From robin at icir.org  Tue Oct  6 08:50:53 2009
From: robin at icir.org (Robin Sommer)
Date: Tue, 6 Oct 2009 08:50:53 -0700
Subject: [Bro] Bro Workshop Agenda
Message-ID: <20091006155053.GC6386@icir.org>

Hi all,

the agenda for the Bro workshop next week is now available at:

    http://www.icir.org/robin/bro/workshop09-2/agenda.html

If you haven't registered yet, we still have a few slots available;
see the workshop's web page for more information at
http://www.icir.org/robin/bro/workshop09-2

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From kosinovsky1 at llnl.gov  Thu Oct  8 12:28:59 2009
From: kosinovsky1 at llnl.gov (Greg Kosinovsky)
Date: Thu, 08 Oct 2009 12:28:59 -0700
Subject: [Bro] Problem running Bro in command line
In-Reply-To: <7.1.0.9.2.20090728110016.02550740@llnl.gov>
References: <7.1.0.9.2.20090728110016.02550740@llnl.gov>
Message-ID: <80955b$27n52q@smtp.llnl.gov>

I have an application from which I invoke bro with libpcap input expected
on stdin (using "-r -"). I then pipe packets to stdin of this process.
It works well for small files. For large files something goes wrong
(looks like the pipe going to bro stdin backs up, or something). I used
to have problems on bro not flushing to stdout, so I used flush_all()
after print statements in my bro script and that seemed to work. Is
there a similar command to force bro to read data in stdin?
Thank you

Greg Kosinovsky


From robin at icir.org  Thu Oct  8 22:00:26 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 Oct 2009 22:00:26 -0700
Subject: [Bro] Problem running Bro in command line
In-Reply-To: <80955b$27n52q@smtp.llnl.gov>
References: <7.1.0.9.2.20090728110016.02550740@llnl.gov> <80955b$27n52q@smtp.llnl.gov>
Message-ID: <20091009050026.GB31012@icir.org>

On Thu, Oct 08, 2009 at 12:28 -0700, you wrote:

> I used to have problems on bro not flushing to stdout, so I used
> flush_all() after print statements in my bro script and that seemed to work.
> Is there a similar command to force bro to read data in stdin?

Hmm, that sounds strange, I wouldn't think Bro can block on stdin as
long as there's data coming in. Is there any chance the problem is with
the pipe *writer*?

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From vern at icir.org  Thu Oct  8 22:09:47 2009
From: vern at icir.org (Vern Paxson)
Date: Thu, 08 Oct 2009 22:09:47 -0700
Subject: [Bro] Problem running Bro in command line
In-Reply-To: <80955b$27n52q@smtp.llnl.gov> (Thu, 08 Oct 2009 12:28:59 PDT).
Message-ID: <200910090509.n9959qAA007766@pork.ICSI.Berkeley.EDU>

When reporting Bro problems like this, it's important to say under what
system you're running and what version of Bro you're using.

> For large files something goes wrong (looks like the pipe going to
> bro stdin backs up, or something).

We feed Bro very large files via -r and haven't encountered this problem.
The first step is to attach a debugger (after configuring with
--enable-debug and rebuilding) to see whether it's indeed blocked waiting
for input, or instead stuck doing something else.

> I used to have problems on bro not flushing to stdout, so I used
> flush_all() after print statements in my bro script and that seemed to work.
> Is there a similar command to force bro to read data in stdin?

No, and it definitely shouldn't be needed.
		Vern


From rmkml at free.fr  Sat Oct 10 05:23:20 2009
From: rmkml at free.fr (rmkml)
Date: Sat, 10 Oct 2009 14:23:20 +0200 (CEST)
Subject: [Bro] seg fault on bro v1.5 pre-release svn 10oct2009 with policy/all.bro
Message-ID: 

Hi,

When I start bro v1.5 pre-release svn 10oct2009:

bro -r hacklu2009_jubrowska_capture1.pcap all
...
[sshd_conn_new] = 56,
[rewrite_dns_TXT_reply] = 56,
[NetFlow::flows] = 384,
[disable_event_group] = 56
}
Erreur de segmentation

bro is compiled with ipv6 (no other flags).
linux fedora core 7 i386 2.6.23.17-88.fc7 (SMP)
version gcc 4.1.2 20070925 (Red Hat 4.1.2-27)

Do you need more information ?

Regards
Rmkml
Crusoe-Researches.com


From rmkml at free.fr  Sat Oct 10 05:26:18 2009
From: rmkml at free.fr (rmkml)
Date: Sat, 10 Oct 2009 14:26:18 +0200 (CEST)
Subject: [Bro] seg fault on bro v1.5 pre-release svn 10oct2009 with policy/all.bro
In-Reply-To: 
References: 
Message-ID: 

oops missed important information, on policy/all.bro:

#@load capture-events

disabled this line: bro no crash.

Rmkml

On Sat, 10 Oct 2009, rmkml wrote:

> Hi,
> When I start bro v1.5 pre-release svn 10oct2009:
> bro -r hacklu2009_jubrowska_capture1.pcap all
> ...
> [sshd_conn_new] = 56,
> [rewrite_dns_TXT_reply] = 56,
> [NetFlow::flows] = 384,
> [disable_event_group] = 56
> }
> Erreur de segmentation
>
> bro is compiled with ipv6 (no other flags).
> linux fedora core 7 i386 2.6.23.17-88.fc7 (SMP)
> version gcc 4.1.2 20070925 (Red Hat 4.1.2-27)
>
> Do you need more information ?
> Regards
> Rmkml
> Crusoe-Researches.com
>
>


From robin at icir.org  Sat Oct 10 16:56:08 2009
From: robin at icir.org (Robin Sommer)
Date: Sat, 10 Oct 2009 16:56:08 -0700
Subject: [Bro] seg fault on bro v1.5 pre-release svn 10oct2009 with policy/all.bro
In-Reply-To: 
References: 
Message-ID: <20091010235608.GB2536@icir.org>

On Sat, Oct 10, 2009 at 14:26 +0200, rmkml wrote:

> #@load capture-events

Ok, that helps to pinpoint it somewhat already. If you're familiar
with gdb, can you send a stack-backtrace?
See http://blog.icir.org/2009/01/how-to-report-bro-problem.html for more
information on how to get that. Thanks!

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From rmkml at free.fr  Sat Oct 10 16:49:11 2009
From: rmkml at free.fr (rmkml)
Date: Sun, 11 Oct 2009 01:49:11 +0200 (CEST)
Subject: [Bro] seg fault on bro v1.5 pre-release svn 10oct2009 with policy/all.bro
In-Reply-To: <20091010235608.GB2536@icir.org>
References: <20091010235608.GB2536@icir.org>
Message-ID: 

Thx for your very good job Robin (and team)!

ok run bro with gdb:

...
[rewrite_dns_PTR_reply] = 56,
[FTP::ftp_ports] = 472,
[Drop::never_drop_nets] = 336
}

Program received signal SIGSEGV, Segmentation fault.
0x0817c778 in Serializer::StartSerialization (this=0x9f96718, info=0xbfe7a0b8, descr=0x824a0a9 "call", tag=101 'e') at Serializer.cc:60
60              format->StartWrite();
(gdb) bt full
#0  0x0817c778 in Serializer::StartSerialization (this=0x9f96718, info=0xbfe7a0b8, descr=0x824a0a9 "call", tag=101 'e') at Serializer.cc:60
        __PRETTY_FUNCTION__ = "bool Serializer::StartSerialization(SerialInfo*, const char*, char)"
#1  0x0817caf9 in Serializer::Serialize (this=0x9f96718, info=0xbfe7a0b8, func=0x8bbe1f8 "rotate_interval", args=0x9f21c38) at Serializer.cc:133
        a = 
        i = 
#2  0x080ecf73 in BroFile::CloseCachedFiles () at Event.h:40
        vl = (val_list *) 0x9f21c38
        event = (class Event *) 0x8baef50
        f = (BroFile *) 0x9fd2690
        next = 
#3  0x0804e32f in termination_signal () at main.cc:301
#4  0x0813f5a5 in net_run () at Net.cc:593
        ts = 1231950283.285104
        src = 
#5  0x0804f80f in main (argc=0, argv=0xbfe7a524) at main.cc:999
        flow = FLOW_NEXT
(gdb)

Do you need more information?

Regards
Rmkml
Crusoe-Researches.com

On Sat, 10 Oct 2009, Robin Sommer wrote:

>
> On Sat, Oct 10, 2009 at 14:26 +0200, rmkml wrote:
>
>> #@load capture-events
>
> Ok, that helps to pinpoint it somewhat already. If you're familiar
> with gdb, can you send a stack-backtrace? See
> http://blog.icir.org/2009/01/how-to-report-bro-problem.html for more
> information on how to get that. Thanks!
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org
>


From robin at icir.org  Sun Oct 11 22:06:39 2009
From: robin at icir.org (Robin Sommer)
Date: Sun, 11 Oct 2009 22:06:39 -0700
Subject: [Bro] seg fault on bro v1.5 pre-release svn 10oct2009 with policy/all.bro
In-Reply-To: 
References: <20091010235608.GB2536@icir.org>
Message-ID: <20091012050639.GA90220@icir.org>

Thanks, I've created a ticket for it.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From mccreary at ucar.edu  Tue Oct 13 14:00:26 2009
From: mccreary at ucar.edu (Sean McCreary)
Date: Tue, 13 Oct 2009 15:00:26 -0600
Subject: [Bro] Black Hole Routes
Message-ID: <4AD4EA6A.40804@ucar.edu>

Has anyone worked on a policy for generating black-hole routes? I'd like
to set up an automatic process for feeding host routes directly from bro
into my quagga route server. I'm thinking a simple broccoli script would
do the trick, with some judicious use of expect to talk to the quagga
bgpd CLI. However, I'd like to build on others' experience, and perhaps
build something more generic we can all use.
From nweaver at ICSI.Berkeley.EDU  Tue Oct 13 14:04:17 2009
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Tue, 13 Oct 2009 14:04:17 -0700
Subject: [Bro] Black Hole Routes
In-Reply-To: <4AD4EA6A.40804@ucar.edu>
References: <4AD4EA6A.40804@ucar.edu>
Message-ID: 

drop.bro hooks into a drop-connectivity and restore-connectivity script
to do this, by calling drop-connectivity with the address as an
argument, and with a "catch and release" restore policy.

On Oct 13, 2009, at 2:00 PM, Sean McCreary wrote:

> Has anyone worked on a policy for generating black-hole routes? I'd
> like to set up an automatic process for feeding host routes directly
> from bro into my quagga route server. I'm thinking a simple broccoli
> script would do the trick, with some judicious use of expect to talk
> to the quagga bgpd CLI. However, I'd like to build on others'
> experience, and perhaps build something more generic we can all use.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From nanrenno.1 at qq.com  Sat Oct 17 01:41:05 2009
From: nanrenno.1 at qq.com (阿斯顿飞)
Date: Sat, 17 Oct 2009 16:41:05 +0800
Subject: [Bro] [bro] package capture
Message-ID: 

Can bro's mechanism of package capture deal well with a 300Mbps network?
We are going to use bro at the gateway of our campus network but we have
only one pc with common performance, so we want to know whether the way
bro uses on package capture is efficient in our case. The traffic of the
network is about 300Mbps. We don't know how many packages go through it
per second yet, so it's better someone tell me the best bro can do on a
single pc.

thanks a lot!


From vern at icir.org  Wed Oct 21 11:24:25 2009
From: vern at icir.org (Vern Paxson)
Date: Wed, 21 Oct 2009 11:24:25 -0700
Subject: [Bro] [bro] package capture
In-Reply-To: (Sat, 17 Oct 2009 16:41:05 +0800).
Message-ID: <200910211824.n9LIOUoQ008967@pork.ICSI.Berkeley.EDU>

Whether a single Bro system can deal with a 300 Mbps link doesn't have a
simple answer. It will depend a great deal on your particular traffic mix
(what applications dominate) versus what analysis you wish to perform
(for example, are you aiming to analyze those dominant applications).
It will also depend on the particular hardware and operating system
(packet filter performance).

All that said, my guess would be that if for example you want your
analysis to include HTTP responses, and if HTTP makes up a lot of your
connections, then you may have problems doing so with a single system.

		Vern


From JAzoff at uamail.albany.edu  Fri Oct 23 06:53:23 2009
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Fri, 23 Oct 2009 09:53:23 -0400
Subject: [Bro] Standalone vs. Cluster on a single machine
Message-ID: <20091023135322.GA25054@dell.datacomm.albany.edu>

Are there any benefits or issues with running a bro cluster on a single
machine instead of in standalone mode? I'm thinking that running it in
cluster mode from the start may make it easier to move to a cluster
configuration in the future, but I'm concerned that it might add
unnecessary overhead in the meantime.

-- 
-- Justin Azoff
-- Network Performance Analyst


From nanrenno.1 at qq.com  Fri Oct 23 07:19:00 2009
From: nanrenno.1 at qq.com (阿斯顿飞)
Date: Fri, 23 Oct 2009 22:19:00 +0800
Subject: [Bro] intrusion detection
Message-ID: 

I'm a new learner of bro, so I haven't known it well. My question is
that the policy script is used to decide what kind of behavior is
intrusion, but what principle should I base on to judge?
If the answer is that bro only provides a platform for the users to
detect intrusion according to their own philosophy, how does bro do that
in its original policy scripts?

Thanks a lot for your answer!


From hall.692 at osu.edu  Fri Oct 23 07:59:39 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Fri, 23 Oct 2009 10:59:39 -0400
Subject: [Bro] Standalone vs. Cluster on a single machine
In-Reply-To: <20091023135322.GA25054@dell.datacomm.albany.edu>
References: <20091023135322.GA25054@dell.datacomm.albany.edu>
Message-ID: 

On Oct 23, 2009, at 9:53 AM, Justin Azoff wrote:

> Are there any benefits or issues with running a bro cluster on a
> single machine instead of in standalone mode? I'm thinking that
> running it in cluster mode from the start may make it easier to move
> to a cluster configuration in the future, but I'm concerned that it
> might add unnecessary overhead in the meantime.

I would just run in standalone mode. As far as I know (and Robin will
know better), the only difference configuration-wise between standalone
mode and cluster mode is the node.cfg file. If you run in cluster mode
when you really only need standalone, you will have the overhead of
extra bro processes running that aren't really necessary.

I would recommend that you stick to standalone mode for now and if you
build a cluster eventually, the configuration steps necessary are going
to be the least of your worries.

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721


From hall.692 at osu.edu  Fri Oct 23 08:16:08 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Fri, 23 Oct 2009 11:16:08 -0400
Subject: [Bro] intrusion detection
In-Reply-To: 
References: 
Message-ID: 

On Oct 23, 2009, at 10:19 AM, 阿斯顿飞
wrote:

> I'm a new learner of bro, so I haven't known it well. My question is
> that the policy script is used to decide what kind of behavior is
> intrusion, but what principle should I base on to judge?

The characteristics that you decide to watch for may be extremely
specific to your environment, so scripts may not exist already that
detect the activity that you are interested in. However, once you learn
the language and techniques, it's typically easy to write a script or
set of scripts to begin monitoring for the activity.

Primarily, my recommendation (and what we do here) is to sit around and
talk with colleagues for a while about what network activity is ok and
what isn't. This will frequently bring up thoughts about previous
incidents that have been encountered or even misconfigurations that are
not compromises but which could be detected by watching network traffic.
Once you have a list of tasks to accomplish and activity to begin
detecting, it will at least give you a direction to go and ideas for how
to construct your scripts.

> If the answer is that bro only provides a platform for the users to
> detect intrusion according to their own philosophy, how does bro do
> that in its original policy scripts?

The shipped scripts do monitor for some activity such as network/port
scanning and some possibly undesired application specific activity (irc,
http, and ftp for example), but the scripts make no assumptions about
what activity is undesired on your network. It's your job to define your
local notice policy to indicate what's "bad" on your network.
Robin has a post he wrote about how to use the notice framework in Bro
to define what's "bad":
http://blog.icir.org/2008/03/telling-bro-what-important.html

He also has some slides from the last workshop where he spoke about the
notice framework (you'll have to dig through for the notice framework
part):
http://www.bro-ids.org/bro-workshop-2009-2/slides/WalkThrough.pdf

I also distribute some scripts that watch for additional activity and
raise some of their own notices (in addition to logging like crazy):
http://github.com/sethhall/bro_scripts

The most important thing though is that you have to learn the Bro
scripting language well if you want to be able to be really effective
with Bro. You are *always* going to find some sort of activity that you
want to watch for which no one has written a script, or that an analyzer
doesn't yet exist to even parse the traffic you are most interested in.

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721


From robin at icir.org  Fri Oct 23 10:44:32 2009
From: robin at icir.org (Robin Sommer)
Date: Fri, 23 Oct 2009 10:44:32 -0700
Subject: [Bro] Standalone vs. Cluster on a single machine
In-Reply-To: 
References: <20091023135322.GA25054@dell.datacomm.albany.edu>
Message-ID: <20091023174432.GE12261@icir.org>

On Fri, Oct 23, 2009 at 10:59 -0400, Seth Hall wrote:

> I would just run in standalone mode. As far as I know (and Robin will
> know better), the only difference configuration-wise between
> standalone mode and cluster mode is the node.cfg file.

That's right, once it's running. During the initial installation,
there's one more difference: the standalone puts the various *.cfg files
in place, while the cluster installation only installs templates which
one then has to copy to the right place oneself (because they need more
editing).

I would also recommend using the stand-alone mode as long as you don't
want to try leveraging multiple cores in your box by running multiple
processes.
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From JAzoff at uamail.albany.edu  Mon Oct 26 06:43:16 2009
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Mon, 26 Oct 2009 09:43:16 -0400
Subject: [Bro] Printing a header when a file is opened/rotated
Message-ID: <20091026134316.GB2055@dell.datacomm.albany.edu>

Prior to using broctl I was using a setup like this:

const phish_log = open_log_file("phish") &raw_output;
event bro_init()
{
    print phish_log, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
}

Now that I'm using broctl, it rotates the logs once a day to their new
locations. My problem is that when the file is rotated nothing re-adds
the header. I'm not sure what the best way to fix this is. I know I
could disable the rotate interval and go back to restarting bro every
day at midnight.

Could something like this work?

event rotate_interval(f: file) &priority=10
{
    if (f$name == "phish.log"){
        print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
    }
}

I'm thinking that if there was a file_opened event then that could be
used to handle both cases.

-- 
-- Justin Azoff
-- Network Performance Analyst


From robin at icir.org  Mon Oct 26 14:58:32 2009
From: robin at icir.org (Robin Sommer)
Date: Mon, 26 Oct 2009 14:58:32 -0700
Subject: [Bro] Printing a header when a file is opened/rotated
In-Reply-To: <20091026134316.GB2055@dell.datacomm.albany.edu>
References: <20091026134316.GB2055@dell.datacomm.albany.edu>
Message-ID: <20091026215832.GH69991@icir.org>

On Mon, Oct 26, 2009 at 09:43 -0400, you wrote:

> event rotate_interval(f: file) &priority=10
> {
>     if (f$name == "phish.log"){
>         print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
>     }
> }

Nice thought! It's kind of a hack but I think that could indeed work,
except that instead of f$name you need to use the builtin function
get_file_name().
I'm wondering if there's a race condition lurking somewhere here but I'm
thinking it should be ok ...

Another approach would be writing a shell wrapper around broctl's log
archival script. BroControl sets the following:

    redef RotateLogs::default_postprocessor = "archive-log";

You could redef that to your own script, which first prepends the header
to the rotated file (needs a bit of copying the data around
unfortunately) and then continues by calling archive-log.

However, I think the right way of solving your problem is indeed this:

> I'm thinking that if there was a file_opened event then that could be used
> to handle both cases.

I like that. Please file a feature request with our tracker.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org


From renaud.luca at gmail.com  Tue Oct 27 13:46:46 2009
From: renaud.luca at gmail.com (Luca Renaud)
Date: Tue, 27 Oct 2009 20:46:46 +0000
Subject: [Bro] Difficulties Compiling Bro on Solaris.
Message-ID: <628233b10910271346v20bad60fxf33baff6c0e56b69@mail.gmail.com>

Trying to compile Bro-1.4 on OpenSolaris062009 I get:

-from the configure script:

checking term.h presence... yes
configure: WARNING: term.h: present but cannot be compiled
configure: WARNING: term.h: check for missing prerequisite headers?
configure: WARNING: term.h: see the Autoconf documentation
configure: WARNING: term.h: section "Present But Cannot Be Compiled"
configure: WARNING: term.h: proceeding with the preprocessor's result
configure: WARNING: term.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for term.h...
yes

from make:

gcc -g -O2 -I/usr/lib/include -I/usr/include -L/usr/lib/lib -o hf hf.o setsignal.o version.o -lz -lpcap -lpcap -lssl -lcrypto -lnsl -lsocket -lpcap -ltermcap
Undefined                       first referenced
 symbol                             in file
_res                                hf.o  (symbol belongs to implicit dependency /lib/libresolv.so.2)
ld: fatal: symbol referencing errors. No output written to hf
collect2: ld returned 1 exit status
make[4]: *** [hf] Error 1
make[4]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux/hf'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/export/home/luca/Downloads/bro-1.4'
make: *** [all] Error 2

Has anyone tried to compile Bro on the same platform and got the same
issue? How to get over this? I have libncurses from sunfreeware.com

P.S. Is it possible to convert Sun snoop dump files to libpcap format?
I tried with wireshark on Linux but there seems to be some
incompatibility between network interfaces (eth0 on Linux, rge0 on
Solaris) and wireshark refuses to convert. Is there another way to
analyze snoop format files through Bro?

Thanks.


From jags0nhak3r at engineer.com  Thu Oct 29 00:34:51 2009
From: jags0nhak3r at engineer.com (jags0nhak3r at engineer.com)
Date: Thu, 29 Oct 2009 03:34:51 -0400
Subject: [Bro] failed to start BRO
Message-ID: <8CC26816F6E0240-D08-24C1@web-mmc-d05.sysops.aol.com>

Hi everyone

I am new to Bro IDS 1.4, I have tried to install it on CentOs platform.
Well, at the beginning it was difficult, however I managed to install it
with the same instructions

./configure

make
make install

make install-brolite

bro-lite did a very good job.
It created all the directories in bro home directory /usr/local/bro

[bro at localhost bro]$ ls
archive bin etc include lib logs reports scripts share site var

The problem I am facing is that when I try to start bro using bro.rc
file with this {BROHOME}/etc/bro.rc start it fails and gives me this
error

[bro at localhost ~]$ /usr/local/bro/etc/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
line 1: error: can't open localhost.localdomain.bro
... FAILED

Note: I have tried to change my host name to localhost.localdomain.bro

Any ideas please.. help


From jean-philippe.luiggi at didconcept.com  Thu Oct 29 17:58:38 2009
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Thu, 29 Oct 2009 20:58:38 -0400
Subject: [Bro] failed to start BRO
In-Reply-To: <8CC26816F6E0240-D08-24C1@web-mmc-d05.sysops.aol.com>
References: <8CC26816F6E0240-D08-24C1@web-mmc-d05.sysops.aol.com>
Message-ID: <20091030005838.GB11601@192.168.2.103>

* jags0nhak3r at engineer.com [2009-10-29 03:34:51 -0400]:

>
> Hi everyone
>
> I am new to Bro IDS 1.4, I have tried to install it on CentOs platform. Well, at the beginning it was difficult, however I managed to install it with the same instructions
>
> ./configure
>
> make
> make install
>
> make install-brolite
>
> bro-lite did a very good job. It created all the directories in bro home directory /usr/local/bro
>
> [bro at localhost bro]$ ls
> archive bin etc include lib logs reports scripts share site var
>
> The problem I am facing is that when I try to start bro using bro.rc file with this {BROHOME}/etc/bro.rc start it fails and gives me this error
>
> [bro at localhost ~]$ /usr/local/bro/etc/bro.rc start
> bro.rc: Starting ..........bro.rc: Failed to start Bro
> line 1: error: can't open localhost.localdomain.bro
> ...
FAILED
>
> Note: I have tried to change my host name to localhost.localdomain.bro
>
> Any ideas please.. help

Hello,

Bro is searching for a file called "localhost.localdomain.bro" in the
various paths defined in your BROPATH environment variable.

So two questions:

Does your file exist somewhere?
Is it in a directory specified in "BROPATH"?

Mine is defined as follows in my .bashrc:

export BROPATH=/opt/share/bro/policy

Cheers,

Jean-Philippe.


From jags0nhak3r at engineer.com  Thu Oct 29 18:51:33 2009
From: jags0nhak3r at engineer.com (jags0nhak3r at engineer.com)
Date: Thu, 29 Oct 2009 21:51:33 -0400
Subject: [Bro] failed to start BRO
In-Reply-To: <20091030005838.GB11601@192.168.2.103>
References: <8CC26816F6E0240-D08-24C1@web-mmc-d05.sysops.aol.com> <20091030005838.GB11601@192.168.2.103>
Message-ID: <8CC271AA43AEB01-B0C-30B3@web-mmc-d19.sysops.aol.com>

Hi,

Thanks for your Re

I figured out that localhost.localdomain.bro is a file and BRO needs to
open it when it starts. That file should be located at {BROPATH}, that
is right.

Here is my BROPATH

# Bro policy paths
BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine"
export BROPATH

# Filename of the Bro start policy. Must be located in one of the directories in $BROPATH
BRO_START_POLICY="localhost.localdomain.bro"

I wonder why the so called file localhost.localdomain.bro is not created
in BROPATH by default. Thus, I created it in this PATH
/usr/local/bro/share/bro manually and BRO successfully started.

I also would like to know what is the purpose of that file and what
should be in it?

btw,
1- what and how should I start to capture packets, analyze them?
2- what commands shall I run, where are the analysis files stored?

I read in the BRO user manual, it mentions that to run BRO type the
following command

bro -[options]

but when I run bro, which is a binary file, I get bash: bro: command not found

What is wrong with my configuration...
Please I need assistance, Regards -----Original Message----- From: jean-philippe luiggi To: jags0nhak3r at engineer.com Cc: bro at ICSI.Berkeley.EDU Sent: Fri, Oct 30, 2009 8:58 am Subject: Re: [Bro] failed to start BRO * jags0nhak3r at engineer.com [2009-10-29 03:34:51 -0400]: > > Hi everyone > > I am new to Bro IDS 1.4, I have tried to install it on CentOs platform. well, at the beginning It was difficul, however I manage to install it with the same instructions > > ./configure > > make > make install > > make install-brolite > > bro-lite did a very well job. It created all the directories in bro home directory /usr/local/bro > > [bro at localhost bro]$ ls > archive bin etc include lib logs reports scripts share site var > > the problem I am facing is that when I try to start bro using bro.rc file with this {BROHOME}/etc/bro.rc start it fails and gives me this erro > > [bro at localhost ~]$ /usr/local/bro/etc/bro.rc start > bro.rc: Starting ..........bro.rc: Failed to start Bro > line 1: error: can't open localhost.localdomain.bro > ... FAILED > > Note: i have tried to change my host name to localhost.localdomain.bro > > Any ideas please.. help Hello, Bro is searching for a file called "localhost.localdomain.bro" in the various path defined in your BROPATH environment variable. So two questions : Do your file exists somewhere ? Is it in a directory specied in "BROPATH" ? Mine is defined as follow into my .bashrc : export BROPATH=/opt/share/bro/policy Cheers, Jean-Philippe. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20091029/c25c667c/attachment.html From jean-philippe.luiggi at didconcept.com Fri Oct 30 04:55:54 2009 From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Fri, 30 Oct 2009 07:55:54 -0400 Subject: [Bro] failed to start BRO In-Reply-To: <8CC271AA43AEB01-B0C-30B3@web-mmc-d19.sysops.aol.com> References: <8CC26816F6E0240-D08-24C1@web-mmc-d05.sysops.aol.com> <20091030005838.GB11601@192.168.2.103> <8CC271AA43AEB01-B0C-30B3@web-mmc-d19.sysops.aol.com> Message-ID: <20091030115554.GC11601@192.168.2.103> * jags0nhak3r at engineer.com [2009-10-29 21:51:33 -0400]: > > > > > Hi, > > Thanks for your Re > > I figured out that localhost.localdomain.bro is file and BRO needs to open it when it starts. that file should be located at {BROPATH}, that is right. > > here is my BROPATH > > # Bro policy paths > BROPATH="/usr/local/bro/share/bro/site:/usr/local/bro/share/bro:/usr/local/bro/share/bro/sigs:/usr/local/bro/share/bro/time-machine" > export BROPATH > > # Filename of the Bro start policy. Must be located in one of the directories in $BROPATH > BRO_START_POLICY="localhost.localdomain.bro" > > I wonder why the so called file localhost.localdomain.bro is not created in BROPATH by default. Thus, I created it in this PATH > /usr/local/bro/share/bro manually and BRO successfully started. > > I also would like to know what is the purpose of that file what should be in it? > > btw, > 1- what and how should I start to capture packets, analyze them? > 2- what commands shall I run where the analysis files are stored? > > I read in the BRO user manual, it mentions that to run BRO type the following comman > > bro -[options] > but when I run bro, which is a binary file, I get bash: bro: command not found > > what is wrong with my configuration... 
> > > Please I need assistance, > > Regards Hello, Bro is very good in various things and one of them is the customisation of it on behalf of your specific environment. You may need to tweak the NIDS in order to make it in accordance with your network, etc. so the reason of such a file (localhost.localdomain.bro). In order to capture data, you need to specify what do you want to catch so here are the various *.bro. my config file (bro.cfg) have : BRO_START_POLICY="mygw" and this file contains only one line : @load brolite ("brolite.bro" is found in one of the directory specified by BROPATH). Considering the analyze, apart from the BROPATH we talk about before, there's too a BROLOGS's environment variable. Here is mine : # Directory containing Bro logs BROLOGS="/opt/share/bro-1.4/logs" export BROLOGS So as soon as bro begins, it'll report various things in this directory. I've some (perhaps) stupid questions : Did you setup a "bro.cfg" (you can do it using "bro_config"). And do you run bro using "bro.rc" ? With regards, Jean-Philippe. From fh at open.ch Fri Oct 30 07:59:00 2009 From: fh at open.ch (Fabian Hugelshofer) Date: Fri, 30 Oct 2009 15:59:00 +0100 Subject: [Bro] BroPing Connection Failure Message-ID: <4AEAFF34.5000304@open.ch> Hi all, I am using Bro 1.4 stable on Linux and I'm having problems with Broccoli. On one machine with Ubuntu, everything works fine. But on another machine with a custom Linux distribution, I have problems to connect to Bro. The behaviour is not very consistent. My configure options are --without-openssl --disable-select-loop and --enable-debug. After compilation, I run in one terminal: $ src/bro -i eth0 -C aux/broccoli/test/broping.bro And in a second terminal: $ aux/broccoli/test/broping -c 1 Most of the time, this fails and the error message is: "Could not connect to Bro at 127.0.0.1:47758." The TCP connection however, is fully established, as I can verify with Tcpdump. 
The client is the one who sends the first FIN to tear the connection down. Some times, the connection can be established. Attached you find the remote.log of a successful (first) and an unsuccessful attempt. It looks like the handshake could not be completed. I further tried to debug by running $ aux/broccoli/test/broping -d -c 1 or $ strace aux/broccoli/test/broping -c 1 but in both cases, it was not possible to reproduce the error. It looks like some kind of race condition. Does anyone have an explanation for this behaviour or a clue about what the cause could be? In case you need more information, just let me know. Regards, Fabian libc 2.9 libm 2.9 Linux 2.6.26 i686 -------------- next part -------------- A non-text attachment was scrubbed... Name: remote.log Type: text/x-log Size: 2511 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20091030/4b95abfa/attachment.bin From robin at icir.org Fri Oct 30 10:13:41 2009 From: robin at icir.org (Robin Sommer) Date: Fri, 30 Oct 2009 10:13:41 -0700 Subject: [Bro] BroPing Connection Failure In-Reply-To: <4AEAFF34.5000304@open.ch> References: <4AEAFF34.5000304@open.ch> Message-ID: <20091030171341.GF13504@icir.org> On Fri, Oct 30, 2009 at 15:59 +0100, Fabian Hugelshofer wrote: > In case you need more information, just let me know. Sounds like a nasty race condition of some sort. The remote.log only shows that something weird is going on but isn't detailed enough to understand what's causing it. Please enable debugging output on both sides. For Broccoli, see here: http://www.icir.org/christian/broccoli/manual/c84.html#AEN814 For Bro, configure with --enable-debug and then run with "-B comm". That should produce a debug.log with lots of information. It would also be good if you could try it with the current development version from SVN to see if the problem still occurs with that one. 
Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
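Added example for the "failed to start BRO" thread above (not code from Bro, bro.rc or any of the posters): a POSIX shell check that resolves a BRO_START_POLICY name against the colon-separated BROPATH the way the thread describes, so the "can't open localhost.localdomain.bro" failure can be explained, with the directories that were searched, before bro.rc is run. Trying the name with ".bro" appended as well as the bare name is an assumption made here.

```shell
# Added diagnostic (not part of Bro, bro.rc or any message above): resolve a
# start policy name against BROPATH the way the thread describes. Bro searches
# every colon-separated BROPATH directory for the file named by
# BRO_START_POLICY; also trying the name with ".bro" appended is an assumption.
#
# find_policy BROPATH POLICY_NAME
#   prints the first readable match and returns 0, or returns 1 if none exists.
find_policy() {
    rest=$1
    policy=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}                 # first directory in the list
        case $rest in
            *:*) rest=${rest#*:} ;;     # drop it and its colon
            *)   rest= ;;               # last entry consumed
        esac
        [ -n "$dir" ] || continue       # skip empty entries ("a::b", trailing ":")
        for cand in "$dir/$policy" "$dir/$policy.bro"; do
            if [ -f "$cand" ] && [ -r "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# check_start_policy BROPATH POLICY_NAME
#   wraps find_policy so a missing policy file is explained (which directories
#   were searched) instead of only "can't open localhost.localdomain.bro".
check_start_policy() {
    if path=$(find_policy "$1" "$2"); then
        echo "start policy $2 resolves to $path"
        return 0
    fi
    echo "can't open $2: no such file in any BROPATH directory ($1)" >&2
    return 1
}

# Stand-alone run with the BROPATH from the thread (constructed call): it
# reports the failure until the policy file exists in one of the directories.
check_start_policy "/usr/local/bro/share/bro/site:/usr/local/bro/share/bro" localhost.localdomain.bro || true
```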