From lothar.braun at googlemail.com Tue Jun 1 08:57:47 2010 
From: lothar.braun at googlemail.com (Lothar Braun)
Date: Tue, 1 Jun 2010 17:57:47 +0200
Subject: [Bro] Segmentation fault with dns-anonymizer

Hi again,

replying to my own message: I found the reason for the segmentation fault.

The problem is that my trace contains DNS traffic that is sent over TCP. DNS.cc creates a DNS_Rewriter for DNS over UDP only. Hence, all DNS traffic over TCP will be rewritten by a TCP_Rewriter object, which is created in TCP.cc, TCP_Analyzer::Init().

The problem kicks in because Bro correctly identifies the DNS traffic within the TCP connection and therefore tries to rewrite it with bro_rewrite_dns_reply_question(). bro_rewrite_dns_reply_question() gets the rewriter object, checks if the object is valid, and then casts the Rewriter into a DNS_Rewriter. This is an error because the Rewriter is a TCP_Rewriter instead of a DNS_Rewriter, leading to the segmentation fault that I described yesterday when DNS_Rewriter::DnsCopyQuery() is called.

Is DNS_Rewriter able to correctly rewrite DNS traffic in TCP packets and can it be created in DNS.cc for TCP, too?

If the rewriter is not able to handle TCP packets, the methods in dns-rw.bif could be changed from

	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
	dnsrewriter->DnsCopyCNAME(ans, name->AsString());

to something like this:

	DNS_Rewriter* dnsrewriter = dynamic_cast<DNS_Rewriter*>(@TRACE@);
	if (!dnsrewriter) {
		printf("No suitable rewriter for this kind of DNS traffic!\n");
		return NULL;
	}

This inhibits Bro from segfaulting and gives a hint to the user that some DNS traffic is not handled correctly (e.g. not anonymized correctly?).

Does someone have a better idea?
Best regards,
Lothar

On Mon, May 31, 2010 at 1:45 PM, Lothar Braun wrote:
> Hi,
>
> I'm trying to anonymize a DNS trace while running bro 1.5.1 and get a
> segmentation fault while running
>
> bro -r trace.pcap dns-anonymizer.bro -w output.pcap
>
> The segmentation fault results in this back trace:
>
> #0  0x000000000064c474 in __ns_name_pack ()
> #1  0x000000000064cd32 in __ns_name_compress ()
> #2  0x00000000005d5ae8 in DNS_Rewriter::DnsCopyQuery (this=0x2830fb0,
>     query=0x2834c40, qtype=6, qclass=1)
>     at DNS_Rewriter.cc:100
> #3  0x000000000045e713 in bro_rewrite_dns_reply_question
>     (frame=0x2825f20, BiF_ARGS=0x2832440) at dns-rw.bif:23
> #4  0x00000000004daaa7 in BuiltinFunc::Call (this=0x22c0050,
>     args=0x2832440, parent=0x2825f20) at Func.cc:451
> #5  0x00000000004a5081 in CallExpr::Eval (this=0x276e6d0, f=0x2825f20)
>     at Expr.cc:4629
> #6  0x000000000058618f in ExprStmt::Exec (this=0x276e770, f=0x2825f20,
>     flow=@0x7fff72d90aa4) at Stmt.cc:397
> #7  0x000000000058723a in StmtList::Exec (this=0x276dba0, f=0x2825f20,
>     flow=@0x7fff72d90aa4) at Stmt.cc:1432
> #8  0x00000000004e1ea0 in BroFunc::Call (this=0x2645ee0,
>     args=0x282fec0, parent=0x0) at Func.cc:308
> #9  0x0000000000485a0d in EventHandler::Call (this=0x2123a40,
>     vl=0x282fec0, no_remote=false) at EventHandler.cc:67
> #10 0x000000000040c835 in Event::Dispatch (this=0x2833810,
>     no_remote=false) at Event.h:43
> #11 0x0000000000485439 in EventMgr::Dispatch (this=0x95b760) at Event.cc:107
> #12 0x00000000004854a6 in EventMgr::Drain (this=0x95b760) at Event.cc:119
> #13 0x000000000051aa68 in net_packet_dispatch (t=1275291343.0222969,
>     hdr=0x22c1fe0, pkt=0x276e812 "", hdr_size=14,
>     src_ps=0x22c1fa0, pkt_elem=0x0) at Net.cc:436
> #14 0x000000000051acb5 in net_packet_arrival (t=1275291343.0222969,
>     hdr=0x22c1fe0, pkt=0x276e812 "", hdr_size=14,
>     src_ps=0x22c1fa0) at Net.cc:498
> #15 0x000000000052e198 in PktSrc::Process (this=0x22c1fa0) at PktSrc.cc:199
> #16 0x000000000051adf1 in net_run () at Net.cc:528
> #17 0x000000000040a4df in main (argc=6, argv=0x7fff72d915c8) at main.cc:999
>
> The crash happens within dn_comp in
>
> len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size, dn_ptrs,
> last_dn_ptr);
>
> at some point within the trace. This does not happen on the first DNS
> packet in the trace, but somewhere in the middle.
> Hence, there were successful calls to DNS_Rewriter::DnsCopyQuery()
> before the segmentation fault.
>
> I tried to debug the issue and found that the crash is probably due to
> uninitialized variables dn_ptrs and last_dn_ptr. Digging deeper into
> the problem, I found that the DNS_Rewriter object (this = 0x2830fb0)
> has never been initialized (the constructor of that object has never
> been called).
>
> Is this a known problem? I could not find any issue at the bug tracker
> that seems to be related.
>
> Can someone give me a hint on how to further debug the problem?
>
> Best regards,
>  Lothar
>

From sridhar.basam at gmail.com Tue Jun 1 09:07:59 2010
From: sridhar.basam at gmail.com (sridhar basam)
Date: Tue, 1 Jun 2010 12:07:59 -0400
Subject: [Bro] Forcing analyser on partial connections

I have some very long lived http connections where the capture file doesn't have the tcp setup packets. Is there a way to force the analyser to run on such partial connections? Any way to twiddle the connection records to run the analyser you want?

thanks
--
Sridhar

From vern at icir.org Tue Jun 1 10:46:50 2010
From: vern at icir.org (Vern Paxson)
Date: Tue, 01 Jun 2010 10:46:50 -0700
Subject: [Bro] Segmentation fault with dns-anonymizer
In-Reply-To: (Tue, 01 Jun 2010 17:57:47 +0200).
Message-ID: <201006011746.o51Hko3Q031635@pork.ICSI.Berkeley.EDU>

> Is DNS_Rewriter able to correctly rewrite DNS traffic in TCP packets
> and can it be created in DNS.cc for TCP, too?

It wouldn't surprise me if it's not able to do so. It's code that we haven't used much; it was added for a research project that we later suspended.

It would be helpful if you could enter this as a ticket in the Tracker (http://tracker.icir.org/bro).

		Vern

From vern at icir.org Tue Jun 1 10:51:25 2010
From: vern at icir.org (Vern Paxson)
Date: Tue, 01 Jun 2010 10:51:25 -0700
Subject: [Bro] Forcing analyser on partial connections
In-Reply-To: (Tue, 01 Jun 2010 12:07:59 EDT).
Message-ID: <201006011751.o51HpPGS031712@pork.ICSI.Berkeley.EDU>

> I have some very long lived http connections where the capture file doesn't
> have the tcp setup packets. Is there a way to force the analyser to run on
> such partial connections?

Which version of Bro are you using, and with what options? In 1.5.1, the settings are such that HTTP analysis should work on partial connections if you're not running with --use-binpac. (By default, this is indeed off.)

		Vern

From sridhar.basam at gmail.com Tue Jun 1 10:58:55 2010
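The type confusion behind Lothar's segfault earlier in this thread, as an added example that is not Bro's code: a minimal Rewriter hierarchy standing in for Bro's TCP_Rewriter and DNS_Rewriter, with the unchecked C-style cast from dns-rw.bif beside the dynamic_cast check he proposes. Class names follow the thread; the member functions, the compression-pointer stand-ins and the counting helper are assumptions made for the demonstration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Minimal stand-ins for Bro's rewriter classes (assumption: the real classes
// carry far more state; only the inheritance relationship matters here).
class Rewriter {
public:
    virtual ~Rewriter() {}
    virtual const char* Kind() const = 0;   // polymorphic base: dynamic_cast needs a vtable
};

// What TCP_Analyzer::Init() attaches to a TCP connection: no DNS state at all.
class TCP_Rewriter : public Rewriter {
public:
    const char* Kind() const override { return "TCP_Rewriter"; }
};

// What DNS.cc creates for DNS over UDP: owns the compression-pointer table
// that the real DnsCopyQuery() hands to dn_comp().
class DNS_Rewriter : public Rewriter {
public:
    DNS_Rewriter() : dn_ptrs(16, (const unsigned char*) 0), last_dn_ptr(&dn_ptrs[0]) {}
    const char* Kind() const override { return "DNS_Rewriter"; }

    // Stand-in for DnsCopyQuery(): records which question it copied.
    bool DnsCopyQuery(const std::string& qname, int qtype, int qclass) {
        if (last_dn_ptr == 0)
            return false;   // in the real code this is where dn_comp() faults
        copied.push_back(qname + "/" + std::to_string(qtype) + "/" + std::to_string(qclass));
        return true;
    }

    std::vector<std::string> copied;    // questions successfully copied
private:
    std::vector<const unsigned char*> dn_ptrs;  // compression pointers (stand-in)
    const unsigned char** last_dn_ptr;
};

// Shape of the original dns-rw.bif code: an unchecked C-style cast. If `rw`
// is really a TCP_Rewriter, the result points at an object that has none of
// DNS_Rewriter's members; dereferencing it is undefined behaviour, which on
// Lothar's trace surfaced as the dn_comp() segfault. Kept for contrast only:
// it is safe solely when the object really is a DNS_Rewriter.
bool rewrite_dns_reply_question_unchecked(Rewriter* rw, const std::string& qname) {
    DNS_Rewriter* dnsrewriter = (DNS_Rewriter*) rw;
    return dnsrewriter->DnsCopyQuery(qname, 6, 1);
}

// Lothar's proposed fix: dynamic_cast yields a null pointer when the runtime
// type is not DNS_Rewriter, so the mismatch is reported instead of dereferenced.
bool rewrite_dns_reply_question_checked(Rewriter* rw, const std::string& qname) {
    if (rw == 0)
        return false;
    DNS_Rewriter* dnsrewriter = dynamic_cast<DNS_Rewriter*>(rw);
    if (!dnsrewriter) {
        std::fprintf(stderr, "No suitable rewriter for this kind of DNS traffic (got %s)\n",
                     rw->Kind());
        return false;
    }
    return dnsrewriter->DnsCopyQuery(qname, 6, 1);
}

// Reproduces the thread's scenario: one DNS-over-UDP connection that got a
// DNS_Rewriter and one DNS-over-TCP connection that only has the generic
// TCP_Rewriter, with the DNS event handler running for both. Returns how
// many connections the checked handler had to skip.
int count_unhandled_dns_connections() {
    DNS_Rewriter udp_rw;    // udp/53: DNS.cc created a DNS_Rewriter
    TCP_Rewriter tcp_rw;    // tcp/53: only TCP_Analyzer::Init()'s rewriter exists
    Rewriter* rewriters[] = { &udp_rw, &tcp_rw };
    int unhandled = 0;
    for (Rewriter* rw : rewriters)
        if (!rewrite_dns_reply_question_checked(rw, "example.com"))
            ++unhandled;
    return unhandled;
}

int main() {
    std::printf("DNS connections without a usable rewriter: %d\n",
                count_unhandled_dns_connections());
    return 0;
}
```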
From: sridhar.basam at gmail.com (sridhar basam)
Date: Tue, 1 Jun 2010 13:58:55 -0400
Subject: [Bro] Forcing analyser on partial connections
In-Reply-To: <201006011751.o51HpPGS031712@pork.ICSI.Berkeley.EDU>
References: <201006011751.o51HpPGS031712@pork.ICSI.Berkeley.EDU>

On Tue, Jun 1, 2010 at 1:51 PM, Vern Paxson wrote:
> > I have some very long lived http connections where the capture file
> > doesn't have the tcp setup packets. Is there a way to force the analyser
> > to run on such partial connections?
>
> Which version of Bro are you using, and with what options? In 1.5.1, the
> settings are such that HTTP analysis should work on partial connections
> if you're not running with --use-binpac. (By default, this is indeed off.)
>
> Vern
>

Thanks, I will upgrade to 1.5.1. I am currently using 1.4.

Sridhar

From sridhar.basam at gmail.com Wed Jun 2 07:23:16 2010
From: sridhar.basam at gmail.com (sridhar basam)
Date: Wed, 2 Jun 2010 10:23:16 -0400
Subject: [Bro] Forcing analyser on partial connections
References: <201006011751.o51HpPGS031712@pork.ICSI.Berkeley.EDU>

Tried it on bro 1.5.1 but am unable to get it to run the http analyzer on a partial trace. I have attached the trace in question to this email, if you want to try it out. I am using the following command to get it to pick up the http requests:

bro -C -f 'tcp' -r partial.pcap http http-request http-reply

Sridhar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: partial.pcap
Type: application/octet-stream
Size: 32250 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100602/85c98873/attachment.obj

From vern at icir.org Wed Jun 2 08:11:39 2010
From: vern at icir.org (Vern Paxson)
Date: Wed, 02 Jun 2010 08:11:39 -0700
Subject: [Bro] Forcing analyser on partial connections
In-Reply-To: (Wed, 02 Jun 2010 10:23:16 EDT).
Message-ID: <201006021511.o52FBdee022808@pork.ICSI.Berkeley.EDU>

> Tried it on bro 1.5.1 but am unable to get it to run the http analyzer on a
> partial trace. I have attached the trace in question to this email, if you
> want to try it out.

Oops, I now see that I was running on a modified 1.5.1 that was specifically hacked a while ago to avoid this problem too! Patch appended.

		Vern

Index: src/HTTP.cc
===================================================================
--- src/HTTP.cc	(revision 6988)
+++ src/HTTP.cc	(working copy)
@@ -794,7 +794,7 @@
 	{
 	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 
-	if ( TCP() && TCP()->IsPartial() )
+	if ( TCP() && TCP()->IsPartial() && 0 )
 		return;
 
 	const char* line = reinterpret_cast(data);

From ml at grid.einherjar.de Thu Jun 3 01:34:10 2010
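Review bot: the `+ if ( TCP() && TCP()->IsPartial() && 0 )` line turns the partial-connection early return into dead code instead of removing it, which compilers flag as a constant condition and which leaves a reader wondering whether the skip is still meant to exist; if the intent is to always run HTTP analysis on partial connections, drop the `if` and the `return;` outright, or better, keep the check and gate it on a script-level tunable so the behaviour can be switched without a rebuild. Separately, the context line `const char* line = reinterpret_cast(data);` has no template argument as pasted, so whoever applies this should expect the hunk to need a fuzz match against src/HTTP.cc at revision 6988.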
From: ml at grid.einherjar.de (Thorkill)
Date: Thu, 03 Jun 2010 10:34:10 +0200
Subject: [Bro] Bro 1.5.1, FreeBSD, Mirror-Port questions
Message-ID: <4C076902.5040608@grid.einherjar.de>

Hello List,

I have been running bro since the 0.9 version and I am very happy with it. You do a great job.

Currently we need to move BRO to another box where it will monitor the network on a mirror/monitor-port and not, as now, on a transparent bridge.

We configured a mirror/monitor port on our network equipment; we have a gigabit interface without an IP-Address where all traffic is monitored. BRO is monitoring two class-C (/24) networks and is running on FreeBSD-7.1-Release compiled from .tar.gz and not using ports-management.

-- Our start policy
@load brolite
@load site
@load file-flush
@load ssh

redef log_rotate_interval = 15 min;
redef local_nets: set[subnet] = {
	10.20.20.0/24,
	10.20.21.0/24
};
redef interfaces = "em1";

Now what is happening:

- bro does see all external and internal connections which are logged in conn.log
- bro does see and log some scan attempts
- bro does NOT log any SSH-Connections (client/server version) when coming from external but does log some when internal - it was tested with a policy like this:

	event ssh_client_version(c: connection, version: string)
	{
		print version;
	}

- bro does NOT log any sensitive_URIs when coming from external but does log it when such attempts are internal
- bro does NOT log any or just partial information about FTP/SMTP/HTTP-Requests - in older versions like 1.1d for example the username was logged for FTP, now it is just partial for some connections
- we do not see any packet drops and packets have been processed

My question is - is it normal behavior now or is something broken? I would really like to see the traffic/logs on connections from external to internal for FTP/SMTP/HTTP/SSH - any hints?

Thank you in advance,
thorkill

PS. Internal connections means connections on 10.20.20.0/24 and between those two class-C networks.
--- loaded scripts
loading /usr/local/bro/share/bro//bro.init
loading /usr/local/bro/share/bro//const.bif.bro
loading /usr/local/bro/share/bro//strings.bif.bro
loading /usr/local/bro/share/bro//bro.bif.bro
loading /usr/local/bro/share/bro//event.bif.bro
loading /usr/local/bro/share/bro//common-rw.bif.bro
loading /usr/local/bro/share/bro//finger-rw.bif.bro
loading /usr/local/bro/share/bro//ftp-rw.bif.bro
loading /usr/local/bro/share/bro//ident-rw.bif.bro
loading /usr/local/bro/share/bro//smtp-rw.bif.bro
loading /usr/local/bro/share/bro//http-rw.bif.bro
loading /usr/local/bro/share/bro//dns-rw.bif.bro
loading /usr/local/bro/share/bro//pcap.bro
loading /usr/local/bro/share/bro//server-ports.bro
loading /usr/local/bro/share/bro//brolite.bro
loading /usr/local/bro/share/bro//site.bro
loading /usr/local/bro/share/bro//tcp.bro
loading /usr/local/bro/share/bro//conn.bro
loading /usr/local/bro/share/bro//notice.bro
loading /usr/local/bro/share/bro//drop.bro
loading /usr/local/bro/share/bro//notice-action-filters.bro
loading /usr/local/bro/share/bro//terminate-connection.bro
loading /usr/local/bro/share/bro//hot.bro
loading /usr/local/bro/share/bro//port-name.bro
loading /usr/local/bro/share/bro//netstats.bro
loading /usr/local/bro/share/bro//conn-id.bro
loading /usr/local/bro/share/bro//weird.bro
loading /usr/local/bro/share/bro//frag.bro
loading /usr/local/bro/share/bro//print-resources.bro
loading /usr/local/bro/share/bro//scan.bro
loading /usr/local/bro/share/bro//trw-impl.bro
loading /usr/local/bro/share/bro//trw.bro
loading /usr/local/bro/share/bro//http.bro
loading /usr/local/bro/share/bro//http-request.bro
loading /usr/local/bro/share/bro//http-reply.bro
loading /usr/local/bro/share/bro//http-entity.bro
loading /usr/local/bro/share/bro//software.bro
loading /usr/local/bro/share/bro//ftp.bro
loading /usr/local/bro/share/bro//hot-ids.bro
loading /usr/local/bro/share/bro//ftp-cmd-arg.bro
loading /usr/local/bro/share/bro//portmapper.bro
loading /usr/local/bro/share/bro//tftp.bro
loading /usr/local/bro/share/bro//udp-common.bro
loading /usr/local/bro/share/bro//login.bro
loading /usr/local/bro/share/bro//demux.bro
loading /usr/local/bro/share/bro//irc.bro
loading /usr/local/bro/share/bro//signatures.bro
loading /usr/local/bro/share/bro//blaster.bro
loading /usr/local/bro/share/bro//stepping.bro
loading /usr/local/bro/share/bro//alarm.bro
loading /usr/local/bro/share/bro//synflood.bro
loading /usr/local/bro/share/bro//smtp.bro
loading /usr/local/bro/share/bro//notice-policy.bro
loading /usr/local/bro/share/bro//inactivity.bro
loading /usr/local/bro/share/bro//stats.bro
loading /usr/local/bro/share/bro//rotate-logs.bro
loading /var/spool/bro//site/crns.bro
loading /usr/local/bro/share/bro//file-flush.bro
loading /usr/local/bro/share/bro//ssh.bro
pcap bufsize = 32768
listening on em1

From Tyler.Schoenke at colorado.edu Thu Jun 3 11:33:38 2010
From: Tyler.Schoenke at colorado.edu (Tyler T. Schoenke)
Date: Thu, 03 Jun 2010 12:33:38 -0600
Subject: [Bro] Trying to get drop_source_and_terminate working
Message-ID: <4C07F582.8030306@colorado.edu>

Hi everyone,

I'm running bro version 1.5.2.2. I am trying to get the drop_source_and_terminate function working. I have a test notice set up that calls drop_source_and_terminate. It is logging the NOTICE_DROP, but the terminate_connection(n$conn) doesn't seem to be working. I'm not seeing TerminatingConnection or TerminatingConnectionIgnored notices, and am getting the following error:

1275573771.744509 /usr/local/bro/share/bro/notice-action-filters.bro, line 74 (terminate_connection): run-time error, value used but not set

Any ideas?

Tyler

--
Tyler Schoenke
Network Security Analyst
IT Security Office
University of Colorado - Boulder

From ml at grid.einherjar.de Thu Jun 3 15:05:49 2010
From: ml at grid.einherjar.de (Thorkill)
Date: Fri, 04 Jun 2010 00:05:49 +0200
Subject: [Bro] Bro 1.5.1, FreeBSD, Mirror-Port questions
In-Reply-To: <4C076902.5040608@grid.einherjar.de>
References: <4C076902.5040608@grid.einherjar.de>
Message-ID: <4C08273D.1080304@grid.einherjar.de>

Hello List,

Thorkill wrote:
> Hello List,
> Currently we need to move BRO to another box where it will monitor the
> network on a mirror/monitor-port and not as now on a transparent bridge.
>
> We configured a mirror/monitor port on our network equipment, we have a
> gigabit interface without an IP-Address where all traffic is monitored.

It seems that the problem lies on the network - I can not see, for example, SYN+ACK packets on the mirror port. I made tcpdump-traces at both points - bridge and mirroring-port - of the same connection and ran bro on it.

-- on mirroring-port
1275600294.796861 2.990471 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1636 ? SH X cc=1
1275600303.621237 ? 62.xx.xx.xx 10.20.20.54 ssh 55537 22 tcp ? ? S0 X cc=1

-- same connection on bridge
1275599866.464086 2.992575 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1637 2120 SF X

Sorry for the 'false-alarm'.

Regards,
thorkill

From sridhar.basam at gmail.com Fri Jun 4 07:44:06 2010
From: sridhar.basam at gmail.com (sridhar basam)
Date: Fri, 4 Jun 2010 10:44:06 -0400
Subject: [Bro] Workshop 2010?

Are there any plans to hold a workshop this calendar year?

Sridhar

From vern at icir.org Fri Jun 4 14:26:30 2010
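A check for the one-directional capture Thorkill diagnosed above, as an added example that is not part of the thread or of Bro: it parses 1.x conn.log lines in the column layout his output shows (ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, state, flag, optional addl) and counts TCP connections whose state means one endpoint's packets were never seen. The sample lines are the three from his message; the 50% threshold and the helper names are assumptions.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One Bro 1.x conn.log record, in the column order seen in the thread.
struct ConnRecord {
    std::string ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto;
    std::string orig_bytes, resp_bytes, state, flag, addl;
};

// Parse one whitespace-separated line; "?" placeholders are kept as-is.
// Returns false for lines that lack the 12 mandatory columns.
bool parse_conn_line(const std::string& line, ConnRecord& rec) {
    std::istringstream in(line);
    std::vector<std::string> f;
    std::string tok;
    while (in >> tok)
        f.push_back(tok);
    if (f.size() < 12)
        return false;
    ConnRecord r = { f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7],
                     f[8], f[9], f[10], f[11], f.size() > 12 ? f[12] : std::string() };
    rec = r;
    return true;
}

// SH, S0 and RSTOS0: the originator's SYN was seen but never a SYN-ACK,
// which is exactly what the mirror port produced for Thorkill.
bool responder_never_seen(const ConnRecord& r) {
    static const std::set<std::string> states = { "S0", "SH", "RSTOS0" };
    return states.count(r.state) > 0;
}

// SHR and RSTRH: the responder's SYN-ACK was seen but never the SYN
// (the mirror would be forwarding only the other direction).
bool originator_never_seen(const ConnRecord& r) {
    static const std::set<std::string> states = { "SHR", "RSTRH" };
    return states.count(r.state) > 0;
}

struct CaptureHealth {
    int total;          // TCP connections parsed
    int resp_missing;   // responder side never seen
    int orig_missing;   // originator side never seen
    int unparsed;       // lines without the 12 mandatory columns
    double one_sided_fraction() const {
        return total ? double(resp_missing + orig_missing) / total : 0.0;
    }
};

CaptureHealth assess_capture(const std::vector<std::string>& lines) {
    CaptureHealth h = { 0, 0, 0, 0 };
    for (size_t i = 0; i < lines.size(); ++i) {
        ConnRecord r;
        if (!parse_conn_line(lines[i], r)) { ++h.unparsed; continue; }
        if (r.proto != "tcp") continue;     // the state semantics above are TCP-only
        ++h.total;
        if (responder_never_seen(r)) ++h.resp_missing;
        else if (originator_never_seen(r)) ++h.orig_missing;
    }
    return h;
}

// Assumption: a majority of one-sided TCP connections at a capture point
// points at the SPAN/mirror session, not at the hosts. A genuinely scanned
// network also shows many S0 entries, so compare against a known-good
// capture point (the bridge, here) before blaming the switch.
bool mirror_suspect(const CaptureHealth& h) {
    return h.total > 0 && h.one_sided_fraction() > 0.5;
}

// Constructed sample: the lines Thorkill posted, address octets masked as in the thread.
const std::vector<std::string> kMirrorPortLog = {
    "1275600294.796861 2.990471 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1636 ? SH X cc=1",
    "1275600303.621237 ? 62.xx.xx.xx 10.20.20.54 ssh 55537 22 tcp ? ? S0 X cc=1",
};
const std::vector<std::string> kBridgeLog = {
    "1275599866.464086 2.992575 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1637 2120 SF X",
};
```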
From: vern at icir.org (Vern Paxson)
Date: Fri, 04 Jun 2010 14:26:30 -0700
Subject: [Bro] Trying to get drop_source_and_terminate working
In-Reply-To: <4C07F582.8030306@colorado.edu> (Thu, 03 Jun 2010 12:33:38 MDT).
Message-ID: <201006042126.o54LQU2F000377@pork.ICSI.Berkeley.EDU>

> 1275573771.744509 /usr/local/bro/share/bro/notice-action-filters.bro,
> line 74 (terminate_connection): run-time error, value used but not set
>
> Any ideas?

Try the appended patch and let me know if it fixes the problem.

		Vern

Index: policy/notice-action-filters.bro
===================================================================
--- policy/notice-action-filters.bro	(revision 6988)
+++ policy/notice-action-filters.bro	(working copy)
@@ -67,11 +67,10 @@
 	return NOTICE_DROP;
 	}
 
-global terminate_connection: function(c: connection);
 function drop_source_and_terminate(n: notice_info, a: NoticeAction): NoticeAction
 	{
 	if ( n?$conn )
-		terminate_connection(n$conn);
+		TerminateConnection::terminate_connection(n$conn);
 
 	return NOTICE_DROP;
 	}

From soehlert at ncsa.uiuc.edu Fri Jun 4 14:48:55 2010
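Review bot: the `+ TerminateConnection::terminate_connection(n$conn);` line binds the call to the TerminateConnection module, and with the `-global terminate_connection: function(c: connection);` forward declaration gone, a missing definition now fails at parse time rather than as the "value used but not set" run-time error Tyler reported, which is the right direction; what the hunk leaves implicit is the load order, so it should also confirm (or add) an `@load terminate-connection` ahead of this function in notice-action-filters.bro, since the bare forward declaration is what previously let the file parse without that module present.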
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Fri, 4 Jun 2010 16:48:55 -0500 (CDT)
Subject: [Bro] Bro Cluster Help
In-Reply-To: <1654750295.5282.1275687858798.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <1038827859.5299.1275688135353.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I am attempting to figure out how to get a Bro Cluster up and running, but all documentation I see is outdated. I am trying to use the latest SVN (though if you know how to do it with 1.5, I'll figure out the differences between the two), and I am having problems.

First of all, I have the manager and proxy nodes as the main box, with two workers being in virtualized OSes. They can all ping each other, so I know they are connected. I do not know how to start up bro in this method though. Should I be starting bro on the workers, then broctl on the manager? Vice versa? Only start broctl?

My other problem is a new one: I am now getting an error when I try to start broctl on the manager node. It keeps telling me that the broctl start script can only be run on a manager node. Is there some place to tell it this is the manager (it was working before, the errors I got were related to the workers, not the manager)?

Sorry for the long email, but I have been working for quite a while and I can't figure this out. I have also spent a long time searching for help that's out there already, sorry if I missed it.

Thank you.

Sam

From Tyler.Schoenke at colorado.edu Fri Jun 4 15:55:51 2010
From: Tyler.Schoenke at colorado.edu (Tyler T. Schoenke)
Date: Fri, 4 Jun 2010 16:55:51 -0600
Subject: [Bro] Trying to get drop_source_and_terminate working
In-Reply-To: <201006042126.o54LQU2F000377@pork.ICSI.Berkeley.EDU>
References: <4C07F582.8030306@colorado.edu> (Thu, 03 Jun 2010 12:33:38 MDT)., <201006042126.o54LQU2F000377@pork.ICSI.Berkeley.EDU>
Message-ID: <0AA5D924DE90AF48BBD563CCD296B8FB3FBCA1C931@EXC2.ad.colorado.edu>

Vern,

Thanks for the patch, yes, that fixed the error message. I also had to remove the ./ from ./rst in terminate-connection.bro to get the rst utility to work. Should I add these to the tracker?

--- terminate-connection.bro.orig	2010-06-04 16:21:02.000000000 -0600
+++ terminate-connection.bro	2010-06-04 16:46:51.000000000 -0600
@@ -32,7 +32,7 @@
 	{
 	local local_init = is_local_addr(id$orig_h);
 
-	local term_cmd = fmt("./rst %s -n 32 -d 20 %s %d %d %s %d %d",
+	local term_cmd = fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d",
 			local_init ? "-R" : "",
 			id$orig_h, id$orig_p, get_orig_seq(id),
 			id$resp_h, id$resp_p, get_resp_seq(id));
@@ -43,7 +43,7 @@
 	NOTICE([$note=TerminatingConnection, $conn=c, $msg=term_cmd,
 		$sub="first termination command"]);
 
-	term_cmd = fmt("./rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
+	term_cmd = fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
 			local_init ? "-R" : "",
 			id$orig_h, id$orig_p, get_orig_seq(id),
 			id$resp_h, id$resp_p, get_resp_seq(id));

Tyler

From vern at icir.org Fri Jun 4 16:01:34 2010
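Review bot: in the first hunk, changing `fmt("./rst %s -n 32 -d 20 ...` to `fmt("rst %s -n 32 -d 20 ...` swaps a dependency on the current working directory for a dependency on whatever PATH the Bro process inherits, which differs between a broctl-started node and an interactive run, so the same "rst not found" failure can come back under a different launcher; a redef-able constant holding the full path to rst, interpolated into the fmt call, would make the location explicit and configurable instead of environment-dependent.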
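Review bot: the second hunk (`fmt("rst %s -r 2 -n 4 -s 512 -d 20 ...`) repeats both the same command-name change and the same seven-argument tail (`local_init ? "-R" : ""`, `id$orig_h, id$orig_p, get_orig_seq(id)`, `id$resp_h, id$resp_p, get_resp_seq(id)`) as the first; since the two termination commands must stay in step, building that tail once and reusing it for both fmt calls would have made this a one-line change and will keep the next edit to the rst invocation from needing two matching hunks.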
From: vern at icir.org (Vern Paxson)
Date: Fri, 04 Jun 2010 16:01:34 -0700
Subject: [Bro] Trying to get drop_source_and_terminate working
In-Reply-To: <0AA5D924DE90AF48BBD563CCD296B8FB3FBCA1C931@EXC2.ad.colorado.edu> (Fri, 04 Jun 2010 16:55:51 MDT).
Message-ID: <201006042301.o54N1YX0001500@pork.ICSI.Berkeley.EDU>

> Thanks for the patch, yes, that fixed the error message.

Cool.

> I also had to remove the ./ from ./rst in terminate-connection.bro to
> get the rst utility to work. Should I add these to the tracker?

No need, I'll check them in directly as fixes now.

		Vern

From robin at icir.org Mon Jun 7 10:37:42 2010
From: robin at icir.org (Robin Sommer)
Date: Mon, 7 Jun 2010 10:37:42 -0700
Subject: [Bro] Bro Cluster Help
In-Reply-To: <1038827859.5299.1275688135353.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <1654750295.5282.1275687858798.JavaMail.root@zimbra-1.ncsa.uiuc.edu> <1038827859.5299.1275688135353.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <20100607173742.GH91416@icir.org>

On Fri, Jun 04, 2010 at 16:48 -0500, you wrote:
> I am attempting to figure out how to get a Bro Cluster up and
> running, but all documentation I see is outdated.

The README.html coming with the distribution in aux/broctl is current:

http://svn.icir.org/bro/trunk/bro/aux/broctl/README.html

> First of all, I have the manager and proxy nodes as the main box,
> with two workers being in virtualized OSes. They can all ping each
> other, so I know they are connected. I do not know how to start up
> bro in this method though. Should I be starting bro on the workers,
> then broctl on the manager? Vice Versa? Only start broctl?

I haven't tried such a setup yet but generally it shouldn't make a difference whether the workers are in VMs or not. Use broctl (only) on the manager, per the README.

> broctl start script can only be run on a manager node, is there some
> place to tell it this is the manager (it was working before, the
> errors I got were related to the workers, not the manager).

Depending on the version you're using, this patch might or might not be applied:

http://tracker.icir.org/bro/attachment/ticket/190/is-local-manager.patch.txt

If it is already applied, please delete spool/debug.log, run the start command again, and then send me the new spool/debug.log.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From vern at icir.org Mon Jun 7 10:39:33 2010
From: vern at icir.org (Vern Paxson)
Date: Mon, 07 Jun 2010 10:39:33 -0700
Subject: [Bro] Workshop 2010?
In-Reply-To: (Fri, 04 Jun 2010 10:44:06 EDT).
Message-ID: <201006071739.o57HdXNH003834@pork.ICSI.Berkeley.EDU>

> Are there any plans to hold a workshop this calendar year?

So far we haven't put together any plans in this regard. It would help to get a sense of demand, so perhaps any folks who would be interested in attending one this year could send me a private note to that effect.

		Vern

From apomeroy at networkforensics.org Wed Jun 9 10:20:52 2010
From: apomeroy at networkforensics.org (Allen Pomeroy)
Date: Wed, 9 Jun 2010 11:20:52 -0600 (MDT)
Subject: [Bro] Broccoli worker problems with TimeMachine
Message-ID: <1276104052.738418968@192.168.2.230>

I am trying to get Time Machine (tm-20090206) running with broccoli to support both interaction with Bro-IDS 1.5.1 and the command line tm-query interface within Time Machine. Time Machine configured, compiles and runs ok (including capturing packets and allowing queries on localhost 42042/tcp), however when I try to connect (anything) to the bro listener, the tm process panics and immediately abends (nothing useful when I run strace against it during the crash). The only related messages in the tm.log are:

1276102721.251917 broccoli-listen: listening for incoming connections on port 47757...
1276102721.251938 broccoli-init: listen_thread started [a5dc8b90]
1276102731.190267 broccoli-listen: accepted connection
1276102731.190405 broccoli-listen: started Broccoli worker [a4dc3b90]
1276102731.190435 broccoli-worker: running Broccoli worker [a4dc3b90]

where the broccoli-worker message appears immediately upon connection (via telnet localhost 47757), and the tm process immediately abends.

I'm running on Linux (Ubuntu 9.04 32 bit 2.6.28-11-server) and all the code was compiled with gcc-4.3.3 and g++-4.3.3. The firewall (iptables) is also the Bro-IDS and TM system, and it's monitoring an attacker (backtrack 4.0) running against a web application on an apache 2.2.12 server (all on a MacBook Pro OS X 10.6.3 with VMware Fusion 3.0.1).

Any ideas where I should start looking for the cause of the abends?

Thanks,
AP

From apomeroy at networkforensics.org Wed Jun 9 11:05:49 2010
From: apomeroy at networkforensics.org (Allen Pomeroy)
Date: Wed, 9 Jun 2010 12:05:49 -0600 (MDT)
Subject: [Bro] Broccoli worker problems with TimeMachine
In-Reply-To: <20100609173800.GA2584@datacomm.albany.edu>
References: <1276104052.738418968@192.168.2.230> <20100609173800.GA2584@datacomm.albany.edu>
Message-ID: <1276106749.814214388@192.168.2.230>

> On Wed, Jun 09, 2010 at 01:20:52PM -0400, Allen Pomeroy wrote:
> > I am trying to get Time Machine (tm-20090206) running with broccoli to
> > support both interaction with Bro-IDS 1.5.1 and the command line
> > tm-query interface within Time Machine. Time Machine configured,
> > compiles and runs ok (including capturing packets and allowing queries
> > on localhost 42042/tcp), however when I try to connect (anything) to
> > the bro listener, the tm process panics and immediately abends
> > (nothing useful when I run strace against it during the crash).
>
> Try this patch:
>
> http://tracker.icir.org/time-machine/ticket/1
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst

Thanks Justin, that worked perfectly.

Regards,
AP

From JAzoff at uamail.albany.edu Wed Jun 9 10:38:04 2010
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Wed, 9 Jun 2010 13:38:04 -0400
Subject: [Bro] Broccoli worker problems with TimeMachine
In-Reply-To: <1276104052.738418968@192.168.2.230>
References: <1276104052.738418968@192.168.2.230>
Message-ID: <20100609173800.GA2584@datacomm.albany.edu>

On Wed, Jun 09, 2010 at 01:20:52PM -0400, Allen Pomeroy wrote:
> I am trying to get Time Machine (tm-20090206) running with broccoli to
> support both interaction with Bro-IDS 1.5.1 and the command line
> tm-query interface within Time Machine. Time Machine configured,
> compiles and runs ok (including capturing packets and allowing queries
> on localhost 42042/tcp), however when I try to connect (anything) to
> the bro listener, the tm process panics and immediately abends
> (nothing useful when I run strace against it during the crash).

Try this patch:

http://tracker.icir.org/time-machine/ticket/1

--
-- Justin Azoff
-- Network Security & Performance Analyst

From alan.meeks at angelo.edu Thu Jun 10 13:17:12 2010
From: alan.meeks at angelo.edu (Alan J. Meeks) Date: Thu, 10 Jun 2010 15:17:12 -0500 Subject: [Bro] Multiple Capture Interfaces Message-ID: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local> I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue? Alan Meeks Information Security Analyst Angelo State University www.angelo.edu 325-942-2333 phone 325-942-2109 fax -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100610/752f6752/attachment.html From soehlert at ncsa.uiuc.edu Thu Jun 10 13:20:23 2010 From: soehlert at ncsa.uiuc.edu (Sam Oehlert) Date: Thu, 10 Jun 2010 15:20:23 -0500 (CDT) Subject: [Bro] Multiple Capture Interfaces In-Reply-To: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local> Message-ID: <1462302116.60529.1276201223358.JavaMail.root@zimbra-1.ncsa.uiuc.edu> What installation steps did you follow? I had problems getting a cluster up and running because I was installing it incorrectly at first. Sam ----- Original Message ----- 
From: "Alan J. Meeks" To: "bro at ICSI.Berkeley.EDU" Sent: Thursday, June 10, 2010 3:17:12 PM Subject: [Bro] Multiple Capture Interfaces I am a new user of Bro. I?ve installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can?t seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue? Alan Meeks Information Security Analyst Angelo State University www.angelo.edu 325-942-2333 phone 325-942-2109 fax _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From alan.meeks at angelo.edu Thu Jun 10 13:24:28 2010 From: alan.meeks at angelo.edu (Alan J. Meeks) Date: Thu, 10 Jun 2010 15:24:28 -0500 Subject: [Bro] Multiple Capture Interfaces In-Reply-To: <1462302116.60529.1276201223358.JavaMail.root@zimbra-1.ncsa.uiuc.edu> References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local> <1462302116.60529.1276201223358.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Message-ID: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF75@EXSERVECLUS2.angelo.local> Sam, I believe I installed in a non-clustered or standalone mode. Ran the ./configure, make and make install after ensuring I got all the prereqs on the server. I also forgot to mention I was not in the position where I could pick and choose my hardware and could not get BSD installed. I had to fall back to CentOS 5.5. Not sure if that answers your question. -----Original Message----- 
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:20 PM
To: Alan J. Meeks
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Multiple Capture Interfaces

What installation steps did you follow? I had problems getting a cluster up and running because I was installing it incorrectly at first.

Sam

----- Original Message -----
From: "Alan J. Meeks"
To: "bro at ICSI.Berkeley.EDU"
Sent: Thursday, June 10, 2010 3:17:12 PM
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue?

Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax

From vern at icir.org Thu Jun 10 13:40:05 2010
From: vern at icir.org (Vern Paxson)
Date: Thu, 10 Jun 2010 13:40:05 -0700
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF75@EXSERVECLUS2.angelo.local> (Thu, 10 Jun 2010 15:24:28 CDT).
Message-ID: <201006102040.o5AKe5pQ003351@pork.ICSI.Berkeley.EDU>

How are you pointing Bro at the different interfaces?

Vern

From alan.meeks at angelo.edu Thu Jun 10 13:49:16 2010
From: alan.meeks at angelo.edu (Alan J. Meeks)
Date: Thu, 10 Jun 2010 15:49:16 -0500
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To: <201006102040.o5AKe5pQ003351@pork.ICSI.Berkeley.EDU>
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF75@EXSERVECLUS2.angelo.local> (Thu, 10 Jun 2010 15:24:28 CDT). <201006102040.o5AKe5pQ003351@pork.ICSI.Berkeley.EDU>
Message-ID: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF79@EXSERVECLUS2.angelo.local>

Well, I've tried the command line switch -i to specify multiple interfaces by starting bro with "bro -i eth0 -i eth1" and so on, but when I try to start bro that way it will not start. The command will hang and bro won't start. I can start bro through ./broctl but can't pass it the interfaces as parameters that way.

-----Original Message-----
From: Vern Paxson [mailto:vern at icir.org]
Sent: Thursday, June 10, 2010 3:40 PM
To: Alan J. Meeks
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Multiple Capture Interfaces

How are you pointing Bro at the different interfaces?

Vern

From alan.meeks at angelo.edu Thu Jun 10 13:50:53 2010
From: alan.meeks at angelo.edu (Alan J. Meeks)
Date: Thu, 10 Jun 2010 15:50:53 -0500
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To: <609506782.61000.1276202910469.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF78@EXSERVECLUS2.angelo.local> <609506782.61000.1276202910469.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF7A@EXSERVECLUS2.angelo.local>

Sam,

Here is my node.cfg below:

# $Id: node.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
#
# Node configuration for a non-cluster, single-instance setup.
#
[bro]
type=standalone
host=localhost
interface=eth0

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:49 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I see, I didn't think you installed broctl. I wonder if that is why the command hangs. What does your node.cfg look like?

Sam

----- Original Message -----
From: "Alan J. Meeks"
To: "Sam Oehlert"
Sent: Thursday, June 10, 2010 3:46:54 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Well, you see that's interesting. I've been starting Bro through ./broctl. When I try to run Bro -i eth0 -i eth1 and so on, the command hangs and bro does not start.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:38 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I'm sure there is a better way to do this long term, but if you use the i flag when calling bro, you can use multiple interfaces. Look at the i flag here: http://www.bro-ids.org/Bro-reference-manual/Flags.html

Sam

----- Original Message -----
From: "Alan J. Meeks"
To: "Sam Oehlert"
Sent: Thursday, June 10, 2010 3:32:30 PM
Subject: RE: [Bro] Multiple Capture Interfaces

The server has 4 ethernet interfaces in it that I have configured: 3 connected to taps and one to a regular switchport/local subnet. My Bro installation can currently only capture from one at a time, whichever one I have specified in /usr/local/bro/etc/node.cfg in the interface entry. I am hoping to be able to specify more than one capture interface at a time.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:30 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

I'm sorry, I am not understanding which four interfaces you are talking about.

----- Original Message -----
From: "Alan J. Meeks"
To: "Sam Oehlert"
Sent: Thursday, June 10, 2010 3:27:32 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Just trying to get the 4 interfaces recognized as capture interfaces.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:27 PM
To: Alan J. Meeks
Subject: Re: [Bro] Multiple Capture Interfaces

Alan,

That does answer the question I had. I just realized I may have misread your email, however. Are you attempting to use a cluster setup, or are you just wanting to use multiple NICs or what? Also, CentOS 5.5 is what I used for this too, so I have some experience getting it up and running on there.

Sam

----- Original Message -----
From: "Alan J. Meeks"
To: "Sam Oehlert"
Cc: bro at ICSI.Berkeley.EDU
Sent: Thursday, June 10, 2010 3:24:28 PM
Subject: RE: [Bro] Multiple Capture Interfaces

Sam,

I believe I installed in a non-clustered or standalone mode. Ran the ./configure, make and make install after ensuring I got all the prereqs on the server. I also forgot to mention I was not in the position where I could pick and choose my hardware and could not get BSD installed. I had to fall back to CentOS 5.5. Not sure if that answers your question.

-----Original Message-----
From: Sam Oehlert [mailto:soehlert at ncsa.uiuc.edu]
Sent: Thursday, June 10, 2010 3:20 PM
To: Alan J. Meeks
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] Multiple Capture Interfaces

What installation steps did you follow? I had problems getting a cluster up and running because I was installing it incorrectly at first.

Sam

----- Original Message -----
From: "Alan J. Meeks"
To: "bro at ICSI.Berkeley.EDU"
Sent: Thursday, June 10, 2010 3:17:12 PM
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue?

Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax

From jones at tacc.utexas.edu Thu Jun 10 15:10:26 2010
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 10 Jun 2010 17:10:26 -0500
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local>
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local>
Message-ID:

I run taps too and use the following config per worker:

[worker-4] #NLR
type=worker
host=homey1.tacc.utexas.edu
interface=eth4.3021 -i eth5.3021
aux_scripts=q1

The aux_scripts set up a filter so that worker only sees a portion of the IP space, in my case ? per worker per tap.

Bill Jones
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Alan J. Meeks
Sent: Thursday, June 10, 2010 3:17 PM
To: 'bro at ICSI.Berkeley.EDU'
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue?

Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax

From seth at remor.com Thu Jun 10 23:09:08 2010
From: seth at remor.com (Seth Hall)
Date: Fri, 11 Jun 2010 02:09:08 -0400
Subject: [Bro] Broccoli worker problems with TimeMachine
In-Reply-To: <1276106749.814214388@192.168.2.230>
References: <1276104052.738418968@192.168.2.230> <20100609173800.GA2584@datacomm.albany.edu> <1276106749.814214388@192.168.2.230>
Message-ID: <7712C879-40DB-45C8-9EF2-717BAC725428@remor.com>

On Jun 9, 2010, at 2:05 PM, Allen Pomeroy wrote:

> Thanks Justin, that worked perfectly.

This is *finally* fixed in the repository. Once I figure out where to place release tar.gz's, we can do a release that actually works with Bro. :)

.Seth

From alan.meeks at angelo.edu Fri Jun 11 07:04:33 2010
From: alan.meeks at angelo.edu (Alan J. Meeks)
Date: Fri, 11 Jun 2010 09:04:33 -0500
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To:
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local>
Message-ID: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF7D@EXSERVECLUS2.angelo.local>

Bill,

Thank you. I had somehow missed that I could pass multiple interface arguments to broctl through the interface line in node.cfg that way. I've modified the interface line and bro is now capturing on all four interfaces simultaneously.

From: William Jones [mailto:jones at tacc.utexas.edu]
Sent: Thursday, June 10, 2010 5:10 PM
To: Alan J. Meeks; 'bro at ICSI.Berkeley.EDU'
Subject: RE: Multiple Capture Interfaces

I run taps too and use the following config per worker:

[worker-4] #NLR
type=worker
host=homey1.tacc.utexas.edu
interface=eth4.3021 -i eth5.3021
aux_scripts=q1

The aux_scripts set up a filter so that worker only sees a portion of the IP space, in my case ? per worker per tap.

Bill Jones
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Alan J. Meeks
Sent: Thursday, June 10, 2010 3:17 PM
To: 'bro at ICSI.Berkeley.EDU'
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue?

Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax

From jones at tacc.utexas.edu Fri Jun 11 07:54:45 2010
From: jones at tacc.utexas.edu (William Jones)
Date: Fri, 11 Jun 2010 09:54:45 -0500
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF7D@EXSERVECLUS2.angelo.local>
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local> <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF7D@EXSERVECLUS2.angelo.local>
Message-ID:

It's easy to miss since it's an undocumented feature :)

From: Alan J. Meeks [mailto:alan.meeks at angelo.edu]
Sent: Friday, June 11, 2010 9:05 AM
To: William Jones; 'bro at ICSI.Berkeley.EDU'
Subject: RE: Multiple Capture Interfaces

Bill,

Thank you. I had somehow missed that I could pass multiple interface arguments to broctl through the interface line in node.cfg that way. I've modified the interface line and bro is now capturing on all four interfaces simultaneously.
From: William Jones [mailto:jones at tacc.utexas.edu]
Sent: Thursday, June 10, 2010 5:10 PM
To: Alan J. Meeks; 'bro at ICSI.Berkeley.EDU'
Subject: RE: Multiple Capture Interfaces

I run taps too and use the following config per worker:

[worker-4] #NLR
type=worker
host=homey1.tacc.utexas.edu
interface=eth4.3021 -i eth5.3021
aux_scripts=q1

The aux_scripts set up a filter so that worker only sees a portion of the IP space, in my case ? per worker per tap.

Bill Jones

From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Alan J. Meeks
Sent: Thursday, June 10, 2010 3:17 PM
To: 'bro at ICSI.Berkeley.EDU'
Subject: [Bro] Multiple Capture Interfaces

I am a new user of Bro. I've installed ver 1.5.1 and I can run just fine with a single interface (whichever one is specified in node.cfg) but I can't seem to get other capture interfaces running. I am set up with 4 ethernet interfaces, three of which are taps to different locations within my network and one to the local subnet where the server is located. What additional information can I provide that might help identify the issue?

Alan Meeks
Information Security Analyst
Angelo State University
www.angelo.edu
325-942-2333 phone
325-942-2109 fax

From seth at remor.com Fri Jun 11 08:34:05 2010
From: seth at remor.com (Seth Hall)
Date: Fri, 11 Jun 2010 11:34:05 -0400
Subject: [Bro] Multiple Capture Interfaces
In-Reply-To:
References: <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF74@EXSERVECLUS2.angelo.local> <97B87D8E97A0D84FAF596F69127F6A15AE22DDDF7D@EXSERVECLUS2.angelo.local>
Message-ID: <4BD0BCCB-980A-48F7-B5EC-78E173615541@remor.com>

On Jun 11, 2010, at 10:54 AM, William Jones wrote:

> It's easy to miss since it's an undocumented feature :)

Unfortunately, the reason it's undocumented is because (while it does work) it's not a recommended solution because it breaks several other features in broctl. Better ways to accomplish the same thing are to:

1. Bridge your interfaces together in your operating system to present a single interface to Bro.
2. Run Bro as a cluster where each worker node runs on the same box but sniffs different interfaces.

.Seth

From iqbalf at ucalgary.ca Fri Jun 11 16:48:58 2010
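For Seth Hall's second option, a node.cfg laid out as a cluster whose nodes all run on the one box, with one worker per capture interface, looks like the following. This is an added example written for this archive page, not a file from the thread or from the Bro distribution; the node labels, the host value and the interface names (eth0 for the local subnet, eth1 through eth3 for the three taps) are assumptions matching Alan's description, and it replaces the standalone [bro] section entirely, since a node.cfg is either standalone or cluster, not both.

```ini
# Added example (not from the thread): cluster-style node.cfg for one host
# with four capture interfaces, one worker per interface. Assumes the
# interface names below; adjust host= if broctl on your version needs a
# resolvable name rather than localhost.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# One worker per tap interface (assumed eth1..eth3).
[worker-1]
type=worker
host=localhost
interface=eth1

[worker-2]
type=worker
host=localhost
interface=eth2

[worker-3]
type=worker
host=localhost
interface=eth3

# The local-subnet interface (assumed eth0).
[worker-4]
type=worker
host=localhost
interface=eth0
```

Compared with the undocumented `interface=eth4.3021 -i eth5.3021` form from Bill's message, each worker here has exactly one interface, so broctl's per-node handling (status, logs, restarts) keeps working as designed. For Seth's first option on CentOS 5, the bridge-utils commands brctl addbr and brctl addif build a bridge that Bro can sniff as a single interface; leave the enslaved tap ports without IP addresses so the sensor box does not answer on them.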
From: iqbalf at ucalgary.ca (Faisal Iqbal)
Date: Fri, 11 Jun 2010 17:48:58 -0600
Subject: [Bro] Analyzing vlan + normal traffic concurrently
Message-ID: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca>

Hi,

I have a few network traces to analyze [for traffic classification] which have vlan headers for certain subnets, and I'm not able to analyze them using bro. I can use the "@load vlan" filter but then I'm only able to read vlan traffic, and it makes Bro skip the normal [non-vlan] traffic. In my setup, some subnets in my traces are on vlan and further, these subnets have only inbound traffic on vlan while outbound traffic seems to be direct [no vlan header in outbound packets]. Due to the above mentioned issue I have to pass each trace twice using different filters and I'm getting two uni-directional flows for each bidirectional flow.

I searched the Bro mailing list and from the previous posts, I feel that Bro does not support reading vlan and non-vlan traffic concurrently. Is this assumption correct or is there some way/hack to actually analyze them at the same time? Also since I'm using Bro for offline traces, does anyone know a way to somehow modify the trace file to *fix* vlan traffic and change it to normal traffic?

Thanks for the help :)

-Faisal

From vern at icir.org Sun Jun 13 23:01:24 2010
From: vern at icir.org (Vern Paxson)
Date: Sun, 13 Jun 2010 23:01:24 -0700
Subject: [Bro] Analyzing vlan + normal traffic concurrently
In-Reply-To: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca> (Fri, 11 Jun 2010 17:48:58 MDT).
Message-ID: <201006140601.o5E61OQ3009502@pork.ICSI.Berkeley.EDU>

> ... I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct

Yes.

> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.

There's a handy utility "vstrip", written by Eli Dart, that will take a pcap file and remove VLAN headers in it. I've put a copy at:

http://www.icir.org/vern/tmp/vstrip.tar

I also have a modified version that can strip out multiple VLAN tags (which we've found some switches can generate). Let me know if you need that one.

Vern

From robin at icir.org Mon Jun 14 09:11:16 2010
From: robin at icir.org (Robin Sommer)
Date: Mon, 14 Jun 2010 09:11:16 -0700
Subject: [Bro] Analyzing vlan + normal traffic concurrently
In-Reply-To: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca>
References: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca>
Message-ID: <20100614161116.GC33644@icir.org>

(This was written before Vern's response but I forgot to send it. The tool he mentions is probably the better one.)

On Fri, Jun 11, 2010 at 17:48 -0600, you wrote:

> I searched Bro mailing list and from the previous posts, I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct or there is some way/hack to actually analyze them at

Yes, that's right, there's no support for this yet. It shouldn't be too hard to add though. I have an experimental patch for adding dynamic MPLS decapsulation and VLAN could probably be done in a similar way. Let me know if you're interested in that patch.

> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.

Google finds this:

http://www.life-gone-hazy.com/src/tcpdump-tools/tcpdump-strip-vlans.c

Haven't tried it though ...

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From ager at net.in.tum.de Mon Jun 14 10:05:14 2010
From: ager at net.in.tum.de (Bernhard Ager)
Date: Mon, 14 Jun 2010 19:05:14 +0200
Subject: [Bro] Analyzing vlan + normal traffic concurrently
In-Reply-To: <20100614161116.GC33644@icir.org>
References: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca> <20100614161116.GC33644@icir.org>
Message-ID: <20100614170513.GG21077@in.tum.de>

On Mon, Jun 14, 2010 at 09:11:16AM -0700, Robin Sommer wrote:
> Google finds this:
>
> http://www.life-gone-hazy.com/src/tcpdump-tools/tcpdump-strip-vlans.c

For the record: tcprewrite also offers an option to strip vlan tags and can do a lot more. I haven't used it yet myself, though.

Bernhard

--
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin

From iqbalf at ucalgary.ca Mon Jun 14 15:34:02 2010
From: iqbalf at ucalgary.ca (Faisal Iqbal)
Date: Mon, 14 Jun 2010 16:34:02 -0600
Subject: [Bro] Analyzing vlan + normal traffic concurrently
In-Reply-To: <20100614161116.GC33644@icir.org>
References: <1276300138.1680.17.camel@ubuntu.cpsc.ucalgary.ca> <20100614161116.GC33644@icir.org>
Message-ID: <1276554842.17095.9.camel@ubuntu.cpsc.ucalgary.ca>

I would definitely be interested in the patch. It'd save me [and I hope several others] the time/space of stripping current and future traces of the vlan tags.

For the moment, tcprewrite [pointed out by Bernhard Ager] did the job perfectly. I found that vstrip would mess up the timestamps after stripping but this might be a one-off incident.

Thanks for the help everyone :)

-Faisal

On Mon, 2010-06-14 at 09:11 -0700, Robin Sommer wrote:
> (This was written before Vern's response but I forgot to send it.
> The tool he mentions is probably the better one.)
>
> On Fri, Jun 11, 2010 at 17:48 -0600, you wrote:
>
> > I searched Bro mailing list and from the previous posts, I feel that Bro
> > does not support reading vlan and non-vlan traffic concurrently. Is this
> > assumption correct or there is some way/hack to actually analyze them at
>
> Yes, that's right, there's no support for this yet. It shouldn't be
> too hard to add though. I have an experimental patch for adding
> dynamic MPLS decapsulation and VLAN could probably be done in a
> similar way. Let me know if you're interested in that patch.
>
> > Also since I'm using Bro for offline traces, does anyone know a way to
> > somehow modify the trace file to *fix* vlan traffic and change it to the
> > normal traffic.
>
> Google finds this:
>
> http://www.life-gone-hazy.com/src/tcpdump-tools/tcpdump-strip-vlans.c
>
> Haven't tried it though ...
>
> Robin
>

From estrada.veronica at gmail.com Thu Jun 17 23:09:59 2010
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Fri, 18 Jun 2010 15:09:59 +0900
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
Message-ID:

Hi everyone,

I am puzzled about the outcomes of using ipsumdump or BRO for processing multiple pcap files.

I am using BRO to analyze anomalies in my 12 hours of captured network traffic which was saved in 4 GB pcap files. I want BRO to consider the cases when a connection may have been split in two or more files. I was using ipsumdump to solve this, but I found that some files have errors and cause ipsumdump to crash with this message:

ToDump(bigPcap1.pcap): Inappropriate ioctl for device

Using the capinfos tool I detected that some of my files have a packet size larger than normal (65535), so using tshark I cut the part of the file with problems. For example:

capinfos: An error occurred after reading 3830659 packets from "trace2.pcap": File contains a record that's not valid.
(pcap: File has 4065648712-byte packet, bigger than maximum of 65535)

So I create a reduced version of trace2.pcap with tshark:

/usr/sbin/tshark -c 3830659 -r trace2.pcap -w trace2-new.pcap

This solution seemed to work fine, all the ***-new.pcap have no errors while reading with capinfos or wireshark, but even so there are some that still cause problems for processing.
For example:

I processed the following files in 3 different ways:
trace1.pcap, trace2-new.pcap, trace3.pcap (trace2.pcap was replaced because of the packet size error)

FIRST TRY - using ipsumdump with collate option:

ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy ftp

Output:
9.7 MB conn.log with 114861 lines (number of connections)

SECOND TRY - using ipsumdump without collate option:

ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy ftp

Output:
19 Mbytes conn.log with 228922 lines with 950 repeated connections

THIRD TRY - without ipsumdump:

/usr/local/bro/bin/bro -r trace1.pcap -r trace2-new.pcap -r trace3.pcap brolite todai -f "tcp or udp or icmp" dpd_conn_logs=T dpd detect-protocols dyn-disable irc-bot proxy ftp 2>bro-error3.log

Output:
15 Mbytes conn.log with 169168 lines, connections are not repeated

COMMENTS:
The pcap files have no overlapping traffic (it was checked with trace-summary using first packet seen and last packet seen).
I tried ipsumdump with both the collate and no collate option because when I used ipsumdump only (without bro), with the collate option the resulting larger pcap file was a 7.9 GB file but without the collate option the resulting file was 12 GB (trace1.pcap: 4 MB, trace2-new.pcap: 3.9GB, trace3.pcap: 4GB).
Besides, while using ipsumdump --collate alone, the progress bar showed something like this:

66%****************** |8017MB ETAToDump(LargerTrace.pcap): Success
100%****************************|12113MB

But the progress bar for ipsumdump without the collate option didn't split and reached the 100% 12113MB.

If anyone can illuminate this matter, it will be a great help.

Veronica
From sridhar.basam at gmail.com Fri Jun 18 08:00:37 2010
From: sridhar.basam at gmail.com (sridhar basam)
Date: Fri, 18 Jun 2010 11:00:37 -0400
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To:
References:
Message-ID:

It looks like ipsumdump might be changing the snaplen to 2000 bytes when it writes out the pcap file. I don't see a runtime option to change the snaplen.

Another tool you can try to merge those files is tcpslice from ftp://ftp.ee.lbl.gov/tcpslice.tar.gz. I have been able to preserve the snaplen using tcpslice.

tcpslice trace*.pcap -w - | bro -r - ...

Sri

On Fri, Jun 18, 2010 at 2:09 AM, Veronica Estrada <estrada.veronica at gmail.com> wrote:
>
> Hi everyone,
>
> I am puzzled about the outcomes of using ipsumdump or BRO for processing
> multiple pcap files.
>
> I am using BRO to analyze anomalies in my 12 hours of captured network
> traffic which was saved in 4 GB pcap files. I want BRO to consider the
> cases when a connection may have been split in two or more files. I was
> using ipsumdump to solve this, but I found that some files have errors and
> cause ipsumdump to crash with this message:
> ToDump(bigPcap1.pcap): Inappropriate ioctl for device
>
> Using the capinfos tool I detected that some of my files have a packet size
> larger than normal (65535), so using tshark I cut the part of the file with
> problems. For example:
> capinfos: An error occurred after reading 3830659 packets from
> "trace2.pcap": File contains a record that's not valid.
> (pcap: File has 4065648712-byte packet, bigger than maximum of 65535)
> So I create a reduced version of trace2.pcap with tshark:
> /usr/sbin/tshark -c 3830659 -r trace2.pcap -w trace2-new.pcap
>
> This solution seemed to work fine, all the ***-new.pcap have no errors
> while reading with capinfos or wireshark, but even so there are some that
> still cause problems for processing.
> For example:
>
> I processed the following files in 3 different ways:
> trace1.pcap, trace2-new.pcap, trace3.pcap (trace2.pcap was replaced because
> of the packet size error)
>
> FIRST TRY - using ipsumdump with collate option:
> ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or
> udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy
> ftp
>
> Output:
> 9.7 MB conn.log with 114861 lines (number of connections)
>
> SECOND TRY - using ipsumdump without collate option:
> ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or
> udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy
> ftp
>
> Output:
> 19 Mbytes conn.log with 228922 lines with 950 repeated connections
>
> THIRD TRY - without ipsumdump:
> /usr/local/bro/bin/bro -r trace1.pcap -r trace2-new.pcap -r trace3.pcap
> brolite todai -f "tcp or udp or icmp" dpd_conn_logs=T dpd detect-protocols
> dyn-disable irc-bot proxy ftp 2>bro-error3.log
>
> Output:
> 15 Mbytes conn.log with 169168 lines, connections are not repeated
>
> COMMENTS:
> The pcap files have no overlapping traffic (it was checked with trace-summary using
> first packet seen and last packet seen).
> I tried ipsumdump with both the collate and no collate option because when
> I used ipsumdump only (without bro), with the collate option the resulting larger
> pcap file was a 7.9 GB file but without the collate option the resulting file was
> 12 GB (trace1.pcap: 4 MB, trace2-new.pcap: 3.9GB, trace3.pcap: 4GB).
> Besides, while using ipsumdump --collate alone, the progress bar showed
> something like this:
> 66%****************** |8017MB ETAToDump(LargerTrace.pcap):
> Success
> 100%****************************|12113MB
> But the progress bar for ipsumdump without the collate option didn't split
> and reached the 100% 12113MB.
>
> If anyone can illuminate this matter, it will be a great help.
>
> Veronica

--
Sridhar

From estrada.veronica at gmail.com Sat Jun 26 08:35:34 2010
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Sun, 27 Jun 2010 00:35:34 +0900
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To:
References:
Message-ID:

Hi, Sridhar!

I tried again with other tools (mergecap & tcpslice) and I found that all of them behaved in the same way. I got the same number of connections after analyzing with bro (the same number as inputting several pcap files directly to bro - 169168 connections). Moreover, after doing other tests with other pcap files, I realized that ipsumdump was having problems with one of my files, although that file can be read with many tools without any problems. That is why bro found a different number of connections using the output of ipsumdump.

I'm still puzzled over ipsumdump because the difference in connection number is big and the tool does not give you any hint about the existence of a problem, thus it is easy to get a wrong analysis with bro.

Veronica Estrada
Nakao's Laboratory
Univ. of Tokyo

On Sat, Jun 19, 2010 at 12:00 AM, sridhar basam wrote:
> It looks like ipsumdump might be changing the snaplen to 2000 bytes when it
> writes out the pcap file. I don't see a runtime option to change the
> snaplen.
>
> Another tool you can try to merge those files is tcpslice from
> ftp://ftp.ee.lbl.gov/tcpslice.tar.gz. I have been able to preserve the
> snaplen using tcpslice.
>
> tcpslice trace*.pcap -w - | bro -r - ...
>
> Sri
>
> On Fri, Jun 18, 2010 at 2:09 AM, Veronica Estrada <
> estrada.veronica at gmail.com> wrote:
>
>>
>> Hi everyone,
>>
>> I am puzzled about the outcomes of using ipsumdump or BRO for processing
>> multiple pcap files.
>>
>> I am using BRO to analyze anomalies in my 12 hours of captured network
>> traffic which was saved in 4 GB pcap files. I want BRO to consider the
>> cases when a connection may have been split in two or more files.
>> I was
>> using ipsumdump to solve this, but I found that some files have errors and
>> cause ipsumdump to crash with this message:
>> ToDump(bigPcap1.pcap): Inappropriate ioctl for device
>>
>> Using the capinfos tool I detected that some of my files have a packet size
>> larger than normal (65535), so using tshark I cut the part of the file with
>> problems. For example:
>> capinfos: An error occurred after reading 3830659 packets from
>> "trace2.pcap": File contains a record that's not valid.
>> (pcap: File has 4065648712-byte packet, bigger than maximum of 65535)
>> So I create a reduced version of trace2.pcap with tshark:
>> /usr/sbin/tshark -c 3830659 -r trace2.pcap -w trace2-new.pcap
>>
>> This solution seemed to work fine, all the ***-new.pcap have no errors
>> while reading with capinfos or wireshark, but even so there are some that
>> still cause problems for processing. For example:
>>
>> I processed the following files in 3 different ways:
>> trace1.pcap, trace2-new.pcap, trace3.pcap (trace2.pcap was replaced
>> because of the packet size error)
>>
>> FIRST TRY - using ipsumdump with collate option:
>> ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or
>> udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy
>> ftp
>>
>> Output:
>> 9.7 MB conn.log with 114861 lines (number of connections)
>>
>> SECOND TRY - using ipsumdump without collate option:
>> ipsumdump --collate -w - trace* | bro -r - brolite myenvironment -f "tcp or
>> udp or icmp" dpd_conn_logs=T dpd detect_protocols dyn_disable irc-bot proxy
>> ftp
>>
>> Output:
>> 19 Mbytes conn.log with 228922 lines with 950 repeated connections
>>
>> THIRD TRY - without ipsumdump:
>> /usr/local/bro/bin/bro -r trace1.pcap -r trace2-new.pcap -r trace3.pcap
>> brolite todai -f "tcp or udp or icmp" dpd_conn_logs=T dpd detect-protocols
>> dyn-disable irc-bot proxy ftp 2>bro-error3.log
>>
>> Output:
>> 15 Mbytes conn.log with 169168 lines, connections are not repeated
>>
>> COMMENTS:
>> The pcap files have no overlapping traffic (it was checked with trace-summary
>> using first packet seen and last packet seen).
>> I tried ipsumdump with both the collate and no collate option because when
>> I used ipsumdump only (without bro), with the collate option the resulting larger
>> pcap file was a 7.9 GB file but without the collate option the resulting file was
>> 12 GB (trace1.pcap: 4 MB, trace2-new.pcap: 3.9GB, trace3.pcap: 4GB).
>> Besides, while using ipsumdump --collate alone, the progress bar showed
>> something like this:
>> 66%****************** |8017MB ETAToDump(LargerTrace.pcap):
>> Success
>> 100%****************************|12113MB
>> But the progress bar for ipsumdump without the collate option didn't split
>> and reached the 100% 12113MB.
>>
>> If anyone can illuminate this matter, it will be a great help.
>>
>> Veronica
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
> --
> Sridhar

From vern at icir.org Sat Jun 26 09:00:32 2010
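A check for the two failure modes this thread turns on (a record header claiming a length above the 65535 ceiling, which is what capinfos reported, and a merged file written with a smaller snaplen), as an added Python example that is not part of the thread or of any of the tools mentioned. The captures it inspects are constructed in memory, and the `good_records` it returns is the count you would hand to `tshark -c` to cut a file just before its first bad record.

```python
import struct

# pcap magic as read little-endian from the first four bytes -> the file's byte order
MAGIC_TO_ENDIAN = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">",   # microsecond timestamps
                   0xa1b23c4d: "<", 0x4d3cb2a1: ">"}   # nanosecond timestamps
MAX_SNAPLEN = 65535  # the ceiling capinfos enforces in the thread above


def check_pcap(data):
    """Validate an in-memory pcap; return (snaplen, good_records, problem).
    good_records is the number of records before the first invalid one, i.e. the
    count to give `tshark -c` to cut the file just before the bad record.
    problem is None when every record is sound."""
    if len(data) < 24:
        return None, 0, "truncated global header"
    endian = MAGIC_TO_ENDIAN.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        return None, 0, "not a pcap file (unknown magic)"
    snaplen = struct.unpack(endian + "I", data[16:20])[0]  # snaplen field of the global header
    off, n = 24, 0
    while off < len(data):
        if off + 16 > len(data):
            return snaplen, n, "record %d: truncated record header" % n
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        # a captured length above the file's snaplen, above 65535, or above the
        # original packet length is the "record that's not valid" capinfos reports
        if incl_len > MAX_SNAPLEN or incl_len > snaplen or incl_len > orig_len:
            return snaplen, n, "record %d: %d-byte packet, bigger than maximum of %d" % (
                n, incl_len, min(snaplen, MAX_SNAPLEN))
        if off + 16 + incl_len > len(data):
            return snaplen, n, "record %d: payload runs past end of file" % n
        off += 16 + incl_len
        n += 1
    return snaplen, n, None

def build_pcap(snaplen, records, endian="<"):
    """Constructed test data: a pcap global header followed by (incl_len, orig_len,
    payload) records; a header may claim a length its payload lacks, as in a corrupt file."""
    out = [struct.pack(endian + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, 1)]
    for i, (incl_len, orig_len, payload) in enumerate(records):
        out.append(struct.pack(endian + "IIII", 1276837200 + i, 0, incl_len, orig_len) + payload)
    return b"".join(out)

# Constructed captures: a sane one, one whose third record header carries the
# 4065648712-byte length from the thread, and one written with snaplen 2000.
SANE = build_pcap(MAX_SNAPLEN, [(60, 60, b"\x00" * 60), (1514, 1514, b"\x00" * 1514)])
CORRUPT = build_pcap(MAX_SNAPLEN, [(60, 60, b"\x00" * 60), (60, 60, b"\x00" * 60),
                                   (4065648712, 4065648712, b"")])
SHORT_SNAP = build_pcap(2000, [(60, 60, b"\x00" * 60)])
```

Running the same check over each input of a merge and comparing the returned snaplens shows whether a merge tool has quietly lowered the snaplen, as suspected of ipsumdump above.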
From: vern at icir.org (Vern Paxson)
Date: Sat, 26 Jun 2010 09:00:32 -0700
Subject: [Bro] Differences in processing multiple traces with BRO and ipsumdump
In-Reply-To: (Sun, 27 Jun 2010 00:35:34 +0900).
Message-ID: <201006261600.o5QG0WBW022937@pork.ICSI.Berkeley.EDU>

> I am still puzzled over ipsumdump because the difference in connection number
> is big and the tool does not give you any hint about the existence of a
> problem, thus it is easy to get a wrong analysis with bro.

Hmmmm - we make heavy use of ipsumdump for trace analysis, and haven't run across this sort of problem before. If you can put together a demonstration of the problem, send it to Eddie Kohler (the ipsumdump developer), he's quite responsive in fixing bugs. Also, cc me on the note, as I'd like to understand the issue better.

Vern

From seth at remor.com Wed Jun 30 12:26:04 2010
From: seth at remor.com (Seth Hall)
Date: Wed, 30 Jun 2010 15:26:04 -0400
Subject: [Bro] 64-bit?
Message-ID: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>

Does anyone run Bro built as a 64-bit binary on a 64-bit platform?

Thanks,
.Seth

From ssakai at sdsc.edu Wed Jun 30 12:38:58 2010
From: ssakai at sdsc.edu (Scott Sakai)
Date: Wed, 30 Jun 2010 12:38:58 -0700
Subject: [Bro] 64-bit?
In-Reply-To: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
Message-ID: <4C2B9D52.6070805@sdsc.edu>

I'm running Bro 1.5 on x86_64 Linux. No obvious issues here -- except with broccoli.

On 06/30/2010 12:26 PM, Seth Hall wrote:
> Does anyone run Bro built as a 64-bit binary on a 64-bit platform?
>
> Thanks,
> .Seth

--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

From Tyler.Schoenke at colorado.edu Wed Jun 30 12:57:38 2010
From: Tyler.Schoenke at colorado.edu (Tyler T. Schoenke)
Date: Wed, 30 Jun 2010 13:57:38 -0600
Subject: [Bro] 64-bit?
In-Reply-To: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
Message-ID: <4C2BA1B2.6090009@colorado.edu>

It has been running fine on CentOS 5.3 x86_64 since late 2009.

Tyler

--
Tyler Schoenke
Network Security Analyst
IT Security Office
University of Colorado - Boulder

On 06/30/2010 01:26 PM, Seth Hall wrote:
> Does anyone run Bro built as a 64-bit binary on a 64-bit platform?
>
> Thanks,
> .Seth

From robin at icir.org Wed Jun 30 13:02:30 2010
From: robin at icir.org (Robin Sommer)
Date: Wed, 30 Jun 2010 13:02:30 -0700
Subject: [Bro] 64-bit?
In-Reply-To: <4C2B9D52.6070805@sdsc.edu>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu>
Message-ID: <20100630200230.GB63667@icir.org>

On Wed, Jun 30, 2010 at 12:38 -0700, Scott Sakai wrote:
> I'm running Bro 1.5 on x86_64 Linux.

Current development version on x86_64 FreeBSD 8.0 here, also with no apparent problems.

> No obvious issues here -- except with broccoli.

What's the broccoli issue? Can you file a tracker ticket for that please?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From JAzoff at uamail.albany.edu Wed Jun 30 13:03:12 2010
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Wed, 30 Jun 2010 16:03:12 -0400
Subject: [Bro] 64-bit?
In-Reply-To: <4C2B9D52.6070805@sdsc.edu>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu>
Message-ID: <20100630200311.GD25513@datacomm.albany.edu>

On Wed, Jun 30, 2010 at 03:38:58PM -0400, Scott Sakai wrote:
> I'm running Bro 1.5 on x86_64 Linux. No obvious issues here -- except with
> broccoli.

I am as well.. but I haven't had any problems with broccoli.

--
-- Justin Azoff
-- Network Security & Performance Analyst

From seth at remor.com Wed Jun 30 13:03:20 2010
From: seth at remor.com (Seth Hall)
Date: Wed, 30 Jun 2010 16:03:20 -0400
Subject: [Bro] 64-bit?
In-Reply-To: <4C2B9D52.6070805@sdsc.edu>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu>
Message-ID: <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com>

On Jun 30, 2010, at 3:38 PM, Scott Sakai wrote:
> I'm running Bro 1.5 on x86_64 Linux. No obvious issues here -- except with
> broccoli.

Ok, that's partly why I asked. It looks like broccoli needs to be built with -fPIC. I'll file a ticket in the tracker.

.Seth

From mej at lbl.gov Wed Jun 30 14:21:39 2010
From: mej at lbl.gov (Michael Jennings)
Date: Wed, 30 Jun 2010 14:21:39 -0700
Subject: [Bro] 64-bit?
In-Reply-To: <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com>
Message-ID: <20100630212138.GC20650@lbl.gov>

On Wednesday, 30 June 2010, at 16:03:20 (-0400), Seth Hall wrote:
> Ok, that's partly why I asked. It looks like broccoli needs to be
> built with -fPIC. I'll file a ticket in the tracker.

I built 32- and 64-bit RPMs of bro 1.4 without needing to force -fPIC anywhere. I haven't had a chance to update them to 1.5 yet, so it's possible that has changed.

Michael

--
Michael Jennings
Linux Systems and Cluster Engineer
High-Performance Computing Services
Bldg 50B-3209E W: 510-495-2687
MS 050C-3396 F: 510-486-8615

From ssakai at sdsc.edu Wed Jun 30 14:43:07 2010
From: ssakai at sdsc.edu (Scott Sakai)
Date: Wed, 30 Jun 2010 14:43:07 -0700
Subject: [Bro] 64-bit?
In-Reply-To: <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com>
Message-ID: <4C2BBA6B.4010806@sdsc.edu>

I encountered underruns and corruption while using bropipe to send datatypes involving an int (count, port...) to Bro. The underlying issue seems to be that broccoli is sending a 32-bit int and Bro is expecting a 64-bit one. In what is probably the Wrong Way(tm) to approach the problem, I patched broccoli to send 64-bit ints with the high 32 bits zeroed.

On 06/30/2010 01:03 PM, Seth Hall wrote:
>
> On Jun 30, 2010, at 3:38 PM, Scott Sakai wrote:
>
>> I'm running Bro 1.5 on x86_64 Linux. No obvious issues here -- except with
>> broccoli.
>
> Ok, that's partly why I asked. It looks like broccoli needs to be built with -fPIC. I'll file a ticket in the tracker.
>
> .Seth

--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

From seth at remor.com Wed Jun 30 19:16:15 2010
From: seth at remor.com (Seth Hall)
Date: Wed, 30 Jun 2010 22:16:15 -0400
Subject: [Bro] 64-bit?
In-Reply-To: <4C2BBA6B.4010806@sdsc.edu>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com> <4C2B9D52.6070805@sdsc.edu> <782837E2-FBC5-4845-9549-9C5FBCC1C9E9@remor.com> <4C2BBA6B.4010806@sdsc.edu>

On Jun 30, 2010, at 5:43 PM, Scott Sakai wrote:
> I encountered underruns and corruption while using bropipe to send
> datatypes involving an int (count, port...) to Bro. The underlying issue
> seems to be that broccoli is sending a 32-bit int and Bro is expecting a
> 64-bit one.

Did you have Bro built with --enable-int64?

.Seth

From gregor at net.t-labs.tu-berlin.de Wed Jun 30 22:27:40 2010
From: gregor at net.t-labs.tu-berlin.de (Gregor Maier)
Date: Wed, 30 Jun 2010 22:27:40 -0700
Subject: [Bro] 64-bit?
In-Reply-To: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
References: <63DE9DBE-06F0-4D52-9BB8-AF2FAA241707@remor.com>
Message-ID: <4C2C274C.4070202@net.t-labs.tu-berlin.de>

Seth Hall wrote:
> Does anyone run Bro built as a 64-bit binary on a 64-bit platform?

Working fine for me. However, I do trace analysis with it without using broccoli or cluster....

cu
gregor

--
Gregor Maier                           gregor at net.t-labs.tu-berlin.de
TU Berlin / Deutsche Telekom Labs      gregor.maier at tu-berlin.de
Sekr. TEL 4, FG INET                   www.net.t-labs.tu-berlin.de
Ernst-Reuter-Platz 7
10587 Berlin, Germany