[Bro] Bro Digest, Vol 132, Issue 24

Dave Florek dave.a.florek at gmail.com
Mon Apr 17 09:24:12 PDT 2017


Hi Seth,

I'm trying to get Bro to compile with the libpcap shared object initially
installed with CentOS or from the development package:

/usr/lib64/libpcap.so.1
/usr/local/lib/libpcap.so.1

On Mon, Apr 17, 2017 at 11:11 AM, <bro-request at bro.org> wrote:

> Send Bro mailing list submissions to
>         bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>         bro-request at bro.org
>
> You can reach the person managing the list at
>         bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Layer 7 DoS attacks (RoM)
>    2. host_name adding into dhcp.log (ps sunu)
>    3. Ports used between manager/logger/proxy host and worker nodes
>       (C. L. Martinez)
>    4. Re: Ports used between manager/logger/proxy host and worker
>       nodes (C. L. Martinez)
>    5. Re: Ports used between manager/logger/proxy host and worker
>       nodes (SOLVED) (C. L. Martinez)
>    6. Re: Bro and GeoIP support (Seth Hall)
>    7. Re: Issue with Bro and libpcap during compile (Seth Hall)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Apr 2017 13:10:12 +0800
> From: RoM <theomnipotentyouth at gmail.com>
> Subject: [Bro] Layer 7 DoS attacks
> To: bro at bro.org
> Message-ID: <CAEmjipPugy56embSMcfX_PgzpWz5uM-Pa=9YoZHxrUKxcNXFKA@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> I saw an interesting post
> (http://mailman.icsi.berkeley.edu/pipermail/bro/2012-January/004508.html)
> about detecting layer 7 DoS attacks using Bro; there was a script written by
> Seth Hall (seth at corelight.com)
> (http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120109/84fdf6c0/attachment.obj),
> but the script won't work in the new version of Bro, so I was wondering if
> anyone had any idea on how to do it in Bro 2.5?
>
> Thanks for any feedback in advance!
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Apr 2017 11:23:27 +0530
> From: ps sunu <pssunu6 at gmail.com>
> Subject: [Bro] host_name adding into dhcp.log
> To: bro at bro.org
> Message-ID: <CALGAZaAWhUtb_Kf5kSppwWgoCrfueeU-kiM0EGuRbURMVgYwrQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
> How do I add the host name to dhcp.log? Are there any samples?
>
> Regards,
> Sunu
>
> ------------------------------
>
> Message: 3
> Date: Mon, 17 Apr 2017 11:25:23 +0000
> From: "C. L. Martinez" <carlopmart at gmail.com>
> Subject: [Bro] Ports used between manager/logger/proxy host and worker
>         nodes
> To: bro at bro.org
> Message-ID: <20170417112522.37mshye6yafbypki at scotland.uxdom.org>
> Content-Type: text/plain; charset=utf-8
>
> Hi all,
>
>  I have set up one manager/logger/proxy host with 5 worker nodes (all using
> version 2.5). Two of these 5 worker nodes are behind firewalls. I am seeing
> several packets dropped between these worker nodes and the manager host:
>
> Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S
> 2230094890:2230094890(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1780505936[|tcp]> (DF) (ttl 64, id 47383, len 64, bad
> ip cksum 14! -> b36d)
> Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S
> 4275416417:4275416417(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1149589794[|tcp]> (DF) (ttl 64, id 42370, len 64, bad
> ip cksum 14! -> c702)
> Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S
> 363396747:363396747(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 703336159[|tcp]> (DF) (ttl 64, id 38422, len 64, bad ip
> cksum 14! -> d66e)
>
>  What ports do I need to open in these firewalls to permit comms between
> worker nodes and manager host?
>
> Thanks
> --
> Greetings,
> C. L. Martinez
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 17 Apr 2017 12:32:40 +0000
> From: "C. L. Martinez" <carlopmart at gmail.com>
> Subject: Re: [Bro] Ports used between manager/logger/proxy host and
>         worker  nodes
> To: bro at bro.org
> Message-ID: <20170417123240.2ovba7nobdk2b4vk at scotland.uxdom.org>
> Content-Type: text/plain; charset=utf-8
>
> On Mon, Apr 17, 2017 at 11:25:23AM +0000, C. L. Martinez wrote:
> > Hi all,
> >
> >  I have set up one manager/logger/proxy host with 5 worker nodes (all
> using version 2.5). Two of these 5 worker nodes are behind firewalls. I am
> seeing several packets dropped between these worker nodes and the manager host:
> >
> > Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S
> 2230094890:2230094890(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1780505936[|tcp]> (DF) (ttl 64, id 47383, len 64, bad
> ip cksum 14! -> b36d)
> > Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S
> 4275416417:4275416417(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1149589794[|tcp]> (DF) (ttl 64, id 42370, len 64, bad
> ip cksum 14! -> c702)
> > Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S
> 363396747:363396747(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 703336159[|tcp]> (DF) (ttl 64, id 38422, len 64, bad ip
> cksum 14! -> d66e)
> >
> >  What ports do I need to open in these firewalls to permit comms between
> worker nodes and manager host?
> >
> > Thanks
> > --
>
> More info. According to broctl-config.sh, comms are established on port
> 47760:
>
> bindir="/opt/bro/bin"
> bro="/opt/bro/bin/bro"
> broargs=""
> brobase="/opt/bro"
> broctlconfigdir="/nsm/bro/spool"
> broport="47760"
> broscriptdir="/opt/bro/share/bro"
> capstatspath="/opt/bro/bin/capstats"
> cfgdir="/opt/bro/etc"
> ....
>
>  But as you can see in the previous log, the worker nodes try to connect to
> port 47763. Do I need to open a pool of ports on my firewalls? Can I configure
> which TCP port to use between workers and the manager host?
>
> Thanks
>
> --
> Greetings,
> C. L. Martinez
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 17 Apr 2017 12:36:44 +0000
> From: "C. L. Martinez" <carlopmart at gmail.com>
> Subject: Re: [Bro] Ports used between manager/logger/proxy host and
>         worker nodes (SOLVED)
> To: bro at bro.org
> Message-ID: <20170417123644.qyi7oembwiliw6ha at scotland.uxdom.org>
> Content-Type: text/plain; charset=utf-8
>
> On Mon, Apr 17, 2017 at 12:32:40PM +0000, C. L. Martinez wrote:
> > On Mon, Apr 17, 2017 at 11:25:23AM +0000, C. L. Martinez wrote:
> > > Hi all,
> > >
> > >  I have set up one manager/logger/proxy host with 5 worker nodes (all
> using version 2.5). Two of these 5 worker nodes are behind firewalls. I am
> seeing several packets dropped between these worker nodes and the manager host:
> > >
> > > Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S
> 2230094890:2230094890(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1780505936[|tcp]> (DF) (ttl 64, id 47383, len 64, bad
> ip cksum 14! -> b36d)
> > > Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S
> 4275416417:4275416417(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 1149589794[|tcp]> (DF) (ttl 64, id 42370, len 64, bad
> ip cksum 14! -> c702)
> > > Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on
> vio5: [uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S
> 363396747:363396747(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 6,nop,nop,timestamp 703336159[|tcp]> (DF) (ttl 64, id 38422, len 64, bad ip
> cksum 14! -> d66e)
> > >
> > >  What ports do I need to open in these firewalls to permit comms
> between worker nodes and manager host?
> > >
> > > Thanks
> > > --
> >
> > More info. According to broctl-config.sh, comms are established on port
> 47760:
> >
> > bindir="/opt/bro/bin"
> > bro="/opt/bro/bin/bro"
> > broargs=""
> > brobase="/opt/bro"
> > broctlconfigdir="/nsm/bro/spool"
> > broport="47760"
> > broscriptdir="/opt/bro/share/bro"
> > capstatspath="/opt/bro/bin/capstats"
> > cfgdir="/opt/bro/etc"
> > ....
> >
> >  But as you can see in the previous log, the worker nodes try to connect to
> port 47763. Do I need to open a pool of ports on my firewalls? Can I
> configure which TCP port to use between workers and the manager host?
> >
> > Thanks
> >
>
> Ok, got it. According to Bro's manual:
>
> "Note that you can change the port that Bro listens on by changing the
> value of the ?BroPort? option in your  broctl.cfg file (this should be
> needed only if your system has another process that listens on the same
> port). By default, a standalone Bro listens on TCP port 47760. For a
> cluster setup, the logger listens on TCP port 47761, and the manager
> listens on TCP port 47762 (or 47761 if no logger is defined). Each proxy is
> assigned its own port number, starting with one number greater than the
> manager?s port. Likewise, each worker is assigned its own port starting one
> number greater than the highest port number assigned to a proxy."
>
>  Opening ports 47762 and 47761, it seems everything works OK.
>
> --
> Greetings,
> C. L. Martinez
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 17 Apr 2017 11:10:41 -0400
> From: Seth Hall <seth at corelight.com>
> Subject: Re: [Bro] Bro and GeoIP support
> To: "LinuxBSDos.com" <finid at vivaldi.net>
> Cc: Bro <bro at bro.org>
> Message-ID: <496B0224-8BEA-45B7-BE84-F2B60A58D38E at corelight.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> > On Apr 13, 2017, at 1:52 PM, LinuxBSDos.com <finid at vivaldi.net> wrote:
> >
> > If not, what's the process of getting Bro to support the mmdb database?
>
> I'm working on this and I'm going to be releasing it as a bro-pkg when
> it's functional.
>
>   .Seth
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 17 Apr 2017 11:11:53 -0400
> From: Seth Hall <seth at corelight.com>
> Subject: Re: [Bro] Issue with Bro and libpcap during compile
> To: Dave Florek <dave.a.florek at gmail.com>
> Cc: bro at bro.org
> Message-ID: <9689341F-5963-424D-9D79-A3C175D75C17 at corelight.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> > On Apr 13, 2017, at 3:38 PM, Dave Florek <dave.a.florek at gmail.com>
> wrote:
> >
> > I'm curious to see if anyone in the Bro community has been successful at
> installing Bro from source using the initial libpcap files bundled with
> CentOS 7. No matter if I specify ./configure --with-pcap=/usr/local/ or
> ./configure --with-pcap=/usr/lib64/ after installing libpcap-devel, I'm
> still unable to get Bro to compile:
>
> I suppose you're using some libpcap wrapper since you're telling it to
> look for libpcap in a certain location?  What libpcap wrapper are you using?
>
>   .Seth
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 132, Issue 24
> ************************************
>
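The port-assignment rule quoted from the Bro manual in message 5 of the digest above, worked through as an added example. This is not code from the Bro project or from any poster on the thread: it implements the assignment rule exactly as the quoted text states it (broctl's real logic may differ), computes the listening port of every node for a sample cluster, maps the blocked SYNs from the firewall log in message 3 to the cluster role each was trying to reach, and derives per-port egress rules for a firewall in front of a worker host instead of a whole port range. The cluster layout, node names and the rule format are constructed assumptions; the addresses and log lines are the ones on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDALONE_PORT = 47760  # default BroPort of a standalone Bro (per the quoted manual)


@dataclass
class ClusterLayout:
    has_logger: bool
    proxies: List[str]
    workers: List[str]
    bro_port: int = STANDALONE_PORT  # the BroPort option from broctl.cfg


def assign_ports(layout: ClusterLayout) -> Dict[str, int]:
    """One TCP listening port per node, following the quoted manual text:
    logger = BroPort+1, manager = BroPort+2 (BroPort+1 when there is no logger),
    each proxy one above the manager, each worker one above the last proxy."""
    ports: Dict[str, int] = {}
    nxt = layout.bro_port + 1
    if layout.has_logger:
        ports["logger"] = nxt
        nxt += 1
    ports["manager"] = nxt
    nxt += 1
    for name in layout.proxies:
        ports[name] = nxt
        nxt += 1
    for name in layout.workers:
        ports[name] = nxt
        nxt += 1
    return ports


def central_ports(layout: ClusterLayout) -> Dict[int, str]:
    """Port -> role for the nodes on the central host (logger, manager, proxies).
    These are the destination ports a worker host must be able to reach; the
    workers' own listening ports are deliberately left out."""
    ports = assign_ports(layout)
    return {port: name for name, port in ports.items() if name not in layout.workers}


def worker_egress_rules(layout: ClusterLayout, central_host: str,
                        worker_hosts: List[str]) -> List[Tuple[str, str, int, str]]:
    """Least-privilege outbound rules for a firewall in front of a worker host:
    (source, destination, tcp port, role), one rule per central port."""
    rules = []
    for src in worker_hosts:
        for port, role in sorted(central_ports(layout).items()):
            rules.append((src, central_host, port, role))
    return rules


# Flow part of a pf-style "block out" line as shown on the page: "src.port > dst.port: S"
_FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def classify_blocked(line: str, layout: ClusterLayout) -> Optional[Tuple[str, int, str]]:
    """Map a blocked SYN from the firewall log to the cluster role it was heading
    for: (destination host, port, role). None if the line does not parse or the
    destination port is not one of the central cluster ports."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    dst_host, dst_port = m.group(3), int(m.group(4))
    role = central_ports(layout).get(dst_port)
    if role is None:
        return None
    return (dst_host, dst_port, role)


# Constructed sample layout matching the poster's description: one central host
# running logger, manager and one proxy, plus five workers (names are invented).
SAMPLE_LAYOUT = ClusterLayout(has_logger=True, proxies=["proxy-1"],
                              workers=[f"worker-{i}" for i in range(1, 6)])

# The three blocked-SYN lines from the firewall log quoted in message 3.
SAMPLE_LOG = [
    "Apr 17 11:23:59.890910 rule 21/(match) [uid 0, pid 75183] block out on vio5: "
    "[uid 4294967295, pid 100000] 172.22.59.2.1255 > 172.22.59.4.47763: S",
    "Apr 17 11:23:59.890988 rule 21/(match) [uid 0, pid 75183] block out on vio5: "
    "[uid 4294967295, pid 100000] 172.22.59.2.35138 > 172.22.59.4.47762: S",
    "Apr 17 11:23:59.891057 rule 21/(match) [uid 0, pid 75183] block out on vio5: "
    "[uid 4294967295, pid 100000] 172.22.59.2.24230 > 172.22.59.4.47761: S",
]

if __name__ == "__main__":
    for name, port in assign_ports(SAMPLE_LAYOUT).items():
        print(f"{name:10s} tcp/{port}")
    for line in SAMPLE_LOG:
        print(classify_blocked(line, SAMPLE_LAYOUT))
    # Constructed pf-like rule text; adapt to whatever firewall sits in front of the worker.
    for rule in worker_egress_rules(SAMPLE_LAYOUT, "172.22.59.4", ["172.22.59.2"]):
        print("pass out proto tcp from %s to %s port %d  # %s" % rule)
```

With a logger, a manager and a single proxy on the central host, the rule yields 47761 (logger), 47762 (manager) and 47763 (proxy), which is exactly the set of destination ports the three blocked SYNs in the quoted log were aimed at, so the blocked 47763 connection is the proxy, not a stray port from a pool. Changing BroPort in broctl.cfg shifts the whole layout by the same offset, so the firewall rules should be regenerated from the configuration rather than hard-coded.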

