From pachinko.tw at gmail.com Thu Oct 2 02:15:07 2008 From: pachinko.tw at gmail.com (Po-Ching Lin) Date: Thu, 02 Oct 2008 17:15:07 +0800 Subject: [Bro] Bro 1.4, another pre-release In-Reply-To: <20080811231016.GC5066@icir.org> References: <200808010619.m716JHId001843@pork.ICSI.Berkeley.EDU> <20080811231016.GC5066@icir.org> Message-ID: <48E4911B.2050709@gmail.com> I got an error message when executing the pre-release with icmp.bro. [pclin at roland bin]$ ./bro -r ~/http.trace icmp ../share/bro/conn.bro, line 332: error: unknown identifier Hot::check_hot, at or near "Hot::check_hot" The export of the Hot::check_hot looks normal. Did I miss anything, or is it a bug? Po-Ching Robin Sommer mentioned: > We have made another Bro 1.4 pre-release available at > > http://www.icir.org/robin/tmp/bro-1.4.prerelease.1.tar.gz > > Let us know if you encounter anything unexpected. > > Since the earlier pre-release, some minor issues have been fixed > (mainly platform incompatibilities). > > Robin > > From rreitz at fnal.gov Thu Oct 2 13:18:30 2008 
From: rreitz at fnal.gov (Randolph Reitz) Date: Thu, 02 Oct 2008 15:18:30 -0500 Subject: [Bro] Connection records in a database? Message-ID: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> I want to stuff connections records into a relational database (likely postgres). Has anyone done this? My first shot will be to write a simple python process that tails the conn.* log file and inserts records. I'm wondering if there is a more elegant way to collect and insert connection records? As far as motivation, at FNAL we have an issue tracking system which includes email notification. I would like to use bro to find 'issues' and then create an event in the issue tracking system. The tracking system workflow will resolve a local IP address into a specific machine, find the registered user(s) and send a notification email (informational, warning, critical). It would be useful if this email contained a list of recent connections for the system. This would help the recipient understand what recent computer use caused the network activity that triggered the issue. Hence, having recent connections in a database would be helpful. I think time machine might be too much. Currently I'm thinking of saving a small time period - say a rolling week's worth of connections (or whatever fits). I've previously used splunk (http://www.splunk.com) to suck in connection records for later searches. This worked, however splunk introduced a delay in retrieval that caused problems formatting the notification email. Thanks, Randy Reitz Fermilab From hall.692 at osu.edu Thu Oct 2 20:00:44 2008 
From: hall.692 at osu.edu (Seth Hall) Date: Thu, 2 Oct 2008 23:00:44 -0400 Subject: [Bro] Connection records in a database? In-Reply-To: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> Message-ID: On Oct 2, 2008, at 4:18 PM, Randolph Reitz wrote: > I want to stuff connections records into a relational database (likely > postgres). Has anyone done this? I don't push my connection records, but I'm pushing a number of my other logs into postgres. > My first shot will be to write a simple python process that tails the > conn.* log file and inserts records. I'm wondering if there is a more > elegant way to collect and insert connection records? I have a threaded ruby script that uses the "COPY FROM" technique to push blocks of rows into the database. It's still early and messy, but it does work fairly well and it keeps up with a brisk pace of INSERTs. I'm going to get started on a C or C++ application soon that will use Broccoli to listen to some event which would be intended for database logging. You would have to run a Bro script that would throw the database logging event for each connection, but that should be fairly easy to write. We'll see how far I make it with that. :) .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From sychan at lbl.gov Fri Oct 3 00:06:39 2008 From: sychan at lbl.gov (Stephen Chan) Date: Fri, 03 Oct 2008 00:06:39 -0700 Subject: [Bro] Connection records in a database? In-Reply-To: References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> Message-ID: <48E5C47F.4000301@lbl.gov> Seth Hall wrote: > > I'm going to get started on a C or C++ application soon that will use > Broccoli to listen to some event which would be intended for database > logging. Hi Seth, I've got one written already, if you're interested I can send you the source. Steve From hall.692 at osu.edu Fri Oct 3 04:20:40 2008 
From: hall.692 at osu.edu (Seth Hall) Date: Fri, 3 Oct 2008 07:20:40 -0400 Subject: [Bro] Connection records in a database? In-Reply-To: <48E5C47F.4000301@lbl.gov> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E5C47F.4000301@lbl.gov> Message-ID: On Oct 3, 2008, at 3:06 AM, Stephen Chan wrote: > Seth Hall wrote: >> >> I'm going to get started on a C or C++ application soon that will use >> Broccoli to listen to some event which would be intended for database >> logging. > Hi Seth, > I've got one written already, if you're interested I can send you > the source. Please! I actually just wrote one which is getting close to working, but I'd be happy to see your implementation. .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From cjmanders at gmail.com Fri Oct 3 09:26:21 2008 
From: cjmanders at gmail.com (Christopher Jay Manders) Date: Fri, 3 Oct 2008 09:26:21 -0700 Subject: [Bro] Connection records in a database? In-Reply-To: References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E5C47F.4000301@lbl.gov> Message-ID: Hi, I have written a similar program in C. It imports over 2 Mill. connection log lines in just about 20 minutes. Other scripted methods, such as via Perl, appear to take a bit more time, CPU and RAM, which is why I chose C. It parses logs (conn.log only right now) from Bro and puts the contents into MySQL. The code is autoconf'ed, so you might want to give it a try. I also include the SQL Table layout I used. I have the code up here: https://sourceforge.net/projects/bro-tools/ HTH Cheers! --Christopher On Fri, Oct 3, 2008 at 4:20 AM, Seth Hall wrote: > > On Oct 3, 2008, at 3:06 AM, Stephen Chan wrote: > > > Seth Hall wrote: > >> > >> I'm going to get started on a C or C++ application soon that will use > >> Broccoli to listen to some event which would be intended for database > >> logging. > > Hi Seth, > > I've got one written already, if you're interested I can send you > > the source. > > > Please! I actually just wrote one which is getting close to working, > but I'd be happy to see your implementation. > > .Seth > > --- > Seth Hall > Network Security - Office of the CIO > The Ohio State University > Phone: 614-292-9721 > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081003/f9faeeec/attachment.html From hall.692 at osu.edu Fri Oct 3 09:32:45 2008 
From: hall.692 at osu.edu (Seth Hall) Date: Fri, 3 Oct 2008 12:32:45 -0400 Subject: [Bro] Connection records in a database? In-Reply-To: References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E5C47F.4000301@lbl.gov> Message-ID: <56730D35-9F04-4A37-B978-1D8D807E4332@osu.edu> On Oct 3, 2008, at 12:26 PM, Christopher Jay Manders wrote: > I have the code up here: https://sourceforge.net/projects/bro-tools/ I'm not seeing any files there. .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From cjmanders at gmail.com Fri Oct 3 10:52:58 2008 From: cjmanders at gmail.com (Christopher Jay Manders) Date: Fri, 3 Oct 2008 10:52:58 -0700 Subject: [Bro] Connection records in a database? In-Reply-To: <56730D35-9F04-4A37-B978-1D8D807E4332@osu.edu> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E5C47F.4000301@lbl.gov> <56730D35-9F04-4A37-B978-1D8D807E4332@osu.edu> Message-ID: Hi Seth, My error. I have associated the file with the release at: http://sourceforge.net/projects/bro-tools/ . HTH Cheers! --Christopher On Fri, Oct 3, 2008 at 9:32 AM, Seth Hall wrote: > > On Oct 3, 2008, at 12:26 PM, Christopher Jay Manders wrote: > > I have the code up here: https://sourceforge.net/projects/bro-tools/ >> > > > I'm not seeing any files there. > > > .Seth > > --- > Seth Hall > Network Security - Office of the CIO > The Ohio State University > Phone: 614-292-9721 > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081003/8244b714/attachment.html From Leonardo.Francalanci at commprove.com Fri Oct 3 11:37:56 2008 
From: Leonardo.Francalanci at commprove.com (Leonardo Francalanci) Date: Fri, 3 Oct 2008 19:37:56 +0100 Subject: [Bro] about binpac processchunk Message-ID: Hi, I'm using http://bro-ids.org/wiki/index.php/BinPAC_Userguide to build an http parser. 1) binpac_pcre.h, as specified in the doc, doesn't compile; there is a double "}" at the end of int Compile() { 2) I can't use "processchunk" as described in "binpac: A yacc for Writing Application Protocol Parsers" because I get: ./http-protocol.pac:114: syntax error, at or near "&" (yychar=38) where line 114 is: &processchunk($context.flow.process_body($chunk)); I couldn't find (using grep) any reference to the string "processchunk" in the sources. How am I supposed to read the $chunk buffer of the body? Thank you Leonardo From cjmanders at gmail.com Fri Oct 3 14:10:41 2008 
From: cjmanders at gmail.com (Christopher Jay Manders) Date: Fri, 3 Oct 2008 14:10:41 -0700 Subject: [Bro] A replacement for bro.rc (Bro-Lite): bw (Bro-Watcher) Message-ID: Hi All, I spent a bit of time coding up a replacement for the bro.rc script (in C, instead of shell or Perl code) due to our issues with it here at UCSF. Basically, bw (Bro Watcher) handles only: Start, Stop and Checkpointing of the Bro process. It watches for Bro and if it dies it cleans up and restarts cleanly. It reads in a bw.cfg file and then instantiates bro, assuming bw.cfg has all of the correct stuff. It cleans itself up nicely, is small, and responds to kill signals (1/HUP causes an immediate checkpointing to occur, kill alone kills both bw and any running bro process, a 9 signal causes bw to leave bro running while killing itself). This is a preliminary version, but works fairly well and we are testing it out currently. I wanted to release it to get any feedback or improvements, ideas, etc. I hope it is useful to others. Please let me know what thoughts folks have about the framework, code, etc. The code is available here: http://sourceforge.net/projects/bro-tools/ Cheers! --Christopher -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081003/aeecbc3f/attachment.html From mel at hackinthebox.org Fri Oct 3 23:53:14 2008 
From: mel at hackinthebox.org (mel) Date: Sat, 04 Oct 2008 14:53:14 +0800 Subject: [Bro] Connection records in a database? In-Reply-To: References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> Message-ID: <48E712DA.4000201@hackinthebox.org> Seth Hall wrote: >> My first shot will be to write a simple python process that tails the >> conn.* log file and inserts records. I'm wondering if there is a more >> elegant way to collect and insert connection records? I have something[1] similar written late last year, which parses Bro logs and inserts the data to PostgreSQL[2]. I also have an extremely alpha version of the web frontend, written in PHP with Symfony framework. I stopped working on it (due to work commitment, mainly) after realizing that the best way to do it is by using Broccoli - which up until now I haven't got around to do. > I'm going to get started on a C or C++ application soon that will use > Broccoli to listen to some event which would be intended for database > logging. You would have to run a Bro script that would throw the > database logging event for each connection, but that should be fairly > easy to write. We'll see how far I make it with that. :) Keep us updated! > Seth Hall --mel [1] http://security.org.my/brologs2db.rb [2] http://security.org.my/brodb.sql.txt From has2an1 at yahoo.com Sat Oct 4 08:16:47 2008 
From: has2an1 at yahoo.com (hasssan ibra) Date: Sat, 4 Oct 2008 08:16:47 -0700 (PDT) Subject: [Bro] (no subject) Message-ID: <340964.41126.qm@web37606.mail.mud.yahoo.com> Hi, I'm a new user to Linux, I'm using Ubuntu 8.0.4 with its KDE. I have these two questions: do you know how I can share the logs folder in Bro to read its files from a program in Windows? Can this Bro IDS give me the connections in XML so I can get it from the share to use it in my C# program? I will be very grateful if you helped me. Thanks in advance for your help, Hassan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081004/19c9e028/attachment.html From taosecurity at gmail.com Sat Oct 4 13:22:13 2008 From: taosecurity at gmail.com (Richard Bejtlich) Date: Sat, 4 Oct 2008 16:22:13 -0400 Subject: [Bro] Connection records in a database? In-Reply-To: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> Message-ID: <120ef0530810041322t4294c6f7q98b63c7d78db6348@mail.gmail.com> On Thu, Oct 2, 2008 at 4:18 PM, Randolph Reitz wrote: > I think time machine might be too much. Currently I'm thinking of > saving a small time period - say a rolling week's worth of connections > (or whatever fits). I've previously used splunk (http:// > www.splunk.com) to suck in connection records for later searches. This > worked, however splunk introduced a delay in retrieval that caused > problems formatting the notification email. > > Thanks, > Randy Reitz > Fermilab Randy, Can you or anyone else add details on your experiences using Bro with Splunk? I'm considering pairing the two. Thank you, Richard From vern at icir.org Sat Oct 4 13:50:57 2008 
From: vern at icir.org (Vern Paxson) Date: Sat, 04 Oct 2008 13:50:57 -0700 Subject: [Bro] Bro 1.4, another pre-release In-Reply-To: <48E4911B.2050709@gmail.com> (Thu, 02 Oct 2008 17:15:07 +0800). Message-ID: <200810042050.m94KoxuI008924@pork.ICSI.Berkeley.EDU> > [pclin at roland bin]$ ./bro -r ~/http.trace icmp > ../share/bro/conn.bro, line 332: error: unknown identifier > Hot::check_hot, at or near "Hot::check_hot" Thanks for flagging this. It's a bug, and the upcoming 1.4 release will include a fix for it (which, weirdly, is to remove the @load of conn.bro from notice-action-filters.bro). Vern From vern at icir.org Sat Oct 4 16:31:41 2008 From: vern at icir.org (Vern Paxson) Date: Sat, 04 Oct 2008 16:31:41 -0700 Subject: [Bro] Connection records in a database? In-Reply-To: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> (Thu, 02 Oct 2008 15:18:30 CDT). Message-ID: <200810042331.m94NVhV1010558@pork.ICSI.Berkeley.EDU> > I want to stuff connections records into a relational database (likely > postgres). Has anyone done this? Note, we have a significant research project underway for exporting Bro events into a high-performance database for purposes of both forensics and real-time detection of previously described activity. We describe the vision in our recent HotSecurity paper: http://www.icir.org/vern/papers/awareness-hotsec08/index.html The underlying technology is partially implemented, but won't be ready for use by others for a good while. Vern From vern at icir.org Sat Oct 4 16:34:24 2008 
From: vern at icir.org (Vern Paxson) Date: Sat, 04 Oct 2008 16:34:24 -0700 Subject: [Bro] (no subject) In-Reply-To: <340964.41126.qm@web37606.mail.mud.yahoo.com> (Sat, 04 Oct 2008 08:16:47 PDT). Message-ID: <200810042334.m94NYQPY010587@pork.ICSI.Berkeley.EDU> > do you know how I can share the logs folder in Bro to read its files from > a program in windows?? That question is pretty much out of scope for this list, since it's really about interfacing Linux to Windows, rather than about Bro. > can this Bro IDS give me the connections in a XML so I can get it from share to use it by > my C# programm?? Such a capability would definitely be useful, but is not currently supported. You could however write a wrapper that reads Bro's ASCII connection log entries and recodes them as XML - that should be fairly straight-forward to implement. Vern From has2an1 at yahoo.com Sun Oct 5 15:03:58 2008 
From: has2an1 at yahoo.com (hasssan ibra) Date: Sun, 5 Oct 2008 15:03:58 -0700 (PDT) Subject: [Bro] (no subject) Message-ID: <149130.96878.qm@web37603.mail.mud.yahoo.com> Hi to All, does anybody know how I can get the hot attribute from the connection record structure to be a column in the connection log file, and also the same for the attribute logged_in, which determines whether the host is logged in ( 1 ) or not ( 0 )? To be more clear, I'm trying to get a log file from Bro which is similar to the KDD'99 data set. It has these attributes: duration, protocol_type, theService, flag (== state in Bro connection record struct), src_bytes, dst_bytes, hot, logged_in, theCount, srv_count, serror_rate, rerror_rate, srv_rerror_rate, same_srv_rate, diff_srv_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_rerror_rate, dst_host_srv_rerror_rate, attack_type and many others. The red attributes are important to me, and natively this dataset is generated by using Bro and another program. I will be very grateful if you helped me. Thanks in advance for your help, Hassan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081005/827076dc/attachment.html From talebihossain at gmail.com Mon Oct 6 01:12:23 2008 From: talebihossain at gmail.com (hossein talebi) Date: Mon, 6 Oct 2008 11:42:23 +0330 Subject: [Bro] offline analysis Message-ID: <4806f1a30810060112u1a3d771cs6adcd0e4d466f123@mail.gmail.com> How do I perform offline analysis and view analysis statistics? -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081006/56f9baa6/attachment.html From hall.692 at osu.edu Mon Oct 6 08:04:55 2008 
From: hall.692 at osu.edu (Seth Hall) Date: Mon, 6 Oct 2008 11:04:55 -0400 Subject: [Bro] Connection records in a database? In-Reply-To: <48E712DA.4000201@hackinthebox.org> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E712DA.4000201@hackinthebox.org> Message-ID: <991ACE0A-1DC4-44FC-A71D-B4C211538339@osu.edu> On Oct 4, 2008, at 2:53 AM, mel wrote: > I have something[1] similar written late last year, which parses Bro > logs and inserts the data to PostgreSQL[2]. I also have an extremely > alpha version of the web frontend, written in PHP with Symfony > framework. Nice! I'd be interested to take a look at it. I've been working on something similar recently. I checked out your log importer too, but I noticed that you're doing individual inserts for each record. In my testing, doing individual inserts doesn't scale for high data rates, the database can't insert data quickly enough. I have been using the COPY [1] method for inserting data in batches and it turns out that even at high data rates the database can keep up just fine. >> I'm going to get started on a C or C++ application soon that will use >> Broccoli to listen to some event which would be intended for database >> logging. You would have to run a Bro script that would throw the >> database logging event for each connection, but that should be fairly >> easy to write. We'll see how far I make it with that. :) > > Keep us updated! On Friday, I got an initial version of my C++ database logger functioning. :) Here's how it will work... In your bro scripts, you'll call something like this (field names and values don't have to have the same name)... event db_log("http_logs", [$orig_h=orig_h, $resp_h=resp_h, $resp_p=resp_p, $method=method, $url=url]); The database logger will listen for the db_log event and dynamically create the following SQL query... 
COPY http_logs (orig_h, resp_h, resp_p, method, url) FROM STDIN Every time the db_log event is called for that table, it will send another row of data to the database. Once a certain number of rows have been pushed to the database it will end the COPY query and all of the data you have already pushed to the database will be inserted. The COPY query will then be executed again and the cycle repeats. For any data you want to insert to a database, all you have to do is make sure that your database has the necessary fields in it, then throw the proper db_log event. I'll be releasing the code under the BSD license as soon as I get a few more features added to it. .Seth [1] http://www.postgresql.org/docs/current/static/libpq-copy.html#LIBPQ-COPY-SEND --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From Leonardo.Francalanci at commprove.com Mon Oct 6 08:12:40 2008 From: Leonardo.Francalanci at commprove.com (Leonardo Francalanci) Date: Mon, 6 Oct 2008 16:12:40 +0100 Subject: [Bro] about binpac processchunk In-Reply-To: References: Message-ID: Anyone? How are you supposed to process chunks of data from binpac? -----Original Message----- 
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Leonardo Francalanci Sent: Friday 3 October 2008 13.38 To: bro at ICSI.Berkeley.EDU Subject: [Bro] about binpac processchunk Hi, I'm using http://bro-ids.org/wiki/index.php/BinPAC_Userguide to build an http parser. 1) binpac_pcre.h, as specified in the doc, doesn't compile; there is a double "}" at the end of int Compile() { 2) I can't use "processchunk" as described in "binpac: A yacc for Writing Application Protocol Parsers" because I get: ./http-protocol.pac:114: syntax error, at or near "&" (yychar=38) where line 114 is: &processchunk($context.flow.process_body($chunk)); I couldn't find (using grep) any reference to the string "processchunk" in the sources. How am I supposed to read the $chunk buffer of the body? Thank you Leonardo _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From robin at icir.org Mon Oct 6 09:24:37 2008 From: robin at icir.org (Robin Sommer) Date: Mon, 6 Oct 2008 09:24:37 -0700 Subject: [Bro] Connection records in a database? In-Reply-To: <991ACE0A-1DC4-44FC-A71D-B4C211538339@osu.edu> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E712DA.4000201@hackinthebox.org> <991ACE0A-1DC4-44FC-A71D-B4C211538339@osu.edu> Message-ID: <20081006162437.GD44710@icir.org> On Mon, Oct 06, 2008 at 11:04 -0400, Seth Hall wrote: > event db_log("http_logs", [$orig_h=orig_h, $resp_h=resp_h, > $resp_p=resp_p, $method=method, $url=url]); > > The database logger will listen for the db_log event and dynamically > create the following SQL query... I like this approach! Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From jean-philippe.luiggi at didconcept.com Mon Oct 6 18:52:03 2008 
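The pieces discussed in this thread, Randy's tail-the-conn.log-and-insert process, Seth's batching through a single COPY ... FROM STDIN instead of one INSERT per record, and Seth's db_log(table, record) event that builds the COPY statement from the record's field names, worked through as an added Python example. This is not code from Bro, Broccoli or anyone on the list. It assumes a 12-column Bro 1.x conn.log layout (ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, state, flags, then optional free text) with '?' for unknown values, which the page does not spell out, and it takes a caller-supplied sink in place of the real database call so it runs offline; the sample log lines are constructed.

```python
"""Tail a Bro 1.x conn.log and batch its records into PostgreSQL with COPY.
Added example for this thread, not code from Bro or anyone on the list.
Assumed because the page does not state it: the column layout in CONN_FIELDS,
'?' meaning "unknown", and a caller-supplied sink in place of psycopg2."""
import os
import time

# Assumed Bro 1.x conn.log column order; verify it against your own conn.log.
CONN_FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p",
               "resp_p", "proto", "orig_bytes", "resp_bytes", "state", "flags")
# Constructed sample lines in that layout (not real traffic).
SAMPLE_CONN_LOG = (
    "931803523.006848 6.374 158.61.35.54 158.61.35.114 http 2264 80 tcp 225 401 SF L\n"
    "931803524.000000 ? 158.61.35.54 10.0.0.9 other 40000 53 udp ? ? S0 L\n"
    "931803525.500000 0.010 10.0.0.7 10.0.0.9 ssh 51234 22 tcp 1 1 REJ L evil\\path\n"
)

def parse_conn_line(line):
    """Dict for one conn.log line; None for blank, comment or short lines.
    '?' (unknown) becomes None so it is loaded as SQL NULL."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(CONN_FIELDS):
        return None
    rec = {k: (None if v == "?" else v) for k, v in zip(CONN_FIELDS, parts)}
    rec["addl"] = " ".join(parts[len(CONN_FIELDS):]) or None  # trailing free text
    return rec

def copy_escape(value):
    """Encode one value for COPY ... FROM STDIN text format (NULL -> \\N;
    backslash, tab, newline, CR escaped).  Without this, attacker-influenced
    text in 'addl' could inject extra columns or rows into the batch."""
    if value is None:
        return "\\N"
    return (str(value).replace("\\", "\\\\").replace("\t", "\\t")
            .replace("\n", "\\n").replace("\r", "\\r"))

class DbLogger:
    """Takes db_log(table, record) calls, the shape of Seth Hall's proposed
    event, and flushes each table's rows in batches through one COPY
    statement rather than one INSERT per record."""
    def __init__(self, sink, batch_size=1000):
        # sink(sql, columns, data): with psycopg2 this would be
        # cur.copy_expert(sql, io.StringIO(data)) followed by conn.commit().
        self.sink = sink
        self.batch_size = batch_size
        self.pending = {}  # table -> (columns, [escaped rows])

    @staticmethod
    def copy_statement(table, columns):
        quote = lambda ident: '"%s"' % ident.replace('"', '""')
        return "COPY %s (%s) FROM STDIN" % (quote(table), ", ".join(map(quote, columns)))

    def db_log(self, table, record):
        columns = tuple(record)
        cols, rows = self.pending.setdefault(table, (columns, []))
        if cols != columns:  # one COPY batch must keep one column list
            raise ValueError("column set changed for table %r" % table)
        rows.append("\t".join(copy_escape(record[c]) for c in columns))
        if len(rows) >= self.batch_size:
            self.flush(table)

    def flush(self, table=None):
        """End the COPY for one table (or all) and hand the batch to the sink."""
        for t in [table] if table else list(self.pending):
            cols, rows = self.pending.pop(t, ((), []))
            if rows:
                self.sink(self.copy_statement(t, cols), cols, "\n".join(rows) + "\n")

def follow(path, poll=0.5, idle_limit=None):
    """Yield complete lines appended to path, like tail -f.  Restarts at
    offset 0 if the file shrinks (rotation by truncation); stops after
    idle_limit seconds without new data when idle_limit is set."""
    with open(path) as f:
        f.seek(0, os.SEEK_END)
        buf, idle = "", 0.0
        while True:
            chunk = f.readline()
            if chunk:
                buf, idle = buf + chunk, 0.0
                if buf.endswith("\n"):  # hand out whole lines only
                    yield buf
                    buf = ""
                    continue
            elif os.path.getsize(path) < f.tell():
                f.seek(0)
                buf = ""
                continue
            if idle_limit is not None and idle >= idle_limit:
                return
            time.sleep(poll)
            idle += poll

def run(lines, logger, table="conn"):
    """Feed parseable lines (open(path), follow(path), any iterable) to
    logger.db_log, flush the rest and return the number of records."""
    n = 0
    for line in lines:
        rec = parse_conn_line(line)
        if rec:
            logger.db_log(table, rec)
            n += 1
    logger.flush()
    return n
```

With psycopg2 the sink would call cur.copy_expert(sql, io.StringIO(data)) and commit, and run(follow("conn.log"), DbLogger(sink)) is then the tail-and-insert process Randy describes. The escaping in copy_escape is the part to keep: the addl column carries strings the remote side influences, and an unescaped tab or newline in them would become an extra column or an extra row inside the COPY stream rather than data.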
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Mon, 6 Oct 2008 21:52:03 -0400 Subject: [Bro] offline analysis In-Reply-To: <4806f1a30810060112u1a3d771cs6adcd0e4d466f123@mail.gmail.com> References: <4806f1a30810060112u1a3d771cs6adcd0e4d466f123@mail.gmail.com> Message-ID: <20081006215203.195fe96d@mygw.lan.mynetwork.local> Hello Hossein, First idea, capture the network packets using something like "tcpdump -i ethx -w foo.cap", then use "Bro" to read "foo.cap". With regards, Jean-Philippe. On Mon, 6 Oct 2008 11:42:23 +0330 "hossein talebi" wrote: > how to perform offline analysis and view analysis statistic ? > > -- > Talebi Mazraeh Shahi Hossein > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From talebihossain at gmail.com Tue Oct 7 22:51:34 2008 
From: talebihossain at gmail.com (hossein talebi) Date: Wed, 8 Oct 2008 09:21:34 +0330 Subject: [Bro] hossein talebi has invited you to open a Google mail account Message-ID: <4806f1a30810072251y276dd9ffv@mail.gmail.com> I've been using Gmail and thought you might like to try it out. Here's an invitation to create an account. ----------------------------------------------------------------------- hossein talebi has invited you to open a free Gmail account. To accept this invitation and register for your account, visit http://mail.google.com/mail/a-3e1c680be3-820331c428-424c216334 Once you create your account, hossein talebi will be notified with your new email address so you can stay in touch with Gmail! If you haven't already heard about Gmail, it's a new search-based webmail service that offers: - Over 2,700 megabytes (two gigabytes) of free storage - Built-in Google search that instantly finds any message you want - Automatic arrangement of messages and related replies into "conversations" - Powerful spam protection using innovative Google technology - No large, annoying ads--just small text ads and related pages that are relevant to the content of your messages To learn more about Gmail before registering, visit: http://mail.google.com/mail/help/benefits.html And, to see how easy it can be to switch to a new email service, check out our new switch guide: http://mail.google.com/mail/help/switch/ We're still working every day to improve Gmail, so we might ask for your comments and suggestions periodically. We hope you'll like Gmail. We do. And, it's only going to get better. Thanks, The Gmail Team (If clicking the URLs in this message does not work, copy and paste them into the address bar of your browser). From talebihossain at gmail.com Tue Oct 7 22:51:18 2008 
From: talebihossain at gmail.com (hossein talebi) Date: Wed, 8 Oct 2008 09:21:18 +0330 Subject: [Bro] how to present network analysis results in bro graphically Message-ID: <4806f1a30810072251te3255a8o5de4a90e6f403abf@mail.gmail.com> Hi, I'm running bro on trace files captured by tcpdump. I use the following command: bro -r tracefile conn I want to plot a graph to understand how many connections use the http service (over time). Can bro plot a graph? If it can't, how do I do this? -- Talebi Mazraeh Shahi Hossein -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081008/6b2a0b77/attachment.html From has2an1 at yahoo.com Wed Oct 8 00:51:39 2008 
From: has2an1 at yahoo.com (hasssan ibra) Date: Wed, 8 Oct 2008 00:51:39 -0700 (PDT) Subject: [Bro] (no subject) Message-ID: <905274.11961.qm@web37601.mail.mud.yahoo.com> Hi to All, does anybody know how I can get the hot attribute from the connection record structure to be a column in the connection log file, and also the same for the attribute logged_in, which determines whether the host is logged in ( 1 ) or not ( 0 )? To be more clear, I'm trying to get a log file from Bro which is similar to the KDD'99 data set. It has these attributes: duration, protocol_type, theService, flag (== state in Bro connection record struct), src_bytes, dst_bytes, hot, logged_in, theCount, srv_count, serror_rate, rerror_rate, srv_rerror_rate, same_srv_rate, diff_srv_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_rerror_rate, dst_host_srv_rerror_rate, attack_type and many others. The red attributes are important to me, and natively this dataset is generated by using Bro and another program. I will be very grateful if you helped me. Thanks in advance for your help, Hassan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081008/412fdc7b/attachment.html From jean-philippe.luiggi at didconcept.com Wed Oct 8 04:27:24 2008 
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Wed, 8 Oct 2008 07:27:24 -0400 Subject: [Bro] how to present network analysis results in bro graphically In-Reply-To: <4806f1a30810072251te3255a8o5de4a90e6f403abf@mail.gmail.com> References: <4806f1a30810072251te3255a8o5de4a90e6f403abf@mail.gmail.com> Message-ID: <20081008072724.7ac424c0@mygw.lan.mynetwork.local> Hello Hossein, There are some tools around: - xplot - afterglow - picviz May I suggest you take a look at www.secviz.org; you'll get some ideas of what you can get as pictures (with related tools). With regards, Jean-Philippe. On Wed, 8 Oct 2008 09:21:18 +0330 "hossein talebi" wrote: > hi > i running bro on trace files are captured by tcpdump > i use following command: > bro -r tracefile conn > > i want to plot a graph to understand how many connection using http > service(during time) > > can bro plot graph? > if can't how to do this work? > > -- > Talebi Mazraeh Shahi Hossein > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > From mel at hackinthebox.org Wed Oct 8 08:53:47 2008 From: mel at hackinthebox.org (mel) Date: Wed, 08 Oct 2008 23:53:47 +0800 Subject: [Bro] how to present network analysis results in bro graphically In-Reply-To: <4806f1a30810072251te3255a8o5de4a90e6f403abf@mail.gmail.com> References: <4806f1a30810072251te3255a8o5de4a90e6f403abf@mail.gmail.com> Message-ID: <48ECD78B.90004@hackinthebox.org> hossein talebi wrote: > i want to plot a graph to understand how many connection using http > service(during time) Here's an example of plotting connections using afterglow: http://www.security.org.my/index.php?/archives/Bro-+-Afterglow-Flow-Insight-with-Link-Graph.html --mel From wcl5303 at sohu.com Thu Oct 9 00:34:19 2008 
From: wcl5303 at sohu.com (wcl5303 at sohu.com) Date: Thu, 09 Oct 2008 07:34:19 GMT Subject: [Bro] Re: Bro Digest, Vol 30, Issue 7 In-Reply-To: References: Message-ID: <1223537659.wcl5303@sohu.com> hi,all: I try to use "bro -r cap file local.lite" to test bro's signature function. I found that the log file signatures.log is not appended to. Every time a rule is matched the file signatures.log is rewritten, so the file only ever has one record. How can I make signatures.log an appended log? regards wcl -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081009/9a2d6aad/attachment.html From robin at icir.org Thu Oct 9 08:47:54 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 9 Oct 2008 08:47:54 -0700 Subject: [Bro] Re: Bro Digest, Vol 30, Issue 7 In-Reply-To: <1223537659.wcl5303@sohu.com> References: <1223537659.wcl5303@sohu.com> Message-ID: <20081009154754.GB70861@icir.org> On Thu, Oct 09, 2008 at 07:34 +0000, wcl5303 at sohu.com wrote: > appended. Everytime when rule is matched the file signatures.log > would be rewrited, so every time the file has only one record. > how to make signatures.log can be appended log. I would expect signature.log to be emptied every time you *start* Bro. Is that what you're saying? Or are you seeing that *during* a single run, every signature match creates a new signature.log? Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From acferen at yahoo.com Thu Oct 9 15:07:30 2008 
From: acferen at yahoo.com (Andrew Feren) Date: Thu, 09 Oct 2008 18:07:30 -0400 Subject: [Bro] Bro and NetFlow Message-ID: <48EE80A2.3040303@yahoo.com> I built 1.4.prerelease.12 the other day to play around with several parts of Bro including the NetFlow policies. I'm having good luck with the rest of my investigations, but I can't seem to get Bro to react to the NetFlow that is coming in. I get a netflow.log file, but nothing ever gets logged. NetFlow Version is 5. I read through the policies and .pac files and I don't see a problem, but I'm new to Bro and there is a lot to sort through. Any thoughts on where I should start? -Andrew From pw at seclab.tuwien.ac.at Fri Oct 10 01:40:48 2008 
From: pw at seclab.tuwien.ac.at (Peter Wurzinger) Date: Fri, 10 Oct 2008 10:40:48 +0200 Subject: [Bro] Error building Bro 1.2 on Debian Lenny Message-ID: <48EF1510.8090608@seclab.tuwien.ac.at>

Hi!

I am trying to build Bro 1.2.1 (tarball from website) on a freshly installed up-to-date Debian Lenny machine. I successfully ran 'configure'. However, 'make' terminates with the following screen output:

../src/builtin-func.y: In function ‘char* concat(char*, char*)’:
../src/builtin-func.y:78: error: ‘strlen’ was not declared in this scope
../src/builtin-func.y:83: error: ‘memcpy’ was not declared in this scope
../src/builtin-func.y: In function ‘int yyparse()’:
../src/builtin-func.y:178: error: ‘strlen’ was not declared in this scope
../src/builtin-func.y:545: warning: deprecated conversion from string constant to ‘char*’
../src/builtin-func.y:554: warning: deprecated conversion from string constant to ‘char*’
../src/builtin-func.y: In function ‘void print_msg(const char*)’:
../src/builtin-func.y:566: error: ‘strlen’ was not declared in this scope

I have tried gcc versions 4.3 and 3.4, but to no avail. Bro version 1.3.2 fails to compile as well. I have successfully installed Bro on Ubuntu or Debian Etch machines. Just on two Lenny machines there is this problem. I'd be happy about any help I can get on this problem. Does the error message look familiar? Has Bro generally been tested on Lenny, and does it normally work?

Thanks in advance, and best regards, Peter.

From ager at net.in.tum.de Fri Oct 10 03:08:31 2008
From: ager at net.in.tum.de (Bernhard Ager) Date: Fri, 10 Oct 2008 12:08:31 +0200 Subject: [Bro] Bro and NetFlow In-Reply-To: <48EE80A2.3040303@yahoo.com> References: <48EE80A2.3040303@yahoo.com> Message-ID: <20081010100831.GW7066@in.tum.de>

On Thu, Oct 09, 2008 at 06:07:30PM -0400, Andrew Feren wrote:
> I built 1.4.prerelease.12 the other day to play around with several
> parts of Bro including the NetFlow policies. I'm having good luck with
> the rest of my investigations, but I can't seem to get Bro to react to
> the NetFlow that is coming in.
>
> I get a netflow.log file, but nothing ever gets logged.

I assume you are trying to extract netflow data from a dumped trace or by sniffing on a network device. However the Bro NetFlow support is an IO source, which either listens for incoming flows on a UDP socket or reads flows from a file. You find the details in the current CHANGES file. Especially read the subsection about "auxiliary programs" in case you want to use files as input.

Regards, Bernhard
-- Technische Universität Berlin An-Institut Deutsche Telekom Laboratories FG INET, Research Group Anja Feldmann Sekr. TEL 4 Ernst-Reuter-Platz 7 D-10587 Berlin

From robin at icir.org Fri Oct 10 08:23:23 2008 From: robin at icir.org (Robin Sommer) Date: Fri, 10 Oct 2008 08:23:23 -0700 Subject: [Bro] Error building Bro 1.2 on Debian Lenny In-Reply-To: <48EF1510.8090608@seclab.tuwien.ac.at> References: <48EF1510.8090608@seclab.tuwien.ac.at> Message-ID: <20081010152323.GI75397@icir.org>

On Fri, Oct 10, 2008 at 10:40 +0200, Peter Wurzinger wrote:
> I am trying to build Bro 1.2.1 (tarball from website) on a freshly
> installed up-to-date Debian Lenny machine. I successfully ran

Very likely this is fixed in current versions. Can you try a 1.4 prerelease or current svn?

Robin
-- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From has2an1 at yahoo.com Fri Oct 10 09:49:35 2008 From: has2an1 at yahoo.com (hasssan ibra) Date: Fri, 10 Oct 2008 09:49:35 -0700 (PDT) Subject: [Bro] Hi Message-ID: <50447.4655.qm@web37607.mail.mud.yahoo.com>

Hi,

I want to reconfigure Bro; what do I do (type)? In the user guide they said to rerun bro_config, but it didn't work; it gives this error:

    make: *** No rule to make target 'install-brolite'. Stop.

And I don't know how to edit bro.cfg because I couldn't save it (not root).

Best, Hassan
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081010/b7878606/attachment.html

From acferen at yahoo.com Fri Oct 10 13:13:06 2008
From: acferen at yahoo.com (Andrew Feren) Date: Fri, 10 Oct 2008 16:13:06 -0400 Subject: [Bro] Bro and NetFlow In-Reply-To: References: <48EE80A2.3040303@yahoo.com> Message-ID: <48EFB752.1010200@yahoo.com>

An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081010/284d9f15/attachment.html
-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ACF.bro Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081010/284d9f15/attachment.ksh

From renaud.luca at gmail.com Fri Oct 10 16:14:42 2008 From: renaud.luca at gmail.com (Luca Renaud) Date: Sat, 11 Oct 2008 00:14:42 +0100 Subject: [Bro] Error building Bro 1.2 on Debian Lenny. Message-ID: <628233b10810101614r62cb816dp39e9c3c79bd6cdfb@mail.gmail.com>

I had the same issue when I upgraded from Etch to Lenny; I do not remember whether the specific warnings were the same as yours. I am using a PowerPC computer. However, I used the same Bro installation I had on Etch on Lenny. The needed libraries are fundamentally the same (the versions are not so different on Etch and Lenny), so I assumed that compatibility problems would not show. I was correct so far: bro-1.2.1 runs smoothly on Lenny. However, I only do bulk trace analysis of dump files; I do not have a complete installation of Bro. With the more recent bro-1.4 prerelease on Lenny PPC the compilation was OK, so probably you can achieve the same result.
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081011/960618ed/attachment.html

From talebihossain at gmail.com Sun Oct 12 07:32:12 2008
From: talebihossain at gmail.com (hossein talebi) Date: Sun, 12 Oct 2008 18:02:12 +0330 Subject: [Bro] what is brooery and where i can download its? Message-ID: <4806f1a30810120732u11b17df5o24e98ab03be6e86b@mail.gmail.com>

Brooery

What is Brooery and where can I download it? I want to download it but I do not know where it can be downloaded.

-- Talebi Mazraeh Shahi Hossein
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081012/52cbaa76/attachment.html

From has2an1 at yahoo.com Tue Oct 14 07:17:58 2008 From: has2an1 at yahoo.com (hasssan ibra) Date: Tue, 14 Oct 2008 07:17:58 -0700 (PDT) Subject: [Bro] (no subject) Message-ID: <616214.35130.qm@web37603.mail.mud.yahoo.com>

Hi to all,

I have this problem: when I start Bro it works fine. Then I stopped it and started it again; this time it creates the log files but it doesn't write anything in them, although I know that there is traffic. Does anybody know why?

I also want to ask about Autorestart: what is this, and does it have a relation to my problem? Now it is (Autorestart: ON).

Bye, Hassan
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081014/a7c5f7dd/attachment.html

From christian at whoop.org Tue Oct 14 17:34:57 2008
From: christian at whoop.org (Christian Kreibich) Date: Wed, 15 Oct 2008 02:34:57 +0200 Subject: [Bro] what is brooery and where i can download its? In-Reply-To: <4806f1a30810120732u11b17df5o24e98ab03be6e86b@mail.gmail.com> References: <4806f1a30810120732u11b17df5o24e98ab03be6e86b@mail.gmail.com> Message-ID: <1224030897.3066.92.camel@strangepork> On Sun, 2008-10-12 at 18:02 +0330, hossein talebi wrote: > brooery > > what is brooery and where i can download its? > i want download its but i not know where can download its Brooery was an experimental GUI for browsing Bro logs. It is no longer supported, since we have not yet developed a database backend for Bro that such a GUI should be based upon. Given the revived interest in a database backend, we'll hopefully be able to provide a solution in the 1.5 release. -- Cheers, Christian From mel at hackinthebox.org Wed Oct 15 08:49:27 2008 From: mel at hackinthebox.org (mel) Date: Wed, 15 Oct 2008 23:49:27 +0800 Subject: [Bro] Bro's regular expression Message-ID: <48F61107.8050507@hackinthebox.org> Hi all, Where can I find more documentation/information about Bro's regular expression? Bro's regex is different from PCRE that I am familiar with. Cheers, --mel From vern at icir.org Wed Oct 15 09:41:31 2008 From: vern at icir.org (Vern Paxson) Date: Wed, 15 Oct 2008 09:41:31 -0700 Subject: [Bro] Bro's regular expression In-Reply-To: <48F61107.8050507@hackinthebox.org> (Wed, 15 Oct 2008 23:49:27 +0800). Message-ID: <200810151641.m9FGfaaZ012731@pork.ICSI.Berkeley.EDU> > Where can I find more documentation/information about Bro's regular > expression? It's the same as used by the "flex" tool, which is installed on many systems either by that name or as simply "lex". Vern From rreitz at fnal.gov Wed Oct 15 11:48:27 2008 
From: rreitz at fnal.gov (Randolph Reitz) Date: Wed, 15 Oct 2008 13:48:27 -0500 Subject: [Bro] Connection records in a database? In-Reply-To: <991ACE0A-1DC4-44FC-A71D-B4C211538339@osu.edu> References: <69F11659-A1E3-46E1-92FF-478D7C2D6573@fnal.gov> <48E712DA.4000201@hackinthebox.org> <991ACE0A-1DC4-44FC-A71D-B4C211538339@osu.edu> Message-ID: <2E2AD00F-1914-40C7-98A0-862EC808D0EE@fnal.gov>

On Oct 6, 2008, at 10:04, Seth Hall wrote:
> I checked out your log importer too, but I noticed that you're doing
> individual inserts for each record. In my testing, doing individual
> inserts doesn't scale for high data rates, the database can't insert
> data quickly enough. I have been using the COPY [1] method for
> inserting data in batches and it turns out that even at high data
> rates the database can keep up just fine.

Yes, individual inserts don't work! Here is the conn.log file on my BRO installation...

    [brother at dtmb ~]$ s=$(wc -l spool/bro/conn.log | awk '{print $1}')
    [brother at dtmb ~]$ while true; do
        sleep 10
        s1=$(wc -l spool/bro/conn.log | awk '{print $1}')
        printf "%d\n" $((s1 - s))
        s=$s1
    done
    4750
    4728
    4565
    4243
    4926
    4379
    ^C

Looks like conn.log is adding ~450 connections per second. Here is what happens with a python script that tails conn.log and inserts each record into a Postgres DB...

    [brother at dtmb ~]$ l=$(echo "select count(*) from bro_connections" | psql -h nimisrv nimi_dev | awk '/^ [0-9]/ { print $1}')
    [brother at dtmb ~]$ while true; do
        sleep 10
        n=$(echo "select count(*) from bro_connections" | psql -h nimisrv nimi_dev | awk '/^ [0-9]/ { print $1}')
        printf "%d\n" $((n - l))
        l=$n
    done
    1756
    1625
    1631
    1667
    1670
    1838
    ^C

Maybe ~160 records per second. Not even close. It's always nice to know what not to do.

Randy

From hall.692 at osu.edu Wed Oct 15 12:01:47 2008
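The thread above contrasts one INSERT per conn.log record with batched COPY. The following is an added Python example (not Randy's importer and not bro-dblogger) of the batching side: it parses Bro 1.x conn.log lines, buffers them, and renders each batch as the text stream that PostgreSQL's COPY ... FROM STDIN consumes. The conn.log column layout, the table name bro_connections and its column order are assumptions; the sample log lines are constructed. The escaping step matters because the addl field is attacker-influenced (it can carry data copied from the wire), and an unescaped tab or newline in it would add columns or rows to the COPY payload.

```python
"""Batch COPY loader for Bro 1.x conn.log lines (added example, not the
poster's script nor bro-dblogger).  Assumed conn.log layout, space separated:
ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes
state flags addl, with '?' for unknown values and addl optional."""

# Hypothetical column order of the bro_connections table (assumption).
COLUMNS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
           "proto", "orig_bytes", "resp_bytes", "state", "flags", "addl")

# Constructed sample lines; the last one carries a tab inside addl on purpose.
SAMPLE_LOG = """\
1224076800.123 0.456 10.0.0.1 192.168.1.5 http 51234 80 tcp 512 8192 SF L
1224076801.000 ? 10.0.0.2 192.168.1.9 ssh? 40000 22 tcp 0 ? S0 X
1224076802.500 12.0 10.0.0.3 192.168.1.5 ftp-data 40001 20 tcp 100 99999 SF L tab\there
"""

def parse_conn_line(line):
    """Split one conn.log line into a dict; '?' becomes None (SQL NULL)."""
    parts = line.rstrip("\n").split(" ", len(COLUMNS) - 1)
    if len(parts) < len(COLUMNS) - 1:
        raise ValueError("short conn.log line: %r" % line)
    parts += [""] * (len(COLUMNS) - len(parts))   # addl may be absent
    return {k: (None if v == "?" else v) for k, v in zip(COLUMNS, parts)}

def copy_escape(value):
    """Escape one field for PostgreSQL COPY text format: \\N for NULL; backslash,
    tab, CR and LF escaped so a hostile addl value cannot inject columns/rows."""
    if value is None:
        return r"\N"
    return (value.replace("\\", "\\\\").replace("\t", "\\t")
                 .replace("\n", "\\n").replace("\r", "\\r"))

def to_copy_payload(records):
    """Render records as the stream 'COPY bro_connections FROM STDIN' expects."""
    return "".join("\t".join(copy_escape(r[c]) for c in COLUMNS) + "\n"
                   for r in records)

class BatchLoader:
    """Buffer parsed rows and hand one COPY payload to `sink` per batch.
    `sink(payload)` performs the COPY; with psycopg2 that would be
    lambda p: cur.copy_from(io.StringIO(p), "bro_connections", columns=COLUMNS)."""
    def __init__(self, sink, batch_size=1000):
        self.sink, self.batch_size = sink, batch_size
        self.buf, self.flushed = [], 0

    def add_line(self, line):
        self.buf.append(parse_conn_line(line))
        if len(self.buf) >= self.batch_size:
            self.flush()

    def flush(self):
        if self.buf:
            self.sink(to_copy_payload(self.buf))
            self.flushed += len(self.buf)
            self.buf = []

def load_text(text, sink, batch_size=2):
    """Feed every non-comment line of `text` through a BatchLoader; returns rows flushed."""
    loader = BatchLoader(sink, batch_size)
    for line in text.splitlines():
        if line and not line.startswith("#"):
            loader.add_line(line)
    loader.flush()
    return loader.flushed
```

In production the sink would run inside a transaction per batch and the tailer would remember the conn.log offset it had flushed, so a crash between batches neither loses nor duplicates rows.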
From: hall.692 at osu.edu (Seth Hall) Date: Wed, 15 Oct 2008 15:01:47 -0400 Subject: [Bro] bro-dblogger Message-ID: <3348AD31-BA2A-46DC-A474-F5FB91CAFEAE@osu.edu> Hi all, Here's my first functional release of a tool for inserting data from Bro into a PostgreSQL database in realtime. There are still quite a few things to work on, but this version works and is already being used here. Site at github: http://github.com/sethhall/bro-dblogger Zip: http://github.com/sethhall/bro-dblogger/zipball/release1 Tar.gz: http://github.com/sethhall/bro-dblogger/tarball/release1 Check out the README and the examples directory if you are interested in using it. If you have any questions or comments, please let me know. Thanks! .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From mel at hackinthebox.org Wed Oct 15 17:23:12 2008 From: mel at hackinthebox.org (mel) Date: Thu, 16 Oct 2008 08:23:12 +0800 Subject: [Bro] identifying bro peers Message-ID: <48F68970.3040908@hackinthebox.org> Hi all, When another Bro is receiving events from a Bro peer, is there any way to add the peer's name/identifier into the log file? --mel From hall.692 at osu.edu Wed Oct 15 18:39:52 2008 
From: hall.692 at osu.edu (Seth Hall) Date: Wed, 15 Oct 2008 21:39:52 -0400 Subject: [Bro] identifying bro peers In-Reply-To: <48F68970.3040908@hackinthebox.org> References: <48F68970.3040908@hackinthebox.org> Message-ID:

On Oct 15, 2008, at 8:23 PM, mel wrote:
> When another Bro is receiving events from a Bro peer, is there any way
> to add the peer's name/identifier into the log file?

The peer_description variable is what you're looking for and the prefixed_id function which helps with using it.

    # Prepend the peer description, if set.
    function prefixed_id(id: count): string
        {
        if ( peer_description == "" )
            return fmt("%s", id);
        else
            return cat(peer_description, "-", id);
        }

You give it a "count" and it will prepend the name of the peer where the currently handled event originated.

.Seth
--- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721

From hall.692 at osu.edu Wed Oct 15 21:38:45 2008 From: hall.692 at osu.edu (Seth Hall) Date: Thu, 16 Oct 2008 00:38:45 -0400 Subject: [Bro] bro-dblogger In-Reply-To: <3348AD31-BA2A-46DC-A474-F5FB91CAFEAE@osu.edu> References: <3348AD31-BA2A-46DC-A474-F5FB91CAFEAE@osu.edu> Message-ID:

On Oct 15, 2008, at 3:01 PM, Seth Hall wrote:
>
> Here's my first functional release of a tool for inserting data from
> Bro into a PostgreSQL database in realtime. There are still quite a
> few things to work on, but this version works and is already being
> used here.

I forgot to mention that in order to use this, you'll need to be linking against the version of Broccoli in trunk or broccoli from the soon-to-be 1.4 release.

.Seth
--- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721

From mel at hackinthebox.org Thu Oct 16 00:16:12 2008
From: mel at hackinthebox.org (mel) Date: Thu, 16 Oct 2008 15:16:12 +0800 Subject: [Bro] identifying bro peers In-Reply-To: References: <48F68970.3040908@hackinthebox.org> Message-ID: <48F6EA3C.7030103@hackinthebox.org> Seth Hall wrote: > The peer_description variable is what you're looking for and the > prefixed_id function which helps with using it. > > # Prepend the peer description, if set. > function prefixed_id(id: count): string > { > if ( peer_description == "" ) > return fmt("%s", id); > else > return cat(peer_description, "-", id); > } > > You give it a "count" and it will prepend the name of the peer where the > currently handled event originated. Thanks! Just what I need. --mel From geek00l at gmail.com Thu Oct 16 18:50:44 2008 From: geek00l at gmail.com (CS Lee) Date: Fri, 17 Oct 2008 09:50:44 +0800 Subject: [Bro] http-identified-files.bro Message-ID: <1bb5dd90810161850v7aa5558flab496ab482095ff1@mail.gmail.com> hi seth, In http transaction, some of the executable files are transfer via this mime type - application/octet-stream I have appended it for watched_mime_types in http-identified-files.bro and it works fine. Cheers ;] -- Best Regards, CS Lee http://geek00l.blogspot.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081017/7d2401aa/attachment.html From uchekuru at gmail.com Thu Oct 16 19:20:29 2008 From: uchekuru at gmail.com (uday chekuri) Date: Thu, 16 Oct 2008 22:20:29 -0400 Subject: [Bro] segmentation fault Message-ID: Hi, i am using the current version of bro-ids 1.3.2, i am getting segmentation fault error while running on a pcap file. I saw that frag.cc has to be modified previously *@@ -161,10 +161,11 @@ if ( b->next ) { // We have a hole. - **if ( b->seq >= frag_size ) + if ( b->upper >= frag_size ) { IP_Hdr proto_h((const struct ip*) proto_hdr); s->Weird("fragment_size_inconsistency", &proto_h); + frag_size = b->upper; } else return; 
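Review bot: in hunk 1, `frag_size = b->upper;` adopts a new expected datagram size from a value that comes straight from the fragment's offset and length fields, both attacker-controlled, and nothing in the hunk caps it; the old code returned at this point, the new code reports `fragment_size_inconsistency` and then keeps reassembling with the larger size. Enforce an upper bound (an IP datagram cannot exceed 65535 bytes) before accepting `b->upper`, or keep the early `return;` for values above it. Also note that the `*` and `**` around `@@ -161,10 +161,11 @@` and `if ( b->seq >= frag_size )` are bold markup from the HTML mail, not part of the diff, so `patch` will not apply the text as pasted here.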
@@ -174,6 +175,7 @@ { IP_Hdr proto_h((const struct ip*) proto_hdr); s->Weird("fragment_size_inconsistency", &proto_h); + frag_size = last_block->upper; } else if ( last_block->upper < frag_size ) * i found the only one change to be modified in Frag.cc (bolded one), do I need to remove few lines after return in the file. Only adding the bolded line and again make and make install.... still it is giving me segmentation fault... i am having older version of bro in the same system... does it affect in any way..... thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20081016/89b019c4/attachment.html From hall.692 at osu.edu Thu Oct 16 19:42:01 2008 From: hall.692 at osu.edu (Seth Hall) Date: Thu, 16 Oct 2008 22:42:01 -0400 Subject: [Bro] http-identified-files.bro In-Reply-To: <1bb5dd90810161850v7aa5558flab496ab482095ff1@mail.gmail.com> References: <1bb5dd90810161850v7aa5558flab496ab482095ff1@mail.gmail.com> Message-ID: <5D5A196E-0346-457F-9AA0-CEEACF2C205C@osu.edu> On Oct 16, 2008, at 9:50 PM, CS Lee wrote: > In http transaction, some of the executable files are transfer via > this mime type - > > application/octet-stream You might want to check the description for those files. There are a lot of other files that are identified as octet-streams, or at least as far as I can remember when I was working on that script a while ago. :) .Seth --- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721 From mel at hackinthebox.org Thu Oct 16 19:46:51 2008 
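Review bot: in hunk 2 of the Frag.cc patch above, the added `frag_size = last_block->upper;` sits in a branch whose opening condition is missing from the pasted text (only the `{` and the following `else if ( last_block->upper < frag_size )` survive), so a reader cannot tell which comparison guards the assignment; paste the unmodified context around `@@ -174,6 +175,7 @@` or the full diff. The same bound that hunk 1 needs applies here, and since both places now report the weird and then adopt the larger size, a small helper that does both and enforces the bound would keep the two copies from drifting apart.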
From: mel at hackinthebox.org (mel) Date: Fri, 17 Oct 2008 10:46:51 +0800 Subject: [Bro] bro-dblogger In-Reply-To: References: <3348AD31-BA2A-46DC-A474-F5FB91CAFEAE@osu.edu> Message-ID: <48F7FC9B.4070400@hackinthebox.org>

Seth Hall wrote:
> I forgot to mention that in order to use this, you'll need to be
> linking against the version of Broccoli in trunk or broccoli from the
> soon-to-be 1.4 release.

I'm getting a compile time error:

    c++ -g -Wall -I/usr/local/include -L/usr/local/lib -L/usr/local/lib/postgresql -I/usr/local/include/postgresql -L/usr/local/bro14/lib -I/usr/local/bro14/include -lbroccoli -lpq bro-dblogger.cc -o bro-dblogger
    bro-dblogger.cc: In function 'void db_log_event_handler(BroConn*, void*, BroEvMeta*)':
    bro-dblogger.cc:281: error: 'bro_record_get_nth_name' was not declared in this scope
    *** Error code 1

> .Seth

--mel

From hall.692 at osu.edu Thu Oct 16 20:09:09 2008 From: hall.692 at osu.edu (Seth Hall) Date: Thu, 16 Oct 2008 23:09:09 -0400 Subject: [Bro] bro-dblogger In-Reply-To: <48F7FC9B.4070400@hackinthebox.org> References: <3348AD31-BA2A-46DC-A474-F5FB91CAFEAE@osu.edu> <48F7FC9B.4070400@hackinthebox.org> Message-ID: <4E0E8F53-E9DF-4876-A786-7A4218700F7B@osu.edu>

On Oct 16, 2008, at 10:46 PM, mel wrote:
> Seth Hall wrote:
>
>> I forgot to mention that in order to use this, you'll need to be
>> linking against the version of Broccoli in trunk or broccoli from the
>> soon-to-be 1.4 release.
> bro-dblogger.cc:281: error: 'bro_record_get_nth_name' was not declared

Oh, I guess I forgot to mention that it will only work with the upcoming 1.4 final (or current trunk). That was a small update that was included after the 1.4 pre-releases. Sorry about that!

.Seth
--- Seth Hall Network Security - Office of the CIO The Ohio State University Phone: 614-292-9721

From mcuttler at bnl.gov Fri Oct 17 11:22:06 2008
From: mcuttler at bnl.gov (Matt Cuttler) Date: Fri, 17 Oct 2008 14:22:06 -0400 Subject: [Bro] Where's the ./configure? Message-ID: <48F8D7CE.5050406@bnl.gov>

I grabbed 1.4 from svn checkout last night.

I can't seem to find the ./configure script. Am I doing something wrong (possibly egregiously dumb), or is it missing?

Here's what I've got:

    [root at box /usr/src/bro]# ls
    .svn                    TODO-For-Next-Release   example-attacks
    AUTHORS                 VERSION                 install-sh
    CHANGES                 acinclude.m4            libpcap.bufsize.patch
    COPYING                 autogen.sh              linux-include
    ChangeLog               aux                     missing
    Checklist-for-Release   compile                 policy
    FILES.bin               config.guess            scripts
    INSTALL                 config.sub              shtool
    Makefile.am             configure.in            src
    NEWS                    depcomp                 testing
    README                  doc
    [root at box /usr/src/bro]# find ./* -iname configure*
    ./aux/binpac/configure.in
    ./aux/broccoli/configure.in
    ./configure.in
    [root at box /usr/src/bro]# cat VERSION
    1.4

Thanks, Matt Cuttler

From mcuttler at bnl.gov Fri Oct 17 11:22:53 2008 From: mcuttler at bnl.gov (Matt Cuttler) Date: Fri, 17 Oct 2008 14:22:53 -0400 Subject: [Bro] Where's the ./configure? In-Reply-To: <48F8D7CE.5050406@bnl.gov> References: <48F8D7CE.5050406@bnl.gov> Message-ID: <48F8D7FD.4060203@bnl.gov>

Matt Cuttler wrote:
> I grabbed 1.4 from svn checkout last night.
>
> I can't seem to find the ./configure script. Am I doing something wrong
> (possibly egregiously dumb), or is it missing?
>

Never mind, I see that autogen.sh generates the ./configure

-Matt Cuttler

From vern at icir.org Fri Oct 17 11:47:01 2008
From: vern at icir.org (Vern Paxson) Date: Fri, 17 Oct 2008 11:47:01 -0700 Subject: [Bro] Bro 1.4 release now available Message-ID: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU>

Bro release 1.4 is now available from:

    ftp://bro-ids.org/bro-1.4.tar.gz

This release includes significant new functionality as well as numerous refinements and fixes, per the appended changelog entries. Previous releases are available at http://www.bro-ids.org/download.html . We do not anticipate making any further changes to them.

Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1.4 Fri Oct 17 11:08:52 PDT 2008

- We are no longer supporting a previous Bro release as the "stable" version. Rather, the model now is that the current public release will aim for increasing stability (occasionally updated with fixes), and those who wish to use a "bleeding-edge" snapshot can do so via access to the public SVN source code repository, as explained at http://bro-ids.org/wiki/index.php/Subversion#Public_Access

  Note that all previous releases remain available from the download page; what is changing is that we no longer commit to support for the most recent of these.

- We have clarified the copyright statement that covers most of the code to remove the "advertising clause" that derived from older BSD licenses, and we have removed copyright wording from most source code files. See COPYING for the current wording and a list of files that retain their own copyright notices.

- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers (Bernhard Ager). NetFlow can be useful for intrusion detection as it allows analysis of traffic from many different points in the network. Bro can now read NetFlow data from a UDP socket, as well as (mostly for debugging purposes) from a file in a specialized format. You can create these files with the programs given in aux/nftools.

  Command line switches:

    -Y|--netflow <ip>:<port>[=<id>] | read flow from socket

      This is the usual way of getting NetFlow data into Bro, by opening a UDP socket on <ip>:<port> and reading all incoming packets. Setting the <ip> to 0.0.0.0 should work on most platforms. Optionally you may set an identifier for the source, useful if there are many different sources you want to analyze in parallel. This might also be necessary if you want to use this feature with a clustered Bro.

      Examples:
        bro -Y 0.0.0.0:5555 netflow
        bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow

    -y|--flowfile <file>[=<id>]

      Used to read from a file. You can optionally include an identifier for the source.

      Examples:
        bro -y myflowfile netflow
        bro -y myflowfile=src1 otherflowfile=src2 netflow

  NetFlow events:

    event netflow_v5_header(h: nf_v5_header)

      Generated upon reading a new NetFlow PDU, as summarized in the argument. The field h_id gives the flow source identifier and a serial number. You can use this field to associate subsequent netflow_v5_record events with their header.

    event netflow_v5_record(r: nf_v5_record)

      Every record within a NFv5 PDU generates a corresponding netflow_v5_record() event. The relatively complex timestamp format of NFv5 is already converted to Bro's time type, and the TCP header flags are separated into bools.

  The distribution includes an example analysis script, netflow.bro. It simply dumps received NetFlow records.

  If netflow_restitch is T (the default), then Bro performs flow restitching as well, and two script variables become relevant:

    global netflow_finished_conn_expire = 310 sec &redef;

  specifies how long to wait for additional flow records after a RST or FIN for

    const netflow_table_expire = 31 min;

  Its setting only affects table declarations, and therefore cannot be usefully redef'd.

  Auxiliary programs:

  Bro uses a custom format for flow data stored in files, to enable preserving timestamps of the PDU arrivals and the exporter's IP address. The tools nfcollector and ftwire2bro in aux/nftools/ provide ways to manipulate the Bro NF file format. The first dumps NetFlow data from a UDP socket to stdout or to a file in Bro format. The second converts NetFlow data in "wire" format to Bro format, and, while doing so, fakes up the exporter's IP address and timestamp. You can get "wire" format from normal flow-tools files, e.g., by using 'flow-export -f 4'.

  Please note that the Bro format is just a hack to allow for easier debugging. Therefore the format is not in fact platform independent, and not suitable for data storage.

- A new DHCP analyzer generates the following events (Po-Ching Lin):

    event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
    event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
    event dhcp_request(c: connection, msg: dhcp_msg,
    event dhcp_decline(c: connection, msg: dhcp_msg)
    event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
    event dhcp_nak(c: connection, msg: dhcp_msg)
    event dhcp_release(c: connection, msg: dhcp_msg)
    event dhcp_inform(c: connection, msg: dhcp_msg)

  where dhcp_msg values look like:

    type dhcp_msg: record {
        op: count;        # 1 = BOOTREQUEST, 2 = BOOTREPLY
        m_type: count;    # the type of DHCP message
        xid: count;       # transaction ID of a DHCP session
        h_addr: string;   # hardware address of the client
        ciaddr: addr;     # original IP address of the client
        yiaddr: addr;     # IP address assigned to the client
    };

  See dhcp.bro for the corresponding analysis script (which could probably use some refinements). Note, this analyzer is implemented using BinPAC, so you will need to specify --use-binpac to activate it.

- A BitTorrent analyzer is now available (Nadi Sarrar). See the policy scripts bittorrent.bro and bt-tracker.bro for the events generated for analyzing transfers and tracker dialogs, respectively.

- The "Bro Lite" configuration is now deprecated and will not in general be supported (Robin Sommer & Vern Paxson).
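The NetFlow entry above describes what reaches the script layer through netflow_v5_header and netflow_v5_record: a PDU header, per-record fields, exporter-relative timestamps converted to absolute time, and the TCP flag byte split into booleans. The following added Python example (not Bro's analyzer and not the nftools programs) builds a NetFlow v5 datagram from constructed flow records, parses it back with the same conversions, and shows how such a datagram would be delivered to a Bro started with `bro -Y 0.0.0.0:5555 netflow`. The dictionary field names are assumptions; the wire layout is the standard NetFlow v5 24-byte header and 48-byte record.

```python
"""NetFlow v5 PDU builder/parser (added example; not Bro's NetFlow analyzer)."""
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 record
TCP_FLAGS = (("fin", 0x01), ("syn", 0x02), ("rst", 0x04),
             ("psh", 0x08), ("ack", 0x10), ("urg", 0x20))

def build_v5_pdu(records, sys_uptime_ms, unix_secs, unix_nsecs=0, seq=0,
                 engine=(0, 0), sampling=0):
    """Serialise flow dicts (src, dst, sport, dport, proto, packets, bytes,
    first/last in exporter-uptime ms, optional tcp_flags) into one datagram."""
    if not 1 <= len(records) <= 30:
        raise ValueError("a v5 PDU carries 1..30 records")
    out = [HDR.pack(5, len(records), sys_uptime_ms, unix_secs, unix_nsecs,
                    seq, engine[0], engine[1], sampling)]
    for r in records:
        out.append(REC.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("input", 0), r.get("output", 0),
            r["packets"], r["bytes"], r["first"], r["last"],
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0),
            r["proto"], r.get("tos", 0), 0, 0, 0, 0, 0))
    return b"".join(out)

def parse_v5_pdu(data):
    """Return (header_dict, [record_dict, ...]); rejects non-v5 or short PDUs."""
    if len(data) < HDR.size:
        raise ValueError("truncated header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, samp = HDR.unpack_from(data)
    if ver != 5:
        raise ValueError("not NetFlow v5: version %d" % ver)
    if len(data) < HDR.size + count * REC.size:
        raise ValueError("header announces %d records, datagram too short" % count)
    export_time = secs + nsecs / 1e9          # exporter clock when the PDU left
    header = {"version": ver, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": etype, "engine_id": eid, "sampling_interval": samp}
    records = []
    for i in range(count):
        (src, dst, nh, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = \
            REC.unpack_from(data, HDR.size + i * REC.size)
        rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
               "nexthop": socket.inet_ntoa(nh), "input": inp, "output": outp,
               "packets": pkts, "bytes": octets, "sport": sport, "dport": dport,
               "proto": proto, "tos": tos, "src_as": sas, "dst_as": das,
               "src_mask": smask, "dst_mask": dmask,
               # first/last are ms of exporter uptime: anchor them to wall time
               "first_time": export_time - (uptime - first) / 1000.0,
               "last_time": export_time - (uptime - last) / 1000.0}
        for name, bit in TCP_FLAGS:            # flag byte -> one bool per flag
            rec[name] = bool(flags & bit)
        records.append(rec)
    return header, records

# Constructed sample: one TCP flow with SYN, ACK and FIN set, and one DNS query.
SAMPLE_RECORDS = [
    {"src": "10.0.0.1", "dst": "192.168.1.5", "sport": 51234, "dport": 80, "proto": 6,
     "packets": 10, "bytes": 4200, "first": 90000, "last": 95000, "tcp_flags": 0x13},
    {"src": "10.0.0.2", "dst": "192.168.1.53", "sport": 40000, "dport": 53, "proto": 17,
     "packets": 1, "bytes": 70, "first": 99000, "last": 99000},
]
SAMPLE_PDU = build_v5_pdu(SAMPLE_RECORDS, sys_uptime_ms=100000,
                          unix_secs=1224076800, seq=7)

def send_to_bro(pdu, host="127.0.0.1", port=5555):
    """Deliver one PDU to a Bro listening via -Y 0.0.0.0:5555 (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(pdu, (host, port))
```

NetFlow v5 carries no authentication, so a collector socket bound to 0.0.0.0 as in the changelog's example accepts flow records from anyone who can reach the port; restrict the source with a host firewall or bind to the address the exporters actually use.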
- "make install" now only installs a core set of files (Robin Sommer). Policy files are now installed in <prefix>/share/bro/* (or whatever configure determines $datadir to be), which is now in Bro's default search path. It creates a directory <prefix>/share/bro/site for local policy files, and the default BROPATH is extended to include this. The default path no longer includes policy/local. You can install the additional files used by the (now deprecated) "Bro Lite" configuration using "make install-brolite".

- Substantial updates to Broccoli, including support for container types (tables and sets) as well as a new metadata structure for event callbacks, facilitating truly generic event handler implementations (Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog for details.

- Extensive changes to allow Bro to process packets captured in the past intermingled with those captured in real-time (Matthias Vallentin and Robin Sommer). This operation reflects combining Bro with use of "Time Machine" functionality for packet capture.

- We have unfortunately had to disable support for configuring Bro to use ClamAV, since it turns out that the key interface we need for processing blocks of memory directly rather than whole files is no longer supported by the package, and in fact was buggy even when it was (Robin Sommer).

- The new signature option "http-body /<regex>/" matches on the body data of HTTP entities (Robin Sommer). The matching is done after decompressing the body, if necessary.

- The new built-in function identify_data(data: string, return_mime: bool) analyzes the string "data" and returns its type according to libmagic, if installed (Seth Hall). The second argument controls whether it should be returned as a MIME type or just an identifying string. For example, identify_data("MZpofigu", F) returns the string "MS-DOS executable", and identify_data("MZpofigu", T) returns "application/x-dosexec".

- The new analysis script http-identified-files.bro identifies the type of items returned by Web servers using libmagic (if available) and generates notices for interesting types and mismatches between URLs and types (Seth Hall). You configure it using two variables. watched_mime_types is a pattern (default /application\/x-dosexec/ | /application\/x-executable/) for which any MIME type matching the pattern generates a HTTP_WatchedMIMEType notice. mime_types_extensions is a table mapping strings to patterns specifying how URLs for the given MIME type should appear. (Ideally, this would be a table mapping patterns to patterns, but Bro doesn't currently support that.) It defaults to:

    ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/

  i.e., Windows executables end in .exe or .dll. You can also redef the pattern ignored_urls to specify URLs that should not generate complaints. It defaults to matching Windows Update.

- The new script http-extract-items.bro extracts the items from HTTP traffic into individual files (Vern Paxson). Files are named:

    <prefix>.<num>.<orig_addr>_<orig_port>.<resp_addr>_<resp_port>.<dir>

  where <prefix> is a redef'able prefix (default: "http-item"), <num> is a number uniquely identifying the item, the next four describe the connection tuple, and <dir> is "orig" if the item was transferred from the originator to the responder, "resp" otherwise.

- The workings of how Bro interfaces to external programs for dropping/restoring connectivity of misbehaving hosts has been significantly reworked (Brian Tierney and Robin Sommer).

  First, dropping decisions used to be made directly by analyzer scripts, such as scan.bro directly calling drop_address(). Now instead the scripts generate Notices and then the notice policy can have an action of NOTICE_DROP to codify that the response to the given Notice is to drop the source. The new notice_action_filter of drop_source drops the source of notices, and drop_source_and_terminate both drops the source and terminates the corresponding connection.
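The identify_data and http-identified-files.bro entries above, together with the exchange earlier in this digest about executables served as application/octet-stream, come down to one rule: classify a response by its bytes, then compare that classification with what the URL claims. The following added Python example (not Bro's identify_data, which calls libmagic, and not http-identified-files.bro) stands in a small magic-number table for libmagic and applies the changelog's defaults for watched_mime_types, mime_types_extensions and ignored_urls. The notice name HTTP_WatchedMIMEType is from the changelog; the mismatch notice name, the magic table and the Windows Update pattern are assumptions, and the sample responses are constructed.

```python
"""Content sniffing with URL/type cross-check (added example; not Bro's own code)."""
import re

# Magic-number table standing in for libmagic (assumption: a short list only).
MAGIC = (
    (b"MZ", "application/x-dosexec", "MS-DOS executable"),
    (b"\x7fELF", "application/x-executable", "ELF executable"),
    (b"%PDF-", "application/pdf", "PDF document"),
    (b"PK\x03\x04", "application/zip", "Zip archive"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "PNG image"),
)

def identify_data(data, return_mime):
    """Same shape as Bro's identify_data(): MIME type when return_mime is true,
    otherwise a description.  Unknown bytes are application/octet-stream / 'data'."""
    for magic, mime, desc in MAGIC:
        if data.startswith(magic):
            return mime if return_mime else desc
    return "application/octet-stream" if return_mime else "data"

# Defaults as described in the changelog, written as Python regexes.
WATCHED_MIME_TYPES = re.compile(r"application/x-dosexec|application/x-executable")
MIME_TYPES_EXTENSIONS = {
    "application/x-dosexec": re.compile(r"\.([eE][xX][eE]|[dD][lL][lL])"),
}
IGNORED_URLS = re.compile(r"^https?://[^/]*windowsupdate\.com/")   # assumed shape

def check_http_item(url, body):
    """Return the notices one HTTP response body earns.  The sniffed type drives
    the checks, not the server's Content-Type header: an executable served as
    application/octet-stream is still an executable."""
    notices = []
    if IGNORED_URLS.search(url):
        return notices
    mime = identify_data(body, True)
    if WATCHED_MIME_TYPES.search(mime):
        notices.append(("HTTP_WatchedMIMEType", url, mime))
    ext_pat = MIME_TYPES_EXTENSIONS.get(mime)
    if ext_pat is not None and not ext_pat.search(url):
        notices.append(("HTTP_URLTypeMismatch", url, mime))   # assumed notice name
    return notices

# Constructed sample responses: (URL, first bytes of the body).
SAMPLE_ITEMS = [
    ("http://dl.example.net/setup.exe", b"MZ\x90\x00" + b"\0" * 60),
    ("http://cdn.example.net/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 40),
    ("http://cdn.example.net/logo.png", b"MZ\x90\x00" + b"\0" * 60),
    ("http://download.windowsupdate.com/x/y.exe", b"MZ" + b"\0" * 60),
]

def scan_items(items):
    """Run check_http_item over (url, body) pairs and collect every notice."""
    return [n for url, body in items for n in check_http_item(url, body)]
```

The third sample is the case the script exists for: a Windows executable behind a URL that ends in .png. The fourth shows why ignored_urls exists, and also why it should stay narrow, since anything matched there is never examined.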
  So, to drop all sources triggering a specific notice, one can now, e.g., write:

    redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };

  Related to this change, notice_info has a new field $dropped, set to true if the Notice triggered a (successful) drop.

  Second, by redef'ing Drop::use_catch_release to T (default F) you can activate "catch-and-release" logic. You use this mode when you need to manage a limited number of possible blocks, or to build in automatic "forgiveness" in situations where blocked sources might become benign (such as due to dynamic IP addresses). If a source has been idle for Drop::drop_time, then it is unblocked. However, if it is again seen as block-worthy, then it is blocked for an interval of Drop::long_drop_time.

  Third, ICMP scanning is now reported by its own notice, ICMPAddressScan, rather than Scan::AddressScan.

- Google's perftools have replaced mpatrol for leak-checking and heap-profiling (Robin Sommer). If Bro is compiled with --enable-perftools and configure finds the perftools, there are two command-line options available:

    -m turns on leak checking of the main packet loop, with some uninteresting leaks suppressed. Currently, with one exception (the RPC analyzer; problem not yet found), it reports no leaks when running the test suite.

    -M turns on heap profiling: Bro will take a snapshot of the heap before starting the main packet loop and another one when finished. These snapshots can then be analyzed with pprof.

  For more information about the perftools see http://code.google.com/p/google-perftools

- Notice tags are now generated in a pseudo-unique fashion that, with high probability, ensures that tags generated by separate Bro processes don't clash when logged to a common location, such as for a Bro cluster (Robin Sommer). Tags are now strings rather than counts, and are associated with all notices, not just those that are connection-related. You can however redef the string notice_tag_prefix or the function new_notice_tag to further control how such tags are generated.

- Four new built-ins for type conversion (Robin Sommer):

    function double_to_interval(d: double): interval
    function addr_to_count(a: addr): count
    function port_to_count(p: port): count
    function count_to_port(c: count, t: transport_proto): port

- Many policy scripts have been modified to use modules & scoping (Robin Sommer and Matthias Vallentin), which may require updates to existing scripts/refinements.

- The new script variable dpd_conn_logs (default F), if true, changes the semantics of the service field in connection logs written to conn.log, as follows (Robin Sommer). It becomes a comma-separated list of analyzers confirmed by DPD to parse the connection's payload. If no analyzer could confirm its protocol, but the connection uses a well-known port, the service is the name of the port with "?" appended (e.g., "http?"), as long as the corresponding analyzer has not declined the connection. In addition, ftp-data sessions are labeled "ftp-data" and portmapper connections are labeled with the specific method-call (just as before).

  dpd_conn_logs defaults to F because the change in semantics may break scripts that parse conn.logs; but it will likely change to the default in the future. With dpd_conn_logs turned off, conn logs are generated as they used to be, with a few rare exceptions (with previous versions, the service field was sometimes determined while the connection was still alive; now it's always determined at the time when the conn.log entry is written out).

- The SSL analyzer has been rewritten using BinPAC, with a number of robustness improvements (Tobias Kiesling). It currently is only used if you execute with --use-binpac.

- Python bindings for Broccoli are now available in aux/broccoli/bindings/python/ (Robin Sommer). See README/README.html in that directory for details.
- The new "auth" option in remote.bro indicates whether a given side is considered "authoritative" for shared state, in which case it sends its initial state to &sync'ed peers (Robin Sommer). When two peers synchronize their state, one side sends its current set of state to the other as soon as the remote connection is established. The one sending the state used to be the one who has been running longer; now it can also be explicitly set via the "auth" flag in the Remote::Destination. - Two new tuning parameters for scan.bro (Robin Sommer): ignore_scanners_threshold (default 0): If a host has scanned more than this many hosts, it is completely excluded from further scan detection. 0 disables. addr_scan_trigger (default 0): A host is only tracked for address scanning once it has contacted this many different hosts. Primarily intended for using a two-stage scan detection with a Bro cluster: first, each node searches locally for scanners by looking for hosts contacting more than addr_scan_trigger destinations. Those hosts which do are then globally tracked throughout the cluster by &synchronizing the scan detector tables. - When Bro serializes functions, it now does so by default using only their name, rather than their full value (Robin Sommer). This prevents propagation of expiration functions associated with tables and sets. Note, currently there is no mechanism provided to switch from the default behavior, but the internal hooks are in place to do so. - The new built-in variable trace_output_file gives the name of the -w output trace file (Robin Sommer). - Bro no longer installs new file rotation timers when shutting down (Robin Sommer). - The new policy scripts remote-print-id{,-reply}.bro support convenient access to printing the identifiers of a remote Bro (Robin Sommer). You use the script remote-print-id.bro to request and receive the printing; the remote Bro must have loaded remote-print-id-reply.bro in order to process the request. 
Example use: bro -e 'redef PrintID::dst="" PrintID::id=""' remote-print-id - scan.bro has been heavily modified to better support distributed scan analysis (Matthias Vallentin and Robin Sommer). - The check for unused event handlers is now turned off by default (Robin Sommer). To enable, use "redef check_for_unused_event_handlers = T". - The new script drop.bro has been split off from scan.bro to isolate the logic concerning dropping addresses to block scans (Robin Sommer). - The new -l flag lists each script as it is loaded (Robin Sommer). - Textual descriptions of identifiers now include their attributes (Robin Sommer). - The new predefined function prefixed_id() returns a session identifier with its peer-ID prepended if it's associated with a remote Bro (Robin Sommer). This is now used when generating writing log files. - remote.bro now assigns a priority of -10 to its bro_init() event handler to allow others a chance to modify destinations (Robin Sommer). - A large number of BinPAC updates (Ruoming Pang and Robin Sommer). - The new built-in type_name(v): string returns the name of the type of the value v (Vern Paxson). For example, "typename(5.2)" returns "double". This function is mainly for internal debugging (i.e., finding mismatches between values generated by the event engine versus how their type is expected by the script layer). - The new built-in str_shell_escape() does some basic escaping on strings that will be passed to system() (Christian Kreibich). Note, this function isn't ready (robust enough) for routine use, however. - The new built-in disable_print_hook(file) acts the same as the attribute &disable_print_hook (Robin Sommer). - The new script terminate-connection.bro factors out the terminate_connection() functionality that used to be in conn.bro (Robin Sommer). - The new attribute &group= can be associated with event handlers to group them together into a set that can be manipulated as a whole (Robin Sommer). 
is a string reflecting the name given to the group. The built-in enable_event_group(group: string) turns on all the analyzers in a given group, and disable_event_group(group: string) deactivates them. - The new attribute &raw_output applies to variables of type file, disabling escaping of non-printable characters (Seth Hall). - You can now iterate over the characters in a string value using a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer). - The new built-in function cat_sep%(sep: string, def: string, ...%): string works similarly to cat(), except that it (a) separates the values by "sep" and (b) substitutes "def" for empty strings (Seth Hall). - The function string_escape() now takes a string of characters to escape rather than a single character (Robin Sommer). Each character in the string is preceded by '\' in the return value (also any embedded '\'s, as before). - The new built-in function global_ids() returns a table of all global identifiers along with associated information (Robin Sommer). The return value has type table[string] of script_id, indexed by the name of the identifier and yielding records with the following fields: type script_id: record { type_name: string; exported: bool; constant: bool; enum_constant: bool; redefinable: bool; value: any &optional; }; - The new script function find_last(str: string, re: pattern) returns the last occurrence of the given pattern in the given string, or an empty string if no match (Robin Sommer). Note that this function returns the match that starts at the largest index in the string, which is not necessarily the longest match. For example, a pattern of /.*/ will return just the final character in the string. - The new script variable record_all_packets, if redef'd to T (default F), instructs Bro to record every packet it processes (Robin Sommer). Prior to introducing this variable, Bro applied a few heuristics to reduce recording volume. 
Setting this variable also causes packets to be recorded very early in processing, which can be helpful for debugging crashes. - If the new script flag ssl_log_ciphers is set to T (default), ssl.bro logs the ciphers seen (Robin Sommer). - Much more expanded Time Machine support, now located in policy/time-machine/ (Robin Sommer), - The new command line option --status-file (alias -U) specifies the name of a file into which Bro will write an indicator of its current processing status (Robin Sommer). Possible values include "INITIALIZING", "RUNNING", "TERMINATING", "TERMINATED". - The new policy script targeted-scan.bro looks for repeated access from the same source to the same server, to detect things like SSH password-guessing attacks (Jim Mellander). - The "alternative" style for printing strings (i.e., a fmt() argument of "%As") now renders the raw string, other than escape-expanding embedded NULs (Vern Paxson). This change may be temporary, pending development of more fine-grained control over string rendering. - For now we have removed the %S functionality for fmt() (Robin Sommer). %S was meant to print "raw" strings, but later processing of such printing still introduces artifacts. - GeoIP information now includes latitude and longitude (Seth Hall). - ssh.bro now supports the variable skip_processing_after_handshake which directs the event engine to omit any further processing of an SSH connection after its initial handshake (Seth Hall and Robin Sommer). This can help with performance for large file transfers but precludes some kinds of analyses (e.g., tracking connection size). This change also adds a scope of "SSH". - Email notification of notices now allows for separate destinations depending on notice type (in particular, a regular mail destination versus a pager destination), and also escapes the notice to prevent injection attacks (Seth Hall and Robin Sommer). 
- The new policy script conn-flood.bro is a simple connection-flooding detector, mainly meant as a demonstration (Robin Sommer). - A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall). - Serialization now uses 64-bit IDs to cache items rather than 32-bit, for robustness during long-running execution (Robin Sommer). - The new script variable tcp_max_initial_window specifies, for flows for which ACKs have never been seen, the maximum volume of initial data after which Bro will assume that it is seeing only one side of the connection and will not buffer data for consistency checking awaiting the later arrival of ACKs (Robin Sommer). It defaults to 4 KB. (Note, this used to be an internal value, so the behavior is not new.) Set to 0 to turn off this functionality and have Bro attempt to track all such flows. - The new script variable tcp_max_above_hole_without_any_acks specifies, for flows for which ACKs have never been seen, the maximum volume of data above a sequence hole that Bro will tolerate for a connection before giving up on tracking the flow (Robin Sommer). It defaults to 4 KB. (Note, this differs from tcp_max_initial_window in that this threshold applies to sequence holes rather than the beginning of flows. Like tcp_max_initial_window this used to be an internal value.) Set to 0 to turn off this functionality. - The new script variable tcp_excessive_data_without_further_acks specifies a threshold similar to tcp_max_above_hole_without_any_acks, but for flows for which Bro has seen ACKs (Robin Sommer). It defaults to 10 MB. Set to 0 to turn off the functionality. - Equal signs ("=") in text for notices are now escaped when using the tagged format to keep them unambiguous from the "=" delimiters (Robin Sommer). - The final tallies for notices are now processed as NoticeTally NOTICE's rather than directly alarm'd (Robin Sommer). - WeirdActivity notices now include an associated connection when appropriate (Robin Sommer). 
- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin). - Scoped names ("...::...") are now allowed in signature "eval" constructs (Christian Kreibich). - scan.bro is now decoupled from conn.bro, i.e., you can @load the latter without getting the former (Vern Paxson). As part of this change, the logic to invoke TRW is now in scan.bro. - weird.bro has been updated with a number of missing Weird's (Vern Paxson). - If when using inter-Bro communication the child Bro process terminates, it now also terminates the parent process (Robin Sommer). - BinPAC analyzers now interoperate with DPD (Robin Sommer). - Some http.bro processing options are now exported so they can be accessed in other scripts (Robin Sommer). - SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer). - $conn is now set in ServerFound notices (Robin Sommer). - You can now create empty sets and tables using set() and table(), i.e., the usual set/table constructors with no arguments (Vern Paxson). By themselves, these have an unspecified type - you can't use them directly other than to assign them. For example, local bad_guys: set[addr]; ... bad_guys = set(); # start over assuming no bad guys - A number of scripts have been (slightly) simplified to use the new empty set()/table() constructors (Vern Paxson). Note that these still aren't usable for field assignments in record constructors, nor for attributes like &default = ... - Removed unused syntax for declaring sets based on a list of initial values (Vern Paxson). - set() and table() can now be used as arguments to function calls (Vern Paxson). - The vestigial &match attribute has been removed. - POP3 is now recognized using Dynamic Protocol Detection (Seth Hall). - The new event expected_connection_seen(c: connection, a: AnalyzerTag) is generated whenever a connection is seen for which we have previously scheduled an analyzer via expect_connection() (Robin Sommer). 
- The new built-in capture_state_updates logs all changes applied to &synchronized variables, in a fashion similar to the capture_events() built-in (Robin Sommer). An accompanying policy script, capture-state-updates.bro, turns this on to the file state-updates.bst. - If the new script variable suppress_local_output is set (default: F), Bro suppresses printing to local files if there's a receiver for print_hook events (Robin Sommer). This option is however ignored for files with a &disable_print_hook attribute. - The new notice action filter function file_if_remote specifies that notices from sent from remote source addresses should have an action NOTICE_FILE (Robin Sommer). - The new notice action filter function file_local_bro_notices specifies that notices generated by the local Bro instance (as opposed to a remote peer) should have an action NOTICE_FILE (Robin Sommer). - An arbitrary tag can now be past to post-processors for log rotation (Robin Sommer). - Default inactivity timeouts for interactive services shortened to 1 hour (Robin Sommer). - The scanning variables distinct_{peers,ports,low_ports} are now redef'able (Robin Sommer). - The new -S (--summary-only) option for site-report.pl directs to only generate connection summaries (Brian Tierney) - More useful default config file for edit-brorule.pl (Brian Tierney). - Bro now includes a test suite in testing/istate/ for its "independent state" functionality (Robin Sommer). - Support for parallel builds via make -j (Christian Kreibich). - Bro's default search path now includes includes policy/sigs/ and policy/time-machine/ (Robin Sommer). - Bro's internal processing of interprocess communication has been significantly overhauled to prevent potentially fatal race conditions (Robin Sommer). - Bro now checks calls to fmt() at compile-time to ensure that the correct number of arguments are present (Vern Paxson). 
This is useful in addition to Bro's run-time checking for arguments matching their corresponding format-specifiers in the case of rarely-executed statements that might not generate such run-time checks in routine testing. - The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer). - MIME processing now removes leading whitespace from MIME headers (Sanmeet Bhatia and Robin Sommer). - TCP "weird" events reported by the connection compressor now match (other than a few rare corner-cases) those produced for normal TCP processing (rmkml and Robin Sommer). - Added Scan::suppress_UDP_scan_checks to control false positives on scan detection in environments with P2P protocols that use UDP (Vern Paxson). - The internal analyzer interface now includes an EndOfData() method that analyzers can use to report that all of a message has been delivered (Robin Sommer). - Fix for a significant memory leak in processing UDP when using -w (Robin Sommer). Note: this change turns off by default trace rewriting for generic UDP traffic. - Two serious regular expression bugs fixed (Vern Paxson). In the first, searching for a regular expression inside a string would fail if the pattern occurred only after an embedded newline. In the second, insufficient buffer was allocated when compiling regular expressions, leading to memory corruption. - Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang). - Automatic rotation of files is now disabled for contents files written by the TCP reassembler, which otherwise leads to mangled files (Robin Sommer). - Bro now ships with an updated version of libpcap (0.9.8), which hopefully fixes problems managing trace files > 4 GB in size. - Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer). - Bug fix for secondary-filter.bro (Vern Paxson). - Removed a naming ambiguity regarding TCP states (Vern Paxson). - Bug fix for signature scanner not matching all of its input (Vern Paxson). 
- Bug fix for using port values in signatures (Robin Sommer). - Minor policy script tweaks: state management for weird's, processing of Notice tags associated with connections, and dependencies for irc-bot.bro (Robin Sommer). - aux/ portability fixes (Vern Paxson). - Workarounds added for a BinPAC deficiency, which is that code in %cleanup clauses can also be executed during recovery from exceptions when parsing new data. This means that any delete's or Unref()'s need to also set the corresponding pointer to nil (Vern Paxson). - Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer). - Tweak to peer-status.bro since Bro now requires events to be declared prior to reference in a "schedule" statement (Robin Sommer). - The signature keyword "enable" now optionally accepts the syntax "foo:bar" to specify "activate analyzer bar as a child of analyzer foo" (Robin Sommer). This is used for example for an XML-over-HTTP analyzer that's in the works. - irc-bot-syslog.bro now uses open_log_file() for its log file (including the logging suffix) rather than a direct open (Vern Paxson). - Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer). - Bug fix for the HTTP BinPAC analyzer chopping the trailing character off of HTTP headers when generating the http_all_headers event (Gregor Maier). - Bug fix for HTTP chunked items for which the chunk size line was terminated by CRLF but the CR and LF came in separate packets (Gregor Maier). - A bug has been fixed that would cause partial lines (for line-oriented protocols) to fail to be processed when a connection terminated (Robin Sommer). - Bro no longer treats a signal arriving before a previous signal has been processed as fatal, nor does it attempt processing of a termination signal if seemingly there are no race conditions to worry about (Robin Sommer). Both of these changes are an attempt to improve Bro's robustness. 
- Fix for attributes such as &encrypt not working in initial declarations but only in later redef's (Seth Hall and Robin Sommer). - Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer). - Fix for POP3 analyzer to not treat lines like "." as message terminators (Robin Sommer). - Bug fix for crashes arising from nil pointers in list expressions (Seth Hall and Robin Sommer). - Bug fix: a signature's "enable" would activate the corresponding analyzer even if no event handlers were defined for it (Robin Sommer). - Bug fixes to prevent crashes when mixing set_contents_file() with subsequent explicit close(), and to ensure all data written to file upon connection tear-down (Gert Doering and Robin Sommer). - Configuration support for MacPorts and Fink package management systems (Christian Kreibich & Vern Paxson). - Communication-only Bro's now send out email alarms (Robin Sommer). - Writes to a file that fail due are now run-time errors rather than fatal internal errors, since often these occur due to the disk being full (Robin Sommer). - Byte-order bug fix for lookup_location() (Robin Sommer). - BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer). - Portability fixes for newer versions of gcc (Jan Gerrit Goebel and Robin Sommer). - Some support for porting to Solaris (Stephan Toggweiler). - Connection compressor bug fix for source and destination having the same IP address, such as when monitoring loopback (Robin Sommer). - Connection compressor bug fix for connections with multiple SYNs (Robin Sommer). - Bug fix for using already-declared local variables for looping over vectors in a "for" loop (Robin Sommer & Vern Paxson). - Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer). - Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer). - Bug fix for checking whether an IPv6 address is part of a subnet (Seth Hall). 
- Bug fixes for crashes relating to asynchronous DNS lookups performed at start-up (Robin Sommer). These changes also lowered the timeout before assuming failure from 20 seconds down to 5 seconds. - Portability and const-ness fixes (Kevin Lo and Robin Sommer). - Suppression of some content-gap complaints when running on traces that have been filtered down to only TCP control packets (Robin Sommer). - Removed unnecessary dependency in notice-action-filters.bro that led to errors when loading icmp.bro by itself (Vern Paxson). - Bug fix for potential infinite loop in client communiation (Robin Sommer). - Bug fix in reference counting that could eventually lead to roll-over (Robin Sommer). - Bug fix in communication initialization (Robin Sommer). - Internal documentation fix: timers are specified using absolute time, not relative (Robin Sommer). - Performance improvement for built-in find_all() function when running on large strings (Robin Sommer). - Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich). - Bug fix for error recovery when encountering an unknown link layer (Bernhard Ager). - Bug fix for reversing client & server in a connection (Po-Ching Lin). - Bug fix for packet_contents when capture length exceeds the IP payload length due to Ethernet frame padding (Christian Kreibich). - Bug fix for tcp_packet event erroneously including Ethernet padding in its contents (Vern Paxson). - Bug fix for lookup_connection built-in (Seth Hall). - Portability nit for libedit tarball (Vern Paxson). - Broccoli portability fix for NetBSD (Christoph Leuzinger). - Type-checking for script-level event invocation was completedly broken - now fixed (Vern Paxson). - Portability fixes for different versions of g++/STL (Nicholas Weaver and Vern Paxson). - Fix for dynamic detection of SSL via DPD (Robin Sommer). - IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson). Note, more portability work is needed for it. 
- Bug fix for bifcl error messages (Vern Paxson). - Minor bug fix for remote communication, plus some improved communication logging (Robin Sommer). - Bug fix for &printhook (Robin Sommer). - Bug fix for error message output (Robin Sommer). - Bug fix for termination cleanup (Robin Sommer). - Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson). - Bug fix for bifcl generation of "interval" types (Vern Paxson). - Bug fix for getting connection memory statistics when Bro is exiting (Robin Sommer). - Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer). - Bug fixes for "heavy" analysis (Vern Paxson). - Broccoli bug fixes for types net and port (Robin Sommer). - Bug fixes for Telnet environment options (Robin Sommer). - Bug fix for accessing remote peer description (Robin Sommer). - A fix for the connection compressor generating new_connection too late (Robin Sommer). - Fixes for DAG support, including configuration and multiple interfaces (Robin Sommer). - Bug fix for serializing time-stamps of table entries (Robin Sommer). - Bug fix for dealing with peer IDs for remote communication (Robin Sommer). - Bug fix to avoid installing timers when timers have already been canceled (Robin Sommer). - Bug fix for interplay between serializing connections and connection compressor (Robin Sommer). - Memory leak fix for enum's (Robin Sommer). - Bug fix for files being closed prior to bro_done() (Vern Paxson). - aux/broccoli/contrib was not included in distribution (Robin Sommer). - Auto-configuration bug fix for BinPAC (Craig Leres). - Bug fix for dynamic protocol detection (Robin Sommer). - A number of configuration fixes for installation and portability (Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek). From aashish at uiuc.edu Fri Oct 17 15:30:09 2008 
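A local policy fragment showing how the reworked drop mechanism from the changelog above fits together: routing notices through notice_action_filters to drop_source / drop_source_and_terminate, enabling catch-and-release via Drop::use_catch_release, and reading the new notice_info$dropped field. This is an added example, not code from the Bro 1.4 distribution or the release announcement; the interval values, the "drops" log file name, and the availability of the 1.x notice_alarm event and open_log_file() helper are assumptions.

```bro
# local-drop-policy.bro -- added example, not part of the Bro 1.4 release.
# Assumes the 1.4 policy scripts named in the changelog (notice, scan, drop,
# notice-action-filters); the notice_alarm event and open_log_file() come
# from the 1.x policy layer and are assumed to be available here.
@load notice
@load notice-action-filters
@load scan
@load drop

# Catch-and-release: a blocked source is released once it has been idle for
# Drop::drop_time; if it is seen misbehaving again it is blocked for
# Drop::long_drop_time.  Both intervals below are assumed site values.
redef Drop::use_catch_release = T;
redef Drop::drop_time = 1 hr;
redef Drop::long_drop_time = 1 day;

# Blocking is no longer hard-wired into scan.bro; the notice policy decides.
# Address scanners lose connectivity; an SSH overflow attempt is blocked and
# its connection is torn down as well.
redef notice_action_filters += {
    [Scan::AddressScan] = drop_source,
    [Hot::SSH_Overflow] = drop_source_and_terminate,
};

# Keep an audit trail of successful drops apart from the notice log so an
# operator can reconcile it against the blocking device.  File name assumed.
global drop_log = open_log_file("drops") &redef;

event notice_alarm(n: notice_info, action: NoticeAction)
    {
    # $dropped is the new field; it is only T when the drop succeeded.
    if ( ! n$dropped )
        return;

    # src is an &optional field of notice_info; guard before dereferencing.
    local who = n?$src ? fmt("%s", n$src) : "<no-src>";
    print drop_log, fmt("%.6f %s %s %s", network_time(), n$note, who, n$msg);
    }
```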
From: aashish at uiuc.edu (Aashish Sharma)
Date: Fri, 17 Oct 2008 17:30:09 -0500
Subject: [Bro] Bro 1.4 release now available
In-Reply-To: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU>
References: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU>
Message-ID: <20081017223009.GE6354@uiuc.edu>

Congratulations for the new release. I was looking forward to this.

Reading the changelog, I see brolite may be deprecated. I see the current 1.4 release is missing ../etc/bro.rc, ../etc/bro.cfg and ../site/local.site.bro files amongst others even after running "make install-brolite".

Is there any other recommended way to start/stop/run bro?

Thanks,
Aashish

On Fri, Oct 17, 2008 at 11:47:01AM -0700, Vern Paxson wrote:
> Bro release 1.4 is now available from:
>
> ftp://bro-ids.org/bro-1.4.tar.gz
>
> This release includes significant new functionality as well as numerous

From robin at icir.org Sat Oct 18 11:21:20 2008
From: robin at icir.org (Robin Sommer)
Date: Sat, 18 Oct 2008 11:21:20 -0700
Subject: [Bro] segmentation fault
In-Reply-To:
References:
Message-ID: <20081018182120.GA29419@icir.org>

On Thu, Oct 16, 2008 at 22:20 -0400, you wrote:
> I am using the current version of bro-ids 1.3.2, I am getting a segmentation
> fault error while running on a pcap file. I saw that frag.cc has to be
> modified previously

Can you please try the 1.4 version? If you still see the problem with that one, please send us a small trace to reproduce the problem.

Thanks,

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Sat Oct 18 11:33:48 2008
From: robin at icir.org (Robin Sommer)
Date: Sat, 18 Oct 2008 11:33:48 -0700
Subject: [Bro] Bro 1.4 release now available
In-Reply-To: <20081017223009.GE6354@uiuc.edu>
References: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU> <20081017223009.GE6354@uiuc.edu>
Message-ID: <20081018183348.GB29419@icir.org>

On Fri, Oct 17, 2008 at 17:30 -0500, you wrote:
> Reading changelog says brolite may be deprecated. I see current
> 1.4 release is missing ../etc/bro.rc, ../etc/bro.cfg and
> ../site/local.site.bro files amongst others even after running
> "make install-brolite".

Hmmm... We'll look into that to see if it's an easy fix to get these installed by "make install-brolite".

> Is there any other recommended way to start/stop/run bro ?

There is nothing which ships with 1.4 at this point, but the "Cluster Shell" we are working on has a "standalone mode" which makes it suitable for normal, single-box installation as well. See

http://blog.icir.org/2008/04/interactive-shell-for-operating-bro.html

This will likely become the standard installation scheme at some point.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From rreitz at fnal.gov Sat Oct 18 18:06:50 2008
From: rreitz at fnal.gov (Randolph Reitz)
Date: Sat, 18 Oct 2008 20:06:50 -0500
Subject: [Bro] Bro 1.4 release now available
In-Reply-To: <20081018183348.GB29419@icir.org>
References: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU> <20081017223009.GE6354@uiuc.edu> <20081018183348.GB29419@icir.org>
Message-ID: <564B23B5-4450-49AD-BEE0-DF507D5355E0@fnal.gov>

On Oct 18, 2008, at 1:33 PM, Robin Sommer wrote:

> On Fri, Oct 17, 2008 at 17:30 -0500, you wrote:
>
>> Reading changelog says brolite may be deprecated. I see current
>> 1.4 release is missing ../etc/bro.rc, ../etc/bro.cfg and
>> ../site/local.site.bro files amongst others even after running
>> "make install-brolite".
>
> Hmmm... We'll look into that to see if it's an easy fix to get these
> installed by "make install-brolite".
>
>> Is there any other recommended way to start/stop/run bro ?
>
> There is nothing which ships with 1.4 at this point but the
> "Cluster Shell" we are working on has a "standalone mode" which
> makes it suitable for normal, single-box installation as well. See
>
> http://blog.icir.org/2008/04/interactive-shell-for-operating-bro.html
>
> This will likely become the standard installation scheme at some
> point.

I have been using the "cluster shell" with BRO 1.4. I recently needed to hook in a process I want to start when BRO starts. I happily modified etc/bro.rc-hooks.sh, but this doesn't work. It seems that the cluster shell does not use etc/bro.rc for BRO startup and shutdown. Does the cluster shell have a mechanism (Er, hook) for starting an external process?

Thanks,
Randy

> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From has2an1 at yahoo.com Sun Oct 19 06:36:39 2008
From: has2an1 at yahoo.com (hasssan ibra)
Date: Sun, 19 Oct 2008 06:36:39 -0700 (PDT)
Subject: [Bro] (no subject)
Message-ID: <477222.40416.qm@web37602.mail.mud.yahoo.com>

Hi,

I'm trying to use the connection log file ONLY. Is there any way to run Bro as just a capture and connection recorder?

Does anybody have a figure that shows how to connect my workstation (which has the Bro IDS) with its 3 interfaces to the network in the DMZ zone? I couldn't get what is in the manual.

Bye,
Hassan

From mel at hackinthebox.org Sun Oct 19 20:10:02 2008
From: mel at hackinthebox.org (mel)
Date: Mon, 20 Oct 2008 11:10:02 +0800
Subject: [Bro] bro 1.4 - pybroccoli error
Message-ID: <48FBF68A.30608@hackinthebox.org>

Hi all,

On FreeBSD 7:

    bro-sensor# python -c 'import broccoli'
    Traceback (most recent call last):
      File "", line 1, in
      File "broccoli.py", line 6, in
        from _broccoli_intern import *
    ImportError: /usr/local/lib/python2.5/site-packages/_broccoli_intern.so: Undefined symbol "BIO_ctrl"

This does not happen on Gentoo Linux.

--mel

From Tobias.Limmer at informatik.uni-erlangen.de Mon Oct 20 09:21:01 2008
From: Tobias.Limmer at informatik.uni-erlangen.de (Tobias Limmer)
Date: Mon, 20 Oct 2008 18:21:01 +0200
Subject: [Bro] Problem accessing additional Field in connection record
Message-ID: <48FCAFED.7080407@informatik.uni-erlangen.de>

Hi everybody,

I've got a problem accessing a custom added field in the connection record. My version of Bro is 1.3.2.

In detail: I added a new field called "flow_start" inside the connection record in file bro.init. This variable is also added in file Conn.h and Conn.cc to fill it with an appropriate value in the constructor Connection::Connection. Additionally, I changed file conn.bro to output the content of the variable in function "record_connection". I'm doing this, as I want to record the time of the first packet of the flow belonging to the connection.

When I start Bro with "conn.bro" as parameter now, it starts working, outputs a first connection correctly including my new field, but at the second call of "record_connection", Bro exits with the error

1212999573.377278 ./conn.bro, line 211 (c$flow_start): internal error: field value missing

What am I doing wrong? It seems that my variable is correctly set the first time, but afterwards it isn't? It is strange, as the variable should always be set in Connection::Connection.

I attached the (rather short) diff of my changes.

Thanks in advance & bye,
Tobi

--
Dipl.-Inf. Tobias Limmer
Computer Networks and Communication Systems
University of Erlangen-Nuremberg, Germany
Phone: +49 (9131) 85-27931
Fax: +49 (9131) 85-27409
eMail: tobias.limmer .at. informatik.uni-erlangen.de
WWW: http://www7.informatik.uni-erlangen.de/~limmer
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Oct 2008 09:44:36 -0700
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <48FBF68A.30608@hackinthebox.org>
References: <48FBF68A.30608@hackinthebox.org>
Message-ID: <20081020164436.GB83925@icir.org>

On Mon, Oct 20, 2008 at 11:10 +0800, you wrote:

> On Freebsd 7:
> Undefined symbol "BIO_ctrl"
> This does not happen on Gentoo Linux.

Are there different OpenSSL versions installed on these systems?

Could you try one of the Broccoli test programs in aux/broccoli/test to see if the problem occurs without the Python bindings as well?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Oct 2008 09:46:31 -0700
Subject: [Bro] Bro 1.4 release now available
In-Reply-To: <564B23B5-4450-49AD-BEE0-DF507D5355E0@fnal.gov>
References: <200810171847.m9HIl63a006848@pork.ICSI.Berkeley.EDU> <20081017223009.GE6354@uiuc.edu> <20081018183348.GB29419@icir.org> <564B23B5-4450-49AD-BEE0-DF507D5355E0@fnal.gov>
Message-ID: <20081020164631.GD83925@icir.org>

On Sat, Oct 18, 2008 at 20:06 -0500, you wrote:

> etc/bro.rc-hooks.sh, but this doesn't work. It seems that the cluster
> shell does not use etc/bro.rc for BRO startup and shutdown.

That's right. If the cron job is set up as described in the documentation, it will take care of restarting the cluster when the system starts up. Adding a bro.rc-like script which starts/stops the cluster directly shouldn't be too hard though.

> Does the cluster shell have a mechanism (Er, hook) for starting an external
> process?

No, it hasn't but that would be an easy extension as well. What exactly would you need? Just the capability to run an arbitrary script whenever the cluster start/stop commands are performed? (And if so, on any node's start/stop?)

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Oct 2008 10:08:33 -0700
Subject: [Bro] Problem accessing additional Field in connection record
In-Reply-To: <48FCAFED.7080407@informatik.uni-erlangen.de>
References: <48FCAFED.7080407@informatik.uni-erlangen.de>
Message-ID: <20081020170833.GK83925@icir.org>

On Mon, Oct 20, 2008 at 18:21 +0200, Tobias Limmer wrote:

> What am I doing wrong? It seems that my variable is correctly set the first
> time, but afterwards it isn't? It is strange, as the variable should always
> be set in Connection::Connection.

Does it help to start Bro with "use_connection_compressor=F"? There is another location inside the Compressor where connection records are created (ConnCompressor::Event in ConnCompressor.cc).

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Oct 2008 11:07:47 -0700
Subject: [Bro] (no subject)
In-Reply-To: <477222.40416.qm@web37602.mail.mud.yahoo.com>
References: <477222.40416.qm@web37602.mail.mud.yahoo.com>
Message-ID: <20081020180747.GM83925@icir.org>

On Sun, Oct 19, 2008 at 06:36 -0700, hasssan ibra wrote:

> I'm trying to use the connection log file ONLY, Is there any way to run Bro as just a capture and connection recorder??

Try loading only the "tcp" script.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: Tobias.Limmer at informatik.uni-erlangen.de (Tobias Limmer)
Date: Tue, 21 Oct 2008 09:13:43 +0200
Subject: [Bro] Problem accessing additional Field in connection record
In-Reply-To: <20081020170833.GK83925@icir.org>
References: <48FCAFED.7080407@informatik.uni-erlangen.de> <20081020170833.GK83925@icir.org>
Message-ID: <3A8931BE-6F15-4695-AE6B-50C78C8F9C33@informatik.uni-erlangen.de>

Hi Robin,

it was the Compressor. Thanks a lot, it works now!

bye,
Tobi

On 20.10.2008, at 19:08, Robin Sommer wrote:

> On Mon, Oct 20, 2008 at 18:21 +0200, Tobias Limmer wrote:
>
>> What am I doing wrong? It seems that my variable is correctly set
>> the first
>> time, but afterwards it isn't? It is strange, as the variable
>> should always
>> be set in Connection::Connection.
>
> Does it help to start Bro with "use_connection_compressor=F"? There
> is another location inside the Compressor where connection records
> are created (ConnCompressor::Event in ConnCompressor.cc).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

--
Dipl.-Inf. Tobias Limmer
Computer Networks and Communication Systems
University of Erlangen-Nuremberg, Germany
Phone: +49 (9131) 85-27931
Fax: +49 (9131) 85-27409
eMail: limmer .at. informatik.uni-erlangen.de
WWW: http://www7.informatik.uni-erlangen.de/~limmer
From: mel at hackinthebox.org (mel)
Date: Tue, 21 Oct 2008 15:20:56 +0800
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <20081020164436.GB83925@icir.org>
References: <48FBF68A.30608@hackinthebox.org> <20081020164436.GB83925@icir.org>
Message-ID: <48FD82D8.6030803@hackinthebox.org>

Robin Sommer wrote:

> Are there different OpenSSL versions installed on these systems?

Freebsd: OpenSSL 0.9.8e 23 Feb 2007
Gentoo: OpenSSL 0.9.8h 28 May 2008

bro-1.4-prerelease does not have such errors on both systems.

> Could you try one of the Broccoli test programs in aux/broccoli/test
> to see if the problem occurs without the Python bindings as well?

The test scripts fail on FreeBSD. The pybroccoli from svn also generates the same error on FreeBSD.

> Robin

--mel

From: mel at hackinthebox.org (mel)
Date: Tue, 21 Oct 2008 15:44:11 +0800
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <48FD82D8.6030803@hackinthebox.org>
References: <48FBF68A.30608@hackinthebox.org> <20081020164436.GB83925@icir.org> <48FD82D8.6030803@hackinthebox.org>
Message-ID: <48FD884B.5020609@hackinthebox.org>

mel wrote:

> Freebsd: OpenSSL 0.9.8e 23 Feb 2007

I've built it using the latest OpenSSL from FreeBSD ports (0.8.9i), and it is still giving the same error.

--mel
From: mel at hackinthebox.org (mel)
Date: Tue, 21 Oct 2008 18:38:53 +0800
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <48FBF68A.30608@hackinthebox.org>
References: <48FBF68A.30608@hackinthebox.org>
Message-ID: <48FDB13D.3040708@hackinthebox.org>

mel wrote:

> bro-sensor# python -c 'import broccoli'
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "broccoli.py", line 6, in <module>
>     from _broccoli_intern import *
> ImportError: /usr/local/lib/python2.5/site-packages/_broccoli_intern.so:
> Undefined symbol "BIO_ctrl"

In Bro 1.4 release, running autogen.sh followed by the normal ./configure fixes this issue.

--mel

From: geek00l at gmail.com (CS Lee)
Date: Tue, 21 Oct 2008 22:49:31 +0800
Subject: [Bro] tm-capture.bro
Message-ID: <1bb5dd90810210749pee5ec5bhe0a1182b9856e050@mail.gmail.com>

hi robin,

Small better, the tm-capture.bro has this line

global dbg = open_log_file("tm-capture.log")

As .log is automatically appended to the log file, it becomes tm-capture.log.log.

Cheers ;]

--
Best Regards,
CS Lee
http://geek00l.blogspot.com

From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Oct 2008 12:25:04 -0700
Subject: [Bro] tm-capture.bro
In-Reply-To: <1bb5dd90810210749pee5ec5bhe0a1182b9856e050@mail.gmail.com>
References: <1bb5dd90810210749pee5ec5bhe0a1182b9856e050@mail.gmail.com>
Message-ID: <20081021192504.GP6210@icir.org>

On Tue, Oct 21, 2008 at 22:49 +0800, you wrote:

> As .log is automatically appended to the log file, it become
> tm-capture.log.log.

Fixed, thanks,

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Oct 2008 12:25:54 -0700
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <48FDB13D.3040708@hackinthebox.org>
References: <48FBF68A.30608@hackinthebox.org> <48FDB13D.3040708@hackinthebox.org>
Message-ID: <20081021192554.GQ6210@icir.org>

On Tue, Oct 21, 2008 at 18:38 +0800, you wrote:

> In Bro 1.4 release, running autogen.sh followed by the normal
> ./configure fixes this issue.

That's good to know, thanks! Not sure what the underlying problem is but we'll see if we can find something.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: isara.a at gmail.com (Isara Anantavrasilp)
Date: Tue, 21 Oct 2008 23:33:38 +0200
Subject: [Bro] Offline/Tracefile Traffic Classification with Bro
Message-ID:

Hi,

I am completely new to Bro and have a few *naive* questions. I have already tried to find the answer myself but to no avail.

I have to classify and isolate Internet traffic (or Internet flows) which is stored in several trace files in compressed pcap format. For instance, given a trace file A, and a specific protocol, say, SSH, what I have to do is generate another trace file which contains only SSH packets from the trace A. I do not need the SSH trace file automatically. But I need at least the 5-tuple of the SSH flows that reside in the trace A so that I can extract the SSH packets later.

As far as I understand from the Bro wiki, Bro can recognize flows from tcpdump traces, which are the same as pcap traces. (Here is where I found it: http://www.bro-ids.org/wiki/index.php/User_Manual:_Bulk_Traces_and_Off-line_Analysis)

Here are the questions:

1) Can I somehow obtain the flows, or the packets in the flows, that match certain Bro rules and isolate them?
2) If so, how do I do it? I have looked through online documents but cannot get a concrete answer.
3) If not, can I at least identify which flows match the rules?
4) Is there any rules repository for Bro (like Snort rules)?

Thank you very much. :)

Cheers,
Isara Anantavrasilp
From: robtobfli at gmx.net (Bogdan Koziol)
Date: Tue, 21 Oct 2008 21:42:19 +0000 (UTC)
Subject: [Bro] How to write a signature definition for (event_A AND event_ B)?
Message-ID:

Hallo everybody,

I'm a new and inexperienced user of the really interesting BRO detection framework. I want to write a signature definition for event A and B, which triggers only after event A and B happened. My approach so far:

signature s1 {
    event "Pattern A"
}

signature s2 {
    event "Pattern B"
    requires-signature s1
}

If I understood the documentation correctly, I can define an event sequence with the "requires-signature" condition. But this one only matches events (A, B) and not (B, A). Is it possible to write an event expression (A AND B)?

Kind regards,
Bogdan.

From: geek00l at gmail.com (CS Lee)
Date: Wed, 22 Oct 2008 10:43:26 +0800
Subject: [Bro] Bro to TM
Message-ID: <1bb5dd90810211943i16c67df2r8de020995be35edd@mail.gmail.com>

hi all,

Is there any quick example to show how to connect to the time machine using bro? I have remote console enabled and also the port bound at the time machine, but need to use bro with it.

Thanks.

--
Best Regards,
CS Lee
http://geek00l.blogspot.com
From: rmkml at free.fr (rmkml)
Date: Wed, 22 Oct 2008 06:55:06 +0200 (CEST)
Subject: [Bro] Dns Analyzer Update RR length pb without binpac
Message-ID:

Hi,

Congratulations for this new version and very interesting project!

During my testing, I found this event:

weird.log:1224565229.149226 10.100.11.225/61643 > 141.202.248.31/dns: DNS_RR_length_mismatch
weird.log:1224565229.149226 10.100.11.225/61643 > 141.202.248.31/dns: DNS_truncated_RR_rdlength_lt_len

Start bro with:

bro140ipv6 -r bro140_dns_rr_length_two_problems.pcap dns

Bro print scripts:

bro140ipv6 -r bro140_dns_rr_length_two_problems.pcap dns -l
-> policy/bro.init
-> policy/const.bif.bro
-> policy/strings.bif.bro
-> policy/bro.bif.bro
-> policy/event.bif.bro
-> policy/common-rw.bif.bro
-> policy/finger-rw.bif.bro
-> policy/ftp-rw.bif.bro
-> policy/ident-rw.bif.bro
-> policy/smtp-rw.bif.bro
-> policy/http-rw.bif.bro
-> policy/dns-rw.bif.bro
-> policy/pcap.bro
-> policy/server-ports.bro
-> policy/dns.bro
-> policy/notice.bro
-> policy/drop.bro
-> policy/notice-action-filters.bro
-> policy/site.bro
-> policy/terminate-connection.bro
-> policy/weird.bro
-> policy/port-name.bro
-> policy/udp-common.bro
-> policy/hot.bro
-> policy/conn.bro
-> policy/netstats.bro
-> policy/conn-id.bro
-> policy/scan.bro
-> policy/trw-impl.bro
-> policy/dns-info.bro

and dns.log file contains:

1224565229.149226 #1 10.100.11.225/61643 > 141.202.248.31/dns start
1224565229.149226 #1 10.100.11.225 security.com Trunc:F Recurs:F
1224565229.149226 #1 10.100.11.225 SOA security.com = CNAME hp.security.com RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.293102 #1 finish

If I start bro with binpac, I have NO "error" in weird.log file:

bro140ipv6 --use-binpac -r bro140_dns_rr_length_two_problems.pcap dns

and dns.log file contains:

1224565229.149226 #1 10.100.11.225/61643 > 141.202.248.31/dns start
1224565229.149226 #1 10.100.11.225 security.com Trunc:F Recurs:F
1224565229.149226 #1 10.100.11.225 SOA security.com = CNAME RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.149226 #1 10.100.11.225 10.100.11.225 RCode:NOERROR AA=F TR=F 1/2/0/0 TTL=0
1224565229.293102 #1 finish

Attached pcap file.

Regards
Rmkml
Crusoe-Researches.com

From: aashish at uiuc.edu (Aashish Sharma)
Date: Wed, 22 Oct 2008 11:31:25 -0500
Subject: [Bro] Notes from testing/running bro-1.4 with cluster shell
Message-ID: <20081022163125.GB4730@uiuc.edu>

Here are some notes I needed to get bro 1.4 running with clustershell. Hopefully this documentation will help others too.

http://blog.ncsa.uiuc.edu/aashish/2008/10/21/moving-to-bro-14/

Aashish

From: robin at icir.org (Robin Sommer)
Date: Wed, 22 Oct 2008 14:37:04 -0700
Subject: [Bro] How to write a signature definition for (event_A AND event_ B)?
In-Reply-To:
References:
Message-ID: <20081022213704.GG66645@icir.org>

On Tue, Oct 21, 2008 at 21:42 +0000, you wrote:

> Is it possible to write an event expression (A AND B)?

Not directly with the signature language. You can however write a Bro script (i.e., a script in Bro's primary language) which keeps track of which signatures have matched so far. This way you can implement arbitrary dependencies.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
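Robin's suggestion, worked out as an added example (not code from this thread or from the Bro distribution): a Bro 1.4-style policy script that records, per connection, which signature ids have fired and reports once both of Bogdan's s1 and s2 have matched, in either order, which the requires-signature condition alone cannot express. It assumes the signature_state record exposes the signature id as state$sig_id (the field name may differ by version, so check bro.init) and that s1 and s2 are loaded from a .sig file as in Bogdan's post.

```bro
# Added example: track signature matches per connection so that an
# "s1 AND s2" condition is detected regardless of the order in which the
# two signatures fire. Field name state$sig_id is an assumption; check
# the signature_state record in bro.init for your Bro version.

# Per-connection set of signature ids seen so far. Entries expire a few
# minutes after creation so the table cannot grow without bound on a
# busy link (a connection that never completes the combination is forgotten).
global sig_hits: table[conn_id] of set[string] &create_expire = 5 min;

# Combinations to report on: each entry names a set of signature ids that
# must all have matched on the same connection. Redefinable from site policy.
const sig_combos: table[string] of set[string] = {
	["s1_and_s2"] = set("s1", "s2"),
} &redef;

# Output file for combined matches (open_log_file appends the .log suffix).
global combo_log = open_log_file("sig-combo");

# True when every id in 'wanted' is present in 'hits'.
function all_matched(hits: set[string], wanted: set[string]): bool
	{
	for ( s in wanted )
		if ( s !in hits )
			return F;
	return T;
	}

event signature_match(state: signature_state, msg: string, data: string)
	{
	local id = state$conn$id;

	if ( id !in sig_hits )
		sig_hits[id] = set();

	add sig_hits[id][state$sig_id];

	for ( name in sig_combos )
		{
		if ( all_matched(sig_hits[id], sig_combos[name]) )
			{
			print combo_log, fmt("%.6f %s matched on %s:%s -> %s:%s",
					     network_time(), name,
					     id$orig_h, id$orig_p, id$resp_h, id$resp_p);
			# Drop the entry so each combination is reported once per connection.
			delete sig_hits[id];
			break;
			}
		}
	}
```

Because the table is keyed on conn_id, matches from two different connections between the same hosts are not combined; widen the key to the address pair if the dependency should span connections.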
From: robin at icir.org (Robin Sommer)
Date: Wed, 22 Oct 2008 14:41:11 -0700
Subject: [Bro] Offline/Tracefile Traffic Classification with Bro
In-Reply-To:
References:
Message-ID: <20081022214111.GH66645@icir.org>

On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:

> For instance, given a trace file A, and a specific protocol, say, SSH,
> what I have to do is generate another trace file which contains only
> SSH packets from the trace A.
> I do not need the SSH trace file automatically.
> But I need at least the 5-tuple of the SSH flows that reside in the
> trace A so that I can extract the SSH packets later.

Is this what you're looking for?

zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log

Or if you need just the packets, skip Bro altogether.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From: isara.a at gmail.com (Isara Anantavrasilp)
Date: Thu, 23 Oct 2008 00:07:23 +0200
Subject: [Bro] Offline/Tracefile Traffic Classification with Bro
In-Reply-To: <20081022214111.GH66645@icir.org>
References: <20081022214111.GH66645@icir.org>
Message-ID:

Hi,

thanks a lot for the answer. That is what I am looking for, but not entirely.

As far as I understand from the syntax, it pushes every packet that has TCP port 22 into Bro. Bro then summarizes the connections in the conn.log (using the tcp policy). And you are right, I want just the packets so that I can process them later.

However, it might work with SSH, but the reason I need Bro here is that some applications that I am interested in require payload signatures. And even though it is SSH, I would like to be sure that it is actually SSH (by analyzing the payload, not just the port number).

I just found out that with the switch "-w", Bro can output the packets. If I use something like

bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro

would Bro return the packets of all flows that match the policy in somesignature.bro?

Another question: can Bro handle the compressed trace file by itself, or do I always have to use zcat?

Thank you very much!

--
Isara

On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer wrote:

> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>
>> For instance, given a trace file A, and a specific protocol, say, SSH,
>> what I have to do is generate another trace file which contains only
>> SSH packets from the trace A.
>> I do not need the SSH trace file automatically.
>> But I need at least the 5-tuple of the SSH flows that reside in the
>> trace A so that I can extract the SSH packets later.
>
> Is this what you're looking for?
>
> zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
>
> Or if you need just the packets, skip Bro altogether.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From: christian at whoop.org (Christian Kreibich)
Date: Wed, 22 Oct 2008 17:02:03 -0700
Subject: [Bro] bro 1.4 - pybroccoli error
In-Reply-To: <20081021192554.GQ6210@icir.org>
References: <48FBF68A.30608@hackinthebox.org> <48FDB13D.3040708@hackinthebox.org> <20081021192554.GQ6210@icir.org>
Message-ID: <1224720123.27175.302.camel@strangepork>

On Tue, 2008-10-21 at 12:25 -0700, Robin Sommer wrote:

> On Tue, Oct 21, 2008 at 18:38 +0800, you wrote:
>
>> In Bro 1.4 release, running autogen.sh followed by the normal
>> ./configure fixes this issue.
>
> That's good to know, thanks! Not sure what the underlying problem is
> but we'll see if we can find something.

We have identified the cause of the problem. On FreeBSD 7, the libtool script we include in the Broccoli tree does not correctly create a .so symlink in the local build directory. This causes the Python module to be statically linked against Broccoli, which in turn causes the additional dependencies of libssl and libcrypto to remain unresolved at runtime.

For the time being, re-running autogen.sh in aux/broccoli is the correct workaround. Alternatively you can apply this patch to aux/broccoli/bindings/python/setup.py:

--- setup.py~	2008-07-14 19:17:59.000000000 -0400
+++ setup.py	2008-10-21 19:55:53.000000000 -0400
@@ -14,6 +14,6 @@
     ext_modules = [
         Extension("_broccoli_intern",
             ["broccoli_intern_wrap.c"],
             library_dirs=["../../src/.libs"],
-            libraries=["broccoli"])]
+            libraries=["broccoli", "ssl", "crypto"])]
 )

We'll fix the issue in the 1.4.1 release.

--
Cheers,
Christian
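Review bot: adding "ssl" and "crypto" to libraries= makes the extension link OpenSSL directly on every platform, not only on FreeBSD 7 where the missing .so symlink causes the static libbroccoli to be picked up; that is a reasonable belt-and-braces fix, but it deserves a comment above the Extension(...) call in setup.py explaining why the two libraries are listed, or the next cleanup will remove them as redundant with libbroccoli's own dependencies. The hunk also relies on the OpenSSL found on the default library search path being the one libbroccoli was built against; the thread shows different OpenSSL versions on the two systems, so stating that requirement in the commit message would help anyone who hits a similar unresolved symbol later.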
From: has2an1 at yahoo.com (hasssan ibra)
Date: Thu, 23 Oct 2008 04:46:09 -0700 (PDT)
Subject: [Bro] Hi
Message-ID: <928044.20574.qm@web37605.mail.mud.yahoo.com>

Hi,

I want to use Bro to listen to two interfaces, "eth0 eth1", but each one alone (switch between them). Is there any command to switch between them without entering bro.cfg and editing it?

Thanks in advance for any answer.

bye,
Hassan

From: akkala at Colorado.edu (Sirisha)
Date: Fri, 24 Oct 2008 05:04:38 -0600 (MDT)
Subject: [Bro] Problem with installing Bro1.4
Message-ID: <20081024050438.AFD08185@riddler.int.colorado.edu>

Hi

I downloaded and installed Bro1.4, the 'current release' on the downloads page. But in the target directory, the following folders are not created: site, logs, var, reports, archive, policy scripts. Should I do something else after 'make' & 'make install' for these folders to get created?

thanks,
sirisha.
From: robin at icir.org (Robin Sommer)
Date: Fri, 24 Oct 2008 13:30:54 -0700
Subject: [Bro] Bro to TM
In-Reply-To: <1bb5dd90810211943i16c67df2r8de020995be35edd@mail.gmail.com>
References: <1bb5dd90810211943i16c67df2r8de020995be35edd@mail.gmail.com>
Message-ID: <20081024203054.GC29834@icir.org>

On Wed, Oct 22, 2008 at 10:43 +0800, you wrote:

> Is there any quick example to show how to connect time machine using bro, I
> have remote console enable and also port binded at time machine, but need to
> use bro with it.

There's no real example available yet. I'm planning to write something up for our blog but I haven't got to that yet. Essentially you need to do two things: (i) configure remote.bro to connect to the TM and (ii) use the functions in time-machine/time-machine.bro to query/control the TM.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From: has2an1 at yahoo.com (hasssan ibra)
Date: Sun, 26 Oct 2008 05:48:48 -0700 (PDT)
Subject: [Bro] (no subject)
Message-ID: <66222.9045.qm@web37604.mail.mud.yahoo.com>

Hi

Does anybody know how I can define my LAN in Bro? There is a variable somewhere (I don't know where) that has to be set!!

Thanks in advance for any help

Hassan
From: christoph.leuzinger at cs.uni-dortmund.de (Christoph Leuzinger)
Date: Tue, 28 Oct 2008 17:07:28 +0100
Subject: [Bro] Broken scan.bro script
Message-ID: <20081028170728.4ab037de.christoph.leuzinger@cs.uni-dortmund.de>

Hi,

I'm running Bro 1.4-release and tried to use scan.bro as BRO_START_POLICY. I get an error on startup, however:

chris at charon:~/sw/bro$ sudo ~/sw/bro/etc/bro.rc start
bro.rc: Starting /home/chris/sw/bro/bin/bro -W -i ne2 scan.bro
BROPATH: /home/chris/sw/bro/share/bro/site:/home/chris/sw/bro/share/bro:/home/chris/sw/bro/share/bro/sigs:/home/chris/sw/bro/share/bro/time-machine
/home/chris/sw/bro/share/bro/scan.bro, line 560: error: unknown identifier conn_state, at or near "conn_state"

Loading the conn.bro script in scan.bro helps (though I'm not sure if this is the right thing to do). Bro is starting without complaining now and port scans are being detected.

Cheers,
Christoph

From: talebihossain at gmail.com (hossein talebi)
Date: Wed, 29 Oct 2008 12:58:35 +0330
Subject: [Bro] how to split a substring from string?
Message-ID: <4806f1a30810290228o4696956etc408f6b9f82e7731@mail.gmail.com>

Hi

I have a local variable and I want to split a substring from this variable. For example: "abccadfjmklma"; I want to split from the 5th character to the 8th character.

--
Talebi Mazraeh Shahi Hossein
From: talebihossain at gmail.com (hossein talebi)
Date: Wed, 29 Oct 2008 15:19:40 +0330
Subject: [Bro] how to append to file?
Message-ID: <4806f1a30810290449q3b12c6eep97651e0b6d77dbd9@mail.gmail.com>

Hi

I have written a script (inside a policy) with the following line:

global result_file = open_log_file("result_file")

This creates a new file result_file in the current directory. I want to run my policy on multiple files and put the output for each file in "result_file", but each time I run my policy it creates a new file and overwrites the old "result_file". How do I append output to the old "result_file" without creating a new file (overwriting)?

--
Talebi Mazraeh Shahi Hossein

From: hall.692 at osu.edu (Seth Hall)
Date: Wed, 29 Oct 2008 10:19:57 -0400
Subject: [Bro] how to split a substring from string?
In-Reply-To: <4806f1a30810290228o4696956etc408f6b9f82e7731@mail.gmail.com>
References: <4806f1a30810290228o4696956etc408f6b9f82e7731@mail.gmail.com>
Message-ID:

On Oct 29, 2008, at 5:28 AM, hossein talebi wrote:

> I have a local variable and I want to split a substring from this
> variable
> for example: "abccadfjmklma"
> I want to split from the 5th character to the 8th character

You can use the sub_bytes built in function.

event bro_init()
	{
	# sub_bytes(s, start, n): n bytes of s beginning at 1-based position start
	local var = "abccadfjmklma";
	print sub_bytes(var, 5, 4);
	}

That function and all other string-centric BiFs are defined in strings.bif.bro in your policy directory.

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
From: vern at icir.org (Vern Paxson)
Date: Wed, 29 Oct 2008 07:25:00 -0700
Subject: [Bro] how to append to file?
In-Reply-To: <4806f1a30810290449q3b12c6eep97651e0b6d77dbd9@mail.gmail.com> (Wed, 29 Oct 2008 15:19:40 +0330).
Message-ID: <200810291425.m9TEP4AI026976@pork.ICSI.Berkeley.EDU>

There's a built-in function open_for_append().

Vern

From: hall.692 at osu.edu (Seth Hall)
Date: Wed, 29 Oct 2008 10:29:27 -0400
Subject: [Bro] how to append to file?
In-Reply-To: <4806f1a30810290449q3b12c6eep97651e0b6d77dbd9@mail.gmail.com>
References: <4806f1a30810290449q3b12c6eep97651e0b6d77dbd9@mail.gmail.com>
Message-ID: <87257FAB-F7C0-4FE3-94C5-66871929A1A8@osu.edu>

On Oct 29, 2008, at 7:49 AM, hossein talebi wrote:

> I have written a script (inside a policy)
> with the following line:
> "global result_file = open_log_file("result_file")"
> This creates a new file result_file in the current directory.
> I want to run my policy on multiple files and put the output for each file in
> "result_file",
> but each time I run my policy it creates a new file and overwrites the old
> "result_file"

I'm not sure what you're asking here.

> How do I append output to the old "result_file" without creating a new
> file (overwriting)?

You can make appending the default behavior for all of your log files by loading the "log-append" script.

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
From: pw at seclab.tuwien.ac.at (Peter Wurzinger)
Date: Wed, 29 Oct 2008 19:02:32 +0100
Subject: [Bro] NUL-related error messages
Message-ID: <4908A538.5080101@seclab.tuwien.ac.at>

Hi!

In my notice.log files I frequently find the following two error messages:

    run-time error: string with embedded NUL
    run-time error: string without NUL terminator

I cannot give specific information about what packets trigger these errors, but it seems that often it is NetBIOS. I am running Bro 1.4.

What could be the problem that causes the errors, and how could I avoid them? Do these errors have an impact on signature matching (or other Bro functionality)?

Peter.
From: pw at seclab.tuwien.ac.at (Peter Wurzinger)
Date: Thu, 30 Oct 2008 10:27:15 +0100
Subject: [Bro] NUL-related error messages
In-Reply-To: <4908A538.5080101@seclab.tuwien.ac.at>
References: <4908A538.5080101@seclab.tuwien.ac.at>
Message-ID: <49097DF3.7070508@seclab.tuwien.ac.at>

I noticed that my question was quite undetailed. I'll try to make it clearer. My code looks like this:

    event signature_match(state: signature_state, msg: string, data: string)
        {
        local token: pattern;
        token = string_to_pattern("abcde", F);
        match_pattern(data, token);
        }

When running this code I get the mentioned error messages. They come from the match_pattern call. As mentioned before, it doesn't happen for every packet, only for some, and these are often NetBIOS.

Do I need to somehow preprocess the data string before matching it? How can I make Bro successfully match such payloads?

Peter.

Peter Wurzinger wrote:
> Hi!
>
> In my notice.log files I frequently find the following two error messages:
>
> run-time error: string with embedded NUL
> run-time error: string without NUL terminator
>
> I cannot give specific information about what packets trigger these
> errors, but it seems that often it is NetBIOS. I am running Bro 1.4.
>
> What could be the problem that causes the errors, and how could I avoid
> them? Do these errors have an impact on signature matching (or other Bro
> functionality)?
>
> Peter.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
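The two run-time messages above point at a general hazard worth seeing on concrete bytes. As an added illustration (not code from this thread, not Bro code, and not a reproduction of what Bro 1.4's match_pattern does internally), the Python below builds a NetBIOS Session Service SESSION REQUEST as laid out in RFC 1002, a message that legitimately carries NUL bytes in its flags field and as the root label closing each encoded name, and compares a length-aware search for a signature with a search that treats the payload as a NUL-terminated C string. The names FILESERVER and WORKSTATION and the token searched for are constructed for the example.

```python
"""Embedded NUL bytes versus a NUL-terminated view of a payload.

Added illustration, not Bro code and not a model of Bro's internals.  It
builds a NetBIOS Session Service SESSION REQUEST (RFC 1002), which carries
NUL bytes by design, and compares a length-aware search against a search
that sees the payload as a C string ending at the first 0x00.
"""
import struct


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    one-byte suffix, then spell each byte as two nibbles offset from 'A'."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """SESSION REQUEST: type 0x81, flags 0x00, 16-bit length, then the
    called and calling names, each a 32-byte label closed by a 0x00 root
    label.  The flags byte and both root labels are NUL bytes."""
    body = b""
    for name in (called, calling):
        body += b"\x20" + encode_netbios_name(name) + b"\x00"
    return struct.pack("!BBH", 0x81, 0x00, len(body)) + body


def nul_offsets(data: bytes) -> list:
    """Every position at which the payload carries a 0x00 byte."""
    return [i for i, b in enumerate(data) if b == 0]


def match_as_cstring(data: bytes, token: bytes) -> bool:
    """What a matcher built on NUL-terminated string handling can see:
    the payload ends at the first 0x00, so nothing after it is searched."""
    visible = data.split(b"\x00", 1)[0]
    return token in visible


def match_bytes(data: bytes, token: bytes) -> bool:
    """Length-aware search: every byte, NULs included, is examined."""
    return token in data


def compare_matchers(data: bytes, token: bytes) -> dict:
    """Run both searches and report where the first NUL truncates the view."""
    return {
        "first_nul": data.find(b"\x00"),
        "cstring_match": match_as_cstring(data, token),
        "bytes_match": match_bytes(data, token),
    }


if __name__ == "__main__":
    # Constructed sample: a workstation asking for a session with a file server.
    payload = build_session_request("FILESERVER", "WORKSTATION")
    token = encode_netbios_name("FILESERVER")   # the signature we look for
    print("payload length:", len(payload), "NUL offsets:", nul_offsets(payload))
    print(compare_matchers(payload, token))
```

Run as a script, it shows that the first NUL sits at offset 1 (the flags byte), so the C-string view of a 72-byte request is a single byte and the encoded server name behind it is never searched. Whatever a particular tool does when it reports such strings, the check to carry back into signature work is the same: confirm that the matcher you rely on is length-aware over the whole payload, and exercise it with binary-protocol samples that contain 0x00 early, since those are exactly the payloads a string-oriented signature will silently miss.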
From: zak.noah at gmail.com (noah zak)
Date: Thu, 30 Oct 2008 11:49:00 -0400
Subject: [Bro] Log Rotate
Message-ID: <43d31ea30810300849x41bccb04h19930630bde0b9fd@mail.gmail.com>

When running the rotate-logs script I want the logs to be moved into a separate directory from the newly created logs. For example, when the logs rotate on the hour I want conn.old to be moved to /usr/local/old and conn.new to stay in /usr/local/bro/logs. Does anyone know how to do this?

Thanks

From: isara.a at gmail.com (Isara Anantavrasilp)
Date: Thu, 30 Oct 2008 18:10:48 +0100
Subject: [Bro] Offline/Tracefile Traffic Classification with Bro
References: <20081022214111.GH66645@icir.org>

Hi

Thanks for the advice and sorry for the late reply. I have looked into Wireshark even before Bro. The problem that I have is that I have to classify the flows in several extra-large traces, and it cannot be done without some automated tools. Up to now I have written a simple classifier based on libtrace, but I am not sure if my own signatures (as well as the algorithm) are valid. And since Bro is designed to do the classification and it already has signatures available, I am hoping that with Bro's mechanism I can classify packets/flows more easily with higher accuracy.

-- Isara

On Thu, Oct 23, 2008 at 6:23 AM, rmkml wrote:
> Hi Isara,
> maybe check with ngrep or Wireshark; the latter supports compressed pcap
> files + heuristic/filter dissectors...
> Regards
> Rmkml
> Crusoe-Researches.com
>
> On Thu, 23 Oct 2008, Isara Anantavrasilp wrote:
>
>> Date: Thu, 23 Oct 2008 00:07:23 +0200
>> From: Isara Anantavrasilp
>> To: Robin Sommer
>> Cc: bro at ICSI.Berkeley.EDU
>> Subject: Re: [Bro] Offline/Tracefile Traffic Classification with Bro
>>
>> Hi,
>>
>> thanks a lot for the answer.
>> That is what I am looking for, but not entirely.
>>
>> As far as I understand from the syntax, it pushes every packet that
>> has TCP port 22 into Bro.
>> Bro then summarizes the connections in the conn.log (using the tcp policy).
>> And you are right, I want just the packets so that I can process them later.
>>
>> However, it might work with SSH, but the reason I need Bro here is
>> that some applications that I am interested in require payload
>> signatures.
>> And even though it is SSH, I would like to be sure that it is actually
>> SSH (by analyzing the payload, not just the port number).
>>
>> I just found out that with the switch "-w", Bro can output the
>> packets.
>> If I use something like
>>
>>     bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro
>>
>> would Bro return packets of all flows that match the policy in
>> somesignature.bro?
>>
>> Another question: can Bro handle a compressed trace file by itself,
>> or do I always have to use zcat?
>>
>> Thank you very much!
>>
>> -- Isara
>>
>>
>> On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer wrote:
>>>
>>> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>>>
>>>> For instance, given a trace file A, and a specific protocol, say, SSH,
>>>> what I have to do is generate another trace file which contains only
>>>> SSH packets from the trace A.
>>>> I do not need the SSH trace file automatically.
>>>> But I need at least the 5-tuple of the SSH flows that reside in the
>>>> trace A so that I can extract the SSH packets later.
>>>
>>> Is this what you're looking for?
>>>
>>>     zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
>>>
>>> Or if you need just the packets, skip Bro altogether.
>>>
>>> Robin
>>>
>>> --
>>> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
>>> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>>>
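The pipeline quoted above selects on port 22, while the question is whether a flow is really SSH. As an added example (Python, not Bro, and not from the Bro distribution), the block below does the classification step by payload: it parses a classic pcap (Ethernet/IPv4/TCP), groups segments into direction-independent 5-tuple flows, and marks a flow as SSH only if a segment begins with the RFC 4253 identification string "SSH-", so that HTTP spoken on port 22 is not counted and SSH on port 2222 is. The pcap, addresses, ports and banners are constructed inline; only the pcap, Ethernet, IPv4, TCP and SSH-banner layouts are the real formats.

```python
"""Payload-based flow classification over a pcap, not trusting port numbers.

Added example; not Bro code and not from the Bro distribution.  Parses a
classic pcap (Ethernet/IPv4/TCP), groups segments into direction-independent
5-tuple flows, and calls a flow SSH only if a segment opens with the RFC 4253
identification string "SSH-".  All frames, addresses and banners are constructed.
"""
import socket
import struct

SSH_BANNER = b"SSH-"   # RFC 4253 s.4.2: "SSH-protoversion-softwareversion"


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words; yields 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Ethernet II + IPv4 + TCP; IPv4 checksum is real, TCP checksum left zero (never verified)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian classic pcap: 24-byte file header, 16-byte record headers, LINKTYPE 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1225360000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(pcap):
    """Yield raw frames.  The magic number tells us the writer's byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """(src, dst, sport, dport, payload) for an IPv4/TCP frame, else None; honours IHL and data offset."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 6:
        return None
    tcp_start = 14 + (frame[14] & 0x0F) * 4
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]      # trims Ethernet padding
    if len(frame) < tcp_start + 20:
        return None
    data_off = (frame[tcp_start + 12] >> 4) * 4
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, frame[tcp_start + data_off:ip_end])


def flow_key(src, dst, sport, dport):
    """Direction-independent 5-tuple so both halves of a conversation share one record."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a[0], a[1], b[0], b[1], "tcp")


def classify_flows(pcap):
    """Per flow: packet count, whether port 22 is involved, whether a segment starts with the SSH banner."""
    flows = {}
    for frame in iter_pcap(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        rec = flows.setdefault(flow_key(src, dst, sport, dport),
                               {"packets": 0, "port22": False, "ssh": False})
        rec["packets"] += 1
        rec["port22"] = rec["port22"] or 22 in (sport, dport)
        # The banner opens the stream: anchor at segment start, do not scan inside.
        if payload.startswith(SSH_BANNER):
            rec["ssh"] = True
    return flows


def ssh_flows(pcap):
    """Sorted 5-tuples of flows that are SSH by payload, ready for later extraction."""
    return sorted(k for k, v in classify_flows(pcap).items() if v["ssh"])


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "192.168.1.10", 51234, 22, b"SSH-2.0-OpenSSH_7.9\r\n"),
    build_tcp_frame("192.168.1.10", "10.0.0.5", 22, 51234, b"SSH-2.0-OpenSSH_8.0\r\n"),
    build_tcp_frame("10.0.0.5", "192.168.1.10", 51235, 22, b"GET / HTTP/1.0\r\n\r\n"),   # HTTP on 22
    build_tcp_frame("10.0.0.7", "192.168.1.20", 40000, 2222, b"SSH-2.0-dropbear_2019.78\r\n"),
    build_tcp_frame("192.168.1.20", "10.0.0.7", 2222, 40000, b"", flags=0x10),          # bare ACK
])

if __name__ == "__main__":
    for key, rec in sorted(classify_flows(SAMPLE_PCAP).items()):
        print(key, rec)
```

The 5-tuples returned by ssh_flows are what one would feed back into tcpdump (or a writer such as the one discussed above) to pull just those flows out of the original trace. Two limits of this reader to keep in mind: a banner split across segments, or a trace that starts mid-connection, will not satisfy the startswith check, and it reads raw pcap bytes only, so a compressed trace still has to be decompressed before it is handed over.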