[Bro] Realtime File Extracting problem

josh summitt ascetik at gmail.com
Tue Sep 15 06:49:15 PDT 2015


YES! This seems to fix my issue. I had partially turned off offloading with
ethtool -K p1p2 tx off rx off, but I didn't have the other options turned
off as discussed in that blog post... These options below fixed my issue:

ethtool -K p1p2 rx off
ethtool -K p1p2 tx off
ethtool -K p1p2 sg off
ethtool -K p1p2 tso off
ethtool -K p1p2 ufo off
ethtool -K p1p2 gso off
ethtool -K p1p2 gro off
ethtool -K p1p2 lro off

Thanks Doug!!!

Thanks
Josh

On Tue, Sep 15, 2015 at 6:29 AM, Doug Burks <doug.burks at gmail.com> wrote:

> Hi Josh,
>
> Have you verified that all NIC offloading functions are disabled?
>
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>
> On Tue, Sep 15, 2015 at 2:27 AM, josh summitt <ascetik at gmail.com> wrote:
> > Hey, I'm new to Bro but have been attempting to use the file extraction
> > features. I can generally get it to work, but a lot of the time it's just
> > wrong when I attempt it in real time.
> >
> > For instance, I'm downloading putty.exe and trying to extract it off the
> > wire. I get the below response when downloading it 5 times. It only
> > successfully extracted and hashed it once:
> > file_hash, FZKBS62fkHvKf36GTd, sha1,
> > 91b21fffe934d856c43e35a388c78fccce7471ea
> >
> > The other times it completely misses it. If I attempt from a pcap file on
> > the same machine it grabs it every time. Is there a threshold or something I
> > need to set in Bro for real-time captures?
> >
> > /tmp$ sudo /usr/local/bro/bin/bro -i eth0 -C
> >
> > listening on eth0, capture length 8192 bytes
> >
> >
> > new file, FB4np7nWhWIo8sOg5
> >
> > file_hash, FB4np7nWhWIo8sOg5, sha1,
> > 7788b3ba9a36112e0d429ecd358420d21ace7e68
> >
> > new file, FxPYHc1et6sMSMY2jf   <----- missed the file
> >
> > new file, FsONwVnUBjs2Fq0i5
> >
> > file_hash, FsONwVnUBjs2Fq0i5, sha1,
> > 7788b3ba9a36112e0d429ecd358420d21ace7e68
> >
> > new file, FZKBS62fkHvKf36GTd <----- Yes it got the file
> >
> > file_hash, FZKBS62fkHvKf36GTd, sha1,
> > 91b21fffe934d856c43e35a388c78fccce7471ea
> >
> > new file, Fp04jH3KL23Zx75OVf
> >
> > file_hash, Fp04jH3KL23Zx75OVf, sha1,
> > 7788b3ba9a36112e0d429ecd358420d21ace7e68
> >
> > new file, FK2LoX14jpBSyfpy67 <----- missed the file
> >
> > new file, FnJ7Mg1ymupibnvSW1
> >
> > file_hash, FnJ7Mg1ymupibnvSW1, sha1,
> > 7788b3ba9a36112e0d429ecd358420d21ace7e68
> >
> > new file, FXriBu1tLEBhRVWTG3 <----- missed the file
> >
> > new file, FwByiJ30INM9Mk6DO9
> >
> > file_hash, FwByiJ30INM9Mk6DO9, sha1,
> > 7788b3ba9a36112e0d429ecd358420d21ace7e68
> >
> > new file, Fn5DEA1WWvsykOA2Lh  <----- missed the file
> >
> > ^C1442296477.139167 received termination signal
> >
> > 1442296477.139167 2260 packets received on interface eth0, 0 dropped
> >
> > Thanks
> > Josh
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Doug Burks
> Need Security Onion Training or Commercial Support?
> http://securityonionsolutions.com
>
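Doug's question is the check worth making before trusting any real-time capture: with segmentation or receive offloads such as TSO, GSO and GRO still enabled, the NIC hands the capture stack coalesced segments that never existed on the wire, so Bro sees different packet boundaries live than it does from a pcap, and file reassembly can silently miss files. As an added example that is not part of this thread, the POSIX shell helper below parses the long-form output of ethtool -k (a constructed sample is embedded so it runs offline), reports which of the eight offloads from Josh's list are still on, and emits only the ethtool -K ... off commands still needed. The interface name p1p2 and the feature set are taken from the thread; the helper names are my own.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k p1p2` output; not captured from a real host.
# Indented lines are sub-features and are ignored; "[fixed]" means the driver
# cannot change that setting.
SAMPLE_ETHTOOL_K='Features for p1p2:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: on
	tx-checksum-ip-generic: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on'

# Map the long names printed by `ethtool -k` to the short names accepted by
# `ethtool -K`. Only the eight offloads disabled in the thread are tracked.
feature_short_name() {
    case "$1" in
        rx-checksumming)              echo rx  ;;
        tx-checksumming)              echo tx  ;;
        scatter-gather)               echo sg  ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        *) return 1 ;;
    esac
}

# Read `ethtool -k` output on stdin and print, one per line, the short names
# of tracked offloads that are still reported "on". Top-level lines only.
offloads_still_on() {
    while IFS= read -r line; do
        case "$line" in
            [a-zA-Z]*) ;;        # top-level feature line
            *) continue ;;       # indented sub-feature, blank, or header noise
        esac
        name=${line%%:*}
        rest=${line#*:}
        set -- $rest             # first word after the colon is on/off
        state=$1
        short=$(feature_short_name "$name") || continue
        if [ "$state" = "on" ]; then
            echo "$short"
        fi
    done
}

# Turn a list of short feature names (stdin) into the commands to run.
disable_commands() {
    iface=$1
    while IFS= read -r feat; do
        echo "ethtool -K $iface $feat off"
    done
}

# Stand-alone run over the constructed sample. On a live sensor you would
# pipe real output instead:  ethtool -k p1p2 | offloads_still_on | disable_commands p1p2
printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_still_on | disable_commands p1p2
```

Run the generated commands as root, then re-run the check; anything still reported on and marked [fixed] cannot be changed on that driver, which is worth knowing before you start blaming Bro for missed files.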