From proy at netzary.com Tue Jan 5 03:20:43 2010
From: proy at netzary.com (Priyadarsan Roy)
Date: Tue, 05 Jan 2010 16:50:43 +0530
Subject: [Bro] bro.rc file missing
Message-ID: <1262690443.2707.15.camel@pd-laptop>

Hi,

I downloaded the latest version of bro 1.5. On installation, following

    ./configure --prefix=/usr/local/bro
    make
    sudo make install
    sudo make install-brolite

towards the end of make install-brolite I got this:

    make[1]: Leaving directory `/root/products/bro-1.5.1/aux'
    /bin/chown -R `cat scripts/bro_user_id` /usr/local/bro/
    cat: scripts/bro_user_id: No such file or directory
    /bin/chown: missing operand after `/usr/local/bro/'
    Try `/bin/chown --help' for more information.
    make: [install-brolite] Error 1 (ignored)
    *********************************************************
    Please run "/usr/local/bro/etc/bro.rc --start" to start bro
    *********************************************************

Now I see that there is no file /usr/local/bro/etc/bro.rc. On searching the archives I see that other users have got the same problem and that there is a patch file for an earlier version.

I am installing this on an Ubuntu installation, version 8.10. Am I missing something here to solve this issue?

Thanks and Regards,
P Roy

--
Netzary InfoDynamics
"Making IT to Work for You"
website : http://www.netzary.com
hand Phone : +91 8088503811
telephone : +91 80 41738665
fax : +91 80 22075212

From kevlo at kevlo.org Tue Jan 5 07:30:41 2010
From: kevlo at kevlo.org (Kevin Lo)
Date: Tue, 05 Jan 2010 23:30:41 +0800
Subject: [Bro] bro.rc file missing
In-Reply-To: <1262690443.2707.15.camel@pd-laptop>
References: <1262690443.2707.15.camel@pd-laptop>
Message-ID: <1262705441.1940.6.camel@nsl>

Priyadarsan Roy wrote:
> Hi,
>
> I downloaded the latest version of bro 1.5. On installation following
>
> ./configure --prefix=/usr/local/bro
> make
> sudo make install
> sudo make install-brolite
>
> towards the end of make install-brolite I got this
>
> make[1]: Leaving directory `/root/products/bro-1.5.1/aux'
> /bin/chown -R `cat scripts/bro_user_id` /usr/local/bro/
> cat: scripts/bro_user_id: No such file or directory
> /bin/chown: missing operand after `/usr/local/bro/'
> Try `/bin/chown --help' for more information.
> make: [install-brolite] Error 1 (ignored)
> *********************************************************
> Please run "/usr/local/bro/etc/bro.rc --start" to start bro
> *********************************************************
>
> Now I see that there is no file /usr/local/bro/etc/bro.rc. On searching
> the archives I see that other users have got the same problem and
> that there is a patch file for an earlier version.
>
> I am installing this on an Ubuntu installation, version 8.10. Am I
> missing something here to solve this issue?

Brolite is deprecated in 1.5.1, please use broctl instead.

> Thanks and Regards,
> P Roy

Kevin

From robin at icir.org Tue Jan 5 07:39:22 2010
From: robin at icir.org (Robin Sommer)
Date: Tue, 5 Jan 2010 07:39:22 -0800
Subject: [Bro] bro.rc file missing
In-Reply-To: <1262690443.2707.15.camel@pd-laptop>
References: <1262690443.2707.15.camel@pd-laptop>
Message-ID: <20100105153922.GB59860@icir.org>

On Tue, Jan 05, 2010 at 16:50 +0530, Priyadarsan Roy wrote:
> Now I see that there is no file /usr/local/bro/etc/bro.rc on
> searching the archives I see that other users have got the same
> problem and that there is a patch file for an earlier version.

Note that BroLite is no longer supported and will be removed in the future. That said, there's a patch for 1.4 in the tracker, see http://tracker.icir.org/bro/ticket/51 . The patch was however never confirmed to fix the problem. It might or might not work (and is completely untested with 1.5 afaik).
Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From cryptowave at gmail.com Thu Jan 7 08:01:30 2010
From: cryptowave at gmail.com (JRH)
Date: Thu, 7 Jan 2010 11:01:30 -0500
Subject: [Bro] Disabling PTR lookups in reporting

Hello,

I have looked at the documentation, wiki, and archive from the mailing list, and some of the code, but I can't seem (perhaps overlooked) to figure out how to disable PTR resolution in the site reports. Depending on the category (bytes trans, top dest, etc.) it has a different "buffer" for each hostname and, in most cases, the PTR record exceeds the buffer, so you end up with an entry that is very difficult to tie to an IP address for further investigation.

I am hoping someone has shared this same frustration and there is a solution available.

Thanks for any insight!

From dklinedinst at lbl.gov Mon Jan 11 14:29:29 2010
From: dklinedinst at lbl.gov (Dan Klinedinst)
Date: Mon, 11 Jan 2010 17:29:29 -0500
Subject: [Bro] xml / json parsers

Hi all,

Has anyone out there written a generic xml and/or json parser for Bro? I didn't see anything like that in the base or contributed scripts.

Thanks!
Dan

From bboe at cs.ucsb.edu Mon Jan 11 15:53:18 2010
From: bboe at cs.ucsb.edu (Bryce Boe)
Date: Mon, 11 Jan 2010 15:53:18 -0800
Subject: [Bro] Missing check for python-dev library in autoconf

Maybe this is fixed in SVN so I'll keep it short. The configure check for bro 1.5 doesn't verify that the python development libraries are installed. I am running Ubuntu 9.10 x64. When running ./configure && make the following error pops up:

    broccoli_intern_wrap.c:118:20: error: Python.h: No such file or directory

Installing the python-dev package on Ubuntu allows me to compile, but I figure it'd be nice to add that check in the autoconf. Unfortunately I don't know autoconf at all, so I can't provide a patch which does that.

-Bryce

From robin at icir.org Tue Jan 12 10:01:17 2010
From: robin at icir.org (Robin Sommer)
Date: Tue, 12 Jan 2010 10:01:17 -0800
Subject: [Bro] xml / json parsers
Message-ID: <20100112180117.GF4925@icir.org>

On Mon, Jan 11, 2010 at 17:29 -0500, you wrote:
> Has anyone out there written a generic xml and/or json parser for
> Bro?

Hi Dan,

yes and no. "No" because not in the traditional sense of manually writing a parser. "Yes" because there's what I think is a very cool piece for analyzing XML: we have an experimental analyzer that performs live xqueries: it looks for XML documents going over the wire and then performs customizable queries to extract interesting stuff; the results of the queries are then *automatically* turned into events, for which you can then write Bro script handlers for further processing.

If you want to give it a try, you can find the analyzer in my work branch (see CHANGES.features there). It is however indeed quite experimental. The basic functionality is there and should be working[1], but the main open question is performance: I have no idea whether the XML libraries it uses are sufficiently efficient for realistic online operation. Nobody has really looked into that yet. (The analyzer doesn't have a maintainer anymore, as the person who wrote it has moved on to other things.)

Robin

[1] Haven't tried it in a while though; it pulls in these huge XML libraries, and I remember some trouble getting it to compile with updated versions; that might take a few cycles again, assuming further library updates have come out in the meantime.

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Tue Jan 19 13:09:26 2010
From: robin at icir.org (Robin Sommer)
Date: Tue, 19 Jan 2010 13:09:26 -0800
Subject: [Bro] Poll: Bro deployments
Message-ID: <20100119210926.GB72748@icir.org>

Hello Sites Using Bro,

We'd like to ask for your help.
We're in the process of preparing a major funding proposal for improving Bro, focused on: improving the end-user experience (things like comprehensive documentation, polishing rough edges, fixing bugs); and improving performance.

This looks like a potentially excellent opportunity. However, a major element of winning the funding is convincingly demonstrating to the funders that Bro is already well-established across a large & diverse user community.

To develop that framing, we'd like to ask as many of you folks as possible to fill out the small questionnaire below. Please send the replies to Robin personally, not to the list (just replying to this mail should do the right thing). Assuming sufficient feedback, we'll post an anonymized summary to the list.

(Of course we already know about many of you, but collecting this information more systematically will allow us to put together a better overall view of the Bro community.)

Thanks a lot in advance,

Vern and Robin

--------- Please send to robin at icir.org -----------------------------

1. Name of deployment site [optional]:

2. We are using Bro

   [ ] not yet, but we plan to
   [ ] experimentally
   [ ] operationally

3. We have done so for about _N_ years.

4. Our site is best described as

   [ ] Academia
   [ ] Research Lab
   [ ] Government
   [ ] Industry
   [ ] Other (please explain)

5. In its current use, Bro monitors about _N_ systems.

6. Would you be fine with us listing your site by name as a Bro user?

   [ ] Yes, however you wish.
   [ ] Yes in private to the funders in your grant application, but not publicly.
   [ ] No, please use this information only in an anonymized form.

7. Optionally, list up to three improvements you would like to see in the "Bro world":

From vsankar at foretell.ca Tue Jan 19 13:51:29 2010
From: vsankar at foretell.ca (Vijay Sankar)
Date: Tue, 19 Jan 2010 15:51:29 -0600
Subject: [Bro] Poll: Bro deployments
In-Reply-To: <20100119210926.GB72748@icir.org>
References: <20100119210926.GB72748@icir.org>
Message-ID: <4B562961.90809@foretell.ca>

Robin Sommer wrote:
> Hello Sites Using Bro,
>
> We'd like to ask for your help. We're in the process of preparing a
> major funding proposal for improving Bro, focused on: improving the
> end-user experience (things like comprehensive documentation,
> polishing rough edges, fixing bugs); and improving performance.
>
> This looks like a potentially excellent opportunity. However, a
> major element of winning the funding is convincingly demonstrating
> to the funders that Bro is already well-established across a large &
> diverse user community.
>
> To develop that framing, we'd like to ask as many of you folks as
> possible to fill out the small questionnaire below. Please send the
> replies to Robin personally, not to the list (just replying to this
> mail should do the right thing). Assuming sufficient feedback, we'll
> post an anonymized summary to the list.
>
> (Of course we already know about many of you, but collecting this
> information more systematically will allow us to put together a
> better overall view of the Bro community.)
>
> Thanks a lot in advance,
>
> Vern and Robin
>
> --------- Please send to robin at icir.org -----------------------------
>
> 1. Name of deployment site [optional]: ForeTell Technologies Limited and two customer sites
>
> 2. We are using Bro
>
> [ ] not yet, but we plan to
> [X] experimentally
> [X] operationally
>
> 3. We have done so for about _3_ years.
>
> 4. Our site is best described as
>
> [ ] Academia
> [ ] Research Lab
> [ ] Government
> [X] Industry
> [X] Other (please explain) Customer Sites
>
> 5.
> In its current use, Bro monitors about _600_ systems.
>
> 6. Would you be fine with us listing your site by name as a Bro user?
>
> [ ] Yes, however you wish.
> [ ] Yes in private to the funders in your grant application, but not publicly.
> [X] No, please use this information only in an anonymized form.
>
> 7. Optionally, list up to three improvements you would like to see
> in the "Bro world":

1) Better documentation
2) Guidance on best practices
3) Better Support for OpenBSD

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsankar at foretell.ca

From jones at tacc.utexas.edu Wed Jan 20 14:49:26 2010
From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 20 Jan 2010 16:49:26 -0600
Subject: [Bro] Poll: Bro deployments
In-Reply-To: <20100119210926.GB72748@icir.org>
References: <20100119210926.GB72748@icir.org>

Site: UT Austin TACC, see www.tacc.utexas.edu

-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Robin Sommer
Sent: Tuesday, January 19, 2010 3:09 PM
To: bro at bro-ids.org
Cc: Vern Paxson
Subject: [Bro] Poll: Bro deployments

Hello Sites Using Bro,

We'd like to ask for your help. We're in the process of preparing a major funding proposal for improving Bro, focused on: improving the end-user experience (things like comprehensive documentation, polishing rough edges, fixing bugs); and improving performance.

This looks like a potentially excellent opportunity. However, a major element of winning the funding is convincingly demonstrating to the funders that Bro is already well-established across a large & diverse user community.

To develop that framing, we'd like to ask as many of you folks as possible to fill out the small questionnaire below. Please send the replies to Robin personally, not to the list (just replying to this mail should do the right thing). Assuming sufficient feedback, we'll post an anonymized summary to the list.

(Of course we already know about many of you, but collecting this information more systematically will allow us to put together a better overall view of the Bro community.)

Thanks a lot in advance,

Vern and Robin

--------- Please send to robin at icir.org -----------------------------

1. Name of deployment site [optional]:

2. We are using Bro

   [ ] not yet, but we plan to
   [ ] experimentally
   [x] operationally

3. We have done so for about _3_ years.

4. Our site is best described as

   [x] Academia
   [ ] Research Lab
   [ ] Government
   [ ] Industry
   [ ] Other (please explain)

5. In its current use, Bro monitors about _4_ systems.

6. Would you be fine with us listing your site by name as a Bro user?

   [x] Yes, however you wish.
   [ ] Yes in private to the funders in your grant application, but not publicly.
   [ ] No, please use this information only in an anonymized form.

7. Optionally, list up to three improvements you would like to see in the "Bro world":

From taosecurity at gmail.com Thu Jan 21 10:21:31 2010
From: taosecurity at gmail.com (Richard Bejtlich)
Date: Thu, 21 Jan 2010 13:21:31 -0500
Subject: [Bro] Poll: Bro deployments
In-Reply-To: <20100119210926.GB72748@icir.org>
References: <20100119210926.GB72748@icir.org>
Message-ID: <120ef0531001211021u31662691u1e6e97cd834d55a8@mail.gmail.com>

On Tue, Jan 19, 2010 at 4:09 PM, Robin Sommer wrote:
> Hello Sites Using Bro,
>
> We'd like to ask for your help.

1. Name of deployment site [optional]: General Electric

2. We are using Bro

   [X] not yet, but we plan to
   [ ] experimentally
   [ ] operationally

3. We have done so for about _1_ years.

4.
Our site is best described as

   [ ] Academia
   [ ] Research Lab
   [ ] Government
   [X] Industry
   [ ] Other (please explain)

5. In its current use, Bro monitors about _N/A_ systems. In production it could monitor over 300,000 systems.

6. Would you be fine with us listing your site by name as a Bro user?

   [ ] Yes, however you wish.
   [X] Yes in private to the funders in your grant application, but not publicly.
   [ ] No, please use this information only in an anonymized form.

7. Optionally, list up to three improvements you would like to see in the "Bro world":

   a. Documentation -- ideally we would like to see a book-length and book-quality document explaining how to deploy and use Bro, from beginner to advanced level.
   b. Deployment assistance -- creating wizards or other interfaces that guide a new installation to implement desired functionality.
   c. User conferences -- gathering Bro users together to discuss how they use the product, share leading practices, and form a community to help advise requirements and development.

Thank you,

Richard

From jones at nics.utk.edu Fri Jan 22 08:19:40 2010
From: jones at nics.utk.edu (Nicholas Jones)
Date: Fri, 22 Jan 2010 11:19:40 -0500
Subject: [Bro] Bug when running broctl cron
Message-ID: <1B6C24D9-50F3-4C2B-B4E4-6F9C8CB8F6D2@nics.utk.edu>

I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.

I made the error disappear by changing

    avail=float(df[3])

to

    avail=float(df[3].strip("%"))

Thanks,
Nick Jones

    # broctl cron
    warning: removing stale lock
    Traceback (most recent call last):
      File "/usr/local/bro/bin/broctl", line 726, in ?
        loop.onecmd(line)
      File "/usr/lib64/python2.4/cmd.py", line 219, in onecmd
        return func(arg)
      File "/usr/local/bro/bin/broctl", line 341, in do_cron
        cron.doCron()
      File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 41, in doCron
        _checkDiskSpace()
      File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 150, in _checkDiskSpace
        avail = float(df[3])
    ValueError: invalid literal for float(): 2%

From hall.692 at osu.edu Fri Jan 22 08:40:38 2010
From: hall.692 at osu.edu (Seth Hall)
Date: Fri, 22 Jan 2010 11:40:38 -0500
Subject: [Bro] Bug when running broctl cron
In-Reply-To: <1B6C24D9-50F3-4C2B-B4E4-6F9C8CB8F6D2@nics.utk.edu>
References: <1B6C24D9-50F3-4C2B-B4E4-6F9C8CB8F6D2@nics.utk.edu>

On Jan 22, 2010, at 11:19 AM, Nicholas Jones wrote:
> I have a fresh installation of Bro 1.5.1, and I am encountering an
> error when running 'broctl cron'. It appears that when broctl
> attempts to do a df, the % symbol is not stripped before python
> tries to convert it to a float. This throws a python error, as you
> can see below.
>
> I made the error disappear by changing avail=float(df[3]) to
> avail=float(df[3].strip("%"))

What operating system are you running this on?

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From jones at nics.utk.edu Fri Jan 22 10:47:17 2010
From: jones at nics.utk.edu (Nicholas Jones)
Date: Fri, 22 Jan 2010 13:47:17 -0500
Subject: [Bro] Bug when running broctl cron
References: <1B6C24D9-50F3-4C2B-B4E4-6F9C8CB8F6D2@nics.utk.edu>
Message-ID: <9A0B545A-D752-4FD0-9561-EF516FA24156@nics.utk.edu>

Centos 5.4 with Python 2.4.3

On Jan 22, 2010, at 11:40 AM, Seth Hall wrote:
> On Jan 22, 2010, at 11:19 AM, Nicholas Jones wrote:
>
>> I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.
>>
>> I made the error disappear by changing avail=float(df[3]) to avail=float(df[3].strip("%"))
>
>
> What operating system are you running this on?
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>

From robin at icir.org Fri Jan 22 11:23:05 2010
From: robin at icir.org (Robin Sommer)
Date: Fri, 22 Jan 2010 11:23:05 -0800
Subject: [Bro] Bug when running broctl cron
In-Reply-To: <9A0B545A-D752-4FD0-9561-EF516FA24156@nics.utk.edu>
References: <1B6C24D9-50F3-4C2B-B4E4-6F9C8CB8F6D2@nics.utk.edu> <9A0B545A-D752-4FD0-9561-EF516FA24156@nics.utk.edu>
Message-ID: <20100122192305.GH65101@icir.org>

On Fri, Jan 22, 2010 at 13:47 -0500, Nicholas Jones wrote:
> Centos 5.4 with Python 2.4.3

Can you please file a ticket with the tracker at http://tracker.icir.org/bro

Thanks!

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From kevlo at kevlo.org Sat Jan 23 02:16:41 2010
From: kevlo at kevlo.org (Kevin Lo)
Date: Sat, 23 Jan 2010 18:16:41 +0800
Subject: [Bro] Poll: Bro deployments
In-Reply-To: <4B562961.90809@foretell.ca>
References: <20100119210926.GB72748@icir.org> <4B562961.90809@foretell.ca>
Message-ID: <1264241801.23180.11.camel@srg.kevlo.org>

On Tue, 2010-01-19 at 15:51 -0600, Vijay Sankar wrote:
> Robin Sommer wrote:
> > Hello Sites Using Bro,
> >
> > We'd like to ask for your help. We're in the process of preparing a
> > major funding proposal for improving Bro, focused on: improving the
> > end-user experience (things like comprehensive documentation,
> > polishing rough edges, fixing bugs); and improving performance.
> >
> > This looks like a potentially excellent opportunity. However, a
> > major element of winning the funding is convincingly demonstrating
> > to the funders that Bro is already well-established across a large &
> > diverse user community.
> >
> > To develop that framing, we'd like to ask as many of you folks as
> > possible to fill out the small questionnaire below. Please send the
> > replies to Robin personally, not to the list (just replying to this
> > mail should do the right thing). Assuming sufficient feedback, we'll
> > post an anonymized summary to the list.
> >
> > (Of course we already know about many of you, but collecting this
> > information more systematically will allow us to put together a
> > better overall view of the Bro community.)
> >
> > Thanks a lot in advance,
> >
> > Vern and Robin
> >
> > --------- Please send to robin at icir.org -----------------------------
> >
> > 1. Name of deployment site [optional]: ForeTell Technologies Limited and two customer sites
> >
> > 2. We are using Bro
> >
> > [ ] not yet, but we plan to
> > [X] experimentally
> > [X] operationally
> >
> > 3. We have done so for about _3_ years.
> >
> > 4. Our site is best described as
> >
> > [ ] Academia
> > [ ] Research Lab
> > [ ] Government
> > [X] Industry
> > [X] Other (please explain) Customer Sites
> >
> > 5. In its current use, Bro monitors about _600_ systems.
> >
> > 6. Would you be fine with us listing your site by name as a Bro user?
> >
> > [ ] Yes, however you wish.
> > [ ] Yes in private to the funders in your grant application, but not publicly.
> > [X] No, please use this information only in an anonymized form.
> >
> > 7. Optionally, list up to three improvements you would like to see
> > in the "Bro world":
>
> 1) Better documentation
> 2) Guidance on best practices
> 3) Better Support for OpenBSD

Bro runs fine on OpenBSD. If you want to help, please test an updated diff of bro that I sent on ports@ and feedback to me, thanks!

http://marc.info/?l=openbsd-ports&m=126295957409387&w=2

Kevin

From ttruong at soleilit.com Sun Jan 24 00:29:28 2010
From: ttruong at soleilit.com (ttruong at soleilit.com)
Date: Sun, 24 Jan 2010 03:29:28 -0500 (EST)
Subject: [Bro] Poll: Bro deployments
Message-ID: <1622.72.83.127.17.1264321768.squirrel@soleilit.com>

Greetings

>>> 1. Name of deployment site [optional]: Soleil IT Services, Inc.
>>>
>>> 2. We are using Bro
>>>
>>> [ ] not yet, but we plan to
>>> [X] experimentally
>>> [X] operationally
>>>
>>> 3. We have done so for about _6_ months.
>>>
>>> 4. Our site is best described as
>>>
>>> [ ] Academia
>>> [ ] Research Lab
>>> [ ] Government
>>> [X] Industry
>>> [X] Other (please explain) Federal agency in planning stage
>>>
>>> 5. In its current use, Bro monitors about _10_ systems along with Sourcefire/SNORT.
>>>
>>> 6. Would you be fine with us listing your site by name as a Bro user?
>>>
>>> [x] Yes, however you wish.
>>> [ ] Yes in private to the funders in your grant application, but not publicly.
>>> [ ] No, please use this information only in an anonymized form.
>>>
>>> 7. Optionally, list up to three improvements you would like to see
>>> in the "Bro world":
>> 1) Better documentation
>> 2) Guidance on best practices
>> 3) Better Support for LINUX/OpenBSD

---
Very best regards,
---
Mr. Thuan V. Truong
Soleil IT Services, Inc
1568 Spring Hill Rd, Suite 201, McLean, VA 22102
Direct: (703) 861 1610, Fax: (703) 917 8881
Web: http://SOLEILit.com/

bro-request at ICSI.Berkeley.EDU wrote:
> Message: 1
> Date: Sat, 23 Jan 2010 18:16:41 +0800
> From: Kevin Lo
> Subject: Re: [Bro] Poll: Bro deployments
> To: vsankar at foretell.ca
> Cc: bro at bro-ids.org, Vern Paxson , Robin Sommer
> Message-ID: <1264241801.23180.11.camel at srg.kevlo.org>
> Content-Type: text/plain; charset="us-ascii"
>
> On Tue, 2010-01-19 at 15:51 -0600, Vijay Sankar wrote:
>> 1) Better documentation
>> 2) Guidance on best practices
>> 3) Better Support for OpenBSD
>
> Bro runs fine on OpenBSD. If you want to help, please test an updated diff of bro that I sent on ports@ and feedback to me, thanks!
>
> http://marc.info/?l=openbsd-ports&m=126295957409387&w=2
>
> Kevin

From daniela.miao at utoronto.ca Sun Jan 24 14:15:47 2010
From: daniela.miao at utoronto.ca (daniela.miao at utoronto.ca)
Date: Sun, 24 Jan 2010 17:15:47 -0500
Subject: [Bro] Questions about Bro's DNS Parser
Message-ID: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca>

Dear Mr. Paxson/Bro contributors,

My name is Daniela Miao, and I am currently a 3rd year Computer Engineering Student at the University of Toronto. I have a couple of questions regarding bro's current DNS parser; I hope this will not take up too much of your time.

Being currently involved in a Bell Canada research project, I am responsible for analyzing some DNS data traffic, captured in a pcap file. I discovered Bro's DNS parser, which is rather robust, and performs the exact operations that I need. However, I've run into some problems with certain packets that contain DNS responses with errors. I'm not sure what the exact problem is, but it seems that the bro parser is having trouble recognizing all the returned error codes (indicating "malformed packets", "no such name exists", "server failure" etc.). I have attached a fragment of the log file to illustrate my point; as you can see, all the responses containing errors simply turn into "A requested domain name".

I suspect that I have to customize the parser a bit, so that it can recognize all the error codes. However, since I'm not familiar with the source code, I wanted to get some advice from you regarding this problem, before I blindly dive in. I apologize if you are not the correct person I should be contacting.
If you could provide some resources/other contacts from whom I can gain some direction, or advice, I would be very thankful.

Thank you for your time. I hope you have a nice day.

Sincerely,
Daniela

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns.log
Type: text/x-log
Size: 2293 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100124/e3fe38a0/attachment.bin

From hall.692 at osu.edu Sun Jan 24 19:21:54 2010
From: hall.692 at osu.edu (Seth Hall)
Date: Sun, 24 Jan 2010 22:21:54 -0500
Subject: [Bro] Questions about Bro's DNS Parser
In-Reply-To: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca>
References: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca>
Message-ID: <5AD11EEF-CABC-4455-BDC5-DE93B7E01A7A@osu.edu>

On Jan 24, 2010, at 5:15 PM, daniela.miao at utoronto.ca wrote:
> However, I've run into some
> problems with certain packets that contain DNS responses with errors.
> I'm not sure what the exact problem is, but it seems that the bro
> parser is having trouble recognizing all the returned error codes
> (indicating "malformed packets", "no such name exists", "server
> failure" etc.) I have attached a fragment of the log file to
> illustrate my point, as you can see, all the responses containing
> errors simply turn into "A requested domain name")

Are you using the binpac based parser? I was just running into trouble last night with error codes being returned incorrectly from the binpac parser. The hand written parser was working fine for me though.

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From daniela.miao at utoronto.ca Sun Jan 24 20:17:57 2010
From: daniela.miao at utoronto.ca (daniela.miao at utoronto.ca)
Date: Sun, 24 Jan 2010 23:17:57 -0500
Subject: [Bro] Questions about Bro's DNS Parser
In-Reply-To: <5AD11EEF-CABC-4455-BDC5-DE93B7E01A7A@osu.edu>
References: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca> <5AD11EEF-CABC-4455-BDC5-DE93B7E01A7A@osu.edu>
Message-ID: <20100124231757.dfegdeh3c4c8k00w@webmail.utoronto.ca>

Hey Seth,

Thanks for your help. However, I wasn't even aware of the binpac parser till you just mentioned it, so I think I am already using the hand written one. Just in case, this is the command I'm using:

    bro -r test.pcap dns

I believe this is correct?

Thanks,
Daniela

Quoting Seth Hall :
>
> On Jan 24, 2010, at 5:15 PM, daniela.miao at utoronto.ca wrote:
>
>> However, I've run into some
>> problems with certain packets that contain DNS responses with errors.
>> I'm not sure what the exact problem is, but it seems that the bro
>> parser is having trouble recognizing all the returned error codes
>> (indicating "malformed packets", "no such name exists", "server
>> failure" etc.) I have attached a fragment of the log file to
>> illustrate my point, as you can see, all the responses containing
>> errors simply turn into "A requested domain name")
>
>
> Are you using the binpac based parser? I was just running into trouble
> last night with error codes being returned incorrectly from the binpac
> parser. The hand written parser was working fine for me though.
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721

From cryptowave at gmail.com Sun Jan 24 20:24:45 2010
From: cryptowave at gmail.com (JRH)
Date: Sun, 24 Jan 2010 23:24:45 -0500
Subject: [Bro] Truncated DNS entries in reporting
Message-ID:

Hi Folks,

In BRO reports, if a hostname (PTR lookup) exceeds a certain amount of characters, it gets truncated. Is there an option to turn the PTR lookup off? I have looked at the documentation and even the code and I am stumped.

Thanks for any pointers ;)

From mattern at caltech.edu Mon Jan 25 09:38:39 2010
From: mattern at caltech.edu (Blake Mattern)
Date: Mon, 25 Jan 2010 09:38:39 -0800
Subject: [Bro] Poll: Bro deployments
In-Reply-To: <20100119210926.GB72748@icir.org>
References: <20100119210926.GB72748@icir.org>
Message-ID: <20100125173839.GB2408@atreides>

On Tue, Jan 19, 2010 at 01:09:26PM -0800, Robin Sommer wrote:

> Hello Sites Using Bro,
>
> We'd like to ask for your help. We're in the process of preparing a
> major funding proposal for improving Bro, focused on: improving the
> end-user experience (things like comprehensive documentation,
> polishing rough edges, fixing bugs); and improving performance.
>
> This looks like a potentially excellent opportunity. However, a
> major element of winning the funding is convincingly demonstrating
> to the funders that Bro is already well-established across a large &
> diverse user community.
>
> To develop that framing, we'd like to ask as many of you folks as
> possible to fill out the small questionnaire below. Please send the
> replies to Robin personally, not to the list (just replying to this
> mail should do the right thing). Assuming sufficient feedback, we'll
> post an anonymized summary to the list.
>
> (Of course we already know about many of you, but collecting this
> information more systematically will allow us to put together a
> better overall view of the Bro community.)
>
> Thanks a lot in advance,
>
> Vern and Robin
>
> --------- Please send to robin at icir.org -----------------------------
>
> 1. Name of deployment site [optional]: California Institute of Technology.
>
> 2. We are using Bro
>
> [ ] not yet, but we plan to
> [x] experimentally
> [ ] operationally
>
> 3. We have done so for about _6_ months.
>
> 4. Our site is best described as
>
> [x] Academia
> [ ] Research Lab
> [ ] Government
> [ ] Industry
> [ ] Other (please explain)
>
> 5. In its current use, Bro monitors about _50_ systems.
>
> 6. Would you be fine with us listing your site by name as a Bro user?
>
> [ ] Yes, however you wish.
> [ ] Yes in private to the funders in your grant application, but not publicly.
> [x] No, please use this information only in an anonymized form.
>
> 7. Optionally, list up to three improvements you would like to see
> in the "Bro world":
>
> --Documentation
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From hall.692 at osu.edu Mon Jan 25 12:21:53 2010
From: hall.692 at osu.edu (Seth Hall)
Date: Mon, 25 Jan 2010 15:21:53 -0500
Subject: [Bro] Questions about Bro's DNS Parser
In-Reply-To: <20100124231757.dfegdeh3c4c8k00w@webmail.utoronto.ca>
References: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca> <5AD11EEF-CABC-4455-BDC5-DE93B7E01A7A@osu.edu> <20100124231757.dfegdeh3c4c8k00w@webmail.utoronto.ca>
Message-ID: <6F0ADD9A-40E8-47A8-91DE-B05DD2A2A216@osu.edu>

On Jan 24, 2010, at 11:17 PM, daniela.miao at utoronto.ca wrote:

> bro -r test.pcap dns
>
> I believe this is correct?

Yes, that should be correct. Can you share the tracefile?
.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From powellsm at musc.edu Tue Jan 26 13:24:32 2010
From: powellsm at musc.edu (Powell, Scott)
Date: Tue, 26 Jan 2010 16:24:32 -0500
Subject: [Bro] Core dump on a new Bro Cluster
Message-ID:

Bro Community,

We have begun looking at the Bro NIDS here at MUSC so I have been working on setting up a cluster on some new security infrastructure equipment. We're running on RedHat Enterprise Linux 5.4, 64-bit with Bro 1.5.1 (latest current release on the bro-ids.org download page). I compiled and set up the cluster and then started it up with "broctl start". My workers fired up and began collecting data from our network TAP. However, the worker with the TAP (worker-4) continues to "crash" repeatedly. If I issue a "broctl diag" it reveals a core dump. I ran a gdb on the core file that was produced and got the same results as the diag output below. Any ideas?

[BroControl] > status
Name       Type     Host        Status    Pid    Peers  Started
worker-4   worker   zoyd4       crashed
manager    manager  bombe4      running   3693   4      26 Jan 15:35:54
proxy-1    proxy    bombe4      running   3729   4      26 Jan 15:35:57
worker-1   worker   sigma4      running   10799  2      26 Jan 15:35:59
worker-2   worker   forensics4  running   21174  2      26 Jan 15:35:59
worker-3   worker   reaper4     running   8954   2      26 Jan 15:35:59

[BroControl] > diag worker-4
[worker-4]

==== stderr.log
pcap bufsize = 8256
listening on eth1
/var/local/bro/share/broctl/scripts/run-bro: line 73:  2837 Segmentation fault      (core dumped) nohup $tmpbro $@

==== stdout.log

==== .status
RUNNING [net_run]

==== No prof.log.

core.2837
Core was generated by `/var/local/bro/spool/tmp/bro -i eth1 -U .status -p broctl -p cluster -p local -'.
Program terminated with signal 11, Segmentation fault.
[New process 2837]
#0  FragReassembler::DeleteTimer (this=0x23219450) at Frag.h:62
62          void ClearReassembler() { f = 0; }

Thanks,

Scott Powell
Unix Systems Engineer / Information Security Analyst
Office of the CIO - Information Systems (OCIO-IS)
Medical University of South Carolina
powellsm at musc.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100126/0c1974dd/attachment.html

From daniela.miao at utoronto.ca Fri Jan 29 08:40:45 2010
From: daniela.miao at utoronto.ca (daniela.miao at utoronto.ca)
Date: Fri, 29 Jan 2010 11:40:45 -0500
Subject: [Bro] Questions about Bro's DNS Parser
In-Reply-To: <6F0ADD9A-40E8-47A8-91DE-B05DD2A2A216@osu.edu>
References: <20100124171547.w6numhp8kksw840s@webmail.utoronto.ca> <5AD11EEF-CABC-4455-BDC5-DE93B7E01A7A@osu.edu> <20100124231757.dfegdeh3c4c8k00w@webmail.utoronto.ca> <6F0ADD9A-40E8-47A8-91DE-B05DD2A2A216@osu.edu>
Message-ID: <20100129114045.cdbvnxwmbs4k4wck@webmail.utoronto.ca>

Hey Seth,

Sorry about the delay in response, there is some confidentiality issue involved so I had to first get the okay from my supervising professor. Anyhow, I have attached a sample capture from the trace file, which contains DNS packets with returned errors (some response packets).

I also took a look at dns.bro, if I'm not mistaken the parser does not have any error code interpreting feature, it seems all to be grouped into Weird::WEIRD_FILE. I suspect I'll just have to redefine that object.

Thank you very much for your help,
Daniela

Quoting Seth Hall :

>
> On Jan 24, 2010, at 11:17 PM, daniela.miao at utoronto.ca wrote:
>
>> bro -r test.pcap dns
>>
>> I believe this is correct?
>
>
> Yes, that should be correct. Can you share the tracefile?
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721

-------------- next part --------------
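The error codes this thread is about ("malformed packet", "no such name", "server failure") are the DNS RCODE: the low four bits of the 16-bit flags word in the 12-byte message header (RFC 1035, section 4.1.1). A response carrying NXDOMAIN or SERVFAIL still repeats the question section, so a parser that reads the question but ignores RCODE logs nothing more than the requested name, which is the symptom described above. The following decoder is an added example for this archive; it is not code from the Bro project, from dns.bro, or from anyone in the thread. It parses raw DNS messages, names the RCODE, walks the answer section with bounds and pointer-loop checks, and builds its own constructed sample responses (`build_response` and `SAMPLES` are helpers written here, not Bro APIs).

```python
"""Decode the RCODE (response code) of raw DNS messages.

Added example, not code from the Bro project or from this thread.
RCODE sits in the low four bits of the header flags word (RFC 1035
section 4.1.1). All sample messages below are constructed.
"""
import struct

# RFC 1035 response codes, with the names resolver logs use.
RCODE_NAMES = {
    0: "NOERROR",
    1: "FORMERR",   # "malformed packet": server could not parse the query
    2: "SERVFAIL",  # "server failure"
    3: "NXDOMAIN",  # "no such name exists"
    4: "NOTIMP",
    5: "REFUSED",
}


def parse_header(msg):
    """Unpack the 12-byte DNS header; raise ValueError on a short message."""
    if len(msg) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(msg))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit
        "rcode": flags & 0x000F,              # low four bits of the flags
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def read_name(msg, offset):
    """Decode a label sequence at offset, following compression pointers.

    Returns (dotted name, offset just past the name in the original stream).
    Bounds and hop limits keep a crafted message from looping or over-reading.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def classify_response(msg):
    """Summarize a response: question name, RCODE name, (name, type) of each answer RR."""
    h = parse_header(msg)
    off, qname = 12, ""
    for _ in range(h["qdcount"]):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(h["ancount"]):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answers.append((name, rtype))
    return {"qname": qname,
            "rcode": RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"]),
            "answers": answers}


def build_response(ident, rcode, qname, a_record=None):
    """Constructed helper: minimal response (QR, RD, RA set) with one question."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", ident, flags, 1, 1 if a_record else 0, 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if a_record:  # answer name is a pointer (0xC00C) back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(a_record)
    return msg


# Constructed samples: the response kinds the thread says were logged
# as just the requested name, with the error code lost.
SAMPLES = {
    "ok": build_response(0x1234, 0, "www.example.com", (192, 0, 2, 10)),
    "nxdomain": build_response(0x1235, 3, "nosuch.example.com"),
    "servfail": build_response(0x1236, 2, "broken.example.com"),
    "formerr": build_response(0x1237, 1, "bad.example.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_response(raw))
```

Running the block prints one summary per constructed sample; the three error responses come back with an empty answer list and only their RCODE distinguishes them, which is exactly the field a DNS log needs to carry for "no such name" or "server failure" to be visible.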