[Bro] Bro Digest, Vol 116, Issue 12

Sangeen Khan sangeenjan at gmail.com
Tue Dec 8 04:31:03 PST 2015


Dear Sir,

I am trying to study and analyze the logs that are generated against the
attack. As there is a DoS attack, hping3, I am trying to study the logs that
are generated against this attack.
The Bro server is deployed in our network and I am attacking from the same
network on the same network node.
The particular Kali Linux command is the following:

hping3 -S -a 172.20.16.105 --flood -p 80 172.20.16.74

Where can I find the logs that would be generated against this attack?

On Sun, Dec 6, 2015 at 1:00 AM, <bro-request at bro.org> wrote:

> Today's Topics:
>
>    1. Uodate:  OpenSSL security issue affecting Bro (Johanna Amann)
>    2. Re: Plugin regex issue (Robin Sommer)
>    3. Re: Uodate:  OpenSSL security issue affecting Bro (Daniel Guerra)
>    4. Re: Plugin regex issue (Josh Liburdi)
>    5. Re: Plugin regex issue (Josh Liburdi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Dec 2015 15:51:03 -0800
> From: Johanna Amann <johanna at icir.org>
> Subject: [Bro] Uodate:  OpenSSL security issue affecting Bro
> To: bro at bro.org
> Message-ID: <20151204235103.GA95375 at wifi74.sys.ICSI.Berkeley.EDU>
> Content-Type: text/plain; charset=us-ascii
>
> Hello,
>
> we just posted an updated blog post describing the problem to
> http://blog.bro.org/2015/12/openssl-security-issue-affecting-bro.html.
>
> Please note, that different from the original descriptions, default
> installations of Bro that use broctl are vulnerable; a quick fix is to not
> load protocols/ssl/validate-certs.bro in local.bro.
>
> The blog post also contains instructions on how to test if your local
> openssl installation is vulnerable.
>
> Johanna
>
> On Thu, Dec 03, 2015 at 12:01:28PM -0800, Johanna Amann wrote:
> > Hello,
> >
> > The OpenSSL Project today published a security advisory, that affects
> > users of Bro that are using the X.509 certificate validation
> functionality
> > of Bro. Note that this functionality is not enabled by default -
> typically
> > it is enabled by either loading the policy script
> > protocols/ssl/validate-certs.bro or protocols/ssl/validate-ocsp.bro.
> >
> > The OpenSSL bug can cause a null-pointer exception when parsing certain
> > malformed X.509 certificates and can potentially be used for DOS attacks.
> >
> > The issue affects OpenSSL 1.0.1 and 1.0.2 and was fixed in OpenSSL 1.0.1q
> > and 1.0.2e respectively. If you use Bro and perform certificate
> > validation, you should update as soon as possible.
> >
> > The original OpenSSL security advisory is available at
> > https://www.openssl.org/news/secadv/20151203.txt. It also contains a few
> > other issues that are not directly applicable to Bro.
> >
> > Johanna
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Dec 2015 17:51:00 -0800
> From: Robin Sommer <robin at icir.org>
> Subject: Re: [Bro] Plugin regex issue
> To: Josh Liburdi <liburdi.joshua at gmail.com>
> Cc: bro at bro.org
> Message-ID: <20151205015100.GF15001 at icir.org>
> Content-Type: text/plain; charset=us-ascii
>
>
>
> On Tue, Dec 01, 2015 at 15:38 -0500, Josh Liburdi wrote:
>
> > In the record above, when used as a plugin, the magic_cookie is
> > skipped. When compiled, it works as expected.
>
> Turns out it's a problem with the order in which the BinPAC system is
> initialized. I just pushed a fix for Bro to git, that seems to solve
> it. Give it a try.
>
> Robin
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 5 Dec 2015 15:32:00 +0100
> From: Daniel Guerra <daniel.guerra69 at gmail.com>
> Subject: Re: [Bro] Uodate:  OpenSSL security issue affecting Bro
> To: Johanna Amann <johanna at icir.org>
> Cc: bro at bro.org
> Message-ID: <3249B5A3-5514-4D16-A074-BD18D07270D9 at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Johanna,
>
> My latest docker project has been fixed for this. I tried your test before
> and after the update and can confirm it works on Debian.
>
> Thanx
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 5 Dec 2015 10:52:00 -0500
> From: Josh Liburdi <liburdi.joshua at gmail.com>
> Subject: Re: [Bro] Plugin regex issue
> To: Robin Sommer <robin at icir.org>
> Cc: bro at bro.org
> Message-ID: <379F31EE-E721-401C-BCF3-802433B07350 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Thanks Robin, it looks like it fixed the issue I was having with this
> analyzer. I have another analyzer that primarily uses regex for the
> protocol parsing, so I'll try that later and verify it works as well.
>
> Will the fix you pushed to git be available in the Bro 2.5 release, or
> will it be packaged and available sooner than that?
>
> Thanks!
> Josh
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Sat, 5 Dec 2015 10:59:42 -0500
> From: Josh Liburdi <liburdi.joshua at gmail.com>
> Subject: Re: [Bro] Plugin regex issue
> To: Robin Sommer <robin at icir.org>
> Cc: bro at bro.org
> Message-ID: <53D99B6A-1496-4FF6-8A3A-006E42E72131 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Well, later turned out to come a lot sooner than I thought. I tested it
> with my second analyzer plugin and all is well. Thanks again!
>
> Josh
>
>
>
>
>
> ------------------------------
>
>
> End of Bro Digest, Vol 116, Issue 12
> ************************************
>
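The advisory quoted in this digest gives two conditions for exposure: a validation policy script is loaded from local.bro, and OpenSSL is older than 1.0.1q or 1.0.2e. The following Python check for both is an added example, not code from Bro, the blog post or anyone on the list. The function names and sample inputs are hypothetical, and it assumes the `openssl version` output describes the library Bro is linked against.

```python
import re

# Policy scripts the advisory names as enabling X.509 validation in Bro.
VALIDATION_SCRIPTS = ("protocols/ssl/validate-certs", "protocols/ssl/validate-ocsp")
# First fixed release per branch, as stated in the advisory text above.
FIXED_LETTER = {"1.0.1": "q", "1.0.2": "e"}


def active_validation_loads(local_bro_text):
    """Return the validation scripts loaded by uncommented @load lines."""
    found = []
    for line in local_bro_text.splitlines():
        code = line.split("#", 1)[0].strip()  # drop Bro comments
        m = re.match(r"@load\s+(\S+)", code)
        if not m:
            continue
        target = re.sub(r"\.bro$", "", m.group(1))  # @load works with or without .bro
        if target in VALIDATION_SCRIPTS and target not in found:
            found.append(target)
    return found


def openssl_affected(version_output):
    """Classify `openssl version` output by version string only."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", version_output)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_output)
    branch, letter = m.groups()
    fixed = FIXED_LETTER.get(branch)
    # Branches the advisory does not list are reported as not affected.
    return fixed is not None and letter < fixed


def exposed(local_bro_text, version_output):
    """True when validation is loaded AND OpenSSL predates the fixed release."""
    return bool(active_validation_loads(local_bro_text)) and openssl_affected(version_output)


# Constructed sample inputs (not taken from a real sensor).
SAMPLE_LOCAL_BRO = """\
@load misc/scan
# @load protocols/ssl/validate-ocsp
@load protocols/ssl/validate-certs   # loaded, per the advisory's quick-fix note
"""
SAMPLE_PATCHED_LOCAL_BRO = SAMPLE_LOCAL_BRO.replace(
    "@load protocols/ssl/validate-certs", "# @load protocols/ssl/validate-certs")

if __name__ == "__main__":
    for ver in ("OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.2e 3 Dec 2015"):
        print(ver, "->", exposed(SAMPLE_LOCAL_BRO, ver))
```

A version string cannot show a fix that a distribution backported without changing the release letter, so the test described in the blog post remains the direct check.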