[Bro] SMB2 module

Danilo Nicolò dani.nicolo at gmail.com
Mon Mar 23 03:07:15 PDT 2015


Hi Seth,

Sorry, I have to correct my latest reply: with the environment variable
BRO_DNS_FAKE set, Bro seems to work now.
I've also tried disabling the affected scripts, and Bro works that way too.

I'm a little confused about the different behavior: if I set BRO_DNS_FAKE=1,
will the DNS logs be altered significantly?

Thank you so much.

Best regards,

Danilo

2015-03-21 0:35 GMT+01:00 Danilo Nicolò <dani.nicolo at gmail.com>:

> Hi,
>
>
> 2015-03-20 20:27 GMT+01:00 Seth Hall <seth at icir.org>:
>
>>
>> > On Mar 20, 2015, at 3:08 PM, Vlad Grigorescu <vlad at grigorescu.org>
>> wrote:
>> >
>> > Of course, the "better" solution would be to fix the system so that it
>> can do reverse DNS lookups (and TXT queries for detect-MHR) :-)
>>
>
> At line 35 of the
> /usr/local/bro/share/bro/policy/protocols/ssh/interesting-hostnames.bro
> script there's the function call
>
>         lookup_addr(host)
>
> that invokes a DNS lookup, so I definitely think the problem is in this
> function.
>
>
>> Another option here is to force Bro into a mode where it fakes DNS
>> responses internally.  Unfortunately there isn’t a switch to enable this in
>> scripts, but you can change the behavior with an environment variable:
>>
>> BRO_DNS_FAKE=1 bro -r somepackets.pcap
>>
>
> I've tried running bro with BRO_DNS_FAKE=1 in the environment, but
> unfortunately it didn't work.
> I received a SIGSEGV signal; below you can see the gdb log:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000060a5d9 in SerializationFormat::WriteData (this=0x7ffff001b780,
> b=b@entry=0x7fffff7ff03c, count=count@entry=2)
>     at /home/danko/bro_smb/bro/src/SerializationFormat.cc:87
> 87 memcpy(output + output_pos, b, count);
> (gdb) p output
> $1 = 0x7fff51d14010 "\001"
>
> As Vlad suggested to me, I'm going to disable these scripts and I'll
> let you know asap.
>
> Thank you so much.
>
> Regards,
> Danilo
>
>