From trazom.informatique at free.fr  Sun May  1 07:31:38 2016
From: trazom.informatique at free.fr (Thierry Boibary)
Date: Sun, 1 May 2016 16:31:38 +0200
Subject: [Bro] automation
Message-ID: <5726134A.2090404@free.fr>

Hi,

is it possible in BRO to execute commands automatically when an alert is
detected?

Thanks
T.

From anthony.kasza at gmail.com  Sun May  1 10:27:29 2016
From: anthony.kasza at gmail.com (anthony kasza)
Date: Sun, 1 May 2016 10:27:29 -0700
Subject: [Bro] automation
In-Reply-To: <5726134A.2090404@free.fr>
References: <5726134A.2090404@free.fr>
Message-ID: 

Bro has the ability to execute system commands when something occurs. This
something does not have to be an alert. It can be pretty much any event
occurring on the network Bro is monitoring.

For clarification, Bro does not have alerts the same way a traditional IDS
might. Instead, Bro has something similar called notifications.

-AK

On May 1, 2016 7:37 AM, "Thierry Boibary" wrote:

> Hi,
>
> is it possible in BRO to execute commands automatically when an alert is
> detected?
>
> Thanks
> T.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From wayward710 at gmail.com  Sun May  1 15:47:38 2016
From: wayward710 at gmail.com (Wendy Edwards)
Date: Sun, 1 May 2016 17:47:38 -0500
Subject: [Bro] Bro syntax highlighting with PrismJS
Message-ID: 

I put some demo pages showing Bro syntax highlighting using PrismJS at
http://open-nsm.github.io/prism-bro/

The source code is available at https://github.com/open-nsm/prism-bro .

PrismJS has also been included in the Google Polymer project. However, for
those who only want Bro syntax highlighting, the approach in the demo is
simple and easy to adapt. Just include the JS file and the CSS file for the
style you want to use, and it's a matter of copy pasting your code between
the tags.

It's possible to include line numbers or line highlighting with any of the
styles.  They do appear to be mutually exclusive -- you can have one but
not both.

Wendy

From wayward710 at gmail.com  Mon May  2 09:42:17 2016
From: wayward710 at gmail.com (Wendy Edwards)
Date: Mon, 2 May 2016 11:42:17 -0500
Subject: [Bro] Bro Ace Editor demos
Message-ID: 

There are some online demos of the online Ace Editor with Bro syntax
highlighting up at
http://open-nsm.github.io/ace-bro/

There are a number of supported themes, and six of them are shown.  The
Github repo with the source code is at
https://github.com/open-nsm/ace-bro

I submitted a PR with the Bro code support to the Ace Editor project
(upstream) a few weeks ago and there's been no response so far.  However,
the code in this project should work and be fairly easy to copy/adapt.

At this point, the Ace Editor doesn't pick up as much as the Prism syntax
highlighter, but it does support editing.  (The Prism highlighter is
intended to make it easy to embed syntax-highlighted code in web pages.)

Wendy

From bro at pingtrip.com  Tue May  3 11:08:25 2016
From: bro at pingtrip.com (Dave Crawford)
Date: Tue, 3 May 2016 14:08:25 -0400
Subject: [Bro] Crash Reports
Message-ID: <2870ACF8-2143-4576-9F2D-9C3E091A3F9D@pingtrip.com>

Can someone point me at documentation, or have tips to help debug sporadic crashes we recently started experiencing?


/opt/bro/share/broctl/scripts/run-bro: line 100: 15362 Segmentation fault      nohup ${pin_command} $pin_cpu "$mybro" "$@"


-Dave

From jazoff at illinois.edu  Tue May  3 11:32:01 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 3 May 2016 18:32:01 +0000
Subject: [Bro] Crash Reports
In-Reply-To: <2870ACF8-2143-4576-9F2D-9C3E091A3F9D@pingtrip.com>
References: <2870ACF8-2143-4576-9F2D-9C3E091A3F9D@pingtrip.com>
Message-ID: <8DA7DB81-E4BA-4014-9864-23C3680EE0D6@illinois.edu>

> On May 3, 2016, at 2:08 PM, Dave Crawford  wrote:
> 
> Can someone point me at documentation, or have tips to help debug sporadic crashes we recently started experiencing?
> 
> 
> /opt/bro/share/broctl/scripts/run-bro: line 100: 15362 Segmentation fault      nohup ${pin_command} $pin_cpu "$mybro" "$@"
> 

Take a look at

https://www.bro.org/support/reporting-problems.html

-- 
- Justin Azoff




From martin.liras at gmail.com  Thu May  5 03:54:33 2016
From: martin.liras at gmail.com (Luis Martin)
Date: Thu, 5 May 2016 12:54:33 +0200
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
Message-ID: 

Hi all,

I've written an entry in my personal blog explaining how I managed to
develop an analyzer as a plugin.

http://lirasenlared.blogspot.com.es/2016/04/developing-bro-analyzer-as-plugin.html


Any comments will be welcome. I hope it is of some help to somebody.

Enjoy!

From mostafaammar at aast.edu  Thu May  5 07:42:32 2016
From: mostafaammar at aast.edu (Mostafa Abdallah. Ammar)
Date: Thu, 5 May 2016 14:42:32 +0000
Subject: [Bro] bro ids icmp and attack signatures
Message-ID: <1F0304BD6B9F5B479AD8B86008ABF0DE40A545DA@KEERMBX01.Egypt.AAST.edu>

Dear All,

I am new to bro ids. I installed bro ids successfully and added a network tap to it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see the certificate info in ssl.log and x509.log.

my question is :

I want when I ping i see a notification for this ping (I tried and could not find)

can I use signatures like snort with bro that generate logs when receiving an attack and generate log with signature ID

Please provide reply with some details as I am new to bro.


Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674

From seth at icir.org  Thu May  5 08:16:33 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 5 May 2016 11:16:33 -0400
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
In-Reply-To: 
References: 
Message-ID: <31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>

> On May 5, 2016, at 6:54 AM, Luis Martin  wrote:
> 
> I've written an entry in my personal blog explaining how I managed to develop an analyzer as a plugin.

Hi Luis!

Thanks for writing up your experiences.  It's difficult for us sometimes to see how some of this could be confusing because there are so many technologies and mechanisms that need to be learned in order to write analyzers and other plugins.  People writing about their experiences like you did can be massively helpful for us to make sure that we're on a path to making these things easier and more straightforward, and also very helpful for other people learning how to do this.

Thanks!
  .Seth 

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



From seth at icir.org  Thu May  5 08:21:55 2016
From: seth at icir.org (Seth Hall)
Date: Thu, 5 May 2016 11:21:55 -0400
Subject: [Bro] Global array in context?
In-Reply-To: 
References: 
	
Message-ID: <3C14C079-CEF0-42DC-A212-A6833DA47C06@icir.org>


> On Apr 29, 2016, at 10:21 AM, Luis Martin  wrote:
> 
> refine connection UmasTCP_Conn += {
>         %member{
>                 int previous_fcs[256];
>         %}
> };

Sorry for not responding previously but I'm glad to hear that you figured out how to get it working!  

I do have one design question though (and there is no right answer), are you just taking these function codes and passing them directly into events to be given into script-land?  Typically the only case where I collect state in the core like you're doing is when I need that information to continue parsing messages which I believe is probably the case you are in, but you didn't give enough snippets of code to show if that's true.

If you lean toward only collecting state in the analyzer when absolutely necessary and otherwise collecting all state in scripts, it frequently makes pushing things forward more flexible because it's typically much easier and faster to collect and expunge state in scripts than it is in the core.

Congratulations on working out your own problem, I know it can be really painful sometimes. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
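The script-side alternative Seth describes, as an added example (this is not Luis's plugin code, and since his UMAS events are not shown here it uses the stock Modbus analyzer's `modbus_message` event instead): the "function codes seen so far" state lives in a script-land table that Bro expires on its own, nothing is accumulated inside the analyzer. The module name, the 10 minute expiry and the decision to raise a notice on a newly seen code are assumptions made for the example.

```bro
##! Added example: keep per-connection protocol state in script-land
##! rather than in the analyzer core.

@load base/protocols/modbus
@load base/frameworks/notice

module ModbusState;

export {
    redef enum Notice::Type += {
        ## A function code appeared on a connection that had not used it before.
        New_Function_Code,
    };

    ## Function codes seen per connection. Bro expunges an entry by itself
    ## 10 minutes after it was created (interval is an assumption); the
    ## analyzer never has to know this state exists.
    global seen: table[conn_id] of set[count] &create_expire=10min;

    ## Function codes recorded so far for a connection, for other scripts.
    global codes_for: function(id: conn_id): set[count];
}

function codes_for(id: conn_id): set[count]
    {
    local empty: set[count];
    if ( id in seen )
        return seen[id];
    return empty;
    }

# Only requests carry the code of interest; the response echoes it back.
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=-5
    {
    if ( ! is_orig )
        return;

    local fc = headers$function_code;

    if ( c$id !in seen )
        seen[c$id] = set();

    if ( fc in seen[c$id] )
        return;

    add seen[c$id][fc];

    # The first code on a connection is expected; every later one that has
    # not been used on this connection before gets a notice. Raising a notice
    # here is an analyst's choice for the example, not a rule from the thread.
    if ( |seen[c$id]| > 1 )
        NOTICE([$note=New_Function_Code,
                $conn=c,
                $msg=fmt("Modbus function code %d first seen on this connection", fc),
                $identifier=cat(c$id$orig_h, c$id$resp_h, fc)]);
    }

# Drop the state as soon as Bro tears the connection down instead of
# waiting for the expiry timer.
event connection_state_remove(c: connection)
    {
    delete seen[c$id];
    }
```

Because the table is keyed by `conn_id` and carries `&create_expire`, memory is bounded without any code in the analyzer, and changing what is tracked (per host instead of per connection, a different expiry) is a one-line script edit rather than a rebuild of the plugin.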



From slagell at illinois.edu  Thu May  5 08:31:31 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Thu, 5 May 2016 15:31:31 +0000
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
In-Reply-To: <31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>
References: 
	<31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>
Message-ID: <66B723EA-48C3-4750-A8BE-676C6CCED4FF@illinois.edu>


> On May 5, 2016, at 10:16 AM, Seth Hall  wrote:
> 
>> On May 5, 2016, at 6:54 AM, Luis Martin  wrote:
>> 
>> I've written an entry in my personal blog explaining how I managed to develop an analyzer as a plugin.
> 
> Hi Luis!
> 
> Thanks for writing up your experiences.  It's difficult for us sometimes to see how some of this could be confusing because there are so many technologies and mechanisms that need to be learned in order to write analyzers and other plugins.  People writing about their experiences like you did can be massively helpful for us to make sure that we're on a path to making these things easier and more straight forward and also very helpful for other people learning how to do this.

Yes, thank you. 

I'd like to also look over your post and see if there are specific ways we can improve our manual. In which case, would you mind us incorporating some of what you've written into the manual if it makes sense?

:Adam


From bkellogg at dresser-rand.com  Thu May  5 08:34:30 2016
From: bkellogg at dresser-rand.com (Kellogg, Brian D (OLN))
Date: Thu, 5 May 2016 15:34:30 +0000
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
In-Reply-To: <31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>
References: 
	<31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>
Message-ID: 

Thanks Luis for this!

OpenNSM has a couple good videos on Youtube for this as well.
https://www.youtube.com/watch?v=eZAgqSFd9-c 

Where I get lost is for protocols with more complex fields and sub fields
when trying to chain them together in the pac file definitions.  It's been a
while so I can't remember specifically where I got stuck.  Haven't had time
to dig into it again but it was fun to work with the little I have worked
with it so far.


From josh.guild at morphick.com  Thu May  5 10:13:19 2016
From: josh.guild at morphick.com (Josh Guild)
Date: Thu, 5 May 2016 13:13:19 -0400
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
In-Reply-To: 
References: 
	<31678DB4-79CB-4A76-85FA-4B844DB9744A@icir.org>
	
Message-ID: 

Thanks for the write up!

On Thu, May 5, 2016 at 11:34 AM, Kellogg, Brian D (OLN) <
bkellogg at dresser-rand.com> wrote:

> Thanks Luis for this!
>
> OpenNSM has a couple good videos on Youtube for this as well.
> https://www.youtube.com/watch?v=eZAgqSFd9-c
>
> Where I get lost is for protocols with more complex fields and sub fields
> when trying to chain them together in the pac file definitions.  It's been
> a
> while so I can't remember specifically where I got stuck.  Haven't had time
> to dig into it again but it was fun to work with the little I have worked
> with it so far.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Josh Guild
Network Intelligence Analyst
 

From liburdi.joshua at gmail.com  Thu May  5 10:47:07 2016
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Thu, 5 May 2016 13:47:07 -0400
Subject: [Bro] Developing a Bro protocol analyzer as a plugin
In-Reply-To: 
References: 
Message-ID: 

If it helps anyone get started faster, I added some code to Vlad's BinPAC
quickstart script to automate the setup for these kinds of plugins. You can
find his script here: https://github.com/grigorescu/binpac_quickstart

On Thu, May 5, 2016 at 6:54 AM, Luis Martin  wrote:

> Hi all,
>
> I've written an entry in my personal blog explaining how I managed to
> develop an analyzer as a plugin.
>
>
> http://lirasenlared.blogspot.com.es/2016/04/developing-bro-analyzer-as-plugin.html
>
>
> Any comments will be welcome. I hope it to be of some help to anybody.
>
> Enjoy!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From sven at dreyer-net.de  Fri May  6 00:44:06 2016
From: sven at dreyer-net.de (Sven Dreyer)
Date: Fri, 6 May 2016 09:44:06 +0200
Subject: [Bro] Using workers without SSH possible?
In-Reply-To: <20160428151359.GA65121@icir.org>
References: <5720AA4D.8020901@dreyer-net.de>
	
	<5722136E.6090705@dreyer-net.de> <20160428151359.GA65121@icir.org>
Message-ID: <572C4B46.4060609@dreyer-net.de>

Thanks for the detailed information, Robin. We are unable to send the 
traffic of each subnet to a central bro instance because the 
interconnection speed is about 500 kBit/s, while the subnets have 100 
MBit/s or Gigabit Ethernet.

I am aware that rsync over SSH is already used. I was just searching for 
a "non-persistent" connection between the workers and the central 
manager/proxy because of frequent outages of the interconnection lines.

Thanks!
Sven


Am 28.04.2016 um 17:13 schrieb Robin Sommer:
> Actually BroControl is already using rsync over SSH, but it needs SSH
> for other stuff as well, as it runs commands on the worker nodes. The
> rsync is used for transferring the Bro setup over to the workers. The
> logs on the other hand are sent back via Bro's internal communication,
> neither SSH nor rsync involved there.
>
> Changing any of this remains tricky currently. However, we are planning
> to switch to a different deployment model eventually where each node
> maintains its Bro setup itself (so no rsync necessary anymore) and
> also keeps a persistent broctld running for inter-node communication
> (so no SSH executing commands anymore).
>
> With regards of other approaches to monitor subnets, some folks run a
> single-machine Bro cluster with multiple interfaces and then send each
> subnet's traffic to one interface. That can work pretty well in
> practice, but might not apply to your situation.
>
> Robin
>
> On Thu, Apr 28, 2016 at 15:43 +0200, Sven Dreyer wrote:
>
>> Glenn,
>>
>> Am 27.04.2016 um 14:57 schrieb Glenn Forbes Fleming Larratt:
>>> Doesn't rsync default to using ssh as its transport? Also, I'm not sure
>>> how using rsync vs. ssh improves things in the face of slow and
>>> unreliable networking between nodes; can you elaborate?
>>
>> I thought of locally collecting bro logs and have a cron job
>> transferring the log file(s) in regular intervals. If the network is
>> down for 5 minutes, no problem, the log files will be transferred the
>> next time the cronjob runs.
>>
>> if you use "rsync -e ssh", rsync uses SSH as transport, that's correct.
>> But rsync has a standalone daemon mode and does not need SSH to be used.
>>
>> Thanks,
>> Sven
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>


From sven at dreyer-net.de  Fri May  6 00:44:13 2016
From: sven at dreyer-net.de (Sven Dreyer)
Date: Fri, 6 May 2016 09:44:13 +0200
Subject: [Bro] Problem with connections in S1 and SF state
In-Reply-To: <24995e7e-ce04-b2b3-91e0-978175e8c840@gmail.com>
References: <564B9060.1080304@dreyer-net.de> <5720A537.1010203@dreyer-net.de>
	<5720D162.6020408@gmail.com> <572214B4.1020906@dreyer-net.de>
	<24995e7e-ce04-b2b3-91e0-978175e8c840@gmail.com>
Message-ID: <572C4B4D.4040802@dreyer-net.de>

Hi Jan,

that sounds very promising! Could you please tell me what setup you 
used? (OS/Distribution, bro version, command to playback the pcap file?)

Thanks!
Sven


Am 29.04.2016 um 00:28 schrieb Jan Grashöfer:
> Hi Sven,
>
>> I also repeated playback several times with different speeds, the result
>> is reproducible.
>
> I ran Bro on your pcap and replayed it into my test environment. I could
> not reproduce the receiver/originator issue you described.
>
> Best regards,
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>


From pasqualino.paladino at gmail.com  Fri May  6 03:16:34 2016
From: pasqualino.paladino at gmail.com (Pasqualino Paladino)
Date: Fri, 6 May 2016 12:16:34 +0200
Subject: [Bro] High cpu when calling lookup_hostname
Message-ID: 

Hello everybody,

I'm using Bro 2.4.1 stable and I developed a script in order to add some
information to http.log.

This code snippet attempts to lookup each external hostname that is being
contacted by an internal IP.

    if ( c?$http && c$http?$host && c$http$host != "" )
        {
        when ( local h = lookup_hostname(c$http$host) )
            {
            if ( |h| > 0 && (0.0.0.0 !in h) )
                {
                c$http$host_ip = h;
                Log::write(HTTP::LOG, c$http);
                }
            return;
            }
        timeout 2 sec
            {
            return;
            }
        }

My problem is that the cores that have been assigned to Bro are using
100% of the CPU and I guess the problem is caused by the *when* call.

I have tried to install an internal DNS cache (Bind9) in order to increase
the performance, but, with 300 mb/s of throughput and a timeout of 2 sec,
it doesn't work.

By disabling the script Bro has the expected behavior (around 50%-60% of
CPU usage).

Is anyone able to help me?

Thanks in advance,

Pasquale

From jan.grashoefer at gmail.com  Fri May  6 03:25:19 2016
From: jan.grashoefer at gmail.com (=?UTF-8?Q?Jan_Grash=c3=b6fer?=)
Date: Fri, 6 May 2016 12:25:19 +0200
Subject: [Bro] Problem with connections in S1 and SF state
In-Reply-To: <572C4B4D.4040802@dreyer-net.de>
References: <564B9060.1080304@dreyer-net.de> <5720A537.1010203@dreyer-net.de>
	<5720D162.6020408@gmail.com> <572214B4.1020906@dreyer-net.de>
	<24995e7e-ce04-b2b3-91e0-978175e8c840@gmail.com>
	<572C4B4D.4040802@dreyer-net.de>
Message-ID: <106220eb-a7b7-a3cd-8029-2f32f7915047@gmail.com>

Hi Sven,

> that sounds very promising! Could you please tell me what setup you
> used? (OS/Distribution, bro version, command to playback the pcap file?)

I tried that on Fedora 23 with a recent Bro master. To playback I used:
# tcpreplay -t -i  
I am using Open vSwitch for my virtual testing network and utilized the
OVS monitoring interface I created in this context for replaying the
traffic.

Best regards,
Jan

From cchiaverini at bnl.gov  Fri May  6 05:27:20 2016
From: cchiaverini at bnl.gov (Chris Chiaverini)
Date: Fri, 06 May 2016 08:27:20 -0400
Subject: [Bro] High cpu when calling lookup_hostname
In-Reply-To: 
References: 
Message-ID: <572C8DA8.9070809@bnl.gov>

It is probably in IO wait on the lookup.  Could you run a local caching 
nameserver?  nscd is the easiest to set up but there are others.

Regards,

Chris Chiaverini

On 05/06/2016 06:16 AM, Pasqualino Paladino wrote:
>
> Hello everybody,
>
> I'm using Bro 2.4.1 stable and I developed a script in order to add 
> some information to http.log.
>
> This code snippet attempts to lookup each external hostname that is 
> being contacted by an internal IP.
>
>     if ( c?$http && c$http?$host && c$http$host != "" )
>         {
>         when ( local h = lookup_hostname(c$http$host) )
>             {
>             if ( |h| > 0 && (0.0.0.0 !in h) )
>                 {
>                 c$http$host_ip = h;
>                 Log::write(HTTP::LOG, c$http);
>                 }
>             return;
>             }
>         timeout 2 sec
>             {
>             return;
>             }
>         }
>
> My problem is that the cores that have been assigned to Bro are using 
> 100% of the CPU and I guess the problem is caused by the *when* call.
>
> I have tried to install an internal DNS cache (Bind9) in order to 
> increase the performance, but, with 300 mb/s of throughput and a 
> timeout of 2 sec, it doesn't work.
>
> By disabling the script Bro has the expected behavior (around 50%-60% 
> of CPU usage).
>
> Is anyone able to help me?
>
> Thanks in advance,
>
> Pasquale
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From pawelec93 at googlemail.com  Fri May  6 13:45:49 2016
From: pawelec93 at googlemail.com (=?UTF-8?Q?Pawe=C5=82_Piszczatowski?=)
Date: Fri, 6 May 2016 21:45:49 +0100
Subject: [Bro] Bro and dependencies updates
Message-ID: 

Hello,

I didn't have the chance to check it myself but I am wondering how does Bro
behave during dependencies updates? Will a running cluster be somehow
affected?  Will there be any downtime for Bro?

Regards

From mike at hexstudios.com  Fri May  6 18:30:11 2016
From: mike at hexstudios.com (Mike Wyatt)
Date: Fri, 6 May 2016 20:30:11 -0500
Subject: [Bro] Bro on El Capitan
Message-ID: 

All,

I am looking to install Bro on OS X / El Capitan (Mac Mini and portable
VM). I'm looking for feedback on others experiences. Any issues I need to
look out for? Any assistance is greatly appreciated.

Cheers,

Mike

From slagell at illinois.edu  Fri May  6 19:35:58 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Sat, 7 May 2016 02:35:58 +0000
Subject: [Bro] Bro on El Capitan
In-Reply-To: 
References: 
Message-ID: 

One issue with OpenSSL and El Capitan. Look at the FAQ.

> On May 6, 2016, at 8:38 PM, Mike Wyatt  wrote:
> 
> All,
> 
> I am looking to install Bro on OS X / El Capitan (Mac Mini and portable VM). I'm looking for feedback on others experiences. Any issues I need to look out for? Any assistance is greatly appreciated.
> 
> Cheers,
> 
> Mike
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From slagell at illinois.edu  Fri May  6 19:41:39 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Sat, 7 May 2016 02:41:39 +0000
Subject: [Bro] Bro on El Capitan
In-Reply-To: 
References: 
	
Message-ID: 

I will say that setting up postfix on my Mac Mini was harder than setting up Bro. I use that to get emails from Bro. It is a bit of a PITA, and you can contact me offline if you run into issues.

> On May 6, 2016, at 9:35 PM, Slagell, Adam J  wrote:
> 
> One issue with OpenSSL and El Capitan. Look at FAQ
> 
>> On May 6, 2016, at 8:38 PM, Mike Wyatt  wrote:
>> 
>> All,
>> 
>> I am looking to install Bro on OS X / El Capitan (Mac Mini and portable VM). I'm looking for feedback on others experiences. Any issues I need to look out for? Any assistance is greatly appreciated.
>> 
>> Cheers,
>> 
>> Mike
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 
From mike at hexstudios.com  Sat May  7 09:33:59 2016
From: mike at hexstudios.com (Mike Wyatt)
Date: Sat, 7 May 2016 11:33:59 -0500
Subject: [Bro] Bro on El Capitan
In-Reply-To: 
References: 
	
	
Message-ID: 

Adam,

Thanks for the information. Looks like I'm all set.

Cheers,

Mike

On Friday, May 6, 2016, Slagell, Adam J  wrote:

> I will say that setting up postfix on my Mac Mini was harder than setting
> up Bro. I use that to get emails from Bro. It is a bit of a PITA, and you
> can contact me offline if you run into issues.
>
> > On May 6, 2016, at 9:35 PM, Slagell, Adam J  > wrote:
> >
> > One issue with OpenSSL and El Capitan. Look at FAQ
> >
> >> On May 6, 2016, at 8:38 PM, Mike Wyatt  > wrote:
> >>
> >> All,
> >>
> >> I am looking to install Bro on OS X / El Capitan (Mac Mini and portable
> VM). I'm looking for feedback on others experiences. Any issues I need to
> look out for? Any assistance is greatly appreciated.
> >>
> >> Cheers,
> >>
> >> Mike
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org 
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org 
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> ------
>
> Adam J. Slagell
> Chief Information Security Officer
> Director, Cybersecurity Division
> National Center for Supercomputing Applications
> University of Illinois at Urbana-Champaign
> www.slagell.info
>
> "Under the Illinois Freedom of Information Act (FOIA), any written
> communication to or from University employees regarding University business
> is a public record and may be subject to public disclosure."
>

From art.maddalena at teamaol.com  Mon May  9 05:58:48 2016
From: art.maddalena at teamaol.com (Art Maddalena)
Date: Mon, 9 May 2016 08:58:48 -0400
Subject: [Bro] Question regarding leaking file descriptors
Message-ID: 

Hi,

We are having a problem with leaking file descriptors when using
ActiveHTTP.  We do see the temporary files being deleted, but lsof shows
the files not closed, so we eventually run out of file descriptors.

*Sample Output:*

bro     10687 root 1016r   REG              253,0       283     57148394
/tmp/bro-activehttp-qque3JKygsj_body (deleted)

bro     10687 root 1017r   REG              253,0       131     57148392
/tmp/bro-activehttp-qque3JKygsj_headers (deleted)

bro     10687 root 1018r   REG              253,0       348     57148398
/tmp/bro-activehttp-nhBlB9hVchg_body (deleted)

bro     10687 root 1019r   REG              253,0       131     57148396
/tmp/bro-activehttp-nhBlB9hVchg_headers (deleted)


Our code is at:

https://github.com/aol/moloch/blob/master/capture/plugins/wiseService/molochwise.bro#L98

We are using bro 2.4.1. Is this a known issue or do we need to change the
code somehow?

Thank you for your help!


VR
Art Maddalena, CISSP
Sr. Technical Security Engineer // *AOL*
o: 703.265.2292

From pasqualino.paladino at gmail.com  Mon May  9 06:20:37 2016
From: pasqualino.paladino at gmail.com (Pasqualino Paladino)
Date: Mon, 9 May 2016 15:20:37 +0200
Subject: [Bro] Fwd: High cpu when calling lookup_hostname
In-Reply-To: 
References: 
Message-ID: 

The wa percentage seems to be 0% by top command so I guess that is not the
problem.

I have installed a local dns cache (Bind) and this seems to have improved a
little bit the performance, but bro keeps losing packets due to the ?when?
call.



Thanks,

Pasquale


---------- Forwarded message ----------


*Chris Chiaverini* cchiaverini at bnl.gov

*Fri May 6 05:27:20 PDT 2016*

It is probably in IO wait on the lookup.  Could you run a local caching
nameserver?  nscd is the easiest to setup but there are others.
Regards, Chris Chiaverini


---------- Forwarded message ----------
From: Pasqualino Paladino 
Date: 2016-05-06 12:16 GMT+02:00
Subject: High cpu when calling lookup_hostname
To: bro at bro.org


Hello everybody,

I'm using Bro 2.4.1 stable and I developed a script in order to add some
information to http.log.

This code snippet attempts to lookup each external hostname that is being
contacted by an internal IP.

    if ( c?$http && c$http?$host && c$http$host != "" )
        {
        when ( local h = lookup_hostname(c$http$host) )
            {
            if ( |h| > 0 && (0.0.0.0 !in h) )
                {
                c$http$host_ip = h;
                Log::write(HTTP::LOG, c$http);
                }
            return;
            }
        timeout 2 sec
            {
            return;
            }
        }

My problem is that the cores that have been assigned to Bro are using
100% of the CPU and I guess the problem is caused by the *when* call.

I have tried to install an internal DNS cache (Bind9) in order to increase
the performance, but, with 300 mb/s of throughput and a timeout of 2 sec,
it doesn't work.

By disabling the script Bro has the expected behavior (around 50%-60% of
CPU usage).

Is anyone able to help me?

Thanks in advance,

Pasquale
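The script as posted issues one `when` block with its own `lookup_hostname` call for every HTTP request, so at 300 mb/s thousands of asynchronous lookups and timeout triggers are outstanding at once, which is what burns the CPU and drops packets. The following is an added example (not the poster's script and not Bro's own code) of the usual way out: resolve each hostname once, keep the answer in a script-land table with an expiry, remember failures so they are not retried per request, and cap the number of lookups in flight. The module name, the expiry intervals and the cap of 100 concurrent lookups are assumptions for the example; `host_ip` is the same custom `HTTP::Info` field the poster uses.

```bro
##! Added example: cache DNS answers in script-land and bound the number of
##! when-blocks that can be outstanding, instead of one lookup per request.

@load base/protocols/http

module HostCache;

export {
    redef record HTTP::Info += {
        ## Addresses the Host header resolved to, filled from the cache.
        host_ip: set[addr] &optional &log;
    };

    ## Resolved hostnames. Bro drops an entry an hour after creation, which
    ## also bounds memory (interval is an assumption).
    global resolved: table[string] of set[addr] &create_expire=1hr;

    ## Hostnames that resolved to nothing or timed out; remembering them
    ## stops the same failing lookup from being re-issued on every request.
    global failed: set[string] &create_expire=10min;

    ## Hostnames with a lookup currently in flight.
    global in_flight: set[string] &create_expire=30sec;

    ## Upper bound on concurrent lookups (assumed value; tune per sensor).
    const max_in_flight = 100 &redef;

    ## Returns T when a lookup for host should be started right now.
    global should_resolve: function(host: string): bool;
}

function should_resolve(host: string): bool
    {
    if ( host == "" || host in resolved || host in failed || host in in_flight )
        return F;
    return |in_flight| < max_in_flight;
    }

function resolve(host: string)
    {
    add in_flight[host];

    when ( local h = lookup_hostname(host) )
        {
        delete in_flight[host];
        if ( |h| > 0 && 0.0.0.0 !in h )
            resolved[host] = h;
        else
            add failed[host];
        }
    timeout 2sec
        {
        delete in_flight[host];
        add failed[host];
        }
    }

# Priority -5 so the base HTTP script (priority 5) has already stored the
# port-stripped Host value in c$http$host.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=-5
    {
    if ( ! is_orig || name != "HOST" || ! c?$http || ! c$http?$host )
        return;

    local host = c$http$host;

    # Hot path: a table lookup only, no DNS and no when-block per request.
    if ( host in resolved )
        c$http$host_ip = resolved[host];
    else if ( should_resolve(host) )
        resolve(host);
    }
```

The first request for a hostname is logged without `host_ip` and triggers the single lookup; every later request to that host within the hour gets the cached set with no asynchronous work at all. There is also no separate `Log::write`: the base HTTP scripts write the `http.log` entry for the connection as usual, and because `host_ip` carries `&log` it simply appears as an extra column.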

From mostafaammar at aast.edu  Mon May  9 06:20:49 2016
From: mostafaammar at aast.edu (Mostafa Abdallah. Ammar)
Date: Mon, 9 May 2016 13:20:49 +0000
Subject: [Bro] bro ids icmp and attack signatures
In-Reply-To: <1F0304BD6B9F5B479AD8B86008ABF0DE40A545DA@KEERMBX01.Egypt.AAST.edu>
References: <1F0304BD6B9F5B479AD8B86008ABF0DE40A545DA@KEERMBX01.Egypt.AAST.edu>
Message-ID: <1F0304BD6B9F5B479AD8B86008ABF0DE40A55584@KEERMBX01.Egypt.AAST.edu>

Dear All,

I tried the following script, icmptest.bro (attached), while running remote syslog. All the messages on syslog are regarding IPv6 and not IPv4; is there an explanation for that?

05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
________________________________
From: Mostafa Abdallah. Ammar
Sent: Thursday, May 05, 2016 4:42 PM
To: bro at bro.org
Subject: bro ids icmp and attack signatures

Dear All,

I am new to Bro IDS. I installed Bro IDS successfully and added a network tap to it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see the certificate info in ssl.log and x509.log.

My question is:

I want to see a notification when I ping (I tried and could not find one).

Can I use signatures with Bro, like Snort, that generate logs when receiving an attack, with the signature ID in the log?

Please provide reply with some details as I am new to bro.


Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmptest.bro
Type: application/octet-stream
Size: 4477 bytes
Desc: icmptest.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160509/0f096dfd/attachment-0001.obj 

From vladg at illinois.edu  Mon May  9 07:49:34 2016
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Mon, 09 May 2016 09:49:34 -0500
Subject: [Bro] Bro and dependencies updates
In-Reply-To: 
References: 
Message-ID: 

It's hard to say. A running cluster *should* not be affected. broctl
(which by default runs every 5 minutes) might stop working. Of note, Bro
won't actually pick up the changes to the dependencies until it's
restarted.

The safest course of action would be to restart Bro after dependency
updates. We usually reboot the systems as well, to ensure that the
updates are picked up by all the system components.

  --Vlad

Paweł Piszczatowski writes:

> Hello,
>
> I didn't have the chance to check it myself but I am wondering how does Bro
> behave during dependencies updates? Will a running cluster be somehow
> affected?  Will there be any downtime for Bro?
>
> Regards
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From newfire.bw at gmail.com  Mon May  9 20:50:56 2016
From: newfire.bw at gmail.com (Bowen Li)
Date: Tue, 10 May 2016 11:50:56 +0800
Subject: [Bro] bro cluster packet loss with pf_ring_zc
Message-ID: 

Dear list,

I'm using Bro 2.4.1 stable and PF_RING_ZC to analyze network traffic. The
peak flow of the traffic is almost 1 Gbps (the full load of the NIC), and
the number of packets in the traffic may reach 200,000 pps. PF_RING_ZC
zbalance_ipc shows that pf_ring has no packet loss, and broctl netstats
shows that the Bro cluster has lost most of the packets, but the link number
is equal to the received packet number.

When handling the packets, almost all of the CPUs are at full load, so
I suspect that the processor of the server limits the packet processing
speed, so the Bro cluster has to drop packets.

So my question is whether packet loss in Bro is normal or not, given the
performance of the server under 200,000 pps.

Here is the CPU info:
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                32
On-line CPU(s) list:   0-31
Thread(s) per core:    2
Core(s) per socket:    8
Socket(s):             2
NUMA node(s):          2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 45
Model name:            Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
Stepping:              6
CPU MHz:               1317.937
BogoMIPS:              4419.58
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              20480K
NUMA node0 CPU(s):     0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30
NUMA node1 CPU(s):     1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31

Here is the memory info:
              total        used        free      shared  buff/cache   available
Mem:       65759080    13018468    31412324      132364    21328288    52079776
Swap:      29241340           0    29241340

Is anyone able to help me?



Thanks in advance,

Bowen Li

From gfaulkner.nsm at gmail.com  Tue May 10 08:27:13 2016
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Tue, 10 May 2016 10:27:13 -0500
Subject: [Bro] bro cluster packet loss with pf_ring_zc
In-Reply-To: 
References: 
Message-ID: 

I guess the first thing is to ask how much packet loss? You'll never 
fully eliminate it, but a good cluster set up can keep your average loss 
under 1%. I could ask a whole lot of questions about your cluster set 
up, but it is probably easier if you can share a redacted version of 
your node.conf (redact public IPs, DNS names, any sensitive info etc). 
You could also try running the capture loss script and doing some 
analysis on which and how many workers are dropping packets over time. 
Keep in mind if you are doing any kind of partial flow shunting this 
could skew the results. You could also look at stats.log if you have it 
enabled. If one or two workers are really dropping packets during an 
interval of time, but the rest look OK this could be traffic related 
(some large flows). If it is across the board you may need to look more 
closely at your cluster set-up for sub-optimal configuration or 
over-subscription.

~Gary


On 5/9/16 10:50 PM, Bowen Li wrote:
> Dear list,
>
> I'm using Bro 2.4.1 stable and PF_RING_ZC to analyze network traffic. The
> peak flow of the traffic is almost 1 Gbps (the full load of the NIC), and
> the number of packets in the traffic may reach 200,000 pps. PF_RING_ZC
> zbalance_ipc shows that pf_ring has no packet loss, and broctl netstats
> shows that the Bro cluster has lost most of the packets, but the link number
> is equal to the received packet number.
>
> When handling the packets, almost all of the CPUs are at full load, so
> I suspect that the processor of the server limits the packet processing
> speed, so the Bro cluster has to drop packets.
>
> So my question is whether packet loss in Bro is normal or not, given the
> performance of the server under 200,000 pps.
>
> Here is the CPU info:
> Architecture:          x86_64
> CPU op-mode(s):        32-bit, 64-bit
> Byte Order:            Little Endian
> CPU(s):                32
> On-line CPU(s) list:   0-31
> Thread(s) per core:    2
> Core(s) per socket:    8
> Socket(s):             2
> NUMA node(s):          2
> Vendor ID:             GenuineIntel
> CPU family:            6
> Model:                 45
> Model name:            Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
> Stepping:              6
> CPU MHz:               1317.937
> BogoMIPS:              4419.58
> Virtualization:        VT-x
> L1d cache:             32K
> L1i cache:             32K
> L2 cache:              256K
> L3 cache:              20480K
> NUMA node0 CPU(s):     0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30
> NUMA node1 CPU(s):     1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31
>
> Here is the memory info:
>               total        used        free      shared  buff/cache   available
> Mem:       65759080    13018468    31412324      132364    21328288    52079776
> Swap:      29241340           0    29241340
>
> Is anyone able to help me?
>
>
>
> Thanks in advance,
>
> Bowen Li
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From seth at icir.org  Tue May 10 09:09:04 2016
From: seth at icir.org (Seth Hall)
Date: Tue, 10 May 2016 12:09:04 -0400
Subject: [Bro] bro ids icmp and attack signatures
In-Reply-To: <1F0304BD6B9F5B479AD8B86008ABF0DE40A55584@KEERMBX01.Egypt.AAST.edu>
References: <1F0304BD6B9F5B479AD8B86008ABF0DE40A545DA@KEERMBX01.Egypt.AAST.edu>
	<1F0304BD6B9F5B479AD8B86008ABF0DE40A55584@KEERMBX01.Egypt.AAST.edu>
Message-ID: <839261C2-AE66-47FF-9AD7-D7FD0CB3E2E3@icir.org>

I would look into what ICMP messages you are seeing that are causing this.  This is probably just due to some aspect of how router solicitation or neighbor solicitation happens.  I would also create a pcap containing a test case where you know this triggers correctly, so that you can have a repeatable test.

  .Seth


> On May 9, 2016, at 9:20 AM, Mostafa Abdallah. Ammar  wrote:
> 
> Dear All,
> 
> I tried the following script, icmptest.bro (attached), while running remote syslog. All the messages on syslog are regarding IPv6 and not IPv4; is there an explanation for that?
> 
> 05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
> Best Regards,
> 
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> From: Mostafa Abdallah. Ammar
> Sent: Thursday, May 05, 2016 4:42 PM
> To: bro at bro.org
> Subject: bro ids icmp and attack signatures
> 
> Dear All,
> 
> I am new to Bro IDS. I installed Bro IDS successfully and added a network tap to it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see the certificate info in ssl.log and x509.log.
> 
> My question is:
> 
> I want to see a notification when I ping (I tried and could not find one).
> 
> Can I use signatures with Bro, like Snort, that generate logs when receiving an attack, with the signature ID in the log?
> 
> Please provide reply with some details as I am new to bro.
> 
> 
> Best Regards,
> 
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



From mostafaammar at aast.edu  Tue May 10 12:41:16 2016
From: mostafaammar at aast.edu (Mostafa Abdallah. Ammar)
Date: Tue, 10 May 2016 19:41:16 +0000
Subject: [Bro] bro ids icmp and attack signatures
In-Reply-To: <839261C2-AE66-47FF-9AD7-D7FD0CB3E2E3@icir.org>
References: <1F0304BD6B9F5B479AD8B86008ABF0DE40A545DA@KEERMBX01.Egypt.AAST.edu>
	<1F0304BD6B9F5B479AD8B86008ABF0DE40A55584@KEERMBX01.Egypt.AAST.edu>,
	<839261C2-AE66-47FF-9AD7-D7FD0CB3E2E3@icir.org>
Message-ID: <1F0304BD6B9F5B479AD8B86008ABF0DE40A55A5F@KEERMBX01.Egypt.AAST.edu>

Dear Seth,

Thanks for your kind reply. Finally it is solved and I can see logs for the ICMP echo request and echo response; I was not putting the notice action correctly under the echo request event. Kindly find the edited file attached for anyone who follows this case.

Now I can print the time in network time format in the logs; is there a way to convert it to a human-readable format?

Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674

________________________________________
From: Seth Hall [seth at icir.org]
Sent: Tuesday, May 10, 2016 6:09 PM
To: Mostafa Abdallah. Ammar
Cc: bro at bro.org
Subject: Re: [Bro] bro ids icmp and attack signatures

I would look into what ICMP messages you are seeing that are causing this.  This is probably just due to some aspect of how router solicitation or neighbor solicitation happens.  I would also create a pcap containing a test case where you know this triggers correctly, so that you can have a repeatable test.

  .Seth


> On May 9, 2016, at 9:20 AM, Mostafa Abdallah. Ammar  wrote:
>
> Dear All,
>
> I tried the following script, icmptest.bro (attached), while running remote syslog. All the messages on syslog are regarding IPv6 and not IPv4; is there an explanation for that?
>
> 05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
> Best Regards,
>
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> From: Mostafa Abdallah. Ammar
> Sent: Thursday, May 05, 2016 4:42 PM
> To: bro at bro.org
> Subject: bro ids icmp and attack signatures
>
> Dear All,
>
> I am new to Bro IDS. I installed Bro IDS successfully and added a network tap to it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see the certificate info in ssl.log and x509.log.
>
> My question is:
>
> I want to see a notification when I ping (I tried and could not find one).
>
> Can I use signatures with Bro, like Snort, that generate logs when receiving an attack, with the signature ID in the log?
>
> Please provide reply with some details as I am new to bro.
>
>
> Best Regards,
>
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmptest.bro
Type: application/octet-stream
Size: 4713 bytes
Desc: icmptest.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160510/3248c3ff/attachment.obj 

From mehmetleb at gmail.com  Wed May 11 01:41:01 2016
From: mehmetleb at gmail.com (=?UTF-8?B?TWVobWV0IExFQkxFQsSwQ8Sw?=)
Date: Wed, 11 May 2016 11:41:01 +0300
Subject: [Bro] Bro - File Extraction
Message-ID: 

Hello all,

I am using Bro 2.4.1 and want to extract files seen in the network traffic.
For this I loaded the extract-all-files.bro script in local.bro. However, it
does not completely extract files. It seems it stops extracting after some
point. This occurs for all file types. I looked at the files.log file and
see that the total_bytes and seen_bytes fields are not the same. I also
checked the extract file size limit and there is no problem with that. Also,
when I save the traffic into a pcap file and issue bro -Cr pcapFile.pcap
...../extract-all-files.bro, it extracts files successfully. However, it
cannot do so in the current/logs/extractFiles directory. I am kind of new to
Bro and I have been stuck with this problem for about a week. So, any help
will be appreciated.

Thanks in advance,


Mehmet Leblebici

From martin.liras at gmail.com  Wed May 11 02:03:41 2016
From: martin.liras at gmail.com (Luis Martin Liras)
Date: Wed, 11 May 2016 11:03:41 +0200
Subject: [Bro] Obtain a MD5 hash from a file in disk
Message-ID: <5732F56D.7050100@gmail.com>

Hi there,

I need some help to obtain an MD5 hash of a file. But not a file obtained
from an HTTP stream. I have my own network payload I have written to disk:

    f = open(payload_filename);
    if ( write_file(f, payload) )
        {
        close(f);
        }

In this case the file handler "f" is of type "file".

I tried adding it to an MD5 analyzer:

    #Files::add_analyzer(f, Files::ANALYZER_MD5);

However, this call needs an "fa_file" record, associated with a stream,
not a "file" handler...

Can anyone explain how I can obtain an MD5 hash from a file on disk?

Thank you!

Thank you!


From chriswelber at yahoo.com  Wed May 11 03:27:29 2016
From: chriswelber at yahoo.com (Chris Welber yahoo)
Date: Wed, 11 May 2016 06:27:29 -0400
Subject: [Bro] metrics
In-Reply-To: <5732F56D.7050100@gmail.com>
References: <5732F56D.7050100@gmail.com>
Message-ID: <80B61F56-5536-4A10-B99B-D994888B970D@yahoo.com>


Does anyone have a method for creating metrics with Bro, in regards to IT security needs, i.e. how many malware event types, violations, etc.?



From martin.liras at gmail.com  Wed May 11 03:58:18 2016
From: martin.liras at gmail.com (Luis Martin)
Date: Wed, 11 May 2016 12:58:18 +0200
Subject: [Bro] Obtain a MD5 hash from a file in disk
In-Reply-To: <5732F56D.7050100@gmail.com>
References: <5732F56D.7050100@gmail.com>
Message-ID: 

Ok,

Found it. Only had to use the function

md5_hash

...of the payload, not the handler.


Rgds


2016-05-11 11:03 GMT+02:00 Luis Martin Liras :

> Hi there,
>
> I need some help to obtain an MD5 hash of a file. But not a file obtained
> from an HTTP stream. I have my own network payload I have written to disk:
>
>     f = open(payload_filename);
>     if ( write_file(f, payload) )
>         {
>         close(f);
>         }
>
> in this case the file handler "f" is of type "file".
>
>
> I tried adding it to an MD5 analyzer:
>
>                         #Files::add_analyzer(f, Files::ANALYZER_MD5);
>
> However this request needs a "fa_file" record, associated with a stream
> not a "file" handler...
>
> Can anyone explain how I can obtain an MD5 hash from a file on disk?
>
> Thank you!
>
>

From sanjuanswan at gmail.com  Wed May 11 09:50:45 2016
From: sanjuanswan at gmail.com (Jay Swan)
Date: Wed, 11 May 2016 10:50:45 -0600
Subject: [Bro] Multiple log streams
Message-ID: 

I used this script:

https://gist.github.com/J-Gras/f9f86828f9e9d9c0b8f0908bc3573bb0

to log simultaneously as JSON and normal Bro TSV.

I'm seeing only a fraction of the total logs being written as JSON -- it
varies between about 25-40%.

The script looks OK to me. Any ideas what's wrong? Is there a better way to
do dual log streams?

Thanks,
Jay

From gfaulkner.nsm at gmail.com  Wed May 11 09:58:07 2016
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Wed, 11 May 2016 11:58:07 -0500
Subject: [Bro] metrics
In-Reply-To: <80B61F56-5536-4A10-B99B-D994888B970D@yahoo.com>
References: <5732F56D.7050100@gmail.com>
	<80B61F56-5536-4A10-B99B-D994888B970D@yahoo.com>
Message-ID: <3fb37634-cbf4-c873-5a0c-8c8588a88098@gmail.com>

Have you looked at Bro-statsd? If you are comfortable with Bro scripting 
and something like graphite or influxdb you should be able to do just 
about anything.

https://github.com/JustinAzoff/bro-statsd-plugin


On 5/11/16 5:27 AM, Chris Welber yahoo wrote:
> Does anyone have a method for creating metrics with Bro, in regards to IT security needs, i.e. how many malware event types, violations, etc.?
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From sanjuanswan at gmail.com  Wed May 11 10:25:53 2016
From: sanjuanswan at gmail.com (Jay Swan)
Date: Wed, 11 May 2016 11:25:53 -0600
Subject: [Bro] Multiple log streams
Message-ID: 

I originally sent this to the wrong email address -- sorry Bro team. :-)

I used this script:

https://gist.github.com/J-Gras/f9f86828f9e9d9c0b8f0908bc3573bb0

to log simultaneously as JSON and normal Bro TSV.

I'm seeing only a fraction of the total logs being written as JSON -- it
varies between about 25-40%.

The script looks OK to me. Any ideas what's wrong? Is there a better way to
do dual log streams?

Thanks,
Jay

From jdopheid at illinois.edu  Wed May 11 17:12:41 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Thu, 12 May 2016 00:12:41 +0000
Subject: [Bro] Don't forget to submit your BroCon CFPs
Message-ID: <7EFD7D614A2BB84ABEA19B2CEDD246580A73F8B8@CITESMBX5.ad.uillinois.edu>

Bro Community,

A friendly reminder to submit your BroCon '16 CFP, details here:

https://www.bro.org/community/brocon2016.html#call-forpresentations

And don't forget to register!

See you in September,

The Bro Development Team

------

Jeannette M. Dopheide
Bro Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From landy-bible at utulsa.edu  Wed May 11 19:35:39 2016
From: landy-bible at utulsa.edu (Landy Bible)
Date: Wed, 11 May 2016 21:35:39 -0500
Subject: [Bro] metrics
In-Reply-To: <3fb37634-cbf4-c873-5a0c-8c8588a88098@gmail.com>
References: <5732F56D.7050100@gmail.com>
	<80B61F56-5536-4A10-B99B-D994888B970D@yahoo.com>
	<3fb37634-cbf4-c873-5a0c-8c8588a88098@gmail.com>
Message-ID: 

We use Logstash to ship our Bro logs into ElasticSearch, then we use
Kibana to create all sorts of interesting dashboards related to our
traffic. If you use the JSON output plugin for Bro it makes it easy because
you don't need to try to write Bro filters for Logstash to parse the logs,
just pump the JSON directly into ElasticSearch. Be aware that ElasticSearch
2 doesn't allow dots in field names, so you'll either need to stick with
the 1x branch or use Logstash filters to remove the dots.

--
Landy Bible
Information Security Analyst
The University of Tulsa

On Wed, May 11, 2016 at 11:58 AM, Gary Faulkner 
wrote:

> Have you looked at Bro-statsd? If you are comfortable with Bro scripting
> and something like graphite or influxdb you should be able to do just
> about anything.
>
> https://github.com/JustinAzoff/bro-statsd-plugin
>
>
> On 5/11/16 5:27 AM, Chris Welber yahoo wrote:
> > Does anyone have a method for creating metrics with Bro, in regards to
> > IT security needs, i.e. how many malware event types, violations, etc.?
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From fatema.bannatwala at gmail.com  Thu May 12 07:23:02 2016
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Thu, 12 May 2016 10:23:02 -0400
Subject: [Bro] Bro Digest, Vol 121, Issue 10
In-Reply-To: 
References: 
Message-ID: 

Hi Li,

I don't know how relevant this solution is to the case presented, but it
might be worth a try.
We run a Bro cluster of 4 worker nodes and a manager. We recently started
seeing a lot of capture loss (>60%)
and tried doing some tuning of the interfaces:
we turned off Tx and Rx checksumming on the NIC, which reduced the lag
between packets captured by the interface and packets processed by Bro.
Also, checksum calculation is the default in Bro, hence turning it off on the
interface won't create any security issues.

$ sudo ethtool -K em1 rx off
Actual changes:
rx-checksumming: off
large-receive-offload: off [requested on]
$ sudo ethtool -K em1 tx off
Actual changes:
tx-checksumming: off
        tx-checksum-ipv4: off
        tx-checksum-ipv6: off
        tx-checksum-sctp: off
tcp-segmentation-offload: off
        tx-tcp-segmentation: off [requested on]
        tx-tcp6-segmentation: off [requested on]
$ sudo ethtool -K em1 sg off
Actual changes:
scatter-gather: off
        tx-scatter-gather: off
generic-segmentation-offload: off [requested on]
$ sudo ethtool -K em1 tso off
$ sudo ethtool -K em1 gso off
$ sudo ethtool -K em1 gro off

This reduced the capture loss % to below 1%, and the cluster is not seeing
any capture loss till date.

Thanks,
Fatema.

On Tue, May 10, 2016 at 3:00 PM,  wrote:

> Send Bro mailing list submissions to
>         bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>         bro-request at bro.org
>
> You can reach the person managing the list at
>         bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. bro cluster packet loss with pf_ring_zc (Bowen Li)
>    2. Re: bro cluster packet loss with pf_ring_zc (Gary Faulkner)
>    3. Re: bro ids icmp and attack signatures (Seth Hall)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 May 2016 11:50:56 +0800
> From: Bowen Li 
> Subject: [Bro] bro cluster packet loss with pf_ring_zc
> To: bro at bro.org
> Message-ID:
>         <
> CAJ17UJdzkj8N0uD2Sn-vrAmtcw8OQATKj2Wm5HMqWDmdxf1H1w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Dear list,
>
> I'm using Bro 2.4.1 stable and PF_RING_ZC to analyze network traffic. The
> peak flow of the traffic is almost 1 Gbps (the full load of the NIC), and
> the number of packets in the traffic may reach 200,000 pps. PF_RING_ZC
> zbalance_ipc shows that pf_ring has no packet loss, and broctl netstats
> shows that the Bro cluster has lost most of the packets, but the link number
> is equal to the received packet number.
>
> When handling the packets, almost all of the CPUs are at full load, so
> I suspect that the processor of the server limits the packet processing
> speed, so the Bro cluster has to drop packets.
>
> So my question is whether packet loss in Bro is normal or not, given the
> performance of the server under 200,000 pps.
>
> Here is the CPU info:
> Architecture:          x86_64
> CPU op-mode(s):        32-bit, 64-bit
> Byte Order:            Little Endian
> CPU(s):                32
> On-line CPU(s) list:   0-31
> Thread(s) per core:    2
> Core(s) per socket:    8
> Socket(s):             2
> NUMA node(s):          2
> Vendor ID:             GenuineIntel
> CPU family:            6
> Model:                 45
> Model name:            Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
> Stepping:              6
> CPU MHz:               1317.937
> BogoMIPS:              4419.58
> Virtualization:        VT-x
> L1d cache:             32K
> L1i cache:             32K
> L2 cache:              256K
> L3 cache:              20480K
> NUMA node0 CPU(s):     0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30
> NUMA node1 CPU(s):     1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31
>
> Here is the memory info:
>               total        used        free      shared  buff/cache   available
> Mem:       65759080    13018468    31412324      132364    21328288    52079776
> Swap:      29241340           0    29241340
>
> Is anyone able to help me?
>
>
>
> Thanks in advance,
>
> Bowen Li
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160510/5b5ed9b7/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 May 2016 10:27:13 -0500
> From: Gary Faulkner 
> Subject: Re: [Bro] bro cluster packet loss with pf_ring_zc
> To: Bowen Li , bro at bro.org
> Message-ID: 
> Content-Type: text/plain; charset="windows-1252"
>
> I guess the first thing is to ask how much packet loss? You'll never
> fully eliminate it, but a good cluster set up can keep your average loss
> under 1%. I could ask a whole lot of questions about your cluster set
> up, but it is probably easier if you can share a redacted version of
> your node.conf (redact public IPs, DNS names, any sensitive info etc).
> You could also try running the capture loss script and doing some
> analysis on which and how many workers are dropping packets over time.
> Keep in mind if you are doing any kind of partial flow shunting this
> could skew the results. You could also look at stats.log if you have it
> enabled. If one or two workers are really dropping packets during an
> interval of time, but the rest look OK this could be traffic related
> (some large flows). If it is across the board you may need to look more
> closely at your cluster set-up for sub-optimal configuration or
> over-subscription.
>
> ~Gary
>
>
> On 5/9/16 10:50 PM, Bowen Li wrote:
> > Dear list,
> >
> > I'm using Bro 2.4.1 stable and PF_RING_ZC to analyze network traffic. The
> > peak flow of the traffic is almost 1 Gbps (the full load of the NIC), and
> > the number of packets in the traffic may reach 200,000 pps. PF_RING_ZC
> > zbalance_ipc shows that pf_ring has no packet loss, and broctl netstats
> > shows that the Bro cluster has lost most of the packets, but the link number
> > is equal to the received packet number.
> >
> > When handling the packets, almost all of the CPUs are at full load, so
> > I suspect that the processor of the server limits the packet processing
> > speed, so the Bro cluster has to drop packets.
> >
> > So my question is whether packet loss in Bro is normal or not, given the
> > performance of the server under 200,000 pps.
> >
> > Here is the CPU info:
> > Architecture:          x86_64
> > CPU op-mode(s):        32-bit, 64-bit
> > Byte Order:            Little Endian
> > CPU(s):                32
> > On-line CPU(s) list:   0-31
> > Thread(s) per core:    2
> > Core(s) per socket:    8
> > Socket(s):             2
> > NUMA node(s):          2
> > Vendor ID:             GenuineIntel
> > CPU family:            6
> > Model:                 45
> > Model name:            Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
> > Stepping:              6
> > CPU MHz:               1317.937
> > BogoMIPS:              4419.58
> > Virtualization:        VT-x
> > L1d cache:             32K
> > L1i cache:             32K
> > L2 cache:              256K
> > L3 cache:              20480K
> > NUMA node0 CPU(s):     0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30
> > NUMA node1 CPU(s):     1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31
> >
> > Here is the memory info:
> >                total        used        free      shared  buff/cache   available
> > Mem:       65759080    13018468    31412324      132364    21328288    52079776
> > Swap:      29241340           0    29241340
> >
> > Is anyone able to help me?
> >
> >
> >
> > Thanks in advance,
> >
> > Bowen Li
> >
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 10 May 2016 12:09:04 -0400
> From: Seth Hall 
> Subject: Re: [Bro] bro ids icmp and attack signatures
> To: "Mostafa Abdallah. Ammar" 
> Cc: "bro at bro.org" 
> Message-ID: <839261C2-AE66-47FF-9AD7-D7FD0CB3E2E3 at icir.org>
> Content-Type: text/plain; charset=iso-8859-1
>
> I would look into which ICMP messages you are seeing that are causing
> this.  This is probably just due to some aspect of how router
> solicitation or neighbor solicitation happens.  I would also create a pcap
> containing a test case where you know this to trigger correctly so that you
> can have a repeatable test.
>
>   .Seth
>
>
> > On May 9, 2016, at 9:20 AM, Mostafa Abdallah. Ammar <
> mostafaammar at aast.edu> wrote:
> >
> > Dear All,
> >
> > I tried the following script icmptest.bro (attached) while running
> > remote syslog. All the messages on syslog are regarding IPv6 and not IPv4;
> > is there an explanation for that?
> >
> > 05-09-2016 14:56:23 Local7.Info 10.0.1.153 May 9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222 - - - - - - - - - DetectICMPSHell:: ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8 - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
> > Best Regards,
> >
> > Eng. Mostafa Abdallah Ammar,Msc.
> > Information Security and Auditing Supervisor
> > CCIE security #23971
> > Arab Academy For Science And Technology & maritime Transport
> > Computer Networks & Data Center (CNDC)
> > Mobile: 002 01001983674
> > From: Mostafa Abdallah. Ammar
> > Sent: Thursday, May 05, 2016 4:42 PM
> > To: bro at bro.org
> > Subject: bro ids icmp and attack signatures
> >
> > Dear All,
> >
> > I am new to bro ids. I installed bro ids successfully and added a tap
> > to the network for it, and for example if I access a website on a machine I
> > can see in http.log the website I accessed, and if the website is SSL I can
> > see in ssl.log and x509.log the certificate info.
> >
> > my question is :
> >
> > I want, when I ping, to see a notification for this ping (I tried and could
> > not find one).
> >
> > Can I use signatures like snort with bro that generate logs when
> > receiving an attack, and generate a log with the signature ID?
> >
> > Please provide reply with some details as I am new to bro.
> >
> >
> > Best Regards,
> >
> > Eng. Mostafa Abdallah Ammar,Msc.
> > Information Security and Auditing Supervisor
> > CCIE security #23971
> > Arab Academy For Science And Technology & maritime Transport
> > Computer Networks & Data Center (CNDC)
> > Mobile: 002 01001983674
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 121, Issue 10
> ************************************
>

From sven at dreyer-net.de  Fri May 13 06:24:14 2016
From: sven at dreyer-net.de (Sven Dreyer)
Date: Fri, 13 May 2016 15:24:14 +0200
Subject: [Bro] Problem with connections in S1 and SF state
In-Reply-To: <106220eb-a7b7-a3cd-8029-2f32f7915047@gmail.com>
References: <564B9060.1080304@dreyer-net.de> <5720A537.1010203@dreyer-net.de>
	<5720D162.6020408@gmail.com> <572214B4.1020906@dreyer-net.de>
	<24995e7e-ce04-b2b3-91e0-978175e8c840@gmail.com>
	<572C4B4D.4040802@dreyer-net.de>
	<106220eb-a7b7-a3cd-8029-2f32f7915047@gmail.com>
Message-ID: <5735D57E.4010406@dreyer-net.de>

Thanks Jan, I'll give that setup a try and will report back.

Best regards,
Sven

Am 06.05.2016 um 12:25 schrieb Jan Grashöfer:
> Hi Sven,
>
>> that sounds very promising! Could you please tell me what setup you
>> used? (OS/Distribution, bro version, command to playback the pcap file?)
>
> I tried that on Fedora 23 with a recent Bro master. To playback I used:
> # tcpreplay -t -i  
> I am using Open vSwitch for my virtual testing network and utilized the
> OVS monitoring interface I created in this context for replaying the
> traffic.
>
> Best regards,
> Jan
>


From bro at pingtrip.com  Fri May 13 07:44:09 2016
From: bro at pingtrip.com (Dave Crawford)
Date: Fri, 13 May 2016 10:44:09 -0400
Subject: [Bro] Creating multiple notice logs
Message-ID: 

Does anyone have an example of diverting specific notices to a new log file?

Is the right approach to hook "Notice::policy" (with priority), Log:write to the new log stream and then 'break' from the hook?

-Dave  

From jazoff at illinois.edu  Fri May 13 08:00:12 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 13 May 2016 15:00:12 +0000
Subject: [Bro] Creating multiple notice logs
In-Reply-To: 
References: 
Message-ID: <2CDF2306-C1A8-41F3-BA4D-B05D9A1FD3F6@illinois.edu>


> On May 13, 2016, at 10:44 AM, Dave Crawford  wrote:
>
> Does anyone have an example of diverting specific notices to a new log file?
>
> Is the right approach to hook "Notice::policy" (with priority), Log:write to the new log stream and then 'break' from the hook?
>
> -Dave

Yes.. you're on the right track.  As it turns out I have a script that does exactly that.



The input file is so I can have a file with rows like

#fields ip      note    reason  timestamp
1.2.3.4   TeamCymruMalwareHashRegistry::Match     test box        1445362562



The key thing that my script does is

    n$actions = set();

If you just wanted to move some notices to a different log file you could accomplish that much easier by using Log::add_filter with a path_func.



--
- Justin Azoff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ignore-notices.bro
Type: application/octet-stream
Size: 1025 bytes
Desc: ignore-notices.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160513/a0dee435/attachment.obj 

From bro at pingtrip.com  Fri May 13 12:08:15 2016
From: bro at pingtrip.com (Dave Crawford)
Date: Fri, 13 May 2016 15:08:15 -0400
Subject: [Bro] Creating multiple notice logs
In-Reply-To: <2CDF2306-C1A8-41F3-BA4D-B05D9A1FD3F6@illinois.edu>
References: 
	<2CDF2306-C1A8-41F3-BA4D-B05D9A1FD3F6@illinois.edu>
Message-ID: 

Thanks Justin,

The add_filter option you mentioned is probably the better route. I'm just looking to move "PacketFilter::Dropped_Packets" notices to a separate log.

> On May 13, 2016, at 11:00 AM, Azoff, Justin S  wrote:
> 
> 
> > On May 13, 2016, at 10:44 AM, Dave Crawford  wrote:
> > 
> > Does anyone have an example of diverting specific notices to a new log file?
> > 
> > Is the right approach to hook "Notice::policy" (with priority), Log:write to the new log stream and then 'break' from the hook?
> > 
> > -Dave  
> 
> Yes.. you're on the right track.  As it turns out I have a script that does exactly that.
> 
> 
> 
> The input file is so I can have a file with rows like
> 
> #fields ip      note    reason  timestamp
> 1.2.3.4   TeamCymruMalwareHashRegistry::Match     test box        1445362562
> 
> 
> 
> The key thing that my script does is
> 
>     n$actions = set();
> 
> If you just wanted to move some notices to a different log file you could accomplish that much easier by using Log::add_filter with a path_func.
> 
> 
> 
> -- 
> - Justin Azoff
> 
> 

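Both of Justin's approaches in one script, as an added example that is neither the attached ignore-notices.bro nor part of the original thread: a Notice::policy hook that empties the action set (how the attached script suppresses notices), and a Log::add_filter with a path_func that sends PacketFilter::Dropped_Packets to its own file (what Dave wants). The module name, the ignored_notes set and the notice_dropped path are assumptions.

```bro
@load base/frameworks/notice
@load base/frameworks/packet-filter

# Assumed module name
module NoticeRouting;

export {
        # Notice types that should neither be logged nor alarmed on (assumed name)
        const ignored_notes: set[Notice::Type] = { } &redef;
}

# Suppression, the way Justin's script does it: a notice whose action set is
# empty is dropped by the notice framework, so nothing is written anywhere.
# Runs early so later policy hooks do not add actions back.
hook Notice::policy(n: Notice::Info) &priority=10
        {
        if ( n$note in ignored_notes )
                n$actions = set();
        }

# Rerouting: the path function picks the output file per record. Returning
# "notice" keeps the normal file name for everything else.
function notice_path(id: Log::ID, path: string, rec: Notice::Info): string
        {
        if ( rec$note == PacketFilter::Dropped_Packets )
                return "notice_dropped";
        return "notice";
        }

# Default priority: the notice framework creates Notice::LOG in its own
# higher-priority bro_init, so the stream exists by the time this runs.
# The default filter would keep writing every notice to notice.log as well,
# so it is replaced rather than supplemented.
event bro_init()
        {
        Log::remove_default_filter(Notice::LOG);
        Log::add_filter(Notice::LOG, [$name="notice-routed", $path_func=notice_path]);
        }
```

Loaded from local.bro, this yields a notice.log without Dropped_Packets entries and a separate notice_dropped.log with only those. Notices suppressed by the hook never reach either file, because Notice::policy runs before the ACTION_LOG action writes the record.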

From gross.b at ghc.org  Fri May 13 12:49:57 2016
From: gross.b at ghc.org (Gross, Brett)
Date: Fri, 13 May 2016 19:49:57 +0000
Subject: [Bro] bro SMTP failing to parse attributes (subject,
	attachment) with EHLO
Message-ID: 

Hello Bro Community,

I'm having an issue with bro SMTP not parsing certain mail attributes like subject or attachment. The parsing worked correctly when utilizing HELO, but after switching to EHLO, parsing of those attributes is minimal or does not happen at all.


Thank you
Brett

________________________________

GHC Confidentiality Statement

This message and any attached files might contain confidential information protected by federal and state law. The information is intended only for the use of the individual(s) or entities originally named as addressees. The improper disclosure of such information may be subject to civil or criminal penalties. If this message reached you in error, please contact the sender and destroy this message. Disclosing, copying, forwarding, or distributing the information by unauthorized individuals or entities is strictly prohibited by law.

From pssunu6 at gmail.com  Fri May 13 13:01:08 2016
From: pssunu6 at gmail.com (ps sunu)
Date: Sat, 14 May 2016 01:31:08 +0530
Subject: [Bro] field value missing error
Message-ID: 

module Musers;

export {
        redef enum Log::ID += { MUSER::LOG };

        type Info: record {
                ts:        time    &log;
                id:        conn_id &log &optional;
                orig_user: string  &log &optional;
                resp_user: string  &log &optional;
        };

        global log_muser: event(rec: Info);
}

redef record connection += {
        muser: Info &optional;
};

# Address -> user name learned from RADIUS (host_name_user) and from
# Kerberos (host_name_user1) logs; entries expire 7 days after last write.
global host_name_user: table[addr] of string &synchronized &write_expire=7day;
global host_name_user1: table[addr] of string &synchronized &write_expire=7day;

# Create the muser log stream
event bro_init()
        {
        Log::create_stream(MUSER::LOG, [$columns=Info, $ev=log_muser]);
        }

# Remember the Kerberos client name seen from each originator
# (this is the assignment the error below points at)
event KRB::log_krb(rec: KRB::Info)
        {
        host_name_user1[rec$id$orig_h] = rec$client;
        }

# Remember the RADIUS user name seen from each originator
event RADIUS::log_radius(rec: RADIUS::Info)
        {
        host_name_user[rec$id$orig_h] = rec$username;
        }

function set_session(c: connection)
        {
        if ( ! c?$muser )
                {
                add c$service["muser"];
                c$muser = [$ts=network_time(), $id=c$id];
                }
        }

# Kerberos client names of the form "user/host.domain.tld"
const krb_client_pattern = /^([A-Za-z0-9._\.-]+)([\/])([\da-zA-Z\.-]+)\.([a-zA-Z\.]{2,6})$/;

# Tag each new connection with the users known for its endpoints
event new_connection(c: connection)
        {
        set_session(c);

        if ( c$id$orig_h in host_name_user )
                c$muser$orig_user = host_name_user[c$id$orig_h];

        if ( c$id$resp_h in host_name_user )
                c$muser$resp_user = host_name_user[c$id$resp_h];

        if ( c$id$orig_h in host_name_user1 &&
             host_name_user1[c$id$orig_h] == krb_client_pattern )
                {
                print "orig";
                c$muser$orig_user = host_name_user1[c$id$orig_h];
                }

        if ( c$id$resp_h in host_name_user1 &&
             host_name_user1[c$id$resp_h] == krb_client_pattern )
                {
                print "resp";
                c$muser$resp_user = host_name_user1[c$id$resp_h];
                }
        }

event connection_state_remove(c: connection)
        {
        if ( c?$muser )
                Log::write(MUSER::LOG, c$muser);
        }


This is my sample code. While running it I am getting the error below:

virtual-machine:~/Newlogs$ sudo bro -C contrained-delegation/Krb-contrained-delegation.cap Musers.bro
orig
1139998844.531337 expression error in ./Musers.bro, line 51: field value missing [Musers::rec$client]

The line that error refers to (line 51) is marked in red; is there any problem in this code?


Regards,
Sunu

From jazoff at illinois.edu  Fri May 13 13:18:42 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 13 May 2016 20:18:42 +0000
Subject: [Bro] field value missing error
In-Reply-To: 
References: 
Message-ID: <797A2CA6-01F7-400E-9827-CAF1963C6BD3@illinois.edu>

> On May 13, 2016, at 4:01 PM, ps sunu  wrote:
> 
> 
> event KRB::log_krb (rec: KRB::Info)
> {
> 
>   host_name_user1[rec$id$orig_h] = rec$client;
> }
> 
> 
>                This is my sample code, while running this i am getting below error 
> virtual-machine:~/Newlogs$ sudo bro -C contrained-delegation/Krb-contrained-delegation.cap  Musers.bro
> orig
> 1139998844.531337 expression error in ./Musers.bro, line 51: field value missing [Musers::rec$client] 
> 
>             that error line no 51 is marked as red ,any problem in this code ?
> 

client is an optional field, you need to wrap that statement with a

    if(rec?$client) { }

-- 
- Justin Azoff




From pssunu6 at gmail.com  Fri May 13 13:51:21 2016
From: pssunu6 at gmail.com (ps sunu)
Date: Sat, 14 May 2016 02:21:21 +0530
Subject: [Bro] field value missing error
In-Reply-To: <797A2CA6-01F7-400E-9827-CAF1963C6BD3@illinois.edu>
References: 
	<797A2CA6-01F7-400E-9827-CAF1963C6BD3@illinois.edu>
Message-ID: 

Ya solved  Thank you

On Sat, May 14, 2016 at 1:48 AM, Azoff, Justin S 
wrote:

> > On May 13, 2016, at 4:01 PM, ps sunu  wrote:
> >
> >
> > event KRB::log_krb (rec: KRB::Info)
> > {
> >
> >   host_name_user1[rec$id$orig_h] = rec$client;
> > }
> >
> >
> >                This is my sample code, while running this i am getting
> below error
> > virtual-machine:~/Newlogs$ sudo bro -C
> contrained-delegation/Krb-contrained-delegation.cap  Musers.bro
> > orig
> > 1139998844.531337 expression error in ./Musers.bro, line 51: field value
> missing [Musers::rec$client]
> >
> >             that error line no 51 is marked as red ,any problem in this
> code ?
> >
>
> client is an optional field, you need to wrap that statement with a
>
>     if(rec?$client) { }
>
> --
> - Justin Azoff
>
>
>

From gross.b at ghc.org  Fri May 13 17:32:35 2016
From: gross.b at ghc.org (Gross, Brett)
Date: Sat, 14 May 2016 00:32:35 +0000
Subject: [Bro] bro SMTP failing to parse attributes (subject,
 attachment) with EHLO
In-Reply-To: 
References: 
Message-ID: 

Is it possible that during the processing of SMTP traffic parsing is interrupted when certain conditions are met? For example, short-circuiting the parsing logic after seeing "STARTTLS", as the traffic won't be readable and parsing is not applicable?

Brett

From: Gross, Brett
Sent: Friday, May 13, 2016 12:50 PM
To: 'bro at bro.org'
Subject: bro SMTP failing to parse attributes (subject, attachment) with EHLO

Hello Bro Community,

I'm having an issue with bro SMTP not parsing certain mail attributes like subject or attachment. The parsing worked correctly when utilizing HELO, but after switching to EHLO, parsing of those attributes is minimal or does not happen at all.


Thank you
Brett


From landy-bible at utulsa.edu  Sat May 14 20:19:46 2016
From: landy-bible at utulsa.edu (Landy Bible)
Date: Sat, 14 May 2016 22:19:46 -0500
Subject: [Bro] Using workers without SSH possible?
In-Reply-To: <572C4B46.4060609@dreyer-net.de>
References: <5720AA4D.8020901@dreyer-net.de>
	
	<5722136E.6090705@dreyer-net.de> <20160428151359.GA65121@icir.org>
	<572C4B46.4060609@dreyer-net.de>
Message-ID: 

I would just run independent bro servers at each location and aggregate the
logs to a central location out of band with a periodic rsync or perhaps a
shipper like logstash. Assuming the clocks are in sync with ntp it'd be
easy enough to correlate logs.
On May 6, 2016 2:51 AM, "Sven Dreyer"  wrote:

> Thanks for the detailed information, Robin. We are unable to send the
> traffic of each subnet to a central bro instance because the
> interconnection speed is about 500 kBit/s, while the subnets have 100
> MBit/s or Gigabit Ethernet.
>
> I am aware that rsync over SSH is already used. I was just searching for
> a "non-persistent" connection between the workers and the central
> manager/proxy because of frequent outages of the interconnection lines.
>
> Thanks!
> Sven
>
>
> Am 28.04.2016 um 17:13 schrieb Robin Sommer:
> > Actually BroControl is already using rsync over SSH, but it needs SSH
> > for other stuff as well, as it runs commands on the worker nodes. The
> > rsync is used for transferring the Bro setup over to the workers. The
> > logs on the other hand are sent back via Bro's internal communication,
> > neither SSH nor rsync involved there.
> >
> > Changing any of this remains tricky currently. However, we are planning
> > to switch to a different deployment model eventually where each node
> > maintains its Bro setup itself (so no rsync necessary anymore) and
> > also keeps a persistent broctld running for inter-node communication
> > (so no SSH executing commands anymore).
> >
> > With regards of other approaches to monitor subnets, some folks run a
> > single-machine Bro cluster with multiple interfaces and then send each
> > subnet's traffic to one interface. That can work pretty well in
> > practice, but might not apply to your situation.
> >
> > Robin
> >
> > On Thu, Apr 28, 2016 at 15:43 +0200, Sven Dreyer wrote:
> >
> >> Glenn,
> >>
> >> Am 27.04.2016 um 14:57 schrieb Glenn Forbes Fleming Larratt:
> >>> Doesn't rsync default to using ssh as its transport? Also, I'm not sure
> >>> how using rsync vs. ssh improves things in the face of slow and
> >>> unreliable networking between nodes; can you elaborate?
> >>
> >> I thought of locally collecting bro logs and have a cron job
> >> transferring the log file(s) in regular intervals. If the network is
> >> down for 5 minutes, no problem, the log files will be transferred the
> >> next time the cronjob runs.
> >>
> >> if you use "rsync -e ssh", rsync uses SSH as transport, that's correct.
> >> But rsync has a standalone daemon mode and does not need SSH to be used.
> >>
> >> Thanks,
> >> Sven
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
> >
> >
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From gross.b at ghc.org  Sun May 15 12:43:04 2016
From: gross.b at ghc.org (Gross, Brett)
Date: Sun, 15 May 2016 19:43:04 +0000
Subject: [Bro] Support for SMTP chunking?
Message-ID: 

Do the Bro analyzers support SMTP "chunking" verb/command?
Thanks,
Brett



From gross.b at ghc.org  Mon May 16 11:31:14 2016
From: gross.b at ghc.org (Gross, Brett)
Date: Mon, 16 May 2016 18:31:14 +0000
Subject: [Bro] Support for SMTP chunking?
In-Reply-To: 
References: 
Message-ID: 

All,

So after a long weekend of Bro, I believe I've confirmed that Bro does not currently support parsing BINARYMIME/CHUNKING-style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by the SMTP base scripts. We've resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server, and the upstream SMTP server now connects using the traditional DATA command, resulting in Bro being able to parse that traffic.

Brett

From: Gross, Brett
Sent: Sunday, May 15, 2016 12:43 PM
To: bro at bro.org
Subject: Support for SMTP chunking?

Do the Bro analyzers support SMTP "chunking" verb/command?
Thanks,
Brett



From gross.b at ghc.org  Mon May 16 11:32:55 2016
From: gross.b at ghc.org (Gross, Brett)
Date: Mon, 16 May 2016 18:32:55 +0000
Subject: [Bro] bro SMTP failing to parse attributes (subject,
 attachment) with EHLO
In-Reply-To: 
References: 
	
Message-ID: 

All,

This is in relation to my other post "Support for SMTP chunking?" which originally I thought was due to switching to EHLO. That was not the case...

In summary:
"So after a long weekend of Bro, I believe I've confirmed that Bro does not currently support parsing BINARYMIME/CHUNKING-style connections or formatting. I was able to write a small PoC script to print the MIME record to confirm the data is present but not being parsed by the SMTP base scripts. We've resolved this by disabling the BINARYMIME and CHUNKING SMTP verbs as advertised on the SMTP server, and the upstream SMTP server now connects using the traditional DATA command, resulting in Bro being able to parse that traffic."


Brett
From: Gross, Brett
Sent: Friday, May 13, 2016 5:33 PM
To: 'bro at bro.org'
Subject: RE: bro SMTP failing to parse attributes (subject, attachment) with EHLO

Is it possible that during the processing of SMTP traffic parsing is interrupted when certain conditions are met? For example, short-circuiting the parsing logic after seeing "STARTTLS", as the traffic won't be readable and parsing is not applicable?

Brett

From: Gross, Brett
Sent: Friday, May 13, 2016 12:50 PM
To: 'bro at bro.org'
Subject: bro SMTP failing to parse attributes (subject, attachment) with EHLO

Hello Bro Community,

I'm having an issue with bro SMTP not parsing certain mail attributes like subject or attachment. The parsing worked correctly when utilizing HELO, but after switching to EHLO, parsing of those attributes is minimal or does not happen at all.


Thank you
Brett


From jan.grashoefer at gmail.com  Mon May 16 11:44:11 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Mon, 16 May 2016 20:44:11 +0200
Subject: [Bro] Multiple log streams
In-Reply-To: 
References: 
Message-ID: <0e63e70b-0528-85a1-be3a-e026fc44724e@gmail.com>

Hi Jay,

> I'm seeing only a fraction of the total logs being written as JSON -- it
> varies between about 25-40%.

Do you miss single log lines or complete log files? In case you are
missing single log lines: Is there any pattern (e.g. a certain type of
events is missing or just a subset of logs is affected)?

In case you are running a cluster, it might be interesting to log the
node (see
https://github.com/0xxon/bro-scripts/blob/master/conn-workers.bro).

Best regards,
Jan

From monahbaki at gmail.com  Tue May 17 04:12:38 2016
From: monahbaki at gmail.com (Monah Baki)
Date: Tue, 17 May 2016 07:12:38 -0400
Subject: [Bro] Capturing active directory authentication
Message-ID: 

Hi all,

Our bro sensor is connected to a tap, I would like to capture users Active
directory and their IP address for tracking purposes. Is this possible?

Thanks
Monah

From johanna at icir.org  Tue May 17 09:57:51 2016
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 May 2016 09:57:51 -0700
Subject: [Bro] Bro - File Extraction
In-Reply-To: 
References: 
Message-ID: <20160517165751.GA76789@wifi82.sys.ICSI.Berkeley.EDU>

Hello Mehmet,

this sounds a bit like you encountered packet loss and Bro might not have
seen all the data packets, either due to network problems or because the
CPU was over-utilized during live capture.

Did you take a look at the missing_bytes field in files.log and if this is
greater than 0?

Johanna

On Wed, May 11, 2016 at 11:41:01AM +0300, Mehmet LEBLEBİCİ wrote:
> Hello all,
> 
> I am using Bro 2.4.1 and want to extract files seen on the network traffic.
> For this i loaded extract-all-files.bro script in local.bro. However, it
> does not completely extract files. It seems it stops extracting after some
> point. This occurs for all file types. I looked at the files.log file and
> see that total_bytes and seen_bytes fields are not same. I also checked
> extract file size limit and there is no problem with that. Also, when i
> save the traffic into a pcap file and issue bro -Cr pcapFile.pcap
> ...../extract-all-files.bro, it extracts files successfully. However, it
> cannot do so in current/logs/extractFiles directory. I am kind of new to
> Bro and i am stuck with this problem for about a week. So, any help will be
> appreciated.
> 
> Thanks in advance,
> 
> 
> Mehmet Leblebici

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From johanna at icir.org  Tue May 17 09:59:48 2016
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 May 2016 09:59:48 -0700
Subject: [Bro] Question regarding leaking file descriptors
In-Reply-To: 
References: 
Message-ID: <20160517165948.GB76789@wifi82.sys.ICSI.Berkeley.EDU>

Hello Art,

this is an active issue that should be fixed in the next release. The
ticket for this issue is at

https://bro-tracker.atlassian.net/browse/BIT-1594

I hope that helps,
 Johanna

On Mon, May 09, 2016 at 08:58:48AM -0400, Art Maddalena wrote:
> Hi,
> 
> We are having a problem with leaking file descriptors when using
> ActiveHTTP.  We do see the temporary files being deleted, but lsof shows
> the files not closed, so we eventually run out of file descriptors.
> 
> *Sample Output:*
> 
> bro     10687 root 1016r   REG              253,0       283     57148394
> /tmp/bro-activehttp-qque3JKygsj_body (deleted)
> 
> bro     10687 root 1017r   REG              253,0       131     57148392
> /tmp/bro-activehttp-qque3JKygsj_headers (deleted)
> 
> bro     10687 root 1018r   REG              253,0       348     57148398
> /tmp/bro-activehttp-nhBlB9hVchg_body (deleted)
> 
> bro     10687 root 1019r   REG              253,0       131     57148396
> /tmp/bro-activehttp-nhBlB9hVchg_headers (deleted)
> 
> 
> Our code is at:
> 
> https://github.com/aol/moloch/blob/master/capture/plugins/wiseService/molochwise.bro#L98
> 
> We are using bro 2.4.1. Is this a known issue or do we need to change the
> code somehow?
> 
> Thank you for your help!
> 
> 
> VR
> Art Maddalena, CISSP
> Sr. Technical Security Engineer // *AOL*
> o: 703.265.2292

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From doris at bro.org  Tue May 17 14:25:05 2016
From: doris at bro.org (Doris Schioberg)
Date: Tue, 17 May 2016 14:25:05 -0700
Subject: [Bro] New Blog Post: Talk to us! - The Bro team's communication
	channels
Message-ID: <5e3fb170-e2b8-9832-897e-4d2166c310f9@bro.org>

We made a few changes to the ways you can talk with us and others in the
Bro community. Please have a look.
http://blog.bro.org/2016/05/talk-to-us-bro-teams-communication.html

-The Bro Team

-- 
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris at bro.org

From seth at broala.com  Tue May 17 18:30:29 2016
From: seth at broala.com (Seth Hall)
Date: Tue, 17 May 2016 21:30:29 -0400
Subject: [Bro] Capturing active directory authentication
In-Reply-To: 
References: 
Message-ID: 


> On May 17, 2016, at 7:12 AM, Monah Baki  wrote:
> 
> Our bro sensor is connected to a tap, I would like to capture users Active directory and their IP address for tracking purposes. Is this possible?

It should be in Bro 2.5.  There is an SMB analyzer in development that includes an NTLM analyzer.

  .Seth

--
Seth Hall * Broala * seth at broala.com * www.broala.com



From tgdesrochers at gmail.com  Fri May 20 03:20:49 2016
From: tgdesrochers at gmail.com (Tim Desrochers)
Date: Fri, 20 May 2016 06:20:49 -0400
Subject: [Bro] [bro] attachment name in smtp log
Message-ID: <573ee5a0.0a208c0a.2d8b5.0a3d@mx.google.com>



Is there currently a way to have the filename from the file.log be placed in the smtp.log when the email contains attachments?  


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160520/ef86f1b1/attachment.html 

From jdopheid at illinois.edu  Mon May 23 13:00:32 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Mon, 23 May 2016 20:00:32 +0000
Subject: [Bro] Reminder: BroCon '16 CFP ends Friday June 3rd
Message-ID: <1EA57778-2BFA-4220-8257-048C5405CC60@illinois.edu>

Interested in presenting at BroCon '16 this year? Our call for presentations ends Friday, June 3rd. 

We are looking for talks to represent the many applications of Bro. Suitable topics include, but are not limited to: 
   * as a tool for solving problems;
   * interesting user stories, solutions, or research projects;
   * a postmortem analysis of a security incident, emphasizing Bro's contribution;
   * the value Bro brings to your professional work;
   * and, using Bro for more than intrusion detection.
Criteria for evaluating proposals include whether the topic is applicable to multiple types of organizations, gives people ideas to take home and use, can be understood by a broad audience, or is novel to many in the audience. Scrolling through our YouTube Channel may provide some insight into the types of presentations we wish to feature. Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.

Send abstracts (max 500 words) to: info at bro.org
Subject: BroCon 2016 Call for Presentations
Submission due date: Friday, June 3rd
Target date for announcing speakers: Friday July 1st

Presentations are selected by the Bro Leadership Team:
   * Seth Hall, International Computer Science Institute
   * Keith Lehigh, Indiana University
   * Vern Paxson, University of California at Berkeley / International Computer Science Institute
   * Michal Purzynski, Mozilla Foundation
   * Aashish Sharma, Lawrence Berkeley Lab
   * Adam Slagell, National Center for Supercomputing Applications
   * Robin Sommer, International Computer Science Institute


------

Jeannette Dopheide
Education Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign






From tgdesrochers at gmail.com  Thu May 26 07:28:34 2016
From: tgdesrochers at gmail.com (Tim Desrochers)
Date: Thu, 26 May 2016 10:28:34 -0400
Subject: [Bro] [bro] configure from email address
Message-ID: 

When I receive emails from my bro sensors the email address is:

bro at hostname

is there a way to configure the first part of the email address to be a
specific name instead of bro

Thanks
Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/8927464c/attachment.html 

From jlay at slave-tothe-box.net  Thu May 26 07:39:11 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 26 May 2016 08:39:11 -0600
Subject: [Bro] [bro] configure from email address
In-Reply-To: 
References: 
Message-ID: <5a7de65485c13901d7dfd0f723f06ca3@localhost>

On 2016-05-26 08:28, Tim Desrochers wrote:
> When I receive emails from my bro sensors the email address is:
> 
> bro at hostname
> 
> is there a way to configure the first part of the email address to be
> a specific name instead of bro
> 
> Thanks
> Tim
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Take a peek at:

/usr/local/bro/spool/broctl-config.sh

James

From slagell at illinois.edu  Thu May 26 07:42:01 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Thu, 26 May 2016 14:42:01 +0000
Subject: [Bro] [bro] configure from email address
In-Reply-To: 
References: 
Message-ID: 

I believe that your system configuration, not bro configuration, is controlling that and it just comes from the username of the process.

On May 26, 2016, at 9:28 AM, Tim Desrochers wrote:

When I receive emails from my bro sensors the email address is:

bro at hostname

is there a way to configure the first part of the email address to be a specific name instead of bro

Thanks
Tim
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."








-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/20c89276/attachment.html 

From William.Baker at tietronix.com  Thu May 26 07:54:59 2016
From: William.Baker at tietronix.com (William Baker)
Date: Thu, 26 May 2016 14:54:59 +0000
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
Message-ID: 

Hello,

I have a fairly simple use case. I have a database of devices, which contains a device name, manufacturer, IP addresses, and MAC address. I want to be able to take a device from that database, retrieve the MAC address, and use that to query data that has been generated by BRO.

I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption).

My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me.

Does anyone have advice for getting MAC address from a PCAP file that was used to generate different logs in BRO?

Thanks!

William Baker  |  Software Developer
Tietronix Software Inc.  |  1331 Gemini Ave.  STE 300  |  Houston, TX 77058
+1 (281) 404-7253  |  wbaker at tietronix.com  |  www.tietronix.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/140e2a1b/attachment.html 
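
One way to get a link-layer address into conn.log without going through the DHCP table, as an added example written for this thread (it is not William's script, not roam.bro, and not code from the Bro project): it records the source MAC of every packet from the raw_packet event and copies the last one seen for the originating IP into the connection record just before conn.log is written. The module name MacTrack, the field name orig_mac, the table mac_of and the one-hour expiry are my own choices; the script assumes Bro 2.4's raw_pkt_hdr, whose l2 record carries src and dst as strings, and that base/protocols/conn builds c$conn in connection_state_remove at priority 5 and writes it at priority -5.

```bro
##! Added example (not from this thread or the Bro distribution): carry the
##! originator's source MAC into conn.log using the raw_packet event.
##! Assumes Bro 2.4, where raw_pkt_hdr$l2 holds src/dst MAC strings.

@load base/protocols/conn

module MacTrack;

export {
	redef record Conn::Info += {
		## Source MAC most recently seen for the originating IP (assumed name).
		orig_mac: string &log &optional;
	};

	## Last-seen source MAC per IP address. Entries expire after an hour
	## without further packets so the table cannot grow without bound.
	global mac_of: table[addr] of string &write_expire=1hr;
}

# raw_packet fires for every packet Bro sees, so this handler is kept
# to a table assignment and nothing else.
event raw_packet(p: raw_pkt_hdr)
	{
	if ( ! p$l2?$src )
		return;

	if ( p?$ip )
		mac_of[p$ip$src] = p$l2$src;
	else if ( p?$ip6 )
		mac_of[p$ip6$src] = p$l2$src;
	}

# Priority 3 runs after base/protocols/conn has created c$conn (priority 5)
# and before it writes the record to conn.log (priority -5).
event connection_state_remove(c: connection) &priority=3
	{
	if ( c?$conn && c$id$orig_h in mac_of )
		c$conn$orig_mac = mac_of[c$id$orig_h];
	}
```

Two caveats when reading the resulting field. Handling raw_packet costs CPU at line rate, so measure before enabling it on a busy worker. And a MAC only identifies a device on the sensor's own layer-2 segment: on a tap that sits behind a router, the source MAC of every packet is the router's interface, not the end host's, which is exactly the independence of layer 2 from the connection that the replies in this thread describe.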

From slagell at illinois.edu  Thu May 26 07:59:15 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Thu, 26 May 2016 14:59:15 +0000
Subject: [Bro] [bro] configure from email address
In-Reply-To: <5a7de65485c13901d7dfd0f723f06ca3@localhost>
References: 
	<5a7de65485c13901d7dfd0f723f06ca3@localhost>
Message-ID: <8BB972E0-4078-4E9D-B58D-C4AF030EEA24@illinois.edu>



> On May 26, 2016, at 9:39 AM, James Lay  wrote:
> 
> On 2016-05-26 08:28, Tim Desrochers wrote:
>> When I receive emails from my bro sensors the email address is:
>> 
>> bro at hostname
>> 
>> is there a way to configure the first part of the email address to be
>> a specific name instead of bro
>> 
>> Thanks
>> Tim
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> Take a peek at:
> 
> /usr/local/bro/spool/broctl-config.sh
> 
> James

James is right. The from name "Big Brother" and the local address come from that file, but the local name can be overridden by your system configuration. So in my case, postfix is configured to connect to a gmail account, which then appears as the from address. 



From tgdesrochers at gmail.com  Thu May 26 08:13:15 2016
From: tgdesrochers at gmail.com (Tim Desrochers)
Date: Thu, 26 May 2016 11:13:15 -0400
Subject: [Bro] [bro] configure from email address
In-Reply-To: <5a7de65485c13901d7dfd0f723f06ca3@localhost>
References: 
	<5a7de65485c13901d7dfd0f723f06ca3@localhost>
Message-ID: 

the configuration option is in there but when I run a broctl restart or
broctl deploy it resets the option back to default.

On Thu, May 26, 2016 at 10:39 AM, James Lay 
wrote:

> On 2016-05-26 08:28, Tim Desrochers wrote:
> > When I receive emails from my bro sensors the email address is:
> >
> > bro at hostname
> >
> > is there a way to configure the first part of the email address to be
> > a specific name instead of bro
> >
> > Thanks
> > Tim
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Take a peek at:
>
> /usr/local/bro/spool/broctl-config.sh
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/76f2f11a/attachment.html 

From jlay at slave-tothe-box.net  Thu May 26 08:15:25 2016
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 26 May 2016 09:15:25 -0600
Subject: [Bro] [bro] configure from email address
In-Reply-To: 
References: 
	<5a7de65485c13901d7dfd0f723f06ca3@localhost>
	
Message-ID: <103242efeb0874a7243bcff0b3f7a582@localhost>

Stop bro first, make changes, start broctl, update and you should be 
good to go.

James

On 2016-05-26 09:13, Tim Desrochers wrote:
> the configuration option is in there but when I run a broctl restart
> or broctl deploy it resets the option back to default.
> 
> On Thu, May 26, 2016 at 10:39 AM, James Lay 
> wrote:
> 
>> On 2016-05-26 08:28, Tim Desrochers wrote:
>>> When I receive emails from my bro sensors the email address is:
>>> 
>>> bro at hostname
>>> 
>>> is there a way to configure the first part of the email address to
>> be
>>> a specific name instead of bro
>>> 
>>> Thanks
>>> Tim
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
>> Take a peek at:
>> 
>> /usr/local/bro/spool/broctl-config.sh
>> 
>> James
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From matt.clemons at gmail.com  Thu May 26 08:24:06 2016
From: matt.clemons at gmail.com (Matt Clemons)
Date: Thu, 26 May 2016 10:24:06 -0500
Subject: [Bro] [bro] configure from email address
In-Reply-To: 
References: 
	<5a7de65485c13901d7dfd0f723f06ca3@localhost>
	
Message-ID: 

I just set it in broctl.cfg

MailFrom = NAME
On Thu, May 26, 2016 at 10:13 AM, Tim Desrochers wrote:

> the configuration option is in there but when I run a broctl restart or
> broctl deploy it resets the option back to default.
>
> On Thu, May 26, 2016 at 10:39 AM, James Lay wrote:
>
>> On 2016-05-26 08:28, Tim Desrochers wrote:
>> > When I receive emails from my bro sensors the email address is:
>> >
>> > bro at hostname
>> >
>> > is there a way to configure the first part of the email address to be
>> > a specific name instead of bro
>> >
>> > Thanks
>> > Tim
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> Take a peek at:
>>
>> /usr/local/bro/spool/broctl-config.sh
>>
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

-- 
Regards,

Matt Clemons
(816) 200-0789
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/33a59881/attachment.html 

From tgdesrochers at gmail.com  Thu May 26 08:31:55 2016
From: tgdesrochers at gmail.com (Tim Desrochers)
Date: Thu, 26 May 2016 11:31:55 -0400
Subject: [Bro] [bro] configure from email address
In-Reply-To: 
References: 
	<5a7de65485c13901d7dfd0f723f06ca3@localhost>
Message-ID: 

adding it to broctl.cfg worked. Thanks everyone

On Thu, May 26, 2016 at 11:24 AM, Matt Clemons wrote:

> I just set it in broctl.cfg
>
> MailFrom = NAME
>
> On Thu, May 26, 2016 at 10:13 AM, Tim Desrochers wrote:
>
>> the configuration option is in there but when I run a broctl restart or
>> broctl deploy it resets the option back to default.
>>
>> On Thu, May 26, 2016 at 10:39 AM, James Lay wrote:
>>
>>> On 2016-05-26 08:28, Tim Desrochers wrote:
>>> > When I receive emails from my bro sensors the email address is:
>>> >
>>> > bro at hostname
>>> >
>>> > is there a way to configure the first part of the email address to be
>>> > a specific name instead of bro
>>> >
>>> > Thanks
>>> > Tim
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>> Take a peek at:
>>>
>>> /usr/local/bro/spool/broctl-config.sh
>>>
>>> James
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
> Regards,
>
> Matt Clemons
> (816) 200-0789
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/9049b5be/attachment.html 

From jan.grashoefer at gmail.com  Thu May 26 08:37:45 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Thu, 26 May 2016 17:37:45 +0200
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: 
References: 
Message-ID: 

Hi William,

> I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. 
> I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption).
> 
> My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me.

Bro's concept of connections is based on layer 3 and upwards (it's very TCP-like, which sometimes makes it difficult to understand how UDP traffic is abstracted). In theory layer 2 addresses are independent and might even vary in the course of a connection. Therefore the question would be: Which MACs of which packets do you want to log?

In general the raw_packet event (see [1]) provides access to layer 2 addresses. The current master includes a new function called get_current_packet_header that might be more comfortable to use.

Best regards,
Jan

[1] https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html#id-raw_packet

From josh.guild at morphick.com  Thu May 26 10:33:41 2016
From: josh.guild at morphick.com (Josh Guild)
Date: Thu, 26 May 2016 13:33:41 -0400
Subject: [Bro] My first Bro Scripts
Message-ID: 

Hi everyone,

I wrote a few Bro scripts to cut my teeth on the language if you all would like to check them out:

https://github.com/joshuaguild/bro_scripts

Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.

RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.

Comments/criticism are welcome! (I'm a network guy, not a programmer so...)

-- 
Josh Guild
Network Intelligence Analyst
-------------- next part --------------
An HTML attachment was scrubbed... 
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/d8830c0e/attachment.html 

From lagoon7 at gmail.com  Thu May 26 13:15:36 2016
From: lagoon7 at gmail.com (Ludwig Goon)
Date: Thu, 26 May 2016 16:15:36 -0400
Subject: [Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card
Message-ID: 

Hi, we are using Dell R230's with an additional quad port card for network captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what is the best way to configure it to listen on all 4 interfaces? Would we set that up in node.cfg and create 4 worker processes so that we can use broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4 eth5". Or is there a command line bro with options?
Is PF_RING needed?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/7ecbed26/attachment.html 

From asharma at lbl.gov  Thu May 26 13:40:08 2016
From: asharma at lbl.gov (Aashish Sharma)
Date: Thu, 26 May 2016 13:40:08 -0700
Subject: [Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card
In-Reply-To: 
References: 
Message-ID: <20160526204004.GH83552@mac-2.local>

Ludwig,

> that up in node.cfg and create 4 worker processes so that we can use

yes!! You can use a cluster setup with assigned worker to each one of the interfaces. This works under assumption that your traffic is not bouncing around (ie part of it is on eth0 and remaining on eth2 )

so node.cfg looks like this:

[manager]
type=manager
host=hostname

[proxy-1]
type=proxy
host=hostname

[proxy-2]
type=proxy
host=hostname

# (infrastructure)
[worker-12]
type=worker
host=hostname
interface=eth1

# (development)
[worker-13]
type=worker
host=hostname
interface=eth2

# (main office)
[worker-14]
type=worker
host=hostname
interface=eth3

once setup you can use broctl install, stop deploy commands. 
On Thu, May 26, 2016 at 04:15:36PM -0400, Ludwig Goon wrote:
> Hi, we are using Dell R230's with an additional quad port card for network
> captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what
> is the best way to configure it to listen on all 4 interfaces? Would we set
> that up in node.cfg and create 4 worker processes so that we can use
> broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4
> eth5". Or is there a command line bro with options?
> Is PF_RING needed?

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From lagoon7 at gmail.com  Thu May 26 13:57:01 2016
From: lagoon7 at gmail.com (Ludwig Goon)
Date: Thu, 26 May 2016 16:57:01 -0400
Subject: [Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card
In-Reply-To: <20160526204004.GH83552@mac-2.local>
References: 
	<20160526204004.GH83552@mac-2.local>
Message-ID: 

Thanks! I figured that would work.

On Thu, May 26, 2016 at 4:40 PM, Aashish Sharma wrote:

> Ludwig,
>
> > that up in node.cfg and create 4 worker processes so that we can use
>
> yes!! You can use a cluster setup with assigned worker to each one of the
> interfaces. This works under assumption that your traffic is not bouncing
> around (ie part of it is on eth0 and remaining on eth2 )
>
> so node.cfg looks like this:
>
> [manager]
> type=manager
> host=hostname
>
> [proxy-1]
> type=proxy
> host=hostname
>
> [proxy-2]
> type=proxy
> host=hostname
>
> # (infrastructure)
> [worker-12]
> type=worker
> host=hostname
> interface=eth1
>
> # (development)
> [worker-13]
> type=worker
> host=hostname
> interface=eth2
>
> # (main office)
> [worker-14]
> type=worker
> host=hostname
> interface=eth3
>
> once setup you can use broctl install, stop deploy commands. 
>
> On Thu, May 26, 2016 at 04:15:36PM -0400, Ludwig Goon wrote:
> > Hi, we are using Dell R230's with an additional quad port card for network
> > captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what
> > is the best way to configure it to listen on all 4 interfaces? Would we set
> > that up in node.cfg and create 4 worker processes so that we can use
> > broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4
> > eth5". Or is there a command line bro with options?
> > Is PF_RING needed?
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/0966017b/attachment.html 

From d7om.ph at hotmail.com  Thu May 26 16:41:19 2016
From: d7om.ph at hotmail.com (ABDUL ALEANAZI)
Date: Thu, 26 May 2016 16:41:19 -0700
Subject: [Bro] My first Bro Scripts
In-Reply-To: 
References: 
Message-ID: 

what about outgoing connections? does it check for that?

Sent from my iPhone

> On May 26, 2016, at 10:42 AM, Josh Guild wrote:
> 
> Hi everyone,
> 
> I wrote a few Bro scripts to cut my teeth on the language if you all would like to check them out:
> 
> https://github.com/joshuaguild/bro_scripts
> 
> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
> 
> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
> 
> Comments/criticism are welcome! (I'm a network guy, not a programmer so...) 
> 
> -- 
> Josh Guild
> Network Intelligence Analyst
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/318b56a3/attachment.html 
-------------- next part --------------
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From robin at icir.org  Thu May 26 20:44:21 2016
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 May 2016 20:44:21 -0700
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: 
References: 
Message-ID: <20160527034421.GA53165@icir.org>

On Thu, May 26, 2016 at 14:54 +0000, William Baker wrote:

> Does anyone have advice for getting MAC address from a PCAP file that
> was used to generate different logs in BRO?

Right now the packet-level functions/events Jan mentioned are the only option. But we've been kicking around the idea for a while to provide access to MAC addresses similar to how Bro now makes the VLAN information accessible as well. It shouldn't be too difficult actually. If anybody feels adventurous and wants to give it a try, I can send some pointers. Otherwise I'm hoping to take a look at that sometime soonish, but no guarantees. :-)

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From josh.guild at morphick.com  Fri May 27 06:12:59 2016
From: josh.guild at morphick.com (Josh Guild)
Date: Fri, 27 May 2016 09:12:59 -0400
Subject: [Bro] My first Bro Scripts
In-Reply-To: 
References: 
Message-ID: 

Hi Abdul,

You could use it to verify outbound connections if you wanted.

Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets set with the IPs you like to verify.

What's your overall goal with monitoring outbound connections? 
There may be a more elegant way of achieving it.

Thanks!

On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI wrote:

> what about outgoing connections? does it check for that?
>
> Sent from my iPhone
>
> On May 26, 2016, at 10:42 AM, Josh Guild wrote:
>
> Hi everyone,
>
> I wrote a few Bro scripts to cut my teeth on the language if you all would
> like to check them out:
>
> https://github.com/joshuaguild/bro_scripts
>
> Network Visibility will allow you to confirm that the traffic that should
> be flowing to your sensor actually is. You can populate what subnets you
> should be seeing and it will dump a log to confirm if it sees a host in
> that subnet.
>
> RDP Layout just checks the keyboard_layout field in the rdp.log against a
> whitelist (or you can make it a black list by changing the !in to in). Good
> for monitoring for lateral movement or connections to your DMZ.
>
> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
>
> --
> Josh Guild
> Network Intelligence Analyst
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

-- 
Josh Guild
Network Intelligence Analyst
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160527/2592a5ae/attachment-0001.html 

From seth at icir.org  Fri May 27 07:04:02 2016
From: seth at icir.org (Seth Hall)
Date: Fri, 27 May 2016 10:04:02 -0400
Subject: [Bro] My first Bro Scripts
In-Reply-To: 
References: 
Message-ID: <9FDA1DD8-1628-4687-8770-585AF196049C@icir.org>

> On May 27, 2016, at 9:12 AM, Josh Guild wrote:
>> 
>> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.

I like that visibility script. It's a pretty neat idea. 
Let me know if you need any pointers for moving to local_nets.

>> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.

Cool idea too. Has it caught anything interesting?

One small suggestion I could make is that you might want to go through quickly and clean up the formatting of your scripts. You have tabs and spaces intermixed and some parts just aren't indented to the correct depth; it would make them a bit easier to read. :)

Thanks for putting those scripts out there. Cool ideas!

.Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From josh.guild at morphick.com  Fri May 27 07:37:35 2016
From: josh.guild at morphick.com (Josh Guild)
Date: Fri, 27 May 2016 10:37:35 -0400
Subject: [Bro] My first Bro Scripts
In-Reply-To: <9FDA1DD8-1628-4687-8770-585AF196049C@icir.org>
References: 
	<9FDA1DD8-1628-4687-8770-585AF196049C@icir.org>
Message-ID: 

Thanks! I'd love some help in adding the local_nets into the net_conn_nets set if you have the time.

The RDP script hasn't been deployed just yet since I just wrote it but we'll be pushing it out in our next build. I'll let you know if we get hits on anything fun.

And I'll go through today and clean up my formatting, I know it's a mess right now :)

On Fri, May 27, 2016 at 10:04 AM, Seth Hall wrote:

>
> > On May 27, 2016, at 9:12 AM, Josh Guild wrote:
> >>
> >> Network Visibility will allow you to confirm that the traffic that
> should be flowing to your sensor actually is. You can populate what subnets
> you should be seeing and it will dump a log to confirm if it sees a host in
> that subnet.
>
> I like that visibility script. It's a pretty neat idea. Let me know if
> you need any pointers for moving to local_nets. 
>
> >> RDP Layout just checks the keyboard_layout field in the rdp.log against
> a whitelist (or you can make it a black list by changing the !in to in).
> Good for monitoring for lateral movement or connections to your DMZ.
>
> Cool idea too. Has it caught anything interesting?
>
> One small suggestion I could make is that you might want to go through
> quickly and clean up the formatting of your scripts. You have tabs and
> spaces intermixed and some parts just aren't indented to the correct depth,
> it would make them a bit easier to read. :)
>
> Thanks for putting those scripts out there. Cool ideas!
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>

-- 
Josh Guild
Network Intelligence Analyst
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160527/3800736d/attachment.html 

From d7om.ph at hotmail.com  Fri May 27 09:27:46 2016
From: d7om.ph at hotmail.com (ABDUL ALEANAZI)
Date: Fri, 27 May 2016 09:27:46 -0700
Subject: [Bro] My first Bro Scripts
In-Reply-To: 
References: 
Message-ID: 

great! Thank you

my goal is to monitor the behaviour of the network for outbound connection

Sent from my iPhone

> On May 27, 2016, at 6:13 AM, Josh Guild wrote:
> 
> Hi Abdul,
> 
> You could use it to verify outbound connections if you wanted.
> 
> Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets set with the IPs you like to verify.
> 
> What's your overall goal with monitoring outbound connections? There may be a more elegant way of achieving it.
> 
> Thanks!
> 
>> On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI wrote:
>> what about outgoing connections? does it check for that? 
>> 
>> Sent from my iPhone
>> 
>>> On May 26, 2016, at 10:42 AM, Josh Guild wrote:
>>> 
>>> Hi everyone,
>>> 
>>> I wrote a few Bro scripts to cut my teeth on the language if you all would like to check them out:
>>> 
>>> https://github.com/joshuaguild/bro_scripts
>>> 
>>> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
>>> 
>>> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
>>> 
>>> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
>>> 
>>> -- 
>>> Josh Guild
>>> Network Intelligence Analyst
>>> 
>>> 
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> -- 
> Josh Guild
> Network Intelligence Analyst
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160527/d85f2466/attachment.html 

From josh.guild at morphick.com  Fri May 27 10:21:47 2016
From: josh.guild at morphick.com (Josh Guild)
Date: Fri, 27 May 2016 17:21:47 +0000
Subject: [Bro] My first Bro Scripts
In-Reply-To: 
References: 
Message-ID: 

No problem. My script may be a limited way to do this. If there are specific domains/IPs you'd like to watch for, then I'd recommend using the intel framework. This will log and notify.

https://www.bro.org/sphinx/frameworks/intel.html

Or you could use bro-cut on the id.resp_h field in your conn.log with some regex to remove private IPs (I think I have a one-liner for this somewhere)

Hope that helps!

On Fri, May 27, 2016, 12:28 ABDUL ALEANAZI wrote:

> great! 
> Thank you
>
> my goal is to monitor the behaviour of the network for outbound connection
>
> Sent from my iPhone
>
> On May 27, 2016, at 6:13 AM, Josh Guild wrote:
>
> [...]
>
> --
> Josh Guild
> Network Intelligence Analyst
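Josh's bro-cut idea above, as an added example that is not from the thread: a POSIX shell function that reads a Bro conn.log, locates the id.orig_h / id.resp_h / id.resp_p columns by name from the "#fields" header (awk stands in for bro-cut so the script runs stand-alone), and prints only the connections whose responder lies outside RFC 1918 and loopback space. The function name, the constructed conn.log lines and the RFC 5737 documentation addresses used as "public" responders are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: list outbound connections to non-private
# responders in a Bro conn.log. awk stands in for bro-cut: it resolves columns
# by name from the "#fields" header instead of assuming a fixed column order.

# Constructed sample conn.log (abbreviated header; RFC 5737 documentation
# addresses stand in for public responders). Real Bro logs are tab-separated.
SAMPLE_CONN_LOG=$(printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1464700000.1\tC1a2b3\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp
1464700001.2\tC4d5e6\t10.0.0.5\t51001\t192.168.1.20\t3389\ttcp
1464700002.3\tC7f8g9\t10.0.0.7\t51002\t172.16.8.9\t22\ttcp
1464700003.4\tCh0i1j\t10.0.0.7\t51003\t198.51.100.23\t53\tudp
1464700004.5\tCk2l3m\t10.0.0.9\t51004\t127.0.0.1\t8080\ttcp
#close\t2016-05-31-12-00-00')

# Print "orig_h resp_h resp_p" for every connection whose responder is not in
# RFC 1918 private space or loopback. $1 is the path of the conn.log.
outbound_public_conns() {
    awk -F '\t' '
        # Header line: "#fields" followed by one column name per field.
        /^#fields/ {
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            oh = col["id.orig_h"]; rh = col["id.resp_h"]; rp = col["id.resp_p"]
            next
        }
        /^#/ { next }   # other metadata lines (#separator, #close, ...)
        {
            if (rh == "") next   # data before any #fields header: unknown layout
            resp = $rh
            if (resp ~ /^10\./)                         next
            if (resp ~ /^192\.168\./)                   next
            if (resp ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            if (resp ~ /^127\./)                        next
            print $oh, resp, $rp
        }' "$1"
}

# Stand-alone demo on the constructed sample.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_CONN_LOG" > "$demo_log"
outbound_public_conns "$demo_log"
rm -f "$demo_log"
```

Extend the exclusion list (link-local 169.254/16, CGNAT 100.64/10, your own public ranges) to match what "internal" means on your network; for a curated watch list of specific IPs or domains, the intel framework Josh mentions is the better fit since it logs and notifies inside Bro.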
From doris at bro.org Fri May 27 10:26:57 2016
From: doris at bro.org (Doris Schioberg)
Date: Fri, 27 May 2016 10:26:57 -0700
Subject: [Bro] Reminder: Upgrade your Bro installation! Stability updates in 2.4.1
Message-ID: <8268d783-ba48-7631-428f-f8c0959f37cb@bro.org>

Bro 2.5 is not far away, but in the meantime you should upgrade to Bro 2.4.1. This is the latest stable release. If you are running 2.4, the upgrade to 2.4.1 won't break your config. This release contains important fixes without changing Bro's functionality.

Check the change log here: https://www.bro.org/download/CHANGES.bro.txt.

- the Bro team

--
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris at bro.org

From robin at icir.org Sun May 29 17:45:19 2016
From: robin at icir.org (Robin Sommer)
Date: Sun, 29 May 2016 17:45:19 -0700
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: <20160527034421.GA53165@icir.org>
References: <20160527034421.GA53165@icir.org>
Message-ID: <20160530004519.GA27606@icir.org>

On Thu, May 26, 2016 at 20:44 -0700, I wrote:

> Otherwise I'm hoping to take a look at that sometime soonish, but no
> guarantees.
:-) Alright, just pushed a commit to master, see
https://github.com/bro/bro/commit/57aef6d49ff2fabfed638ef44100daa7dab06e9b

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jan.grashoefer at gmail.com Mon May 30 02:48:52 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Mon, 30 May 2016 11:48:52 +0200
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: <20160530004519.GA27606@icir.org>
References: <20160527034421.GA53165@icir.org> <20160530004519.GA27606@icir.org>
Message-ID: <9f10ff61-2184-89ee-c4b8-5ed7c3187aa7@gmail.com>

> Alright, just pushed a commit to master, see
> https://github.com/bro/bro/commit/57aef6d49ff2fabfed638ef44100daa7dab06e9b

I had a look, too, and came up with a slightly different solution (see
https://github.com/bro/bro/compare/master...J-Gras:topic/jgras/link-layer-addr).
The main difference is that the MAC addresses follow the originator/responder pattern, so you could correlate them to IPs.

Another point is that link-layer addresses could change in the course of a "connection" (see q-in-q.trace for a minimal example). My idea would be to handle this like the flow label and generate an event once the addresses change (might be valuable information). I hesitated to implement this, as this would add per-packet code, which I guess should only be introduced if really necessary. However, if you are fine with those extra lines I could add it and merge both solutions.

Best regards,
Jan

P.S.: Seems you forgot to commit your protocols/conn/mac-logging.bro

From qaienee at gmail.com Mon May 30 09:58:55 2016
From: qaienee at gmail.com (Hamid Reza Ghaeini)
Date: Tue, 31 May 2016 00:58:55 +0800
Subject: [Bro] Brownian and Ubuntu 16.04

Hi.
I configured Brownian based on your instructions and the following link:
http://www.hyperionavenue.com/?p=692

My configuration is:

Elasticsearch 2.3.3
Bro 2.4.1
Ubuntu 16.04 LTS

I followed the procedure and it works on Ubuntu 14.04. I'm wondering why it is not working in the new version of Ubuntu.

I did this for testing Elasticsearch:

    curl 'localhost:9200/_cat/indices?v' | grep bro
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   270  100   270    0     0   4302      0 --:--:-- --:--:-- --:--:--  4354
    yellow open @bro-meta        5 1 1 11 4.8kb 4.8kb
    yellow open bro-201605312100 5 1 0  0  795b  795b

It looks like Elasticsearch is working fine, but Brownian shows this error:

    Error! Could not connect to server - please check ELASTICSEARCH_SERVER in settings.py

Could you please help me to solve this problem?

Thanks.

From robin at icir.org Mon May 30 12:23:43 2016
From: robin at icir.org (Robin Sommer)
Date: Mon, 30 May 2016 12:23:43 -0700
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: <9f10ff61-2184-89ee-c4b8-5ed7c3187aa7@gmail.com>
References: <20160527034421.GA53165@icir.org> <20160530004519.GA27606@icir.org> <9f10ff61-2184-89ee-c4b8-5ed7c3187aa7@gmail.com>
Message-ID: <20160530192343.GK45278@icir.org>

On Mon, May 30, 2016 at 11:48 +0200, Jan Grashöfer wrote:

> The main difference is that the MAC addresses follow the
> originator/responder pattern, so you could correlate them to IPs.

Yeah, I can see moving them into the endpoints; that also addresses flipping them if the connection switches roles. If you turn that into a pull request, I'll merge it in. (I think I'd change the dynamic allocations for orig/resp_l2_addr to static arrays to avoid the memory operations.)
> Another point is that link-layer addresses could change in the course of
> a "connection" (see q-in-q.trace for a minimal example). My idea would
> be to handle this like the flow label and generate an event once the
> addresses change (might be valuable information).

I'm hesitant on this too, not sure that's common enough to warrant the extra logic. It's also part of the fundamental issue that Bro's connection-oriented nature sometimes has trouble reflecting layer-2 semantics (VLANs could in principle change too). So I would skip this at least until a clear need arises.

> P.S.: Seems you forgot to commit your protocols/conn/mac-logging.bro

Fixed!

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From sherine.davis at flipkart.com Tue May 31 00:19:43 2016
From: sherine.davis at flipkart.com (Sherine Davis (Security Engineering))
Date: Tue, 31 May 2016 12:49:43 +0530
Subject: [Bro] ERROR ! I keep getting a message saying "cant find weird"

I am sorry for the disturbance. This must be a noob question :P
And I am new to this, so please help me out.

My BRO script starts as follows:

    @load weird
    @load alarm
    @load tcp

    event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
        {
        print fmt("IP : %s WITH PORT NO.: %s IS TRYING TO ACCESS TCP PACKETS", c$id$orig_h, c$id$orig_p);
        }

error : cant find weird

Even if I remove the first line, the same error keeps popping up for alarm and tcp.
It has to be something about the path from which the scripts are being loaded,
but I wasn't able to get a solution.

Please do help.
Thank You

From jazoff at illinois.edu Tue May 31 06:11:26 2016
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 31 May 2016 13:11:26 +0000
Subject: [Bro] ERROR !
  I keep getting a message saying "cant find weird"
Message-ID: <1AF30C93-F272-4F65-AA48-EEF53CD35CB3@illinois.edu>

> On May 31, 2016, at 3:19 AM, Sherine Davis (Security Engineering) wrote:
>
> I am sorry for the disturbance. This must be a noob question :P
> And I am new to this, so please help me out

Remove all 3 of the @load lines; no such scripts exist and you do not need any of them.

> My BRO script starts as follows:
> @load weird
> @load alarm
> @load tcp
>

--
- Justin Azoff

From jan.grashoefer at gmail.com Tue May 31 06:45:01 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Tue, 31 May 2016 15:45:01 +0200
Subject: [Bro] Adding MAC Address Information to Connection Object and Logs
In-Reply-To: <20160530192343.GK45278@icir.org>
References: <20160527034421.GA53165@icir.org> <20160530004519.GA27606@icir.org> <9f10ff61-2184-89ee-c4b8-5ed7c3187aa7@gmail.com> <20160530192343.GK45278@icir.org>
Message-ID: <0117143f-d67d-74d9-ca98-c4b312fb979f@gmail.com>

> Yeah, I can see moving them into the endpoints, that also addresses
> flipping them if the connection switches roles. If you turn that into
> a pull request, I'll merge it in. (I think I'd change the dynamic
> allocations for orig/resp_l2_addr to static arrays to avoid the memory
> operations.)

I will have a look this week and open a pull request.

>> Another point is that link-layer addresses could change in the course of
>> a "connection" (see q-in-q.trace for a minimal example). My idea would
>> be to handle this like the flow label and generate an event once the
>> addresses change (might be valuable information).
>
> I'm hesitant on this too, not sure that's common enough to warrant
> the extra logic. It's also part of the fundamental issue that Bro's
> connection-oriented nature sometimes has trouble reflecting layer-2
> semantics (VLANs could in principle change too). So I would skip this
> at least until a clear need arises.
I don't know how complex the plugin logic is, but maybe plugins can be used to support optional layer 2 stuff like this.

Best regards,
Jan

From gfaulkner.nsm at gmail.com Tue May 31 09:48:24 2016
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Tue, 31 May 2016 11:48:24 -0500
Subject: [Bro] Bro Roadmap and Linux Distro Compatibility
Message-ID: <0f62a4f3-3e11-f169-ea11-9c599ead4749@gmail.com>

I'm about to build a couple more worker nodes and it got me wondering whether I should migrate to a newer Linux distro. My current cluster is running on RHEL 6.x, but over the past couple of years I've noticed changes to Bro that temporarily required installing newer versions of CMake than RHEL 6.x originally supported. RHEL 6.x eventually broke the mold of not breaking binary compatibility around RHEL 6.6 and moved to a newer CMake, which made the RHEL-packaged CMake Bro-compatible once again. As such, I'm wondering if there is anything in the pipeline that would break compatibility with a properly updated RHEL 6.x/CentOS 6.x. I'd rather not maintain separate versions of libraries to build Bro if possible. We're technically a RHEL shop, so I'd probably be looking at RHEL 7.x, but I could look at another distro that is more aggressive with running newer kernels and software libraries if necessary. Thoughts?

~Gary

From slagell at illinois.edu Tue May 31 09:52:30 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 31 May 2016 16:52:30 +0000
Subject: [Bro] Bro Roadmap and Linux Distro Compatibility
In-Reply-To: <0f62a4f3-3e11-f169-ea11-9c599ead4749@gmail.com>
References: <0f62a4f3-3e11-f169-ea11-9c599ead4749@gmail.com>
Message-ID: <5197D1AD-088B-40A2-A8A3-762F9830B76C@illinois.edu>

Yes, you should for Bro 2.5. I suppose you will be able to disable broker at config time and maybe still compile, but the RHEL 6 compiler doesn't support all of Bro's code or its dependencies.
> On May 31, 2016, at 11:48 AM, Gary Faulkner wrote:
>
> [...]

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From doris at bro.org Tue May 31 13:17:07 2016
From: doris at bro.org (Doris Schioberg)
Date: Tue, 31 May 2016 13:17:07 -0700
Subject: [Bro] Reminder: Upgrade your Bro installation! Stability updates in 2.4.1
In-Reply-To: <8268d783-ba48-7631-428f-f8c0959f37cb@bro.org>
References: <8268d783-ba48-7631-428f-f8c0959f37cb@bro.org>
Message-ID: <6577c4c0-a185-a231-d957-6fee829a3e75@bro.org>

2.4.1 is not a new release!
We just wanted to remind everyone to look at the version they're running. Your current version can be seen using "bro --version".

- the Bro team

On 5/27/16 10:26 AM, Doris Schioberg wrote:
> [...]

--
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris at bro.org

From gfaulkner.nsm at gmail.com Tue May 31 13:43:44 2016
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Tue, 31 May 2016 15:43:44 -0500
Subject: [Bro] Bro Roadmap and Linux Distro Compatibility
In-Reply-To: <5197D1AD-088B-40A2-A8A3-762F9830B76C@illinois.edu>
References: <0f62a4f3-3e11-f169-ea11-9c599ead4749@gmail.com> <5197D1AD-088B-40A2-A8A3-762F9830B76C@illinois.edu>
Message-ID: <332126d4-084d-38f9-d819-2501a1d1782e@gmail.com>

Are we just talking C++11 support, which RHEL 7 supports (current git master compiles as long as you install CAF), or something where I'll want to jump to something with a 4.x kernel and C++14 support, say Ubuntu 16.04 LTS, Fedora, etc.? RHEL 7 appears to have CMake 2.8.11 and GCC 4.8.5. The latter supports C++11, but I don't believe it supports anything newer. At one point I thought I saw talk of wanting to move to C++14 on the dev list.

~Gary

On 5/31/16 11:52 AM, Slagell, Adam J wrote:
> Yes, you should for Bro 2.5. I suppose you will be able to disable broker at config time and maybe still compile, but the RHEL 6 compiler doesn't support all of Bro's code or its dependencies.
>
>> On May 31, 2016, at 11:48 AM, Gary Faulkner wrote:
>>
>> [...]
From slagell at illinois.edu Tue May 31 15:20:35 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 31 May 2016 22:20:35 +0000
Subject: [Bro] Bro Roadmap and Linux Distro Compatibility
In-Reply-To: <332126d4-084d-38f9-d819-2501a1d1782e@gmail.com>
References: <0f62a4f3-3e11-f169-ea11-9c599ead4749@gmail.com> <5197D1AD-088B-40A2-A8A3-762F9830B76C@illinois.edu> <332126d4-084d-38f9-d819-2501a1d1782e@gmail.com>

I am just talking about C++11 support.

> On May 31, 2016, at 3:43 PM, Gary Faulkner wrote:
>
> [...]
From dnj0496 at gmail.com Tue May 31 22:32:35 2016
From: dnj0496 at gmail.com (Dk Jack)
Date: Tue, 31 May 2016 22:32:35 -0700
Subject: [Bro] plugin help

Hi,

I have written a small Bro plugin. I followed the instructions on the Bro plugin page. If I put my plugin code in the /lib/bro/plugins directory, everything works fine. For testing purposes, I'd like to keep the plugins directory different from the final directory. If I have my plugin in /abc/def and set my BRO_PLUGIN_PATH=/abc/def directory, it fails to load. I run Bro using the following command:

    > /bin/bro -N

The program coredumps... The failure happens in the InitBifs code, which calls my plugin bif init function. The plugin directory layout is exactly the same as when it works if I put the plugins directory in directory. Is there something I need to set up if I have the plugins directory in a different location?

thanks.
Dk
From sherine.davis at flipkart.com Tue May 31 22:45:10 2016
From: sherine.davis at flipkart.com (Sherine Davis (Security Engineering))
Date: Wed, 1 Jun 2016 11:15:10 +0530
Subject: [Bro] Possibility storing results into system registers ?

Hi,

I am trying to build a cpp app that shows information about the traffic. So I would like to know if it is possible to store results obtained using Bro scripts into system registers or somewhere that another cpp file can access those scripts.

If you have any other suggestions, feel free to comment.

Regards,
Sherine Davis