From mcholste at gmail.com Tue Feb 1 12:26:14 2011
From: mcholste at gmail.com (Martin Holste)
Date: Tue, 1 Feb 2011 14:26:14 -0600
Subject: [Bro] Announce: StreamDB
Message-ID:

I wanted to let these communities know about a new open-source project called StreamDB (http://code.google.com/p/streamdb/) I've just published that's proven to be extremely helpful for my analysts. It is a fast and simple tool for quickly viewing traffic related to IDS alerts (or any IP-based event) which specializes in ultra-fast retrievals from very large data sets. It can hook into Snorby as it is OpenFPC compatible. It is also very effective for PCRE searching traffic from a given source or destination IP address. Streams are rotated out based on configured retention size in a ring-buffer fashion.

From the project home page:

StreamDB is a high-performance framework for storing network streams. The current version uses Vortex IDS to read the streams from a file or network interface and saves them to an indexed DB and data file. Web code provides a URL-based query interface. There is also a command-line interface which includes the ability to read piped queries from STDIN. In addition to almost instant retrieval by IP address, StreamDB also allows PCRE searches and file type searches on streams if an IP address is provided as an initial filter. The system can handle recording gigabit line-speed networks and can retrieve arbitrary streams from terabytes of data in milliseconds. It is designed to be a complementary tool to intrusion detection systems to aid security analysts.
Here are some query examples:

http://streamdb/?srcip=10.0.0.1
http://streamdb/?srcip=10.0.0.1&dstip=1.1.1.1&dstport!80
http://streamdb/?srcip=10.0.0.1&dstip=1.1.1.1&dstport=80&start=2 weeks ago&end=now
http://streamdb/?srcip=10.0.0.1&pcre=example.com
http://streamdb/?srcip=10.0.0.1&pcre=MZ.*PE\x00\x00
http://streamdb/?srcip=10.0.0.1&sort=1&as_hex=1
http://streamdb/?srcip=10.0.0.1&raw=1
http://streamdb/?srcip=10.0.0.1&offset=1000&limit=200
http://streamdb/?srcip=10.0.0.1&filetype=executable

Examples from the CLI:

./sdb --srcip 10.0.0.1 --filetype pdf --headers-only
tail -f /var/log/snort/alert | ./sdb > alert_streams.txt

All of these queries will return in a second or two, assuming that the IPs referred to aren't busy web servers or NAT points. IPs with many connections will benefit from more specific search filters for time and/or destination IP address.

Some non-scientific benchmarks on commodity hardware searching 5 TB of data: a PCRE search for a given srcip with 1000 connections completes in about one second. A similar search for a srcip with 50,000 connections will take about two minutes. A lookup for a given srcip/dstip pair will complete in less than a second, including browser render time.
Example output as text/plain:

Returning 2 of 2 at offset 0 from Sun Jan 30 11:56:11 2011 to Sun Jan 30 11:56:11 2011

2011-01-30 11:56:11 192.168.58.52:4099 -> 131.243.2.191:80 13s 512 bytes FIN ASCII text, with CRLF line terminators
GET /bro-workshop-2009-2/slides/Installation.pdf HTTP/1.1
Host: www.bro-ids.org
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Referer: http://www.bro-ids.org/bro-workshop-2009-2/slides/
X-Do-Not-Track: 1
Connection: keep-alive

2011-01-30 11:56:11 192.168.58.52:4099 <- 131.243.2.191:80 13s 778247 bytes FIN PDF document, version 1.3
200 OK
Connection: Keep-Alive
Date: Sun, 30 Jan 2011 17:56:11 GMT
Accept-Ranges: bytes
ETag: "8f724e-bde6b-47617252eebc0"
Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8e DAV/2 PHP/5.3.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.6 mod_wsgi/2.8
Content-Length: 777835
Content-Type: application/pdf
Last-Modified: Sat, 17 Oct 2009 01:08:07 GMT
Keep-Alive: timeout=5, max=100
X-HTTP-Version: 1.1

%PDF-1.3
%...........
4 0 obj
<< /Length 5 0 R /Filter /FlateDecode >>
stream
x..VM..7 ..W.T..z,i4....I.-.bS..!.a...nl..=. ...%O.Q.....|.Y.(..|.......). 9........l.h.'E....-....&.7]....... .}Fvr....}.x... .)...^k."U.rC.....w.N<...Z..u<..Z..e.j....4T.Hpj.........u...../g.....n.....o.......R....*.Do.9<.*]>...(...I8....ikJ_.T...:......c|..Ki..Q..>.U.MZ...*...!........jKik~7.qg.iw#.......|..............D/.\Yx..v...2<..d. O./...<...&.DDF....x..K. Qy...|..f F>.2k.v....^v..{^<..Q..v....t}.f;x.e.S..]...U.7......l..uD...

I hope that others have found it as useful as we have for rapidly investigating IDS alerts. Please use the project page or email me to let me know about any questions, issues, or suggestions.
Thanks,
Martin

From dopheide at ncsa.illinois.edu Fri Feb 4 09:00:49 2011
From: dopheide at ncsa.illinois.edu (Dop)
Date: Fri, 04 Feb 2011 11:00:49 -0600
Subject: [Bro] bro cluster notification options
Message-ID:

We're moving from a single production Bro system to a Bro cluster while also upgrading to 1.5.2. I've got a few questions about customizing notifications.

1) We have a situation where one of the Bro workers may be monitoring a shared link. We want all the events sent centrally to the manager still, but there's a request that an outside entity have access to that worker's logs as well. One option is to set "redef suppress_local_output = F;" and export the logs from the worker directly, but there's also the issue of email alerts. Is there an option to specify a different mail_dest for a given worker node?

2) Related to that, we want to send some alerts to different email addresses. Our use case here is sending off new, untuned alerts to a different address than our normal incident response list. One option is to just write a function that does that emailing through a script, but I'm just checking to make sure there isn't a built-in variable for that.

Thanks,
Dop

From dopheide at ncsa.illinois.edu Fri Feb 4 09:02:17 2011
From: dopheide at ncsa.illinois.edu (Dop)
Date: Fri, 04 Feb 2011 11:02:17 -0600
Subject: [Bro] Bro cluster questions, round 2
Message-ID:

Unrelated to notification, I have a couple more bro clustering questions.

1) A couple more months from now, asymmetric routing is going to be a real problem for us. My plan is to correlate possible_split_routing alerts to identify those situations. Other than writing an external script to process the logs on the manager node, can the manager do this within Bro? Essentially it would have to process an event based on an event handed to it from the worker nodes.
I guess this is a more general question, can the manager programmatically respond to things seen by various workers that the workers themselves can't see as a whole?

2) It's probably too early to ask as we're just beginning to think about this, but is it possible to distribute a Time Machine setup across all the Bro workers?

-Dop

From dopheide at ncsa.illinois.edu Fri Feb 4 09:02:47 2011
From: dopheide at ncsa.illinois.edu (Dop)
Date: Fri, 04 Feb 2011 11:02:47 -0600
Subject: [Bro] signatures
Message-ID:

(Last one for today, I promise)

Given these two signatures:

signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
}

signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
}

We see both of them (which I'm about to ignore), but I don't understand why one is triggered over the other.

Thanks,
Dop

From seth at icir.org Fri Feb 4 09:59:03 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 4 Feb 2011 12:59:03 -0500
Subject: [Bro] signatures
In-Reply-To:
References:
Message-ID: <9008A75C-13DC-4885-A1AF-39BFFF856696@icir.org>

On Feb 4, 2011, at 12:02 PM, Dop wrote:

> signature s2b-1939-4 {
>   ip-proto == udp
>   dst-port == 67
>   # Not supported: byte_test: 1,>,6,2
>   event "MISC bootp hardware address length overflow"
>   payload /\x01/
> }
>
> signature s2b-1940-3 {
>   ip-proto == udp
>   dst-port == 67
>   # Not supported: byte_test: 1,>,7,1
>   event "MISC bootp invalid hardware type"
>   payload /\x01/
> }
>
> We see both of them (which I'm about to ignore), but I don't understand
> why one is triggered over the other.

It's definitely best to get rid of both of those signatures. They aren't even matching what they claim to be matching because of those "Not supported" lines.
It's just an internal implementation detail as to which one gets triggered because the signature engine is going to look to see which one matched and it will trigger the first one that it finds and then stop.

Pretty much anything that says "s2b" (snort2bro) will be gone from the next release and can even currently be ignored. The snort2bro code has already been completely removed from the work repository.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Fri Feb 4 17:05:59 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 4 Feb 2011 17:05:59 -0800
Subject: [Bro] Bro cluster questions, round 2
In-Reply-To:
References:
Message-ID: <20110205010559.GI66988@icir.org>

On Fri, Feb 04, 2011 at 11:02 -0600, you wrote:

> it from the worker nodes. I guess this is a more general question, can
> the manager programmatically respond to things seen by various workers
> that the workers themselves can't see as a whole?

Yes. As long as the individual pieces of information arrive at the manager somehow, it can run arbitrary further Bro script code on them for correlation. Here, it could do so with the possible_split_routing weird events (which by default are actually not forwarded to the manager, but that can be changed). More generally, one can use arbitrary events to send any information back and forth between workers and manager.

> 2) It's probably too early to ask as we're just beginning to think about
> this, but is it possible to distribute a Time Machine setup across all the
> Bro workers?

Generally, yes. We haven't formalized that model yet, but I've been wanting to do that for quite a while already. The basic setup is pretty straight-forward, you just start one TM instance on every worker.
The interesting question is how to get packets out, and for that, one could run a TM proxy process on the manager system which receives queries for the TM (like from the command line client), relays them to all the backend TMs, and then collects their replies and forwards them to the original querier. Such a proxy should actually be pretty simple to implement. And once broctl gets the planned plugin API, it would be straight-forward to operate the "TM cluster" from there.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Feb 7 08:56:48 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 7 Feb 2011 08:56:48 -0800
Subject: [Bro] bro cluster notification options
In-Reply-To:
References:
Message-ID: <20110207165648.GA94570@icir.org>

On Fri, Feb 04, 2011 at 11:00 -0600, you wrote:

> directly, but there's also the issue of email alerts. Is there an
> option to specify a different mail_dest for a given worker node?

The direct answer to that question is, no, there's not right now, but it wouldn't be hard to add. However, there's a more general question here how to support such setups, as there are a number of things involved it seems. For example, what about alarms that cross the "worker boundary", like scans? Do you want them to go to the external entity? Perhaps only if one of their IPs gets scanned (which would be tricky though). Generally speaking, for all things not directly done on a single worker, but either correlated across workers (like scans), or derived on the manager (like notice policy), things could get a bit murky.

Depending on the specifics of what you're monitoring, I can see another way of doing this: running the one worker independently of the others (i.e., no shared proxy with the others), and adding a second "slave manager".
That guy would be receiving just stuff from this special worker, and could be configured with its own mail_dest, notice policy etc.; it would also do its own logging, so you don't need to enable that locally on the worker. At the same time, the "normal" manager would just keep running as usual, being connected to that worker as well, and handle all the configuration (as well as also receive the logs).

Generalizing this further, we're getting to something Seth has been thinking about quite a bit already: a "deep cluster" where broctl sets up a hierarchy of workers/proxies/managers for monitoring different sub-parts of an organisation's network, all controlled from a central location.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Feb 7 08:57:09 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 7 Feb 2011 08:57:09 -0800
Subject: [Bro] bro cluster notification options
In-Reply-To:
References:
Message-ID: <20110207165709.GB94570@icir.org>

On Fri, Feb 04, 2011 at 11:00 -0600, you wrote:

> different address than our normal incident response list. One option is
> to just write a function that does that emailing through a script, but I'm
> just checking to make sure there isn't a built-in variable for that.

Not a variable, but there's a function email_notice_to() you can use in your notice_policy, like this:

redef notice_policy += {
    [$pred(n: notice_info) = {
        if ( n$note == HTTP::HTTP_SensitiveURI )
            {
            if ( /INTERESTING-URL/ in n$URL )
                email_notice_to(n, "guy@interested.in.this.url");
            }
        return F;
    }]
};

This mails out matching notices to the given address in addition to normal handling. If you only wanted to mail them out, but not be reported locally, that normal handling could just set them to NOTICE_FILE.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From david.network.security at gmail.com Wed Feb 9 06:40:22 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Wed, 9 Feb 2011 15:40:22 +0100
Subject: [Bro] Signatures
Message-ID:

Hi all,

I'm trying Bro IDS for the very first time. I want to have a log file where I can see which signatures have been triggered. So I have created a very simple signature and check if it is triggered with --debug-rules.

Result:
1297262131.735271 SensitiveSignature 192.168.1.60: my signature

So the signature is triggered. However no file is created.

Am I missing something? I have read a lot of information and I didn't find anything.

BTW, the Bro Reference Manual refers to the Bro variable signatures_files. However it seems that the correct one is signature_files. Am I wrong?

Many thanks,
David

From seth at icir.org Wed Feb 9 07:05:02 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 9 Feb 2011 10:05:02 -0500
Subject: [Bro] Signatures
In-Reply-To:
References:
Message-ID: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org>

On Feb 9, 2011, at 9:40 AM, David Rodrigues wrote:

> Result:
> 1297262131.735271 SensitiveSignature 192.168.1.60: my signature
>
> So the signature is triggered. However no file is created.
>
> Am I missing something? I have read a lot of information and I didn't
> find anything.

I'm assuming you're loading the signatures.bro script? If you are, it should be creating a file named signatures.log in the current working directory.

> BTW, the Bro Reference Manual refers to the Bro variable
> signatures_files. However it seems that the correct one is
> signature_files. Am I wrong?

Sorry about that. Much of that documentation will be going away before too long. We just started on a fairly major project to improve Bro and documentation is included in that, but we're in-progress on a lot of things at the moment.
You are right though, it's signature_files. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From david.network.security at gmail.com Wed Feb 9 07:11:56 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Wed, 9 Feb 2011 16:11:56 +0100
Subject: [Bro] Signatures
In-Reply-To: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org>
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org>
Message-ID:

You are right. It created a file named signatures.log in the current working directory (not in the log directory). However, it's empty :(

Do I need to do something else?

Thanks,
David

On Wed, Feb 9, 2011 at 4:05 PM, Seth Hall wrote:
>
> On Feb 9, 2011, at 9:40 AM, David Rodrigues wrote:
>
>> Result:
>> 1297262131.735271 SensitiveSignature 192.168.1.60: my signature
>>
>> So the signature is triggered. However no file is created.
>>
>> Am I missing something? I have read a lot of information and I didn't
>> find anything.
>
> I'm assuming you're loading the signatures.bro script? If you are, it should be creating a file named signatures.log in the current working directory.
>
>> BTW, the Bro Reference Manual refers to the Bro variable
>> signatures_files. However it seems that the correct one is
>> signature_files. Am I wrong?
>
>
> Sorry about that. Much of that documentation will be going away before too long. We just started on a fairly major project to improve Bro and documentation is included in that, but we're in-progress on a lot of things at the moment.
>
> You are right though, it's signature_files.
> :)
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

From seth at icir.org Wed Feb 9 07:21:11 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 9 Feb 2011 10:21:11 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org>
Message-ID: <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>

On Feb 9, 2011, at 10:11 AM, David Rodrigues wrote:

> You are right. It created a file named signatures.log in the current
> working directory (not in the log directory). However, it's empty :(

The log directory is used by BroControl. If you execute the bro binary on the command line, it won't have all of the nice BroControl log rotation and functionality for managing and running production Bro instances.

> Do I need to do something else?

Try loading the notice.bro script and see if you get the signature match output into the notice.log file. I'm not sure offhand why you aren't seeing the signature match in signatures.log.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From david.network.security at gmail.com Wed Feb 9 07:42:29 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Wed, 9 Feb 2011 16:42:29 +0100
Subject: [Bro] Signatures
In-Reply-To: <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>
Message-ID:

Thanks Seth. But I still have no information in log files.

My files are simple, but maybe something is wrong...
local.site.bro:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";

signatures.sig:
signature sig-1-1 {
  event "my signature"
  payload /.*my/
}

I have also tried to change local.site.bro to:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";
redef signature_actions += {
  ["sig-1-1"] = SIG_FILE,
};

./bro --debug-rules -i eth2 /opt/bro/site/local.site.bro
outputs:
1297265765.179661 SensitiveSignature 192.168.1.60: my signature

But I still have empty log files (notice.log and signatures.log).

On Wed, Feb 9, 2011 at 4:21 PM, Seth Hall wrote:
>
> On Feb 9, 2011, at 10:11 AM, David Rodrigues wrote:
>
>> You are right. It created a file named signatures.log in the current
>> working directory (not in the log directory). However, it's empty :(
>
> The log directory is used by BroControl. If you execute the bro binary on the command line, it won't have all of the nice BroControl log rotation and functionality for managing and running production Bro instances.
>
>> Do I need to do something else?
>
>
> Try loading the notice.bro script and see if you get the signature match output into the notice.log file. I'm not sure offhand why you aren't seeing the signature match in signatures.log.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

From david.network.security at gmail.com Wed Feb 9 08:05:23 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Wed, 9 Feb 2011 17:05:23 +0100
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>
Message-ID:

It's working with the configuration below. I now understand the problem. I had to stop bro to get the results...

Thanks Seth for your help.

David

On Wed, Feb 9, 2011 at 4:42 PM, David Rodrigues wrote:
> Thanks Seth.
> But I still have no information in log files.
>
> My files are simple, but maybe something is wrong...
>
> local.site.bro:
> @load site
> @load signatures
> @load notice
> redef signature_files += "/opt/bro/site/signatures.sig";
>
> signatures.sig:
> signature sig-1-1 {
>   event "my signature"
>   payload /.*my/
> }
>
> I have also tried to change local.site.bro to:
> @load site
> @load signatures
> @load notice
> redef signature_files += "/opt/bro/site/signatures.sig";
> redef signature_actions += {
>   ["sig-1-1"] = SIG_FILE,
> };
>
> ./bro --debug-rules -i eth2 /opt/bro/site/local.site.bro
> outputs:
> 1297265765.179661 SensitiveSignature 192.168.1.60: my signature
>
> But I still have empty log files (notice.log and signatures.log).
>
> On Wed, Feb 9, 2011 at 4:21 PM, Seth Hall wrote:
>>
>> On Feb 9, 2011, at 10:11 AM, David Rodrigues wrote:
>>
>>> You are right. It created a file named signatures.log in the current
>>> working directory (not in the log directory). However, it's empty :(
>>
>> The log directory is used by BroControl. If you execute the bro binary on the command line, it won't have all of the nice BroControl log rotation and functionality for managing and running production Bro instances.
>>
>>> Do I need to do something else?
>>
>>
>> Try loading the notice.bro script and see if you get the signature match output into the notice.log file. I'm not sure offhand why you aren't seeing the signature match in signatures.log.
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>

From seth at icir.org Wed Feb 9 09:47:12 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 9 Feb 2011 12:47:12 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>
Message-ID:

On Feb 9, 2011, at 11:05 AM, David Rodrigues wrote:

> I had to stop bro to get the results...
Ah, Bro buffers file writes so you have two options (one which you've already found).

* Quit Bro so that files are flushed and closed.
* Disable the buffering on the file you are interested in -- set_buf(sig_file, F);

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Wed Feb 9 10:20:14 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 9 Feb 2011 13:20:14 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org>
Message-ID: <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>

On Feb 9, 2011, at 1:14 PM, Neslog wrote:

> How about the file_flush.bro? When I'm testing I load that one with a
> short time interval.

Good catch. I had a nagging feeling that I was missing something.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mattern at caltech.edu Wed Feb 9 15:38:32 2011
From: mattern at caltech.edu (Blake Mattern)
Date: Wed, 9 Feb 2011 15:38:32 -0800
Subject: [Bro] Install issue - Bro cluster
Message-ID: <20110209233832.GB13842@OptiPlex-745>

Greetings all,

I'm having an issue with the install of Bro via cluster mode. I receive this error when I run make install-broctl:

( cd aux/broctl && make install-broctl )
make[1]: Entering directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
MAKE_DESTDIR= ./bin/make-wrapper install --make
error: script must be run on manager node
make[1]: *** [install-broctl] Error 1
make[1]: Leaving directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
make: *** [install-broctl] Error 2

This is on the machine I will use as the Managing / Proxy. I also have 2 other machines set as workers (they installed fine - No issues)

Any ideas?
Thanks,

=-=Blake

--
Blake Mattern
Information Security
California Institute of Technology
626-395-3512
mattern at caltech.edu

From david.network.security at gmail.com Thu Feb 10 01:57:47 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Thu, 10 Feb 2011 10:57:47 +0100
Subject: [Bro] Signatures
In-Reply-To: <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

Thanks,

using @load file-flush (with a dash) worked :)

But now I'm running into another problem. The signature is only triggered once for the same host and for a given period of time.

Is there a way to report every single signature match?

On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall wrote:
>
> On Feb 9, 2011, at 1:14 PM, Neslog wrote:
>
>> How about the file_flush.bro? When I'm testing I load that one with a
>> short time interval.
>
>
> Good catch. I had a nagging feeling that I was missing something.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From neslog at gmail.com Thu Feb 10 06:54:33 2011
From: neslog at gmail.com (Neslog)
Date: Thu, 10 Feb 2011 09:54:33 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

Not sure within policy but you may want to try tcpreplay and set to generate the traffic at wire speed instead of disk I/O.

On 2/10/11, David Rodrigues wrote:
> Thanks,
>
> using @load file-flush (with a dash) worked :)
>
> But now I'm running into another problem.
>
> The signature is only triggered once for the same host and for a given
> period of time.
>
> Is there a way to report every single signature match?
>
> On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall wrote:
>>
>> On Feb 9, 2011, at 1:14 PM, Neslog wrote:
>>
>>> How about the file_flush.bro? When I'm testing I load that one with a
>>> short time interval.
>>
>>
>> Good catch. I had a nagging feeling that I was missing something.
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>

--
Sent from my mobile device

From dopheide at ncsa.illinois.edu Thu Feb 10 08:42:50 2011
From: dopheide at ncsa.illinois.edu (Dop)
Date: Thu, 10 Feb 2011 10:42:50 -0600
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <20110209233832.GB13842@OptiPlex-745>
Message-ID:

Blake,

Do you have an existing Bro installation at your target install location? I think I ran into this when I had a 1.5.1 installation and tried to put 1.5.2 on top of it. If you can't remove the existing install I'd try creating/editing your etc/node.cfg and setting the current system as the manager.

The next thing you'll want to do is edit share/bro/broctl/cluster-addrs.hot.bro and comment out line 3 (the only line).

-Dop

-----Original Message-----
From: Blake Mattern
Date: Wed, 9 Feb 2011 15:38:32 -0800
To:
Subject: [Bro] Install issue - Bro cluster

>Greetings all,
>
> I'm having an issue with the install of Bro via cluster mode.
>I receive
>this error when I run make install-broctl:
>
>( cd aux/broctl && make install-broctl )
>make[1]: Entering directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
>MAKE_DESTDIR= ./bin/make-wrapper install --make
>error: script must be run on manager node
>make[1]: *** [install-broctl] Error 1
>make[1]: Leaving directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
>make: *** [install-broctl] Error 2
>
>This is on the machine I will use as the Managing / Proxy. I also have 2
>other machines set as workers (they installed fine - No issues)
>
>Any ideas?
>
>Thanks,
>
> =-=Blake
>
>--
>Blake Mattern
>Information Security
>California Institute of Technology
>626-395-3512
>mattern at caltech.edu
>

From mattern at caltech.edu Thu Feb 10 12:12:09 2011
From: mattern at caltech.edu (Blake Mattern)
Date: Thu, 10 Feb 2011 12:12:09 -0800
Subject: [Bro] Install issue - Bro cluster
In-Reply-To:
References: <20110209233832.GB13842@OptiPlex-745>
Message-ID: <20110210201209.GH13842@OptiPlex-745>

Thanks for the info,

I did as you said, and the recompile and install went well. (no errors) But now I seem to get an error when trying to start /usr/loca/bro/bin/./broctl

# ./broctl
error: script must be run on manager node

here is what the node.cfg looks like:

[manager]
type=manager
host=is-bro1.is

[proxy-1]
type=proxy
host=is-bro1.is

[worker-1]
type=worker
host=is-bro2.is
interface=eth2

[worker-2]
type=worker
host=is-bro3.is
interface=eth2

Thanks,

=-=Blake

On Thu, Feb 10, 2011 at 10:42:50AM -0600, Dop wrote:
> Blake,
>
> Do you have an existing Bro installation at your target install location?
> I think I ran into this when I had a 1.5.1 installation and tried to put
> 1.5.2 on top of it. If you can't remove the existing install I'd try
> creating/editing your etc/node.cfg and setting the current system as the
> manager.
>
> The next thing you'll want to do is edit
> share/bro/broctl/cluster-addrs.hot.bro and comment out line 3 (the only
> line).
>
> -Dop
>
> -----Original Message-----
> From: Blake Mattern
> Date: Wed, 9 Feb 2011 15:38:32 -0800
> To:
> Subject: [Bro] Install issue - Bro cluster
>
> >Greetings all,
> >
> > I'm having an issue with the install of Bro via cluster mode. I receive
> >this error when I run make install-broctl:
> >
> >( cd aux/broctl && make install-broctl )
> >make[1]: Entering directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
> >MAKE_DESTDIR= ./bin/make-wrapper install --make
> >error: script must be run on manager node
> >make[1]: *** [install-broctl] Error 1
> >make[1]: Leaving directory `/home/bro1/bro/bro-1.5.2/aux/broctl'
> >make: *** [install-broctl] Error 2
> >
> >This is on the machine I will use as the Managing / Proxy. I also have 2
> >other machines set as workers (they installed fine - No issues)
> >
> >Any ideas?
> >
> >Thanks,
> >
> > =-=Blake
> >
> >--
> >Blake Mattern
> >Information Security
> >California Institute of Technology
> >626-395-3512
> >mattern at caltech.edu
> >
>
>

--
Blake Mattern
Information Security
California Institute of Technology
626-395-3512
mattern at caltech.edu

From mfw113 at psu.edu Thu Feb 10 12:21:34 2011
From: mfw113 at psu.edu (Mike Waite)
Date: Thu, 10 Feb 2011 15:21:34 -0500
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <20110210201209.GH13842@OptiPlex-745>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745>
Message-ID: <4D5448CE.80607@psu.edu>

Blake,

Are you running this on a Linux machine and are you running broctl as root? In my install I would get this error if /sbin was not in my path.
Michael Waite
Enterprise Security Analyst
Enterprise Information Privacy and Security Services (EIPSs)
Security Operations and Services (SOS)
Information Technology Services (ITS)
The Pennsylvania State University (PSU)

Direct Telephone: 814-865-2297
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security at psu.edu

On 02/10/2011 03:12 PM, Blake Mattern wrote:
> Thanks for the info,
>
> I did as you said, and the recompile and install went well (no errors).
> But now I seem to get an error when trying to start /usr/loca/bro/bin/./broctl
>
> # ./broctl
> error: script must be run on manager node
>
> Here is what the node.cfg looks like:
>
> [manager]
> type=manager
> host=is-bro1.is
>
> [proxy-1]
> type=proxy
> host=is-bro1.is
>
> [worker-1]
> type=worker
> host=is-bro2.is
> interface=eth2
>
> [worker-2]
> type=worker
> host=is-bro3.is
> interface=eth2
>
> Thanks,
>
> =-=Blake
>
> [...]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110210/f9ba8103/attachment.bin

From seth at icir.org Thu Feb 10 12:35:27 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 10 Feb 2011 15:35:27 -0500
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <4D5448CE.80607@psu.edu>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745> <4D5448CE.80607@psu.edu>
Message-ID: <55B7357B-F586-4732-8F49-2F5B744B83B6@icir.org>

On Feb 10, 2011, at 3:21 PM, Mike Waite wrote:

> In my install I would get this error if /sbin was not in my path.

Yep, that's the problem. You need to make sure that the ifconfig binary is in your path before running broctl. I'll file a ticket now to make sure we address that before the next release.
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mattern at caltech.edu Thu Feb 10 12:36:52 2011
From: mattern at caltech.edu (Blake Mattern)
Date: Thu, 10 Feb 2011 12:36:52 -0800
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <4D5448CE.80607@psu.edu>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745> <4D5448CE.80607@psu.edu>
Message-ID: <20110210203652.GI13842@OptiPlex-745>

Mike,

Yes, this is a Linux setup, RHEL 5.5, and the user is root (not the safest, but it will work for the test purpose).

Thanks

=-=Blake

On Thu, Feb 10, 2011 at 03:21:34PM -0500, Mike Waite wrote:
> Blake,
>
> Are you running this on a Linux machine, and are you running broctl as root?
>
> In my install I would get this error if /sbin was not in my path.
>
> [...]
--
Blake Mattern
Information Security
California Institute of Technology
626-395-3512
mattern at caltech.edu

From robin at icir.org Thu Feb 10 14:32:14 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 10 Feb 2011 14:32:14 -0800
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <55B7357B-F586-4732-8F49-2F5B744B83B6@icir.org>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745> <4D5448CE.80607@psu.edu> <55B7357B-F586-4732-8F49-2F5B744B83B6@icir.org>
Message-ID: <20110210223214.GH5345@icir.org>

On Thu, Feb 10, 2011 at 15:35 -0500, Seth Hall wrote:
> Yep, that's the problem. You need to make sure that the ifconfig
> binary is in your path before running broctl. I'll file a ticket now
> to make sure we address that before the next release.

Actually we have already: http://tracker.icir.org/bro/ticket/293

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From mattern at caltech.edu Thu Feb 10 15:01:30 2011
From: mattern at caltech.edu (Blake Mattern)
Date: Thu, 10 Feb 2011 15:01:30 -0800
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <4D5448CE.80607@psu.edu>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745> <4D5448CE.80607@psu.edu>
Message-ID: <20110210230130.GK13842@OptiPlex-745>

I think I set the /sbin correctly.
Now I get this error:

[root at is-bro1 bin]# ./broctl install
error: cannot use localhost/127.0.0.1 for manager host in nodes configuration

Thanks,

=-=Blake

On Thu, Feb 10, 2011 at 03:21:34PM -0500, Mike Waite wrote:
> Blake,
>
> Are you running this on a Linux machine, and are you running broctl as root?
>
> In my install I would get this error if /sbin was not in my path.
>
> [...]
--
Blake Mattern
Information Security
California Institute of Technology
626-395-3512
mattern at caltech.edu

From soehlert at ncsa.uiuc.edu Thu Feb 10 15:20:58 2011
From: soehlert at ncsa.uiuc.edu (Sam Oehlert)
Date: Thu, 10 Feb 2011 17:20:58 -0600 (CST)
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <20110210230130.GK13842@OptiPlex-745>
Message-ID: <423026721.7819.1297380058759.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

Blake,

I was running into the same issues you are facing when first setting up my bro cluster.
I just took a peek at my nodes.cfg and instead of using localhost or 127.0.0.1 to represent the manager/proxy, I used the IP that the worker nodes saw the manager at. I see you are using hostnames instead of IP addresses for this, so I don't know how much help this will be, but this works for me. I also am not sure if this is the best method, but I can confirm it works.

Sam

----- Original Message -----
From: "Blake Mattern"
To: "Mike Waite"
Cc: bro at bro-ids.org
Sent: Thursday, February 10, 2011 5:01:30 PM
Subject: Re: [Bro] Install issue - Bro cluster

I think I set the /sbin correctly.

Now I get this error:

[root at is-bro1 bin]# ./broctl install
error: cannot use localhost/127.0.0.1 for manager host in nodes configuration

Thanks,

=-=Blake

[...]
From seth at icir.org Thu Feb 10 18:13:04 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 10 Feb 2011 21:13:04 -0500
Subject: [Bro] Install issue - Bro cluster
In-Reply-To: <20110210223214.GH5345@icir.org>
References: <20110209233832.GB13842@OptiPlex-745> <20110210201209.GH13842@OptiPlex-745> <4D5448CE.80607@psu.edu> <55B7357B-F586-4732-8F49-2F5B744B83B6@icir.org> <20110210223214.GH5345@icir.org>
Message-ID: <48E3C5A7-DF99-4B36-BCE0-4F83105B4764@icir.org>

On Feb 10, 2011, at 5:32 PM, Robin Sommer wrote:
>
> Actually we have already:

Oops, totally missed that one.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From david.network.security at gmail.com Thu Feb 10 23:56:47 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Fri, 11 Feb 2011 08:56:47 +0100
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

I'm using 'nc' to see how BroIDS behaves.

For now, it's not a problem of speed. Maybe later... I want to use it in a 10Gbps network speed. Maybe 100Gbps in 1/2 years.
On Thu, Feb 10, 2011 at 3:54 PM, Neslog wrote:
> Not sure within policy but you may want to try tcpreplay and set to
> generate the traffic at wire speed instead of disk I/O.
>
> On 2/10/11, David Rodrigues wrote:
>> Thanks,
>>
>> using @load file-flush (with a dash) worked :)
>>
>> But now I'm running into another problem.
>>
>> The signature is only triggered once for the same host and for a given
>> period of time.
>>
>> Is there a way to report every single signature match?
>>
>> On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall wrote:
>>>
>>> On Feb 9, 2011, at 1:14 PM, Neslog wrote:
>>>
>>>> How about the file_flush.bro? When I'm testing I load that one with a
>>>> short time interval.
>>>
>>>
>>> Good catch. I had a nagging feeling that I was missing something.
>>>
>>>  .Seth
>>>
>>> [...]
>
> --
> Sent from my mobile device
>

From seth at icir.org Wed Feb 16 11:33:35 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 16 Feb 2011 14:33:35 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

On Feb 10, 2011, at 4:57 AM, David Rodrigues wrote:

> using @load file-flush (with a dash) worked :)

Oops!

> The signature is only triggered once for the same host and for a given
> period of time.
>
> Is there a way to report every single signature match?

Sorry to sort of disappear on you for a few days. I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once. Could you capture some traffic and send the signature you are using? By default, it should be triggering on every match for a host.
Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From david.network.security at gmail.com Mon Feb 21 01:02:17 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Mon, 21 Feb 2011 10:02:17 +0100
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

I'm sorry. I'll be more precise.

The signature is only triggered once for the same host and for a given period of time (and for the same TCP connection).

If I close and restart the connection the signature is always triggered.

Is that normal?

Thanks,
David

On Wed, Feb 16, 2011 at 8:33 PM, Seth Hall wrote:
>
> [...]
>
> Sorry to sort of disappear on you for a few days. I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once. Could you capture some traffic and send the signature you are using? By default, it should be triggering on every match for a host.
>
> Thanks,
>  .Seth
>
> [...]

From seth at icir.org Tue Feb 22 21:08:28 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 23 Feb 2011 00:08:28 -0500
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

On Feb 21, 2011, at 4:02 AM, David Rodrigues wrote:

> The signature is only triggered once for the same host and for a given
> period of time (and for the same TCP connection).
>
> If I close and restart the connection the signature is always triggered.
>
> Is that normal?

Ah! I believe that is normal. I don't think that the same signature will trigger multiple times in the same TCP connection.

Can you give any more details about the scenario in which you need this? The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From david.network.security at gmail.com Wed Feb 23 02:24:42 2011
From: david.network.security at gmail.com (David Rodrigues)
Date: Wed, 23 Feb 2011 11:24:42 +0100
Subject: [Bro] Signatures
In-Reply-To:
References: <8B214A4F-51F9-45C2-B281-3C17275C3295@icir.org> <03AFF7CE-5478-4020-8FEA-EA42995BD211@icir.org> <82E626F1-2F2E-4A0C-A1A1-436EA575962D@icir.org>
Message-ID:

First I thought it was a bug. I only realized that it only concerned the same TCP connections after my first e-mail.

But the behavior is different for Suricata. That's why I asked if it was a bug or normal behavior for Bro.

But now it's crystal clear.
Thanks a lot,
David

On Wed, Feb 23, 2011 at 6:08 AM, Seth Hall wrote:
>
> [...]
>
> Ah! I believe that is normal. I don't think that the same signature will trigger multiple times in the same TCP connection.
>
> Can you give any more details about the scenario in which you need this? The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish.
>
> Thanks,
>  .Seth
>
> [...]

From robin at icir.org Wed Feb 23 15:13:28 2011
From: robin at icir.org (Robin Sommer)
Date: Wed, 23 Feb 2011 15:13:28 -0800
Subject: [Bro] Summer Internship
Message-ID: <20110223231328.GF18720@icir.org>

The Bro project is looking for an exceptional intern for three months during the summer of 2011. If you are interested in helping us improve Bro and develop new functionality, please apply!

We are looking for candidates who have excellent programming skills in C/C++ and Python, are familiar with Unix-style systems, and have a solid background in network technology. Having implemented network protocols before is a plus, as is prior involvement with open source projects.

This position is a paid engineering internship at the International Computer Science Institute in Berkeley, CA. ICSI will cover travel to Berkeley as well as provide support with obtaining a temporary US visa if required.

The deadline for applications is Friday, April 8, 2011. Applicants will be notified of decisions by March 15, 2011.
If you are interested, please send an application including a cover letter and a resume to info at bro-ids.org (TXT or PDF format only please). Make sure to mention any relevant programming projects that you have been working on in the past and describe what your role in them was. Please also include the name of at least one reference, and arrange for the reference to submit a supporting letter to info at bro-ids.org via email by the submission deadline.

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Wed Feb 23 15:42:01 2011
From: robin at icir.org (Robin Sommer)
Date: Wed, 23 Feb 2011 15:42:01 -0800
Subject: [Bro] Summer Internship
In-Reply-To: <20110223231328.GF18720@icir.org>
References: <20110223231328.GF18720@icir.org>
Message-ID: <20110223234201.GB21997@icir.org>

On Wed, Feb 23, 2011 at 15:13 -0800, I wrote:
> The deadline for applications is Friday, April 8, 2011. Applicants
> will be notified of decisions by March 15, 2011.

That should read "decisions by *April* 15". The corrected version is also online here: http://www.bro-ids.org/intern.html

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
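Editor's added example for the "Install issue - Bro cluster" thread above. That thread boils down to two pre-flight conditions before running broctl on the manager: the ifconfig binary has to be on PATH (Seth confirms that "script must be run on manager node" is what you get when it is not, and Robin points at tracker ticket 293), and node.cfg must not name localhost/127.0.0.1 as the manager host ("cannot use localhost/127.0.0.1 for manager host in nodes configuration"). The script below checks both before you touch broctl. It is not broctl's own code and nothing in it comes from the Bro project; it assumes the INI-style node.cfg layout that Blake posted ([section] headers with type= and host= keys), its exit codes and messages are its own design, and the extra step that resolves a manager hostname to see whether it maps to loopback is an assumption about why a hostname can still trip that check, not something the thread states. It also flags a section header typed without its opening bracket, which broctl's config parser would not accept.

```shell
#!/bin/sh
# Pre-flight checks before `broctl install` on a Bro 1.5-era cluster.
# Added example for this thread, not part of broctl. Assumptions: node.cfg is
# the INI-style file shown in the thread ([section] headers, key=value lines);
# broctl needs `ifconfig` on PATH; the manager host may not be loopback.
# Exit codes, messages and the hostname-resolution step are this script's own.

# find_tool NAME [SEARCHPATH]: print the first executable NAME found in the
# colon-separated SEARCHPATH (default: PATH plus the sbin directories that a
# root shell entered with plain `su` typically lacks). Returns 1 if not found.
find_tool() {
    _name=$1
    _search=${2:-$PATH:/sbin:/usr/sbin}
    _old_ifs=$IFS
    IFS=:
    for _dir in $_search; do
        if [ -x "$_dir/$_name" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# cfg_lint FILE: every non-blank, non-comment line must be a "[section]"
# header or a "key=value" pair. Prints each offending line; returns 1 if any.
# A header typed as "manager]" (opening bracket missing) is reported here.
cfg_lint() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/                  { next }
        /^\[[^]]+\][ \t]*$/                       { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_.-]*[ \t]*=/  { next }
        { print FILENAME ":" NR ": malformed line: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# manager_host FILE: print the host= value of the section whose type=manager.
manager_host() {
    awk -F= '
        /^\[[^]]+\][ \t]*$/ { sec = $0; next }
        NF < 2              { next }
        { gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == "type" && $2 == "manager" { mgr = sec }
        $1 == "host"                    { host[sec] = $2 }
        END { if (mgr != "" && mgr in host) print host[mgr] }
    ' "$1"
}

# check_node_cfg FILE: 0 ok, 1 malformed line(s), 2 no manager section,
# 3 manager host is loopback (the condition broctl install rejects).
check_node_cfg() {
    cfg_lint "$1" || return 1
    _mgr=$(manager_host "$1")
    if [ -z "$_mgr" ]; then
        echo "$1: no section with type=manager (or it has no host=)" >&2
        return 2
    fi
    _addr=$_mgr
    case $_mgr in
        *[!0-9.]*)
            # Not a dotted quad. Assumption: a name that /etc/hosts maps to
            # 127.0.0.1 fails the same way, so resolve it when getent exists.
            if command -v getent >/dev/null 2>&1; then
                _addr=$(getent hosts "$_mgr" | awk 'NR == 1 { print $1 }')
                [ -n "$_addr" ] || _addr=$_mgr
            fi ;;
    esac
    case $_addr in
        localhost|127.*|::1)
            echo "$1: manager host '$_mgr' is loopback ($_addr); other hosts cannot reach it" >&2
            return 3 ;;
    esac
    printf 'manager host: %s\n' "$_mgr"
    return 0
}

# Usage: sh broctl-preflight.sh /usr/local/bro/etc/node.cfg
if [ $# -gt 0 ]; then
    if _ifc=$(find_tool ifconfig); then
        echo "ifconfig: $_ifc"
    else
        echo "ifconfig: not on PATH; export PATH=\$PATH:/sbin:/usr/sbin before running broctl" >&2
    fi
    check_node_cfg "$1"
fi
```

Run it as root on the manager with the path to node.cfg. On RHEL 5 ifconfig lives in /sbin; a root shell entered with plain `su` keeps the calling user's PATH, which typically does not include /sbin, so the PATH fix or `su -` is the usual cure for the first error. For the second, Sam's workaround from the thread applies: put the address that the workers actually see the manager at in host=, not localhost or a name that resolves to loopback.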