From gc355804 at ohio.edu Sun Dec 2 17:30:55 2012
From: gc355804 at ohio.edu (Clark, Gilbert)
Date: Sun, 2 Dec 2012 20:30:55 -0500
Subject: [Bro] Bro & malloc implementations
In-Reply-To:
Message-ID:

Hi Jim:

Re: #3, here's what I did:

First, I ran './configure'

After successfully running configure, I opened up build/CMakeCache.txt and found:

    CMAKE_EXE_LINKER_FLAGS:STRING=' '

I modified that line to read:

    CMAKE_EXE_LINKER_FLAGS:STRING=-L/path/to/jemalloc/lib/dir -ljemalloc

Then I did make clean / make / make install.

To verify bro was linked against jemalloc, I ran otool -L /path/to/bro and verified that jemalloc was in the list of libraries I found there.

Also, other stuff I found to be useful:

* Exporting VERBOSE=1 before executing make will tell CMake to dump the complete compilation string to the console. This can be used to manually verify that -ljemalloc is included in the flags when the bro binary is being linked.

* The above will link all executables output during the build process with the linker flags specified in CMAKE_EXE_LINKER_FLAGS. Since some of the utilities generated earlier in the build are used later in the process, the runtime library path needs to include libjemalloc before make is run.

Hope that helps,
Gilbert Clark

From: Jim Mellander
Date: Mon, 19 Nov 2012 14:18:15 -0500
To: "bro at bro-ids.org List"
Subject: [Bro] Bro & malloc implementations

I wanted to share my experiences with bro and various malloc implementations. These are all running various versions of bro on SL 6.2 - a recompile of RedHat Enterprise Linux from Fermi Lab - https://www.scientificlinux.org/

1. We are running a legacy Bro 1.5 installation currently supporting our old Instrumented SSHd infrastructure - http://code.google.com/p/auditing-sshd/ - we found that the standard malloc uses more memory than either of tcmalloc or jemalloc. I build bro with --enable-perftools to test tcmalloc, with a smaller memory footprint. To use jemalloc I just set LIBS=-ljemalloc - at this point we are using jemalloc, as it seems even a bit more memory thrifty than tcmalloc.

2. As part of the Instrumented SSHd infrastructure, we also have a perl script (ssllogmux) that runs a select loop accepting connections from all the Instrumented SSHd clients - typically several thousand at once. This is also in the Instrumented SSHd distribution. Perl is compiled to not use its own malloc, but to use the system. However, using the system malloc, this program would freeze after a day or so of operation. By using LD_PRELOAD, we forced it to use alternate malloc libraries - under both tcmalloc and jemalloc, it runs reliably.

3. On another system, we ran Bro 2.0 (now running 2.1), and bro was (un)reliably freezing after a day or two - running but capturing no data when compiled with --enable-perftools - when compiled with --disable-perftools, it has been rock solid. I don't know enough yet about CMake to have it use another malloc implementation easily - hopefully someone else knows how to do that - I want to test jemalloc.

So that's our current state of play - I would be interested in other folks' experience.

From dwyschogrod at bbn.com Sun Dec 2 18:47:36 2012
From: dwyschogrod at bbn.com (Daniel Wyschogrod)
Date: Sun, 2 Dec 2012 21:47:36 -0500
Subject: [Bro] Problem with Broccoli connection
Message-ID: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com>

Hello,

I'm just getting up to speed on Bro and Broccoli in an attempt to port some of our existing sensors to the Bro environment. I've been trying to connect unsuccessfully to a Bro server using the Barnyard2 alert_bro mechanism. The initial connection fails with a "Could not connect to Bro!" message. I attempted the same connection using py-broccoli and I get an IOError message.
I've modified the local.bro script to contain:

    @load policy/frameworks/communication/listen
    redef Communication::listen_port = 47757/tcp;

    @load policy/integration/barnyard2
    redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
    };

From examining the spo_alert_bro.c code in a debugger, it seems that the socket call in try_connect in the broccoli bro_openssl.c is failing. Is my local.bro code correct? It seems that Bro is not accepting Broccoli connections.

Any help would be greatly appreciated.

Thanks,
Dan
____________________
Dan Wyschogrod
Senior Scientist Cyber Security
Raytheon/BBN Technologies
dwyschogrod at bbn.com

From seth at icir.org Sun Dec 2 21:04:39 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Dec 2012 00:04:39 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com>
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com>
Message-ID: <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org>

On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod wrote:

> ["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
> };

You need two commas in that event name. Sorry I didn't get that integration done in the Barnyard2 integration scripts already, I really should have.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Mon Dec 3 05:53:59 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Dec 2012 08:53:59 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To: <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org>
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org>
Message-ID: <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>

On Dec 3, 2012, at 12:04 AM, Seth Hall wrote:

> On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod wrote:
>
>> ["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
>> };
>
> You need two commas in that event name.

Arg! Two colons. :)

You could even just use /Barnyard2::.*/

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From dwyschogrod at bbn.com Mon Dec 3 06:34:04 2012
From: dwyschogrod at bbn.com (Daniel Wyschogrod)
Date: Mon, 3 Dec 2012 09:34:04 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To: <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org> <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
Message-ID: <86D264CC-128B-4ECF-A0CB-F54343220BD2@bbn.com>

Seth,

Thanks for the quick reply. Turns out that the missing colon was just a transcription error in hand copying the code to my email computer. The original had two colons.

The problem seems to be that the instance of Bro never sees the connection from Broccoli. There's no indication in the logs that the connection was attempted and the barnyard2 instance dies with the message:

    --== Initializing Barnyard2 ==--
    Initializing Input Plugins!
    Initializing Output Plugins!
    Parsing config file "/home/dwyschogrod/suricata-local/etc/barnyard2.conf"
    Log directory = /home/dwyschogrod/suricata-local/logs
    alert_bro Connecting to Bro (127.0.0.1:12345)...ERROR: failed!
    Could not connect to Bro!
    Fatal Error, Quitting..

The latest version of my local.bro code (I've changed the listen_port):

    @load policy/frameworks/communication/listen
    redef Communication::listen_port = 12345/tcp;
    #redef Communication::listen_interface = 127.0.0.1;
    redef Communication::listen_ssl = F;

    @load policy/integration/barnyard2
    redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
    };

Thanks again for the help.

Dan
____________________
Dan Wyschogrod
Senior Scientist Cyber Security
Raytheon/BBN Technologies
dwyschogrod at bbn.com

From miguellvrz9 at gmail.com Mon Dec 3 08:15:43 2012
From: miguellvrz9 at gmail.com (Miguel Alvarez)
Date: Mon, 3 Dec 2012 09:15:43 -0700
Subject: [Bro] bro-2.1.1-1.src.rpm
Message-ID:

Hi,

I'm running an old version of bro and was looking for the bro-2.1.1-1.src.rpm SRPM that was generated when the Bro-2.1-Linux-x86_64.rpm was built. Can anyone point me in the right direction?

Thank you

From dwyschogrod at bbn.com Mon Dec 3 08:28:30 2012
From: dwyschogrod at bbn.com (Daniel Wyschogrod)
Date: Mon, 3 Dec 2012 11:28:30 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To: <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org> <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
Message-ID:

Seth,

I think I've tracked down the problem, but it leads to another mystery. In my local.bro file, as I've pointed out, I have inserted the line:

    redef Communication::listen_port = 12345/tcp;

In the barnyard2.conf file, I've added:

    output alert_bro: 127.0.0.1:12345

I'm expecting, of course, a connection on port 12345. However, when I did a "netstat -l", I discovered that the bro process was listening on port 47760! The output from netstat -l was:

    tcp 0 0 0.0.0.0:47760 0.0.0.0:* LISTEN 6326/bro

When I changed the barnyard2.conf to:

    output alert_bro: 127.0.0.1:47760

the connection took place as expected. In addition, py-broccoli makes the connection as well when I use:

    Connection("127.0.0.1:47760")

On further investigation, I found that a bro file was generated in spool/installed-scripts-do-not-touch/auto called standalone-layout.bro. Its content is:

    # Automatically generated. Do not edit.
    redef Communication::listen_port = 47760/tcp;
    redef Communication::nodes += {
        ["control"] = [$host=127.0.0.1, $zone_id="", $class="control", $events=Control::controller_events],
    };

The 47760 port is the same in the standalone-layout.bro no matter what I set the listen_port to in local.bro. Where does the 47760 port come from and what can I do to use a different port?

Thanks again,
Dan
____________________
Dan Wyschogrod
Senior Scientist Cyber Security
Raytheon/BBN Technologies
dwyschogrod at bbn.com

From jsiwek at illinois.edu Mon Dec 3 08:28:43 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 3 Dec 2012 16:28:43 +0000
Subject: [Bro] bro-2.1.1-1.src.rpm
In-Reply-To:
References:
Message-ID:

> I'm running an old version of bro and was looking for the bro-2.1.1-1.src.rpm SRPM that was generated when the Bro-2.1-Linux-x86_64.rpm was built. Can anyone point me in the right direction?

There's no SRPM, but [1] is the corresponding source tarball from which I had CMake/CPack generate the binary package (using the pkg/make-rpm-packages script).
Jon

[1] http://www.bro-ids.org/downloads/release/bro-2.1.tar.gz

From seth at icir.org Mon Dec 3 08:38:31 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Dec 2012 11:38:31 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To:
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org> <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
Message-ID:

On Dec 3, 2012, at 11:28 AM, Daniel Wyschogrod wrote:

> I think I've tracked down the problem, but it leads to another mystery. In my local.bro file, as I've pointed out, I have inserted the line:

Oh, are you running this through BroControl? BroControl configures the communication framework for you. All you need to do is add another value to the Communication::nodes variable with the events to listen to.

    redef Communication::nodes += {
        ["barnyard2"] = [$host=127.0.0.1, $class="Barnyard2", $events=/Barnyard2::.*/],
    };

You *should* now be able to connect to the process, but you'll have to connect on port 47760/tcp. Is there a particular reason that you want to change that? You can't really do that in any BroControl deployment at the moment, and the communication code only can listen on a single port per Bro process.

This is a somewhat undefined area of operation because there hasn't been a lot of work to integrate external applications on clusters like this yet.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From dwyschogrod at bbn.com Mon Dec 3 09:00:03 2012
From: dwyschogrod at bbn.com (Daniel Wyschogrod)
Date: Mon, 3 Dec 2012 12:00:03 -0500
Subject: [Bro] Problem with Broccoli connection
In-Reply-To:
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org> <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
Message-ID:

Seth,

Thanks for clarifying that. I can certainly live with port 47760 now that I know that it's the "official" port. It probably would be a good idea to add to the documentation that BroControl uses this port, though I might have missed it.

Going forward, we hope to contribute some of our work with external sensors.

Thanks again for your help.

Dan
____________________
Dan Wyschogrod
Senior Scientist Cyber Security
Raytheon/BBN Technologies
dwyschogrod at bbn.com

From jsiwek at illinois.edu Mon Dec 3 09:22:04 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 3 Dec 2012 17:22:04 +0000
Subject: [Bro] Problem with Broccoli connection
In-Reply-To:
References: <0EE7AD79-CD6D-4000-9E35-F9C771923019@bbn.com> <792A2560-3030-4B7A-B3DF-093B19F33149@icir.org> <96F9953F-454C-421D-BF59-B40946C1E074@icir.org>
Message-ID:

> Going forward, we hope to contribute some of our work with external sensors.

Just to bring it to your attention, I did do a patch [1] to the Barnyard2 output plugin for Bro that fixed some bugs, but it doesn't look like it's in a release yet. So if you run into more issues, that might be your answer (or your problem).

Jon

[1] https://github.com/firnsy/barnyard2/pull/25

From paul.halliday at gmail.com Mon Dec 3 09:45:39 2012
From: paul.halliday at gmail.com (Paul Halliday)
Date: Mon, 3 Dec 2012 13:45:39 -0400
Subject: [Bro] Configuring MAIL FROM:
Message-ID:

Stumped!

Where does bro get the host value from? This is the error I am getting:

    Dec 3 13:01:12 host sSMTP[7223]: MAIL FROM:
    Dec 3 13:01:12 host sSMTP[7223]: 504 Need Fully Qualified Address

I need 'host' to expand to 'host.my.domain'

Thanks.

--
Paul Halliday
http://www.pintumbler.org/

From seth at icir.org Mon Dec 3 10:39:19 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Dec 2012 13:39:19 -0500
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To:
References:
Message-ID: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>

On Dec 3, 2012, at 12:45 PM, Paul Halliday wrote:

> Stumped!
>
> Where does bro get the host value from?

Technically from the "hostname" command by default. You can change it by using a FQDN in broctl.cfg like this...
    mailfrom = Big Brother

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From christopher.p.crawford at gmail.com Mon Dec 3 15:03:27 2012
From: christopher.p.crawford at gmail.com (Chris Crawford)
Date: Mon, 3 Dec 2012 18:03:27 -0500
Subject: [Bro] Event Suppression
Message-ID:

I'd like to tell bro to tell me about a certain event, but then suppress itself for a while.

I am running bro version 2.1.

I think I'm on the right track, but I'm not getting the results I expect.

Here's my script:

I expect that after seeing a certain DNS query in my log, there should be, at a minimum, a 10 second delay until the next entry. However, when I visit a few known domains that cause a DNS SERVFAIL, there's no evidence that there was any suppression:

    2012-12-03T17:50:17-0500 VwaSrYrTxi 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:17-0500 UqKgxpLZXdl 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:38-0500 RYIqIhSukA3 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:35-0500 mUI17wg5yTc 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:38-0500 KemCuIc90gg 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:29-0500 8lhNeEBFhpk 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:30-0500 OIaKdzZRoVg 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:34-0500 Z7dzjrZq2hg 10.10.10.1 foo.org SERVFAIL
    2012-12-03T17:50:43-0500 8xWwzjhwtJ3 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:44-0500 0wgsg6dNt75 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:45-0500 MLQiHZEsHFg 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:47-0500 ebViJIKgTsa 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:55-0500 6rmI6q4oc5c 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:50:56-0500 rJJziyz3Snk 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:51:07-0500 OVppLHtXjPf 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:51:08-0500 2B20RG46gtl 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:51:19-0500 1OSfSKiNIL2 10.10.10.1 bar.com SERVFAIL
    2012-12-03T17:51:20-0500 LK7pwe5inc1 10.10.10.1 bar.com SERVFAIL

Any tips on what I'm doing wrong?

-Chris

From JAzoff at albany.edu Mon Dec 3 15:29:25 2012
From: JAzoff at albany.edu (Justin Azoff)
Date: Mon, 3 Dec 2012 18:29:25 -0500
Subject: [Bro] Event Suppression
In-Reply-To:
References:
Message-ID: <20121203232925.GR21152@datacomm.albany.edu>

On Mon, Dec 03, 2012 at 06:03:27PM -0500, Chris Crawford wrote:
> I'd like to tell bro to tell me about a certain event, but then suppress itself
> for a while.
>
> I am running bro version 2.1.
>
> I think I'm on the right track, but I'm not getting the results I expect.
>
> Here's my script:
...
> NOTICE([$note=DNS_SERV_FAIL, $msg=fmt("Check
> out %s. It failed to resolve%s.", rec$id$orig_h, rec$query), $suppress_for=
> 10sec, $identifier=cat(rec$query)]);
...
> I expect that after seeing a certain DNS query in my log, there should be, at a
> minimum, a 10 second delay until the next entry.

The suppress_for there only applies to NOTICE. If you look at your notice.log you'll see the behavior you expect. If you want the regular log to have the same behavior you can implement the suppression yourself. You just need to create something like

    seen_domains: set[string] &create_expire=10sec &synchronized;

then use something like this in your 'pred'

    if(rec$query !in seen_domains) {
        add seen_domains[rec$query];
        return T;
    } else {
        return F;
    }

or maybe cleaner as

    if(rec$query in seen_domains)
        return F;
    add seen_domains[rec$query];
    return T;

--
-- Justin Azoff
-- Network Security & Performance Analyst

From miguellvrz9 at gmail.com Mon Dec 3 15:47:56 2012
From: miguellvrz9 at gmail.com (Miguel Alvarez)
Date: Tue, 4 Dec 2012 00:47:56 +0100
Subject: [Bro] bro-2.1.1-1.src.rpm
In-Reply-To:
References:
Message-ID:

Thank you, Jon. Is there a spec file that was created or anything? I'd just like to take a look as to how things were compiled.

Cheers

From jsiwek at illinois.edu Tue Dec 4 07:59:32 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Tue, 4 Dec 2012 15:59:32 +0000
Subject: [Bro] bro-2.1.1-1.src.rpm
In-Reply-To:
References:
Message-ID:

> Is there a spec file that was created or anything? I'd just like to take a look as to how things were compiled.

After running `./configure --prefix=/opt/bro --pkg-name-prefix=Bro --binary-package && ( cd build && make package )`, CMake/CPack generated the attached spec file in ./build/_CPack_Packages/Linux/RPM/SPECS/bro.spec. I don't think anyone's attached to this way of creating the binary packages, so comments/suggestions are welcome.

Jon

(Attachment: bro.spec, 22088 bytes: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121204/763f570b/attachment.obj)

From miguellvrz9 at gmail.com Tue Dec 4 08:40:58 2012
From: miguellvrz9 at gmail.com (Miguel Alvarez)
Date: Tue, 4 Dec 2012 17:40:58 +0100
Subject: [Bro] bro-2.1.1-1.src.rpm
In-Reply-To:
References:
Message-ID:

Thank you very much, Jon. Is python >= 2.4.0 actually a requirement for bro-2.x or is that just what's installed on your build system?
Cheers

From jsiwek at illinois.edu Tue Dec 4 08:57:49 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Tue, 4 Dec 2012 16:57:49 +0000
Subject: [Bro] bro-2.1.1-1.src.rpm
In-Reply-To:
References:
Message-ID:

> Thank you very much, Jon. Is python >= 2.4.0 actually a requirement for bro-2.x or is that just what's installed on your build system?

I think that may have been the requirement for Bro 2.0, but it should now actually be python >= 2.6.

Jon

From paul.halliday at gmail.com Tue Dec 4 11:24:18 2012
From: paul.halliday at gmail.com (Paul Halliday)
Date: Tue, 4 Dec 2012 15:24:18 -0400
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
Message-ID:

On Mon, Dec 3, 2012 at 2:39 PM, Seth Hall wrote:
>
> On Dec 3, 2012, at 12:45 PM, Paul Halliday wrote:
>
>> Stumped!
>>
>> Where does bro get the host value from?
>
> Technically from the "hostname" command by default. You can change it by using a FQDN in broctl.cfg like this...
>
> mailfrom = Big Brother
>

Should it be mailfrom or MailFrom? Either way it didn't appear to influence anything.

I did fix it so that `hostname` now returns host.domain.ca. This didn't help either.

I turned on debugging for ssmtp:

    Dec 4 14:01:21 hostname sSMTP[75788]: Set Root="postmaster"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set MailHub="mail.domain.ca"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set RemotePort="25"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set RewriteDomain="domain.ca"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set HostName="hostname.nscc.ca"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set FromLineOverride="True"
    Dec 4 14:01:21 hostname sSMTP[75788]: Set MailHub="mail.domain.ca"
    Dec 4 14:01:21 hostname sSMTP[75788]: via SMTP Port Number="25"
    Dec 4 14:01:21 hostname sSMTP[75788]: 220 mail.domain.ca ESMTP (blahblahblahblah)
    Dec 4 14:01:21 hostname sSMTP[75788]: HELO hostname.domain.ca
    Dec 4 14:01:21 hostname sSMTP[75788]: 250 mail.domain.ca Hello hostname.domain.ca [1.2.3.4], pleased to meet you
    Dec 4 14:01:21 hostname sSMTP[75788]: MAIL FROM:
    Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address
    Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address

Just doing: `mail me at domain.ca` from the command line works.

Thoughts?

Thanks.

From scastle at bouldercounty.org Tue Dec 4 11:57:52 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Tue, 4 Dec 2012 19:57:52 +0000
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To:
References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us>

Hmm - I found this in ./base/frameworks/notice/mail.bro:

    ## Address that emails will be from.
    const mail_from = "Big Brother " &redef;
    ## Reply-to address used in outbound email.
    const reply_to = "" &redef;

So it looks like you need to add

    redef Notice::mail_from = "Big Brother ";

to your local.bro, and possibly change "reply_to" as well. Then run broctl check; broctl install; broctl restart (wash, rinse, spin) as usual.

--
Shane Castle
Data Security Mgr, Boulder County IT
_______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From paul.halliday at gmail.com Wed Dec 5 06:16:19 2012 From: paul.halliday at gmail.com (Paul Halliday) Date: Wed, 5 Dec 2012 10:16:19 -0400 Subject: [Bro] Configuring MAIL FROM: In-Reply-To: <21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us> References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org> <21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us> Message-ID: Worked like a charm. Thanks! On Tue, Dec 4, 2012 at 3:57 PM, Castle, Shane wrote: > Hmm - I found this in ./base/frameworks/notice/mail.bro: > > ## Address that emails will be from. > const mail_from = "Big Brother " &redef; > ## Reply-to address used in outbound email. > const reply_to = "" &redef; > > So it looks like you need to add > > redef Notice::mail_from = "Big Brother "; > > to your local.bro, and possibly change "reply_to" as well. Then run broctl check;broctl install;broctl restart (wash, rinse, spin) as usual. > > -- > Shane Castle > Data Security Mgr, Boulder County IT > > > -----Original Message----- > From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Paul Halliday > Sent: Tuesday, December 04, 2012 12:24 > To: Seth Hall > Cc: bro at bro-ids.org > Subject: Re: [Bro] Configuring MAIL FROM: > > On Mon, Dec 3, 2012 at 2:39 PM, Seth Hall wrote: >> >> On Dec 3, 2012, at 12:45 PM, Paul Halliday wrote: >> >>> Stumped! >>> >>> Where does bro get the host value from? >> >> Technically from the "hostname" command by default. You can change it by using a FQDN in broctl.cfg like this... >> >> mailfrom = Big Brother >> > > Should it be mailfrom or MailFrom? either way it didn't appear to > influence anything. > > I did fix it so that `hostname` now returns host.domain.ca. this > didn't help either. 
> > I turned on debugging for ssmtp: > > Dec 4 14:01:21 hostname sSMTP[75788]: Set Root="postmaster" > Dec 4 14:01:21 hostname sSMTP[75788]: Set MailHub="mail.domain.ca" > Dec 4 14:01:21 hostname sSMTP[75788]: Set RemotePort="25" > Dec 4 14:01:21 hostname sSMTP[75788]: Set RewriteDomain="domain.ca" > Dec 4 14:01:21 hostname sSMTP[75788]: Set HostName="hostname.nscc.ca" > Dec 4 14:01:21 hostname sSMTP[75788]: Set FromLineOverride="True" > Dec 4 14:01:21 hostname sSMTP[75788]: Set MailHub="mail.domain.ca" > Dec 4 14:01:21 hostname sSMTP[75788]: via SMTP Port Number="25" > Dec 4 14:01:21 hostname sSMTP[75788]: 220 mail.domain.ca ESMTP > (blahblahblahblah) > Dec 4 14:01:21 hostname sSMTP[75788]: HELO hostname.domain.ca > Dec 4 14:01:21 hostname sSMTP[75788]: 250 mail.domain.ca Hello > hostname.domain.ca [1.2.3.4], pleased to meet you > Dec 4 14:01:21 hostname sSMTP[75788]: MAIL FROM: > Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address > Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address > > Just doing: `mail me at domain.ca` from the command line works. > > Thoughts? > > Thanks. > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Paul Halliday http://www.pintumbler.org/ From seth at icir.org Wed Dec 5 06:19:28 2012 From: seth at icir.org (Seth Hall) Date: Wed, 5 Dec 2012 09:19:28 -0500 Subject: [Bro] Configuring MAIL FROM: In-Reply-To: References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org> <21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us> Message-ID: <29FA0302-19F0-47DC-831D-E7CDC69BDD26@icir.org> On Dec 5, 2012, at 9:16 AM, Paul Halliday wrote: >> redef Notice::mail_from = "Big Brother "; The mailfrom (or MailFrom, it's case insensitive) option in broctl.cfg actually sets this same variable. It's likely overwriting what you are setting in local.bro anyway. :) Glad it's working now. 
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From scastle at bouldercounty.org Wed Dec 5 11:45:25 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Wed, 5 Dec 2012 19:45:25 +0000
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To: <29FA0302-19F0-47DC-831D-E7CDC69BDD26@icir.org>
References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
	<21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us>
	<29FA0302-19F0-47DC-831D-E7CDC69BDD26@icir.org>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252D35C1@Mailbox1.boco.co.boulder.co.us>

I browsed some of the broctl doc online, and glanced at the source code,
and what Seth says is correct - the mods to broctl.cfg should have done
the job. I can only surmise that the broctl.cfg you modified was not the
one that was being used, or perhaps the wash-rinse-spin sequence failed
somehow.

Hmm, the only thing I can't find is how the Notice::mail_from var is set
given the info in the mailfrom config var. That one escapes me. Running
"broctl config" shows it but it is not what is being used by Notice, as
far as I can tell.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Wednesday, December 05, 2012 07:19
To: Paul Halliday
Cc: Castle, Shane; Seth Hall; bro at bro-ids.org
Subject: Re: [Bro] Configuring MAIL FROM:

On Dec 5, 2012, at 9:16 AM, Paul Halliday wrote:

>> redef Notice::mail_from = "Big Brother ";

The mailfrom (or MailFrom, it's case insensitive) option in broctl.cfg
actually sets this same variable. It's likely overwriting what you are
setting in local.bro anyway. :)

Glad it's working now.
.Seth

From jsiwek at illinois.edu Wed Dec 5 12:05:50 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Wed, 5 Dec 2012 20:05:50 +0000
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To: <21DD7C64179C9843B756C6DD491634DB252D35C1@Mailbox1.boco.co.boulder.co.us>
References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
	<21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us>
	<29FA0302-19F0-47DC-831D-E7CDC69BDD26@icir.org>
	<21DD7C64179C9843B756C6DD491634DB252D35C1@Mailbox1.boco.co.boulder.co.us>
Message-ID:

> Hmm the only thing I can't find is how the Notice::mail_from var is set
> given the info in the mailfrom config var. That one escapes me. Running
> "broctl config" shows it but it is not what is being used by Notice, as
> far as I can tell.

There's code in BroControl/install.py that automatically adds associated
"redefs" for some config options when doing `broctl install`, but I don't
see one that uses MailFrom to add a "redef Notice::mail_from=?". So I
think that's a bug.

Jon

From seth at icir.org Wed Dec 5 13:02:36 2012
From: seth at icir.org (Seth Hall)
Date: Wed, 5 Dec 2012 16:02:36 -0500
Subject: [Bro] Configuring MAIL FROM:
In-Reply-To:
References: <566B2349-65D0-4824-A94F-D9F55FA64F7A@icir.org>
	<21DD7C64179C9843B756C6DD491634DB252D193B@Mailbox1.boco.co.boulder.co.us>
	<29FA0302-19F0-47DC-831D-E7CDC69BDD26@icir.org>
	<21DD7C64179C9843B756C6DD491634DB252D35C1@Mailbox1.boco.co.boulder.co.us>
Message-ID:

On Dec 5, 2012, at 3:05 PM, "Siwek, Jonathan Luke" wrote:

>> but I don't see one that uses MailFrom to add a "redef Notice::mail_from=?".
>> So I think that's a bug.

Arg! Thanks Jon.
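An added example for the thread above (my own code, not Bro's, BroControl's or any poster's): the 504 in Paul's sSMTP transcript came back because the MAIL FROM address was not fully qualified, and a notice e-mail the MTA rejects is an alert that silently never arrives. The first function checks a candidate Notice::mail_from / mailfrom value for a fully qualified addr-spec before it is deployed; the second walks an sSMTP debug transcript and reports which SMTP command drew a 4xx/5xx reply, so a rejected notice shows up as a concrete line rather than a missing e-mail. The function names, the regular expressions and the sample log lines (modelled on the transcript above, with placeholder hosts) are all mine.

```python
"""Added example, not code from the thread or from Bro/BroControl: validate a
Notice::mail_from value and spot rejected SMTP commands in an sSMTP debug log.
Function names, regexes and the sample transcript are constructed for this
example."""
import re
from email.utils import parseaddr

# Minimal addr-spec check: local part, "@", and a domain containing at least one
# dot, i.e. the "Fully Qualified Address" the MTA in the thread insisted on.
FQDN_ADDR = re.compile(r"^[^@\s<>]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def check_mail_from(value):
    """Return (ok, detail) for a value such as 'Big Brother <bro@host.example>'.

    detail is the bare address on success, or the reason on failure."""
    _display, addr = parseaddr(value)
    if not addr:
        return False, "no address found in %r" % value
    if not FQDN_ADDR.match(addr):
        return False, "address %r is not fully qualified" % addr
    return True, addr


# sSMTP debug lines look like the ones in the thread:
#   Dec 4 14:01:21 hostname sSMTP[75788]: MAIL FROM: ...
#   Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address
SSMTP_MSG = re.compile(r"sSMTP\[\d+\]: (.*)$")
REPLY = re.compile(r"^(\d{3}) (.*)$")


def failed_smtp_commands(lines):
    """Pair each SMTP command with the server reply that follows it and return
    (command, code, text) for every reply whose code is 4xx or 5xx."""
    failures = []
    last_cmd = None
    for line in lines:
        m = SSMTP_MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        r = REPLY.match(msg)
        if r:
            code = int(r.group(1))
            if code >= 400 and last_cmd is not None:
                failures.append((last_cmd, code, r.group(2)))
            continue
        if msg.startswith("Set ") or msg.startswith("via "):
            continue  # sSMTP echoing its configuration, not a protocol command
        last_cmd = msg
    return failures


# Constructed sample transcript (placeholder hosts), not the poster's log.
SAMPLE_SSMTP_LOG = [
    'Dec 4 14:01:21 hostname sSMTP[75788]: Set MailHub="mail.example.net"',
    'Dec 4 14:01:21 hostname sSMTP[75788]: via SMTP Port Number="25"',
    'Dec 4 14:01:21 hostname sSMTP[75788]: 220 mail.example.net ESMTP',
    'Dec 4 14:01:21 hostname sSMTP[75788]: HELO sensor.example.net',
    'Dec 4 14:01:21 hostname sSMTP[75788]: 250 mail.example.net Hello sensor.example.net [192.0.2.10], pleased to meet you',
    'Dec 4 14:01:21 hostname sSMTP[75788]: MAIL FROM: <bro@sensor>',
    'Dec 4 14:01:21 hostname sSMTP[75788]: 504 Need Fully Qualified Address',
]

if __name__ == "__main__":
    for candidate in ("Big Brother <bro@sensor.example.net>", "Big Brother <bro@sensor>"):
        print(candidate, "->", check_mail_from(candidate))
    for cmd, code, text in failed_smtp_commands(SAMPLE_SSMTP_LOG):
        print("rejected: %s  (%d %s)" % (cmd, code, text))
```

Run check_mail_from() over the value you are about to put in local.bro or broctl.cfg; a bare hostname fails the check just as it failed at the MTA. The transcript scanner pairs a reply with the most recent command, so a repeated 504 such as the one in Paul's log is reported once per reply line.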
From lieuctk32 at gmail.com Wed Dec 5 21:07:50 2012
From: lieuctk32 at gmail.com (Nhok Maruko)
Date: Thu, 6 Dec 2012 12:07:50 +0700
Subject: [Bro] Bro IDS
Message-ID:

Hi everyone.

I'm a newbie in BRO IDS. I have installed BRO, but I don't know how to
use it. Can someone tell me what I should do to detect an attack if one
happens in my network, please? Tell me where I can read notices and
alarms too.

I'm very grateful and thank you for your help.

Lieu

From justin at justinthomas.name Wed Dec 5 21:55:48 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Wed, 5 Dec 2012 21:55:48 -0800
Subject: [Bro] Basic Question
Message-ID:

I'm pretty new to Bro and am just trying to understand how to go about
getting events programmatically from the sensor (10.0.0.1).

Here's my test scenario. I see entries constantly being added to the
ssl.log file. Since this is a pretty busy file, I decide to try to
register an event handler (using ipython) to capture those events on a
separate system (using the python interface):

    from broccoli import *

    bc = Connection("10.0.0.1:47760")

    @event
    def ssl_conn_attempt(connection, version, ciphers):
        print connection, version, ciphers

    while True:
        bc.processInput()

But I never see my callback triggered even though I see constant
activity in the ssl.log file.

What am I doing wrong?

Thanks in advance!

Justin
From seth at icir.org Thu Dec 6 06:51:31 2012
From: seth at icir.org (Seth Hall)
Date: Thu, 6 Dec 2012 09:51:31 -0500
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

On Dec 6, 2012, at 12:55 AM, Justin Thomas wrote:

> @event
> def ssl_conn_attempt(connection, version, ciphers):

Where did you get this event from? That is an old event that was removed
prior to the 2.0 release. You can refer to the following link for all of
our current (2.1 release) analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html

Are you running Bro with BroControl in standalone mode too? If you run a
cluster and you only connect to your manager you won't see these events
either because the protocol events aren't being generated on the
manager. It looks like you're doing the right things in your python
script though.

.Seth

From carlopmart at gmail.com Thu Dec 6 07:08:56 2012
From: carlopmart at gmail.com (carlopmart)
Date: Thu, 06 Dec 2012 15:08:56 +0000
Subject: [Bro] Bro-IDS ready for OpenBSD 5.2?
Message-ID: <50C0B508.9060806@gmail.com>

Hi all,

I have two OpenBSD 5.2 IDS sensors with snort installed acting as
transparent bridges with CARP configured. After some time testing Bro-IDS
on one CentOS sensor, I would like to try bro-ids on these OpenBSD boxes
as workers and one CentOS host as a proxy and management node, but
according to the Bro-IDS FAQ:

"Generally, please note that we do not regularly test OpenBSD builds. We
appreciate any patches that improve Bro's support for this platform."

Then, is Bro-IDS not ready for OpenBSD platforms in production
environments?

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com

From slagell at illinois.edu Thu Dec 6 07:17:35 2012
From: slagell at illinois.edu (Slagell, Adam J)
Date: Thu, 6 Dec 2012 15:17:35 +0000
Subject: [Bro] Bro-IDS ready for OpenBSD 5.2?
In-Reply-To: <50C0B508.9060806@gmail.com>
References: <50C0B508.9060806@gmail.com>
Message-ID: <558D23D33781EF45A69229CDAC6BF15110B45CEC@CITESMBX6.ad.uillinois.edu>

We have not included OpenBSD in our nightly build & test environment, but
have considered it. Mostly we test against common Linux distros, FreeBSD,
and the latest Mac OS. So right now we can't really say, as we haven't
specifically tested it for OpenBSD compatibility.

On Dec 6, 2012, at 9:08 AM, carlopmart wrote:

> Hi all,
>
> I have two OpenBSD 5.2 IDS sensors with snort installed acting as
> transparent bridges with CARP configured. After some time testing
> Bro-IDS on one CentOS sensor, I would like to try bro-ids on these
> OpenBSD boxes as workers and one CentOS host as a proxy and management
> node, but according to the Bro-IDS FAQ:
>
> "Generally, please note that we do not regularly test OpenBSD builds. We
> appreciate any patches that improve Bro's support for this platform."
>
> Then, is Bro-IDS not ready for OpenBSD platforms in production
> environments?
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

------
Adam J. Slagell, CISO, CISSP
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info
217.244.8965

"Under the Illinois Freedom of Information Act (FOIA), any written
communication to or from University employees regarding University
business is a public record and may be subject to public disclosure."

From tyler.schoenke at colorado.edu Thu Dec 6 08:39:53 2012
From: tyler.schoenke at colorado.edu (Tyler T.
Schoenke)
Date: Thu, 06 Dec 2012 09:39:53 -0700
Subject: [Bro] Bro IDS
In-Reply-To:
References:
Message-ID: <50C0CA59.2040207@colorado.edu>

Although I haven't used it in a while, probably the easiest way for you
to get started is to install Security Onion on an Ubuntu virtual or
physical computer. It should take about 15 minutes to get Ubuntu
installed, and 15 minutes to get Security Onion installed. From there,
just look at the various log files.

After that, watch the videos and go through the exercises from the 2011
Bro Workshop.

http://www.bro-ids.org/bro-workshop-2011/index.html

Tyler

--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder

On 12/5/12 10:07 PM, Nhok Maruko wrote:
> Hi everyone.
> I'm a newbie in BRO IDS. I have installed BRO, but I don't know how to
> use it. Can someone tell me what I should do to detect an attack if one
> happens in my network, please? Tell me where I can read notices and
> alarms too.
> I'm very grateful and thank you for your help.
> Lieu

From justin at justinthomas.name Thu Dec 6 08:56:52 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Thu, 6 Dec 2012 08:56:52 -0800
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events

I guess the "old" in the URL should have tipped me off. I had some
trouble finding descriptions of built-in events, so I just grabbed the
first thing that looked reasonable. I'll look over the document you
linked below. I did try using the "new_connection" event with similar
results (i.e., none), so your comment on the cluster configuration may
also be a sticking point for me.

I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics
(if I recall correctly, I think I configured it as a cluster for future
expansion but am only running on one machine right now).
On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall wrote:
>
> On Dec 6, 2012, at 12:55 AM, Justin Thomas wrote:
>
> > @event
> > def ssl_conn_attempt(connection, version, ciphers):
>
> Where did you get this event from? That is an old event that was removed
> prior to the 2.0 release. You can refer to the following link for all of
> our current (2.1 release) analyzer generated events:
> http://bro-ids.org/documentation/scripts/base/event.bif.html
>
> Are you running Bro with BroControl in standalone mode too? If you run a
> cluster and you only connect to your manager you won't see these events
> either because the protocol events aren't being generated on the manager.
> It looks like you're doing the right things in your python script though.
>
> .Seth

From justin at justinthomas.name Thu Dec 6 09:14:23 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Thu, 6 Dec 2012 09:14:23 -0800
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

It actually is configured as standalone - my mistake.

I changed my python script to:

    from broccoli import *

    bc = Connection("10.0.0.1:47760")

    @event
    def new_connection(event):

On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas wrote:
> From here:
> http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events
>
> I guess the "old" in the URL should have tipped me off. I had some trouble
> finding descriptions of built-in events, so I just grabbed the first thing
> that looked reasonable. I'll look over the document you linked below. I did
> try using the "new_connection" event with similar results (i.e., none), so
> your comment on the cluster configuration may also be a sticking point for
> me.
>
> I'll look over my configuration with that note about the manager not
> generating the protocol events in mind; I'm not sure on the specifics (if I
> recall correctly, I think I configured it as a cluster for future expansion
> but am only running on one machine right now).

From justin at justinthomas.name Thu Dec 6 09:18:21 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Thu, 6 Dec 2012 09:18:21 -0800
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

Argh - no tabs in Gmail.

    @event
    def new_connection(connection):
        print connection

    while True:
        bc.processInput()

...and still don't see any activity despite seeing lots of messages in
conn.log.

Any troubleshooting tips?
I also know that the connection to the sensor is being established - I'm
entering the script interactively via ipython and no errors are
generated (and I see the connected socket via netstat on the sensor).

On Thu, Dec 6, 2012 at 9:14 AM, Justin Thomas wrote:
> It actually is configured as standalone - my mistake.
>
> I changed my python script to:
>
>     from broccoli import *
>     bc = Connection("10.0.0.1:47760")
>
>     @event
>     def new_connection(event):
From justin at justinthomas.name Thu Dec 6 13:54:40 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Thu, 6 Dec 2012 13:54:40 -0800
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

Here is a gist with my current efforts: https://gist.github.com/4227811

I've tried all kinds of things - including adding my client node to the
"Communication::nodes" table on the bro sensor. That allowed me to see
"peerstatus" information using broctl when I connected using the Python
script, but my callback still never fired despite all kinds of
connections being logged in conn.log.

I'm not sure where to look next - I've read every example I can find.

Any tips would be helpful. Thanks!

On Thu, Dec 6, 2012 at 9:18 AM, Justin Thomas wrote:
> Argh - no tabs in Gmail.
>
>     @event
>     def new_connection(connection):
>         print connection
>
>     while True:
>         bc.processInput()
>
> ...and still don't see any activity despite seeing lots of messages in
> conn.log.
>
> Any troubleshooting tips? I also know that the connection to the sensor is
> being established - I'm entering the script interactively via ipython and
> no errors are generated (and I see the connected socket via netstat on the
> sensor).
From jsiwek at illinois.edu Thu Dec 6 14:28:12 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 6 Dec 2012 22:28:12 +0000
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

> Any troubleshooting tips? I also know that the connection to the sensor is
> being established - I'm entering the script interactively via ipython and
> no errors are generated (and I see the connected socket via netstat on the
> sensor).

You could use tcpdump to see if any packets are actually sent after the
connection is made. Sometimes communication.log can have relevant
information. And there's some pybroccoli documentation at [1] if you
haven't read it yet. You might also try to get an even more minimal test
to work first, like instead of using broctl, run bro from the command
line as `bro -b -i ./test.bro`.

test.bro:

    @load frameworks/communication/listen
    redef Communication::listen_port = 47760/tcp;

    global my_event: event(cid: conn_id);

    event new_connection(c: connection)
        {
        print "new_connection", c$id;
        event my_event(c$id);
        }

test.py:

    #! /usr/bin/env python

    from broccoli import *

    conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")

    @event(conn_id)
    def my_event(cid):
        print "my_event", cid

    bc = Connection("127.0.0.1:47760")

    while True:
        bc.processInput()

And if that works, then you can try moving the event declaration/handler
into share/bro/site/local.bro to see if test.py works from your
standalone broctl setup.

A couple other things about the example above:

1) For events that have record type parameters, they have to be defined
in the python script.
2) The "connection" type parameter for the "new_connection" event is
pretty complex, so I've declared "my_event" to be more deliberate in
picking out only a few fields.

Jon

[1] http://www.bro-ids.org/documentation/components/broccoli-python/README.html

From justin at justinthomas.name Thu Dec 6 14:41:55 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Thu, 6 Dec 2012 14:41:55 -0800
Subject: [Bro] Basic Question
In-Reply-To:
References:
Message-ID:

You're a miracle worker!

Instead of running it locally, I first tried just modifying
site/local.bro by adding your snippet:

    global my_event: event(cid: conn_id);

    event new_connection(c: connection)
        {
        print "new_connection", c$id;
        event my_event(c$id);
        }

...and changing my Python script as you described below (pointing to my
sensor instead of localhost). Sure enough, it's printing all kinds of
stuff now. I'll work with this some more to be sure I fully understand
it. My working assumption is that the lack of the proper record_type in
Python was my main hang-up.

Thanks!

On Thu, Dec 6, 2012 at 2:28 PM, Siwek, Jonathan Luke wrote:
>
> > Any troubleshooting tips? I also know that the connection to the sensor
> > is being established - I'm entering the script interactively via ipython
> > and no errors are generated (and I see the connected socket via netstat on
> > the sensor).
>
> You could use tcpdump to see if any packets are actually sent after the
> connection is made. Sometimes communication.log can have relevant
> information. And there's some pybroccoli documentation at [1] if you
> haven't read it yet. You might also try to get an even more minimal test
> to work first, like instead of using broctl, run bro from the command line
> as `bro -b -i ./test.bro`.
>
> test.bro:
>
>     @load frameworks/communication/listen
>     redef Communication::listen_port = 47760/tcp;
>
>     global my_event: event(cid: conn_id);
>
>     event new_connection(c: connection)
>         {
>         print "new_connection", c$id;
>         event my_event(c$id);
>         }
>
> test.py:
>
>     #! /usr/bin/env python
>
>     from broccoli import *
>
>     conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")
>
>     @event(conn_id)
>     def my_event(cid):
>         print "my_event", cid
>
>     bc = Connection("127.0.0.1:47760")
>
>     while True:
>         bc.processInput()
>
> And if that works, then you can try moving the event declaration/handler
> into share/bro/site/local.bro to see if test.py works from your standalone
> broctl setup.
>
> A couple other things about the example above:
>
> 1) For events that have record type parameters, they have to be defined in
> the python script.
>
> 2) The "connection" type parameter for the "new_connection" event is
> pretty complex, so I've declared "my_event" to be more deliberate in
> picking out only a few fields.
>
> Jon
>
> [1]
> http://www.bro-ids.org/documentation/components/broccoli-python/README.html

From carlopmart at gmail.com Fri Dec 7 09:51:47 2012
From: carlopmart at gmail.com (carlopmart)
Date: Fri, 07 Dec 2012 17:51:47 +0000
Subject: [Bro] Bro-IDS ready for OpenBSD 5.2?
In-Reply-To: <558D23D33781EF45A69229CDAC6BF15110B45CEC@CITESMBX6.ad.uillinois.edu>
References: <50C0B508.9060806@gmail.com>
	<558D23D33781EF45A69229CDAC6BF15110B45CEC@CITESMBX6.ad.uillinois.edu>
Message-ID: <50C22CB3.5040700@gmail.com>

On 12/06/2012 03:17 PM, Slagell, Adam J wrote:
> We have not included OpenBSD in our nightly build & test environment,
> but have considered it. Mostly we test against common Linux distros,
> FreeBSD, and the latest Mac OS.
> So right now we can't really say, as we haven't specifically tested it
> for OpenBSD compatibility.
>
> On Dec 6, 2012, at 9:08 AM, carlopmart wrote:
>

Thanks Adam. The only prerequisite is to use gmake instead of the make
that comes with openbsd, correct?

From jsiwek at illinois.edu Fri Dec 7 10:46:49 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Fri, 7 Dec 2012 18:46:49 +0000
Subject: [Bro] Bro-IDS ready for OpenBSD 5.2?
In-Reply-To: <50C22CB3.5040700@gmail.com>
References: <50C0B508.9060806@gmail.com>
	<558D23D33781EF45A69229CDAC6BF15110B45CEC@CITESMBX6.ad.uillinois.edu>
	<50C22CB3.5040700@gmail.com>
Message-ID:

> Thanks Adam. The only prerequisite is to use gmake instead of the make
> that comes with openbsd, correct?

It should just be the top-level Makefile that depends on gmake, but you
don't have to use it. After `./configure`, you can change into the
"./build" directory and instead use the Makefile there for doing the
typical `make` and `make install` tasks.

Jon

From carlopmart at gmail.com Fri Dec 7 10:53:29 2012
From: carlopmart at gmail.com (carlopmart)
Date: Fri, 07 Dec 2012 18:53:29 +0000
Subject: [Bro] Bro-IDS ready for OpenBSD 5.2?
In-Reply-To:
References: <50C0B508.9060806@gmail.com>
	<558D23D33781EF45A69229CDAC6BF15110B45CEC@CITESMBX6.ad.uillinois.edu>
	<50C22CB3.5040700@gmail.com>
Message-ID: <50C23B29.9030302@gmail.com>

On 12/07/2012 06:46 PM, Siwek, Jonathan Luke wrote:
>
>> Thanks Adam. The only prerequisite is to use gmake instead of the make
>> that comes with openbsd, correct?
>
> It should just be the top-level Makefile that depends on gmake, but you
> don't have to use it. After `./configure`, you can change into the
> "./build" directory and instead use the Makefile there for doing the
> typical `make` and `make install` tasks.
>
> Jon

Thanks Jon.
From justin at justinthomas.name Fri Dec 7 17:35:14 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Fri, 7 Dec 2012 17:35:14 -0800
Subject: [Bro] ANALYZER_* resolution
Message-ID:

Another (I think) simple question: how do I resolve the "count" constant
to its appropriate ANALYZER_* name string? I think I need to do something
with dpd_config, but can't seem to find the right information. I can see
(through observation) that 34 is ANALYZER_SSL, 9 is ANALYZER_DNS and 13
is ANALYZER_HTTP, but I can't find those associations anywhere in the
code.

What I want to do is have a script that validates the protocol of a flow
for a web application I'm using. So I'm getting that data out of Bro
with a Python script using this snippet in site/local.bro:

    global protocol_confirmation_custom: event(cid: conn_id, atype: count);

    event protocol_confirmation(c: connection, atype: count, aid: count)
        {
        event protocol_confirmation_custom(c$id, atype);
        }

My script then gets data like:

    protocol_confirmation {'orig_p': '34850/tcp', 'orig_h': 'x.x.x.x', 'resp_p': '80/tcp', 'resp_h': 'x.x.x.x'} 13

Instead of that "13" at the end, I want "ANALYZE_HTTP". But obviously, I
don't want to just make that association manually - I'm sure there must
be a way to get the analyzer name programmatically, I just can't seem to
find it.

Thanks for your help!

Justin

From seth at icir.org Fri Dec 7 18:33:43 2012
From: seth at icir.org (Seth Hall)
Date: Fri, 7 Dec 2012 21:33:43 -0500
Subject: [Bro] ANALYZER_* resolution
In-Reply-To:
References:
Message-ID:

On Dec 7, 2012, at 8:35 PM, Justin Thomas wrote:

> Instead of that "13" at the end, I want "ANALYZE_HTTP".
> But obviously, I don't want to just make that association manually -
> I'm sure there must be a way to get the analyzer name programmatically,
> I just can't seem to find it.

    ## Translate an analyzer type to an ASCII string.
    ##
    ## aid: The analyzer ID.
    ##
    ## Returns: The analyzer *aid* as string.
    ##
    ## .. bro:see:: expect_connection disable_analyzer current_analyzer
    function analyzer_name%(aid: count%) : string

That should work.

.Seth

From justin at justinthomas.name Fri Dec 7 21:09:39 2012
From: justin at justinthomas.name (Justin Thomas)
Date: Fri, 7 Dec 2012 21:09:39 -0800
Subject: [Bro] ANALYZER_* resolution
In-Reply-To:
References:
Message-ID:

I'll get the hang of this one way or another; thanks for the pointer.

On Fri, Dec 7, 2012 at 6:33 PM, Seth Hall wrote:
>
> On Dec 7, 2012, at 8:35 PM, Justin Thomas wrote:
>
> > Instead of that "13" at the end, I want "ANALYZE_HTTP". But obviously, I
> > don't want to just make that association manually - I'm sure there must be
> > a way to get the analyzer name programmatically, I just can't seem to find
> > it.
>
>     ## Translate an analyzer type to an ASCII string.
>     ##
>     ## aid: The analyzer ID.
>     ##
>     ## Returns: The analyzer *aid* as string.
>     ##
>     ## .. bro:see:: expect_connection disable_analyzer current_analyzer
>     function analyzer_name%(aid: count%) : string
>
> That should work.
>
> .Seth
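An added example for the ANALYZER_* question above (my own code, not Bro's or any poster's). Inside Bro the analyzer_name() BIF that Seth points to does the lookup, but a client that receives the count over Broccoli, as Justin's script does, has no such function, and as Robin notes in the next message the numbers originate in a C++ enum (Tag in src/AnalyzerTags.h). The parser below recovers the id-to-name table from an enum of that shape, applying the C rule that an entry without an explicit value is the previous value plus one, and then labels a received (conn_id, count) pair the way Justin wanted. The enum text is a constructed stand-in with made-up values (chosen to agree with the ids Justin observed), not the real header, and every function name is mine; point parse_enum() at the real file to get the table for a given build.

```python
"""Added example, not code from the thread or from Bro: recover the numeric
id -> ANALYZER_* mapping from a C/C++ enum and use it to label analyzer ids
received on the client side.  SAMPLE_ENUM is constructed for this example and
is not the contents of src/AnalyzerTags.h."""
import re

SAMPLE_ENUM = """
// constructed sample in the style of an autogenerated analyzer tag enum
enum Tag {
    ANALYZER_NONE = 0,
    ANALYZER_ICMP,          // implicit: previous value + 1
    ANALYZER_TCP,
    ANALYZER_UDP,
    ANALYZER_DNS = 9,       /* an explicit value restarts the counter */
    ANALYZER_FTP,
    ANALYZER_HTTP = 0xD,    // hex is legal here; int(x, 0) handles it
    ANALYZER_SSL = 34,
    ANALYZER_LAST,
};
"""

ENUM_BODY = re.compile(r"enum\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
ENTRY = re.compile(r"^\s*(\w+)\s*(?:=\s*([^,]+?))?\s*$")


def strip_comments(text):
    """Remove /* ... */ and // comments so they cannot be mistaken for entries."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def parse_enum(text, name="Tag"):
    """Return {value: identifier} for the named enum.

    Entries without '=' get the previous value + 1 (the first entry is 0);
    explicit values must be integer literals (decimal or 0x...)."""
    for m in ENUM_BODY.finditer(strip_comments(text)):
        if m.group(1) != name:
            continue
        table = {}
        next_value = 0
        for raw in m.group(2).split(","):
            if not raw.strip():
                continue  # trailing comma before the closing brace
            e = ENTRY.match(raw)
            if not e:
                raise ValueError("unparsable enum entry: %r" % raw)
            ident, expr = e.group(1), e.group(2)
            value = int(expr, 0) if expr else next_value
            table[value] = ident
            next_value = value + 1
        return table
    raise KeyError("enum %s not found" % name)


def analyzer_name(aid, table):
    """Client-side counterpart of Bro's analyzer_name() BIF: id -> string."""
    return table.get(aid, "ANALYZER_UNKNOWN(%d)" % aid)


def label_protocol_confirmation(cid, atype, table):
    """Turn the (conn_id, count) pair the thread's script receives into
    (conn_id, name), e.g. (..., 13) -> (..., 'ANALYZER_HTTP')."""
    return cid, analyzer_name(atype, table)


if __name__ == "__main__":
    tags = parse_enum(SAMPLE_ENUM)
    sample_cid = {"orig_p": "34850/tcp", "orig_h": "192.0.2.1",
                  "resp_p": "80/tcp", "resp_h": "192.0.2.2"}  # constructed
    print(label_protocol_confirmation(sample_cid, 13, tags))
```

An entry whose value is an expression rather than a literal (for example a reference to another enumerator) raises ValueError instead of guessing; extend the ENTRY handling if the header you parse uses such entries. Because the table is tied to one build's header, regenerate it whenever the sensor is upgraded rather than hard-coding the numbers.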
From robin at icir.org Sat Dec 8 12:00:09 2012
From: robin at icir.org (Robin Sommer)
Date: Sat, 8 Dec 2012 12:00:09 -0800
Subject: [Bro] ANALYZER_* resolution
In-Reply-To:
References:
Message-ID: <20121208200009.GC43048@icir.org>

On Fri, Dec 07, 2012 at 21:09 -0800, you wrote:

> I'll get the hang of this one way or another; thanks for the pointer.

In case it helps, the values come originally from a C++ enum: see Tag in
src/AnalyzerTags.h (and yeah, these autogenerated constants are pretty
nasty actually ...)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From scastle at bouldercounty.org Mon Dec 10 07:03:34 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Mon, 10 Dec 2012 15:03:34 +0000
Subject: [Bro] Request: summarize-connections and email
Message-ID: <21DD7C64179C9843B756C6DD491634DB252D8C41@Mailbox1.boco.co.boulder.co.us>

I'd like to stop the hourly emails sent by the summarize-connections
script. There is not an option to turn these off; all I can do is
comment out the line that calls ${scriptsdir}/send-mail. It would be
nice to have a configurable switch to disable these.

--
Shane Castle
Data Security Mgr, Boulder County IT

From robin at icir.org Mon Dec 10 08:24:50 2012
From: robin at icir.org (Robin Sommer)
Date: Mon, 10 Dec 2012 08:24:50 -0800
Subject: [Bro] Request: summarize-connections and email
In-Reply-To: <21DD7C64179C9843B756C6DD491634DB252D8C41@Mailbox1.boco.co.boulder.co.us>
References: <21DD7C64179C9843B756C6DD491634DB252D8C41@Mailbox1.boco.co.boulder.co.us>
Message-ID: <20121210162450.GH66949@icir.org>

On Mon, Dec 10, 2012 at 15:03 +0000, you wrote:

> I'd like to stop the hourly emails sent by the summarize-connections
> script. There is not an option to turn these off;

Adding a line "TraceSummary=" to broctl.cfg (i.e., clearing that option)
should disable them.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From scastle at bouldercounty.org  Mon Dec 10 08:28:06 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Mon, 10 Dec 2012 16:28:06 +0000
Subject: [Bro] Request: summarize-connections and email
In-Reply-To: <20121210162450.GH66949@icir.org>
References: <21DD7C64179C9843B756C6DD491634DB252D8C41@Mailbox1.boco.co.boulder.co.us> <20121210162450.GH66949@icir.org>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252D8F45@Mailbox1.boco.co.boulder.co.us>

I don't want to disable the scan summaries; they can be useful. I just want to disable the emails of them. I can still see them in the log hierarchy if I want to.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Monday, December 10, 2012 09:25
To: Castle, Shane
Cc: bro at bro-ids.org
Subject: Re: [Bro] Request: summarize-connections and email

On Mon, Dec 10, 2012 at 15:03 +0000, you wrote:

> I'd like to stop the hourly emails sent by the summarize-connections
> script. There is not an option to turn these off;

Adding a line "TraceSummary=" to broctl.cfg (i.e., clearing that option) should disable them.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From christopher.p.crawford at gmail.com  Tue Dec 11 13:26:50 2012
From: christopher.p.crawford at gmail.com (Chris Crawford)
Date: Tue, 11 Dec 2012 16:26:50 -0500
Subject: [Bro] Getting the Output From system()
Message-ID:

Say I wanted a bro script to call out to an external program, and I wanted to get the output from the external program into my bro script.
This thread shows that I can call an external program with system():
http://mailman.icsi.berkeley.edu/pipermail/bro/2004-August/001555.html

Based on the old bro wiki, it looks like the output from that command gets redirected to stderr:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Predefined_Variables_and_Functions#system_.28s:_string.29:_int

Is there anything like system() that returns the output of an external command?

-Chris

From seth at icir.org  Tue Dec 11 13:47:08 2012
From: seth at icir.org (Seth Hall)
Date: Tue, 11 Dec 2012 16:47:08 -0500
Subject: [Bro] Getting the Output From system()
In-Reply-To:
References:
Message-ID:

On Dec 11, 2012, at 4:26 PM, Chris Crawford wrote:

> Is there anything like system() that returns the output of an external command?

I hate that I'm even pointing this out on the mailing list, but here it goes...

You can do it with the input framework and system command together. I have a minimal example that I wrote for the SecurityOnion guys for their Bro installation. This script runs the hostname command and collects the output.

https://github.com/sethhall/bro-securityonion/blob/master/hostname.bro

Have fun. :)

  .Seth

--
Seth Hall
International Computer Science Institute
 (Bro) because everyone has a network
http://www.bro-ids.org/

From slagell at illinois.edu  Mon Dec 17 11:42:41 2012
From: slagell at illinois.edu (Slagell, Adam J)
Date: Mon, 17 Dec 2012 19:42:41 +0000
Subject: [Bro] A chance to run your own 100+ GB Bro playground
Message-ID: <558D23D33781EF45A69229CDAC6BF15110B74784@CITESMBX6.ad.uillinois.edu>

We are looking for a new head of security operations at the NCSA [1], a part of the University of Illinois at Urbana-Champaign.
This person will be responsible for day-to-day security operations, leading the incident response team, and managing some really innovative technologies. Bro experience is a highly desired skill for us. Bro is a key part of our security infrastructure, where we currently use it to monitor two dozen 10G links, with plans to add another 100G link and more.

If you are interested, you can follow the link below to apply.

[1] https://jobs.illinois.edu/search-jobs/job-details?jobID=27835&job=senior-security-engineer-national-center-for-supercomputing-applications-a1200647

From anthony.kasza at gmail.com  Tue Dec 18 13:17:32 2012
From: anthony.kasza at gmail.com (anthony kasza)
Date: Tue, 18 Dec 2012 15:17:32 -0600
Subject: [Bro] Bro Signature Question
Message-ID:

Hello Bro Community,

I am looking for help in understanding more about Bro's signatures and in troubleshooting a problem I have encountered. I would like to write chains of signatures using 'requires-signature' in hopes of easing maintainability and increasing signature matching speed. Below are the beginning of the chains I have written.

    signature prematch_udp {
        ip-proto == udp
    }

    signature prematch_tcp {
        ip-proto == tcp
        tcp-state established, originator
    }

    signature prematch_tcp_80 {
        requires-signature prematch_tcp
        dst-port == 80
    }

    signature evil {
        requires-signature prematch_tcp_80
        payload /GET /
        event "evil"
    }

    signature otherEvil {
        requires-signature prematch_tcp
        dst-port == 8080
        payload /GET /
        event "otherEvil"
    }

I understand a signature will 'fire' once per stream, but in this scenario different signatures should be 'firing' for a single stream. I have tested these signatures and cannot get them to match a stream unless I remove the requires-signature options. Does anyone have any advice or thoughts on why this would be happening?
Many thanks,
-AK

From zaafar.tahir at gmail.com  Wed Dec 19 06:14:14 2012
From: zaafar.tahir at gmail.com (Zaafar Ahmed)
Date: Wed, 19 Dec 2012 19:14:14 +0500
Subject: [Bro] bro 2.0 port to OpenWrt
Message-ID:

Hello,

While working on a project in SysNet lab, we needed intrusion detection system capability at router level. In order to achieve our goals we ported the bro-ids on OpenWrt router with limited flash memory. Click here for more details and for downloading the OpenWrt image with bro-ids installed.

Regards,

ZAAFAR AHMED
POSTGRADUATE COMPUTER SCIENCE
NUCES ISLAMABAD
Telephone: 0092-51-5730135 | Email: zaafar.tahir at gmail.com

From Liam.Randall at gigaco.com  Fri Dec 28 17:11:04 2012
From: Liam.Randall at gigaco.com (Liam Randall)
Date: Fri, 28 Dec 2012 20:11:04 -0500
Subject: [Bro] minor documentation error
Message-ID: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local>

Came up on the SO list.

http://www.bro-ids.org/bro-workshop-2011/solutions/logs/index.html

Solution for:
Exercise
What are the top 10 hosts (originators) that send the most traffic?

The final sort should be "sort -rnk 2"

Credits Shane Castle

Happy Holidays All,

Liam

From charles.fair at mac.com  Fri Dec 28 18:29:55 2012
From: charles.fair at mac.com (Charles A. Fair)
Date: Fri, 28 Dec 2012 20:29:55 -0600
Subject: [Bro] minor documentation error
In-Reply-To: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local>
References: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local>
Message-ID:

A

Charles "Chuck" A. Fair
charles at charlesfair.com
charles.fair at me.com
405-326-5041

SSG Charles "Chuck" A. Fair, CISSP-Exam, CEH
Cyber Threat Intelligence Analyst/Plans
CNDT-OK, OKARNG J6
charles.fair at us.army.[smil].mil
+1-405-326-5041

On Dec 28, 2012, at 19:11, Liam Randall wrote:

> Came up on the SO list.
>
> http://www.bro-ids.org/bro-workshop-2011/solutions/logs/index.html
>
> Solution for:
> Exercise
> What are the top 10 hosts (originators) that send the most traffic?
>
> The final sort should be "sort -rnk 2"
>
> Credits Shane Castle
>
> Happy Holidays All,
>
> Liam

From scastle at bouldercounty.org  Mon Dec 31 09:33:18 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Mon, 31 Dec 2012 17:33:18 +0000
Subject: [Bro] minor documentation error
In-Reply-To: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local>
References: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252F0AA7@Mailbox1.boco.co.boulder.co.us>

I found another issue with this script. The Unix/POSIX sort command will not sort IP addresses correctly unless it is told to explicitly: "sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n". This defect causes the script to lie about who is using how many bytes.

If you want a nice example, just access a reasonably busy Bro system, go to one of the compressed log directories, and try:

    zcat conn.*.gz | bro-cut id.orig_h orig_bytes | sort | less

You will see it sorting addresses like 192.168.6.48 and 192.168.64.8 the same. This causes the subsequent awk script to fail rather badly.

And that brings up another point: many times the orig_bytes field will be nonnumeric, containing a "-" or a blank instead of a number. I don't know how the awk script deals with these, offhand.
I am trying to find out, and create a true toptalkers script that really works.

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of Liam Randall
Sent: Friday, December 28, 2012 18:11
To: bro at bro-ids.org
Subject: [Bro] minor documentation error

Came up on the SO list.

http://www.bro-ids.org/bro-workshop-2011/solutions/logs/index.html

Solution for:
Exercise
What are the top 10 hosts (originators) that send the most traffic?

The final sort should be "sort -rnk 2"

Credits Shane Castle

Happy Holidays All,

Liam

From scastle at bouldercounty.org  Mon Dec 31 10:46:50 2012
From: scastle at bouldercounty.org (Castle, Shane)
Date: Mon, 31 Dec 2012 18:46:50 +0000
Subject: [Bro] minor documentation error
In-Reply-To: <21DD7C64179C9843B756C6DD491634DB252F0AA7@Mailbox1.boco.co.boulder.co.us>
References: <2697B86A359F6C43BF6FD44F8403D7175A14BF@giga-dc001.GigaCo.local> <21DD7C64179C9843B756C6DD491634DB252F0AA7@Mailbox1.boco.co.boulder.co.us>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252F0B1A@Mailbox1.boco.co.boulder.co.us>

I think I may have this script working correctly now. There were several errors in the original script: the first sort, the last sort, and in the awk script. Here is the final, I believe correct version:

    bro-cut id.orig_h orig_bytes < conn.log \
      | sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
      | awk 'BEGIN { size=0; host="" } \
          { if (host != $1) { \
                if (size != 0) \
                    print host, size; \
                host=$1; \
                if ($2 != "-") \
                    size=$2; \
                else \
                    size=0 \
            } else \
                if ($2 != "-") \
                    size += $2 \
          } \
          END { \
              if (size != 0) \
                  print host, size \
          }' \
      | sort -rnk 2 \
      | head -n 10

(The "else size=0" branch resets the running total when a new host's first orig_bytes value is "-"; without it the previous host's total would carry over into the next host's sum.)

Note the "print" command in the awk script. Originally, it was "print $1, size". This is incorrect since it will print the *current* field and not the *last* field, causing the sum for that host to be associated with the next address rather than the last one.
The first sort has been changed so that it will do what we really want, and the last sort has been changed to sort reverse numerically. I added in the test for the bytes to be "-", but that might be superfluous.

My old PA senses were tweaked by the lack of variable initialization, and the first assignment to size glared at me as well. As it was originally written, the first time the IP address changed, the size would be set to zero and the first value of orig_bytes would be thrown away.

Testing has shown that the above script works correctly.

--
Shane Castle
Data Security Mgr, Boulder County IT
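The per-host aggregation above, as an added example that is not part of the thread and not Shane's script: it sums orig_bytes with an awk associative array keyed by address, so the group-by no longer depends on the rows being sorted by IP at all (the 192.168.6.48 / 192.168.64.8 ordering problem cannot split a host's total), and it skips every non-numeric byte field, blank as well as "-". The input is a constructed stand-in for "bro-cut id.orig_h orig_bytes" output, and ip_sort is the thread's own sort invocation wrapped as a helper.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads "host<TAB>bytes" lines
# (the shape bro-cut produces for id.orig_h orig_bytes) and prints the
# N largest originators, largest first.

# Constructed sample input. The rows for 192.168.6.48 and 192.168.64.8 are
# interleaved on purpose, and 10.0.0.7 / 192.168.6.48 carry unset byte
# counts ("-" and an empty field) as bro-cut emits them.
SAMPLE=$(printf '%s\t%s\n' \
    192.168.64.8 100 \
    192.168.6.48 5000 \
    10.0.0.7 - \
    192.168.64.8 300 \
    10.0.0.7 42 \
    192.168.6.48 '' \
    10.0.0.7 8)

# toptalkers [N]: sum bytes per originator, no pre-sort by address needed.
toptalkers() {
    awk -F '\t' '
        # Only count rows whose byte field is a plain non-negative integer;
        # "-", blanks and anything else are skipped rather than coerced to 0.
        $2 ~ /^[0-9]+$/ { total[$1] += $2 }
        END { for (h in total) print h, total[h] }
    ' | sort -k 2,2nr | head -n "${1:-10}"
}

# ip_sort: the octet-by-octet numeric sort from the thread, for cases where
# the rows really do need to be ordered by address (e.g. a sorted listing).
ip_sort() {
    sort -t '.' -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Demonstration when run directly: prints the top two senders.
printf '%s\n' "$SAMPLE" | toptalkers 2
```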