From dunc at nturnbull.com Thu May 1 01:24:59 2014
From: dunc at nturnbull.com (dunc at nturnbull.com)
Date: Thu, 1 May 2014 09:24:59 +0100
Subject: [Bro] SIP
Message-ID: <20140501082459.GB14548@dunca.members.linode.com>

Hi,

Having searched the mailing list I have found a few references to a SIP analyzer based on BinPAC being available. Does anyone on the list have a copy they could send me?

Thanks & Regards
Duncan Turnbull
dunc at nturnbull.com


From seth at icir.org Thu May 1 05:31:34 2014
From: seth at icir.org (Seth Hall)
Date: Thu, 1 May 2014 08:31:34 -0400
Subject: [Bro] SIP
In-Reply-To: <20140501082459.GB14548@dunca.members.linode.com>
References: <20140501082459.GB14548@dunca.members.linode.com>

On May 1, 2014, at 4:24 AM, dunc at nturnbull.com wrote:

> Having searched the mailing list I have found a few references to a SIP analyzer based on BinPAC being available,
>
> Does anyone on the list have a copy they could send me?

    git clone --recursive git://git.bro.org/bro
    git checkout topic/vladg/sip
    ./configure
    make

Have fun. Please report your experiences if you test it! This is not going into the upcoming 2.3 release because it's still being tested by a few people and we're in feature freeze for 2.3.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From dunc at nturnbull.com Thu May 1 07:16:30 2014
From: dunc at nturnbull.com (dunc at nturnbull.com)
Date: Thu, 1 May 2014 15:16:30 +0100
Subject: [Bro] SIP
In-Reply-To: <20140501082459.GB14548@dunca.members.linode.com>
Message-ID: <20140501141630.GC14548@dunca.members.linode.com>

Unfortunately my SIP is TCP not UDP, which the TODO file says is currently unsupported. Is this an easy change to make to the analyzer?

Thanks
Duncan Turnbull
dunc at nturnbull.com


From nate at nullbyte.net Thu May 1 10:05:19 2014
From: nate at nullbyte.net (nate)
Date: Thu, 01 May 2014 12:05:19 -0500
Subject: [Bro] Duplication of packets and UID's
Message-ID: <53627ECF.4040704@nullbyte.net>

My Bro setup is part of Security Onion, but they recommended coming to Bro for assistance. Another user on the SO mailing list reported similar problems (https://groups.google.com/forum/#!topic/security-onion/7x27uKttByM).
I've sent this email twice already, but the attachment is apparently too large and a mod needs to approve it, which hasn't happened for almost two weeks. So this will be sent without the sostat attachment.

This is running on Ubuntu 12.4.4 w/ the older 3.8 kernel (as specified in Security Onion install). Bro version is 2.2. Let me know what additional information to provide.

===============================

We've run into a very strange occurrence with our SO and Bro setup. We're seeing duplicated log entries that are mere microseconds apart. This is a standalone setup. So we have two specific issues.

======
Problem #1

From our log, lines 837 & 838:

    <13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115680 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
    <13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115695 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F

Note the UID: CPxjB93OPbytcuTF3

Now, lines 1130-1133:

    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F

The same UID, but 10 seconds apart from the first events. As well, notice that lines 1132 and 1133 are exact duplicates of lines 1130 and 1131.
Even the timestamps are the same (which puts them out of order as they're duplicated: .115700 -> .115704 -> .115700 -> .115704).

1. Why are lines 837 & 838 duplicates of each other, with different time stamps?
2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 1133), with the same timestamps?
3. Why do both sections of packets, 10 seconds apart, have the same UID?

======
Problem #2

Same file, lines 1081 - 1102 are this line:

    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067969.888173 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 _zuul1000207._udp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F

It repeats 22 times, each with a unique timestamp, separated only by microseconds.

Immediately following these 22 lines is this line:

    <13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.062631 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 - - - - - - - F F F F 0 - - F

Which occurs from 1103 - 1124. Exactly the same, but different timestamps, separated only by microseconds.

Why was the same event captured multiple times, at different microseconds, and logged each time?

======
Conclusion:

Are the above issues a performance problem? Do we need to increase/decrease the number of instances of Bro? Do we need to do some other kind of tuning? Is this just a completely one-off problem?

These are not the only occurrences of these two problems. There are hundreds of duplicated packets with the same timestamps, or duplicated packets with timestamps only separated by microseconds.

What in the world is going on?


From seth at icir.org Thu May 1 11:03:59 2014
From: seth at icir.org (Seth Hall)
Date: Thu, 1 May 2014 14:03:59 -0400
Subject: [Bro] Duplication of packets and UID's
In-Reply-To: <53627ECF.4040704@nullbyte.net>
References: <53627ECF.4040704@nullbyte.net>
Message-ID: <3A410770-849B-4E55-BDD8-8D4E70534AC7@icir.org>

On May 1, 2014, at 1:05 PM, nate wrote:

> 1. Why are lines 837 & 838 duplicates of each other, with different time stamps?

I believe this might be a bug that we have fixed in the upcoming 2.3 release. We did some DNS script refactoring. It's a surprisingly hard protocol to get just right.

> 2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 1133), with the same timestamps?

I suspect that's the same bug expressing itself again.

> 3. Why do both sections of packets, 10 seconds apart, have the same UID?

Because it's UDP. :) Bro creates mock "connections" for UDP and the client in this case was using the same ephemeral port for multiple queries so they showed up as part of the same "connection". (all quotes very deliberate).

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From martiner315 at gmail.com Thu May 1 23:49:05 2014
From: martiner315 at gmail.com (Ja Som)
Date: Fri, 2 May 2014 08:49:05 +0200
Subject: [Bro] Bro weird, email notification

Hi,

I need help with email notifications. I configured email server using ssmtp and put hook

    hook Notice::policy(n: Notice::Info)
        {
        add n$actions[Notice::ACTION_ALARM];
        }

to local.bro.
Emails work fine; I receive, for example, alarm summary and connection summary, but not weird activity, and I see in bro.log that I have it in my network. What should I change or add?

Thank you very much!


From scott.e.knick.ctr at mail.mil Tue May 6 05:56:26 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Tue, 6 May 2014 12:56:26 +0000
Subject: [Bro] http_request event

Hello all,

This is my first message to the mailing list. I was hoping someone could help me understand something regarding the HTTP module's http_request event. Specifically, I was hoping I could get access to the additional information added to the connection parameter by the HTTP module, but when the event is fired, my handler is unable to reference the information as it doesn't appear that it's there. The information I'm referring to is the following (from the bro/share/bro/base/protocols/httpd/main.bro file):

    # Add the http state tracking fields to the connection record.
    redef record connection += {
        http: Info &optional;
        http_state: State &optional;
    };

When I try to get to the http field's host field, I get a "field value missing [WebRequests::c$http$host]" error.

Any thoughts?

--
Scott Knick


From shane.castle at gmail.com Tue May 6 06:59:12 2014
From: shane.castle at gmail.com (Shane Castle)
Date: Tue, 06 May 2014 15:59:12 +0200
Subject: [Bro] http_request event
Message-ID: <5368EAB0.3000309@gmail.com>

Hmm, y'know it's been a while since I messed around in Bro code, but I *think* the reason might be 'cos the host field is not filled in at that point in the processing. It looks like it's not til the header is being processed that it gets a value, in the "event http_header" part of http/main.bro. The IP addresses might have values, though.
Just out of curiosity, can you talk about what you are trying to accomplish here? Are you modifying the main.bro script, or are you adding to local.bro, or what?

--
Shane Castle

On 06.05.2014 14:56, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> Hello all,
>
> This is my first message to the mailing list. I was hoping someone could help me understand something regarding the HTTP module's http_request event. Specifically, I was hoping I could get access to the additional information added to the connection parameter by the HTTP module, but when the event is fired, my handler is unable to reference the information as it doesn't appear that it's there. The information I'm referring to is the following (from the bro/share/bro/base/protocols/httpd/main.bro file):
>
> # Add the http state tracking fields to the connection record.
> redef record connection += {
>     http: Info &optional;
>     http_state: State &optional;
> };
>
> When I try to get to the http field's host field, I get a "field value missing [WebRequests::c$http$host]" error.
>
> Any thoughts?
>
> --
> Scott Knick
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From scott.e.knick.ctr at mail.mil Tue May 6 07:04:07 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Tue, 6 May 2014 14:04:07 +0000
Subject: [Bro] http_request event
In-Reply-To: <5368EAB0.3000309@gmail.com>
References: <5368EAB0.3000309@gmail.com>

I appreciate the reply. I'm really at this point just trying to get comfortable with Bro scripting. While I understand that Bro will already log HTTP data for me, the end goal is to be able to log very specific things that I want. My first exercise is to approximate the output of the "urlsnarf" tool (part of the dsniff tools).

I think you're right about the host part. I guess at the time of the http_request event, the DNS resolution has already occurred and thus at this "layer" I can just see the IP address of the host receiving the request, and the "HOST" part of the HTTP header hasn't been seen yet. Is an alternative way to implement this to maintain the hostname from a previous event? I'm kind of groping in the dark here...


From liburdi.joshua at gmail.com Tue May 6 07:27:30 2014
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Tue, 6 May 2014 10:27:30 -0400
Subject: [Bro] http_request event
References: <5368EAB0.3000309@gmail.com>

Instead of using the http request event, you'll need to use an event that has all of the fields you want to use in the script. A quick way to identify those events is to look at the protocol analyzer page for common protocol events: http://www.bro.org/sphinx/scripts/proto-analyzers.html#bro-http

In many cases there are fields initialized in the connection portion of an event that are not immediately obvious. One way to see what fields are initialized in the event is to print the data to standard out ("print c;") when running it in a local instance of Bro. You'll quickly see what is initialized and what is not.

If you simply want all http data, you could use the http log event -- that's generated as http logs are being sent to the logging framework.

    event HTTP::log_http(rec: HTTP::Info)
        {
        print rec;
        }

- Josh


From shane.castle at gmail.com Tue May 6 07:30:29 2014
From: shane.castle at gmail.com (Shane Castle)
Date: Tue, 06 May 2014 16:30:29 +0200
Subject: [Bro] http_request event
References: <5368EAB0.3000309@gmail.com>
Message-ID: <5368F205.9080702@gmail.com>

You'd probably want to get your information at the time the http.log file entry is fired off, I think, or tie your output to a different event.

Have you seen the git repositories for Bro scripts of various sorts? And of course there's this section of the Bro doc: https://www.bro.org/sphinx/scripting/index.html

A couple years ago I was into modifying the Bro installation I was in charge of (using Security Onion, a great set of tools). I'm not doing that anymore (a huge family relocation) but I'm trying to stay current, with an NSM installed in a VM at home.

--
Shane Castle


From anthony.kasza at gmail.com Tue May 6 07:43:37 2014
From: anthony.kasza at gmail.com (anthony kasza)
Date: Tue, 6 May 2014 07:43:37 -0700
Subject: [Bro] http_request event
In-Reply-To: <5368EAB0.3000309@gmail.com>
References: <5368EAB0.3000309@gmail.com>

Info records can have fields which are optional or get set at a later stage in processing than where user-defined code is handled. It's good practice to check if a field is present before using its value. An example of a check follows:

    if (c$http?$host)
        {
        print "host field is there";
        }

-AK


From scott.e.knick.ctr at mail.mil Tue May 6 08:09:47 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Tue, 6 May 2014 15:09:47 +0000
Subject: [Bro] http_request event
References: <5368EAB0.3000309@gmail.com>

Great info! I appreciate everyone's input and have kind of figured some of this out in the last couple of hours. Below is my current script if you're interested (and feedback is welcome). As you can see, I use the http_all_headers event to get the data I need. I had tried to use the log_http event earlier today but it wouldn't fire for reasons I'm not sure of.
    @load base/protocols/http

    module WebRequests;

    export {
        redef enum Log::ID += { LOG };

        # One urlsnarf-style line per client request.  Everything after
        # dest_port is &optional because HTTP::Info only fills those fields
        # in when the corresponding header was actually seen.
        type Request: record {
            ts:              string &log;
            source:          addr   &log;
            dest:            addr   &log;
            dest_port:       port   &log;
            method:          string &log &optional;
            host:            string &log &optional;
            uri:             string &log &optional;
            referrer:        string &log &optional;
            user_agent:      string &log &optional;
            content_length:  count  &log &optional;
            basic_auth_user: string &log &optional;
        };
    }

    event bro_init()
        {
        Log::create_stream(LOG, [$columns = Request]);
        }

    # http_all_headers fires once the complete header block of a message has
    # been parsed, so by now c$http carries host, referrer, user_agent, etc.
    # is_orig restricts this to the client side (the request headers).
    event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
        {
        if (is_orig)
            {
            local req: Request;
            req$ts = strftime("%Y/%m/%d %H:%M:%S", c$http$ts);
            req$source = c$id$orig_h;
            req$dest = c$id$resp_h;
            req$dest_port = c$id$resp_p;

            # Test each optional field with ?$ before reading it.
            if (c$http?$method)
                req$method = c$http$method;
            if (c$http?$host)
                req$host = c$http$host;
            if (c$http?$uri)
                req$uri = c$http$uri;
            if (c$http?$referrer)
                req$referrer = c$http$referrer;
            if (c$http?$user_agent)
                req$user_agent = c$http$user_agent;
            if (c$http?$request_body_len)
                req$content_length = c$http$request_body_len;
            if (c$http?$username)
                req$basic_auth_user = c$http$username;

            Log::write(LOG, req);
            }
        }


From scott.e.knick.ctr at mail.mil Wed May 7 01:26:29 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Wed, 7 May 2014 08:26:29 +0000
Subject: [Bro] Disabling logs from loaded scripts

I want to tightly control what Bro outputs. As a result, I run it with the "bare" option enabled. This works well except any scripts I load end up logging their own stuff. For example, if my script loads base/protocols/http, then that module ends up logging stuff to files.log and http.log. I was able to cut out the files.log by loading specifically base/protocols/http/main.bro, but http.log is still generated. Is there some other option I can use, perhaps in my script?

Thanks.

--
Scott Knick


From shane.castle at gmail.com Wed May 7 03:37:36 2014
From: shane.castle at gmail.com (Shane Castle)
Date: Wed, 07 May 2014 12:37:36 +0200
Subject: [Bro] Disabling logs from loaded scripts
Message-ID: <536A0CF0.1040907@gmail.com>

There are a couple of things you might do.
You could modify the scripts you want, put them in bro/share/site, and load them from there instead of the usual spots, for instance. You could make a new directory under the bro/share hierarchy, put your custom or test scripts in there, and load the whole set using one '@load', if I recall correctly.

The best approach might be tuning the logging by customizing the logging framework. See this section of the doc: https://www.bro.org/sphinx/frameworks/logging.html

Please experiment, but remember not to modify any of the scripts in the normal directories, that is, keep your mods to new directories or to the bro/share/site directory, as others will be replaced with updates.

--
Shane Castle


From scott.e.knick.ctr at mail.mil Wed May 7 06:02:05 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Wed, 7 May 2014 13:02:05 +0000
Subject: [Bro] Updated p0f Fingerprints

Just thought I'd pass on this extremely useful info:

If you're interested in using the passive OS fingerprinting capability of Bro (via the OS_version_found event, for example), then you'll need a version of the fingerprint file far more up-to-date than the one shipped with Bro.
As it turns out, the awesome people at Carnegie Mellon have updated it (so it can be used with their yaf tool):

https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints

I've tested the updated p0f.fp file with Bro and it works like a champ.

--
Scott Knick

From scott.e.knick.ctr at mail.mil Wed May 7 06:20:43 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Wed, 7 May 2014 13:20:43 +0000
Subject: [Bro] Can't load magic file on CentOS 5

I've managed to build Bro on CentOS 5 successfully after a bit of work to get needed dependencies in place, but I can't seem to get around an issue where Bro complains about not being able to find any valid magic files when it starts. I get this error:

internal error: can't load magic file : could not find any valid magic files!

I have my Bro executable installed to /opt/dcod/bin with all of the magic files from Bro in /opt/dcod/share/bro/magic (e.g., /opt/dcod/share/bro/magic/animation, /opt/dcod/share/bro/magic/archive, etc.). Permissions are fine. The "libmagic mime magic database search path" is set to /opt/dcod/share/bro/magic (Bro has actually been built with that path in it, but I've also set the BROMAGIC environment variable to the same for the hell of it to no avail).

Any ideas? Is the search path for libmagic set correctly? I've been fighting with this problem for quite a while now.

--
Scott Knick

From mkolkebeck at gmail.com Wed May 7 06:54:17 2014
From: mkolkebeck at gmail.com (Mike Kolkebeck)
Date: Wed, 7 May 2014 08:54:17 -0500
Subject: [Bro] Can't load magic file on CentOS 5
Message-ID: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com>

I've had the same problem when upgrading to libmagic 5.18 (file-5.18), using Bro 2.2. It worked fine with file-5.16. Are there any quick fixes out there without having to downgrade?
From scott.e.knick.ctr at mail.mil Wed May 7 06:57:29 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Wed, 7 May 2014 13:57:29 +0000
Subject: [Bro] Can't load magic file on CentOS 5
In-Reply-To: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com>
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com>

I did discover a solution based on the following bug report, though I'm still fighting through some other issues.

https://bro-tracker.atlassian.net/browse/BIT-1111

Basically, you have to also (or rather?) set the MAGIC environment variable, not just the BROMAGIC environment variable.
My conundrum seems to be happening because I need to be able to run on CentOS 5 (or RHEL 5), but that distro is stuck with libmagic version 4, and I can't figure out how to upgrade the system to version 5 without ruining a bunch of things.
From yardley at illinois.edu Wed May 7 07:26:41 2014
From: yardley at illinois.edu (Yardley, Tim)
Date: Wed, 7 May 2014 14:26:41 +0000
Subject: [Bro] Updated p0f Fingerprints
Message-ID: <8358FC10-4B66-43FC-BFFF-ED7998B0DD1C@illinois.edu>

Scott,

I'm not sure what the history is behind the p0f incorporation in bro, but it might be worth looking into updating to p0f 3.x as the inspection level is much more interesting (allowing one to inspect not just the layer 4 info, but all the way up through the application stack). I'd imagine that change could be straightforward, but I didn't look into it.

The last update to dsniff/p0f2.py I made brought in the last 2006 signatures (v 2.0.8, with a couple more updates beyond that), but I never bothered implementing p0f3. The signature format changed dramatically due to the complete rewrite, so they aren't backwards compatible. There are some other older experimental signatures that sit in the dsniff repo as well.

https://code.google.com/p/dsniff/source/browse/trunk/#trunk%2Fshare

I'm not sure what CMU used to update their signatures for p0f2, but they would still have less power in identification than using p0f3.

If p0f3 interests you, there have been some public forks that added a bit more:

https://github.com/p0f/p0f/network

Other things that might interest you using p0f3 include patches like this:

https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/

Again, depends on what you are doing though.
Tim

--
Tim Yardley
Assistant Director, Testbed Services
Information Trust Institute, University of Illinois
yardley at illinois.edu

From jsiwek at illinois.edu Wed May 7 08:24:01 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Wed, 7 May 2014 15:24:01 +0000
Subject: [Bro] Can't load magic file on CentOS 5
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com>
Message-ID: <800B4582-76D2-4594-9AEE-649483802078@illinois.edu>

On May 7, 2014, at 8:57 AM, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:

> I did discover a solution based on the following bug report, though I'm still fighting through some other issues.
>
> https://bro-tracker.atlassian.net/browse/BIT-1111
>
> Basically, you have to also (or rather?) set the MAGIC environment variable, not just the BROMAGIC environment variable.

I'd suggest just setting both to point at the same libmagic installation (e.g. the one Bro has been configured to use via `./configure --with-libmagic=`).
> My conundrum seems to be happening because I need to be able to run on CentOS 5 (or RHEL 5), but that distro is stuck with libmagic version 4, and I can't figure out how to upgrade the system to version 5 without ruining a bunch of things.

If you build/install the latest libmagic from source doing something like `./configure --prefix=/opt && make && make install` (you can choose whatever prefix you want), does that work for you as far as isolating that version from everything?

- Jon

From scott.e.knick.ctr at mail.mil Thu May 8 01:06:34 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Thu, 8 May 2014 08:06:34 +0000
Subject: [Bro] Can't load magic file on CentOS 5
In-Reply-To: <800B4582-76D2-4594-9AEE-649483802078@illinois.edu>
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com> <800B4582-76D2-4594-9AEE-649483802078@illinois.edu>

Thanks for the thoughts. This is kind of what I'm working towards, though my complication is that I'm building an RPM that incorporates libmagic, which is built and temporarily installed into the RPM build root. If I want to have libmagic installed to somewhere in /opt, my RPM build is not very clean anymore. Does anyone know if there's a way to easily statically link Bro against libmagic? That would take some of this headache away.

Another thing I'm baffled about is that when I build libmagic 5, the resulting shared library and symbolic links have the same filenames as the libmagic 4 that's already installed. How can this be?

[dcod at localhost lib]$ ls -al /usr/lib64 | grep libmagic
-rw-r--r-- 1 root root 105348 Jun 22  2012 libmagic.a
lrwxrwxrwx 1 root root     17 Apr  1 12:22 libmagic.so -> libmagic.so.1.0.0
lrwxrwxrwx 1 root root     17 Apr  1 12:22 libmagic.so.1 -> libmagic.so.1.0.0
-rwxr-xr-x 1 root root  65608 Jun 22  2012 libmagic.so.1.0.0
[dcod at localhost lib]$ ls -al
total 340
drwxr-xr-x 2 dcod dcod   4096 May  7 16:37 .
drwxr-xr-x 6 dcod dcod   4096 May  7 16:37 ..
-rwxr-xr-x 1 dcod dcod    921 May  7 16:37 libmagic.la
lrwxrwxrwx 1 dcod dcod     17 May  7 16:37 libmagic.so -> libmagic.so.1.0.0
lrwxrwxrwx 1 dcod dcod     17 May  7 16:37 libmagic.so.1 -> libmagic.so.1.0.0
-rwxr-xr-x 1 dcod dcod 331757 May  7 16:37 libmagic.so.1.0.0
From scott.e.knick.ctr at mail.mil Thu May 8 02:28:33 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Thu, 8 May 2014 09:28:33 +0000
Subject: [Bro] Can't load magic file on CentOS 5
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com> <800B4582-76D2-4594-9AEE-649483802078@illinois.edu>

I think I've figured out a solution in case anyone is interested, and it's basically what Jon recommended--install libmagic 5 from source to somewhere so that it doesn't overwrite the existing libmagic 4 packaged installation already present (I installed to /usr/local, which works fine).

As for my question about the shared library version of libmagic not changing between version 4 and 5 of the project, I guess that's because the interface did not change at all (which seems unlikely, but it's possible).
From jsiwek at illinois.edu Thu May 8 08:38:42 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 8 May 2014 15:38:42 +0000
Subject: [Bro] Can't load magic file on CentOS 5
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com> <800B4582-76D2-4594-9AEE-649483802078@illinois.edu>
Message-ID: <0EDE5847-4261-4AB9-948E-67EF954D09FD@illinois.edu>

On May 8, 2014, at 3:06 AM, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:

> Does anyone know if there's a way to easily statically link Bro against libmagic?

If it were possible to arrange things so that only libmagic.a is in the paths being searched, I think Bro would just go with that. Or a quick/dirty way would be to edit Bro's cmake/FindLibMagic.cmake to unconditionally do [1] instead of just when on Darwin.

Also just FYI, Bro 2.3 won't depend on libmagic.

- Jon

[1] https://github.com/bro/cmake/blob/master/FindLibMagic.cmake#L29

From scott.e.knick.ctr at mail.mil Thu May 8 23:59:25 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Fri, 9 May 2014 06:59:25 +0000
Subject: [Bro] Can't load magic file on CentOS 5
In-Reply-To: <0EDE5847-4261-4AB9-948E-67EF954D09FD@illinois.edu>
References: <48903FF9-A4BB-4255-9756-5621EFD4096A@gmail.com> <800B4582-76D2-4594-9AEE-649483802078@illinois.edu> <0EDE5847-4261-4AB9-948E-67EF954D09FD@illinois.edu>

Good to hear! Libmagic in general seems a little hokey given how it must resolve the magic file. Thanks.
From scott.e.knick.ctr at mail.mil Fri May 9 00:41:32 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Fri, 9 May 2014 07:41:32 +0000
Subject: [Bro] Disabling logs from loaded scripts
In-Reply-To: <536A0CF0.1040907@gmail.com>
References: <536A0CF0.1040907@gmail.com>

Thanks. I found the best way to do what I want by looking at the link you provided. In my bro_init() handler, I simply disable the HTTP module's logging like so:

event bro_init()
{
    Log::disable_stream(HTTP::LOG);
    Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
    Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);
}

That handler disables the HTTP module's log and then creates two logs for the things I want to log in my module. Works like a champ!
From scott.e.knick.ctr at mail.mil Fri May 9 01:51:28 2014
From: scott.e.knick.ctr at mail.mil (Knick, Scott E CTR USARMY RCERT-EUR (US))
Date: Fri, 9 May 2014 08:51:28 +0000
Subject: [Bro] Returning NULL?

Is there some way to return something like a NULL or undefined from a Bro script function? I'm looking to set a field in a logged record via a function call but would ideally like to be able to return an unset value from that function if needed.

--
Scott Knick

From bernhard at ICSI.Berkeley.EDU Fri May 9 05:39:14 2014
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Fri, 9 May 2014 05:39:14 -0700
Subject: [Bro] Returning NULL?
Message-ID: <20140509123849.GA1667@LadyMacbeth.local>

On Fri, May 09, 2014 at 08:51:28AM +0000, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> Is there some way to return something like a NULL or undefined from a
> Bro script function? I'm looking to set a field in a logged record via a
> function call but would ideally like to be able to return an unset value
> from that function if needed.
There is no way to directly return null. The two "workarounds" that come to mind at the moment are to either return a record with one optional field - which you can leave unset to represent null. Or return a vector where you either can add the element when present, or let it be zero-size when 0.

Bernhard

From hammadog at gmail.com Tue May 13 10:02:10 2014
From: hammadog at gmail.com (Tom OBrion)
Date: Tue, 13 May 2014 13:02:10 -0400
Subject: [Bro] Intel Framework and email alerts

Hello all

Having a brain cramp on why my intel framework emails are not working. Here is a snippet out of my feed file, let's say:

#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
xxx.xxx.xxx.xxx	Intel::ADDR	Internal-Intel	malware_addr	T

my local.bro

@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/nsm/bro/feeds/malware-addr.intel",
};

redef Notice::emailed_types += {
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
};

I know the notice framework and emails get sent as I get my summary emails as well as the malware hash emails. When I test and try to access the address within the feed it gets logged to my intel.log file but no email is being sent. This used to work for me, but for some reason it is not anymore. I know it's something stupid and I just need a slap upside the head. Can someone point me in the right direction?

Thanks

--
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion
"Life is too short to spend time with people who suck the happy out of you."
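Two of the threads above, Scott's "Disabling logs from loaded scripts" solution and Bernhard's answer in "Returning NULL?", describe the same scenario from two sides: a custom log stream replacing http.log, and a function that may have no value to put into one of its columns. The script below is an added example that is not code from the thread or from the Bro distribution; it combines the two. The module name WebRequests is taken from the error message quoted at the top of this page, but the record types Info and MaybeHost, the helper functions and their field names are assumptions chosen for illustration.

```bro
# Added example, not from the thread.  Module name reused from the error
# message quoted earlier; the Info/MaybeHost records and helper names are
# assumptions chosen for illustration.
@load base/protocols/http

module WebRequests;

export {
    redef enum Log::ID += { LOG };

    # Columns of the custom log.  'host' is &optional: when it is left unset
    # the logging framework writes the empty-field marker instead of failing.
    type Info: record {
        ts:   time   &log;
        uid:  string &log;
        host: string &log &optional;
    };

    # Bernhard's first workaround: a record with a single &optional field
    # stands in for a nullable return value.
    type MaybeHost: record {
        val: string &optional;
    };
}

# Return the request's Host header wrapped in MaybeHost, or a MaybeHost with
# 'val' unset when the HTTP state or the header is not there.  The ?$ tests
# are what avoid the "field value missing" error seen earlier in the thread.
function host_for(c: connection): MaybeHost
{
    local r: MaybeHost;
    if ( ! c?$http || ! c$http?$host )
        return r;          # 'val' stays unset: the "null" case
    r$val = c$http$host;
    return r;
}

# Bernhard's second workaround: an empty vector means "no value".
function host_vec(c: connection): vector of string
{
    local v: vector of string = vector();
    if ( c?$http && c$http?$host )
        v[|v|] = c$http$host;
    return v;
}

event bro_init()
{
    # Scott's setup: silence the stock http.log and log to our own stream.
    Log::disable_stream(HTTP::LOG);
    Log::create_stream(LOG, [$columns=Info]);
}

# The base HTTP scripts fill c$http (including host, from the Host header)
# at priority 5 on the header events, so once the request message is
# complete the value is available if the client sent one.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=-5
{
    if ( ! is_orig )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid];

    local h = host_for(c);
    if ( h?$val )
        rec$host = h$val;

    Log::write(LOG, rec);
}
```

Run it the way Scott does, in bare mode (`bro -b -r trace.pcap webrequests.bro`); the stream's default path is derived from the enum name, so the output lands in webrequests.log with a "-" in the host column for requests without a Host header. The caller checks `h?$val` (or `|host_vec(c)| > 0` for the vector variant) rather than dereferencing the field directly, which is the same discipline that keeps a handler from tripping over c$http before the HTTP scripts have populated it.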
From JAzoff at albany.edu Tue May 13 11:36:03 2014
From: JAzoff at albany.edu (Justin Azoff)
Date: Tue, 13 May 2014 14:36:03 -0400
Subject: [Bro] Intel Framework and email alerts
Message-ID: <20140513183603.GO13320@datacomm.albany.edu>

On Tue, May 13, 2014 at 01:02:10PM -0400, Tom OBrion wrote:
> I know the notice framework and emails get sent as I get my summary emails as
> well as the malware hash emails. When I test and try to access the address
> within the feed it gets logged to my intel.log file but no email is being sent.
> This used to work for me, but for some reason it is not anymore. I know it's
> something stupid and I just need a slap upside the head. Can someone point me
> in the right direction?

Are the intel notices showing up in notice.log?

--
-- Justin Azoff

From hammadog at gmail.com Tue May 13 12:17:19 2014
From: hammadog at gmail.com (Tom OBrion)
Date: Tue, 13 May 2014 15:17:19 -0400
Subject: [Bro] Intel Framework and email alerts
In-Reply-To: <20140513183603.GO13320@datacomm.albany.edu>
References: <20140513183603.GO13320@datacomm.albany.edu>

Negative, only in the intel.log
--
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion
"Life is too short to spend time with people who suck the happy out of you."

From vmuthu at ucdavis.edu Wed May 14 03:08:27 2014
From: vmuthu at ucdavis.edu (Vishak Muthukumar)
Date: Wed, 14 May 2014 03:08:27 -0700
Subject: [Bro] Parsing Modbus packet with Function code 15

Hi,

I am having a problem in parsing the modbus packet with function code 15. I have a trace file which has a write request to write to coil 0. But when I monitor that trace file in my bro script, I cannot see the coil value. It says the size of the coil vector is empty.

The command I use to run the bro script is - PREFIX/bin/bro -C -r

I checked the tracefile in the wireshark to make sure that the packets have the coil data. I have attached the trace file and the bro script.

Thanks

--
Vishak Muthukumar
Graduate Student
University of California, Davis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace
Type: application/octet-stream
Size: 3168 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140514/11f1f444/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: write_multiple.bro
Type: application/octet-stream
Size: 1002 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140514/11f1f444/attachment-0001.obj

From robin at icir.org Wed May 14 07:40:29 2014
From: robin at icir.org (Robin Sommer)
Date: Wed, 14 May 2014 07:40:29 -0700
Subject: [Bro] Parsing Modbus packet with Function code 15
Message-ID: <20140514144029.GR11995@icir.org>

On Wed, May 14, 2014 at 03:08 -0700, Vishak Muthukumar wrote:
> I have a trace file which has a write request to write to coil 0.
> But when I monitor that trace file in my bro script, I cannot see the coil
> value. It says the size of the coil vector is empty.

Iirc, the analyzer doesn't further extract coil values yet.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin

From seth at icir.org Wed May 14 09:24:05 2014
From: seth at icir.org (Seth Hall)
Date: Wed, 14 May 2014 12:24:05 -0400
Subject: [Bro] Parsing Modbus packet with Function code 15
In-Reply-To: <20140514144029.GR11995@icir.org>
References: <20140514144029.GR11995@icir.org>

On May 14, 2014, at 10:40 AM, Robin Sommer wrote:

> On Wed, May 14, 2014 at 03:08 -0700, Vishak Muthukumar wrote:
>
>> I have a trace file which has a write request to write to coil 0.
>> But when I monitor that trace file in my bro script, I cannot see the coil
>> value. It says the size of the coil vector is empty.
>
> Iirc, the analyzer doesn't further extract coil values yet.

I was unable to find traffic that dealt with coils so I left that out. Most of the infrastructure is in place however. Vishak, can we use the traffic you submitted in our test suite if it works out when we look at it?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From vmuthu at ucdavis.edu Wed May 14 09:40:08 2014
From: vmuthu at ucdavis.edu (Vishak Muthukumar)
Date: Wed, 14 May 2014 09:40:08 -0700
Subject: [Bro] Parsing Modbus packet with Function code 15
References: <20140514144029.GR11995@icir.org>

Hi Seth Hall,

Sure, please go ahead and use the traffic. Thanks for your quick responses.

Vishak

--
Vishak Muthukumar
Graduate Student
University of California, Davis
Phone : +15303025318
Skype id: vishakm92
From hlin33 at illinois.edu Wed May 14 09:54:53 2014
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Wed, 14 May 2014 11:54:53 -0500
Subject: [Bro] Parsing Modbus packet with Function code 15
References: <20140514144029.GR11995@icir.org>

Hi Seth,

If we want to extract the value such as coil value from Modbus analyzer, do we need to redeclare the event handler included in event.bif? I saw that you use the "this" pointer to represent the whole payload message. I might need to use the Modbus analyzer in another project later.

Thanks,

Best,
Hui Lin

--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
From daniel.guerra69 at gmail.com  Wed May 14 11:41:36 2014
From: daniel.guerra69 at gmail.com (daniel.guerra69)
Date: Wed, 14 May 2014 20:41:36 +0200
Subject: [Bro] alternative for lookup_hostname_txt
Message-ID: <5373B8E0.7040306@gmail.com>

Hi,

I'm working with bro in a protected network where I can't do dns requests. I want to lookup malware with malware.hash.cymru.com with a http request but I can't find any function for this. I could make my own script and activate it with piped_exec, but would I be able to read the script's stdout?

Regards,

Daniel

From seth at icir.org  Wed May 14 13:21:37 2014
From: seth at icir.org (Seth Hall)
Date: Wed, 14 May 2014 16:21:37 -0400
Subject: [Bro] alternative for lookup_hostname_txt
In-Reply-To: <5373B8E0.7040306@gmail.com>
References: <5373B8E0.7040306@gmail.com>
Message-ID: <10AD631E-0B6F-400B-8F91-EC5C93A369CE@icir.org>

On May 14, 2014, at 2:41 PM, daniel.guerra69 wrote:
> I'm working with bro in a protected network where
> I can't do dns requests. I want to lookup malware with
> malware.hash.cymru.com with a http request but
> I can't find any function for this. I could make my own
> script and activate it with piped_exec, but would I be
> able to read the script's stdout?

A small modification from our test suite... (more generally take a look at scripts/base/utils/active-http.bro)

    @load base/utils/active-http

    event bro_init()
        {
        local req = ActiveHTTP::Request($url="http://google.com");
        when ( local resp = ActiveHTTP::request(req) )
            {
            print resp;
            }
        timeout 1min
            {
            print "HTTP request timeout";
            }
        }

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From jdopheid at illinois.edu  Wed May 14 14:09:17 2014
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Wed, 14 May 2014 21:09:17 +0000
Subject: [Bro] BroCon '14: Reminder to register and book hotel
Message-ID:

Bro Community,

If you haven't done so already, we wanted to remind you to register for BroCon '14 (August 18th-20th).

Register here: regonline.com/brocon2014

If you haven't booked your hotel yet, we wanted to inform you that we have a block of rooms reserved at the Holiday Inn but were unable to reserve rooms at the Hampton Inn. If you wish to stay at the Hampton Inn you should consider booking your room soon. This year's event is occurring during UIUC's move-in week and those rooms are in high demand.

More information can be found here: http://bro.org/community/brocon2014.html#hotelinformation

We are accepting presentation proposals. More info here: http://bro.org/community/brocon2014.html#call-forpresentations

Interested in sponsoring BroCon '14? More info here: http://bro.org/community/brocon2014.html#sponsorship

See you in August,
The Bro Team

------
Jeannette M. Dopheide
Bro Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From affan.syed at nu.edu.pk  Thu May 15 00:06:12 2014
From: affan.syed at nu.edu.pk (Affan Syed)
Date: Thu, 15 May 2014 12:06:12 +0500
Subject: [Bro] Using Bro for data plane programmability
Message-ID: <53746764.8010600@nu.edu.pk>

Dear all,

I just wanted to bring to your attention a recent acceptance at CCR of work done here at my lab, where we have argued using Bro as the best choice for data plane programmability. I really think Bro language should be expanded beyond just the definition of NIDS. It provides a much more powerful construct.
The details about the project (which deals with a novel ISP service delivery mechanism), and a link to the paper, are on the project website (http://sysnet.org.pk/w/ISDF). This page also has links to the ports we have done (and previously posted on this list by the students -- who did the real work :).

--
Regards,
Affan

From lowson.chris at gmail.com  Sat May 17 07:46:57 2014
From: lowson.chris at gmail.com (Chris Lowson)
Date: Sat, 17 May 2014 10:46:57 -0400
Subject: [Bro] Faster Bro Summary of Alerts
Message-ID:

Hello Everyone,

New to bro so please bear with me, but I can't seem to find my answer online.

Can anyone tell me / point me in the direction to setup bro to have the alert notices come in every 5-10 mins and not hourly?

I don't want the connection summary every 5 mins, that can stay every hour, I just want to see the SSH password guessing faster.

--
Thanks,
Christopher Lowson

From seth at icir.org  Sat May 17 22:44:35 2014
From: seth at icir.org (Seth Hall)
Date: Sun, 18 May 2014 01:44:35 -0400
Subject: [Bro] Faster Bro Summary of Alerts
In-Reply-To:
References:
Message-ID: <6B3D5EFC-629B-4EB3-AC97-1B76D311BA95@icir.org>

On May 17, 2014, at 10:46 AM, Chris Lowson wrote:
> I don't want the connection summary every 5 mins, that can stay every hour, I just want to see the SSH password guessing faster.

This will send you an email each time the notice happens:

    redef Notice::emailed_types += { SSH::Password_Guessing };

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From bkellogg at dresser-rand.com  Sun May 18 06:36:06 2014
From: bkellogg at dresser-rand.com (Kellogg, Brian D (OLN))
Date: Sun, 18 May 2014 13:36:06 +0000
Subject: [Bro] distributing Intel feeds using Salt
Message-ID:

I've setup a number of Intel feeds on our SecurityOnion server that get distributed to the sensors via the "salt-cp" command. I use mal-dns2bro to grab them. Does the "salt-cp" command act as an atomic move of the intel feed files to the sensors or should I first delete the files from the sensors? Is there a log that shows the updated Intel feed files being read?

Thank you,

Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean, NY 14760
T: (716) 375-3186 | F: (716) 375-3557
www.dresser-rand.com NYSE: DRC

Bringing energy and the environment into harmony(r)

IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the intended recipient only. Unauthorized access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.

From doug.burks at gmail.com  Sun May 18 07:34:03 2014
From: doug.burks at gmail.com (Doug Burks)
Date: Sun, 18 May 2014 10:34:03 -0400
Subject: [Bro] distributing Intel feeds using Salt
In-Reply-To:
References:
Message-ID:

Hi Brian,

This question is probably more suited for the Security Onion mailing list (cc'd).

If you're using our OnionSalt scripts, you shouldn't need to use salt-cp manually.
OnionSalt should automatically replicate /opt/bro/share/bro/policy/ from the server to all sensors.

http://blog.securityonion.net/2014/04/new-securityonion-onionsalt-package.html?m=1

On Sunday, May 18, 2014, Kellogg, Brian D (OLN) wrote:
> I've setup a number of Intel feeds on our SecurityOnion server that get
> distributed to the sensors via the "salt-cp" command. I use mal-dns2bro to
> grab them. Does the "salt-cp" command act as an atomic move of the intel
> feed files to the sensors or should I first delete the files from the
> sensors? Is there a log that shows the updated Intel feed files being read?
>
> Thank you,
>
> Brian Kellogg
> Security Analyst; IT Governance, Risk, and Compliance
> 500 Paul Clark Drive, Olean, NY 14760
> T: (716) 375-3186 | F: (716) 375-3557
> www.dresser-rand.com NYSE: DRC
>
> Bringing energy and the environment into harmony(r)
>
> IMPORTANT NOTICE:
> This email may be confidential, may be legally privileged, and is for the
> intended recipient only. Unauthorized access, disclosure, copying,
> distribution, or reliance on any of it by anyone else is prohibited and may
> be a criminal offense. Please delete if obtained in error and email
> confirmation to the sender.

--
Doug Burks
From scott at 0x4c.com  Sun May 18 22:39:57 2014
From: scott at 0x4c.com (scott mcallester)
Date: Mon, 19 May 2014 15:39:57 +1000
Subject: [Bro] bro exchange 2013 intel exercises
Message-ID: <5379992D.4010706@0x4c.com>

I'm trying to get the exercises from here going.

My intel.bro:

    @load policy/frameworks/intel/seen
    @load policy/frameworks/intel/do_notice

    redef Intel::read_files += {
        fmt("%s/intel.dat", @DIR)
    };

My intel.dat:

    #fields indicator indicator_type meta.source
    fetchback.com Intel::DOMAIN my_special_source

I've double checked the tab spacing it all looks fine, but every time I run this I receive this error:

    bro -C -r exercise-traffic.pcap intel.bro
    internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
    Aborted (core dumped)

I also installed Bro 2.2 from source to my local machine (mint 13) and get exactly the same error.

Any ideas?

And a follow up question for when I get this sorted: If I have a txt file with a list of new-line separated IP's (~1500) from malwaredomainlist.com, is this something the intel framework is suited for? Or should I just stick to Snort's blacklist.rules or Suricata's equivalent?

Scott

From liburdi.joshua at gmail.com  Mon May 19 05:34:53 2014
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Mon, 19 May 2014 05:34:53 -0700 (PDT)
Subject: [Bro] bro exchange 2013 intel exercises
In-Reply-To: <5379992D.4010706@0x4c.com>
References: <5379992D.4010706@0x4c.com>
Message-ID: <1400502893536.0b312003@Nodemailer>

Haven't run into your first question before, but to answer the second ... yes, the Intel framework is suited for IP addresses. Can't speak for Suricata, but Bro will natively find IP addresses in more places than Snort does.
-Josh

On Mon, May 19, 2014 at 1:56 AM, scott mcallester wrote:
> I'm trying to get the exercises from here going.
>
> My intel.bro:
>
>     @load policy/frameworks/intel/seen
>     @load policy/frameworks/intel/do_notice
>
>     redef Intel::read_files += {
>         fmt("%s/intel.dat", @DIR)
>     };
>
> My intel.dat:
>
>     #fields indicator indicator_type meta.source
>     fetchback.com  Intel::DOMAIN my_special_source
>
> I've double checked the tab spacing it all looks fine, but every time I run this I receive this error:
>
>     bro -C -r exercise-traffic.pcap intel.bro
>     internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
>     Aborted (core dumped)
>
> I also installed Bro 2.2 from source to my local machine (mint 13) and get exactly the same error.
>
> Any ideas?
>
> And a follow up question for when I get this sorted: If I have a txt file with a list of new-line separated IP's (~1500) from malwaredomainlist.com, is this something the intel framework is suited for? Or should I just stick to Snort's blacklist.rules or Suricata's equivalent?
>
> Scott

From liburdi.joshua at gmail.com  Mon May 19 05:40:32 2014
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Mon, 19 May 2014 08:40:32 -0400
Subject: [Bro] Faster Bro Summary of Alerts
In-Reply-To:
References:
Message-ID:

Add this field to any notice interval you'd like to change:

    $suppress_for=

By default notices are suppressed for one hour, but it can be overridden with the line above. In practice that would look like ...

    NOTICE([$note=Password_Guessing,
            $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
            $src=key$host,
            $suppress_for=5mins,
            $identifier=cat(key$host)]);

-Josh

On Sat, May 17, 2014 at 10:46 AM, Chris Lowson wrote:
> Hello Everyone,
>
> New to bro so please bear with me, but I can't seem to find my answer
> online.
>
> Can anyone tell me / point me in the direction to setup bro to have the
> alert notices come in every 5-10 mins and not hourly?
>
> I don't want the connection summary every 5 mins, that can stay every hour,
> I just want to see the SSH password guessing faster.
>
> --
> Thanks,
> Christopher Lowson
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jsiwek at illinois.edu  Mon May 19 07:41:54 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 19 May 2014 14:41:54 +0000
Subject: [Bro] bro exchange 2013 intel exercises
In-Reply-To: <5379992D.4010706@0x4c.com>
References: <5379992D.4010706@0x4c.com>
Message-ID: <8CC7DE25-0C5E-4F71-8D44-24D5E992D692@illinois.edu>

On May 19, 2014, at 12:39 AM, scott mcallester wrote:
> My intel.dat:
> #fields indicator indicator_type meta.source
> fetchback.com Intel::DOMAIN my_special_source
>
> I've double checked the tab spacing it all looks fine, but every time I run this I receive this error:
> bro -C -r exercise-traffic.pcap intel.bro
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> Aborted (core dumped)

Can you check that there's only a single tab character between values? In particular, if there is more than one tab between "fetchback.com" and "Intel::DOMAIN" I reproduce that error.

- Jon

From r.bortolameotti at gmail.com  Mon May 19 08:01:10 2014
From: r.bortolameotti at gmail.com (Riccardo Bortolameotti)
Date: Mon, 19 May 2014 17:01:10 +0200
Subject: [Bro] unable to get local issuer certificate - X509 Certificate
Message-ID: <1400511670.18725.2.camel@stud169130.mobiel.utwente.nl>

Hello guys,

I am having a problem with the developer version of Bro.
Running the script that validates the certificates, I obtain:

    unable to get local issuer certificate

even though the certificate is okay. I did not have this problem running the normal (non-dev) version. Do you also have this problem?

ps: I have to use the dev-version for my thesis, because it has some important features that I need (certificate extensions)

regards,
R.

From jsiwek at illinois.edu  Mon May 19 08:15:06 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 19 May 2014 15:15:06 +0000
Subject: [Bro] unable to get local issuer certificate - X509 Certificate
In-Reply-To: <1400511670.18725.2.camel@stud169130.mobiel.utwente.nl>
References: <1400511670.18725.2.camel@stud169130.mobiel.utwente.nl>
Message-ID:

On May 19, 2014, at 10:01 AM, Riccardo Bortolameotti wrote:
> I am having a problem with the developer version of Bro. Running the
> script that validates the certificates, I obtain:
>
> unable to get local issuer certificate
>
> even though the certificate is okay. I did not have this problem running
> the normal (non-dev) version.

Take a look at scripts/base/protocols/ssl/mozilla-ca-list.bro for the certificates that Bro trusts by default. I'm guessing that "SSL::root_certs" differs between versions of Bro and the issuer of the certificate in question is included in the old version, but not the new. You're also free to "redef" that variable to add your own trusted certificates.

- Jon

From r.bortolameotti at gmail.com  Mon May 19 08:49:40 2014
From: r.bortolameotti at gmail.com (Riccardo Bortolameotti)
Date: Mon, 19 May 2014 17:49:40 +0200
Subject: [Bro] unable to get local issuer certificate - X509 Certificate
In-Reply-To:
References: <1400511670.18725.2.camel@stud169130.mobiel.utwente.nl>
Message-ID: <1400514580.18725.4.camel@stud169130.mobiel.utwente.nl>

I have updated the file of the developer version with the "official" one (2.2) and it works.. Thank you very much guys! problem solved!!
;D

On Mon, 2014-05-19 at 15:15 +0000, Siwek, Jonathan Luke wrote:
> On May 19, 2014, at 10:01 AM, Riccardo Bortolameotti wrote:
>
>> I am having a problem with the developer version of Bro. Running the
>> script that validates the certificates, I obtain:
>>
>> unable to get local issuer certificate
>>
>> even though the certificate is okay. I did not have this problem running
>> the normal (non-dev) version.
>
> Take a look at scripts/base/protocols/ssl/mozilla-ca-list.bro for the certificates that Bro trusts by default. I'm guessing that "SSL::root_certs" differs between versions of Bro and the issuer of the certificate in question is included in the old version, but not the new. You're also free to "redef" that variable to add your own trusted certificates.
>
> - Jon

From jsiwek at illinois.edu  Mon May 19 09:13:01 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 19 May 2014 16:13:01 +0000
Subject: [Bro] unable to get local issuer certificate - X509 Certificate
In-Reply-To: <1400514580.18725.4.camel@stud169130.mobiel.utwente.nl>
References: <1400511670.18725.2.camel@stud169130.mobiel.utwente.nl> <1400514580.18725.4.camel@stud169130.mobiel.utwente.nl>
Message-ID: <3C1AD530-9C9E-4F6E-AD03-FD6C768C9C8A@illinois.edu>

On May 19, 2014, at 10:49 AM, Riccardo Bortolameotti wrote:
> I have updated the file of the developer version with the "official" one
> (2.2) and it works.. Thank you very much guys! problem solved!! ;D

Bro's trusted certs are a snapshot of what Mozilla uses and the "developer" version is soon going to be the "official" one, so you may want to look into why the CA in question was removed.

- Jon

From mitch at uidaho.edu  Mon May 19 12:26:02 2014
From: mitch at uidaho.edu (Parks, Mitch (mitch@uidaho.edu))
Date: Mon, 19 May 2014 19:26:02 +0000
Subject: [Bro] Dell M620 blade and x520-k 10G?
Message-ID:

Our systems folks have suggested a Dell blade server connected to our FC SAN instead of a standalone box for our Bro install.
This is a 16 core 2.2GHz E-2660 Dell M620 box with a 10GbE pass-through module to an Intel "X520-k". Is anyone running Bro on this kind of hardware successfully? I wouldn't expect any issues, but I always wonder about "variants" of cards.

Thanks for any input.

Mitch Parks
University of Idaho

From kim at blackcatsec.net  Mon May 19 13:56:17 2014
From: kim at blackcatsec.net (Kim Halavakoski)
Date: Mon, 19 May 2014 23:56:17 +0300
Subject: [Bro] Intel Framework troubleshooting tips?
Message-ID: <774EC8B3-1C04-49EB-8666-155394DC7836@blackcatsec.net>

Hello.

I am running Bro 2.2 from RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randall's talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ

I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:

    # Load the Intel Framework to be used with mal-dnssearch for
    # Threat Intelligence data analysis and correlation
    # http://www.bro.org/sphinx-git/frameworks/intel.html
    # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
    #

    @load frameworks/intel/seen
    @load frameworks/intel/do_notice

    redef Intel::read_files += {
        "/opt/bro/feeds/alienvault.intel",
        "/opt/bro/feeds/botcc.intel",
        "/opt/bro/feeds/ciarmy.intel",
        "/opt/bro/feeds/et_ips.intel",
        "/opt/bro/feeds/malhosts.intel",
        "/opt/bro/feeds/malips.intel",
        "/opt/bro/feeds/mandiant.intel",
        "/opt/bro/feeds/mayhemic.intel",
        "/opt/bro/feeds/rbn.intel",
        "/opt/bro/feeds/snort.intel",
        "/opt/bro/feeds/tor.intel",
    };

The various intel files follow the format and fields are separated by tabs and the files have been downloaded with mal-dnssearch and intel files created with mal-dns2bro scripts.
    [root at bro-anal01 feeds]# head alienvault.intel
    #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
    119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
    108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -

I've restarted Bro and I am not seeing any Intel-events and the intel.log has not been created and no intel logs are logged in notice.log? I have created traffic towards some of the IP-addresses listed in the various sources that should create intel matches and notice.log events but nothing Intel-related is logged:

    [root at bro-anal01 logs]# ls -la current/intel.log
    ls: cannot access current/intel.log: No such file or directory
    [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
    PacketFilter::Dropped_Packets
    SSH::Password_Guessing
    SSL::Invalid_Server_Cert
    Scan::Address_Scan

    [root at bro-anal01 bin]# ./bro -v
    ./bro version 2.2

What am I doing wrong? Am I running the wrong version (Bro 2.2 from RPM downloaded from bro.org) and Intel framework is only supported on the bleeding-edge Bro from github?

Kim Halavakoski - CISM
kim at blackcatsec.net
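Three questions on this page are really about the feed files rather than the framework: Scott's "Value not found in enum mapping" crash earlier in the thread (a doubled tab leaves an empty indicator_type field that the enum lookup cannot map), Kim's feeds that load without any intel.log at all, and Brian's question about whether a copy of a feed onto a sensor is atomic. The following is an added example, not code from Bro, Security Onion, mal-dnssearch or mal-dns2bro: a Python checker for files in the Bro 2.2 Intel framework format (a #fields header, then exactly one tab between fields, a known Intel::* indicator type, a parseable address for Intel::ADDR, T or F in meta.do_notice) plus an installer that writes the validated feed to a temporary file beside the destination and renames it into place, so that a sensor's REREAD input stream only ever sees a complete file. The set of indicator types is the one Bro 2.2 defines as I recall it; treat it as an assumption and extend it for newer releases. The feed contents are constructed samples using documentation addresses, not the indicators from this thread.

```python
"""Validate a Bro 2.2 Intel framework feed file and install it atomically.
Added example; not part of Bro, Security Onion or mal-dns2bro."""
import ipaddress
import os
import tempfile
from typing import List, Tuple

# Intel::Type values in Bro 2.2 (assumption: extend this set for newer releases).
INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
    "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")
Problem = Tuple[int, str]  # (line number, description)


def validate_intel_file(text: str) -> List[Problem]:
    """Return every problem found; empty means the ASCII reader should load the file cleanly."""
    problems: List[Problem] = []
    fields = None
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line == "":
            continue
        if line.endswith("\r"):
            problems.append((lineno, "CRLF line ending; the reader expects bare LF"))
            line = line[:-1]
        if line.startswith("#fields"):
            cols = line.split("\t")
            if cols[0] != "#fields":
                problems.append((lineno, "#fields header is not tab-separated"))
                cols = line.split()
            fields = cols[1:]
            problems += [(lineno, f"header lacks required field {f}") for f in REQUIRED_FIELDS if f not in fields]
            continue
        if line.startswith("#"):
            continue  # other directives (#separator, #types, ...) are left to Bro
        if fields is None:
            problems.append((lineno, "data line before the #fields header"))
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            hint = " (an empty field usually means a doubled tab)" if "" in cols else ""
            problems.append((lineno, f"expected {len(fields)} tab-separated fields, got {len(cols)}{hint}"))
            if "\t" not in line and " " in line:
                problems.append((lineno, "fields are separated by spaces, not tabs"))
            continue
        row = dict(zip(fields, cols))
        for name, value in row.items():
            if value == "":
                problems.append((lineno, f"empty {name} field"))
            elif value != value.strip():
                problems.append((lineno, f"{name} has surrounding whitespace"))
        itype = row.get("indicator_type", "")
        if "indicator_type" in row and itype not in INDICATOR_TYPES:
            problems.append((lineno, f"unknown indicator_type {itype!r}"))
        elif itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(row.get("indicator", ""))
            except ValueError:
                problems.append((lineno, f"{row.get('indicator')!r} is not an IP address"))
        if row.get("meta.do_notice", "T") not in ("T", "F"):
            problems.append((lineno, "meta.do_notice must be T or F"))
    if fields is None:
        problems.append((0, "no #fields header found"))
    return problems


def install_feed(text: str, dest: str) -> None:
    """Validate, then replace dest atomically so a REREAD input stream never reads a partial file."""
    problems = validate_intel_file(text)
    if problems:
        raise ValueError("; ".join(f"line {n}: {msg}" for n, msg in problems))
    fd, tmp = tempfile.mkstemp(prefix=".intel-", dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "w") as fh:  # temp file beside dest keeps the rename on one filesystem
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # atomic: readers see the whole old file or the whole new one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed samples (documentation addresses, not real indicators).
GOOD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\n"
    "192.0.2.10\tIntel::ADDR\talienvault\thttp://reputation.alienvault.com/reputation.generic\tT\t-\n"
    "fetchback.com\tIntel::DOMAIN\tmy_special_source\t-\tT\t-\n"
)
BAD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "fetchback.com\t\tIntel::DOMAIN\tmy_special_source\n"  # doubled tab, the crash Scott hit
    "198.51.100.7 Intel::ADDR spaced_source\n"            # spaces instead of tabs
    "999.1.1.1\tIntel::ADDR\tbogus_ip\n"                  # not an address
    "example.com\tIntel::HOSTNAME\tbad_type\n"            # no such Intel::Type
)


def demo_roundtrip() -> str:
    """Install GOOD_FEED into a scratch directory and return what a sensor would read back."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "alienvault.intel")
        install_feed(GOOD_FEED, dest)
        with open(dest) as fh:
            return fh.read()
```

Run the validator over each file mal-dns2bro produces before it is shipped to the sensors, and do the shipping with the rename rather than an in-place copy: the intel framework reads its files in REREAD mode, so a file that is rewritten in place can be picked up half-written. If a feed passes and still produces no intel.log, the remaining suspects are on the Bro side rather than in the file: an input-framework error in reporter.log, or a local.bro change that was never put into effect with broctl install.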
From jonschipp at gmail.com  Mon May 19 15:41:57 2014
From: jonschipp at gmail.com (Jon Schipp)
Date: Mon, 19 May 2014 17:41:57 -0500
Subject: [Bro] Bro Intel Framework troubleshooting?
In-Reply-To: <855A3F2A-8670-4FB7-926B-C7A3C8A74599@blackcatsec.net>
References: <855A3F2A-8670-4FB7-926B-C7A3C8A74599@blackcatsec.net>
Message-ID:

Did you put the configuration into effect? e.g. ``broctl check && broctl install && broctl restart''

Also, what's the output of ``tail -1 alienvault.intel | hexdump -c''?

On Mon, May 19, 2014 at 3:57 PM, Kim Halavakoski wrote:
> Hello.
>
> I am running Bro 2.2 from RPM downloaded from Bro.org and recently got
> interested in enabling the Intel Framework when I watched Liam Randall's
> talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ
>
> I have downloaded mal-dnssearch and mal-dns2bro scripts and have
> downloaded all of the feeds to /opt/bro/feeds and enabled the intel
> framework in /opt/bro/share/bro/site/local.bro:
>
> # Load the Intel Framework to be used with mal-dnssearch for
> # Threat Intelligence data analysis and correlation
> # http://www.bro.org/sphinx-git/frameworks/intel.html
> # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
> #
>
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
>
> redef Intel::read_files += {
>     "/opt/bro/feeds/alienvault.intel",
>     "/opt/bro/feeds/botcc.intel",
>     "/opt/bro/feeds/ciarmy.intel",
>     "/opt/bro/feeds/et_ips.intel",
>     "/opt/bro/feeds/malhosts.intel",
>     "/opt/bro/feeds/malips.intel",
>     "/opt/bro/feeds/mandiant.intel",
>     "/opt/bro/feeds/mayhemic.intel",
>     "/opt/bro/feeds/rbn.intel",
>     "/opt/bro/feeds/snort.intel",
>     "/opt/bro/feeds/tor.intel",
> };
>
> The various intel files follow the format and fields are separated by tabs
> and the files have been downloaded with mal-dnssearch and intel files
> created with mal-dns2bro scripts.
>
> [root at bro-anal01 feeds]# head alienvault.intel
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
> 119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>
> I've restarted Bro and I am not seeing any Intel-events and the intel.log
> has not been created and no intel logs are logged in notice.log? I have
> created traffic towards some of the IP-addresses listed in the various i
>
> [root at bro-anal01 logs]# ls -la current/intel.log
> ls: cannot access current/intel.log: No such file or directory
> [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
> PacketFilter::Dropped_Packets
> SSH::Password_Guessing
> SSL::Invalid_Server_Cert
> Scan::Address_Scan
>
> [root at bro-anal01 bin]# ./bro -v
> ./bro version 2.2
>
> What am I doing wrong? Am I running the wrong version (Bro 2.2 from RPM
> downloaded from bro.org) and Intel framework is only supported on the
> bleeding-edge Bro from github?
>
> Kim Halavakoski - CISM
> kim at blackcatsec.net
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Jon Schipp,
jonschipp.com, sickbits.net

From damonrouse at gmail.com  Mon May 19 15:58:50 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Mon, 19 May 2014 15:58:50 -0700
Subject: [Bro] Notifications from Local.bro
Message-ID:

Hi Everyone

I'm pretty new to BRO and have a quick question about setting up alerts from Bro. Inside my Local.bro file I have the following (which works great). If I uncomment the emailed_types redef, Bro errors out after running the following: sudo broctl install && sudo broctl restart. The error is: manager terminated immediately after starting; check output with "diag"

Can you only have one redef statement in the local.bro file? Or did I make a mistake somewhere?

    hook Notice::policy(n: Notice::Info)
        {
        add n$actions[Notice::ACTION_EMAIL];
        }

    # redef Notice::emailed_types += {
        HTTP::Incorrect_File_Type,
        SSH::Interesting_Hostname_Login,
        HTTP::Malware_Hash_Registry_Match,
        APT1::Domain_Hit,
        APT1::Certificate_Hit,
        APT1::File_MD5_Hit,
    };

    redef Notice::ignored_types += { SSL::Invalid_Server_Cert };

Thanks!
From scott at 0x4c.com  Mon May 19 16:49:35 2014
From: scott at 0x4c.com (scott mcallester)
Date: Tue, 20 May 2014 09:49:35 +1000
Subject: [Bro] bro exchange 2013 intel exercises
In-Reply-To: <8CC7DE25-0C5E-4F71-8D44-24D5E992D692@illinois.edu>
References: <5379992D.4010706@0x4c.com> <8CC7DE25-0C5E-4F71-8D44-24D5E992D692@illinois.edu>
Message-ID: <537A988F.6040602@0x4c.com>

Yep that was it, narrowed it down to an Emacs issue. If I hit the tab key once there, it would add 2 tabs, not sure why though yet.

Thanks
Scott

On 20/05/14 00:41, Siwek, Jonathan Luke wrote:
> On May 19, 2014, at 12:39 AM, scott mcallester wrote:
>
>> My intel.dat:
>> #fields indicator indicator_type meta.source
>> fetchback.com Intel::DOMAIN my_special_source
>>
>> I've double checked the tab spacing it all looks fine, but every time I run this I receive this error:
>> bro -C -r exercise-traffic.pcap intel.bro
>> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
>> Aborted (core dumped)
>
> Can you check that there's only a single tab character between values? In particular, if there is more than one tab between "fetchback.com" and "Intel::DOMAIN" I reproduce that error.
>
> - Jon

From jonschipp at gmail.com  Mon May 19 17:28:01 2014
From: jonschipp at gmail.com (Jon Schipp)
Date: Mon, 19 May 2014 19:28:01 -0500
Subject: [Bro] Notifications from Local.bro
In-Reply-To:
References:
Message-ID:

Just to be sure, are you uncommenting the entire emailed_types redefinition? You have a comment character at the beginning of the definition in your output, "# redef Notice::emailed_types +=".

On Mon, May 19, 2014 at 5:58 PM, Damon Rouse wrote:
> Hi Everyone
>
> I'm pretty new to BRO and have a quick question about setting up alerts
> from Bro. Inside my Local.bro file I have the following (which works great).
If I uncomment the emailed_types redef, Bro errors > out after running the following sudo broctl install && sudo broctl restart. > The error is: manager terminated immediately after starting; check output > with "diag" > > Can you only have one redef statement in the local.bro file? Or did I > make a mistake somewhere? > > hook Notice::policy(n: Notice::Info) > { > add n$actions[Notice::ACTION_EMAIL]; > } > > # redef Notice::emailed_types += { > HTTP::Incorrect_File_Type, > SSH::Interesting_Hostname_Login, > HTTP::Malware_Hash_Registry_Match, > APT1::Domain_Hit, > APT1::Certificate_Hit, > APT1::File_MD5_Hit, > }; > > redef Notice::ignored_types += { SSL::Invalid_Server_Cert }; > > Thanks! > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Jon Schipp, jonschipp.com, sickbits.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140519/78fb56ad/attachment.html From jsiwek at illinois.edu Mon May 19 17:43:41 2014 From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Tue, 20 May 2014 00:43:41 +0000 Subject: [Bro] Notifications from Local.bro In-Reply-To: References: Message-ID: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu> On May 19, 2014, at 5:58 PM, Damon Rouse wrote: > The error is: manager terminated immediately after starting; check output with "diag" > > Can you only have one redef statement in the local.bro file? Or did I make a mistake somewhere? More than one redef is fine. After the failed start, if you do `broctl diag`, it may give more of a clue as to what?s wrong. Can you share the output of that if you need more help interpreting the error? 
- Jon

From damonrouse at gmail.com Mon May 19 19:34:59 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Mon, 19 May 2014 19:34:59 -0700
Subject: [Bro] Notifications from Local.bro
Message-ID: <7EF14160-F521-4E31-B610-18C50C4294A5@gmail.com>

Yes, I'm removing that last comment character. I'll run and post the diag later tonight.

Thanks

On May 19, 2014, at 5:28 PM, Jon Schipp wrote:

> Just to be sure, are you uncommenting the entire emailed_types redefinition?
> You have a comment character at the beginning of the definition in your output, "# redef Notice::emailed_types +=".
> [...]

From 45070198 at qq.com Mon May 19 21:48:29 2014
From: 45070198 at qq.com (peter)
Date: Tue, 20 May 2014 12:48:29 +0800
Subject: [Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?

Hi,

The Bro documentation claims that it supports port-independent protocol analysis, but in practice it does not. In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro there is the following code:

    const ports = { 1080/tcp };
    redef likely_server_ports += { ports };

    event bro_init() &priority=5
        {
        Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
        Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
        }

I started Bro and created a SOCKS server. Only when the port equals 1080 could Bro detect it! How can I detect the SOCKS protocol if I start the SOCKS server on another port?

peter,

From seth at icir.org Mon May 19 22:11:28 2014
From: seth at icir.org (Seth Hall)
Date: Tue, 20 May 2014 01:11:28 -0400
Subject: [Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?
Message-ID: <66631005-BD8B-4869-9F99-4BEA47E4B134@icir.org>

On May 20, 2014, at 12:48 AM, (peter) <45070198 at qq.com> wrote:

> In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, there are some codes as following:

Take a look at socks/dpd.sig. Those are the signatures that are running and attempting to identify off-port SOCKS connections.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
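A way to check from the script side whether dynamic protocol detection actually hands an off-port SOCKS connection to the analyzer, added here as an example; it is not part of Bro and not from the thread. It assumes Bro 2.2's protocol_confirmation and protocol_violation events and a capture (placeholder file name) of a SOCKS server on some port other than 1080/tcp. One caveat worth knowing when it never fires: the shipped SOCKS signatures in socks/dpd.sig match the client's request together with the server's reply, so a capture that contains only one direction of the connection will not trigger them, and the analyzer is never attached.

```bro
# Added example, not part of Bro and not from the thread. Assumes Bro 2.2.
# Run against a capture (placeholder name) of a SOCKS server on a
# non-default port:
#     bro -r socks-on-other-port.pcap check-socks-dpd.bro

# Every connection the SOCKS analyzer confirmed, keyed by connection UID,
# so bro_done can print a complete summary.
global socks_seen: table[string] of port;

# Fires once an analyzer has parsed enough to be sure of the protocol.
# SOCKS on a port other than 1080/tcp only reaches this event if the
# signatures in socks/dpd.sig matched, so this is the proof that DPD
# did its job for that connection.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    if ( atype != Analyzer::ANALYZER_SOCKS )
        return;

    socks_seen[c$uid] = c$id$resp_p;

    if ( c$id$resp_p != 1080/tcp )
        print fmt("DPD attached the SOCKS analyzer to %s (server port %s)",
                  c$uid, c$id$resp_p);
    }

# Fires when an analyzer was attached and then gave up. The reason also
# lands in dpd.log; a violation right after the handshake usually means
# the traffic was not what the signature took it for.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    if ( atype == Analyzer::ANALYZER_SOCKS )
        print fmt("SOCKS analyzer gave up on %s: %s", c$uid, reason);
    }

event bro_done()
    {
    if ( |socks_seen| == 0 )
        print "No connection was confirmed as SOCKS; check that the capture has both directions";
    else
        print fmt("%d SOCKS connection(s) confirmed", |socks_seen|);
    }
```

If DPD never fires for a given server, the fallback is the same call socks/main.bro makes for 1080/tcp: an `event bro_init()` handler running `Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, set(8080/tcp))` with the real port substituted. That is a per-port workaround rather than port-independent detection, and once it is in place a protocol_confirmation no longer proves the signatures matched.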
From damonrouse at gmail.com Mon May 19 22:39:37 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Mon, 19 May 2014 22:39:37 -0700
Subject: [Bro] Notifications from Local.bro
In-Reply-To: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu>
References: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu>
Message-ID: <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com>

Here's the output of the diag after I uncommented the redef and restarted Bro. Not sure why it's saying HTTP::Incorrect_File_Type is an unknown identifier. Thanks for your help

Damon

    sudo broctl diag
    waiting for lock ..... ok
    [manager]

    Bro 2.2
    Linux 3.2.0-61-generic

    ==== No reporter.log

    ==== stderr.log
    error in /nsm/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 99: unknown identifier HTTP::Incorrect_File_Type, at or near "HTTP::Incorrect_File_Type"

    ==== stdout.log
    unlimited
    unlimited
    unlimited

    ==== .cmdline
    -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto

    ==== .env_vars
    PATH=/opt/bro/bin:/opt/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    BROPATH=/nsm/bro/spool/installed-scripts-do-not-touch/site::/nsm/bro/spool/installed-scripts-do-not-touch/auto:/opt/bro/share/bro:/opt/bro/share/bro/policy:/opt/bro/share/bro/site
    CLUSTER_NODE=manager

    ==== .status
    TERMINATED [atexit]

    ==== No prof.log

    ==== No packet_filter.log

    ==== No loaded_scripts.log

    [proxy]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-1]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-2]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-3]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-4]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-5]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-6]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-7]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth1-8]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-1]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-2]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-3]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-4]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-5]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-6]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-7]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

    [essorgso-eth2-8]
    Bro 2.2
    Linux 3.2.0-61-generic
    ==== No reporter.log
    ==== No stderr.log
    ==== No stdout.log
    ==== No .cmdline
    ==== No .env_vars
    ==== No .status
    ==== No prof.log
    ==== No packet_filter.log
    ==== No loaded_scripts.log

On May 19, 2014, at 5:43 PM, Siwek, Jonathan Luke wrote:

> On May 19, 2014, at 5:58 PM, Damon Rouse wrote:
>
>> The error is: manager terminated immediately after starting; check output with "diag"
>>
>> Can you only have one redef statement in the local.bro file? Or did I make a mistake somewhere?
>
> More than one redef is fine. After the failed start, if you do `broctl diag`, it may give more of a clue as to what's wrong. Can you share the output of that if you need more help interpreting the error?
>
> - Jon

From 45070198 at qq.com Mon May 19 22:42:47 2014
From: 45070198 at qq.com (peter)
Date: Tue, 20 May 2014 13:42:47 +0800
Subject: [Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?
In-Reply-To: <66631005-BD8B-4869-9F99-4BEA47E4B134@icir.org>
References: <66631005-BD8B-4869-9F99-4BEA47E4B134@icir.org>

Seth,

>> In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, there are some codes as following:
>
> Take a look at socks/dpd.sig. Those are the signatures that are running and attempting to identify off-port SOCKS connections.

Yes, I had seen it, and I thought it would work like that. But Bro could only detect it and generate the socks.log when the SOCKS server used port 1080/tcp, not other ports.

How can I configure it to detect SOCKS servers that use another port?

Best,
peter

From bernhard at ICSI.Berkeley.EDU Mon May 19 22:57:25 2014
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Mon, 19 May 2014 22:57:25 -0700
Subject: [Bro] Notifications from Local.bro
In-Reply-To: <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com>
References: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu> <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com>
Message-ID: <89679FAE-F6BC-4F12-B973-95B16FB8553C@icsi.berkeley.edu>

HTTP::Incorrect_File_Type was removed with an overhaul of the files framework even before 2.2, if I read the git commit log correctly. So - you probably just want to remove that one from your script.

Bernhard

On 19 May 2014, at 22:39, Damon Rouse wrote:

> Here's the output of the diag after I uncommented the redef and restarted Bro. Not sure why it's saying HTTP::Incorrect_File_Type is an unknown identifier. Thanks for your help
>
> Damon
>
> sudo broctl diag
> waiting for lock ..... ok
> [manager]
>
> Bro 2.2
> Linux 3.2.0-61-generic
>
> ==== No reporter.log
>
> ==== stderr.log
> error in /nsm/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 99: unknown identifier HTTP::Incorrect_File_Type, at or near "HTTP::Incorrect_File_Type"
> [...]

From damonrouse at gmail.com Mon May 19 23:15:29 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Mon, 19 May 2014 23:15:29 -0700
Subject: [Bro] Notifications from Local.bro
In-Reply-To: <89679FAE-F6BC-4F12-B973-95B16FB8553C@icsi.berkeley.edu>
References: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu> <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com> <89679FAE-F6BC-4F12-B973-95B16FB8553C@icsi.berkeley.edu>
Message-ID: <5822CC69-4723-456E-93C9-8FDDD63DE1A2@gmail.com>

Thanks Bernhard

I'm all good now. Looks like this one was removed too (got the same error): HTTP::Malware_Hash_Registry_Match

Is there a link to all the notice types somewhere for a beginner like me?

Thanks
Damon

On May 19, 2014, at 10:57 PM, Bernhard Amann wrote:

> HTTP::Incorrect_File_Type was removed with an overhaul of the files framework even before 2.2, if I read the git commit log correctly. So - you probably just want to remove that one from your script.
>
> Bernhard
> [...]

From seth at icir.org Tue May 20 05:15:45 2014
From: seth at icir.org (Seth Hall)
Date: Tue, 20 May 2014 08:15:45 -0400
Subject: [Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols?
References: <66631005-BD8B-4869-9F99-4BEA47E4B134@icir.org>
Message-ID: <119CFE1E-BCDD-432A-B975-DC81B0794DAD@icir.org>

On May 20, 2014, at 1:42 AM, (peter) <45070198 at qq.com> wrote:

> How can I configure it to detect SOCKS servers that use another port?

It should work. If it's not, you need to provide a packet capture that shows it not working.
.Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From seth at icir.org Tue May 20 05:17:37 2014 From: seth at icir.org (Seth Hall) Date: Tue, 20 May 2014 08:17:37 -0400 Subject: [Bro] Notifications from Local.bro In-Reply-To: <5822CC69-4723-456E-93C9-8FDDD63DE1A2@gmail.com> References: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu> <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com> <89679FAE-F6BC-4F12-B973-95B16FB8553C@icsi.berkeley.edu> <5822CC69-4723-456E-93C9-8FDDD63DE1A2@gmail.com> Message-ID: <2855D6F6-4155-464F-BA8F-9C7A9A0D5E0B@icir.org> On May 20, 2014, at 2:15 AM, Damon Rouse wrote: > I?m all good now?Looks like this one was removed too (got the same error): HTTP::Malware_Hash_Registry_Match It was renamed because it's now generic across any file protocol. TeamCymruMalwareHashRegistry::Match > Is there a link to all the notice types somewhere for a beginner like me? Yes. http://www.bro.org/sphinx/bro-noticeindex.html .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140520/9cd41131/attachment.bin From hlin33 at illinois.edu Tue May 20 06:22:35 2014 From: hlin33 at illinois.edu (Hui Lin (Hugo) ) Date: Tue, 20 May 2014 08:22:35 -0500 Subject: [Bro] Does bro REALLY SUPPORT port-independent analysis of application-layer protocols? In-Reply-To: <79195b5d8d6b4015a91019484e314e50@CHIHT4.ad.uillinois.edu> References: <66631005-BD8B-4869-9F99-4BEA47E4B134@icir.org> <79195b5d8d6b4015a91019484e314e50@CHIHT4.ad.uillinois.edu> Message-ID: Perhaps this document may help, in case that you did not see it. 
http://www.bro.org/development/howtos/dpd.html#determining-analyzer-activation Best, Hugo On Tue, May 20, 2014 at 12:42 AM, ?peter? <45070198 at qq.com> wrote: > > Seth, > > > > In the file /usr/local/bro/share/bro/base/protocols/socks/main.bro, > there are some codes as following: > > > > Take a look at socks/dpd.sig. Those are the signatures that are running > and attempting to identify off-port SOCKS connections. > > Yes, I had saw it, and I thought it would work like that. But, the bro > only could detect and generate the socks.log when the socks server used > port 1080/tcp, not other ports. > > How could I configure it for detecting socks, which use other port? > > Best, > peter > > > -- Hui Lin PhD Candidate, Research Assistant Electrical and Computer Engineering Department University of Illinois at Urbana-Champaign -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140520/3cd7d0da/attachment.html From kim at blackcatsec.net Tue May 20 07:33:14 2014 From: kim at blackcatsec.net (Kim Halavakoski) Date: Tue, 20 May 2014 17:33:14 +0300 Subject: [Bro] Bro Intel Framework troubleshooting? In-Reply-To: References: <855A3F2A-8670-4FB7-926B-C7A3C8A74599@blackcatsec.net> Message-ID: <68CC65A0-ED5F-43D5-95A6-BBB0CC89B536@blackcatsec.net> Hi, Thanks that works now! I "forgot" the broctl install command and have just restarted bro hoping it would pick up the config changes... Is there any way of getting anither variable from the intel file and using it as some kind of tpe/classifier? In the Alienvault example the IP-address comes with a type like "Scanning host", "Malware domain" etc. How can I use thst field in the Intel file so that I know what kind of threat it is? Best regards, Kim Halavakoski kim at blackcatsec.net Sent from my mobile device, excuse my clawfingerness! > On 20 maj 2014, at 01:41, Jon Schipp wrote: > > Did you put the configuration into effect? e.g. 
> ``broctl check && broctl install && broctl restart''
>
> Also, what's the output of ``tail -1 alienvault.intel | hexdump -c''?
>
>> On Mon, May 19, 2014 at 3:57 PM, Kim Halavakoski wrote:
>> Hello.
>> I am running Bro 2.2 from RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randalls talk : https://www.youtube.com/watch?v=8XqiQuy7nFQ
>> I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:
>>
>> # Load the Intel Framework to be used with mal-dnssearch for
>> # Threat Intelligence data analysis and correlation
>> # http://www.bro.org/sphinx-git/frameworks/intel.html
>> # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>> #
>>
>> @load frameworks/intel/seen
>> @load frameworks/intel/do_notice
>>
>> redef Intel::read_files += {
>>     "/opt/bro/feeds/alienvault.intel",
>>     "/opt/bro/feeds/botcc.intel",
>>     "/opt/bro/feeds/ciarmy.intel",
>>     "/opt/bro/feeds/et_ips.intel",
>>     "/opt/bro/feeds/malhosts.intel",
>>     "/opt/bro/feeds/malips.intel",
>>     "/opt/bro/feeds/mandiant.intel",
>>     "/opt/bro/feeds/mayhemic.intel",
>>     "/opt/bro/feeds/rbn.intel",
>>     "/opt/bro/feeds/snort.intel",
>>     "/opt/bro/feeds/tor.intel",
>> };
>>
>> The various intel files follow the format and fields are separated by tabs and the files have been downloaded with mal-dnssearch and intel files created with mal-dns2bro scripts.
>>
>> [root at bro-anal01 feeds]# head alienvault.intel
>> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
>> 119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>>
>> I've restarted Bro and I am not seeing any Intel-events and the intel.log has not been created and no intel logs are logged in notice.log? I have created traffic towards some of the IP-addresses listed in the various i
>>
>> [root at bro-anal01 logs]# ls -la current/intel.log
>> ls: cannot access current/intel.log: No such file or directory
>> [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
>> PacketFilter::Dropped_Packets
>> SSH::Password_Guessing
>> SSL::Invalid_Server_Cert
>> Scan::Address_Scan
>>
>> [root at bro-anal01 bin]# ./bro -v
>> ./bro version 2.2
>>
>> What am I doing wrong? Am I running the wrong version(Bro 2.2 from RPM downloaded from bro.org) and Intel framework is only supported on the bleeding-edge Bro from github?
>>
>> Kim Halavakoski - CISM
>> kim at blackcatsec.net
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Jon Schipp,
> jonschipp.com, sickbits.net

From damonrouse at gmail.com Tue May 20 08:42:36 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Tue, 20 May 2014 08:42:36 -0700
Subject: [Bro] Notifications from Local.bro
In-Reply-To: <2855D6F6-4155-464F-BA8F-9C7A9A0D5E0B@icir.org>
References: <78A9CBA2-9361-49C6-83A1-3BE983928712@illinois.edu> <69C8369C-2893-4778-B6B4-4F22151EB797@gmail.com> <89679FAE-F6BC-4F12-B973-95B16FB8553C@icsi.berkeley.edu> <5822CC69-4723-456E-93C9-8FDDD63DE1A2@gmail.com> <2855D6F6-4155-464F-BA8F-9C7A9A0D5E0B@icir.org>
Message-ID:

Thanks for the help everyone, much appreciated!

On Tue, May 20, 2014 at 5:17 AM, Seth Hall wrote:
>
> On May 20, 2014, at 2:15 AM, Damon Rouse wrote:
>
> > I'm all good now... Looks like this one was removed too (got the same error): HTTP::Malware_Hash_Registry_Match
>
> It was renamed because it's now generic across any file protocol.
> TeamCymruMalwareHashRegistry::Match
>
> > Is there a link to all the notice types somewhere for a beginner like me?
>
> Yes. http://www.bro.org/sphinx/bro-noticeindex.html
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
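An added check for the Intel framework thread above (Kim's feed files and Jon's hexdump hint). The Python below is example code written for this page, not part of Bro or of mal-dns2bro: it validates a feed file the way the framework's input reader will see it, reporting columns separated by spaces instead of tabs (what `tail -1 file | hexdump -c` would reveal), unknown indicator_type values, Intel::ADDR indicators that are not IP addresses, bad meta.do_notice flags, empty columns and CRLF line endings. The indicator type names it accepts and the optional meta.desc column used here to carry the AlienVault classifier ("Scanning Host" etc.) are assumptions about Bro 2.2's Intel::MetaData record, not facts stated in the thread; check them against the scripts installed under share/bro/base/frameworks/intel. The sample feed is constructed.

```python
"""Validate a Bro 2.2 Intel framework feed before loading it.

Example code for this page, not part of Bro or of mal-dns2bro.
The indicator type names and the optional meta.desc column are
assumptions about the Bro 2.2 Intel::MetaData record; check them
against the scripts installed under share/bro/base/frameworks/intel.
"""
import ipaddress

# Assumed Bro 2.2 Intel::Type values.
INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::DOMAIN", "Intel::EMAIL",
    "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME",
    "Intel::CERT_HASH", "Intel::SOFTWARE",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")


def validate_intel_text(text):
    """Return [(line_number, problem), ...]; an empty list means nothing was found."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                                   # trailing newline
    if not lines or not lines[0].startswith("#fields\t"):
        return [(1, "first line must be '#fields' followed by tab-separated names")]
    fields = lines[0].split("\t")[1:]
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        return [(1, "missing required field(s): %s" % ", ".join(missing))]

    problems = []
    for lineno, line in enumerate(lines[1:], start=2):
        if line.endswith("\r"):
            problems.append((lineno, "CRLF line ending; the input reader expects LF"))
            line = line[:-1]
        if line == "" or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            # This is what 'tail -1 file | hexdump -c' shows: spaces where \t should be.
            if len(cols) == 1 and " " in line:
                problems.append((lineno, "columns separated by spaces, not tabs"))
            else:
                problems.append((lineno, "expected %d columns, found %d" % (len(fields), len(cols))))
            continue
        row = dict(zip(fields, cols))
        if "" in cols:
            problems.append((lineno, "empty column; use '-' for an unset optional field"))
        if row["indicator_type"] not in INDICATOR_TYPES:
            problems.append((lineno, "unknown indicator_type %r" % row["indicator_type"]))
        elif row["indicator_type"] == "Intel::ADDR":
            try:
                ipaddress.ip_address(row["indicator"])
            except ValueError:
                problems.append((lineno, "Intel::ADDR indicator %r is not an IP address" % row["indicator"]))
        if row.get("meta.do_notice", "-") not in ("T", "F", "-"):
            problems.append((lineno, "meta.do_notice must be T or F"))
    return problems


def load_indicators(text):
    """Map indicator -> row dict for the well-formed lines, so meta.desc is readable per hit."""
    lines = [l for l in text.split("\n") if l]
    fields = lines[0].split("\t")[1:]
    rows = {}
    for line in lines[1:]:
        cols = line.split("\t")
        if not line.startswith("#") and len(cols) == len(fields):
            row = dict(zip(fields, cols))
            rows[row["indicator"]] = row
    return rows


# Constructed sample feed in the layout of the alienvault.intel head shown in
# the thread, plus a meta.desc column carrying the AlienVault classifier.
# Lines 3 to 5 are deliberately broken.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\tmeta.desc\n"
    "119.60.12.102\tIntel::ADDR\talienvault\thttp://reputation.alienvault.com/reputation.generic\tT\t-\tScanning Host\n"
    "37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T - Malicious Host\n"
    "182.131.22.235\tIntel::IP\talienvault\thttp://reputation.alienvault.com/reputation.generic\tT\t-\tScanning Host\n"
    "58.250.71.43\tIntel::ADDR\talienvault\thttp://reputation.alienvault.com/reputation.generic\tyes\t-\t-\n"
    "example.invalid\tIntel::DOMAIN\talienvault\t-\tF\t-\tMalware Domain\n"
)

if __name__ == "__main__":
    for lineno, problem in validate_intel_text(SAMPLE_FEED):
        print("line %d: %s" % (lineno, problem))
```

Run it against each file in Intel::read_files before `broctl install`; a feed that passes but still produces no intel.log usually means the traffic never touched an indicator (the seen scripts only look at the fields the loaded analyzers expose), not a format problem.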
From mkhan04 at gmail.com Wed May 21 07:15:21 2014
From: mkhan04 at gmail.com (M K)
Date: Wed, 21 May 2014 10:15:21 -0400
Subject: [Bro] Bitwise Operations
Message-ID:

Looking through the archives, it looks like this has come up, but I'll ask it again since it doesn't look like it's been asked recently. Does bro support bitwise operations such as 'and', 'or', and 'xor'?

From kyle.creyts at gmail.com Wed May 21 12:01:25 2014
From: kyle.creyts at gmail.com (Kyle Creyts)
Date: Wed, 21 May 2014 12:01:25 -0700
Subject: [Bro] Bitwise Operations
In-Reply-To:
References:
Message-ID:

Shifts would be nice too.

On Wed, May 21, 2014 at 7:15 AM, M K wrote:
> Looking through the archives, it looks like this has come up, but I'll ask it again since it doesn't look like it's been asked recently. Does bro support bitwise operations such as 'and', 'or', and 'xor'?
> > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Kyle Creyts Information Assurance Professional Founder BSidesDetroit From damonrouse at gmail.com Wed May 21 15:30:36 2014 From: damonrouse at gmail.com (Damon Rouse) Date: Wed, 21 May 2014 15:30:36 -0700 Subject: [Bro] Can't Browse /etc/bro Directory Message-ID: Hi I went to look at the files.log today, I can't see the bro directory xxxxxxx at xxxxxxx:/etc/nsm$ ls administration.conf essorgso-eth2 pulledpork securityonion sensortab templates xxxxxx-eth1 ossec rules securityonion.conf servertab xxxxxxx at xxxxxxxx:/etc/nsm$ cd bro -bash: cd: bro: No such file or directory xxxxxx at xxxxxxx:/etc/nsm$ But I can see the data is there: xxxxxxx at xxxxxxxx:~$ sudo ls -lah /nsm/bro total 44K drwxr-xr-x 5 root root 4.0K Sep 4 2013 . drwxr-xr-x 6 root root 4.0K May 16 21:10 .. drwxr-xr-x 2 root root 28K May 21 22:22 extracted drwxr-xr-x 9 root root 4.0K May 21 22:03 logs drwxr-xr-x 22 root root 4.0K May 21 22:20 spool xxxxxxxx at xxxxxxxxxxx:~$ sudo ls -lah /nsm/bro/logs total 228K drwxr-xr-x 9 root root 4.0K May 21 22:03 . drwxr-xr-x 5 root root 4.0K Sep 4 2013 .. drwxr-xr-x 2 root root 20K May 17 00:00 2014-05-16 drwxr-xr-x 2 root root 36K May 18 00:00 2014-05-17 drwxr-xr-x 2 root root 40K May 19 00:00 2014-05-18 drwxr-xr-x 2 root root 40K May 20 00:00 2014-05-19 drwxr-xr-x 2 root root 36K May 21 21:34 2014-05-20 drwxr-xr-x 2 root root 36K May 21 22:03 2014-05-21 lrwxrwxrwx 1 root root 22 May 21 22:03 current -> /nsm/bro/spool/manager drwxr-xr-x 3 root root 4.0K May 16 21:10 stats I've stopped bro, did broctl check, then install and then start with no errors. Anyone have any ideas? I haven't messed with permissions, but it definitely seems to be a permission issue. Thanks Damon -------------- next part -------------- An HTML attachment was scrubbed... 
From JAzoff at albany.edu Wed May 21 15:38:51 2014
From: JAzoff at albany.edu (Justin Azoff)
Date: Wed, 21 May 2014 18:38:51 -0400
Subject: [Bro] Can't Browse /etc/bro Directory
In-Reply-To:
References:
Message-ID: <20140521223851.GS13320@datacomm.albany.edu>

On Wed, May 21, 2014 at 03:30:36PM -0700, Damon Rouse wrote:
> Hi
>
> I went to look at the files.log today, I can't see the bro directory
>
> xxxxxxx at xxxxxxx:/etc/nsm$ ls
...
> xxxxxxx at xxxxxxxx:~$ sudo ls -lah /nsm/bro

Looks like you are mixing up /etc/nsm/bro (which does not exist) and /nsm/bro (which does exist)

--
-- Justin Azoff

From paul.halliday at gmail.com Wed May 21 16:35:56 2014
From: paul.halliday at gmail.com (Paul Halliday)
Date: Wed, 21 May 2014 20:35:56 -0300
Subject: [Bro] Is there a regex that can be used to match the uids in the logs?
Message-ID:

Thanks.

--
Paul Halliday
http://www.pintumbler.org/

From anthony.kasza at gmail.com Wed May 21 16:50:00 2014
From: anthony.kasza at gmail.com (anthony kasza)
Date: Wed, 21 May 2014 16:50:00 -0700
Subject: [Bro] Is there a regex that can be used to match the uids in the logs?
In-Reply-To:
References:
Message-ID:

Is there a reason why you can't use the field separator and field name?

On May 21, 2014 4:44 PM, "Paul Halliday" wrote:
> Thanks.
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140521/ed18fdf5/attachment.html From jlay at slave-tothe-box.net Wed May 21 16:58:08 2014 From: jlay at slave-tothe-box.net (James Lay) Date: Wed, 21 May 2014 17:58:08 -0600 Subject: [Bro] Is there a regex that can be used to match the uids in the logs? In-Reply-To: References: Message-ID: <1400716688.2559.0.camel@JamesiMac> On Wed, 2014-05-21 at 20:35 -0300, Paul Halliday wrote: > Thanks. > > > > > -- > Paul Halliday > http://www.pintumbler.org/ > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro This should get you there Paul: egrep -o '[0-9a-zA-Z]{18}' James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140521/fba5fa8c/attachment.html From paul.halliday at gmail.com Wed May 21 17:03:41 2014 From: paul.halliday at gmail.com (Paul Halliday) Date: Wed, 21 May 2014 21:03:41 -0300 Subject: [Bro] Is there a regex that can be used to match the uids in the logs? In-Reply-To: References: Message-ID: This is probably really ghetto but bear with me.. I am prototyping something where I am parsing the results from an elasticsearch query. I know what format my data is in but I want to be able to add some functionality for those sources that may not be structured the same way; for example no field names or different field indexes. I want the regex so that I can do a replace (add a link to the uid) so the user can quick query it. On Wed, May 21, 2014 at 8:50 PM, anthony kasza wrote: > Is there a reason why you can't use the field seperator and field name? > On May 21, 2014 4:44 PM, "Paul Halliday" wrote: > >> Thanks. 
>> >> -- >> Paul Halliday >> http://www.pintumbler.org/ >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > -- Paul Halliday http://www.pintumbler.org/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140521/529f1588/attachment.html From paul.halliday at gmail.com Wed May 21 17:15:06 2014 From: paul.halliday at gmail.com (Paul Halliday) Date: Wed, 21 May 2014 21:15:06 -0300 Subject: [Bro] Is there a regex that can be used to match the uids in the logs? In-Reply-To: <1400716688.2559.0.camel@JamesiMac> References: <1400716688.2559.0.camel@JamesiMac> Message-ID: :) Thanks. On Wed, May 21, 2014 at 8:58 PM, James Lay wrote: > On Wed, 2014-05-21 at 20:35 -0300, Paul Halliday wrote: > > Thanks. > > > > -- > Paul Halliday > http://www.pintumbler.org/ > > _______________________________________________ > Bro mailing listbro at bro-ids.orghttp://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > This should get you there Paul: > > egrep -o '[0-9a-zA-Z]{18}' > > James > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Paul Halliday http://www.pintumbler.org/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140521/0d6d4ebf/attachment.html From seth at icir.org Thu May 22 07:28:40 2014 From: seth at icir.org (Seth Hall) Date: Thu, 22 May 2014 10:28:40 -0400 Subject: [Bro] Is there a regex that can be used to match the uids in the logs? In-Reply-To: <1400716688.2559.0.camel@JamesiMac> References: <1400716688.2559.0.camel@JamesiMac> Message-ID: On May 21, 2014, at 7:58 PM, James Lay wrote: > egrep -o '[0-9a-zA-Z]{18}' I don't think there is a requirement that UIDs are 18 characters long. 
I believe it depends on the number being represented underneath. Although, now with 96-bit uids it is less likely to have shorter uids but I think it's still possible.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jsiwek at illinois.edu Thu May 22 09:14:39 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 22 May 2014 16:14:39 +0000
Subject: [Bro] Bro 2.3 Beta Available
Message-ID:

A beta version of Bro 2.3 is now available for testing and can be downloaded from:

https://bro.org/download/index.html

The NEWS/CHANGES files also linked on that page contain highlights/details. Feel free to use this mailing list or the bug tracker (tracker.bro.org) to provide feedback or report problems.

- Jon

From damonrouse at gmail.com Thu May 22 09:49:48 2014
From: damonrouse at gmail.com (Damon Rouse)
Date: Thu, 22 May 2014 09:49:48 -0700
Subject: [Bro] Question on Notices
Message-ID:

Hi

I've been playing with notice alerts and was wondering if it's possible to get the alert below to show the unique hosts that it scanned. If not possible via an alert, what would be the best way in Bro to find these hosts? Thanks!

[Bro] Scan::Address_Scan

Message: 192.168.xxx.xxx scanned at least 27 unique hosts on port 80/tcp in 1m56s

Sub-message: local

Address: 192.168.xxx.xxx

Email Extensions
----------------
orig/src hostname: xxxxxxxxxxxxxxx
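An added example for the UID regex thread above (James's egrep pattern, anthony's field-name suggestion and Seth's point that UIDs need not be 18 characters). The Python below is written for this page and is not code from the thread or from Bro: on a constructed log excerpt it shows the fixed-width pattern matching an 18-character slice of a hash column and missing a shorter UID, while a lookup driven by the log's own #separator and #fields header lines gets both, and it rewrites the UID columns as links, which was Paul's goal. The UID values, the log columns and the search URL are made up.

```python
"""Extract Bro UIDs from TSV logs by column name instead of by length.

Example code for this page, not from the thread or from Bro. The log
excerpt, the UID strings and the search URL are constructed.
"""
import re

NAIVE_UID_RE = re.compile(r"[0-9a-zA-Z]{18}")   # the egrep -o pattern from the thread

# Constructed excerpt: Bro 2.2 header keywords, made-up values, and a hash
# column of the kind files.log and http.log carry. The second UID is shorter
# than 18 characters on purpose.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmd5\thost\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\n"
    "1400716688.123456\tCHhAvVGS1DHFjwGM9b\t10.0.0.5\t51234\t93.184.216.34\t80"
    "\td41d8cd98f00b204e9800998ecf8427e\tupdates.example.internal\n"
    "1400716690.654321\tCwDfV1qF2aKk\t10.0.0.7\t51235\t93.184.216.34\t80\t-\tcdn.example.internal\n"
)


def _scan(text):
    """Yield (sep, fields, line, cols) per line; cols is None for header and blank lines."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Bro writes the separator escaped, e.g. "#separator \x09"
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        cols = None if (not line or line.startswith("#")) else line.split(sep)
        yield sep, fields, line, cols


def naive_uids(text):
    """Every 18-character alphanumeric run, as egrep -o would report it."""
    return NAIVE_UID_RE.findall(text)


def uids_by_field(text, names=("uid", "fuid")):
    """UIDs read from the named columns, whatever their length."""
    found = []
    for _sep, fields, _line, cols in _scan(text):
        if cols and fields:
            row = dict(zip(fields, cols))
            found.extend(row[n] for n in names if row.get(n, "-") != "-")
    return found


def linkify_uids(text, base_url="https://search.example.internal/uid/", names=("uid", "fuid")):
    """Rewrite UID columns as HTML links (Paul's use case). base_url is a placeholder."""
    out = []
    for sep, fields, line, cols in _scan(text):
        if cols and fields:
            for i, name in enumerate(fields[:len(cols)]):
                if name in names and cols[i] != "-":
                    # UIDs are alphanumeric, so the value needs no HTML escaping.
                    cols[i] = '<a href="%s%s">%s</a>' % (base_url, cols[i], cols[i])
            line = sep.join(cols)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print("naive:   ", naive_uids(SAMPLE_LOG))
    print("by field:", uids_by_field(SAMPLE_LOG))
```

For sources that arrive without the header (the case Paul raises), carry the field list from the original log's #fields line alongside the data rather than guessing from shape; a length-based regex has no way to tell a UID from a hash fragment.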
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140522/4f99d7a8/attachment.html From mkhan04 at gmail.com Fri May 23 10:03:17 2014 From: mkhan04 at gmail.com (M K) Date: Fri, 23 May 2014 13:03:17 -0400 Subject: [Bro] String as Vector of Bytes Message-ID: So, according to the docs, Bro stores strings, internally, as a vector of bytes (and a count). Is there anyway to actually get access to the bytes as ints or counts in a bro script? Looking at the bro cheatsheet, I didn't see any functions that could convert a string to any sort of integer related format. The thing that came closest was bytestring_to_hexstring, but that still returns a regular string (except with all bytes converted to string hex). Is there any function I'm missing that converts a string to a vector of count or something similar? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/ef177302/attachment.html From mkhan04 at gmail.com Fri May 23 10:10:08 2014 From: mkhan04 at gmail.com (M K) Date: Fri, 23 May 2014 13:10:08 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: References: Message-ID: Looks like it wouldn't be too difficult to add bitwise operators that work on integral types (int and count) -- I modified the bro source to add '&', '^', '<<', and '>>'. I had some clash with '|' due to it being used in other places (and there's probably numerous other bugs since I'm not much of a lex/yacc expert) but it seems like something that'd be do-able. On Wed, May 21, 2014 at 3:01 PM, Kyle Creyts wrote: > Shifts would be nice too. > > On Wed, May 21, 2014 at 7:15 AM, M K wrote: > > Looking through the archives, it looks like this has come up, but I'll > ask > > it again since doesn't look like it's been asked recently. Does bro > support > > bitwise operations such as 'and', 'or', and 'xor' ? 
> > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > -- > Kyle Creyts > > Information Assurance Professional > Founder BSidesDetroit > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/61c4b842/attachment.html From liburdi.joshua at gmail.com Fri May 23 10:40:54 2014 From: liburdi.joshua at gmail.com (Josh Liburdi) Date: Fri, 23 May 2014 13:40:54 -0400 Subject: [Bro] Question on Notices In-Reply-To: References: Message-ID: Originally only replied to Damon, wanted to make sure the rest of the list caught this too in case anyone else had a similar question ... There are a couple ways to get the hosts in your notice, but both require modifying the scan.bro script-- if you want to capture all of the victim hosts, then you can add the victims to a table as the data is being sent to Sumstats ( SumStats::observe("scan.addr.fail" ... ); if you want a random sample of the victim hosts, then you can add the Sumstats sample measurement to the reducer ( detect-sqli.bro has an example of this ). The latter won't give you all the scanned hosts, but it'd be easier and cleaner to implement in the script. The easiest way to check w/o editing any scripts or altering the notice is to bro-cut your http.log and fgrep for the scanner IP connecting to hosts on port 80. -Josh On Thu, May 22, 2014 at 12:49 PM, Damon Rouse wrote: > Hi > > I've been playing with notice alerts and was wondering if it's possible to > get the alert below to show the unique hosts that it scanned. If not > possible via an alert, what would be the best way in Bro to find these > hosts? Thanks! 
> > [Bro] Scan::Address_Scan > > Message: 192.168.xxx.xxx scanned at least 27 unique hosts on port 80/tcp > in 1m56s > > Sub-message: local > > Address: 192.168.xxx.xxx > > Email Extensions > > ---------------- > > orig/src hostname: xxxxxxxxxxxxxxx > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/5bb8cb57/attachment.html From jsiwek at illinois.edu Fri May 23 10:41:38 2014 From: jsiwek at illinois.edu (Siwek, Jon) Date: Fri, 23 May 2014 17:41:38 +0000 Subject: [Bro] String as Vector of Bytes In-Reply-To: References: Message-ID: <89C38448-7E4D-4083-93EE-047EB46BA5AA@illinois.edu> On May 23, 2014, at 12:03 PM, M K wrote: > there any function I'm missing that converts a string to a vector of count or something similar? bytestring_to_count() [1] may help. E.g.: local s = "testing"; for ( c in s ) print bytestring_to_count(c); - Jon [1] http://bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html?highlight=bytestring_to_count#id-bytestring_to_count From vladg at cmu.edu Fri May 23 11:42:02 2014 From: vladg at cmu.edu (Vlad Grigorescu) Date: Fri, 23 May 2014 18:42:02 +0000 Subject: [Bro] Question on Notices In-Reply-To: References: Message-ID: <3CAE4455-400D-4671-B1B4-81CE0A699528@andrew.cmu.edu> On May 23, 2014, at 1:40 PM, Josh Liburdi wrote: > There are a couple ways to get the hosts in your notice, but both require modifying the scan.bro script-- if you want to capture all of the victim hosts, then you can add the victims to a table as the data is being sent to Sumstats ( SumStats::observe("scan.addr.fail" ... ); if you want a random sample of the victim hosts, then you can add the Sumstats sample measurement to the reducer ( detect-sqli.bro has an example of this ). 
The latter won't give you all the scanned hosts, but it'd be easier and cleaner to implement in the script. +1 to what Josh said, but I'll just add two points: - Adding the full set of victim hosts will drastically increase the memory usage. scan.bro can already be fairly memory intensive on a large network (depending on how populated your IP space is, where exactly Bro is inspecting the traffic, etc.) This trade-off might be worth it to you, just wanted to point it out. - While with the sampling approach the samples are randomized, they are also statistically significant. That means that if an attacker scans 1000 ports on host A, and one port on another 10 hosts, host A would be the one to show up in the sample. (I'm oversimplifying things here, for more information see: http://en.wikipedia.org/wiki/Reservoir_sampling) --Vlad -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/e39af873/attachment.bin From mkhan04 at gmail.com Fri May 23 12:51:54 2014 From: mkhan04 at gmail.com (M K) Date: Fri, 23 May 2014 15:51:54 -0400 Subject: [Bro] String as Vector of Bytes In-Reply-To: <89C38448-7E4D-4083-93EE-047EB46BA5AA@illinois.edu> References: <89C38448-7E4D-4083-93EE-047EB46BA5AA@illinois.edu> Message-ID: Yup, exactly what I'm looking for. I guess the cheat sheet isn't up to date. Thanks. On May 23, 2014 1:41 PM, "Siwek, Jon" wrote: > > On May 23, 2014, at 12:03 PM, M K wrote: > > > there any function I'm missing that converts a string to a vector of > count or something similar? > > bytestring_to_count() [1] may help. 
E.g.: > > local s = "testing"; > for ( c in s ) print bytestring_to_count(c); > > - Jon > > [1] > http://bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html?highlight=bytestring_to_count#id-bytestring_to_count -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/902f4b28/attachment.html From vern at icir.org Fri May 23 21:31:35 2014 From: vern at icir.org (Vern Paxson) Date: Fri, 23 May 2014 21:31:35 -0700 Subject: [Bro] Bitwise Operations In-Reply-To: (Fri, 23 May 2014 13:10:08 EDT). Message-ID: <20140524043135.BAC6B2C40B9@rock.ICSI.Berkeley.EDU> > Looks like it wouldn't be too difficult to add bitwise operators that work > on integral types (int and count) Sure. But can you please sketch a compelling use case for which it's important to add this functionality? That's the general bar for deciding what sort of features to add. Vern From mkhan04 at gmail.com Fri May 23 22:26:27 2014 From: mkhan04 at gmail.com (M K) Date: Sat, 24 May 2014 01:26:27 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: <20140524043135.BAC6B2C40B9@rock.ICSI.Berkeley.EDU> References: <20140524043135.BAC6B2C40B9@rock.ICSI.Berkeley.EDU> Message-ID: Well, one reason would be to aid in detecting malware c2 traffic that can't be detected with simple signatures or regular math operations. As a grossly simplified example, imagine you've reverse engineered a piece of c2 malware and have figured out what their handshake protocol looks like. This malware always puts a key somewhere in the packet and then uses that key to xor data in other parts of the packet. This method would be used as a simple traffic obfuscation technique to prevent traditional signature detection. As it stands there's very little way (frankly, no way) for Bro to detect this sort of stuff (and that was my response when someone asked if we could implement something in Bro to detect some c2 traffic we're trying to track). 
Assuming you have the full range of the bro language to leverage in the signature framework's eval function, this is pretty much a requirement for writing more advanced signatures and one of the reasons Snort introduced Shared Object Rules into their system ( http://blog.snort.org/2011/02/snort-shared-object-rules.html). On Sat, May 24, 2014 at 12:31 AM, Vern Paxson wrote: > > Looks like it wouldn't be too difficult to add bitwise operators that > work > > on integral types (int and count) > > Sure. But can you please sketch a compelling use case for which it's > important to add this functionality? That's the general bar for deciding > what sort of features to add. > > Vern > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140524/b0312e46/attachment.html From anthony.kasza at gmail.com Fri May 23 22:34:57 2014 From: anthony.kasza at gmail.com (anthony kasza) Date: Fri, 23 May 2014 22:34:57 -0700 Subject: [Bro] Bitwise Operations In-Reply-To: <20140524043135.BAC6B2C40B9@rock.ICSI.Berkeley.EDU> References: <20140524043135.BAC6B2C40B9@rock.ICSI.Berkeley.EDU> Message-ID: Bitwise operations on user defined stream fields for custom protocol (or specific "data chunks") analyzers within scriptland is one reason. -AK On May 23, 2014 9:44 PM, "Vern Paxson" wrote: > > Looks like it wouldn't be too difficult to add bitwise operators that > work > > on integral types (int and count) > > Sure. But can you please sketch a compelling use case for which it's > important to add this functionality? That's the general bar for deciding > what sort of features to add. > > Vern > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... 
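An added example for the Question on Notices thread above (Josh's two options and Vlad's memory and sampling caveats). The Python below is written for this page and is not scan.bro or SumStats code: it implements the full victim table next to a per-scanner reservoir sample (Algorithm R, the method behind the reservoir-sampling link Vlad gave), on a constructed stream in which one scanner fails against 1000 ports on one host and one port on ten others. The reservoir stays at k entries however many observations arrive, and because it samples observations rather than distinct hosts the heavily probed host is almost certain to be in it, which is Vlad's point.

```python
"""Collect the victims behind a Scan::Address_Scan notice, two ways.

Example code for this page, not from scan.bro or SumStats. Shows the
full per-scanner victim table (complete, memory grows with distinct
victims) beside a fixed-size reservoir sample (Algorithm R, bounded
memory, uniform over observations rather than over distinct hosts).
The observation stream is constructed.
"""
import random
from collections import defaultdict


class VictimTable:
    """Josh's first option: remember every distinct victim per scanner."""

    def __init__(self):
        self.victims = defaultdict(set)

    def observe(self, scanner, victim):
        self.victims[scanner].add(victim)

    def report(self, scanner):
        return sorted(self.victims[scanner])


class VictimSampler:
    """Josh's second option: a k-item reservoir per scanner (Algorithm R)."""

    def __init__(self, k, seed=None):
        self.k = k
        self.rng = random.Random(seed)    # seeded only so the example is reproducible
        self.seen = defaultdict(int)      # observations per scanner
        self.samples = defaultdict(list)  # never longer than k per scanner

    def observe(self, scanner, victim):
        n = self.seen[scanner]            # observations before this one
        self.seen[scanner] = n + 1
        res = self.samples[scanner]
        if n < self.k:
            res.append(victim)            # fill the reservoir first
        else:
            j = self.rng.randrange(n + 1) # keep this item with probability k/(n+1)
            if j < self.k:
                res[j] = victim

    def report(self, scanner):
        return list(self.samples[scanner])


def constructed_observations():
    """One scanner probing 1000 ports on 10.0.0.1 and one port on ten other hosts."""
    scanner = "192.168.1.10"
    obs = [(scanner, "10.0.0.1") for _ in range(1000)]
    obs += [(scanner, "10.0.0.%d" % i) for i in range(2, 12)]
    return scanner, obs


def run(k=5, seed=2014):
    """Feed the same stream to both collectors and summarise what each would put in a notice."""
    scanner, obs = constructed_observations()
    table, sampler = VictimTable(), VictimSampler(k, seed)
    for s, v in obs:
        table.observe(s, v)
        sampler.observe(s, v)
    return {
        "observations": sampler.seen[scanner],
        "distinct_victims": len(table.report(scanner)),
        "sample": sampler.report(scanner),
    }


if __name__ == "__main__":
    print(run())
```

If the goal is the list of distinct hosts rather than a picture of where the scanner spent its time, sample distinct victims (add to the reservoir only on first sight of a (scanner, victim) pair) and accept a per-scanner set of seen victims that grows with the scan width.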
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/e306d67f/attachment.html From vern at icir.org Fri May 23 22:42:18 2014 From: vern at icir.org (Vern Paxson) Date: Fri, 23 May 2014 22:42:18 -0700 Subject: [Bro] Bitwise Operations In-Reply-To: (Fri, 23 May 2014 22:34:57 PDT). Message-ID: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> > Bitwise operations on user defined stream fields for custom protocol Okay, these examples make sense to me. Let me ask then about what such operators should look like. M K originally sketched them as operating on integral types. However, I'd think that if it's for manipulating blobs of C&C, then instead working on strings would be the right target ... ? Vern From mkhan04 at gmail.com Fri May 23 22:52:49 2014 From: mkhan04 at gmail.com (M K) Date: Sat, 24 May 2014 01:52:49 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: My method was to take a string of bytes and convert them to integral types I wanted. So if I received a 'string' type in a function I could do: local foo1 = bytestring_to_count(sub_bytes(string, 0, 4)); local foo2 = bytestring_to_count(sub_bytes(string, 4, 2)); local foo3 = bytestring_to_count(sub_bytes(string, 6, 2)); bar = foo1 ^ 0x12345678; bah = (foo2 + foo3) & 0xFFFF; if ( bar == 0xDEADBEEF && bah > 0x1234 ) { #do a barrel roll } On Sat, May 24, 2014 at 1:42 AM, Vern Paxson wrote: > > Bitwise operations on user defined stream fields for custom protocol > > Okay, these examples make sense to me. Let me ask then about what such > operators should look like. M K originally sketched them as operating on > integral types. However, I'd think that if it's for manipulating blobs > of C&C, then instead working on strings would be the right target ... ? > > Vern > -------------- next part -------------- An HTML attachment was scrubbed... 
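An added example for the use case M K sketches above. The Python below is written for this page; the wire format is invented for illustration and is not any real malware's protocol: a 4-byte key, a 4-byte field that must XOR with the key to a fixed magic, a 2-byte length, and a body XORed with the repeating key. int.from_bytes stands in for bytestring_to_count() and slicing for sub_bytes(). The sample payloads are constructed; the point is that the on-wire bytes differ per key, so a byte-pattern signature cannot match while the key-recovery check does.

```python
"""Check payloads for an XOR-keyed handshake of the kind M K describes.

Example code for this page. The format is hypothetical:
  bytes 0..3   key
  bytes 4..7   MAGIC XOR key (big-endian)
  bytes 8..9   body length (big-endian)
  bytes 10..   body XOR repeating key
"""

MAGIC = 0xDEADBEEF      # value the decoded magic field must equal
HEADER_LEN = 10


def bytestring_to_count(b):
    """Big-endian unsigned integer, like Bro's bytestring_to_count()."""
    return int.from_bytes(b, "big")


def xor_repeating(data, key):
    """XOR data with key repeated as often as needed."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def decode_handshake(pkt):
    """Return the decoded body if pkt matches the format, else None."""
    if len(pkt) < HEADER_LEN:
        return None
    key = pkt[0:4]
    key_n = bytestring_to_count(key)
    if bytestring_to_count(pkt[4:8]) ^ key_n != MAGIC:
        return None                       # magic does not recover under this key
    body_len = bytestring_to_count(pkt[8:10])
    body = pkt[HEADER_LEN:HEADER_LEN + body_len]
    if len(body) != body_len:
        return None                       # truncated packet
    return xor_repeating(body, key)


def encode_handshake(key, body):
    """Build a packet in the same format; used only to construct sample traffic."""
    if len(key) != 4 or len(body) > 0xFFFF:
        raise ValueError("key must be 4 bytes and body at most 65535 bytes")
    key_n = bytestring_to_count(key)
    return (key
            + (MAGIC ^ key_n).to_bytes(4, "big")
            + len(body).to_bytes(2, "big")
            + xor_repeating(body, key))


def find_handshakes(payloads):
    """Run the check over (uid, payload) pairs and return the decoded hits."""
    hits = []
    for uid, payload in payloads:
        body = decode_handshake(payload)
        if body is not None:
            hits.append((uid, body))
    return hits


# Constructed traffic: two beacons with different keys and one plain HTTP request.
SAMPLE_PAYLOADS = [
    ("Cabc123", encode_handshake(b"\x12\x34\x56\x78", b"HELLO id=bot-1234")),
    ("Cdef456", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("Cghi789", encode_handshake(b"\xca\xfe\xba\xbe", b"HELLO id=bot-0007")),
]

if __name__ == "__main__":
    for uid, body in find_handshakes(SAMPLE_PAYLOADS):
        print(uid, body)
```

Two things carry over to a real deployment: the magic check runs before any allocation proportional to the claimed length, so a crafted length field cannot make the checker work hard, and the key is taken from the packet itself, which is exactly why static content matching fails here and an expression over the bytes succeeds.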
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140524/f08416cf/attachment.html From anthony.kasza at gmail.com Fri May 23 23:56:42 2014 From: anthony.kasza at gmail.com (anthony kasza) Date: Fri, 23 May 2014 23:56:42 -0700 Subject: [Bro] Bitwise Operations In-Reply-To: References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: I'd love to see these operations built into Bro. However, considering Bro's focus on scale, individual c2 operations analysis (especially when applied to specific connections within a large pipe) may be better suited for something like chopshop or another framework focussed on individual connections. Any other opinions? -AK On May 23, 2014 10:52 PM, "M K" wrote: > My method was to take a string of bytes and convert them to integral types > I wanted. > > So if I received a 'string' type in a function I could do: > > local foo1 = bytestring_to_count(sub_bytes(string, 0, 4)); > local foo2 = bytestring_to_count(sub_bytes(string, 4, 2)); > local foo3 = bytestring_to_count(sub_bytes(string, 6, 2)); > > bar = foo1 ^ 0x12345678; > bah = (foo2 + foo3) & 0xFFFF; > > if ( bar == 0xDEADBEEF && bah > 0x1234 ) { > #do a barrel roll > } > > > > On Sat, May 24, 2014 at 1:42 AM, Vern Paxson wrote: > >> > Bitwise operations on user defined stream fields for custom protocol >> >> Okay, these examples make sense to me. Let me ask then about what such >> operators should look like. M K originally sketched them as operating on >> integral types. However, I'd think that if it's for manipulating blobs >> of C&C, then instead working on strings would be the right target ... ? >> >> Vern >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140523/bad73bf1/attachment.html From mkhan04 at gmail.com Tue May 27 04:53:12 2014 From: mkhan04 at gmail.com (M K) Date: Tue, 27 May 2014 07:53:12 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: ChopShop is too slow to handle detection of c2 traffic in real-time on a large pipe. Frankly, it was never meant for it, even though a lot of folks would like to run it like that. For detection of c2 in real-time on a large pipe you need some capability that has the ability to scale (and just be faster overall). If the performance hit added by the translation of bro script is too huge, then it would be slow, but given Bro Cluster's ability to scale I would hope that it could be somehow managed. The alternative would be to add another bro framework (or augment the signature framework) to allow for C or C++ like code to be directly executed on packets akin to Shared Object Rules or to add some abstracted math language to it that gets parsed and directly executed. The other alternative, of course, is to just use another detection system. P.S -- full disclosure -- I'm the primary author of ChopShop. On Sat, May 24, 2014 at 2:56 AM, anthony kasza wrote: > I'd love to see these operations built into Bro. However, considering > Bro's focus on scale, individual c2 operations analysis (especially when > applied to specific connections within a large pipe) may be better suited > for something like chopshop or another framework focussed on individual > connections. Any other opinions? > > -AK > On May 23, 2014 10:52 PM, "M K" wrote: > >> My method was to take a string of bytes and convert them to integral >> types I wanted. 
>> >> So if I received a 'string' type in a function I could do: >> >> local foo1 = bytestring_to_count(sub_bytes(string, 0, 4)); >> local foo2 = bytestring_to_count(sub_bytes(string, 4, 2)); >> local foo3 = bytestring_to_count(sub_bytes(string, 6, 2)); >> >> bar = foo1 ^ 0x12345678; >> bah = (foo2 + foo3) & 0xFFFF; >> >> if ( bar == 0xDEADBEEF && bah > 0x1234 ) { >> #do a barrel roll >> } >> >> >> >> On Sat, May 24, 2014 at 1:42 AM, Vern Paxson wrote: >> >>> > Bitwise operations on user defined stream fields for custom protocol >>> >>> Okay, these examples make sense to me. Let me ask then about what such >>> operators should look like. M K originally sketched them as operating on >>> integral types. However, I'd think that if it's for manipulating blobs >>> of C&C, then instead working on strings would be the right target ... ? >>> >>> Vern >>> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140527/9573620d/attachment.html From anthony.kasza at gmail.com Tue May 27 09:01:19 2014 From: anthony.kasza at gmail.com (anthony kasza) Date: Tue, 27 May 2014 09:01:19 -0700 Subject: [Bro] Bitwise Operations In-Reply-To: References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: In my mind malware C2 communications comes in three flavors. - repurposed HTTP (RFC compliant) - modified HTTP (just enough to make it not work with Bro's HTTP analyzer) - custom binary A bitwise operations within scriptland would be very useful for the first type, where xor'ing an HTTP body or header value can reveal an underlying communications mechanism. This assumes you're looking to take advantage of Bro's HTTP analyzer. The second and third types of C2 would require completely new protocol analyzers. If the analyzer is written in C/C++, the scriptland bitwise operator is pointless. If the analyzer was written in scriptland, e.g. 
hooking events such as tcp_contents, the bitwise operator would be very handy but Bro's speed would likely be compromised. -AK P.S -- full disclosure -- I'm a fan of ChopShop :) On Tue, May 27, 2014 at 4:53 AM, M K wrote: > ChopShop is too slow to handle detection of c2 traffic in real-time on a > large pipe. Frankly, it was never meant for it, even though a lot of folks > would like to run it like that. For detection of c2 in real-time on a large > pipe you need some capability that has the ability to scale (and just be > faster overall). If the performance hit added by the translation of bro > script is too huge, then it would be slow, but given Bro Cluster's ability > to scale I would hope that it could be somehow managed. > > The alternative would be to add another bro framework (or augment the > signature framework) to allow for C or C++ like code to be directly executed > on packets akin to Shared Object Rules or to add some abstracted math > language to it that gets parsed and directly executed. The other > alternative, of course, is to just use another detection system. > > > > P.S -- full disclosure -- I'm the primary author of ChopShop. > > > > On Sat, May 24, 2014 at 2:56 AM, anthony kasza > wrote: >> >> I'd love to see these operations built into Bro. However, considering >> Bro's focus on scale, individual c2 operations analysis (especially when >> applied to specific connections within a large pipe) may be better suited >> for something like chopshop or another framework focussed on individual >> connections. Any other opinions? >> >> -AK >> >> On May 23, 2014 10:52 PM, "M K" wrote: >>> >>> My method was to take a string of bytes and convert them to integral >>> types I wanted. 
>>> >>> So if I received a 'string' type in a function I could do: >>> >>> local foo1 = bytestring_to_count(sub_bytes(string, 0, 4)); >>> local foo2 = bytestring_to_count(sub_bytes(string, 4, 2)); >>> local foo3 = bytestring_to_count(sub_bytes(string, 6, 2)); >>> >>> bar = foo1 ^ 0x12345678; >>> bah = (foo2 + foo3) & 0xFFFF; >>> >>> if ( bar == 0xDEADBEEF && bah > 0x1234 ) { >>> #do a barrel roll >>> } >>> >>> >>> >>> On Sat, May 24, 2014 at 1:42 AM, Vern Paxson wrote: >>>> >>>> > Bitwise operations on user defined stream fields for custom protocol >>>> >>>> Okay, these examples make sense to me. Let me ask then about what such >>>> operators should look like. M K originally sketched them as operating >>>> on >>>> integral types. However, I'd think that if it's for manipulating blobs >>>> of C&C, then instead working on strings would be the right target ... ? >>>> >>>> Vern >>> >>> > From seth at icir.org Tue May 27 10:27:13 2014 From: seth at icir.org (Seth Hall) Date: Tue, 27 May 2014 13:27:13 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: On May 27, 2014, at 12:01 PM, anthony kasza wrote: > In my mind malware C2 communications comes in three flavors. > - repurposed HTTP (RFC compliant) > - modified HTTP (just enough to make it not work with Bro's HTTP analyzer) > - custom binary Nice list. I think you've nailed it with these. Fortunately there has been work in progress for several years that should help address points 2 and 3. ;) For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email). I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either. > hooking events such as tcp_contents, the bitwise operator would be very handy but Bro's speed > would likely be compromised. Yeah, I *definitely* don't recommend that. 
.Seth
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xor.bro
Type: application/octet-stream
Size: 8772 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140527/d273d61a/attachment.obj

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From chilton.brian at yahoo.com Wed May 28 07:03:16 2014
From: chilton.brian at yahoo.com (Brian Chilton)
Date: Wed, 28 May 2014 07:03:16 -0700 (PDT)
Subject: [Bro] Tables and Strings
Message-ID: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com>

all,

I will apologize up front for my lack of knowledge in this subject, but after 3 weekends of 8 to 12 hours searching I have officially hit the end of the road, so I am reaching out to the community hoping you all might have some answers. What I'm trying to do is simple in context; I just don't know the language well enough to do it. Here is the logic:

if (http connection established and method is post)
    check to see have we visited this site before (compare against master list (or table))
    if visited this site before
    ------ignore connection
    if site is newly visited
    ------add site to list or table, and alert

Really simple in logic, but for the life of me I cannot figure out how to add to a list or table after comparing to that table. Hopefully I explained this well enough, but if I didn't please let me know and I will try my best to explain it better.

thanks,

Brian,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140528/96876d80/attachment.html From liburdi.joshua at gmail.com Wed May 28 11:20:03 2014 From: liburdi.joshua at gmail.com (Josh Liburdi) Date: Wed, 28 May 2014 14:20:03 -0400 Subject: [Bro] Tables and Strings In-Reply-To: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com> References: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com> Message-ID: Brian, Taking a guess, your difficulty might be stemming from trying to use a table type when instead you may want to use a set type. In the Bro language, a table always has an index and yield, but a set is just a list ... if you only want a list of sites users are visiting (no indexes or yields, only a list), then the set type is what you should use. Here's a simple example (hopefully the script formatting comes through correctly): global websites: set[string]; event http_header(c: connection, is_orig: bool, name: string, value: string) { if ( name == "HOST" ) if ( value !in websites ) add websites[value]; } event bro_done() { print websites; } Keep in mind that in production, the websites set is likely to grow enormously and could cause memory issues. For local testing with pcap, the above script will print the seen host values to stdout when Bro finishes. Alternatively, if you want a table of the originating hosts by the websites they connected to ... global websites: table[string] of set[addr]; event http_header(c: connection, is_orig: bool, name: string, value: string) { if ( name == "HOST" ) { if ( value !in websites ) websites[value] = set(); if ( value in websites ) { add websites[value][c$id$orig_h]; print "found a new website! 
"+ value; # ^^^ could raise notice here instead } } } event bro_done() { print websites; } Same caveat as before regarding the size of the table and running in production, but the above table contains indexes of websites with yields that are sets of the originating hosts who connected to those sites; the table is printed to stdout when Bro finishes. If you want to take this to production, you'd likely be better off writing the websites set/table to a file and re-reading it with the input framework ... I haven't had a need to explore doing that yet, so I don't have much experience there. - Josh On Wed, May 28, 2014 at 10:03 AM, Brian Chilton wrote: > all, > > I will apologize up front for my lack of knowledge in this subject but > after 3 weekends of 8 to 12 hours searching I have officially hit the end > of the road so I am reaching out to the community hoping you all might have > some answers. What I'm trying to do is simple in context I just don't know > the language good enough to do it here is the logic. > > if (http connection established and method is post) > check to see have we visited this site before (compare against master list > (or table)) > if visited this site before > ------ignore connection > if site is newly visited > ------add site to list or table, and alert > > really simple in logic but for the life of me I cannot figure out how to > add to a list or table after comparing to that table. Hopefully I > explained this well enough, but if I didn't please let me know and I will > try my best to explain it better. > > > thanks, > > Brian, > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140528/8c993432/attachment.html From anthony.kasza at gmail.com Wed May 28 11:28:08 2014 From: anthony.kasza at gmail.com (anthony kasza) Date: Wed, 28 May 2014 11:28:08 -0700 Subject: [Bro] Tables and Strings In-Reply-To: References: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com> Message-ID: Tables also have nice key/value expire functionality that can help curb their size. -AK On May 28, 2014 11:22 AM, "Josh Liburdi" wrote: > Brian, > > Taking a guess, your difficulty might be stemming from trying to use a > table type when instead you may want to use a set type. In the Bro > language, a table always has an index and yield, but a set is just a list > ... if you only want a list of sites users are visiting (no indexes or > yields, only a list), then the set type is what you should use. Here's a > simple example (hopefully the script formatting comes through correctly): > > global websites: set[string]; > > event http_header(c: connection, is_orig: bool, name: string, value: > string) > { > if ( name == "HOST" ) > if ( value !in websites ) > add websites[value]; > } > > event bro_done() > { > print websites; > } > > Keep in mind that in production, the websites set is likely to grow > enormously and could cause memory issues. For local testing with pcap, the > above script will print the seen host values to stdout when Bro finishes. > Alternatively, if you want a table of the originating hosts by the websites > they connected to ... > > global websites: table[string] of set[addr]; > > event http_header(c: connection, is_orig: bool, name: string, value: > string) > { > if ( name == "HOST" ) > { > if ( value !in websites ) > websites[value] = set(); > if ( value in websites ) > { > add websites[value][c$id$orig_h]; > print "found a new website! 
"+ value; > # ^^^ could raise notice here instead > } > } > } > > event bro_done() > { > print websites; > } > > Same caveat as before regarding the size of the table and running in > production, but the above table contains indexes of websites with yields > that are sets of the originating hosts who connected to those sites; the > table is printed to stdout when Bro finishes. If you want to take this to > production, you'd likely be better off writing the websites set/table to a > file and re-reading it with the input framework ... I haven't had a need to > explore doing that yet, so I don't have much experience there. > > - Josh > > > On Wed, May 28, 2014 at 10:03 AM, Brian Chilton wrote: > >> all, >> >> I will apologize up front for my lack of knowledge in this subject but >> after 3 weekends of 8 to 12 hours searching I have officially hit the end >> of the road so I am reaching out to the community hoping you all might have >> some answers. What I'm trying to do is simple in context I just don't know >> the language good enough to do it here is the logic. >> >> if (http connection established and method is post) >> check to see have we visited this site before (compare against master >> list (or table)) >> if visited this site before >> ------ignore connection >> if site is newly visited >> ------add site to list or table, and alert >> >> really simple in logic but for the life of me I cannot figure out how to >> add to a list or table after comparing to that table. Hopefully I >> explained this well enough, but if I didn't please let me know and I will >> try my best to explain it better. 
>> >> >> thanks, >> >> Brian, >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140528/aab7ec76/attachment.html From liburdi.joshua at gmail.com Wed May 28 11:34:56 2014 From: liburdi.joshua at gmail.com (Josh Liburdi) Date: Wed, 28 May 2014 14:34:56 -0400 Subject: [Bro] Tables and Strings In-Reply-To: References: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com> Message-ID: Yep, there are quite a few attributes that can make them manageable ... lots of good information on this page: http://www.bro.org/sphinx/scripts/builtins.html Looks like I made a mistake in the script I shared ... if you want to generate a notice when a new website is found, then the notice should go under the if statement where the value is added to the set/table websites. If you have a master list (set) of websites you'd like to manage separately from a dynamic set/table, then you can add an if statement to check if the value is or isn't in that list as well ... const master_list: set[string] = { "google.com", "evil.com" }; { ... } if ( name == "HOST" ) if ( value in master_list ) #do something - Josh On Wed, May 28, 2014 at 2:28 PM, anthony kasza wrote: > Tables also have nice key/value expire functionality that can help curb > their size. > > -AK > On May 28, 2014 11:22 AM, "Josh Liburdi" wrote: > >> Brian, >> >> Taking a guess, your difficulty might be stemming from trying to use a >> table type when instead you may want to use a set type. In the Bro >> language, a table always has an index and yield, but a set is just a list >> ... 
if you only want a list of sites users are visiting (no indexes or >> yields, only a list), then the set type is what you should use. Here's a >> simple example (hopefully the script formatting comes through correctly): >> >> global websites: set[string]; >> >> event http_header(c: connection, is_orig: bool, name: string, value: >> string) >> { >> if ( name == "HOST" ) >> if ( value !in websites ) >> add websites[value]; >> } >> >> event bro_done() >> { >> print websites; >> } >> >> Keep in mind that in production, the websites set is likely to grow >> enormously and could cause memory issues. For local testing with pcap, the >> above script will print the seen host values to stdout when Bro finishes. >> Alternatively, if you want a table of the originating hosts by the websites >> they connected to ... >> >> global websites: table[string] of set[addr]; >> >> event http_header(c: connection, is_orig: bool, name: string, value: >> string) >> { >> if ( name == "HOST" ) >> { >> if ( value !in websites ) >> websites[value] = set(); >> if ( value in websites ) >> { >> add websites[value][c$id$orig_h]; >> print "found a new website! "+ value; >> # ^^^ could raise notice here instead >> } >> } >> } >> >> event bro_done() >> { >> print websites; >> } >> >> Same caveat as before regarding the size of the table and running in >> production, but the above table contains indexes of websites with yields >> that are sets of the originating hosts who connected to those sites; the >> table is printed to stdout when Bro finishes. If you want to take this to >> production, you'd likely be better off writing the websites set/table to a >> file and re-reading it with the input framework ... I haven't had a need to >> explore doing that yet, so I don't have much experience there. 
>>
>> - Josh
>>
>>
>> On Wed, May 28, 2014 at 10:03 AM, Brian Chilton wrote:
>>
>>> all,
>>>
>>> I will apologize up front for my lack of knowledge in this subject but
>>> after 3 weekends of 8 to 12 hours searching I have officially hit the end
>>> of the road so I am reaching out to the community hoping you all might have
>>> some answers. What I'm trying to do is simple in context I just don't know
>>> the language good enough to do it here is the logic.
>>>
>>> if (http connection established and method is post)
>>> check to see have we visited this site before (compare against master
>>> list (or table))
>>> if visited this site before
>>> ------ignore connection
>>> if site is newly visited
>>> ------add site to list or table, and alert
>>>
>>> really simple in logic but for the life of me I cannot figure out how to
>>> add to a list or table after comparing to that table. Hopefully I
>>> explained this well enough, but if I didn't please let me know and I will
>>> try my best to explain it better.
>>>
>>>
>>> thanks,
>>>
>>> Brian,
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140528/aabe2098/attachment.html

From chilton.brian at yahoo.com Thu May 29 06:01:01 2014
From: chilton.brian at yahoo.com (Brian Chilton)
Date: Thu, 29 May 2014 06:01:01 -0700 (PDT)
Subject: [Bro] Tables and Strings
In-Reply-To:
References: <1401285796.44518.YahooMailNeo@web160803.mail.bf1.yahoo.com>
Message-ID: <1401368461.77188.YahooMailNeo@web160804.mail.bf1.yahoo.com>

All,

Thanks for the insight. What I am looking at doing is setting a notice log every time we POST to a website when there is no referrer. I believe trimming down to just see this type of info would be less of a load than if we looked at every post to a site we had never visited before. Would there be a large performance impact if I decided to use the input framework with this idea? It seems like that is the logical choice for this project; I'm just not sure how to edit lists within the input framework on the fly.

On Wednesday, May 28, 2014 1:35 PM, Josh Liburdi wrote:

Yep, there are quite a few attributes that can make them manageable ... lots of good information on this page: http://www.bro.org/sphinx/scripts/builtins.html

Looks like I made a mistake in the script I shared ... if you want to generate a notice when a new website is found, then the notice should go under the if statement where the value is added to the set/table websites. If you have a master list (set) of websites you'd like to manage separately from a dynamic set/table, then you can add an if statement to check if the value is or isn't in that list as well ...

const master_list: set[string] = { "google.com", "evil.com" };

{ ... }
if ( name == "HOST" )
  if ( value in master_list )
    #do something

- Josh

On Wed, May 28, 2014 at 2:28 PM, anthony kasza wrote:

> Tables also have nice key/value expire functionality that can help curb their size.
>
> -AK
>
> On May 28, 2014 11:22 AM, "Josh Liburdi" wrote:
>
>> Brian,
>>
>> Taking a guess, your difficulty might be stemming from trying to use a table type when instead you may want to use a set type. In the Bro language, a table always has an index and yield, but a set is just a list ... if you only want a list of sites users are visiting (no indexes or yields, only a list), then the set type is what you should use. Here's a simple example (hopefully the script formatting comes through correctly):
>>
>> global websites: set[string];
>>
>> event http_header(c: connection, is_orig: bool, name: string, value: string)
>> {
>> if ( name == "HOST" )
>>   if ( value !in websites )
>>     add websites[value];
>> }
>>
>> event bro_done()
>> {
>> print websites;
>> }
>>
>> Keep in mind that in production, the websites set is likely to grow enormously and could cause memory issues. For local testing with pcap, the above script will print the seen host values to stdout when Bro finishes. Alternatively, if you want a table of the originating hosts by the websites they connected to ...
>>
>> global websites: table[string] of set[addr];
>>
>> event http_header(c: connection, is_orig: bool, name: string, value: string)
>> {
>> if ( name == "HOST" )
>>   {
>>   if ( value !in websites )
>>     websites[value] = set();
>>   if ( value in websites )
>>     {
>>     add websites[value][c$id$orig_h];
>>     print "found a new website! "+ value;
>>     # ^^^ could raise notice here instead
>>     }
>>   }
>> }
>>
>> event bro_done()
>> {
>> print websites;
>> }
>>
>> Same caveat as before regarding the size of the table and running in production, but the above table contains indexes of websites with yields that are sets of the originating hosts who connected to those sites; the table is printed to stdout when Bro finishes. If you want to take this to production, you'd likely be better off writing the websites set/table to a file and re-reading it with the input framework ... I haven't had a need to explore doing that yet, so I don't have much experience there.
>>
>> - Josh
>>
>> On Wed, May 28, 2014 at 10:03 AM, Brian Chilton wrote:
>>
>>> all,
>>>
>>> I will apologize up front for my lack of knowledge in this subject but after 3 weekends of 8 to 12 hours searching I have officially hit the end of the road so I am reaching out to the community hoping you all might have some answers. What I'm trying to do is simple in context I just don't know the language good enough to do it here is the logic.
>>>
>>> if (http connection established and method is post)
>>> check to see have we visited this site before (compare against master list (or table))
>>> if visited this site before
>>> ------ignore connection
>>> if site is newly visited
>>> ------add site to list or table, and alert
>>>
>>> really simple in logic but for the life of me I cannot figure out how to add to a list or table after comparing to that table. Hopefully I explained this well enough, but if I didn't please let me know and I will try my best to explain it better.
>>>
>>> thanks,
>>>
>>> Brian,
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140529/23baeb5c/attachment.html

From mkhan04 at gmail.com Thu May 29 09:15:33 2014
From: mkhan04 at gmail.com (M K)
Date: Thu, 29 May 2014 12:15:33 -0400
Subject: [Bro] Bitwise Operations
In-Reply-To:
References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU>
Message-ID:

"Fortunately there has been work in progress for several years that should help address points 2 and 3. ;)"

I assume you're talking about the dynamic plugin capability Robin is working on -- or is it something else? Are there any details you can share?

"For the first case, it's possible to implement xor in scriptland (I attached an implementation to this email). I can't promise how well it will perform, but it's unlikely you'd be doing it constantly either."
Although you can implement all of the bitwise operators in bro language using arithmetic operators, it seems overly cumbersome to use them for operators that are implemented literally using one instruction in almost every hardware platform (that's not to say writing bro script will turn it into one instruction, it's just to say individual math operations are fast). And for my use case, which is specifically using it as part of the signature framework it's probably highly likely that it would be doing it constantly. As an example (I wanted to make sure it would actually work), I created a test signature that used eval to call a bro function I wrote that used the ^ and & operators to detect a specific sequence that's seen during the handshake/setup of a piece of C2 and ran this on a canned sample pcap. It worked and fired off a signature match event. Obviously this is more anecdotal than anything else and would require further testing to ensure that my code isn't a massive false positive generator and would actually perform well on live traffic, but it shows that such operators have some potential. At the least, if not as individual operators, it'd be beneficial to create some built-in's that can take care of this at a lower level. The caveat with what I've mentioned though is that all of this is just an idea right now that I'm still formulating the extent of and there's no actual plans for implementation anytime soon, so it's possible you guys might add some capability in the meantime to Bro that obviates the need for this. On Tue, May 27, 2014 at 1:27 PM, Seth Hall wrote: > > On May 27, 2014, at 12:01 PM, anthony kasza > wrote: > > > In my mind malware C2 communications comes in three flavors. > > - repurposed HTTP (RFC compliant) > > - modified HTTP (just enough to make it not work with Bro's HTTP > analyzer) > > - custom binary > > Nice list. I think you've nailed it with these. 
Fortunately there has > been work in progress for several years that should help address points 2 > and 3. ;) > > For the first case, it's possible to implement xor in scriptland (I > attached an implementation to this email). I can't promise how well it > will perform, but it's unlikely you'd be doing it constantly either. > > > hooking events such as tcp_contents, the bitwise operator would be very > handy but Bro's speed > > would likely be compromised. > > Yeah, I *definitely* don't recommend that. > > .Seth > > > > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140529/51a7d796/attachment.html From seth at icir.org Thu May 29 13:15:26 2014 From: seth at icir.org (Seth Hall) Date: Thu, 29 May 2014 16:15:26 -0400 Subject: [Bro] Bitwise Operations In-Reply-To: References: <20140524054218.197032C402D@rock.ICSI.Berkeley.EDU> Message-ID: <1772D94E-B6C4-4A85-A8D8-F2BB98530C90@icir.org> On May 29, 2014, at 12:15 PM, M K wrote: > I assume you're talking about the dynamic plugin capability Robin is working on -- or is it something else? Are there any details you can share? Partly that, but generally I don't think that it's a good idea for most people to be writing c/c++ code that is parsing network traffic. I was primarily referring to Binpac++, but that's still research (nod to Robin) so it's probably better to not discuss it concretely in public quite yet. ;) > it seems overly cumbersome to use them for operators that are implemented literally using one instruction in almost every hardware platform Sounds like a pre-optimization to me. (although I do agree, my script is an enormous hack). :) > so it's possible you guys might add some capability in the meantime to Bro that obviates the need for this. 
We've been talking about having a release that focuses on language issues and additions and this could definitely fit in as a part of that.

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
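Since Bro script has no bitwise operators, here is the XOR-and-mask check M K sketched earlier in this thread, written with arithmetic only, as an added example that is neither Seth's xor.bro attachment nor M K's own code. The constants are the placeholder values from his sketch; the sample bytes, function names and the signature rule shown in the comment are constructed for illustration.

```bro
# Added example, not code from the thread: M K's XOR-and-mask check in plain
# Bro 2.x script using arithmetic only, plus a hook for a signature's eval.

# XOR of two counts via arithmetic: the low bit of the result is the parity
# of the two low bits, the rest is the XOR of the remaining bits. Recursion
# rather than a loop, since Bro 2.3 script has no while statement.
function xor_count(a: count, b: count): count
	{
	if ( a == 0 )
		return b;
	if ( b == 0 )
		return a;
	return (a % 2 + b % 2) % 2 + 2 * xor_count(a / 2, b / 2);
	}

# Placeholder constants in the shape of the sketch: a 4-byte tag that XORs
# with KEY to MAGIC, then two 2-byte fields whose 16-bit sum must exceed THRESH.
const KEY: count = 0x12345678;
const MAGIC: count = 0xDEADBEEF;
const THRESH: count = 0x1234;

# Pull the three fields out of the first 8 bytes of a payload and apply the
# check. sub_bytes() counts positions from 1 (0 is accepted as an alias for
# 1), so the fields start at 1, 5 and 7 rather than at 0, 4 and 6.
function looks_like_handshake(payload: string): bool
	{
	if ( |payload| < 8 )
		return F;

	local tag = bytestring_to_count(sub_bytes(payload, 1, 4));
	local f2  = bytestring_to_count(sub_bytes(payload, 5, 2));
	local f3  = bytestring_to_count(sub_bytes(payload, 7, 2));

	local bar = xor_count(tag, KEY);
	local bah = (f2 + f3) % 0x10000;   # same as "& 0xFFFF" for a power-of-two mask

	return bar == MAGIC && bah > THRESH;
	}

# Entry point for the signature framework. A constructed rule such as
#     signature c2_handshake {
#         ip-proto == tcp
#         payload /^\xcc\x99\xe8\x97/
#         eval sig_handshake
#         event "handshake pattern matched"
#     }
# only fires after this function also returns T, so the cheap regex narrows
# the candidates and the arithmetic runs only on the few that match.
function sig_handshake(state: signature_state, data: string): bool
	{
	return state$is_orig && looks_like_handshake(data);
	}

# Self-check on constructed bytes: 0xcc99e897 XOR KEY gives MAGIC, and the
# fields 0x1000 + 0x0300 sum to 0x1300, which is above THRESH.
event bro_init()
	{
	local sample = "\xcc\x99\xe8\x97\x10\x00\x03\x00";
	print fmt("xor_count(5, 3) = %d", xor_count(5, 3));
	print fmt("looks_like_handshake(sample) = %s", looks_like_handshake(sample));
	}
```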
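One way to put the pieces of the Tables and Strings thread above together, as an added example that is neither Josh's script nor anything shipped with Bro: a notice for the first POST to a host that carries no Referer header (what Brian asks for), a set with the expiry attribute AK mentions so it cannot grow without bound, and a master list read through the input framework in REREAD mode so the file can be edited while Bro runs. The module, notice name, function names and the allow-list path are my own choices; the events, attributes and Input calls are Bro 2.x as documented.

```bro
# Added example, not code from the thread: alert on the first POST to a host
# when the request has no Referer header. Assumes the Bro 2.x base scripts.
module PostWatch;

export {
	redef enum Notice::Type += {
		## First POST seen to this host, and the request had no Referer header.
		Post_No_Referrer,
	};

	## Allow list of hosts that never raise the notice: one host per line under
	## a "#fields<TAB>host" header line. Placeholder path, set it for your site.
	const allow_list_file = "/usr/local/bro/share/bro/site/post_allow.txt" &redef;
}

# Index type the input framework maps each line of the allow list onto.
type Idx: record {
	host: string;
};

# Hosts already reported. &create_expire drops an entry a day after it was
# added, so the set cannot grow without bound on a busy sensor.
global seen_hosts: set[string] &create_expire=1day;

# Hosts from the file. REREAD mode makes the input framework reload the file
# whenever it changes, so the list can be edited while Bro is running.
global allow_list: set[string];

event bro_init()
	{
	Input::add_table([$source=allow_list_file, $name="post_allow_list",
	                  $idx=Idx, $destination=allow_list,
	                  $mode=Input::REREAD]);
	}

# The decision itself, kept free of connection state so it is easy to reason
# about: only a POST, only without a Referer, only for hosts neither on the
# allow list nor already reported. Records the host as a side effect.
function is_first_unreferred_post(method: string, host: string, has_referrer: bool): bool
	{
	if ( method != "POST" || has_referrer )
		return F;

	if ( host in allow_list || host in seen_hosts )
		return F;

	add seen_hosts[host];
	return T;
	}

# For the originator side, http_message_done fires once the whole request has
# been parsed, by which point the base HTTP script has filled in c$http$method,
# c$http$host and (when present) c$http$referrer from the Host/Referer headers.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( ! is_orig || ! c?$http || ! c$http?$method || ! c$http?$host )
		return;

	if ( is_first_unreferred_post(c$http$method, c$http$host, c$http?$referrer) )
		NOTICE([$note=Post_No_Referrer,
		        $msg=fmt("first POST to %s without a Referer header", c$http$host),
		        $conn=c,
		        $identifier=c$http$host]);
	}
```

On a Bro cluster each worker keeps its own copy of seen_hosts, so the same host can be reported once per worker unless that state is shared (Bro 2.x offered the &synchronized attribute for that).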