From: seth at icir.org (Seth Hall)
Date: Wed, 1 May 2013 08:00:15 -0400
Subject: [Bro] XML-interface
Message-ID: <1CA2E50D-640A-431D-903E-268079DAEE1F@icir.org>

On May 1, 2013, at 2:57 AM, Shabbir Ahmed wrote:

> Actually I'm trying to run Bro on OpenWrt. We have successfully ported Bro to OpenWrt, but will Broccoli work on OpenWrt? Has anyone ported it to ...?

I suspect Broccoli should be very easy to build on OpenWrt.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From: seth at icir.org (Seth Hall)
Date: Wed, 1 May 2013 12:16:00 -0400
Subject: [Bro] #Bro IRC channel
Message-ID: <9ABE3DE9-CEE9-4BD5-8AF6-E621C569B30E@icir.org>

In case anyone has forgotten or didn't realize, we actually have a fairly sizable and active presence on the Freenode IRC network in the #Bro channel.

See you there!

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: carlopmart at gmail.com (C. L. Martinez)
Date: Fri, 3 May 2013 06:54:46 +0000
Subject: [Bro] broctl cron locks all bro processes

On Tue, Apr 30, 2013 at 5:55 AM, C. L. Martinez wrote:
>
> On Mon, Apr 29, 2013 at 3:25 PM, Daniel Thayer wrote:
>
>> On 04/29/2013 01:07 AM, C. L. Martinez wrote:
>>
>>> First of all, sorry for the late response. I have tried to run broctl
>>> cron manually and this is the error message:
>>>
>>>     warning: cannot get list of local IP addresses
>>>
>>> .. and I don't understand it ...
>>>
>>> Bro process runs as a root user ...
>>
>> The warning message you saw just means that a script
>> called "local-interfaces" failed for some reason.
>> Try running this script (replace <prefix> with the bro install
>> prefix directory that you are using):
>>
>>     <prefix>/share/broctl/scripts/local-interfaces
>>
>> and then immediately type "echo $?"
>
> Uhmm .. I do not know if this is correct.
>
>     root at nsm01:~# /opt/bro/share/broctl/scripts/local-interfaces
>     10.196.0.106
>     fe80::250:56ff:fe35:22bb
>     172.17.22.4
>     fe80::250:56ff:fe2c:47d
>     172.17.24.4
>     fe80::250:56ff:fe0e:6fd2
>     172.17.25.4
>     fe80::250:56ff:fe1d:a2db
>     fe80::250:56ff:fe1e:94f
>     ::1
>     fe80::1
>     127.0.0.1
>     root at nsm01:~# echo $?
>     0
>
> Please, any help??

From: zaafar.tahir at gmail.com (Zaafar Ahmed)
Date: Fri, 3 May 2013 18:17:12 +0500
Subject: [Bro] problem with creating listening socket in bro

Hello,

I was trying to create a listening socket in Bro via the communication framework ("base/frameworks/communication/main.bro"). I ran the above-mentioned script after adding a node to the nodes table, then I ran the netstat command to check whether any listening port (the default port) was open, but there isn't one. The following is the output of the communication.log file:

    1367582532.150345 bro parent - - - info raised pipe's socket buffer size from 224K to 1024K
    1367582532.150345 bro parent - - - info communication started, parent pid is 13482, child pid is 13484
    1367582538.673958 bro child - - - info selects=100000 canwrites=0 timeouts=100000
    1367582545.197614 bro child - - - info selects=200000 canwrites=0 timeouts=200000
    1367582551.720802 bro child - - - info selects=300000 canwrites=0 timeouts=300000
    1367582558.242728 bro child - - - info selects=400000 canwrites=0 timeouts=400000
    1367582564.762133 bro child - - - info selects=500000 canwrites=0 timeouts=500000

When I checked what the above-mentioned script was doing, it was calling the enable_communication function:

    function enable_communication%(%): any

Shouldn't that script also call the 'listen' function?

    function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool

Maybe that's the reason it isn't opening a listening port?

Regards,
zaafar

From: seth at icir.org (Seth Hall)
Date: Fri, 3 May 2013 10:20:23 -0400
Subject: [Bro] broctl cron locks all bro processes
Message-ID: <0AA0D4FF-A0C4-4F5A-9BF8-2409D5253984@icir.org>

On May 3, 2013, at 2:54 AM, C. L. Martinez wrote:

> Please, any help??

When you built Bro did you use any particular configure options or did you leave it all at the defaults?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From: seth at icir.org (Seth Hall)
Date: Fri, 3 May 2013 10:23:31 -0400
Subject: [Bro] problem with creating listening socket in bro
Message-ID: <0E3C5C44-6092-43FA-B1B3-597B2A1145FA@icir.org>

On May 3, 2013, at 9:17 AM, Zaafar Ahmed wrote:

> I was trying to create a listening socket in Bro via the communication framework ("base/frameworks/communication/main.bro"). I ran the above-mentioned script after adding a node to the nodes table

What did you put into the Communication::nodes table?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: carlopmart at gmail.com (C. L. Martinez)
Date: Fri, 3 May 2013 14:23:55 +0000
Subject: [Bro] broctl cron locks all bro processes
In-Reply-To: <0AA0D4FF-A0C4-4F5A-9BF8-2409D5253984@icir.org>

On Fri, May 3, 2013 at 2:20 PM, Seth Hall wrote:
>
> On May 3, 2013, at 2:54 AM, C. L. Martinez wrote:
>
>> Please, any help??
>
> When you built Bro did you use any particular configure options or did you
> leave it all at the defaults?
>
> .Seth

No, I use these ones:

    ./configure --prefix=/opt/bro --enable-perftools --disable-ruby --conf-files-dir=/data/config/etc/bro/conf --scriptdir=/data/config/etc/bro/scripts


From: seth at icir.org (Seth Hall)
Date: Fri, 3 May 2013 10:34:31 -0400
Subject: [Bro] broctl cron locks all bro processes

On May 3, 2013, at 10:23 AM, C. L. Martinez wrote:

> ./configure --prefix=/opt/bro --enable-perftools --disable-ruby --conf-files-dir=/data/config/etc/bro/conf --scriptdir=/data/config/etc/bro/scripts

Sounds like a bug then. Do you have an account in our ticket tracker?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: carlopmart at gmail.com (C. L. Martinez)
Date: Fri, 3 May 2013 14:35:45 +0000
Subject: [Bro] broctl cron locks all bro processes

On Fri, May 3, 2013 at 2:34 PM, Seth Hall wrote:
>
> On May 3, 2013, at 10:23 AM, C. L. Martinez wrote:
>
>> ./configure --prefix=/opt/bro --enable-perftools --disable-ruby
>> --conf-files-dir=/data/config/etc/bro/conf
>> --scriptdir=/data/config/etc/bro/scripts
>
> Sounds like a bug then. Do you have an account in our ticket tracker?
>
> .Seth

No.


From: seth at icir.org (Seth Hall)
Date: Fri, 3 May 2013 10:43:08 -0400
Subject: [Bro] broctl cron locks all bro processes
Message-ID: <7F35ABCB-0882-44AD-8984-F9C5495BBBD8@icir.org>

On May 3, 2013, at 10:35 AM, "C. L. Martinez" wrote:

> No.

Account details sent off-list.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: zaafar.tahir at gmail.com (Zaafar Ahmed)
Date: Fri, 3 May 2013 20:21:35 +0500
Subject: [Bro] problem with creating listening socket in bro
In-Reply-To: <0E3C5C44-6092-43FA-B1B3-597B2A1145FA@icir.org>

I added localhost.

    redef Communication::nodes += { ["localhost"] = [$host=127.0.0.1] };

ZAAFAR AHMED
POSTGRADUATE COMPUTER SCIENCE
NUCES ISLAMABAD
Telephone: 0092-51-5730135 | Email: zaafar.tahir at gmail.com

On Fri, May 3, 2013 at 7:23 PM, Seth Hall wrote:
>
> On May 3, 2013, at 9:17 AM, Zaafar Ahmed wrote:
>
>> I was trying to create a listening socket in Bro via the communication framework ("base/frameworks/communication/main.bro"). I ran the above-mentioned script after adding a node to the nodes table
>
> What did you put into the Communication::nodes table?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/


From: seth at icir.org (Seth Hall)
Date: Fri, 3 May 2013 11:39:14 -0400
Subject: [Bro] problem with creating listening socket in bro
Message-ID: <92C0A804-2A5D-4857-8277-0A916337EDF4@icir.org>

On May 3, 2013, at 11:21 AM, Zaafar Ahmed wrote:

> I added localhost.
> redef Communication::nodes += { ["localhost"] = [$host=127.0.0.1] };

You can refer to base/frameworks/cluster/setup-connections.bro if you want to see some examples of Communication::nodes being configured.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: zaafar.tahir at gmail.com (Zaafar Ahmed)
Date: Fri, 3 May 2013 20:58:16 +0500
Subject: [Bro] problem with creating listening socket in bro
In-Reply-To: <92C0A804-2A5D-4857-8277-0A916337EDF4@icir.org>

Thanks for pointing that out :)

Regards,
ZAAFAR AHMED
POSTGRADUATE COMPUTER SCIENCE
NUCES ISLAMABAD
Telephone: 0092-51-5730135 | Email: zaafar.tahir at gmail.com

On Fri, May 3, 2013 at 8:39 PM, Seth Hall wrote:
>
> On May 3, 2013, at 11:21 AM, Zaafar Ahmed wrote:
>
>> I added localhost.
>> redef Communication::nodes += { ["localhost"] = [$host=127.0.0.1] };
>
> You can refer to base/frameworks/cluster/setup-connections.bro if you want
> to see some examples of Communication::nodes being configured.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/


From: david at mandelberg.org (David Mandelberg)
Date: Fri, 03 May 2013 18:59:07 -0400
Subject: [Bro] processing all Notices

Hi,

Is there a good way to process all Notices without having any effect on the Notices? Something like "event new_notice(n: Notice::Info)" would be great.

(I'm trying to write a script to correlate multiple Notices and modify firewall rules as appropriate.)

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From: init.conf at gmail.com (Aashish SHARMA)
Date: Fri, 3 May 2013 16:57:53 -0700
Subject: [Bro] processing all Notices
Message-ID: <58987CB5-0343-4417-9120-5947CAA34F78@gmail.com>

[Not sure if my previous reply went through - resending]

Hello David:

I have a very simple script which counts the number of notices per source and generates another notice. The new notice can be an escalation to a different action (Action::EMAIL or ACTION::DROP etc).

Consider this version 0.1, but you will get a good idea from this. I want to include another threshold for generating a notice if N distinct notice_types per source are seen. Additionally, such heuristics can be extended further.

Policy file attached.

Aashish

-------------- next part --------------
A non-text attachment was scrubbed...
Name: notice_count.bro
Type: application/octet-stream
Size: 1789 bytes
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130503/6bacf2ff/attachment.obj
-------------- next part --------------

On May 3, 2013, at 3:59 PM, David Mandelberg wrote:

> Hi,
>
> Is there a good way to process all Notices without having any effect on
> the Notices? Something like "event new_notice(n: Notice::Info)" would be
> great.
>
> (I'm trying to write a script to correlate multiple Notices and modify
> firewall rules as appropriate.)
>
> --
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/

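An added example, not Aashish's attached notice_count.bro and not Bro's own Notice framework: a Python re-creation of the heuristic he describes, run offline over a constructed notice.log subset so the thresholds can be tried out before they become Bro policy. Besides the per-source count it implements the "N distinct notice types per source" threshold he mentions wanting, both evaluated inside a sliding time window. The reduced field layout (ts, src, note, msg), the threshold values, the window length and the ACTION_EMAIL / ACTION_DROP labels that stand in for Bro notice actions are all assumptions of the example.

```python
"""Offline re-creation of the "count notices per source, then escalate"
heuristic from the thread. Added example: not notice_count.bro and not
Bro's Notice framework. Reads constructed notice.log-style records and
reports which sources would be escalated, and why.
"""
from collections import defaultdict, deque

# Thresholds are assumptions chosen for the example, not values from the thread.
MAX_NOTICES_PER_SRC = 5         # this many notices from one source ...
MAX_DISTINCT_TYPES_PER_SRC = 3  # ... or this many distinct notice types ...
WINDOW_SECONDS = 600.0          # ... within this sliding window escalates

# Constructed notice.log subset: tab-separated with a Bro-style #fields header.
# Timestamps are made-up relative seconds; addresses are RFC 1918 placeholders.
SAMPLE_NOTICE_LOG = "\n".join([
    "#fields\tts\tsrc\tnote\tmsg",
    "1000.0\t10.0.0.5\tScan::Port_Scan\tconstructed",
    "1010.0\t10.0.0.5\tScan::Address_Scan\tconstructed",
    "1020.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1030.0\t10.0.0.5\tSSH::Password_Guessing\tconstructed",
    "1040.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1050.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1060.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1700.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1710.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1720.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1730.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
    "1740.0\t10.0.0.9\tSSH::Password_Guessing\tconstructed",
])


def parse_notice_log(text):
    """Yield (ts, src, note) from a Bro-style TSV that carries a #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        yield float(rec["ts"]), rec["src"], rec["note"]


class NoticeCorrelator:
    """Sliding-window counter of notices per source address."""

    def __init__(self, max_total=MAX_NOTICES_PER_SRC,
                 max_types=MAX_DISTINCT_TYPES_PER_SRC, window=WINDOW_SECONDS):
        self.max_total = max_total
        self.max_types = max_types
        self.window = window
        self.recent = defaultdict(deque)  # src -> deque of (ts, note) in window
        self.escalated = set()            # sources already escalated once

    def observe(self, ts, src, note):
        """Record one notice; return an escalation tuple or None."""
        q = self.recent[src]
        q.append((ts, note))
        while q and ts - q[0][0] > self.window:   # expire entries outside window
            q.popleft()
        if src in self.escalated:
            return None
        distinct = {n for _, n in q}
        # Example policy, not from the thread: diverse activity from one host is
        # treated as more serious than a high volume of a single notice type.
        if len(distinct) >= self.max_types:
            reason = "%d distinct notice types within %.0fs" % (len(distinct), self.window)
            action = "ACTION_DROP"
        elif len(q) >= self.max_total:
            reason = "%d notices within %.0fs" % (len(q), self.window)
            action = "ACTION_EMAIL"
        else:
            return None
        self.escalated.add(src)
        return (ts, src, reason, action)


def correlate(text, **thresholds):
    """Run the correlator over a notice.log text; return all escalations in order."""
    c = NoticeCorrelator(**thresholds)
    out = []
    for ts, src, note in parse_notice_log(text):
        hit = c.observe(ts, src, note)
        if hit:
            out.append(hit)
    return out


if __name__ == "__main__":
    for esc in correlate(SAMPLE_NOTICE_LOG):
        print("%.1f escalate %s: %s -> %s" % esc)
```

With the sample input, 10.0.0.5 is escalated on its third distinct notice type and 10.0.0.9 only once five notices fall inside one window; the four earlier SSH notices from 10.0.0.9 have aged out by the time the burst at 1700 starts, which is the behaviour a window is there to produce.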
From: ginsko3 at gmail.com (George Insko)
Date: Mon, 6 May 2013 16:55:27 -0400
Subject: [Bro] 10g Nic Cards

Hey guys,

Do you all have any recommendations on buying a NIC card? We are looking at purchasing a 10g NIC card for testing Bro at our edge. We currently only see about 3G/Sec of throughput.

Thanks for any help.

George Insko.


From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Mon, 06 May 2013 17:20:52 -0400
Subject: [Bro] 10g Nic Cards

An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130506/7859cba4/attachment.html


From: slagell at illinois.edu (Slagell, Adam J)
Date: Mon, 6 May 2013 21:35:25 +0000
Subject: [Bro] 10g Nic Cards
Message-ID: <558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu>

But you need to pay for the sniffing driver to really make use of them.

On May 6, 2013, at 3:20 PM, Harry Hoffman wrote:

Myricom seems to be the recommended card for pricing.

Cheers,
Harry

-------- Original Message --------
From: George Insko
Sent: Mon, May 6, 2013 04:55 PM
To: bro at bro.org
Subject: [Bro] 10g Nic Cards

Hey guys,

Do you all have any recommendations on buying a NIC card? We are looking at purchasing a 10g NIC card for testing Bro at our edge. We currently only see about 3G/Sec of throughput.

Thanks for any help.

George Insko.

------
Adam J. Slagell
Chief Information Security Officer
Sr. Research Scientist
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From: vladg at cmu.edu (Vlad Grigorescu)
Date: Mon, 6 May 2013 23:09:40 +0000
Subject: [Bro] 10g Nic Cards
In-Reply-To: <29364_1367876159_r46LZwLr003098_558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu>
Message-ID: <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu>

On May 6, 2013, at 5:35 PM, "Slagell, Adam J" wrote:

> But you need to pay for the sniffing driver to really make use of them.

This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver, and the price comes out to be just about the same as Myricom[1]. You can opt not to get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees; however, this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.

Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.

Hope that provides some insight into why we went with Myricom, at least.

--Vlad Grigorescu
Senior Information Security Engineer
Carnegie Mellon University

[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

From: michael.brandeis at ucr.edu (Michael Brandeis)
Date: Mon, 6 May 2013 23:33:53 +0000
Subject: [Bro] 10g Nic Cards
In-Reply-To: <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID: <2590BD399E5AA74D811796B5DAC9F43328ED16FE@EXCH-MBOX-2.exch.ucr.edu>

At UC Riverside we just purchased 6 cards from Silicom and did not have to pay for PF_RING or DNA licenses (cards are detected as PF_RING ready, no separate licensing required). Cost per dual 10G card with optics was right around $1k, so that may be roughly equivalent to buying a Myricom card plus license, but the costs and licensing are not wildly disparate from a University perspective. I haven't done a performance comparison vs Myricom, but we haven't had any performance issues here, nor has the setup been funky.

-michael

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vlad Grigorescu
Sent: Monday, May 06, 2013 4:10 PM
To: Slagell, Adam J
Cc: bro at bro.org
Subject: Re: [Bro] 10g Nic Cards

On May 6, 2013, at 5:35 PM, "Slagell, Adam J" wrote:

> But you need to pay for the sniffing driver to really make use of them.

This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver, and the price comes out to be just about the same as Myricom[1]. You can opt not to get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees; however, this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.

Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.

Hope that provides some insight into why we went with Myricom, at least.

--Vlad Grigorescu
Senior Information Security Engineer
Carnegie Mellon University

[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

From: andika at gmail.com (Andika Triwidada)
Date: Tue, 7 May 2013 07:43:59 +0700
Subject: [Bro] 10g Nic Cards

On Tue, May 7, 2013 at 3:55 AM, George Insko wrote:
> Hey guys,
>
> Do you all have any recommendations on buying a NIC card? We are looking
> at purchasing a 10g NIC card for testing Bro at our edge. We currently only
> see about 3G/Sec of throughput.

Do you mean you can generate traffic only up to 3 Gbps? I can only generate up to ~6 Gbps with a Broadcom NetXtreme BCM57711 on an IBM x3950 M2.

> Thanks for any help.
>
> George Insko.


From: seth at icir.org (Seth Hall)
Date: Tue, 7 May 2013 00:42:41 -0400
Subject: [Bro] 10g Nic Cards
In-Reply-To: <2590BD399E5AA74D811796B5DAC9F43328ED16FE@EXCH-MBOX-2.exch.ucr.edu>
Message-ID: <3698F91E-D3A9-4B65-BB3F-FCFB6A7F1C51@icir.org>

On May 6, 2013, at 7:33 PM, Michael Brandeis wrote:

> I haven't done a performance comparison vs Myricom, but we haven't had any performance issues here, nor has the setup been funky.

Would you mind going into more detail about what the configuration is like or pointing to docs? Are you actually using PF_RING+DNA?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Tue, 07 May 2013 07:04:00 -0400
Subject: [Bro] 10g Nic Cards

An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130507/3f5d4114/attachment.html


From: bregant2 at illinois.edu (Bob Bregant II)
Date: Tue, 7 May 2013 08:05:50 -0500
Subject: [Bro] 10g Nic Cards
Message-ID: <6cf58392-ab81-42ef-83dd-5ba4285a5e5e@email.android.com>

That was my impression as well (you know, because that's what it says on their website). Unfortunately, the last time I tried to get a 10 Gb DNA license for my Intel X520 NIC, I wound up getting bounced to a Silicom rep who wanted $500/interface. I pointed out the discrepancy and was told that this *was* the educational price and that because the 10 Gb DNA driver development had been subsidized by Silicom, Luca had no choice in the matter. This was on March 7 of this year.

If you can get by without DNA (which provides a definite performance boost) or are using a slower interface, maybe you won't run into this. It sounds like it might not be an issue if you buy your cards from Silicom, either. But do be aware that at present there are configurations that can wind up hitting you with that kind of hidden cost, which may wind up favoring another vendor. Hopefully, Silicom will change their minds on this.

--
Bob Bregant II
Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign

Harry Hoffman wrote:

>I believe the pf_ring stuff is free for .edu usage :-)
>
>-------- Original Message --------
>From: Vlad Grigorescu
>Sent: Mon, May 6, 2013 07:09 PM
>To: Slagell, Adam J
>CC: bro at bro.org
>Subject: Re: [Bro] 10g Nic Cards
>
>On May 6, 2013, at 5:35 PM, "Slagell, Adam J" wrote:
>
>> But you need to pay for the sniffing driver to really make use of them.
>
>This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver, and the price comes out to be just about the same as Myricom[1]. You can opt not to get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees; however, this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.
>
>Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.
>
>Hope that provides some insight into why we went with Myricom, at least.
>
>--Vlad Grigorescu
>Senior Information Security Engineer
>Carnegie Mellon University
>
>[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.
From: michael.brandeis at ucr.edu (Michael Brandeis)
Date: Tue, 7 May 2013 16:43:06 +0000
Subject: [Bro] 10g Nic Cards
In-Reply-To: <3698F91E-D3A9-4B65-BB3F-FCFB6A7F1C51@icir.org>
Message-ID: <2590BD399E5AA74D811796B5DAC9F43328ED18F2@EXCH-MBOX-2.exch.ucr.edu>

Yes, I can write something up. I am currently setting up some elasticsearch servers to test bro's elasticsearch output and to test using logstash+elasticsearch as a replacement for our syslog servers. I'll work on writing up some details on everything.

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Monday, May 06, 2013 9:43 PM
To: Michael Brandeis
Cc: Vlad Grigorescu; Slagell, Adam J; bro at bro.org
Subject: Re: [Bro] 10g Nic Cards

On May 6, 2013, at 7:33 PM, Michael Brandeis wrote:

> I haven't done a performance comparison vs Myricom, but we haven't had any performance issues here, nor has the setup been funky.

Would you mind going into more detail about what the configuration is like or pointing to docs? Are you actually using PF_RING+DNA?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From: david at mandelberg.org (David Mandelberg)
Date: Tue, 07 May 2013 13:16:54 -0400
Subject: [Bro] processing all Notices
In-Reply-To: <58987CB5-0343-4417-9120-5947CAA34F78@gmail.com>
Message-ID: <93abe9f8ed1c43ef698e6edb246965fe@mail.mandelberg.org>

On Fri, 3 May 2013 16:57:53 -0700, Aashish SHARMA wrote:
> [Not sure if my previous reply went through - resending]
>
> Hello David:
>
> I have a very simple script which counts the number of notices per source and
> generates another notice. The new notice can be an escalation to a different
> action (Action::EMAIL or ACTION::DROP etc).
>
> Consider this version 0.1, but you will get a good idea from this. I want
> to include another threshold for generating a notice if N distinct
> notice_types per source are seen. Additionally, such heuristics can be
> extended further.
>
> Policy file attached.
>
> Aashish

Thanks!

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 8 May 2013 19:36:35 +0000
Subject: [Bro] Confused about bro pf_ring support
In-Reply-To: <2590BD399E5AA74D811796B5DAC9F43328ED18F2@EXCH-MBOX-2.exch.ucr.edu>

I just tried pf_ring with the latest Bro. The following is the worker node entry in node.cfg:

    [worker-1]
    type=worker
    host=ids.tacc.utexas.edu.
    interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
    lb_method=pf_ring
    lb_procs=4

When I look at the conn.log file I find entries like the following:

    1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
    1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3

I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that a worker saw all traffic for a flow.

I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.

Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?

Bill Jones

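Bill's two conn.log rows are the signature of a flow that was not pinned to one worker: the same 5-tuple, one UID per worker. The following added example (not Bro or broctl code) checks a conn.log excerpt for exactly that, using the two rows from the message plus one constructed row for a connection that stayed on a single worker. It generalizes a little: the key is direction-independent, because a worker that only sees the reply half of a connection may log the true responder as the originator, and the letter case of the history column (upper case for originator events, lower case for responder events) is used to report which side each worker saw. Column positions follow the 21-column layout of the rows above, with the worker name in the trailing peer column.

```python
"""Find connections that conn.log attributes to more than one worker.
Added example, not part of Bro or broctl. Records are whitespace-separated
conn.log rows whose last column is the worker (peer) name, as in the thread.
"""
from collections import defaultdict

# Input: the two conn.log rows posted in the thread plus one constructed row
# (uid CONSTRUCTED1, RFC 1918 addresses) for a connection seen by one worker only.
SAMPLE_CONN_LOG = """\
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
1368039520.000000 CONSTRUCTED1 10.0.0.7 51000 10.0.0.8 80 tcp http 1.500000 300 1200 SF F 0 ShADadFf 6 620 5 1460 (empty) worker-1-2
"""


def parse_conn_log(text):
    """Return one dict per data row with just the columns this check needs."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 21:
            continue
        records.append({
            "uid": f[1],
            "orig": (f[2], int(f[3])),
            "resp": (f[4], int(f[5])),
            "proto": f[6],
            "history": f[14],
            "worker": f[-1],
        })
    return records


def flow_key(rec):
    """Direction-independent key: sort the two endpoints so a row in which Bro
    picked the other side as originator still maps to the same connection."""
    a, b = sorted([rec["orig"], rec["resp"]])
    return (a, b, rec["proto"])


def sides_seen(history):
    """Upper-case history letters are originator events, lower-case are
    responder events; return the set of sides a worker observed."""
    return {"orig" if ch.isupper() else "resp" for ch in history if ch.isalpha()}


def find_split_flows(records):
    """Map each connection logged by more than one worker to
    {worker: "orig", "resp" or "orig+resp"}."""
    by_flow = defaultdict(lambda: defaultdict(set))
    for rec in records:
        by_flow[flow_key(rec)][rec["worker"]].update(sides_seen(rec["history"]))
    return {
        flow: {w: "+".join(sorted(s)) or "none" for w, s in workers.items()}
        for flow, workers in by_flow.items() if len(workers) > 1
    }


if __name__ == "__main__":
    split = find_split_flows(parse_conn_log(SAMPLE_CONN_LOG))
    for (a, b, proto), workers in split.items():
        print("%s:%d <-> %s:%d/%s seen by %s" % (a[0], a[1], b[0], b[1], proto, workers))
    if not split:
        print("no connection was split across workers")
```

Run after a configuration change against a fresh slice of conn.log, an empty result is the quick confirmation that the load balancer is keeping each flow on one worker; a non-empty one shows, per worker, whether it saw one direction or both, which narrows down where the split happens.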
From: jessebowling at gmail.com (Jesse Bowling)
Date: Wed, 8 May 2013 15:45:55 -0400
Subject: [Bro] Confused about bro pf_ring support

Hi Bill,

I configured my PF_RING enabled workers like:

    [worker-1]
    type=worker
    host=10.10.10.10
    interface=p2p1\;p2p2\;p2p3\;p2p4
    lb_method=pf_ring
    lb_procs=8

...I also had to make a change I referenced on-list:

***********************
So while this apparently fixes my issue:

--- control.py 2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py 2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@ for (addr, interface) in hosts.keys(): node = hosts[addr, interface] - capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"] + capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"] # Unfinished feature: only consider a particular MAC. Works here for capstats # but Bro config is not adapted currently so we disable it for now.

I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation...
***********************

I'm not sure if that has been changed in the main distro however... Might be best to double check that file if you find your broctl cron jobs failing... :)

Cheers,

Jesse

On Wed, May 8, 2013 at 3:36 PM, William Jones wrote:
> I just tried PF_RING with the latest Bro. The following is the worker
> node entry in node.cfg:
>
> [worker-1]
> type=worker
> host=ids.tacc.utexas.edu.
> interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
> lb_method=pf_ring
> lb_procs=4
>
> When I look at the conn.log file I find entries like the
> following:
>
> 1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
> 1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
>
> I thought that pf_ring hashed flows so that the same flow always went to the
> same worker, so that one worker saw all the traffic for a flow.
>
> I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port
> LACP pair off two taps.
>
> Is there anyone else using taps with pf_ring? If so, do you see anything
> wrong with my config?
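Review bot: the `+` line quotes the interface by hand, `'"' + interface + '"'`, which only has an effect if this argv list is later joined into a string and run through a shell; handed to a subprocess as a list it would make capstats receive an interface named literally `"p2p1;p2p2;p2p3;p2p4"`, quotes included. Since the value comes straight from node.cfg and with PF_RING contains `;`, which a shell reads as a command separator, the list-to-shell path is the one that needs care, and double quotes still leave a `"`, `$` or backquote inside a name to be interpreted. Quoting with `pipes.quote(interface)` (Python 2; `shlex.quote` on Python 3) at the point where the command string is built escapes every shell metacharacter, and a one-line comment there saying why the interface name is not a plain token would spare the next reader the surprise the follow-up text describes.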
> Bill Jones
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Jesse Bowling

From jones at tacc.utexas.edu Wed May 8 13:47:32 2013
From: jones at tacc.utexas.edu (William Jones)
Date: Wed, 8 May 2013 20:47:32 +0000
Subject: [Bro] Confused about bro pf_ring support
In-Reply-To:
References: <29364_1367876159_r46LZwLr003098_558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu> <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu> <2590BD399E5AA74D811796B5DAC9F43328ED16FE@EXCH-MBOX-2.exch.ucr.edu> <3698F91E-D3A9-4B65-BB3F-FCFB6A7F1C51@icir.org> <2590BD399E5AA74D811796B5DAC9F43328ED18F2@EXCH-MBOX-2.exch.ucr.edu>
Message-ID:

I changed my interface line to match yours. Now I don't see any entries in /proc/net/pf_ring/ that indicate that pf_ring is active. I should see an entry like the following for each open device: 8115-p1p1.667.9. Could you check your system's /proc/net/pf_ring and see whether you are really using pf_ring?

From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support

Hi Bill,

I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1\;p2p2\;p2p3\;p2p4
lb_method=pf_ring
lb_procs=8

...I also had to make a change I referenced on-list:

***********************
So while this apparently fixes my issue:

--- control.py 2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py 2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@ for (addr, interface) in hosts.keys(): node = hosts[addr, interface] - capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"] + capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"] # Unfinished feature: only consider a particular MAC. Works here for capstats # but Bro config is not adapted currently so we disable it for now. I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation... *********************** I'm not sure if that has been changed in the main distro however...Might be best to double check that file if you find your broctl cron jobs failing... :) Cheers, Jesse On Wed, May 8, 2013 at 3:36 PM, William Jones > wrote: I just tried pf ring with the lasts bro. The following is the worker node entry in node.cfg: [worker-1] type=worker host=ids.tacc.utexas.edu. interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667 lb_method=pf_ring lb_procs=4 When a look at the conn.log file if find the following entries like the following: 1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1 1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3 I though that pf_ring hash flows so that the same flow always went to the same worker so that a worker saw all traffic for flow. I am using two dual port intel 520 nick to read packets from 10 GigE two port lacp pair off two taps. Is there anyone elese using taps with pf_ring. If so do you see anything wrong with my config? 
Bill Jones

--
Jesse Bowling

From jones at tacc.utexas.edu Thu May 9 09:08:46 2013
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 9 May 2013 16:08:46 +0000
Subject: [Bro] Confused about bro pf_ring support
In-Reply-To:
References: <29364_1367876159_r46LZwLr003098_558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu> <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu> <2590BD399E5AA74D811796B5DAC9F43328ED16FE@EXCH-MBOX-2.exch.ucr.edu> <3698F91E-D3A9-4B65-BB3F-FCFB6A7F1C51@icir.org> <2590BD399E5AA74D811796B5DAC9F43328ED18F2@EXCH-MBOX-2.exch.ucr.edu>
Message-ID:

Thanks for correcting me on the right way to specify multiple interfaces when using pf_ring. It resolved my issue with flows showing up in multiple workers.

Thanks

From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Wednesday, May 08, 2013 2:46 PM
To: William Jones
Cc: bro at bro.org
Subject: Re: [Bro] Confused about bro pf_ring support

Hi Bill,

I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1\;p2p2\;p2p3\;p2p4
lb_method=pf_ring
lb_procs=8

...I also had to make a change I referenced on-list:

***********************
So while this apparently fixes my issue:

--- control.py 2013-02-13 12:08:00.514656601 -0500
+++ control_mod.py 2013-02-13 12:09:38.382663593 -0500
@@ -808,7 +808,7 @@ for (addr, interface) in hosts.keys(): node = hosts[addr, interface] - capstats = [config.Config.capstatspath, "-i", interface, "-I", str(interval), "-n", "1"] + capstats = [config.Config.capstatspath, "-i", '"' + interface + '"', "-I", str(interval), "-n", "1"] # Unfinished feature: only consider a particular MAC. Works here for capstats # but Bro config is not adapted currently so we disable it for now. I cannot speak to how this might affect others, the system in general, or where else this issue might crop up. I suspect that anywhere that involves bash + interface names is likely to suffer unexpected results due to this PF_RING style invocation... *********************** I'm not sure if that has been changed in the main distro however...Might be best to double check that file if you find your broctl cron jobs failing... :) Cheers, Jesse On Wed, May 8, 2013 at 3:36 PM, William Jones > wrote: I just tried pf ring with the lasts bro. The following is the worker node entry in node.cfg: [worker-1] type=worker host=ids.tacc.utexas.edu. interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667 lb_method=pf_ring lb_procs=4 When a look at the conn.log file if find the following entries like the following: 1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1 1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3 I though that pf_ring hash flows so that the same flow always went to the same worker so that a worker saw all traffic for flow. I am using two dual port intel 520 nick to read packets from 10 GigE two port lacp pair off two taps. Is there anyone elese using taps with pf_ring. If so do you see anything wrong with my config? 
Bill Jones

--
Jesse Bowling

From nicolas.retrain at cea.fr Wed May 15 01:35:25 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Wed, 15 May 2013 10:35:25 +0200
Subject: [Bro] binpac documentation
Message-ID: <519348CD.3070800@cea.fr>

Hi,

I saw a bug in the socks analyzer. I want to fix it, but unfortunately I don't speak binpac. Is there documentation on it? (http://www.bro.org/development/howtos/binpac-sample-analyzer.html is not sufficient.)

thanks,
Nicolas

From Eric.Asselin at usherbrooke.ca Wed May 15 01:44:53 2013
From: Eric.Asselin at usherbrooke.ca (Eric Asselin)
Date: Wed, 15 May 2013 10:44:53 +0200
Subject: [Bro] binpac documentation
In-Reply-To: <519348CD.3070800@cea.fr>
References: <519348CD.3070800@cea.fr>
Message-ID: <51934B05.8050706@usherbrooke.ca>

Hi,

This is the original paper: http://www.icir.org/robin/papers/imc06.pdf

Eric

On 13-05-15 10:35, nicolas.retrain at cea.fr wrote:
> Hi,
> I saw a bug in the socks analyzer. I want to fix it, but unfortunately I
> don't speak binpac. Is there documentation on it?
> (http://www.bro.org/development/howtos/binpac-sample-analyzer.html is
> not sufficient).
>
> thanks,
> Nicolas

From seth at icir.org Wed May 15 05:33:49 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 15 May 2013 08:33:49 -0400
Subject: [Bro] binpac documentation
In-Reply-To: <519348CD.3070800@cea.fr>
References: <519348CD.3070800@cea.fr>
Message-ID:

On May 15, 2013, at 4:35 AM, nicolas.retrain at cea.fr wrote:

> I saw a bug in the socks analyzer. I want to fix it, but unfortunately I
> don't speak binpac. Is there documentation on it?
> (http://www.bro.org/development/howtos/binpac-sample-analyzer.html is
> not sufficient).

What's the bug?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From nicolas.retrain at cea.fr Wed May 15 05:52:38 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Wed, 15 May 2013 14:52:38 +0200
Subject: [Bro] binpac documentation
In-Reply-To:
References: <519348CD.3070800@cea.fr>
Message-ID: <51938516.5040601@cea.fr>

>> I saw a bug in the socks analyzer. I want to fix it, but unfortunately I
>> don't speak binpac. Is there documentation on it?
>> (http://www.bro.org/development/howtos/binpac-sample-analyzer.html is
>> not sufficient).
>
> What's the bug?
>
> .Seth

It appears when using username authentication with SOCKS 5.

After the client and the server have chosen username authentication, the client has to send the following packet:

Client request (RFC 1929):

   +----+------+----------+------+----------+
   |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
   +----+------+----------+------+----------+
   | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
   +----+------+----------+------+----------+

Here the first byte must be 0x1: it specifies the version of the authentication mechanism, not the SOCKS version (0x5) as in all the other packets. However, in socks-protocol.pac the type SOCKS_Version never parses data if the first byte is 0x1, and it goes to an error:

   type SOCKS_Version(is_orig: bool) = record {
       version: uint8;
       msg: case version of {
           4       -> socks4_msg:     SOCKS4_Message(is_orig);
           5       -> socks5_msg:     SOCKS5_Message(is_orig);
           default -> socks_msg_fail: SOCKS_Version_Error(version);
       };
   };

--
Nicolas

From seth at icir.org Wed May 15 06:16:07 2013
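The state-dependent parse that the report above calls for, as an added example written for this archive (it is not Bro's or binpac's code): a Python parser of the SOCKS5 handshake that remembers the negotiated method, so the RFC 1929 sub-negotiation, whose first byte is the auth-protocol version 0x01, is recognised instead of being dispatched as an unknown SOCKS version. classify_by_version_byte mirrors the dispatch in the SOCKS_Version record and shows where it fails; Socks5Session is the corrected, stateful form. The exchange is constructed, with message lengths chosen to match the 5/2/11/2/10/10-byte data segments of the trace posted later in this thread; the usernames, addresses and ports in it are made up.

```python
"""SOCKS5 handshake parsing where the expected message depends on negotiated
state (added example with a constructed exchange; not Bro/binpac code)."""

import struct

METHOD_NO_AUTH, METHOD_USERPASS = 0x00, 0x02
SOCKS_VERSION, RFC1929_VERSION = 0x05, 0x01


def classify_by_version_byte(data):
    """Mirror of the SOCKS_Version dispatch: only 4 and 5 are known versions,
    so the RFC 1929 sub-negotiation (first byte 0x01) lands in the failure branch."""
    if not data:
        raise ValueError("empty message")
    version = data[0]
    if version in (4, 5):
        return ("socks%d_msg" % version, version)
    return ("socks_msg_fail", version)


class Socks5Session:
    """Tracks which message comes next; is_orig=True means client -> server."""

    def __init__(self):
        self.state = "greeting"
        self.method = None

    def feed(self, is_orig, data):
        return getattr(self, "_parse_" + self.state)(is_orig, data)

    def _expect(self, data, version, is_orig, want_orig):
        if is_orig != want_orig:
            raise ValueError("unexpected direction in state " + self.state)
        if len(data) < 2 or data[0] != version:
            raise ValueError("bad version byte in state " + self.state)

    def _parse_greeting(self, is_orig, data):
        self._expect(data, SOCKS_VERSION, is_orig, True)
        if len(data) != 2 + data[1]:
            raise ValueError("greeting length mismatch")
        self.state = "method_select"
        return {"type": "greeting", "methods": list(data[2:])}

    def _parse_method_select(self, is_orig, data):
        self._expect(data, SOCKS_VERSION, is_orig, False)
        if len(data) != 2:
            raise ValueError("method selection length mismatch")
        self.method = data[1]
        # Only username/password (0x02) has a sub-negotiation before the request.
        self.state = "auth_request" if self.method == METHOD_USERPASS else "request"
        return {"type": "method_select", "method": self.method}

    def _parse_auth_request(self, is_orig, data):
        # RFC 1929: VER(=0x01) ULEN UNAME PLEN PASSWD. VER is the auth-protocol
        # version, which is why a SOCKS-version dispatch rejects this message.
        self._expect(data, RFC1929_VERSION, is_orig, True)
        ulen = data[1]
        if len(data) < 3 + ulen or len(data) != 3 + ulen + data[2 + ulen]:
            raise ValueError("auth request length mismatch")
        uname = data[2:2 + ulen].decode("utf-8", "replace")
        self.state = "auth_response"
        # Keep only the password length: a parser that logs must not retain the secret.
        return {"type": "auth_request", "username": uname, "password_len": data[2 + ulen]}

    def _parse_auth_response(self, is_orig, data):
        self._expect(data, RFC1929_VERSION, is_orig, False)
        if len(data) != 2:
            raise ValueError("auth response length mismatch")
        self.state = "request" if data[1] == 0 else "closed"
        return {"type": "auth_response", "status": data[1]}

    def _parse_request(self, is_orig, data):
        self._expect(data, SOCKS_VERSION, is_orig, True)
        host, port = self._parse_addr(data)
        self.state = "reply"
        return {"type": "request", "cmd": data[1], "host": host, "port": port}

    def _parse_reply(self, is_orig, data):
        self._expect(data, SOCKS_VERSION, is_orig, False)
        host, port = self._parse_addr(data)
        self.state = "relay"
        return {"type": "reply", "status": data[1], "host": host, "port": port}

    @staticmethod
    def _parse_addr(data):
        """ATYP at offset 3, address at offset 4, then a 2-byte port."""
        if len(data) < 6:
            raise ValueError("request/reply too short")
        atyp, off = data[3], 4
        if atyp == 1:    # IPv4
            host, off = ".".join(str(b) for b in data[off:off + 4]), off + 4
        elif atyp == 3:  # length-prefixed domain name
            n = data[off]
            host, off = data[off + 1:off + 1 + n].decode("ascii", "replace"), off + 1 + n
        elif atyp == 4:  # IPv6
            host, off = data[off:off + 16].hex(), off + 16
        else:
            raise ValueError("unknown address type %d" % atyp)
        if len(data) != off + 2:
            raise ValueError("request/reply length mismatch")
        return host, struct.unpack("!H", data[off:off + 2])[0]


# Constructed exchange as (is_orig, bytes); lengths 5/2/11/2/10/10.
SAMPLE_EXCHANGE = [
    (True,  bytes([0x05, 0x03, 0x00, 0x01, 0x02])),                    # greeting, 3 methods
    (False, bytes([0x05, 0x02])),                                      # server picks user/pass
    (True,  bytes([0x01, 0x04]) + b"user" + bytes([0x04]) + b"pass"),  # RFC 1929 request
    (False, bytes([0x01, 0x00])),                                      # auth success
    (True,  bytes([0x05, 0x01, 0x00, 0x01, 10, 0, 0, 5]) + struct.pack("!H", 22)),       # CONNECT
    (False, bytes([0x05, 0x00, 0x00, 0x01, 192, 168, 0, 2]) + struct.pack("!H", 1080)),  # reply
]


def parse_exchange(exchange=SAMPLE_EXCHANGE):
    session = Socks5Session()
    return [session.feed(is_orig, data) for is_orig, data in exchange]


if __name__ == "__main__":
    for _, data in SAMPLE_EXCHANGE:
        print(classify_by_version_byte(data))
    for msg in parse_exchange():
        print(msg)
```

The difference between the two approaches is where the version byte is interpreted: the naive classifier decides from the byte alone, while the session parser only accepts 0x01 in the two states where RFC 1929 says it can appear, so a stray 0x01 in any other position is still reported as an error rather than silently accepted.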
From: seth at icir.org (Seth Hall)
Date: Wed, 15 May 2013 09:16:07 -0400
Subject: [Bro] binpac documentation
In-Reply-To: <51938516.5040601@cea.fr>
References: <519348CD.3070800@cea.fr> <51938516.5040601@cea.fr>
Message-ID: <86D414EA-E3F2-4BCD-B787-371237799F1B@icir.org>

On May 15, 2013, at 8:52 AM, nicolas.retrain at cea.fr wrote:

> It appears when using username authentication with SOCKS 5.
>
> After the client and the server have chosen username authentication, the client has to send the following packet:

Do you have a trace file that exhibits the issue? It would be helpful to have a file we could add to our test suite to make sure this issue gets fixed and stays fixed. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From mscox42 at gmail.com Wed May 15 10:22:54 2013
From: mscox42 at gmail.com (Michael Cox)
Date: Wed, 15 May 2013 12:22:54 -0500
Subject: [Bro] any ArcSight users?
Message-ID:

Anyone feeding Bro logs to ArcSight? If so, could you ping me back, please? We can take it off-list.

I'm having issues with their connector. I know... talk to the vendor... but that's not always as fruitful as one would like to think.

Thanks,
Michael

From seth at icir.org Wed May 15 10:36:36 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 15 May 2013 13:36:36 -0400
Subject: [Bro] any ArcSight users?
In-Reply-To:
References:
Message-ID: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>

On May 15, 2013, at 1:22 PM, Michael Cox wrote:

> Anyone feeding Bro logs to ArcSight? If so, could you ping me back, please? We can take it off-list.

Sounds worthwhile, please keep it on list!

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From brad.doctor at gmail.com Wed May 15 11:28:11 2013
From: brad.doctor at gmail.com (Brad Doctor)
Date: Wed, 15 May 2013 12:28:11 -0600
Subject: [Bro] any ArcSight users?
In-Reply-To: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

Yup - a flex connector is your answer.

-brad

On Wed, May 15, 2013 at 11:36 AM, Seth Hall wrote:
>
> On May 15, 2013, at 1:22 PM, Michael Cox wrote:
>
>> Anyone feeding Bro logs to ArcSight? If so, could you ping me back,
>> please? We can take it off-list.
>
> Sounds worthwhile, please keep it on list!
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

From mscox42 at gmail.com Wed May 15 11:47:15 2013
From: mscox42 at gmail.com (Michael Cox)
Date: Wed, 15 May 2013 13:47:15 -0500
Subject: [Bro] any ArcSight users?
In-Reply-To:
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

Did you try their canned "Bro IDS NG" connector? "NG" is their way of saying v2.1.

It parses OK, but I'm having issues with log rotation. Could you share your agent.properties file for the rotation options?

Thanks again,
Michael

On Wed, May 15, 2013 at 1:28 PM, Brad Doctor wrote:
> yup - a flex connector is your answer.
> -brad
>
>
> On Wed, May 15, 2013 at 11:36 AM, Seth Hall wrote:
>
>>
>> On May 15, 2013, at 1:22 PM, Michael Cox wrote:
>>
>>> Anyone feeding Bro logs to ArcSight? If so, could you ping me back,
>>> please? We can take it off-list.
>>
>> Sounds worthwhile, please keep it on list!
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/

From brad.doctor at gmail.com Wed May 15 11:50:26 2013
From: brad.doctor at gmail.com (Brad Doctor)
Date: Wed, 15 May 2013 12:50:26 -0600
Subject: [Bro] any ArcSight users?
In-Reply-To:
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

We did, but as we customize our format, it didn't work. And we have a lot of sensors reporting in via syslog forwarding, so the flexconnector was the most reliable way to do this. Syslog subagent, basically.

-brad

On Wed, May 15, 2013 at 12:47 PM, Michael Cox wrote:
> Did you try their canned "Bro IDS NG" connector? "NG" is their way of
> saying v2.1.
>
> It parses OK, but I'm having issues with log rotation. Could you share
> your agent.properties file for the rotation options?
>
> Thanks again,
> Michael
>
>
> On Wed, May 15, 2013 at 1:28 PM, Brad Doctor wrote:
>
>> yup - a flex connector is your answer.
>> -brad
>>
>>
>> On Wed, May 15, 2013 at 11:36 AM, Seth Hall wrote:
>>
>>>
>>> On May 15, 2013, at 1:22 PM, Michael Cox wrote:
>>>
>>>> Anyone feeding Bro logs to ArcSight? If so, could you ping me back,
>>>> please? We can take it off-list.
>>>
>>> Sounds worthwhile, please keep it on list!
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/

From seth at icir.org Wed May 15 12:02:08 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 15 May 2013 15:02:08 -0400
Subject: [Bro] any ArcSight users?
In-Reply-To:
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

On May 15, 2013, at 2:50 PM, Brad Doctor wrote:

> We did, but as we customize our format, it didn't work. And we have a lot of sensors reporting in via syslog forwarding, so the flexconnector was the most reliable way to do this. Syslog subagent, basically.

What do you mean you customize your format?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From brad.doctor at gmail.com Wed May 15 12:08:26 2013
From: brad.doctor at gmail.com (Brad Doctor)
Date: Wed, 15 May 2013 13:08:26 -0600
Subject: [Bro] any ArcSight users?
In-Reply-To:
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

In the .bro files, some changes have been made to the format to better suit our needs. As such, that completely breaks the ArcSight connector.

On Wed, May 15, 2013 at 1:02 PM, Seth Hall wrote:
>
> On May 15, 2013, at 2:50 PM, Brad Doctor wrote:
>
>> We did, but as we customize our format, it didn't work. And we have a
>> lot of sensors reporting in via syslog forwarding, so the flexconnector was
>> the most reliable way to do this. Syslog subagent, basically.
>
> What do you mean you customize your format?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

From mscox42 at gmail.com Wed May 15 12:37:03 2013
From: mscox42 at gmail.com (Michael Cox)
Date: Wed, 15 May 2013 14:37:03 -0500
Subject: [Bro] any ArcSight users?
In-Reply-To:
References: <766567F1-7462-48B4-B844-8A82A0A29816@icir.org>
Message-ID:

I made a quick flex connector (file reader) for just the http.log as a test. It all works fine, and it handles file rotation without the problems I am seeing with the canned connector. There's a handy function built into the flex connector, _createLocalTimeStampFromSecondsSinceEpoch(), to convert the time to a format that ESM can deal with. Everything else was very simple and straightforward.

Hopefully the thread will help someone else.

Regards,
Michael

On Wed, May 15, 2013 at 2:08 PM, Brad Doctor wrote:
> In the .bro files, some changes have been made to the format to better
> suit our needs. As such, that completely breaks the ArcSight connector.
>
>
> On Wed, May 15, 2013 at 1:02 PM, Seth Hall wrote:
>
>>
>> On May 15, 2013, at 2:50 PM, Brad Doctor wrote:
>>
>>> We did, but as we customize our format, it didn't work. And we have a
>>> lot of sensors reporting in via syslog forwarding, so the flexconnector was
>>> the most reliable way to do this. Syslog subagent, basically.
>>
>> What do you mean you customize your format?
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/

From nicolas.retrain at cea.fr Thu May 16 02:28:41 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Thu, 16 May 2013 11:28:41 +0200
Subject: [Bro] TCP PUSH flag
In-Reply-To: <86D414EA-E3F2-4BCD-B787-371237799F1B@icir.org>
References: <519348CD.3070800@cea.fr> <51938516.5040601@cea.fr> <86D414EA-E3F2-4BCD-B787-371237799F1B@icir.org>
Message-ID: <5194A6C9.70703@cea.fr>

Hi,

I am still investigating the SOCKS bug. In addition to the version byte problem, I noticed that only data from the client is delivered by DeliverStream, which is strange. So I took a look at my use case trace, and it appears that the TCP connection uses the PUSH flag. How does Bro deal with the PUSH flag? Could the problem come from this?

Here is the TCP flow of my test case:

              (Client)                            (Socks server)
 Time         192.168.0.1                         192.168.0.2
 0.000000     SYN                                 Seq = 0
              (55951) ------------------> (1080)
 0.000063     SYN, ACK                            Seq = 0 Ack = 1
              (55951) <------------------ (1080)
 0.000923     ACK                                 Seq = 1 Ack = 1
              (55951) ------------------> (1080)
 0.069237     PSH, ACK - Len: 5                   Seq = 1 Ack = 1
              (55951) ------------------> (1080)
 0.069282     ACK                                 Seq = 1 Ack = 6
              (55951) <------------------ (1080)
 0.212734     PSH, ACK - Len: 2                   Seq = 1 Ack = 6
              (55951) <------------------ (1080)
 0.213192     ACK                                 Seq = 6 Ack = 3
              (55951) ------------------> (1080)
 0.213561     PSH, ACK - Len: 11                  Seq = 6 Ack = 3
              (55951) ------------------> (1080)
 0.213583     ACK                                 Seq = 3 Ack = 17
              (55951) <------------------ (1080)
 0.216805     PSH, ACK - Len: 2                   Seq = 3 Ack = 17
              (55951) <------------------ (1080)
 0.217095     PSH, ACK - Len: 10                  Seq = 17 Ack = 5
              (55951) ------------------> (1080)
 0.222837     PSH, ACK - Len: 10                  Seq = 5 Ack = 27
              (55951) <------------------ (1080)

Nicolas

From tyler.schoenke at colorado.edu Thu May 16 14:19:21 2013
From: tyler.schoenke at colorado.edu (Tyler Schoenke)
Date: Thu, 16 May 2013 15:19:21 -0600
Subject: [Bro] 10g Nic Cards
In-Reply-To: <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <29364_1367876159_r46LZwLr003098_558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu> <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID: <51954D59.2070304@colorado.edu>

We were pricing out 64 cores (4 x 16-core AMD processors). Does anyone know if the Myricoms can support load balancing to 64 cores? I recall the 32 core limit for PF_RING.

Tyler

--
Tyler Schoenke
Network Security Program Manager
IT Security Office
University of Colorado at Boulder

On 5/6/13 5:09 PM, Vlad Grigorescu wrote:
> On May 6, 2013, at 5:35 PM, "Slagell, Adam J" wrote:
>
>> But you need to pay for the sniffing driver to really make use of them.
>
> This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver and the price comes out to be just about the same as Myricom[1]. You can opt to not get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees, however this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.
>
> Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.
>
> Hope that provides some insight into why we went with Myricom, at least.
>
> --Vlad Grigorescu
> Senior Information Security Engineer
> Carnegie Mellon University
>
> [1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

From klehigh at iupui.edu Thu May 16 17:12:20 2013
From: klehigh at iupui.edu (Keith Lehigh)
Date: Thu, 16 May 2013 20:12:20 -0400
Subject: [Bro] 10g Nic Cards
In-Reply-To: <51954D59.2070304@colorado.edu>
References: <29364_1367876159_r46LZwLr003098_558D23D33781EF45A69229CDAC6BF15110FFD51F@CITESMBX6.ad.uillinois.edu> <1202BE242E080642B0CD0AD0A03E8552BBFDA0@PGH-MSGMB-03.andrew.ad.cmu.edu> <51954D59.2070304@colorado.edu>
Message-ID: <20130517001220.5FE28C0057@rijndael.uits.iupui.edu>

32 rings per adapter according to this [1]

- Keith

[1] https://www.myricom.com/software/sniffer10g/470-what-is-the-maximum-number-of-rings-supported-by-sniffer10g.html

> We were pricing out 64 cores (4 x 16-core AMD processors). Does anyone know
> if the Myricoms can support load balancing to 64 cores? I recall the
> 32 core limit for PF_RING.
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Program Manager
> IT Security Office
> University of Colorado at Boulder
>
>
> On 5/6/13 5:09 PM, Vlad Grigorescu wrote:
>> On May 6, 2013, at 5:35 PM, "Slagell, Adam J" wrote:
>>
>>> But you need to pay for the sniffing driver to really make use of them.
>>
>> This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver and the price comes out to be just about the same as Myricom[1]. You can opt to not get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees, however this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.
>>
>> Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.
>>
>> Hope that provides some insight into why we went with Myricom, at least.
>>
>> --Vlad Grigorescu
>> Senior Information Security Engineer
>> Carnegie Mellon University
>>
>> [1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

From vern at icir.org Tue May 21 22:44:32 2013
From: vern at icir.org (Vern Paxson)
Date: Tue, 21 May 2013 22:44:32 -0700
Subject: [Bro] TCP PUSH flag
In-Reply-To: <5194A6C9.70703@cea.fr> (Thu, 16 May 2013 11:28:41 +0200).
Message-ID: <20130522054432.A9CFA2C4003@rock.ICSI.Berkeley.EDU>

> H flag. How does BRO deal
> with PUSH flag? Could the problem come from this?

It ignores it, so the problem is something else.

Vern

From nicolas.retrain at cea.fr Thu May 23 02:16:24 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Thu, 23 May 2013 11:16:24 +0200
Subject: [Bro] TCP PUSH flag
In-Reply-To: <20130522054432.A9CFA2C4003@rock.ICSI.Berkeley.EDU>
References: <20130522054432.A9CFA2C4003@rock.ICSI.Berkeley.EDU>
Message-ID: <519DDE68.20302@cea.fr>

On 22/05/2013 07:44, Vern Paxson wrote:
>> H flag. How does BRO deal
>> with PUSH flag? Could the problem come from this?
> It ignores it, so the problem is something else.
>
> Vern

I figured it out: it was a bad TCP checksum due to tcpdump (http://sokratisg.net/2012/04/01/udp-tcp-checksum-errors-from-tcpdump-nic-hardware-offloading/). I corrected the checksums with "tcprewrite -i input.cap -o output.cap -C", and now Bro seems to work fine :)

Nicolas

From seth at icir.org Thu May 23 06:07:01 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 23 May 2013 09:07:01 -0400
Subject: [Bro] TCP PUSH flag
In-Reply-To: <519DDE68.20302@cea.fr>
References: <20130522054432.A9CFA2C4003@rock.ICSI.Berkeley.EDU> <519DDE68.20302@cea.fr>
Message-ID: <27FA00A4-7199-4AF7-A211-9DBFADF3C07B@icir.org>

On May 23, 2013, at 5:16 AM, nicolas.retrain at cea.fr wrote:

> I figured it out: it was a bad TCP checksum due to tcpdump (http://sokratisg.net/2012/04/01/udp-tcp-checksum-errors-from-tcpdump-nic-hardware-offloading/). I corrected the checksums with "tcprewrite -i input.cap -o output.cap -C", and now Bro seems to work fine :)

Were you using the 2.1 release or a build from our git repository? There is a reporter warning (that now prints to stderr if you're running the bro binary directly) that should indicate if your tracefile has bad checksums. I've been caught by that problem quite a few times myself before realizing that I had bad checksums.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From nicolas.retrain at cea.fr Thu May 23 06:20:46 2013
From: nicolas.retrain at cea.fr (nicolas.retrain at cea.fr)
Date: Thu, 23 May 2013 15:20:46 +0200
Subject: [Bro] TCP PUSH flag
In-Reply-To: <27FA00A4-7199-4AF7-A211-9DBFADF3C07B@icir.org>
References: <20130522054432.A9CFA2C4003@rock.ICSI.Berkeley.EDU> <519DDE68.20302@cea.fr> <27FA00A4-7199-4AF7-A211-9DBFADF3C07B@icir.org>
Message-ID: <519E17AE.20404@cea.fr>

On 23/05/2013 15:07, Seth Hall wrote:
> On May 23, 2013, at 5:16 AM, nicolas.retrain at cea.fr wrote:
>
>> I figured it out: it was a bad TCP checksum due to tcpdump (http://sokratisg.net/2012/04/01/udp-tcp-checksum-errors-from-tcpdump-nic-hardware-offloading/). I corrected the checksums with: "tcprewrite -i input.cap -o output.cap -C" so Bro seems to work fine :)
> Were you using the 2.1 release or a build from our git repository? There is a reporter warning (that now prints to stderr if you're running the bro binary directly) that should indicate if your tracefile has bad checksums. I've been caught by that problem quite a few times myself before realizing that I had bad checksums.

Actually, I was using the 2.1. I also tried the build from git, which helped me to discover bad checksums thanks to the warning.

Nicolas

> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From James.Richards at wisconsin.gov Thu May 23 14:16:36 2013
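The thread above boils down to one check: whether the TCP checksums in a trace are valid, or were left unfilled by NIC offloading before tcpdump saw the packets. The following is an added example (not Bro, tcpdump or tcprewrite code) that recomputes TCP checksums over a classic pcap and counts the bad ones; the trace, addresses and ports it uses are constructed inline.

```python
"""Audit a pcap for bad TCP checksums, the NIC-offload symptom discussed in the thread.
Added example; not Bro, tcprewrite or tcpdump code. The sample trace is constructed inline."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_ipv4_tcp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                   payload: bytes, good_checksum: bool = True) -> bytes:
    """Construct an IPv4/TCP packet. With good_checksum=False the TCP checksum is left at
    zero, which is what a capture on a host with checksum offloading typically records."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if good_checksum:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + seg


def build_pcap(packets: List[bytes]) -> bytes:
    """Wrap IPv4 packets in Ethernet frames inside a classic (non-pcapng) pcap container."""
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    for i, pkt in enumerate(packets):
        frame = eth + pkt
        out += struct.pack("!IIII", 1369000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_ipv4(data: bytes) -> Iterator[bytes]:
    """Yield the IPv4 packet from every Ethernet record of a classic pcap, either byte order."""
    order = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            yield frame[14:]


def check_tcp_checksum(packet: bytes) -> Optional[Tuple[int, int]]:
    """Return (stored, computed) TCP checksum for an IPv4/TCP packet, or None if it is not TCP."""
    if packet[9] != 6:  # IPv4 protocol field: 6 is TCP
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = packet[ihl:total_len]
    stored = struct.unpack("!H", seg[16:18])[0]
    return stored, tcp_checksum(packet[12:16], packet[16:20], seg)


def audit_pcap(data: bytes) -> Dict[str, int]:
    """Count TCP packets and how many carry a wrong checksum. A trace where nearly every
    packet sent by the capturing host is bad points at offloading, not at the network."""
    counts = {"tcp": 0, "bad": 0}
    for pkt in iter_pcap_ipv4(data):
        result = check_tcp_checksum(pkt)
        if result is None:
            continue
        counts["tcp"] += 1
        if result[0] != result[1]:
            counts["bad"] += 1
    return counts


if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    trace = build_pcap([
        build_ipv4_tcp(a, b, 40000, 80, b"hello"),
        build_ipv4_tcp(a, b, 40001, 80, b"hello", good_checksum=False),
    ])
    print(audit_pcap(trace))  # {'tcp': 2, 'bad': 1}
```

Running it over a real capture (read the file into `audit_pcap`) tells you before handing the trace to Bro whether you need the `tcprewrite -C` step from the thread.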
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 23 May 2013 16:16:36 -0500
Subject: [Bro] cannot create working directory
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>

Good afternoon,

I am new to Bro, and have been trying to google around for some information. I am hoping one of you may have run into this before.

Our bro system stopped updating a bit ago, and when I go into the manager console and attempt to start things up, I get "cannot create working directory" error messages for the nodes.

Have any of you run into this? It looks like it should be fairly straightforward, but I am very new to the system, and the specific installation of it.

Jim

From jlay at slave-tothe-box.net Thu May 23 14:23:37 2013
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 23 May 2013 15:23:37 -0600
Subject: [Bro] cannot create working directory
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>

On 2013-05-23 15:16, Richards, James L - DOA wrote:
> Good afternoon,
>
> I am new to Bro, and have been trying to google around for some
> information. I am hoping one of you may have run into this before.
>
> Our bro system stopped updating a bit ago, and when I go into the
> manager console and attempt to start things up, I get "cannot create
> working directory" error messages for the nodes.
>
> Have any of you run into this? It looks like it should be fairly
> straightforward, but I am very new to the system, and the specific
> installation of it.
>
> Jim

First guess, full file system. Linux?

df -h

should get you space available numbers.

James

From Keith_Schoenefeld at baylor.edu Thu May 23 14:25:57 2013
From: Keith_Schoenefeld at baylor.edu (Schoenefeld, Keith P.)
Date: Thu, 23 May 2013 21:25:57 +0000
Subject: [Bro] cannot create working directory
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>

Are you running commands as the correct user?

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University
254-710-6667
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Richards, James L - DOA
Sent: Thursday, May 23, 2013 4:17 PM
To: bro at bro.org
Subject: [Bro] cannot create working directory

Good afternoon,

I am new to Bro, and have been trying to google around for some information. I am hoping one of you may have run into this before.

Our bro system stopped updating a bit ago, and when I go into the manager console and attempt to start things up, I get "cannot create working directory" error messages for the nodes.

Have any of you run into this? It looks like it should be fairly straightforward, but I am very new to the system, and the specific installation of it.

Jim

From James.Richards at wisconsin.gov Thu May 23 14:31:08 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Thu, 23 May 2013 16:31:08 -0500
Subject: [Bro] cannot create working directory
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119857@MEWMAD0PC01G02.accounts.wistate.us>

I am checking that out, because that would make perfect sense.

Thanks much!

From: Schoenefeld, Keith P. [mailto:Keith_Schoenefeld at baylor.edu]
Sent: Thursday, May 23, 2013 4:26 PM
To: Richards, James L - DOA; bro at bro.org
Subject: RE: cannot create working directory

Are you running commands as the correct user?

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University
254-710-6667
From JerryChampion at synovus.com Fri May 24 08:56:53 2013
From: JerryChampion at synovus.com (Champion,Jerry)
Date: Fri, 24 May 2013 15:56:53 +0000
Subject: [Bro] Installation Issue

I am getting a "Dependency is not satisfiable: libc6(<2.12)" error message.

[attached screenshot: image001.png]

I have run the required dependency:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev

But I have version 2.17

[attached screenshot: image002.png]

Can someone assist me with this?

VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589

From jazoff at albany.edu Fri May 24 09:22:04 2013
From: jazoff at albany.edu (Azoff, Justin)
Date: Fri, 24 May 2013 16:22:04 +0000
Subject: [Bro] Installation Issue

Install build-essential?

"Champion,Jerry" wrote:

I am getting a "Dependency is not satisfiable: libc6(<2.12)" error message.

[attached screenshot: image001.png]

I have run the required dependency:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev

But I have version 2.17

[attached screenshot: image002.png]

Can someone assist me with this?

VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589

From seth at icir.org Fri May 24 09:22:42 2013
From: seth at icir.org (Seth Hall)
Date: Fri, 24 May 2013 12:22:42 -0400
Subject: [Bro] Installation Issue

On May 24, 2013, at 11:56 AM, "Champion,Jerry" wrote:
> I am getting a "Dependency is not satisfiable: libc6(<2.12)" error message.

What version of Ubuntu are you running? It's possible that our .deb was built for an older version.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From JAzoff at albany.edu Fri May 24 10:45:26 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Fri, 24 May 2013 13:45:26 -0400
Subject: [Bro] Installation Issue
Message-ID: <20130524174526.GT32624@datacomm.albany.edu>

On Fri, May 24, 2013 at 04:22:04PM +0000, Azoff, Justin wrote:
> Install build-essential?

Disregard... I thought you were building bro.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From James.Richards at wisconsin.gov Fri May 24 12:46:21 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 24 May 2013 14:46:21 -0500
Subject: [Bro] cannot create working directory
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E1198BB@MEWMAD0PC01G02.accounts.wistate.us>

Well...

It doesn't look like a permissions issue: all files are bro:bro, and the broctl.sh script looks to be running as bro.

Plenty of space on the drives.

It has been suggested that I take this as an opportunity to install the latest version of bro on the nodes. I have a couple of questions:

On Ubuntu, can I run the command to install the binaries? Is this recommended, or should I compile? Any advantage/risk to either method?

Do I need to update the broctl machine as well? That one is running more than just Bro, so I cannot take it down at will.

Thanks much,

Jim

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Thursday, May 23, 2013 4:24 PM
To: bro at bro.org
Subject: Re: [Bro] cannot create working directory

On 2013-05-23 15:16, Richards, James L - DOA wrote:
> Good afternoon,
>
> I am new to Bro, and have been trying to google around for some
> information. I am hoping one of you may have run into this before.
>
> Our bro system stopped updating a bit ago, and when I go into the
> manager console and attempt to start things up, I get "cannot create
> working directory" error messages for the nodes.
>
> Have any of you run into this? It looks like it should be fairly
> straightforward, but I am very new to the system, and the specific
> installation of it.
>
> Jim

First guess, full file system. Linux?

df -h

should get you space available numbers.

James

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From wraquel at illinois.edu Fri May 24 12:48:43 2013
From: wraquel at illinois.edu (Warren Raquel)
Date: Fri, 24 May 2013 14:48:43 -0500
Subject: [Bro] cannot create working directory
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E1198BB@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E1198BB@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <519FC41B.1050409@illinois.edu>

You're not out of inodes, are you?

df -i

-Warren

On 5/24/13 2:46 PM, Richards, James L - DOA wrote:
> Well...
>
> It doesn't look like a permissions issue: all files are bro:bro,
> and the broctl.sh script looks to be running as bro.
>
> Plenty of space on the drives.
>
> It has been suggested that I take this as an opportunity to install
> the latest version of bro on the nodes. I have a couple of
> questions:
>
> On Ubuntu, can I run the command to install the binaries? Is this
> recommended, or should I compile? Any advantage/risk to either
> method?
>
> Do I need to update the broctl machine as well? That one is
> running more than just Bro, so I cannot take it down at will.
>
> Thanks much,
>
> Jim

-- 
Warren Raquel
Incident Response and Security Team Lead
National Center for Supercomputing Applications
+1 (217) 333-2876
PGP Fingerprint: F88E 960B 6193 A3ED 0BB2 45C7 7DF9 57DB 6DCF 34C1

From dnthayer at illinois.edu Fri May 24 13:06:00 2013
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Fri, 24 May 2013 15:06:00 -0500
Subject: [Bro] cannot create working directory
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E1198BB@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us> <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E1198BB@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <519FC828.3060806@illinois.edu>

Are you getting the error message for only one node, or more than one? Did you verify that you can connect to the affected nodes, and that each node has plenty of free disk space? You could try (make sure you get output from every node):

"broctl df"

On 05/24/2013 02:46 PM, Richards, James L - DOA wrote:
> Well...
>
> It doesn't look like a permissions issue: all files are bro:bro, and the broctl.sh script looks to be running as bro.
>
> Plenty of space on the drives.
>
> It has been suggested that I take this as an opportunity to install the latest version of bro on the nodes. I have a couple of questions:
>
> On Ubuntu, can I run the command to install the binaries? Is this recommended, or should I compile? Any advantage/risk to either method?
>
> Do I need to update the broctl machine as well? That one is running more than just Bro, so I cannot take it down at will.
>
> Thanks much,
>
> Jim

From JAzoff at albany.edu Fri May 24 14:03:15 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Fri, 24 May 2013 17:03:15 -0400
Subject: [Bro] cannot create working directory
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119855@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <20130524210315.GW32624@datacomm.albany.edu>

On Thu, May 23, 2013 at 04:16:36PM -0500, Richards, James L - DOA wrote:
> Our bro system stopped updating a bit ago, and when I go into the manager
> console and attempt to start things up, I get "cannot create working directory"
> error messages for the nodes.

Have you tried this?

broctl stop
broctl cleanup
broctl install
broctl check
broctl restart

Apparently that error comes from "mkdir -p" failing to make the spool directory. You can find what that is by running

broctl config | grep spooldir

so for whatever reason it is failing (or at least thinking it is failing) to mkdir -p spooldir/worker-name. cleanup+install may fix things though (unless you are really out of inodes).

broctl doesn't show stderr from the mkdir command, so logging into the worker node and running mkdir -p manually might conclusively show why this isn't working.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From James.Richards at wisconsin.gov Tue May 28 09:17:22 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Tue, 28 May 2013 11:17:22 -0500
Subject: [Bro] waiting for lock
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E11994F@MEWMAD0PC01G02.accounts.wistate.us>

Sorry for being such a newbie, but...

In broctl, when issuing a cleanup -all, I get a message 'waiting for lock'; a parade of periods follows, then a 'cannot get lock' message which kicks me out of broctl.

Is this perhaps a communication issue involving the shared secret/open ssh?

James Richards

From James.Richards at wisconsin.gov Tue May 28 09:25:59 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Tue, 28 May 2013 11:25:59 -0500
Subject: [Bro] waiting for lock
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E11994F@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E11994F@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119954@MEWMAD0PC01G02.accounts.wistate.us>

Never mind on this last query. I had no sooner submitted it than my brain must have finally become caffeinated enough to figure it out. :)

James Richards
From James.Richards at wisconsin.gov Wed May 29 08:51:40 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Wed, 29 May 2013 10:51:40 -0500
Subject: [Bro] Getting status from broctl
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119A26@MEWMAD0PC01G02.accounts.wistate.us>

When I am in the broctl console, issuing a status results in the following: (could this be giving me other grief as well?)

[BroControl] > status
Name         Type         Host         Status        Pid    Peers  Started
Traceback (most recent call last):
  File "/usr/local/bro/bin/broctl", line 905, in
    loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % Version)
  File "/usr/lib/python2.7/cmd.py", line 142, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "/usr/local/bro/bin/broctl", line 289, in do_status
    control.status(nodes)
  File "/usr/local/bro-20130502/lib/broctl/BroControl/control.py", line 512, in status
    statuses = dict([(n.name, success and output[0].split()[0].lower() or "???") for (n, success, output) in statuses])
IndexError: list index out of range
abnormal termination, saving state ...

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From JAzoff at albany.edu Wed May 29 09:08:59 2013
From: JAzoff at albany.edu (Justin Azoff)
Date: Wed, 29 May 2013 12:08:59 -0400
Subject: [Bro] Getting status from broctl
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119A26@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119A26@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <20130529160859.GC32624@datacomm.albany.edu>

On Wed, May 29, 2013 at 10:51:40AM -0500, Richards, James L - DOA wrote:
> When I am in the broctl console, issuing a status results in the following:
> (could this be giving me other grief as well?)

This is probably related to your other issues..

> statuses = dict([(n.name, success and output[0].split()[0].lower() or "???")
>     for (n, success, output) in statuses])

the status command just grabs the first word of the output of cat /path/to/worker/.status.. like..

root at sec2:~# cat /var/spool/bro/worker-sec2-3/.status
RUNNING [net_run]

that's failing for you for some reason..

-- 
-- Justin Azoff
-- Network Security & Performance Analyst

From slagell at illinois.edu Fri May 31 10:45:30 2013
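The expression quoted in the traceback raises IndexError in exactly two situations: `cat .status` returned no line at all, or it returned a blank line. The following added example (not broctl's code; the per-node outputs are constructed) runs that expression and a tolerant equivalent over both cases, so the traceback can be read back as "which node has an empty or missing .status file".

```python
"""Why broctl's status parse can raise IndexError, and a tolerant equivalent.
Added example, not broctl code; the node outputs below are constructed."""
from typing import Dict, List, Tuple

# Constructed sample of what `cat /path/to/node/.status` produced on each node:
# (ssh_succeeded, stdout_lines). A healthy node prints "RUNNING [net_run]".
SAMPLE_RESULTS: Dict[str, Tuple[bool, List[str]]] = {
    "worker-1": (True, ["RUNNING [net_run]"]),
    "worker-2": (True, [""]),    # .status exists but is empty: one blank line
    "worker-3": (True, []),      # .status missing: cat printed nothing on stdout
    "worker-4": (False, ["ssh: connect to host worker-4 port 22: Connection refused"]),
}


def status_word_naive(success: bool, output: List[str]) -> str:
    """The expression from the traceback: first word of the first line of output."""
    return success and output[0].split()[0].lower() or "???"


def status_word_tolerant(success: bool, output: List[str]) -> str:
    """Same intent, but a missing or blank first line maps to '???' instead of raising."""
    if not success or not output:
        return "???"
    words = output[0].split()
    return words[0].lower() if words else "???"


def collect_statuses(results: Dict[str, Tuple[bool, List[str]]]) -> Tuple[Dict[str, str], List[str]]:
    """Return the name -> status map broctl wants, plus the nodes the naive parse chokes on."""
    statuses, choking = {}, []
    for name, (success, output) in results.items():
        try:
            status_word_naive(success, output)
        except IndexError:  # output[0] on [], or [""][0].split()[0] on a blank line
            choking.append(name)
        statuses[name] = status_word_tolerant(success, output)
    return statuses, choking


if __name__ == "__main__":
    statuses, choking = collect_statuses(SAMPLE_RESULTS)
    print(statuses)  # {'worker-1': 'running', 'worker-2': '???', 'worker-3': '???', 'worker-4': '???'}
    print("nodes with an empty or missing .status:", choking)  # ['worker-2', 'worker-3']
```

Note that a node the ssh step cannot reach (worker-4) never raises: `success` is False, so the naive expression short-circuits to "???"; the traceback therefore means the connection worked and the .status file itself is the problem.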
From: slagell at illinois.edu (Slagell, Adam J)
Date: Fri, 31 May 2013 17:45:30 +0000
Subject: [Bro] A chance to play on a 100+ GB Bro playground, and call it work
In-Reply-To: <777E8D3E-52A0-46AF-AF4C-0457FC234524@illinois.edu>
References: <777E8D3E-52A0-46AF-AF4C-0457FC234524@illinois.edu>
Message-ID: <558D23D33781EF45A69229CDAC6BF1511106BC1B@CITESMBX6.ad.uillinois.edu>

We're still looking for at least one more person, and so we have re-opened the search.

On Apr 2, 2013, at 2:14 PM, Adam J. Slagell wrote:
> We are looking for some new security engineers & analysts at the NCSA [1], a part of the University of Illinois at Urbana-Champaign. This person will be on the team responsible for day-to-day security operations, performing incident response, and running some really innovative technologies.
>
> Bro experience is a highly desired skill for us. Bro is a key part of our security infrastructure, where we currently use it to monitor two dozen 10G links, with plans to add another 100G link and more.
>
> If you are interested, you can follow the link below to apply.
>
> [1] http://www.ncsa.illinois.edu/AboutUs/Employment/A1300136.html

------

Adam J. Slagell
Chief Information Security Officer
Sr. Research Scientist
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From dkovar at gmail.com Fri May 31 10:59:53 2013
From: dkovar at gmail.com (David Kovar)
Date: Fri, 31 May 2013 12:59:53 -0500
Subject: [Bro] A chance to play on a 100+ GB Bro playground, and call it work
In-Reply-To: <558D23D33781EF45A69229CDAC6BF1511106BC1B@CITESMBX6.ad.uillinois.edu>
References: <777E8D3E-52A0-46AF-AF4C-0457FC234524@illinois.edu> <558D23D33781EF45A69229CDAC6BF1511106BC1B@CITESMBX6.ad.uillinois.edu>
Message-ID: <67576648-6802-4653-AD1A-4F76B3729128@gmail.com>

Greetings,

I had an opportunity to visit with Adam and his team at the NCSA. They're great people to work with and they're working on some *very* interesting problems. This would be an amazing job for many people.

If you're thinking "Central Illinois? No way!" you should reconsider. I moved out here from the SF Bay Area. It was a bit of a shock, but one adapts, and the C-U area has a lot going for it.

-David

On May 31, 2013, at 12:45 PM, "Slagell, Adam J" wrote:
> We're still looking for at least one more person, and so we have re-opened the search.
>
> On Apr 2, 2013, at 2:14 PM, Adam J. Slagell wrote:
>
>> We are looking for some new security engineers & analysts at the NCSA [1], a part of the University of Illinois at Urbana-Champaign. This person will be on the team responsible for day-to-day security operations, performing incident response, and running some really innovative technologies.
>>
>> Bro experience is a highly desired skill for us. Bro is a key part of our security infrastructure, where we currently use it to monitor two dozen 10G links, with plans to add another 100G link and more.
>>
>> If you are interested, you can follow the link below to apply.
>>
>> [1] http://www.ncsa.illinois.edu/AboutUs/Employment/A1300136.html
>
> ------
>
> Adam J. Slagell
> Chief Information Security Officer
> Sr. Research Scientist
> National Center for Supercomputing Applications
> University of Illinois at Urbana-Champaign
> www.slagell.info

From James.Richards at wisconsin.gov Fri May 31 13:16:59 2013
From: James.Richards at wisconsin.gov (Richards, James L - DOA)
Date: Fri, 31 May 2013 15:16:59 -0500
Subject: [Bro] My continuing lock file issue
Message-ID: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119C09@MEWMAD0PC01G02.accounts.wistate.us>

So, I have now reinstalled bro completely (from source; there is a dependency issue with libc with the binary install), wiped the nodes clean and rebuilt all directories, and established the ssh connections for the bro user.

When I go into broctl I am still getting the cannot get lock issue.

I do notice that when I go into /usr/local/bro/spool, I get some files showing up being owned by root, and it doesn't seem it should be.

drwxr-xr-x 4 bro  bro  4096 May 31 11:35 .
drwxr-xr-x 9 bro  bro  4096 May 31 11:33 ..
-rw-r--r-- 1 root root   82 May 31 11:35 broctl.dat
drwxr-xr-x 2 bro  bro  4096 May 31 11:33 scripts
-rw-r--r-- 1 root root  445 May 31 11:35 stats.log
drwxr-xr-x 2 bro  bro  4096 May 31 11:33 tmp

James Richards
Office of Security
Wisconsin Department of Administration
608.224.3880

From robin at icir.org Fri May 31 15:02:17 2013
From: robin at icir.org (Robin Sommer)
Date: Fri, 31 May 2013 15:02:17 -0700
Subject: [Bro] My continuing lock file issue
In-Reply-To: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119C09@MEWMAD0PC01G02.accounts.wistate.us>
References: <25CF1A45B56CE94DA4F129EDCDFD8D2B02927E119C09@MEWMAD0PC01G02.accounts.wistate.us>
Message-ID: <20130531220217.GN54508@icir.org>

On Fri, May 31, 2013 at 15:16 -0500, Richards, James L - DOA wrote:
> I do notice that when I go into /usr/local/bro/spool, I get some files
> showing up being owned by root, and it doesn't seem it should be.

Just a guess: is "broctl cron" executed from the system crontab?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin