almost bet it's broken in some way but you can > still give it a try ... > > Robin > From robin at icir.org Mon Nov 24 11:19:50 2008 From: robin at icir.org (Robin Sommer) Date: Mon, 24 Nov 2008 11:19:50 -0800 Subject: [Bro] crash with std::bad_alloc In-Reply-To: <492AE488.4090901@iseclab.org> References: <4911D664.802@seclab.tuwien.ac.at> <20081105175857.GD49777@icir.org> <4912D3A7.6080206@seclab.tuwien.ac.at> <20081107071035.GD59911@icir.org> <492AE488.4090901@iseclab.org> Message-ID: <20081124191950.GB80994@icir.org> On Mon, Nov 24, 2008 at 18:29 +0100, Peter Wurzinger wrote: > I have applied suggestion (a) and set sig_max_group_size = 10. That > greatly improved the situation. I have been running Bro with my > signature set for a week now without a problem concerning memory Great to hear, thanks for the update. Do you see any significant change in CPU usage after the change? I'm wondering whether it might make sense to change the default value.
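Robin's remark, quoted in Peter's message above, that combining many ".*byte_seq1.*byte_seq2.*byte_seq3" patterns into one regexp makes the DFA state count explode can be made concrete with a subset construction. The Python below is an added illustration, not Bro's matcher and not code from this thread. It models each signature as a sequence of distinct tokens separated by ".*" (a token standing in for a whole byte sequence, so the real byte-level automaton has more states still), builds the DFA for the tagged union of a group of such signatures by subset construction, and counts its states; it then repeats the count with the signatures split into fixed-size groups, which is the effect of lowering sig_max_group_size. The signature names and token strings are constructed.

```python
from collections import deque


def dfa_state_count(patterns):
    """Count the DFA states needed to match every pattern in `patterns` at once.

    A pattern is a tuple of tokens standing for the regexp ".*tok1.*tok2.*tok3".
    The matcher has to report which signature matched, so the automaton is the
    tagged union of all patterns: NFA state (i, j) means pattern i has seen its
    first j tokens.  Every NFA state keeps a self-loop on any input (the ".*")
    and advances on its next expected token.  Subset construction then gives
    the DFA; only reachable subsets are generated.
    """
    alphabet = {tok for p in patterns for tok in p}
    alphabet.add(None)  # stands for any token that belongs to no pattern
    start = frozenset((i, 0) for i in range(len(patterns)))
    seen = {start}
    work = deque([start])
    while work:
        state = work.popleft()
        for tok in alphabet:
            nxt = set(state)  # the ".*" self-loops keep every position alive
            for i, j in state:
                if j < len(patterns[i]) and patterns[i][j] == tok:
                    nxt.add((i, j + 1))
            nxt = frozenset(nxt)
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return len(seen)


def grouped_state_count(patterns, group_size):
    """Total states when the patterns are compiled `group_size` at a time, one
    DFA per group, which is what sig_max_group_size controls in Bro."""
    if group_size < 1:
        raise ValueError("group_size must be at least 1")
    return sum(dfa_state_count(patterns[k:k + group_size])
               for k in range(0, len(patterns), group_size))


def synthetic_signatures(n, tokens_per_sig=3):
    """n constructed signatures of the ".*seq1.*seq2.*seq3" shape whose tokens
    are pairwise distinct: the worst case, since no prefix sharing is possible."""
    return [tuple(f"sig{i}_seq{j}" for j in range(tokens_per_sig)) for i in range(n)]


def growth_table(max_n, group_size):
    """[(n, states as one DFA, states as groups of group_size), ...]."""
    rows = []
    for n in range(1, max_n + 1):
        sigs = synthetic_signatures(n)
        rows.append((n, dfa_state_count(sigs), grouped_state_count(sigs, group_size)))
    return rows


if __name__ == "__main__":
    for n, combined, grouped in growth_table(6, 2):
        print(f"{n} signatures: one DFA = {combined} states, groups of 2 = {grouped} states")
```

With three tokens per signature the single DFA grows as 4^n (4, 16, 64, 256, ...), while n groups of one signature need only 4n states. That is the trade option (a) makes: more automata to step per byte, far fewer states to hold in memory. Signatures that share tokens need fewer states than the worst case, which the subset construction shows directly: two identical two-token patterns compile to three states, not nine.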
Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From jean-philippe.luiggi at didconcept.com Tue Nov 25 04:41:16 2008 From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Tue, 25 Nov 2008 07:41:16 -0500 Subject: [Bro] Problem running bro.rc --start In-Reply-To: <5174153c0811240734p43fd2c8bnc93af3b402bf40d1@mail.gmail.com> References: <5174153c0811240734p43fd2c8bnc93af3b402bf40d1@mail.gmail.com> Message-ID: <20081125074116.4086087d@mygw.lan.mynetwork.local> On Mon, 24 Nov 2008 16:34:46 +0100 "M. GAD" wrote: > Hi everybody, > I have installed Bro on UBUNTU. When I try to start it with "bro.rc > --start", I receive the following error: > > bro.rc: Starting ..........bro.rc: Failed to start Bro > line 1: error: can't open hostname.bro > ... FAILED > > > Any help or hint to fix this error? > Thank you in advance for your kind help.
> > Regards, > Masgad > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. Hello, Just take a look at the file "bro.cfg" and search for

===
# Bro policy paths
BROPATH="/opt/share/bro-1.4/site:/opt/share/bro-1.4/share/bro:/opt/share/bro-1.4/share/bro/sigs:/opt/share/bro-1.4/share/bro/time-machine"
export BROPATH
===

Check that "hostname.bro" is in one of these directories; if not, create it. Hope this will help. With regards, Jean-Philippe. From masgad at gmail.com Tue Nov 25 09:29:39 2008 From: masgad at gmail.com (M. GAD) Date: Tue, 25 Nov 2008 18:29:39 +0100 Subject: [Bro] Problem running bro.rc --start In-Reply-To: <20081125074116.4086087d@mygw.lan.mynetwork.local> References: <5174153c0811240734p43fd2c8bnc93af3b402bf40d1@mail.gmail.com> <20081125074116.4086087d@mygw.lan.mynetwork.local> Message-ID: <5174153c0811250929l1d2df394q86b1623e0b282ae5@mail.gmail.com> Thank you all for your replies. I tried to compile Bro 1.4 on my Ubuntu following the link recommended by Sirisha Akkala: http://blog.ncsa.uiuc.edu/aashish/2008/10/21/moving-to-bro-14/ I had so many problems with autoconf and sisters; I managed to resolve them all but the one related to autoheader. It seems that Bro is more adapted for FreeBSD installations. I will try your suggestions later, hoping that it can be done directly with "./configure & make" without needing autoconf. Best regards, Masgad On Tue, Nov 25, 2008 at 1:41 PM, jean-philippe luiggi wrote: > On Mon, 24 Nov 2008 16:34:46 +0100 > "M. GAD" wrote: > >> Hi everybody, >> I have installed Bro on UBUNTU. When I try to start it with "bro.rc >> --start", I receive the following error: >> >> bro.rc: Starting ..........bro.rc: Failed to start Bro >> line 1: error: can't open hostname.bro >> ...
FAILED >> >> >> Any help or hint to fix this error? >> Thank you in advance for your kind help. >> >> Regards, >> Masgad >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. > > Hello, > > Just take a look at the file "bro.cfg" and search for > > === > # Bro policy paths > BROPATH="/opt/share/bro-1.4/site:/opt/share/bro-1.4/share/bro:/opt/share/bro-1.4/share/bro/sigs:/opt/share/bro-1.4/share/bro/time-machine" > export BROPATH > === > > Check that "hostname.bro" is in one of these directories, if not create > it. > > Hope this will help. > > With regards, > > Jean-Philippe. > > From jwebster at es.net Sat Nov 29 14:58:13 2008 From: jwebster at es.net (John Webster) Date: Sat, 29 Nov 2008 14:58:13 -0800 Subject: [Bro] Bro 1.4 no ChangeLog? Message-ID: <63BD7E813D29B2195D58F9FC@jw-laptop.local> The link to the change log on the download page points to nothing. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081129/d08ee2da/attachment.bin From vern at icir.org Sat Nov 29 15:31:49 2008 From: vern at icir.org (Vern Paxson) Date: Sat, 29 Nov 2008 15:31:49 -0800 Subject: [Bro] Bro 1.4 no ChangeLog? In-Reply-To: <63BD7E813D29B2195D58F9FC@jw-laptop.local> (Sat, 29 Nov 2008 14:58:13 PST). Message-ID: <200811292331.mATNVsOj019558@pork.ICSI.Berkeley.EDU> > The link to the change log on the download page points to nothing. Do you mean off of http://www.bro-ids.org/download.html ? It works for me, but it's an FTP URL, so perhaps your browser isn't able to fetch it due to firewalling/NATing. I've created a symlink so that http://bro-ids.org/bro-change-log.txt should now work too. 
Give it a try, and if it does I'll change the page to use that instead.

		Vern

From robin at icir.org Sat Nov 29 15:37:44 2008
From: robin at icir.org (Robin Sommer)
Date: Sat, 29 Nov 2008 15:37:44 -0800
Subject: [Bro] Bro 1.4 no ChangeLog?
In-Reply-To: <63BD7E813D29B2195D58F9FC@jw-laptop.local>
References: <63BD7E813D29B2195D58F9FC@jw-laptop.local>
Message-ID: <20081129233744.GF53851@icir.org>

On Sat, Nov 29, 2008 at 14:58 -0800, John Webster wrote:

> The link to the change log on the download page points to nothing.

Can't confirm that. It points to ftp://bro-ids.org/bro-change-log.txt
and that works for me.

Robin

From jwebster at es.net Sat Nov 29 17:31:15 2008
From: jwebster at es.net (John Webster)
Date: Sat, 29 Nov 2008 17:31:15 -0800
Subject: [Bro] Bro 1.4 no ChangeLog?
In-Reply-To: <200811292331.mATNVsOj019558@pork.ICSI.Berkeley.EDU>
References: <200811292331.mATNVsOj019558@pork.ICSI.Berkeley.EDU>
Message-ID: <2355DCE7C75F2A89CCA716AE@jw-laptop.local>

I'm sorry. You're absolutely correct. It was my host firewall.
Sorry for the bother.

jw

--On November 29, 2008 3:31:49 PM -0800 Vern Paxson wrote:

>> The link to the change log on the download page points to nothing.
>
> Do you mean off of http://www.bro-ids.org/download.html ? It works for
> me, but it's an FTP URL, so perhaps your browser isn't able to fetch it
> due to firewalling/NATing.
>
> I've created a symlink so that http://bro-ids.org/bro-change-log.txt should
> now work too. Give it a try, and if it does I'll change the page to use
> that instead.
>
> Vern
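The "can't open hostname.bro" thread above ends with the advice to look at the BROPATH line in bro.cfg, check each listed directory for the file, and create it if it is missing. The script below is an added example written for this page; it is not part of Bro 1.4 and was not posted by anyone in the thread. It automates that check in POSIX sh and goes one step further than the thread does: because everything Bro finds on BROPATH is loaded and run as policy, it also reports any search-path directory that is writable by everyone. The directory layout, the throwaway path under mktemp and the file names in demo() are constructed for the demonstration; on a real installation, export BROPATH the way bro.cfg does and pass only the file name.

```shell
#!/bin/sh
# Added example, not Bro project code: locate a policy file on the
# colon-separated BROPATH from bro.cfg, create it in the site directory
# if it is missing, and flag world-writable search-path entries.

# Print the first BROPATH directory containing $1; return 1 if none does.
# $2 overrides $BROPATH so the function can be run against a test path.
find_on_bropath() {
    file=$1
    path=${2:-$BROPATH}
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue          # skip empty entries
        if [ -f "$dir/$file" ]; then
            printf '%s\n' "$dir/$file"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Make sure $1 exists somewhere on the path. If it does not, create an
# empty policy file in the first entry (the site directory in the bro.cfg
# quoted in the thread) and print the path that was created.
ensure_policy_file() {
    file=$1
    path=${2:-$BROPATH}
    if found=$(find_on_bropath "$file" "$path"); then
        printf '%s\n' "$found"
        return 0
    fi
    site_dir=${path%%:*}
    [ -n "$site_dir" ] || return 1
    : > "$site_dir/$file" || return 1
    printf '%s\n' "$site_dir/$file"
}

# Print every existing path entry that is world-writable (mode o+w) and
# return 1 if any was found. Policy in such a directory can be replaced
# by any local user before Bro loads it.
world_writable_entries() {
    path=${1:-$BROPATH}
    bad=0
    old_ifs=$IFS
    IFS=:
    for dir in $path; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        # -prune keeps find from descending; -perm -002 matches o+w.
        if [ -n "$(find "$dir" -prune -type d -perm -002 -print)" ]; then
            printf '%s\n' "$dir"
            bad=1
        fi
    done
    IFS=$old_ifs
    return $bad
}

# Stand-alone demonstration on a constructed, throwaway path (not a real
# Bro installation): the file is first missing, then created, then found,
# and one directory is deliberately left world-writable to show the check.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/site" "$tmp/share/bro" "$tmp/share/bro/sigs"
    chmod 777 "$tmp/share/bro/sigs"      # deliberately wrong permissions
    demo_path="$tmp/site:$tmp/share/bro:$tmp/share/bro/sigs"
    find_on_bropath hostname.bro "$demo_path" \
        || echo "hostname.bro: not found on BROPATH"
    ensure_policy_file hostname.bro "$demo_path"
    find_on_bropath hostname.bro "$demo_path"
    world_writable_entries "$demo_path" \
        || echo "world-writable directories on BROPATH (listed above)"
    rm -rf "$tmp"
}

demo
```

On a real host, source the script and call find_on_bropath hostname.bro with BROPATH exported; a non-zero return means Bro will fail exactly as in the thread, and ensure_policy_file will create the missing file in the first BROPATH entry. Treat anything printed by world_writable_entries as a configuration error to fix before starting Bro, not as a warning to silence.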