From arunparmar1985 at gmail.com Tue Sep 1 22:31:41 2009
From: arunparmar1985 at gmail.com (Arun parmar)
Date: Wed, 2 Sep 2009 11:01:41 +0530
Subject: [Bro] About bro
Message-ID: <9f327ebd0909012231u53c4d6f1pe3093db6f722cfd1@mail.gmail.com>

Dear sir,

We have installed BRO in our campus and it is working fine. We are exploring the detection capability of BRO. It detects scanning and generates an alarm, but only once for a particular IP address; maybe after that it is dropping packets from those particular IP addresses which have scanned the network. If it is, how can we stop Bro from dropping packets? If there is any configuration, please let us know. We have gone through the document on the site, but we did not get exactly what to do. Please reply with some explanation. :)

Failure is success if we learn from it
--------------------------------------------
Thanks & Regards
Arun parmar
http://trinetra.ncb.ernet.in/
Centre for Development of Advanced Computing (formerly NCST)
Computer Networks & Internet Engineering Division
68, Electronics City, Bangalore 560 100, India
phone : 91-9886380038


From nikhil.m.agrawal at gmail.com Sat Sep 5 23:24:08 2009
From: nikhil.m.agrawal at gmail.com (Nikhil Agrawal)
Date: Sat, 5 Sep 2009 23:24:08 -0700 (PDT)
Subject: [Bro] Invitation to connect on LinkedIn
Message-ID: <1357604614.690581.1252218248615.JavaMail.app@ech3-cdn11.prod>

LinkedIn
------------
I'd like to add you to my professional network on LinkedIn.
- Nikhil

Accept Nikhil Agrawal's invite:
https://www.linkedin.com/e/isd/720314348/XrVN2TEj/
------
(c) 2009, LinkedIn Corporation


From robin at icir.org Tue Sep 8 13:26:03 2009
From: robin at icir.org (Robin Sommer)
Date: Tue, 8 Sep 2009 13:26:03 -0700
Subject: [Bro] Reminder: Bro Workshop
In-Reply-To: <20090727173041.GE85031@icir.org>
References: <20090727173041.GE85031@icir.org>
Message-ID: <20090908202603.GE95541@icir.org>

Just a reminder that it's still possible to register for the upcoming Bro workshop. See the workshop's web page for more information:

http://www.icir.org/robin/bro/workshop09-2

Robin

On Mon, Jul 27, 2009 at 10:30 -0700, I wrote:

> Bro Workshop 2009, the 2nd.
> ===========================
>
> The Bro team and the Lawrence Berkeley National Lab are pleased to
> announce a further "Bro Workshop", a 2.5-day Bro training event that
> will take place in Berkeley, CA, on October 13-15, 2009.
>
> The workshop is primarily targeted at site security personnel
> wishing to learn more about how Bro works, how to use its scripting
> language and how to generally customize the system based on a site's
> local policy.
>
> Similar to previous workshops, the agenda will be an informal mix of
> tutorial-style presentations and hands-on lab sessions. No prior
> knowledge about using Bro is assumed though attendees should be
> familiar with Unix shell usage as well as with typical networking
> tools like tcpdump and Wireshark.
>
> All participants are expected to bring a Unix-based (Linux, Mac OS X,
> FreeBSD) laptop with a working Bro configuration. We will provide
> sample trace files to work with.
>
> This workshop will again be hosted by the Lawrence Berkeley National
> Lab, and it will be located at the Hotel Durant in Berkeley. We will
> soon provide a web site with more detailed registration and location
> information. To facilitate a productive lab environment, the number
> of attendees will be limited to 30 people. A registration fee of
> $125 will be charged.
>
> We also expect to have time for 2-3 case-study presentations from
> people using Bro in their environments. If you have something you
> would like to talk about, please send me a mail.
>
> Looking forward to a great workshop,
>
> Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From la_arshadi at yahoo.com Sun Sep 13 05:27:19 2009
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Sun, 13 Sep 2009 05:27:19 -0700 (PDT)
Subject: [Bro] Applying Bro on offline captured traffic?
Message-ID: <104835.98523.qm@web44805.mail.sp1.yahoo.com>

Dear Members,

Is it possible to apply Bro on offline traffic? I have already some network traffic captured by tcpdump; can I feed this data to Bro & find the possible intrusions in that data? To be precise, I must note that the captured traffic has been collected from an Ethernet network and consists of the packet headers & the whole payload.

I thank you in advance for your help & appreciate your prompt reply.

Best Regards
Laleh Arshadi


From vern at icir.org Sun Sep 13 10:14:43 2009
From: vern at icir.org (Vern Paxson)
Date: Sun, 13 Sep 2009 10:14:43 -0700
Subject: [Bro] Applying Bro on offline captured traffic?
In-Reply-To: <104835.98523.qm@web44805.mail.sp1.yahoo.com> (Sun, 13 Sep 2009 05:27:19 PDT).
Message-ID: <200909131714.n8DHEhY8021113@pork.ICSI.Berkeley.EDU>

> Is it possible to apply Bro on offline traffic?

Sure, use bro -r tracefile. For most forms of analysis it needs to have whole payload (via tcpdump -s0), but sounds like you indeed have that.

Vern


From robin at icir.org Thu Sep 17 11:02:53 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 17 Sep 2009 11:02:53 -0700
Subject: [Bro] Bro tutorial at ACSAC
Message-ID: <20090917180253.GC17078@icir.org>

A quick heads-up for folks interested in learning more about using Bro effectively: in addition to the Bro workshop next month, Vern and I will also be giving a one-day Bro tutorial at this year's ACSAC conference in Honolulu:

http://www.acsac.org/2009/program/tutorials/view.php?t=3

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From la_arshadi at yahoo.com Thu Sep 24 01:33:11 2009
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Thu, 24 Sep 2009 01:33:11 -0700 (PDT)
Subject: [Bro] "time" format in Bro log files
Message-ID: <209440.1696.qm@web44806.mail.sp1.yahoo.com>

Dear All,

I am just a beginner working with Bro IDS. This is a sample line of the conn.log file I have got as a result of running Bro on my capture file:

1235293253.403384 0.062331 79.127.0.27 81.31.174.213 http 51271 80 tcp ? 144 SHR X cc=1

The problem is I cannot interpret the time record (1235293253.403384). Can you please help me?
Best Regards
Laleh Arshadi


From robin at icir.org Thu Sep 24 02:29:30 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 24 Sep 2009 02:29:30 -0700
Subject: [Bro] "time" format in Bro log files
In-Reply-To: <209440.1696.qm@web44806.mail.sp1.yahoo.com>
References: <209440.1696.qm@web44806.mail.sp1.yahoo.com>
Message-ID: <20090924092930.GD78578@icir.org>

On Thu, Sep 24, 2009 at 01:33 -0700, Laleh Arshadi wrote:

> 1235293253.403384 0.062331 79.127.0.27 81.31.174.213 http 51271 80 tcp ? 144 SHR X cc=1
>
> The problem is I cannot interpret the time record (1235293253.403384). Can you please help me?

It's a Unix timestamp, i.e., seconds since Jan 1, 1970. To get something more readable, pipe the conn.log through the cf tool in aux/cf.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From dianazeaiter at hotmail.com Thu Sep 24 14:05:23 2009
From: dianazeaiter at hotmail.com (Diana Zeaiter Joumblatt)
Date: Thu, 24 Sep 2009 21:05:23 +0000
Subject: [Bro] problem installing bro
Message-ID:

Hi,

I get the following error when compiling bro:

$make
$g++ -fPIC -I/usr/include/python2.5 -c -I/usr/include/python2.5 -c patricia.c -o /traces/bro/aux/broctl/.python-build/temp.linux-x86_64-2.5/patricia.o
patricia.c: In function 'prefix_t* New_Prefix2(int, void*, int, prefix_t*)':
patricia.c:273: error: invalid conversion from 'void*' to 'prefix_t*'
patricia.c: In function 'patricia_tree_t* New_Patricia(int)':
patricia.c:417: error: invalid conversion from 'void*' to 'patricia_tree_t*'
patricia.c: In function 'void Clear_Patricia(patricia_tree_t*, void (*)())':
patricia.c:450: error: too many arguments to function
patricia.c: In function 'void patricia_process(patricia_tree_t*, void (*)())':
patricia.c:497: error: too many arguments to function
patricia.c: In function 'patricia_node_t* patricia_lookup(patricia_tree_t*, prefix_t*)':
patricia.c:686: error: invalid conversion from 'void*' to 'patricia_node_t*'
patricia.c:797: error: invalid conversion from 'void*' to 'patricia_node_t*'
patricia.c:849: error: invalid conversion from 'void*' to 'patricia_node_t*'
error: command 'g++' failed with exit status 1

How can I fix this?

diana


From kevinsteiner5 at gmail.com Sun Sep 27 08:49:23 2009
From: kevinsteiner5 at gmail.com (Kevin Steiner)
Date: Sun, 27 Sep 2009 17:49:23 +0200
Subject: [Bro] bro traffic analysis
Message-ID: <194b97b10909270849y3eec546ep8a386a30d3a1aa4e@mail.gmail.com>

Hi,

I just started using bro for offline traffic analysis. I don't know which timers to tune to make the analysis of traces go faster. On some of the traces, the analysis never finishes and it is like bro is waiting for some timer to expire. Any help?

kevin
From kevinsteiner5 at gmail.com Sun Sep 27 09:04:57 2009
From: kevinsteiner5 at gmail.com (Kevin Steiner)
Date: Sun, 27 Sep 2009 18:04:57 +0200
Subject: [Bro] Fwd: bro traffic analysis
In-Reply-To: <194b97b10909270849y3eec546ep8a386a30d3a1aa4e@mail.gmail.com>
References: <194b97b10909270849y3eec546ep8a386a30d3a1aa4e@mail.gmail.com>
Message-ID: <194b97b10909270904n4c89469ema6fdda531e5ed724@mail.gmail.com>

---------- Forwarded message ----------
From: Kevin Steiner
Date: 2009/9/27
Subject: bro traffic analysis
To: bro at icsi.berkeley.edu

Hi,

I just started using bro for offline traffic analysis. I don't know which timers to tune to make the analysis of traces go faster. On some of the traces, the analysis never finishes and it is like bro is waiting for some timer to expire. Any help?

kevin


From edward.dean3 at gmail.com Sun Sep 27 15:16:43 2009
From: edward.dean3 at gmail.com (Edward Dean)
Date: Sun, 27 Sep 2009 18:16:43 -0400
Subject: [Bro] Empty Reports
Message-ID:

Good Day!

Setting up bro on freebsd and noticing that the script to create reports (/usr/local/scripts/site-report.pl) is generating empty reports. The reports contain the expected formatting but no actual data.

Not sure if this is relevant, but to run the script I did have to make the change to the "summary_only" variable as suggested here: http://tracker.icir.org/bro/ticket/54

Here is an example of the script's debug feedback:

hosta# /usr/local/scripts/site-report.pl -r 36 -d 3
report-start time: Thu Sep 24 00:00:30 2009 (1253750430)
report-end time: Fri Sep 25 12:00:30 2009 (1253880030)
Starting search for alarm files
List of alarm files which are within the time range
-> /nsm/bro/logs/alarm.hosta.09-09-25_15.58.20
Finished search for alarm files
Starting search for notice files
List of notice files which are within the time range
-> /nsm/bro/logs/notice.hosta.09-09-25_15.41.47
Finished search for notice files
Starting search for conn files
List of connection files which are within the time range
-> /nsm/bro/logs/conn.hosta.09-09-25_15.58.20-09-09-25_15.58.20
Finshed search for conn files
Starting processing of alarm files
Finished processing alarm files
Starting processing of conn file /nsm/bro/logs/conn.hosta.09-09-25_15.58.20-09-09-25_15.58.20
Finished processing conn file
Generating report file: /nsm/bro/reports/my.domain.1253902342.90655.rpt

Any suggestions would be much appreciated.

Cheers!
E


From hall.692 at osu.edu Sun Sep 27 20:05:09 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Sun, 27 Sep 2009 23:05:09 -0400
Subject: [Bro] bro traffic analysis
In-Reply-To: <194b97b10909270849y3eec546ep8a386a30d3a1aa4e@mail.gmail.com>
References: <194b97b10909270849y3eec546ep8a386a30d3a1aa4e@mail.gmail.com>
Message-ID: <982955DF-9392-46B1-912C-551A5DABD6F3@osu.edu>

On Sep 27, 2009, at 11:49 AM, Kevin Steiner wrote:

> I just started using bro for offline traffic analysis. i don't know
> which timers to tune to make the analysis of traces go faster. On
> some of traces, the analysis never finishes and it is like bro is
> waiting for some timer to expire.

I've been working with someone else having a problem similar to you.
What would help most is if you were able to distribute one of the problematic tracefiles (hopefully, the smallest possible problematic file) so we could take a look at what's going on.

Also, what version of Bro are you running?

Thanks,
.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721


From gillsr at cymru.com Mon Sep 28 08:36:05 2009
From: gillsr at cymru.com (Stephen Gill)
Date: Mon, 28 Sep 2009 08:36:05 -0700
Subject: [Bro] bro traffic analysis
In-Reply-To: <982955DF-9392-46B1-912C-551A5DABD6F3@osu.edu>
Message-ID:

>> I just started using bro for offline traffic analysis. i don't know
>> which timers to tune to make the analysis of traces go faster. On
>> some of traces, the analysis never finishes and it is like bro is
>> waiting for some timer to expire.
>
>
> I've been working with someone else having a problem similar to you.
> What would help most is if you were able to distribute one of the
> problematic tracefiles (hopefully, the smallest possible problematic
> file) so we could take a look at what's going on.

From what I've seen, I don't think the problem is only applicable to offline tracefiles - it appears to happen on live traffic as well. My best guess is that it is having a hard time when it only sees a portion of the full traffic due to a busy link, thus making state tracking more problematic.

-- steve


From edward.dean3 at gmail.com Mon Sep 28 09:17:50 2009
From: edward.dean3 at gmail.com (Edward Dean)
Date: Mon, 28 Sep 2009 12:17:50 -0400
Subject: [Bro] site-report.pl script: undefined value as a SCALAR reference
Message-ID:

Good Day,

My empty reports problem has been resolved; however, I am trying to dig a bit deeper into the site-report script error. An error is thrown if the script is run with the summary_only variable set to 1 (the default). The error says there is an undefined value as a SCALAR reference.

While the error can be avoided by setting the summary-only variable to 0, you then will not get full reports generated. The error seems to be that several variables containing the reportable data are not set due to the if-statement on line 492. This if-statement sets variables (header, incident_summ, incident_details, system_summ, scan_summ, signature_distribtution) only if summary_only is set to 0. I do not see any reason for this if-statement, and upon removing it I am able to get full reports rather than just the summary.

Does anyone who is more familiar with this script know why that if-statement is there and if removing it will have any negative consequences?

Cheers,
Edward


From vern at icir.org Mon Sep 28 09:55:13 2009
From: vern at icir.org (Vern Paxson)
Date: Mon, 28 Sep 2009 09:55:13 -0700
Subject: [Bro] bro traffic analysis
In-Reply-To: (Mon, 28 Sep 2009 08:36:05 PDT).
Message-ID: <200909281655.n8SGtIMP011608@pork.ICSI.Berkeley.EDU>

> From what I've seen, I don't think the problem is only applicable to offline
> tracefiles - it appears to happen on live traffic as well.

Sure, that would simply mean that whatever's triggering it is (unsurprisingly) showing up in the live traffic.

> My best guess is
> that it is having a hard time when it only sees a portion of the full
> traffic due to a busy link, thus making state tracking more problematic.

That won't hang it or even particularly burn up CPU. (We run in a lot of environments with busy links, so know this from experience.)

We could really use a trace that reproduces the problem to track this down. Very likely it's a bug in an analyzer that's entering an infinite loop. An alternative way to track it is to attach a debugger when it appears to be wedged and get a traceback to see what it's doing. This will only be effective if Bro has been built with ./configure --enable-debug.
Vern


From gillsr at cymru.com Mon Sep 28 10:08:31 2009
From: gillsr at cymru.com (Stephen Gill)
Date: Mon, 28 Sep 2009 10:08:31 -0700
Subject: [Bro] bro traffic analysis
In-Reply-To: <200909281655.n8SGtIMP011608@pork.ICSI.Berkeley.EDU>
Message-ID:

> Sure, that would simply mean that whatever's triggering it is (unsurprisingly)
> showing up in the live traffic.

Yep! Stopping a daemonized BRO shows the same general symptoms, where the process does not die in a reasonable amount of time.

>> My best guess is
>> that it is having a hard time when it only sees a portion of the full
>> traffic due to a busy link, thus making state tracking more problematic.
>
> That won't hang it or even partiuclarly burn up CPU. (We run in a lot of
> environments with busy links, so know this from experience.)

What I've seen is not so much the CPU hanging (though it was at 98% both in and out of wedge), but BRO ends up processing a lot of timers and events at this stage. Mostly related to conn.bro, but also in my case weird.bro, port-name.bro, hot.bro events were firing.

It's not so much the amount of data I'm referring to but the data that makes it to BRO. Assuming high random packet drops on a saturated link, stateful tracking is problematic and most everything looks unnatural because you're not necessarily seeing the full picture. At least in my case, I had to turn off ALL weird logging because it basically didn't apply to me.

Things did complete on a tracefile eventually, but very slowly. That implied to me that it wasn't an infinite loop. The process looked something like this (pardon the layman's view):

- Read pcap and process somewhat normally from start to finish
- Reach the end of the pcap as evidenced by the tracefile output
- Enter wedge state where the results take a very long time to complete, presumably due to processing of events/sessions still in state.

Unfortunately I'm not in a position to be able to provide tracefiles on this particular issue.

-- steve


From vern at icir.org Mon Sep 28 10:14:57 2009
From: vern at icir.org (Vern Paxson)
Date: Mon, 28 Sep 2009 10:14:57 -0700
Subject: [Bro] bro traffic analysis
In-Reply-To: (Mon, 28 Sep 2009 10:08:31 PDT).
Message-ID: <200909281715.n8SHF2Ee012122@pork.ICSI.Berkeley.EDU>

> Unfortunately I'm not in a position to be able to provide tracefiles on this
> particular issue.

A pity, as we do have quite a bit of machinery for analyzing performance problems like this. One you could try directly is including profiling.bro (and/or pkt-prof.bro) in your analysis scripts.

Vern
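Added example, not code from the Bro project or from anyone on this list: a small Python parser for the one-line conn.log format Laleh quoted earlier in the month, which expands the leading Unix timestamp into a readable UTC time the way Robin's answer (seconds since Jan 1, 1970; see also the cf tool) describes. Only the meaning of the first column is stated in the thread; the remaining column names follow the classic Bro 1.x conn.log layout as I recall it and are an assumption, as is treating "?" as a byte counter Bro did not observe.

```python
"""Parse the single-line conn.log format quoted on the list (Bro 1.x era).

Column names after the first are an assumption (classic 13-column Bro 1.x
conn.log); only the timestamp column is documented in the thread itself.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed column order of the Bro 1.x conn.log; 'addl' may be absent or
# contain spaces, so everything after column 12 is folded into it.
FIELDS = (
    "ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
    "proto", "orig_bytes", "resp_bytes", "state", "flags",
)

# Constructed sample input: the line posted in the "time" format thread.
SAMPLE_LINE = ("1235293253.403384 0.062331 79.127.0.27 81.31.174.213 "
               "http 51271 80 tcp ? 144 SHR X cc=1")


def split_seconds(text: str) -> Tuple[int, int]:
    """Split 'seconds.fraction' into (whole seconds, microseconds) exactly.

    Parsing the value as a float can lose the last microsecond digit for
    values around 1.2e9, so the decimal string is split instead.
    """
    whole, _, frac = text.partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return int(whole), micros


def epoch_to_utc(ts: str) -> datetime:
    """Convert a conn.log timestamp (seconds since 1970-01-01 UTC) to an aware datetime."""
    secs, micros = split_seconds(ts)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)


def parse_bytes(text: str) -> Optional[int]:
    """A '?' byte counter means Bro did not see that direction (assumption); map it to None."""
    return None if text == "?" else int(text)


def parse_conn_line(line: str) -> dict:
    """Turn one whitespace-separated conn.log line into a dict of parsed fields."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} columns, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["addl"] = " ".join(parts[len(FIELDS):])
    dur_secs, dur_micros = split_seconds(rec["duration"])
    rec["start"] = epoch_to_utc(rec["ts"])
    rec["duration"] = timedelta(seconds=dur_secs, microseconds=dur_micros)
    rec["end"] = rec["start"] + rec["duration"]
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    rec["orig_bytes"] = parse_bytes(rec["orig_bytes"])
    rec["resp_bytes"] = parse_bytes(rec["resp_bytes"])
    return rec


def readable(line: str) -> str:
    """Render a conn.log line with the timestamp expanded, in the spirit of cf."""
    r = parse_conn_line(line)
    return (f"{r['start'].isoformat()} {r['orig_h']}:{r['orig_p']} -> "
            f"{r['resp_h']}:{r['resp_p']} {r['proto']}/{r['service']} "
            f"dur={r['duration'].total_seconds():.6f}s state={r['state']} "
            f"{r['addl']}").rstrip()


if __name__ == "__main__":
    print(readable(SAMPLE_LINE))
```

Run it against a saved conn.log with a loop over the file's lines; anything with fewer than twelve columns raises rather than being silently misread, which matters when a log was truncated mid-write.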