From jpl at didconcept.com Tue Jun 14 18:42:55 2011
From: jpl at didconcept.com (jean-philippe luiggi)
Date: Tue, 14 Jun 2011 21:42:55 -0400
Subject: [Bro] Current IDS and Data Mining research
Message-ID: <4DF80E1F.4010305@didconcept.com>

On 30/05/2011 2:23 AM, Suman Nandi wrote:
> Dear Bro Developer and contributor
> I have been working on IDS and Data Mining. I would like to know the current
> research in this area, that is, IDS using Data Mining, and what the current
> research areas and objectives are where Data Mining can provide solutions to IDS?
>

Hello,

Sorry for being so late with the response, but I'm not sure data mining
should be used alone with "Bro" (I mean for detection). A possible solution
would be to use it with some other solutions like ANN (neural nets), SVM
(support vector machines), etc. I think we are here at the crossroads
between misuse and anomaly detection.

Cheers,
Jean-Philippe.

From mdmonk at gmail.com Wed Jun 15 12:08:58 2011
From: mdmonk at gmail.com (Chuck Little)
Date: Wed, 15 Jun 2011 13:08:58 -0600
Subject: [Bro] Bro workshop survey
Message-ID: <4DF9034A.9040308@gmail.com>

Did you folks decide on when/where the Bro workshop will be held? I'm
prob the only one who chose Champaign/Urbana as the training location. lol

-Chuck

##### in reply to #####
------------------------------
Date: Thu, 21 Apr 2011 13:52:27 -0400
From: Seth Hall
Subject: [Bro] Bro workshop survey
To: "Bro List"

Hi all,

I just posted a survey for us to get more comprehensive feedback regarding
the next Bro workshop. Please forward/retweet this survey to anyone that
you think might be interested.

The survey: http://bit.ly/fMR9n2
My tweet about the survey: https://twitter.com/remor/status/61124564507308032

Thanks!
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Wed Jun 15 12:19:06 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 15 Jun 2011 15:19:06 -0400
Subject: [Bro] Bro workshop survey
In-Reply-To: <4DF9034A.9040308@gmail.com>
References: <4DF9034A.9040308@gmail.com>

On Jun 15, 2011, at 3:08 PM, Chuck Little wrote:

> Did you folks decide on when/where the Bro workshop will be held? I'm
> prob the only one who chose Champaign/Urbana as the training location. lol

It was actually split pretty evenly. We haven't followed up yet because
we're trying to get the next release nearer to being ready before
announcing a workshop. Hopefully soon!

I'm going to be doing a video very soon doing some trace file analysis
with the in-progress version of Bro to hopefully build some more
excitement about the release too. We're already really excited about it. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From mdmonk at gmail.com Thu Jun 16 09:26:24 2011
From: mdmonk at gmail.com (Chuck Little)
Date: Thu, 16 Jun 2011 10:26:24 -0600
Subject: [Bro] Pcap Buffer = 0
Message-ID: <4DFA2EB0.609@gmail.com>

I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
traffic. I know I'm missing something (config setting, etc.) but am unsure
what it is. I consulted teh Google but didn't have much luck. Could
someone provide some insight/advice? Thanks!

-Chuck

Here are the particulars:

Possible symptom is that the pcap buffer = 0 (e.g. in
/raid/bro/spool/rigel-igb0/stderr.log).
Bro-IDS v1.5.3
FreeBSD v8.2-RELEASE

in /etc/rc.conf:
ifconfig_igb0="mtu 9000 promisc -arp up"
ifconfig_igb1="mtu 9000 promisc -arp up"
ifconfig_igb2="mtu 9000 promisc -arp up"
ifconfig_igb3="mtu 9000 promisc -arp up"
ifconfig_igb4="mtu 9000 promisc -arp up"
ifconfig_igb5="mtu 9000 promisc -arp up"

in /etc/sysctl.conf:
## Increase packet capture buffer sizes
net.bpf.maxbufsize=10485760
net.bpf.bufsize=10485760
## Increase socket buffer limits
kern.ipc.maxsockbuf=4194304

in /boot/loader.conf:
kern.ipc.nmbclusters="131072"
kern.ipc.nmbjumbo9="65536"

Output of `broctl config`:

[BroControl] > config
analysis-dns = 0
analysiscfg = /raid/bro/etc/analysis.dat
auxpostprocessors =
auxscriptsmanager =
auxscriptsstandalone =
auxscriptsworker =
bindir = /raid/bro/bin
bro = /raid/bro/bin/bro
broargs =
brobase = /raid/bro
broversion = 1.5.3
capstats = /raid/bro/bin/capstats
cfgdir = /raid/bro/etc
cflowaddr =
cflowpassword =
cflowuser =
cron = 0
cron-enabled = 1
croncmd =
cronenabled = 1
custominstallbin =
debug = 1
debuglog = /raid/bro/spool/debug.log
defsitepolicypath = /raid/bro/share/bro/site
devmode = 0
distdir = /root/WORKING/bro-1.5.3
havebroccoli =
havenfs = 0
helperdir = /raid/bro/share/broctl/scripts/helpers
home = /root
libdir = /raid/bro/lib
libdirinternal = /raid/bro/lib/broctl
localnetscfg = /raid/bro/etc/networks.cfg
lockfile = /raid/bro/spool/lock
logdir = /raid/bro/logs
logexpireinterval = 30
mailalarmprefix = ALERT:
mailalarms = 1
mailalarmsto = root at localhost
mailfrom = Big Brother
mailreplyto =
mailsubjectprefix = [Bro]
mailto = root at localhost
makearchivename = /raid/bro/share/broctl/scripts/make-archive-name
memlimit = unlimited
mindiskspace = 5
nodecfg = /raid/bro/etc/node.cfg
os = freebsd
policydir = /raid/bro/share/bro
policydirbroctl = /raid/bro/share/bro/broctl
policydirsiteinstall = /raid/bro/share/bro/.site
policydirsiteinstallauto = /raid/bro/share/bro/.site/auto
postprocdir = /raid/bro/share/broctl/scripts/postprocessors
prefixes = local
rigel-crashed = 0
rigel-igb0-crashed = 0
rigel-igb0-pid = 2543
rigel-igb0-port = 47762
rigel-igb1-crashed = 0
rigel-igb1-pid = 2544
rigel-igb1-port = 47763
rigel-igb2-crashed = 0
rigel-igb2-pid = 2545
rigel-igb2-port = 47764
rigel-igb3-crashed = 0
rigel-igb3-pid = 2542
rigel-igb3-port = 47765
rigel-igb4-crashed = 0
rigel-igb4-pid = 2541
rigel-igb4-port = 47766
rigel-igb5-crashed = 0
rigel-igb5-pid = 2546
rigel-igb5-port = 47767
rigel-p1-crashed = 0
rigel-p1-pid = 2426
rigel-p1-port = 47761
rigel-pid = 1967
rigel-port = 47760
savetraces = 0
scripts-manager = cluster-manager
scripts-proxy = cluster-proxy
scripts-standalone = standalone
scripts-worker = cluster-worker
scriptsdir = /raid/bro/share/broctl/scripts
sendmail = 1
sigint = 0
sitepolicymanager = local-manager
sitepolicypath = /raid/bro/share/bro/site
sitepolicystandalone = local.bro
sitepolicyworker = local-worker
spooldir = /raid/bro/spool
standalone = 0
statefile = /raid/bro/spool/broctl.dat
staticdir = /raid/bro/share/broctl
statsdir = /raid/bro/logs/stats
statslog = /raid/bro/spool/stats.log
templatedir = /raid/bro/share/broctl/templates
time = /usr/bin/time
timefmt = %d %b %H:%M:%S
timemachinehost =
timemachineport = 47757/tcp
tmpdir = /raid/bro/spool/tmp
tmpexecdir = /raid/bro/spool/tmp
tracesummary = /raid/bro/bin/trace-summary
version = 0.3

From JAzoff at uamail.albany.edu Thu Jun 16 10:02:07 2011
From: JAzoff at uamail.albany.edu (Justin Azoff)
Date: Thu, 16 Jun 2011 13:02:07 -0400
Subject: [Bro] Pcap Buffer = 0
In-Reply-To: <4DFA2EB0.609@gmail.com>
References: <4DFA2EB0.609@gmail.com>
Message-ID: <20110616170207.GG1736@datacomm.albany.edu>

On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
> traffic. I know I'm missing something (config setting, etc) but am
> unsure what it is. I consulted teh Google but didn't have much luck.
> Could someone provide some insight/advice? Thanks!
>
> -Chuck

Does broctl capstats show your interfaces receiving packets?

--
-- Justin Azoff
-- Network Security & Performance Analyst

From mdmonk at gmail.com Thu Jun 16 10:08:12 2011
From: mdmonk at gmail.com (Chuck Little)
Date: Thu, 16 Jun 2011 11:08:12 -0600
Subject: [Bro] Pcap Buffer = 0
In-Reply-To: <20110616170207.GG1736@datacomm.albany.edu>
References: <4DFA2EB0.609@gmail.com> <20110616170207.GG1736@datacomm.albany.edu>
Message-ID: <4DFA387C.90404@gmail.com>

Output:

[rigel /raid/bro/bin]# ./broctl capstats

Interface        kpps     mbps     (10s average)
------------------------------
rigel-igb0        0.0      0.0
rigel-igb1       39.7    147.0
rigel-igb2       19.2     96.7
rigel-igb3       24.1    137.3
rigel-igb4        0.0      0.0
rigel-igb5        0.0      0.0

Total            83.0    381.0

-Chuck

On 6/16/11 11:02 AM, Justin Azoff wrote:
> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
>> traffic. I know I'm missing something (config setting, etc) but am
>> unsure what it is. I consulted teh Google but didn't have much luck.
>> Could someone provide some insight/advice? Thanks!
>>
>> -Chuck
>
> Does broctl capstats show your interfaces receiving packets?
>

From ssakai at sdsc.edu Thu Jun 16 12:28:11 2011
From: ssakai at sdsc.edu (Scott Sakai)
Date: Thu, 16 Jun 2011 12:28:11 -0700
Subject: [Bro] Pcap Buffer = 0
In-Reply-To: <4DFA387C.90404@gmail.com>
References: <4DFA2EB0.609@gmail.com> <20110616170207.GG1736@datacomm.albany.edu> <4DFA387C.90404@gmail.com>
Message-ID: <4DFA594B.9080509@sdsc.edu>

Hi Chuck,

Just a thought: Is the traffic that you're (not) capturing vlan tagged?

tcpdump with the '-e' argument and no filter will tell you for sure.

If so, you need to load the vlan policy, otherwise libpcap will apply the
filter rules to the wrong frame offsets.
On 06/16/2011 10:08 AM, Chuck Little wrote:
> Output:
>
> [rigel /raid/bro/bin]# ./broctl capstats
>
> Interface        kpps     mbps     (10s average)
> ------------------------------
> rigel-igb0        0.0      0.0
> rigel-igb1       39.7    147.0
> rigel-igb2       19.2     96.7
> rigel-igb3       24.1    137.3
> rigel-igb4        0.0      0.0
> rigel-igb5        0.0      0.0
>
> Total            83.0    381.0
>
>
> -Chuck
>
> On 6/16/11 11:02 AM, Justin Azoff wrote:
>> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
>>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
>>> traffic. I know I'm missing something (config setting, etc) but am
>>> unsure what it is. I consulted teh Google but didn't have much luck.
>>> Could someone provide some insight/advice? Thanks!
>>>
>>> -Chuck
>>
>> Does broctl capstats show your interfaces receiving packets?
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

From robin at icir.org Fri Jun 17 08:57:26 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 17 Jun 2011 08:57:26 -0700
Subject: [Bro] New Bro web site and blog
Message-ID: <20110617155726.GD67203@icir.org>

We're happy to announce that Bro has a completely new web site that's
now online at the well-known location:

    http://www.bro-ids.org

We now also have a Bro blog, http://blog.bro-ids.org; and if you like
you can follow us on Twitter @Bro_IDS.

The old web pages remain accessible for the time being at
www-old.bro-ids.org.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From mdmonk at gmail.com Fri Jun 17 13:35:32 2011
From: mdmonk at gmail.com (Chuck Little)
Date: Fri, 17 Jun 2011 14:35:32 -0600
Subject: [Bro] Bro Digest, Vol 62, Issue 3
Message-ID: <4DFBBA94.9000901@gmail.com>

Thanks Scott! I forgot about the vlan part.
So I added that policy to be loaded, restarted bro, and it appears to be
working. woo hoo!

I also had to make a couple of additional mods to tunable kernel params:

# in /boot/loader.conf:
kern.ipc.nmbclusters="131072"
kern.ipc.nmbjumbo9="131072"
hw.igb.rxd="512"

# in /etc/sysctl.conf:
## Increase packet capture buffer sizes
net.bpf.maxbufsize=10485760
net.bpf.bufsize=10485760
## Increase socket buffer limits
kern.ipc.maxsockbuf=4194304

Which got rid of the "igb0: Could not setup receive structures" errors at
boot time (dmesg output). But I still have the "pcap bufsize = 0" in each
of the stderr.log log files.

I appreciate all the assistance folks!

-Chuck

On 6/17/11 1:00 PM, bro-request at bro-ids.org wrote:
> Today's Topics:
>
>    1. Re: Pcap Buffer = 0 (Scott Sakai)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Jun 2011 12:28:11 -0700
> From: Scott Sakai
> Subject: Re: [Bro] Pcap Buffer = 0
> To: bro at bro-ids.org
> Message-ID: <4DFA594B.9080509 at sdsc.edu>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Chuck,
>
> Just a thought: Is the traffic that you're (not) capturing vlan tagged?
>
> tcpdump with the '-e' argument and no filter will tell you for sure.
>
> If so, you need to load the vlan policy, otherwise libpcap will apply the
> filter rules to the wrong frame offsets.
>

From robin at icir.org Tue Jun 21 06:20:55 2011
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Jun 2011 06:20:55 -0700
Subject: [Bro] Bro communication via SSL
Message-ID: <20110621132055.GD35615@icir.org>

Hi all,

I'd like to understand to which degree folks are currently using Bro's
built-in support for doing Bro-to-Bro or Bro-to-Broccoli communication
via SSL.

My hunch is that not many installations are using this, though I know
a few that do (note that if you haven't configured SSL specifically,
you are not using it :-).

Those who do use SSL for Bro communication, would it be an option to
replace it with something external like stunnel?

I'm asking because we're planning to rework the communication layer
quite a bit. Not only has supporting SSL directly been quite a pain in
the past, but we'd also be more flexible in terms of leveraging
external libraries if SSL were not crucial.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From mcholste at gmail.com Tue Jun 21 06:32:29 2011
From: mcholste at gmail.com (Martin Holste)
Date: Tue, 21 Jun 2011 08:32:29 -0500
Subject: [Bro] Bro communication via SSL
In-Reply-To: <20110621132055.GD35615@icir.org>
References: <20110621132055.GD35615@icir.org>

I second this idea. No encryption would help a lot and cut down on
compile requirements. It can also make debugging easier. To achieve
confidentiality, I wire all my NMS together using OpenVPN so they have
their own private network, though stunnel would work just fine as you've
pointed out.
On Tue, Jun 21, 2011 at 8:20 AM, Robin Sommer wrote:
> Hi all,
>
> I'd like to understand to which degree folks are currently using Bro's
> built-in support for doing Bro-to-Bro or Bro-to-Broccoli communication
> via SSL.
>
> My hunch is that not many installations are using this, though I know
> a few that do (note that if you haven't configured SSL specifically,
> you are not using it :-).
>
> Those who do use SSL for Bro communication, would it be an option to
> replace it with something external like stunnel?
>
> I'm asking because we're planning to rework the communication layer
> quite a bit. Not only has supporting SSL directly been quite a pain in
> the past, but we'd also be more flexible in terms of leveraging
> external libraries if SSL were not crucial.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>

From seth at icir.org Tue Jun 21 06:51:25 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 21 Jun 2011 09:51:25 -0400
Subject: [Bro] Bro communication via SSL
References: <20110621132055.GD35615@icir.org>

On Jun 21, 2011, at 9:32 AM, Martin Holste wrote:

> I second this idea. No encryption would help a lot and cut down on
> compile requirements.

It actually won't cut down on compilation requirements due to OpenSSL
being a required dependency for the next release.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Tue Jun 21 12:04:27 2011
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Jun 2011 12:04:27 -0700
Subject: [Bro] Bro communication via SSL
References: <20110621132055.GD35615@icir.org>
Message-ID: <20110621190427.GE6039@icir.org>

On Tue, Jun 21, 2011 at 09:51 -0400, you wrote:

> It actually won't cut down on compilation requirements due to OpenSSL
> being a required dependency for the next release.

(Just to clarify, that dependency is due to the new SSL protocol *analyzer*.)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From dwyschogrod at bbn.com Fri Jun 24 06:15:44 2011
From: dwyschogrod at bbn.com (Dan Wyschogrod)
Date: Fri, 24 Jun 2011 09:15:44 -0400
Subject: [Bro] Bro and ICMP
Message-ID: <1D3C0A82-4EEB-4B5E-A524-6E152A0625C0@bbn.com>

Several of us in the Cyber Security group at BBN are beginning to explore
Bro for use in one of our projects. Currently, we're thinking of using it
to monitor ICMP traffic. I've noticed that in the reference manual there's
a not-filled-in entry on an ICMP analyzer, and in the source code there's
an ICMP analysis script and what appears to be an analyzer. Is there
active work going on in detecting ICMP irregularities using Bro? Is there
any interest in contributions to Bro of some ICMP sensors we've begun
working on?
Thanks,

Dan Wyschogrod

____________________
Dan Wyschogrod
Cyber Security
Raytheon/BBN Technologies
dwyschogrod at bbn.com

From seth at icir.org Fri Jun 24 06:23:55 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 24 Jun 2011 09:23:55 -0400
Subject: [Bro] Bro and ICMP
In-Reply-To: <1D3C0A82-4EEB-4B5E-A524-6E152A0625C0@bbn.com>
References: <1D3C0A82-4EEB-4B5E-A524-6E152A0625C0@bbn.com>
Message-ID: <4980BF05-5265-4359-A75F-BC605E8B03F8@icir.org>

On Jun 24, 2011, at 9:15 AM, Dan Wyschogrod wrote:

> Several of us in the Cyber Security group at BBN are beginning to explore
> Bro for use in one of our projects.

Cool!

> Is there active work going on in detecting ICMP irregularities using Bro?

Not too actively, but I'm deep in the midst of a complete shipped-scripts
rewrite. I have a new ICMP script mostly done, but I was a little lost
about where to go with it. Any clues would be greatly appreciated.

> Is there any interest in contributions to Bro of some ICMP sensors we've
> begun working on?

Absolutely.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
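Returning to Scott Sakai's point in the "Pcap Buffer = 0" thread above: a capture filter compiled for untagged Ethernet expects the IP header at byte 14, and on an 802.1Q-tagged frame byte 12 holds the tag's TPID (0x8100) rather than the IPv4 ethertype, so the filter matches nothing and capstats reads zero even though the interface is busy. The block below is an added example, not code from Bro, from its vlan policy, or from anyone on the list. The MAC addresses, IPv4 header and VLAN IDs are constructed for the demonstration; it also goes beyond Scott's single-tag case by walking stacked 802.1ad/802.1Q (QinQ) tags, and the `(expr) or (vlan and (expr))` rewrite is the usual libpcap/tcpdump idiom for matching both tagged and untagged traffic, not Bro's own mechanism.

```python
# Added example, not code from Bro or from anyone on the list.  It builds
# constructed Ethernet frames (plain, 802.1Q-tagged, QinQ), shows that a
# parser assuming the IP header at byte 14 misreads tagged frames, and shows
# the libpcap filter rewrite that covers both tagged and untagged traffic.
import struct
from typing import Optional, Tuple

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100   # 802.1Q customer tag
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag)
ETH_HDR_LEN = 14       # dst(6) + src(6) + ethertype(2)
IPPROTO_TCP = 6

# Constructed sample addresses; any values work for the demonstration.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def ipv4_tcp_header() -> bytes:
    """Minimal constructed 20-byte IPv4 header carrying TCP (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, IPPROTO_TCP, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def build_frame(payload: bytes, vlan_ids: Tuple[int, ...] = ()) -> bytes:
    """Ethernet frame around payload with zero or more VLAN tags, outermost first."""
    hdr = DST_MAC + SRC_MAC
    for i, vid in enumerate(vlan_ids):
        # Outer tags of a QinQ stack use 0x88A8; the innermost tag uses 0x8100.
        tpid = ETH_P_8021AD if i < len(vlan_ids) - 1 else ETH_P_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def naive_is_ipv4_tcp(frame: bytes) -> bool:
    """What a filter compiled without 'vlan' effectively does: fixed offsets."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_P_IP:
        return False            # on a tagged frame this sees 0x8100 and bails
    return frame[ETH_HDR_LEN + 9] == IPPROTO_TCP   # IPv4 protocol field


def l3_offset(frame: bytes) -> Tuple[int, int, Optional[int]]:
    """Skip stacked 802.1Q/802.1ad tags; return (offset, ethertype, outer VLAN id)."""
    off = 12
    vlan: Optional[int] = None
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            tci = struct.unpack_from("!H", frame, off)[0]
            if vlan is None:
                vlan = tci & 0x0FFF
            off += 2
            continue
        return off, ethertype, vlan


def vlan_aware_is_ipv4_tcp(frame: bytes) -> bool:
    off, ethertype, _ = l3_offset(frame)
    if ethertype != ETH_P_IP:
        return False
    return frame[off + 9] == IPPROTO_TCP


def vlan_aware_filter(expr: str) -> str:
    """libpcap idiom: the 'vlan' keyword shifts decoding offsets for the
    primitives after it, so match expr both without and with a tag."""
    return "({0}) or (vlan and ({0}))".format(expr)


def compare(vlan_id: int = 100) -> dict:
    """Run both classifiers over an untagged and a tagged copy of the same packet."""
    ip = ipv4_tcp_header()
    plain = build_frame(ip)
    tagged = build_frame(ip, (vlan_id,))
    off, _, vid = l3_offset(tagged)
    return {
        "plain_naive": naive_is_ipv4_tcp(plain),
        "plain_aware": vlan_aware_is_ipv4_tcp(plain),
        "tagged_naive": naive_is_ipv4_tcp(tagged),
        "tagged_aware": vlan_aware_is_ipv4_tcp(tagged),
        "tagged_offset": off,
        "tagged_vlan": vid,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
    print(vlan_aware_filter("tcp port 80"))
```

Running `tcpdump -e` on the interface, as Scott suggests, prints the tag (an `802.1Q` ethertype and `vlan N`) ahead of the IP addresses on each tagged frame; if that shows up, `naive_is_ipv4_tcp` above is what an unmodified filter is doing to your traffic. The stacked-tag branch matters on monitor ports fed from a provider or QinQ trunk, where a single `vlan` keyword still leaves the offsets wrong.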