From baxterw3232 at gmail.com Fri Apr 1 11:20:33 2011 From: baxterw3232 at gmail.com (Will) Date: Fri, 1 Apr 2011 14:20:33 -0400 Subject: [Bro] http-ext-identified-files Message-ID: Hey Seth, I recently updated one of our bro boxes focusing on http traffic with your 'ext' scripts. I am drawing a blank on a few things. 1. The old way of flagging via 'HTTP_WatchedMIMEType' appears to have gone away in lieu of 'add si$tags["identified-files"];'. The new 'redef signature_files += "http-ext-identified-files.sig";' looks to have replaced the magic_mime. I see that by default, file types in that signature file are ignored. For the time being, I have added the 'NOTICE' and 'HTTP_WatchedMIMEType' back in because I really want email alerts for any watched_mime_types not coming from a whitelisted location. So, what is the correct way to generate alerts? My botched version is below. 2. By adding the 'NOTICE' back in below, I think I botched the 'add si$tags["identified-files"];', because none of the files are getting logged to identified files. Thanks in advance! Will
-----------------------------------------------------
/trun/bro/site]# cat http-ext-identified-files.bro
@load global-ext
@load http-ext
@load http-reply
@load http-body
@load signatures

redef signature_files += "http-ext-identified-files.sig";

module HTTP;

export {
    redef enum Notice += {
        # This notice is thrown when the file extension doesn't
        # seem to match the file contents.
        HTTP_IncorrectFileType,
        # Generated when we see a MIME type we flagged for watching.
        HTTP_WatchedMIMEType,
    };

    # MIME types that you'd like this script to identify and log.
    const watched_mime_types =
          /application\/x-dosexec/
        | /application\/x-executable/
        | /application\/octet-stream/
        | /application\/x-compressed/
        | /application\/x-gzip/ &redef;

    # URLs included here are not logged and notices are not thrown.
    # Take care when defining regexes to not be overly broad.
    const ignored_urls =
          /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/
        | /^http:\/\/.*\.sun\.com\//
        | /^http:\/\/.*\.macromedia\.com\//
        | /^http:\/\/download\.microsoft\.com\//
        | /^http:\/\/(platformdl\.|ardownload\.|fpdownload\.)adobe\.com\// &redef;

    # Create regexes that *should* be in the urls for specific mime types.
    # Notices are thrown if the pattern doesn't match the url for the file type.
    const mime_types_extensions: table[string] of pattern = {
        ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
    } &redef;
}

# Don't delete the http sessions at the end of the request!
redef watch_reply=T;

# Ignore the signatures used to match files
redef ignored_signatures += /^matchfile-/;

# This script uses the file tagging method to create a separate file.
event bro_init()
    {
    # Add the tag for log file splitting.
    LOG::define_tag("http-ext", "identified-files");
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Only signatures matching file types are dealt with here.
    if ( /^matchfile/ !in state$id ) return;

    # Not much point in any of this if we don't know about the
    # HTTP-ness of the connection.
    if ( state$conn$id !in conn_info ) return;

    local si = conn_info[state$conn$id];

    # Set the mime type seen.
    si$mime_type = msg;

    local message = fmt("%s %s %s", msg, si$method, si$url);

    if ( ignored_urls !in si$url )
        {
        if ( watched_mime_types in msg )
            {
            NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=state$conn, $method=si$method, $URL=si$url]);
            # Add a tag for logging purposes.
            add si$tags["identified-files"];
            }

        if ( msg in mime_types_extensions && mime_types_extensions[msg] !in si$url )
            {
            NOTICE([$note=HTTP_IncorrectFileType, $msg=message, $conn=state$conn, $method=si$method, $URL=si$url]);
            }

        event file_transferred(state$conn, data, "", msg);
        }
    }
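One way to get both the log line and the email alert, added here as an illustration and not code from Will or from Seth's http-ext scripts: the script below keeps the records, events and signature set used above (conn_info, si$tags, si$url, si$method, the matchfile-* signatures, LOG::define_tag) but makes the tagging decision before, and independently of, the watch-list test, so every identified file from a non-whitelisted URL reaches the identified-files log while only watched types raise HTTP_WatchedMIMEType. Routing that notice to email through notice_action_filters and send_email_notice is an assumption about this Bro release's notice-action-filters script, the mail_dest value is a placeholder, and the watch and ignore lists are trimmed for brevity. It is meant to replace, not load alongside, the script above.

```bro
# Added example (not Will's script nor Seth's http-ext code): a restructured
# http-ext-identified-files.bro that separates "log this file" from
# "alert on this file".  Assumes the http-ext records (conn_info, si$tags,
# si$url, si$method) and the matchfile-* signature set used in the thread,
# and that this release's notice-action-filters provides send_email_notice.
@load global-ext
@load http-ext
@load http-reply
@load http-body
@load signatures
@load notice-action-filters

redef signature_files += "http-ext-identified-files.sig";

module HTTP;

export {
    redef enum Notice += {
        HTTP_IncorrectFileType,   # URL extension does not match identified content
        HTTP_WatchedMIMEType,     # identified type is on the watch list
    };

    # Types that should raise a notice (they are logged either way).
    const watched_mime_types =
          /application\/x-dosexec/
        | /application\/x-executable/
        | /application\/octet-stream/ &redef;

    # Download locations that are neither logged nor alerted on.
    const ignored_urls =
          /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/
        | /^http:\/\/download\.microsoft\.com\// &redef;

    # Extension a URL is expected to carry for a given identified type.
    const mime_types_extensions: table[string] of pattern = {
        ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
    } &redef;
}

# Keep the HTTP session around until the reply has been seen.
redef watch_reply = T;

# The file-matching signatures are consumed here, not reported as signatures.
redef ignored_signatures += /^matchfile-/;

# Placeholder recipient (assumption); replace with the real alert mailbox.
redef mail_dest = "security-alerts@example.invalid";

# Only the watched-type notice goes to email; the extension mismatch is
# left to the default notice action.
redef notice_action_filters += {
    [HTTP_WatchedMIMEType] = send_email_notice,
};

event bro_init()
    {
    LOG::define_tag("http-ext", "identified-files");
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( /^matchfile/ !in state$id ) return;
    if ( state$conn$id !in conn_info ) return;

    local si = conn_info[state$conn$id];
    si$mime_type = msg;

    # Whitelisted download locations: no log line and no notice.
    if ( ignored_urls in si$url ) return;

    # Logging decision first: every identified file that reaches this point
    # is tagged, whether or not its type is on the watch list.
    add si$tags["identified-files"];

    local message = fmt("%s %s %s", msg, si$method, si$url);

    # Alerting decision second: only watched types produce a notice.
    if ( watched_mime_types in msg )
        NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=state$conn,
                $method=si$method, $URL=si$url]);

    if ( msg in mime_types_extensions && mime_types_extensions[msg] !in si$url )
        NOTICE([$note=HTTP_IncorrectFileType, $msg=message, $conn=state$conn,
                $method=si$method, $URL=si$url]);

    event file_transferred(state$conn, data, "", msg);
    }
```

The ordering is the point: in the version above, the tag is only added inside the watch-list branch, so a file that is identified but not watched never reaches the identified-files log. Checking the whitelist once, tagging, and only then deciding about notices keeps the two questions (what gets logged, what gets mailed) independently tunable through the three redef-able constants.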
From baxterw3232 at gmail.com Mon Apr 4 07:27:43 2011 From: baxterw3232 at gmail.com (Will) Date: Mon, 4 Apr 2011 10:27:43 -0400 Subject: [Bro] Trace Execution with broctl Message-ID: Hello, Is there currently a way to run an offline trace using broctl? I saw some posts about potentially having a 'read' command, but it doesn't appear to be implemented yet. I am really trying to understand how to modify a few things that are being done by the broctl scripts. I get my desired results when running bro by itself, but need to see exactly how broctl is making changes. I was able to make some of the changes in the template scripts that are used when broctl is installed, but there are some things I still seem to be missing. Thanks, Will
From robin at icir.org Mon Apr 4 09:13:42 2011 From: robin at icir.org (Robin Sommer) Date: Mon, 4 Apr 2011 09:13:42 -0700 Subject: [Bro] Trace Execution with broctl In-Reply-To: References: Message-ID: <20110404161342.GB72308@icir.org> On Mon, Apr 04, 2011 at 10:27 -0400, Will wrote:
> I saw some posts about potentially having a 'read' command, but it doesn't appear to be implemented yet.
No, it's not yet, but that would indeed be a good thing to have. I don't think we have a tracker ticket for that yet iirc, would you mind filing one at http://tracker.icir.org, describing what you'd like to see (and if you're up for it, perhaps even summarizing the earlier discussion?) (Note the tracker is currently reporting some errors while we are moving things to a new server; filing tickets is however working).
> I am really trying to understand how to modify a few things that are being done by the broctl scripts.
Likewise, can you describe in a bit more detail what you'd like to do/see? We are planning to add a plugin interface to BroCtl, hopefully in time for the next release, that will allow custom code to be executed before/after any of the commands is run. We have a ticket for that: http://tracker.icir.org/bro/ticket/370. Feel free to add more thoughts to it. (The link to the proposal mentioned in the ticket is currently not public, again because we're working on the infrastructure; but here's a copy: http://www.icir.org/robin/tmp/broctl-plugins.html) Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From seth at icir.org Mon Apr 4 11:55:08 2011 From: seth at icir.org (Seth Hall) Date: Mon, 4 Apr 2011 14:55:08 -0400 Subject: [Bro] Trace Execution with broctl In-Reply-To: References: Message-ID: <8AAD2BC8-6CD1-4BE0-A15C-84A14DAF1D5D@icir.org> On Apr 4, 2011, at 10:27 AM, Will wrote:
> Is there currently a way to run an offline trace using broctl?
This is actually currently partially implemented in a branch. The problem with it is that it brings up a lot of questions about how it should work and how things should be handled from within BroControl. What I would personally like to see (but probably won't happen initially) is clustered tracefile processing. Once we figure out a way forward on the read command, we can get it finished and integrated. Please file the ticket still if you don't mind. If you could be especially explicit about what features you need/want or how you'd like it to work, that would be a huge help. Thanks!
.Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
From baxterw3232 at gmail.com Mon Apr 4 12:08:44 2011 From: baxterw3232 at gmail.com (Will) Date: Mon, 4 Apr 2011 15:08:44 -0400 Subject: [Bro] Trace Execution with broctl In-Reply-To: <20110404161342.GB72308@icir.org> References: <20110404161342.GB72308@icir.org> Message-ID: On Mon, Apr 4, 2011 at 12:13 PM, Robin Sommer wrote:
> On Mon, Apr 04, 2011 at 10:27 -0400, Will wrote:
> > I saw some posts about potentially having a 'read' command, but it doesn't appear to be implemented yet.
> No, it's not yet, but that would indeed be a good thing to have. I don't think we have a tracker ticket for that yet iirc, would you mind filing one at http://tracker.icir.org, describing what you'd like to see (and if you're up for it, perhaps even summarizing the earlier discussion?)
> (Note the tracker is currently reporting some errors while we are moving things to a new server; filing tickets is however working).
I would be happy to create a new ticket for the feature with additional info. This is a ticket from six months ago that is fairly close to what I would be requesting. http://tracker.icir.org/bro/ticket/273 Should I create a new one or add to this?
> > I am really trying to understand how to modify a few things that are being done by the broctl scripts.
> Likewise, can you describe in a bit more detail what you'd like to do/see? We are planning to add a plugin interface to BroCtl, hopefully in time for the next release, that will allow custom code to be executed before/after any of the commands is run. We have a ticket for that: http://tracker.icir.org/bro/ticket/370. Feel free to add more thoughts to it. (The link to the proposal mentioned in the ticket is currently not public, again because we're working on the infrastructure; but here's a copy: http://www.icir.org/robin/tmp/broctl-plugins.html)
Sounds good. Thanks for the info.
> Robin
> -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From baxterw3232 at gmail.com Mon Apr 4 12:23:27 2011 From: baxterw3232 at gmail.com (Will) Date: Mon, 4 Apr 2011 15:23:27 -0400 Subject: [Bro] Trace Execution with broctl In-Reply-To: <8AAD2BC8-6CD1-4BE0-A15C-84A14DAF1D5D@icir.org> References: <8AAD2BC8-6CD1-4BE0-A15C-84A14DAF1D5D@icir.org> Message-ID: On Mon, Apr 4, 2011 at 2:55 PM, Seth Hall wrote:
> On Apr 4, 2011, at 10:27 AM, Will wrote:
> > Is there currently a way to run an offline trace using broctl?
> This is actually currently partially implemented in a branch. The problem with it is that it brings up a lot of questions about how it should work and how things should be handled from within BroControl. What I would personally like to see (but probably won't happen initially) is clustered tracefile processing.
> Once we figure out a way forward on the read command, we can get it finished and integrated. Please file the ticket still if you don't mind. If you could be especially explicit about what features you need/want or how you'd like it to work, that would be a huge help.
I found cached versions of both files below and was going to see if I could get them working on our test box.
source: broctl/BroControl/config.py @ 6683ca9 Revision 6683ca9, 14.5 KB checked in by seth, 3 months ago (diff)
source: broctl/bin/broctl.in @ 6683ca9 Revision 6683ca9, 23.3 KB checked in by seth, 3 months ago (diff)
"read" command for doing offline tracefile analysis through broctl. There is more work to go, but so far, reading a single tracefile on a standalone node works and it should work on a "localhost" cluster config too but hasn't been tested.
Again, I would be happy to add what I would like to see as far as features. Initially, having the ability to create a 'trace execution file' that steps through policy execution of an offline pcap file would be fabulous. This is mostly because I am so new (*terrible) at programming and am learning C as I go. So, with that in mind, I may include something that clearly already exists or doesn't make any sense.
> Thanks!
> .Seth
> -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
Will
From robin at icir.org Mon Apr 4 13:32:56 2011 From: robin at icir.org (Robin Sommer) Date: Mon, 4 Apr 2011 13:32:56 -0700 Subject: [Bro] Trace Execution with broctl In-Reply-To: References: <20110404161342.GB72308@icir.org> Message-ID: <20110404203256.GZ72308@icir.org> On Mon, Apr 04, 2011 at 15:08 -0400, Will wrote:
> http://tracker.icir.org/bro/ticket/273
> Should I create a new one or add to this?
Yes, please add to that one. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From lruppert at syr.edu Tue Apr 5 12:24:06 2011 From: lruppert at syr.edu (Louis F Ruppert) Date: Tue, 5 Apr 2011 15:24:06 -0400 Subject: [Bro] Access to new bro code?
Message-ID: <32E412533D42EF41ACBCFA96B6C230F4018611B818D0@SUEX07-MBX-07.ad.syr.edu> Hello, Can someone tell me how I might alpha test the new bro code from the git repos? I tried to figure it out on my own, but only ended up on scary password-protected sites. Thanks, -Lou -- Lou Ruppert Intrusion Analyst, GCFA Information Security Syracuse University
From robin at icir.org Tue Apr 5 21:33:21 2011 From: robin at icir.org (Robin Sommer) Date: Tue, 5 Apr 2011 21:33:21 -0700 Subject: [Bro] Access to new bro code? In-Reply-To: <32E412533D42EF41ACBCFA96B6C230F4018611B818D0@SUEX07-MBX-07.ad.syr.edu> References: <32E412533D42EF41ACBCFA96B6C230F4018611B818D0@SUEX07-MBX-07.ad.syr.edu> Message-ID: <20110406043321.GI31581@icir.org> On Tue, Apr 05, 2011 at 15:24 -0400, you wrote:
> Can someone tell me how I might alpha test the new bro code from the git repos? I tried to figure it out on my own, but only ended up on scary password-protected sites.
You must have hit our new web server. :) We are in the process of setting that up; it's not yet open to the public. But you can already browse the new git repositories at http://git.bro-ids.org. The instructions for working with them aren't online yet, but the short version is:
git clone --recursive git://git.bro-ids.org/bro
Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From mdmonk at gmail.com Thu Apr 7 10:44:52 2011 From: mdmonk at gmail.com (Chuck Little) Date: Thu, 07 Apr 2011 11:44:52 -0600 Subject: [Bro] Bro Workshop? Message-ID: <4D9DF814.1030401@gmail.com> I was wondering if there were any Bro-IDS workshops being planned, or if there is any training available? Thanks! -Chuck L.
From Keith_Schoenefeld at baylor.edu Mon Apr 11 12:59:59 2011 From: Keith_Schoenefeld at baylor.edu (Schoenefeld, Keith P.) Date: Mon, 11 Apr 2011 14:59:59 -0500 Subject: [Bro] Running a Bro cluster diskless?
Message-ID: <8B7F389B5AC9B94AA8D37FAC3598DDFD07C29FA199@FS1.baylor.edu> Background: With some guidance from Seth, Baylor is jumping into Bro in a 'timidly aggressive' (should I trademark that?) fashion. We are currently working to build a Bro cluster that can analyze up to 2Gb/s of traffic. We'll have about 900Mb/s of capacity once the upgrades to our exit are complete, with our real aggregate traffic measuring significantly below the 1.8Gb/s maximum. We have purchased six systems and a switch: one front end system to run Click!, four worker systems, and a manager system. A private network will be used between the frontend system and the workers and another will be used between the workers and the management system. I have a history with running diskless HPC systems leveraging JessWulf [1], and hope/plan to do the same with our Bro configuration. Simply put, JessWulf is an RPM based toolkit/guide for running RPM based Linux distributions in a master/node cluster environment, where all nodes are diskless. I hope to use the 'manager' server as the master and the worker server as the nodes in a JessWulf cluster to ease configuration and management. I will certainly have some small local ramdisk as well as local hard drives for non-persistent scratch space as needed. Now, for the question(s): Does anyone have experience running Bro diskless like this already? What are the common problems unique to this configuration, where will I likely want to leverage the local scratch space, and is this absolutely the wrong way to run a Bro cluster? Thanks for any help, -- KS [1] - https://wiki.uis.georgetown.edu/display/CCF/JessWulf+-+A+Diskless+Beowulf+Cluster+Toolkit Keith Schoenefeld Information Security Analyst Baylor University From seth at icir.org Mon Apr 11 13:23:30 2011 From: seth at icir.org (Seth Hall) Date: Mon, 11 Apr 2011 16:23:30 -0400 Subject: [Bro] Running a Bro cluster diskless? 
In-Reply-To: <8B7F389B5AC9B94AA8D37FAC3598DDFD07C29FA199@FS1.baylor.edu> References: <8B7F389B5AC9B94AA8D37FAC3598DDFD07C29FA199@FS1.baylor.edu> Message-ID: On Apr 11, 2011, at 3:59 PM, Schoenefeld, Keith P. wrote:
> I hope to use the 'manager' server as the master and the worker server as the nodes in a JessWulf cluster to ease configuration and management. I will certainly have some small local ramdisk as well as local hard drives for non-persistent scratch space as needed.
You will want the local disk space for the directory where you have Bro installed; I usually use /bro on clusters. The remote.log file is still kept locally on each worker and proxy node and the Bro binary is copied to each when you do the "install" command. There is a setting for BroControl named "HaveNFS" which is commented on here: http://svn.icir.org/bro/releases/release_1_5/bro/aux/broctl/README.html#_questions_and_answers
> Does anyone have experience running Bro diskless like this already? What are the common problems unique to this configuration, where will I likely want to leverage the local scratch space, and is this absolutely the wrong way to run a Bro cluster?
OSU ran very similarly to that for a very long time. I suppose it was actually how the first production cluster (with BroControl at least) was done but we backed away from it a bit due to all of the problems I was encountering. In the hands of a more experienced cluster admin, I expect the results would be much better. :) I think you'd probably be fine with this deployment scenario. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
From jwelcher at lbl.gov Mon Apr 11 13:41:39 2011 From: jwelcher at lbl.gov (James Welcher) Date: Mon, 11 Apr 2011 13:41:39 -0700 Subject: [Bro] Running a Bro cluster diskless?
In-Reply-To: References: <8B7F389B5AC9B94AA8D37FAC3598DDFD07C29FA199@FS1.baylor.edu> Message-ID: On Mon, Apr 11, 2011 at 1:23 PM, Seth Hall wrote:
> On Apr 11, 2011, at 3:59 PM, Schoenefeld, Keith P. wrote:
> > Does anyone have experience running Bro diskless like this already? What are the common problems unique to this configuration, where will I likely want to leverage the local scratch space, and is this absolutely the wrong way to run a Bro cluster?
> OSU ran very similarly to that for a very long time. I suppose it was actually how the first production cluster (with BroControl at least) was done but we backed away from it a bit due to all of the problems I was encountering. In the hands of a more experienced cluster admin, I expect the results would be much better. :)
I come from an HPC background and used beowulf/warewulf and perceus cluster software for scientific computing. This is Linux software and we prefer FreeBSD for our bro clusters, but I've been laying the groundwork for a memory file system bro cluster (with local scratch). Our next cluster will likely be built this way. But if you go down this path and want to compare notes, let me know. -- James Welcher 1.510.486.5543 Cyber Security, IT Division Lawrence Berkeley National Laboratory - http://www.lbl.gov
From robin at icir.org Tue Apr 12 07:35:33 2011 From: robin at icir.org (Robin Sommer) Date: Tue, 12 Apr 2011 07:35:33 -0700 Subject: [Bro] Collecting Bro publications Message-ID: <20110412143533.GC25715@icir.org> Hi all, we are working on a completely redesigned bro-ids.org web site. As part of that, we are collecting a list of research publications that make use of Bro in one way or the other (including improving Bro, but also just using it as a tool, like in a measurement study).
Please let me know if you'd like any of your publications included on that page. Just send me the bibliographic information (bibtex would be perfect) and a download URL we can link to, and I'll make sure it gets into the list. Both recent and older publications are fine. Thanks, Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
From edthoma at sandia.gov Thu Apr 21 08:26:56 2011 From: edthoma at sandia.gov (edthoma) Date: Thu, 21 Apr 2011 08:26:56 -0700 Subject: [Bro] Possible default policy improvements Message-ID: <44E9F655-5DED-41B7-8C32-D63545B6E0EA@sandia.gov> The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:
%n for HTTP, #n for FTP
'start' near the beginning for HTTP, at the end for FTP
: separates IPs and ports for HTTP, / for FTP
The port in the HTTP log is numeric by default, and named for FTP
I haven't examined similar logs for other protocols yet. I'd like to suggest more consistency among protocol logs in the default .bro files distributed with the code. Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information. Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.
Eric Thomas edthoma at sandia.gov
From seth at icir.org Thu Apr 21 09:03:33 2011 From: seth at icir.org (Seth Hall) Date: Thu, 21 Apr 2011 12:03:33 -0400 Subject: [Bro] Possible default policy improvements In-Reply-To: <44E9F655-5DED-41B7-8C32-D63545B6E0EA@sandia.gov> References: <44E9F655-5DED-41B7-8C32-D63545B6E0EA@sandia.gov> Message-ID: <698568F7-CED8-41CF-A8B4-5E8D96170089@icir.org> On Apr 21, 2011, at 11:26 AM, edthoma wrote:
> The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:
On the upside, both of those scripts are already rewritten for the next release and this is no longer a concern.
> Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information.
This information along with the output from several other headers that indicate proxied connections is included in the new script by default. :)
> Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.
At the very least, even if that data wasn't extracted by default in the next release, it would be *extremely* easy to add it to the logs due to the new logging framework. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
From seth at icir.org Thu Apr 21 10:52:27 2011 From: seth at icir.org (Seth Hall) Date: Thu, 21 Apr 2011 13:52:27 -0400 Subject: [Bro] Bro workshop survey Message-ID: <0C87567A-D007-4F7F-8106-A67327157834@icir.org> Hi all, I just posted a survey for us to get more comprehensive feedback regarding the next Bro workshop. Please forward/retweet this survey to anyone that you think might be interested. The survey: http://bit.ly/fMR9n2 My tweet about the survey: https://twitter.com/remor/status/61124564507308032 Thanks!
.Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
From seth at icir.org Thu Apr 21 10:53:15 2011 From: seth at icir.org (Seth Hall) Date: Thu, 21 Apr 2011 13:53:15 -0400 Subject: [Bro] Bro Workshop? In-Reply-To: <4D9DF814.1030401@gmail.com> References: <4D9DF814.1030401@gmail.com> Message-ID: On Apr 7, 2011, at 1:44 PM, Chuck Little wrote:
> I was wondering if there were any Bro-IDS workshops being planned, or if there is any training available?
Sorry for the delay; you should have just received the email on the list about our initial planning for the next workshop. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/
From misha2fun at gmail.com Tue Apr 26 21:45:31 2011 From: misha2fun at gmail.com (misha singhal) Date: Wed, 27 Apr 2011 10:15:31 +0530 Subject: [Bro] using bro-1.5.3 Message-ID: I am a new user of bro ids, and wanted to know how to run a policy script. I am running bro-1.5.3. What should be written after running the ./broctl command to run any script?
From misha2fun at gmail.com Thu Apr 28 20:57:30 2011 From: misha2fun at gmail.com (misha singhal) Date: Fri, 29 Apr 2011 09:27:30 +0530 Subject: [Bro] using bro-1.5.3 In-Reply-To: References: Message-ID: I am new to Bro-1.5.3. I installed it on Ubuntu 10.04, which is running as a guest OS on a virtual machine, and my host machine is Windows 7. I am doing the UDP flood from the host machine to the guest machine and want Bro to log it, so I ran the command bro -i eth0 udp.bro, then I checked /spool/bro/conn.log, but sometimes this file is empty or it says output can't be shown due to a character encoding problem. I have checked the networks.cfg file also for network addresses. 192.168.0.0/16 is included in it; also my guest machine's IP is set to 192.168.1.2 and the host machine's IP is 192.168.1.4, so I think there is no problem due to this.