[Bro] Bro Digest, Vol 129, Issue 19

John Edwards jedwards2728 at gmail.com
Wed Jan 11 18:14:54 PST 2017


Bingo! Got it, thanks James.

On Thu, Jan 12, 2017 at 12:05 PM, <bro-request at bro.org> wrote:

> Send Bro mailing list submissions to
>         bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>         bro-request at bro.org
>
> You can reach the person managing the list at
>         bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Downgrade Bro from 2.5 to 2.4 (John Edwards)
>    2. Re: Writing logs to both ACII and JSON (Azoff, Justin S)
>    3. Re: Downgrade Bro from 2.5 to 2.4 (James Lay)
>    4. Re: Writing logs to both ACII and JSON (Jan Grashöfer)
>    5. Re: Segmentation fault while using own signature.
>       (Slagell, Adam J)
>    6. Core affinity on AMD Opteron 6276 (Ralph Holz)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 12 Jan 2017 10:10:44 +1100
> From: John Edwards <jedwards2728 at gmail.com>
> Subject: [Bro] Downgrade Bro from 2.5 to 2.4
> To: bro at bro.org
> Message-ID:
>         <CAAcg0e+8Je4h2mhgKnXd-t6jn+73DnQFgXVjJV=ULRK8oGyg9g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> Can someone point me to an Ubuntu .deb 2.4 Bro package? I have upgraded our
> production sensor and it has broken the Splunk TA for Bro, and the HTTP log isn't
> ingesting anymore. The quickest way is to downgrade back to 2.4. Anyone know
> where I can find it? It seems everywhere I have looked the repos have the 2.5
> copy only.
>
> Cheers,
> John
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170112/5c605324/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Wed, 11 Jan 2017 23:12:54 +0000
> From: "Azoff, Justin S" <jazoff at illinois.edu>
> Subject: Re: [Bro] Writing logs to both ACII and JSON
> To: James Gordon <gordonjamesr at gmail.com>
> Cc: "bro at bro-ids.org" <bro at bro-ids.org>
> Message-ID: <FC051DA8-0AA7-4ACB-B560-0D035E74FB2B at illinois.edu>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> > When I run bro against a pcap, I get the following error:
> > "expression error in /opt/bro/share/bro/test/./add-json.bro, line 34:
> field value missing [Log::filter$path]"
> >
> > It looks like that line refers back to the json path. I have the json
> path defined as: const path_json = "/nsm/bro/logs/json/" &redef; - is this
> the correct way to define the log path?
> >
>
> No.. as the error message says there is a problem with filter$path being
> missing, not path_json.
>
> > This script is exactly the functionality I need, I just can't seem to
> get it working correctly. I don't begin to understand why I get different
> results every time I run the same pcap through Bro.
>
> Because the script does this:
>
>         for ( id in Log::active_streams )
>                 {
>                 if ( (enable_all_json || (id in include_json)) && (id !in exclude_json) )
>                         {
>                         local filter = Log::get_filter(id, "default");
>                         filter$name = string_cat(filter$name, "_json");
>                         filter$path = string_cat(path_json, filter$path, "-json");
>                         filter$config = config_json;
>                         filter$interv = interv_json;
>                         Log::add_filter(id, filter);
>                         }
>                 }
>
> and Log::active_streams is a hash table populated at startup and the
> iteration order is random:
>
> $ cat b.bro ;echo one:;bro b.bro |head; echo two:; bro b.bro |head
> event bro_init() {
>     for ( id in Log::active_streams )
>         print id;
> }
> one:
> Weird::LOG
> PacketFilter::LOG
> Conn::LOG
> NetControl::SHUNT
> DNS::LOG
> FTP::LOG
> SIP::LOG
> SNMP::LOG
> Syslog::LOG
> DPD::LOG
> two:
> DPD::LOG
> Software::LOG
> IRC::LOG
> RFB::LOG
> SSL::LOG
> KRB::LOG
> SOCKS::LOG
> Syslog::LOG
> Log::UNKNOWN
> DHCP::LOG
>
>
> It's failing on one of your log files because filter$path is not set. Once
> that happens the event aborts and everything after that does not get json
> added.
>
> The loop needs to check filter?$path before trying to use it.
>
> You also probably have something broken (or at least weird) in your
> configuration because this error does not occur on a stock 2.5 config, so
> it's probably useful to figure out which of your logs has no path for some
> reason.
>
>
> --
> - Justin Azoff
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 11 Jan 2017 16:14:09 -0700
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] Downgrade Bro from 2.5 to 2.4
> To: bro at bro.org
> Message-ID: <35e5d291e0cc4fb22c469804ae214aa2 at localhost>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 2017-01-11 16:10, John Edwards wrote:
> > Hi,
> >
> > Can someone point me to an Ubuntu .deb 2.4 Bro package? I have
> > upgraded our production sensor and it has broken the Splunk TA for Bro,
> > and the HTTP log isn't ingesting anymore. The quickest way is to downgrade
> > back to 2.4. Anyone know where I can find it? It seems everywhere I have
> > looked the repos have the 2.5 copy only.
> >
> > Cheers,
> > John
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Might still be in your apt cache at:  /var/cache/apt/archives/
>
> James
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 12 Jan 2017 00:22:08 +0100
> From: Jan Grashöfer <jan.grashoefer at gmail.com>
> Subject: Re: [Bro] Writing logs to both ACII and JSON
> To: James Gordon <gordonjamesr at gmail.com>, bro at bro-ids.org
> Message-ID: <4835d2a1-cdf0-7997-28dc-3c7c07ab9e73 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> > When I run bro against a pcap, I get the following error:
> > "expression error in /opt/bro/share/bro/test/./add-json.bro, line 34:
> > field value missing [Log::filter$path]"
>
> I've just tested the script using 2.4.1 and 2.5 on try.bro.org
> (http://try.bro.org/#/trybro/saved/115989) and locally using 2.5 with a
> different path for JSON logs. Unfortunately I am unable to reproduce
> this error.
>
> Maybe we can shed some light on this if we know which log doesn't
> provide a path. Can you try to replace line 34 with:
>
> if ( filter?$path )
>     filter$path = string_cat(path_json, filter$path, "-json");
> else
>     Reporter::error(fmt("Path missing for %s", id));
>
> That should provide some hint on which logs don't define a filter path.
> If you can share your test pcap, that might be of interest, too. One
> thing I could imagine would be some kind of timing issue. Maybe playing
> with the events' &priority has an influence on your results.
>
> Jan
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 12 Jan 2017 00:16:17 +0000
> From: "Slagell, Adam J" <slagell at illinois.edu>
> Subject: Re: [Bro] Segmentation fault while using own signature.
> To: fatema bannatwala <fatema.bannatwala at gmail.com>
> Cc: "bro at bro.org" <bro at bro.org>
> Message-ID: <6773E4E7-E864-46CF-8E40-B107F3161EEB at illinois.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> Not sure; it deserves a response and a ticket if no one has done that.
>
> > On Jan 3, 2017, at 4:12 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Hi all,
> >
> > So I have a case where if I use the following regex in a sig file, it works,
> > but when I edit it and make it more strict I get a segmentation fault in like
> > 5 minutes after bro gets normally started:
> >
> > The working version:
> >
> > signature rootkit-potential {
> >   payload /.*[0-9\.]{7,15}\|[0-9]{1,5}.*/
> >   event "Potential rootkit"
> >   tcp-state originator
> > }
> >
> > signature rootkit-malware {
> >   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.[0-9\.]{7,15}\|\d{1,5}.*/
> >   event "rootkit malware"
> >   tcp-state originator
> > }
> >
> > When I change regex to be more restrictive, Seg fault occurs:
> >
> > signature rootkit-potential {
> >   payload /.*(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> >   event "Potential rootkit"
> >   tcp-state originator
> > }
> >
> > signature rootkit-malware {
> >   payload /.*SSH-2\.5-OpenSSH_6\.1\.9.(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\d{1,5}).*/
> >   event "rootkit malware"
> >   tcp-state originator
> > }
> >
> > Any idea what might be going wrong?
> >
> > Thanks,
> > Fatema.
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 12 Jan 2017 01:04:53 +0000
> From: Ralph Holz <ralph.holz.tech at gmail.com>
> Subject: [Bro] Core affinity on AMD Opteron 6276
> To: bro at bro.org
> Message-ID:
>         <CAC0zAuUuaHDHBnM+3LAUrHyOw-NufR-+SVrmea7kYZ+vWcDbFg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi everyone,
>
> I've been told this is the right place to share experience and maybe a
> script for our Opteron setup, and get feedback if this is the right thing
> to do.
>
> We're trialling Bro on an AMD Opteron 6276 in our campus network and did
> not find much useful information on the net on how to configure this
> particular setup. It's running fine now and we're waiting for students to
> return to uni so we can test under a higher load (they need to watch some
> videos...).
>
> Anyway, the 6276 is a strange machine in that AMD markets it as a 64-core
> machine - 4 sockets, 16 cores each. However, cores are paired within one
> socket, and each pair shares resources and data lines: CPU freq regulation,
> FPU, L2+L3, and instruction fetch and decode circuitry (!). This makes it
> quite unusual - under Linux, you will find that different methods to count
> the cores give you a different number, sometimes 32, sometimes 64.
>
> For our experiments, we chose to use /proc/cpuinfo to determine which cores
> are pairs - they should share "physical ID" and "core ID". The attached
> hacky script generates a node_cluster.cfg that places 32 workers on 32
> cores that should not be paired (logger, manager, proxy are going to sit on
> another host).
>
> As far as I can tell, we are not experiencing packet loss at all with the
> out-of-the-box scripts loaded, but we're at just 2Gbit load atm, and come
> the new semester we'll know more. The moment I add another core, I have one
> worker that is experiencing loss, so I am guessing this is the upper limit.
>
> I'd be happy to receive feedback if this is a reasonable setup and the
> right thing to do.
>
> Ralph
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170112/1751bbe9/attachment.html
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: create_config_from_file.py
> Type: text/x-python-script
> Size: 1392 bytes
> Desc: not available
> Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170112/1751bbe9/attachment.bin
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 129, Issue 19
> ************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170112/031ad3e8/attachment-0001.html 
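Ralph's message (message 6 in the digest above) describes picking one CPU out of each paired Opteron module by matching "physical id" and "core id" in /proc/cpuinfo and generating a BroControl node.cfg from the result; his attached create_config_from_file.py was scrubbed from the archive. The script below is an added example written for this page, not Ralph's script and not part of the Bro project. It parses a constructed /proc/cpuinfo excerpt (eight logical processors, two per module, invented for the example), keeps the lowest-numbered processor of each (physical id, core id) pair, and renders a worker section using the node.cfg keys type, host, interface, lb_procs and pin_cpus; the host and interface values are placeholders, and the example generalises to any number of sockets and any pair size rather than only the 6276 layout.

```python
"""
Choose one logical CPU per shared-module pair from /proc/cpuinfo and
emit a BroControl node.cfg worker block pinned to those CPUs.

Added example for the digest thread; not the original poster's script.
"""
import re

# Constructed sample of /proc/cpuinfo on a part whose integer cores pair up
# inside a module: eight logical processors, two per (physical id, core id).
# Invented for this example, not captured from real hardware.
SAMPLE_CPUINFO = """\
processor\t: 0
physical id\t: 0
core id\t: 0
cpu cores\t: 2

processor\t: 1
physical id\t: 0
core id\t: 0
cpu cores\t: 2

processor\t: 2
physical id\t: 0
core id\t: 1
cpu cores\t: 2

processor\t: 3
physical id\t: 0
core id\t: 1
cpu cores\t: 2

processor\t: 4
physical id\t: 1
core id\t: 0
cpu cores\t: 2

processor\t: 5
physical id\t: 1
core id\t: 0
cpu cores\t: 2

processor\t: 6
physical id\t: 1
core id\t: 1
cpu cores\t: 2

processor\t: 7
physical id\t: 1
core id\t: 1
cpu cores\t: 2
"""

# Only the three fields the pairing decision depends on; everything else in
# /proc/cpuinfo (flags, cache size, "cpu cores", ...) is ignored.
FIELD_RE = re.compile(r"^(processor|physical id|core id)\s*:\s*(\d+)$", re.M)


def parse_cpuinfo(text):
    """Return [(processor, physical_id, core_id), ...], one tuple per
    'processor' stanza. Stanzas in /proc/cpuinfo are separated by a blank
    line; stanzas without a 'processor' line are skipped."""
    cpus = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(stanza))
        if "processor" not in fields:
            continue
        cpus.append((int(fields["processor"]),
                     int(fields.get("physical id", 0)),
                     int(fields.get("core id", 0))))
    return cpus


def unpaired_cpus(cpus):
    """Keep the lowest-numbered processor for each (physical id, core id),
    so no two selected processors share a module's FPU, L2 and decoder."""
    chosen = {}
    for proc, phys, core in sorted(cpus):
        chosen.setdefault((phys, core), proc)
    return sorted(chosen.values())


def render_node_cfg(pins, host, interface, name="worker-1"):
    """Render one load-balanced worker section for BroControl's node.cfg,
    one process per pinned CPU (assumed key names: lb_procs, pin_cpus)."""
    lines = [
        f"[{name}]",
        "type=worker",
        f"host={host}",
        f"interface={interface}",
        f"lb_procs={len(pins)}",
        "pin_cpus=" + ",".join(str(p) for p in pins),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Replace SAMPLE_CPUINFO with open("/proc/cpuinfo").read() on a real host.
    selected = unpaired_cpus(parse_cpuinfo(SAMPLE_CPUINFO))
    print(render_node_cfg(selected, "10.0.0.2", "eth0"))  # placeholder host/interface
```

On a real sensor, feed the contents of /proc/cpuinfo to parse_cpuinfo instead of the sample; the selection logic is the same, and a cross-check worth doing is that len(unpaired_cpus(...)) equals the "cpu cores" count summed over sockets, which is the smaller of the two core counts Ralph mentions.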

