From carlopmart at gmail.com Sat Oct 1 10:28:23 2011
From: carlopmart at gmail.com (carlopmart)
Date: Sat, 01 Oct 2011 19:28:23 +0200
Subject: [Bro] Some sample using bro as a post correlator?
Message-ID: <4E874DB7.7070409@gmail.com>

Hi all,

I have configured a pcap output filter on my snort sensor. Can I use bro-ids as realtime correlator using this configuration?? Some sample how can I do this??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

From carlopmart at gmail.com Tue Oct 4 05:25:25 2011
From: carlopmart at gmail.com (carlopmart)
Date: Tue, 04 Oct 2011 14:25:25 +0200
Subject: [Bro] Some sample using bro as a post correlator?
In-Reply-To: <4E874DB7.7070409@gmail.com>
References: <4E874DB7.7070409@gmail.com>
Message-ID: <4E8AFB35.6010604@gmail.com>

On 10/01/2011 07:28 PM, carlopmart wrote:
> Hi all,
>
> I have configured a pcap output filter on my snort sensor. Can I use
> bro-ids as realtime correlator using this configuration?? Some sample
> how can I do this??
>
> Thanks.

Any hints??

--
CL Martinez
carlopmart {at} gmail {d0t} com

From seth at icir.org Tue Oct 4 07:18:11 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 4 Oct 2011 10:18:11 -0400
Subject: [Bro] Some sample using bro as a post correlator?
In-Reply-To: <4E8AFB35.6010604@gmail.com>
References: <4E874DB7.7070409@gmail.com> <4E8AFB35.6010604@gmail.com>
Message-ID: <3B003896-49EB-427E-82EB-DBFF3624D777@icir.org>

On Oct 4, 2011, at 8:25 AM, carlopmart wrote:
> On 10/01/2011 07:28 PM, carlopmart wrote:
>> I have configured a pcap output filter on my snort sensor. Can I use
>> bro-ids as realtime correlator using this configuration?? Some sample
>> how can I do this??
>
> Any hints??

I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger.
Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.

Alternately, you can use the Bro output plugin that Barnyard2 has. The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it. At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules. Right now you will have to write your own script if you want to do correlation or suppression of Snort/Suricata alerts.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From carlopmart at gmail.com Thu Oct 6 04:07:11 2011
From: carlopmart at gmail.com (carlopmart)
Date: Thu, 06 Oct 2011 13:07:11 +0200
Subject: [Bro] Some sample using bro as a post correlator?
In-Reply-To: <3B003896-49EB-427E-82EB-DBFF3624D777@icir.org>
References: <4E874DB7.7070409@gmail.com> <4E8AFB35.6010604@gmail.com> <3B003896-49EB-427E-82EB-DBFF3624D777@icir.org>
Message-ID: <4E8D8BDF.1010709@gmail.com>

On 10/04/2011 04:18 PM, Seth Hall wrote:
>
> On Oct 4, 2011, at 8:25 AM, carlopmart wrote:
>
>> On 10/01/2011 07:28 PM, carlopmart wrote:
>>> I have configured a pcap output filter on my snort sensor. Can I use
>>> bro-ids as realtime correlator using this configuration?? Some sample
>>> how can I do this??
>>
>> Any hints??
>
>
> I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger. Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.
>
> Alternately, you can use the Bro output plugin that Barnyard2 has. The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it.
> At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules. Right now you will have to write your own script if you want to do correlation or suppression of Snort/Suricata alerts.
>
>   .Seth
>
> --

Sorry Seth for my late response. At this moment, my "problem" can be resolved if bro-ids can take output from barnyard2. Is it possible to do this using the 1.5.3 release or do I need to use the release from the git repository??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

From mcholste at gmail.com Thu Oct 6 06:34:31 2011
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 6 Oct 2011 08:34:31 -0500
Subject: [Bro] Some sample using bro as a post correlator?
In-Reply-To: <4E8D8BDF.1010709@gmail.com>
References: <4E874DB7.7070409@gmail.com> <4E8AFB35.6010604@gmail.com> <3B003896-49EB-427E-82EB-DBFF3624D777@icir.org> <4E8D8BDF.1010709@gmail.com>

Just curious, what is it you want to do initially with the imported Snort alerts? What kind of correlation are you planning to do?

On Thu, Oct 6, 2011 at 6:07 AM, carlopmart wrote:
> On 10/04/2011 04:18 PM, Seth Hall wrote:
>>
>> On Oct 4, 2011, at 8:25 AM, carlopmart wrote:
>>
>>> On 10/01/2011 07:28 PM, carlopmart wrote:
>>>> I have configured a pcap output filter on my snort sensor. Can I use
>>>> bro-ids as realtime correlator using this configuration?? Some sample
>>>> how can I do this??
>>>
>>> Any hints??
>>
>>
>> I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger. Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.
>>
>> Alternately, you can use the Bro output plugin that Barnyard2 has.
>> The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it. At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules. Right now you will have to write your own script if you want to do correlation or suppression of Snort/Suricata alerts.
>>
>>   .Seth
>>
>> --
>
> Sorry Seth for my late response. At this moment, my "problem" can be
> resolved if bro-ids can take output from barnyard2. Is it possible to do
> this using the 1.5.3 release or do I need to use the release from the git repository??
>
> Thanks.
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From baxterw3232 at gmail.com Mon Oct 10 22:18:53 2011
From: baxterw3232 at gmail.com (Will)
Date: Tue, 11 Oct 2011 00:18:53 -0500
Subject: [Bro] Bro Cluster on RHEL Server 5-6

Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?

Are there any issues, concerns or significant performance differences to be aware of?

Thanks!

Will

From slagell at ncsa.illinois.edu Tue Oct 11 04:51:57 2011
From: slagell at ncsa.illinois.edu (Adam Slagell)
Date: Tue, 11 Oct 2011 06:51:57 -0500 (CDT)
Subject: [Bro] Bro Cluster on RHEL Server 5-6
Message-ID: <85B0E93D-B363-497C-9178-CE4C9502C94C@ncsa.illinois.edu>

That is what we use at the NCSA.

On Oct 11, 2011, at 12:19 AM, Will wrote:
> Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?
>
> Are there any issues, concerns or significant performance differences to be aware of?
>
> Thanks!
>
> Will

From baxterw3232 at gmail.com Tue Oct 11 09:29:55 2011
From: baxterw3232 at gmail.com (Will)
Date: Tue, 11 Oct 2011 11:29:55 -0500
Subject: [Bro] Bro Cluster on RHEL Server 5-6
In-Reply-To: <20111011053700.GA7890@wolrab.ncsa.illinois.edu>
References: <20111011053700.GA7890@wolrab.ncsa.illinois.edu>

On Tue, Oct 11, 2011 at 12:37 AM, James J. Barlow wrote:
> On Tue, Oct 11, 2011 at 12:18:53AM -0500, Will wrote:
> >
> > Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?
> > Are there any issues, concerns or significant performance differences
> > to be aware of?
> > Thanks!
>
> We have a 15 node cluster running on RHEL 6, as well as another standalone
> RHEL 6 box. Have not seemed to experience any problems with the OS or
> install, and we are also running PF_RING on those hosts to optimize
> for the multi-cores. I just wish I could say that our network
> aggregator/balancer hardware that we purchased worked as well. :/
>

Thanks for the info! Is your aggregator/balancer appliance designed to do load balancing based on session hashing and MAC re-writing? Or are you load balancing based on protocol, etc. and using PF_RING to load balance among nodes?

Will

> --
> James J. Barlow
> Head of Security Operations and Incident Response
> National Center for Supercomputing Applications    Office : (217)244-6403
> 1205 West Clark Street, Urbana, IL 61801           Cell   : (217)840-0601
> http://www.ncsa.illinois.edu/~jbarlow              Fax    : (217)244-1987
>
From seth at icir.org Tue Oct 11 09:40:43 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 11 Oct 2011 12:40:43 -0400
Subject: [Bro] Bro Cluster on RHEL Server 5-6
References: <20111011053700.GA7890@wolrab.ncsa.illinois.edu>

On Oct 11, 2011, at 12:29 PM, Will wrote:
> Thanks for the info! Is your aggregator/balancer appliance designed to do load balancing based on session hashing and MAC re-writing? Or are you load balancing based on protocol, etc. and using PF_RING to load balance among nodes?

It's a mix between the two. There is a frontend device that is splitting the traffic out to some 10G interfaces (not actually MAC address rewriting in this case, sending sessions directly to physical ports). Each worker is splitting the traffic further with PF_RING clustering. If the frontend box was doing MAC address rewriting, there wouldn't even be a need for PF_RING on each box since a number of MAC addresses could be passed directly to each worker and filtered with BPF filters.

Sorry if it sounds complicated and vague, it's just that there are a lot of options in how you build your own system. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From baxterw3232 at gmail.com Tue Oct 11 11:38:50 2011
From: baxterw3232 at gmail.com (Will)
Date: Tue, 11 Oct 2011 13:38:50 -0500
Subject: [Bro] Bro Cluster on RHEL Server 5-6
References: <20111011053700.GA7890@wolrab.ncsa.illinois.edu>

On Tue, Oct 11, 2011 at 11:40 AM, Seth Hall wrote:
>
> On Oct 11, 2011, at 12:29 PM, Will wrote:
>
> > Thanks for the info! Is your aggregator/balancer appliance designed to do
> > load balancing based on session hashing and MAC re-writing? Or are you load
> > balancing based on protocol, etc. and using PF_RING to load balance among
> > nodes?
>
> It's a mix between the two.
> There is a frontend device that is splitting
> the traffic out to some 10G interfaces (not actually MAC address rewriting
> in this case, sending sessions directly to physical ports). Each worker is
> splitting the traffic further with PF_RING clustering. If the frontend box
> was doing MAC address rewriting, there wouldn't even be a need for PF_RING
> on each box since a number of MAC addresses could be passed directly to each
> worker and filtered with BPF filters.
>
> Sorry if it sounds complicated and vague, it's just that there are a lot of
> options in how you build your own system. :)
>

It is complicated, and once you understand it, it's not so vague really. I have a better understanding than ever that there are an unlimited number of options for designing and configuring your own cluster environment. What has helped me the most is hearing about what is working well for folks out there and getting ideas for which direction I should be going. I really appreciated Martin's quick start guide as well as his other posts on clusters and PF_RING. I think it is good to get some documentation out there about a few of the more mainstream cluster configurations (hardware and software) that people can use. For me, it was hard (understandably so) to garner support by just saying, "Bro is awesome and does amazing things!" But when it actually started to work and I was asked how we go about the hardware design, I really didn't have any good answers, other than to remain "vague" and say, "it's complicated!" lol

When things finally do get off the ground, I will be happy to share how we ended up doing it and how it's working.

Thanks again!

Will

>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
From wseemann at gmail.com Thu Oct 13 14:38:00 2011
From: wseemann at gmail.com (William Seemann)
Date: Thu, 13 Oct 2011 16:38:00 -0500
Subject: [Bro] Bro Scripting Question
Message-ID: <4E975A38.8060804@gmail.com>

Hello,

I'm new to the world of Bro but I'm attempting to complete a small project for a graduate level class at the University of Illinois. The concept of the project is to define a set of policy files for a few core host services (SMTP, DNS, WEB SERVER). Each service specific policy file would ensure that only allowed hosts are running that service. The policy file would also ensure that each allowed host is only running a specified set of services. With that said, I started writing the policy files but had a few questions.

From what I can gather it seems like the new_connection event would be an obvious place to perform my checks since it is called for inbound and outbound connections. Does this sound like the correct approach? Also, is there a simple way to determine what service(s) a host is running (smtp, ssh, etc)? In other words, if a host is making an outbound connection is there any easy way to tie the traffic to a specific service? Right now I'm just logging connections but I'm wondering if there is an easier way to determine the service other than trying to tie port traffic to a potential service.

I would appreciate any suggestions or advice you could send my way.

Thanks in advance - William Seemann

From neslog at gmail.com Thu Oct 13 15:22:06 2011
From: neslog at gmail.com (Neslog)
Date: Thu, 13 Oct 2011 18:22:06 -0400
Subject: [Bro] Bro Scripting Question
In-Reply-To: <4E975A38.8060804@gmail.com>
References: <4E975A38.8060804@gmail.com>

Check out the bro workshop a few years ago. They had you create a learning policy that would baseline hosts and alarm on deviations. Same could be done for the other policies I believe.
Seth will have some great insight though.

J

On 10/13/11, William Seemann wrote:
> Hello,
> I'm new to the world of Bro but I'm attempting to complete a small
> project for a graduate level class at the University of Illinois. The
> concept of the project is to define a set of policy files for a few core
> host services (SMTP, DNS, WEB SERVER). Each service specific policy
> file would ensure that only allowed hosts are running that service. The
> policy file would also ensure that each allowed host is only running a
> specified set of services. With that said, I started writing the policy
> files but had a few questions.
>
> From what I can gather it seems like the new_connection event would be
> an obvious place to perform my checks since it is called for inbound and
> outbound connections. Does this sound like the correct approach? Also,
> is there a simple way to determine what service(s) a host is running
> (smtp, ssh, etc)? In other words, if a host is making an outbound
> connection is there any easy way to tie the traffic to a specific
> service? Right now I'm just logging connections but I'm wondering if
> there is an easier way to determine the service other than trying to tie
> port traffic to a potential service.
>
> I would appreciate any suggestions or advice you could send my way.
> Thanks in advance - William Seemann
>
>

--
Sent from my mobile device

From seth at icir.org Fri Oct 14 06:40:58 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 14 Oct 2011 09:40:58 -0400
Subject: [Bro] Bro Scripting Question
In-Reply-To: <4E975A38.8060804@gmail.com>
References: <4E975A38.8060804@gmail.com>

On Oct 13, 2011, at 5:38 PM, William Seemann wrote:
> From what I can gather it seems like the new_connection event would be
> an obvious place to perform my checks since it is called for inbound and
> outbound connections. Does this sound like the correct approach? Also,
> is there a simple way to determine what service(s) a host is running
> (smtp, ssh, etc)?

There is a script in the next release that is a variant on what you are looking to do. I even went back and fixed it recently since it was pretty badly broken.

Clone our git repository[1] and look at the script: scripts/policy/protocols/conn/known-services.bro [2]

1. http://www.bro-ids.org/documentation/quickstart.html#compiling-bro-source-code
2. http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/policy/protocols/conn/known-services.bro

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From wseemann at gmail.com Sun Oct 16 17:59:56 2011
From: wseemann at gmail.com (William Seemann)
Date: Sun, 16 Oct 2011 19:59:56 -0500
Subject: [Bro] Bro Scripting Question
References: <4E975A38.8060804@gmail.com>
Message-ID: <4E9B7E0C.2050909@gmail.com>

Thank you, both of the responses I've received have been extremely helpful. I have another question. I read through snippets from the Bro documentation but I can't seem to find a way to generate an email alert in a script.
I've redefined the "mail_dest" as follows:

    redef Notice::mail_dest = "wseemann@gmail.com";

I can't seem to find a way to actually generate the email notification from within my script, all my attempts produce syntax errors. Can anyone suggest a script to look at?

Thanks again, William

On 10/14/2011 08:40 AM, Seth Hall wrote:
> On Oct 13, 2011, at 5:38 PM, William Seemann wrote:
>
>> From what I can gather it seems like the new_connection event would be
>> an obvious place to perform my checks since it is called for inbound and
>> outbound connections. Does this sound like the correct approach? Also,
>> is there a simple way to determine what service(s) a host is running
>> (smtp, ssh, etc)?
> There is a script in the next release that is a variant on what you are looking to do. I even went back and fixed it recently since it was pretty badly broken.
>
> Clone our git repository[1] and look at the script: scripts/policy/protocols/conn/known-services.bro [2]
>
> 1. http://www.bro-ids.org/documentation/quickstart.html#compiling-bro-source-code
> 2. http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/policy/protocols/conn/known-services.bro
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From jsiwek at ncsa.illinois.edu Mon Oct 17 09:11:36 2011
From: jsiwek at ncsa.illinois.edu (Jonathan Siwek)
Date: Mon, 17 Oct 2011 11:11:36 -0500
Subject: [Bro] Bro Scripting Question
In-Reply-To: <4E9B7E0C.2050909@gmail.com>
References: <4E975A38.8060804@gmail.com> <4E9B7E0C.2050909@gmail.com>

> I can't seem to find a way to actually generate the email notification
> from within my script, all my attempts produce syntax errors. Can anyone
> suggest a script to look at? Thanks again, William

base/frameworks/notice/main.bro (from the git repos) might give you some hints at how to do it, but here's a couple examples.
If you'd like to make a certain type of notice (either a predefined or one you created) generate an email, you can augment the Notice::policy like this example:

    redef Notice::mail_dest = "jsiwek@ncsa.illinois.edu";

    redef Notice::policy += {
        [$result = Notice::ACTION_EMAIL,
         $pred(n: Notice::Info) = { return n$note == PacketFilter::Dropped_Packets; }
        ]
    };

Or if you really need a more raw way to generate a mail at any point in a script you could do something like:

    event bro_init()
        {
        # Build the mail headers for the given subject and recipient.
        local msg = Notice::email_headers("Test Email Subject", "jsiwek@ncsa.illinois.edu");
        local body = "Here's the test email's body content.";
        msg = string_cat(msg, "\n", body);
        # Hand the finished message to sendmail on its standard input.
        piped_exec(fmt("%s -t -oi", Notice::sendmail), msg);
        }

Which would just send a mail once at startup.

- Jon

From seth at icir.org Mon Oct 17 09:58:05 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 17 Oct 2011 12:58:05 -0400
Subject: [Bro] Bro Scripting Question
In-Reply-To: <4E9B7E0C.2050909@gmail.com>
References: <4E975A38.8060804@gmail.com> <4E9B7E0C.2050909@gmail.com>
Message-ID: <7BC18609-2B5E-4A5B-85D1-8F283B5C8AC2@icir.org>

On Oct 16, 2011, at 8:59 PM, William Seemann wrote:
> redef Notice::mail_dest = "wseemann@gmail.com";
>
> I can't seem to find a way to actually generate the email notification from within my script, all my attempts produce syntax errors. Can anyone suggest a script to look at? Thanks again, William

Ironically I finally started writing this documentation last night (the notice framework has been completely rewritten). If you have a particular notice that you want to send to email every time the notice is generated you can add the notice to a set that acts like a shorthand for modifying your Notice::policy. Here's an example...
    redef Notice::emailed_types += { HTTP::SQL_Injection_Attack_Against };

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From laizhiquan at gmail.com Wed Oct 19 09:02:21 2011
From: laizhiquan at gmail.com (zhiquan lai)
Date: Thu, 20 Oct 2011 00:02:21 +0800
Subject: [Bro] A question about loading signature files

HI ALL,

I wrote a simple Bro policy file test.bro to load the signatures in the snort-default.sig file by redef'ing "signature_files". However, when Bro loaded test.bro, I got many errors like "smtp_servers(http_servers ...) didn't defined". Should I define these variables in my test.bro file? Or is there any common configuration file that defines them?

Thanks in advance
Quan

From robin at icir.org Wed Oct 19 18:56:33 2011
From: robin at icir.org (Robin Sommer)
Date: Wed, 19 Oct 2011 18:56:33 -0700
Subject: [Bro] A question about loading signature files
Message-ID: <20111020015633.GG21245@icir.org>

On Thu, Oct 20, 2011 at 00:02 +0800, you wrote:
> However, when Bro loaded test.bro, many errors like
> "smtp_servers(http_servers ...) didn't defined".

These are defined in snort.bro, you can just load that. However, frankly, I don't recommend using the Snort signatures at all anymore. They are not only very old, but also generally not really useful with Bro.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From rodrigue.alahassa at gmail.com Sat Oct 22 09:45:05 2011
From: rodrigue.alahassa at gmail.com (Rodrigue ALAHASSA)
Date: Sat, 22 Oct 2011 18:45:05 +0200
Subject: [Bro] Bro signatures

Hi,

I get a little confused about content conditions for Bro signatures. I'm working to automate generation of signatures compliant with Bro.
I would like to know how Bro behaves in two cases. I tried to provide many content conditions for one signature. Let's say that I want to detect the following patterns in a stream (just some examples):

1- common
2- attack
3- vulnerabilities

If I use the following condition, it will detect all occurrences of common followed by attack and vulnerabilities:

    payload /.*common.*attack.*vulnerabilities.*/

What if I use a combination of those expressions:

    payload /*common.*attack.*/
    payload /*vulnerabilities*/

I looked around, but did not find anything to help me understand how the signature engine will behave in these cases.

Thanks in advance for your help.

R. ALAHASSA

--
SLt COC ALAHASSA
161 POL Professeur Georges LEMAITRE

From robin at icir.org Sun Oct 23 21:35:03 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 23 Oct 2011 21:35:03 -0700
Subject: [Bro] Bro signatures
Message-ID: <20111024043503.GD58364@icir.org>

On Sat, Oct 22, 2011 at 18:45 +0200, you wrote:
> What if I use a combination of those expressions:
>
> payload /*common.*attack.*/
> payload /*vulnerabilities*/

Both need to match, but independently. I.e., it's ok if /vulnerabilities/ matches before (or even overlapping with) /*common.*attack.*/.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From wseemann at gmail.com Sun Oct 23 22:57:26 2011
From: wseemann at gmail.com (William Seemann)
Date: Mon, 24 Oct 2011 00:57:26 -0500
Subject: [Bro] Detecting Local Hosts
In-Reply-To: <7BC18609-2B5E-4A5B-85D1-8F283B5C8AC2@icir.org>
References: <4E975A38.8060804@gmail.com> <4E9B7E0C.2050909@gmail.com> <7BC18609-2B5E-4A5B-85D1-8F283B5C8AC2@icir.org>
Message-ID: <4EA4FE46.9000306@gmail.com>

Can someone tell me if there is an easy way to detect if a connection is being made by a local host rather than an external one? For instance, if I have a cluster of machines and an instance of Bro running is there any easy way to distinguish connections made by these machines vs. external ones? Is maintaining a list of local hosts and performing a check (shown below) the only way to accomplish this?

    if (c$id$resp_h !in local_hosts)
        do something...

From seth at icir.org Mon Oct 24 07:36:50 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 24 Oct 2011 10:36:50 -0400
Subject: [Bro] Detecting Local Hosts
In-Reply-To: <4EA4FE46.9000306@gmail.com>
References: <4E975A38.8060804@gmail.com> <4E9B7E0C.2050909@gmail.com> <7BC18609-2B5E-4A5B-85D1-8F283B5C8AC2@icir.org> <4EA4FE46.9000306@gmail.com>
Message-ID: <086820C9-2B1D-4601-8E62-9C8003AC6ECB@icir.org>

On Oct 24, 2011, at 1:57 AM, William Seemann wrote:
> Can someone tell me if there is an easy way to detect if a connection is
> being made by a local host rather than an external one? For instance, if
> I have a cluster of machines and an instance of Bro running is there any
> easy way to distinguish connections made by these machines vs. external
> ones? Is maintaining a list of local hosts and performing a check (shown
> below) the only way to accomplish this?

There is a shorthand function for getting this information: is_local_addr. You give it an address and it returns T or F.
In the upcoming release it has moved into the Site:: namespace though so it will be Site::is_local_addr (I don't know if you are working with the git master or 1.5.x). Regardless, you still need to be careful and give it the correct address to check. It sounds like this will work for you...

    # c$id$orig_h is the originator's address (conn_id has no field named "orig").
    if ( is_local_addr(c$id$orig_h) )
        {
        # do something
        }

In order for the is_local_addr function to work, you need to also be sure you have populated the local_nets variable (Site::local_nets in the repository). Here's an example:

    redef local_nets += { 1.2.3.0/24, 4.3.2.0/24 };

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Fri Oct 28 14:34:14 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 28 Oct 2011 14:34:14 -0700
Subject: [Bro] Bro 2.0 Beta is out!
Message-ID: <20111028213414.GA12567@icir.org>

We are very excited to announce a public beta of Bro 2.0! Please give it a try and let us know what you think. More information here:

http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html

Thanks to everybody who worked on this, it shaped up really nicely I think!

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From jones at tacc.utexas.edu Fri Oct 28 16:22:22 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Fri, 28 Oct 2011 23:22:22 +0000
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To: <20111028213414.GA12567@icir.org>
References: <20111028213414.GA12567@icir.org>

Just installed Bro 2.0 Beta on Redhat 5.7. I had to change a few lines of the broctl script of the form:

    proc.fromchild = proc.stdout if proc.stdout != None else []

The version of python on Redhat 5.7, Python 2.4.3, can't handle this type of construct. Which version of python was used to develop Bro 2.0 Beta?
Bill Jones

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Robin Sommer
Sent: Friday, October 28, 2011 4:34 PM
To: bro at bro-ids.org
Subject: [Bro] Bro 2.0 Beta is out!

We are very excited to announce a public beta of Bro 2.0! Please give it a try and let us know what you think. More information here:

http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html

Thanks to everybody who worked on this, it shaped up really nicely I think!

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Oct 28 16:37:57 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 28 Oct 2011 16:37:57 -0700
Subject: [Bro] Bro 2.0 Beta is out!
References: <20111028213414.GA12567@icir.org>
Message-ID: <20111028233757.GB19551@icir.org>

On Fri, Oct 28, 2011 at 23:22 +0000, William Jones wrote:
> The version of python on Redhat 5.7, Python 2.4.3, can't handle this type of construct.

Yeah, it needs Python 2.6 right now. If we can make it 2.4-compatible with just a few small tweaks, that sounds worth it. We did already do that for some of the other Python code in the package. So if with your changes you find it to work fine with 2.4, could you file a patch with the tracker?

Thanks,

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From jones at tacc.utexas.edu Fri Oct 28 16:42:29 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Fri, 28 Oct 2011 23:42:29 +0000
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To: <20111028213414.GA12567@icir.org>
References: <20111028213414.GA12567@icir.org>

The new log formats are a lot easier to read. There are quite a few new checks that are going to be very useful.
Thanks to everyone for all the work that you put into this version of bro. It is really quite nice!

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Robin Sommer
Sent: Friday, October 28, 2011 4:34 PM
To: bro at bro-ids.org
Subject: [Bro] Bro 2.0 Beta is out!

We are very excited to announce a public beta of Bro 2.0! Please give it a try and let us know what you think. More information here:

http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html

Thanks to everybody who worked on this, it shaped up really nicely I think!

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From jones at tacc.utexas.edu Fri Oct 28 17:58:49 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Sat, 29 Oct 2011 00:58:49 +0000
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To: <20111028233757.GB19551@icir.org>
References: <20111028213414.GA12567@icir.org> <20111028233757.GB19551@icir.org>

Sure I can do a patch. Are there any scripts like the old stats.bro script that will print packets processed?

-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Friday, October 28, 2011 6:38 PM
To: William Jones
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro 2.0 Beta is out!

On Fri, Oct 28, 2011 at 23:22 +0000, William Jones wrote:
> The version of python on Redhat 5.7, Python 2.4.3, can't handle this type of construct.

Yeah, it needs Python 2.6 right now. If we can make it 2.4-compatible with just a few small tweaks, that sounds worth it. We did already do that for some of the other Python code in the package. So if with your changes you find it to work fine with 2.4, could you file a patch with the tracker?
Thanks,

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956

From vallentin at icir.org Fri Oct 28 21:50:40 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Fri, 28 Oct 2011 21:50:40 -0700
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To:
References: <20111028213414.GA12567@icir.org>
Message-ID: <1319863584-sup-6834@samurai.local>

> The new log formats are a lot easier to read.

Don't forget to check out the new log processing tool bro-cut in the aux directory:

    bro-cut [options]

    Extracts the given columns from an ASCII Bro log on standard input.
    By default, bro-cut does not include format header blocks into the output.

    Example: cat conn.log | bro-cut -d ts id.orig_h id.orig_p

        -c      Include the first format header block into the output.
        -C      Include all format header blocks into the output.
        -d      Convert time values into human-readable format (needs gawk).
        -D      Like -d, but specify format for time (see strtime(3) for syntax).

    For the time conversion, the format string can also be specified by
    setting an environment variable BRO_CUT_TIMEFMT.

Here are some more examples (output abbreviated):

    % bro-cut ts id.orig_h id.resp_p < conn.log
    1319742168.465601   192.150.187.147   80
    1319742167.737945   192.150.187.147   80

    % bro-cut host uri < http.log | awk '{ print $1$2 }'
    s0.2mdn.net/879366/flashwrite_1_2.js
    maps.google.com/mapfiles/home3.html

    % bro-cut -d ts < conn.log
    2011-10-27T12:02:48-0700

    % bro-cut -D '%s' ts orig_bytes resp_bytes \
        < conn.log \
        | sort -n \
        | awk '{ if ($1 == ts) { size+=$2+$3 } \
                 else { if (size != 0) print $1, size; \
                        ts=$1; size=0 } }'
    1319742168 33628
    1319742169 22814

Enjoy,

    Matthias

From djteller at gmail.com Sun Oct 30 02:46:16 2011
From: djteller at gmail.com (Tomer Teller)
Date: Sun, 30 Oct 2011 11:46:16 +0200
Subject: [Bro] Bro performance issues
In-Reply-To:
References:
Message-ID:

Hey all,

I am testing Bro's performance using tcpreplay for some project of mine.
I am using a packet capture of 680000 packets using different rates to check for packet loss.

    tcpreplay -i eth0 --mbps=X 680000.pcap    (where X = 1000,500,100,10)

I am registered on the new_packet event in order to count packets like so:

    global ctr = 0;

    event new_packet (c: connection, p: pkt_hdr)
        {
        ctr = ctr + 1;
        ...
        }

I write to log every time ctr % 100,000 = 0 to avoid unnecessary I/O to disk.

On the sender side I see that all packets were transmitted successfully, as well as on the receiver side (using tcpdump), i.e. it is not a libpcap issue.

Bro on the other hand doesn't see all 680000, he sees around 540,000.

I also used smaller packet captures (10/30/100 packets); again, bro does not see all packets.

Note! Packet captures are valid (checksum) HTTP connections that I recorded for testing.

I tried removing some analyzers using broctl as well as modifying local.bro. Also followed the Bro performance tuning.

Nothing helps, Bro does not see all the packets.

Any ideas what is the problem?

From adayadil.thomas at gmail.com Sun Oct 30 18:45:24 2011
From: adayadil.thomas at gmail.com (Adayadil Thomas)
Date: Sun, 30 Oct 2011 21:45:24 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References:
Message-ID:

The bro policy that you have must be setting some BPF (libpcap) filter so that Bro analyzes only the traffic that it wants to see.

On Sun, Oct 30, 2011 at 5:46 AM, Tomer Teller wrote:
> Hey all,
>
> I am testing Bro's performance using tcpreplay for some project of mine.
> I am using a packet capture of 680000 packets using different rates to check
> for packet loss.
> tcpreplay -i eth0 --mbps=X 680000.pcap (where X = 1000,500,100,10)
> I am registered on the new_packet event in order to count packets like so:
> global ctr = 0;
> event new_packet (c: connection,p: pkt_hdr)
> {
>     ctr = ctr + 1;
>     ...
> }
> I write to log every time ctr % 100,000 = 0 to avoid unnecessary I/O to
> disk.
> On the sender side I see that all packets were transmitted successfully as
> well as on the receiver side (using tcpdump), i.e. it is not a libpcap issue.
> Bro on the other hand, doesn't see all 680000, he sees around 540,000.
> I also used smaller packet captures (10/30/100 packets), again, bro does not
> see all packets.
> Note! Packet captures are valid (checksum) HTTP connections that I recorded
> for testing.
> I tried removing some analyzers using broctl as well as modifying local.bro.
> Also followed the Bro performance tuning.
> Nothing helps, Bro does not see all the packets.
> Any ideas what is the problem?

From seth at icir.org Sun Oct 30 21:27:21 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 31 Oct 2011 00:27:21 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References:
Message-ID: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>

On Oct 30, 2011, at 5:46 AM, Tomer Teller wrote:

> event new_packet (c: connection,p: pkt_hdr)
> Nothing helps, Bro does not see all the packets.
> Any ideas what is the problem?

If I remember correctly, the new_packet event is only fired for IPv4 packets. Internally it can't deal with IPv6 packets, but it also doesn't work with non-IP packets. Do the numbers you're getting match the number of IPv4 packets in your traffic trace file?
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From djteller at gmail.com Mon Oct 31 03:45:14 2011
From: djteller at gmail.com (Tomer Teller)
Date: Mon, 31 Oct 2011 12:45:14 +0200
Subject: [Bro] Bro performance issues
In-Reply-To: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
Message-ID:

All the packets are valid IPv4. I just noticed that my CPU goes to 92%, so I am probably suffering drops due to load.

I decided to set up a cluster to utilize my machine's 4 cores: 1 for Manager, 1 for Proxy and 2 for Workers.

To avoid installing click router and rewriting packets, I want to load worker-1 and worker-2 with different policies so they won't handle traffic twice.

worker1-policy.bro:

    redef restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };

worker2-policy.bro:

    redef restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };

Is this possible and recommended? (Just trying to pump up performance)

How do I load worker-1 with 'worker1-policy.bro' and worker-2 with 'worker2-policy.bro'? The documentation only talks about 'local-worker.bro' that is being loaded by all the workers.

Thanks

On Mon, Oct 31, 2011 at 6:27 AM, Seth Hall wrote:
>
> On Oct 30, 2011, at 5:46 AM, Tomer Teller wrote:
>
> > event new_packet (c: connection,p: pkt_hdr)
>
> > Nothing helps, Bro does not see all the packets.
> > Any ideas what is the problem?
>
> If I remember correctly, the new_packet event is only fired for IPv4
> packets. Internally it can't deal with IPv6 packets but it also doesn't
> work with non-IP packets. Do the numbers you're getting match the number
> of IPv4 packets in your traffic trace file?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From seth at icir.org Mon Oct 31 05:35:54 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 31 Oct 2011 08:35:54 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
Message-ID:

On Oct 31, 2011, at 6:45 AM, Tomer Teller wrote:

> All the packets are valid IPv4, I just noticed that my CPU goes to 92% so I am probably suffering drops due to load.

Very likely. I usually try not to send more than 80-100Mbps of traffic to a single core.

> How do I load worker-1 with 'worker1-policy.bro' and worker-2 with 'worker2-policy.bro' ? The documentation only talks about 'local-worker.bro' that is being loaded by all the workers.

What version are you using? 1.5.x or the 2.0 beta we just released on friday? The answers to all of your questions will be different based on it. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From djteller at gmail.com Mon Oct 31 05:52:08 2011
From: djteller at gmail.com (Tomer Teller)
Date: Mon, 31 Oct 2011 14:52:08 +0200
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
Message-ID:

I am using version 1.5.3

Running on 2 x Intel Xeon 2.33GHz with 4GB FBDIMM and 8 Cores

For now I just want to test with 2 cores.
This is my node.cfg

    [manager]
    type=manager
    host=localhost

    [proxy-1]
    type=proxy
    host=localhost

    [worker-1]
    type=worker
    host=localhost
    interface=bg0

    [worker-2]
    type=worker
    host=localhost
    interface=bg0

I want to load balance my traffic between 2 cores using the mentioned restrict filter (due to NAT, maybe it will be wise to filter by Source port, even -> worker-1, odd -> worker-2)

On Mon, Oct 31, 2011 at 2:35 PM, Seth Hall wrote:
>
> On Oct 31, 2011, at 6:45 AM, Tomer Teller wrote:
>
> > All the packets are valid IPv4, I just noticed that my CPU goes to 92%
> so I am probably suffering drops due to load.
>
> Very likely. I usually try not to send more than 80-100Mbps of traffic to
> a single core.
>
> > How do I load worker-1 with 'worker1-policy.bro' and worker-2 with
> 'worker2-policy.bro' ? The documentation only talks about
> 'local-worker.bro' that is being loaded by all the workers.
>
> What version are you using? 1.5.x or the 2.0 beta we just released on
> friday? The answers to all of your questions will be different based on
> it. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From seth at icir.org Mon Oct 31 06:05:32 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 31 Oct 2011 09:05:32 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
Message-ID:

On Oct 31, 2011, at 8:51 AM, Tomer Teller wrote:

> I want to load balance my traffic between 2 cores using the mentioned restrict filter (due to NAT, maybe it will be wise to filter by Source port, even -> worker-1, odd -> worker-2)

Use this....
    event bro_init()
        {
        if ( peer_description == "worker-1" )
            restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
        if ( peer_description == "worker-2" )
            restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };
        }

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From JAzoff at albany.edu Mon Oct 31 06:22:50 2011
From: JAzoff at albany.edu (Justin Azoff)
Date: Mon, 31 Oct 2011 09:22:50 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References:
Message-ID: <20111031132250.GJ30686@datacomm.albany.edu>

On Sun, Oct 30, 2011 at 11:46:16AM +0200, Tomer Teller wrote:
> Hey all,
>
> I am testing Bro's performance using tcpreplay for some project of mine.
>
> I am using a packet capture of 680000 packets using different rates to
> check for packet loss.
>
> tcpreplay -i eth0 --mbps=X 680000.pcap (where X = 1000,500,100,10)
...
> Bro on the other hand, doesn't see all 680000, he sees around 540,000.

As a sanity check, what does bro report if you run it with something like this:

    bro -f ip -C -r 680000.pcap your_counter_policy.bro

--
-- Justin Azoff
-- Network Security & Performance Analyst

From seth at icir.org Mon Oct 31 07:35:30 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 31 Oct 2011 10:35:30 -0400
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org>
Message-ID: <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org>

On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:

> However, I can't surround it with an if statement so I cannot check peer_description.
>
> Any suggestions?

Sorry about that...
    event bro_init()
        {
        if ( peer_description == "worker-1" )
            restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
        if ( peer_description == "worker-2" )
            restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
        }

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From djteller at gmail.com Mon Oct 31 09:39:20 2011
From: djteller at gmail.com (Tomer Teller)
Date: Mon, 31 Oct 2011 18:39:20 +0200
Subject: [Bro] Bro performance issues
In-Reply-To: <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org>
Message-ID:

    event bro_init()
        {
        if ( peer_description == "worker-1" )
            restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
        if ( peer_description == "worker-2" )
            restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
        }

Is causing the following error:

    line 58 (restrict_filters += table(capture even src/dest pairs only = (ip[12:4] + ip[16:4]) & 1 == 0)): error, requires two arithmetic or two string operands

On Mon, Oct 31, 2011 at 4:35 PM, Seth Hall wrote:
>
> On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
>
> > However, I can't surround it with an if statement so I cannot check
> peer_description.
> >
> > Any suggestions?
>
> Sorry about that...
>
> event bro_init()
>     {
>     if ( peer_description == "worker-1" )
>         restrict_filters += table(["capture even src/dest pairs
> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>     if ( peer_description == "worker-2" )
>         restrict_filters += table(["capture even src/dest pairs
> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>     }
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>

From mcholste at gmail.com Mon Oct 31 09:49:50 2011
From: mcholste at gmail.com (Martin Holste)
Date: Mon, 31 Oct 2011 11:49:50 -0500
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org>
Message-ID:

Is there a reason you can't use PF_RING for this? It sure makes things like this easier.

On Mon, Oct 31, 2011 at 11:39 AM, Tomer Teller wrote:
> event bro_init()
>     {
>     if ( peer_description == "worker-1" )
>         restrict_filters += table(["capture even src/dest pairs
> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>     if ( peer_description == "worker-2" )
>         restrict_filters += table(["capture even src/dest pairs
> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>     }
> Is causing the following error:
> line 58 (restrict_filters += table(capture even src/dest pairs only =
> (ip[12:4] + ip[16:4]) & 1 == 0)): error, requires two arithmetic or two
> string operands
>
>
>
> On Mon, Oct 31, 2011 at 4:35 PM, Seth Hall wrote:
>>
>> On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
>>
>> > However, I can't surround it with an if statement so I cannot check
>> > peer_description.
>> >
>> > Any suggestions?
>>
>> Sorry about that...
>>
>> event bro_init()
>>     {
>>     if ( peer_description == "worker-1" )
>>         restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>     if ( peer_description == "worker-2" )
>>         restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>     }
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>

From djteller at gmail.com Mon Oct 31 10:08:50 2011
From: djteller at gmail.com (Tomer Teller)
Date: Mon, 31 Oct 2011 19:08:50 +0200
Subject: [Bro] Bro performance issues
In-Reply-To:
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org>
Message-ID: <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com>

Do you mean PF_RING with a front-end solution such as click router?

Is it possible to run everything on a single machine?

On Oct 31, 2011, at 18:49, Martin Holste wrote:

> Is there a reason you can't use PF_RING for this? It sure makes
> things like this easier.
>
> On Mon, Oct 31, 2011 at 11:39 AM, Tomer Teller wrote:
>> event bro_init()
>>     {
>>     if ( peer_description == "worker-1" )
>>         restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>     if ( peer_description == "worker-2" )
>>         restrict_filters += table(["capture even src/dest pairs
>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>     }
>> Is causing the following error:
>> line 58 (restrict_filters += table(capture even src/dest pairs only =
>> (ip[12:4] + ip[16:4]) & 1 == 0)): error, requires two arithmetic or two
>> string operands
>>
>>
>>
>> On Mon, Oct 31, 2011 at 4:35 PM, Seth Hall wrote:
>>>
>>> On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
>>>
>>>> However, I can't surround it with an if statement so I cannot check
>>>> peer_description.
>>>>
>>>> Any suggestions?
>>>
>>> Sorry about that...
>>>
>>> event bro_init()
>>>     {
>>>     if ( peer_description == "worker-1" )
>>>         restrict_filters += table(["capture even src/dest pairs
>>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
>>>     if ( peer_description == "worker-2" )
>>>         restrict_filters += table(["capture even src/dest pairs
>>> only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
>>>     }
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>>
>>

From seth at icir.org Mon Oct 31 10:33:03 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 31 Oct 2011 13:33:03 -0400
Subject: [Bro] Bro performance issues
In-Reply-To: <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com>
References: <07A5E826-EAD3-4042-AA50-FA534F5CD60E@icir.org> <9A26BFF3-4476-4847-AD5C-92DFD5378B84@icir.org> <2004522A-DE1B-46D2-BA55-0BB7070DDFBE@gmail.com>
Message-ID: <65F835FB-A3B9-4E0F-BDF9-82F9FF6B4ABE@icir.org>

On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:

> Do you mean PF_RING with front-end solution such as click router?
> Is it possible to run everything on a single machine?

Martin is referring to clustering in PF_RING. It will split your traffic into bidirectional flows within your kernel, and it's easy to configure with Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess). If you're running with broctl it will mostly just work with PF_RING out of the box, including clustering; you just need to make sure you're building against the correct libpcap using PF_RING's libpcap wrapper, and then all of the workers you configure in broctl's node.cfg file should sniff the same interface.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Mon Oct 31 20:58:05 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 31 Oct 2011 20:58:05 -0700
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To:
References: <20111028213414.GA12567@icir.org> <20111028233757.GB19551@icir.org>
Message-ID: <20111101035805.GJ31754@icir.org>

On Sat, Oct 29, 2011 at 00:58 +0000, you wrote:

> Are there any scripts like the old stats.bro script that will print
> packets processed.

No, I don't think we have an equivalent for that right now. But that would be good to add.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From seth at icir.org Mon Oct 31 21:15:56 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 1 Nov 2011 00:15:56 -0400
Subject: [Bro] Bro 2.0 Beta is out!
In-Reply-To: <20111101035805.GJ31754@icir.org>
References: <20111028213414.GA12567@icir.org> <20111028233757.GB19551@icir.org> <20111101035805.GJ31754@icir.org>
Message-ID: <30F1B48E-0FA9-4F4E-9C0E-5167DFA6C12E@icir.org>

On Oct 31, 2011, at 11:58 PM, Robin Sommer wrote:

> On Sat, Oct 29, 2011 at 00:58 +0000, you wrote:
>
>> Are there any scripts like the old stats.bro script that will print
>> packets processed.
>
> No, I don't think we have an equivalent for that right now. But that
> would be good to add.

Hm, I totally missed that one. I'll work on it after the workshop, it should be fairly easy and really belongs in 2.0 anyway.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
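Editor's worked example for the "Bro performance issues" thread above. Two points in that thread are easy to check offline: Seth's remark that new_packet only fires for IPv4, and the worker-1/worker-2 split filter "(ip[12:4] + ip[16:4]) & 1", which Tomer at one point proposed replacing with a source-port parity split. The script below is added here and is not code from the thread or from the Bro project; it builds a handful of constructed Ethernet frames (documentation addresses, zero checksums) and evaluates both split rules on them in plain Python, so the BPF arithmetic can be seen rather than trusted. The frame builder, the parity functions and the worker names are this example's own.

```python
"""Simulate the two-worker BPF split discussed on the Bro list.

Added example, not from the mailing-list thread.  Frames are constructed here
with zero checksums; nothing below needs a live interface or a real pcap.
"""
import socket
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806


def build_frame(ethertype, src_ip="0.0.0.0", dst_ip="0.0.0.0",
                src_port=0, dst_port=0):
    """Build a minimal Ethernet frame (constructed test data, not a capture).

    IPv4 frames carry a 20-byte IPv4 header and a 20-byte TCP header with the
    given ports.  Non-IPv4 frames carry an opaque payload.
    """
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 40
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,      # ver/ihl ... proto=TCP, csum=0
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    return eth + ip_hdr + tcp_hdr


def ipv4_header(frame):
    """Bytes from the IPv4 header onward (what 'ip[...]' indexes in BPF), or
    None when the frame is not IPv4."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    return frame[14:]


def addr_sum_parity(frame):
    """Evaluate the thread's filter expression '(ip[12:4] + ip[16:4]) & 1'.

    ip[12:4] is the source address, ip[16:4] the destination.  Addition is
    commutative, so both directions of a connection get the same value.
    """
    ip = ipv4_header(frame)
    if ip is None:
        return None
    src, dst = struct.unpack("!II", ip[12:20])
    return ((src + dst) & 0xFFFFFFFF) & 1


def src_port_parity(frame):
    """The alternative floated in the thread: parity of the TCP source port.
    Ports swap between directions, so one connection can straddle workers."""
    ip = ipv4_header(frame)
    if ip is None:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    (sport,) = struct.unpack("!H", ip[ihl:ihl + 2])
    return sport & 1


def worker_for(parity):
    """Parity 0 matches worker-1's filter ('& 1 == 0'), parity 1 worker-2's."""
    return "worker-1" if parity == 0 else "worker-2"


def distribute(frames, split):
    """How many IPv4 frames each worker would capture under a split function.
    Non-IPv4 frames match neither filter and are seen by neither worker."""
    counts = Counter()
    for frame in frames:
        parity = split(frame)
        if parity is not None:
            counts[worker_for(parity)] += 1
    return counts


def same_worker_both_ways(client_to_server, server_to_client, split):
    """True when both directions land on one worker, which stream
    reassembly requires."""
    return worker_for(split(client_to_server)) == worker_for(split(server_to_client))


def ipv4_packet_count(frames):
    """Packets a new_packet handler would count if it only fires for IPv4;
    compare with len(frames) to explain a counter lower than the pcap total."""
    return sum(1 for f in frames if ipv4_header(f) is not None)


# Constructed sample traffic: two HTTP connections (both directions), plus one
# IPv6 and one ARP frame that an IPv4-only event never sees.
C1_OUT = build_frame(ETHERTYPE_IPV4, "10.0.0.5", "203.0.113.10", 40001, 80)
C1_IN = build_frame(ETHERTYPE_IPV4, "203.0.113.10", "10.0.0.5", 80, 40001)
C2_OUT = build_frame(ETHERTYPE_IPV4, "10.0.0.6", "203.0.113.10", 40002, 80)
C2_IN = build_frame(ETHERTYPE_IPV4, "203.0.113.10", "10.0.0.6", 80, 40002)
SAMPLE_FRAMES = [C1_OUT, C1_IN, C2_OUT, C2_IN,
                 build_frame(ETHERTYPE_IPV6), build_frame(ETHERTYPE_ARP)]

if __name__ == "__main__":
    print("IPv4 packets:", ipv4_packet_count(SAMPLE_FRAMES), "of", len(SAMPLE_FRAMES))
    for name, split in (("address-sum parity", addr_sum_parity),
                        ("source-port parity", src_port_parity)):
        print(name, dict(distribute(SAMPLE_FRAMES, split)),
              "connection 1 kept together:", same_worker_both_ways(C1_OUT, C1_IN, split))
```

On the constructed frames the address-sum rule sends both directions of each connection to one worker, while the source-port rule splits connection 1 (client port 40001 is odd, server port 80 is even), which would leave each worker with half a TCP stream. That is the same property PF_RING clustering provides in-kernel, as Seth notes later in the thread; a BPF split of this kind is a reasonable stand-in when it is symmetric in the two endpoints.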