From bro at pingtrip.com Wed Feb 1 05:05:04 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Wed, 1 Feb 2017 08:05:04 -0500
Subject: [Bro] Converting Notice::Info to JSON
In-Reply-To: <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com>
References: <8084C305-D1BE-4E68-8A21-684F7A4E50A5@pingtrip.com> <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com>

> On Jan 31, 2017, at 3:39 PM, Dave Crawford wrote:
>
>> On Jan 31, 2017, at 11:16 AM, Azoff, Justin S wrote:
>>
>> You could probably avoid the whole issue by using to_json like this:
>>
>> to_json(note, T);
>>
>> to set the only_loggable option to true which should cause it to ignore fields that aren't normally logged in the first place.
>>
>> --
>> - Justin Azoff
>>
> A follow-up question on to_json() is if the function is always producing valid JSON?

As an example:

to_json(n, T)

Produces a few field values that aren't properly quoted, or in the case of Booleans, not converting T/F to true/false:

{"proto": tcp, "peer_descr": "bro", "id": {"resp_h": "199.192.156.134", "resp_p": 443, "orig_h": "10.0.2.15", "orig_p": 1381}, "dst": "199.192.156.134", "p": 443, "sub": "POST /bbs/info.asp HTTP/1.1\\x0d\\x0aHost: 199.192.156.134:443\\x0d\\x0aContent-Length: 165\\x0d\\x0aConnection: Keep-Alive\\x0d\\x0aCache-Control: no-cache\\x0d\\x0a\\x0d\\x0a3D333531501A...", "suppress_for": "", "src": "10.0.2.15", "msg": "10.0.2.15: ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator)", "note": Signatures::Sensitive_Signature, "ts": 1485952936.47094, "uid": "CZwEv13Gadjmnaf6W6", "dropped": F, "actions": [Notice::ACTION_LOG, Phantom::ACTION_TEST]}

-Dave
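The to_json(n, T) output quoted above is not strict JSON: transport and enum values (tcp, Signatures::Sensitive_Signature, Notice::ACTION_LOG) come out as bare identifiers and Bro booleans as T/F. Until a fixed Bro is deployed (Daniel's fix is referenced later in this thread as BIT-1788), whatever consumes that text has to repair it before json.loads() will accept it. The Python below is an added example, not code from the thread or from Bro: it tokenizes the output, quotes bare words, maps T/F to true/false and leaves the contents of quoted strings untouched. SAMPLE is a trimmed, constructed copy of the notice Dave pasted.

```python
"""Normalise the not-quite-JSON that Bro 2.5's to_json() emits for Notice::Info.

Bare enum values (tcp, Signatures::Sensitive_Signature, Notice::ACTION_LOG)
and Bro booleans (T/F) are the only non-JSON tokens in the sample, so a small
tokenizer that quotes bare words and maps T/F to true/false is enough to make
json.loads() accept it.  Anything that is not a recognised token raises
ValueError instead of being guessed at.
"""
import json
import re

# Token grammar for Bro's to_json() output.  Strings come first so that
# T/F or enum-like text inside a string value is never rewritten.
_TOKEN = re.compile(
    r'(?P<str>"(?:\\.|[^"\\])*")'                                      # JSON string literal, escapes kept as-is
    r'|(?P<num>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)'                      # int / float (ts, ports, counts)
    r'|(?P<word>[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*)'  # bare identifier or Bro enum
    r'|(?P<ws>\s+)'
    r'|(?P<punct>[{}\[\],:])'
)

# Bare words that are already valid JSON and must pass through untouched.
_JSON_LITERALS = {"true", "false", "null"}


def normalize_bro_json(text):
    """Rewrite Bro's to_json() output into strict JSON text.

    Raises ValueError on any byte sequence that is not a recognised token,
    so malformed input fails loudly instead of being silently mangled.
    """
    out = []
    pos = 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError("unrecognised input at offset %d: %r" % (pos, text[pos:m.start()]))
        tok = m.group(0)
        if m.lastgroup == "word":
            if tok == "T":
                tok = "true"            # Bro boolean true
            elif tok == "F":
                tok = "false"           # Bro boolean false
            elif tok not in _JSON_LITERALS:
                tok = json.dumps(tok)   # bare enum / transport name -> quoted string
        out.append(tok)
        pos = m.end()
    if pos != len(text):
        raise ValueError("unrecognised input at offset %d: %r" % (pos, text[pos:]))
    return "".join(out)


def load_bro_json(text):
    """Parse Bro to_json() output into Python objects."""
    return json.loads(normalize_bro_json(text))


# Constructed sample, trimmed from the to_json(n, T) output quoted in the thread.
# The HTTP payload in "sub" carries Bro's \x0d\x0a escapes as a doubled
# backslash, exactly as Bro emitted them; that part was already valid JSON.
SAMPLE = r'''{"proto": tcp, "peer_descr": "bro", "id": {"resp_h": "199.192.156.134", "resp_p": 443, "orig_h": "10.0.2.15", "orig_p": 1381}, "sub": "POST /bbs/info.asp HTTP/1.1\\x0d\\x0aHost: 199.192.156.134:443\\x0d\\x0a", "suppress_for": "", "note": Signatures::Sensitive_Signature, "ts": 1485952936.47094, "uid": "CZwEv13Gadjmnaf6W6", "dropped": F, "actions": [Notice::ACTION_LOG, Phantom::ACTION_TEST]}'''


if __name__ == "__main__":
    notice = load_bro_json(SAMPLE)
    print(json.dumps(notice, indent=2, sort_keys=True))
```

Unrecognised input raises ValueError rather than being guessed at; an unquoted address such as 10.0.2.15 would trip that check, which is the right outcome for a converter whose job is to hand strict JSON to a downstream parser.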
From robin at icir.org Wed Feb 1 07:51:57 2017
From: robin at icir.org (Robin Sommer)
Date: Wed, 1 Feb 2017 07:51:57 -0800
Subject: [Bro] Converting Notice::Info to JSON
References: <8084C305-D1BE-4E68-8A21-684F7A4E50A5@pingtrip.com> <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com>
Message-ID: <20170201155157.GE783@icir.org>

On Wed, Feb 01, 2017 at 08:05 -0500, Dave Crawford wrote:

> to_json(n, T)
> Produces a few field values that aren't properly quoted, or in the
> case of Booleans, not converting T/F to true/false:

That sounds like a bug to me: if it says JSON, it should be JSON. Please file a ticket for that.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jazoff at illinois.edu Wed Feb 1 08:29:26 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 1 Feb 2017 16:29:26 +0000
Subject: [Bro] Logging and memory leak

> On Jan 31, 2017, at 7:36 PM, Hovsep Levi wrote:
>
> No, both are disabled.
>

Do you have any other custom scripts loaded that are using sumstats? With a dedicated logger process the manager doesn't really do anything other than sumstats.

Look in your cluster-layout.bro to see what port your manager process is assigned.. with 4 loggers I'd imagine it is around 47765/tcp

Then, run this command on the manager, on the interface that it talks to workers:

tcpdump -n -i em1 port 47765 -A | egrep -io '[A-Za-z_:-]{10,}'

That will output the names of the events that are bouncing between the workers and the manager

And see what you see.. It SHOULD be almost nothing, maybe a trickle of events.

--
- Justin Azoff

From philosnef at gmail.com Thu Feb 2 05:20:03 2017
From: philosnef at gmail.com (erik clark)
Date: Thu, 2 Feb 2017 08:20:03 -0500
Subject: [Bro] branching Bro

We need to branch Bro due to FIPS non-compliance. Is there any thorough documentation as to what parts are FIPS non-compliant, other than the md5 analyzer, and is there any documentation on the md5 analyzer hooks (built in stock scripts, so on so forth) so we can begin attempting to branch this into a FIPS compliant tool?

Thanks.

From jazoff at illinois.edu Thu Feb 2 05:51:47 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 2 Feb 2017 13:51:47 +0000
Subject: [Bro] branching Bro
Message-ID: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu>

> On Feb 2, 2017, at 8:20 AM, erik clark wrote:
>
> We need to branch Bro due to FIPS non-compliance. Is there any thorough documentation as to what parts are FIPS non-compliant, other than the md5 analyzer, and is there any documentation on the md5 analyzer hooks (built in stock scripts, so on so forth) so we can begin attempting to branch this into a FIPS compliant tool?
>
> Thanks.

I hereby grant you an exception to FIPS compliance that allows you to use Bro as it is intended and to its full capabilities.

Note: This exception is equally as meaningless as FIPS compliance.

--
- Justin Azoff

From philosnef at gmail.com Thu Feb 2 05:53:55 2017
From: philosnef at gmail.com (erik clark)
Date: Thu, 2 Feb 2017 08:53:55 -0500
Subject: [Bro] branching Bro
In-Reply-To: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu>
References: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu>

Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.

On Thu, Feb 2, 2017 at 8:51 AM, Azoff, Justin S wrote:
>
> > On Feb 2, 2017, at 8:20 AM, erik clark wrote:
> >
> > We need to branch Bro due to FIPS non-compliance. Is there any thorough documentation as to what parts are FIPS non-compliant, other than the md5 analyzer, and is there any documentation on the md5 analyzer hooks (built in stock scripts, so on so forth) so we can begin attempting to branch this into a FIPS compliant tool?
> >
> > Thanks.
>
> I hereby grant you an exception to FIPS compliance that allows you to use Bro as it is intended and to its full capabilities.
>
> Note: This exception is equally as meaningless as FIPS compliance.
>
> --
> - Justin Azoff
>

From jazoff at illinois.edu Thu Feb 2 05:59:36 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 2 Feb 2017 13:59:36 +0000
Subject: [Bro] branching Bro
References: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu>
Message-ID: <9263D96B-A693-4EE5-9263-75BE625665BC@illinois.edu>

> On Feb 2, 2017, at 8:53 AM, erik clark wrote:
>
> Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.

And handicapping the best tool you'd have to detect noncompliant certificates is extremely misguided and counterproductive.

It's like if you had a tool that could scan for use of 512bit key SSL certificates, and someone prevented you from using it because it "supports" 512bit certificates and 512bit certificates are not FIPS compliant.

--
- Justin Azoff

From hosom at battelle.org Thu Feb 2 06:30:42 2017
From: hosom at battelle.org (Hosom, Stephen M)
Date: Thu, 2 Feb 2017 14:30:42 +0000
Subject: [Bro] branching Bro
References: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu>

FIPS compliance isn't an application "thing". FIPS compliance is an implementation "thing". FIPS does not apply to the md5 file hash analyzer because in this case no cryptography is being performed. FIPS also does not apply to the calls in the SSL analysis stuff to md5 because once again, no cryptography occurs with the calculation of that MD5 hash. I don't remember which portion of Bro ultimately caused this issue for you, but whether it was the file analyzer or the SSL analyzer, I am not aware of segments of either of those analyzers performing any cryptography.

FIPS is a process by which the government assesses implementations of cryptography. Is your question "Where is cryptography implemented in Bro so that I review those sections to determine whether or not they would pass a FIPS validation assessment?" To the best of my knowledge, cryptography isn't implemented anywhere in Bro.

I suspect that what you really want is for the communication that occurs when network traffic leaves the server to be encrypted in a manner that would pass FIPS 140 validation tests. My recommendation for that would be to run the cluster traffic in an isolated network and document that in your system security plan. Not only is this the best scenario for you, this is almost always how the most active people on this mailing list would deploy Bro.

If what is really going on here is that a STIG check is "requiring" you to run everything in FIPS mode, then documenting an exception is usually alright. If it is unacceptable for your audit that you document an exception (which would be a new one for me since the government that you are working with generally only wants data encrypted when it leaves the system), then you should follow Vlad's advice about setting up tunnels between cluster nodes and the master. This implementation (assuming that you perform the configuration right) has the ability to pass FIPS-140 validation.

Branching Bro and rewriting all of its cluster communications to use encryption that you write yourself from scratch is almost certainly going to be a bad idea. You're unlikely to pass FIPS validation writing something yourself. While I don't doubt your skills, FIPS validation is something that development teams strive for and a developer would likely struggle with. You will also be introducing an immense amount of risk. You have the risk that you'll almost certainly never be able to pull down updates from the origin, since you're working with completely different clustering code. You're going to have the risk that your version of Bro (which I'm assuming will be closed source) will now only ever be reviewed by you or your team. Your implementation will likely be significantly weaker because of this.

For those watching: please feel free to correct any information you feel that I have misrepresented. I would normally include sources and double check everything in an email this lengthy, but I have to rush off and want to make an attempt at being helpful here.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of erik clark
Sent: Thursday, February 2, 2017 8:54 AM
To: Azoff, Justin S
Cc: Bro-IDS
Subject: Re: [Bro] branching Bro

Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.

On Thu, Feb 2, 2017 at 8:51 AM, Azoff, Justin S wrote:

> On Feb 2, 2017, at 8:20 AM, erik clark wrote:
>
> We need to branch Bro due to FIPS non-compliance. Is there any thorough documentation as to what parts are FIPS non-compliant, other than the md5 analyzer, and is there any documentation on the md5 analyzer hooks (built in stock scripts, so on so forth) so we can begin attempting to branch this into a FIPS compliant tool?
>
> Thanks.

I hereby grant you an exception to FIPS compliance that allows you to use Bro as it is intended and to its full capabilities.

Note: This exception is equally as meaningless as FIPS compliance.

--
- Justin Azoff

From mfernandez at mitre.org Thu Feb 2 06:37:35 2017
From: mfernandez at mitre.org (Fernandez, Mark I)
Date: Thu, 2 Feb 2017 14:37:35 +0000
Subject: [Bro] branching Bro
In-Reply-To: <9263D96B-A693-4EE5-9263-75BE625665BC@illinois.edu>
References: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu> <9263D96B-A693-4EE5-9263-75BE625665BC@illinois.edu>

Erik, Justin -

You both have good points. For Erik, I think you have solid ground on which to stand if you make the following distinctions:

(a) Bro is capable of inspecting/monitoring/detecting FIPS non-compliant encryption; this is a valid and necessary capability for the defense and security of your network; and

(b) Is Bro being used to PROTECT federal information (whether in transit or at rest)? If not, then no worries, argument alleviated. But if so, then is Bro able to implement a FIPS-compliant encryption to do so?

As long as Bro uses FIPS-compliant encryption to PROTECT information (or if you can come up with an appropriate mitigation), then I believe you can make a reasonable case to your certification and accreditation folks to allow Bro to also continue monitoring for non-compliance.

Cheers!
Mark Fernandez

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Azoff, Justin S
Sent: Thursday, February 02, 2017 9:00 AM
To: erik clark
Cc: Bro-IDS
Subject: Re: [Bro] branching Bro

> On Feb 2, 2017, at 8:53 AM, erik clark wrote:
>
> Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.

And handicapping the best tool you'd have to detect noncompliant certificates is extremely misguided and counterproductive.

It's like if you had a tool that could scan for use of 512bit key SSL certificates, and someone prevented you from using it because it "supports" 512bit certificates and 512bit certificates are not FIPS compliant.

--
- Justin Azoff

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From philosnef at gmail.com Thu Feb 2 06:46:48 2017
From: philosnef at gmail.com (erik clark)
Date: Thu, 2 Feb 2017 09:46:48 -0500
Subject: [Bro] branching Bro
References: <878EBD62-C217-4550-AD73-752112A62CA3@illinois.edu> <9263D96B-A693-4EE5-9263-75BE625665BC@illinois.edu>

Stephen,

Bro flat out does not run if your kernel is in fips mode. You specifically get:

ValueError: error:060800A3: digitial envelope routines:EVP_DigestInit_ex:disabled for fips

I brought up the cross network logging encryption issue previously. This is very specifically an issue where you can not run Bro at all with a FIPS compliant kernel. Getting someone to sign off on an exception not only for Bro, but the kernel as well, is unlikely. The issue with the md5 crypto libs in Bro causing it to simply not run with a FIPS kernel was already brought up in the list as well, by Gary.

On Thu, Feb 2, 2017 at 9:37 AM, Fernandez, Mark I wrote:
> Erik, Justin -
>
> You both have good points. For Erik, I think you have solid ground on which to stand if you make the following distinctions:
>
> (a) Bro is capable of inspecting/monitoring/detecting FIPS non-compliant encryption; this is a valid and necessary capability for the defense and security of your network; and
>
> (b) Is Bro being used to PROTECT federal information (whether in transit or at rest)? If not, then no worries, argument alleviated. But if so, then is Bro able to implement a FIPS-compliant encryption to do so?
>
> As long as Bro uses FIPS-compliant encryption to PROTECT information (or if you can come up with an appropriate mitigation), then I believe you can make a reasonable case to your certification and accreditation folks to allow Bro to also continue monitoring for non-compliance.
>
> Cheers!
> Mark Fernandez
>
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Azoff, Justin S
> Sent: Thursday, February 02, 2017 9:00 AM
> To: erik clark
> Cc: Bro-IDS
> Subject: Re: [Bro] branching Bro
>
>
> > On Feb 2, 2017, at 8:53 AM, erik clark wrote:
> >
> > Sadly, in the federal world, FIPS compliance isn't meaningless. There is a real need for it.
>
> And handicapping the best tool you'd have to detect noncompliant certificates is extremely misguided and counterproductive.
>
> It's like if you had a tool that could scan for use of 512bit key SSL certificates, and someone prevented you from using it because it "supports" 512bit certificates and 512bit certificates are not FIPS compliant.
>
> --
> - Justin Azoff
>

From bro at pingtrip.com Thu Feb 2 09:09:10 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 2 Feb 2017 12:09:10 -0500
Subject: [Bro] Converting Notice::Info to JSON
In-Reply-To: <20170201155157.GE783@icir.org>
References: <8084C305-D1BE-4E68-8A21-684F7A4E50A5@pingtrip.com> <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com> <20170201155157.GE783@icir.org>

> On Feb 1, 2017, at 10:51 AM, Robin Sommer wrote:
>
> On Wed, Feb 01, 2017 at 08:05 -0500, Dave Crawford wrote:
>
>> to_json(n, T)
>
>> Produces a few field values that aren't properly quoted, or in the
>> case of Booleans, not converting T/F to true/false:
>
> That sounds like a bug to me: if it says JSON, it should be JSON.
> Please file a ticket for that.
>
> Robin
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

As requested. BIT-1789

-Dave

From dnthayer at illinois.edu Thu Feb 2 12:09:01 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 2 Feb 2017 14:09:01 -0600
Subject: [Bro] Converting Notice::Info to JSON
References: <8084C305-D1BE-4E68-8A21-684F7A4E50A5@pingtrip.com> <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com> <20170201155157.GE783@icir.org>

On 2/2/17 11:09 AM, Dave Crawford wrote:
>
>> On Feb 1, 2017, at 10:51 AM, Robin Sommer wrote:
>>
>> On Wed, Feb 01, 2017 at 08:05 -0500, Dave Crawford wrote:
>>
>>> to_json(n, T)
>>
>>> Produces a few field values that aren't properly quoted, or in the
>>> case of Booleans, not converting T/F to true/false:
>>
>> That sounds like a bug to me: if it says JSON, it should be JSON.
>> Please file a ticket for that.
>>
>> Robin
>>
>
> As requested. BIT-1789
>
> -Dave

I've fixed this issue (see https://bro-tracker.atlassian.net/browse/BIT-1788).

-Daniel

From bro at pingtrip.com Thu Feb 2 12:17:37 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 2 Feb 2017 15:17:37 -0500
Subject: [Bro] Converting Notice::Info to JSON
References: <8084C305-D1BE-4E68-8A21-684F7A4E50A5@pingtrip.com> <93400B68-43ED-4070-9181-C1677EB6C2A1@pingtrip.com> <20170201155157.GE783@icir.org>

> On Feb 2, 2017, at 3:09 PM, Daniel Thayer wrote:
>
> On 2/2/17 11:09 AM, Dave Crawford wrote:
>>
>>> On Feb 1, 2017, at 10:51 AM, Robin Sommer wrote:
>>>
>>> On Wed, Feb 01, 2017 at 08:05 -0500, Dave Crawford wrote:
>>>
>>>> to_json(n, T)
>>>
>>>> Produces a few field values that aren't properly quoted, or in the
>>>> case of Booleans, not converting T/F to true/false:
>>>
>>> That sounds like a bug to me: if it says JSON, it should be JSON.
>>> Please file a ticket for that.
>>>
>>> Robin
>>>
>>
>> As requested. BIT-1789
>>
>> -Dave
>
> I've fixed this issue (see https://bro-tracker.atlassian.net/browse/BIT-1788).
>
> -Daniel
>

Awesome, thanks Daniel. I closed my ticket as a duplicate and referenced your ticket.

-Dave

From albertociolini92 at gmail.com Fri Feb 3 06:14:20 2017
From: albertociolini92 at gmail.com (Alberto Ciolini)
Date: Fri, 3 Feb 2017 15:14:20 +0100
Subject: [Bro] How to stop script and send email

Hi everyone.

I wrote a simple Bro script that prints a log file after reading an event from broccoli. I would like the script to stop automatically at the end and not with ctrl-c on the keyboard. Is there a way to do this?

And another simple question: how do I send email with Bro?

Thanks,
Alberto.

From twaller at bivio.net Fri Feb 3 12:27:25 2017
From: twaller at bivio.net (Tony Waller)
Date: Fri, 3 Feb 2017 20:27:25 +0000
Subject: [Bro] Information on OCSP and CRL

I am looking for additional information on utilizing OCSP and CRL in Bro NSM. I would like to know if certificates from clients can be checked in real-time or near real-time against a CRL? Also, can Bro NSM perform an OCSP request to a RA and check a certificate to determine if it is valid? If this is the case where in Bro NSM do you set the address for the RA or CRL responder?

Sincerely,
Tony

Tony Waller, CISSP
Director, Systems Engineering
Bivio Networks, Inc.
"Powering Advanced Cyber Operations" (TM)
Mobile (443) 994-0936

*Note: The information contained in this email is confidential. This information is intended only for the individual, individuals or entity to whom it is addressed.
If you are not the intended recipient(s), the employee or agent responsible for delivering it to the intended recipient(s), you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please return the original message to us by email and delete or destroy any copies. Please note any views or opinions expressed or presented in this email are solely those of the author and do not necessarily represent those of Bivio Networks, Inc. The recipient should check this email or any attachments for the presence of viruses or malware. Bivio Networks, Inc. accepts no responsibility for any damage caused by any virus or malware transmitted by this email. Thank you. Think Green when printing -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170203/535bf03b/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 8127 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170203/535bf03b/attachment.bin From hovsep.sanjay.levi at gmail.com Fri Feb 3 16:48:39 2017 From: hovsep.sanjay.levi at gmail.com (Hovsep Levi) Date: Sat, 4 Feb 2017 00:48:39 +0000 Subject: [Bro] Logging and memory leak In-Reply-To: References: Message-ID: No, no custom scripts. I found the cluster overwhelmed again today with massive virtual memory usage and an hour after restarting it the same condition returns. I'm using a single logger since the last time. It seems when using a Kafka only export a single logger works fine as the event timestamps arriving at Kafka are near realtime. (the "ts" for conn, http, etc.) The logger is using 47761, manager is 47762. 
I took a sample of 5000 packets for each during the high memory usage and it looks like the manager is still receiving logs of some sort dealing with x509 certificates. tcpdump -A -r Bro__Manager_port_47662.pcap | egrep -io '[A-Za-z_:-]{10,}' | sort | uniq -c | sort -rn | head -10 reading from file Bro__Manager_port_47662.pcap, link-type EN10MB (Ethernet) 2852 certificate 2064 Notice::begin_suppressionA 1800 Conn::IN_ORIG 739 Authentication 685 Identifier 681 Encipherment 660 validation 646 Corporation Config: event bro_init() Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG); @load misc/loaded-scripts @load tuning/defaults @load misc/stats @load misc/capture-loss @load frameworks/software/vulnerable @load frameworks/software/version-changes @load-sigs frameworks/signatures/detect-windows-shells @load protocols/ftp/software @load protocols/smtp/software @load protocols/ssh/software @load protocols/http/software @load protocols/dns/detect-external-names @load protocols/ftp/detect @load protocols/conn/known-hosts @load protocols/conn/known-services @load protocols/ssl/known-certs @load protocols/ssl/validate-certs @load protocols/ssl/log-hostcerts-only @load protocols/ssh/geo-data @load protocols/ssh/detect-bruteforcing @load protocols/ssh/interesting-hostnames @load protocols/http/detect-sqli @load frameworks/files/hash-all-files @load frameworks/files/detect-MHR @load frameworks/intel/seen @load frameworks/intel/do_notice @load local-intel.bro @load Bro/Kafka/logs-to-kafka.bro Snapshots before the first restart at @ Wed Feb 1 19:57:28 UTC 2017 [bro at mgr /opt/bro]$ bin/broctl top manager logger-1 && echo "" && date Name Type Host Pid Proc VSize Rss Cpu Cmd logger-1 logger 10.1.1.1 25469 parent 849M 330M 171% bro logger-1 logger 10.1.1.1 25523 child 458M 69M 38% bro manager manager 10.1.1.1 25685 child 494M 261M 100% bro manager manager 10.1.1.1 25543 parent 9G 1G 27% bro @ Fri Feb 3 04:05:04 UTC 2017 [bro at mgr /opt/bro]$ bin/broctl top manager logger-1 && 
echo "" && date Name Type Host Pid Proc VSize Rss Cpu Cmd logger-1 logger 10.1.1.1 25469 parent 793M 284M 99% bro logger-1 logger 10.1.1.1 25523 child 466M 80M 25% bro manager manager 10.1.1.1 25685 child 494M 261M 100% bro manager manager 10.1.1.1 25543 parent 9G 1G 35% bro @ Fri Feb 3 21:15:51 UTC 2017 [bro at mgr /opt/bro]$ bin/broctl top manager logger-1 && echo "" && date Name Type Host Pid Proc VSize Rss Cpu Cmd logger-1 logger 10.1.1.1 25469 parent 813M 316M 178% bro logger-1 logger 10.1.1.1 25523 child 466M 83M 38% bro manager manager 10.1.1.1 25685 child 8G 8G 100% bro manager manager 10.1.1.1 25543 parent 1222G 87G 99% bro last pid: 33713; load averages: 7.35, 6.19, 5.69 up 6+20:45:54 21:32:43 49 processes: 4 running, 45 sleeping CPU: 8.0% user, 0.3% nice, 5.7% system, 0.2% interrupt, 85.8% idle Mem: 31G Active, 69G Inact, 20G Wired, 1884K Cache, 5167M Free ARC: 14G Total, 2327M MFU, 11G MRU, 155K Anon, 58M Header, 555M Other Swap: 12G Total, 17M Used, 12G Free PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 25469 bro 172 20 0 1089M 591M select 11 118.3H 258.45% bro 25685 bro 1 108 5 9174M 9035M CPU22 22 63.0H 100.00% bro 25543 bro 7 20 0 1275G 93626M uwait 2 21.1H 100.00% bro 25523 bro 1 92 5 466M 85900K CPU3 3 18.0H 51.27% bro 33713 bro 1 78 0 97192K 17284K CPU32 32 0:02 21.09% python2.7 33709 bro 1 52 0 97192K 17300K piperd 31 0:01 2.69% python2.7 I restarted the cluster at 21:42 and see the same behavior almost immediately, within an hour: @ Fri Feb 3 22:27:38 UTC 2017 [bro at mgr /opt/bro]$ bin/broctl top manager logger-1 && echo "" && date Name Type Host Pid Proc VSize Rss Cpu Cmd logger-1 logger 10.1.1.1 37525 parent 647M 124M 15% bro logger-1 logger 10.1.1.1 37576 child 458M 65M 2% bro manager manager 10.1.1.1 37653 child 506M 199M 100% bro manager manager 10.1.1.1 37600 parent 250G 18G 100% bro @ Sat Feb 4 00:22:01 UTC 2017 [bro at mgr /opt/bro]$ bin/broctl top manager logger-1 && echo "" && date Name Type Host Pid Proc VSize Rss Cpu 
Cmd logger-1 logger 10.1.1.1 37525 parent 663M 134M 14% bro logger-1 logger 10.1.1.1 37576 child 458M 65M 2% bro manager manager 10.1.1.1 37653 child 506M 237M 100% bro manager manager 10.1.1.1 37600 parent 640G 46G 38% bro last pid: 75833; load averages: 2.31, 2.47, 2.57 up 6+23:49:38 00:36:27 47 processes: 2 running, 45 sleeping CPU: 1.2% user, 0.2% nice, 2.4% system, 0.1% interrupt, 96.1% idle Mem: 20G Active, 26G Inact, 22G Wired, 1752K Cache, 57G Free ARC: 8159M Total, 2242M MFU, 5323M MRU, 64K Anon, 49M Header, 545M Other Swap: 12G Total, 16M Used, 12G Free PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 37653 bro 1 108 5 506M 237M CPU33 33 172:00 100.00% bro 37600 bro 7 20 0 640G 47116M uwait 25 143:23 27.88% bro 37525 bro 162 20 0 663M 134M select 45 106:45 12.60% bro 37576 bro 1 25 5 458M 67404K select 6 5:03 1.46% bro @ Sat Feb 4 00:38:50 UTC 2017 Name Type Host Pid Proc VSize Rss Cpu Cmd logger-1 logger 10.1.1.1 37525 parent 663M 134M 13% bro logger-1 logger 10.1.1.1 37576 child 458M 65M 1% bro manager manager 10.1.1.1 37653 child 506M 237M 99% bro manager manager 10.1.1.1 37600 parent 640G 46G 37% bro With pure Kafka export there's very few logs on the manager filesystem. 
I don't think this is related to the manager issue but fwiw there's a steady stream of kafka errors even though logging seems to be working: >From /opt/bro_data/logs/current/stderr.log -> (/opt/bro_data/spool/logger-1) %3|1486168762.913|ERROR|rdkafka#producer-15| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168773.922|FAIL|rdkafka#producer-18| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168773.922|ERROR|rdkafka#producer-18| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168775.662|FAIL|rdkafka#producer-19| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168775.663|ERROR|rdkafka#producer-19| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168778.818|FAIL|rdkafka#producer-21| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486168778.819|ERROR|rdkafka#producer-21| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected (...) %3|1486169053.779|ERROR|rdkafka#producer-8| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486169082.658|FAIL|rdkafka#producer-23| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected %3|1486169082.659|ERROR|rdkafka#producer-23| 10.1.1.5:9092/bootstrap: Receive failed: Disconnected [bro at mgr /opt/bro_data/logs]$ date -r 1486169082 Sat Feb 4 00:44:42 UTC 2017 [bro at mgr /opt/bro_data/logs]$ date Sat Feb 4 00:45:08 UTC 2017 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170204/21b01db4/attachment-0001.html From jazoff at illinois.edu Fri Feb 3 20:00:39 2017 From: jazoff at illinois.edu (Azoff, Justin S) Date: Sat, 4 Feb 2017 04:00:39 +0000 Subject: [Bro] Logging and memory leak In-Reply-To: References: Message-ID: <6B204A64-5F4C-4230-8741-9CDD550EC433@illinois.edu> > On Feb 3, 2017, at 7:48 PM, Hovsep Levi wrote: > > No, no custom scripts. 
I found the cluster overwhelmed again today with massive virtual memory usage and an hour after restarting it the same condition returns. > > I'm using a single logger since the last time. It seems when using a Kafka only export a single logger works fine as the event timestamps arriving at Kafka are near realtime. (the "ts" for conn, http, etc.) > > The logger is using 47761, manager is 47762. I took a sample of 5000 packets for each during the high memory usage and it looks like the manager is still receiving logs of some sort dealing with x509 certificates. > > > tcpdump -A -r Bro__Manager_port_47662.pcap | egrep -io '[A-Za-z_:-]{10,}' | sort | uniq -c | sort -rn | head -10 > reading from file Bro__Manager_port_47662.pcap, link-type EN10MB (Ethernet) > 2852 certificate > 2064 Notice::begin_suppressionA > 1800 Conn::IN_ORIG > 739 Authentication > 685 Identifier > 681 Encipherment > 660 validation > 646 Corporation > What timeframe was that pcap for? If the pcap was from an hour or so, it's probably nothing.. but if that was from a few seconds you could have a problem there. The 2000+ things are definitely related to SSL, as well as the other strings in there.. if you look at the raw tcpdump output those would make more sense in the normal order.. The numbers are a little inflated because when the manager sends out something like the Notice::begin_suppression event, it has to send it once to each worker (which is also something that needs to be addressed for better scaling bro). ~2064 events would have been sent out for only ~14 notices events if you had 150 workers. What does your notice.log contain related to SSL. Do you have a TON of notices for Invalid_Server_Cert or something like it? Is your known_certs.log file growing rapidly? using a larger cutoff for head may have shown SSL::Invalid_Server_Cert. 
The 1800 Conn::IN_ORIG are from workers -> manager from policy/frameworks/intel/seen/conn-established.bro One thing you could try is commenting out anything in your config related to ssl or intel, and see if that's stable. That would help narrow down what the problem is. In general, the manager just isn't doing much anymore, so for it to be using that much ram that fast, it would have to be doing something extremely frequently. That's why knowing the timeframe is really important :-) If your cluster is doing something like generating Invalid_Server_Cert notices at an extremely high rate, then it's possible that the manager parent is trying to tell all the workers about it and the manager child is not able to keep up. That kind of fits with this output: manager manager 10.1.1.1 37653 child 506M 237M 100% bro manager manager 10.1.1.1 37600 parent 640G 46G 38% bro -- - Justin Azoff From john at isfaster.com Sat Feb 4 19:20:34 2017 From: john at isfaster.com (John Brown (isFaster)) Date: Sat, 4 Feb 2017 20:20:34 -0700 Subject: [Bro] new to bro, a few questions Message-ID: Hi, I'm new to Bro and I'm wondering how I can do a couple of things: 1. I'd like to basically disable all of the various rules and detection stuff. 2. I'd like to create a simple rule that detects say DNS packets with cpsc.gov in the query or answer Figure it would be best to start simple and then build up rules (either my own, or others) as I need them. Sort of a K&R "Hello World" approach.. Any specifics would be much appreciated. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170204/ecb0ab9b/attachment.html From pyrodie18 at gmail.com Sun Feb 5 12:09:23 2017 From: pyrodie18 at gmail.com (Troy Ward) Date: Sun, 5 Feb 2017 15:09:23 -0500 Subject: [Bro] new to bro, a few questions Message-ID: Not sure that bro is the best choice for what you're looking for. 
Bro is capable of doing what you're asking but this sounds like it may be better to try out SNORT. Bro is much more useful for getting a wide variety of statistics for a wide variety of packets, not just a single DNS packet.

Troy

> Hi, I'm new to Bro and I'm wondering how I can do a couple of things:
>
> 1. I'd like to basically disable all of the various rules and detection stuff.
> 2. I'd like to create a simple rule that detects say DNS packets with cpsc.gov in the query or answer
>
> Figure it would be best to start simple and then build up rules (either my own, or others) as I need them. Sort of a K&R "Hello World" approach..
>
> Any specifics would be much appreciated.
>
> Thank you

From cgaylord at vt.edu Sun Feb 5 12:21:41 2017
From: cgaylord at vt.edu (Clark Gaylord)
Date: Sun, 5 Feb 2017 15:21:41 -0500
Subject: [Bro] new to bro, a few questions

Though if you're thinking the eventuality of more of bro's functionality is possibly in your future, there's something to be said for that. You could retain logs for a couple days or a week, say, and use grep, etc for retaining your query of interest longer. That's probably easier than going into the config and turning off the default reports, though as Troy points out you can do that.
I've never known anyone to say "I wish I didn't have these data" (though perhaps "I wish they didn't take up the space")...

--
Clark Gaylord
cgaylord at vt.edu
... autocorrect may have improved this message
brevity should not imply curtness ...

On Feb 5, 2017 15:11, "Troy Ward" wrote:

Not sure that bro is the best choice for what you're looking for. Bro is capable of doing what you're asking but this sounds like it may be better to try out SNORT. Bro is much more useful for getting a wide variety of statistics for a wide variety of packets, not just a single DNS packet.

Troy

> Hi, I'm new to Bro and I'm wondering how I can do a couple of things:
>
> 1. I'd like to basically disable all of the various rules and detection stuff.
> 2. I'd like to create a simple rule that detects say DNS packets with cpsc.gov in the query or answer
>
> Figure it would be best to start simple and then build up rules (either my own, or others) as I need them. Sort of a K&R "Hello World" approach..
>
> Any specifics would be much appreciated.
>
> Thank you

From anthony.kasza at gmail.com Sun Feb 5 14:03:55 2017
From: anthony.kasza at gmail.com (anthony kasza)
Date: Sun, 5 Feb 2017 15:03:55 -0700
Subject: [Bro] new to bro, a few questions

You may want to look at Bro's "bare mode". It starts Bro without many of Bro's features.

-AK

On Feb 4, 2017 8:23 PM, "John Brown (isFaster)" wrote:

> Hi, I'm new to Bro and I'm wondering how I can do a couple of things:
>
> 1. I'd like to basically disable all of the various rules and detection stuff.
> 2. I'd like to create a simple rule that detects say DNS packets with cpsc.gov in the query or answer
>
> Figure it would be best to start simple and then build up rules (either my own, or others) as I need them.
> Sort of a K&R "Hello World" approach..
>
> Any specifics would be much appreciated.
>
> Thank you

From darkheaven1983 at gmail.com Mon Feb 6 01:13:38 2017
From: darkheaven1983 at gmail.com (duhang)
Date: Mon, 6 Feb 2017 17:13:38 +0800
Subject: [Bro] Content gap breaks application layer analysis

Hi,

I'm using Bro which listens to the nic card connected to a mirror port from a switch to dump http request/response and smtp email for further analysis. The packets received from the mirror port are massively disordered (Unseen ACKed in wireshark). I saw a lot of content gap events which skip the following packets received. A lot of uncompleted http/smtp logs exist which relatively means high packet loss rate from the application layer's perspective.

Is there any workaround/solution to have bi-directional reassembly in this case?

From hosom at battelle.org Mon Feb 6 07:31:23 2017
From: hosom at battelle.org (Hosom, Stephen M)
Date: Mon, 6 Feb 2017 15:31:23 +0000
Subject: [Bro] Remember to double check your DNS resolver configuration

I've been troubleshooting an issue where a single node would have all of its workers grow in memory until they would be OOM killed. The troubleshooting process spanned multiple days and I only happened to come across this with some help from Justin combined with a thread on the issue tracker (https://bro-tracker.atlassian.net/browse/BIT-1482).
Keep in mind that when you are using the MHR script (enabled by default) or the notary script, your Bro workers are performing a LOT of DNS. In my case I was using both. Since lookup_host_txt and lookup_host never return if the worker node doesn't reach a DNS server, this results in what would appear to be a new thread for each new DNS query when your DNS resolvers are misconfigured.

From jlay at slave-tothe-box.net Mon Feb 6 09:32:55 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Mon, 06 Feb 2017 10:32:55 -0700
Subject: [Bro] Extracted files don't rotate
Message-ID: <7072c554eb4d393e84f5f5ae8a37440e@localhost>

Hey all,

So I recently changed the way I run bro at a site. Originally this was run via command line, now I have the below:

[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ethx

[worker-2]
type=worker
host=localhost
interface=ethx

extract_files shows up in worker-2. Here's the extract-files script:

# MIME types worth extracting, mapped to the extension given to the extracted file.
# (application/msword is a legacy .doc, not .xls; corrected from the original "xls".)
global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["application/zip"] = "zip",
	["application/msword"] = "doc",
	["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
	["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
	["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
};

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only extract attachments carried over SMTP.
	if ( f$source != "SMTP" )
		return;

	# Skip files with no sniffed MIME type, or a type we do not care about.
	if ( ! meta?$mime_type || meta$mime_type !in ext_map )
		return;

	# The check above guarantees the lookup succeeds.
	local ext = ext_map[meta$mime_type];
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}

In looking, I see that the files are accumulating and not rotating out. Anything I can do to troubleshoot this? Thank you.

James

From hovsep.sanjay.levi at gmail.com Mon Feb 6 11:14:28 2017
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Mon, 6 Feb 2017 19:14:28 +0000
Subject: [Bro] Logging and memory leak
In-Reply-To: <6B204A64-5F4C-4230-8741-9CDD550EC433@illinois.edu>
References: <6B204A64-5F4C-4230-8741-9CDD550EC433@illinois.edu>

On Sat, Feb 4, 2017 at 4:00 AM, Azoff, Justin S wrote:

> What timeframe was that pcap for? If the pcap was from an hour or so, it's probably nothing.. but if that was from a few seconds you could have a problem there.

The pcap is 9 seconds during the problem timeframe at the peak of system usage.

> The 2000+ things are definitely related to SSL, as well as the other strings in there.. if you look at the raw tcpdump output those would make more sense in the normal order.. The numbers are a little inflated because when the manager sends out something like the Notice::begin_suppression event, it has to send it once to each worker (which is also something that needs to be addressed for better scaling bro). ~2064 events would have been sent out for only ~14 notices events if you had 150 workers.

Good to know. 132 workers.

> What does your notice.log contain related to SSL. Do you have a TON of notices for Invalid_Server_Cert or something like it? Is your known_certs.log file growing rapidly?

Not sure at the moment.

> using a larger cutoff for head may have shown SSL::Invalid_Server_Cert.
> The 1800 Conn::IN_ORIG are from workers -> manager from policy/frameworks/intel/seen/conn-established.bro

It did not but I think that type of message would have been sent to the Logger on a different port.

   2064 Notice::begin_suppression
   1800 Conn::IN_ORIG
    396 Notice::cluster_notice
     26 SumStats::cluster_key_intermediate_response
      1 Intel::match_no_items
      1 Conn::Info

> One thing you could try is commenting out anything in your config related to ssl or intel, and see if that's stable. That would help narrow down what the problem is.
>
> In general, the manager just isn't doing much anymore, so for it to be using that much ram that fast, it would have to be doing something extremely frequently. That's why knowing the timeframe is really important :-)
>
> If your cluster is doing something like generating Invalid_Server_Cert notices at an extremely high rate, then it's possible that the manager parent is trying to tell all the workers about it and the manager child is not able to keep up. That kind of fits with this output:

I'll try that. Seems like I'll be able to narrow down the issue this week. There's a weekly pattern to the failure starting late Thursday and continuing most of the day Friday so I'm guessing either a researcher or an automated scan is the cause.

From lc.taylor at protonmail.com Mon Feb 6 17:16:52 2017
From: lc.taylor at protonmail.com (Lincy Taylor)
Date: Mon, 06 Feb 2017 20:16:52 -0500
Subject: [Bro] Run Bro with inspecting specific protocol only

Hello all:

How to run bro with only necessary module and specific protocol analyzers enabled? I am trying to use Bro to detect huge amount of malicious DNS queries and found the packet dropping rate is higher than 50% in bro with PF_RING enabled.
I was thinking if there's any method to speed up Bro by disabling unnecessary modules and protocol analyzers.

Another problem I am having is I implemented an event handler for the 'log_dns' event in my work and I will get no event logs if I remove the default built-in log stream of DNS with "Log::remove_stream(DNS::LOG)".

Can anyone share with me your experiences? Thanks.

Sent with ProtonMail (https://protonmail.com) Secure Email.

From albertociolini92 at gmail.com Tue Feb 7 08:07:26 2017
From: albertociolini92 at gmail.com (Alberto Ciolini)
Date: Tue, 7 Feb 2017 17:07:26 +0100
Subject: [Bro] Send mail

Hi everyone, I have a little question. How to send email with a simple text message in Bro?

Thanks a lot!

From jdopheid at illinois.edu Tue Feb 7 11:48:25 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Tue, 7 Feb 2017 19:48:25 +0000
Subject: [Bro] Bro4Pros slides

We've posted the slideshow presentations for Bro4Pros, you can find them here:

https://www.bro.org/community/bro4pros2017.html#agenda

Thanks again to the presenters and all of you who were able to join us.
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From jdopheid at illinois.edu Tue Feb 7 13:17:48 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Tue, 7 Feb 2017 21:17:48 +0000
Subject: [Bro] 7-question survey about professional Bro Training
Message-ID: <42F0BB6F-4F77-4F81-9898-682D5C89D81B@illinois.edu>

Hello Bro Community,

We are attempting to gauge interest in professional Bro training, potentially with corresponding certification officially approved by the Bro Project. Let us know about your needs, or the needs of your staff, by filling out this 7-question survey:

https://goo.gl/forms/Cm2MZRYexAzYAQrk2

Thank you,
The Bro Project

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From bro at pingtrip.com Tue Feb 7 16:09:25 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Tue, 7 Feb 2017 19:09:25 -0500
Subject: [Bro] PF_Ring
Message-ID: <44F81CFD-BC3C-46C1-8D40-9985B3E4CDAA@pingtrip.com>

Are there any performance benefits over compiling Bro with pf_ring (--with-pcap=*) versus using the Bro pf_ring plugin? Additionally, if I'm using the ZC drivers (with zbalance_ipc clusters) is the plugin compatible or do I still need to compile Bro with the --with-pcap option?

Also, this documentation is a tad outdated at this point: https://www.bro.org/sphinx-git/configuration/index.html

Thanks!

-Dave

From bro at pingtrip.com Wed Feb 8 04:52:37 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Wed, 8 Feb 2017 07:52:37 -0500
Subject: [Bro] Netmap
Message-ID: <9E525AE1-D515-463B-B815-6C5A0D83CD6C@pingtrip.com>

Related to my other question on PF_Ring?
I just read through Seth's slides on Netmap (https://www.bro.org//bro4pros2017/Hall_Netmap_Bro4Pros2017.pdf) and I'm curious if it's currently a viable solution for production? From the slides it appears to be a much simpler implementation than PF_Ring, while providing the same performance as PF_Ring ZC?

-Dave

From seth at icir.org Wed Feb 8 07:33:35 2017
From: seth at icir.org (Seth Hall)
Date: Wed, 8 Feb 2017 10:33:35 -0500
Subject: [Bro] Netmap
In-Reply-To: <9E525AE1-D515-463B-B815-6C5A0D83CD6C@pingtrip.com>
References: <9E525AE1-D515-463B-B815-6C5A0D83CD6C@pingtrip.com>
Message-ID: <64519771-0846-4E0A-91D0-03C187E512FB@icir.org>

> On Feb 8, 2017, at 7:52 AM, Dave Crawford wrote:
>
> Related to my other question on PF_Ring? I just read through Seth's slides on Netmap (https://www.bro.org//bro4pros2017/Hall_Netmap_Bro4Pros2017.pdf) and I'm curious if it's currently a viable solution for production? From the slides it appears to be a much simpler implementation than PF_Ring, while providing the same performance as PF_Ring ZC?

It is viable with the caveat that it's still a bit in development. I've used it quite a bit and it's been very stable for me. Let me know if you run into any trouble if you try it!

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From shirkdog.bsd at gmail.com Wed Feb 8 07:50:17 2017
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Wed, 8 Feb 2017 10:50:17 -0500
Subject: [Bro] Netmap
In-Reply-To: <64519771-0846-4E0A-91D0-03C187E512FB@icir.org>
References: <9E525AE1-D515-463B-B815-6C5A0D83CD6C@pingtrip.com> <64519771-0846-4E0A-91D0-03C187E512FB@icir.org>

In the FreeBSD sense, 12-CURRENT has a recent check-in of netmap code into the OS/Kernel, which is usable by default.
You have to compile lb from the netmap github repo.

lb compiles and works with 11-STABLE but YMMV with the use of it with the netmap code.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Feb 8, 2017 10:42 AM, "Seth Hall" wrote:

>> On Feb 8, 2017, at 7:52 AM, Dave Crawford wrote:
>>
>> Related to my other question on PF_Ring? I just read through Seth's slides on Netmap (https://www.bro.org//bro4pros2017/Hall_Netmap_Bro4Pros2017.pdf) and I'm curious if it's currently a viable solution for production? From the slides it appears to be a much simpler implementation than PF_Ring, while providing the same performance as PF_Ring ZC?
>
> It is viable with the caveat that it's still a bit in development. I've used it quite a bit and it's been very stable for me. Let me know if you run into any trouble if you try it!
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

From seth at icir.org Wed Feb 8 08:18:45 2017
From: seth at icir.org (Seth Hall)
Date: Wed, 8 Feb 2017 11:18:45 -0500
Subject: [Bro] Netmap
References: <9E525AE1-D515-463B-B815-6C5A0D83CD6C@pingtrip.com> <64519771-0846-4E0A-91D0-03C187E512FB@icir.org>
Message-ID: <8F0EE4A6-D31E-46B3-AEF0-519F22F1061A@icir.org>

Nice! Let me know if you have any problems.

.Seth

> On Feb 8, 2017, at 10:50 AM, Michael Shirk wrote:
>
> In the FreeBSD sense, 12-CURRENT has a recent check-in of netmap code into the OS/Kernel, which is usable by default. You have to compile lb from the netmap github repo.
> lb compiles and works with 11-STABLE but YMMV with the use of it with the netmap code.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
> On Feb 8, 2017 10:42 AM, "Seth Hall" wrote:
>
>>> On Feb 8, 2017, at 7:52 AM, Dave Crawford wrote:
>>>
>>> Related to my other question on PF_Ring? I just read through Seth's slides on Netmap (https://www.bro.org//bro4pros2017/Hall_Netmap_Bro4Pros2017.pdf) and I'm curious if it's currently a viable solution for production? From the slides it appears to be a much simpler implementation than PF_Ring, while providing the same performance as PF_Ring ZC?
>>
>> It is viable with the caveat that it's still a bit in development. I've used it quite a bit and it's been very stable for me. Let me know if you run into any trouble if you try it!
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jdopheid at illinois.edu Wed Feb 8 13:27:41 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Wed, 8 Feb 2017 21:27:41 +0000
Subject: [Bro] 7-question survey about professional Bro Training

Hello,

Pinging this thread again to remind folks to fill out this survey. We're getting some really great feedback already.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

On 2/7/17, 3:17 PM, "bro-bounces at bro.org on behalf of Dopheide, Jeannette M" wrote:

Hello Bro Community,

We are attempting to gauge interest in professional Bro training, potentially with corresponding certification officially approved by the Bro Project.
Let us know about your needs, or the needs of your staff, by filling out this 7-question survey:

https://goo.gl/forms/Cm2MZRYexAzYAQrk2

Thank you,
The Bro Project

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From jlay at slave-tothe-box.net Wed Feb 8 14:01:43 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 08 Feb 2017 15:01:43 -0700
Subject: [Bro] Extracted files don't rotate
In-Reply-To: <7072c554eb4d393e84f5f5ae8a37440e@localhost>
References: <7072c554eb4d393e84f5f5ae8a37440e@localhost>
Message-ID: <9739c7e8dd7e8de7f2b6161a05ea2079@localhost>

Any takers on the below? Thank you.

James

On 2017-02-06 10:32, James Lay wrote:
> Hey all,
>
> So I recently changed the way I run bro at a site. Originally this was
> run via command line, now I have the below:
>
> [logger]
> type=logger
> host=localhost
>
> [manager]
> type=manager
> host=localhost
>
> [proxy-1]
> type=proxy
> host=localhost
>
> [worker-1]
> type=worker
> host=localhost
> interface=ethx
>
> [worker-2]
> type=worker
> host=localhost
> interface=ethx
>
> extract_files shows up in worker-2. Here's the extract-files script:
>
> # MIME types worth extracting, mapped to the extension of the extracted file
> # (application/msword is a legacy .doc; corrected from the original "xls").
> global ext_map: table[string] of string = {
> 	["application/x-dosexec"] = "exe",
> 	["application/zip"] = "zip",
> 	["application/msword"] = "doc",
> 	["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
> 	["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
> 	["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
> };
>
> event file_sniff(f: fa_file, meta: fa_metadata)
> 	{
> 	# Only extract attachments carried over SMTP.
> 	if ( f$source != "SMTP" )
> 		return;
>
> 	# Skip files with no sniffed MIME type, or a type we do not care about.
> 	if ( ! meta?$mime_type || meta$mime_type !in ext_map )
> 		return;
>
> 	local ext = ext_map[meta$mime_type];
> 	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
> 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> 	}
>
> In looking, I see that the files are accumulating and not rotating out.
> Anything I can do to troubleshoot this? Thank you.
>
> James

From jazoff at illinois.edu Wed Feb 8 14:10:54 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 8 Feb 2017 22:10:54 +0000
Subject: [Bro] Extracted files don't rotate
In-Reply-To: <7072c554eb4d393e84f5f5ae8a37440e@localhost>
References: <7072c554eb4d393e84f5f5ae8a37440e@localhost>

> On Feb 6, 2017, at 12:32 PM, James Lay wrote:
>
> Hey all,
> In looking, I see that the files are accumulating and not rotating out.
> Anything I can do to troubleshoot this? Thank you.

Ah yes.. Extracted files aren't managed by anything. If you want files archived in a specific way you need to extract them to the full path that you want or setup a cron job to move+compress them periodically.

If you had something specific in mind I could probably whip up an example script for you.

--
- Justin Azoff

From jlay at slave-tothe-box.net Wed Feb 8 14:17:49 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 08 Feb 2017 15:17:49 -0700
Subject: [Bro] Extracted files don't rotate
References: <7072c554eb4d393e84f5f5ae8a37440e@localhost>
Message-ID: <8ef08f1c450bfd0fbf71c49fe853abf5@localhost>

On 2017-02-08 15:10, Azoff, Justin S wrote:
>> On Feb 6, 2017, at 12:32 PM, James Lay wrote:
>>
>> Hey all,
>> In looking, I see that the files are accumulating and not rotating out.
>> Anything I can do to troubleshoot this? Thank you.
>
> Ah yes.. Extracted files aren't managed by anything.
> If you want files archived in a specific way you need to extract them to the full
> path that you want or setup a cron job to move+compress them periodically.
>
> If you had something specific in mind I could probably whip up an
> example script for you.

Thanks Justin that's helpful. So as I look at my old setup I see that I indeed had move and compress manually on a cron job, so I'll just do that for the extract_files dir. Maybe a feature request down the road would be (maybe in broctl.conf) to be able to add "pre" rotate and "post" rotate scripts. Just a thought.

James

From deshmukh at slac.stanford.edu Wed Feb 8 14:55:11 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Wed, 8 Feb 2017 22:55:11 +0000
Subject: [Bro] Netmap plugin issue
Message-ID: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu>

Hello,

I am trying to build the netmap plugin with Bro 2.5 and am getting the following error:

[root at bro netmap]# ./configure --bro-dist=/home/bro/bro-2.5 --install-root=/var/bro --with-netmap=/home/bro/netmap-corelight_updates
Build Directory      : build
Bro Source Directory : /home/bro/bro-2.5
-- The C compiler identification is GNU 4.8.5
-- The CXX compiler identification is GNU 4.8.5
-- Check for working C compiler: /bin/cc
-- Check for working C compiler: /bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /bin/c++
-- Check for working CXX compiler: /bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Performing Test cxx11_header_works
-- Performing Test cxx11_header_works - Success
-- Bro executable      : /home/bro/bro-2.5/build/src/bro
-- Bro source          : /home/bro/bro-2.5
-- Bro build           : /home/bro/bro-2.5/build
-- Bro install prefix  : /var/bro
-- Bro plugin directory: /var/bro
-- Bro debug mode      : false
-- Could NOT find Netmap (missing: NETMAP_INCLUDE_DIR)
CMake Error at CMakeLists.txt:20 (message):
  Netmap headers not found.
-- Configuring incomplete, errors occurred!
See also "/home/bro/bro-2.5/aux/plugins/netmap/build/CMakeFiles/CMakeOutput.log".

Any suggestions?

Thanks,
Andy

From seth at icir.org Wed Feb 8 19:15:54 2017
From: seth at icir.org (Seth Hall)
Date: Wed, 8 Feb 2017 22:15:54 -0500
Subject: [Bro] Extracted files don't rotate
In-Reply-To: <8ef08f1c450bfd0fbf71c49fe853abf5@localhost>
References: <7072c554eb4d393e84f5f5ae8a37440e@localhost> <8ef08f1c450bfd0fbf71c49fe853abf5@localhost>

> On Feb 8, 2017, at 5:17 PM, James Lay wrote:
>
> Thanks Justin that's helpful. So as I look at my old setup I see that I
> indeed had move and compress manually on a cron job, so I'll just do
> that for the extract_files dir. Maybe a feature request down the road
> would be (maybe in broctl.conf) to be able to add "pre" rotate and
> "post" rotate scripts. Just a thought.

This has been a bit of a sticking point for quite a while. Part of the issue is the diversity in how clusters are run and managed. It's hard to create one solution which works for everyone's deployment.

I've been hoping to spend some time rejiggering how file extraction happens a little bit this year but I'd be glad to see anyone else beat me to it. It's a deceptively sneaky issue.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Feb 8 19:17:23 2017
From: seth at icir.org (Seth Hall)
Date: Wed, 8 Feb 2017 22:17:23 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu>
Message-ID: <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org>

> On Feb 8, 2017, at 5:55 PM, Deshmukh, Andy wrote:
>
> -- Could NOT find Netmap (missing: NETMAP_INCLUDE_DIR)
> CMake Error at CMakeLists.txt:20 (message):
>   Netmap headers not found.

Unfortunately in the plugin that comes with 2.5, you need netmap installed on the system you're building on. We're going to be making changes for the 2.6 release so that nothing is required from netmap at build time and it is just built by default and included in Bro.

If you install netmap, does the problem go away?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jlay at slave-tothe-box.net Thu Feb 9 05:09:48 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Thu, 09 Feb 2017 06:09:48 -0700
Subject: [Bro] Extracted files don't rotate
References: <7072c554eb4d393e84f5f5ae8a37440e@localhost> <8ef08f1c450bfd0fbf71c49fe853abf5@localhost>
Message-ID: <1486645788.2453.5.camel@slave-tothe-box.net>

On Wed, 2017-02-08 at 22:15 -0500, Seth Hall wrote:
>> On Feb 8, 2017, at 5:17 PM, James Lay wrote:
>>
>> Thanks Justin that's helpful. So as I look at my old setup I see that I
>> indeed had move and compress manually on a cron job, so I'll just do
>> that for the extract_files dir. Maybe a feature request down the road
>> would be (maybe in broctl.conf) to be able to add "pre" rotate and
>> "post" rotate scripts. Just a thought.
> This has been a bit of a sticking point for quite a while. Part of
> the issue is the diversity in how clusters are run and managed. It's
> hard to create one solution which works for everyone's deployment.
>
> I've been hoping to spend some time rejiggering how file extraction
> happens a little bit this year but I'd be glad to see anyone else
> beat me to it. It's a deceptively sneaky issue.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Appreciate the feedback all.

James

From jdopheid at illinois.edu Thu Feb 9 06:39:41 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Thu, 9 Feb 2017 14:39:41 +0000
Subject: [Bro] Bro Blog: Software Freedom Conservancy fund drive

In October of 2015 we announced that the Bro Project joined Software Freedom Conservancy. Conservancy is a not-for-profit organization that helps promote, improve, develop, and defend Free, Libre, and Open Source Software (FLOSS) projects. You are likely familiar with many of its member projects, including Git, BusyBox, Samba, and PyPy.

We chose to join Conservancy for several reasons: it builds community transparency and trust, provides legal protection for contributors, clarifies intellectual property, and signifies longevity for the project. They leave the technical and artistic control of the project to the contributors and community. With the guidance of Conservancy we have formed a leadership team, applied for a trademark, and created a donation and sponsorship framework for community members to give back to the project.
This may seem like stuffy paperwork but it is the real work necessary for maintaining a sustainable open-source project.

Now it is our turn to help bring the Bro Community to the aid of Conservancy. Conservancy funds its organization by taking a 10% share of donations to member projects; however, that is nowhere near enough to fully fund its staff and services. They also rely on donations from people and organizations that are passionate about supporting FLOSS projects. An anonymous donor has challenged Software Freedom Conservancy with the task of signing up 150 supporters in one week; the deadline is this Monday (February 13th).

Donate here

If you support the Bro Project, thank you. Please consider including Conservancy in the support network necessary for keeping the Bro Project running.

(Blog originally posted here.)

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From seth at icir.org Thu Feb 9 10:22:01 2017
From: seth at icir.org (Seth Hall)
Date: Thu, 9 Feb 2017 13:22:01 -0500
Subject: [Bro] Remember to double check your DNS resolver configuration
In-Reply-To:
References:
Message-ID: <3913C8F3-D62E-45FA-8D31-7EC1302DB86D@icir.org>

Did evidence of this show up in stats.log? There are some fields that track the amount of DNS actively being performed by Bro in there.
.Seth

> On Feb 6, 2017, at 10:31 AM, Hosom, Stephen M wrote:
>
> I've been troubleshooting an issue where a single node would have all of its workers grow in memory until they would be OOM killed. The troubleshooting process spanned multiple days and I only happened to come across this with some help from Justin combined with a thread on the issue tracker (https://bro-tracker.atlassian.net/browse/BIT-1482).
>
> Keep in mind that when you are using the MHR script (enabled by default) or the notary script, your Bro workers are performing a LOT of DNS. In my case I was using both. Since lookup_host_txt and lookup_host never return if the worker node doesn't reach a DNS server, this results in what would appear to be a new thread for each new DNS query when your DNS resolvers are misconfigured.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From vladg at illinois.edu Thu Feb 9 11:37:44 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Thu, 09 Feb 2017 13:37:44 -0600
Subject: [Bro] Information on OCSP and CRL
In-Reply-To:
References:
Message-ID:

Tony,

There's an optional script for OCSP validation:

https://github.com/bro/bro/blob/v2.5/scripts/policy/protocols/ssl/validate-ocsp.bro

To use:

    @load protocols/ssl/validate-ocsp

--Vlad

Tony Waller writes:

> I am looking for additional information on utilizing OCSP and CRL in Bro NSM. I would like to know if certificates from clients can be checked in real-time or near real-time against a CRL? Also, can Bro NSM perform an OCSP request to a RA and check a certificate to determine if it is valid? If this is the case where in Bro NSM do you set the address for the RA or CRL responder?
>
> Sincerely,
>
> Tony
>
>
> Tony Waller, CISSP
> Director, Systems Engineering
> Bivio Networks, Inc.
> "Powering Advanced Cyber Operations" (TM)
> Mobile (443) 994-0936
>
> *Note: The information contained in this email is confidential. This information is intended only for the individual, individuals or entity to whom it is addressed. If you are not the intended recipient(s), the employee or agent responsible for delivering it to the intended recipient(s), you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please return the original message to us by email and delete or destroy any copies. Please note any views or opinions expressed or presented in this email are solely those of the author and do not necessarily represent those of Bivio Networks, Inc. The recipient should check this email or any attachments for the presence of viruses or malware. Bivio Networks, Inc. accepts no responsibility for any damage caused by any virus or malware transmitted by this email. Thank you.
>
> Think Green when printing

From jdopheid at illinois.edu Thu Feb 9 13:19:03 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Thu, 9 Feb 2017 21:19:03 +0000
Subject: [Bro] 7-question survey about professional Bro Training
In-Reply-To:
References:
Message-ID:

Hello again, last call for filling out this survey, we'll close it tomorrow (Friday) at noon CST.
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

On 2/8/17, 3:27 PM, "bro-bounces at bro.org on behalf of Dopheide, Jeannette M" wrote:

> Hello,
>
> Pinging this thread again to remind folks to fill out this survey. We're getting some really great feedback already.
>
> ------
> Jeannette Dopheide
> Training and Outreach Coordinator
> National Center for Supercomputing Applications
> University of Illinois at Urbana-Champaign
>
> On 2/7/17, 3:17 PM, "bro-bounces at bro.org on behalf of Dopheide, Jeannette M" wrote:
>
> > Hello Bro Community,
> >
> > We are attempting to gauge interest in professional Bro training, potentially with corresponding certification officially approved by the Bro Project. Let us know about your needs, or the needs of your staff, by filling out this 7-question survey:
> >
> > https://goo.gl/forms/Cm2MZRYexAzYAQrk2
> >
> > Thank you,
> > The Bro Project
> >
> > ------
> > Jeannette Dopheide
> > Training and Outreach Coordinator
> > National Center for Supercomputing Applications
> > University of Illinois at Urbana-Champaign

From wren3 at illinois.edu Thu Feb 9 13:20:59 2017
From: wren3 at illinois.edu (Ren, Wenyu)
Date: Thu, 9 Feb 2017 21:20:59 +0000
Subject: [Bro] Question about installing broker
Message-ID:

Dear all,

I have a problem installing Broker. I installed CAF from the source. When I tried to install Broker, I got the following error.

    Build Directory : build
    Source Directory: /home/rwy/Downloads/broker
    -- Found CAF: /usr/local/lib/libcaf_core.so;/usr/local/lib/libcaf_io.so found components: core io
    CMake Error at CMakeLists.txt:21 (message):
      Broker requires CAF version 0.14, older and newer versions are not supported.
      Detected version: 0.15.3

    -- Configuring incomplete, errors occurred!
    See also "/home/rwy/Downloads/broker/build/CMakeFiles/CMakeOutput.log".

It seems that Broker only supports CAF version 0.14 but not any higher version. Is there a workaround for this? Or do I need to find a lower version of CAF to install?

And all the examples in Broker's documents are in C. Are there any python examples to show how to use Broker in python?

Thanks a lot.

Wenyu

From espressobeanies at gmail.com Thu Feb 9 13:26:01 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Thu, 9 Feb 2017 16:26:01 -0500
Subject: [Bro] Question on redefining Bro variables
Message-ID:

Good afternoon,

Where would it be best to redefine Bro variables? Should they all be in the local.bro file or individual main.bro files for each module?

Thanks in advance,

From anthony.kasza at gmail.com Thu Feb 9 13:50:06 2017
From: anthony.kasza at gmail.com (anthony kasza)
Date: Thu, 9 Feb 2017 14:50:06 -0700
Subject: [Bro] Question on redefining Bro variables
In-Reply-To:
References:
Message-ID:

Personally, I make my own directory of scripts and modules and @load them from the local.bro file.

-AK

On Feb 9, 2017 2:33 PM, "Espresso Beanies" wrote:

> Good afternoon,
>
> Where would it be best to redefine Bro variables? Should they all be in the local.bro file or individual main.bro files for each module?
>
> Thanks in advance,
From dnthayer at illinois.edu Thu Feb 9 13:59:09 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 9 Feb 2017 15:59:09 -0600
Subject: [Bro] Question about installing broker
In-Reply-To:
References:
Message-ID: <6c8eef0e-982a-1d9f-0119-c6dce1807962@illinois.edu>

You can download older versions of CAF from this page:

https://github.com/actor-framework/actor-framework/releases

On 2/9/17 3:20 PM, Ren, Wenyu wrote:
> It seems that Broker only supports CAF version 0.14 but not any higher version. Is there a workaround for this? Or do I need to find a lower version of CAF to install?

From deshmukh at slac.stanford.edu Fri Feb 10 10:29:47 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Fri, 10 Feb 2017 18:29:47 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To: <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org>
Message-ID: <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu>

Yes, the issue was resolved and I was able to install the plugin.
However, we have two 10 gig NICs on the Bro worker node and netmap cannot allocate memory for the second interface.

    [root at sec-bro04 ]# lb -i em1 -B 1024 -p broem1:10
    881.534306 main [637] interface is em1
    881.534384 main [658] requested 1024 extra buffers
    883.371747 main [772] successfully opened netmap:em1 (tx rings: 512)
    883.371818 main [783] obtained 1024 extra buffers

    [root at sec-bro04 ]# lb -i em2 -B 1024 -p broem2:10
    014.454468 main [637] interface is em2
    014.454555 main [658] requested 1024 extra buffers
    014.501811 nm_open [920] NIOCREGIF failed: Cannot allocate memory em2
    014.501828 main [768] cannot open netmap:em2

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Wednesday, February 8, 2017 7:17 PM
To: Deshmukh, Andy
Cc: bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> If you install netmap, does the problem go away?

From deshmukh at slac.stanford.edu Fri Feb 10 15:43:25 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Fri, 10 Feb 2017 23:43:25 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To:
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu>
Message-ID: <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>

In my case only 5 instances are running per NIC; cannot run 10/NIC as it crashes. I modified the lb_procs to 5 in node.cfg.

However, I am not seeing any packet forwarded or dropped. Do you see that on the running instances?

From: Dave Crawford [mailto:dave at pingtrip.com]
Sent: Friday, February 10, 2017 3:20 PM
To: Deshmukh, Andy
Cc: Seth Hall ; bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> On Feb 10, 2017, at 1:29 PM, Deshmukh, Andy wrote:
>
> > However, we have two 10 gig NICs on the Bro worker node and netmap cannot allocate memory for the second interface.
>
> I just ran into the same issue. I have an IGB and IXGBE NIC and some of the workers monitoring the IXGBE nic fail to start.
> From broctl diag:
>
>     113.929963 nm_open [920] NIOCREGIF failed: Cannot allocate memory
>     bro}1 fatal error: problem with interface netmap::bro}1 (Cannot allocate memory)
>
> MID_GLR is the IGB and 5 workers started without issue. Only 3 of 10 on the IXGBE interface started:
>
>     Name           Type     Host         Status    Pid    Started
>     MGR_INT        manager  x.y.217.48   running   7697   10 Feb 18:08:29
>     MID_INT_PXY_1  proxy    x.y.5.149    running   7086   10 Feb 18:08:31
>     MID_GLR-1      worker   x.y.5.149    running   7265   10 Feb 18:08:32
>     MID_GLR-2      worker   x.y.5.149    running   7270   10 Feb 18:08:32
>     MID_GLR-3      worker   x.y.5.149    running   7296   10 Feb 18:08:32
>     MID_GLR-4      worker   x.y.5.149    running   7292   10 Feb 18:08:32
>     MID_GLR-5      worker   x.y.5.149    running   7302   10 Feb 18:08:32
>     MID_INT-1      worker   x.y.5.149    crashed
>     MID_INT-10     worker   x.y.5.149    crashed
>     MID_INT-2      worker   x.y.5.149    crashed
>     MID_INT-3      worker   x.y.5.149    running   7331   10 Feb 18:08:32
>     MID_INT-4      worker   x.y.5.149    crashed
>     MID_INT-5      worker   x.y.5.149    running   7339   10 Feb 18:08:32
>     MID_INT-6      worker   x.y.5.149    running   7345   10 Feb 18:08:32
>     MID_INT-7      worker   x.y.5.149    crashed
>     MID_INT-8      worker   x.y.5.149    crashed
>     MID_INT-9      worker   x.y.5.149    crashed
>
> -Dave

From bro at pingtrip.com Fri Feb 10 15:47:59 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Fri, 10 Feb 2017 18:47:59 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>
Message-ID:

> On Feb 10, 2017, at 6:43 PM, Deshmukh, Andy wrote:
>
> In my case only 5 instances are running per NIC; cannot run 10/NIC as it crashes.
> I modified the lb_procs to 5 in node.cfg.
> However, I am not seeing any packet forwarded or dropped. Do you see that on the running instances?

I can get 10 instances to run on the x520 if I comment out the IGB worker in node.cfg. I'm wondering if the issue has to do with memory allocations done when the netmap kernel module loads. Do we need to tweak them in modprobe.d to account for two instances requesting X number of buffers?

    "data_forward_rate_Mbps": 330.0390,
    "data_drop_rate_Mbps": 0.0000,
    "packet_forward_rate_kpps": 71.5200,
    "packet_drop_rate_kpps": 0.0000,

-Dave

From deshmukh at slac.stanford.edu Fri Feb 10 16:05:41 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Sat, 11 Feb 2017 00:05:41 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To:
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>
Message-ID:

I did tweak it by putting this in /etc/modprobe.d/netmap.conf:

    options netmap default_pipes=1000
    options netmap ring_num=1024
    options netmap buf_num=655360
    options netmap if_num=1024
    options netmap ring_size=100000
    options netmap buf_size=4096
    options netmap if_size=4096

However, when I run:

    [sec-bro04 ~]$ lb -i em1 -B 1000 -p broem1:5 &
    [sec-bro04 ~]$ lb -i em2 -B 1000 -p broem2:5 &

Ring stats:

    Feb 10 16:03:54 sec-bro04 lb: {"ts":1486771434.006337,"input_interface":"netmap:em1","output_interface":"netmap:broem1{0/xT at 1","packets_forwarded":0,"packets_dropped":0,"data_forward_rate_Mbps":0.0000, "data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.0000,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 16:03:54 sec-bro04 lb:
    {"ts":1486771434.668234,"input_interface":"netmap:em2","output_interface":"netmap:broem2{0/xT at 1","packets_forwarded":0,"packets_dropped":0,"data_forward_rate_Mbps":0.0000, "data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.0000,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}

From: Dave Crawford [mailto:bro at pingtrip.com]
Sent: Friday, February 10, 2017 3:48 PM
To: Deshmukh, Andy
Cc: Seth Hall ; bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> Do we need to tweak them in modprobe.d to account for two instances requesting X number of buffers?
From seth at icir.org Fri Feb 10 18:53:49 2017
From: seth at icir.org (Seth Hall)
Date: Fri, 10 Feb 2017 21:53:49 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu>
Message-ID: <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org>

> On Feb 10, 2017, at 6:43 PM, Deshmukh, Andy wrote:
>
> In my case only 5 instances are running per NIC; cannot run 10/NIC as it crashes. I modified the lb_procs to 5 in node.cfg.
> However, I am not seeing any packet forwarded or dropped. Do you see that on the running instances?

Netmap doesn't currently mark interfaces as promiscuous when it connects. If you manually mark the interface promisc, do you get packets?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From deshmukh at slac.stanford.edu Fri Feb 10 19:07:00 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Sat, 11 Feb 2017 03:07:00 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To: <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org>
Message-ID: <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu>

Yea!! I totally forgot about that...

But the packet_drop is very high! Is it because of the tweaks in modprobe.d?
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"input_interface":"netmap:em1","output_interface":"netmap:broem1{0/xT at 1","packets_forwarded":66870,"packets_dropped":112000,"data_forward_rate_Mbps":9.5147,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.9570,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"input_interface":"netmap:em1","output_interface":"netmap:broem1{1/xT at 1","packets_forwarded":56280,"packets_dropped":90700,"data_forward_rate_Mbps":11.9930,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":1.5820,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"input_interface":"netmap:em1","output_interface":"netmap:broem1{2/xT at 1","packets_forwarded":51795,"packets_dropped":83500,"data_forward_rate_Mbps":10.2431,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.8180,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"input_interface":"netmap:em1","output_interface":"netmap:broem1{3/xT at 1","packets_forwarded":535398,"packets_dropped":924500,"data_forward_rate_Mbps":175.7472,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":13.4440,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"input_interface":"netmap:em1","output_interface":"netmap:broem1{4/xT at 1","packets_forwarded":228411,"packets_dropped":370900,"data_forward_rate_Mbps":13.0369,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":2.8260,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.253931,"interface":"netmap:em1","packets_received":2522287,"packets_forwarded":938754,"packets_dropped":1581600,"non_ip_packets":54442,"data_forward_rate_Mbps":220.5349,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":19.6260,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":1000}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"input_interface":"netmap:em2","output_interface":"netmap:broem2{0/xT at 1","packets_forwarded":200176,"packets_dropped":297700,"data_forward_rate_Mbps":3.0338,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":2.2230,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"input_interface":"netmap:em2","output_interface":"netmap:broem2{1/xT at 1","packets_forwarded":18104,"packets_dropped":46000,"data_forward_rate_Mbps":0.1089,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.0960,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"input_interface":"netmap:em2","output_interface":"netmap:broem2{2/xT at 1","packets_forwarded":18740,"packets_dropped":20400,"data_forward_rate_Mbps":0.5375,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.4710,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"input_interface":"netmap:em2","output_interface":"netmap:broem2{3/xT at 1","packets_forwarded":26775,"packets_dropped":31500,"data_forward_rate_Mbps":0.0908,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":0.0700,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"input_interface":"netmap:em2","output_interface":"netmap:broem2{4/xT at 1","packets_forwarded":235348,"packets_dropped":358200,"data_forward_rate_Mbps":3.4327,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":2.6540,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
    Feb 10 19:04:59 sec-bro04 lb: {"ts":1486782299.255037,"interface":"netmap:em2","packets_received":1255048,"packets_forwarded":499143,"packets_dropped":753800,"non_ip_packets":47454,"data_forward_rate_Mbps":7.2036,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":5.5130,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":1000}

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Friday, February 10, 2017 6:54 PM
To: Deshmukh, Andy
Cc: Dave Crawford ; bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> Netmap doesn't currently mark interfaces as promiscuous when it connects. If you manually mark the interface promisc, do you get packets?

From bro at pingtrip.com Fri Feb 10 20:24:51 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Fri, 10 Feb 2017 23:24:51 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu>
Message-ID: <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>

> On Feb 10, 2017, at 10:07 PM, Deshmukh, Andy wrote:
>
> Yea!! I totally forgot about that...
> But the packet_drop is very high! Is it because of the tweaks in modprobe.d?

I have the same observations Andy.
    {"ts":1486786393.408004,"interface":"netmap:eth6","packets_received":3816916,"packets_forwarded":2495606,"packets_dropped":1213100,"non_ip_packets":2014,"data_forward_rate_Mbps":93.6190,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":29.4030,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":100000}

Wouldn't a 30% packet loss result in a high number of weird.log messages as well as a high capture_loss? Bro is reporting under 1% for that worker.

    1486786916.930127  600.000012  MID_INT-9   21  120263  0.017462
    1486786916.899102  600.000025  MID_INT-2   26  113792  0.022849
    1486786916.913207  600.000046  MID_INT-5   17  114020  0.01491
    1486786917.062056  600.000040  MID_INT-1   37  122988  0.030084
    1486786916.899164  600.000046  MID_INT-6   20  117978  0.016952
    1486786916.898184  600.000043  MID_INT-8   10  117535  0.008508
    1486786916.899106  600.000023  MID_INT-10  31  135819  0.022824
    1486786916.899611  600.000023  MID_INT-3   19  130912  0.014514
    1486786916.902911  600.000014  MID_INT-7   24  144454  0.016614
    1486786916.897984  600.000029  MID_INT-4   25  106400  0.023496

-Dave

From deshmukh at slac.stanford.edu Sat Feb 11 10:35:16 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Sat, 11 Feb 2017 18:35:16 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To: <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>
Message-ID:

Hmm, that's interesting.
For me Bro is reporting the capture loss which kind of matches the overall netmap stats and it is very high:

    1486814690.289371  900.000065  sec-bro04-1-1  4983    28153   17.699712
    1486814690.296848  900.000132  sec-bro04-1-5  29050   69353   41.887157
    1486814690.283136  900.000080  sec-bro04-1-4  221424  242109  91.456328
    1486814690.315410  900.000052  sec-bro04-1-2  26613   65599   40.569216
    1486814690.300392  900.000025  sec-bro04-1-3  7591    34491   22.00864
    1486815590.289398  900.000027  sec-bro04-1-1  15437   42078   36.68663
    1486815590.315530  900.000120  sec-bro04-1-2  913     9650    9.46114
    1486815590.283290  900.000154  sec-bro04-1-4  40906   49390   82.822434

From: Dave Crawford [mailto:bro at pingtrip.com]
Sent: Friday, February 10, 2017 8:25 PM
To: Deshmukh, Andy
Cc: Seth Hall ; bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> Wouldn't a 30% packet loss result in a high number of weird.log messages as well as a high capture_loss? Bro is reporting under 1% for that worker.

From seth at icir.org Sat Feb 11 18:12:04 2017
From: seth at icir.org (Seth Hall)
Date: Sat, 11 Feb 2017 21:12:04 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>
Message-ID: <34BAF267-69FE-4DF9-8516-B4689DCB3819@icir.org>

> On Feb 10, 2017, at 11:24 PM, Dave Crawford wrote:
>
> {"ts":1486786393.408004,"interface":"netmap:eth6","packets_received":3816916,"packets_forwarded":2495606,"packets_dropped":1213100,"non_ip_packets":2014,"data_forward_rate_Mbps":93.6190,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":29.4030,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":100000}

What's more interesting for me here is that the packet_drop_rate_kpps is 0.
What could have happened is that the packets were lost because Bro processes hadn't been started yet. It seems to me from this line that ~100Mbps of traffic is flowing with no packets being lost.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Sat Feb 11 18:13:29 2017
From: seth at icir.org (Seth Hall)
Date: Sat, 11 Feb 2017 21:13:29 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To:
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com>
Message-ID: <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org>

> On Feb 11, 2017, at 1:35 PM, Deshmukh, Andy wrote:
>
> Hmm, that's interesting. For me Bro is reporting the capture loss which kind of matches the overall netmap stats and it is very high:
>
> 1486814690.289371 900.000065 sec-bro04-1-1 4983 28153 17.699712
> 1486814690.296848 900.000132 sec-bro04-1-5 29050 69353 41.887157
> 1486814690.283136 900.000080 sec-bro04-1-4 221424 242109 91.456328
> 1486814690.315410 900.000052 sec-bro04-1-2 26613 65599 40.569216
> 1486814690.300392 900.000025 sec-bro04-1-3 7591 34491 22.00864
> 1486815590.289398 900.000027 sec-bro04-1-1 15437 42078 36.68663
> 1486815590.315530 900.000120 sec-bro04-1-2 913 9650 9.46114
> 1486815590.283290 900.000154 sec-bro04-1-4 40906 49390 82.822434

During the time where the data was collected for this capture-loss log, what was the output of lb showing? Did it show any bursts of loss?
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From deshmukh at slac.stanford.edu Sat Feb 11 21:58:04 2017
From: deshmukh at slac.stanford.edu (Deshmukh, Andy)
Date: Sun, 12 Feb 2017 05:58:04 +0000
Subject: [Bro] Netmap plugin issue
In-Reply-To: <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org>
Message-ID: <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>

Capture_loss event:

1486803890.282458 900.000048 sec-bro04-1-4 28622 35953 79.60949

Lb logs:

Feb 11 01:04:50 sec-bro04 lb: {"ts":1486803890.238885,"input_interface":"netmap:em1","output_interface":"netmap:broem1{4/xT@1","packets_forwarded":6664358,"packets_dropped":177568,"data_forward_rate_Mbps":3.1411,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":2.0600,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}

On other interfaces it does show some loss but nothing substantial.

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Saturday, February 11, 2017 6:13 PM
To: Deshmukh, Andy
Cc: Dave Crawford; bro at bro.org
Subject: Re: [Bro] Netmap plugin issue

> On Feb 11, 2017, at 1:35 PM, Deshmukh, Andy wrote:
>
> Hmm, that's interesting.
> For me Bro is reporting the capture loss which kind of matches the overall netmap stats and it is very high:
>
> 1486814690.289371 900.000065 sec-bro04-1-1 4983 28153 17.699712
> 1486814690.296848 900.000132 sec-bro04-1-5 29050 69353 41.887157
> 1486814690.283136 900.000080 sec-bro04-1-4 221424 242109 91.456328
> 1486814690.315410 900.000052 sec-bro04-1-2 26613 65599 40.569216
> 1486814690.300392 900.000025 sec-bro04-1-3 7591 34491 22.00864
> 1486815590.289398 900.000027 sec-bro04-1-1 15437 42078 36.68663
> 1486815590.315530 900.000120 sec-bro04-1-2 913 9650 9.46114
> 1486815590.283290 900.000154 sec-bro04-1-4 40906 49390 82.822434

During the time where the data was collected for this capture-loss log, what was the output of lb showing? Did it show any bursts of loss?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From pssunu6 at gmail.com Sun Feb 12 01:31:21 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Sun, 12 Feb 2017 15:01:21 +0530
Subject: [Bro] bro_intel feeds as csv file
Message-ID:

Hi all,

Is it possible to generate bro_intel txt files in .CSV format? My format:

#fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in meta.whitelist
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -
# Intel::ADDR binarydefense-ip - T - -

I need to change these feeds to a csv format.

Regards,
Sunu
From bro at pingtrip.com Sun Feb 12 04:15:56 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Sun, 12 Feb 2017 07:15:56 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
Message-ID:

My LB stats are similar, but Bro isn't reflecting a loss:

Feb 11 04:58:02 mid-csignsm-01 lb[3144]: {"ts":1486807082.815681,"interface":"netmap:eth6","packets_received":739258266,"packets_forwarded":737718676,"packets_dropped":1213100,"non_ip_packets":371283,"data_forward_rate_Mbps":758.6328,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":102.7250,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":100000}

The next cycle of capture_loss shows less than 1% loss for the 10 workers:

2017-02-11T05:01:56-0500 600.000119 MID_INT-2 5 102927 0.004858
2017-02-11T05:01:56-0500 600.000015 MID_INT-4 7 107577 0.006507
2017-02-11T05:01:56-0500 600.000053 MID_INT-9 6 101979 0.005884
2017-02-11T05:01:56-0500 600.000016 MID_INT-3 1 304887 0.000328
2017-02-11T05:01:56-0500 600.000543 MID_INT-10 5 186552 0.00268
2017-02-11T05:01:56-0500 600.000009 MID_INT-5 6 101433 0.005915
2017-02-11T05:01:56-0500 600.000005 MID_INT-6 5 110256 0.004535
2017-02-11T05:01:56-0500 600.000085 MID_INT-7 1 98164 0.001019
2017-02-11T05:01:56-0500 600.000041 MID_INT-8 4 99979 0.004001
2017-02-11T05:01:57-0500 600.000047 MID_INT-1 3 90591 0.003312

I also noticed that Andy's LB output is slightly different. His displays the free buffers as "overflow_queue_size" where my output is "free_buffer_slots".

Also Andy, your overflow queue size is "0", did you define one and it's been depleted? Creating one, or increasing the size may help with the Bro dropped packets.

-Dave

> On Feb 12, 2017, at 12:58 AM, Deshmukh, Andy wrote:
>
> Capture_loss event:
> 1486803890.282458 900.000048 sec-bro04-1-4 28622 35953 79.60949
>
> Lb logs:
> Feb 11 01:04:50 sec-bro04 lb: {"ts":1486803890.238885,"input_interface":"netmap:em1","output_interface":"netmap:broem1{4/xT@1","packets_forwarded":6664358,"packets_dropped":177568,"data_forward_rate_Mbps":3.1411,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":2.0600,"packet_drop_rate_kpps":0.0000,"overflow_queue_size":0}
>
> On other interfaces it does show some loss but nothing substantial.
>
> -----Original Message-----
> From: Seth Hall [mailto:seth at icir.org]
> Sent: Saturday, February 11, 2017 6:13 PM
> To: Deshmukh, Andy
> Cc: Dave Crawford; bro at bro.org
> Subject: Re: [Bro] Netmap plugin issue
>
>
>> On Feb 11, 2017, at 1:35 PM, Deshmukh, Andy wrote:
>>
>> Hmm, that's interesting.
>> For me Bro is reporting the capture loss which kind of matches the overall netmap stats and it is very high:
>>
>> 1486814690.289371 900.000065 sec-bro04-1-1 4983 28153 17.699712
>> 1486814690.296848 900.000132 sec-bro04-1-5 29050 69353 41.887157
>> 1486814690.283136 900.000080 sec-bro04-1-4 221424 242109 91.456328
>> 1486814690.315410 900.000052 sec-bro04-1-2 26613 65599 40.569216
>> 1486814690.300392 900.000025 sec-bro04-1-3 7591 34491 22.00864
>> 1486815590.289398 900.000027 sec-bro04-1-1 15437 42078 36.68663
>> 1486815590.315530 900.000120 sec-bro04-1-2 913 9650 9.46114
>> 1486815590.283290 900.000154 sec-bro04-1-4 40906 49390 82.822434
>
> During the time where the data was collected for this capture-loss log, what was the output of lb showing? Did it show any bursts of loss?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From randy at psg.com Sun Feb 12 05:45:26 2017
From: randy at psg.com (Randy Bush)
Date: Sun, 12 Feb 2017 22:45:26 +0900
Subject: [Bro] Netmap plugin issue
In-Reply-To:
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
Message-ID:

[ n00b. well i ran bro over a decade ago. ]

a ganeti cluster running ganeti 2.15 on deb8 and ubuntu16

i run bro in a vm on one of the nodes.
as it is on the bridged lan, it sees all the traffic to all vms whose primary is on the same node. this is sweet.

but i want to see the traffic to the vms whose primary is on the other nodes. so what is the minimal hack i can run on other nodes to stream pcaps to that bro instance so that the whole cluster is feeding to one bro instance?

i would prefer a simple hack to run on the host opsys, but could create more guest vms iff i had to. the cluster has a second inter-node lan i could use to avoid pcapping the pcap transport.

[ no, i prefer not to mirror off the switch ]

randy

From randy at psg.com Sun Feb 12 05:46:22 2017
From: randy at psg.com (Randy Bush)
Date: Sun, 12 Feb 2017 22:46:22 +0900
Subject: [Bro] apologies for coopting another thread
Message-ID:

On Sun, 12 Feb 2017 22:45:26 +0900, Randy Bush wrote:
>
> [ n00b. well i ran bro over a decade ago. ]
...

From randy at psg.com Sun Feb 12 19:56:51 2017
From: randy at psg.com (Randy Bush)
Date: Mon, 13 Feb 2017 12:56:51 +0900
Subject: [Bro] bro access to ether on ubuntu
Message-ID:

ok, i give. i realize that i need to have a bro vm on each of the physical nodes in a three-node ganeti cluster and run a bro cluster.

can i do this with only three vms for a three-node cluster, i.e. can one of the bro vms be both a worker and the central manager with broctl? or does the manager need to be a fourth vm?
randy

From randy at psg.com Sun Feb 12 20:22:54 2017
From: randy at psg.com (Randy Bush)
Date: Mon, 13 Feb 2017 13:22:54 +0900
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To:
References:
Message-ID:

ok, to put it directly, is it reasonable, presuming i can give the bro vms whatever cpus they need, and the load is not heavy, to do the following:

[logger]
type=logger
host=localhost
#
[manager]
type=manager
host=localhost
#
#[proxy-1]
#type=proxy
#host=localhost
#
[worker-0]
type=worker
host=localhost
interface=eth0
#
[worker-1]
type=worker
host=bro1.sea.rg.net
interface=eth0
#
[worker-2]
type=worker
host=bro2.sea.rg.net
interface=eth0

randy

From randy at psg.com Sun Feb 12 23:04:40 2017
From: randy at psg.com (Randy Bush)
Date: Mon, 13 Feb 2017 16:04:40 +0900
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To:
References:
Message-ID:

[ ubuntu 16.04 on ganeti cluster ]

so i figured the config out

[logger]
type=logger
host=bro0.sea.rg.net
#
[manager]
type=manager
host=bro0.sea.rg.net
#
[proxy-1]
type=proxy
host=bro0.sea.rg.net
#
[worker-0]
type=worker
host=bro0.sea.rg.net
interface=eth0
#
[worker-1]
type=worker
host=bro1.sea.rg.net
interface=eth0
#
[worker-2]
type=worker
host=bro2.sea.rg.net
interface=eth0

and i got the worker-0 node to be able to pcap its eth0 by

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

although i ran the same on worker-1 and worker-2, they fail with

worker-2 terminated immediately after starting; check output with "diag"
worker-1 terminated immediately after starting; check output with "diag"

and the logs say

fatal error: problem with interface eth0 (pcap_error: socket: Operation not permitted (pcap_activate))

i suspected that when `broctl deploy` copies over /usr/local/bro/bin/bro, the copies do not inherit the capabilities. but i did

broctl deploy
broctl start

and the same result, pcap_error on workers 1 and 2, not on 0.
---

i also get

Error: error occurred while trying to send mail: send-mail: SENDMAIL-NOTFOUND not found

despite

$ which sendmail
/usr/sbin/sendmail

---

clue bat, please

randy

From Izik.Birka at hot.net.il Mon Feb 13 00:34:29 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Mon, 13 Feb 2017 08:34:29 +0000
Subject: [Bro] SMB
Message-ID: <592228F4D0C8504187F2F76658040CB6DFE23DFF@HOT-MAILBOX-02.HOT.NET.IL>

Hi

Are there any logs that contain SMB stats? Why doesn't conn.log contain SMB connections? I have bro 2.5

Thanks
Izik Birka

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.

From bro at pingtrip.com Mon Feb 13 05:43:16 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Mon, 13 Feb 2017 08:43:16 -0500
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To:
References:
Message-ID: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com>

Hi Randy,

I wrote a Bro plugin that takes care of the "setcap" tasks after each deploy. Just adjust the paths to reflect your Bro install. Let me know if you run into any issues with it.
https://github.com/PingTrip/broctl-setcap

-Dave

>
> and i got the worker-0 node to be able to pcap its eth0 by
>
> sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
>
> although i ran the same on worker-1 and worker-2, they fail with
>
> worker-2 terminated immediately after starting; check output with "diag"
> worker-1 terminated immediately after starting; check output with "diag"
>
> and the logs say
>
> fatal error: problem with interface eth0 (pcap_error: socket: Operation not permitted (pcap_activate))

From bro at pingtrip.com Mon Feb 13 10:07:52 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Mon, 13 Feb 2017 13:07:52 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To:
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
Message-ID:

Continuing to see impressive performance with Bro+Netmap:

data_forward_rate_Mbps":1484.1698"
data_drop_rate_Mbps":0.0000"

And of the 10 workers, the greatest capture_loss reported by Bro is well under 1%:

2017-02-13T09:01:56-0500 600.000013 MID_INT-8 1221 3368533 0.036247

-Dave

> On Feb 12, 2017, at 7:15 AM, Dave Crawford wrote:
>
> My LB stats are similar, but Bro isn't reflecting a loss:
>
> Feb 11 04:58:02 mid-csignsm-01 lb[3144]:
> {"ts":1486807082.815681,"interface":"netmap:eth6","packets_received":739258266,"packets_forwarded":737718676,"packets_dropped":1213100,"non_ip_packets":371283,"data_forward_rate_Mbps":758.6328,"data_drop_rate_Mbps":0.0000,"packet_forward_rate_kpps":102.7250,"packet_drop_rate_kpps":0.0000,"free_buffer_slots":100000}
>
> The next cycle of capture_loss shows less than 1% loss for the 10 workers:
>
> 2017-02-11T05:01:56-0500 600.000119 MID_INT-2 5 102927 0.004858
> 2017-02-11T05:01:56-0500 600.000015 MID_INT-4 7 107577 0.006507
> 2017-02-11T05:01:56-0500 600.000053 MID_INT-9 6 101979 0.005884
> 2017-02-11T05:01:56-0500 600.000016 MID_INT-3 1 304887 0.000328
> 2017-02-11T05:01:56-0500 600.000543 MID_INT-10 5 186552 0.00268
> 2017-02-11T05:01:56-0500 600.000009 MID_INT-5 6 101433 0.005915
> 2017-02-11T05:01:56-0500 600.000005 MID_INT-6 5 110256 0.004535
> 2017-02-11T05:01:56-0500 600.000085 MID_INT-7 1 98164 0.001019
> 2017-02-11T05:01:56-0500 600.000041 MID_INT-8 4 99979 0.004001
> 2017-02-11T05:01:57-0500 600.000047 MID_INT-1 3 90591 0.003312
>
> I also noticed that Andy's LB output is slightly different. His displays the free buffers as "overflow_queue_size" where my output is "free_buffer_slots".
>
> Also Andy, your overflow queue size is "0", did you define one and it's been depleted? Creating one, or increasing the size may help with the Bro dropped packets.
>
> -Dave

From espressobeanies at gmail.com Mon Feb 13 10:34:47 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Mon, 13 Feb 2017 13:34:47 -0500
Subject: [Bro] Question on redefining Bro variables
In-Reply-To:
References:
Message-ID:

Got it. Thanks.

On Thu, Feb 9, 2017 at 4:50 PM, anthony kasza wrote:

> Personally, I make my own directory of scripts and modules and @load them
> from the local.bro file.
>
> -AK
>
> On Feb 9, 2017 2:33 PM, "Espresso Beanies" wrote:
>
>> Good afternoon,
>>
>> Where would it be best to redefine Bro variables? Should they all be in
>> the local.bro file or individual main.bro files for each module?
>>
>> Thanks in advance,
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>

From randy at psg.com Mon Feb 13 11:39:12 2017
From: randy at psg.com (Randy Bush)
Date: Tue, 14 Feb 2017 04:39:12 +0900
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com>
References: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com>
Message-ID:

hi dave,

aha!

bro0.sea.rg.net:/usr/local/bro> broctl install
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
setcap plugin: executing setcap on each node:
bro2.sea.rg.net - Executing setcap: SUCCESS
bro0.sea.rg.net - Executing setcap: SUCCESS
bro1.sea.rg.net - Executing setcap: SUCCESS

thank you!!
randy

From pierre.gaulon at transfer-to.com Mon Feb 13 18:18:06 2017
From: pierre.gaulon at transfer-to.com (Pierre Gaulon)
Date: Tue, 14 Feb 2017 10:18:06 +0800
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com>
References: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com>
Message-ID: <2c41c7ba-fa91-d40b-1894-4b1c2d3cd298@transfer-to.com>

Hi Dave,

First of all, thank you for your plugin, it is very useful! I have been using it for a while.

Last time I used it I ran into an error and had to change the code to see it.
In the last line of the plugin I appended the reason of the FAIL when it fails:

self.message("{0} - Executing setcap: {1}".format(n.host, 'SUCCESS' if success else 'FAIL ' + output[0]))

The reason was:
sorry, you must have a tty to run sudo

This is linked to the sudoers setting:
Defaults requiretty

In order to fix it I couldn't find a workaround using the command given to the plugin (using -tt for instance). I just commented the line using visudo.
Any ideas to make both compatible are still welcome!

Hope it helps!
Best regards,
Pierre Gaulon.

On 13/2/17 21:43, Dave Crawford wrote:
> Hi Randy,
>
> I wrote a Bro plugin that takes care of the "setcap" tasks after each
> deploy. Just adjust the paths to reflect your Bro install. Let me know
> if you run into any issues with it.
>
> https://github.com/PingTrip/broctl-setcap
>
> -Dave
>
>>
>> and i got the worker-0 node to be able to pcap its eth0 by
>>
>> sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
>>
>> although i ran the same on worker-1 and worker-2, they fail with
>>
>> worker-2 terminated immediately after starting; check output with "diag"
>> worker-1 terminated immediately after starting; check output with "diag"
>>
>> and the logs say
>>
>> fatal error: problem with interface eth0 (pcap_error: socket: Operation not permitted (pcap_activate))
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From bro at pingtrip.com Mon Feb 13 18:26:24 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Mon, 13 Feb 2017 21:26:24 -0500
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To: <2c41c7ba-fa91-d40b-1894-4b1c2d3cd298@transfer-to.com>
References: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com> <2c41c7ba-fa91-d40b-1894-4b1c2d3cd298@transfer-to.com>
Message-ID:

Thanks for the feedback Pierre, what OS and version are you running Bro on?

Modify the sudoers file to add an additional line to disable the tty requirement specifically for setcap.

bro ALL=NOPASSWD: /sbin/setcap
Defaults!/sbin/setcap !requiretty

Let me know if that takes care of the issue and I'll get my documentation updated.
-Dave

> On Feb 13, 2017, at 9:18 PM, Pierre Gaulon wrote:
>
> Hi Dave,
>
> First of all, thank you for your plugin, it is very useful! I have been using it for a while.
>
> Last time I used it I ran into an error and had to change the code to see it.
> In the last line of the plugin I appended the reason of the FAIL when it fails:
>
> self.message("{0} - Executing setcap: {1}".format(n.host, 'SUCCESS' if success else 'FAIL ' + output[0]))
>
> The reason was:
> sorry, you must have a tty to run sudo
>
> This is linked to the sudoers setting:
> Defaults requiretty
>
> In order to fix it I couldn't find a workaround using the command given to the plugin (using -tt for instance). I just commented the line using visudo.
> Any ideas to make both compatible are still welcome!
>
> Hope it helps!
> Best regards,
> Pierre Gaulon.

From pierre.gaulon at transfer-to.com Mon Feb 13 19:40:20 2017
From: pierre.gaulon at transfer-to.com (Pierre Gaulon)
Date: Tue, 14 Feb 2017 11:40:20 +0800
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To:
References: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com> <2c41c7ba-fa91-d40b-1894-4b1c2d3cd298@transfer-to.com>
Message-ID: <93fe0f98-c0b2-748b-4bcb-1edad56c15a7@transfer-to.com>

The workers are running on CentOS Linux release 7.2.1511 (Core).

The Defaults!/sbin/setcap !requiretty fixed the problem!

Thanks for your help!
Best regards,
Pierre Gaulon.

On 14/2/17 10:26, Dave Crawford wrote:
> Thanks for the feedback Pierre, what OS and version are you running
> Bro on?
>
> Modify the sudoers file to add an additional line to disable the tty
> requirement specifically for setcap.
>
> bro ALL=NOPASSWD: /sbin/setcap
> Defaults!/sbin/setcap !requiretty
>
> Let me know if that takes care of the issue and I'll get my
> documentation updated.
>
> -Dave
>
>> On Feb 13, 2017, at 9:18 PM, Pierre Gaulon wrote:
>>
>> Hi Dave,
>>
>> First of all, thank you for your plugin, it is very useful! I have
>> been using it for a while.
>>
>> Last time I used it I ran into an error and had to change the code to
>> see it.
>> In the last line of the plugin I appended the reason of the FAIL when
>> it fails:
>>
>> self.message("{0} - Executing setcap: {1}".format(n.host, 'SUCCESS'
>> if success else 'FAIL ' + output[0]))
>>
>> The reason was:
>> sorry, you must have a tty to run sudo
>>
>> This is linked to the sudoers setting:
>> Defaults requiretty
>>
>> In order to fix it I couldn't find a workaround using the command
>> given to the plugin (using -tt for instance). I just commented the
>> line using visudo.
>> Any ideas to make both compatible are still welcome!
>>
>> Hope it helps!
>> Best regards,
>> Pierre Gaulon.
>>
>

From randy at psg.com Mon Feb 13 19:44:58 2017
From: randy at psg.com (Randy Bush)
Date: Tue, 14 Feb 2017 12:44:58 +0900
Subject: [Bro] ganeti cluster with bro cluster
In-Reply-To: <93fe0f98-c0b2-748b-4bcb-1edad56c15a7@transfer-to.com>
References: <5ACD12BB-B9E0-4684-9017-03C911CF9A1C@pingtrip.com> <2c41c7ba-fa91-d40b-1894-4b1c2d3cd298@transfer-to.com> <93fe0f98-c0b2-748b-4bcb-1edad56c15a7@transfer-to.com>
Message-ID:

fwiw, at my age, i leave a docco trail because i will forget what the heck i did a day later.
so the hack i finally used is available at

https://git.rg.net/randy/randy/src/master/bro-cluster.md

randy

From Izik.Birka at hot.net.il Mon Feb 13 23:36:24 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Tue, 14 Feb 2017 07:36:24 +0000
Subject: [Bro] SMB Language
Message-ID: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL>

Hi

Just enabled the SMB analyzer, works great.

I have a problem with the Hebrew language, it looks like it's not supported. I'm getting this file name in the log file:

Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv

The \\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c is Hebrew words.

Is there a way to fix it?
From jazoff at illinois.edu Tue Feb 14 06:15:59 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 14 Feb 2017 14:15:59 +0000
Subject: [Bro] SMB Language
In-Reply-To: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL>
References: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL>
Message-ID:

> On Feb 14, 2017, at 2:36 AM, Izik Birka wrote:
>
> Hi
> Just enabled the SMB analyzer, works great.
>
> I have a problem with the Hebrew language, it looks like it's not supported. I'm getting this file name in the log file:
>
> Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv
>
> The \\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c is Hebrew words.
>
> Is there a way to fix it?

That's just an escaped utf-8 string:

>>> s='Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
>>> print s
Test\hello\גיול כמותי.csv

(or in python3)

>>> s=b'Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
>>> print(s.decode('utf-8'))
Test\hello\גיול כמותי.csv

--
- Justin Azoff

From andrew.dellana at bayer.com Tue Feb 14 06:52:34 2017
From: andrew.dellana at bayer.com (Andrew Dellana)
Date: Tue, 14 Feb 2017 14:52:34 +0000
Subject: [Bro] Connection summary values
Message-ID: <40f9b6e86ef34a8bb8046a97fcc822c9@moxde9.na.bayer.cnb>

Hello,

For the connection summary is there a way to reformat the way the notification looks, like putting each of these on their own line? Also is there a way to make the value show its domain name? The value shows up in both the incoming, outgoing and total sections.
#1= #2=(redacted) #3=
#4= (redacted) #5= (redacted) #6= (redacted)
#7= (redacted) #8= #9=
#10= (redacted) #11= #12= (redacted)
#13= #14= (redacted) #15=
#16= (redacted) #17= #18=
#19= #20= (redacted)

Thanks,

Andrew Dellana
Intern
________________________

From vladg at illinois.edu Tue Feb 14 07:05:02 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Tue, 14 Feb 2017 09:05:02 -0600
Subject: [Bro] Connection summary values
In-Reply-To: <40f9b6e86ef34a8bb8046a97fcc822c9@moxde9.na.bayer.cnb>
References: <40f9b6e86ef34a8bb8046a97fcc822c9@moxde9.na.bayer.cnb>
Message-ID:

simply means that DNS resolution failed.

Andrew Dellana writes:

> Hello,
>
> For the connection summary is there a way to reformat the way the notification looks, like putting each of these on their own line? Also is there a way to make the value show its domain name? The value shows up in both the incoming, outgoing and total sections.
>
> #1= #2=(redacted) #3=
> #4= (redacted) #5= (redacted) #6= (redacted)
> #7= (redacted) #8= #9=
> #10= (redacted) #11= #12= (redacted)
> #13= #14= (redacted) #15=
> #16= (redacted) #17= #18=
> #19= #20= (redacted)
>
> Thanks,
>
> Andrew Dellana
> Intern
> ________________________
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From Izik.Birka at hot.net.il Tue Feb 14 07:11:39 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Tue, 14 Feb 2017 15:11:39 +0000
Subject: [Bro] SMB Language
References: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL>
Message-ID: <592228F4D0C8504187F2F76658040CB6DFE2EB4A@HOT-MAILBOX-02.HOT.NET.IL>

Can I add utf-8 encoding to bro? Is there another option? I'm forwarding the log file to a SIEM system, and it's not readable that way.

Thanks

-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu]
Sent: Tuesday, February 14, 2017 4:16 PM
To: Izik Birka
Cc: bro at bro.org
Subject: Re: [Bro] SMB Language

> On Feb 14, 2017, at 2:36 AM, Izik Birka wrote:
>
> Hi
> Just enable SMB analyzer, works great
>
> I have a problem with the Hebrew language, it looks like it's not supported, I'm getting this file name in the log file:
>
> Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv
>
> The \\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c - is Hebrew words
>
> is there a way to fix it?

That's just an escaped utf-8 string:

>>> s='Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
>>> print s
Test\hello\גיול כמותי.csv

(or in python3)

>>> s=b'Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
>>> print(s.decode('utf-8'))
Test\hello\גיול כמותי.csv

--
- Justin Azoff

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.

From seth at icir.org Tue Feb 14 08:37:17 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 14 Feb 2017 08:37:17 -0800
Subject: [Bro] Netmap plugin issue
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
Message-ID: <3B5C35C1-76E1-415D-9B27-16A738DEBCE3@icir.org>

> On Feb 13, 2017, at 10:07 AM, Dave Crawford wrote:
>
> Continuing to see impressive performance with Bro+Netmap:
>
> data_forward_rate_Mbps":1484.1698"
> data_drop_rate_Mbps":0.0000"
>
> And of the 10 workers, the greatest capture_loss reported by Bro is well under 1%:

Yay, that's great! At least now you can feel more certain that the capture loss is either misreported or you have a SPAN port or packet broker that is having trouble. You could also check the interface hardware counters here and there to see if you are having any loss on the NIC.
(ethtool -S)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Tue Feb 14 08:49:55 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 14 Feb 2017 08:49:55 -0800
Subject: [Bro] Netmap plugin issue
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu>
Message-ID: <088F7D1E-14E0-48CF-B169-232272DF32C4@icir.org>

> On Feb 12, 2017, at 4:15 AM, Dave Crawford wrote:
>
> I also noticed that Andy's LB output is slightly different. His displays the free buffers as "overflow_queue_size" where my output is "free_buffer_slots".

Those are different lb log lines. The lines with overflow_queue_size are regarding the output pipes that send packets off to the Bro (or other) processes. The line that has free_buffer_slots is regarding the interface being sniffed, and it means that those are buffers (each buffer holds a single packet) that can be used if a pipe isn't being flushed quickly enough. If you have free buffers and packets begin to get backed up, the free_buffer_slots number on the physical interface will begin to go down and the overflow_queue_size on the pipe or pipes getting backed up will begin to rise.

I'm planning on writing a more extensive guide on all of this soon.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From bro at pingtrip.com Tue Feb 14 10:10:44 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Tue, 14 Feb 2017 13:10:44 -0500
Subject: [Bro] Netmap plugin issue
In-Reply-To: <3B5C35C1-76E1-415D-9B27-16A738DEBCE3@icir.org>
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu> <3B5C35C1-76E1-415D-9B27-16A738DEBCE3@icir.org>

> Yay, that's great! At least now you can feel more certain that the capture loss is either misreported or you have a SPAN port or packet broker that is having trouble. You could also check the interface hardware counters here and there to see if you are having any loss on the NIC. (ethtool -S)
>
>   .Seth

Seth, so are you thinking that LB is mis-reporting packet loss?
These are the ethtool stats for the capture NIC:

NIC statistics:
     rx_packets: 55681830
     tx_packets: 0
     rx_bytes: 35600025423
     tx_bytes: 0
     rx_errors: 0
     tx_errors: 0
     rx_dropped: 0
     tx_dropped: 0
     multicast: 43367780
     collisions: 0
     rx_over_errors: 0
     rx_crc_errors: 0
     rx_frame_errors: 0
     rx_fifo_errors: 0
     rx_missed_errors: 193958
     tx_aborted_errors: 0
     tx_carrier_errors: 0
     tx_fifo_errors: 0
     tx_heartbeat_errors: 0
     rx_pkts_nic: 18460871971
     tx_pkts_nic: 0
     rx_bytes_nic: 10234659126400
     tx_bytes_nic: 0
     lsc_int: 9
     tx_busy: 0
     non_eop_descs: 0
     broadcast: 277894
     rx_no_buffer_count: 0
     tx_timeout_count: 0
     tx_restart_queue: 0
     rx_long_length_errors: 0
     rx_short_length_errors: 0
     tx_flow_control_xon: 0
     rx_flow_control_xon: 0
     tx_flow_control_xoff: 0
     rx_flow_control_xoff: 0
     rx_csum_offload_errors: 0

From espressobeanies at gmail.com Tue Feb 14 11:52:14 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Tue, 14 Feb 2017 14:52:14 -0500
Subject: [Bro] Conceptual question on main.bro files

Hi,

I'm trying to better understand Bro's architecture, and what is the significance of the "main.bro" files in relation to the other .bro files? I'm guessing some hierarchical purpose, but I don't see a "main.bro" file in every folder that contains a .bro file itself. Is someone able to better explain?

Thanks!

From jdopheid at illinois.edu Tue Feb 14 12:09:44 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Tue, 14 Feb 2017 20:09:44 +0000
Subject: [Bro] Save the date: BroCon '17, Sept 12 - 14 in Urbana, IL

Save the date! BroCon '17 will occur Tuesday September 12th - Thursday September 14th at the National Center for Supercomputing Applications in Urbana, IL. We are wrapping up registration and hotel info, so be on the lookout for more complete information.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From zeolla at gmail.com Tue Feb 14 12:12:13 2017
From: zeolla at gmail.com (Zeolla@GMail.com)
Date: Tue, 14 Feb 2017 20:12:13 +0000
Subject: [Bro] Conceptual question on main.bro files

As far as I'm aware, main.bro isn't actually special. It's just a pseudo-standard (maybe a real standard, even) for a main/primary bro script for a folder/organizational area.

What is special is __load__.bro. If you use @load to load a directory, it will look there for __load__.bro, and then follow whatever instructions it finds (@load or @load-sigs, for instance). You will sometimes find that __load__.bro has a `@load ./main.bro` statement in it. For instance: https://github.com/bro/bro/blob/master/scripts/base/frameworks/files/__load__.bro

So, for instance, if you go to local.bro, you will find `@load tuning/defaults`; then if you go to the tuning/defaults folder, you find a __load__.bro (https://github.com/bro/bro/blob/master/scripts/policy/tuning/defaults/__load__.bro), which will be followed to load some bro scripts which are /not/ main.bro. In this situation, main.bro doesn't exist for tuning/defaults, and that's fine.

Another example is, go to local.bro, and find `@load misc/detect-traceroute` (commented out by default). But if you follow what would happen if this was uncommented, it would go to misc/detect-traceroute, load __load__.bro due to convention, and then the relative main.bro /is/ loaded because it's specified in __load__.bro.

Hope that helps - also, please correct me if there is an actual main.bro convention anywhere that I'm not aware of.
Jon

On Tue, Feb 14, 2017 at 2:54 PM Espresso Beanies wrote:

> Hi,
>
> I'm trying to better understand Bro's architecture, and what is the
> significance of the "main.bro" files in relation to the other .bro files?
> I'm guessing some hierarchical purpose, but I don't see a "main.bro" file in
> every folder that contains a .bro file itself. Is someone able to better
> explain?
>
> Thanks!

--
Jon
Sent from my mobile device

From johanna at icir.org Tue Feb 14 13:12:46 2017
From: johanna at icir.org (Johanna Amann)
Date: Tue, 14 Feb 2017 13:12:46 -0800
Subject: [Bro] bro_intel feeds as csv file
Message-ID: <20170214211246.4z5lk4bp2d7apncq@wifi107.sys.ICSI.Berkeley.EDU>

Hello Sunu,

no, it is not trivially possible to get the intel framework to read csv files. The easiest way is to convert your format into the Bro syntax. Alternatively, you can use the input framework yourself, specify the delimiters that you need and manually call Intel::insert.

Johanna

On Sun, Feb 12, 2017 at 03:01:21PM +0530, ps sunu wrote:
> Hi all,
> Is it possible to generate bro_intel txt files in
> .CSV format?
>
> my format
>
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in meta.whitelist
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
> # Intel::ADDR binarydefense-ip - T - -
>
> Need to change these feeds to a csv format
>
> Regards,
> Sunu

From johanna at icir.org Tue Feb 14 13:15:25 2017
From: johanna at icir.org (Johanna Amann)
Date: Tue, 14 Feb 2017 13:15:25 -0800
Subject: [Bro] Information on OCSP and CRL
Message-ID: <20170214211525.jsbcvteffga5mlpb@wifi107.sys.ICSI.Berkeley.EDU>

To expand a bit on this...

there is a policy script to perform certificate validation, just load policy/protocols/ssl/validate-certs.bro. Note that this uses plain OpenSSL for validation and might not be able to validate a few cases which browsers can validate.

For OCSP, the situation is a bit less optimal. The script that Vlad mentioned performs OCSP validation, but _only_ in case the OCSP response is sent stapled in the TLS handshake - which is rather rare.

Outside of this, Bro currently does not support OCSP validation.

Johanna

On Thu, Feb 09, 2017 at 01:37:44PM -0600, Vlad Grigorescu wrote:
> Tony,
>
> There's an optional script for OCSP validation:
> https://github.com/bro/bro/blob/v2.5/scripts/policy/protocols/ssl/validate-ocsp.bro
>
> To use:
>
> @load protocols/ssl/validate-ocsp
>
> --Vlad
>
> Tony Waller writes:
>
> > I am looking for additional information on utilizing OCSP and CRL in Bro NSM. I would like to know if certificates from clients can be checked in real-time or near real-time against a CRL?
> > Also, can Bro NSM perform an OCSP request to a RA and check a certificate to determine if it is valid? If this is the case, where in Bro NSM do you set the address for the RA or CRL responder?
> >
> > Sincerely,
> >
> > Tony
> >
> >
> > Tony Waller, CISSP
> > Director, Systems Engineering
> > Bivio Networks, Inc.
> > "Powering Advanced Cyber Operations" (TM)
> > Mobile (443) 994-0936
> >
> > *Note: The information contained in this email is confidential. This information is intended only for the individual, individuals or entity to whom it is addressed. If you are not the intended recipient(s), the employee or agent responsible for delivering it to the intended recipient(s), you are hereby notified that any use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please return the original message to us by email and delete or destroy any copies. Please note any views or opinions expressed or presented in this email are solely those of the author and do not necessarily represent those of Bivio Networks, Inc. The recipient should check this email or any attachments for the presence of viruses or malware. Bivio Networks, Inc. accepts no responsibility for any damage caused by any virus or malware transmitted by this email. Thank you.
> >
> > Think Green when printing

From johanna at icir.org Tue Feb 14 13:17:19 2017
From: johanna at icir.org (Johanna Amann)
Date: Tue, 14 Feb 2017 13:17:19 -0800
Subject: [Bro] Content gap breaks application layer analysis
Message-ID: <20170214211719.sekdzvip4g2b6t7l@wifi107.sys.ICSI.Berkeley.EDU>

Hi,

Bro does not deal well with disordered packets. There currently is no workaround for that.

Johanna

On Mon, Feb 06, 2017 at 05:13:38PM +0800, duhang wrote:
> Hi,
>
> I'm using Bro, which listens to the NIC card connected to a mirror port from
> a switch, to dump http request/response and smtp email for further analysis.
> The packets received from the mirror port are massively
> disordered (Unseen ACKed in wireshark). I saw a lot of content gap events
> which skip the following packets received. A lot of uncompleted http/smtp
> logs exist, which relatively means a high packet loss rate from the application
> layer's perspective. Is there any workaround/solution to have
> bi-directional reassembly in this case?
From johanna at icir.org Tue Feb 14 13:20:49 2017
From: johanna at icir.org (Johanna Amann)
Date: Tue, 14 Feb 2017 13:20:49 -0800
Subject: [Bro] Getting SSL events into Python
In-Reply-To: <181a0dd9-aec3-700f-92df-6dda30da1e66@babioch.de>
References: <181a0dd9-aec3-700f-92df-6dda30da1e66@babioch.de>
Message-ID: <20170214212049.3or3xiyaxkg736nf@wifi107.sys.ICSI.Berkeley.EDU>

Hello Karol,

by default, events that are handled locally inside of Bro are not sent anywhere else; for core-raised events, you will have to re-raise them (with a different name to not cause any issues), and set your communication preferences so that the raised event will be forwarded to broccoli (like done in broping.bro).

I hope this helps,
Johanna

On Mon, Jan 30, 2017 at 03:34:53PM +0100, Karol Babioch wrote:
> Hi,
>
> I'm currently researching SSL/TLS handshakes and want to process several
> events Bro provides with the SSL plugin. I've installed Bro along with
> broccoli and broccoli-python, and the "broping" example (from the test
> directory) is working just fine. For each "ping" event I sent to Bro, a
> "pong" is received and processed in my Python script.
>
> However, in the case of SSL my callbacks are never executed. The most
> simplified version looks something like this:
>
> > #!/usr/bin/env python
> >
> > from broccoli import *
> >
> > @event
> > def ssl_established(c):
> >     print('established')
> >
> > bc = Connection("127.0.0.1:47760")
> >
> > while True:
> >     bc.processInput()
>
> To my understanding I don't even have to load the SSL plugin, since it
> resides within "base", but nevertheless my local.bro contains the following:
>
> > @load broping
> > @load base/protocols/ssl
>
> When starting Bro and executing the Python script mentioned above,
> nothing happens, even if SSL traffic is going through the interface
> (and/or coming from a recorded pcap). I've also tried to register
> callbacks for various other SSL related events (ssl_client_hello,
> ssl_server_hello, etc.), but in no case were my callbacks invoked.
>
> The only difference to the "broping.py" from the examples is that I'm
> not sending any events, but just want to receive them (hence I'm calling
> processInput() regularly).
>
> What am I missing here? Do I somehow need to enable the SSL
> functionality within Bro? How can I further debug the problem?
>
> Any help is very much appreciated, since I've spent a fair amount of
> time on this already, with no real progress.
>
> Thank you very much!
>
> Best regards,
> Karol Babioch

From karol at babioch.de Tue Feb 14 14:26:25 2017
From: karol at babioch.de (Karol Babioch)
Date: Tue, 14 Feb 2017 23:26:25 +0100
Subject: [Bro] Getting SSL events into Python
In-Reply-To: <20170214212049.3or3xiyaxkg736nf@wifi107.sys.ICSI.Berkeley.EDU>
References: <181a0dd9-aec3-700f-92df-6dda30da1e66@babioch.de> <20170214212049.3or3xiyaxkg736nf@wifi107.sys.ICSI.Berkeley.EDU>
Message-ID: <1a4fa2d6-7bbe-75f5-05c8-51d7e08b7429@babioch.de>

Hello Johanna,

On 14.02.2017 at 22:20, Johanna Amann wrote:
> by default, events that are handled locally inside of Bro are not sent
> anywhere else; for core-raised events, you will have to re-raise them
> (with a different name to not cause any issues), and set your
> communication preferences so that the raised event will be forwarded to
> broccoli (like done in broping.bro).

thank you very much for your feedback. It is very much appreciated and definitely helpful :-). I've worked around this problem for the time being, but will revisit this now again :-).

Best regards,
Karol Babioch

From cherish_139 at foxmail.com Tue Feb 14 18:28:31 2017
From: cherish_139 at foxmail.com (cherish)
Date: Wed, 15 Feb 2017 10:28:31 +0800
Subject: [Bro] Passive DNS

hi, I'm learning "Using Bro for Building Passive DNS Data", and I encounter the error (Permission denied) when executing these two long commands.
BRO_PDNS_DB=mysql://pdns:pdns@localhost/pdns /nsm/bro/share/bro/site/bro-pdns/bro_pdns.py serve
BRO_PDNS_DB=mysql://pdns:pdns@localhost/pdns /nsm/bro/share/bro/site/bro-pdns/bro_pdns.py process /nsm/bro/logs/current/dns.log

Thanks for reading, would you please give me some advice?

From twaller at bivio.net Tue Feb 14 19:50:33 2017
From: twaller at bivio.net (Tony Waller)
Date: Wed, 15 Feb 2017 03:50:33 +0000
Subject: [Bro] Information on OCSP and CRL
In-Reply-To: <20170214211525.jsbcvteffga5mlpb@wifi107.sys.ICSI.Berkeley.EDU>
References: <20170214211525.jsbcvteffga5mlpb@wifi107.sys.ICSI.Berkeley.EDU>
Message-ID: <336B81D1-3EC0-4B9C-BEA6-470DD7CDFD0D@bivio.net>

Johanna,

Thank you for the update. Do you see any plans for Bro to be able to leverage an OCSP client soon? If not, is this something that could be added to the code-base by the community?

Sincerely,

Tony

Tony Waller, CPO (USN-Ret.)
CISSP
Director, Systems Engineering
Bivio Networks, Inc.
"Powering Advanced Cyber Operations" (TM)
Mobile (443) 994-0936

On 2/14/17, 4:15 PM, "Johanna Amann" wrote:

    To expand a bit on this...

    there is a policy script to perform certificate validation, just load policy/protocols/ssl/validate-certs.bro. Note that this uses plain OpenSSL for validation and might not be able to validate a few cases which browsers can validate.

    For OCSP, the situation is a bit less optimal. The script that Vlad mentioned performs OCSP validation, but _only_ in case the OCSP response is sent stapled in the TLS handshake - which is rather rare.

    Outside of this, Bro currently does not support OCSP validation.

    Johanna

    On Thu, Feb 09, 2017 at 01:37:44PM -0600, Vlad Grigorescu wrote:
    > Tony,
    >
    > There's an optional script for OCSP validation:
    > https://github.com/bro/bro/blob/v2.5/scripts/policy/protocols/ssl/validate-ocsp.bro
    >
    > To use:
    >
    > @load protocols/ssl/validate-ocsp
    >
    > --Vlad
    >
    > Tony Waller writes:
    >
    > > I am looking for additional information on utilizing OCSP and CRL in Bro NSM. I would like to know if certificates from clients can be checked in real-time or near real-time against a CRL? Also, can Bro NSM perform an OCSP request to a RA and check a certificate to determine if it is valid? If this is the case, where in Bro NSM do you set the address for the RA or CRL responder?
    > >
    > > Sincerely,
    > >
    > > Tony
    > >
    > > Tony Waller, CISSP
    > > Director, Systems Engineering
    > > Bivio Networks, Inc.
    > > "Powering Advanced Cyber Operations" (TM)
    > > Mobile (443) 994-0936

From hartley.87 at osu.edu Tue Feb 14 21:18:27 2017
From: hartley.87 at osu.edu (Hartley, Christopher J.)
Date: Wed, 15 Feb 2017 05:18:27 +0000
Subject: [Bro] Passive DNS
Message-ID: <19609E39-CF29-4F48-BCD9-B7DE552DE270@osu.edu>

Do you have execute privileges for the python script? Probably:

chmod u+x /nsm/bro/share/bro/site/bro-pdns/bro_pdns.py

Apologies if that's not the case - I would expect a more descriptive error message or stack trace were that not the cause.

Chris

On Feb 14, 2017, at 9:28 PM, cherish wrote:

hi, I'm learning "Using Bro for Building Passive DNS Data", and I encounter the error (Permission denied) when executing these two long commands.
BRO_PDNS_DB=mysql://pdns:pdns@localhost/pdns /nsm/bro/share/bro/site/bro-pdns/bro_pdns.py serve
BRO_PDNS_DB=mysql://pdns:pdns@localhost/pdns /nsm/bro/share/bro/site/bro-pdns/bro_pdns.py process /nsm/bro/logs/current/dns.log

Thanks for reading, would you please give me some advice?

From Mirko.Sailio at vtt.fi Wed Feb 15 02:03:47 2017
From: Mirko.Sailio at vtt.fi (Sailio Mirko)
Date: Wed, 15 Feb 2017 10:03:47 +0000
Subject: [Bro] bro_init asynchronicity problem

Hi

Does the bro_init event stop before the other events are started? I have an init script which removes some IP addresses from monitoring, but I am still getting detections for them (which is bad). :) The data structure is checked in "event new_connections()" for matches. The unwanted detection events only seem to happen in the very first moments after starting Bro, so I'm assuming that the problem occurs because the rules are not yet in my data structure, but I could of course be wrong.

If bro_init does not (by default) finish before other events are accepted, is there a way to force bro_init to finish first?

Thanks for any help,
Mirko

From jazoff at illinois.edu Wed Feb 15 05:35:03 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 15 Feb 2017 13:35:03 +0000
Subject: [Bro] bro_init asynchronicity problem

> On Feb 15, 2017, at 5:03 AM, Sailio Mirko wrote:
>
> I have an init script which removes some IP addresses from monitoring,

How are you doing this exactly?
-- - Justin Azoff From johanna at icir.org Wed Feb 15 07:38:18 2017 From: johanna at icir.org (Johanna Amann) Date: Wed, 15 Feb 2017 07:38:18 -0800 Subject: [Bro] Information on OCSP and CRL In-Reply-To: <336B81D1-3EC0-4B9C-BEA6-470DD7CDFD0D@bivio.net> References: <20170214211525.jsbcvteffga5mlpb@wifi107.sys.ICSI.Berkeley.EDU> <336B81D1-3EC0-4B9C-BEA6-470DD7CDFD0D@bivio.net> Message-ID: <86F86059-4E50-433E-8D3C-1B206CD97EE5@icir.org> Hello Tony, Bro will get the capability to parse OCSP requests and replies that are being sent over the network soon (as in - the ones that you see in HTTP, not just the ones in the stapled ocsp extension of the TLS handshake). You should be able to map that to certificates seen in the network traffic, and to validate them; however, this only will be possible for certificates for which network clients perform OCSP requests by themselves. Apart from that, there are currently no plans to add any OCSP support to Bro; there especially are no plans to make Bro able to perform OCSP queries itself. If you want to add that - you should be able to just write a couple of bifs and add them as a package :) Johanna On 14 Feb 2017, at 19:50, Tony Waller wrote: > Johanna, > > Thank you for the update. Do you see any plans for Bro to be able to > leverage a OCSP client soon? If not, is this something that could be > added to the code-base by the community? > > Sincerely, > > Tony > > > Tony Waller, CPO (USN-Ret.) > CISSP > Director, Systems Engineering > Bivio Networks, Inc. > ?Powering Advanced Cyber Operations? (TM) > Mobile (443) 994-0936 > > > > *Note: The information contained in this email confidential. This > information is intended only for the individual, individuals or entity > to whom it is addressed. 
If you are not the intended recipient(s), the > employee or agent responsible for delivering it to the intended > recipient(s), you are hereby notified that any use, dissemination, > distribution or copying of this communication is strictly prohibited. > If you have received this email in error, please return the original > message to us by email and delete or destroy any copies. Please note > any views or opinions expressed or presented in this email are solely > those of the author and do not necessarily represent those of Bivio > Networks, Inc. The recipient should check this email or any > attachments for the presence of viruses or malware. Bivio Networks, > Inc. accepts no responsibility for any damage caused by any virus or > malware transmitted by this email. Thank you. > > Think Green when printing > > > On 2/14/17, 4:15 PM, "Johanna Amann" wrote: > > To expand a bit on this... > > there is a policy script to perform certificate validation, just > load > policy/protocols/ssl/validate-certs.bro. Note that this uses plain > OpenSSL > for validation and might not be able to validate a few cases which > browsers can validate. > > For OCSP, the situation is a bit less optimal. The script that > Vlad > mentioned performs OCSP validation, but _only_ in case that the > OCSP > response is sent stapled in the TLS handshake - which is rather > rare. > > Outside of this, Bro currently does not support OCSP validatiob. > > Johanna > > On Thu, Feb 09, 2017 at 01:37:44PM -0600, Vlad Grigorescu wrote: > > Tony, > > > > There's an optional script for OCSP validation: > > > https://github.com/bro/bro/blob/v2.5/scripts/policy/protocols/ssl/validate-ocsp.bro > > > > To use: > > > @load protocols/ssl/validate-ocsp > > > > --Vlad > > > > Tony Waller writes: > > > > > I am looking for additional information on utilizing OCSP and > CRL in Bro NSM. I would like to know if certificates from clients can > be checked in real-time or near real-time against a CRL? 
> > > Also, can Bro NSM perform an OCSP request to an RA and check a certificate to determine if it is valid? If this is the case, where in Bro NSM do you set the address for the RA or CRL responder?
> > >
> > > Sincerely,
> > >
> > > Tony
> > >
> > > Tony Waller, CISSP
> > > Director, Systems Engineering
> > > Bivio Networks, Inc.
> > > “Powering Advanced Cyber Operations” (TM)
> > > Mobile (443) 994-0936
> > >
> > > _______________________________________________
> > > Bro mailing list
> > > bro at bro-ids.org
> > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From john.b.althouse at gmail.com Wed Feb 15 10:23:23 2017
From: john.b.althouse at gmail.com (John B.
Althouse)
Date: Wed, 15 Feb 2017 13:23:23 -0500
Subject: [Bro] Function for Decimal to Hex

Is there a function within Bro that will allow me to turn decimal into hex?

From dnthayer at illinois.edu Wed Feb 15 10:44:21 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Wed, 15 Feb 2017 12:44:21 -0600
Subject: [Bro] Function for Decimal to Hex

You could do something like this ("d" is a count or int value):

    print fmt("%x", d);

On 2/15/17 12:23 PM, John B. Althouse wrote:
>
> Is there a function within Bro that will allow me to turn decimal into hex?
>

From dopheide at gmail.com Wed Feb 15 10:52:01 2017
From: dopheide at gmail.com (Mike Dopheide)
Date: Wed, 15 Feb 2017 12:52:01 -0600
Subject: [Bro] Function for Decimal to Hex

Or, if your decimal is already a string, there's always this:
https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-bytestring_to_hexstr

-Dop

On Wed, Feb 15, 2017 at 12:44 PM, Daniel Thayer wrote:
> You could do something like this ("d" is a count or int value):
>
>     print fmt("%x", d);
>
> On 2/15/17 12:23 PM, John B. Althouse wrote:
> >
> > Is there a function within Bro that will allow me to turn decimal into hex?
> >

From john.b.althouse at gmail.com Wed Feb 15 11:06:43 2017
From: john.b.althouse at gmail.com (John B.
Althouse)
Date: Wed, 15 Feb 2017 14:06:43 -0500
Subject: [Bro] Function for Decimal to Hex

Sorry, what I want to do is take an integer like:
32154
and convert it to hexadecimal:
7D9A

On Wed, Feb 15, 2017 at 1:52 PM, Mike Dopheide wrote:
> Or, if your decimal is already a string, there's always this:
>
> https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-bytestring_to_hexstr
>
> -Dop
>
> On Wed, Feb 15, 2017 at 12:44 PM, Daniel Thayer wrote:
>
>> You could do something like this ("d" is a count or int value):
>>
>>     print fmt("%x", d);
>>
>> On 2/15/17 12:23 PM, John B. Althouse wrote:
>> >
>> > Is there a function within Bro that will allow me to turn decimal into hex?
>> >

From dopheide at gmail.com Wed Feb 15 11:41:07 2017
From: dopheide at gmail.com (Mike Dopheide)
Date: Wed, 15 Feb 2017 13:41:07 -0600
Subject: [Bro] Function for Decimal to Hex

Then what Daniel said is your way forward; if you need capital letters, something like this would work:

    local num: count = 32154;
    print fmt("%s", to_upper(fmt("%x", num)));

-Dop

On Wed, Feb 15, 2017 at 1:06 PM, John B.
Althouse wrote:
> Sorry, what I want to do is take an integer like:
> 32154
> and convert it to hexadecimal:
> 7D9A
>
> On Wed, Feb 15, 2017 at 1:52 PM, Mike Dopheide wrote:
>
>> Or, if your decimal is already a string, there's always this:
>>
>> https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-bytestring_to_hexstr
>>
>> -Dop
>>
>> On Wed, Feb 15, 2017 at 12:44 PM, Daniel Thayer wrote:
>>
>>> You could do something like this ("d" is a count or int value):
>>>
>>>     print fmt("%x", d);
>>>
>>> On 2/15/17 12:23 PM, John B. Althouse wrote:
>>> >
>>> > Is there a function within Bro that will allow me to turn decimal into hex?
>>> >

From dnthayer at illinois.edu Wed Feb 15 11:52:22 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Wed, 15 Feb 2017 13:52:22 -0600
Subject: [Bro] Function for Decimal to Hex
Message-ID: <46828cb3-4f77-767e-653b-9ab665646c44@illinois.edu>

The to_upper() function returns a string, so your example can be simplified:

    print to_upper(fmt("%x", num));

On 2/15/17 1:41 PM, Mike Dopheide wrote:
> Then what Daniel said is your way forward; if you need capital letters, something like this would work:
>
>     local num: count = 32154;
>     print fmt("%s", to_upper(fmt("%x", num)));
>
> -Dop
>

From john.b.althouse at gmail.com Wed Feb 15 12:57:57 2017
From: john.b.althouse at gmail.com (John B. Althouse)
Date: Wed, 15 Feb 2017 15:57:57 -0500
Subject: [Bro] Function for Decimal to Hex
In-Reply-To: <46828cb3-4f77-767e-653b-9ab665646c44@illinois.edu>
References: <46828cb3-4f77-767e-653b-9ab665646c44@illinois.edu>

Awesome, works! Thank you guys!
On Wed, Feb 15, 2017 at 2:52 PM, Daniel Thayer wrote:
> The to_upper() function returns a string, so your example can be simplified:
>
>     print to_upper(fmt("%x", num));
>
> On 2/15/17 1:41 PM, Mike Dopheide wrote:
> > Then what Daniel said is your way forward; if you need capital letters, something like this would work:
> >
> >     local num: count = 32154;
> >     print fmt("%s", to_upper(fmt("%x", num)));
> >
> > -Dop
> >

From jim.simpson.work at gmail.com Wed Feb 15 13:14:21 2017
From: jim.simpson.work at gmail.com (Jim Simpson)
Date: Wed, 15 Feb 2017 16:14:21 -0500
Subject: [Bro] Getting flow stats from Bro

Is there an existing set of scripts for Bro to get flow stats?

I'm looking for counts, avg, and std dev on small packets, large packets, nonempty packets, interarrival times, etc., similar to what YAF gives with the `--flow-stats` option. I'm also interested in the Shannon entropy of the payload, similar to what YAF gives with the `--entropy` option.
https://tools.netsa.cert.org/yaf/yaf.html

- Jim

From fatema.bannatwala at gmail.com Wed Feb 15 13:37:18 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 15 Feb 2017 16:37:18 -0500
Subject: [Bro] Bro seg faults when used with gperftools monitoring.

So, I wanted to find out whether there are any memory leaks in any of the code/scripts that I am loading with Bro, therefore I installed gperftools and compiled Bro 2.5 on a VM with 5GB of memory and CentOS 7.2.
I loaded only the default scripts to start with, i.e. didn't include any custom scripts in local.bro. I ran Bro as default on a pcap (~11G) and it terminated normally, producing output log files.

When I ran Bro with the Perftools heap leak checker active on the same pcap, it seg faulted after some time. I was watching memory usage during the run and it didn't seem to be using 100% of available memory.

Hence wanted to ask: is there any reason Bro would seg fault while run with HEAPCHECK enabled?

My goal was to load custom scripts one by one and every time run bro with heap check to see what can cause a memory leak. But stumbled upon this at the very beginning, so until I find out why it seg faulted on default configs, I can't really check the custom scripts/code for memory leaks :( :(

Including the coredump file.

Thanks,
Fatema.

From Izik.Birka at hot.net.il Wed Feb 15 23:35:58 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Thu, 16 Feb 2017 07:35:58 +0000
Subject: [Bro] SMB
References: <592228F4D0C8504187F2F76658040CB6DFE23DFF@HOT-MAILBOX-02.HOT.NET.IL>
Message-ID: <592228F4D0C8504187F2F76658040CB6DFE39D1A@HOT-MAILBOX-02.HOT.NET.IL>

Hi
Any idea?

From: Izik Birka
Sent: Tuesday, February 14, 2017 9:15 AM
To: 'Martin, Eric J'
Subject: RE: SMB

Hi
I enabled them and it's great, but I'm looking for SMB bytes statistics, like in the conn.log file.
For example, if someone downloaded 300 MB with the SMB protocol (from a network share), is there any file that holds these statistics?
With the HTTP protocol, I can find it in the conn.log file.
Thanks

From: Martin, Eric J [mailto:ejmartin2 at wpi.edu]
Sent: Tuesday, February 14, 2017 12:09 AM
To: Izik Birka
Subject: Re: SMB

There's smb_files and smb_mappings that need to be enabled. When you say 'stats', what are you looking for?

-- 
Eric Martin
ejmartin2 at wpi.edu
Information Security Analyst
Office: (508) 831-6070
Worcester Polytechnic Institute
www.wpi.edu
PGP: C74F 1EBF 2E80 7984 8CB5 064E BF17 D34C C704 B30F
For security purposes, this message has been double ROT13 encoded

________________________________
From: bro-bounces at bro.org on behalf of Izik Birka
Sent: Monday, February 13, 2017 3:34:29 AM
To: bro at bro.org
Subject: [Bro] SMB

Hi
Are there any logs that contain SMB stats?
Why doesn't conn.log contain SMB connections?
I have bro 2.5
Thanks
Izik Birka

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.
From Izik.Birka at hot.net.il Wed Feb 15 23:36:34 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Thu, 16 Feb 2017 07:36:34 +0000
Subject: [Bro] SMB Language
References: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL>
Message-ID: <592228F4D0C8504187F2F76658040CB6DFE39D45@HOT-MAILBOX-02.HOT.NET.IL>

Hi
Any help?
Thanks
Izik

-----Original Message-----
From: Izik Birka
Sent: Tuesday, February 14, 2017 5:12 PM
To: 'Azoff, Justin S'
Cc: bro at bro.org
Subject: RE: [Bro] SMB Language

Can I add utf-8 encoding to bro? Is there another option?
I'm forwarding the log file to a SIEM system, and it's not readable that way.
Thanks

-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu]
Sent: Tuesday, February 14, 2017 4:16 PM
To: Izik Birka
Cc: bro at bro.org
Subject: Re: [Bro] SMB Language

> On Feb 14, 2017, at 2:36 AM, Izik Birka wrote:
>
> Hi
> Just enabled the SMB analyzer, works great
>
> I have a problem with the Hebrew language; it looks like it's not supported. I'm getting this file name in the log file:
>
> Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv
>
> The \\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c - is Hebrew words
>
> is there a way to fix it?

That's just an escaped utf-8 string:

    >>> s='Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
    >>> print s
    Test\hello\גיול כמותי.csv

(or in python3)

    >>> s=b'Test\hello\\\xd7\x92\xd7\x99\xd7\x95\xd7\x9c \xd7\x9b\xd7\x9e\xd7\x95\xd7\xaa\xd7\x99.csv'
    >>> print(s.decode('utf-8'))
    Test\hello\גיול
כמותי.csv

-- 
- Justin Azoff

From andrew.dellana at bayer.com Thu Feb 16 07:40:23 2017
From: andrew.dellana at bayer.com (Andrew Dellana)
Date: Thu, 16 Feb 2017 15:40:23 +0000
Subject: [Bro] Connection summary values
References: <40f9b6e86ef34a8bb8046a97fcc822c9@moxde9.na.bayer.cnb>
Message-ID: <32339691ef1544028846b16f410b8dac@moxde9.na.bayer.cnb>

Thanks! Is there a way to resolve the DNS connection issues?

Freundliche Grüße / Best regards,

Andrew Dellana
Intern
________________________

-----Original Message-----
From: Vlad Grigorescu [mailto:vladg at illinois.edu]
Sent: Tuesday, February 14, 2017 10:05 AM
To: Andrew Dellana; bro at bro.org
Subject: Re: [Bro] Connection summary values

simply means that DNS resolution failed.

Andrew Dellana writes:

> Hello,
>
> For the connection summary, is there a way to reformat the way the notification looks - like put each of these on their own line? Also, is there a way to make the value show its domain name? The value shows up in both the incoming, outgoing and total sections.
>
> #1= #2=(redacted) #3=
> #4= (redacted) #5= (redacted) #6= (redacted)
> #7= (redacted) #8= #9=
> #10= (redacted) #11= #12= (redacted)
> #13= #14= (redacted) #15=
> #16= (redacted) #17= #18=
> #19= #20= (redacted)
>
> Thanks,
>
> Andrew Dellana
> Intern
> ________________________

From vladg at illinois.edu Thu Feb 16 08:14:10 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Thu, 16 Feb 2017 10:14:10 -0600
Subject: [Bro] Bro seg faults when used with gperftools monitoring.

That's a common config that we test with, which I would expect to work. Can you provide some details on how exactly you built and ran Bro?

--Vlad

fatema bannatwala writes:

> So, I wanted to find out whether there are any memory leaks in any of the code/scripts that I am loading with Bro, therefore I installed gperftools and compiled Bro 2.5 on a VM with 5GB of memory and CentOS 7.2.
>
> I loaded only the default scripts to start with, i.e. didn't include any custom scripts in local.bro. I ran Bro as default on a pcap (~11G) and it terminated normally, producing output log files.
>
> When I ran Bro with the Perftools heap leak checker active on the same pcap, it seg faulted after some time. I was watching memory usage during the run and it didn't seem to be using 100% of available memory.
>
> Hence wanted to ask: is there any reason Bro would seg fault while run with HEAPCHECK enabled?
>
> My goal was to load custom scripts one by one and every time run bro with heap check to see what can cause a memory leak. But stumbled upon this at the very beginning, so until I find out why it seg faulted on default configs, I can't really check the custom scripts/code for memory leaks :( :(
>
> Including the coredump file.
>
> Thanks,
> Fatema.
From vladg at illinois.edu Thu Feb 16 08:15:35 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Thu, 16 Feb 2017 10:15:35 -0600
Subject: [Bro] Getting flow stats from Bro

No set of scripts for this that I'm aware of. The closest thing I'm aware of is this script for computing PCR, which might be a good jumping-off point at least:
https://github.com/reservoirlabs/bro-producer-consumer-ratio

--Vlad

Jim Simpson writes:

> Is there an existing set of scripts for Bro to get flow stats?
>
> I'm looking for counts, avg, and std dev on small packets, large packets, nonempty packets, interarrival times, etc., similar to what YAF gives with the `--flow-stats` option. I'm also interested in the Shannon entropy of the payload, similar to what YAF gives with the `--entropy` option.
> https://tools.netsa.cert.org/yaf/yaf.html
>
> - Jim
From espressobeanies at gmail.com Thu Feb 16 11:05:19 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Thu, 16 Feb 2017 14:05:19 -0500
Subject: [Bro] Question on PacketFilter::DroppedPackets

Hi,

It seems no matter what I do, I still get these notices "PacketFilter::DroppedPackets". I created more workers, but I have a question about creating new workers versus using an existing worker to capture on the same interface with the "lb_procs" method to up the number of "sub-threads?" for multi-CPU processing. What advantage does a new worker give me over "lb_procs"?

Thanks!

From seth at icir.org Thu Feb 16 11:20:27 2017
From: seth at icir.org (Seth Hall)
Date: Thu, 16 Feb 2017 14:20:27 -0500
Subject: [Bro] SMB Language
In-Reply-To: <592228F4D0C8504187F2F76658040CB6DFE39D45@HOT-MAILBOX-02.HOT.NET.IL>
References: <592228F4D0C8504187F2F76658040CB6DFE2B50A@HOT-MAILBOX-02.HOT.NET.IL> <592228F4D0C8504187F2F76658040CB6DFE39D45@HOT-MAILBOX-02.HOT.NET.IL>
Message-ID: <25F2BF5F-A053-42A0-9D48-E69ECB886EC0@icir.org>

> On Feb 16, 2017, at 2:36 AM, Izik Birka wrote:
>
> Any help?

Bro's strings are purely ASCII at this time. You would have to interpret the string as UTF-8 in whatever you have receiving logs with.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From fatema.bannatwala at gmail.com Thu Feb 16 11:45:35 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Thu, 16 Feb 2017 14:45:35 -0500
Subject: [Bro] Bro seg faults when used with gperftools monitoring.
Hi Vlad,

I installed Bro from source by getting the tar of v2.5 and performing the following to compile and install it:

    $ sudo yum install cmake make libpcap-devel openssl-devel python-devel swig zlib-devel
    $ tar -xvzf bro-2.5.tar.gz
    $ cd bro-2.5
    $ ./configure --enable-debug --enable-perftools --enable-perftools-debug
    $ make
    $ sudo make install

And before installing Bro, I installed gperftools according to the directions mentioned in the project README:

    $ wget http://download.savannah.gnu.org/releases/libunwind/libunwind-0.99-beta.tar.gz
    $ tar -xvzf libunwind-0.99-beta.tar.gz
    $ cd libunwind-0.99-beta
    $ ./configure
    $ make
    $ sudo make install
    $ sudo yum groupinstall 'Development Tools'
    $ unzip gperftools-master.zip
    $ cd gperftools-master
    $ ./autogen.sh
    $ ./configure
    $ make
    $ sudo make install

I also ran bro with a small pcap trace (~319MB) captured from one of the Bro sensors, but it seg faulted:

    # bro -m -r /home/fatemabw/bro-test-vvvsmall.pcap
    WARNING: Perftools heap leak checker is active -- Performance may suffer
    Segmentation fault (core dumped)

On Thu, Feb 16, 2017 at 11:14 AM, Vlad Grigorescu wrote:
> That's a common config that we test with, which I would expect to work. Can you provide some details on how exactly you built and ran Bro?
>
> --Vlad
>
> fatema bannatwala writes:
>
> > So, I wanted to find out whether there are any memory leaks in any of the code/scripts that I am loading with Bro, therefore I installed gperftools and compiled Bro 2.5 on a VM with 5GB of memory and CentOS 7.2.
> >
> > I loaded only the default scripts to start with, i.e. didn't include any custom scripts in local.bro. I ran Bro as default on a pcap (~11G) and it terminated normally, producing output log files.
> >
> > When I ran Bro with the Perftools heap leak checker active on the same pcap, it seg faulted after some time.
> > I was watching memory usage during the run and it didn't seem to be using 100% of available memory.
> >
> > Hence wanted to ask: is there any reason Bro would seg fault while run with HEAPCHECK enabled?
> >
> > My goal was to load custom scripts one by one and every time run bro with heap check to see what can cause a memory leak. But stumbled upon this at the very beginning, so until I find out why it seg faulted on default configs, I can't really check the custom scripts/code for memory leaks :( :(
> >
> > Including the coredump file.
> >
> > Thanks,
> > Fatema.

From seth at icir.org Thu Feb 16 13:06:32 2017
From: seth at icir.org (Seth Hall)
Date: Thu, 16 Feb 2017 16:06:32 -0500
Subject: [Bro] Conceptual question on main.bro files
Message-ID: <928BA6E5-65BA-4D62-9AC3-783A2BEF224D@icir.org>

> On Feb 14, 2017, at 3:12 PM, Zeolla at GMail.com wrote:
>
> Hope that helps - also, please correct me if there is an actual main.bro convention anywhere that I'm not aware of.

That was a great description, and no, there is no formal standard around that. It's just a convention we started using a long time ago.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From bro at pingtrip.com Thu Feb 16 18:50:52 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 16 Feb 2017 21:50:52 -0500
Subject: [Bro] Netmap Seg faults

Has anyone experienced segfaults with Bro + Netmap when executing a 'broctl stop'?
    1487299650.431866 818913 packets received on interface bro}3, 0 dropped
    /opt/bro/share/broctl/scripts/run-bro: line 107:  4821 Segmentation fault      nohup "$mybro" "$@"

-Dave

From bro at pingtrip.com Thu Feb 16 20:13:41 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 16 Feb 2017 23:13:41 -0500
Subject: [Bro] Netmap Seg faults
Message-ID: <0555C89E-4F7B-4FE0-AAEC-5EFBF06C7FCF@pingtrip.com>

> On Feb 16, 2017, at 9:50 PM, Dave Crawford wrote:
>
> Has anyone experienced segfaults with Bro + Netmap when executing a 'broctl stop'?
>
>     1487299650.431866 818913 packets received on interface bro}3, 0 dropped
>     /opt/bro/share/broctl/scripts/run-bro: line 107:  4821 Segmentation fault      nohup "$mybro" "$@"
>

Also seeing these messages in dmesg:

    [ 8113.725495] bro[2098]: segfault at 0 ip 00007f7695f360f7 sp 00007fffe8969360 error 4 in libtcmalloc.so.4.2.2[7f7695eeb000+98000]
    [ 8113.766085] bro[2088]: segfault at 0 ip 00007f6584ff40f7 sp 00007ffc40fcf7f0 error 4 in libtcmalloc.so.4.2.2[7f6584fa9000+98000]
    [29084.773876] bro[4823]: segfault at 0 ip 00007f116704d0f7 sp 00007ffe93723430 error 4 in libtcmalloc.so.4.2.2[7f1167002000+98000]
    [29084.787171] bro[4821]: segfault at 0 ip 00007f013f9610f7 sp 00007ffe0d0a9950 error 4 in libtcmalloc.so.4.2.2[7f013f916000+98000]

-Dave
From seth at icir.org Fri Feb 17 07:53:01 2017
From: seth at icir.org (Seth Hall)
Date: Fri, 17 Feb 2017 10:53:01 -0500
Subject: [Bro] Netmap plugin issue
References: <9496c58b8b164eaba586a276eb56cb89@exch13-mail04.win.slac.stanford.edu> <237C84FB-3F36-4C72-BB55-ED91615D934C@icir.org> <7e14f24d17134bdbb13a4e41a8ec9e87@exch13-mail04.win.slac.stanford.edu> <6dcdf9f8999249ef9018e84c53c897fd@exch13-mail04.win.slac.stanford.edu> <35224580-AE4F-45AE-8046-303758FF9A9E@icir.org> <95315aa48ece4e8696e229da0879d445@exch13-mail04.win.slac.stanford.edu> <34442F24-0A8B-4EE7-A835-52707EA20478@pingtrip.com> <03503572-1528-40F0-9A0F-E686F0AFA67F@icir.org> <6165d3b4ddbc483996206c2dfc2f17ad@exch13-mail04.win.slac.stanford.edu> <3B5C35C1-76E1-415D-9B27-16A738DEBCE3@icir.org>

> On Feb 14, 2017, at 1:10 PM, Dave Crawford wrote:
>
> rx_missed_errors: 193958

This number isn't really that high compared to how many packets came into the NIC, but you may want to play with pinning the lb process to a core and changing its nice level. That might improve how many packets are lost on the NIC. lb shouldn't be misreporting the number of packets that it is accepting and forwarding along to the netmap pipes.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From gary.w.weasel2.civ at mail.mil Fri Feb 17 09:34:39 2017
From: gary.w.weasel2.civ at mail.mil (Weasel, Gary W Jr CIV DISA RE (US))
Date: Fri, 17 Feb 2017 17:34:39 +0000
Subject: [Bro] Bro Script not working
Message-ID: <0C34D9CA9B9DBB45B1C51871C177B4B285DA676D@UMECHPA68.easf.csd.disa.mil>

Greetings all,

I've written a custom Bro script that is supposed to output a new log, but for some reason it simply refuses to create the new output log. I developed and wrote my script using http://try.bro.org, and it works beautifully there.
But for some reason when I move it over to an actual Bro instance, it just doesn't produce anything. I get no errors, no warnings, and no outputs, and I'm certain the script is getting loaded.

Can anyone provide any input into any pitfalls I may be hitting here?

v/r
Gary

From pyrodie18 at gmail.com Fri Feb 17 12:40:17 2017
From: pyrodie18 at gmail.com (Troy Ward)
Date: Fri, 17 Feb 2017 12:40:17 -0800
Subject: [Bro] Bro Script not working

When you do broctl, have you deployed it? Any errors? After that, still within broctl, give the "scripts" command and make sure that your script is being loaded.

--Troy

> Message: 5
> Date: Fri, 17 Feb 2017 17:34:39 +0000
> From: "Weasel, Gary W Jr CIV DISA RE (US)"
> Subject: [Bro] Bro Script not working
> To: "'bro at bro.org'"
> Message-ID: <0C34D9CA9B9DBB45B1C51871C177B4B285DA676D at UMECHPA68.easf.csd.disa.mil>
> Content-Type: text/plain; charset="us-ascii"
>
> Greetings all,
>
> I've written a custom Bro script that is supposed to output a new log, but for some reason it simply refuses to create the new output log. I developed and wrote my script using http://try.bro.org, and it works beautifully there. But for some reason when I move it over to an actual Bro instance, it just doesn't produce anything. I get no errors, no warnings, and no outputs, and I'm certain the script is getting loaded.
>
> Can anyone provide any input into any pitfalls I may be hitting here?
>
> v/r
> Gary
>
> ------------------------------
>
> End of Bro Digest, Vol 130, Issue 32
> ************************************
From gfaulkner.nsm at gmail.com Fri Feb 17 12:54:47 2017
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Fri, 17 Feb 2017 14:54:47 -0600
Subject: [Bro] af_packet comparison to PF_RING ZC/DNA for Bro (in light of recent Suricata tuning paper)

After reading over the paper Michal and others worked on concerning tuning Suricata for best performance with AF_Packet, I'm wondering how af_packet performance compares to pf_ring DNA/ZC (with the commercially licensed drivers, not just vanilla), especially when it comes to Bro.

Is af_packet generally sufficient for Bro when it comes to monitoring 100G+ networks using a cluster of commodity servers with Intel X520 NICs?

Is the distro-shipped driver for something like an up-to-date Ubuntu 16.04 (4.4 kernel) server sufficient, or do you really need to compile the driver from source to enable some extended features, or to get a properly patched driver, etc.? I could see some benefits to just using the distro-packaged driver and not having to compile the driver from scratch or rely on dkms when patching sensors. I've had this go very wrong a few times.

Are there any gotchas where running one or the other might be the better way to go? Examples: want to use some bro feature such as capstats, or want to see VLAN tags in Bro logs, something else is broken or not performing as expected.

Does af_packet or the Bro plugin for it have a way to deal with multiple NICs (one per NUMA node), sort of like how pf_ring has dnacluster and zbalance_ipc?

Feel free to share any other relevant considerations. I'm especially interested in things such as ease of management, performance, compatibility, etc.
~Gary

From jan.grashoefer at gmail.com Sat Feb 18 02:11:39 2017
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Sat, 18 Feb 2017 11:11:39 +0100
Subject: [Bro] af_packet comparison to PF_RING ZC/DNA for Bro (in light of recent Suricata tuning paper)
In-Reply-To:
References:
Message-ID:

Hi Gary,

> After reading over the paper Michal and others worked on concerning tuning Suricata for best performance with AF_Packet I'm wondering how af_packet performance compares to pf_ring DNA/ZC (with the commercially licensed drivers, not just vanilla) especially when it comes to Bro.

Unfortunately I cannot provide any numbers. My main motivation for using AF_Packet with Bro was the ease of use. Especially the PF_RING ZC drivers caused issues in my environment, which I struggled to debug. Given the extra cost of building this and that myself I chose AF_Packet.

> Is af_packet generally sufficient for Bro when it comes to monitoring 100G+ networks using a cluster of commodity servers with Intel X520 NICs?

Good question. Someone should test this :)

> Is the distro shipped driver for something like an up-to-date Ubuntu 16.04 (4.4 kernel) server sufficient or do you really need to compile the driver from source to enable some extended features, or to get a properly patched driver etc? I could see some benefits to just using the distro packaged driver and not having to compile the driver from scratch or rely on dkms when patching sensors. I've had this go very wrong a few times.

For me (CentOS 7) the packaged driver worked well with AF_Packet. But if you want to tune things for maximal performance, I would recommend using the latest drivers. E.g., from time to time looking at the code might help in this case to understand what's going on.

> Are there any gotchas where running one or the other might be the better way to go?
> Examples (want to use some bro feature such as capstats, or want to see VLAN tags in Bro logs, something else is broken or not performing as expected)

I haven't used capstats but if I remember correctly, it is kind of deprecated as it relies on libpcap. One should be able to obtain the same information from other sources.

VLAN tags are indeed an issue using AF_Packet. For consistency reasons, the kernel extracts VLAN tags even if there is no hardware VLAN offloading (in contrast to Bro, Suricata can handle this due to its monolithic structure). Actually that's something on my list.

Finally, one has to be careful regarding the kernel used. There is a bug concerning AF_Packet's symmetric hashing that has been fixed in recent kernels (https://bro-tracker.atlassian.net/browse/BIT-1575?focusedCommentId=29627#comment-29627).

> Does af_packet or the Bro plugin for it have a way to deal with multiple NICS (one per numa node), sort of like how pf_ring has dnacluster and zbalance_ipc?

In theory configuring a set of workers per NUMA node using separate NICs shouldn't be an issue. The only thing is that you won't get load balancing across the NICs. I am not sure how well this works with PF_RING, though.

> Feel free to share any other relevant considerations.

In addition to the VLAN stuff I have a couple of other things on my list, which might allow some tuning. Unfortunately this list hasn't seen much progress lately as I don't have access to a test setup. So there might be room for improvement.

Jan

From obdnanr at gmail.com Sat Feb 18 04:57:33 2017
From: obdnanr at gmail.com (Obndnar smith)
Date: Sat, 18 Feb 2017 12:57:33 +0000
Subject: [Bro] Passive DNS IOC hunting script
Message-ID:

I've created a script that uses Justin Azoff's bro-pdns-go-rewrite script to search the passive DNS database for IOC hits from a text file hosted on a webserver; we're using CRITS.
You can cron both scripts, but I can't figure out how to get it to send one email alert per run of the script, so don't set it to every 5 minutes. You may need to touch some of the csvs if it complains they aren't there. You'll need to enter the full path name in the sortuniqe.sh script also.

I can't find Justin's Github for the go-rewrite, so maybe he can chime in with those details.

https://github.com/obdnanr/bro-pdns-ioc-search-alert

Thanks

From jazoff at illinois.edu Sat Feb 18 07:09:09 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Sat, 18 Feb 2017 15:09:09 +0000
Subject: [Bro] Passive DNS IOC hunting script
In-Reply-To:
References:
Message-ID:

> On Feb 18, 2017, at 7:57 AM, Obndnar smith wrote:
>
> I can't find Justin's Github for the go-rewrite, so maybe he can chime in with those details.

It's in a branch: https://github.com/JustinAzoff/bro-pdns/tree/go-rewrite

--
- Justin Azoff

From carlopmart at gmail.com Mon Feb 20 01:25:18 2017
From: carlopmart at gmail.com (C. L. Martinez)
Date: Mon, 20 Feb 2017 09:25:18 +0000
Subject: [Bro] Splunk or ELK to parse Bro logs
Message-ID: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>

Hi all,

I would like to do some tests and deploy rules using Bro under my laptop test lab. Due to limited resources, I would like to install some log parser tool for Bro like Splunk or ELK.

In the past, I have used Splunk and it goes very well for my needs. But doing some searches, I am finding more docs about using ELK with Bro than using Splunk.

But I don't see how I can limit resources assigned to an ELK infrastructure to suit my needs (I can't assign more than 2.5 GB of RAM to the vm where I will install splunk or elk or another solution).
I don't expect a lot of logs per day or hour from Bro's side (in fact, I expect very few), but I don't see clearly what solution to use.

What are your opinions or recommendations?

Many thanks to all.

--
Greetings,
C. L. Martinez

From blackhole.em at gmail.com Mon Feb 20 05:43:59 2017
From: blackhole.em at gmail.com (Joe Blow)
Date: Mon, 20 Feb 2017 08:43:59 -0500
Subject: [Bro] Splunk or ELK to parse Bro logs
In-Reply-To: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>
References: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>
Message-ID:

You could just change the JVM you're using elasticsearch/logstash on to only allocate 1GB of RAM. On that VM if you give it 2.5GB of RAM, then only 1GB of it will be used by your Elasticsearch install. The rest will be used by the OS (disk cache) and logstash.

In CentOS land, you'd make your /etc/sysconfig/elasticsearch file say this:

    ES_HEAP_SIZE=1g

Cheers,

JB

From jwc3f at virginia.edu Mon Feb 20 07:50:57 2017
From: jwc3f at virginia.edu (Collyer, Jeffrey W. (jwc3f))
Date: Mon, 20 Feb 2017 15:50:57 +0000
Subject: [Bro] Splunk or ELK to parse Bro logs
In-Reply-To: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>
References: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>
Message-ID:

For Splunk I've had good luck with logging to JSON format and using this TA https://github.com/jahshuah/splunk-ta-bro-json

Jeffrey Collyer
From ahmadjd94 at gmail.com Mon Feb 20 09:24:06 2017
From: ahmadjd94 at gmail.com (ahmad dana)
Date: Mon, 20 Feb 2017 19:24:06 +0200
Subject: [Bro] Python visualizing tool (BILA)
Message-ID:

I have been working on a python3 tool that makes use of the generated logs out of BRO. It uses the plotly library to make interactive plots and charts that would ease the process of analyzing the alerts.

It would be a pleasure if anyone is interested in further development of the code, or even suggests features to make the program more usable.

You can check the code on the GitHub repository: https://github.com/ahmadjd94/Bro-ID-Log-Analyzer

Thank you

--
Ahmad Da'na
Linkedin profile

From fatema.bannatwala at gmail.com Tue Feb 21 05:40:50 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 21 Feb 2017 08:40:50 -0500
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
Message-ID:

Hello,

I am trying to figure out what Windows operating system version has the user agent "Microsoft-CryptoAPI/10.0" when it accesses the Microsoft Certificate Revocation List (CRL).

I am seeing a good amount of these in software.log, where it ends up being "Unknown CryptoAPI Version" as the windows-version-detection.bro script doesn't have a mapping for that CryptoAPI.

Therefore I was thinking if anyone knows more about this user agent and what information we can infer about the OS from it.

Appreciate the help.

Thanks,
Fatema.
From seth at icir.org Tue Feb 21 06:26:27 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 21 Feb 2017 09:26:27 -0500
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
In-Reply-To:
References:
Message-ID: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>

> On Feb 21, 2017, at 8:40 AM, fatema bannatwala wrote:
>
> I am trying to figure out what Windows operating system version have the user agent "Microsoft-CryptoAPI/10.0" when it accesses Microsoft Certificate Revocation List (CRL).
>
> I am seeing good amount of these in software.log, where it ends up being "Unknown CryptoAPI Version" as the windows-version-detection.bro script doesn't have a mapping for that CryptoAPI.

I suspect this is Windows 10. Can someone out there validate that suspicion so we can add that to the windows version detection script?

.Set

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From klehigh at iu.edu Tue Feb 21 06:40:40 2017
From: klehigh at iu.edu (Keith Lehigh)
Date: Tue, 21 Feb 2017 09:40:40 -0500
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
In-Reply-To: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
References: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
Message-ID:

Confirmed with a virtual machine I have running Windows 10.

- Keith

> On Feb 21, 2017, at 09:26, Seth Hall wrote:
>
> I suspect this is Windows 10. Can someone out there validate that suspicion so we can add that to the windows version detection script?

From mike.patterson at uwaterloo.ca Tue Feb 21 06:41:37 2017
From: mike.patterson at uwaterloo.ca (Mike Patterson)
Date: Tue, 21 Feb 2017 14:41:37 +0000
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
In-Reply-To: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
References: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
Message-ID:

> On Feb 21, 2017, at 09:26, Seth Hall wrote:
>
> I suspect this is Windows 10. Can someone out there validate that suspicion so we can add that to the windows version detection script?

I have Win10 down for CryptoAPI 6.4, along with Server 2016, but my notes there are pretty old (like, Win10 GA timeframe).
I'm now seeing CryptoAPI 10.0 as well, confirmed on several hosts as being Win10. Maybe there's a difference between editions? I can't easily find out what versions ours are.

> .Set

+h? ;)

Mike

From fatema.bannatwala at gmail.com Tue Feb 21 07:01:55 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 21 Feb 2017 10:01:55 -0500
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
In-Reply-To:
References: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
Message-ID:

Thanks Seth, Mike and Keith for the confirmation, will update the script to log it as a win10 system! :)

Regards,
Fatema.
From fatema.bannatwala at gmail.com Tue Feb 21 09:50:32 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 21 Feb 2017 12:50:32 -0500
Subject: [Bro] software/version-changes.bro comparison between the two versions.
Message-ID:

I was going through the version-changes.bro script, thinking of adding some software to track the version changes, but realized that there is no comparison done between the old version tracked and the version detected in "rec: Info" of the log_software event.

Hence, I was thinking to add a condition to check it before the notice is raised for the version change, like the following:
( or I might be missing something regarding the functionality of the script. :/)

    event log_software(rec: Info)
        {
        local ts = tracked[rec$host];

        if ( rec$name in ts )
            {
            local old = ts[rec$name];

            # Is it a potentially interesting version change?
            if ( rec$name in interesting_version_changes )
                {
                if ( software_fmt_version(old$version) != software_fmt_version(rec$version) )
                    {
                    local msg = fmt("%.6f %s switched from %s to %s (%s)",
                                    network_time(), rec$software_type,
                                    software_fmt_version(old$version),
                                    software_fmt(rec), rec$software_type);
                    NOTICE([$note=Software_Version_Change, $src=rec$host,
                            $msg=msg, $sub=software_fmt(rec)]);
                    }
                }
            }
        }

Any thoughts? Anybody using this script to track software changes?

Thanks,
Fatema.

From jazoff at illinois.edu Tue Feb 21 10:55:48 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 21 Feb 2017 18:55:48 +0000
Subject: [Bro] software/version-changes.bro comparison between the two versions.
In-Reply-To:
References:
Message-ID:

It looks like that script is broken :-( The main software script that logs new software versions does:

    ts[info$name] = info;
    Log::write(Software::LOG, info);

and then the version changes script is doing

    local old = ts[rec$name]

But at that point old and rec are the same exact thing. It's possible to fix this, it just can't use the log_software event because at that point the "old" version has already been overwritten.

Another issue with the script is that the 'tracked' variable has a create expire of only 24h, so if the host is only seen every 48 hours, or if bro is restarted it won't know the version changed.

Newer features in Broker should allow interesting version changes to be tracked using persistent data stores. That would really fix the issue. There are similar things that need to be re-written for better tracking known hosts/known services/known certs.

I added this info to the existing ticket I had for this:

https://bro-tracker.atlassian.net/browse/BIT-1521

--
- Justin Azoff

> On Feb 21, 2017, at 12:50 PM, fatema bannatwala wrote:
>
> I was going through the version-changes.bro script, thinking of adding some software to track the version changes, but realized that there is no comparison done between the old version tracked and the version detected in "rec: Info" of log_software event.
>
> Hence, was thinking to add a condition to check it before the notice is raised for the version change, like following:
> ( or I might be missing something regarding the functionality of the script. :/)
>
> Any thoughts? anybody using this script to track software changes?
>
> Thanks,
> Fatema.

From fatema.bannatwala at gmail.com Tue Feb 21 11:32:52 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 21 Feb 2017 14:32:52 -0500
Subject: [Bro] software/version-changes.bro comparison between the two versions.
In-Reply-To:
References:
Message-ID:

Thanks Justin for the update, will be awaiting the Broker integration for the new features/scripts.

On Tue, Feb 21, 2017 at 1:55 PM, Azoff, Justin S wrote:

> It looks like that script is broken :-( The main software script that logs new software versions does:
>
>     ts[info$name] = info;
>     Log::write(Software::LOG, info);
>
> and then the version changes script is doing
>
>     local old = ts[rec$name]
>
> But at that point old and rec are the same exact thing. It's possible to fix this, it just can't use the log_software event because at that point the "old" version has already been overwritten.
>
> Another issue with the script is that the 'tracked' variable has a create expire of only 24h, so if the host is only seen every 48 hours, or if bro is restarted it won't know the version changed.
>
> Newer features in Broker should allow interesting version changes to be tracked using persistent data stores. That would really fix the issue. There are similar things that need to be re-written for better tracking known hosts/known services/known certs.
>
> I added this info to the existing ticket I had for this:
>
> https://bro-tracker.atlassian.net/browse/BIT-1521
>
> --
> - Justin Azoff
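The comparison Justin describes as missing, worked through as an added example that is not code from this thread or from the Bro project. It models in Python what a fixed version-changes.bro would have to do: keep the previously tracked record per (host, software name) and compare it with the new one before overwriting, so "old" and "new" are never the same record. The records are constructed in the shape of software.log columns (ts, host, name, version.major, version.minor, version.minor2, version.addl, unparsed_version); INTERESTING stands in for Software::interesting_version_changes; the 86400-second window models the &create_expire=1day table Justin mentions, which is why the second host in the sample produces no notice even though its version did change. The version string format is my own, not Bro's software_fmt_version().

```python
"""Version-change detection over software.log records, comparing against the
previously tracked record *before* it is overwritten.

Added example (my own Python model, not code from the Bro project or from the
mailing-list thread). See the lead-in for what is assumed.
"""

EXPIRE_SECONDS = 86400  # models &create_expire=1day on Software::tracked (assumption)

# Constructed sample, not real data. Tab separated; "-" means the field is unset.
SAMPLE_LOG = (
    "#fields\tts\thost\tname\tversion.major\tversion.minor\tversion.minor2"
    "\tversion.addl\tunparsed_version\n"
    "1487700000.0\t10.0.0.5\tOpenSSH\t7\t2\t-\tp2\tOpenSSH_7.2p2\n"
    "1487700000.0\t10.0.0.7\tOpenSSH\t7\t2\t-\tp2\tOpenSSH_7.2p2\n"
    "1487700100.0\t10.0.0.5\tMicrosoft-CryptoAPI\t6\t4\t-\t-\tMicrosoft-CryptoAPI/6.4\n"
    "1487703600.0\t10.0.0.5\tOpenSSH\t7\t4\t-\t-\tOpenSSH_7.4\n"
    "1487703700.0\t10.0.0.5\tMicrosoft-CryptoAPI\t10\t0\t-\t-\tMicrosoft-CryptoAPI/10.0\n"
    "1487790000.0\t10.0.0.7\tOpenSSH\t7\t4\t-\t-\tOpenSSH_7.4\n"
)

# Stands in for Software::interesting_version_changes (assumption).
INTERESTING = {"OpenSSH"}


def _num(value):
    """Numeric version component; Bro writes unset fields as '-'."""
    return None if value == "-" else int(value)


def parse_software_log(text):
    """Yield one dict per data line of a software.log in the sample's column order."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, host, name, major, minor, minor2, addl, unparsed = line.split("\t")
        version = (_num(major), _num(minor), _num(minor2),
                   None if addl == "-" else addl)
        yield {"ts": float(ts), "host": host, "name": name,
               "version": version, "unparsed": unparsed}


def fmt_version(version):
    """Render (major, minor, minor2, addl) as e.g. '7.2-p2' (my format, not Bro's)."""
    major, minor, minor2, addl = version
    parts = [str(major if major is not None else 0)]
    parts.extend(str(p) for p in (minor, minor2) if p is not None)
    text = ".".join(parts)
    return text + "-" + addl if addl else text


class VersionTracker:
    """Per-host table of the last-seen record for each software name. A host's
    whole entry is dropped EXPIRE_SECONDS after it was created, which is what a
    &create_expire table does (the entry is not refreshed by later updates)."""

    def __init__(self, interesting, expire=EXPIRE_SECONDS):
        self.interesting = set(interesting)
        self.expire = expire
        self.hosts = {}  # host -> [created_ts, {name: record}]

    def observe(self, rec):
        """Record rec; return a notice string if an interesting version changed."""
        entry = self.hosts.get(rec["host"])
        if entry is not None and rec["ts"] - entry[0] > self.expire:
            entry = None  # create_expire fired: the previously seen versions are gone
        if entry is None:
            entry = [rec["ts"], {}]
            self.hosts[rec["host"]] = entry
        old = entry[1].get(rec["name"])
        notice = None
        if (old is not None and rec["name"] in self.interesting
                and old["version"] != rec["version"]):
            notice = "%s %s switched from %s to %s" % (
                rec["host"], rec["name"],
                fmt_version(old["version"]), fmt_version(rec["version"]))
        entry[1][rec["name"]] = rec  # overwrite only after the comparison
        return notice


def find_version_changes(text, interesting=INTERESTING):
    """Run the tracker over a software.log text and return the notices raised."""
    tracker = VersionTracker(interesting)
    notices = []
    for rec in parse_software_log(text):
        notice = tracker.observe(rec)
        if notice:
            notices.append(notice)
    return notices


if __name__ == "__main__":
    for n in find_version_changes(SAMPLE_LOG):
        print(n)
```

Run against the sample, 10.0.0.5 raises one notice for OpenSSH 7.2-p2 to 7.4 and nothing for the CryptoAPI change (not in the interesting set), while 10.0.0.7's identical change goes unreported because its second sighting lands 90000 seconds after the entry was created, past the 24h expiry. A persistent store, as Justin suggests, is what removes that second gap.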
From seth at icir.org Tue Feb 21 12:07:24 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 21 Feb 2017 15:07:24 -0500
Subject: [Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?
In-Reply-To:
References: <10FE168F-C9A8-48B2-8A9F-FBBF0726F135@icir.org>
Message-ID:

> On Feb 21, 2017, at 10:01 AM, fatema bannatwala wrote:
>
> Thanks Seth, Mike and Keith for the confirmation, will update the script to log it as win10 system! :)

Thanks everyone. It's in master now.

https://github.com/bro/bro/commit/205a28bad8714a19b37080f069034868ee6dda9e

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From pssunu6 at gmail.com Tue Feb 21 17:12:48 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Wed, 22 Feb 2017 06:42:48 +0530
Subject: [Bro] Detect tor
Message-ID:

Hi,

Which is the best TOR detection script in bro? Is the one below good, or is there any other script?

https://raw.githubusercontent.com/sethhall/bro-junk-drawer/master/detect-tor.bro

Regards,
Sunu

From carlopmart at gmail.com Wed Feb 22 00:32:11 2017
From: carlopmart at gmail.com (C. L. Martinez)
Date: Wed, 22 Feb 2017 08:32:11 +0000
Subject: [Bro] Splunk or ELK to parse Bro logs
In-Reply-To:
References: <20170220092518.metxkrmiezhaizo4@scotland.uxdom.org>
Message-ID: <20170222083211.3tgtotzfwhvcihlv@scotland.uxdom.org>

On Mon, Feb 20, 2017 at 08:43:59AM -0500, Joe Blow wrote:

> In CentOS land, you'd make your /etc/sysconfig/elasticsearch file say this:
>
> ES_HEAP_SIZE=1g

Many thanks to all for your inputs. Regarding using ELK, is it safe to use the latest versions of Logstash, Elasticsearch and Kibana? What version do you recommend?

--
Greetings,
C. L. Martinez

From pssunu6 at gmail.com Wed Feb 22 01:50:27 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Wed, 22 Feb 2017 15:20:27 +0530
Subject: [Bro] Fwd: Detect tor
In-Reply-To:
References:
Message-ID:

-----
Hi,

Which is the best TOR detection script in bro? Is the one below good, or is there any other script?

https://raw.githubusercontent.com/sethhall/bro-junk-drawer/master/detect-tor.bro

Regards,
Sunu

From fatema.bannatwala at gmail.com Wed Feb 22 05:21:32 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 22 Feb 2017 08:21:32 -0500
Subject: [Bro] Detect tor
In-Reply-To:
References:
Message-ID:

Another thing you could try is, if you use the intel framework, then you can feed the intel FW with the IOC data for TOR, and load it in Intel, so that you will get logs in intel.log whenever there's a hit on TOR IPs in your network traffic.

Thanks,
Fatema.
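The intel-framework route Fatema suggests, as an added example that is not code from this thread or from the Bro project: convert a Tor relay address list into the tab-separated `#fields` file the intel framework's input reader consumes, with each address typed `Intel::ADDR` so `frameworks/intel/seen` matches it against connection endpoints and writes a hit to intel.log. The feed lines are constructed in the shape of the Tor Project's exit-addresses list (`ExitAddress <ip> <date> <time>`); a real run would fetch that list instead. The file path and the meta.source/meta.desc values are assumptions.

```python
"""Build a Bro Intelligence Framework input file from a Tor relay address list.

Added example (my own code, not from the mailing-list thread or the Bro
project). Input lines are constructed in the shape of the Tor Project's
exit-addresses list; the install path in the usage comment is an assumption.
"""
import ipaddress

# Constructed sample, not real relay data. Includes a duplicate address and a
# malformed token on purpose so the parser's handling of both is visible.
CONSTRUCTED_FEED = """\
ExitNode 0000000000000000000000000000000000000001
Published 2017-02-22 07:50:12
LastStatus 2017-02-22 08:02:35
ExitAddress 198.51.100.23 2017-02-22 08:15:00
ExitNode 0000000000000000000000000000000000000002
Published 2017-02-22 07:41:03
LastStatus 2017-02-22 08:02:35
ExitAddress 203.0.113.9 2017-02-22 08:16:12
ExitAddress 198.51.100.23 2017-02-22 08:17:40
ExitAddress not-an-address 2017-02-22 08:18:00
"""

# Column order of the intel file; the framework reads the #fields header.
INTEL_FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc", "meta.url")


def parse_exit_addresses(text):
    """Return the unique, syntactically valid IPs from ExitAddress lines, in order."""
    seen = set()
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ExitAddress":
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1]))  # normalises v4 and v6 text
        except ValueError:
            continue  # never let a malformed token into the intel file
        if ip not in seen:
            seen.add(ip)
            addrs.append(ip)
    return addrs


def build_intel_file(addrs, source, desc, url="-"):
    """Render intel rows: fields are tab separated and '-' marks an empty one."""
    for text in (source, desc, url):
        if "\t" in text or "\n" in text:
            raise ValueError("meta fields must not contain tabs or newlines")
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for ip in addrs:
        lines.append("\t".join((ip, "Intel::ADDR", source, desc, url)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    intel = build_intel_file(parse_exit_addresses(CONSTRUCTED_FEED),
                             source="tor-exits", desc="Tor exit relay")
    with open("tor.intel", "w") as fh:
        fh.write(intel)
    # Then in local.bro (path assumed):
    #   @load frameworks/intel/seen
    #   redef Intel::read_files += { "/opt/bro/share/bro/site/tor.intel" };
```

The intel file is re-read when it changes, so the same script can run from cron to refresh the list; keep the tab layout exact, since the input reader is strict about it, and keep the validation step, because one stray token in a feed silently breaks the whole file load.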
From pssunu6 at gmail.com Wed Feb 22 07:26:36 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Wed, 22 Feb 2017 20:56:36 +0530
Subject: [Bro] Detect tor
In-Reply-To:
References:
Message-ID:

ok thanks for your info

From jwclark at ucar.edu Wed Feb 22 12:08:51 2017
From: jwclark at ucar.edu (John Clark)
Date: Wed, 22 Feb 2017 13:08:51 -0700
Subject: [Bro] Detect tor (j. clark)
In-Reply-To:
References:
Message-ID: <242646e0-ef81-87de-6cbb-e7dee20fa4ce@ucar.edu>

I did some general research into this about a year ago and discovered that the Cert used to encrypt tor changes about every half hour. So if you can detect repeated changes in the cert with a particular IP it might be a good IoC.

From fatema.bannatwala at gmail.com Wed Feb 22 12:37:09 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 22 Feb 2017 15:37:09 -0500
Subject: [Bro] Splunk or ELK to parse Bro logs
Message-ID:

> Many thanks to all for your inputs. Regarding using ELK, is it safe to use the latest versions of Logstash, Elasticsearch and Kibana?
> What version do you recommend?

We have been forwarding some of our bro logs to the ELK stack, and recently upgraded to the latest ELK versions [5.2.0]. It works just fine.

From gfaulkner.nsm at gmail.com Wed Feb 22 15:29:40 2017
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Wed, 22 Feb 2017 17:29:40 -0600
Subject: [Bro] AF_PACKET on Ubuntu 16.04
In-Reply-To:
References:
Message-ID: <4ce67c1f-849c-a1ca-4543-379e538ecf75@gmail.com>

I'm trying AF_PACKET with Bro, but seem to be running a kernel and driver combo that doesn't appear to properly support symmetric hashing. I'm on Ubuntu 16.04 with kernel 4.4.0-59-generic. From what I can tell the patches should have been added around kernel 4.4.0-39 or so, but Justin's verification tool and Bro both seem to agree that it is broken on my system. I've tried with the OS supplied IXGBE driver (4.2.1-k) as well as compiling from scratch using a recent IXGBE directly from Intel (5.0.4). Is there a known working kernel and driver combo for Ubuntu 16.04, or are the necessary patches still not pushed into 16.04?

Thanks,

Gary

From michalpurzynski1 at gmail.com Wed Feb 22 15:51:47 2017
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Wed, 22 Feb 2017 15:51:47 -0800
Subject: [Bro] AF_PACKET on Ubuntu 16.04
In-Reply-To: <4ce67c1f-849c-a1ca-4543-379e538ecf75@gmail.com>
References: <4ce67c1f-849c-a1ca-4543-379e538ecf75@gmail.com>
Message-ID: <0B18A1BF-FB8D-41AC-9181-BA6BAA5CE973@gmail.com>

Have you disabled hardware hash with ethtool? By default the kernel will use the card hash which is asymmetric.

You can verify it with ethtool -k

Look for rxhash - should be disabled.

https://github.com/pevma/SEPTun

Should show you how to prepare your system, you can ignore the core isolation and affinity for bro.
> On Feb 22, 2017, at 3:29 PM, Gary Faulkner wrote:
>
> I'm trying AF_PACKET with Bro, but seem to be running a kernel and driver combo that doesn't appear to properly support symmetric hashing.

From gfaulkner.nsm at gmail.com Wed Feb 22 16:47:51 2017
From: gfaulkner.nsm at gmail.com (Gary Faulkner)
Date: Wed, 22 Feb 2017 18:47:51 -0600
Subject: [Bro] AF_PACKET on Ubuntu 16.04
In-Reply-To: <0B18A1BF-FB8D-41AC-9181-BA6BAA5CE973@gmail.com>
References: <4ce67c1f-849c-a1ca-4543-379e538ecf75@gmail.com> <0B18A1BF-FB8D-41AC-9181-BA6BAA5CE973@gmail.com>
Message-ID:

I tried to follow the guide fairly closely and adapt for Bro with the exception of BIOS level tuning (which I plan to investigate later). rxhash is set to off. I was cpu pinning bro before, so I am continuing to do so. Settings are below as well as a rough script I am tweaking to load them.
For troubleshooting purposes I decided not to simplify the script with a loop as I was running into some issues with command order (especially with set_irq_affinity placement) as well as a couple unsupported options:

Features for eth4:
rx-checksumming: off
tx-checksumming: off
	tx-checksum-ipv4: off
	tx-checksum-ip-generic: off [fixed]
	tx-checksum-ipv6: off
	tx-checksum-fcoe-crc: off [fixed]
	tx-checksum-sctp: off [fixed]
scatter-gather: off
	tx-scatter-gather: off
	tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
	tx-tcp-ecn-segmentation: off [fixed]
	tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off
receive-hashing: off
highdma: on [fixed]
rx-vlan-filter: on
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
busy-poll: on [fixed]
hw-tc-offload: off [fixed]

#!/bin/bash
#Unload any existing module and load with new parameters
rmmod ixgbe
modprobe ixgbe MQ=0,0,0,0 RSS=1,1,1,1 VMDQ=0,0,0,0 InterruptThrottleRate=12500,12500,12500,12500 FCoE=0,0,0,0 LRO=0,0,0,0 vxlan_rx=0,0,0,0
sleep 1
#Disable irqbalance to stop bouncing interrupts between cores
killall irqbalance
sleep 1
#Enable interfaces in promisc mode
ip link set eth4 promisc on arp off up
ip link set eth6 promisc on arp off up
sleep 1
#Disable IPv6 on interfaces
echo 1 > /proc/sys/net/ipv6/conf/eth4/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/eth6/disable_ipv6
#Enable Jumbo Frames (MTU of 9216 used on routers)
ip link set dev eth4 mtu 9216
ip link set dev eth6 mtu 9216
#Enforce a single RX queue
ethtool -L eth4 combined 1
ethtool -L eth6 combined 1
#Manage interrupts
ethtool -C eth4 adaptive-rx on rx-usecs 100
ethtool -C eth6 adaptive-rx on rx-usecs 100
#Lower the NIC ring descriptor size
ethtool -G eth4 rx 512
ethtool -G eth6 rx 512
#Disable pause frames
#ethtool -A eth4 autoneg off
#ethtool -A eth6 autoneg off
ethtool -A eth4 rx off tx off
ethtool -A eth6 rx off tx off
#Disable offloading features
ethtool -K eth4 rx off
ethtool -K eth4 tx off
ethtool -K eth4 tso off
ethtool -K eth4 ufo off
ethtool -K eth4 gso off
ethtool -K eth4 gro off
ethtool -K eth4 lro off
ethtool -K eth4 tx-nocache-copy off
ethtool -K eth4 rxhash off
ethtool -K eth4 ntuple off
ethtool -K eth4 sg off
ethtool -K eth4 txvlan off
ethtool -K eth4 rxvlan off
ethtool -K eth6 rx off
ethtool -K eth6 tx off
ethtool -K eth6 tso off
ethtool -K eth6 ufo off
ethtool -K eth6 gso off
ethtool -K eth6 gro off
ethtool -K eth6 lro off
ethtool -K eth6 tx-nocache-copy off
ethtool -K eth6 rxhash off
ethtool -K eth6 ntuple off
ethtool -K eth6 sg off
ethtool -K eth6 txvlan off
ethtool -K eth6 rxvlan off
#Set irq affinity
/bin/bash ./set_irq_affinity 2 eth4
/bin/bash ./set_irq_affinity 3 eth6

On 2/22/2017 5:51 PM, Michał Purzyński wrote:
> Have you disabled hardware hash with ethtool? By default kernel will use the card hash which is asymmetric.
>
> You can verify it with ethtool -k
>
> Look for rxhash - should be disabled.
>
> https://github.com/pevma/SEPTun
>
> Should show you how to prepare your system, you can ignore the core isolation and affinity for bro.
>
>> On Feb 22, 2017, at 3:29 PM, Gary Faulkner wrote:
>>
>> I'm trying AF_PACKET with Bro, but seem to be running a kernel and
>> driver combo that doesn't appear to properly support symmetric hashing.
>> I'm on Ubuntu 16.04 with kernel 4.4.0-59-generic.
>> From what I can tell
>> the patches should have been added around kernel 4.4.0-39 or so, but
>> Justin's verification tool and Bro both seem to agree that it is broken
>> on my system. I've tried with the OS supplied IXGBE driver (4.2.1-k) as
>> well as compiling from scratch using a recent IXGBE directly from Intel
>> (5.0.4). Is there a known working kernel and driver combo for Ubuntu
>> 16.04, or are the necessary patches still not pushed into 16.04?
>>
>> Thanks,
>>
>> Gary
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From rdump at river.com Wed Feb 22 20:20:01 2017
From: rdump at river.com (Richard Johnson)
Date: Wed, 22 Feb 2017 21:20:01 -0700
Subject: [Bro] Detect tor
In-Reply-To:
References:
Message-ID:

If you want valid, low false positive, detection of the public Tor (not TOR) network use, you can look at the descriptors of the public relays. Get them from any Tor node you run, or download from the Tor Project site. That will give you IP addresses and ports over time. A connection to those is very probably Tor user->network traffic.

A connection to a Tor node's IP on a port that isn't listed as a Tor port at the time of interest is much less likely to be Tor traffic. That's one of the failings of intel feeds listing only IPs, as almost all do when it comes to Tor.

Bridges complicate the picture, as they're handed only to a limited subset of users. There, you may want to consider active measures--connect to the same port yourself, see if you can evoke a Tor handshake. China's delay on active probing of the ports was on the order of hours to days when this was most popular; they may have gotten faster since.

Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI vendors can often keep up, but it's unlikely they'll share the competitive advantage.
Further along the arms race, bridges using pluggable transports like obfs4, or connections using domain fronting are not going to be easily detected, even by active probing.

Richard

On 2017-02-22 08:26, ps sunu wrote:
> ok thanks for your info
>
> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> Another thing you could try is, if you use intel framework, then you can
>> feed the intel FW with
>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>> intel.log, whenever there's
>> a hit on TOR IPs in your network traffic.
>>
>> Thanks,
>> Fatema.
>>
>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu wrote:
>>
>>> -----
>>> Hi,
>>> Which is the best TOR detection script in bro ? below one
>>> is good , or any other script there ?
>>>
>>> https://raw.githubusercontent.com/sethhall/bro-junk-drawer/m
>>> aster/detect-tor.bro
>>>
>>> Regards,
>>> Sunu
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From daniel.guerra69 at gmail.com Thu Feb 23 01:52:04 2017
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Thu, 23 Feb 2017 10:52:04 +0100
Subject: [Bro] Detect tor
In-Reply-To:
References:
Message-ID:

Tor can be detected by looking at the SSL certificates. Because the certificates are generated by Tor, the subject, issuer or ssl_hostname can be used to detect it. This example matches only if subject and issuer match.
I have seen tor connections

module DetectTor;

event ssl_established(c: connection) &priority=6
    {
    # Tor's self-signed certificates use a random www.<alnum>.{com,net} name
    # as both subject and issuer. The SNI (server_name) is the bare host name,
    # without the "CN=" prefix the certificate fields carry, so it gets its
    # own pattern. Dots are escaped so only a literal "." matches.
    if ( ( c$ssl?$subject && /^CN=www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$subject &&
           c$ssl?$issuer && /^CN=www\.[0-9a-zA-Z]+\.(com|net)$/ == c$ssl$issuer ) ||
         ( c$ssl?$server_name && /^www\.[0-9a-zA-Z]+\.(net|com)$/ == c$ssl$server_name ) )
        {
        add c$service["tor"];
        }
    }

Regards,
Daniel

> On 23 Feb 2017, at 05:20, Richard Johnson wrote:
>
> If you want valid, low false positive, detection of the public Tor (not TOR)
> network use, you can look at the descriptors of the public relays. Get them
> from any Tor node you run, or download from the Tor Project site. That will
> give you IP addresses and ports over time. A connection to those is very
> probably Tor user->network traffic.
>
> A connection to a Tor node's IP on a port that isn't listed as a Tor port at
> the time of interest is much less likely to be Tor traffic. That's one of the
> failings of intel feeds listing only IPs, as almost all do when it comes to Tor.
>
> Bridges complicate the picture, as they're handed only to a limited subset of
> users. There, you may want to consider active measures--connect to the same
> port yourself, see if you can evoke a Tor handshake. China's delay on active
> probing of the ports was on the order of hours to days when this was most
> popular; they may have gotten faster since.
>
> Trying to ID Tor traffic characteristics is not as easy as it used to be. DPI
> vendors can often keep up, but it's unlikely they'll share the competitive
> advantage.
>
> Further along the arms race, bridges using pluggable transports like obfs4, or
> connections using domain fronting are not going to be easily detected, even by
> active probing.
>
> Richard
>
> On 2017-02-22 08:26, ps sunu wrote:
>> ok thanks for your info
>>
>> On Wed, Feb 22, 2017 at 6:51 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>>
>>> Another thing you could try is, if you use intel framework, then you can
>>> feed the intel FW with
>>> the IOCs data for TOR, and load it in Intel, so that you will get logs in
>>> intel.log, whenever there's
>>> a hit on TOR IPs in your network traffic.
>>>
>>> Thanks,
>>> Fatema.
>>>
>>> On Wed, Feb 22, 2017 at 4:50 AM, ps sunu wrote:
>>>
>>>> -----
>>>> Hi,
>>>> Which is the best TOR detection script in bro ? below one
>>>> is good , or any other script there ?
>>>>
>>>> https://raw.githubusercontent.com/sethhall/bro-junk-drawer/m
>>>> aster/detect-tor.bro
>>>>
>>>> Regards,
>>>> Sunu
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From giedrius.ramas at gmail.com Thu Feb 23 03:21:49 2017
From: giedrius.ramas at gmail.com (Giedrius Ramas)
Date: Thu, 23 Feb 2017 13:21:49 +0200
Subject: [Bro] bro 2.5 . How to get meta fields on intel.log
Message-ID:

Hi Seth,

How can we get working those bro extensions for Bro 2.4 on Bro 2.5? Currently I get errors:

error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
proxy scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
ids-nksc004-eth1-1 scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match

Our intel data have the following format:

#fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source

And we need to have these metas: meta.desc, meta.c<br>if_confidence, meta.source on bro.intel log as previously had with bro extensions for Bro 2.4 found on https://github.com/sethhall/intel-ext. Our question is how to get meta fields on bro intel.log?

From giedrius.ramas at gmail.com Thu Feb 23 04:18:08 2017
From: giedrius.ramas at gmail.com (Giedrius Ramas)
Date: Thu, 23 Feb 2017 14:18:08 +0200
Subject: [Bro] bro 2.5 . How to get meta fields on intel.log
Message-ID:

Hi,

How can we get working those bro extensions for Bro 2.4 on Bro 2.5? Currently I get errors:

error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
proxy scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
ids-nksc004-eth1-1 scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match

Our intel data have the following format:

#fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source

And we need to have these metas: meta.desc, meta.cif_confidence, meta.source on bro.intel log as previously had with bro extensions for Bro 2.4 found on https://github.com/sethhall/intel-ext. Our question is how to get meta fields on bro intel.log?

From jan.grashoefer at gmail.com Thu Feb 23 05:12:38 2017
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Thu, 23 Feb 2017 14:12:38 +0100
Subject: [Bro] bro 2.5 . How to get meta fields on intel.log
In-Reply-To:
References:
Message-ID:

Hi,

> How can we get working those bro extensions for Bro 2.4 on Bro 2.5
> Currently I get errors:
> ...
> line 20: Duplicate identifier documentation: Intel::extend_match

the intel framework has been reworked for 2.5 and includes a similar extension mechanism (a hook instead of an event). The following blog entry goes into details:
http://blog.bro.org/2016/12/the-intelligence-framework-update.html

> Or question is how to get meta fields on bro intel.log.?

You can use the extension mechanisms included but keep in mind that each hit might be associated with multiple indicators and each indicator might be associated with multiple meta data records.
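The hook-based mechanism Jan refers to, as an added example that is not Jan's, Richard's or the Bro project's own code: it puts Giedrius's meta.desc and meta.cif_confidence columns into intel.log and, for a Tor relay feed of the kind Richard describes earlier in this thread, vetoes matches that hit a relay's address on a port other than the relay's OR port. It assumes Bro 2.5, the intel file header posted above, and one extra assumed column, meta.tor_or_port; the feed name, indicator and values in the comment are constructed.

```bro
# Added example (not Jan's, Richard's or the Bro project's own code).
# Assumes Bro 2.5 and an intel file with the header posted in this thread
# plus one assumed extra column, meta.tor_or_port. Constructed sample file
# (tab separated), e.g. tor-relays.intel:
#   #fields	indicator	indicator_type	meta.source	meta.desc	meta.cif_confidence	meta.tor_or_port
#   203.0.113.10	Intel::ADDR	tor-consensus	Tor relay (constructed)	85	9001/tcp
@load base/frameworks/intel

module IntelMeta;

export {
	redef record Intel::MetaData += {
		# Assumed column: CIF-style confidence shipped with the indicator.
		cif_confidence: double &optional;
		# Assumed column: OR port a Tor relay advertises in its descriptor.
		tor_or_port: port &optional;
	};

	# Extra intel.log columns. They are sets because one hit can involve
	# several indicators and each indicator several meta data records.
	# meta.source needs no new column: 2.5 already logs it as "sources".
	redef record Intel::Info += {
		desc:           set[string] &log &optional;
		cif_confidence: set[double] &log &optional;
	};
}

# Runs for every hit right before intel.log is written; "break" vetoes the entry.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
	{
	local descs: set[string] = set();
	local confs: set[double] = set();
	local justified = F;

	for ( item in items )
		{
		local m = item$meta;

		# A relay's address only means Tor traffic when the connection goes
		# to the port the relay advertises; the same IP on another port is
		# some other service on that host. Only applied when the matched
		# host is the responder, i.e. the client -> relay direction.
		if ( m?$tor_or_port && s?$conn && s?$host &&
		     s$host == s$conn$id$resp_h && s$conn$id$resp_p != m$tor_or_port )
			next;

		justified = T;
		if ( m?$desc )
			add descs[m$desc];
		if ( m?$cif_confidence )
			add confs[m$cif_confidence];
		}

	# Every matching item was a relay address on the wrong port: drop the entry.
	if ( ! justified )
		break;

	info$desc = descs;
	info$cif_confidence = confs;
	}
```

Load it from local.bro and add the file to Intel::read_files as usual. Bro 2.5 also ships policy/integration/collective-intel, which defines CIF meta data fields of its own (cif_confidence among them); load either that script or the cif_confidence redef above, not both.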
Jan

From andrew.dellana at bayer.com Thu Feb 23 06:20:37 2017
From: andrew.dellana at bayer.com (Andrew Dellana)
Date: Thu, 23 Feb 2017 14:20:37 +0000
Subject: [Bro] Bro Detections and Compliance Questions
Message-ID:

Hello,

When a bro script detects something, how can you go about resolving the issues that caused it (assuming it wasn't noise that caused it)? Is there something that I change in Bro or is this something that would be covered in the corporate compliance / security?

Following up with that, what is the best practice to analyze the packet captures from Bro to determine if there is an actual issue? I am currently looking into Splunk as a log parser.

Best regards,

Andrew Dellana
Intern
________________________

From giedrius.ramas at gmail.com Thu Feb 23 06:34:55 2017
From: giedrius.ramas at gmail.com (Giedrius Ramas)
Date: Thu, 23 Feb 2017 16:34:55 +0200
Subject: [Bro] bro 2.5 . How to get meta fields on intel.log
In-Reply-To:
References:
Message-ID:

Thanks, Jan. Got it working.

On Thu, Feb 23, 2017 at 3:12 PM, Jan Grashöfer wrote:
> Hi,
>
> > How can we get working those bro extensions for Bro 2.4 on Bro 2.5
> > Currently I get errors:
> > ...
> > line 20: Duplicate identifier documentation: Intel::extend_match
>
> the intel framework has been reworked for 2.5 and includes a similar
> extension mechanism (a hook instead of an event). The following blog
> entry goes into details:
> http://blog.bro.org/2016/12/the-intelligence-framework-update.html
>
> > Or question is how to get meta fields on bro intel.log.?
>
> You can use the extension mechanisms included but keep in mind that each
> hit might be associated with multiple indicators and each indicator
> might be associated with multiple meta data records.
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From seth at icir.org Thu Feb 23 06:40:52 2017
From: seth at icir.org (Seth Hall)
Date: Thu, 23 Feb 2017 09:40:52 -0500
Subject: [Bro] bro 2.5 . How to get meta fields on intel.log
In-Reply-To:
References:
Message-ID:

> On Feb 23, 2017, at 7:18 AM, Giedrius Ramas wrote:
>
> And we need to have these meta's: meta.desc, meta.cif_confidence, meta.source on bro.intel log as previously had with bro extensions for Bro 2.4 found on https://github.com/sethhall/intel-ext.

Sorry about the confusion. I'll put a note on that repository that the feature is now built into Bro and point to Jan's blog post.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From bro at pingtrip.com Thu Feb 23 09:47:19 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 23 Feb 2017 12:47:19 -0500
Subject: [Bro] Debugging high-cpu on a single worker
Message-ID: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>

I'm seeing a repeatable issue where the first worker of ten always has a higher CPU usage.
11 3014 bro 20 0 2078M 1250M 502M R 97.4 1.0 18h34:48 /opt/bro/bin/bro -i netmap::bro}0 -U .status -p broctl -p broctl-live -p
14 3005 bro 20 0 1885M 1056M 501M R 83.5 0.8 13h09:44 /opt/bro/bin/bro -i netmap::bro}4 -U .status -p broctl -p broctl-live -p
18 3013 bro 20 0 1746M 983M 501M R 67.3 0.8 13h25:41 /opt/bro/bin/bro -i netmap::bro}8 -U .status -p broctl -p broctl-live -p
17 3009 bro 20 0 2139M 977M 502M S 63.5 0.8 13h11:37 /opt/bro/bin/bro -i netmap::bro}7 -U .status -p broctl -p broctl-live -p
19 3008 bro 20 0 2168M 1333M 501M S 63.0 1.0 13h30:12 /opt/bro/bin/bro -i netmap::bro}9 -U .status -p broctl -p broctl-live -p
13 3006 bro 20 0 2164M 1329M 502M S 62.5 1.0 13h16:05 /opt/bro/bin/bro -i netmap::bro}3 -U .status -p broctl -p broctl-live -p
12 3012 bro 20 0 2194M 1287M 501M R 60.6 1.0 13h15:14 /opt/bro/bin/bro -i netmap::bro}2 -U .status -p broctl -p broctl-live -p
15 3011 bro 20 0 2177M 982M 502M R 60.6 0.8 13h03:26 /opt/bro/bin/bro -i netmap::bro}5 -U .status -p broctl -p broctl-live -p
16 3007 bro 20 0 2317M 1237M 502M R 60.1 1.0 13h12:35 /opt/bro/bin/bro -i netmap::bro}6 -U .status -p broctl -p broctl-live -p
20 3010 bro 20 0 2328M 991M 501M R 58.2 0.8 13h14:40 /opt/bro/bin/bro -i netmap::bro}1 -U .status -p broctl -p broctl-live -p

Even after a fresh restart the 'bro}0'
worker is about double the CPU usage compared to the other workers:

11 1799 bro 20 0 1422M 668M 501M S 73.5 0.5 0:12.28 /opt/bro/bin/bro -i netmap::bro}0 -U .status -p broctl -p broctl-live -p
15 1813 bro 20 0 1420M 530M 364M S 37.9 0.4 0:07.04 /opt/bro/bin/bro -i netmap::bro}5 -U .status -p broctl -p broctl-live -p
17 1831 bro 20 0 1420M 527M 362M R 37.5 0.4 0:06.92 /opt/bro/bin/bro -i netmap::bro}7 -U .status -p broctl -p broctl-live -p
12 1805 bro 20 0 1424M 525M 356M R 36.5 0.4 0:07.04 /opt/bro/bin/bro -i netmap::bro}2 -U .status -p broctl -p broctl-live -p
18 1830 bro 20 0 1420M 514M 350M R 35.1 0.4 0:06.67 /opt/bro/bin/bro -i netmap::bro}8 -U .status -p broctl -p broctl-live -p
19 1826 bro 20 0 1421M 533M 367M S 34.6 0.4 0:07.15 /opt/bro/bin/bro -i netmap::bro}9 -U .status -p broctl -p broctl-live -p
20 1832 bro 20 0 1421M 529M 363M R 34.6 0.4 0:07.06 /opt/bro/bin/bro -i netmap::bro}1 -U .status -p broctl -p broctl-live -p
14 1827 bro 20 0 1420M 530M 365M S 34.6 0.4 0:06.87 /opt/bro/bin/bro -i netmap::bro}4 -U .status -p broctl -p broctl-live -p
13 1802 bro 20 0 1418M 520M 356M S 34.6 0.4 0:06.79 /opt/bro/bin/bro -i netmap::bro}3 -U .status -p broctl -p broctl-live -p
16 1824 bro 20 0 1417M 502M 339M R 33.1 0.4 0:06.60 /opt/bro/bin/bro -i netmap::bro}6 -U .status -p broctl -p broctl-live -p

A quick spot check of an hour's worth of conn logs shows the traffic is balanced as expected:

MID_EXT-1 = 397479
MID_EXT-2 = 409771
...
MID_EXT-10 = 408699

The real issue is that it's the only worker that's reporting capture_loss, which I assume is due to hitting 100% CPU usage:

#fields	ts	ts_delta	peer	gaps	acks	percent_lost
1487866049.759038	600.000033	MID_EXT-2	4713	4710856	0.100046
1487866049.759333	600.000015	MID_EXT-9	5427	5193821	0.10449
1487866049.760596	600.000068	MID_EXT-5	5768	5548436	0.103957
1487866049.762628	600.000107	MID_EXT-8	5190	5224691	0.099336
1487866049.764048	600.000125	MID_EXT-3	5036	4947221	0.101795
1487866111.312071	600.000666	MID_EXT-6	8007	5959706	0.134352
1487866111.313803	600.000803	MID_EXT-4	6581	4981572	0.132107
1487866111.314788	600.000126	MID_EXT-7	6579	4905261	0.134121
1487866111.327390	600.000047	MID_EXT-10	7693	6369836	0.120772
1487866111.584908	600.000566	MID_EXT-1	823616	4227324	19.483153

Any tips on how to debug/profile further would be greatly appreciated.

Thanks!

-Dave

From jan.grashoefer at gmail.com Thu Feb 23 09:57:57 2017
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Thu, 23 Feb 2017 18:57:57 +0100
Subject: [Bro] Debugging high-cpu on a single worker
In-Reply-To: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>
References: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>
Message-ID: <343def51-09ae-63b6-252f-c58f42111696@gmail.com>

Hi Dave,

> Any tips on how to debug/profile further would be greatly appreciated.

using https://github.com/0xxon/bro-scripts/blob/master/conn-workers.bro and looking at the type etc. of connections that are handled by the worker might help.
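One way to get the per-worker view Jan suggests without tagging every conn.log row, as an added example that is neither Jan's, Dave's nor the conn-workers.bro script's code: each worker counts the connections it finishes by transport protocol and detected service, and flushes the counts to a worker_load log every five minutes. It assumes Bro 2.5 in a broctl cluster, where peer_description carries the node name; the log name and the interval are arbitrary choices here.

```bro
# Added example (not from this thread or the Bro project): per-worker
# breakdown of finished connections by "<proto>/<service>", so a hot
# worker's traffic mix can be compared against the other workers'.
# Assumes Bro 2.5 and a broctl cluster (peer_description = node name).
module WorkerLoad;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:     time   &log;   # time the bucket was flushed
		worker: string &log;   # cluster node name (peer_description)
		key:    string &log;   # "<proto>/<service>", e.g. "tcp/ssl"
		conns:  count  &log;   # connections finished in this bucket
		bytes:  count  &log;   # payload bytes, both directions
	};

	# Arbitrary flush interval for this example.
	const flush_interval = 5min &redef;

	global flush_counters: event();
}

# Per-worker accumulators, keyed by "<proto>/<service>".
global conns_by_key: table[string] of count &default=0;
global bytes_by_key: table[string] of count &default=0;

# Bucket key: transport protocol of the responder port plus the service(s)
# Bro's dynamic protocol detection attached to the connection, or "-".
function conn_key(c: connection): string
	{
	local svc = |c$service| > 0 ? join_string_set(c$service, ",") : "-";
	return fmt("%s/%s", get_port_transport_proto(c$id$resp_p), svc);
	}

event connection_state_remove(c: connection)
	{
	local k = conn_key(c);
	++conns_by_key[k];
	bytes_by_key[k] += c$orig$size + c$resp$size;
	}

# Write one row per key for this worker, reset, and reschedule.
event WorkerLoad::flush_counters()
	{
	local now = network_time();
	for ( k in conns_by_key )
		Log::write(WorkerLoad::LOG, [$ts=now, $worker=peer_description, $key=k,
		                             $conns=conns_by_key[k], $bytes=bytes_by_key[k]]);

	clear_table(conns_by_key);
	clear_table(bytes_by_key);
	schedule flush_interval { WorkerLoad::flush_counters() };
	}

event bro_init()
	{
	Log::create_stream(WorkerLoad::LOG, [$columns=Info, $path="worker_load"]);
	schedule flush_interval { WorkerLoad::flush_counters() };
	}
```

Sort worker_load.log by key and compare the counts per worker: a key that only the hot worker ever reports is traffic the load balancer cannot spread across workers, while an even mix with one worker still running hot points away from the traffic and at whatever else runs on that worker's CPU.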
Jan

From jazoff at illinois.edu Thu Feb 23 10:37:09 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 23 Feb 2017 18:37:09 +0000
Subject: [Bro] Debugging high-cpu on a single worker
In-Reply-To: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>
References: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>
Message-ID:

> On Feb 23, 2017, at 12:47 PM, Dave Crawford wrote:
>
> I'm seeing a repeatable issue where the first worker of ten always has a higher CPU usage.
>
> 11 3014 bro 20 0 2078M 1250M 502M R 97.4 1.0 18h34:48 /opt/bro/bin/bro -i netmap::bro}0 -U .status -p broctl -p broctl-live -p

I'd guess it is one of two things:

The pin cpu setting that is pinning that worker to the same cpu that is being used for things like interrupts

The fact that it is the first worker on netmap may mean it receives all of a certain kind of traffic that can't otherwise be load balanced to the other workers.

What pin_cpus setting are you using and what does /proc/interrupts contain?

--
- Justin Azoff

From bro at pingtrip.com Thu Feb 23 14:12:53 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Thu, 23 Feb 2017 17:12:53 -0500
Subject: [Bro] Debugging high-cpu on a single worker
In-Reply-To:
References: <8D4AB0F0-15D1-4206-B01C-1BE9F14208DB@pingtrip.com>
Message-ID: <4FB1E387-6DCA-4ADD-B342-07A90AE6CAA2@pingtrip.com>

> I'd guess it is one of two things:
>
> The pin cpu setting that is pinning that worker to the same cpu that is being used for things like interrupts
>
> The fact that it is the first worker on netmap may mean it receives all of a certain kind of traffic that can't otherwise be load balanced to the other workers.
>
> What pin_cpus setting are you using and what does /proc/interrupts contain?
>
> --
> - Justin Azoff
>

You nailed it, I missed the IRQ triage and that NIC is pinned to the first CPU in its numa node, which matches with the first one Bro is pinned to. So now the dilemma is that hardware only has 10 cores per CPU.
So either I reduce the number of Bro workers to 9, and leave a core dedicated to NIC interrupts, or I pin the NIC to a core on the other CPU and incur a latency hit due to it being on a different numa node.

-Dave

From robin at icir.org Thu Feb 23 15:29:40 2017
From: robin at icir.org (Robin Sommer)
Date: Thu, 23 Feb 2017 15:29:40 -0800
Subject: [Bro] osquery integration
Message-ID: <20170223232939.GL52561@icir.org>

I wanted to send a pointer to a new integration project that Steffen Haas presented at Bro4Pros recently: He wrote an osquery (https://osquery.io) extension that connects the host monitor to Bro, through Broker. The extension, along with a corresponding Bro script framework, allows turning osquery's SQL-style queries into real-time Bro event streams reflecting host-level activity. As an example, one can ask osquery to send an event every time there's a new USB device on a host, and then write a Bro script that processes these events as they come in, just as any other Bro events. One can turn such host activity into Bro log files for example, or correlate with the network activity Bro is seeing.

The extension is currently in prototype state, we're working with the osquery team to integrate it directly into their distribution---a corresponding PR is open. In the meantime, we'd appreciate feedback, either here on the list or through GitHub.

You can find the project at https://github.com/bro/bro-osquery . For more context, see Steffen's Bro4Pros slides: https://www.bro.org//bro4pros2017/Haas_OSquery_Bro4Pros2017.pdf

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From hovsep.sanjay.levi at gmail.com Fri Feb 24 16:38:30 2017
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Sat, 25 Feb 2017 00:38:30 +0000
Subject: [Bro] Logging and memory leak
In-Reply-To:
References: <6B204A64-5F4C-4230-8741-9CDD550EC433@illinois.edu>
Message-ID:

...The saga continues...
Disabling protocols/ssl/validate-certs relieved the rapid memory leak but the problem still exists over long periods of time. Implemented the change on Feb 6th and by Feb 18th the VZSIZE / RSS was 32G / 2G. By Feb 23rd it was 337G / 24G.

FWIW I'm considering migrating the cluster to Intel CPUs but they are the same speed so I'm not sure it's worth the trouble since the worker count will remain the same.

From remi.jullian at ssi.gouv.fr Mon Feb 27 03:12:38 2017
From: remi.jullian at ssi.gouv.fr (Jullian Remi)
Date: Mon, 27 Feb 2017 12:12:38 +0100
Subject: [Bro] Using native PF_RING plugin with broctl
Message-ID: <58B409A6.3010805@ssi.gouv.fr>

Hi all,

I am trying to use Bro's PF_RING plugin with broctl, using a simple bro cluster on a single host.

Here is an extract of my 'node.cfg' file:

[worker]
type=worker
host=localhost
interface=pf_ring::eth0
lb_method=pf_ring
lb_procs=8
pin_cpus=0,1,2,3,4,5,6,7

When I used the deploy command, I got the following error: "fatal error: type of packet source 'pf_ring' no recognized, or mode not supported"

Here is the output of the deploy command:

[BroControl] > deploy
...
starting ...
starting manager ...
starting proxy ...
starting worker-1
...
starting worker-8
worker-1 terminated immediately after starting; check output with "diag"
...
worker-8 terminated immediately after starting; check output with "diag"

And when running "diag":

[BroControl] > diag

==== stderr.log
fatal error: type of packet source 'pf_ring' no recognized, or mode not supported

However I do not have any problem running bro as a standalone process with local commands such as:

$/usr/local/bro/bin/bro -i pf_ring::eth0
listening on eth0

and:

$/usr/local/bro/bin/bro -N | grep PF
Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)

This tends to prove Bro plugin has been installed and works.

I think Broctl is launching Bro binary without the right settings for the plugin to be found/to work correctly. Am I missing something with configuration files? Maybe the environment variables aren't properly set?

Does anyone use bro's PF_RING plugin with a cluster configuration without issues?

Thanks,

Rémi

From landy-bible at utulsa.edu Mon Feb 27 04:02:29 2017
From: landy-bible at utulsa.edu (Landy Bible)
Date: Mon, 27 Feb 2017 12:02:29 +0000
Subject: [Bro] Using native PF_RING plugin with broctl
In-Reply-To: <58B409A6.3010805@ssi.gouv.fr>
References: <58B409A6.3010805@ssi.gouv.fr>
Message-ID:

I think you just need "interface=eth0". It knows to use pf_ring because of the next line.

On Mon, Feb 27, 2017, 05:14 Jullian Remi wrote:
> Hi all,
>
> I am trying to use Bro's PF_RING plugin with broctl, using a simple bro
> cluster on a single host.
>
> Here is an extract of my 'node.cfg' file:
>
> [worker]
> type=worker
> host=localhost
> interface=pf_ring::eth0
> lb_method=pf_ring
> lb_procs=8
> pin_cpus=0,1,2,3,4,5,6,7
>
> When I used the deploy command, I got the following error: "fatal error:
> type of packet source 'pf_ring' no recognized, or mode not supported"
>
> Here is the output of the deploy command:
>
> [BroControl] > deploy
> ...
> starting ...
> starting manager ...
> starting proxy ...
> starting worker-1
> ...
> starting worker-8
> worker-1 terminated immediately after starting; check output with "diag"
> ...
> worker-8 terminated immediately after starting; check output with "diag"
>
> And when running "diag":
>
> [BroControl] > diag
>
> ==== stderr.log
> fatal error: type of packet source 'pf_ring' no recognized, or mode not
> supported
>
>
> However I do not have any problem running bro as a standalone process
> with local commands such as:
>
> $/usr/local/bro/bin/bro -i pf_ring::eth0
> listening on eth0
>
> and:
>
> $/usr/local/bro/bin/bro -N | grep PF
> Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
>
> This tends to prove Bro plugin has been installed and works.
>
> I think Broctl is launching Bro binary without the right settings for
> the plugin to be found/to work correctly. Am I missing something with
> configuration files ?
> May be the environment variables aren't properly set?
>
> Does anyone use bro's PF_RING plugin with a cluster configuration
> without issues?
>
> Thanks,
>
> Rémi
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From remi.jullian at ssi.gouv.fr Mon Feb 27 09:10:47 2017
From: remi.jullian at ssi.gouv.fr (Jullian Remi)
Date: Mon, 27 Feb 2017 18:10:47 +0100
Subject: [Bro] Using native PF_RING plugin with broctl
In-Reply-To:
References: <58B409A6.3010805@ssi.gouv.fr>
Message-ID: <58B45D97.8040204@ssi.gouv.fr>

When I set 'interface=eth0' and 'lb_method=pf_ring', the broctl deploy command works, bro starts, but PF_RING is not used. Indeed, all workers receive the same packets (i.e. no load-balancing is performed). When I cat the file /proc/net/pf_ring/info, the total number of rings used is 0.
Moreover, when I put a breakpoint within Source.cc:192 (PcapSource::ExtractNextPacket), I can see the call to the libpcap function pcap_next(), which should never be called.

> I think you just need "interface=eth0". It knows to use pf_ring because
> of the next line.
>
>
> On Mon, Feb 27, 2017, 05:14 Jullian Remi wrote:
>
>> Hi all,
>>
>> I am trying to use Bro's PF_RING plugin with broctl, using a simple bro
>> cluster on a single host.
>>
>> Here is an extract of my 'node.cfg' file:
>>
>> [worker]
>> type=worker
>> host=localhost
>> interface=pf_ring::eth0
>> lb_method=pf_ring
>> lb_procs=8
>> pin_cpus=0,1,2,3,4,5,6,7
>>
>> When I used the deploy command, I got the following error: "fatal error:
>> type of packet source 'pf_ring' no recognized, or mode not supported"
>>
>> Here is the output of the deploy command:
>>
>> [BroControl] > deploy
>> ...
>> starting ...
>> starting manager ...
>> starting proxy ...
>> starting worker-1
>> ...
>> starting worker-8
>> worker-1 terminated immediately after starting; check output with "diag"
>> ...
>> worker-8 terminated immediately after starting; check output with "diag"
>>
>> And when running "diag":
>>
>> [BroControl] > diag
>>
>> ==== stderr.log
>> fatal error: type of packet source 'pf_ring' no recognized, or mode not
>> supported
>>
>>
>> However I do not have any problem running bro as a standalone process
>> with local commands such as:
>>
>> $/usr/local/bro/bin/bro -i pf_ring::eth0
>> listening on eth0
>>
>> and:
>>
>> $/usr/local/bro/bin/bro -N | grep PF
>> Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0)
>>
>> This tends to prove Bro plugin has been installed and works.
>>
>> I think Broctl is launching Bro binary without the right settings for
>> the plugin to be found/to work correctly. Am I missing something with
>> configuration files ?
>> May be the environment variables aren't properly set?
>>
>> Does anyone use bro's PF_RING plugin with a cluster configuration
>> without issues?
> > Thanks, > > Rémi

From jazoff at illinois.edu Mon Feb 27 09:30:20 2017 From: jazoff at illinois.edu (Azoff, Justin S) Date: Mon, 27 Feb 2017 17:30:20 +0000 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <58B409A6.3010805@ssi.gouv.fr> References: <58B409A6.3010805@ssi.gouv.fr> Message-ID:

> On Feb 27, 2017, at 6:12 AM, Jullian Remi wrote: > > > > However I do not have any problem running bro as a standalone process > with local commands such as: > > $/usr/local/bro/bin/bro -i pf_ring::eth0 > listening on eth0 > > and: > > $/usr/local/bro/bin/bro -N | grep PF > Bro::PF_RING - Packet acquisition via PF_RING (dynamic, version 1.0) > > This tends to prove Bro plugin has been installed and works. > > I think Broctl is launching Bro binary without the right settings for > the plugin to be found/to work correctly. Am I missing something with > configuration files? > Maybe the environment variables aren't properly set?

How did you install bro? Do you have more than one version of bro installed? What environment variables are you referring to?

-- - Justin Azoff

From remi.jullian at ssi.gouv.fr Mon Feb 27 10:51:08 2017 From: remi.jullian at ssi.gouv.fr (Jullian Remi) Date: Mon, 27 Feb 2017 19:51:08 +0100 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: References: <58B409A6.3010805@ssi.gouv.fr> Message-ID: <58B4751C.3030903@ssi.gouv.fr>

I installed bro using the following commands:

./configure --prefix=/usr/local/bro/
make
sudo make install

Then, bro is started using broctl install, followed by broctl start. I have only one version of bro installed, the stable version 2.5 (Released Nov 16, 2016).
I was referring to the environment variables such as PATH, BROPATH or CLUSTER_NODE, contained in ${PREFIX}/spool/worker-X/.env_vars, and generated by the wrapper script ${PREFIX}/share/broctl/scripts/run-bro. I forgot to mention that without using the native PF_RING plugin, I am able to use PF_RING with the dedicated libpcap, such as explained here: https://www.bro.org/sphinx/configuration/index.html#pf-ring-cluster-configuration. Therefore, I don't think that this issue is related to the pf_ring network driver or something like that, but rather to bro or broctl that does not set the right configuration to enable the plugin.

Rémi

> How did you install bro? Do you have more than one version of bro installed? > > What environment variables are you referring to?

From gfaulkner.nsm at gmail.com Mon Feb 27 11:19:31 2017 From: gfaulkner.nsm at gmail.com (Gary Faulkner) Date: Mon, 27 Feb 2017 13:19:31 -0600 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <58B4751C.3030903@ssi.gouv.fr> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> Message-ID: <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com>

When you built Bro did you also configure/make/make install the pf_ring plugin? My recollection is that the plugins are not automatically built when you build bro. They should be in the /aux/plugins/ in the source tree. They typically install into /lib/bro/plugins/.

~Gary

On 2/27/17 12:51 PM, Jullian Remi wrote: > I installed bro using the following commands: > > ./configure --prefix=/usr/local/bro/ > make > sudo make install > > Then, bro is started using broctl install, followed by broctl start. > > I have only one version of bro installed, the stable version 2.5 > (Released Nov 16, 2016). > > I was referring to the environment variables such as PATH, BROPATH or > CLUSTER_NODE, contained in ${PREFIX}/spool/worker-X/.env_vars, and > generated by the wrapper script ${PREFIX}/share/broctl/scripts/run-bro.
> > I forgot to mention that without using the native PF_RING plugin, I am > able to use PF_RING with the dedicated libpcap, such as explained here: > https://www.bro.org/sphinx/configuration/index.html#pf-ring-cluster-configuration. > > > Therefore, I don't think that this issue is related to the pf_ring > network driver or something like that, but rather to bro or broctl that > does not set the right configuration to enable the plugin. > > Rémi >> How did you install bro? Do you have more than one version of bro installed? >> >> What environment variables are you referring to?

From mabuchan at gmail.com Mon Feb 27 11:41:50 2017 From: mabuchan at gmail.com (Mark Buchanan) Date: Mon, 27 Feb 2017 13:41:50 -0600 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> Message-ID:

There is a glitch that Justin and I worked through a few weeks ago with the PF_RING (native) support in Bro 2.5. Try adding these two items to your /opt/bro/etc/broctl.conf file:

PFRINGClusterID = 21
PFRINGClusterType = 6-tuple

The issue is there is some broken logic in a file that defaults the ClusterID to zero (0) and at the same time that doesn't split the packets out of the PF_RING interface as it should, which results in all workers getting all packets (as you described). So long as the PFRINGClusterID is anything aside from zero (0), I believe it will fix the issue. I add the ClusterType just as a safety net to ensure you get decent distribution of packets. Other modes (5-tuple, 4-tuple or 2-tuple) should also be valid. FYI - the 6th tuple is VLAN, so it may be more beneficial to use 5-tuple in some environments.
If those items are in your broctl.conf file, then I'm a bit lost, but I've been fighting with PF_RING over the past few weeks and this has allowed for a repeatable process for myself. This is also assuming you use in the node.cfg:

interface = eth0
lb_method = pf_ring

Additionally, the PF_RING module (new in 2.5) I believe suffers from the same glitch or possibly another one. I know roughly how to fix it, but have time to validate and push back upstream.

Mark

On Mon, Feb 27, 2017 at 1:19 PM, Gary Faulkner wrote: > When you built Bro did you also configure/make/make install the pf_ring > plugin? My recollection is that the plugins are not automatically built > when you build bro. They should be in the > /aux/plugins/ in the source tree. They typically > install into /lib/bro/plugins/. > > ~Gary > > On 2/27/17 12:51 PM, Jullian Remi wrote: > > I installed bro using the following commands: > > > > ./configure --prefix=/usr/local/bro/ > > make > > sudo make install > > > > Then, bro is started using broctl install, followed by broctl start. > > > > I have only one version of bro installed, the stable version 2.5 > > (Released Nov 16, 2016). > > > > I was referring to the environment variables such as PATH, BROPATH or > > CLUSTER_NODE, contained in ${PREFIX}/spool/worker-X/.env_vars, and > > generated by the wrapper script ${PREFIX}/share/broctl/scripts/run-bro. > > > > I forgot to mention that without using the native PF_RING plugin, I am > > able to use PF_RING with the dedicated libpcap, such as explained here: > > https://www.bro.org/sphinx/configuration/index.html#pf-ring-cluster-configuration. > > > > > > Therefore, I don't think that this issue is related to the pf_ring > > network driver or something like that, but rather to bro or broctl that > > does not set the right configuration to enable the plugin. > > > > Rémi > >> How did you install bro? Do you have more than one version of bro > installed? > >> > >> What environment variables are you referring to?
-- Mark Buchanan

From seth at icir.org Mon Feb 27 11:47:35 2017 From: seth at icir.org (Seth Hall) Date: Mon, 27 Feb 2017 14:47:35 -0500 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> Message-ID:

> On Feb 27, 2017, at 2:19 PM, Gary Faulkner wrote: > > When you built Bro did you also configure/make/make install the pf_ring > plugin? My recollection is that the plugins are not automatically built > when you build bro. They should be in the > /aux/plugins/ in the source tree. They typically > install into /lib/bro/plugins/.

Are there people out there that are using the pf_ring plugin to successfully load balance traffic? I just checked the source to that plugin and I don't see where it sets up a load balanced ring.
(I haven't worked on this plugin at all)

.Seth

-- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

From jlay at slave-tothe-box.net Mon Feb 27 12:49:52 2017 From: jlay at slave-tothe-box.net (James Lay) Date: Mon, 27 Feb 2017 13:49:52 -0700 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> Message-ID:

On 2017-02-27 12:47, Seth Hall wrote: >> On Feb 27, 2017, at 2:19 PM, Gary Faulkner >> wrote: >> >> When you built Bro did you also configure/make/make install the >> pf_ring >> plugin? My recollection is that the plugins are not automatically >> built >> when you build bro. They should be in the >> /aux/plugins/ in the source tree. They typically >> install into /lib/bro/plugins/. > > Are there people out there that are using the pf_ring plugin to > successfully load balance traffic? I just checked the source to that > plugin and I don't see where it sets up a load balanced ring. (I > haven't worked on this plugin at all) > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/

From my install notes:

###pfring
git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make
sudo make install
cd ../userland/lib    # relative to PF_RING/kernel
./configure --prefix=/opt/pfring
make
sudo make install
cd ../libpcap
./configure --prefix=/opt/pfring
make
sudo make install
cd ../tcpdump
./configure --prefix=/opt/pfring
make
sudo make install
modprobe pf_ring enable_tx_capture=1 min_num_slots=32768
####

###bro
./configure --prefix=/opt/bro --with-pcap=/opt/pfring

pf_ring plugin
cd aux/plugins/pf_ring
./configure --bro-dist=../../.. --with-pfring=/opt/pfring --install-root=/opt/bro/lib/bro/plugins
sudo make install
####

1 worker from node.cfg:

[worker-1]
type=worker
host=localhost
interface=enp132s0
lb_method=pf_ring
lb_procs=6
pin_cpus=1,3,5,7,9,11

/proc/net/pf_ring/info:

PF_RING Version : 6.5.0 (dev:ab85fa090f7e1a9a66478815b82db6fa001a5b29)
Total rings : 9

Standard (non ZC) Options
Ring slots : 4096
Slot version : 16
Capture TX : Yes [RX+TX]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 19736
Cluster Fragment Discard : 0

James

From jazoff at illinois.edu Mon Feb 27 13:03:22 2017 From: jazoff at illinois.edu (Azoff, Justin S) Date: Mon, 27 Feb 2017 21:03:22 +0000 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> Message-ID: <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu>

> On Feb 27, 2017, at 2:47 PM, Seth Hall wrote: > > >> On Feb 27, 2017, at 2:19 PM, Gary Faulkner wrote: >> >> When you built Bro did you also configure/make/make install the pf_ring >> plugin? My recollection is that the plugins are not automatically built >> when you build bro. They should be in the >> /aux/plugins/ in the source tree. They typically >> install into /lib/bro/plugins/. > > Are there people out there that are using the pf_ring plugin to successfully load balance traffic? I just checked the source to that plugin and I don't see where it sets up a load balanced ring. (I haven't worked on this plugin at all)

I can see from this thread that a number of people think they are using the plugin, but are not actually using it.
interface = eth0          # pf_ring libpcap wrapper
interface = pf_ring::eth0 # native bro pf_ring plugin

-- - Justin Azoff

From jlay at slave-tothe-box.net Mon Feb 27 13:12:00 2017 From: jlay at slave-tothe-box.net (James Lay) Date: Mon, 27 Feb 2017 14:12:00 -0700 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu> Message-ID:

On 2017-02-27 14:03, Azoff, Justin S wrote: >> On Feb 27, 2017, at 2:47 PM, Seth Hall wrote: >> >> >>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner >>> wrote: >>> >>> When you built Bro did you also configure/make/make install the >>> pf_ring >>> plugin? My recollection is that the plugins are not automatically >>> built >>> when you build bro. They should be in the >>> /aux/plugins/ in the source tree. They typically >>> install into /lib/bro/plugins/. >> >> Are there people out there that are using the pf_ring plugin to >> successfully load balance traffic? I just checked the source to that >> plugin and I don't see where it sets up a load balanced ring. (I >> haven't worked on this plugin at all) > > I can see from this thread that a number of people think they are > using the plugin, but are not actually using it. >
> interface = eth0          # pf_ring libpcap wrapper
> interface = pf_ring::eth0 # native bro pf_ring plugin

I believe that's because I got the info from here: https://www.bro.org/documentation/load-balancing.html Maybe add info from https://www.bro.org/sphinx/components/bro-plugins/pf_ring/README.html to the above? I will try out the native on next device reboot.
James

From remi.jullian at ssi.gouv.fr Tue Feb 28 01:31:18 2017 From: remi.jullian at ssi.gouv.fr (Jullian Remi) Date: Tue, 28 Feb 2017 10:31:18 +0100 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu> Message-ID: <58B54366.7030203@ssi.gouv.fr>

> >> On Feb 27, 2017, at 2:47 PM, Seth Hall wrote: >> >> >>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner wrote: >>> >>> When you built Bro did you also configure/make/make install the pf_ring >>> plugin? My recollection is that the plugins are not automatically built >>> when you build bro. They should be in the >>> /aux/plugins/ in the source tree. They typically >>> install into /lib/bro/plugins/. >> >> Are there people out there that are using the pf_ring plugin to successfully load balance traffic? I just checked the source to that plugin and I don't see where it sets up a load balanced ring. (I haven't worked on this plugin at all) > > I can see from this thread that a number of people think they are using the plugin, but are not actually using it. >
> interface = eth0          # pf_ring libpcap wrapper
> interface = pf_ring::eth0 # native bro pf_ring plugin
> >

Indeed, this is what I try to underline with this thread, I also believe there is a glitch with the native PF_RING plugin. I think that the example pointed by James Lay is using PF_RING through the libpcap, but NOT with the native plugin. It can be proved by breaking within Source.cc:192, the PcapSource::ExtractNextPacket() and the underlying pcap_next() function, should never be called, if the plugin is properly used. I would suggest using a libpcap compiled without PF_RING support, to avoid confusion. This is actually how I test the plugin.
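The three checks that have come up so far in this thread (Justin's distinction between `interface = eth0` and `interface = pf_ring::eth0`, Mark's non-zero PFRINGClusterID in broctl.conf, and Rémi's look at the ring count in /proc/net/pf_ring/info) can be scripted. The following Python is an added illustration written for this archive; it is not code from Bro, broctl, the PF_RING plugin or any participant. The file locations it names ($PREFIX/etc/node.cfg, $PREFIX/etc/broctl.conf, /proc/net/pf_ring/info) are assumed defaults, and every input below is a constructed sample rather than output from a real host.

```python
"""Sanity checks for a broctl + PF_RING worker setup (added example).

Not part of Bro, broctl or the PF_RING plugin. Assumed default locations:
$PREFIX/etc/node.cfg, $PREFIX/etc/broctl.conf and /proc/net/pf_ring/info.
Every input below is a constructed sample, not output from a real host.
"""
import configparser
import re

NATIVE_PREFIX = "pf_ring::"   # interface prefix that selects the native plugin


def capture_path(interface):
    """'plugin' for pf_ring::ethX (native Bro PF_RING plugin), otherwise
    'libpcap' (PF_RING-aware libpcap wrapper, balanced via lb_method=pf_ring)."""
    return "plugin" if interface.startswith(NATIVE_PREFIX) else "libpcap"


def check_workers(node_cfg_text):
    """Parse node.cfg (INI syntax) and return {section: finding} for each worker."""
    cp = configparser.ConfigParser()
    cp.read_string(node_cfg_text)
    findings = {}
    for name in cp.sections():
        if cp.get(name, "type", fallback="") != "worker":
            continue
        iface = cp.get(name, "interface", fallback="")
        lb = cp.get(name, "lb_method", fallback="")
        procs = cp.getint(name, "lb_procs", fallback=1)
        if capture_path(iface) == "plugin":
            # Thread finding: the 2.5 plugin sets up no load-balanced ring, and
            # pairing it with lb_method=pf_ring failed to start under broctl
            # ("type of packet source 'pf_ring' no recognized").
            msg = "plugin: no load balancing"
            if lb == "pf_ring":
                msg += "; lb_method=pf_ring with this source failed to start in the thread"
            findings[name] = msg
        elif lb == "pf_ring":
            findings[name] = f"libpcap wrapper: pf_ring balancing over {procs} procs"
        elif procs > 1:
            findings[name] = f"{procs} procs without lb_method=pf_ring: every worker sees every packet"
        else:
            findings[name] = "single libpcap worker"
    return findings


def pfring_cluster_settings(broctl_conf_text):
    """Return (PFRINGClusterID, PFRINGClusterType) from broctl.conf; None if absent."""
    cid = ctype = None
    for line in broctl_conf_text.splitlines():
        m = re.match(r"\s*PFRINGCluster(ID|Type)\s*=\s*(\S+)", line)
        if not m:
            continue
        if m.group(1) == "ID":
            cid = int(m.group(2)) if m.group(2).isdigit() else None
        else:
            ctype = m.group(2)
    return cid, ctype


def cluster_id_ok(broctl_conf_text):
    """A cluster ID of 0 (or none) is the case Mark describes: all workers see all packets."""
    cid, _ = pfring_cluster_settings(broctl_conf_text)
    return bool(cid)


def total_rings(proc_info_text):
    """'Total rings' from /proc/net/pf_ring/info; 0 means no PF_RING socket is open."""
    m = re.search(r"^Total rings\s*:\s*(\d+)", proc_info_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


# Constructed samples modelled on the files quoted in this thread.
NODE_CFG = """\
[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=6
pin_cpus=1,3,5,7,9,11

[worker-2]
type=worker
host=localhost
interface=pf_ring::eth1
lb_method=pf_ring
lb_procs=8
"""
BROCTL_CONF_BAD = "SpoolDir = /opt/bro/spool\nPFRINGClusterID = 0\n"
BROCTL_CONF_GOOD = "PFRINGClusterID = 21\nPFRINGClusterType = 6-tuple\n"
PROC_INFO = "PF_RING Version : 6.5.0 (constructed)\nTotal rings : 9\nRing slots : 4096\n"

if __name__ == "__main__":
    for worker, finding in check_workers(NODE_CFG).items():
        print(f"{worker}: {finding}")
    print("cluster id ok (bad conf):", cluster_id_ok(BROCTL_CONF_BAD))
    print("cluster id ok (good conf):", cluster_id_ok(BROCTL_CONF_GOOD))
    print("rings open:", total_rings(PROC_INFO))
```

On a live host, replace the constructed strings with the contents of the real files; a worker reported as "libpcap wrapper" together with a non-zero cluster ID and a ring count of at least lb_procs is the configuration the thread participants found to balance traffic, while a ring count of 0 after deploy matches the symptom Rémi reported.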
From shirkdog.bsd at gmail.com Tue Feb 28 05:40:26 2017 From: shirkdog.bsd at gmail.com (Michael Shirk) Date: Tue, 28 Feb 2017 08:40:26 -0500 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <58B54366.7030203@ssi.gouv.fr> References: <58B409A6.3010805@ssi.gouv.fr> <58B4751C.3030903@ssi.gouv.fr> <33024fd3-7373-568c-4cbc-a0e9524faba9@gmail.com> <904EEDCA-1FFB-4F09-9207-0870545E5604@illinois.edu> <58B54366.7030203@ssi.gouv.fr> Message-ID: I vote for updated documentation for the new plugin. What James posted is how I would set it up, which would use pf_ring enabled libpcap. -- Michael Shirk Daemon Security, Inc. http://www.daemon-security.com On Feb 28, 2017 4:33 AM, "Jullian Remi" wrote: > > > >> On Feb 27, 2017, at 2:47 PM, Seth Hall wrote: > >> > >> > >>> On Feb 27, 2017, at 2:19 PM, Gary Faulkner > wrote: > >>> > >>> When you built Bro did you also configure/make/make install the pf_ring > >>> plugin? My recollection is that the plugins are not automatically built > >>> when you build bro. They should be in the > >>> /aux/plugins/ in the source tree. They typically > >>> install into /lib/bro/plugins/. > >> > >> Are there people out there that are using the pf_ring plugin to > successfully load balance traffic? I just checked the source to that > plugin and I don't see where it sets up a load balanced ring. (I haven't > worked on this plugin at all) > > > > I can see from this thread that a number of people think they are using > the plugin, but are not actually using it. > > > > interface = eth0 # pf_ring libpcap wrapper > > interface = pf_ring::eth0 # native bro pf_ring plugin > > > > > > Indeed, this is what I try to underline with this thread, I also believe > there is a glitch with the native PF_RING plugin. > > I think that the example pointed by James Lay is using PF_RING through > the libpcap, but NOT with the native plugin. 
It can be proved by > breaking within Source.cc:192, the PcapSource::ExtractNextPacket() and > the underlying pcap_next() function, should never be called, if the > plugin is properly used. > > I would suggest using a libpcap compiled without PF_RING support, to > avoid confusion. This is actually how I test the plugin.

From seth at icir.org Tue Feb 28 06:17:09 2017 From: seth at icir.org (Seth Hall) Date: Tue, 28 Feb 2017 09:17:09 -0500 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: References: Message-ID: <49A56BD5-77D0-4716-8D2B-2E9865F534D1@icir.org>

> On Feb 27, 2017, at 5:54 PM, fatema bannatwala wrote: > > When I configured and installed bro from source, I did: > $./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/5.6.2

Yep, you are using the libpcap wrapper here, which is currently the only way to do clustered load balancing with PF_Ring unless you do that tiny change that Mark pointed out a minute ago. To get that more tightly integrated and configurable with broctl would take a bit more work, but as a hack that tiny change would work.

You can tell in your node.cfg if you are using the libpcap wrapper or the plugin by the interface name. If you use an interface name like: pf_ring::eth1, then you are using the plugin and load balancing won't work. If you are just using an interface name like eth1 and lb_method=pf_ring, then you will be using the libpcap wrapper.

When the pf_ring developers contributed the pf_ring plugin, it seems that they didn't do full integration with the deployment method.
.Seth

-- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

From loris.leiva at gmail.com Tue Feb 28 06:48:52 2017 From: loris.leiva at gmail.com (Loris Leiva) Date: Tue, 28 Feb 2017 15:48:52 +0100 Subject: [Bro] SSH brute-force email notice Message-ID: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark>

Hello,

First of all, I am really grateful for Bro and its easy scripting. I have been using Bro in the context of my master thesis and had lots of fun using it. I am contacting you today as I have encountered a problem that none of my google researching skills could solve. Let me try and describe it clearly.

What I am trying to achieve: I am using the pcap file available at https://www.bro.org/static/traces/ssh.pcap to simulate a SSH::Password_Guessing notice using the command `broctl process`. My goal is simply to make Bro send me an email when such a notice is raised.

What is going wrong: Even though the notice is raised, I do not receive any emails.

Hypothesis to eliminate:
- First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email.
- I am also sure that the notice is being raised properly as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run.

What I have tried:
- redefining Notice::emailed_types
- redefining Notice::alarmed_types
- adding a Notice::policy hook containing `add n$actions[Notice::ACTION_EMAIL];`

I hope that my problem description helps. I am really struggling to understand this behaviour and cannot find similar problems online. Please do not hesitate to contact me should you need additional information.

Thank you in advance for your support,

Best regards,
Loris
From jazoff at illinois.edu Tue Feb 28 07:01:11 2017 From: jazoff at illinois.edu (Azoff, Justin S) Date: Tue, 28 Feb 2017 15:01:11 +0000 Subject: [Bro] SSH brute-force email notice In-Reply-To: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> Message-ID: <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu>

> On Feb 28, 2017, at 9:48 AM, Loris Leiva wrote: > What is going wrong: > Even though the notice is raised, I do not receive any emails. > > Hypothesis to eliminate: > - First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email. > - I am also sure that the notice is being raised properly as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run.

If your notice.log mentioned ACTION_EMAIL but you did not get an email then you need to look at the bro stderr log and the mail log (/var/log/mail or such) for your machine.

-- - Justin Azoff

From jlay at slave-tothe-box.net Tue Feb 28 07:08:27 2017 From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 28 Feb 2017 08:08:27 -0700 Subject: [Bro] SSH brute-force email notice In-Reply-To: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> Message-ID: <4757404c7c304f32ac7eaf49b59eb674@localhost>

On 2017-02-28 07:48, Loris Leiva wrote: > Hello, > > First of all, I am really grateful for Bro and its easy scripting. I > have been using Bro in the context of my master thesis and had lots of > fun using it. > > I am contacting you today as I have encountered a problem that none of > my google researching skills could solve. Let me try and describe it > clearly.
> > WHAT I AM TRYING TO ACHIEVE: > I am using the pcap file available at > https://www.bro.org/static/traces/ssh.pcap [1] to simulate a > SSH::Password_Guessing notice using the command `broctl process`. My > goal is simply to make Bro send me an email when such a notice is > raised. > > WHAT IS GOING WRONG: > Even though the notice is raised, I do not receive any emails. > > HYPOTHESIS TO ELIMINATE: > - First of all, my broctl.cfg file is configured correctly and, if I > raise a random notice in the `bro_init()` event, I successfully > receive the email. > - I am also sure that the notice is being raised properly as a > `notice.log` file gets generated with the relevant notice containing > the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside > the module that raises the notice to make sure that this part of the > code was run. > > WHAT I HAVE TRIED: > - redefining Notice::emailed_types > - redefining Notice::alarmed_types > - adding a Notice::policy hook containing `add > n$actions[Notice::ACTION_EMAIL];` > > I hope that my problem description helps. I am really struggling to > understand this behaviour and cannot find similar problems online. > > Please do not hesitate to contact me should you need additional > information. > > Thank you in advance for your support, > > Best regards, > Loris > > Links: > ------ > [1] https://www.bro.org/static/traces/ssh.pcap

There is sample code here: https://www.bro.org/sphinx/scripting/index.html#raising-notices But, I myself would love to see a full example...it's one of the things that often confuses me about bro; most of the time there's snippets of code in the documentation, but I struggle to find a full on setup...maybe I'm missing something.
If someone can post something step by step and what to add where I'll add it to my brofaq here: https://github.com/DigiAngel/brofaq James From mabuchan at gmail.com Tue Feb 28 07:10:13 2017 From: mabuchan at gmail.com (Mark Buchanan) Date: Tue, 28 Feb 2017 09:10:13 -0600 Subject: [Bro] Using native PF_RING plugin with broctl In-Reply-To: <49A56BD5-77D0-4716-8D2B-2E9865F534D1@icir.org> References: <49A56BD5-77D0-4716-8D2B-2E9865F534D1@icir.org> Message-ID: Sorry, Seth, I didn't send this to all and should have. Here was the email that Seth was referring to. I'll have to check later, but I was able to make the plugin work with some source mods, I think. I think I tested and was unable to get it to work natively using the broctl.conf changes that I sent to the list a few minutes ago. I know there was some glitch that didn't make it work out of the box, but I was able to modify the plugin and get it to work - just don't have that code where I am now. Ok - found the edits I made. Here are the diffs - however I have commented out the second (and most necessary piece of code): diff bro-2.5*/aux/plugins/pf_ring/src/PF_RING.cc 40a41,48 > char app_name[4] = "bro"; > > if ( pfring_set_application_name(pd, app_name) != 0 ) > { > Error(errno ? strerror(errno) : "unable to set app name"); > return; > } > 48a57,68 > /* Set default cluster type */ > /* u_int clusterId = 1; > cluster_type cluster_hash_type = cluster_per_flow_5_tuple; > > if ( pfring_set_cluster(pd, clusterId, cluster_hash_type) != 0 ) > { > Error(errno ? strerror(errno) : "unable to set cluster mode"); > pfring_close(pd); > pd = NULL; > return; > } > */ The issue related back to not having the cluster hash set and I believe it wouldn't fire. Additionally the first snippet of code sets the app name, so when you cat /proc/net/pf_ring/.* you get "bro" out of it. To note, I'm not a coder, so I'm happy I made it this far. 
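Review bot: in the first hunk (40a41,48) the failure path after pfring_set_application_name() calls Error() and returns with pd still open, whereas the second hunk's failure path does `pfring_close(pd); pd = NULL;` before returning; suggest the same cleanup here so a failed open does not leak the ring handle. The buffer itself is fine: `char app_name[4] = "bro";` leaves room for the terminator.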
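Review bot: in the second hunk (48a57,68) the entire cluster setup sits inside a `/* ... */` comment, so as posted the plugin still never calls pfring_set_cluster() and the all-workers-see-all-packets behaviour described earlier in the thread is unchanged; this is the block that needs to be live. It also hard-codes `u_int clusterId = 1;` and `cluster_type cluster_hash_type = cluster_per_flow_5_tuple;`, which would ignore whatever PFRINGClusterID and PFRINGClusterType broctl was given and would put every Bro worker on the host into ring 1; suggest taking both values from configuration rather than constants, and keeping the `pfring_close(pd); pd = NULL;` cleanup as written.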
There was some question if the cluster_type was necessary if you had the broctl.conf items in the file - but I can't remember the outcome of the test (but I believe the comment out I have of the cluster type was me testing it). Does that help? I know I was able to get the module to work, but I think I had to include the above items to make it work. Additionally, there was some glitch that omitted the PFRINGClusterID from the broctl.conf due to a FreeBSD bug that said if PF_RING isn't needed, don't put that in there.

Mark

On Tue, Feb 28, 2017 at 8:17 AM, Seth Hall wrote: > > > On Feb 27, 2017, at 5:54 PM, fatema bannatwala < > fatema.bannatwala at gmail.com> wrote: > > > > When I configured and installed bro from source, I did: > > $./configure --prefix=/usr/local/bro/2.5 --with-pcap=/usr/local/pfring/5.6.2 > > Yep, you are using the libpcap wrapper here, which is currently the only > way to do clustered load balancing with PF_Ring unless you do that tiny > change that Mark pointed out a minute ago. To get that more tightly > integrated and configurable with broctl would take a bit more work, but as > a hack that tiny change would work. > > You can tell in your node.cfg if you are using the libpcap wrapper or the > plugin by the interface name. If you use an interface name like: > pf_ring::eth1, then you are using the plugin and load balancing won't > work. If you are just using an interface name like eth1 and > lb_method=pf_ring, then you will be using the libpcap wrapper. > > When the pf_ring developers contributed the pf_ring plugin, it seems that > they didn't do full integration with the deployment method.
> > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/

-- Mark Buchanan

From loris.leiva at gmail.com Tue Feb 28 08:17:17 2017 From: loris.leiva at gmail.com (Loris Leiva) Date: Tue, 28 Feb 2017 17:17:17 +0100 Subject: [Bro] SSH brute-force email notice In-Reply-To: <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> Message-ID: <642b841f-b9ff-4583-9274-096402cb225c@Spark>

Thank you for your answer.

I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even on the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.

Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.

Any idea of what could be the problem?

Thanks again,
Loris

On 28 Feb 2017, 16:01 +0100, Azoff, Justin S , wrote: > > > On Feb 28, 2017, at 9:48 AM, Loris Leiva wrote: > > > What is going wrong: > > Even though the notice is raised, I do not receive any emails. > > > > Hypothesis to eliminate: > > - First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email. > > - I am also sure that the notice is being raised properly as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action.
I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run. > > If your notice.log mentioned ACTION_EMAIL but you did not get an email then you need to look at the bro stderr log and the mail log (/var/log/mail or such) for your machine. > > -- > - Justin Azoff

From jazoff at illinois.edu Tue Feb 28 08:24:37 2017 From: jazoff at illinois.edu (Azoff, Justin S) Date: Tue, 28 Feb 2017 16:24:37 +0000 Subject: [Bro] SSH brute-force email notice In-Reply-To: <642b841f-b9ff-4583-9274-096402cb225c@Spark> References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> Message-ID: <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu>

> On Feb 28, 2017, at 11:17 AM, Loris Leiva wrote: > > Thank you for your answer. > > I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even on the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.

Nothing gets logged at all? Not even to notice.log?

> > Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`. > > Any idea of what could be the problem?
>
> Thanks again,
> Loris

--
- Justin Azoff

From loris.leiva at gmail.com Tue Feb 28 08:25:59 2017
From: loris.leiva at gmail.com (Loris Leiva)
Date: Tue, 28 Feb 2017 17:25:59 +0100
Subject: [Bro] SSH brute-force email notice
In-Reply-To: <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu>
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu>
Message-ID: <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark>

Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.

On 28 Feb 2017, 17:24 +0100, Azoff, Justin S, wrote:
>
> > On Feb 28, 2017, at 11:17 AM, Loris Leiva wrote:
> >
> > Thank you for your answer.
> >
> > I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.
>
> Nothing gets logged at all? Not even to notice.log?
>
> >
> > Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.
> >
> > Any idea of what could be the problem?
> >
> > Thanks again,
> > Loris
>
> --
> - Justin Azoff
>
From loris.leiva at gmail.com Tue Feb 28 09:31:09 2017
From: loris.leiva at gmail.com (Loris Leiva)
Date: Tue, 28 Feb 2017 18:31:09 +0100
Subject: [Bro] SSH brute-force email notice
In-Reply-To: <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark>
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu> <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark>
Message-ID:

So I have done more tests and here are my findings.

First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.

- `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
- `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.

However, if I just start bro via broctl and let it run, I start receiving random notices via email regarding my laptop's connections. I haven't been able to reproduce an SSH brute-force attack but I assume it would work that way.

So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?

Thanks in advance for your help,
Loris

On 28 Feb 2017, 17:27 +0100, Loris Leiva, wrote:
> Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.
>
> On 28 Feb 2017, 17:24 +0100, Azoff, Justin S, wrote:
> >
> > > On Feb 28, 2017, at 11:17 AM, Loris Leiva wrote:
> > >
> > > Thank you for your answer.
> > >
> > > I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.
> >
> > Nothing gets logged at all? Not even to notice.log?
> >
> > >
> > > Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.
> > >
> > > Any idea of what could be the problem?
> > >
> > > Thanks again,
> > > Loris
> >
> > --
> > - Justin Azoff
> >

From espressobeanies at gmail.com Tue Feb 28 12:20:29 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Tue, 28 Feb 2017 15:20:29 -0500
Subject: [Bro] Issue with Bro reporting dropped packets
Message-ID:

Hi,

I'm trying to troubleshoot a Bro IDS that is experiencing capture loss with dropped packets. The machine I'm using has a 16-core Intel Xeon processor, 96Gb RAM, and an Intel NIC. I have 3 Bro workers with CPU affinity enabled and I'm using the pf_ring module on CentOS with no custom Bro scripts running. All of my processors are running at 99% utilization.

According to my operating system, I'm dropping about 8000 packets over the course of a day on a 300-400Mbps network. According to Bro capstats, I am dropping about the same number of packets I'm receiving, sometimes more than I receive. My capture_loss.log shows my workers lose about 30-50% of packets and my manager and proxy, 70-90%.

I can provide any configurations or screenshots if necessary. I'm trying to troubleshoot where the issue lies. I initially installed Bro with all the recommended packages (tcmalloc, etc...) and the pf_ring module and I can see that Bro is using it. At this point, everything I see is pointing to an application issue and I'm running Bro version 2.5. I had the same issue with Bro v.2.4 as well.
Short of tweaking OS kernel and NIC card settings, I'm not sure where else I could try to reduce my packet drop count in Bro. Any recommendations?

Thanks,

From al.kefallonitis at gmail.com Tue Feb 28 13:17:02 2017
From: al.kefallonitis at gmail.com (Alex Kefallonitis)
Date: Tue, 28 Feb 2017 23:17:02 +0200
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
Message-ID:

Hi all!

After successfully compiling pf_ring and enabling the module on an rpi 3 arm kernel:

pi at raspberrypi:~ $ modinfo pf_ring && cat /proc/net/pf_ring/info
filename:       /lib/modules/4.4.34-v7+/kernel/net/pf_ring/pf_ring.ko
alias:          net-pf-27
description:    Packet capture acceleration and analysis
author:         ntop.org
license:        GPL
srcversion:     159AD63EACFCF3EFC835D09
depends:
vermagic:       4.4.34-v7 SMP mod_unload modversions ARMv7
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           transparent_mode:(deprecated) (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version          : 6.4.1 (unknown)
Total rings              : 2

Standard (non ZC) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

I also compiled bro successfully with the pf_ring plugin.

But there is a problem... Although the rpi interface "sees" network traffic, as it is plugged into a network mirror bridge, and the pf_ring-compiled tcpdump output does full network packet capture:

pi at raspberrypi:~/bro-test $ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:68:1a:49
          inet addr:10.0.0.31  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::18a4:4736:aeb7:94b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:358436 (350.0 KiB)  TX bytes:166018 (162.1 KiB)

pi at raspberrypi:~/bro-test $ sudo /opt/pfring/sbin/tcpdump host not 10.0.0.31
[PF_RING] mmap() failed: try with a smaller snaplen
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:00:43.045119 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [.], seq 2264223995:2264225443, ack 4236626719, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 1448
21:00:43.045498 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [.], seq 1448:2896, ack 1, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 1448
21:00:43.045500 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [P.], seq 2896:4096, ack 1, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 1200
21:00:43.045502 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [.], seq 4096:5544, ack 1, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 1448
21:00:43.046343 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [.], seq 5544:6992, ack 1, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 1448
21:00:43.046344 IP 10.0.0.2.37630 > 10.0.0.3.9200: Flags [P.], seq 6992:7028, ack 1, win 1444, options [nop,nop,TS val 3506664 ecr 3496553], length 36
21:00:43.046346 IP 10.0.0.3.9200 > 10.0.0.2.37630: Flags [.], ack 7028, win 1024, options [nop,nop,TS val 3496778 ecr 3506664], length 0
^C
7 packets captured
10 packets received by filter
3 packets dropped by kernel

When I start bro with pf_ring, bro exports logs only for the rpi's own traffic, that is to say traffic from or to the 10.0.0.31 IP:

pi at raspberrypi:~/bro-test $ sudo /opt/bro/bin/bro -i pf_ring::eth0
listening on eth0

1488315827.676782 616 packets received on interface eth0, 0 dropped

pi at raspberrypi:~/bro-test $ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2017-02-28-21-03-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1488315814.841388 Cn0COF2Dl2RGFtlsak 10.8.0.2 60414 10.0.0.31 22 tcp - - - - OTH - - 0 ^c 0 0 0 0 (empty)
1488315826.472327 C0a8me4cjwn36bIpZ 10.8.0.2 60414 10.0.0.31 22 tcp - - - - OTH - - 0 ^c 0 0 0 0 (empty)
#close 2017-02-28-21-03-47

There are no errors and no capture_loss or dropped packets; although the base bro plugins are enabled, bro sees only limited events:

pi at raspberrypi:~/bro-test $ ls -la
total 28
drwxr-xr-x  3 pi   pi   4096 Feb 28 21:03 .
drwxr-xr-x 12 pi   pi   4096 Feb 28 20:55 ..
-rw-r--r--  1 root root  699 Feb 28 21:03 conn.log
-rw-r--r--  1 root root  253 Feb 28 21:03 packet_filter.log
-rw-r--r--  1 root root  362 Feb 28 21:03 reporter.log
drwx------  3 root root 4096 Feb 28 21:03 .state
-rw-r--r--  1 root root  428 Feb 28 21:03 weird.log

On the contrary, if on the same machine bro starts with the default libpcap, I get full network visibility and real traffic logs:

pi at raspberrypi:/opt/bro/logs/current $ ls
capture_loss.log  dce_rpc.log  dns.log    http.log      notice.log  stats.log   stdout.log  weird.log
conn.log          dhcp.log     files.log  kerberos.log  ssl.log     stderr.log  syslog.log  x509.log
pi at raspberrypi:/opt/bro/logs/current $
pi at raspberrypi:/opt/bro/logs/current $ tail -f conn.log
1488300721.714628 C0ZuNp3n1AAPFqOAP8 fe80::d436:4663:8865:8d25 546 ff02::1:2 547 udp - 62.994834 784 0 S0 F F 0 D 7 1120 0 0 (empty)
1488300873.355133 C4qmHe463s94Z4dwq1 10.0.0.3 43772 10.0.0.1 53 udp dns 0.000407 30 105 SF T T 0 Dd 1 58 1 133 (empty)
1488300873.353585 CHKByP1XMjBTSqRJ7e 10.0.0.3 55014 10.0.0.1 53 udp dns 0.000434 44 107 SF T T 0 Dd 1 72 1 135 (empty)
1488300882.759725 CnoqlW2FFjY3LX3q2 10.0.0.6 49704 10.0.0.5 445 tcp - 14.935617 3786 1209 RSTO T T 0 ShADdaR 13 4318 9 1581 (empty)
1488300864.039916 CwI2Fng0jsi2ODWl9 10.0.0.31 123 193.93.167.241 123 udp - 0.020522 0 48 SHR T F 0 Cd 0 0 1 76 (empty)
1488300874.039921 CN6xHJ2fqNoOloNr4e 10.0.0.31 123 194.116.168.41 123 udp - 0.029709 0 48 SHR T F 0 Cd 0 0 1 76 (empty)
1488300933.675398 Cd7Bql2wn5TNLWBTMg 10.0.0.3 47206 10.0.0.1 53 udp dns 0.000539 30 105 SF T T 0 Dd 1 58 1 133 (empty)
1488300933.674395 CHSnQs2YEeLjiqxOe3 10.0.0.3 55965 10.0.0.1 53 udp dns 0.000245 44 107 SF T T 0 Dd 1 72 1 135 (empty)
1488300889.039915 CALlew1poCyja9ha2l 10.0.0.31 123 91.217.155.60 123 udp - 0.021564 0 48 SHR T F 0 Cd 0 0 1 76 (empty)

So any ideas what's going on?

I couldn't find any reference to something similar really, and I have been searching, reading and compiling for 2 weeks :) Bro is a great tool and, combined with rpi and pf_ring, very flexible and powerful in cluster mode. So any help would be highly appreciated to help me with this project.

Thanks in advance

From jazoff at illinois.edu Tue Feb 28 13:23:24 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 28 Feb 2017 21:23:24 +0000
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
In-Reply-To:
References:
Message-ID: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>

> On Feb 28, 2017, at 4:17 PM, Alex Kefallonitis wrote:
>
> There are no errors and no capture_loss or dropped packets; although the base bro plugins are enabled, bro sees only limited events:
>
> pi at raspberrypi:~/bro-test $ ls -la
> total 28
> drwxr-xr-x  3 pi   pi   4096 Feb 28 21:03 .
> drwxr-xr-x 12 pi   pi   4096 Feb 28 20:55 ..
> -rw-r--r--  1 root root  699 Feb 28 21:03 conn.log
> -rw-r--r--  1 root root  253 Feb 28 21:03 packet_filter.log
> -rw-r--r--  1 root root  362 Feb 28 21:03 reporter.log

The reporter.log contains errors.. what does it have in it?

--
- Justin Azoff

From al.kefallonitis at gmail.com Tue Feb 28 13:37:08 2017
From: al.kefallonitis at gmail.com (Alex Kefallonitis)
Date: Tue, 28 Feb 2017 23:37:08 +0200
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
In-Reply-To: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>
References: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>
Message-ID:

pi at raspberrypi:~/bro-test $ cat reporter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2017-02-28-21-09-35
#fields ts level message location
#types time enum string string
1488316175.157715 Reporter::INFO received termination signal (empty)
1488316175.157715 Reporter::INFO 674 packets received on interface eth0, 0 dropped (empty)
#close 2017-02-28-21-09-35

2017-02-28 23:23 GMT+02:00 Azoff, Justin S:
>
> > On Feb 28, 2017, at 4:17 PM, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
> >
> > There are no errors and no capture_loss or dropped packets; although the base bro plugins are enabled, bro sees only limited events:
> >
> > pi at raspberrypi:~/bro-test $ ls -la
> > total 28
> > drwxr-xr-x  3 pi   pi   4096 Feb 28 21:03 .
> > drwxr-xr-x 12 pi   pi   4096 Feb 28 20:55 ..
> > -rw-r--r--  1 root root  699 Feb 28 21:03 conn.log
> > -rw-r--r--  1 root root  253 Feb 28 21:03 packet_filter.log
> > -rw-r--r--  1 root root  362 Feb 28 21:03 reporter.log
>
> The reporter.log contains errors.. what does it have in it?
>
> --
> - Justin Azoff
>
From jazoff at illinois.edu Tue Feb 28 13:48:37 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Tue, 28 Feb 2017 21:48:37 +0000
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
In-Reply-To:
References: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>
Message-ID:

> On Feb 28, 2017, at 4:37 PM, Alex Kefallonitis wrote:
>
> pi at raspberrypi:~/bro-test $ cat reporter.log
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path reporter
> #open 2017-02-28-21-09-35
> #fields ts level message location
> #types time enum string string
> 1488316175.157715 Reporter::INFO received termination signal (empty)
> 1488316175.157715 Reporter::INFO 674 packets received on interface eth0, 0 dropped (empty)
> #close 2017-02-28-21-09-35
>

ah, well that's not so bad.

The entries that you pasted from your conn.log before only had "^c" for history, which is

    ## ^    connection direction was flipped by Bro's heuristic
    ## c    packet with a bad checksum

have you tried bro using the libpcap that comes with pf_ring?

--
- Justin Azoff

From al.kefallonitis at gmail.com Tue Feb 28 13:55:54 2017
From: al.kefallonitis at gmail.com (Alex Kefallonitis)
Date: Tue, 28 Feb 2017 23:55:54 +0200
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
In-Reply-To:
References: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>
Message-ID:

No, I haven't. How do I enable it? Just compile bro with pcap=/opt/pfring/lib/libpcap.so? It would be faster than standard libpcap but not as fast as pf_ring?

The bad checksum stuff is weird, but I also tried with the -C option with no difference... anyway the whole problem seems pretty unusual.

2017-02-28 23:48 GMT+02:00 Azoff, Justin S:
>
> > On Feb 28, 2017, at 4:37 PM, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
> >
> > pi at raspberrypi:~/bro-test $ cat reporter.log
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path reporter
> > #open 2017-02-28-21-09-35
> > #fields ts level message location
> > #types time enum string string
> > 1488316175.157715 Reporter::INFO received termination signal (empty)
> > 1488316175.157715 Reporter::INFO 674 packets received on interface eth0, 0 dropped (empty)
> > #close 2017-02-28-21-09-35
> >
>
> ah, well that's not so bad.
>
> The entries that you pasted from your conn.log before only had "^c" for history, which is
>
>     ## ^    connection direction was flipped by Bro's heuristic
>     ## c    packet with a bad checksum
>
> have you tried bro using the libpcap that comes with pf_ring?
>
> --
> - Justin Azoff
>

From seth at icir.org Tue Feb 28 14:03:16 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 28 Feb 2017 17:03:16 -0500
Subject: [Bro] SSH brute-force email notice
In-Reply-To:
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu> <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark>
Message-ID: <41B13F3A-7D6C-4FEF-A1C8-1B9829506217@icir.org>

Email sending is automatically disabled if you are reading from a PCAP. It only works when live traffic is being read. I believe this was originally intended to avoid people hammering themselves with email on accident when analyzing a PCAP.

.Seth

> On Feb 28, 2017, at 12:31 PM, Loris Leiva wrote:
>
> So I have done more tests and here are my findings.
>
> First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.
>
> - `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
> - `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.
>
> However, if I just start bro via broctl and let it run, I start receiving random notices via email regarding my laptop's connections. I haven't been able to reproduce an SSH brute-force attack but I assume it would work that way.
>
> So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?
>
> Thanks in advance for your help,
> Loris
>
>
>
> On 28 Feb 2017, 17:27 +0100, Loris Leiva, wrote:
>> Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.
>>
>> On 28 Feb 2017, 17:24 +0100, Azoff, Justin S, wrote:
>>>
>>>> On Feb 28, 2017, at 11:17 AM, Loris Leiva wrote:
>>>>
>>>> Thank you for your answer.
>>>>
>>>> I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.
>>>
>>> Nothing gets logged at all? Not even to notice.log?
>>>
>>>>
>>>> Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.
>>>>
>>>> Any idea of what could be the problem?
>>>>
>>>> Thanks again,
>>>> Loris
>>>
>>> --
>>> - Justin Azoff
>>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From loris.leiva at gmail.com Tue Feb 28 14:05:19 2017
From: loris.leiva at gmail.com (Loris Leiva)
Date: Tue, 28 Feb 2017 23:05:19 +0100
Subject: [Bro] SSH brute-force email notice
In-Reply-To: <41B13F3A-7D6C-4FEF-A1C8-1B9829506217@icir.org>
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu> <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark> <41B13F3A-7D6C-4FEF-A1C8-1B9829506217@icir.org>
Message-ID: <405520ac-0201-4203-907c-a791fb57026d@Spark>

Oh thank you so much, it all makes sense now.

Do you know if there is a way for me to enable this feature with PCAP or an alternative? I would like to simulate a scenario using a big PCAP file for a presentation and it would be great if it could generate emails.

On 28 Feb 2017, 23:03 +0100, Seth Hall, wrote:
> Email sending is automatically disabled if you are reading from a PCAP. It only works when live traffic is being read. I believe this was originally intended to avoid people hammering themselves with email on accident when analyzing a PCAP.
>
> .Seth
>
> > On Feb 28, 2017, at 12:31 PM, Loris Leiva wrote:
> >
> > So I have done more tests and here are my findings.
> >
> > First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.
> >
> > - `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
> > - `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.
> >
> > However, if I just start bro via broctl and let it run, I start receiving random notices via email regarding my laptop's connections. I haven't been able to reproduce an SSH brute-force attack but I assume it would work that way.
> >
> > So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?
> >
> > Thanks in advance for your help,
> > Loris
> >
> >
> >
> > On 28 Feb 2017, 17:27 +0100, Loris Leiva, wrote:
> > > Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.
> > >
> > > On 28 Feb 2017, 17:24 +0100, Azoff, Justin S, wrote:
> > > >
> > > > > On Feb 28, 2017, at 11:17 AM, Loris Leiva wrote:
> > > > >
> > > > > Thank you for your answer.
> > > > >
> > > > > I have checked the logs during my scenario and when the email doesn't send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.
> > > >
> > > > Nothing gets logged at all? Not even to notice.log?
> > > >
> > > > >
> > > > > Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.
> > > > >
> > > > > Any idea of what could be the problem?
> > > > >
> > > > > Thanks again,
> > > > > Loris
> > > >
> > > > --
> > > > - Justin Azoff
> > > >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From al.kefallonitis at gmail.com Tue Feb 28 14:13:06 2017
From: al.kefallonitis at gmail.com (Alex Kefallonitis)
Date: Wed, 1 Mar 2017 00:13:06 +0200
Subject: [Bro] Bro + pf_ring on a rasberry pi 3
In-Reply-To:
References: <44531C49-D4E2-4B3B-AB09-DA88B47DDD90@illinois.edu>
Message-ID:

The problem is that the rpi has a 100Mbps network card and I want to use cluster mode and pf_ring, and, without knowing much, it seems the best option for real-time monitoring on a production network.

2017-02-28 23:48 GMT+02:00 Azoff, Justin S:
>
> > On Feb 28, 2017, at 4:37 PM, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
> >
> > pi at raspberrypi:~/bro-test $ cat reporter.log
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path reporter
> > #open 2017-02-28-21-09-35
> > #fields ts level message location
> > #types time enum string string
> > 1488316175.157715 Reporter::INFO received termination signal (empty)
> > 1488316175.157715 Reporter::INFO 674 packets received on interface eth0, 0 dropped (empty)
> > #close 2017-02-28-21-09-35
> >
>
> ah, well that's not so bad.
>
> The entries that you pasted from your conn.log before only had "^c" for history, which is
>
>     ## ^    connection direction was flipped by Bro's heuristic
>     ## c    packet with a bad checksum
>
> have you tried bro using the libpcap that comes with pf_ring?
>
> --
> - Justin Azoff
>

From seth at icir.org Tue Feb 28 14:20:53 2017
From: seth at icir.org (Seth Hall)
Date: Tue, 28 Feb 2017 17:20:53 -0500
Subject: [Bro] SSH brute-force email notice
In-Reply-To: <405520ac-0201-4203-907c-a791fb57026d@Spark>
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu> <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark> <41B13F3A-7D6C-4FEF-A1C8-1B9829506217@icir.org> <405520ac-0201-4203-907c-a791fb57026d@Spark>
Message-ID: <3BD558A1-DA18-4715-99A7-F7752D94DAD6@icir.org>

> On Feb 28, 2017, at 5:05 PM, Loris Leiva wrote:
>
> Do you know if there is a way for me to enable this feature with PCAP or an alternative? I would like to simulate a scenario using a big PCAP file for a presentation and it would be great if it could generate emails.

If you don't mind modifying scripts, you can find the line here:
https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro#L338

If you get rid of that if statement it will work.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From loris.leiva at gmail.com Tue Feb 28 14:22:48 2017
From: loris.leiva at gmail.com (Loris Leiva)
Date: Tue, 28 Feb 2017 23:22:48 +0100
Subject: [Bro] SSH brute-force email notice
In-Reply-To: <3BD558A1-DA18-4715-99A7-F7752D94DAD6@icir.org>
References: <4b0d7b09-5230-4b67-b965-d1a7cf566313@Spark> <3F857EE9-2C08-4ABE-8242-4615AD924BF1@illinois.edu> <642b841f-b9ff-4583-9274-096402cb225c@Spark> <404DA38B-407D-4C26-AE15-4D120D89075E@illinois.edu> <6f8abe5b-9417-46bb-8b5a-39249755a6db@Spark> <41B13F3A-7D6C-4FEF-A1C8-1B9829506217@icir.org> <405520ac-0201-4203-907c-a791fb57026d@Spark> <3BD558A1-DA18-4715-99A7-F7752D94DAD6@icir.org>
Message-ID: <5cb34677-6fae-400f-9038-4f184e6204ac@Spark>

That's perfect! Thanks again for your help.

Loris

On 28 Feb 2017, 23:20 +0100, Seth Hall, wrote:
>
> > On Feb 28, 2017, at 5:05 PM, Loris Leiva wrote:
> >
> > Do you know if there is a way for me to enable this feature with PCAP or an alternative? I would like to simulate a scenario using a big PCAP file for a presentation and it would be great if it could generate emails.
>
> If you don't mind modifying scripts, you can find the line here:
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro#L338
>
> If you get rid of that if statement it will work.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
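Editor's added example, not code from the thread: the Notice::policy hook Loris describes, narrowed so that only the SSH brute-force notice (SSH::Password_Guessing, raised by the stock protocols/ssh/detect-bruteforcing script) gets Notice::ACTION_EMAIL added, instead of mailing every notice. The destination address is a placeholder to replace with your own; Notice::mail_dest and the hook form are standard Bro 2.5 framework names, and, as Seth states above, the email action is suppressed when bro reads from a pcap with -r, so the hook only produces mail on a live interface (the notice.log entry still shows ACTION_EMAIL either way, which is a convenient way to test the hook offline).

```bro
# Editor's example script (not part of the thread). Load it from local.bro
# or pass it on the bro command line alongside "local".
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

# Placeholder recipient; must be set or the email action is silently dropped.
redef Notice::mail_dest = "soc@example.invalid";

hook Notice::policy(n: Notice::Info)
    {
    # Only the SSH password-guessing notice is mailed; every other notice
    # keeps whatever actions it already has (by default just ACTION_LOG).
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

To confirm the hook fires, check notice.log for a line whose note is SSH::Password_Guessing and whose actions column contains Notice::ACTION_EMAIL; if that line is present under a live broctl run but no mail arrives, the remaining suspects are the ones Justin lists above (bro's stderr log and the host's mail log).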