From seth at icir.org Mon Jul 1 07:46:34 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 1 Jul 2013 10:46:34 -0400
Subject: [Bro] Flow blocking with iptables from Bro

On Jun 30, 2013, at 9:23 PM, Kamran Khan wrote:

> To anyone who might be interested I've posted a Bro module along with instructions for blocking traffic flows with a timeout (using iptables and bash):
>
> http://inspirated.com/2013/07/01/blocking-traffic-flows-selectively-with-a-timeout-from-bro-ids

Cool! Nice to see that people are moving forward with trying to make standardized interfaces for this stuff. It's actually similar to part of the Reaction framework that I have a bit of work done on. We've been waiting on a few extra features to get into Bro first though. Are you planning on doing any additional work on this? We're always willing to prod people in the right direction if they're interested in working on Bro more closely.

Thanks!
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Mon Jul 1 07:50:24 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 1 Jul 2013 10:50:24 -0400
Subject: [Bro] Question about capture loss script vs. broctl netstats
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU> <51CCAB65.7000708@rsbac.org>
Message-ID: <4F55CC5E-D2B4-403F-995A-344D35C1E6CE@icir.org>

On Jun 30, 2013, at 6:25 PM, Kristoffer Björk wrote:

> myrinet seems to be pretty popular as well, so I would guess it works OK as well, or?

Yep, for people with 10G links they're monitoring I'd almost always go with Myricom with the sniffer drivers. They have commodity pricing on their NICs and they do the hash based load balancing and it's extremely easy to set up (and it works on FreeBSD and Linux).
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jbabio at po-box.esu.edu Mon Jul 1 12:17:07 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Mon, 1 Jul 2013 19:17:07 +0000
Subject: [Bro] ssh successful logins appear as failed

I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.

From jbabio at po-box.esu.edu Mon Jul 1 12:22:35 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Mon, 1 Jul 2013 19:22:35 +0000
Subject: [Bro] ssh

Sorry, forgot to mention the traffic is ssh. I review the ssh.log and it tells me failure.

From jsiwek at illinois.edu Mon Jul 1 13:53:57 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 1 Jul 2013 20:53:57 +0000
Subject: [Bro] ssh successful logins appear as failed

On Jul 1, 2013, at 2:17 PM, John Babio wrote:

> I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.

Typically, SSH user authentication protocol messages are already encrypted. A third-party snooping on the exchange can't be 100% positive of the results. See [1] for more on how Bro does it and for tuning options. If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.
- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html

From jbabio at po-box.esu.edu Mon Jul 1 14:50:20 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Mon, 1 Jul 2013 21:50:20 +0000
Subject: [Bro] ssh successful logins appear as failed

Well here is what is interesting about it. I do a tcpdump and I see the traffic coming in the span port. I am not understanding why it thinks the sessions did not complete.

________________________________________
From: Siwek, Jonathan Luke [jsiwek at illinois.edu]
Sent: Monday, July 01, 2013 4:53 PM
To: John Babio
Cc: bro at bro.org
Subject: Re: [Bro] ssh successful logins appear as failed

On Jul 1, 2013, at 2:17 PM, John Babio wrote:

> I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.

Typically, SSH user authentication protocol messages are already encrypted. A third-party snooping on the exchange can't be 100% positive of the results. See [1] for more on how Bro does it and for tuning options. If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.

- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html

From jessebowling at gmail.com Mon Jul 1 16:41:57 2013
From: jessebowling at gmail.com (Jesse Bowling)
Date: Mon, 1 Jul 2013 19:41:57 -0400
Subject: [Bro] ssh successful logins appear as failed

Hi John,

First, take this with a grain of salt, as I'm not an expert on Bro but expect if I'm incorrect about the below I'll be quickly corrected on-list. :)

I believe you're confused regarding the use of 'session' at both layer 3/4 and higher layers...SSH is using TCP, and a TCP session is certainly established.
What Bro is alerting on is how much data is exchanged in an active SSH session (carried over the TCP session). In other words, since SSH is encrypted after the initial key exchange, we can only guess if someone is logging in and immediately exiting, or trying to log in 3 times and getting their session reset. This is the heuristic part. :)

Essentially a variable is defined that says "if you see X amount of application data exchanged, assume the connection was successful, otherwise, assume the connection failed".

Stated yet another way, Bro is attempting to guess whether someone was able to provide the proper authentication based on how much application data is transferred, not whether someone was able to successfully establish a TCP session with the port.

The tricky part about this detection method is that you may run into erroneous results in that someone who connects on the first login attempt and then simply exits may exchange less application data than the limit that is defined. So while they were in fact successful in logging in, Bro falsely assumes that the session failed because so little data is transferred...

Sound right everyone? Make sense John?

Cheers,

Jesse

On Mon, Jul 1, 2013 at 5:50 PM, John Babio wrote:

> Well here is what is interesting about it. I do a tcpdump and I see the traffic coming in the span port. I am not understanding why it thinks the sessions did not complete.
>
> ________________________________________
> From: Siwek, Jonathan Luke [jsiwek at illinois.edu]
> Sent: Monday, July 01, 2013 4:53 PM
> To: John Babio
> Cc: bro at bro.org
> Subject: Re: [Bro] ssh successful logins appear as failed
>
> On Jul 1, 2013, at 2:17 PM, John Babio wrote:
>
> > I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.
>
> Typically, SSH user authentication protocol messages are already encrypted.
> A third-party snooping on the exchange can't be 100% positive of the results. See [1] for more on how Bro does it and for tuning options. If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.
>
> - Jon
>
> [1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

--
Jesse Bowling

From seth at icir.org Mon Jul 1 17:46:56 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 1 Jul 2013 20:46:56 -0400
Subject: [Bro] ssh successful logins appear as failed

On Jul 1, 2013, at 7:41 PM, Jesse Bowling wrote:

> The tricky part about this detection method is that you may run into erroneous results in that someone who connects on the first login attempt and then simply exits may exchange less application data than the limit that is defined. So while they were in fact successful in logging in, Bro falsely assumes that the session failed because so little data is transferred...

Exactly right.

Thanks!
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From krkhan at inspirated.com Mon Jul 1 20:44:32 2013
From: krkhan at inspirated.com (Kamran Khan)
Date: Mon, 1 Jul 2013 20:44:32 -0700
Subject: [Bro] Flow blocking with iptables from Bro

On Mon, Jul 1, 2013 at 7:46 AM, Seth Hall wrote:

> It's actually similar to part of the Reaction framework that I have a bit of work done on. We've been waiting on a few extra features to get into Bro first though.
> Are you planning on doing any additional work on this? We're always willing to prod people in the right direction if they're interested in working on Bro more closely.

I do plan on adding traffic shaping APIs which call tc so the Reaction framework does sound like a nice idea. Unfortunately I wasn't able to find out about it on the Bro website.

Regards,
--
Kamran Riaz Khan.
http://inspirated.com/

From seth at icir.org Tue Jul 2 07:22:20 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 2 Jul 2013 10:22:20 -0400
Subject: [Bro] Flow blocking with iptables from Bro
Message-ID: <14DF156F-C113-43C9-B9EB-C0EAB5EFD9CB@icir.org>

On Jul 1, 2013, at 11:44 PM, Kamran Khan wrote:

> I do plan on adding traffic shaping APIs which call tc so the Reaction framework does sound like a nice idea. Unfortunately I wasn't able to find out about it on the Bro website.

There isn't really anything written about it, but there has been a lot of internal discussion about it over the past couple of years. It's just taken us a while to get everything in place to do it right. :)

What sort of traffic shaping primitives are you considering?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jbabio at po-box.esu.edu Tue Jul 2 10:44:41 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Tue, 2 Jul 2013 17:44:41 +0000
Subject: [Bro] notice alerting

Is there a way to alert or send notices based on strings displayed in any of the log files?

From bregant2 at illinois.edu Wed Jul 3 08:51:49 2013
From: bregant2 at illinois.edu (Bregant, Bob)
Date: Wed, 3 Jul 2013 15:51:49 +0000
Subject: [Bro] Bro-related Job Announcement: IT Security Analyst (Entry, Senior, or Lead) at University of Illinois
Message-ID: <86BDA89FEFD2AE4FB30B152D0CAD79B175E2FDC9@chimbx4.ad.uillinois.edu>

The University of Illinois at Urbana Champaign has an opening for an IT Security Analyst.
The application closes July 19th, 2013. This position involves working with Bro and other tools to maintain the security of the main campus of Illinois' flagship state university. If anyone is interested, please feel free to apply. If you have any questions or want to know more about the position, feel free to contact me off-list.

Responsibilities include:

- Uses forensic, incident response, and process expertise to respond to and investigate system, service, or network attacks and breaches.
- Works in one or more of the following domains including but not limited to Data Security, Digital Forensics, Incident Response and Analysis, IT Systems and Operations, Network Security, Systems and Applications Security or Vulnerability Management.
- Applies security knowledge, skills, and abilities with supervision on projects and programs.
- Works with IT Security Engineers to build proactive defenses into the campus IT infrastructure.
- Works with local, State, and Federal law enforcement as well as with campus staff on personnel and other investigations involving regulated private information.
- Maintains a professional expertise by attending outside seminars/courses and thorough review of published literature.
- Participates in team discussions to formulate new or enhance existing processes, policies, and standards.
- Work with operational staff across campus to review existing practices and implement campus standards and industry best practices for security.
- Ensure excellent Customer Service throughout the IT Security Office.
- Partner with the CITES Service Center by setting and managing the expectations of customers; acting as an advocate for CITES clients in service planning and deployment across the organization; and resolving customer satisfaction issues

To view the job posting please see:

Bob Bregant II
IT Security Engineer, Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3EF5417746B6DF9E

From jmellander at lbl.gov Wed Jul 3 09:51:25 2013
From: jmellander at lbl.gov (Jim Mellander)
Date: Wed, 3 Jul 2013 09:51:25 -0700
Subject: [Bro] "Faking" connections and http records
References: <4B8A0C7E-A77E-4A2E-A11E-520E7537B437@icir.org>

Reviving my old thread - this project was on hiatus for a while, but is now generating useful data, although not yet in production.

What I ended up doing was transport the syslogs of interest (apache logs) via stunnel to my bro box, which then runs a custom python script:

1. Parses and extracts the logs into python variables
2. Construct plausible http session conversation.
3. Packetize the session into TCP packets
4. Push tcp packets onto virtual interface
5. bro listening to virtual interface performs normal IDS monitoring of traffic.

Here's an example:

Syslog entry:

Jul 3 09:34:54 128.55.22.194 httpd[4148]: www.nersc.gov 66.249.73.109 - - [03/Jul/2013:09:34:54 -0700] "GET /robots.txt HTTP/1.1" 200 82 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Bro http logs:

Jul 3 09:34:58 u3qPWFy8m9 66.249.73.109 64555 128.55.22.194 80 GET www.nersc.gov /robots.txt Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 0 0 200 (empty) - - - - - -

A few points:

1. Tested creating packets to make the conn logs show the correct amount of data returned by the server, as reported in the log, but eventually chose to not do that, as that is of limited value.
2. Support both ipv4 & ipv6 - if a host is dual homed, typically the syslog entry will be from the ipv4 address, but the requesting ip may be ipv6, in which case we convert both addresses to ipv6 using several strategies.

The value of this, from our perspective, is that we can now perform the usual http IDS functions on https connections to our syslogging webservers, without having to store the certs in our bro system for decryption. We also have visibility on intrasite traffic to those same webservers.

Alpha quality code available for the asking.

Jim

On Fri, Mar 22, 2013 at 2:18 PM, Jim Mellander wrote:
> Well, its unfortunate that we can't feed in data from other sources and subject it to the same policies that network traffic is subject to.
>
> In the meantime, I may just write some code that fakes the data into pcap files that can be read by bro directly.
>
> On Fri, Mar 22, 2013 at 1:54 PM, Seth Hall wrote:
>>
>> On Mar 22, 2013, at 4:04 PM, Jim Mellander wrote:
>>
>>> Does anyone have suggestions on how to proceed with this?
>>
>>
>> It wouldn't work very well. :)
>>
>> Nearly all of the detections rely on the various http_ events. I would go down a slightly different route with logs than I would with raw traffic. This is something that I've been talking about for quite a while and I suspect something related to happen in the next year.
>>
>> I think it's really cool that you're importing logs into Bro!
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>

From krkhan at inspirated.com Wed Jul 3 11:34:51 2013
From: krkhan at inspirated.com (Kamran Khan)
Date: Wed, 3 Jul 2013 11:34:51 -0700
Subject: [Bro] Flow blocking with iptables from Bro
In-Reply-To: <14DF156F-C113-43C9-B9EB-C0EAB5EFD9CB@icir.org>
References: <14DF156F-C113-43C9-B9EB-C0EAB5EFD9CB@icir.org>

On Tue, Jul 2, 2013 at 7:22 AM, Seth Hall wrote:

> What sort of traffic shaping primitives are you considering?

To start off with, we plan on exposing APIs in Bro which would let it:

* Mark 5-tuple flows in mangle table
* Define bandwidth rates for marked traffic

It's pretty simplistic, but our goal is to allow Bro developers to say something along the lines: "Allocate more bandwidth to traffic that's going out to IP w.x.y.z."

Regards,
--
Kamran Riaz Khan.
http://inspirated.com/

From blittle766 at gmail.com Mon Jul 8 05:11:37 2013
From: blittle766 at gmail.com (Brian Little)
Date: Mon, 8 Jul 2013 12:11:37 +0000
Subject: [Bro] Broccoli + Intel framework

Is there a recommended way to modify Bro data on the fly with Broccoli, and to have those changes saved upon a restart of Bro? I've looked at the Intel framework, thinking that broccoli could update files on disk (which then get automatically read into the intel framework), but it seems like a bit of a roundabout method.

1) What are other people using to update bro variables/configs/tables on the fly? Is Broccoli the best tool to use?

2) What is the best method of updating bro variables using broccoli so that they get kept between bro restarts?

Thanks,
B Little
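Added illustration of the "update a file on disk that Bro re-reads" route Brian mentions above; this is example code of mine, not something from the thread or from Bro itself. It assumes a hypothetical Bro-side Input::add_table() call with $mode=Input::REREAD reading a two-column table (ip, reason) from a hypothetical path; the column names, the file path and the "Vetted" module name in the docstring are all assumptions. The two points worth taking from it are that the input file format is structural, so any untrusted string written into it must be checked for tabs, newlines and a leading "#", and that the file should be replaced atomically so Bro never re-reads a half-written copy.

```python
"""Maintain a table file for Bro's input framework from outside Bro.

Example code, not from the Bro project. Assumed Bro side (hypothetical):

    redef Vetted::blocklist: table[addr] of string = table();
    Input::add_table([$source="/var/bro/blocklist.tsv", $name="blocklist",
                      $idx=Idx, $val=Val, $destination=Vetted::blocklist,
                      $mode=Input::REREAD]);

The file is the ASCII reader's format: a "#fields" header, tab-separated
rows. With REREAD mode Bro picks up changes to the file by itself.
"""
import ipaddress
import os
import tempfile

FIELDS = ("ip", "reason")   # hypothetical columns; must match Idx/Val in Bro
UNSET = "-"                  # the ASCII reader's default unset marker


def safe_value(value):
    """True if the value cannot change the file's structure.

    A tab or newline would be read as extra columns or rows, and a leading
    '#' would turn the row into a header line. Reject rather than escape.
    """
    return not any(c in value for c in "\t\n\r") and not value.startswith("#")


def render_table(entries):
    """Serialise {ip: reason} into the input framework's ASCII format."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for ip in sorted(entries, key=lambda a: (ipaddress.ip_address(a).version,
                                             ipaddress.ip_address(a))):
        addr = str(ipaddress.ip_address(ip))  # rejects garbage, canonicalises v6
        reason = entries[ip] or UNSET
        if not safe_value(reason):
            raise ValueError("unsafe value for %s: %r" % (addr, reason))
        lines.append(addr + "\t" + reason)
    return "\n".join(lines) + "\n"


def parse_table(text):
    """Inverse of render_table: read the file back into {ip: reason}."""
    fields, entries = None, {}
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = tuple(line[len("#fields\t"):].split("\t"))
            continue
        if line.startswith("#"):
            continue  # any other header line
        if fields is None:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        row = dict(zip(fields, cols))
        entries[row["ip"]] = None if row["reason"] == UNSET else row["reason"]
    return entries


def write_atomic(path, text):
    """Write a sibling temp file, fsync it, then rename it over the target.

    Writing in place would expose a truncated file to Bro's re-read for a
    moment; rename is atomic on POSIX so Bro sees either the old or the new
    complete file.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".blocklist.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def update_table(path, add=(), remove=()):
    """Merge additions/removals into the on-disk table; returns the result."""
    try:
        with open(path) as fh:
            entries = parse_table(fh.read())
    except FileNotFoundError:
        entries = {}
    for ip, reason in add:
        entries[str(ipaddress.ip_address(ip))] = reason
    for ip in remove:
        entries.pop(str(ipaddress.ip_address(ip)), None)
    write_atomic(path, render_table(entries))
    return entries


if __name__ == "__main__":
    import sys
    print(update_table(sys.argv[1], add=[("192.0.2.10", "ssh scanner")]))
```

The Intel framework's files are the same format with its own column set, so the same writer pattern applies there; only FIELDS and the row layout change.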
From jsiwek at illinois.edu Mon Jul 8 08:06:39 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 8 Jul 2013 15:06:39 +0000
Subject: [Bro] Broccoli + Intel framework

On Jul 8, 2013, at 7:11 AM, Brian Little wrote:

> 1) What are other people using to update bro variables/configs/tables on the fly? Is Broccoli the best tool to use?

Broccoli does well for cases where transient data is handed off to a Bro peer for further processing and where that data can't easily originate from a different Bro process (for some tasks you might be able to have one long-running Bro process and just start up a different Bro process that connects to it and sends some events when you need to).

> 2) What is the best method of updating bro variables using broccoli so that they get kept between bro restarts?

Broccoli could probably also do alright for sending persistent data to Bro if you use the &persistent attribute on the variables of interest. A downside may be that the storage it uses won't be directly readable/modifiable by anything other than a Bro process.

An alternative is to use the input framework for data that's supposed to persist across Bro restarts, but also be modifiable (by human or some other script/program) at runtime. The scripts at [1] are a working example of this. The intel framework may also be usable for your situation, but it's also just using the input framework internally which you can use directly if you need the flexibility.

- Jon

[1] https://github.com/jsiwek/bro_vetting

From christopher.p.crawford at gmail.com Wed Jul 10 13:04:04 2013
From: christopher.p.crawford at gmail.com (Chris Crawford)
Date: Wed, 10 Jul 2013 16:04:04 -0400
Subject: [Bro] Additional Records in DNS

I'm trying to write a bro script that pulls out authoritative nameservers and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS reply, since the dns_edns_additional structure seems like it has the information I'm looking for:

http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edns_additional

Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:

# scripts/base/protocols/dns/main.bro
318 # TODO: figure out how to handle these
324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)

Has anyone worked out a way to grab this information from a DNS reply?

If not, could anyone point me in the right direction so that I can roll my own solution?

-Chris

From seth at icir.org Wed Jul 10 13:25:24 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 10 Jul 2013 16:25:24 -0400
Subject: [Bro] Additional Records in DNS

On Jul 10, 2013, at 4:04 PM, Chris Crawford wrote:

> # scripts/base/protocols/dns/main.bro
> 318 # TODO: figure out how to handle these
> 324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
>
> Has anyone worked out a way to grab this information from a DNS reply?
>
> If not, could anyone point me in the right direction so that I can roll my own solution?

The core analyzer part is implemented, the reason that comment is there is that I wasn't exactly sure how I should represent data from those events in the dns.log.

You can handle that event and get the data. Please get in touch with me if you have ideas or scripts that show how that data could be represented sanely in the dns.log.
thanks,
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From himself at louruppert.com Thu Jul 11 14:04:09 2013
From: himself at louruppert.com (Lou RUPPERT)
Date: Thu, 11 Jul 2013 17:04:09 -0400
Subject: [Bro] Bro Tor SSL suppression
Message-ID: <51DF1DC9.6000605@louruppert.com>

Hey,

I run a few networks that have some combination of Tor users and Tor servers. The SSL traffic is rather noisy, and on some networks I want to know which users are using Tor for tunnel-tracking purposes. I took jsiwek's example of Input Framework code and beat on it until it used a list of Tor servers to suppress SSL warnings and track Tor clients. Here it is:

https://github.com/lruppert/bro-tor

A couple questions:

1. Is there a way to get a table loaded via the Input framework on a cluster master to be visible by the cluster workers? You'd think &synchronized would be the ticket to awesomeness, but all it did was shame me.

2. Is there any nice sample code for hooking into the Software framework and logging software? It would be fun to log Tor clients and servers in the software log as well, or instead.

3. Is the tunnels log just a log of tunnels bro can bust open and feast on the entrails of, or would it be appropriate to log opaque tunnels like Tor or VPNs in there too?

--
I prefer encrypted email. Get my key here:
http://www.louruppert.com/keys/115DCF62.asc
PGP Fingerprint: 3261 B9F9 9363 D512 56F8 12DD 127F 4D6A 115D CF62

From jsiwek at illinois.edu Thu Jul 11 15:03:46 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 11 Jul 2013 22:03:46 +0000
Subject: [Bro] Bro Tor SSL suppression
In-Reply-To: <51DF1DC9.6000605@louruppert.com>
References: <51DF1DC9.6000605@louruppert.com>

On Jul 11, 2013, at 4:04 PM, Lou RUPPERT wrote:

> 1. Is there a way to get a table loaded via the Input framework on a cluster master to be visible by the cluster workers?
> You'd think &synchronized would be the ticket to awesomeness, but all it did was shame me.

One idea would be to have the manager feed back the table entries to worker nodes via an event and workers assign the entry in their local table. The manager could raise those events in an Input::update_finished or Input::end_of_data handler (depends on Bro version which to use).

> 2. Is there any nice sample code for hooking into the Software framework and logging software? It would be fun to log Tor clients and servers in the software log as well, or instead.

Maybe Seth or someone else can point to a particularly helpful example, but `grep -R Software::found scripts/` in the source code is probably what I would reference.

> 3. Is the tunnels log just a log of tunnels bro can bust open and feast on the entrails of, or would it be appropriate to log opaque tunnels like Tor or VPNs in there too?

Seems appropriate to me. Calling Tunnel::register() whenever a new tunnel is found should be enough to log/track it. E.g:

module Tunnel;

# Add a tunnel type for opaque tunnels so they show up in tunnel.log.
redef enum Tunnel::Type += { VPN };

event some_event(c: connection)
    {
    # Register the connection itself as the encapsulating tunnel.
    Tunnel::register(EncapsulatingConn($cid=c$id, $tunnel_type=Tunnel::VPN, $uid=c$uid));
    }

- Jon

From christopher.p.crawford at gmail.com Fri Jul 12 08:05:39 2013
From: christopher.p.crawford at gmail.com (Chris Crawford)
Date: Fri, 12 Jul 2013 11:05:39 -0400
Subject: [Bro] Additional Records in DNS

I wrote a short bro script to test out dns_EDNS_addl:

event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
    {
    print c$uid;
    }

But nothing happens when I run the script over some pcap that has DNS with additional records. I tried this with bro 2.1:

$ bro -v
bro version 2.1

Did the core analyzer part get implemented in an update on git after v 2.1?
On Wed, Jul 10, 2013 at 4:25 PM, Seth Hall wrote:

>
> On Jul 10, 2013, at 4:04 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>
> > # scripts/base/protocols/dns/main.bro
> > 318 # TODO: figure out how to handle these
> > 324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
> >
> > Has anyone worked out a way to grab this information from a DNS reply?
> >
> > If not, could anyone point me in the right direction so that I can roll my own solution?
>
> The core analyzer part is implemented, the reason that comment is there is that I wasn't exactly sure how I should represent data from those events in the dns.log.
>
> You can handle that event and get the data. Please get in touch with me if you have ideas or scripts that show how that data could be represented sanely in the dns.log.
>
> thanks,
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From seth at icir.org Fri Jul 12 08:09:36 2013
From: seth at icir.org (Seth Hall)
Date: Fri, 12 Jul 2013 11:09:36 -0400
Subject: [Bro] Additional Records in DNS

On Jul 12, 2013, at 11:05 AM, Chris Crawford wrote:

> Did the core analyzer part get implemented in an update on git after v 2.1?

I don't know. I thought those events were implemented, but perhaps not. It might be worthwhile looking through the analyzer itself to see if they are.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From la_arshadi at yahoo.com Sat Jul 20 23:11:25 2013
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Sat, 20 Jul 2013 23:11:25 -0700 (PDT)
Subject: [Bro] connection states
Message-ID: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>

Dear all,

Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc. upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.

Regards
L. Arshadi

From rjenkins at rmjconsulting.net Sun Jul 21 02:36:30 2013
From: rjenkins at rmjconsulting.net (Ron Jenkins)
Date: Sun, 21 Jul 2013 09:36:30 +0000
Subject: [Bro] connection states
In-Reply-To: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>
Message-ID: <2314FB98-3062-467F-86A2-8C2757F79AD1@rmjconsulting.net>

I too would be interested in knowing.

Thanks

Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,MCPS,MCNPS,CCNA)
RMJ Consulting, LLC.
"Bringing Companies and Solutions Together"
Owner / Senior Architect
Physical Address
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Mail Address
7575 Jefferson Hwy #103
Baton Rouge, LA 70806
Toll. 855-448-5214
Direct. 225-448-5214
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins at rmjconsulting.net
Web. http://www.rmjconsulting.net
http://www.linkedin.com/in/ronmjenkins

On Jul 21, 2013, at 1:14 AM, "Laleh Arshadi" wrote:

> Dear all,
>
> Seems that Bro classifies connections into a number of states in its "connection summaries" log files.
States such SF, REJ, etc. upon which it then classifies the connection into one of the three states "good", "bad' or "unkown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly. Regards L. Arshadi _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130721/d3a9c84f/attachment.html From rjenkins at rmjconsulting.net Sun Jul 21 03:30:29 2013 From: rjenkins at rmjconsulting.net (Ron Jenkins) Date: Sun, 21 Jul 2013 10:30:29 +0000 Subject: [Bro] connection states In-Reply-To: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> Message-ID: FYI I found the below link. Thanks http://www.icir.org/robin/rwth/bro-tour.pdf Ron Jenkins (SnortCP, VCP (3/4), MCNE, CNE6, MCP,CCNA) RMJ Consulting, LLC. "Bringing Companies and Solutions Together" Makers of Active Response System(ARS) & Log Siphon Owner / Senior Architect Physical Address 11715 Bricksome Ave STE B-7 Baton Rouge, LA 70816 Mail Address 7575 Jefferson Hwy #103 Baton Rouge, LA 70806 Toll: 855-448-5214 Direct. 225-448-5214 Fax. 225-448-5324 Cell. 225-931-1632 Email. rjenkins at rmjconsulting.net Web. http://www.rmjconsulting.net ARS. http://www.rmjars.com Log Siphon. http://www.logsiphon.com Linkedin. http://www.linkedin.com/profile/view?id=28564151&trk=tab_pro From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Laleh Arshadi Sent: Sunday, July 21, 2013 1:11 AM To: Bro IDS Subject: [Bro] connection states Dear all, Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such SF, REJ, etc. 
upon which it then classifies the connection into one of the three states "good", "bad' or "unkown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly. Regards L. Arshadi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130721/b7505a1a/attachment.html From banu.segar at gmail.com Sun Jul 21 04:35:48 2013 From: banu.segar at gmail.com (BanuSanjana) Date: Sun, 21 Jul 2013 17:05:48 +0530 Subject: [Bro] FEATURE EXTRACTION Message-ID: How to extract entire feature of DARPA99 data set please help me. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130721/33761f50/attachment.html From vladg at cmu.edu Sun Jul 21 06:11:44 2013 From: vladg at cmu.edu (Vlad Grigorescu) Date: Sun, 21 Jul 2013 13:11:44 +0000 Subject: [Bro] connection states In-Reply-To: <2314FB98-3062-467F-86A2-8C2757F79AD1@rmjconsulting.net> References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <2314FB98-3062-467F-86A2-8C2757F79AD1@rmjconsulting.net> Message-ID: <1202BE242E080642B0CD0AD0A03E8552D47000@PGH-MSGMB-03.andrew.ad.cmu.edu> Wow, a 17 line sig for a 2 line e-mail. That might be a new record. --Vlad On Jul 21, 2013, at 5:36 AM, Ron Jenkins wrote: > I too would be interested in knowing. > > > Thanks > > Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,MCPS,MCNPS,CCNA) > RMJ Consulting, LLC. > "Bringing Companies and Solutions Together" > Owner / Senior Architect > Physical Address > 11715 Bricksome Ave STE B-7 > Baton Rouge, LA 70816 > Mail Address > 7575 Jefferson Hwy #103 > Baton Rouge, LA 70806 > Toll. 855-448-5214 > Direct. 225-448-5214 > Fax. 225-448-5324 > Cell. 225-931-1632 > Email. rjenkins at rmjconsulting.net > Web. 
> http://www.rmjconsulting.net
> http://www.linkedin.com/in/ronmjenkins
>
> On Jul 21, 2013, at 1:14 AM, "Laleh Arshadi" wrote:
>
>> Dear all,
>>
>> Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc., upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.
>>
>> Regards
>> L. Arshadi

From la_arshadi at yahoo.com Sun Jul 21 10:18:08 2013
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Sun, 21 Jul 2013 10:18:08 -0700 (PDT)
Subject: [Bro] connection states
In-Reply-To:
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>
Message-ID: <1374427088.88834.YahooMailNeo@web140603.mail.bf1.yahoo.com>

Hi Ron

Thanks for the link but unfortunately it does not contain all the information I am looking for.

L. Arshadi

________________________________

FYI

I found the below link.

Thanks

http://www.icir.org/robin/rwth/bro-tour.pdf

Ron Jenkins (SnortCP, VCP (3/4), MCNE, CNE6, MCP,CCNA)

Dear all,

Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc., upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.

Regards
L. Arshadi
From alexwis at gmail.com Sun Jul 21 10:35:17 2013
From: alexwis at gmail.com (Alex Waher)
Date: Sun, 21 Jul 2013 10:35:17 -0700
Subject: [Bro] connection states
In-Reply-To: <1374427088.88834.YahooMailNeo@web140603.mail.bf1.yahoo.com>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <1374427088.88834.YahooMailNeo@web140603.mail.bf1.yahoo.com>
Message-ID:

http://www.bro-project.org/sphinx-git/scripts/base/protocols/conn/main.html

On Jul 21, 2013 10:20 AM, "Laleh Arshadi" wrote:

> Hi Ron
>
> Thanks for the link but unfortunately it does not contain all the
> information I am looking for.
>
> L. Arshadi
>
> FYI
>
> I found the below link.
>
> Thanks
>
> http://www.icir.org/robin/rwth/bro-tour.pdf
>
> Ron Jenkins (SnortCP, VCP (3/4), MCNE, CNE6, MCP,CCNA)
>
> Dear all,
>
> Seems that Bro classifies connections into a number of states in its
> "connection summaries" log files. States such as SF, REJ, etc., upon which it
> then classifies the connection into one of the three states "good", "bad"
> or "unknown". I was wondering if one could give me a direct pointer to a
> reference in which these states are discussed thoroughly.
>
> Regards
> L. Arshadi
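An added example (mine, not from this thread or the Bro project) that reads conn.log records and expands the conn_state and history fields the linked page documents. The log lines are constructed, the column set is trimmed to what the example needs, and the state and letter meanings are the ones given in the Bro 2.x conn/main documentation.

```python
from collections import Counter

# conn_state values as summarised in base/protocols/conn/main.bro (Bro 2.x)
CONN_STATE = {
    "S0": "connection attempt seen, no reply",
    "S1": "established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, originator tried to close, no reply from responder",
    "S3": "established, responder tried to close, no reply from originator",
    "RSTO": "established, originator aborted with RST",
    "RSTR": "established, responder aborted with RST",
    "RSTOS0": "originator sent SYN then RST, no SYN-ACK seen",
    "RSTRH": "responder sent SYN-ACK then RST, no SYN seen",
    "SH": "originator sent SYN then FIN, no SYN-ACK seen (half open)",
    "SHR": "responder sent SYN-ACK then FIN, no SYN seen",
    "OTH": "no SYN seen, midstream traffic only",
}

# history letters: uppercase = sent by the originator, lowercase = by the responder
HISTORY_LETTER = {
    "s": "SYN without ACK",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "i": "inconsistent flags (e.g. SYN+RST)",
}

# States where the responder never completed a handshake. A burst of these from
# one originator toward many ports or hosts is the raw material of scan detection.
FAILED_STATES = {"S0", "REJ", "RSTOS0", "SH"}


def parse_conn_log(text):
    """Parse Bro's ASCII log: '#fields' names the tab-separated columns,
    other '#' lines are metadata, every other line is one record."""
    fields, records = None, []
    for line in text.splitlines():
        if not line or (line.startswith("#") and not line.startswith("#fields")):
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def decode_history(history):
    """Expand a history string into (side, event) pairs; '-' is Bro's empty value."""
    if history == "-":
        return []
    return [("orig" if ch.isupper() else "resp",
             HISTORY_LETTER.get(ch.lower(), "unknown(%s)" % ch))
            for ch in history]


def handshake_seen(history):
    """True only if Bro saw SYN (orig), then SYN-ACK (resp), then ACK (orig), in order."""
    s = history.find("S")
    h = history.find("h", s + 1) if s >= 0 else -1
    return h >= 0 and history.find("A", h + 1) >= 0


def summarize(record):
    """Describe one record in terms of how Bro perceived the connection."""
    state = record["conn_state"]
    return {
        "uid": record["uid"],
        "state": state,
        "meaning": CONN_STATE.get(state, "unknown conn_state"),
        "events": decode_history(record["history"]),
        "full_handshake": handshake_seen(record["history"]),
    }


def failed_attempts_by_originator(records):
    """Count TCP connections per originator that never reached an accepted handshake."""
    counts = Counter()
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES:
            counts[r["id.orig_h"]] += 1
    return dict(counts)


# Constructed sample conn.log (tab-separated; column set trimmed for the example).
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "conn_state", "history"],
    ["1374400000.1", "CXa1", "10.0.0.5", "51000", "192.0.2.10", "80", "tcp", "SF", "ShADadFf"],
    ["1374400001.2", "CXa2", "10.0.0.7", "51001", "192.0.2.20", "22", "tcp", "REJ", "Sr"],
    ["1374400002.3", "CXa3", "10.0.0.7", "51002", "192.0.2.21", "22", "tcp", "S0", "S"],
    ["1374400003.4", "CXa4", "10.0.0.9", "51003", "192.0.2.30", "443", "tcp", "OTH", "Dd"],
]) + "\n"
```

Running `summarize` over `parse_conn_log(SAMPLE_LOG)` shows that only the SF record carries a complete handshake, and `failed_attempts_by_originator` attributes both unanswered attempts to 10.0.0.7.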
From seth at icir.org Mon Jul 22 06:53:40 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 22 Jul 2013 09:53:40 -0400
Subject: [Bro] connection states
In-Reply-To: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com>
Message-ID: <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org>

On Jul 21, 2013, at 2:11 AM, Laleh Arshadi wrote:

> Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc., upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.

I suspect the link from Alex answered your question, but to go a little further than the rote documentation I'd like to point out that what that field really represents is how Bro chose to perceive the connection. Since Bro is a third party passive observer it can't always perfectly understand the conversation for various reasons like packet loss, missing packets due to asynchronous routing, or peculiar host semantics that Bro doesn't understand.

Check out the history field too if you want a little more information about what Bro actually saw on the wire.
It's documented on the same page: http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.html

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From la_arshadi at yahoo.com Mon Jul 22 08:54:18 2013
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Mon, 22 Jul 2013 08:54:18 -0700 (PDT)
Subject: [Bro] connection states
In-Reply-To: <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org>
Message-ID: <1374508458.81855.YahooMailNeo@web140603.mail.bf1.yahoo.com>

Hi

Thank you both Alex and Seth for the link and the explanation. I got the taste of the connection states; now I am looking for the policies upon which Bro decides that a connection is "good", "bad" or "unknown". Is anything stated in the documents in this regard?

Regards
Laleh

________________________________

On Jul 21, 2013, at 2:11 AM, Laleh Arshadi wrote:

> Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc., upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.

I suspect the link from Alex answered your question, but to go a little further than the rote documentation I'd like to point out that what that field really represents is how Bro chose to perceive the connection. Since Bro is a third party passive observer it can't always perfectly understand the conversation for various reasons like packet loss, missing packets due to asynchronous routing, or peculiar host semantics that Bro doesn't understand.

Check out the history field too if you want a little more information about what Bro actually saw on the wire. It's documented on the same page:
http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.html

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Mon Jul 22 09:23:03 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 22 Jul 2013 12:23:03 -0400
Subject: [Bro] connection states
In-Reply-To: <1374508458.81855.YahooMailNeo@web140603.mail.bf1.yahoo.com>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org> <1374508458.81855.YahooMailNeo@web140603.mail.bf1.yahoo.com>
Message-ID: <94E9CD68-A962-4497-BD55-1125F8D5DE7D@icir.org>

On Jul 22, 2013, at 11:54 AM, Laleh Arshadi wrote:

> now I am looking for the policies upon which Bro decides that a connection is "good", "bad" or "unknown".

Hm, your question is a little broad. :)

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From la_arshadi at yahoo.com Mon Jul 22 11:11:23 2013
From: la_arshadi at yahoo.com (Laleh Arshadi)
Date: Mon, 22 Jul 2013 11:11:23 -0700 (PDT)
Subject: [Bro] connection states
In-Reply-To: <94E9CD68-A962-4497-BD55-1125F8D5DE7D@icir.org>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org> <1374508458.81855.YahooMailNeo@web140603.mail.bf1.yahoo.com> <94E9CD68-A962-4497-BD55-1125F8D5DE7D@icir.org>
Message-ID: <1374516683.29350.YahooMailNeo@web140602.mail.bf1.yahoo.com>

OK... to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?

________________________________

On Jul 22, 2013, at 11:54 AM, Laleh Arshadi wrote:

> now I am looking for the policies upon which Bro decides that a connection is "good", "bad" or "unknown".
Hm, your question is a little broad. :)

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Mon Jul 22 11:30:02 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 22 Jul 2013 14:30:02 -0400
Subject: [Bro] connection states
In-Reply-To: <1374516683.29350.YahooMailNeo@web140602.mail.bf1.yahoo.com>
References: <1374387085.34901.YahooMailNeo@web140601.mail.bf1.yahoo.com> <73DC7685-AB9B-4637-8673-2FD15DD35BD4@icir.org> <1374508458.81855.YahooMailNeo@web140603.mail.bf1.yahoo.com> <94E9CD68-A962-4497-BD55-1125F8D5DE7D@icir.org> <1374516683.29350.YahooMailNeo@web140602.mail.bf1.yahoo.com>
Message-ID: <4FB062E0-9663-4841-A843-C651931B6849@icir.org>

On Jul 22, 2013, at 2:11 PM, Laleh Arshadi wrote:

> OK... to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?

That's mostly going to depend on what you consider a TCP scan attempt. This is such a hard problem and could be slightly different in everyone's context. Anyway, I would recommend taking a look at the scan.bro that is in our master repository. It's a new script that is coming out with the upcoming 2.2 release and it works pretty well; if you read and understand that script it should answer your question though.

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From krkhan at inspirated.com Mon Jul 22 12:19:16 2013
From: krkhan at inspirated.com (Kamran Khan)
Date: Mon, 22 Jul 2013 12:19:16 -0700
Subject: [Bro] Current listening interface
Message-ID:

Is there a way to query the name of the interface Bro is currently listening on from scriptland?

Regards,
-- 
Kamran Riaz Khan.
http://inspirated.com/

From joonysky at yahoo.com Mon Jul 22 14:24:26 2013
From: joonysky at yahoo.com (JH YANG)
Date: Mon, 22 Jul 2013 14:24:26 -0700 (PDT)
Subject: [Bro] Create different file size from original one in HTTP File-extract
Message-ID: <1374528266.55201.YahooMailNeo@web120605.mail.ne1.yahoo.com>

Hey guys,

I'm working on BRO and extracting certain types of files on file systems. My question is that Bro often produces a different file size from the original one. So I performed some tests with a vanilla BRO configured only like below:

redef HTTP::extract_file_types = /application\/.*/;
redef HTTP::extraction_prefix = "/usr/local/bro/logs/http-entity/";

After that I compared the extracted file with the original one while capturing packets. I found the below:

Downloaded file (Bamf.zip):
Original file size: 96396 bytes
From Bro: 94119 bytes
Pcap: 96396 bytes

The pcap hasn't any missed parts, but the file from Bro is an incomplete file which doesn't have the last part of the file (2277 bytes).

I would appreciate it if you could provide me any clue or thought for solving it.

Thank you,

From jessebowling at gmail.com Mon Jul 22 17:46:52 2013
From: jessebowling at gmail.com (Jesse Bowling)
Date: Mon, 22 Jul 2013 20:46:52 -0400
Subject: [Bro] Error in listen.bro, line 6
Message-ID:

Hi,

Using a fresh install of Bro 2.1 from stable tgz, I get the following error:

"error in /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro, line 6: "

Below is some output from Broctl; I tried looking at the file but it appears to be fine... What am I missing/what can I check? This is a standalone install built with:

./configure --with-pcap=/usr/local/lib

Any hints?
Cheers,

Jesse

Welcome to BroControl 1.1

Type "help" for help.

[BroControl] > install
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > check
bro failed.
error in /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro, line 6: syntax error, at or near "module"
[BroControl] > start
starting bro ...
bro terminated immediately after starting; check output with "diag"
[BroControl] > diag
[bro]

==== No reporter.log

==== stderr.log
error in /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro, line 6: syntax error, at or near "module"

==== stdout.log
unlimited
unlimited
unlimited

==== .cmdline
-i eth3 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bro/bin:/root/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
TERMINATED [atexit]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

-- 
Jesse Bowling
From JAzoff at albany.edu Mon Jul 22 18:26:50 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Mon, 22 Jul 2013 21:26:50 -0400
Subject: [Bro] Error in listen.bro, line 6
In-Reply-To:
References:
Message-ID: <20130723012650.GC3196@datacomm.albany.edu>

On Mon, Jul 22, 2013 at 08:46:52PM -0400, Jesse Bowling wrote:
> Hi,
>
> Using a fresh install of Bro 2.1 from stable tgz, I get the following error:
>
> "error in /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro,
> line 6: "

I believe that can be caused by an error in a script included before that. If a policy file is missing a trailing } or ; you will get that..

These files:

> generating standalone-layout.bro ... done.
> generating local-networks.bro ... done.
> generating broctl-config.bro ... done.

are generated from the various .cfg files (broctl, nodes, network..)

If you haven't installed any site local policies I would double check that none of those .cfg files has anything weird in it.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From seth at icir.org Mon Jul 22 20:07:44 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 22 Jul 2013 23:07:44 -0400
Subject: [Bro] Create different file size from original one in HTTP File-extract
In-Reply-To: <1374528266.55201.YahooMailNeo@web120605.mail.ne1.yahoo.com>
References: <1374528266.55201.YahooMailNeo@web120605.mail.ne1.yahoo.com>
Message-ID: <2BA526CC-425A-45A4-A35A-65195481C7C3@icir.org>

On Jul 22, 2013, at 5:24 PM, JH YANG wrote:

> The pcap hasn't any missed parts, but the file from Bro is an incomplete file which doesn't have the last part of the file (2277 bytes).

I think that there is a bug in Bro that shows up like this in some cases. This is unlikely a bug that any of us on the core team are likely to look into though because there is new "file" handling code that is coming soon and just generally works better all around.
Sorry for the probably unsatisfactory answer, but things will be even better soon! :)

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jessebowling at gmail.com Mon Jul 22 20:38:43 2013
From: jessebowling at gmail.com (Jesse Bowling)
Date: Mon, 22 Jul 2013 23:38:43 -0400
Subject: [Bro] Error in listen.bro, line 6
In-Reply-To: <20130723012650.GC3196@datacomm.albany.edu>
References: <20130723012650.GC3196@datacomm.albany.edu>
Message-ID:

Ah, on the money; my final statement in local.bro was missing a ';'... Thanks!

On Mon, Jul 22, 2013 at 9:26 PM, Justin Azoff wrote:

> On Mon, Jul 22, 2013 at 08:46:52PM -0400, Jesse Bowling wrote:
>> Hi,
>>
>> Using a fresh install of Bro 2.1 from stable tgz, I get the following
>> error:
>>
>> "error in
>> /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro,
>> line 6: "
>
> I believe that can be caused by an error in a script included before
> that. If a policy file is missing a trailing } or ; you will get that..
>
> These files:
>
>> generating standalone-layout.bro ... done.
>> generating local-networks.bro ... done.
>> generating broctl-config.bro ... done.
>
> are generated from the various .cfg files (broctl, nodes, network..)
>
> If you haven't installed any site local policies I would double check
> that none of those .cfg files has anything weird in it.
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst

-- 
Jesse Bowling
From seth at icir.org Tue Jul 23 10:44:21 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 23 Jul 2013 13:44:21 -0400
Subject: [Bro] [security-onion] Bro and Myricom
In-Reply-To: <51EEAA14.1040006@rsbac.org>
References: <51EEAA14.1040006@rsbac.org>
Message-ID: <8BAF3B08-D72B-4087-972B-FDEE59271EC1@icir.org>

On Jul 23, 2013, at 12:06 PM, Michal Purzynski wrote:

> I've thrown about 1.5Gbit of traffic on the host, give or take 500Mbit.
>
> 12 workers. Bro from the svn (oh well).

Hm, are you using our git repository? Or are you using some old version from our subversion repository that still exists (but hasn't been touched for a long time)?

> Myricom support told me to:
>
> "And also make sure that you are using the latest Bro 2.0 and that the Sniffer environment flags are set in /usr/local/bro/lib/broctl/BroControl/control.py:
>
> env += " SNF_NUM_RINGS=12 SNF_FLAGS=0x1"
> "

What?!? Myricom support is telling people that! That's not the right way to do it (with 2.1, and we don't really support 2.0 anymore).

[worker1]
type=worker
host=1.2.3.4
interface=eth0
lb_method=myricom
lb_procs=12

That's how you should be doing it in node.cfg. No changes in python are required.

Would you mind putting me in touch with whomever you contacted at Myricom support?

> I've also recompiled Bro against the vendor provided pcap lib. So far so good.

Could you paste the exact configure flags you used?

> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

It looks like you may have something out of date, but I'm not really sure what's causing this error.

Could you please move discussions like this over to the Bro mailing list too?
This thread is solidly Bro and not exactly related to SO.

Thanks,

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From michal at rsbac.org Tue Jul 23 11:06:28 2013
From: michal at rsbac.org (Michal Purzynski)
Date: Tue, 23 Jul 2013 20:06:28 +0200
Subject: [Bro] Myricom and Bro
Message-ID: <51EEC624.3080702@rsbac.org>

Moving from the Security Onion list.

On Jul 23, 2013, at 12:06 PM, Michal Purzynski wrote:

> I've thrown about 1.5Gbit of traffic on the host, give or take 500Mbit.
>
> 12 workers. Bro from the svn (oh well).

Hm, are you using our git repository? Or are you using some old version from our subversion repository that still exists (but hasn't been touched for a long time)?

Yep, fresh git.

> Myricom support told me to:
>
> "And also make sure that you are using the latest Bro 2.0 and that the Sniffer environment flags are set in /usr/local/bro/lib/broctl/BroControl/control.py:
>
> env += " SNF_NUM_RINGS=12 SNF_FLAGS=0x1"
> "

What?!? Myricom support is telling people that! That's not the right way to do it (with 2.1, and we don't really support 2.0 anymore).

[worker1]
type=worker
host=1.2.3.4
interface=eth0
lb_method=myricom
lb_procs=12

That's how you should be doing it in node.cfg. No changes in python are required.

How about recompiling Bro against the Myricom pcap lib?

Would you mind putting me in touch with whomever you contacted at Myricom support?

Done.

> I've also recompiled Bro against the vendor provided pcap lib. So far so good.

Could you paste the exact configure flags you used?
./configure --with-pcap=/home/mpurzynski/myri_snf-2.0.11.50370_25b3f53d7-2930.x86_64 --prefix=/opt/bro

> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

It looks like you may have something out of date, but I'm not really sure what's causing this error.

So, I've kind of worked around it by commenting out a few things (now how do you like this hack? ;). Let's get this fixed and the Myricom thingy working.

From nicolas.retrain at cea.fr Wed Jul 24 01:59:00 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Wed, 24 Jul 2013 10:59:00 +0200
Subject: [Bro] questions about binpac
Message-ID: <51EF9754.6070701@cea.fr>

Hi,

I am trying to parse BER with binpac, but I have some difficulties, and I wonder if there is a clean way to implement the protocol.

- First, is it possible to use recursive code in binpac?

type A = record {
    field1 : uint8;
    field2 : case field1 of {
        [...]
        0x10 -> value : B;
        [...]
    };
};

type B = record {
    [...]
    field1 : A;
};

This kind of dependency gives me "error 139" at compilation time. (Sorry for writing code in an email..)

- Secondly, I need to do some computations on the current byte to know how to parse the next ones. I can sum up the problem, for instance, with the length field. According to the X.690 documentation (https://www.itu.int/rec/T-REC-X.690-200811-I), the algorithm is:

- if the lead bit of the first byte is 0, then the byte is the packet length.

ex : 0x20 0x02 0x01 0x..
     ^    ^
     |    |-- -- -- ... other fields
     |
     length

- else, the 7 other bits of the first byte give the number of bytes to parse in order to retrieve the packet length.

ex : 0x84 0x00 0x00 0x00 0x41 0x..
     ^                        ^
     |                        |-- ... other fields
     |-- -- -- -- -- -- -- --| length

In my binpac I have tried something with &let and &if, but it was not working. Is there a way to do it in full binpac code? (otherwise I will write it in C++).

Thanks for your help!

Nicolas

From anthony.kasza at gmail.com Wed Jul 24 19:24:43 2013
From: anthony.kasza at gmail.com (anthony kasza)
Date: Wed, 24 Jul 2013 19:24:43 -0700
Subject: [Bro] Request for Handholding - BIF Extending
Message-ID:

Hey Bro,

I'm wondering if any examples or walk-throughs exist for extending Bro's set of built in functions. Perhaps some dummy C++ code that I could play around with that outlines some basics, similar to what example.bro (http://bro.org/sphinx/_downloads/example.bro) does for script land.

Does anyone have any suggestions or starting points?

Thanks all,

-AK

From seth at icir.org Thu Jul 25 05:31:54 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 25 Jul 2013 08:31:54 -0400
Subject: [Bro] Request for Handholding - BIF Extending
In-Reply-To:
References:
Message-ID: <971BB1B0-18F9-4430-8D2D-5F1CC4A1EFB8@icir.org>

On Jul 24, 2013, at 10:24 PM, anthony kasza wrote:

> I'm wondering if any examples or walk-throughs exist for extending
> Bro's set of built in functions.

Take a look at bro.bif and strings.bif, you couldn't get a better set of example code. :)

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From tyler.schoenke at colorado.edu Sat Jul 27 16:00:23 2013
From: tyler.schoenke at colorado.edu (Tyler T. Schoenke)
Date: Sat, 27 Jul 2013 17:00:23 -0600
Subject: [Bro] vulnerable.bro error on check, Was RE: Myricom and Bro
Message-ID: <0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu>

> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses the error.

Is it safe to assume accounts didn't get ported over to the new Tracker?

Tyler

From vladg at cmu.edu Sat Jul 27 18:00:01 2013
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Sun, 28 Jul 2013 01:00:01 +0000
Subject: [Bro] vulnerable.bro error on check
In-Reply-To: <9191_1374966540_r6RN8xsk009243_0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu>
References: <9191_1374966540_r6RN8xsk009243_0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu>
Message-ID: <1202BE242E080642B0CD0AD0A03E8552D5E49D@PGH-MSGMB-03.andrew.ad.cmu.edu>

On Jul 27, 2013, at 7:00 PM, Tyler T. Schoenke wrote:

>> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])
>
> Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses the error.

The way vulnerable software is specified has changed to allow for more flexibility.
Here's what my local.bro has, for example:

> global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=44]];
> global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]];
>
> redef Software::vulnerable_versions += {
>     ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
> };

This defines any Java <= 1.6.0.44 and any Java >= 1.7 and <= 1.7.0.20 as vulnerable.

From CHANGES:

> 2.1-366 | 2013-03-17 12:35:59 -0700
>
>   * Improvements to vulnerable software detection. (Seth Hall)
>
>     - Add a DNS based updating method. This needs to be tested
>       still.
>
>     - Vulnerable version ranges are used now instead of only single
>       versions. This can deal with software with multiple stable
>       major versions.
>
>   * Update software version parsing and comparison to account for a
>     third numeric subversion. Also, $addl is now compared numerically
>     if the value is actually numeric. (Seth Hall)

> Is it safe to assume accounts didn't get ported over to the new Tracker?

See: , specifically:

> The most significant thing users should note is that as part of the import in to JIRA, accounts have been created with the same usernames as were in Trac, however password resets need to be requested before they can be used to log in. This can be done by selecting the "Unable to access your account?" link from the log in screen to request password reset instructions via email.

Hope this helps,

--Vlad

From tyler.schoenke at colorado.edu Sun Jul 28 19:07:28 2013
From: tyler.schoenke at colorado.edu (Tyler T. Schoenke)
Date: Sun, 28 Jul 2013 20:07:28 -0600
Subject: [Bro] vulnerable.bro error on check
In-Reply-To: <1202BE242E080642B0CD0AD0A03E8552D5E49D@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <9191_1374966540_r6RN8xsk009243_0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu> <1202BE242E080642B0CD0AD0A03E8552D5E49D@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID: <0AA5D924DE90AF48BBD563CCD296B8FBD996038962@EXC2.ad.colorado.edu>

Thanks Vlad, that got me past that error. I've run into a few more, but have been working through them. I may ask for some help converting my old scripts that were working with the bro 2.1 git repository from 11/2012.

Tyler

From bennetc at lcc.edu Mon Jul 29 05:54:07 2013
From: bennetc at lcc.edu (Chris Bennett)
Date: Mon, 29 Jul 2013 08:54:07 -0400
Subject: [Bro] Bro working with a Cisco Ironport WSA
Message-ID: <20130729085407056.00000001536@ISIS-WIN7-5>

I was trying out BRO and was using a span port from the inside interface of our firewall. I was wondering if there is any feature in BRO that you can use to understand all the redirection that happens because of our new Cisco WSA. BRO is going bonkers with all the half-open sessions, etc. that the WCCP redirects from the firewall to the WSA cause. I am thinking that I will have to better engineer where I am looking at traffic, but I thought I would ask first.

Thanks for any insight you can provide.

Chris Bennett, CISSP, GSNA
Dir. of Information Security and Infrastructure Support
Lansing Community College
517-483-5264
From jsiwek at illinois.edu Mon Jul 29 08:43:14 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 29 Jul 2013 15:43:14 +0000
Subject: [Bro] vulnerable.bro error on check, Was RE: Myricom and Bro
In-Reply-To: <0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu>
References: <0AA5D924DE90AF48BBD563CCD296B8FBD99603894A@EXC2.ad.colorado.edu>
Message-ID:

> Is it safe to assume accounts didn't get ported over to the new Tracker?

Accounts existing before July 17th should be ported, but all must perform a password reset.

- Jon

From bruisebrotherprobert at gmail.com Mon Jul 29 10:23:15 2013
From: bruisebrotherprobert at gmail.com (Bob Probert)
Date: Mon, 29 Jul 2013 10:23:15 -0700
Subject: [Bro] Elastic Search
Message-ID:

Seth,

I read on the security-onion list that Bro's Elastic Search writer doesn't write the correct metadata indexes for use with Kibana. Can you elaborate?

https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0

Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this?

http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro

Thanks!!
From vladg at cmu.edu Mon Jul 29 12:48:17 2013
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Mon, 29 Jul 2013 19:48:17 +0000
Subject: [Bro] Elastic Search
In-Reply-To: <27744_1375118988_r6THTlHr007114_CAA+XsoeyCh=btXUVMAaDmw61mjU8TZaM3z8d7knd_qmgQXtXGA@mail.gmail.com>
References: <27744_1375118988_r6THTlHr007114_CAA+XsoeyCh=btXUVMAaDmw61mjU8TZaM3z8d7knd_qmgQXtXGA@mail.gmail.com>
Message-ID: <1202BE242E080642B0CD0AD0A03E8552D6402B@PGH-MSGMB-03.andrew.ad.cmu.edu>

On Jul 29, 2013, at 1:23 PM, Bob Probert wrote:

> Seth,
>
> I read on the security-onion list that Bro's Elastic Search writer doesn't write the correct metadata indexes for use with Kibana. Can you elaborate?
>
> https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0

Previous versions of Kibana were designed to only work with Logstash data, which introduces certain assumptions about the way the data is stored. At one point, I had a fork of Kibana that worked with Bro, because it allowed extra configuration. I haven't updated it with the release of Kibana3, and don't intend to. Kibana3 might be flexible enough to support Bro's data, but I haven't checked yet.

If you are interested in using Kibana, I would advise you to be *very* careful about the risks introduced by allowing a user's browser to directly query ElasticSearch. ElasticSearch has no security protections, and all it takes is a curl -XDELETE es.local:9200 to delete all your log data. Kibana does come with a sample nginx config, so I would definitely look at that at least.

> Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this?
>
> http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro

Bro queues undelivered log messages in memory.
If Bro is logging faster than ElasticSearch can accept logs, more and more memory is used. There's no memory leak - if your ElasticSearch server can't keep up, the logs simply have nowhere to go, and instead of being dropped, they just queue up on the manager. --Vlad From bruisebrotherprobert at gmail.com Mon Jul 29 13:05:48 2013 From: bruisebrotherprobert at gmail.com (Bob Probert) Date: Mon, 29 Jul 2013 13:05:48 -0700 Subject: [Bro] Elastic Search In-Reply-To: <1202BE242E080642B0CD0AD0A03E8552D6402B@PGH-MSGMB-03.andrew.ad.cmu.edu> References: <27744_1375118988_r6THTlHr007114_CAA+XsoeyCh=btXUVMAaDmw61mjU8TZaM3z8d7knd_qmgQXtXGA@mail.gmail.com> <1202BE242E080642B0CD0AD0A03E8552D6402B@PGH-MSGMB-03.andrew.ad.cmu.edu> Message-ID: Vlad, Thank you for the quick response! What is on the roadmap for Brownian? On Mon, Jul 29, 2013 at 12:48 PM, Vlad Grigorescu wrote: > On Jul 29, 2013, at 1:23 PM, Bob Probert > wrote: > > > Seth, > > > > I read on the security-onion list that Bro's Elastic Search writer > doesn't write the correct metadata indexes for use with Kibana. Can you > elaborate? > > > > https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0 > > Previous versions of Kibana were designed to only work with Logstash data, > which introduces certain assumptions about the way the data is stored. At > one point, I had a fork of Kibana that worked with Bro, because it allowed > extra configuration. I haven't updated it with the release of Kibana3, and > don't intend to. Kibana3 might be flexible enough to support Bro's data, > but I haven't checked yet. > > If you are interested in using Kibana, I would advise you to be *very* > careful about the risks introduced by allowing a user's browser to directly > query ElasticSearch. ElasticSearch has no security protections, and all it > takes is a curl -XDELETE es.local:9200 to delete all your log data. Kibana > does come with a sample nginx config, so I would definitely look at that at > least. 
>
> > Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this?
> >
> > http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro
>
> Bro queues undelivered log messages in memory. If Bro is logging faster than ElasticSearch can accept logs, more and more memory is used. There's no memory leak - if your ElasticSearch server can't keep up, the logs simply have nowhere to go, and instead of being dropped, they just queue up on the manager.
>
> --Vlad

From jes.smith.bro at aol.com Wed Jul 31 07:15:46 2013
From: jes.smith.bro at aol.com (Jessica Smith)
Date: Wed, 31 Jul 2013 10:15:46 -0400 (EDT)
Subject: [Bro] SSL: Check Certs Revoked
Message-ID: <8D05C0F9561FCE1-1CB0-112B7@webmail-m231.sysops.aol.com>

Hi, how can I check if an X.509 certificate has been revoked?

Thanks in advance.

Jessica.
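Returning to Vlad's warning in the Elastic Search thread above (a browser that can reach ElasticSearch directly can also issue the DELETE that wipes every index), here is an added example of the kind of gate he points at: an nginx reverse proxy that lets Kibana search Bro's indices and nothing else. It is not the sample config that ships with Kibana and not code from the thread; it assumes ElasticSearch is bound to 127.0.0.1:9200, that Bro's indices are named bro-*, and that the certificate, key and htpasswd paths are placeholders.

```nginx
# Added example (not Kibana's bundled config, not from the thread): nginx as a
# read-only gate in front of ElasticSearch. Assumptions: ElasticSearch listens
# only on 127.0.0.1:9200, Bro's indices are named bro-*, and the certificate,
# key and htpasswd paths below are placeholders.
upstream elasticsearch {
    server 127.0.0.1:9200;
}

server {
    listen      9443 ssl;
    server_name es.local;                    # host name used in the thread

    ssl_certificate     /etc/nginx/es.crt;   # placeholder
    ssl_certificate_key /etc/nginx/es.key;   # placeholder

    # Every request is authenticated; the browser never talks to 9200 itself.
    auth_basic           "ElasticSearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;   # placeholder

    # Refuse every method except GET and POST before any location is matched,
    # so a DELETE is answered by nginx and never reaches ElasticSearch.
    if ($request_method !~ ^(GET|POST)$) {
        return 405;
    }

    # Kibana only needs to search Bro's indices and read their mappings.
    # POST is allowed here solely because _search takes its query in the body.
    # The index part excludes "," so a comma-separated index list cannot be
    # used to reach indices outside bro-*.
    location ~ ^/bro-[^/,]+/(_search|_mapping)(/|$) {
        proxy_pass       http://elasticsearch;
        proxy_set_header Host $host;
    }

    # Everything else (index creation or deletion, _bulk, settings, _cluster)
    # is denied. If a client genuinely needs to write to one index, add a
    # location for that index by name rather than relaxing the method check.
    location / {
        return 403;
    }
}
```

With this in place the curl from the thread gets a 405 from nginx, and ElasticSearch itself is reachable only from the proxy host.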
