[Bro] Bro Digest, Vol 126, Issue 43

Audrius J audrjon at gmail.com
Tue Oct 25 11:24:24 PDT 2016


Hi,

I think that you should restart bro, and here is why...
Your data is appended, but the old IOCs that are not relevant anymore are not removed. One day you may have a lot of IOCs to check against the traffic, so you may experience problems like packet drops, etc...
We had this issue, so this is why we decided to restart bro once a day, just to avoid those problems...
Sure, just pick the time that works best for you!

Regards,
Audrius

Sent from my iPhone

> On 24 Oct 2016, at 22:00, bro-request at bro.org wrote:
> 
> Send Bro mailing list submissions to
>    bro at bro.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>    bro-request at bro.org
> 
> You can reach the person managing the list at
>    bro-owner at bro.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
> 
> 
> Today's Topics:
> 
>   1. Re: Bro crashed this morning.. (fatema bannatwala)
>   2. Re: Several protosig questions (Robin Sommer)
>   3. Re: When...timeout statement not executing (Robin Sommer)
>   4. Re: Several protosig questions (James Lay)
>   5. Re: Bro crashed this morning.. (Azoff, Justin S)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 24 Oct 2016 14:48:56 -0400
> From: fatema bannatwala <fatema.bannatwala at gmail.com>
> Subject: Re: [Bro] Bro crashed this morning..
> To: "Azoff, Justin S" <jazoff at illinois.edu>
> Cc: "bro at bro.org" <bro at bro.org>
> Message-ID:
>    <CACX0rURWm4R61w1QH2k=9krdnKFDyW2WfDrHXcjVtyEyH+AKPA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> I have two crons currently in bro's crontab:
> $ crontab -l
> 0-59/5 * * * *  /usr/local/bro/default/bin/broctl cron
> 55 6 * * *      /usr/local/bro/bin/restart-bro
> 
> restart-bro is a small script that looks like this:
> 
> /usr/local/bro/default/bin/broctl install
> /usr/local/bro/default/bin/broctl restart
> 
> The reason, I think, for having bro restart every morning at 6:55 is that we
> pull down the intel feeds every morning at 6:45,
> which updates the files that bro monitors as input feeds for the intel framework.
> And I thought that Bro would not pick up new/updated input feeds unless
> restarted.
> 
> Would that be something causing bro to not restart?
> 
> 
> On Mon, Oct 24, 2016 at 2:24 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> 
>> 
>>> On Oct 23, 2016, at 5:00 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>>> 
>>> Hi all,
>>> 
>>> So, it happened again, this morning around 6:55am.
>>> Bro stopped at that time, don't really know why.
>>> I got to know about this when I wanted to analyse traffic for a
>> particular IP around 11 and found out that we don't have any logs after 7am
>> logged by BRO :(
>> 
>> Do you have the 'broctl cron' job installed?
>> 
>> # /etc/cron.d/bro
>> # bro cron tasks
>> @reboot      root timeout 10m /bro/bin/broctl start
>> */5  * * * * root timeout 10m /bro/bin/broctl cron
>> 
>> --
>> - Justin Azoff
>> 
>> 
>> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 24 Oct 2016 11:51:46 -0700
> From: Robin Sommer <robin at icir.org>
> Subject: Re: [Bro] Several protosig questions
> To: James Lay <jlay at slave-tothe-box.net>
> Cc: Bro-IDS <bro at bro.org>
> Message-ID: <20161024185146.GE28345 at icir.org>
> Content-Type: text/plain; charset=iso-8859-1
> 
> 
> 
>> On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:
>> 
>> However if I have a generic ntp rule, either before or after the
>> ntp_apple, I only get the ntp match:
> 
> Let me clarify one thing:
> 
>> ? eval ProtoSig::match
> 
> "eval" is not for flagging a match. It's a condition by itself that
> influences the matching of the signature. To learn about a match use
> "event" instead and then hook into the "signature_event" event. If I
> do that, things seem to work for me correctly with the sig-fixes
> branch:
> 
>    # cat test.sig
>    signature protosig_ntp {
>      ip-proto == udp
>      dst-port == 123
>      payload /.*\x00/
>      payload-size == 48
>      event "match"
> 
>    }
>    signature protosig_ntp_apple {
>      dst-ip == 17.0.0.0/8
>      ip-proto == udp
>      dst-port == 123
>      payload /.*\x00/
>      payload-size == 48
>      event "match"
>    }
> 
>    # cat test.bro
>    event signature_match(state: signature_state, msg: string, data: string)
>            {
>            print "signature match", state$sig_id;
>            }
> 
>    # bro -s ./test.sig -r ntp-1.pcap ./test.bro
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
>    signature match, protosig_ntp
>    signature match, protosig_ntp_apple
> 
> 
> If I add "eval", I do see it execute for both signatures, though more
> often for the generic one. That's probably an artefact of the order in
> which conditions are run internally; having the dst-ip in there may
> change that.
> 
> Btw, the order of matches is undefined, and might well have changed
> since 2.4.
> 
> Robin
> 
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 24 Oct 2016 11:57:01 -0700
> From: Robin Sommer <robin at icir.org>
> Subject: Re: [Bro] When...timeout statement not executing
> To: Alex Hope <alex.hope at shopify.com>
> Cc: bro at bro.org
> Message-ID: <20161024185701.GF28345 at icir.org>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> 
>> On Mon, Oct 17, 2016 at 14:55 -0400, Alex Hope wrote:
>> 
>> I'm having an issue where the when...timeout block isn't executing. I'll
>> post my code then explain the problem I'm experiencing.
> 
> Is there any chance you could find a way to reproduce this problem on
> a small trace? Since you say it happens only "sometimes" I'm guessing
> that it may be hard to track down otherwise.
> 
> Robin
> 
> -- 
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 24 Oct 2016 12:58:08 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] Several protosig questions
> To: Robin Sommer <robin at icir.org>
> Cc: Bro-IDS <bro at bro.org>
> Message-ID: <4e1013457c0cf046f0f4972fb32a5ed3 at localhost>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
>> On 2016-10-24 12:51, Robin Sommer wrote:
>>> On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:
>>> 
>>> However if I have a generic ntp rule, either before or after the
>>> ntp_apple, I only get the ntp match:
>> 
>> Let me clarify one thing:
>> 
>>> ? eval ProtoSig::match
>> 
>> "eval" is not for flagging a match. It's a condition by itself that
>> influences the matching of the signature. To learn about a match use
>> "event" instead and then hook into the "signature_event" event. If I
>> do that, things seem to work for me correctly with the sig-fixes
>> branch:
> 
> Ok cool...I've just been going per the docs here:
> 
> https://github.com/broala/bro-protosigs
> 
> "You must add the eval ProtoSig::match condition into your signature 
> that does the final match. That call is what ties the signature match 
> into the protosigs Bro scripts."
> 
> I'll give event a go and report my findings.  Thanks so much Robin!
> 
> James
> 
>> 
>>    # cat test.sig
>>    signature protosig_ntp {
>>      ip-proto == udp
>>      dst-port == 123
>>      payload /.*\x00/
>>      payload-size == 48
>>      event "match"
>> 
>>    }
>>    signature protosig_ntp_apple {
>>      dst-ip == 17.0.0.0/8
>>      ip-proto == udp
>>      dst-port == 123
>>      payload /.*\x00/
>>      payload-size == 48
>>      event "match"
>>    }
>> 
>>    # cat test.bro
>>    event signature_match(state: signature_state, msg: string, data: string)
>>            {
>>            print "signature match", state$sig_id;
>>            }
>> 
>>    # bro -s ./test.sig -r ntp-1.pcap ./test.bro
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>>    signature match, protosig_ntp
>>    signature match, protosig_ntp_apple
>> 
>> 
>> If I add "eval", I do see it execute for both signatures, though more
>> often for the generic one. That's probably an artefact of the order in
>> which conditions are run internally; having the dst-ip in there may
>> change that.
>> 
>> Btw, the order of matches is undefined, and might well have changed
>> since 2.4.
>> 
>> Robin
>> 
>> --
>> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Mon, 24 Oct 2016 18:58:22 +0000
> From: "Azoff, Justin S" <jazoff at illinois.edu>
> Subject: Re: [Bro] Bro crashed this morning..
> To: fatema bannatwala <fatema.bannatwala at gmail.com>
> Cc: "bro at bro.org" <bro at bro.org>
> Message-ID: <DFF67BD9-F4AC-494E-AA99-746D2F22D4AF at illinois.edu>
> Content-Type: text/plain; charset="us-ascii"
> 
> 
>> On Oct 24, 2016, at 2:48 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>> 
>> I have two crons currently in bro's crontab:
>> $ crontab -l
>> 0-59/5 * * * *  /usr/local/bro/default/bin/broctl cron
>> 55 6 * * *      /usr/local/bro/bin/restart-bro
>> 
>> restart-bro is a small script that looks like this:
>> 
>> /usr/local/bro/default/bin/broctl install
>> /usr/local/bro/default/bin/broctl restart
>> 
>> The reason, I think, for having bro restart every morning at 6:55 is that we pull down the intel feeds every morning at 6:45,
>> which updates the files that bro monitors as input feeds for the intel framework.
>> And I thought that Bro would not pick up new/updated input feeds unless restarted.  
>> 
>> Would that be something causing bro to not restart?
>> 
> 
> You shouldn't have to restart bro for it to pull in updates from intel files.
> 
> It's suspicious that you say bro crashed at 7am and that cron job runs at 6:55.
> 
> It's possible that something went wrong during the restart and bro just ended up stopped.  I could see 'broctl restart' leaving the cluster in an inconsistent state if it gets interrupted.
> 
> I'd just remove that job (since intel files should auto update on their own) or try changing the time it runs at to 6:57, which should at least avoid it running at the same time as cron.
> 
> 
> 
> -- 
> - Justin Azoff
> 
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> End of Bro Digest, Vol 126, Issue 43
> ************************************
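The timing problem Justin points out above (a restart at 6:55 landing in the same minute as a `0-59/5` `broctl cron` job) is easy to check mechanically before editing a crontab. The following is an added example written for this page, not code from Bro, broctl, or anyone in the thread: it expands the five crontab time fields (lists, ranges, `*`, and `/STEP` suffixes, so it goes beyond the two entries in the thread), parses both user-crontab lines and `/etc/cron.d`-style lines with a user column, and reports every pair of jobs that can fire in the same minute. The two sample crontabs are constructed from the lines quoted in the digest; the check treats the five fields as independent AND constraints and ignores Vixie cron's day-of-month/day-of-week OR rule, so it is an approximation rather than an exact schedule simulation.

```python
"""Find cron jobs that can fire in the same minute (added example, not part of Bro/broctl)."""
import itertools
from typing import List, NamedTuple, Set, Tuple

# Legal value range of each time field: minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# Constructed from the crontab quoted in the thread (user crontab format).
FATEMA_CRONTAB = """\
0-59/5 * * * *  /usr/local/bro/default/bin/broctl cron
55 6 * * *      /usr/local/bro/bin/restart-bro
"""

# Justin's suggested fix: move the restart off the 5-minute grid.
FIXED_CRONTAB = FATEMA_CRONTAB.replace("55 6", "57 6")

# Constructed from the /etc/cron.d snippet quoted in the thread (has a user column).
JUSTIN_CROND = """\
# bro cron tasks
@reboot      root timeout 10m /bro/bin/broctl start
*/5  * * * * root timeout 10m /bro/bin/broctl cron
"""


def expand_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one crontab field into the set of values it matches.

    Handles '*', 'N', 'A-B', comma-separated lists, and a '/STEP' suffix on
    '*' or 'A-B', so '0-59/5' and '*/5' both give {0, 5, 10, ..., 55}.
    """
    values: Set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            if step != 1:
                raise ValueError(f"step needs a range or '*': {spec!r}")
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


class Job(NamedTuple):
    fields: Tuple[Set[int], ...]  # expanded minute, hour, dom, month, dow
    command: str


def parse_crontab(text: str, system_format: bool = False) -> List[Job]:
    """Parse crontab text into Jobs.

    system_format=True expects /etc/cron.d layout, where a user column sits
    between the time fields and the command. Comments, blank lines and
    '@reboot'-style special schedules are skipped; they never share a minute
    with a timed job.
    """
    n_fixed = 6 if system_format else 5
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, n_fixed)
        if len(parts) < n_fixed + 1:
            raise ValueError(f"malformed crontab line: {raw!r}")
        fields = tuple(expand_field(spec, lo, hi)
                       for spec, (lo, hi) in zip(parts[:5], FIELD_RANGES))
        jobs.append(Job(fields, parts[n_fixed]))
    return jobs


def collisions(jobs: List[Job]) -> List[Tuple[str, str, List[Tuple[int, int]]]]:
    """Return (command_a, command_b, [(hour, minute), ...]) for each pair of
    jobs whose five field sets all overlap, i.e. that can fire together.
    Approximation: fields are treated as independent AND constraints, so the
    Vixie day-of-month/day-of-week OR rule is not modelled.
    """
    found = []
    for a, b in itertools.combinations(jobs, 2):
        shared = [fa & fb for fa, fb in zip(a.fields, b.fields)]
        if all(shared):
            times = sorted((h, m) for h in shared[1] for m in shared[0])
            found.append((a.command, b.command, times))
    return found


if __name__ == "__main__":
    for label, text in (("as posted", FATEMA_CRONTAB), ("moved to 6:57", FIXED_CRONTAB)):
        print(label, collisions(parse_crontab(text)))
```

Running the module prints one collision at 06:55 for the crontab as posted and none after the restart is moved to 6:57. Because `expand_field` returns plain sets, the same check extends to any pair of jobs whose schedules are written differently but land on the same grid, which is the situation that is hardest to spot by eye in a long crontab.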