From jlay at slave-tothe-box.net Sat Jun 1 07:21:30 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Sat, 1 Jun 2013 08:21:30 -0600
Subject: [Bro] Status crashed
Message-ID: <1CBD05E7-997A-4354-9ADF-BC8181EC83E4@slave-tothe-box.net>

So... at some point in time, my bro crashed. I lost about 4 days' worth of data. I checked syslogs and found no indication of this... is there any way to get a log or notification or something when this happens?

Thank you.

James

From seth at icir.org Sun Jun 2 17:53:31 2013
From: seth at icir.org (Seth Hall)
Date: Sun, 2 Jun 2013 20:53:31 -0400
Subject: [Bro] Status crashed
In-Reply-To: <1CBD05E7-997A-4354-9ADF-BC8181EC83E4@slave-tothe-box.net>
References: <1CBD05E7-997A-4354-9ADF-BC8181EC83E4@slave-tothe-box.net>
Message-ID: <7420A103-F1C9-4B91-92B7-B684E8E7A981@icir.org>

On Jun 1, 2013, at 10:21 AM, James Lay wrote:

> So... at some point in time, my bro crashed. I lost about 4 days' worth of data. I checked syslogs and found no indication of this... is there any way to get a log or notification or something when this happens? Thank you.

Do you have a cron job installed to run the "broctl cron" command?

Also, you probably want to check that the cron command is enabled with "broctl cron ?"

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From hckim at narusec.com Mon Jun 3 02:39:14 2013
From: hckim at narusec.com (김희철)
Date: Mon, 3 Jun 2013 18:39:14 +0900
Subject: [Bro] add TTL to conn.log

Hi everyone,

I am trying to add a TTL field to conn.log but cannot seem to get the TTL. There is TTL in base/event.bif, but I cannot get it to work. Could anyone help me out?

Thank you
From jlay at slave-tothe-box.net Mon Jun 3 03:39:50 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Mon, 3 Jun 2013 04:39:50 -0600
Subject: [Bro] Status crashed
In-Reply-To: <7420A103-F1C9-4B91-92B7-B684E8E7A981@icir.org>
References: <1CBD05E7-997A-4354-9ADF-BC8181EC83E4@slave-tothe-box.net> <7420A103-F1C9-4B91-92B7-B684E8E7A981@icir.org>
Message-ID: <4974C3EC-DF68-4DF7-900F-B6AB8F50E183@slave-tothe-box.net>

On Jun 2, 2013, at 6:53 PM, Seth Hall wrote:

> On Jun 1, 2013, at 10:21 AM, James Lay wrote:
>
>> So... at some point in time, my bro crashed. I lost about 4 days' worth of data. I checked syslogs and found no indication of this... is there any way to get a log or notification or something when this happens? Thank you.
>
> Do you have a cron job installed to run the "broctl cron" command?
>
> Also, you probably want to check that the cron command is enabled with "broctl cron ?"
>
> .Seth

I'd neglected to add that in... thanks Seth!

James

From mike.patterson at uwaterloo.ca Mon Jun 3 04:10:11 2013
From: mike.patterson at uwaterloo.ca (Mike Patterson)
Date: Mon, 3 Jun 2013 07:10:11 -0400
Subject: [Bro] Status crashed
In-Reply-To: <7420A103-F1C9-4B91-92B7-B684E8E7A981@icir.org>
References: <1CBD05E7-997A-4354-9ADF-BC8181EC83E4@slave-tothe-box.net> <7420A103-F1C9-4B91-92B7-B684E8E7A981@icir.org>
Message-ID: <515A77F8-5719-4C6D-B019-9AE88697961B@uwaterloo.ca>

On 2013-06-02, at 8:53 PM, Seth Hall wrote:

> On Jun 1, 2013, at 10:21 AM, James Lay wrote:
>
>> So... at some point in time, my bro crashed. I lost about 4 days' worth of data. I checked syslogs and found no indication of this... is there any way to get a log or notification or something when this happens? Thank you.
>
> Do you have a cron job installed to run the "broctl cron" command?
> Also, you probably want to check that the cron command is enabled with "broctl cron ?"

And in the belt-and-suspenders approach, you probably want to monitor the status of the processes with Nagios, Zabbix, or some other system/host monitoring system. If my number of Bro processes drops below a certain figure, I get an email. Could be a page if I wanted it to be.

And while you're configuring Bro monitoring, you might as well go ahead and monitor other things that can affect your monitor: free disk space, CPU, free RAM, dropped packets on the network interface, etc.

This doesn't help you *this* time, but if there's a next time, you'll at least find out about it before more than several days have gone by.

Mike

From seth at icir.org Mon Jun 3 06:00:58 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Jun 2013 09:00:58 -0400
Subject: [Bro] add TTL to conn.log

On Jun 3, 2013, at 5:39 AM, 김희철 wrote:

> I am trying to add a TTL field to conn.log
> but cannot seem to get the TTL

TTL is given per-packet, but the conn logs represent an entire connection. What are you looking to get?

> there is TTL in base/event.bif, but I cannot get it to work.

I have no clue what you're talking about here.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From hhoffman at ip-solutions.net Mon Jun 3 09:28:06 2013
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Mon, 03 Jun 2013 12:28:06 -0400
Subject: [Bro] Chimera
Message-ID: <51ACC416.2070608@ip-solutions.net>

Hi All,

Wondering if anyone is playing around with Chimera[1], and if so, what your thoughts are about using it.
Cheers,
Harry

[1] http://chimera-query.org/

From seth at icir.org Mon Jun 3 09:46:46 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Jun 2013 12:46:46 -0400
Subject: [Bro] Chimera
In-Reply-To: <51ACC416.2070608@ip-solutions.net>
References: <51ACC416.2070608@ip-solutions.net>

On Jun 3, 2013, at 12:28 PM, Harry Hoffman wrote:

> Wondering if anyone is playing around with Chimera[1], and if so, what
> your thoughts are about using it.

The code hasn't been released.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From oguzyarimtepe at gmail.com Mon Jun 3 12:02:37 2013
From: oguzyarimtepe at gmail.com (Oğuz Yarımtepe)
Date: Mon, 3 Jun 2013 22:02:37 +0300
Subject: [Bro] importing bro rules

Hi,

Is there any way to use Bro rules in an external program? I want to detect raw traffic anomalies/attacks, and instead of installing Bro I wonder whether I can just use the rules and parse them to gather some information. Maybe there exists an already written solution?

Regards.

--
Oğuz Yarımtepe
http://about.me/oguzy

From James.Richards at wisconsin.gov Mon Jun 3 14:01:01 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Mon, 3 Jun 2013 16:01:01 -0500
Subject: [Bro] My continuing lock file issue
In-Reply-To: <20130531220217.GN54508@icir.org>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119C09@MEWMAD0PC01G02.accounts.wistate.us> <20130531220217.GN54508@icir.org>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5710C5@MEWMAD0PC01G02.accounts.wistate.us>

It was, under var/spool/cron/crontabs. I got rid of the entries, and broctl now works flawlessly.
But now my nodes won't start. I can see the 'install' command happily updating the nodes via ssh, but they won't start. So I started to chase it down via the scripts to run at startup (smtp, connections, software, etc.), so I copied the sites/local.bro from an older subdirectory (previous install) to my new install, but now manager is stopping with an error.

No replies necessary, as I think I am almost there. Thanks all for your help, it is appreciated, and I have learned a bunch.

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Friday, May 31, 2013 5:02 PM
To: Richards, James L - DOA
Cc: bro at bro.org
Subject: Re: [Bro] My continuing lock file issue

On Fri, May 31, 2013 at 15:16 -0500, Richards, James L - DOA wrote:

> I do notice that when I go into /usr/local/bro/spool, I get some files
> showing up being owned by root, and it doesn't seem it should be.

Just a guess: is "broctl cron" executed from the system crontab?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin

From seth at icir.org Mon Jun 3 19:11:15 2013
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Jun 2013 22:11:15 -0400
Subject: [Bro] importing bro rules

On Jun 3, 2013, at 3:02 PM, Oğuz Yarımtepe wrote:

> Is there any way to use Bro rules in an external program? I want to detect raw traffic anomalies/attacks, and instead of installing Bro I wonder whether I can just use the rules and parse them to gather some information. Maybe there exists an already written solution?

I believe you are misunderstanding Bro. Please give it a try instead of trying to avoid it.
:)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From paul.halliday at gmail.com Tue Jun 4 04:14:51 2013
From: paul.halliday at gmail.com (Paul Halliday)
Date: Tue, 4 Jun 2013 08:14:51 -0300
Subject: [Bro] Question about fields in the notice log

What is the difference between id.orig_h, id.resp_h and src,dst?

--
Paul Halliday
http://www.pintumbler.org/

From srunnels at gmail.com Tue Jun 4 06:55:46 2013
From: srunnels at gmail.com (Scott Runnels)
Date: Tue, 4 Jun 2013 09:55:46 -0400
Subject: [Bro] Question about fields in the notice log

Hi Paul,

src and dst are used if there isn't a connection id.

source: http://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.html#type-Notice::Info

    src: addr &log &optional
        Source address, if we don't have a conn_id.

    dst: addr &log &optional
        Destination address.

Scott Runnels

On Tue, Jun 4, 2013 at 7:14 AM, Paul Halliday wrote:

> What is the difference between id.orig_h, id.resp_h and src,dst?
>
> --
> Paul Halliday
> http://www.pintumbler.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From seth at icir.org Tue Jun 4 11:01:06 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 4 Jun 2013 14:01:06 -0400
Subject: [Bro] Question about fields in the notice log
Message-ID: <11A96F8C-23B8-47B5-A3A7-1BA924D375DB@icir.org>

On Jun 4, 2013, at 7:14 AM, Paul Halliday wrote:

> What is the difference between id.orig_h, id.resp_h and src,dst?

Not much. :)

I think the original intent behind them was that in cases where there is no obvious directionality (i.e.
non-tcp) the src and dst fields would be used since they indicate the sender and receiver of an individual packet and don't represent a "connection". I've been using the src field for notices that only reference a single host too, although ultimately I don't think that's a good thing. We should probably add a host field for cases where only a single host is being referred to in the notice.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Tue Jun 4 11:36:46 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 4 Jun 2013 14:36:46 -0400
Subject: [Bro] PF_Ring+DNA and Bro
Message-ID: <131F7273-BEF1-43EF-8F67-C170DDFC70BA@icir.org>

Is there anyone around with PF_Ring and DNA experience that would be willing to test our PF_Ring+DNA BroControl support for us so that we can get it into the 2.2 release?

http://tracker.bro.org/bro/ticket/845

Let me know if you have time and the hardware to help us test this.

Thanks!

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From alexwis at gmail.com Tue Jun 4 20:51:13 2013
From: alexwis at gmail.com (Alex Waher)
Date: Tue, 4 Jun 2013 20:51:13 -0700
Subject: [Bro] PF_Ring+DNA and Bro
In-Reply-To: <131F7273-BEF1-43EF-8F67-C170DDFC70BA@icir.org>
References: <131F7273-BEF1-43EF-8F67-C170DDFC70BA@icir.org>

I'm still on a demo DNA license for now, but some quick notes (and while I haven't gotten set up with the git repo either!):

`pfdnacluster_master` would need to be find-able in bro's helper run-cmd path (or add an option into broctl.cfg..
what I opted for just now).

Add the daemon -d option to line 34 of lb_pf_ring_dna.py; interactive mode looks to lock up broctl. Alas, need to keep track of this daemon pid now.

The bro worker's interface needs to launch on `dnacluster:` (bro -i dnacluster:21 ..etc..)

Will do some more testing later this week, time permitting.

On Tue, Jun 4, 2013 at 11:36 AM, Seth Hall wrote:

> Is there anyone around with PF_Ring and DNA experience that would be
> willing to test our PF_Ring+DNA BroControl support for us so that we can
> get it into the 2.2 release?
>
> http://tracker.bro.org/bro/ticket/845
>
> Let me know if you have time and the hardware to help us test this.
>
> Thanks!
> .Seth

From seth at icir.org Tue Jun 4 20:57:48 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 4 Jun 2013 23:57:48 -0400
Subject: [Bro] PF_Ring+DNA and Bro
References: <131F7273-BEF1-43EF-8F67-C170DDFC70BA@icir.org>

On Jun 4, 2013, at 11:51 PM, Alex Waher wrote:

> Will do some more testing later this week, time permitting

Thanks! It looks like we should have some updates for that script tomorrow from someone else that was testing.
:)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From robin at icir.org Wed Jun 5 07:38:28 2013
From: robin at icir.org (Robin Sommer)
Date: Wed, 5 Jun 2013 07:38:28 -0700
Subject: [Bro] Help Us Demonstrate Bro's Impact: Deployment Survey
Message-ID: <20130605143828.GF3330@icir.org>

In 2010, the Bro Team received a grant from the National Science Foundation (NSF) to advance the state of the system, with a particular focus on making Bro easier to deploy. Much of the work on Bro 2.x has been (and still is) funded out of this grant.

We'd like to demonstrate to NSF that their support has made a real difference and have prepared a short survey aimed at better understanding today's state of Bro deployments. If you're running Bro on your organisation's network, please take a few minutes to fill it out (it's anonymous and really short!):

https://www.surveymonkey.com/s/bro-deployment

Many thanks in advance; a strong response may help us secure future funding to continue the current work.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin

From seth at icir.org Thu Jun 6 05:59:22 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 6 Jun 2013 08:59:22 -0400
Subject: [Bro] Bro Exchange 2013

We're happy to announce that the Bro Exchange is returning to NCSA this August!

http://blog.bro.org/2013/06/announcing-bro-exchange-2013-and.html

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From rjenkins at rmjconsulting.net Thu Jun 6 06:32:43 2013
From: rjenkins at rmjconsulting.net (Ron Jenkins)
Date: Thu, 6 Jun 2013 13:32:43 +0000
Subject: [Bro] Bro Exchange 2013

Just registered for Bro Exchange 2013! Looking forward to the event.

From kyunsang.song at inspien.co.kr Thu Jun 6 23:07:44 2013
From: kyunsang.song at inspien.co.kr (kyunsang.song at inspien.co.kr)
Date: Fri, 7 Jun 2013 15:07:44 +0900
Subject: [Bro] How can I receive tcp_contents event over 1500 bytes.

Hi, I'm new to bro.

I received the tcp_contents (reassembled tcp payload) event with broccoli, but bro doesn't emit events over 1500 bytes (approx.).

How can I receive the tcp_contents event properly?

Below is my local.bro
========================================
@load frameworks/communication/listen

redef tcp_reassembler_ports_resp: set[port] = { 3200/tcp, 3201/tcp };
redef tcp_content_deliver_all_orig: bool = T;
redef tcp_content_deliver_all_resp: bool = T;
========================================

Thanks in advance.
From jlay at slave-tothe-box.net Sun Jun 9 06:03:59 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Sun, 9 Jun 2013 07:03:59 -0600
Subject: [Bro] Seeing packets

Any way to disable these types of emails:

localhost is seeing packets again on interface eth0

Kinda silly ;) Thank you.

James

From jlay at slave-tothe-box.net Tue Jun 11 00:25:31 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Tue, 11 Jun 2013 01:25:31 -0600
Subject: [Bro] Seeing packets

On Jun 9, 2013, at 7:03 AM, James Lay wrote:

> Any way to disable these types of emails:
>
> localhost is seeing packets again on interface eth0
>
> Kinda silly ;) Thank you.
>
> James

Anyone?

James

From hckim at narusec.com Thu Jun 13 03:30:17 2013
From: hckim at narusec.com (김희철)
Date: Thu, 13 Jun 2013 19:30:17 +0900
Subject: [Bro] adding date into file extraction directory

Hi,

I made a change to local.bro to do HTTP file extraction and set the saving directory to ../files/http/file-http.

The problem is there are too many files in the http directory, so is there a way to make an automatic date directory under http:

../files/http/today's date/file-http

with the date changing automatically?

I used the commands:

redef HTTP::extract_file_types = /application\/.*/;
redef HTTP::extraction_prefix = "../files/http/file-http";

thank you
From jlay at slave-tothe-box.net Thu Jun 13 04:44:54 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 13 Jun 2013 05:44:54 -0600
Subject: [Bro] Seeing packets

And a third time now... I've looked through the scripts and I don't see any reference to this.. I've googled and searched the docs.. nothing on this. I know it's part of the cron job process, but that's all I know. Maybe if I post some config data I'll get ANY response eh? Here's my broctl config... thanks for any insight.

alive-localhost = 0
bindir = /opt/bin
bro = /opt/bin/bro
bro-crashed = 0
bro-pid = 3573
bro-port = 47760
broargs =
brobase = /opt
broctlconfigdir = /opt/spool
broversion = 2.1
capstatspath = /opt/bin/capstats
cfgdir = /opt/etc
cflowaddress =
cflowpassword =
cflowuser =
commtimeout = 10
compresslogs = 1
cron = 0
croncmd =
debug = 0
debuglog = /opt/spool/debug.log
disk-space-bro-dev-sda1 = 24.6
havenfs = 0
helperdir = /opt/share/broctl/scripts/helpers
home =
ipv6comm = 1
lastpkts-bro = 50.0
libdir = /opt/lib
libdirinternal = /opt/lib/broctl
localnetscfg = /opt/etc/networks.cfg
lockfile = /opt/spool/lock
logdir = /opt/logs
logexpireinterval = 0
logrotationinterval = 86400
mailalarmsto = root at localhost
mailfrom = Big Brother
mailreplyto =
mailsubjectprefix = [Bro]
mailto = root at localhost
makearchivename = /opt/share/broctl/scripts/make-archive-name
manager-crashed = 0
manager-pid =
manager-port = 47761
memlimit = unlimited
mindiskspace = 5
nodecfg = /opt/etc/node.cfg
os = linux
pfringclusterid = 0
plugindir = /opt/lib/broctl/plugins
policydir = /opt/share/bro
policydirsiteinstall = /opt/spool/installed-scripts-do-not-touch/site
policydirsiteinstallauto = /opt/spool/installed-scripts-do-not-touch/auto
postprocdir = /opt/share/broctl/scripts/postprocessors
prefixes = local
proxy-1-crashed = 0
proxy-1-pid =
proxy-1-port = 47762
savetraces = 0
scriptsdir = /opt/share/broctl/scripts
sendmail = /usr/sbin/sendmail
sigint = 0
sitepluginpath =
sitepolicymanager = local-manager.bro
sitepolicypath = /opt/share/bro/site
sitepolicystandalone = local.bro
sitepolicyworker = local-worker.bro
spooldir = /opt/spool
standalone = 1
statefile = /opt/spool/broctl.dat
staticdir = /opt/share/broctl
statsdir = /opt/logs/stats
statslog = /opt/spool/stats.log
stoptimeout = 60
test.enabled = 0
test.foo = 1
time = /usr/bin/time
timefmt = %d %b %H:%M:%S
timemachinehost =
timemachineport = 47757/tcp
tmpdir = /opt/spool/tmp
tmpexecdir = /opt/spool/tmp
tracesummary = /opt/bin/trace-summary
version = 1.1
worker-1-crashed = 0
worker-1-pid =
worker-1-port = 47763
worker-2-crashed = 0
worker-2-pid =
worker-2-port = 47764
zoneid =

On Jun 11, 2013, at 1:25 AM, James Lay wrote:

> On Jun 9, 2013, at 7:03 AM, James Lay wrote:
>
>> Any way to disable these types of emails:
>>
>> localhost is seeing packets again on interface eth0
>>
>> Kinda silly ;) Thank you.
>>
>> James
>
> Anyone?
>
> James

From James.Richards at wisconsin.gov Thu Jun 13 09:03:26 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 13 Jun 2013 11:03:26 -0500
Subject: [Bro] Nodes still crashing/Site specific files
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us>

I am back onto bro, and still addressing some issues.

When performing a new installation, I would like to copy back my site-specific files with modifications, and it appears that some files live outside of the /usr/local/bro directory. Does anyone know offhand where I should look for these files?
I have performed a new install, then copied the files from a previous working version of bro from the /usr/local/previous-bro/share/bro/site and /usr/local/previous-bro/spool/ directories to the current bro install... but all of my nodes crash upon issuing the START command from broctl. I also repointed bro using ln -s PREVIOUS-WORKIN-BRO bro, but the same behavior persists.

Anyone run into this?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From jsiwek at illinois.edu Thu Jun 13 10:47:27 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 13 Jun 2013 17:47:27 +0000
Subject: [Bro] adding date into file extraction directory

On Jun 13, 2013, at 5:30 AM, 김희철 wrote:

> I made a change to local.bro to do HTTP file extraction
> and set the saving directory to ../files/http/file-http
>
> The problem is there are too many files in the http directory,
>
> so is there a way to make an automatic date directory under http
>
> ../files/http/today's date/file-http
> with the date changing automatically?
>
> I used the commands
> redef HTTP::extract_file_types = /application\/.*/;
> redef HTTP::extraction_prefix = "../files/http/file-http";

You can't do that by using those existing mechanisms since the extraction prefix is always a string constant at runtime and cannot change. It should be possible/easy to do in the next release when using the generic file analysis interface.

For now, what you could do is basically duplicate the code of scripts/base/protocols/http/file-extract.bro except replace usage of "extraction_prefix" with a call to your own function that returns the file prefix that you want (it would probably use something like "strftime("%Y-%m-%d", current_time())" to get the date part of it).
Then change your local.bro to use your own version of the script.

- Jon

From jsiwek at illinois.edu Thu Jun 13 11:05:51 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 13 Jun 2013 18:05:51 +0000
Subject: [Bro] Seeing packets

On Jun 9, 2013, at 8:03 AM, James Lay wrote:

> Any way to disable these types of emails:
>
> localhost is seeing packets again on interface eth0

I don't see any options to tweak how the output of `broctl cron` is constructed/emailed. You can add a feature request at http://tracker.bro.org/bro.

The quick and dirty way to disable it would be to directly remove or comment out the code that generates those messages in /usr/local/bro/lib/broctl/BroControl/cron.py. (looks like for v2.1, that's lines 119-123).

- Jon

From jsiwek at illinois.edu Thu Jun 13 11:06:25 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 13 Jun 2013 18:06:25 +0000
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us>

On Jun 13, 2013, at 11:03 AM, "Richards, James L - DOA" wrote:

> When performing a new installation, I would like to copy back my site-specific files with modifications, and it appears that some files live outside of the /usr/local/bro directory.

It can depend on how you configured/installed and on what OS, but if you're just doing a default build from source, then nothing should get installed outside /usr/local/bro. What files did you find outside that dir?

> Does anyone know offhand where I should look for these files?
This should be all of them:

/usr/local/bro/share/bro/site/local.bro
/usr/local/bro/share/bro/site/local-manager.bro
/usr/local/bro/share/bro/site/local-proxy.bro
/usr/local/bro/share/bro/site/local-worker.bro
/usr/local/bro/etc/broctl.cfg
/usr/local/bro/etc/networks.cfg
/usr/local/bro/etc/node.cfg
/usr/local/bro/etc/broccoli.conf

> I have performed a new install, then copied the files from a previous working version of bro from the /usr/local/previous-bro/share/bro/site and /usr/local/previous-bro/spool/ directories to the current bro install... but all of my nodes crash upon issuing the START command from broctl.

Copying the spool dir between installs isn't typical. But you could use `broctl diag` to get more info about why the nodes don't start.

- Jon

From jlay at slave-tothe-box.net Thu Jun 13 11:09:54 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 13 Jun 2013 12:09:54 -0600
Subject: [Bro] Seeing packets
Message-ID: <7aa445d8dd5d403f31130c301b22dc32@localhost>

On 2013-06-13 12:05, Siwek, Jonathan Luke wrote:

> On Jun 9, 2013, at 8:03 AM, James Lay wrote:
>
>> Any way to disable these types of emails:
>>
>> localhost is seeing packets again on interface eth0
>
> I don't see any options to tweak how the output of `broctl cron` is
> constructed/emailed. You can add a feature request at
> http://tracker.bro.org/bro.
>
> The quick and dirty way to disable it would be to directly remove or
> comment out the code that generates those messages in
> /usr/local/bro/lib/broctl/BroControl/cron.py. (looks like for v2.1,
> that's lines 119-123).
>
> - Jon

Thanks Jon... Mike Patterson sent me this offlist, and here's my response as well:

> Are you getting this constantly? I do get it on occasion, when something horrid has happened (link is down or a worker has crashed) but otherwise, my Bro install is silent.
>
> Mike

This is listening on my home LAN... so when it's not in use for 5 minutes, not uncommon, I'll see these. Thanks for the response.
I'll take a peek at cron.py and file a feature request as well... thanks again, it does help.

James

From James.Richards at wisconsin.gov Thu Jun 13 12:04:47 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 13 Jun 2013 14:04:47 -0500
Subject: [Bro] Nodes still crashing/Site specific files
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>

When I do a broctl check, all nodes come back as OK.

When I do a broctl diag I get:

[worker-3-8]

No gdb installed.

==== No reporter.log

==== stderr.log
/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

==== stdout.log
unlimited
unlimited
unlimited

==== .cmdline
-i eth4 -U .status -p broctl -p broctl-live -p local -p worker-3-8 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
BROPATH=/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/site::/usr/local/bro-20121002/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=worker-3-8

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From James.Richards at wisconsin.gov Thu Jun 13 12:32:22 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 13 Jun 2013 14:32:22 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571613@MEWMAD0PC01G02.accounts.wistate.us>

In looking at the below diag... I am seeing an odd directory showing up in the BROPATH; it looks like there are some artifacts of previous installations... Where is the BROPATH set?
James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From soehlert at illinois.edu Thu Jun 13 12:44:26 2013
From: soehlert at illinois.edu (Oehlert, Samuel J)
Date: Thu, 13 Jun 2013 19:44:26 +0000
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID:

There also seems to be an issue with your libpcap install. Whether it's not installed or bro is not looking in the right directory, if bro can't find libpcap, you won't get anywhere.
-Sam

-------
Sam Oehlert
(217) 300-1076
Security Engineer
National Center for Supercomputing Applications

From James.Richards at wisconsin.gov Thu Jun 13 12:56:35 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 13 Jun 2013 14:56:35 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571613@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571613@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571618@MEWMAD0PC01G02.accounts.wistate.us>

Could this be due to the use of PFRING?
James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880
From jsiwek at illinois.edu Thu Jun 13 13:00:13 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 13 Jun 2013 20:00:13 +0000
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID:

On Jun 13, 2013, at 2:04 PM, "Richards, James L - DOA" wrote:

> /usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

That usually means the linker can't resolve a path to that library. Did you link against a libpcap that's installed in a non-standard path? If `ldd /usr/local/bro/bin/bro` tells you it can't find libpcap, it's either really missing from your system or you need to teach the linker how to find it in a non-standard path.

> In looking at the below diag... I am seeing an odd directory showing up in the BROPATH, it looks like there are some artifacts of previous installations...
>
> Where is the BROPATH set?

Check your etc/broctl.cfg to see if the paths are as you expect. I think at least SpoolDir goes in to BROPATH and if you just copied the file from a previous install, then it's going to be wrong.

- Jon

From carlopmart at gmail.com Thu Jun 13 22:47:24 2013
From: carlopmart at gmail.com (C. L. Martinez)
Date: Fri, 14 Jun 2013 05:47:24 +0000
Subject: [Bro] Testing pre-Bro 2.2
Message-ID:

HI all,

Is it possible to test pre-Bro 2.2?? Is this https://github.com/bro/bro an official mirror??

I would like to test new features under my OpenBSD IDS systems

Thanks

From vallentin at icir.org Thu Jun 13 23:18:17 2013
From: vallentin at icir.org (Matthias Vallentin)
Date: Thu, 13 Jun 2013 23:18:17 -0700
Subject: [Bro] Testing pre-Bro 2.2
In-Reply-To:
References:
Message-ID:

> Is it possible to test pre-Bro 2.2??

Sure, just use git/master which will eventually become v2.2.

> Is this
> https://github.com/bro/bro an official mirror??

Yes, this is our official github outlet. You can find our main repositories at http://git.bro.org. Each push to git.bro.org results in an update of the github mirror and you don't have to worry about getting out of sync.

If you're interested in the full repository feed across branches, have a look at https://github.com/organizations/bro.

Matthias

From rjenkins at rmjconsulting.net Fri Jun 14 03:56:41 2013
From: rjenkins at rmjconsulting.net (Ron Jenkins)
Date: Fri, 14 Jun 2013 10:56:41 +0000
Subject: [Bro] Testing pre-Bro 2.2
In-Reply-To:
References: ,
Message-ID:

Good morning;

How far out is the official release?

Thanks

Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,MCPS,MCNPS,CCNA)
RMJ Consulting, LLC. "Bringing Companies and Solutions Together"
Owner / Senior Architect
Physical Address 11715 Bricksome Ave STE B-7 Baton Rouge, LA 70816
Mail Address 7575 Jefferson Hwy #103 Baton Rouge, LA 70806
Toll. 855-448-5214
Direct. 225-448-5214
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins at rmjconsulting.net
Web. http://www.rmjconsulting.net
http://www.linkedin.com/in/ronmjenkins
From James.Richards at wisconsin.gov Fri Jun 14 06:44:30 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 14 Jun 2013 08:44:30 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To:
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us>

Ahhh,

We are running pfring, which is located in /usr/local/pfring/lib which shows up doing an ldconfig -v

/usr/local/pfring/lib:
	libpfring.so -> libpfring.so
	libpcap.so.1 -> libpcap.so.1.1.1

But I am seeing that libpcap.so.0.8 is being referenced in the error, is this the issue which has been plaguing me?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From James.Richards at wisconsin.gov Fri Jun 14 07:57:08 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 14 Jun 2013 09:57:08 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57165E@MEWMAD0PC01G02.accounts.wistate.us>

OK, now I think I have that figured out.

I ran ./configure --prefix=/usr/local/bro --with-pcap=/usr/local/pfring
Then make, make install, chown -R etc.

It is no longer giving me the libpcap in diag, but I am now getting:

fatal error: /usr/local/bro/bin/bro: problem with interface eth4 - pcap_open_live: eth4: You don't have permission to capture on that device (socket: Operation not permitted)

Am I getting closer, or am I further ruining this...
James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From jsiwek at illinois.edu Fri Jun 14 08:24:59 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Fri, 14 Jun 2013 15:24:59 +0000
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57165E@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57165E@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID:

On Jun 14, 2013, at 9:57 AM, "Richards, James L - DOA" wrote:

> I ran ./configure --prefix=/usr/local/bro --with-pcap=/usr/local/pfring
> Then make, make install, chown -R etc.
>
> It is no longer giving me the libpcap in diag, but I am now getting:
>
> fatal error: /usr/local/bro/bin/bro: problem with interface eth4 - pcap_open_live: eth4: You don't have permission to capture on that device (socket: Operation not permitted)

What user were you `chown`ing things to? You'll have to do something extra for non-root users to be able to capture packets, see [1].
- Jon

[1] http://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user

From James.Richards at wisconsin.gov Fri Jun 14 08:27:38 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 14 Jun 2013 10:27:38 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To:
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57165E@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571666@MEWMAD0PC01G02.accounts.wistate.us>

That is just what I was looking at... everything is running as user bro...

Thanks much...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From mcholste at gmail.com Fri Jun 14 10:56:47 2013
From: mcholste at gmail.com (Martin Holste)
Date: Fri, 14 Jun 2013 12:56:47 -0500
Subject: [Bro] Nodes still crashing/Site specific files
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571666@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5715D2@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571608@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57164E@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F57165E@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F571666@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID:

You need to use the setcap utility to allow the Bro user the ability to open an interface promiscuously.
From jeff at scaparra.com Tue Jun 18 22:34:29 2013
From: jeff at scaparra.com (Jeff Scaparra)
Date: Wed, 19 Jun 2013 01:34:29 -0400
Subject: [Bro] PF_RING Clustering Problem
Message-ID:

I followed this howto http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html however I am finding bro is now reporting 4 of everything so the load balancing isn't working. How can I verify PF_RING is load balancing or what could I be missing? Is there a better document I should be looking at?

Jeff

From seth at icir.org Wed Jun 19 09:06:57 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jun 2013 12:06:57 -0400
Subject: [Bro] PF_RING Clustering Problem
In-Reply-To:
References:
Message-ID: <8F528952-92CF-4E94-BD49-807A8E2B946B@icir.org>

On Jun 19, 2013, at 1:34 AM, Jeff Scaparra wrote:

> I followed this howto http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html however I am finding bro is now reporting 4 of everything so the load balancing isn't working. How can I verify PF_RING is load balancing or what could I be missing? Is there a better document I should be looking at?

Those directions are outdated. Instead of configuring separate workers you should configure a single worker per interface you are sniffing like this:

[worker-1]
host=1.2.3.4
interface=eth0
lb_method=pf_ring
lb_procs=4

That will automatically enable the pf_ring load balancing and start up four processes that the traffic on eth0 is load balanced across.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Jun 19 09:09:21 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jun 2013 12:09:21 -0400
Subject: [Bro] Testing pre-Bro 2.2
In-Reply-To:
References: ,
Message-ID:

On Jun 14, 2013, at 6:56 AM, Ron Jenkins wrote:

> How far out is the official release?

We aren't sure yet. We have several things we need to finish up before releasing but we aren't at a point where we can give a timetable.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From rjenkins at rmjconsulting.net Wed Jun 19 09:11:22 2013
From: rjenkins at rmjconsulting.net (Ron Jenkins)
Date: Wed, 19 Jun 2013 16:11:22 +0000
Subject: [Bro] Testing pre-Bro 2.2
In-Reply-To:
References: ,
Message-ID:

Thank you for the update!
From seth at icir.org Wed Jun 19 09:11:46 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jun 2013 12:11:46 -0400
Subject: [Bro] Seeing packets
In-Reply-To: <7aa445d8dd5d403f31130c301b22dc32@localhost>
References: <7aa445d8dd5d403f31130c301b22dc32@localhost>
Message-ID: <283E444D-7250-412B-9E3F-F045B55A901D@icir.org>

On Jun 13, 2013, at 2:09 PM, James Lay wrote:

> This is listening on my home LAN...so when it's not in use for 5
> minutes, not uncommon, I'll see these. Thanks for the response.

Ahhh. This is another characteristic of Bro only being used on high volume networks. I'm still hoping that before too much longer we'll have resources to be able to do a bit of a rewrite/rearchitecting of broctl where things like this would be addressed.

Thanks for reporting.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From david at mandelberg.org Wed Jun 19 09:14:43 2013
From: david at mandelberg.org (David Mandelberg)
Date: Wed, 19 Jun 2013 12:14:43 -0400
Subject: [Bro] appending to a vector
Message-ID: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>

Hi,

What's the recommended way to append to a vector? The documentation says vectors are like tables, so I tried the below code, but it gives some errors.

const foo: vector of double = vector() &redef;

redef foo += {
    [|foo|] = 42.0
};

print(foo);

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From srunnels at gmail.com Wed Jun 19 09:24:06 2013
From: srunnels at gmail.com (Scott Runnels)
Date: Wed, 19 Jun 2013 12:24:06 -0400
Subject: [Bro] appending to a vector
In-Reply-To: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
Message-ID:

Hi David,

I think you're looking for something like this:

const foo: vector of double = vector() &redef;
foo[|foo|] = 42.0;

print(foo);

v/r
Scott

Scott Runnels

From david at mandelberg.org Wed Jun 19 09:36:29 2013
From: david at mandelberg.org (David Mandelberg)
Date: Wed, 19 Jun 2013 12:36:29 -0400
Subject: [Bro] appending to a vector
In-Reply-To:
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
Message-ID: <15648ea8a9ef920e19642dc892a447c9@mail.mandelberg.org>

That works... but there's no redef. I thought normal assignment to a const variable was supposed to fail. Isn't that a bug?
> > I think youre looking for something like this: > > const foo: vector of double = vector() &redef; > foo[|foo|] = 42.0; > > print(foo); > > v/r > Scott > > Scott Runnels > > On Wed, Jun 19, 2013 at 12:14 PM, David Mandelberg > wrote: > >> Hi, >> >> Whats the recommended way to append to a vector? The documentation >> says vectors are like tables, so I tried the below code, but it >> gives >> some errors. >> >> const foo: vector of double = vector() &redef; >> >> redef foo += { >> ? ? ?[|foo|] = 42.0 >> }; >> >> print(foo); >> >> -- >> David Eric Mandelberg / dseomn >> http://david.mandelberg.org/ [1] >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org [2] >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [3] > > > > Links: > ------ > [1] http://david.mandelberg.org/ > [2] mailto:bro at bro-ids.org > [3] http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > [4] mailto:david at mandelberg.org -- David Eric Mandelberg / dseomn http://david.mandelberg.org/ From seth at icir.org Wed Jun 19 09:42:26 2013 From: seth at icir.org (Seth Hall) Date: Wed, 19 Jun 2013 12:42:26 -0400 Subject: [Bro] appending to a vector In-Reply-To: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> Message-ID: On Jun 19, 2013, at 12:14 PM, David Mandelberg wrote: > What's the recommended way to append to a vector? Many (most?) of us strongly dislike vectors in Bro. It's likely something that will be improved in the next couple of releases if I had to make a guess. :) > The documentation > says vectors are like tables, so I tried the below code, but it gives > some errors. > > const foo: vector of double = vector() &redef; > > redef foo += { > [|foo|] = 42.0 > }; Hm, I don't know about this if you add more than a single element at a time because the length wouldn't be right. 
If you are using our git master you can use a new construct that was recently added for creating typed containers.

type DoubleVector: vector of double;
const foo = DoubleVector([0] = 42.0, [1] = 43.0, [2] = 44.0);

Generally though you're going to run into weird poorly defined edge cases like this with vectors, when they were added to Bro it was in a sort of ad-hoc fashion and not fully thought out except for the use case in which they were originally used. (the code I gave above may not even work, I haven't tested it!)

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Jun 19 09:50:07 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jun 2013 12:50:07 -0400
Subject: [Bro] appending to a vector
In-Reply-To: <15648ea8a9ef920e19642dc892a447c9@mail.mandelberg.org>
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> <15648ea8a9ef920e19642dc892a447c9@mail.mandelberg.org>
Message-ID:

On Jun 19, 2013, at 12:36 PM, David Mandelberg wrote:

> That works... but there's no redef. I thought normal assignment to a
> const variable was supposed to fail. Isn't that a bug?

Yeah, that's probably a bug.

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jlay at slave-tothe-box.net Wed Jun 19 09:51:42 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 19 Jun 2013 10:51:42 -0600
Subject: [Bro] Seeing packets
In-Reply-To: <283E444D-7250-412B-9E3F-F045B55A901D@icir.org>
References: <7aa445d8dd5d403f31130c301b22dc32@localhost> <283E444D-7250-412B-9E3F-F045B55A901D@icir.org>
Message-ID: <4db6fae6533e9e698fb9514045a2c8d0@localhost>

On 2013-06-19 10:11, Seth Hall wrote:
> On Jun 13, 2013, at 2:09 PM, James Lay
> wrote:
>
>> This is listening on my home LAN...so when it's not in use for 5
>> minutes, not uncommon, I'll see these. Thanks for the response.
>
>
> Ahhh.
This is another characteristic of Bro only being used on high > volume networks. I'm still hoping that before too much longer we'll > have resources to be able to do a bit of a rewrite/rearchitecting of > broctl where things like this would be addressed. > > Thanks for reporting. > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ Thanks Seth. From my own vantage point, maybe providing quick/easy methods to start or stop all things that log/email could be implemented going forward. Thank you. James From david at mandelberg.org Wed Jun 19 09:57:32 2013 From: david at mandelberg.org (David Mandelberg) Date: Wed, 19 Jun 2013 12:57:32 -0400 Subject: [Bro] appending to a vector In-Reply-To: References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> Message-ID: <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org> On 2013-06-19 12:42, Seth Hall wrote: > On Jun 19, 2013, at 12:14 PM, David Mandelberg > wrote: > >> What's the recommended way to append to a vector? > > Many (most?) of us strongly dislike vectors in Bro. It's likely > something that will be improved in the next couple of releases if I > had to make a guess. :) Maybe there's a better way to do what I want without vectors. I have a somewhat complex record type and I want to store multiple records of that type in a container of some sort. I want to be able to iterate over the container, but I don't care about order (vector) or uniqueness (set). When I tried using sets, I got the error below, so I switched to vectors. 
internal error: over-ran key in CompositeHash::RecoverVals Aborted > Generally though you're going to run into weird poorly defined edge > cases like this with vectors :) -- David Eric Mandelberg / dseomn http://david.mandelberg.org/ From seth at icir.org Wed Jun 19 10:06:14 2013 From: seth at icir.org (Seth Hall) Date: Wed, 19 Jun 2013 13:06:14 -0400 Subject: [Bro] appending to a vector In-Reply-To: <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org> References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org> Message-ID: On Jun 19, 2013, at 12:57 PM, David Mandelberg wrote: > internal error: over-ran key in CompositeHash::RecoverVals > Aborted  What did your set code look like? I suppose you had a type like "type MySet: set[MyRecord];" defined? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Wed Jun 19 10:07:21 2013 From: seth at icir.org (Seth Hall) Date: Wed, 19 Jun 2013 13:07:21 -0400 Subject: [Bro] Seeing packets In-Reply-To: <4db6fae6533e9e698fb9514045a2c8d0@localhost> References: <7aa445d8dd5d403f31130c301b22dc32@localhost> <283E444D-7250-412B-9E3F-F045B55A901D@icir.org> <4db6fae6533e9e698fb9514045a2c8d0@localhost> Message-ID: <3E094DEE-DA46-4128-B6B0-4046BA694FD7@icir.org> On Jun 19, 2013, at 12:51 PM, James Lay wrote: > Thanks Seth. From my own vantage point, maybe providing quick/easy > methods to start or stop all things that log/email could be implemented > going forward. Thank you. Yep, I suspect when/if we start on the broctl rework we will put some thought into all input and output from broctl. 
.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From srunnels at gmail.com Wed Jun 19 10:08:21 2013
From: srunnels at gmail.com (Scott Runnels)
Date: Wed, 19 Jun 2013 13:08:21 -0400
Subject: [Bro] appending to a vector
In-Reply-To: <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org>
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org>
Message-ID:

In that case, does it need to be a constant?

Scott Runnels

On Wed, Jun 19, 2013 at 12:57 PM, David Mandelberg wrote:
> On 2013-06-19 12:42, Seth Hall wrote:
> > On Jun 19, 2013, at 12:14 PM, David Mandelberg
> > wrote:
> >
> >> What's the recommended way to append to a vector?
> >
> > Many (most?) of us strongly dislike vectors in Bro. It's likely
> > something that will be improved in the next couple of releases if I
> > had to make a guess. :)
>
> Maybe there's a better way to do what I want without vectors. I have a
> somewhat complex record type and I want to store multiple records of
> that type in a container of some sort. I want to be able to iterate over
> the container, but I don't care about order (vector) or uniqueness
> (set). When I tried using sets, I got the error below, so I switched to
> vectors.
>
> internal error: over-ran key in CompositeHash::RecoverVals
> Aborted
>
> > Generally though you're going to run into weird poorly defined edge
> > cases like this with vectors
>
> :)
>
> --
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/
From david at mandelberg.org Wed Jun 19 10:20:21 2013
From: david at mandelberg.org (David Mandelberg)
Date: Wed, 19 Jun 2013 13:20:21 -0400
Subject: [Bro] appending to a vector
In-Reply-To:
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org> <458cb16e4b0f022bfd50f59c4a79392d@mail.mandelberg.org>
Message-ID: <363f64dd416448f4bcac489d83755817@mail.mandelberg.org>

On 2013-06-19 13:08, Scott Runnels wrote:
> In that case, does it need to be a constant?

Modifying the set/vector/collection after bro_init() would have no effect and could cause quite a bit of confusion. Const is a useful way to express that.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From jsiwek at illinois.edu Wed Jun 19 15:00:20 2013
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Wed, 19 Jun 2013 22:00:20 +0000
Subject: [Bro] appending to a vector
In-Reply-To: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
Message-ID:

On Jun 19, 2013, at 11:14 AM, David Mandelberg wrote:

> What's the recommended way to append to a vector? The documentation
> says vectors are like tables, so I tried the below code, but it gives
> some errors.
>
> const foo: vector of double = vector() &redef;
>
> redef foo += {
>     [|foo|] = 42.0
> };

Appending to a vector can't currently be done w/ redef, but I don't think it would be difficult to implement if you want to add a ticket to the tracker.

> Maybe there's a better way to do what I want without vectors. I have a
> somewhat complex record type and I want to store multiple records of
> that type in a container of some sort. I want to be able to iterate over
> the container, but I don't care about order (vector) or uniqueness
> (set). When I tried using sets, I got the error below, so I switched to
> vectors.
>
> internal error: over-ran key in CompositeHash::RecoverVals
> Aborted

Can you give an example script that reproduces that (create a bug/ticket for it) ?

> I thought normal assignment to a const variable was supposed to fail. Isn't that a bug?

I agree that it shouldn't be allowed, but just to explain how it's currently working: the const applies to the variable, not the value bound to it. So you can't assign further values to the const variable, but its value may still be mutable depending on its type.

- Jon

From david at mandelberg.org Wed Jun 19 15:13:11 2013
From: david at mandelberg.org (David Mandelberg)
Date: Wed, 19 Jun 2013 18:13:11 -0400
Subject: [Bro] appending to a vector
In-Reply-To:
References: <4b53a7b5510381858730e234347fff41@mail.mandelberg.org>
Message-ID: <54f200f2fb7f4ff26e4b4893f3720abf@mail.mandelberg.org>

On 2013-06-19 18:00, Siwek, Jonathan Luke wrote:
> On Jun 19, 2013, at 11:14 AM, David Mandelberg
> wrote:
>
>> What's the recommended way to append to a vector? The documentation
>> says vectors are like tables, so I tried the below code, but it
>> gives
>> some errors.
>>
>> const foo: vector of double = vector() &redef;
>>
>> redef foo += {
>>     [|foo|] = 42.0
>> };
>
> Appending to a vector can't currently be done w/ redef, but I don't
> think it would be difficult to implement if you want to add a ticket
> to the tracker.

I got number 1024 :D http://tracker.bro.org/bro/ticket/1024

>> Maybe there's a better way to do what I want without vectors. I have
>> a
>> somewhat complex record type and I want to store multiple records of
>> that type in a container of some sort. I want to be able to iterate
>> over
>> the container, but I don't care about order (vector) or uniqueness
>> (set). When I tried using sets, I got the error below, so I switched
>> to
>> vectors.
>>
>> internal error: over-ran key in CompositeHash::RecoverVals
>> Aborted
>
>
> Can you give an example script that reproduces that (create a
> bug/ticket for it) ?
If I can reproduce it, I'll file a bug.

>> I thought normal assignment to a const variable was supposed to
>> fail. Isn't that a bug?
>
>
> I agree that it shouldn't be allowed, but just to explain how it's
> currently working: the const applies to the variable, not the value
> bound to it. So you can't assign further values to the const variable,
> but its value may still be mutable depending on its type.

Gotcha.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From James.Richards at wisconsin.gov Thu Jun 20 07:50:12 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 20 Jun 2013 09:50:12 -0500
Subject: [Bro] My last issue I hope
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us>

So everything is humming along with no errors, but also no events.

In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing that it does not appear to be capturing packets...

Slot Len           : 8224 [bucket+header]
Tot Memory         : 67108864
Tot Packets        : 0
Tot Pkt Lost       : 0
Tot Insert         : 0
Tot Read           : 0
Insert Offset      : 0
Remove Offset      : 0
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 8159

I have the nics in promisc mode, and have done the

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

Have any of you run into this? I am scouring the web right now, but if anyone knows this one off the top of their head I would be most appreciative for any pointers.

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880
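A small checker for the /proc/net/pf_ring stats format shown in this thread, added here as an example (it is not code from the list or from PF_RING). It parses the "Key : Value" lines and flags a ring that is bound but has never seen a packet, or that is losing packets because its consumer is not draining it; the two sample files are constructed from the numbers posted in this thread.

```python
"""Parse a /proc/net/pf_ring/<pid>-<iface>.<n> stats file and flag rings
that are bound but idle or losing packets (added example, not from the
thread; sample files are constructed from the values posted above)."""
from typing import Dict, List

# Constructed sample: the ring on the node, abbreviated to the fields
# the check uses. Real files carry more "Key : Value" lines.
NODE_RING = """\
Bound Device(s)    : eth4
Active             : 1
Appl. Name         :
Tot Packets        : 0
Tot Pkt Lost       : 0
Tot Insert         : 0
Tot Read           : 0
Num Free Slots     : 8159
"""

# Constructed sample: the ring on the manager, which is consuming traffic.
MANAGER_RING = """\
Bound Device(s)    : eth4
Active             : 1
Appl. Name         : Suricata
Tot Packets        : 107648318
Tot Pkt Lost       : 672416
Tot Insert         : 106975907
Tot Read           : 106975798
Num Free Slots     : 4780
"""


def parse_pf_ring_stats(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; a missing value (like the
    empty Appl. Name on the node) becomes an empty string."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        stats[key.strip()] = value.strip()
    return stats


def ring_health(stats: Dict[str, str]) -> Dict[str, object]:
    """Summarise one ring: packet counts, in-ring loss fraction and a
    list of findings (empty when the ring looks healthy)."""
    def count(key: str) -> int:
        return int(stats.get(key) or 0)

    total, lost = count("Tot Packets"), count("Tot Pkt Lost")
    findings: List[str] = []
    if stats.get("Active") != "1":
        findings.append("ring is not active")
    if total == 0:
        # The ring exists but has never seen a frame: traffic is not
        # reaching it (tap/span, link state, wrong interface in node.cfg)
        # or the consumer is not attached through the pf_ring libpcap.
        findings.append("no packets have entered the ring")
    if not stats.get("Appl. Name"):
        findings.append("no application name registered on the ring")
    loss = lost / total if total else 0.0
    if lost:
        findings.append(f"{loss:.2%} of packets lost inside the ring "
                        "(consumer not draining fast enough)")
    return {"device": stats.get("Bound Device(s)", ""), "total": total,
            "lost": lost, "loss_fraction": loss, "findings": findings}


if __name__ == "__main__":
    for name, text in (("node", NODE_RING), ("manager", MANAGER_RING)):
        report = ring_health(parse_pf_ring_stats(text))
        print(name, report["device"], report["findings"] or "healthy")
```

Run it against a real file with `ring_health(parse_pf_ring_stats(open(path).read()))`; a zero-packet ring on a worker is the symptom this thread chases, and the fix turned out to be upstream of the ring (a worker whose bro could not load the pf_ring libpcap).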
From seth at icir.org Thu Jun 20 07:57:47 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 20 Jun 2013 10:57:47 -0400
Subject: [Bro] My last issue I hope
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <372DDC74-B859-4798-B61B-C6F92407672B@icir.org>

On Jun 20, 2013, at 10:50 AM, "Richards, James L - DOA" wrote:

> In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing that it does not appear to be capturing packets...

Did you load the pf_ring module in mode 0 or something higher?

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From JAzoff at albany.edu Thu Jun 20 08:05:10 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Thu, 20 Jun 2013 11:05:10 -0400
Subject: [Bro] My last issue I hope
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <20130620150510.GO32624@datacomm.albany.edu>

On Thu, Jun 20, 2013 at 09:50:12AM -0500, Richards, James L - DOA wrote:
> So everything is humming along with no errors, but also no events.
>
> In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing that it does
> not appear to be capturing packets...

The simplest cause could be that you have an issue with the tap/span port that is supposed to be feeding you traffic. Is your sensor definitely receiving traffic? Are the ethernet links up?
-- -- Justin Azoff -- Network Security & Performance Analyst From James.Richards at wisconsin.gov Thu Jun 20 08:09:58 2013 From: James.Richards at wisconsin.gov (Richards, James L - DOA) Date: Thu, 20 Jun 2013 10:09:58 -0500 Subject: [Bro] My last issue I hope In-Reply-To: <372DDC74-B859-4798-B61B-C6F92407672B@icir.org> References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <372DDC74-B859-4798-B61B-C6F92407672B@icir.org> Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718F0@MEWMAD0PC01G02.accounts.wistate.us> Where might I find that info? I am looking. And thanks! James Richards Office of Security Wisconsin Department of Administration 608.224.3880 -----Original Message----- From: Seth Hall [mailto:seth at icir.org] Sent: Thursday, June 20, 2013 9:58 AM To: Richards, James L - DOA Cc: bro at bro.org Subject: Re: [Bro] My last issue I hope On Jun 20, 2013, at 10:50 AM, "Richards, James L - DOA" wrote: > In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing that it does not appear to be capturing packets... Did you load the pf_ring module in mode 0 or something higher? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Thu Jun 20 08:23:12 2013 From: seth at icir.org (Seth Hall) Date: Thu, 20 Jun 2013 11:23:12 -0400 Subject: [Bro] My last issue I hope In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718F0@MEWMAD0PC01G02.accounts.wistate.us> References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <372DDC74-B859-4798-B61B-C6F92407672B@icir.org> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718F0@MEWMAD0PC01G02.accounts.wistate.us> Message-ID: <14CE587D-A52B-4BE2-AD05-A840E1A43EE4@icir.org> On Jun 20, 2013, at 11:09 AM, "Richards, James L - DOA" wrote: > Where might I find that info? I am looking. If you don't know then you probably are using mode 0 which is the default. 
I think the next step is definitely to follow Justin's advice.

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From James.Richards at wisconsin.gov Thu Jun 20 08:31:55 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 20 Jun 2013 10:31:55 -0500
Subject: [Bro] My last issue I hope
In-Reply-To: <20130620150510.GO32624@datacomm.albany.edu>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <20130620150510.GO32624@datacomm.albany.edu>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us>

It certainly appears to be working and up in promisc mode...

eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
          inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

Thanks all, I will continue to dig...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu]
Sent: Thursday, June 20, 2013 10:05 AM
To: Richards, James L - DOA
Cc: bro at bro.org
Subject: Re: [Bro] My last issue I hope

On Thu, Jun 20, 2013 at 09:50:12AM -0500, Richards, James L - DOA wrote:
> So everything is humming along with no errors, but also no events.
>
> In looking at pf_ring, specifically /proc/net/pf_ring, I am seeing
> that it does not appear to be capturing packets...

The simplest cause could be that you have an issue with the tap/span port that is supposed to be feeding you traffic. Is your sensor definitely receiving traffic? Are the ethernet links up?
-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From JAzoff at albany.edu Thu Jun 20 16:21:40 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Thu, 20 Jun 2013 19:21:40 -0400
Subject: [Bro] My last issue I hope
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <20130620150510.GO32624@datacomm.albany.edu> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <20130620232140.GQ32624@datacomm.albany.edu>

On Thu, Jun 20, 2013 at 10:31:55AM -0500, Richards, James L - DOA wrote:
> eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
>           inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

You have something like this in your node.cfg ?

interface=eth4
lb_method=pf_ring
lb_procs=4

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From James.Richards at wisconsin.gov Fri Jun 21 07:23:54 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 21 Jun 2013 09:23:54 -0500
Subject: [Bro] My last issue I hope
In-Reply-To: <20130620232140.GQ32624@datacomm.albany.edu>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <20130620150510.GO32624@datacomm.albany.edu> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us> <20130620232140.GQ32624@datacomm.albany.edu>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5719A6@MEWMAD0PC01G02.accounts.wistate.us>

Interesting... I swear that these were at 0, but in looking at one node I am seeing what appear to be packets captured...
The one here is on the manager which is also running suricata I am seeing packets captured: But further below I am not seeing packets on the node, and the APPL Name is unknown...

On The MANAGER

richaj at utlmad0d0363:/proc/net/pf_ring$ more 32094-eth4.137
Bound Device(s)    : eth4
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : Suricata
IP Defragment      : No
BPF Filtering      : Disabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 128
Num Poll Calls     : 1534927
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 99
Slot Version       : 14 [5.4.6]
Min Num Slots      : 4889
Bucket Len         : 1514
Slot Len           : 1714 [bucket+header]
Tot Memory         : 8388608
Tot Packets        : 107648318
Tot Pkt Lost       : 672416
Tot Insert         : 106975907
Tot Read           : 106975798
Insert Offset      : 7698710
Remove Offset      : 7603240
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 4780

On the NODE:

richaj at utlmad0d0367:/proc/net/pf_ring$ more 8903-eth4.5
Bound Device(s)    : eth4
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         :
IP Defragment      : No
BPF Filtering      : Enabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 665709393
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 22
Slot Version       : 14 [5.4.6]
Min Num Slots      : 8159
Bucket Len         : 8192
Slot Len           : 8224 [bucket+header]
Tot Memory         : 67108864
Tot Packets        : 0
Tot Pkt Lost       : 0
Tot Insert         : 0
Tot Read           : 0
Insert Offset      : 0
Remove Offset      : 0
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 8159
richaj at utlmad0d0367:/proc/net/pf_ring$

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu]
Sent: Thursday, June 20, 2013 6:22 PM
To: Richards, James L - DOA
Cc: bro at bro.org
Subject: Re: [Bro] My last issue I hope

On Thu, Jun 20, 2013 at 10:31:55AM -0500, Richards, James L - DOA wrote:
> eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
>           inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

You have something like this in your node.cfg ?

interface=eth4
lb_method=pf_ring
lb_procs=4

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From James.Richards at wisconsin.gov Fri Jun 21 08:48:33 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 21 Jun 2013 10:48:33 -0500
Subject: [Bro] My last issue I hope
In-Reply-To:
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <20130620150510.GO32624@datacomm.albany.edu> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5719C3@MEWMAD0PC01G02.accounts.wistate.us>

I may have something here... in perusing the logs on a node in /usr/local/bro/logs, I am seeing...
/usr/local/bro/bin/bro: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory

When I do an ldconfig -v on the same node, I get

/usr/local/pfring/lib:
        libpfring.so -> libpfring.so
        libpcap.so.1 -> libpcap.so.1.1.1

So bro is looking for libpcap.so.0.8 which is not present, correct?

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From: Tritium Cat [mailto:tritium.cat at gmail.com]
Sent: Thursday, June 20, 2013 2:28 PM
To: Richards, James L - DOA
Subject: Re: [Bro] My last issue I hope

On Thu, Jun 20, 2013 at 8:31 AM, Richards, James L - DOA wrote:

It certainly appears to be working and up in promisc mode...

eth4      Link encap:Ethernet  HWaddr 00:1b:21:33:55:20
          inet6 addr: fe80::21b:21ff:fe33:5520/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:474826801 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:330011101828 (330.0 GB)  TX bytes:468 (468.0 B)

Thanks all, I will continue to dig...

You might have more than one version of libpcap on the system and when Bro was compiled it linked to the non-PF_RING version. Try "ldd /path/to/bro" and check that the linked libpcap library is the pf_ring aware version. If that's your problem or you cannot easily tell then I think the easiest solution is to use your package manager to uninstall libpcap and use the version provided by the pf_ring package. You may need to recompile everything depending on how Bro discovered resources during the configure / make.

If Bro were using PF_RING correctly you should see a proc entry with the PID and interface for filename. Example: "cat /proc/net/pf_ring/33461-eth5.47" would show you the PF_RING stats for that particular worker.
You could also install the pf_ring library and libpcap version to a non-standard directory so the distinction is clear(er) but this requires a bunch of additional stuff.

--tc

From seth at icir.org Fri Jun 21 09:14:49 2013
From: seth at icir.org (Seth Hall)
Date: Fri, 21 Jun 2013 12:14:49 -0400
Subject: [Bro] My last issue I hope
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5719C3@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718E9@MEWMAD0PC01G02.accounts.wistate.us> <20130620150510.GO32624@datacomm.albany.edu> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5718FA@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927F5719C3@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <15E563F3-8A04-48AC-A88C-6100CA3A6959@icir.org>

On Jun 21, 2013, at 11:48 AM, "Richards, James L - DOA" wrote:

> libpfring.so -> libpfring.so
> libpcap.so.1 -> libpcap.so.1.1.1
>
> So bro is looking for libpcap.so.0.8 which is not present, correct?

You need to make sure that all of your workers have the pf_ring libpcap installed in the same place as you did on the manager (or wherever you built Bro).

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From mcholste at gmail.com Fri Jun 21 13:02:39 2013
From: mcholste at gmail.com (Martin Holste)
Date: Fri, 21 Jun 2013 16:02:39 -0400
Subject: [Bro] PF_RING Clustering Problem
In-Reply-To: <8F528952-92CF-4E94-BD49-807A8E2B946B@icir.org>
References: <8F528952-92CF-4E94-BD49-807A8E2B946B@icir.org>
Message-ID:

I updated the post to show the new, shorter config.
On Wed, Jun 19, 2013 at 12:06 PM, Seth Hall wrote:

>
> On Jun 19, 2013, at 1:34 AM, Jeff Scaparra wrote:
>
> > I followed this howto
> http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html however I am finding bro is now reporting 4 of everything so the load
> balancing isn't working. How can I verify PF_RING is load balancing or what
> could I be missing? Is there a better document I should be looking at?
>
> Those directions are outdated. Instead of configuring separate workers
> you should configure a single worker per interface you are sniffing like
> this...
>
> [worker-1]
> host=1.2.3.4
> interface=eth0
> lb_method=pf_ring
> lb_procs=4
>
> That will automatically enable the pf_ring load balancing and start up
> four processes that the traffic on eth0 is load balanced across.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

From seth at icir.org Fri Jun 21 13:23:03 2013
From: seth at icir.org (Seth Hall)
Date: Fri, 21 Jun 2013 16:23:03 -0400
Subject: [Bro] PF_RING Clustering Problem
In-Reply-To:
References: <8F528952-92CF-4E94-BD49-807A8E2B946B@icir.org>
Message-ID:

On Jun 21, 2013, at 4:02 PM, Martin Holste wrote:

> I updated the post to show the new, shorter config.

Awesome! Thanks Martin!

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From itsecderek at gmail.com Tue Jun 25 10:50:02 2013
From: itsecderek at gmail.com (Derek Banks)
Date: Tue, 25 Jun 2013 13:50:02 -0400
Subject: [Bro] Question about capture loss script vs.
broctl netstats
Message-ID:

I apologize if this has been answered already - I was searching through the list archives and didn't seem to find the answer.

I have configured a RHEL 6 server with the latest Bro from the repository and pf_ring 5.2.2. It seems pf_ring works - I run pfcount on my capture interface and it sees traffic and reports no packet loss. I have Bro configured per the post at http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and everything starts fine and Bro is up and running.

I run netstats in the Broctl shell and get:

worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

But in the notice.log file I see:

1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - --

So my question is, am I dropping packets or am I good to go?

Best Regards,
Derek Banks
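The two numbers in this message measure different things: netstats reports packets libpcap dropped after they reached the worker, while CaptureLoss estimates loss from TCP sequence gaps (data the peer acknowledged but Bro never saw), so it also counts packets that never arrived at the sensor. The cross-check below is an added example, not code from the thread or from Bro; it parses both outputs and says on which side of libpcap the loss happened. The sample lines are constructed from the values posted above, and the 10% threshold is assumed to mirror the CaptureLoss script's default.

```python
"""Reconcile `broctl netstats` with CaptureLoss::Too_Much_Loss notices.
Added example, not from the thread; sample lines are constructed from
the values Derek posted."""
import re
from typing import Dict

NETSTATS = """\
worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222
"""

# notice.log is tab-separated; the thread shows it space-flattened, so the
# parser keys on the message text and the peer name, not column positions.
NOTICES = """\
1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - --
"""

NETSTATS_RE = re.compile(
    r"^(?P<worker>\S+): \S+ recvd=(?P<recvd>\d+) dropped=(?P<dropped>\d+) link=(?P<link>\d+)")
CAPLOSS_RE = re.compile(
    r"CaptureLoss::Too_Much_Loss.*?above (?P<pct>\d+(?:\.\d+)?)%.*?(?P<worker>worker-\d+-\d+)")


def parse_netstats(text: str) -> Dict[str, Dict[str, int]]:
    """Per-worker recvd/dropped/link counters from `broctl netstats`."""
    out: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = NETSTATS_RE.match(line)
        if m:
            out[m["worker"]] = {k: int(m[k]) for k in ("recvd", "dropped", "link")}
    return out


def parse_capture_loss(text: str) -> Dict[str, float]:
    """Per-worker estimated loss fraction from Too_Much_Loss notices."""
    out: Dict[str, float] = {}
    for line in text.splitlines():
        m = CAPLOSS_RE.search(line)
        if m:
            out[m["worker"]] = float(m["pct"]) / 100.0
    return out


def diagnose(netstats, caploss, too_much_loss=0.10):
    """Classify each worker. too_much_loss is assumed to mirror the
    CaptureLoss script's default threshold of 10%."""
    verdicts = {}
    for worker in sorted(set(netstats) | set(caploss)):
        ns = netstats.get(worker)
        # Drops libpcap itself reports, as a share of packets seen on the link.
        pcap_drop = ns["dropped"] / ns["link"] if ns and ns["link"] else 0.0
        estimated = caploss.get(worker, 0.0)
        if estimated < too_much_loss and pcap_drop < 0.01:
            verdict = "ok"
        elif pcap_drop >= 0.01:
            verdict = "bro dropping: the workers cannot keep up with what libpcap delivers"
        else:
            verdict = "upstream loss: packets never reached libpcap (check tap/span, NIC, ring)"
        verdicts[worker] = {"pcap_drop": pcap_drop, "estimated_loss": estimated,
                            "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    results = diagnose(parse_netstats(NETSTATS), parse_capture_loss(NOTICES))
    for worker, v in results.items():
        print(f"{worker}: pcap drops {v['pcap_drop']:.1%}, "
              f"estimated loss {v['estimated_loss']:.1%} -> {v['verdict']}")
```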
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130625/9466c3fe/attachment.html From itsecderek at gmail.com Tue Jun 25 11:07:05 2013 From: itsecderek at gmail.com (Derek Banks) Date: Tue, 25 Jun 2013 14:07:05 -0400 Subject: [Bro] Question about capture loss script vs. broctl netstats Message-ID: I apologize if this has been answered already - I was searching through the list archives and did't seem to find the answer. I have configured a RHEL 6 server with the latest Bro from the repository and pf_ring 5.2.2. It seems pf_ring works - I run pfcount on my capture interface and it sees traffic and reports no packet loss. I have Bro configured per the post at http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.htmland everything starts fine and Bro is up and running. I run netstats in the Broctl shell and get: worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350 worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051 worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315 worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222 But in the notice.log file I see: 1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - -- 1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - -- 1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - -- 1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - -- So my question is, am I dropping packets or am I good to go? 
Best Regards,
Derek Banks
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130625/01b3a62a/attachment.html

From Keith_Schoenefeld at baylor.edu Tue Jun 25 11:15:27 2013
From: Keith_Schoenefeld at baylor.edu (Schoenefeld, Keith P.)
Date: Tue, 25 Jun 2013 18:15:27 +0000
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To:
Message-ID:

My understanding is that this indicates Bro is processing every packet it receives, but it is only receiving about 60% of the packets that are crossing the wire Bro is monitoring? Do you have more information about the link you are tapping (bandwidth, packets/sec), the network card on the Bro box, and the specs of the Bro box?

-- KS

From: Derek Banks
Date: Tuesday, June 25, 2013 12:50 PM
To: "bro at bro-ids.org"
Subject: [Bro] Question about capture loss script vs. broctl netstats

I apologize if this has been answered already - I was searching through the list archives and didn't seem to find the answer. I have configured a RHEL 6 server with the latest Bro from the repository and pf_ring 5.2.2. It seems pf_ring works - I run pfcount on my capture interface and it sees traffic and reports no packet loss. I have Bro configured per the post at http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and everything starts fine and Bro is up and running.
I run netstats in the Broctl shell and get:

worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

But in the notice.log file I see:

1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - --

So my question is, am I dropping packets or am I good to go?

Best Regards,
Derek Banks

From seth at icir.org Tue Jun 25 13:13:26 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 25 Jun 2013 16:13:26 -0400
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To:
References:
Message-ID:

On Jun 25, 2013, at 1:50 PM, Derek Banks wrote:

> So my question is, am I dropping packets or am I good to go?

How are you tapping your traffic?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From itsecderek at gmail.com Tue Jun 25 13:51:43 2013
From: itsecderek at gmail.com (Derek Banks)
Date: Tue, 25 Jun 2013 16:51:43 -0400
Subject: [Bro] Question about capture loss script vs.
broctl netstats
In-Reply-To:
References:
Message-ID:

It is from a span fed into a Netoptics port regenerator that feeds a few devices. One of those is another Red Hat box with an Endace card in it. That box (and another device we have) do not seem to be dropping traffic.

-Derek

On Jun 25, 2013 4:13 PM, "Seth Hall" wrote:
>
> On Jun 25, 2013, at 1:50 PM, Derek Banks wrote:
>
> > So my question is, am I dropping packets or am I good to go?
>
> How are you tapping your traffic?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130625/ab4b31ea/attachment.html

From seth at icir.org Tue Jun 25 19:22:21 2013
From: seth at icir.org (Seth Hall)
Date: Tue, 25 Jun 2013 22:22:21 -0400
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To:
References:
Message-ID: <949A1A2C-5508-4F2F-8ABA-4AE88D4E7181@icir.org>

On Jun 25, 2013, at 4:51 PM, Derek Banks wrote:

> It is from a span fed into a Netoptics port regenerator that feeds a few devices. One of those is another Red Hat box with an Endace card in it. That box (and another device we have) do not seem to be dropping traffic.

How are you measuring packet loss with your other tools? The script that is generating those notices you saw is measuring aspects of TCP that indicate packet loss which could be happening upstream of your monitoring. By that, I mean you could be oversubscribing your SPAN port. It could be worth checking packet stats on the SPAN port to see if you are losing traffic there.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From hckim at narusec.com Wed Jun 26 06:47:06 2013
From: hckim at narusec.com (김희철)
Date: Wed, 26 Jun 2013 22:47:06 +0900
Subject: [Bro] change notice$note to match signature
Message-ID:

Hi, all the signature notice$note comes out with Signatures::Sensitive_Signature. I want to change the notice$note to the signature ID or a custom name. I tried to do this by signature_match but this is not working; if I use testsig.sig in local.bro, the notice comes out fine. Do I have to approach this a different way?

---------------------------
@load-sigs ./testsig.sig

module test;

#redef signature_files += "testsig.sig";

redef enum Notice::Type += { NAVER.com_found };

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( /naver/ in state$sig_id )
        {
        event Signatures::log_signature(rec: Signatures::Info)
            {
            rec$note = NAVER.com_found;
            }
        # print fmt("%s", data);
        }
    }
----------------------------
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130626/c84fd102/attachment.html

From seth at icir.org Wed Jun 26 07:27:17 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 26 Jun 2013 10:27:17 -0400
Subject: [Bro] change notice$note to match signature
In-Reply-To:
References:
Message-ID: <6213FE2F-9FD1-40B2-9C77-988631642CD4@icir.org>

On Jun 26, 2013, at 9:47 AM, 김희철 wrote:

> all the signature notice$note comes out with Signatures::Sensitive_Signature
> I want to change the notice$note to signature ID or custom name

I understand what you want to happen, but I don't really understand how you're trying to approach it. Your code doesn't even look like it's valid syntax (the log_signature part).
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jbabio at po-box.esu.edu Wed Jun 26 10:21:40 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Wed, 26 Jun 2013 17:21:40 +0000
Subject: [Bro] bro comparison to snort operation
Message-ID:

Hello Group,

I need some clarification. I am trying to understand the operations of Bro and how it relates to how Snort operates. I am having a little trouble with a few things.

1. Where are default rules/signatures/scripts stored in the folder structure?
2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?
3. Where do we place custom bro scripts we write?
4. Is there a skeleton of a basic script somewhere so I know where to start?
5. Where in Bro do I specify sending the data to an external ELSA server?

Thanks for your help!

From soehlert at illinois.edu Wed Jun 26 10:40:59 2013
From: soehlert at illinois.edu (Oehlert, Samuel J)
Date: Wed, 26 Jun 2013 17:40:59 +0000
Subject: [Bro] bro comparison to snort operation
In-Reply-To:
References:
Message-ID:

John,

1. The default policies are underneath $BROHOME/share/bro/, but keep in mind you should never edit these policy files.
2. That's tough to answer because that's really up to you. You can look at whatever log you find most helpful; it depends on the situation. Maybe if you could clarify what you are hoping to find, we can help point you to the correct log.
3. Site-specific policies go in $BROHOME/share/bro/site, as this directory does not get overwritten on updates, meaning your policies will persist.
4. Personally, I found it best to look at the default policies (which you can find here: http://www.bro.org/sphinx/scripts/index.html), as well as here: https://github.com/languages/Bro
5. That I'm not sure of, sorry.
-Sam

-------
Sam Oehlert
(217) 300-1076
Security Engineer
National Center for Supercomputing Applications

On Jun 26, 2013, at 12:21 PM, John Babio wrote:

Hello Group,

I need some clarification. I am trying to understand the operations of Bro and how it relates to how Snort operates. I am having a little trouble with a few things.

1. Where are default rules/signatures/scripts stored in the folder structure?
2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?
3. Where do we place custom bro scripts we write?
4. Is there a skeleton of a basic script somewhere so I know where to start?
5. Where in Bro do I specify sending the data to an external ELSA server?

Thanks for your help!
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130626/f26a5b31/attachment.html

From seth at icir.org Wed Jun 26 10:42:18 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 26 Jun 2013 13:42:18 -0400
Subject: [Bro] bro comparison to snort operation
In-Reply-To:
References:
Message-ID: <0811AE92-A4DF-4F49-A7CE-C51623BEC5F8@icir.org>

On Jun 26, 2013, at 1:21 PM, John Babio wrote:

> I need some clarification. I am trying to understand the operations of Bro and how it relates to how Snort operates. I am having a little trouble with a few things.

Don't try to draw those comparisons. They're only going to lead to confusion for you. :)

> 1. Where are default rules/signatures/scripts stored in the folder structure?

/share/bro

> 2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?

Any and all logs could be important depending on what you're investigating.
Certain logs like communication.log, notice_policy.log, and loaded_scripts.log are Bro doing some internal accounting so that if you have questions about how it's behaving you may be able to figure that out. In "normal" operation the weird log tends to be of less value too (please correct me if someone uses that a lot!). Typically the most important logs are the ones that provide some sort of network activity logging (e.g. http.log, smtp.log, conn.log, dns.log, software.log, etc.)

> 3. Where do we place custom bro scripts we write?

I typically recommend that people place scripts into /share/bro/site/ and use the local.bro script in that directory to load their scripts.

> 4. Is there a skeleton of a basic script somewhere so I know where to start?

I would take a look at the scripts in /share/bro/policy/ (there are quite a few) to get a general feel of the land. That directory and all of its subdirectories are where most of the scripts are that detect various things.

> 5. Where in Bro do I specify sending the data to an external ELSA server?

That is something you'll have to do outside of Bro. We don't have any direct integration at this point in time. The SecurityOnion project should be able to provide some guidance there since they ship with Bro logs integrated in ELSA.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jbabio at po-box.esu.edu Wed Jun 26 10:50:08 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Wed, 26 Jun 2013 17:50:08 +0000
Subject: [Bro] bro comparison to snort operation
In-Reply-To: <0811AE92-A4DF-4F49-A7CE-C51623BEC5F8@icir.org>
Message-ID:

Thank you Seth and Samuel. I appreciate the help. :)

On 6/26/13 1:42 PM, "Seth Hall" wrote:

>
>On Jun 26, 2013, at 1:21 PM, John Babio wrote:
>
>> I need some clarification. I am trying to understand the operations of
>>Bro and how it relates to how Snort operates. I am having a little trouble
>>with a few things.
>
>Don't try to draw those comparisons. They're only going to lead to
>confusion for you. :)
>
>> 1. Where are default rules/signatures/scripts stored in the folder
>>structure?
>
>/share/bro
>
>> 2. What log file are we supposed to pay attention to? Communication,
>>Notices, Weird or all of them?
>
>Any and all logs could be important depending on what you're
>investigating. Certain logs like communication.log, notice_policy.log,
>and loaded_scripts.log are Bro doing some internal accounting so that if
>you have questions about how it's behaving you may be able to figure that out.
>
>In "normal" operation the weird log tends to be of less value too (please
>correct me if someone uses that a lot!). Typically the most important
>logs are the ones that provide some sort of network activity logging
>(e.g. http.log, smtp.log, conn.log, dns.log, software.log, etc.)
>
>> 3. Where do we place custom bro scripts we write?
>
>I typically recommend that people place scripts into
>/share/bro/site/ and use the local.bro script in that directory
>to load their scripts.
>
>> 4. Is there a skeleton of a basic script somewhere so I know where to
>>start?
>
>I would take a look at the scripts in /share/bro/policy/ (there
>are quite a few) to get a general feel of the land. That directory and
>all of its subdirectories are where most of the scripts are that detect
>various things.
>
>> 5. Where in Bro do I specify sending the data to an external ELSA
>>server?
>
>That is something you'll have to do outside of Bro. We don't have any
>direct integration at this point in time.
>The SecurityOnion project
>should be able to provide some guidance there since they ship with Bro
>logs integrated in ELSA.
>
> .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>

From vern at icir.org Thu Jun 27 06:09:08 2013
From: vern at icir.org (Vern Paxson)
Date: Thu, 27 Jun 2013 06:09:08 -0700
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To: (Tue, 25 Jun 2013 14:07:05 EDT).
Message-ID: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>

As Seth mentions, the capture-loss script is quite robust, because it essentially computes an end-to-end value. I don't know of any situations where in practice it makes poor estimates. These stats:

> worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
> worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
> worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
> worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222

on the other hand come from the kernel's statistics. If packets are lost prior to the kernel even seeing them (such as due to an overwhelmed SPAN port - quite common), then while it reports no drops, that's not a useful end-to-end measure. (Also, some kernels have bugs in how these statistics are captured, for example missing out on packets dropped by the NIC rather than the kernel.)

Vern

From jbabio at po-box.esu.edu Thu Jun 27 09:41:07 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Thu, 27 Jun 2013 16:41:07 +0000
Subject: [Bro] example from manual
Message-ID:

http://bro.org/sphinx/notice.html

Where does the example syntax get placed?
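Editor's added example for Vern's reply in the capture-loss thread above (not code from the list or from the Bro project): a small Python model of why the two numbers disagree. The kernel-style counter only knows about frames that reached it, so a segment dropped at an oversubscribed SPAN port is simply absent and "dropped" stays 0. The end-to-end estimate instead records which byte ranges of each TCP direction were actually captured and, on every advancing ACK, checks whether the receiver acknowledged bytes the sensor never saw; such a hole is a gap, and the percentage is gap events over ack events, the same ratio the capture-loss script reports. The trace, the `Segment`/`GapStats` types and the function names are this example's own constructions, not Bro's data structures.

```python
"""Toy model of the end-to-end loss estimate behind CaptureLoss::Too_Much_Loss.

Added example, not code from the Bro project. It mimics the idea in Vern's
reply: a gap is data the sensor never saw but the receiver acknowledged, so
the estimate catches loss upstream of the NIC that kernel drop counters
cannot see. The trace below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    """One captured TCP segment, relative sequence numbers (SYN is byte 0)."""
    orig: bool            # True: originator -> responder, False: the reverse
    seq: int              # first payload byte of this segment
    payload: int          # payload length in bytes
    ack: Optional[int]    # ack number carried, acknowledging the other direction


@dataclass
class GapStats:
    ack_events: int = 0   # acks that advanced the acked point
    ack_bytes: int = 0
    gap_events: int = 0   # acks that covered bytes the sensor never captured
    gap_bytes: int = 0

    def percent_lost(self) -> float:
        # Same ratio the capture-loss script reports: gap events over ack events.
        if self.ack_events == 0:
            return 0.0
        return 100.0 * self.gap_events / self.ack_events


def uncovered_bytes(captured: List[Tuple[int, int]], lo: int, hi: int) -> int:
    """Bytes in [lo, hi) that no captured interval [start, end) covers."""
    covered = 0
    cur = lo
    for start, end in sorted(captured):
        if end <= cur:
            continue
        if start >= hi:
            break
        s, e = max(start, cur), min(end, hi)
        if e > s:
            covered += e - s
            cur = e
    return (hi - lo) - covered


def estimate_capture_loss(trace: List[Segment]) -> GapStats:
    """Walk the trace the way a reassembler would: record payload ranges per
    direction, and on every advancing ACK check that the acked range was
    actually captured. Uncaptured bytes below the ack point are a gap."""
    captured: Dict[bool, List[Tuple[int, int]]] = {True: [], False: []}
    acked: Dict[bool, int] = {True: 1, False: 1}   # byte 0 is the SYN
    stats = GapStats()
    for seg in trace:
        if seg.payload:
            captured[seg.orig].append((seg.seq, seg.seq + seg.payload))
        if seg.ack is None:
            continue
        other = not seg.orig          # the ACK covers the opposite direction
        if seg.ack <= acked[other]:
            continue                  # duplicate/old ack: not an ack event
        stats.ack_events += 1
        stats.ack_bytes += seg.ack - acked[other]
        missing = uncovered_bytes(captured[other], acked[other], seg.ack)
        if missing:
            stats.gap_events += 1
            stats.gap_bytes += missing
        acked[other] = seg.ack
    return stats


def netstats_view(trace: List[Segment]) -> Dict[str, int]:
    """What a kernel/libpcap counter can say: it only counts frames that
    reached it, so a segment lost at the SPAN port is just absent."""
    return {"recvd": len(trace), "dropped": 0}


# Constructed trace: a 100-byte request, a 3000-byte response in three
# segments, of which the middle one (seq 1001..2000) never reached the
# sensor, then a 500-byte tail. The client's ACKs still cover the hole.
SAMPLE_TRACE = [
    Segment(orig=True,  seq=1,    payload=100,  ack=1),
    Segment(orig=False, seq=1,    payload=1000, ack=101),
    # Segment(orig=False, seq=1001, payload=1000, ack=101)  <- lost upstream
    Segment(orig=False, seq=2001, payload=1000, ack=101),
    Segment(orig=True,  seq=101,  payload=0,    ack=3001),
    Segment(orig=False, seq=3001, payload=500,  ack=101),
    Segment(orig=True,  seq=101,  payload=0,    ack=3501),
]

if __name__ == "__main__":
    print(netstats_view(SAMPLE_TRACE))        # dropped=0, like broctl netstats
    print(estimate_capture_loss(SAMPLE_TRACE))  # one gap of 1000 bytes
```

On the constructed trace the kernel-style view reports six frames received and nothing dropped, while the ACK walk finds one gap of 1000 bytes out of three ack events, i.e. a one-third loss estimate. That is the shape of the mismatch in the thread: netstats can only describe what made it past the NIC, the capture-loss notice describes what the endpoints saw.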
From seth at icir.org Thu Jun 27 10:00:30 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 27 Jun 2013 13:00:30 -0400
Subject: [Bro] example from manual
In-Reply-To:
References:
Message-ID:

On Jun 27, 2013, at 12:41 PM, John Babio wrote:

> http://bro.org/sphinx/notice.html
>
> Where does the example syntax get placed?

You could put it in local.bro or a better idea might be to place a new file of your own in /share/bro/site/ and add an "@load myfile" line to local.bro.

Like this:

in /share/bro/site/myfile.bro:
    print "hello world";

in /share/bro/site/local.bro:
    @load myfile

Are you running Bro with broctl or just running it directly? If you run with broctl, that local.bro script will automatically get loaded (and subsequently load your script).

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jbabio at po-box.esu.edu Thu Jun 27 10:03:39 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Thu, 27 Jun 2013 17:03:39 +0000
Subject: [Bro] example from manual
In-Reply-To:
Message-ID:

Yes. I am running it via Security Onion.

On 6/27/13 1:00 PM, "Seth Hall" wrote:

>
>On Jun 27, 2013, at 12:41 PM, John Babio wrote:
>
>> http://bro.org/sphinx/notice.html
>>
>> Where does the example syntax get placed?
>
>
>You could put it in local.bro or a better idea might be to place a new
>file of your own in /share/bro/site/ and add an "@load
>myfile" line to local.bro.
>
>Like this:
>
>in /share/bro/site/myfile.bro:
> print "hello world";
>
>in /share/bro/site/local.bro:
> @load myfile
>
>Are you running Bro with broctl or just running it directly? If you run
>with broctl, that local.bro script will automatically get loaded (and
>subsequently load your script).
>
> .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>

From jbabio at po-box.esu.edu Thu Jun 27 10:11:23 2013
From: jbabio at po-box.esu.edu (John Babio)
Date: Thu, 27 Jun 2013 17:11:23 +0000
Subject: [Bro] example from manual
In-Reply-To:
Message-ID:

In the example, if I wanted it to log this info instead of ACTION_EMAIL, what would I change it to? ACTION_ALARM or ACTION_LOG?

On 6/27/13 1:00 PM, "Seth Hall" wrote:

>
>On Jun 27, 2013, at 12:41 PM, John Babio wrote:
>
>> http://bro.org/sphinx/notice.html
>>
>> Where does the example syntax get placed?
>
>
>You could put it in local.bro or a better idea might be to place a new
>file of your own in /share/bro/site/ and add an "@load
>myfile" line to local.bro.
>
>Like this:
>
>in /share/bro/site/myfile.bro:
> print "hello world";
>
>in /share/bro/site/local.bro:
> @load myfile
>
>Are you running Bro with broctl or just running it directly? If you run
>with broctl, that local.bro script will automatically get loaded (and
>subsequently load your script).
>
> .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>

From seth at icir.org Thu Jun 27 10:13:39 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 27 Jun 2013 13:13:39 -0400
Subject: [Bro] example from manual
In-Reply-To:
References:
Message-ID: <0C32F454-A016-4570-BFA5-023F442803A3@icir.org>

On Jun 27, 2013, at 1:11 PM, John Babio wrote:

> In the example, if I wanted it to log this info instead of ACTION_EMAIL,
> what would I change it to? ACTION_ALARM or ACTION_LOG?

All notices are logged by default in notice.log.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From alexwis at gmail.com Thu Jun 27 11:00:53 2013
From: alexwis at gmail.com (Alex Waher)
Date: Thu, 27 Jun 2013 11:00:53 -0700
Subject: [Bro] Question about capture loss script vs.
broctl netstats
In-Reply-To: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
Message-ID:

If you're seeing nearly 50% of dropped traffic, perhaps the SPAN session is monitoring one direction of traffic flow across a NAT'd interface or proxy server? On the external interface monitoring inbound, and on the internal interface monitoring inbound? Any introduction of non-bidirectional traffic would very likely confuse the capture loss script.

On Thu, Jun 27, 2013 at 6:09 AM, Vern Paxson wrote:

> As Seth mentions, the capture-loss script is quite robust, because it
> essentially computes an end-to-end value. I don't know of any situations
> where in practice it makes poor estimates. These stats:
>
> > worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
> > worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
> > worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
> > worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222
>
> on the other hand come from the kernel's statistics. If packets are lost
> prior to the kernel even seeing them (such as due to an overwhelmed SPAN
> port - quite common), then while it reports no drops, that's not a
> useful end-to-end measure. (Also, some kernels have bugs in how these
> statistics are captured, for example missing out on packets dropped by
> the NIC rather than the kernel.)
>
> Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130627/a48f12b7/attachment.html

From seth at icir.org Thu Jun 27 11:17:10 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 27 Jun 2013 14:17:10 -0400
Subject: [Bro] Question about capture loss script vs.
broctl netstats
In-Reply-To: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
Message-ID:

On Jun 27, 2013, at 9:09 AM, Vern Paxson wrote:

> (Also, some kernels have bugs in how these
> statistics are captured, for example missing out on packets dropped by
> the NIC rather than the kernel.)

Since you're using a DAG card this could depend on what sort of flow splitting configuration you have in place there too.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From itsecderek at gmail.com Thu Jun 27 11:21:34 2013
From: itsecderek at gmail.com (Derek Banks)
Date: Thu, 27 Jun 2013 14:21:34 -0400
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To:
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
Message-ID:

Thanks for all the responses. I put an Intel Pro 1000 in this morning and am still using PF_Ring. In three hours of running Bro, I don't see any reported packet loss. Looks like the Broadcom card was most likely the problem.

-Derek

On Thu, Jun 27, 2013 at 2:17 PM, Seth Hall wrote:

>
> On Jun 27, 2013, at 9:09 AM, Vern Paxson wrote:
>
> > (Also, some kernels have bugs in how these
> > statistics are captured, for example missing out on packets dropped by
> > the NIC rather than the kernel.)
>
>
> Since you're using a DAG card this could depend on what sort of flow
> splitting configuration you have in place there too.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130627/b4e55906/attachment.html

From seth at icir.org Thu Jun 27 11:38:12 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 27 Jun 2013 14:38:12 -0400
Subject: [Bro] Question about capture loss script vs.
broctl netstats
In-Reply-To:
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
Message-ID:

On Jun 27, 2013, at 2:21 PM, Derek Banks wrote:

> Thanks for all the responses. I put an Intel Pro 1000 in this morning and am still using PF_Ring. In three hours of running Bro, I don't see any reported packet loss. Looks like the Broadcom card was most likely the problem.

Oh yeah, I would never use Broadcom for sniffing. I've had way too many problems with them.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From michal at rsbac.org Thu Jun 27 14:15:17 2013
From: michal at rsbac.org (Michal Purzynski)
Date: Thu, 27 Jun 2013 23:15:17 +0200
Subject: [Bro] Question about capture loss script vs. broctl netstats
In-Reply-To:
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU>
Message-ID: <51CCAB65.7000708@rsbac.org>

On 6/27/13 8:38 PM, Seth Hall wrote:
> On Jun 27, 2013, at 2:21 PM, Derek Banks wrote:
>
>> Thanks for all the responses. I put an Intel Pro 1000 in this morning and am still using PF_Ring. In three hours of running Bro, I don't see any reported packet loss. Looks like the Broadcom card was most likely the problem.
> Oh yeah, I would never use Broadcom for sniffing. I've had way too many problems with them.

Use Intel or ... use Intel. Too many stability problems with other vendors, and all of them resolved using X520.

Unless you can afford DAG or similar of course.

>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From kristoffer.bjork at gmail.com Sun Jun 30 15:25:47 2013
From: kristoffer.bjork at gmail.com (Kristoffer Björk)
Date: Mon, 1 Jul 2013 00:25:47 +0200
Subject: [Bro] Question about capture loss script vs.
broctl netstats
In-Reply-To: <51CCAB65.7000708@rsbac.org>
References: <20130627130908.B0E5A2C4002@rock.ICSI.Berkeley.EDU> <51CCAB65.7000708@rsbac.org>
Message-ID:

Myrinet seems to be pretty popular as well, so I would guess it works OK as well, or?

//Kristoffer

On Thu, Jun 27, 2013 at 11:15 PM, Michal Purzynski wrote:

> On 6/27/13 8:38 PM, Seth Hall wrote:
> > On Jun 27, 2013, at 2:21 PM, Derek Banks wrote:
> >
> >> Thanks for all the responses. I put an Intel Pro 1000 in this morning
> and am still using PF_Ring. In three hours of running Bro, I don't see any
> reported packet loss. Looks like the Broadcom card was most likely the
> problem.
> > Oh yeah, I would never use Broadcom for sniffing. I've had way too many
> problems with them.
> Use Intel or ... use Intel. Too many stability problems with other
> vendors, and all of them resolved using X520.
>
> Unless you can afford DAG or similar of course.
>
> >
> > .Seth
> >
> > --
> > Seth Hall
> > International Computer Science Institute
> > (Bro) because everyone has a network
> > http://www.bro.org/
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130701/3ab880c2/attachment.html

From krkhan at inspirated.com Sun Jun 30 18:23:08 2013
From: krkhan at inspirated.com (Kamran Khan)
Date: Sun, 30 Jun 2013 18:23:08 -0700
Subject: [Bro] Flow blocking with iptables from Bro
Message-ID:

To anyone who might be interested: I've posted a Bro module along with instructions for blocking traffic flows with a timeout (using iptables and bash): http://inspirated.com/2013/07/01/blocking-traffic-flows-selectively-with-a-timeout-from-bro-ids

(As a side note, this follows my earlier port of Bro on OpenWRT: http://inspirated.com/2012/12/10/bro-ids-on-openwrt )

Thanks,
--
Kamran Riaz Khan.
http://inspirated.com/
-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130630/b5691e21/attachment.html