From vern at icir.org Sun Sep 7 18:31:47 2008
From: vern at icir.org (Vern Paxson)
Date: Sun, 07 Sep 2008 18:31:47 -0700
Subject: [Bro] License
In-Reply-To: <20080809202355.4a9b5ec4@dhcp-lab-189.englab.brq.redhat.com> (Sat, 09 Aug 2008 20:23:55 +0200).
Message-ID: <200809080131.m881VkQJ031741@pork.ICSI.Berkeley.EDU>

[sorry for the delay - this got buried in a big pile that accumulated while I was away]

> I'm a little confused about the license under which is Bro distributed.
> Is it "BSD" or "BSD with advertising"? It looks like that in the
> COPYING file is "BSD with advertising" and on
> http://bro-ids.org/license.html "BSD". Could you please tell me
> which one is the right one?

Argh, yeah, they're inconsistent :-(. It should just be "BSD". I'll see if we can incorporate this change in the 1.4 release, which will go out in a few days.

Vern

From geek00l at gmail.com Mon Sep 8 21:40:20 2008
From: geek00l at gmail.com (CS Lee)
Date: Tue, 9 Sep 2008 12:40:20 +0800
Subject: [Bro] wiki account
Message-ID: <1bb5dd90809082140s4666d7bam5abacff1e2744801@mail.gmail.com>

hi all,

I would like to edit the content in the Bro wiki as a lot of it (especially in the User Manual) is outdated. I'm requesting a user account for the Bro wiki.

Thanks.

--
Best Regards,
CS Lee
http://geek00l.blogspot.com

From robin at icir.org Tue Sep 9 12:26:42 2008
From: robin at icir.org (Robin Sommer)
Date: Tue, 9 Sep 2008 12:26:42 -0700
Subject: [Bro] wiki account
In-Reply-To: <1bb5dd90809082140s4666d7bam5abacff1e2744801@mail.gmail.com>
References: <1bb5dd90809082140s4666d7bam5abacff1e2744801@mail.gmail.com>
Message-ID: <20080909192642.GA49394@icir.org>

On Tue, Sep 09, 2008 at 12:40 +0800, you wrote:

> I would like to edit the content in Bro wiki as a lot of them(especially in
> User Manual) are outdated.
> I'm requesting user account for Bro wiki.

Great, I've created an account for you. You should receive more information in a separate mail.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From geek00l at gmail.com Tue Sep 9 20:12:11 2008
From: geek00l at gmail.com (CS Lee)
Date: Wed, 10 Sep 2008 11:12:11 +0800
Subject: [Bro] wiki account
In-Reply-To: <20080909192642.GA49394@icir.org>
References: <1bb5dd90809082140s4666d7bam5abacff1e2744801@mail.gmail.com> <20080909192642.GA49394@icir.org>
Message-ID: <1bb5dd90809092012l2d70b8f0hc2e65ddef579ff5d@mail.gmail.com>

hi Robin,

Thanks!

On Wed, Sep 10, 2008 at 3:26 AM, Robin Sommer wrote:
>
> On Tue, Sep 09, 2008 at 12:40 +0800, you wrote:
>
> > I would like to edit the content in Bro wiki as a lot of them(especially
> in
> > User Manual) are outdated. I'm requesting user account for Bro wiki.
>
> Great, I've created an account for you. You should receive more
> information in a separate mail.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>

--
Best Regards,
CS Lee
http://geek00l.blogspot.com

From jimbo.redneck at gmail.com Wed Sep 10 08:22:27 2008
From: jimbo.redneck at gmail.com (Jim Bo)
Date: Wed, 10 Sep 2008 11:22:27 -0400
Subject: [Bro] configure: error: cannot compute sizeof (long long), 77
Message-ID: <86f40f0e0809100822t3a88f6b2x692f7717e516a5bd@mail.gmail.com>

I am trying to install BRO-1.3.2 and I get the following error when I run ./configure:

checking for union semun... no
checking for struct sembuf... yes
checking for struct sockaddr_in.sin_len... no
checking for long long... yes
checking size of long long...
configure: error: cannot compute sizeof (long long), 77

I can install version 1.2 without problems. Does anyone know how to solve this error? The error also happens with 1.4.

Thanks,
Jimbo

From christian at whoop.org Thu Sep 11 04:28:06 2008
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 11 Sep 2008 13:28:06 +0200
Subject: [Bro] configure: error: cannot compute sizeof (long long), 77
In-Reply-To: <86f40f0e0809100822t3a88f6b2x692f7717e516a5bd@mail.gmail.com>
References: <86f40f0e0809100822t3a88f6b2x692f7717e516a5bd@mail.gmail.com>
Message-ID: <1221132486.4849.138.camel@strangepork>

Hi,

On Wed, 2008-09-10 at 11:22 -0400, Jim Bo wrote:
> I am trying to install BRO-1.3.2

On what platform and using which compiler version?

> and I get the following error when I run ./configure:
>
> checking for union semun... no
> checking for struct sembuf... yes
> checking for struct sockaddr_in.sin_len... no
> checking for long long... yes
> checking size of long long... configure: error: cannot compute sizeof
> (long long), 77

Could you post or send to me the relevant part of config.log? (Do a quick search for "long long" in it; in your case it should be right at the end of the file.) Usually what happens in situations like yours is that an earlier problem spills over into the flags passed into subsequent build checks.

--
Cheers,
Christian

From jimbo.redneck at gmail.com Thu Sep 11 05:50:22 2008
From: jimbo.redneck at gmail.com (Jim Bo)
Date: Thu, 11 Sep 2008 08:50:22 -0400
Subject: [Bro] GEOIP
Message-ID: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com>

Does anyone have a GeoIP example that will check all http/https connections and log attempts from non-XX countries?
Thanks,
Jimbo

From hall.692 at osu.edu Thu Sep 11 06:26:57 2008
From: hall.692 at osu.edu (Seth Hall)
Date: Thu, 11 Sep 2008 09:26:57 -0400
Subject: [Bro] GEOIP
In-Reply-To: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com>
References: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com>
Message-ID:

On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:
> Does anyone have a GeoIP example that will check all http/https
> connections and log attempts from non XX countries?

Checking https connections doesn't make much sense because there are no distinguishing features from any other SSL encrypted session other than maybe the port number, but that's not very definitive. You could watch for SSL sessions in general (using DPD) to sort of catch https sessions.

For http, I attached a script I just wrote to do what you want. It takes a list of country codes as a configuration option and will log all requests that aren't going to or coming from one of your defined countries. I haven't tested the code at all (I think it should work), but it should give you a general idea of how to do this.

Another concern I have about this script is that I'm not completely sure how well the geoip library can handle extremely high levels of queries against it. I've heard in certain circumstances that if you do too many lookups in Bro (many, many thousands per second) it will begin to return incorrect data. So, if you start using this, keep an eye on the data you're getting and make sure it's what you expect.

.Seth

-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-geo-logging.bro
Type: application/octet-stream
Size: 856 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080911/bc9a2cd9/attachment.obj
-------------- next part --------------
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From jimbo.redneck at gmail.com Thu Sep 11 09:23:31 2008
From: jimbo.redneck at gmail.com (Jim Bo)
Date: Thu, 11 Sep 2008 12:23:31 -0400
Subject: [Bro] GEOIP
In-Reply-To:
References: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com>
Message-ID: <86f40f0e0809110923l2034bcb3p2b1f7e868f241c6d@mail.gmail.com>

Thanks for the reply. I have played around with the script but I keep getting the following error:

/usr/local/bro/policy/http-entity.bro, line 9: error: unknown identifier lookup_http_request_stream, at or near "lookup_http_request_stream"

On Thu, Sep 11, 2008 at 9:26 AM, Seth Hall wrote:
>
> On Sep 11, 2008, at 8:50 AM, Jim Bo wrote:
>
>> Does anyone have a GeoIP example that will check all http/https
>> connections and log attempts from non XX countries?
>
> Checking https connections doesn't make much sense because there are no
> distinguishing features from any other SSL encrypted session other than
> maybe the port number, but that's not very definitive. You could watch for
> SSL sessions in general (using DPD) to sort of catch https sessions.
>
> For http, I attached a script I just wrote to do what you want. It takes a
> list of country codes as a configuration option and will log all requests
> that aren't going to or coming from one of your defined countries. I
> haven't tested the code at all (I think it should work), but it should give
> you a general idea of how to do this.
>
> Another concern I have about this script is that I'm not completely sure how
> well the geoip library can handle extremely high levels of queries against.
> I've heard in certain circumstances that if you do too many lookups in Bro
> (many, many thousands per second) it will begin to return incorrect data.
> So, if you start using this, keep an eye on the data you're getting and
> make sure it's what you expect.
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>

From hall.692 at osu.edu Thu Sep 11 09:35:09 2008
From: hall.692 at osu.edu (Seth Hall)
Date: Thu, 11 Sep 2008 12:35:09 -0400
Subject: [Bro] GEOIP
In-Reply-To: <86f40f0e0809110923l2034bcb3p2b1f7e868f241c6d@mail.gmail.com>
References: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com> <86f40f0e0809110923l2034bcb3p2b1f7e868f241c6d@mail.gmail.com>
Message-ID: <4A3525A1-F327-4A0E-98BB-BA3FCFCF84A4@osu.edu>

On Sep 11, 2008, at 12:23 PM, Jim Bo wrote:
> /usr/local/bro/policy/http-entity.bro, line 9: error: unknown
> identifier lookup_http_request_stream, at or near
> "lookup_http_request_stream"

Fixed version. I had several bugs :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-geo-logging.bro
Type: application/octet-stream
Size: 915 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080911/a81f2540/attachment.obj
-------------- next part --------------
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From hall.692 at osu.edu Fri Sep 12 05:44:19 2008
From: hall.692 at osu.edu (Seth Hall)
Date: Fri, 12 Sep 2008 08:44:19 -0400
Subject: [Bro] GEOIP
In-Reply-To: <86f40f0e0809120533r38d5c0c2vbe4e115a432e1980@mail.gmail.com>
References: <86f40f0e0809110550k2ae6a3d1j6e47875d337ecd9b@mail.gmail.com> <86f40f0e0809110923l2034bcb3p2b1f7e868f241c6d@mail.gmail.com> <4A3525A1-F327-4A0E-98BB-BA3FCFCF84A4@osu.edu> <86f40f0e0809120533r38d5c0c2vbe4e115a432e1980@mail.gmail.com>
Message-ID: <1ACD4339-5E29-4A40-9E8D-4F83E67B4ED4@osu.edu>

On Sep 12, 2008, at 8:33 AM, Jim Bo wrote:
> Is there a way to extract the incoming IP addresses on ports 80 and
> 443 and run the IP addresses through GeoIP.

That's more or less what the script does that I sent to the list (except for port 443). I guess I just don't know what end result you're looking to get.

> Also is there any sort of
> documentation or even books that I can look at / buy that would help
> me with this type of stuff so that I dont have to keep bothering you.

The best current documentation is in the slides and related exercises from the Bro workshop that took place last summer.
http://bro-ids.org/wiki/index.php/WorkshopMaterial

A *little* bit of documentation about the libGeoIP support can be found here:
http://bro-ids.org/wiki/index.php/GeoLocation

There is also a lot of good material to be found in the manuals:
http://bro-ids.org/wiki/index.php/User_Manual
http://bro-ids.org/wiki/index.php/Reference_Manual

Hopefully that helps. Feel free to keep asking questions though.
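Since the archive scrubbed the attachment, here is an added example of a Bro 1.x policy script along the lines Seth describes (not his http-geo-logging.bro; the module name, the log file name and the "??" marker for unknown countries are my choices). It assumes a Bro build with libGeoIP support, so that lookup_location() is available and returns a geo_location record whose country_code may be unset.

```bro
# Added example, not the http-geo-logging.bro attachment from the list.
# Logs HTTP requests where the client or the server is outside a
# configurable set of "home" countries. Assumes Bro 1.x built with
# libGeoIP (lookup_location() present, country_code field &optional).

@load http-request

module HTTPGeo;

export {
	# Country codes treated as home; anything else is logged.
	# Override in your own policy with e.g.
	#   redef HTTPGeo::allowed_countries = { "US", "CA" };
	const allowed_countries: set[string] = { "US" } &redef;
}

# Out-of-country requests go to http-geo.log (file name is an assumption).
global geo_log = open_log_file("http-geo") &redef;

# Country code for an address, or "??" when the GeoIP database has no
# entry for it (lookup_location() then leaves country_code unset).
function country_of(a: addr): string
	{
	local loc = lookup_location(a);
	if ( loc?$country_code )
		return loc$country_code;
	return "??";
	}

event http_request(c: connection, method: string, original_URI: string,
		   unescaped_URI: string, version: string)
	{
	local orig_cc = country_of(c$id$orig_h);
	local resp_cc = country_of(c$id$resp_h);

	# Both endpoints at home: nothing to report.
	if ( orig_cc in allowed_countries && resp_cc in allowed_countries )
		return;

	# Unknown ("??") endpoints are logged too, so database gaps stay visible
	# rather than silently passing as "not foreign".
	print geo_log, fmt("%.6f %s (%s) -> %s (%s) %s %s",
	                   network_time(),
	                   c$id$orig_h, orig_cc,
	                   c$id$resp_h, resp_cc,
	                   method, original_URI);
	}
```

Each request costs two lookups, which matters given the high-query-rate concern raised above; on a busy link, resolving the countries once per connection (e.g. in connection_established) and caching them on the connection would cut the lookup rate considerably.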
.Seth

From jchambers at ucla.edu Fri Sep 12 12:46:39 2008
From: jchambers at ucla.edu (Jason Chambers)
Date: Fri, 12 Sep 2008 12:46:39 -0700
Subject: [Bro] Network capture cards -- your experience
Message-ID: <48CAC71F.2040907@ucla.edu>

Hello all,

I've read a number of research papers on using commodity hardware for high speed network capture and I'd like to solicit real world feedback on performance. Endace products work great, however I'm interested to know of other cards that prove to be worthwhile. If you're running a custom built implementation that is processing >= 700Mbps on average then you're the person I want to hear from. Off-list replies are fine. I'll summarize the results if people are interested.

Thanks !

--Jason

Here are some metrics off the top of my head...

Card type (vendor, model, pci-e or pci-x) -
Card traffic is x or >= 700Mbps ? -
Device traffic is >= 1 Gbps (multiple 1 gig cards) ? -
Packets per second (average/max) ? -
Percentage of dropped traffic ? -
Operating system / device polling or MMAP used ? -
Processor type / number of cores ? -
Average CPU utilization ? -
Multiple applications connecting to the same pcap chain ? -

From jebrahimi at bivio.net Fri Sep 12 14:43:40 2008
From: jebrahimi at bivio.net (Joel Ebrahimi)
Date: Fri, 12 Sep 2008 14:43:40 -0700
Subject: [Bro] Network capture cards -- your experience
In-Reply-To: <48CAC71F.2040907@ucla.edu>
References: <48CAC71F.2040907@ucla.edu>
Message-ID:

Hi Jason,

I work for Bivio Networks and we have deployed Bro on our hardware and achieved multi-gig monitoring throughput. Our hardware is a specialty networking appliance and not commodity hardware with an accelerator card.

Our appliance is a Linux based operating system with a distributed multi-core architecture. The system I ran my testing on was a 12 core system. Our systems can actually be daisy chained together using a backplane cable, which would provide more cores for more horsepower.
The configuration of Bro, size of the packets, and type of traffic that is sent to the system can have a significant impact on processing throughput. In most of the tests I ran I saw performance between 500Mb/s and 6Gb/s.

I'm not really sure if that is the information you are looking for but it's another option for high speed Bro processing.

// Joel

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Jason Chambers
Sent: Friday, September 12, 2008 12:47 PM
To: bro at bro-ids.org
Subject: [Bro] Network capture cards -- your experience

Hello all,

I've read a number of research papers on using commodity hardware for high speed network capture and I'd like to solicit real world feedback on performance. Endace products work great, however I'm interested to know of other cards that prove to be worthwhile. If your running a custom built implementation that is processing >= 700Mbps on average then your the person I want to hear from. Off-list replies are fine. I'll summarize the results if people are interested.

Thanks !

--Jason

Here are some metrics off the top of my head...

Card type (vendor, model, pci-e or pci-x) -
Card traffic is x or >= 700Mbps ? -
Device traffic is >= 1 Gbps (multiple 1 gig cards) ? -
Packets per second (average/max) ? -
Percentage of dropped traffic ? -
Operating system / device polling or MMAP used ? -
Processor type / number of cores ? -
Average CPU utilization ? -
Multiple applications connecting to the same pcap chain ?
-

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From mcuttler at bnl.gov Fri Sep 12 15:54:41 2008
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Fri, 12 Sep 2008 18:54:41 -0400
Subject: [Bro] Network capture cards -- your experience
In-Reply-To:
Message-ID:

On 9/12/08 5:43 PM, "Joel Ebrahimi" wrote:

> Hi Jason,
>
> I work for Bivio Networks and we have deployed Bro on our hardware and
> achieved multi-gig monitoring throughput. Our hardware is a specialty
> networking appliance and not commodity hardware with an accelerator
> card.
>
> Our appliance is a Linux based operating system with a distributed
> multi-core architecture. In the system I ran testing on this on it was a
> 12 core system. Our systems can actually be daisy chained together using
> a backplane cable, which would provide more cores for more horsepower.
>
> The configuration of Bro, size of the packets, and type of traffic that
> is sent to the system can have significant impact on processing
> throughput. In most of the tests I ran I saw performance between
> 500Mb/s to 6Gb/s.
>
> Im not really sure if that is information you are looking for but its
> another option for high speed bro processing.

Joel,

Please understand that this post is not intended to be antagonistic in any way, but I remember Bivio claiming to (briefly) natively support Bro (with a custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it was called "Brooklyn").

Policy prevents me from publicly endorsing any product/service/vendor (etc..). I will say, though, that your appliances perform appx. as well as the sales documents claim they do, in real-world use.

Which brings me to my question: is there a resurgence in Bro interest within your company? Or are you simply stating above that you have a platform which can run a NIDS stack at high speeds?

Public or private reply is O.K.
Thanks,
Matt Cuttler

From jebrahimi at bivio.net Fri Sep 12 16:20:16 2008
From: jebrahimi at bivio.net (Joel Ebrahimi)
Date: Fri, 12 Sep 2008 16:20:16 -0700
Subject: [Bro] Network capture cards -- your experience
In-Reply-To:
References:
Message-ID:

Hi Matt,

I know there has been work with Bro in the past but I do not know to what extent nor do I have any past information. I come from an open-source/security background and my role at Bivio is solutions engineer. Since I have been here I have worked to make a number of open-source tools into Bivio packages that work natively.

Bro is one of the ones I have had a chance to work on. We do have customers who are currently using Bro on our platform and are quite happy with the results.

I hope that answers your question. My goal is not to "market" to this list so if you have questions about our solutions or what native applications we offer feel free to drop me an email directly.

// Joel

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Matt Cuttler
Sent: Friday, September 12, 2008 3:55 PM
To: bro at bro-ids.org
Subject: Re: [Bro] Network capture cards -- your experience

On 9/12/08 5:43 PM, "Joel Ebrahimi" wrote:

> Hi Jason,
>
> I work for Bivio Networks and we have deployed Bro on our hardware and
> achieved multi-gig monitoring throughput. Our hardware is a specialty
> networking appliance and not commodity hardware with an accelerator
> card.
>
> Our appliance is a Linux based operating system with a distributed
> multi-core architecture. In the system I ran testing on this on it was a
> 12 core system. Our systems can actually be daisy chained together using
> a backplane cable, which would provide more cores for more horsepower.
>
> The configuration of Bro, size of the packets, and type of traffic that
> is sent to the system can have significant impact on processing
> throughput.
> In most of the tests I ran I saw performance between
> 500Mb/s to 6Gb/s.
>
> Im not really sure if that is information you are looking for but its
> another option for high speed bro processing.

Joel,

Please understand that this post is not intended to be antagonistic in any way, but I remember Bivio claiming to (briefly) natively support Bro (with a custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it was called "Brooklyn").

Policy prevents me from publicly endorsing any product/service/vendor (etc..). I will say, though, that your appliances perform appx. as well as the sales documents claim they do, in real-world use.

Which brings me to my question: is there a resurgence in Bro interest within your company? Or are you simply stating above that you have a platform which can run a NIDS stack at high speeds?

Public or private reply is O.K.

Thanks,
Matt Cuttler

From mcuttler at bnl.gov Fri Sep 12 16:34:34 2008
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Fri, 12 Sep 2008 19:34:34 -0400
Subject: [Bro] Network capture cards -- your experience
In-Reply-To:
Message-ID:

On 9/12/08 7:20 PM, "Joel Ebrahimi" wrote:

> Hi Matt,
>
> I know there has been work with Bro in the past but I do not know to
> what extent nor do I have any past information. I come from a
> open-source/security background and my roll at Bivio is solutions
> engineer. Since I have been here I have worked to make a number of
> open-source tools into Bivio packages that work natively.
>
> Bro is one of the ones I have had a chance to work on. We do have
> customers who are currently using Bro on our platform and are quite
> happy with the results.
>
> I Hope that answers you question. My goal is not to "market" to this
> list so if you have questions about our solutions or what native
> applications we offer feel free to drop me an email directly.
Hi Joel,

Didn't mean to accuse (or imply accusation) -- that you were marketing to this list; I hope it didn't come across that way.

I'd like to hear more about the throughput results you've gotten with Bro on your company's platform, and any build/compile-time tweaks you've got to share. For the sake of saving bandwidth/inbox space etc., you can reply off-list (or if you feel it's on-topic, we can communicate on-list).

Thanks,
Matt Cuttler

From jchambers at ucla.edu Fri Sep 12 16:54:23 2008
From: jchambers at ucla.edu (Jason Chambers)
Date: Fri, 12 Sep 2008 16:54:23 -0700
Subject: [Bro] Network capture cards -- your experience
In-Reply-To:
References:
Message-ID: <48CB012F.3090502@ucla.edu>

Matt Cuttler wrote:
> On 9/12/08 5:43 PM, "Joel Ebrahimi" wrote:
>
>> I work for Bivio Networks and we have deployed Bro on our hardware and
>> achieved multi-gig monitoring throughput. Our hardware is a specialty
>> networking appliance and not commodity hardware with an accelerator
>> card.
>>
> Joel,
>
> Please understand that this post is not intended to be antagonistic in any
> way, but I remember Bivio claiming to (briefly) natively support Bro (with a
> custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it
> was called "Brooklyn").
>

I talked to their sales group briefly about this. They report having a specialized package for Bro to work with their environment (the Bivio API)... at least that's how I understood it.

Another reader pointed out http://www.pcapexpress.com/ which looks interesting as they support FreeBSD as well as Linux.

I'll wait for a couple days and post the anonymized results to the wiki. In the absence of confirmed performance results, at the least the potential to seed the next research paper exists. Many of the papers I've read only compare commodity hardware to Endace.
--Jason

From christian at whoop.org Sat Sep 13 02:19:24 2008
From: christian at whoop.org (Christian Kreibich)
Date: Sat, 13 Sep 2008 11:19:24 +0200
Subject: [Bro] configure: error: cannot compute sizeof (long long), 77
In-Reply-To: <1221132486.4849.138.camel@strangepork>
References: <86f40f0e0809100822t3a88f6b2x692f7717e516a5bd@mail.gmail.com> <1221132486.4849.138.camel@strangepork>
Message-ID: <1221297564.5318.51.camel@strangepork>

Fyi, Jim has indicated to me that he solved the problem by changing his dynamic linker search path, which suggests the problem was indeed rooted elsewhere. While I know no further details, it's likely the termcap linking problem that has crept up before:

http://mailman.icsi.berkeley.edu/pipermail/bro/2006-June/002427.html

--
Cheers,
Christian

From zak.noah at gmail.com Mon Sep 15 09:05:58 2008
From: zak.noah at gmail.com (noah zak)
Date: Mon, 15 Sep 2008 12:05:58 -0400
Subject: [Bro] Attachment Extraction
Message-ID: <43d31ea30809150905s4fa52bc5re513429aecc97ae@mail.gmail.com>

All,

Does anyone have a script that will extract attachments from incoming email? I need to extract the attachments for further analysis.

Thanks

From vern at icir.org Mon Sep 15 13:28:00 2008
From: vern at icir.org (Vern Paxson)
Date: Mon, 15 Sep 2008 13:28:00 -0700
Subject: [Bro] Attachment Extraction
In-Reply-To: <43d31ea30809150905s4fa52bc5re513429aecc97ae@mail.gmail.com> (Mon, 15 Sep 2008 12:05:58 EDT).
Message-ID: <200809152027.m8FKRwGo000656@pork.ICSI.Berkeley.EDU>

> Does anyone have a script that will extract attachments from incoming email.

See policy/mime.bro. It logs only the beginning of attachments, but it has the hooks necessary to fully extract them if that's what you need.

Vern

From renaud.luca at gmail.com Mon Sep 15 20:15:54 2008
From: renaud.luca at gmail.com (Luca Renaud)
Date: Tue, 16 Sep 2008 04:15:54 +0100
Subject: [Bro] Some results from basic testing of bro-1.4prerelease.
Message-ID: <628233b10809152015k7e6f6e64h9f5ef5da5117172e@mail.gmail.com>

Some facts derived from the testing of bro-1.4prerelease:

First, I run bro on a Debian Linux PPC workstation, which I use for web browsing (ADSL connection) and offline use (for several purposes). I capture the traffic with tcpdump and bro does the analysis of the captured traffic. As only the related http traffic services/ports are enabled it's not an especially rich test. Anyway, I get a much smaller number of weird events (I have never had more troublesome notices) than when I do the analysis of the same files with bro-1.2.1.
As weird events are generally considered traffic that "should never happen", shouldn't both versions signal approximately the same number of weird events?

The compiling of bro-1.4prerelease on the above system (Debian testing) went normally; I got some compiler warnings, but at first sight the usual harmless ones.

As I run both bro versions on the same files I got warnings like these:

line 1: run-time error: wrong data format, expected version 13 but got version 18 (running bro-1.2.1)
line 1: run-time error: wrong data format, expected version 18 but got version 13 (running bro-1.4prerelease)

It seems related to the use of both versions of bro in the same computer session.

When I do

bro -r tcpdumpcapturefile backdoor.bro

I get (using 1.4release):

line 1: warning: event handlers never invoked:
line 1: warning: Drop::restore_dropped_address

When I do bro -r tcpdumpcapturefile I don't get the 2 above lines (using 1.4release).

From robin at icir.org Tue Sep 16 10:54:31 2008
From: robin at icir.org (Robin Sommer)
Date: Tue, 16 Sep 2008 10:54:31 -0700
Subject: [Bro] Some results from basic testing of bro-1.4prerelease.
In-Reply-To: <628233b10809152015k7e6f6e64h9f5ef5da5117172e@mail.gmail.com>
References: <628233b10809152015k7e6f6e64h9f5ef5da5117172e@mail.gmail.com>
Message-ID: <20080916175431.GC25834@icir.org>

On Tue, Sep 16, 2008 at 04:15 +0100, you wrote:
> Some facts derived from the testing of bro-1.4prerelease:

Thanks for testing 1.4.

> As weird events are generally considered traffic that "should never
> happen",shouldn't both versions signal approximately the same number
> of weird events?

Generally, yes, though there might be changes which change how things are interpreted (in some cases there's no crisp definition of whether something's weird or not).
I don't remember anything specific for HTTP in this context though. It would be very helpful if you could single out a connection or two which show the difference between 1.2 and 1.4 and send us the trace file as well as the command-line you're using.

> line 1: run-time error: wrong data format, expected version 13 but got
> version 18 [...]
> It seems related to the use of both versions of bro in the same
> computer session.

Right, each run creates a .state directory where any persistent state is stored. The format of the state file is not compatible between 1.2 and 1.4, i.e., one Bro version cannot read the files generated by the other.

> line 1: warning: event handlers never invoked:
> line 1: warning: Drop::restore_dropped_address
> When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.
> (using 1.4release).

That's an intentional change as these warnings are often not very helpful and are therefore now suppressed by default. You can turn them back on by setting check_for_unused_event_handlers=T.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From vern at icir.org Tue Sep 16 11:10:14 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 16 Sep 2008 11:10:14 -0700
Subject: [Bro] Some results from basic testing of bro-1.4prerelease.
In-Reply-To: <20080916175431.GC25834@icir.org> (Tue, 16 Sep 2008 10:54:31 PDT).
Message-ID: <200809161810.m8GIAB7d026026@pork.ICSI.Berkeley.EDU>

> > As weird events are generally considered traffic that "should never
> > happen",shouldn't both versions signal approximately the same number
> > of weird events?
>
> Generally, yes, though there might be changes which change how
> things are interpreted

Also, there have been some bug fixes that previously led to inappropriate Weird's.
Vern

From fuyiyang at gmail.com Tue Sep 16 20:22:35 2008
From: fuyiyang at gmail.com (fu yiyang)
Date: Wed, 17 Sep 2008 11:22:35 +0800
Subject: [Bro] about signature match
Message-ID:

hi, all:

I'm a newcomer. I have read the documents about bro. I want to perform off-line analysis using -r, but I don't know how to activate the signature engine. Could somebody tell me how to use the signature engine in bro? Thanks very much!

eyoung

From fuyiyang at gmail.com Wed Sep 17 19:53:10 2008
From: fuyiyang at gmail.com (fu yiyang)
Date: Thu, 18 Sep 2008 10:53:10 +0800
Subject: [Bro] signature match
Message-ID:

I have read the whole Bro Reference Manual and others in www.bro-ids.org. The bro is running normally when using policy. I know how to write a signature, but these signatures have never been matched. I have used the local.lite.bro to activate the Signature Engine, and the signature.log contains nothing even using the simplest signature. I didn't find the reason. Can someone help me? Thanks!

eyoung

From fuyiyang at gmail.com Sat Sep 20 06:41:35 2008
From: fuyiyang at gmail.com (fu yiyang)
Date: Sat, 20 Sep 2008 21:41:35 +0800
Subject: [Bro] Policy debug
Message-ID:

hi all!

When I used Dynamic Protocol Detection, I found I can't activate the event handler http_request. If use_dpd is commented out, the event can be activated. The next is my process in detail. The bro version is 1.2.1-stable.

The cmd line is: src/bro -d -r (pcap) http_lite.bro

case 1: comment out "const use_dpd = T" in http_lite.bro
    Policy file debugging ON.
    set breakpoint at http-request.bro:http_request
    Then input c cmd, bro can hit breakpoint http_request.
case 2: uncomment "const use_dpd = T" in http_lite.bro
    set breakpoint at http-request.bro:http_request and detect-protocols-http.bro:http_request.
    Then input c cmd, bro hits neither and finishes.

Could someone tell me the reason? Thanks very much!

Regards
eyoung

From vern at icir.org Sun Sep 21 13:04:44 2008
From: vern at icir.org (Vern Paxson)
Date: Sun, 21 Sep 2008 13:04:44 -0700
Subject: [Bro] Policy debug
In-Reply-To: (Sat, 20 Sep 2008 21:41:35 +0800).
Message-ID: <200809212004.m8LK4mjG015265@pork.ICSI.Berkeley.EDU>

> The cmd line is : src/bro -d -r (pcap) http_lite.bro

What is http_lite.bro? In particular, the problem you are running into sounds like the packet-capture filter isn't set to a value that matches the traffic you want to analyze. You can see what the filter is by adding print-filter.bro to your command line, which will cause Bro to print the filter and exit.

Also note that the interactive debugger (-d) has not been maintained for a while and has some significant problems :-(, so unfortunately you shouldn't trust it for tracking down script bugs.

Vern

From renaud.luca at gmail.com Mon Sep 22 11:54:37 2008
From: renaud.luca at gmail.com (Luca Renaud)
Date: Mon, 22 Sep 2008 19:54:37 +0100
Subject: [Bro] Comparison data between bro-1.4prerelease and bro-1.2.1.
Message-ID: <628233b10809221154h66471c88h3611b86c080f9883@mail.gmail.com>

I ran the two bro versions with 6 tcpdump files and registered the differences in the following table (each cell is the count under 1.2 - the count under 1.4):

                                   tcpdumpfile1  tcpdumpfile2  tcpdumpfile3  tcpdumpfile4  tcpdumpfile5  tcpdumpfile6
                                   1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4
spontaneous_RST                    15-1          4-3           4-1           11-19         32-1          56-1
spontaneous_FIN                    10-1          8-0           9-0           85-55         25-2          71-1
window_recision                    26-26         29-29         0-0           48-48         0-0           52-52
SYN_seq_jump                       1-1           0-0           0-0           1-1           0-0           0-0
SYN_inside_connection              1-1           0-0           0-0           0-0           0-0           0-0
active_connection_reuse            1-0           0-0           0-0           0-0           0-0           0-0
unsolicited_SYN_response           1-0           7-7           0-0           1-1           0-0           0-0
SYN_after_close                    0-1           0-0           0-0           0-0           0-0           0-0
above_hole_data_without_any_acks   0-0           1-1           0-0           0-0           0-0           0-0
data_before_established            0-0           0-0           0-0           1-1           0-0           0-0

So, the difference is essentially around the spontaneous_RST and spontaneous_FIN weird events. The dump files are for web-browsing-only traffic. I don't know if this has any practical interest, but that's what I get using bro-1.4prerelease, for this very small sample and very limited set of network protocols.

The command line I use:

export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
/usr/local/bro-1.2.1/bin/bro -r tcpdumpfile

The same for bro-1.4prerelease, but here the bro environment is set up for the directories where the policy and sig files are:

/usr/local/bro1.4prerelease/share/bro:/usr/local/bro1.4prerelease/share/bro/sigs

From vern at icir.org Mon Sep 22 15:04:25 2008
From: vern at icir.org (Vern Paxson)
Date: Mon, 22 Sep 2008 15:04:25 -0700
Subject: [Bro] Comparison data between bro-1.4prerelease and bro-1.2.1.
In-Reply-To: <628233b10809221154h66471c88h3611b86c080f9883@mail.gmail.com> (Mon, 22 Sep 2008 19:54:37 BST).
Message-ID: <200809222204.m8MM4U44016553@pork.ICSI.Berkeley.EDU>

> So, the difference is essentially around spontaneous_RST and spontaneous_FIN
> weird events.

These then are harmless differences. Those will vary in unimportant ways depending on the setting of timers and details of connection tear-down.

Vern

From robin at icir.org Tue Sep 23 10:32:19 2008
From: robin at icir.org (Robin Sommer)
Date: Tue, 23 Sep 2008 10:32:19 -0700
Subject: [Bro] signature match
In-Reply-To:
References:
Message-ID: <20080923173219.GI50588@icir.org>

On Thu, Sep 18, 2008 at 10:53 +0800, fu yiyang wrote:
> nothing even using the simplest signature. I didn't find the reason.

Does this blog posting help?

http://blog.icir.org/2008/06/bro-signature-engine.html

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From zak.noah at gmail.com Fri Sep 26 10:58:16 2008
From: zak.noah at gmail.com (noah zak)
Date: Fri, 26 Sep 2008 13:58:16 -0400
Subject: [Bro] SSL.BRO question
Message-ID: <43d31ea30809261058k6ece5fb0kb10310e7d34fbd70@mail.gmail.com>

I am trying to use ssl.bro, but every time I try to start bro I get the following errors:

/usr/local/bro/etc/bro.rc --start
bro.rc: Starting .
bro.rc: Failed to start Bro
listening on eth2
listening on eth3
line 1: warning: event handlers never invoked:
line 1: warning:    account_tried
1222451479.369347 (3F:A4:71:FE:35:57:6C:5B:DD:01:39:99:92:30:84:2C:FF:3B:DB:6A:42:BB:33:88:3E:F7:8E:7F:F1:70:5D:55): bad tag in Val::CONVERTER (string/table)
............ FAILED

/usr/local/bro/etc/bro.rc --start
bro.rc: Starting .
bro.rc: Failed to start Bro
listening on eth2
listening on eth3
line 1: warning: event handlers never invoked:
line 1: warning:    account_tried
1222451520.898128 (74:92:51:04:2D:F2:72:40:9F:44:10:98:46:B9:29:6F:58:2F:94:64:1D:80:86:16:CB:0D:3B:3C:EE:9A:8D:F5): bad tag in Val::CONVERTER (string/table)
............ FAILED

Any ideas?
I am using bro 1.3.2

Thanks

From vern at icir.org Tue Sep 30 23:26:15 2008
From: vern at icir.org (Vern Paxson)
Date: Tue, 30 Sep 2008 23:26:15 -0700
Subject: [Bro] SSL.BRO question
In-Reply-To: <43d31ea30809261058k6ece5fb0kb10310e7d34fbd70@mail.gmail.com> (Fri, 26 Sep 2008 13:58:16 EDT).
Message-ID: <200810010626.m916QIuN026480@pork.ICSI.Berkeley.EDU>

> I am trying to use ssl.bro, but every time I try to start bro I get the
> following errors:

(1) When reporting a problem like this, we pretty much always need a pcap trace that reproduces the problem, along with specifics regarding what OS you're running, what version of Bro (which you included), and what scripts. There's no way to try to diagnose this based on only the sort of information in your posting.

(2) You might want to first try the Bro 1.4 pre-release, which you can get from http://www.icir.org/robin/tmp/bro-1.4.prerelease.1.tar.gz .

- Vern
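To close the 1.2.1-vs-1.4 comparison thread earlier in this archive: Luca tallied the weird events per name by hand, Robin asked for the specific connections that differ so they can be sent along with the trace and command line, and Vern noted that spontaneous_RST and spontaneous_FIN differences are harmless. The script below is an added example (it is not Bro project code and was not posted by anyone in the thread) that automates that workflow over two weird.log files. It assumes the Bro 1.x weird.log line layout "<timestamp> <orig>/<port> > <resp>/<port>: <weird_name>", with connection-less weirds lacking the address part; the sample log lines, the HARMLESS set (taken from Vern's remark), and the trace file name trace.pcap in the suggested tcpdump commands are all constructed or assumed.

```python
"""Diff the weird.log output of two Bro runs over the same trace (added example)."""
import re
from collections import Counter, defaultdict

# Names Vern singles out as varying harmlessly with timer settings and
# connection tear-down; count differences for these are reported but not flagged.
HARMLESS = {"spontaneous_RST", "spontaneous_FIN"}

# Assumed Bro 1.x weird.log layout; only the last token (the weird name) and the
# optional "orig/port > resp/port" 4-tuple before the colon are relied upon.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"                        # network time
    r"(?:(?P<conn>\S+/\d+\s+>\s+\S+/\d+):\s+)?"    # optional connection id
    r"(?P<name>\S+)\s*$"                           # weird name
)

# Constructed sample: what a 1.2.1 run might log for a small web-browsing trace.
OLD_LOG = """\
1222451479.369347 10.0.0.1/40000 > 192.0.2.10/80: spontaneous_RST
1222451480.100000 10.0.0.1/40001 > 192.0.2.10/80: spontaneous_FIN
1222451481.500000 10.0.0.2/40002 > 192.0.2.11/80: window_recision
1222451482.000000 10.0.0.3/40003 > 192.0.2.12/80: active_connection_reuse
1222451483.250000 10.0.0.4/40004 > 192.0.2.13/80: SYN_seq_jump
1222451485.000000 truncated_IP
"""

# Constructed sample: the same trace under 1.4, with the spontaneous_* noise gone,
# one weird no longer reported and one new weird reported.
NEW_LOG = """\
1222451481.500000 10.0.0.2/40002 > 192.0.2.11/80: window_recision
1222451483.250000 10.0.0.4/40004 > 192.0.2.13/80: SYN_seq_jump
1222451484.000000 10.0.0.5/40005 > 192.0.2.14/80: SYN_after_close
1222451485.000000 truncated_IP
"""


def parse_weird_line(line):
    """Return (weird_name, connection_id_or_None), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("name"), m.group("conn")


def load_weirds(text):
    """Count weirds per name and remember which connections produced each name."""
    counts = Counter()
    conns = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_weird_line(line)
        if parsed is None:          # unparsed lines are skipped, not guessed at
            continue
        name, conn = parsed
        counts[name] += 1
        if conn:
            conns[name].add(conn)
    return counts, conns


def compare_weirds(old_text, new_text, harmless=HARMLESS):
    """One row per weird name: (name, old_count, new_count, flagged, only_old, only_new).

    flagged is True when the counts differ and the name is not in `harmless`;
    only_old / only_new list the connection ids seen for that name in one run only.
    """
    old_counts, old_conns = load_weirds(old_text)
    new_counts, new_conns = load_weirds(new_text)
    rows = []
    for name in sorted(set(old_counts) | set(new_counts)):
        o, n = old_counts[name], new_counts[name]
        flagged = o != n and name not in harmless
        only_old = sorted(old_conns[name] - new_conns[name])
        only_new = sorted(new_conns[name] - old_conns[name])
        rows.append((name, o, n, flagged, only_old, only_new))
    return rows


def bpf_for_connection(conn):
    """tcpdump filter isolating one "orig/port > resp/port" connection id."""
    orig, resp = (p.strip() for p in conn.split(">"))
    (oh, op), (rh, rp) = orig.rsplit("/", 1), resp.rsplit("/", 1)
    return f"host {oh} and port {op} and host {rh} and port {rp}"


def format_report(rows):
    """Side-by-side counts plus, per flagged name, the connections to extract."""
    out = [f"{'weird':<28}{'old':>5}{'new':>5}  note"]
    for name, o, n, flagged, only_old, only_new in rows:
        note = "DIFFERS" if flagged else ("harmless" if o != n else "")
        out.append(f"{name:<28}{o:>5}{n:>5}  {note}")
        for label, conns in (("old", only_old), ("new", only_new)):
            for conn in conns:   # trace.pcap is an assumed file name
                out.append(f"    only in {label} run: {conn}   "
                           f"tcpdump -r trace.pcap -w {name}.pcap '{bpf_for_connection(conn)}'")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(compare_weirds(OLD_LOG, NEW_LOG)))
```

In practice you would feed `compare_weirds()` the contents of the two weird.log files from the 1.2.1 and 1.4 runs rather than the embedded samples; the rows marked DIFFERS are the ones worth investigating, and the printed tcpdump filters pull exactly the connections that differ out of the trace so a minimal reproducer can accompany the bug report.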