From: scastle at bouldercounty.org (Castle, Shane)
Date: Wed, 2 Jan 2013 21:29:10 +0000
Subject: [Bro] Bro Exchange 2012 videos?
Message-ID: <21DD7C64179C9843B756C6DD491634DB252F2656@Mailbox1.boco.co.boulder.co.us>

I'd love to see the videos of the presentations at the Bro Exchange 2012. I was there, but now that Security Onion has been rebuilt with ELSA tightly integrated, I'd really like to see the ELSA presentation again.

-- 
Shane Castle
Data Security Mgr, Boulder County IT


From: roger.larsen at hig.no (Roger Larsen)
Date: Sun, 6 Jan 2013 17:33:20 +0100
Subject: [Bro] Slow Port Scanning and Bro?
Message-ID: <001401cdec2b$8a1df3a0$9e59dae0$@hig.no>

Dear Bro Community,

How is Bro handling so-called ? I have not found any documentation regarding this issue in either Bro's web site or Google search in general.

Thanks!

Best Regards,
Roger Larsen
InfoSec student @ www.hig.no


From: sconzo at visiblerisk.com (Mike Sconzo)
Date: Mon, 7 Jan 2013 17:48:38 -0600
Subject: [Bro] Issue with small pcap files and -r

When running bro in stand alone mode is there a size cutoff for it to do anything with a pcap file?

In bro 2.0 and 2.1 if I run, on a small pcap (76k through 6mb):

    bro -C -r ./input.pcap /usr/local/bro/share/bro/site/local.bro

it only creates

    loaded_scripts.log
    notice_policy.log
    packet_filter.log

However, if I run the same commandline on a larger pcap 512mb it produces more "normal" logs. conn.log http.log etc...

I've looked through the pcaps in snort, wireshark, tcpdump, and tshark and none of them have issues reading any of the small pcap files (snort will also flag alerts where appropriate).
There is app data where expected in packet payloads and multiple setup/teardowns per pcap. I skimmed through the trace file and didn't see anything that looked like an error.

Am I missing something simple? Does this have implications with running bro in production?

Thanks,
-=Mike

-- 
cat ~/.bash_history > documentation.txt


From: robin at icir.org (Robin Sommer)
Date: Mon, 7 Jan 2013 16:25:09 -0800
Subject: [Bro] Issue with small pcap files and -r
Message-ID: <20130108002509.GN50062@icir.org>

On Mon, Jan 07, 2013 at 17:48 -0600, Mike Sconzo wrote:

> When running bro in stand alone mode is there a size cutoff for it to
> do anything with a pcap file?

No, small traces should produce the expected output. We have indeed a larger number of unit tests that rely on that; see, e.g., testing/btest/scripts/base/protocols/smtp/basic.test for one using a rather small SMTP trace.

My best guess is that's indeed something with your trace. Try some of the small traces in testing/btest/Traces and see what they give you.

> I've looked through the pcaps in snort, wireshark, tcpdump, and tshark

One difference between these and Bro is that Bro tracks the TCP state; if there's trouble with that, Bro might abort processing, even though the other tools continue with their packet-based analysis. Do you get a conn.log? That should show up in any case.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org


From: sconzo at visiblerisk.com (Mike Sconzo)
Date: Mon, 7 Jan 2013 20:06:55 -0600
Subject: [Bro] Issue with small pcap files and -r
In-Reply-To: <20130108002509.GN50062@icir.org>

There are 3-way handshakes and no conn log is produced. The pcaps used for the tests worked correctly when I tried them.
However, the pcaps I'm testing on have a GRE tunnel in them. After digging around a bit more it seems like this might be the issue. I didn't look close enough in wireshark, and the rest of the tools do the decapsulation before showing results.

Thanks for the quick response.
-=Mike


From: robin at icir.org (Robin Sommer)
Date: Tue, 8 Jan 2013 08:00:27 -0800
Subject: [Bro] Issue with small pcap files and -r
Message-ID: <20130108160027.GE68892@icir.org>

On Mon, Jan 07, 2013 at 20:06 -0600, you wrote:

> However, the pcaps I'm testing on have a GRE tunnel in them.
Ah, that explains it, GRE support isn't there yet (but should be pretty straightforward to add; we have a ticket for that http://tracker.bro-ids.org/bro/ticket/867)

Robin

-- 
Robin Sommer


From: sconzo at visiblerisk.com (Mike Sconzo)
Date: Tue, 8 Jan 2013 15:49:50 -0600
Subject: [Bro] Issue with small pcap files and -r
In-Reply-To: <20130108160027.GE68892@icir.org>

I might have some free cycles to poke at adding this functionality, it may be entirely out of my capability at the moment but any help of "if I were going to add it this is where it would need to go" would be helpful in figuring out if I can do it or not. If it's done in binpac++ I'll just bow out now. :)

-=Mike


From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Tue, 8 Jan 2013 22:24:35 +0000
Subject: [Bro] Issue with small pcap files and -r

> I might have some free cycles to poke at adding this functionality, it
> may be entirely out of my capability at the moment but any help of
> "if I were going to add it this is where it would need to go" would be
> helpful in figuring out if I can do it or not.
I think GRE tunnel decapsulation should look pretty similar to IP tunnel decapsulation, which is coded in NetSessions::DoNextPacket() of Sessions.cc -- look for the switch statement cases for IPPROTO_IPV4/IPPROTO_IPV6. You might be able to simply lump IPPROTO_GRE in with that code block if you modify NetSessions::ParseIPPacket() to be able to extract the inner IP packet from a GRE encapsulation (possibly generating some new "gre_packet_header" event with the parsed header fields) and also change the EncapsulatingConn constructor to explicitly require the type of tunnel as an argument. Enum values for the tunnel types are defined in types.bif; it would make sense to add a new GRE type there.

Jon


From: mbower2 at gmail.com (Michael Bower)
Date: Wed, 9 Jan 2013 12:06:22 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

I'm looking to add our internal domain CA to Bro so it can validate certs that are generated from the server. I am new to Bro, so I'm not sure where to start.

I found this: http://www.bro-ids.org/bro-workshop-2011/solutions/extending/index.html

Which sounds like it is exactly what I need to do, I'm just not sure how to go about it.

My SO deployment is a distributed setup (1 Master, 2 sensors so far). On the sensors, I have checked /opt/bro/share/bro/site/local.bro and found the following:

    # This script enables SSL/TLS certificate validation.
    @load protocols/ssl/validate-certs

Checking the protocols/ssl directory, I don't see that script. My question is, will it get loaded if I created the validate-certs script it's looking for?

Any help will be appreciated.

Thanks!

-- 
Mike
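Jon's pointer above concerns Bro's C++ packet path. What follows is an example added for this page (not Bro's code and not from anyone in the thread) of the GRE header walk an IPPROTO_GRE case would need before the inner packet can reach the usual TCP analysis that Mike's small pcaps never produced conn.log entries for; it assumes RFC 2784/2890 GRE version 0 carrying IPv4 or IPv6, and parse_gre(), decap_ipv4() and the constructed sample packets are this example's own names and data.

```cpp
// Added example for this thread, not Bro's code: the GRE header walk an IPPROTO_GRE case
// beside IPPROTO_IPV4/IPPROTO_IPV6 would need before handing the inner IP packet on.
// Assumes RFC 2784/2890 GRE version 0; all names and sample packets here are constructed.
#include <cstddef>
#include <cstdint>
#include <vector>

static const uint8_t  PROTO_GRE     = 47;      // IP protocol number for GRE
static const uint16_t ETHERTYPE_IP4 = 0x0800;
static const uint16_t ETHERTYPE_IP6 = 0x86DD;
// Flag bits of the first GRE word; R is the obsolete RFC 1701 routing bit.
static const uint16_t GRE_C = 0x8000, GRE_R = 0x4000, GRE_K = 0x2000,
                      GRE_S = 0x1000, GRE_VER = 0x0007;

enum class GreStatus { Ok, Truncated, NotIPv4, NotGre, BadVersion, RoutingPresent, NonIpPayload, InnerVersionMismatch };

struct GreDecap {
    GreStatus status = GreStatus::Ok;
    bool has_key = false; uint32_t key = 0;   // what a gre_packet_header-style event could carry
    bool has_seq = false; uint32_t seq = 0;
    uint16_t proto_type = 0;                  // Ethertype of the encapsulated packet
    int inner_ip_version = 0;                 // 4 or 6 once decapsulated
    const uint8_t* inner = nullptr;           // points into the caller's buffer
    size_t inner_len = 0;
};

static uint16_t rd16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t* p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

// Parse the GRE header that follows an IP header whose protocol field is 47.
GreDecap parse_gre(const uint8_t* data, size_t len) {
    GreDecap r;
    if (len < 4) { r.status = GreStatus::Truncated; return r; }
    uint16_t flags = rd16(data);
    r.proto_type = rd16(data + 2);
    if (flags & GRE_VER) { r.status = GreStatus::BadVersion; return r; }     // version 1 is PPTP
    if (flags & GRE_R)   { r.status = GreStatus::RoutingPresent; return r; } // SRE list not handled
    size_t off = 4;
    if (flags & GRE_C) off += 4;                                             // checksum + reserved1
    if (flags & GRE_K) {
        if (len < off + 4) { r.status = GreStatus::Truncated; return r; }
        r.has_key = true; r.key = rd32(data + off); off += 4;
    }
    if (flags & GRE_S) {
        if (len < off + 4) { r.status = GreStatus::Truncated; return r; }
        r.has_seq = true; r.seq = rd32(data + off); off += 4;
    }
    if (len < off + 1) { r.status = GreStatus::Truncated; return r; }
    int expect = r.proto_type == ETHERTYPE_IP4 ? 4 : r.proto_type == ETHERTYPE_IP6 ? 6 : 0;
    if (expect == 0) { r.status = GreStatus::NonIpPayload; return r; }       // e.g. Ethernet-in-GRE
    // The Ethertype and the inner version nibble must agree before the payload is trusted.
    if ((data[off] >> 4) != expect) { r.status = GreStatus::InnerVersionMismatch; return r; }
    r.inner_ip_version = expect; r.inner = data + off; r.inner_len = len - off;
    return r;
}

// Outer IPv4 walk: validate header lengths, then dispatch to parse_gre() for protocol 47.
GreDecap decap_ipv4(const uint8_t* pkt, size_t len) {
    GreDecap r;
    if (len < 20) { r.status = GreStatus::Truncated; return r; }
    if ((pkt[0] >> 4) != 4) { r.status = GreStatus::NotIPv4; return r; }
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len) { r.status = GreStatus::Truncated; return r; }
    if (pkt[9] != PROTO_GRE) { r.status = GreStatus::NotGre; return r; }
    return parse_gre(pkt + ihl, total - ihl);
}

// ---- constructed sample traffic, not a real capture: IPv4 / GRE(key) / IPv4 / TCP SYN ----
static void put16(std::vector<uint8_t>& v, uint16_t x) { v.push_back(x >> 8); v.push_back(x & 0xff); }
static void put32(std::vector<uint8_t>& v, uint32_t x) { put16(v, x >> 16); put16(v, x & 0xffff); }
// Minimal IPv4 header (checksum left zero; the header walk never needs it) around a payload.
std::vector<uint8_t> make_ipv4(uint8_t proto, uint32_t src, uint32_t dst, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> v = {0x45, 0x00};
    put16(v, (uint16_t)(20 + payload.size())); put16(v, 0x1234); put16(v, 0x4000);  // len, id, DF
    v.push_back(64); v.push_back(proto); put16(v, 0);                                  // ttl, proto, csum
    put32(v, src); put32(v, dst);
    v.insert(v.end(), payload.begin(), payload.end());
    return v;
}
std::vector<uint8_t> make_gre(uint16_t flags, uint16_t ptype, uint32_t key, uint32_t seq,
                              const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> v;
    put16(v, flags); put16(v, ptype);
    if (flags & GRE_C) put32(v, 0);
    if (flags & GRE_K) put32(v, key);
    if (flags & GRE_S) put32(v, seq);
    v.insert(v.end(), payload.begin(), payload.end());
    return v;
}
std::vector<uint8_t> sample_gre_syn() {
    std::vector<uint8_t> tcp;
    put16(tcp, 40000); put16(tcp, 80); put32(tcp, 1); put32(tcp, 0);
    put16(tcp, 0x5002); put16(tcp, 65535); put16(tcp, 0); put16(tcp, 0);        // data offset 5, SYN
    std::vector<uint8_t> inner = make_ipv4(6, 0xC0000202u, 0xC6336414u, tcp);     // 192.0.2.2 -> 198.51.100.20
    return make_ipv4(PROTO_GRE, 0x0A000001u, 0x0A000002u, make_gre(GRE_K, ETHERTYPE_IP4, 0x1234, 0, inner));
}
static const std::vector<uint8_t> SAMPLE = sample_gre_syn();
// Same outer packet around a version-1 (PPTP-style) GRE header, which the walk must refuse.
static const std::vector<uint8_t> SAMPLE_V1 =
    make_ipv4(PROTO_GRE, 0x0A000001u, 0x0A000002u, make_gre(0x0001, 0x880B, 0, 0, {}));
```

Running each packet of a trace like Mike's through decap_ipv4() exposes the inner 3-way handshake to the TCP analysis; a status other than Ok is the "tunnel present but not decapsulated" case, which is worth counting in a weird-style log rather than silently dropping.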
From: scastle at bouldercounty.org (Castle, Shane)
Date: Wed, 9 Jan 2013 17:21:06 +0000
Subject: [Bro] Adding trusted cert to Bro (Security Onion)
Message-ID: <21DD7C64179C9843B756C6DD491634DB252F9B02@Mailbox1.boco.co.boulder.co.us>

First, you need to look in policy/protocols/ssl, if you're checking the share/bro hierarchy.

Also, look at this: http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/005333.html

-- 
Shane Castle


From: srunnels at gmail.com (Scott Runnels)
Date: Wed, 9 Jan 2013 12:24:47 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Michael,

In my recent (read: default) build for Security Onion, I have validate-certs.bro.
    scott at SO-511:/opt/bro$ find . -iname "*validate*"
    ./share/bro/policy/protocols/ssl/validate-certs.bro

Do you not have the same?

v/r
Scott

-- 
Scott Runnels


From: mbower2 at gmail.com (Michael Bower)
Date: Wed, 9 Jan 2013 12:34:12 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

ugh, sorry...it IS there. I was in base. So where do I add the cert? Dump it here? share/bro/base/protocols/ssl/

-- 
Mike


From: srunnels at gmail.com (Scott Runnels)
Date: Wed, 9 Jan 2013 12:39:00 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Hi Michael,

Were it me, I would place it in /opt/bro/share/bro/site/

then issue install and restart from within broctl.

v/r
Scott Runnels


From: mbower2 at gmail.com (Michael Bower)
Date: Wed, 9 Jan 2013 12:44:47 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Any way to push that bro script out from my SO master?

-- 
Mike


From: mbower2 at gmail.com (Michael Bower)
Date: Wed, 9 Jan 2013 12:49:50 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Also, creating something like this will work too?

http://www.bro-ids.org/bro-workshop-2011/solutions/extending/mytrust.bro

-- 
Mike


From: srunnels at gmail.com (Scott Runnels)
Date: Wed, 9 Jan 2013 12:59:23 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Michael,

There isn't. You'll need to place it manually on each sensor.

v/r
Scott


From: mbower2 at gmail.com (Michael Bower)
Date: Wed, 9 Jan 2013 13:01:14 -0500
Subject: [Bro] Adding trusted cert to Bro (Security Onion)

Cool, thanks for the help!

-- 
Mike


From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Wed, 09 Jan 2013 13:03:02 -0600
Subject: [Bro] Just getting started
Message-ID: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu>

I just installed Bro (on FreeBSD 8.3) and got it up and running. I'm working my way through the docs, and I decided to do the local.bro edit for the Invalid SSL Certs that's described in the docs.

However, when I launched broctl and typed check, I got this:

    waiting for lock ..................................cannot get lock

I got the same thing when I typed stop as well as diag.

When I started broctl initially, I typed "install" and then "start". Then I closed broctl. Apparently you're supposed to leave broctl running? If so, that seems rather inconvenient.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell


From: scastle at bouldercounty.org (Castle, Shane)
Date: Wed, 9 Jan 2013 19:28:08 +0000
Subject: [Bro] Just getting started
In-Reply-To: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu>
Message-ID: <21DD7C64179C9843B756C6DD491634DB252F9E1E@Mailbox1.boco.co.boulder.co.us>

You must use sudo: "sudo broctl check". Followed by rinse, spin (install, restart). ;)

Unless you're already root.

That message is the result I always get when I forget sudo.

-- 
Shane Castle


From: robin at icir.org (Robin Sommer)
Date: Wed, 9 Jan 2013 11:40:13 -0800
Subject: [Bro] Just getting started
In-Reply-To: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu>
Message-ID: <20130109194013.GN91545@icir.org>

On Wed, Jan 09, 2013 at 13:03 -0600, Paul Schmehl wrote:

> I just installed Bro (on FreeBSD 8.3) and got it up and running. I'm
> working my way through the docs, and I decided to do the local.bro edit for
> the Invalid SSL Certs that's described in the docs.
>
> However, when I launched broctl and typed check, I got this: waiting for
> lock ..................................cannot get lock
>
> I got the same thing when I typed stop as well as diag.
>
> When I started broctl initially, I typed "install" and then "start". Then
> I closed broctl. Apparently you're supposed to leave broctl running?

No, it's not supposed to be running, however it sounds like a previous run didn't terminate. Did you do the crontab entry as described in the docs? If so, it could be that the cron job was just running as you tried to check the config; there can only be one broctl at a time. But if the problem persists, an earlier broctl process probably hangs; check with ps and just kill it.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From pschmehl_lists at tx.rr.com Wed Jan 9 11:42:52 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Wed, 09 Jan 2013 13:42:52 -0600
Subject: [Bro] Just getting started
In-Reply-To: <21DD7C64179C9843B756C6DD491634DB252F9E1E@Mailbox1.boco.co.boulder.co.us>
References: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu> <21DD7C64179C9843B756C6DD491634DB252F9E1E@Mailbox1.boco.co.boulder.co.us>
Message-ID:

--On January 9, 2013 7:28:08 PM +0000 "Castle, Shane" wrote:

> You must use sudo: "sudo broctl check". Followed by rinse, spin (install,
> restart). ;)
>
> Unless you're already root.
>

I am.

> That message is the result I always get when I forget sudo.

Good to know. In my case it was caused by exiting out of broctl by using Control-C instead of typing exit. Once I figured that out, all was well.

Now if I can just figure out what to do with bro..... :-)

--
Paul Schmehl, Senior Infosec Analyst

From pschmehl_lists at tx.rr.com Wed Jan 9 11:56:11 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Wed, 09 Jan 2013 13:56:11 -0600
Subject: [Bro] Is this normal?
Message-ID: <3491071799295984A8726139@utd71538.campus.ad.utdallas.edu>

Again, I'm just getting started with bro, so I'm reading through the docs carefully and following the instructions to the letter. I set up a cron job per the docs, and now I have this:

# ps -auxw | grep bro
root 94327 102.3 37.5 5912288 4703120 ??
S 7:06PM 47:22.82 /usr/local/bin/bro -i bce1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/au
root 93616 0.0 0.0 10260 2312 ?? I 7:06PM 0:00.03 bash /usr/local/share/broctl/scripts/run-bro -i bce1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl b
root 94331 0.0 0.2 42864 21440 ?? RN 7:06PM 0:11.13 /usr/local/bin/bro -i bce1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/au
root 94377 0.0 0.1 48332 10948 ?? Is 7:10PM 0:00.25 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94416 0.0 0.1 48332 10948 ?? Is 7:15PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94434 0.0 0.1 48332 10948 ?? Is 7:20PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94458 0.0 0.1 48332 10948 ?? Is 7:25PM 0:00.22 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94470 0.0 0.1 48332 10948 ?? Is 7:30PM 0:00.21 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94494 0.0 0.1 48332 10948 ?? Is 7:35PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94506 0.0 0.1 48332 10948 ?? Is 7:40PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94530 0.0 0.1 48332 10948 ?? Is 7:45PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 94542 0.0 0.1 48332 10948 ?? Is 7:50PM 0:00.11 /usr/local/bin/python2.7 /usr/local/bin/broctl cron

Should I really have this many processes running? Or did I do something wrong? It seems like the cron job would kill the previously running process when starting a new one.

Here's the cron job:

# crontab -l | grep bro
0-59/5 * * * * /usr/local/bin/broctl cron

--
Paul Schmehl, Senior Infosec Analyst
From vladg at cmu.edu Wed Jan 9 12:13:02 2013
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Wed, 9 Jan 2013 20:13:02 +0000
Subject: [Bro] Just getting started
In-Reply-To: <29066_1357760633_r09Jhqgp017076_E3BAF7E733BD640ADAF77997@utd71538.campus.ad.utdallas.edu>
References: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu> <21DD7C64179C9843B756C6DD491634DB252F9E1E@Mailbox1.boco.co.boulder.co.us> <29066_1357760633_r09Jhqgp017076_E3BAF7E733BD640ADAF77997@utd71538.campus.ad.utdallas.edu>
Message-ID: <1202BE242E080642B0CD0AD0A03E855284DF65@PGH-MSGMB-03.andrew.ad.cmu.edu>

On Jan 9, 2013, at 2:42 PM, Paul Schmehl wrote:

> --On January 9, 2013 7:28:08 PM +0000 "Castle, Shane" wrote:
>
>> You must use sudo: "sudo broctl check". Followed by rinse, spin (install,
>> restart). ;)
>>
>> Unless you're already root.
>>
>
> I am.

I actually avoid running bro as root. I create a bro user, and have it run as that instead. Apart from making sure that has the right permissions, I just need to set the privileges as mentioned in the documentation[1]:

> sudo setcap cap_net_raw,cap_net_admin=eip /bin/bro

If anyone's interested, I have a very much work-in-progress Puppet module for setting up the Bro directories with the proper permissions.

--Vlad

1 - <http://www.bro-ids.org/bro-workshop-2011/exercises/getting-started/index.html>
From pschmehl_lists at tx.rr.com Wed Jan 9 13:18:31 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Wed, 09 Jan 2013 15:18:31 -0600
Subject: [Bro] Errors from trace-summary
Message-ID: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu>

I obviously missed something during the install, because I'm getting these errors:

Traceback (most recent call last):
  File "/usr/local/bin/trace-summary", line 19, in
    import SubnetTree
ImportError: No module named SubnetTree
1.06 real 0.04 user 0.78 sys

I installed ipsumdump. What else should I have done? A configure option?

--
Paul Schmehl, Senior Infosec Analyst

From mcholste at gmail.com Wed Jan 9 14:30:50 2013
From: mcholste at gmail.com (Martin Holste)
Date: Wed, 9 Jan 2013 16:30:50 -0600
Subject: [Bro] Just getting started
In-Reply-To: <1202BE242E080642B0CD0AD0A03E855284DF65@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <046AC75901061D5720A1BA86@utd71538.campus.ad.utdallas.edu> <21DD7C64179C9843B756C6DD491634DB252F9E1E@Mailbox1.boco.co.boulder.co.us> <29066_1357760633_r09Jhqgp017076_E3BAF7E733BD640ADAF77997@utd71538.campus.ad.utdallas.edu> <1202BE242E080642B0CD0AD0A03E855284DF65@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID:

A Puppet module would be really good.
I too run as "bro" and it's obnoxious because after the beautiful simplicity of "broctl install" to update code for each node, I then have to do a bash loop to SSH in to each node and manually setcap, and only then can I perform the "start."

On Wed, Jan 9, 2013 at 2:13 PM, Vlad Grigorescu wrote:

> On Jan 9, 2013, at 2:42 PM, Paul Schmehl wrote:
>
>> --On January 9, 2013 7:28:08 PM +0000 "Castle, Shane" <scastle at bouldercounty.org> wrote:
>>
>>> You must use sudo: "sudo broctl check". Followed by rinse, spin (install,
>>> restart). ;)
>>>
>>> Unless you're already root.
>>>
>>
>> I am.
>
> I actually avoid running bro as root. I create a bro user, and have it run
> as that instead. Apart from making sure that has the right
> permissions, I just need to set the privileges as mentioned in the
> documentation[1]:
>
>> sudo setcap cap_net_raw,cap_net_admin=eip /bin/bro
>
> If anyone's interested, I have a very much work-in-progress Puppet module
> for setting up the Bro directories with the proper permissions.
>
> --Vlad
>
> 1 - <http://www.bro-ids.org/bro-workshop-2011/exercises/getting-started/index.html>
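Vlad runs Bro as an unprivileged "bro" user with file capabilities, and Martin notes that "broctl install" redeploys the binary, so the capabilities have to be re-applied and re-checked on every node before "start". The script below is an added example written for this page, not code from Bro, broctl or either poster: it parses getcap output (both libcap output styles) and reports which of the two capabilities from Vlad's setcap line are missing on a node. The node names, the ssh-based check and the binary path /usr/local/bro/bin/bro are assumptions; replace them with your own node.cfg values.

```python
"""Verify the file capabilities a non-root Bro worker needs.

Added example for this thread, not Bro's or broctl's own code.  Vlad sets,
per the workshop docs, "setcap cap_net_raw,cap_net_admin=eip <bro binary>";
this script checks that a deployed binary still carries those bits.
"""
import subprocess

# A packet-capturing bro running as an unprivileged user needs raw sockets
# (cap_net_raw) and promiscuous-mode/interface changes (cap_net_admin), both
# permitted ("p") and effective ("e").  The thread's "=eip" also sets the
# inheritable bit; this check accepts it but does not require it.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
REQUIRED_FLAGS = {"e", "p"}


def parse_getcap(line):
    """Parse one getcap output line into {capability: set(flags)}.

    Accepts both libcap output styles:
      old:  /usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip
      new:  /usr/local/bro/bin/bro cap_net_admin,cap_net_raw=eip
    An empty line (getcap prints nothing when no caps are set) yields {}.
    Assumption: the binary path contains no spaces.
    """
    line = line.strip()
    if not line:
        return {}
    _path, _, rest = line.partition(" ")
    rest = rest.lstrip("= ")            # drop the old style's " = " separator
    caps = {}
    for group in rest.split():          # e.g. "cap_net_admin,cap_net_raw+eip"
        for op in "+=-":
            if op in group:
                names, flags = group.split(op, 1)
                break
        else:
            continue                    # not a "names<op>flags" group; ignore
        flagset = set() if op == "-" else set(flags)
        for name in names.split(","):
            caps[name] = flagset
    return caps


def missing_caps(getcap_line):
    """Required capabilities that are absent or not both effective and permitted."""
    caps = parse_getcap(getcap_line)
    return sorted(c for c in REQUIRED_CAPS
                  if not REQUIRED_FLAGS <= caps.get(c, set()))


def check_node(host, bro_bin="/usr/local/bro/bin/bro"):
    """Run getcap on one node over ssh.

    Assumption: key-based ssh to `host` works and getcap is on its PATH.
    Returns the list of missing capabilities (empty list means the node is fine).
    """
    proc = subprocess.run(["ssh", host, "getcap", bro_bin],
                          capture_output=True, text=True, check=False)
    first = proc.stdout.splitlines()[0] if proc.stdout.strip() else ""
    return missing_caps(first)


if __name__ == "__main__":
    # Assumed node names; in practice read them from broctl's node.cfg.
    for node in ("worker-1", "worker-2"):
        gap = check_node(node)
        print(f"{node}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Run it after every "broctl install" and before "broctl start"; a non-empty result for a node is the point at which Martin's setcap loop has to be repeated for that node.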
From jsiwek at illinois.edu Fri Jan 11 07:59:55 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Fri, 11 Jan 2013 15:59:55 +0000
Subject: [Bro] Errors from trace-summary
In-Reply-To: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu>
References: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu>
Message-ID:

On Jan 9, 2013, at 3:18 PM, Paul Schmehl wrote:

> I obviously missed something during the install, because I'm getting these
> errors:
>
> Traceback (most recent call last):
>   File "/usr/local/bin/trace-summary", line 19, in
>     import SubnetTree
> ImportError: No module named SubnetTree
> 1.06 real 0.04 user 0.78 sys
>
> I installed ipsumdump. What else should I have done? A configure option?

Are you running trace-summary manually?

The SubnetTree module it's complaining about should get installed by default in $prefix/lib/broctl/SubnetTree.py and broctl at least can automatically find it there. But if you run trace-summary manually you may have to alter your PYTHONPATH for it to be found. E.g:

PYTHONPATH=/usr/local/bro/lib/broctl /usr/local/bro/bin/trace-summary

Or is SubnetTree.py just missing completely?

Jon

From pschmehl_lists at tx.rr.com Fri Jan 11 09:22:56 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Fri, 11 Jan 2013 11:22:56 -0600
Subject: [Bro] Errors from trace-summary
In-Reply-To:
References: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu>
Message-ID: <60E0381617A58798B8812F6B@utd71538.campus.ad.utdallas.edu>

It apparently never got installed. The FreeBSD port wasn't well maintained. I've tried to fix it but apparently missed that one. Looks like I need -DINSTALL_AUX_TOOLS:BOOL=ON?
--On January 11, 2013 3:59:55 PM +0000 "Siwek, Jonathan Luke" wrote:

>
> On Jan 9, 2013, at 3:18 PM, Paul Schmehl wrote:
>
>> I obviously missed something during the install, because I'm getting
>> these errors:
>>
>> Traceback (most recent call last):
>>   File "/usr/local/bin/trace-summary", line 19, in
>>     import SubnetTree
>> ImportError: No module named SubnetTree
>> 1.06 real 0.04 user 0.78 sys
>>
>> I installed ipsumdump. What else should I have done? A configure
>> option?
>
>
> Are you running trace-summary manually?
>
> The SubnetTree module it's complaining about should get installed by
> default in $prefix/lib/broctl/SubnetTree.py and broctl at least can
> automatically find it there. But if you run trace-summary manually you
> may have to alter your PYTHONPATH for it to be found. E.g:
>
> PYTHONPATH=/usr/local/bro/lib/broctl /usr/local/bro/bin/trace-summary
>
> Or is SubnetTree.py just missing completely?
>
> Jon

--
Paul Schmehl, Senior Infosec Analyst

From jsiwek at illinois.edu Fri Jan 11 11:30:05 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Fri, 11 Jan 2013 19:30:05 +0000
Subject: [Bro] Errors from trace-summary
In-Reply-To: <60E0381617A58798B8812F6B@utd71538.campus.ad.utdallas.edu>
References: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu> <60E0381617A58798B8812F6B@utd71538.campus.ad.utdallas.edu>
Message-ID:

On Jan 11, 2013, at 11:22 AM, Paul Schmehl wrote:

> It apparently never got installed. The FreeBSD port wasn't well maintained. I've tried to fix it but apparently missed that one. Looks like I need -DINSTALL_AUX_TOOLS:BOOL=ON?
That's for toggling the install of stuff under aux/bro-aux.

If you look at the configure output, does it give a summary for PySubnetTree? That should indicate where it installed it. If you're not using the ./configure script, but CMake directly and don't -DPY_MOD_INSTALL_DIR:PATH=$prefix/lib/broctl, then I think it will install it into $HOME/lib/python.

Jon

From pschmehl_lists at tx.rr.com Fri Jan 11 13:07:13 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Fri, 11 Jan 2013 15:07:13 -0600
Subject: [Bro] Errors from trace-summary
In-Reply-To:
References: <37EBCBDA5213A0790A5FA80A@utd71538.campus.ad.utdallas.edu> <60E0381617A58798B8812F6B@utd71538.campus.ad.utdallas.edu>
Message-ID: <3ED5966DE6A7252CB3BCDB19@utd71538.campus.ad.utdallas.edu>

--On January 11, 2013 7:30:05 PM +0000 "Siwek, Jonathan Luke" wrote:

>
> If you look at the configure output, does it give a summary for
> PySubnetTree? That should indicate where it installed it. If you're not
> using the ./configure script, but CMake directly and don't
> -DPY_MOD_INSTALL_DIR:PATH=$prefix/lib/broctl, then I think it will
> install it into $HOME/lib/python.
>

I figured that out and reinstalled bro. It's working now. Thanks.

--
Paul Schmehl, Senior Infosec Analyst

From vern at icir.org Mon Jan 14 12:10:51 2013
From: vern at icir.org (Vern Paxson)
Date: Mon, 14 Jan 2013 12:10:51 -0800
Subject: [Bro] Slow Port Scanning and Bro?
In-Reply-To: <001401cdec2b$8a1df3a0$9e59dae0$@hig.no> (Sun, 06 Jan 2013 17:33:20 +0100).
Message-ID: <20130114201051.B62372C4009@rock.ICSI.Berkeley.EDU>

(Apologies it took a while to follow up on this.)
> How is Bro handling so-called ?

It would help for you to frame more specifically what you have in mind.

The main scan detection algorithm that ships with Bro doesn't incorporate an explicit notion of time. It does, however, have state-management knobs that will control how much time Bro tracks per-source state. Those settings will affect just how slow of a scan Bro can detect.

In addition, there's the TRW scan detection algorithm that we developed a number of years ago. It can detect very modest scanning activity (based on observing as little as ~5 connections). It also does not have an explicit notion of time in its detection, though likewise requires state management in practice that will limit its scope. In the past we've run both of these algorithms using 24-hour windows, meaning TRW could detect scanners who did as little as ~5 connections/day.

Bro's approach to scan detection is changing with the upcoming 2.2 release, in part to better support detection when activity is spread across multiple cluster nodes. Seth Hall can speak more about the particulars.

Finally, we have a research project on detecting slow SSH bruteforcing that's distributed across multiple hosts. Hopefully we'll have a paper on that coming out sometime this year.

Vern

From dmandelb at bbn.com Mon Jan 14 14:09:39 2013
From: dmandelb at bbn.com (David Mandelberg)
Date: Mon, 14 Jan 2013 17:09:39 -0500
Subject: [Bro] effects of &synchronized and &mergeable
Message-ID: <1358201379.3357.302.camel@titan>

Hi,

I'm trying to write a script to count how many ICMP Destination Unreachable messages hosts receive. To do that, I'm thinking of using a table like the below and incrementing the value for each destination unreachable message.
global icmp_too_many_destination_unreachable_table: table[addr] of count = {}
    &default=0
    &create_expire=icmp_too_many_destination_unreachable_window
    &synchronized
    &mergeable;

I'm a bit unclear about exactly what &synchronized and &mergeable do though:

Is increment a single atomic operation or is it implemented as multiple atomic operations (fetch, locally add one, store, return)? I.e. if two cluster nodes do ++icmp_too_many_destination_unreachable_table[host] at the same time for the same host, is the value guaranteed to be incremented twice? Is it guaranteed that the value returned by the two increments will be different?

If increment is atomic, is it still atomic when incrementing a default value? I.e., if a host isn't in the table when two nodes simultaneously increment its count, is the count always properly set to two?

If a host is in the table and one node deletes it while another node increments it, is the resulting value always either 0 or 1, or can the value be old_value + 1? Does it matter if the delete is because of &create_expire or because of an explicit delete?

Is &mergeable necessary in this case? I couldn't figure out from the documentation if &mergeable applies to the outer table or to its values if those values are container types.

From robin at icir.org Tue Jan 15 09:39:28 2013
From: robin at icir.org (Robin Sommer)
Date: Tue, 15 Jan 2013 09:39:28 -0800
Subject: [Bro] effects of &synchronized and &mergeable
In-Reply-To: <1358201379.3357.302.camel@titan>
References: <1358201379.3357.302.camel@titan>
Message-ID: <20130115173928.GK44960@icir.org>

On Mon, Jan 14, 2013 at 17:09 -0500, you wrote:

> global icmp_too_many_destination_unreachable_table: table[addr] of count = {}
>     &default=0
>     &create_expire=icmp_too_many_destination_unreachable_window
>     &synchronized
>     &mergeable;

Short version: using &synchronized (wo/ &mergeable, not needed here) should work but there's a better solution coming up. Longer version follows.
First, regarding your questions:

> Is increment a single atomic operation or is it implemented as multiple
> atomic operations (fetch, locally add one, store, return)?

Neither. :) What happens is (fetch, locally add one, send "add one" over to the other nodes, store, return). The other nodes receive "add one" and replay that operation locally. In other words, each node applies the same operation locally and will eventually reach the same value (because all will see, e.g., two increments when two nodes do that simultaneously), but they don't have a consistent view at all times (because there's a delay in propagating the updates, and no locking in place that would guarantee global consistency). There are a number of design decisions/trade-offs behind this scheme; if you're curious, the details are here: http://www.icir.org/robin/papers/acsac05.pdf

> If increment is atomic, is it still atomic when incrementing a default
> value? I.e., if a host isn't in the table when two nodes simultaneously
> increment its count, is the count always properly set to two?

Yes, likewise because what's actually sent is two increments, and both nodes will still start with the default.

> If a host is in the table and one node deletes it while another node
> increments it, is the resulting value always either 0 or 1, or can
> the value be old_value + 1?

Now it's getting tricky and I'm not quite sure off the top of my head, but I believe this leads to a race condition and depends on order of the operations (per the paper linked to above, we deliberately accept race conditions and do a "best effort synchronization").

> Does it matter if the delete is because of &create_expire or because
> of an explicit delete?

Does not matter iirc ...

> Is &mergeable necessary in this case? I couldn't figure out from the
> documentation if &mergeable applies to the outer table or to its values
> if those values are container types.

It's the latter. I'm impressed that you even got so far in figuring that out.
:)

Second, two more notes:

- In some sense &synchronized is a legacy mechanism. It works and is supported, but we're moving away from using it. One replacement is the new upcoming "metrics framework", which is a general mechanism to measure/count "stuff". It will have cluster transparency built in that "just works" and should support your counting application nicely. Internally that framework sends events around rather than using &synchronized. It's scheduled to be part of Bro 2.2.

- We have been kicking around the idea of removing &synchronized completely. It has a number of drawbacks (the loose semantics and race condition; a lack of control for which nodes get updates) and internally it's very complex to implement. The idea is to replace it with something simpler but more well-defined (like a distributed key-value store) that would be wrapped with script-layer frameworks to provide for easy use.

But that's probably more than you wanted to know. :)

Robin

From jsiwek at illinois.edu Tue Jan 15 10:31:28 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Tue, 15 Jan 2013 18:31:28 +0000
Subject: [Bro] effects of &synchronized and &mergeable
In-Reply-To: <20130115173928.GK44960@icir.org>
References: <1358201379.3357.302.camel@titan> <20130115173928.GK44960@icir.org>
Message-ID:

>> If a host is in the table and one node deletes it while another node
>> increments it, is the resulting value always either 0 or 1, or can
>> the value be old_value + 1?
>
> Now it's getting tricky and I'm not quite sure off the top of my head,
> but I believe this leads to a race condition and depends on order of
> the operations (per the paper linked to above, we deliberately accept
> race conditions and do a "best effort synchronization").
Was doing some code skimming and found that the "remote_check_sync_consistency" flag and "remote_state_inconsistency" event might be something that can at least be used to check if an operation has led to inconsistent state.

Jon

From robin at icir.org Tue Jan 15 10:34:06 2013
From: robin at icir.org (Robin Sommer)
Date: Tue, 15 Jan 2013 10:34:06 -0800
Subject: [Bro] effects of &synchronized and &mergeable
In-Reply-To:
References: <1358201379.3357.302.camel@titan> <20130115173928.GK44960@icir.org>
Message-ID: <20130115183406.GC46634@icir.org>

On Tue, Jan 15, 2013 at 18:31 +0000, Jonathan Siwek wrote:

> Was doing some code skimming and found that the
> "remote_check_sync_consistency" flag and "remote_state_inconsistency"
> event might be something that can at least be used to check if an
> operation has led to inconsistent state.

That's right but it's also more expensive because Bro then includes the expected values into the communication. Depends on communication volume if it matters.

Robin

From pschmehl_lists at tx.rr.com Tue Jan 15 14:17:09 2013
From: pschmehl_lists at tx.rr.com (Paul Schmehl)
Date: Tue, 15 Jan 2013 16:17:09 -0600
Subject: [Bro] Cron
Message-ID: <2E5677B7165B41D4A2B0F1D6@utd71538.campus.ad.utdallas.edu>

I didn't see an exit anywhere in the cron script. Not being familiar with python syntax, I checked on the web, but it seems one is not required.

The problem is, my crons sit around forever and never exit. I'm pretty sure this is not normal behavior, but what could be wrong?

# ps -auxwwww | grep "broctl cron"
root 58597 0.0 0.1 48332 10900 ?? Is 9:10PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58621 0.0 0.1 48332 10900 ?? Is 9:15PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58633 0.0 0.1 48332 10900 ??
Is 9:20PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58657 0.0 0.1 48332 10900 ?? Is 9:25PM 0:00.15 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58669 0.0 0.1 48332 10900 ?? Is 9:30PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58693 0.0 0.1 48332 10900 ?? Is 9:35PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58705 0.0 0.1 48332 10900 ?? Is 9:40PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58729 0.0 0.1 48332 10900 ?? Is 9:45PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58741 0.0 0.1 48332 10900 ?? Is 9:50PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58768 0.0 0.1 48332 11052 ?? Is 9:55PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58797 0.0 0.1 48332 11052 ?? Is 10:00PM 0:00.13 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 59888 0.0 0.1 48332 11052 ?? Is 10:05PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 59988 0.0 0.1 48332 11052 ?? Is 10:10PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 60013 0.0 0.1 48332 11052 ?? Is 10:15PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron

--
Paul Schmehl, Senior Infosec Analyst
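Robin's description earlier in the "&synchronized and &mergeable" thread (apply the operation locally, ship the operation itself to the other nodes, replay it there, no locking) can be made concrete with a small simulation. The following is an added example written for this page, not Bro's implementation: two nodes hold David's table[addr] of count with &default=0, and the two cases from his questions are run through it, concurrent increments on a missing key and a delete racing an increment. The node names, the 10.0.0.5 address and the old_value of 3 are constructed.

```python
"""Toy model of Bro's &synchronized tables as Robin describes them: a node
applies an operation locally, then ships the *operation* ("add one",
"delete") to its peers, which replay it.  There is no lock, so views differ
until the updates arrive.  Added illustration for this page, not Bro code.
"""
from collections import deque


class Node:
    """One cluster node holding a table[addr] of count with &default=0."""

    def __init__(self, name, default=0):
        self.name = name
        self.default = default
        self.table = {}
        self.outbox = deque()   # operations not yet propagated to peers
        self.inbox = deque()    # peers' operations received, not yet replayed

    def _apply(self, op, key):
        if op == "incr":
            self.table[key] = self.table.get(key, self.default) + 1
        elif op == "delete":            # &create_expire or an explicit delete
            self.table.pop(key, None)
        else:
            raise ValueError(op)

    def incr(self, key):
        """++table[key]: fetch, add one locally, queue "add one" for the peers."""
        self._apply("incr", key)
        self.outbox.append(("incr", key))
        return self.table[key]

    def delete(self, key):
        self._apply("delete", key)
        self.outbox.append(("delete", key))

    def replay_inbox(self):
        """Apply peers' operations in the order they arrived at this node."""
        while self.inbox:
            self._apply(*self.inbox.popleft())

    def value(self, key):
        return self.table.get(key, self.default)


def deliver(nodes):
    """End of the propagation delay: hand every queued operation to all peers."""
    for src in nodes:
        while src.outbox:
            msg = src.outbox.popleft()
            for dst in nodes:
                if dst is not src:
                    dst.inbox.append(msg)


def views(nodes, key):
    return tuple(n.value(key) for n in nodes)


def states_agree(nodes, key):
    """A post-hoc version of the consistency check Jon mentions: do all nodes agree?"""
    return len(set(views(nodes, key))) == 1


def concurrent_increments(host="10.0.0.5"):
    """Two workers count a Destination Unreachable for the same host at once.

    Returns (what each ++ returned locally, the views after replay).
    """
    nodes = [Node("worker-1"), Node("worker-2")]
    returned = tuple(n.incr(host) for n in nodes)   # both see 1: no global lock
    deliver(nodes)
    for n in nodes:
        n.replay_inbox()
    return returned, views(nodes, host)


def delete_vs_increment(host="10.0.0.5", old_value=3):
    """One node deletes the entry while the other increments it.

    Returns (views while the updates are in flight, views after replay).
    """
    nodes = [Node("worker-1"), Node("worker-2")]
    for n in nodes:
        n.table[host] = old_value
    nodes[0].delete(host)
    nodes[1].incr(host)
    transient = views(nodes, host)
    deliver(nodes)
    for n in nodes:
        n.replay_inbox()
    return transient, views(nodes, host)


if __name__ == "__main__":
    print("concurrent increments:", concurrent_increments())   # ((1, 1), (2, 2))
    print("delete vs increment:  ", delete_vs_increment())     # ((0, 4), (1, 0))
```

The first case returns 1 on both nodes and then 2 on both once the replayed increment arrives, which is Robin's answer: the increment is shipped, not the value, so nothing is lost even when the key did not exist yet. The second case is the race: while the updates are in flight the nodes show 0 and 4, and because delete and increment do not commute, replay order leaves the deleting node at 1 and the incrementing node at 0, the "some nodes have 0 and some have 1" outcome David guesses at. In this model the views never converge, which is exactly what a check like remote_check_sync_consistency (mentioned by Jon, at the cost of shipping expected values with every update) exists to surface.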
From dmandelb at bbn.com Thu Jan 17 08:50:21 2013
From: dmandelb at bbn.com (David Mandelberg)
Date: Thu, 17 Jan 2013 11:50:21 -0500
Subject: [Bro] effects of &synchronized and &mergeable
In-Reply-To: <20130115173928.GK44960@icir.org>
References: <1358201379.3357.302.camel@titan> <20130115173928.GK44960@icir.org>
Message-ID: <1358441421.3357.402.camel@titan>

On Tue, 2013-01-15 at 09:39 -0800, Robin Sommer wrote:

> On Mon, Jan 14, 2013 at 17:09 -0500, you wrote:
>> If a host is in the table and one node deletes it while another node
>> increments it, is the resulting value always either 0 or 1, or can
>> the value be old_value + 1?
>
> Now it's getting tricky and I'm not quite sure off the top of my head,
> but I believe this leads to a race condition and depends on order of
> the operations (per the paper linked to above, we deliberately accept
> race conditions and do a "best effort synchronization").

So if I understand correctly, there's a race condition where some nodes have 0 and some have 1, but none have old_value + 1, right? I think 0 and 1 are close enough for this application that this should be fine.

> - in some sense &synchronized is a legacy mechanism. It works and
> is supported, but we're moving away from using it. One
> replacement is the new upcoming "metrics framework", which is a
> general mechanism to measure/count "stuff". It will have cluster
> transparency built in that "just works" and should support your
> counting application nicely. Internally that framework sends
> events around rather than using &synchronized. It's scheduled to
> be part of Bro 2.2.

Is it usable in a testing environment yet? Is the interface with external scripts mostly stable? Where do you recommend I start reading (code or documentation) to learn how to use it?

> - we have been kicking around the idea of removing &synchronized
> completely.
> It has a number of drawbacks (the loose semantics
> and race condition; a lack of control for which nodes get
> updates) and internally it's very complex to implement. The idea
> is to replace it with something simpler but more well-defined
> (like a distributed key-value store) that would be wrapped with
> script-layer frameworks to provide for easy use.

It sounds like this is still in design stages, is that right?

> But that's probably more than you wanted to know. :)

Not at all, thanks for the explanations!

From robin at icir.org Thu Jan 17 08:58:14 2013
From: robin at icir.org (Robin Sommer)
Date: Thu, 17 Jan 2013 08:58:14 -0800
Subject: [Bro] Cron
In-Reply-To: <2E5677B7165B41D4A2B0F1D6@utd71538.campus.ad.utdallas.edu>
References: <2E5677B7165B41D4A2B0F1D6@utd71538.campus.ad.utdallas.edu>
Message-ID: <20130117165814.GO68818@icir.org>

> The problem is, my crons sit around forever and never exit.

There should be a debug.log in the spool directory that may provide some clue. Kill all the running broctls, delete the old debug.log, then run "broctl cron" from the command line. The new debug.log should then show where it's hanging (feel free to send if you can't figure it out).

Robin

From robin at icir.org Fri Jan 18 09:01:47 2013
From: robin at icir.org (Robin Sommer)
Date: Fri, 18 Jan 2013 09:01:47 -0800
Subject: [Bro] effects of &synchronized and &mergeable
In-Reply-To: <1358441421.3357.402.camel@titan>
References: <1358201379.3357.302.camel@titan> <20130115173928.GK44960@icir.org> <1358441421.3357.402.camel@titan>
Message-ID: <20130118170147.GP3352@icir.org>

On Thu, Jan 17, 2013 at 11:50 -0500, you wrote:

> So if I understand correctly, there's a race condition where some nodes
> have 0 and some have 1, but none have old_value + 1, right? I think 0
> and 1 are close enough for this application that this should be fine.
I'd describe it as they all have "old_value + x" but for a while that might be different "x" per node. They all converge on the right "new_value" soon though, with "new_value = old_value + ""

> Is it usable in a testing environment yet? Is the interface with
> external scripts mostly stable?

It looks like we're going to do one more iteration on the API exposed to external scripts, likely soon. The current code is in topic/seth/metrics-merge.

> It sounds like this is still in design stages, is that right?

Yeah, actually it's even still the "is this the right way to go forward?" stage ... :)

Robin

From rawiramdhan at gmail.com Mon Jan 21 05:04:17 2013
From: rawiramdhan at gmail.com (Rawi Ramdhan)
Date: Mon, 21 Jan 2013 14:04:17 +0100
Subject: [Bro] Bro programming question
Message-ID:

Hi All,

I'm a student at the university of Amsterdam currently working on BRO in combination with SNORT. I would like BRO to execute a script (create ACL or static route via ssh). If I'm correct, BRO first needs to notice the data and send it to the manager.

The following should log all data from 192.168.101.1 with TCP on port 0. And print it in a log file (which one?)

event new_connection(c: connection)
    {
    if (c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp)
        print fmt("New Connection => Source IP: %s, Source Port: %s, Destination IP: %s, Destination Port: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

When I run this on a worker it works fine:

bro at ubuntu:~$ /usr/local/bro/bin/bro -r testfile.pcap first.bro
New Connection => Source IP: 192.168.101.1, Source Port: 0/tcp, Destination IP: 192.168.103.1, Destination Port: 0/tcp

The script is located in site and I do a check install restart via the broctl. But when I send data to this worker I can't see any logs generated. I must do a lot of things wrong but I can't figure out what.
And where do I put the script to check the payload from this data and with that information execute a shell script via piped_exec(program: string, to_write: string): bool.

I'm sorry for my bad explanation; I'm not a programmer but I would like to make this proof of concept.

Kind regards,
Rawi Ramdhan

From seth at icir.org Mon Jan 21 17:31:04 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 21 Jan 2013 20:31:04 -0500
Subject: [Bro] Bro programming question
In-Reply-To:
References:
Message-ID:

On Jan 21, 2013, at 8:04 AM, Rawi Ramdhan wrote:

> I'm a student at the university of Amsterdam currently working on BRO in combination with SNORT.

I don't know what you're planning on doing, but have you noticed that Barnyard2 has support for a Bro output plugin? Each alert in the unified2 log file from Snort is turned into a Bro event.

https://github.com/firnsy/barnyard2

> The following should log all data from 192.168.101.1 with TCP on port 0. And print it in a log file (which one?)

You're using the print statement so it will only print to stdout. You have to use the logging framework if you want actual logs. :)

> And where do I put the script to check the payload from this data and with that information execute a shell script via piped_exec(program: string, to_write: string): bool.

Just call your program with the full path in the program field and it should work fine.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Tue Jan 22 17:02:01 2013
From: robin at icir.org (Robin Sommer)
Date: Tue, 22 Jan 2013 17:02:01 -0800
Subject: [Bro] Summer internship
Message-ID: <20130123010201.GA1023@icir.org>

The Bro Project has an opening for a three month summer internship. If you are a student interested in helping us improve Bro and develop new functionality, please apply!
http://www.bro-ids.org/intern.html

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From alizade.ce at gmail.com Wed Jan 23 05:08:12 2013
From: alizade.ce at gmail.com (Fahime Alizade)
Date: Wed, 23 Jan 2013 14:08:12 +0100
Subject: [Bro] piped_exec
Message-ID: 

Hi,

I have a question about notices in Bro. We installed a Bro cluster and made a signature file to detect sources whose generated traffic matches the signature. Then we expect our notice.log file (/bro/logs/current/notice.log) to be filled with all the information about those sources. To do so, we created a bro file (located in /bro/share/bro/site/ourfile.bro) to redefine the notice. Now the only thing it does is print the information in our desired format in the notice.log file.

Till now everything goes well, but we need to execute a shell script file whenever the signature matches. So we thought maybe there is a way to execute the script file in the notice redefinition file. I used the function piped_exec. The problem is that when I run the following command,

    /usr/local/bro/bin/./bro -r pcapFile.pcap broFile.bro

everything goes well with the worker. The script will be run, but on the manager side it does not execute the shell script file. Do you think I should use a different command for the manager?

I've uploaded the files on github: https://github.com/falizade/bro_scripts/blob/master/first_v0.bro

Best regards,
Fahimeh Alizadeh

From seth at icir.org Wed Jan 23 06:15:54 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 23 Jan 2013 09:15:54 -0500
Subject: [Bro] piped_exec
In-Reply-To: 
References: 
Message-ID: 

On Jan 23, 2013, at 8:08 AM, Fahime Alizade wrote:

> everything goes well with the worker. The script will be run, but on the manager side it does not execute the shell script file.
If you run that script on a cluster, the piped_exec command will be run where the traffic is being seen (the worker). The manager will never run it.

What you likely want to do is allow your workers to generate notices and use the Notice::policy to make your manager execute your shell script. Something like this?

    redef Notice::policy += {
        [$pred(n: Notice::Info) = {
            if ( n$note == TCP::TEST )
                {
                local cmd = fmt("/usr/local/bro/share/bro/site/test.sh");
                piped_exec(cmd, fmt("%s", n$id$orig_h));
                }
            return F;
         },
         $action=Notice::ACTION_NONE]
    };

I haven't tested this code so there may be some issue(s) with it. :)

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From rawiramdhan at gmail.com Wed Jan 23 07:25:09 2013
From: rawiramdhan at gmail.com (Rawi Ramdhan)
Date: Wed, 23 Jan 2013 16:25:09 +0100
Subject: [Bro] Traffic type dispersion
Message-ID: <774450FF-818B-47F1-867D-19077009840D@gmail.com>

All,

I'm a student at the University of Amsterdam currently working on a research project on deep packet inspection in high bandwidth networks (AMS-IX, DE-CIX, LINX). In order to test my proof of concept I need to create Internet-like traffic. To do this I need to know the traffic dispersion on protocol level (HTTP, DNS etc.), but transport layer information (TCP, UDP) would also help me. Furthermore I would like to know the number of packets per second, their size, and the number of events per n packets.

All information will be removed after the research and only published with your approval. Needless to say, cooperation is greatly appreciated and will be mentioned in the paper.
Kind regards,
Rawi Ramdan
Student at the University of Amsterdam
System and Network Engineering

From roger.larsen at hig.no Thu Jan 24 15:50:23 2013
From: roger.larsen at hig.no (Roger Larsen)
Date: Fri, 25 Jan 2013 00:50:23 +0100
Subject: [Bro] Error in ./configure process in fresh Bro 2.1 GIT with requirements in order ( I think)
Message-ID: <000301cdfa8d$941d3fd0$bc57bf70$@hig.no>

Dear Bro Forum and developers,

I'm running a physical server with FreeBSD. Here is my output from the command "uname -a":

    FreeBSD bigbro 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012

I cloned Bro today from the GIT repository: git://git.bro-ids.org/bro.git (twice, same results)

I have the following software installed (from the pkg_info command):

    autoconf-2.69               Automatically configure source code on many Un*x platforms
    autoconf-wrapper-20101119   Wrapper script for GNU autoconf
    automake-1.12.6             GNU Standards-compliant Makefile generator
    automake-wrapper-20101119   Wrapper script for GNU automake
    bash-4.2.42                 The GNU Project's Bourne Again SHell
    bison-2.5.1,1               A parser generator from FSF, (mostly) compatible with Yacc
    ca_root_nss-3.14.1          The root certificate bundle from the Mozilla Project
    cmake-2.8.9                 A cross-platform Makefile generator
    cmake-modules-2.8.9         Modules and Templates for CMake
    curl-7.24.0_1               Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
    cvsps-2.1_1                 Create patchset information from CVS
    db41-4.1.25_4               The Berkeley DB package, revision 4.1
    expat-2.0.1_2               XML 1.0 parser written in C
    flex-2.5.37                 Fast lexical analyzer generator
    gettext-0.18.1.1            GNU gettext package
    git-1.8.1.1                 Distributed source code management tool
    gmake-3.82_1                GNU version of 'make' utility
    help2man-1.40.13            Automatically generating simple manual pages from program o
    libbind-6.0_1               Standard C resolver library
    libiconv-1.14               A character set conversion library
    libpcap-1.3.0               Ubiquitous network traffic capture library
    libtool-2.4.2               Generic shared library support script
    libzip-0.10.1               C library for reading, creating, and modifying ZIP archives
    m4-1.4.16_1,1               GNU m4
    makedepend-1.0.3,1          A dependency generator for makefiles
    openssl-1.0.1_4             SSL and crypto library
    p5-Error-0.17019            Perl module to provide Error/exception support for perl: Er
    p5-File-LibMagic-0.96       Nice wrapper for libmagic
    p5-IO-Socket-IP-0.18        A drop-in replacement for IO::Socket::INET supporting IPv4
    p5-IO-Socket-SSL-1.81       Perl5 interface to SSL sockets
    p5-Locale-gettext-1.05_3    Message handling functions
    p5-Net-SMTP-SSL-1.01_1      An SMTP client supporting SSL
    p5-Net-SSLeay-1.52          Perl5 interface to SSL
    p5-Socket-2.007             Networking constants and support functions
    pcre-8.32                   Perl Compatible Regular Expressions library
    perl-5.14.2_2               Practical Extraction and Report Language
    pkgconf-0.8.9               Utility to help to configure compiler and linker flags
    portupgrade-2.4.10.4,2      FreeBSD ports/packages administration and management tool s
    python27-2.7.3_6            An interpreted object-oriented programming language
    ruby-1.8.7.371,1            An object-oriented interpreted scripting language
    ruby18-bdb-0.6.6            Ruby interface to Sleepycat's Berkeley DB revision 2 or lat
    swig-2.0.8_1                Generate wrappers for calling C/C++ code from other languag
    xproto-7.0.22               X11 protocol headers

When I try to run the ./configure command, I get the following non-explaining output (at least for me):

    [Thu Jan 24 23:10:11 root at bigbro:~/bro/bro ] # ./configure
    Build Directory : build
    Source Directory: /root/bro/bro
    -- The C compiler identification is GNU 4.2.1
    -- The CXX compiler identification is GNU 4.2.1
    -- Check for working C compiler: /usr/bin/gcc
    -- Check for working C compiler: /usr/bin/gcc -- works
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Check for working CXX compiler: /usr/bin/c++
    -- Check for working CXX compiler: /usr/bin/c++ -- works
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    CMake Error at CMakeLists.txt:3 (include):
      include could not find load file:

        cmake/CommonCMakeConfig.cmake

    CMake Error at CMakeLists.txt:38 (include):
      include could not find load file:

        FindRequiredPackage

    -- Found sed: /usr/bin/sed
    CMake Error at CMakeLists.txt:50 (FindRequiredPackage):
      Unknown CMake command "FindRequiredPackage".

    -- Configuring incomplete, errors occurred!

Thank You - and sorry for the long email :)

Best Regards,
Roger Larsen
/Writing about Bro in my master thesis/

From bernhard at ICSI.Berkeley.EDU Thu Jan 24 16:13:51 2013
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Thu, 24 Jan 2013 16:13:51 -0800
Subject: [Bro] Error in ./configure process in fresh Bro 2.1 GIT with requirements in order ( I think)
In-Reply-To: <000301cdfa8d$941d3fd0$bc57bf70$@hig.no>
References: <000301cdfa8d$941d3fd0$bc57bf70$@hig.no>
Message-ID: <06C675F4-020D-456B-8B37-86405CA9025A@icsi.berkeley.edu>

Hello Roger,

I think you forgot to add --recursive while cloning the git repository.

Clone the repository using

    git clone --recursive git://git.bro-ids.org/bro

and try again :)

Bernhard

On Jan 24, 2013, at 3:50 PM, "Roger Larsen" wrote:

> Dear Bro Forum and developers,
>
> I'm running a physical server with FreeBSD.
> [...]
> I cloned Bro today from the GIT repository: git://git.bro-ids.org/bro.git (twice, same results)
> [...]
> CMake Error at CMakeLists.txt:3 (include):
>   include could not find load file:
>
>     cmake/CommonCMakeConfig.cmake
> [...]

From seth at icir.org Thu Jan 24 17:49:43 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 24 Jan 2013 20:49:43 -0500
Subject: [Bro] Error in ./configure process in fresh Bro 2.1 GIT with requirements in order ( I think)
In-Reply-To: <06C675F4-020D-456B-8B37-86405CA9025A@icsi.berkeley.edu>
References: <000301cdfa8d$941d3fd0$bc57bf70$@hig.no> <06C675F4-020D-456B-8B37-86405CA9025A@icsi.berkeley.edu>
Message-ID: <43D921AB-0EA4-480D-906A-EEBB93009ECD@icir.org>

On Jan 24, 2013, at 7:13 PM, Bernhard Amann wrote:

> Clone the repository using git clone --recursive git://git.bro-ids.org/bro
> and try again :)

Alternately, cd into the repository and run:

    git submodule update --init --recursive

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Tue Jan 29 08:43:08 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 29 Jan 2013 11:43:08 -0500
Subject: [Bro] Bro code samples?
Message-ID: <81C5DD32-7B90-4CA5-B657-B5968EF117A4@icir.org>

I just learned of a new "instagram for code" site here: http://instacode.linology.info/

The coolest part is that it seems to use pygments for syntax highlighting and therefore supports Bro!
Here's a bit of code from the TimeMachine framework that I started working on yesterday:

http://instacode.linology.info/18637

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
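Editor's added example, not code from any of the messages above and not part of the Bro distribution. It pulls together the two answers Seth gave in the "Bro programming question" and "piped_exec" threads: matching connections go through the Logging framework instead of print (so they reach a real log file, not a worker's stdout), and a signature match raises a notice that is processed on the manager, where a Notice::policy predicate calls piped_exec() with the full path of the script. The module name ConnWatch, the script path, the signature id "ourfile-sig" and the watched address 192.168.101.1 (from Rawi's snippet) are assumptions for the illustration. The syntax is the Bro 2.1 one used in the thread (Notice::policy as a set of policy items); Bro 2.2 replaced that set with a hook, so the policy block would need rewriting there.

```bro
##! conn_watch.bro (added example): log matched connections via the Logging
##! framework and run a shell script on the manager when a signature matches.
##! Names, paths and the signature id are assumptions, not values from the list.

@load base/frameworks/logging
@load base/frameworks/notice
@load base/frameworks/signatures

module ConnWatch;

export {
    ## The stream's default file name is derived from the module name,
    ## so records written here land in conn_watch.log.
    redef enum Log::ID += { LOG };

    ## Columns of conn_watch.log; only &log fields are written.
    type Info: record {
        ts:     time    &log;
        uid:    string  &log;
        id:     conn_id &log;
        sig_id: string  &log &optional;
    };

    ## Notice type raised on a signature hit. In a cluster the worker only
    ## forwards notices; the policy below is applied on the manager.
    redef enum Notice::Type += { Match };

    ## Source address we are interested in (assumption, from Rawi's example).
    const watched_host = 192.168.101.1 &redef;

    ## Id of the rule in the loaded .sig file that should trigger the script
    ## (assumption).
    const watched_sig = "ourfile-sig" &redef;

    ## Script to execute. Give the full path, as Seth said; the node running
    ## the manager must have it installed and executable.
    const exec_script = "/usr/local/bro/share/bro/site/test.sh" &redef;
}

event bro_init()
    {
    Log::create_stream(ConnWatch::LOG, [$columns=Info]);
    }

## Runs on the worker that sees the packets. print would only reach that
## worker's stdout; Log::write is forwarded to the manager's log files.
event new_connection(c: connection)
    {
    if ( c$id$orig_h == watched_host && c$id$resp_p == 0/tcp )
        Log::write(ConnWatch::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id]);
    }

## Runs on the worker when a signature matches. Do NOT call piped_exec here:
## it would execute on the worker, which is exactly what Fahimeh observed.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != watched_sig )
        return;

    Log::write(ConnWatch::LOG, [$ts=network_time(), $uid=state$conn$uid,
                                 $id=state$conn$id, $sig_id=state$sig_id]);

    # $identifier enables suppression: one notice per source per suppression
    # interval instead of one per matching packet (and one script run each).
    NOTICE([$note=ConnWatch::Match, $msg=msg, $conn=state$conn,
            $identifier=cat(state$conn$id$orig_h)]);
    }

## Applied where notices are processed, i.e. on the manager in a cluster.
## Use n$id, which the worker fills in from $conn before forwarding; the
## full connection record is not available on the manager. The predicate
## runs the script as a side effect and returns T so that ACTION_LOG still
## writes the notice to notice.log.
redef Notice::policy += {
    [$pred(n: Notice::Info) = {
        if ( n$note != ConnWatch::Match || ! n?$id )
            return F;
        # Only the formatted source address is handed to the script's stdin.
        # Anything else taken from traffic (msg, payload) is attacker
        # controlled and must not be passed to a shell unescaped.
        piped_exec(exec_script, fmt("%s\n", n$id$orig_h));
        return T;
     },
     $action = Notice::ACTION_LOG,
     $priority = 5]
};
```

Put the file in the site directory, `@load` it from local.bro, and run the usual broctl check / install / restart; the .sig file is loaded as before (for a stand-alone test, `bro -s ourfile.sig -r pcapFile.pcap conn_watch.bro`). In a stand-alone run there is only one process, so the script executes locally, which is why Fahimeh's single-node test looked fine while the cluster did not. Leave the script itself non-interactive and make it read the address from stdin rather than building a command line from it.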