From fatema.bannatwala at gmail.com Mon May 1 12:24:13 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Mon, 1 May 2017 15:24:13 -0400
Subject: [Bro] files.log

Not sure what you would like to log extra in files.log, but files.log already has a conn_uids field as well as src and dest IPs. conn_id is a four-tuple, and the only things missing in files.log with regard to conn$id are the ports (orig_p and resp_p); other than these two fields, files.log has pretty much everything you might be interested in.

Or, I might have misunderstood the question. :)

-Fatema.

On Sun, Apr 30, 2017 at 1:36 PM, ps sunu wrote:
> Hi,
> With this method, can we add id into files.log?
>
> redef record Files::Info += {
>     # tx_cc: string &log &optional;
>     # rx_cc: string &log &optional;
>
>     # tx_asn: count &log &optional;
>     # rx_asn: count &log &optional;
>     id: conn_id &log &optional;
> };
>
> # Handle the built-in event Bro raises when a file is seen over a
> # connection (a custom event that nothing generates would never fire).
> # Low priority so the Files framework has set up f$info first.
> event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-10
>     {
>     if ( ! f?$info )
>         return;
>
>     # conn_id is a record, so the logger writes it as id.orig_h,
>     # id.orig_p, id.resp_h and id.resp_p columns.
>     f$info$id = c$id;
>     }
>
> event bro_done()
>     {
>     print "bro_done()";
>     }
>
> Regards,
> Sunub

From anirudhbiyani at gmail.com Mon May 1 13:31:24 2017
From: anirudhbiyani at gmail.com (Aniruddha Biyani)
Date: Tue, 2 May 2017 02:01:24 +0530
Subject: [Bro] Learning Resources

Hi Everyone,

Just wanted to know if there are any good resources to learn Bro other than the documentation, like a book or videos?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170502/410a527d/attachment.html

From jdopheid at illinois.edu Tue May 2 06:58:18 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Tue, 2 May 2017 13:58:18 +0000
Subject: [Bro] Learning Resources
Message-ID: <318C871A-3092-4551-870C-B0DFE3DEBB38@illinois.edu>

We have community resources posted here: https://www.bro.org/community/index.html

It includes links to videos, and the Teaching and Training section has links to slideshows.

------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From: on behalf of Aniruddha Biyani
Date: Monday, May 1, 2017 at 3:31 PM
To: "bro at bro.org"
Subject: [Bro] Learning Resources

Hi Everyone,

Just wanted to know if there are any good resources to learn Bro other than the documentation, like a book or videos?

From garg.anant at gmail.com Tue May 2 11:46:05 2017
From: garg.anant at gmail.com (anant garg)
Date: Tue, 2 May 2017 11:46:05 -0700
Subject: [Bro] Bro for embedded use?

Hi Jordi,

I am trying to run Bro on the Octeon 2 (from Cavium) network processor with 32 cores. I saw your post that you were able to run it on this processor. I am having some challenges compiling it for Simple Executive. Can you help provide some insight on how to compile it for Simple Executive, and how are your memory and throughput numbers looking?

My assumption is that since Bro is monolithic and has a lot of dependencies, it would result in a large memory footprint and may not be able to achieve even ~1 Gbps.
-Anant

From dave.a.florek at gmail.com Tue May 2 13:36:26 2017
From: dave.a.florek at gmail.com (Dave Florek)
Date: Tue, 2 May 2017 16:36:26 -0400
Subject: [Bro] Intel alerts not showing up in the notice log

Good afternoon,

Was there a resolution to this thread? I'm having the same issue on a default build and I'm not sure where to start.

http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html

Thanks,

From slagell at illinois.edu Tue May 2 13:53:30 2017
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 2 May 2017 20:53:30 +0000
Subject: [Bro] The Bro Project is looking for developers

The Bro Project is looking for an exceptional engineer to join our core team of Bro developers. If you are interested in helping us advance Bro, please consider applying!

We are looking for candidates who have demonstrated experience leading projects, excellent programming skills in C/C++ and Python, are comfortable at the Unix command line, and have solid knowledge of network technology. It is a plus if you have implemented network protocols before, been involved with large open-source projects, developed for distributed systems, or have a background in security operations.

This is a full-time position with NCSA's CyberSecurity and Networking Directorate in Urbana, IL. If you are interested, please send your application to info at bro.org (TXT or PDF format only please). Make sure to mention any relevant projects that you have worked on in the past, including your particular role.

------
Adam J.
Slagell
Director, Cybersecurity & Networking Division
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From dopheide at gmail.com Tue May 2 14:06:37 2017
From: dopheide at gmail.com (Mike Dopheide)
Date: Tue, 2 May 2017 16:06:37 -0500
Subject: [Bro] Intel alerts not showing up in the notice log

I haven't read the whole thread, but you may need:

    @load policy/frameworks/intel/do_notice

as well as having "meta.do_notice" set to T in your .dat files.

-Dop

On Tue, May 2, 2017 at 3:36 PM, Dave Florek wrote:
> Good afternoon,
>
> Was there a resolution to this thread? I'm having the same issue on a
> default build and I'm not sure where to start.
>
> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html
>
> Thanks,
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From pssunu6 at gmail.com Wed May 3 00:54:43 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Wed, 3 May 2017 13:24:43 +0530
Subject: [Bro] ransomware pcap

Is any pcap available for testing the https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro script?
From apumphrey at bricata.com Thu May 4 07:32:42 2017
From: apumphrey at bricata.com (Adam Pumphrey)
Date: Thu, 4 May 2017 14:32:42 +0000
Subject: [Bro] script to extract elastic search mapping from header of bro-logs
Message-ID: <64BC9FA4-9A01-4924-A8B2-26D4F6D2F4D6@bricata.com>

You might be able to accomplish the desired end result with a dynamic template in Elasticsearch. They can be useful for this sort of thing. Instead of doing a type -> type mapping, you'd be applying data type handling rules in ES based on the names of the fields you're interested in. You can do this with the "path_match" option and patterns like "*.orig_h", if you're using/allowing dots in the field names. Attached is an example. You can also override the default behavior for built-in data types, create sub fields or configure type to type mappings.

https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-templates.html

Adam

On Apr 26, 2017, at 2:14 AM, Frank Meier wrote:

Hello,

many of us use Elasticsearch as a sink for bro-logs. I am thinking about writing a script to extract the correct mapping from the bro header. This would mean:

* mapping data types:
    string, addr, enum -> string
    int, count, port -> long
    interval, double -> double
    time -> epoch_millis
* setting 'not_analyzed' for types like addr where this makes no sense
* handle container types (table, set, vector)

Any ideas? Has anyone done this before?

Franky

-------------- next part --------------
A non-text attachment was scrubbed...
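As an added example for Frank Meier's proposal quoted above (this is not code from the thread, from Bro, or from the attached template), the script below reads the #fields/#types header of a Bro ASCII log and emits Elasticsearch properties following his type table. It assumes ES 5.x, where "keyword" is the not_analyzed string type; dotted Bro field names such as id.orig_h become nested ES objects, and set/vector columns map to their element type because ES fields are multi-valued by default. The conn.log header it parses is constructed for the example.

```python
"""Derive an Elasticsearch mapping from the header of a Bro ASCII log.

Added example (not from the thread, Bro, or the attached template).
Assumes ES 5.x field types: "keyword" is the not_analyzed string type.
"""
import json
import re
from typing import Dict, List, Tuple

# Bro scalar type -> ES property, following the type table in the thread.
# bool and subnet are added here as obvious extensions (assumption).
SCALAR: Dict[str, Dict] = {
    "string":   {"type": "keyword"},
    "addr":     {"type": "keyword"},
    "subnet":   {"type": "keyword"},
    "enum":     {"type": "keyword"},
    "int":      {"type": "long"},
    "count":    {"type": "long"},
    "port":     {"type": "long"},
    "interval": {"type": "double"},
    "double":   {"type": "double"},
    "bool":     {"type": "boolean"},
    # Bro writes ts as epoch seconds with microseconds; the shipper must
    # convert to integer milliseconds for epoch_millis to be correct.
    "time":     {"type": "date", "format": "epoch_millis"},
}
CONTAINER = re.compile(r"^(set|vector)\[(.+)\]$")


def es_type(bro_type: str) -> Dict:
    """Map one Bro type (scalar or set/vector of scalar) to an ES property."""
    m = CONTAINER.match(bro_type)
    if m:
        # ES fields are multi-valued by default, so a set[string] column is
        # simply a keyword field that holds several values.
        return es_type(m.group(2))
    if bro_type not in SCALAR:
        # table[...] never appears in a log header; anything else is unknown.
        raise ValueError(f"no ES mapping for Bro type {bro_type!r}")
    return dict(SCALAR[bro_type])


def parse_header(text: str) -> List[Tuple[str, str]]:
    """Return (field, type) pairs from the #fields and #types header lines."""
    sep, fields, types = "\t", None, None
    for line in text.splitlines():
        if not line.startswith("#"):
            break
        if line.startswith("#separator "):
            # "#separator \x09" spells the separator as an escape sequence.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        key, _, rest = line.partition(sep)
        if key == "#fields":
            fields = rest.split(sep)
        elif key == "#types":
            types = rest.split(sep)
    if fields is None or types is None or len(fields) != len(types):
        raise ValueError("header lacks matching #fields/#types lines")
    return list(zip(fields, types))


def build_mapping(header_text: str) -> Dict:
    """Build the 'properties' block for one log type; dotted Bro names such
    as id.orig_h become nested ES objects."""
    props: Dict = {}
    for name, bro_type in parse_header(header_text):
        *parents, leaf = name.split(".")
        node = props
        for part in parents:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[leaf] = es_type(bro_type)
    return {"properties": props}


# Constructed, abbreviated conn.log header (not a real capture).
SAMPLE_HEADER = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tinterval\tcount\tset[string]",
    "1494251773.000000\tCbQ1hq3\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp"
    "\t0.5\t120\t(empty)",
])

if __name__ == "__main__":
    print(json.dumps(build_mapping(SAMPLE_HEADER), indent=2))
```

Run it against the header of a real log (head -8 conn.log) and wrap the returned properties in an index template for that log's #path; a real deployment would also map addr to the ES "ip" type rather than keyword if range queries on addresses are wanted.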
Name: es_index_mapping_template.json
Type: application/json
Size: 1976 bytes
Desc: es_index_mapping_template.json
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170504/5abb1162/attachment.bin

From david.misell at icloud.com Thu May 4 08:21:04 2017
From: david.misell at icloud.com (D S Misell)
Date: Thu, 04 May 2017 16:21:04 +0100
Subject: [Bro] CVE Identifier: CVE-2017-5689
Message-ID: <38C93C25-AE60-473C-8BD9-D48FAE420A5B@icloud.com>

Dear Sir or Madam,

Has anyone got any scripts to detect active abuse of the Intel Trojan that affects all machines less than 10 years old?

Yours Faithfully,
David S. Misell MIET MBCS CISSP

From dave.a.florek at gmail.com Thu May 4 11:07:04 2017
From: dave.a.florek at gmail.com (Dave Florek)
Date: Thu, 4 May 2017 14:07:04 -0400
Subject: [Bro] Intel alerts not showing up in the notice log

Hi Mike,

Thanks for the response. I'm still not seeing the Intel.log entries show up in my notice.log. I confirmed I have the @load policy/frameworks/intel/do_notice and @load frameworks/intel/seen in my local.bro file and the 'T' switch set on my DAT file entries. I'm not sure what to try next.

Any recommendations?

> Date: Tue, 2 May 2017 16:06:37 -0500
> From: Mike Dopheide
> Subject: Re: [Bro] Intel alerts not showing up in the notice log
> To: Dave Florek
> Cc: "bro at bro.org"
>
> I haven't read the whole thread, but you may need:
>
> @load policy/frameworks/intel/do_notice
>
> As well as have "meta.do_notice" set to T in your .dat files.
>
> -Dop
>
>> On Tue, May 2, 2017 at 3:36 PM, Dave Florek wrote:
>>
>> Good afternoon,
>>
>> Was there a resolution to this thread? I'm having the same issue on a
>> default build and I'm not sure where to start.
>>
>> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html
>>
>> Thanks,

From dopheide at gmail.com Thu May 4 11:53:49 2017
From: dopheide at gmail.com (Mike Dopheide)
Date: Thu, 4 May 2017 13:53:49 -0500
Subject: [Bro] Intel alerts not showing up in the notice log

I assume you've also redef'd Intel::read_files as well.

How are you testing it? If you're running standalone against a small pcap, I believe Bro may finish processing traffic before it finishes loading the Intel data. (Can anyone confirm or deny that?)

-Dop

On Thu, May 4, 2017 at 1:07 PM, Dave Florek wrote:
> Hi Mike,
>
> Thanks for the response. I'm still not seeing the Intel.log entries show
> up in my notice.log. I confirmed I have the @load policy/frameworks/intel/do_notice
> and @load frameworks/intel/seen in my local.bro file and the
> 'T' switch set on my DAT file entries. I'm not sure what to try next.
>
> Any recommendations?
>
> > Date: Tue, 2 May 2017 16:06:37 -0500
> > From: Mike Dopheide
> > Subject: Re: [Bro] Intel alerts not showing up in the notice log
> > To: Dave Florek
> > Cc: "bro at bro.org"
> >
> > I haven't read the whole thread, but you may need:
> >
> > @load policy/frameworks/intel/do_notice
> >
> > As well as have "meta.do_notice" set to T in your .dat files.
> >
> > -Dop
> >
> >> On Tue, May 2, 2017 at 3:36 PM, Dave Florek wrote:
> >>
> >> Good afternoon,
> >>
> >> Was there a resolution to this thread? I'm having the same issue on a
> >> default build and I'm not sure where to start.
> >>
> >> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html
> >>
> >> Thanks,

From dave.a.florek at gmail.com Fri May 5 07:53:11 2017
From: dave.a.florek at gmail.com (Dave Florek)
Date: Fri, 5 May 2017 10:53:11 -0400
Subject: [Bro] Bro Digest, Vol 133, Issue 4

Hi Mike,

Yep. I'm using a custom .dat file:

    redef Intel::read_files += {
        "/usr/local/bro/intel/target.dat"
    };

I don't think that's the issue though. Those email alerts do show up in the notice.log and my mailbox when I trigger them by pinging the indicator sites. I think the issue is with the Critical Stack Intel alerts that show in the intel.log but not the notice.log. Is there by any chance a separate config file that controls those alerts since it's a separate addon?

Thanks!

> Date: Thu, 4 May 2017 13:53:49 -0500
> From: Mike Dopheide
> Subject: Re: [Bro] Intel alerts not showing up in the notice log
> To: Dave Florek
> Cc: "bro at bro.org"
>
> I assume you've also redef'd Intel::read_files as well.
>
> How are you testing it? If you're running standalone against a small pcap,
> I believe Bro may finish processing traffic before it finishes loading the
> Intel data. (Can anyone confirm or deny that?)
>
> -Dop
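The thread above turns on two details of the Intel framework's .dat files: Bro's input framework wants tab-separated columns, and the do_notice policy only raises a notice for rows whose meta.do_notice is T. As an added example (not from the thread or from Bro), the checker below reports the mistakes that most often leave a hit in intel.log without a matching notice.log entry. The set of indicator types is the one in Bro 2.5 as I know it, and the indicator values are constructed documentation addresses, not real IoCs.

```python
"""Sanity-check a Bro Intel framework .dat file before loading it.

Added example (not from the thread or from Bro). Bro's input framework
requires tab-separated columns; the do_notice policy only raises a notice
for rows whose meta.do_notice is T. Indicator values below are
constructed documentation values, not real IoCs.
"""
from dataclasses import dataclass
from typing import List

REQUIRED = ("indicator", "indicator_type", "meta.source")
# Indicator types the Bro 2.5 Intel framework accepts (assumed complete).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}


@dataclass
class Finding:
    line: int    # 1-based line number in the .dat file
    level: str   # "error": row/file likely rejected; "warn": loads, but no notice
    msg: str


def check_intel_file(text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields"):
        return [Finding(1, "error", "first line must be a '#fields' header")]
    if "\t" not in lines[0]:
        return [Finding(1, "error", "header is not tab-separated")]
    fields = lines[0].split("\t")[1:]
    for name in REQUIRED:
        if name not in fields:
            findings.append(Finding(1, "error", f"missing required column {name}"))
    if "meta.do_notice" not in fields:
        findings.append(Finding(1, "warn",
                        "no meta.do_notice column: do_notice will never notice"))
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" not in line:
            # The classic failure: a feed pasted with spaces instead of tabs.
            findings.append(Finding(n, "error", "row is not tab-separated (spaces?)"))
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            findings.append(Finding(n, "error",
                            f"{len(cols)} columns but header has {len(fields)}"))
            continue
        row = dict(zip(fields, cols))
        itype = row.get("indicator_type", "")
        if itype not in KNOWN_TYPES:
            findings.append(Finding(n, "error", f"unknown indicator_type {itype!r}"))
        if "meta.do_notice" in row:
            flag = row["meta.do_notice"]
            if flag not in ("T", "F"):
                findings.append(Finding(n, "error",
                                f"meta.do_notice must be T or F, got {flag!r}"))
            elif flag == "F":
                findings.append(Finding(n, "warn",
                                "meta.do_notice is F: hit goes to intel.log only"))
    return findings


# Constructed sample with one good row and three typical mistakes.
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "203.0.113.7\tIntel::ADDR\tconstructed-feed\tdoc example host\tT",
    "badhost.example\tIntel::DOMAIN\tconstructed-feed\tdoc example domain\tF",
    "198.51.100.9 Intel::ADDR constructed-feed spaces-not-tabs T",
    "192.0.2.1\tIntel::IPADDR\tconstructed-feed\twrong type name\tT",
])

if __name__ == "__main__":
    for f in check_intel_file(SAMPLE):
        print(f"line {f.line}: {f.level}: {f.msg}")
```

Point it at each file listed in Intel::read_files; a feed that loads cleanly but produces only "warn" findings is the case Dave describes, where intel.log fills up and notice.log stays empty.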
From dave.a.florek at gmail.com Fri May 5 08:25:02 2017
From: dave.a.florek at gmail.com (Dave Florek)
Date: Fri, 5 May 2017 11:25:02 -0400
Subject: [Bro] Bro Digest, Vol 133, Issue 4

I see it. Never mind. Problem solved!

On Fri, May 5, 2017 at 10:53 AM, Dave Florek wrote:
> Hi Mike,
>
> Yep. I'm using a custom .dat file:
>
> redef Intel::read_files += {
>     "/usr/local/bro/intel/target.dat"
> };
>
> I don't think that's the issue though. Those email alerts do show up in
> the notice.log and my mailbox when I trigger them by pinging the indicator
> sites. I think the issue is with the Critical Stack Intel alerts that show
> in the intel.log but not the notice.log. Is there by any chance a separate
> config file that controls those alerts since it's a separate addon?
>
> Thanks!
>
>> Date: Thu, 4 May 2017 13:53:49 -0500
>> From: Mike Dopheide
>> Subject: Re: [Bro] Intel alerts not showing up in the notice log
>> To: Dave Florek
>> Cc: "bro at bro.org"
>>
>> I assume you've also redef'd Intel::read_files as well.
>>
>> How are you testing it? If you're running standalone against a small
>> pcap, I believe Bro may finish processing traffic before it finishes
>> loading the Intel data. (Can anyone confirm or deny that?)
>>
>> -Dop

From mydevmail at gmx.de Mon May 8 05:06:37 2017
From: mydevmail at gmx.de (gehtdichmalgarnixan gehtdichauchnixan)
Date: Mon, 8 May 2017 14:06:37 +0200
Subject: [Bro] Bro logging connections after specific daytime

An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170508/702f311f/attachment.html

From newfire.bw at gmail.com Mon May 8 07:16:13 2017
From: newfire.bw at gmail.com (Bowen Li)
Date: Mon, 8 May 2017 22:16:13 +0800
Subject: [Bro] logger large memory usage

Hey all,

I'm running a Bro cluster on a 10G network, writing logs directly to a Redis server using plugins. When the cluster is running, the memory usage of the logger keeps growing larger and larger (hundreds of GB); it seems like the logger cannot handle the huge number of log messages. So the question is: what's the processing capacity of the logger? In my case, 25000 msgs/sec to Redis. And why not use more loggers in one cluster, rather than only one?

Any insight would be helpful.

Bowen Li

From espressobeanies at gmail.com Mon May 8 08:29:35 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Mon, 8 May 2017 11:29:35 -0400
Subject: [Bro] Issue defining "Site::local_admins" variable

Good morning,

I'm working on email separation between users and admins on my local Bro instance and I'm not understanding the syntax for either the "Site::get_emails" or the "Site::local_admins" variables for ACTION_EMAIL_ADMIN. Since I avoid functions, I attempted to redefine the following in my local.bro:

    redef Site::local_admins += {
        table([xxx.xxx.xxx.xxx/16] = "emailaddress1 at something.com, emailaddress2 at something.com");
    };

Reference: https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_admins

Bro doesn't like this and I'm unable to find previous examples for guidance. Could someone point me in the right direction?

Thanks,
From jazoff at illinois.edu Mon May 8 08:39:05 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 8 May 2017 15:39:05 +0000
Subject: [Bro] Issue defining "Site::local_admins" variable

> On May 8, 2017, at 11:29 AM, Espresso Beanies wrote:
>
> Good morning,
>
> I'm working on email separation between users and admins on my local Bro instance and I'm not understanding the syntax for either the "Site::get_emails" or the "Site::local_admins" variables for ACTION_EMAIL_ADMIN. Since I avoid functions, I attempted to redefine the following in my local.bro:
>
> redef Site::local_admins += {
>     table([xxx.xxx.xxx.xxx/16] = "emailaddress1 at something.com,emailaddress2 at something.com");
> };
>
> Reference: https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_admins
>
> Bro doesn't like this and I'm unable to find previous examples for guidance. Could someone point me in the right direction?

It's a table of a set of strings:

    scripts/base/utils/site.bro: const local_admins: table[subnet] of set[string] = {} &redef;

    $ git grep redef.*local_admins
    testing/btest/scripts/base/utils/site.test:redef Site::local_admins += {
    $ cat testing/btest/scripts/base/utils/site.test
    # @TEST-EXEC: bro %INPUT > output
    # @TEST-EXEC: btest-diff output

    # This is loaded by default.
    #@load base/utils/site

    global a = { "site-admin at example.com", "other-site-admin at example.com" };
    global b = { "net-admin at example.com" };

    redef Site::local_admins += {
        [141.142.0.0/16] = a,
        [141.142.100.0/24] = b,
    };

    event bro_init()
        {
        print Site::get_emails(141.142.1.1);
        print Site::get_emails(141.142.100.100);
        }
    $

--
- Justin Azoff

From espressobeanies at gmail.com Mon May 8 09:04:41 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Mon, 8 May 2017 12:04:41 -0400
Subject: [Bro] Issue defining "Site::local_admins" variable

Thanks Justin. That worked. :)

Out of curiosity, what does the "print Site::get_emails()" statement do?

On Mon, May 8, 2017 at 11:39 AM, Azoff, Justin S wrote:
>
> > On May 8, 2017, at 11:29 AM, Espresso Beanies wrote:
> >
> > Good morning,
> >
> > I'm working on email separation between users and admins on my local Bro
> > instance and I'm not understanding the syntax for either the
> > "Site::get_emails" or the "Site::local_admins" variables for
> > ACTION_EMAIL_ADMIN. Since I avoid functions, I attempted to redefine the
> > following in my local.bro:
> >
> > redef Site::local_admins += {
> >     table([xxx.xxx.xxx.xxx/16] = "emailaddress1 at something.com,emailaddress2 at something.com");
> > };
> >
> > Reference: https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_admins
> >
> > Bro doesn't like this and I'm unable to find previous examples for
> > guidance. Could someone point me in the right direction?
>
> It's a table of a set of strings:
>
> scripts/base/utils/site.bro: const local_admins: table[subnet] of
> set[string] = {} &redef;
>
> $ git grep redef.*local_admins
> testing/btest/scripts/base/utils/site.test:redef Site::local_admins += {
> $ cat testing/btest/scripts/base/utils/site.test
> # @TEST-EXEC: bro %INPUT > output
> # @TEST-EXEC: btest-diff output
>
> # This is loaded by default.
> #@load base/utils/site
>
> global a = { "site-admin at example.com", "other-site-admin at example.com" };
> global b = { "net-admin at example.com" };
>
> redef Site::local_admins += {
>     [141.142.0.0/16] = a,
>     [141.142.100.0/24] = b,
> };
>
> event bro_init()
>     {
>     print Site::get_emails(141.142.1.1);
>     print Site::get_emails(141.142.100.100);
>     }
> $
>
> --
> - Justin Azoff

From jazoff at illinois.edu Mon May 8 09:06:02 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 8 May 2017 16:06:02 +0000
Subject: [Bro] Issue defining "Site::local_admins" variable

> On May 8, 2017, at 12:04 PM, Espresso Beanies wrote:
>
> Thanks Justin. That worked. :)
>
> Out of curiosity, what does the "print Site::get_emails()" statement do?

    ## Function that returns a comma-separated list of email addresses
    ## that are considered administrators for the IP address provided as
    ## an argument.
    ## The function inspects :bro:id:`Site::local_admins`.
    global get_emails: function(a: addr): string;

--
- Justin Azoff

From espressobeanies at gmail.com Mon May 8 09:11:15 2017
From: espressobeanies at gmail.com (Espresso Beanies)
Date: Mon, 8 May 2017 12:11:15 -0400
Subject: [Bro] Issue defining "Site::local_admins" variable

I see. Thanks again.

On Mon, May 8, 2017 at 12:06 PM, Azoff, Justin S wrote:
>
> > On May 8, 2017, at 12:04 PM, Espresso Beanies wrote:
> >
> > Thanks Justin. That worked. :)
> >
> > Out of curiosity, what does the "print Site::get_emails()" statement do?
>
> ## Function that returns a comma-separated list of email addresses
> ## that are considered administrators for the IP address provided as
> ## an argument.
> ## The function inspects :bro:id:`Site::local_admins`.
> global get_emails: function(a: addr): string;
>
> --
> - Justin Azoff

From tomas.bortoli at sit.fraunhofer.de Tue May 9 01:36:25 2017
From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas)
Date: Tue, 9 May 2017 08:36:25 +0000
Subject: [Bro] logger large memory usage

I might be wrong, but using Redis you can't store more than your actual RAM capacity.

Check out: https://redis.io/topics/faq

Hope this helps,
Tomas

________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Bowen Li [newfire.bw at gmail.com]
Sent: Monday, May 08, 2017 4:16 PM
To: bro at bro.org
Subject: [Bro] logger large memory usage

Hey all,

I'm running a Bro cluster on a 10G network, writing logs directly to a Redis server using plugins. When the cluster is running, the memory usage of the logger keeps growing larger and larger (hundreds of GB); it seems like the logger cannot handle the huge number of log messages. So the question is: what's the processing capacity of the logger? In my case, 25000 msgs/sec to Redis. And why not use more loggers in one cluster, rather than only one?

Any insight would be helpful.

Bowen Li

From Izik.Birka at hot.net.il Wed May 10 01:59:56 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Wed, 10 May 2017 08:59:56 +0000
Subject: [Bro] bro files - network drive
Message-ID: <592228F4D0C8504187F2F76658040CB6DFFAB37E@HOT-MAILBOX-02.HOT.NET.IL>

Hi

Why, when I only search for a file on a network drive, are all the files in the network drive written to files.log? How can I detect a real file transfer?
From josh.guild at morphick.com Wed May 10 11:18:37 2017
From: josh.guild at morphick.com (Josh Guild)
Date: Wed, 10 May 2017 14:18:37 -0400
Subject: [Bro] Issues with Signature Framework

Hi all,

I'm pretty sure I know the answer will be "don't use the Signature Framework" but I'm going to ask this question anyways. Ha.

I'm trying to whitelist an IP as a destination within a signature but it doesn't seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?

Example:

    signature name {
        ip-proto == tcp
        dst-ip != 10.0.0.1
        payload /stuffimlookingfor/
        event "Getting stuff over TCP"
    }

Any help would be much appreciated, thanks!

--
Josh Guild
Network Intelligence Analyst

From philosnef at gmail.com Thu May 11 07:36:00 2017
From: philosnef at gmail.com (erik clark)
Date: Thu, 11 May 2017 10:36:00 -0400
Subject: [Bro] data_before_established, possible_split_routing

We are experiencing these in significant quantity since we moved traffic from one site to another.
Is there any sort of way to bond this data so that Bro won't gut the connections? This is leading to a massive 70% packet loss on the sensor.

From robin at icir.org Thu May 11 09:41:00 2017
From: robin at icir.org (Robin Sommer)
Date: Thu, 11 May 2017 09:41:00 -0700
Subject: [Bro] Issues with Signature Framework
Message-ID: <20170511164100.GF55095@icir.org>

On Wed, May 10, 2017 at 14:18 -0400, Josh Guild wrote:

> I'm pretty sure I know the answer will be "don't use the Signature
> Framework" but I'm going to ask this question anyways. Ha.

It's actually ok to use it, just not too heavily. :-)

> I'm trying to whitelist an IP as a destination within a signature but it
> doesn't seem to work and the sig is still firing.

Couple things:

- I assume you have seen this list of "quirks"?
  https://www.bro.org/sphinx/frameworks/signatures.html#things-to-keep-in-mind-when-writing-signatures

- If you compile with --enable-debug and run with '-B signatures' you get debugging information in debug.log that may help track down what's going on (if you don't mind looking at some low-level stuff :)

- If you cannot figure it out I can look into it but would need a signature and a trace to reproduce what you're seeing.
Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jazoff at illinois.edu Thu May 11 11:22:44 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 11 May 2017 18:22:44 +0000
Subject: [Bro] logger large memory usage

> On May 8, 2017, at 10:16 AM, Bowen Li wrote:
>
> Hey all,
>
> I'm running a Bro cluster on a 10G network, writing logs directly to a Redis server using plugins. When the cluster is running, the memory usage of the logger keeps growing larger and larger (hundreds of GB); it seems like the logger cannot handle the huge number of log messages. So the question is: what's the processing capacity of the logger? In my case, 25000 msgs/sec to Redis. And why not use more loggers in one cluster, rather than only one?

Multiple loggers is something that is being worked on. The broctl git repository has initial support for running more than one worker on a cluster. It doesn't really work right if you are logging to files, but if you are using Kafka or Redis to aggregate logs it will work fine.

--
- Justin Azoff

From craig.edgmand at okstate.edu Thu May 11 12:36:06 2017
From: craig.edgmand at okstate.edu (Edgmand, Craig)
Date: Thu, 11 May 2017 19:36:06 +0000
Subject: [Bro] Bro 10Gb Performance

We are currently running Bro with 1 Gb Intel cards and vanilla PF_RING and we have acceptable packet loss after filtering (1 - 3 percent), but we need to move up to 10 Gb sensors.

Is there anyone that is using commodity hardware and Intel X520 network cards with Bro to process 10GB of traffic using AF_PACKET, vanilla PF_RING or PF_RING ZC?

In the paper 100G Intrusion Detection, they utilized Myricom 10 Gb cards with the sniffer software and were only running 10 workers per node, or up to 1 Gb per worker. Is this possible with Intel X520 using AF_PACKET or PF_RING? It is my understanding that AF_PACKET is broken in some kernels (I have used Justin's fanout tool) and requires a driver update.
Is there a diminishing return for number of workers per server?

Michael Purzynski published a great paper on Suricata performance tuning to achieve 20 Gb throughput on commodity hardware using AF_PACKET. Is there a corresponding Bro document?

Thanks,

Craig Edgmand
IT Security

From mus3 at lehigh.edu Thu May 11 12:42:05 2017
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Thu, 11 May 2017 15:42:05 -0400
Subject: [Bro] Bro 10Gb Performance

I am using all commodity hardware:

    10:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

and I am seeing <5% packet loss. I am currently using Bro 2.5 with AF_PACKET. Bro generally sees on average 7-8 Gbps from the taps.

On Thu, May 11, 2017 at 3:36 PM, Edgmand, Craig wrote:
> We are currently running Bro with 1 Gb Intel cards and vanilla PF_RING and
> we have acceptable packet loss after filtering (1 - 3 percent), but we need
> to move up to 10 Gb sensors.
>
> Is there anyone that is using commodity hardware and Intel X520 network
> cards with Bro to process 10GB of traffic using AF_PACKET, vanilla PF_RING
> or PF_RING ZC?
>
> In the paper 100G Intrusion Detection, they utilized Myricom 10 Gb cards,
> with the sniffer software and were only running 10 workers per node or up
> to 1 Gb per worker. Is this possible with Intel X520 using AF_PACKET or
> PF_RING? It is my understanding that AF_PACKET is broken in some kernels (I
> have used Justin's fanout tool) and requires a driver update.
>
> Is there a diminishing return for number of workers per server?
>
> Michael Purzynski published a great paper on Suricata performance tuning
> to achieve 20 Gb throughput on commodity hardware using AF_PACKET. Is
> there a corresponding Bro document?
>
> Thanks,
>
> Craig Edgmand
> IT Security
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From ed.sealing at sealingtech.org Thu May 11 13:08:02 2017
From: ed.sealing at sealingtech.org (Ed Sealing)
Date: Thu, 11 May 2017 16:08:02 -0400
Subject: [Bro] Bro 10Gb Performance
In-Reply-To: References: Message-ID:

I've done some research on the use of commodity hardware and the Intel X710 and XL710 cards (Amazon shows ~$475 or so). They are the only non-capture card that allows SR-IOV in promiscuous mode (with on-card vlan popping), which was a requirement for us. AFPacket seems to work well with it (i40e drivers) and passes Justin's fanout checks on a default RHEL/CentOS 7.3 build.

Did some analysis of the Suricata performance tuning paper WRT bro, and it's almost universally applicable. Here are some quick recommendations based on some of our analysis:

- Isolate CPUs in grub (e.g. isolcpus=1-7,9-15)
- # workers = CPU Cores - 4. (This leaves 2 cores for the kernel, 1 for proxy, 1 for manager.)
- Lower the Ring Descriptors on the card to ~256 (ethtool -G eth0 rx 256)
- Reduce "Combined RSS" to 1 (ethtool -L eth0 combined 1)

In Michael's paper, he suggests turning off "irqbalance", but I haven't seen this make much of a difference, and sometimes it hurts more than helps (but I'm also using a single chip system).

Anyway, hope this helps.

~Ed

On Thu, May 11, 2017 at 3:36 PM, Edgmand, Craig wrote:
> We are currently running Bro with 1 Gb intel cards and vanilla PF_RING and we have acceptable packet loss after filtering (1 - 3 percent), but we need to move up to 10 Gb sensors.
>
> Is there anyone that is using commodity hardware and Intel X520 network cards with Bro to process 10GB of traffic using AF_PACKET, vanilla PF_RING or PF_RING ZC?
>
> In the paper 100G Intrusion Detection, they utilized Myricom 10 Gb cards, with the sniffer software and were only running 10 workers per node or up to 1 Gb per worker. Is this possible with Intel X520 using AF_PACKET or PF_RING? It is my understanding that AF_PACKET is broken in some kernels (I have used Justin's fanout tool) and requires a driver update.
>
> Is there a diminishing return for number of workers per server?
>
> Michael Purzynski published a great paper on Suricata performance tuning to achieve 20 Gb throughput on commodity hardware using AF_PACKET. Is there a corresponding Bro document?
>
> Thanks,
>
> Craig Edgmand
> IT Security
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From dwaters at bioteam.net Thu May 11 17:48:46 2017
From: dwaters at bioteam.net (Darrain Waters)
Date: Thu, 11 May 2017 19:48:46 -0500
Subject: [Bro] 100G question
Message-ID:

All

My customer will be installing a 100G I2 port @ multiple sites. I have specced a 5 node cluster using Arista Danz and myricom 10G cards with SNF license. The 100G will be tapped using a ixia passive tap. I have built and installed this set up for a previous customer, which was based on the Berkeley Lab set up.

Apparently, someone @ corelight has told my customer that this type of BRO 100G cluster setup is not necessary. Further, the corelight person said that one of the corelight appliances would be able to handle 100G.
Is there a new standard for inspecting 100G, and is corelight BroBox capable of inspecting 100G flows ?

Thank you

From greg at corelight.com Thu May 11 18:15:02 2017
From: greg at corelight.com (Gregory Bell)
Date: Thu, 11 May 2017 18:15:02 -0700
Subject: [Bro] 100G question
In-Reply-To: References: Message-ID:

Hi Darrain,

I think there's been a misunderstanding - a single instance of our appliance isn't designed to handle 100G, and this doesn't sound like the conversation we had with your customer. Much of our team came from Berkeley Lab, so we're familiar with Science DMZ. Let's talk when you have a chance - will send my number separately.

- Greg

--
Gregory Bell
CEO, Corelight
www.corelight.com

On Thu, May 11, 2017 at 5:48 PM, Darrain Waters wrote:
> All
>
> My customer will be installing a 100G I2 port @ multiple sites. I have specced a 5 node cluster using Arista Danz and myricom 10G cards with SNF license. The 100G will be tapped using a ixia passive tap. I have built and installed this set up for a previous customer, which was based on the Berkeley Lab set up.
>
> Apparently, someone @ corelight has told my customer that this type of BRO 100G cluster setup is not necessary. Further, the corelight person said that one of the corelight appliances would be able to handle 100G.
>
> Is there a new standard for inspecting 100G, and is corelight BroBox capable of inspecting 100G flows ?
>
> Thank you
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From slagell at illinois.edu Thu May 11 20:11:02 2017
From: slagell at illinois.edu (Slagell, Adam J)
Date: Fri, 12 May 2017 03:11:02 +0000
Subject: [Bro] 100G question
In-Reply-To: References: Message-ID:

Darrain,

Also, please feel free to contact me at the NCSA for some independent advice about Bro @ 100G. NSF funds the project to help EDUs and NSF projects.

Cheers,
Adam Slagell

> On May 11, 2017, at 7:48 PM, Darrain Waters wrote:
>
> All
>
> My customer will be installing a 100G I2 port @ multiple sites. I have specced a 5 node cluster using Arista Danz and myricom 10G cards with SNF license. The 100G will be tapped using a ixia passive tap. I have built and installed this set up for a previous customer, which was based on the Berkeley Lab set up.
>
> Apparently, someone @ corelight has told my customer that this type of BRO 100G cluster setup is not necessary. Further, the corelight person said that one of the corelight appliances would be able to handle 100G.
>
> Is there a new standard for inspecting 100G, and is corelight BroBox capable of inspecting 100G flows ?
>
> Thank you
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From seth at corelight.com Thu May 11 20:23:15 2017
From: seth at corelight.com (Seth Hall)
Date: Thu, 11 May 2017 23:23:15 -0400
Subject: [Bro] Issue defining "Site::local_admins" variable
In-Reply-To: References: Message-ID: <77B6139D-222C-47DA-A275-1EF2B4D7A262@corelight.com>

For context on this functionality, it was written for Universities with distributed administrators for all of the networks. It was written so I could load the database of network admins into Bro and have it email the responsible party automatically.

.Seth

> On May 8, 2017, at 12:11 PM, Espresso Beanies wrote:
>
> I see. Thanks again.
>
> On Mon, May 8, 2017 at 12:06 PM, Azoff, Justin S wrote:
>
> > On May 8, 2017, at 12:04 PM, Espresso Beanies wrote:
> >
> > Thanks Justin. That worked. :)
> >
> > Out of curiosity, what does the "print Site::get_emails()" statement do?
>
> ## Function that returns a comma-separated list of email addresses
> ## that are considered administrators for the IP address provided as
> ## an argument.
> ## The function inspects :bro:id:`Site::local_admins`.
> global get_emails: function(a: addr): string;
>
> --
> - Justin Azoff
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com

From michalpurzynski1 at gmail.com Thu May 11 20:59:03 2017
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Thu, 11 May 2017 20:59:03 -0700
Subject: [Bro] 100G question
In-Reply-To: References: Message-ID: <5ED61BB8-F4CF-45EE-B2C9-EA8BF3500539@gmail.com>

We used to do 60Gbit/s easily at Mozilla a few years ago, with Arista TapAgg and what I like to call a reverse bond interface.
Works great and as a nice bonus you can do a rolling cluster restart without missing a bit. That included a bunch of servers with Myricom; I'd rather use X720 instead.

Depending on your network something else might be an issue - the number of flows. Depends on how much state your scripts keep. Basically bits/sec are not the only thing that matters. We have 128GB per server.

Good luck!!

> On May 11, 2017, at 8:11 PM, Slagell, Adam J wrote:
>
> Darrain,
>
> Also, please feel free to contact me at the NCSA for some independent advice about Bro @ 100G. NSF funds the project to help EDUs and NSF projects.
>
> Cheers,
> Adam Slagell
>
>> On May 11, 2017, at 7:48 PM, Darrain Waters wrote:
>>
>> All
>>
>> My customer will be installing a 100G I2 port @ multiple sites. I have specced a 5 node cluster using Arista Danz and myricom 10G cards with SNF license. The 100G will be tapped using a ixia passive tap. I have built and installed this set up for a previous customer, which was based on the Berkeley Lab set up.
>>
>> Apparently, someone @ corelight has told my customer that this type of BRO 100G cluster setup is not necessary. Further, the corelight person said that one of the corelight appliances would be able to handle 100G.
>>
>> Is there a new standard for inspecting 100G, and is corelight BroBox capable of inspecting 100G flows ?
>>
>> Thank you
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jdopheid at illinois.edu Fri May 12 07:08:07 2017
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Fri, 12 May 2017 14:08:07 +0000
Subject: [Bro] The Bro Project is looking for developers
Message-ID:

The Bro Project is looking for an exceptional engineer to join our core team of Bro developers.
If you are interested in helping us advance Bro, please consider applying!

We are looking for candidates who have demonstrated experience leading projects, excellent programming skills in C/C++ and Python, are comfortable at the Unix command line, and have solid knowledge of network technology. It is a plus if you have implemented network protocols before, been involved with large open-source projects, developed for distributed systems, or have a background in security operations.

This is a full-time position with NCSA's CyberSecurity and Networking Directorate in Urbana, IL.

If you are interested, please send your application to info at bro.org (TXT or PDF format only please). Make sure to mention any relevant projects that you have worked on in the past, including your particular role.

------
Adam J. Slagell
Director, Cybersecurity & Networking Division
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

From jlay at slave-tothe-box.net Fri May 12 07:39:21 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 12 May 2017 08:39:21 -0600
Subject: [Bro] Issues with Signature Framework
In-Reply-To: References: Message-ID: <8180230380ff0675287f6c2d8675ad0b@localhost>

Try putting it at the top of the sig list. If that doesn't work, put it at the bottom. I remember dealing with this myself after updating to 2.5.

James

On 2017-05-10 12:18, Josh Guild wrote:
> Hi all,
>
> I'm pretty sure I know the answer will be "don't use the Signature Framework" but I'm going to ask this question anyways. Ha.
>
> I'm trying to whitelist an IP as a destination within a signature but it doesn't seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?
>
> Example:
>
> signature name {
>     ip-proto == tcp
>     dst-ip != 10.0.0.1
>     payload /stuffimlookingfor/
>     event "Getting stuff over TCP"
> }
>
> Any help would be much appreciated, thanks!
>
> --
>
> Josh Guild
> Network Intelligence Analyst
> https://twitter.com/stay_spooky
> https://keybase.io/joshuaguild
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From josh.guild at morphick.com Fri May 12 08:53:56 2017
From: josh.guild at morphick.com (Josh Guild)
Date: Fri, 12 May 2017 11:53:56 -0400
Subject: [Bro] Issues with Signature Framework
In-Reply-To: <8180230380ff0675287f6c2d8675ad0b@localhost> References: <8180230380ff0675287f6c2d8675ad0b@localhost> Message-ID:

Hey guys,

Thanks for the responses! I'll try to take a look at the debug output and see if I can figure anything out there.

James,
Do you mean placing it first/last in the signatures file or putting the "dst-ip !=" first/last in the signature itself?

On Fri, May 12, 2017 at 10:39 AM, James Lay wrote:
> Try putting it at the top of the sig list. If that doesn't work, put it at the bottom. I remember dealing with this myself after updating to 2.5.
>
> James
>
> On 2017-05-10 12:18, Josh Guild wrote:
> > Hi all,
> >
> > I'm pretty sure I know the answer will be "don't use the Signature Framework" but I'm going to ask this question anyways. Ha.
> >
> > I'm trying to whitelist an IP as a destination within a signature but it doesn't seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?
> >
> > Example:
> >
> > signature name {
> >     ip-proto == tcp
> >     dst-ip != 10.0.0.1
> >     payload /stuffimlookingfor/
> >     event "Getting stuff over TCP"
> > }
> >
> > Any help would be much appreciated, thanks!
> >
> > --
> >
> > Josh Guild
> > Network Intelligence Analyst
> > https://twitter.com/stay_spooky
> > https://keybase.io/joshuaguild
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Josh Guild
Network Intelligence Analyst

From jlay at slave-tothe-box.net Fri May 12 10:02:29 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 12 May 2017 11:02:29 -0600
Subject: [Bro] Issues with Signature Framework
In-Reply-To: References: <8180230380ff0675287f6c2d8675ad0b@localhost> Message-ID: <01eabd4cf32013284399451cf525e6a5@localhost>

The entire signature.

On 2017-05-12 09:53, Josh Guild wrote:
> Hey guys,
>
> Thanks for the responses! I'll try to take a look at the debug output and see if I can figure anything out there.
>
> James,
> Do you mean placing it first/last in the signatures file or putting the "dst-ip !=" first/last in the signature itself?
>
> On Fri, May 12, 2017 at 10:39 AM, James Lay wrote:
>
>> Try putting it at the top of the sig list. If that doesn't work, put it at the bottom. I remember dealing with this myself after updating to 2.5.
>>
>> James
>>
>> On 2017-05-10 12:18, Josh Guild wrote:
>>> Hi all,
>>>
>>> I'm pretty sure I know the answer will be "don't use the Signature Framework" but I'm going to ask this question anyways. Ha.
>>>
>>> I'm trying to whitelist an IP as a destination within a signature but it doesn't seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?
>>>
>>> Example:
>>>
>>> signature name {
>>>     ip-proto == tcp
>>>     dst-ip != 10.0.0.1
>>>     payload /stuffimlookingfor/
>>>     event "Getting stuff over TCP"
>>> }
>>>
>>> Any help would be much appreciated, thanks!
>>>
>>> --
>>>
>>> Josh Guild
>>> Network Intelligence Analyst
>>> https://twitter.com/stay_spooky
>>> https://keybase.io/joshuaguild
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Josh Guild
> Network Intelligence Analyst
> https://twitter.com/stay_spooky
> https://keybase.io/joshuaguild

From josh.guild at morphick.com Fri May 12 10:25:21 2017
From: josh.guild at morphick.com (Josh Guild)
Date: Fri, 12 May 2017 13:25:21 -0400
Subject: [Bro] Issues with Signature Framework
In-Reply-To: <01eabd4cf32013284399451cf525e6a5@localhost> References: <8180230380ff0675287f6c2d8675ad0b@localhost> <01eabd4cf32013284399451cf525e6a5@localhost> Message-ID:

Awesome, I'll give that a shot. Thanks!

On Fri, May 12, 2017 at 1:02 PM, James Lay wrote:
> The entire signature.
>
> On 2017-05-12 09:53, Josh Guild wrote:
> > Hey guys,
> >
> > Thanks for the responses! I'll try to take a look at the debug output and see if I can figure anything out there.
> >
> > James,
> > Do you mean placing it first/last in the signatures file or putting the "dst-ip !=" first/last in the signature itself?
> >
> > On Fri, May 12, 2017 at 10:39 AM, James Lay wrote:
> >
> >> Try putting it at the top of the sig list. If that doesn't work, put it at the bottom. I remember dealing with this myself after updating to 2.5.
> >>
> >> James
> >>
> >> On 2017-05-10 12:18, Josh Guild wrote:
> >>> Hi all,
> >>>
> >>> I'm pretty sure I know the answer will be "don't use the Signature Framework" but I'm going to ask this question anyways. Ha.
> >>>
> >>> I'm trying to whitelist an IP as a destination within a signature but it doesn't seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?
> >>>
> >>> Example:
> >>>
> >>> signature name {
> >>>     ip-proto == tcp
> >>>     dst-ip != 10.0.0.1
> >>>     payload /stuffimlookingfor/
> >>>     event "Getting stuff over TCP"
> >>> }
> >>>
> >>> Any help would be much appreciated, thanks!
> >>>
> >>> --
> >>>
> >>> Josh Guild
> >>> Network Intelligence Analyst
> >>> https://twitter.com/stay_spooky
> >>> https://keybase.io/joshuaguild
> >>>
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > --
> >
> > Josh Guild
> > Network Intelligence Analyst
> > https://twitter.com/stay_spooky
> > https://keybase.io/joshuaguild
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Josh Guild
Network Intelligence Analyst
From Izik.Birka at hot.net.il Sun May 14 00:28:10 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Sun, 14 May 2017 07:28:10 +0000
Subject: [Bro] smb_cmd.log
Message-ID: <592228F4D0C8504187F2F76658040CB6DFFC01D7@HOT-MAILBOX-02.HOT.NET.IL>

Hi

I enable SMB detection

I have smb_file.log and smb_mapping.log

But I don't have the smb_cmd.log , why is that ?

thanks

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.

From bill.de.ping at gmail.com Sun May 14 21:11:08 2017
From: bill.de.ping at gmail.com (william de ping)
Date: Mon, 15 May 2017 07:11:08 +0300
Subject: [Bro] smb_cmd.log
Message-ID:

Hi Izik,

in share/bro/policy/protocols/smb/main.smb look for write_cmd_log =F, if you change it to T, it will start the printing.

good luck
B

On Sun, May 14, 2017 at 10:28 AM, Izik Birka wrote:
> Hi
>
> I enable SMB detection
>
> I have smb_file.log and smb_mapping.log
>
> But I don't have the smb_cmd.log , why is that ?
>
> thanks
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From pssunu6 at gmail.com Mon May 15 00:44:53 2017
From: pssunu6 at gmail.com (ps sunu)
Date: Mon, 15 May 2017 13:14:53 +0530
Subject: [Bro] smb-ransomware.bro enough information in notice.log
Message-ID:

Hi

The smb-ransomware.bro script doesn't have enough information in the notice log, https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro

The notice log below doesn't have connection info, for example where to where the ransomware was found:

    $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
        {
        NOTICE([$note=RANSOMWARE_SMB, $msg="Ransomware encrypting share detected"]);
        }]);

regards,
Sunu
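As an added example (not from the fox-it script or from the post above), one way to get "where" into that notice: the SumStats threshold callback receives only a key and a result, never a connection, so the client address has to travel in the key and be copied into the notice's `$src`, `$n` and `$identifier` fields. The stream name, notice name, threshold and the choice of `smb2_write_request` as the observation point are assumptions made here; the fox-it script's own names and logic may differ.

```bro
# Added example: enrich RANSOMWARE_SMB notices with the host that crossed the
# threshold. Stream/notice names and the threshold are constructed here and are
# not taken from the fox-it script. Bro 2.5 ships the SMB analyzer under policy/.
@load base/frameworks/sumstats
@load base/frameworks/notice
@load protocols/smb

module SMBRansomwareNotice;

export {
    redef enum Notice::Type += {
        ## Raised when one client writes to an unusual number of SMB files.
        RANSOMWARE_SMB
    };

    ## Writes per client per epoch before a notice is raised (constructed value).
    const write_threshold: double = 200.0 &redef;

    ## Measurement window (constructed value).
    const epoch: interval = 5min &redef;
}

# Assumption: one observation per SMB2 write request, keyed by the client
# address so that the key carries the information the notice needs later.
event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
                         offset: count, length: count)
    {
    SumStats::observe("smb.write.requests", [$host=c$id$orig_h], [$num=1]);
    }

event bro_init()
    {
    local r = SumStats::Reducer($stream="smb.write.requests",
                                $apply=set(SumStats::SUM));

    SumStats::create([$name="smb-ransomware-writes",
                      $epoch=epoch,
                      $reducers=set(r),
                      $threshold=write_threshold,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["smb.write.requests"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # No connection is available here (on a cluster this runs on
                          # the manager), so the key is the only source of "where".
                          local writes = result["smb.write.requests"]$sum;
                          NOTICE([$note=RANSOMWARE_SMB,
                                  $msg=fmt("Ransomware encrypting share detected: %s issued %.0f SMB writes in %s",
                                           key$host, writes, epoch),
                                  $src=key$host,
                                  $n=double_to_count(writes),
                                  # One notice per client per suppression interval.
                                  $identifier=cat(key$host)]);
                          }]);
    }
```

With `$src` set, notice.log carries the client address in its src column, and `$identifier` keeps a noisy client from producing one notice per epoch.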
From rak at capmon.dk Mon May 15 02:27:54 2017
From: rak at capmon.dk (Raj Kumar)
Date: Mon, 15 May 2017 11:27:54 +0200
Subject: [Bro] BRO IDS
Message-ID:

Hi All,

I have installed bro ids for network security monitoring, and I am trying to match the ip addresses of threat feeds with the ip addresses in bro logs. But I am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip. How to get the exact ip address in BRO logs.

Any help would be really helpful

Thanks,
Raj

From BLMILLER at comerica.com Mon May 15 06:21:02 2017
From: BLMILLER at comerica.com (Miller, Brad L)
Date: Mon, 15 May 2017 13:21:02 +0000
Subject: [Bro] BRO IDS
In-Reply-To: References: Message-ID:

I think that entirely depends upon the placement of the sniffing points. If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest.

Is your sniffing interface placed well to monitor traffic of interest to you? What spanning/mirroring technology are you using?

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Raj Kumar
Sent: Monday, May 15, 2017 5:28 AM
To: bro at bro.org
Subject: [Bro] BRO IDS

Hi All,

I have installed bro ids for network security monitoring, and I am trying to match the ip addresses of threat feeds with the ip addresses in bro logs. But I am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip. How to get the exact ip address in BRO logs.

Any help would be really helpful

Thanks,
Raj

Please be aware that if you reply directly to this particular message, your reply may not be secure.
Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the "Contact Us" forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email.

From rak at capmon.dk Mon May 15 06:46:51 2017
From: rak at capmon.dk (Raj Kumar)
Date: Mon, 15 May 2017 15:46:51 +0200
Subject: [Bro] BRO IDS
In-Reply-To: References: Message-ID:

Thank you very much for the reply.

I just installed the bro in my linux machine and i edited node.cfg

    [bro]
    type=standalone
    host=localhost
    interface=eth0
    broargs= -i wlan0

thats it :)

Please do let me know, what has to be done.

On 15 May 2017 at 15:21, Miller, Brad L wrote:
> I think that entirely depends upon the placement of the sniffing points. If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest.
>
> Is your sniffing interface placed well to monitor traffic of interest to you? What spanning/mirroring technology are you using?
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Raj Kumar
> Sent: Monday, May 15, 2017 5:28 AM
> To: bro at bro.org
> Subject: [Bro] BRO IDS
>
> Hi All,
>
> I have installed bro ids for network security monitoring, and I am trying to match the ip addresses of threat feeds with the ip addresses in bro logs. But I am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip. How to get the exact ip address in BRO logs.
>
> Any help would be really helpful
>
> Thanks,
>
> Raj

--
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk
From BLMILLER at comerica.com Mon May 15 06:58:03 2017
From: BLMILLER at comerica.com (Miller, Brad L)
Date: Mon, 15 May 2017 13:58:03 +0000
Subject: [Bro] BRO IDS
In-Reply-To: References: Message-ID:

I'm a bit confused about the broargs setting. Are you intending to sniff traffic on wlan0 or eth0? Depending upon your need and specific hardware, your wlan interface may or may not be able to be put into promiscuous mode, and if not associated with an access point it will probably receive no meaningful traffic except what the host system is generating itself.

I would suggest removing the broargs setting and sniffing on eth0 as a test. You could then send your NSM some meaningful traffic (SMB, ssh, ping) and see if your configuration will log this traffic as it should be seen. Given that, you can expand into placing that interface on a span of more interesting traffic (like an egress point, the inside interface of a proxy, or the inside interface of a DNS server).

From: Raj Kumar [mailto:rak at capmon.dk]
Sent: Monday, May 15, 2017 9:47 AM
To: Miller, Brad L
Cc: bro at bro.org
Subject: Re: [Bro] BRO IDS

Thank you very much for the reply.

I just installed the bro in my linux machine and i edited node.cfg

    [bro]
    type=standalone
    host=localhost
    interface=eth0
    broargs= -i wlan0

thats it :)

Please do let me know, what has to be done.

On 15 May 2017 at 15:21, Miller, Brad L wrote:

I think that entirely depends upon the placement of the sniffing points. If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest.

Is your sniffing interface placed well to monitor traffic of interest to you? What spanning/mirroring technology are you using?
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Raj Kumar
Sent: Monday, May 15, 2017 5:28 AM
To: bro at bro.org
Subject: [Bro] BRO IDS

Hi All,

I have installed bro ids for network security monitoring, and I am trying to match the ip addresses of threat feeds with the ip addresses in bro logs. But I am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip. How to get the exact ip address in BRO logs.

Any help would be really helpful

Thanks,
Raj

--
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk
If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/169bade6/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 18048 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/169bade6/attachment-0001.bin From rak at capmon.dk Mon May 15 07:23:42 2017 From: rak at capmon.dk (Raj Kumar) Date: Mon, 15 May 2017 16:23:42 +0200 Subject: [Bro] BRO IDS In-Reply-To: References: Message-ID: Thank you very much for valuable suggestion ,I will remove broargs settings,if we want to sniff both the interfaces like wlan0 and eth0 is it possible ? On 15 May 2017 at 15:58, Miller, Brad L wrote: > I?m a bit confused about the broargs setting. Are you intending to sniff > traffic on wlan0 or eth0? Depending upon your need and specific hardware, > your wlan interface may or may not be able to be put into promiscuous mode, > and if not associated with an access point it will probably receive no > meaningful traffic except what the host system is generating itself. > > > > I would suggest removing the broargs setting and sniff on eth0 as a test. > You could then send your NSM some meaningful traffic (SMB, ssh, ping) and > see if your configuration will logs this traffic as it should be seen. > Given that, you can expand into placing that interface on a span of more > interesting traffic (like egress point, inside interface of a proxy, or > inside interface of a DNS server). > > > > > > > > *From:* Raj Kumar [mailto:rak at capmon.dk] > *Sent:* Monday, May 15, 2017 9:47 AM > *To:* Miller, Brad L > *Cc:* bro at bro.org > *Subject:* Re: [Bro] BRO IDS > > > > Thank you very much for the reply. 
> > I just installed the bro in my linux machine and i edited node.cfg > > [bro] > > type=standalone > > host=localhost > > interface=eth0 > > broargs= -i wlan0 > > > > thats it :) > > > > Please do let me know ,what has to be done. > > > > On 15 May 2017 at 15:21, Miller, Brad L wrote: > > I think that entirely depends upon the placement of the sniffing points. > If you sniff on a network without placing at an egress or ingress point, > you will see multicast/broadcast traffic that you happen to see, but not > much more of interest. > > > > Is your sniffing interface placed well to monitor traffic of interest to > you? What spanning/mirroring technology are you using? > > > > *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *Raj > Kumar > *Sent:* Monday, May 15, 2017 5:28 AM > *To:* bro at bro.org > *Subject:* [Bro] BRO IDS > > > > Hi All, > > > > I have installed bro ids for network security monitoring ,am trying to > match the ip address of threats feeds with ip address in bro logs.But am > getting only multicast 224.0.0.251 239.255.255.250 and not the actual > destination ip .How to get the exact ip address in BRO logs. > > > > Any help would be really helpful > > > > Thanks, > > *Raj* > > > > > > Please be aware that if you reply directly to this particular message, > your reply may not be secure. Do not use email to send us communications > that contain unencrypted confidential information such as passwords, > account numbers or Social Security numbers. If you must provide this type > of information, please visit comerica.com to submit a secure form using > any of the ?Contact Us? forms. In addition, you should not send via email > any inquiry or request that may be time sensitive. The information in this > e-mail is confidential. It is intended for the individual or entity to whom > it is addressed. If you have received this email in error, please destroy > or delete the message and advise the sender of the error by return email. 
> > > > > > -- > > *Raj* > > *IT Consultant* > > *Mobile: **+45 **81923531* > > *Lysk?r 9 [image: Inline images 1]* > > *2730 Herlev, Denmark * > > *Web: **http://www.capmon.dk > * > > > Please be aware that if you reply directly to this particular message, > your reply may not be secure. Do not use email to send us communications > that contain unencrypted confidential information such as passwords, > account numbers or Social Security numbers. If you must provide this type > of information, please visit comerica.com to submit a secure form using > any of the ?Contact Us? forms. In addition, you should not send via email > any inquiry or request that may be time sensitive. The information in this > e-mail is confidential. It is intended for the individual or entity to whom > it is addressed. If you have received this email in error, please destroy > or delete the message and advise the sender of the error by return email. > -- *Raj* *IT Consultant* *Mobile: ** +45 **81923531* *Lysk?r 9** [image: Inline images 1]* *2730 Herlev, Denmark * *Web: **http://www.capmon.dk * -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/3337d3e4/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 18048 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/3337d3e4/attachment-0002.bin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image001.png Type: image/png Size: 18048 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/3337d3e4/attachment-0003.bin From BLMILLER at comerica.com Mon May 15 08:09:37 2017 From: BLMILLER at comerica.com (Miller, Brad L) Date: Mon, 15 May 2017 15:09:37 +0000 Subject: [Bro] BRO IDS In-Reply-To: References: Message-ID: It may be possible to sniff a wireless interface, but that depends on quite a few variables like the hardware being used. You also must associate with an access point to sniff the data effectively (I?ve personally done it on many occasions). It is possible to sniff wireless effectively using Kismet, or airodump-ng. In both cases you can create logs or packet captures from the tool and those may be read into Bro directly. Keep in mind that any sniffing of wireless traffic on a wireless network where you are the client will yield interesting data but not all the packets you may be concerned about. It may be more effective to mirror the ethernet interfaces on access points and send that traffic to your Bro NSM. You can do that with taps/spans/or more fancy tools. From: Raj Kumar [mailto:rak at capmon.dk] Sent: Monday, May 15, 2017 10:24 AM To: Miller, Brad L Cc: bro at bro.org Subject: Re: [Bro] BRO IDS Thank you very much for valuable suggestion ,I will remove broargs settings,if we want to sniff both the interfaces like wlan0 and eth0 is it possible ? On 15 May 2017 at 15:58, Miller, Brad L > wrote: I?m a bit confused about the broargs setting. Are you intending to sniff traffic on wlan0 or eth0? Depending upon your need and specific hardware, your wlan interface may or may not be able to be put into promiscuous mode, and if not associated with an access point it will probably receive no meaningful traffic except what the host system is generating itself. I would suggest removing the broargs setting and sniff on eth0 as a test. 
You could then send your NSM some meaningful traffic (SMB, ssh, ping) and see if your configuration will logs this traffic as it should be seen. Given that, you can expand into placing that interface on a span of more interesting traffic (like egress point, inside interface of a proxy, or inside interface of a DNS server). From: Raj Kumar [mailto:rak at capmon.dk] Sent: Monday, May 15, 2017 9:47 AM To: Miller, Brad L Cc: bro at bro.org Subject: Re: [Bro] BRO IDS Thank you very much for the reply. I just installed the bro in my linux machine and i edited node.cfg [bro] type=standalone host=localhost interface=eth0 broargs= -i wlan0 thats it :) Please do let me know ,what has to be done. On 15 May 2017 at 15:21, Miller, Brad L > wrote: I think that entirely depends upon the placement of the sniffing points. If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest. Is your sniffing interface placed well to monitor traffic of interest to you? What spanning/mirroring technology are you using? From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Raj Kumar Sent: Monday, May 15, 2017 5:28 AM To: bro at bro.org Subject: [Bro] BRO IDS Hi All, I have installed bro ids for network security monitoring ,am trying to match the ip address of threats feeds with ip address in bro logs.But am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip .How to get the exact ip address in BRO logs. Any help would be really helpful Thanks, Raj Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the ?Contact Us? forms. 
In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email. -- Raj IT Consultant Mobile: +45 81923531 Lysk?r 9 [Inline images 1] 2730 Herlev, Denmark Web: http://www.capmon.dk Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the ?Contact Us? forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email. -- Raj IT Consultant Mobile: +45 81923531 Lysk?r 9 [Inline images 1] 2730 Herlev, Denmark Web: http://www.capmon.dk Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the ?Contact Us? forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. 
If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/6afef673/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 18048 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170515/6afef673/attachment-0001.bin From seth at corelight.com Mon May 15 13:48:36 2017 From: seth at corelight.com (Seth Hall) Date: Mon, 15 May 2017 16:48:36 -0400 Subject: [Bro] smb_cmd.log In-Reply-To: References: Message-ID: <0F229A0D-E1AD-45E6-8D56-A52CF5B4D337@corelight.com> > On May 15, 2017, at 12:11 AM, william de ping wrote: > > in share/bro/policy/protocols/smb/main.smb > look for write_cmd_log =F, if you change it to T, it will start the printing. As a small addendum; that log probably isn't very useful. It was mostly created to be used during development because it logs every single SMB cmd that is seen (and there are *lots* of SMB cmd messages sent around). .Seth -- Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com From anthony.kasza at gmail.com Mon May 15 14:51:58 2017 From: anthony.kasza at gmail.com (anthony kasza) Date: Mon, 15 May 2017 15:51:58 -0600 Subject: [Bro] WannaCrypt traffic In-Reply-To: References: Message-ID: Has anyone tested a WannaCrypt trace file against Bro's SMB analyzer and file extraction yet? I'm curious to hear the results. -AK -------------- next part -------------- An HTML attachment was scrubbed... 
From yuza.rasfar at gmail.com Mon May 15 20:02:32 2017
From: yuza.rasfar at gmail.com (tkg_cangkul)
Date: Tue, 16 May 2017 10:02:32 +0700
Subject: [Bro] ransomware pcap
Message-ID: <591A6BC8.3030103@gmail.com>

Cool, do you have any ransomware file to test this bro script? Can you share it here?

Thanks,

On 03/05/17 14:54, ps sunu wrote:
> any pcap available for test
> https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
> script
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From rak at capmon.dk Tue May 16 07:23:36 2017
From: rak at capmon.dk (Raj Kumar)
Date: Tue, 16 May 2017 16:23:36 +0200
Subject: [Bro] Ransomware

Hi All,

Is there any ransomware pcap to test the bro smb scripts?

Thanks
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk

From vladg at illinois.edu Tue May 16 09:43:31 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Tue, 16 May 2017 09:43:31 -0700
Subject: [Bro] bro files - network drive
In-Reply-To: <201705100901.v4A91kg9017488@vladg.net>
References: <201705100901.v4A91kg9017488@vladg.net>

Izik Birka writes:

> Why when I only search file in network drive all the files in the
> network drive are written to files.log ?

I'm assuming you mean over SMB? More data than just file transfers is logged because it can be useful for incident response.

> How can I detect a real file transfer ?

Take a look at the total_bytes and seen_bytes fields.

--Vlad

From vladg at illinois.edu Tue May 16 09:49:51 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Tue, 16 May 2017 09:49:51 -0700
Subject: [Bro] On Bro's configuration file
In-Reply-To: <201704151622.v3FGMfiq011994@vladg.net>
References: <201704151622.v3FGMfiq011994@vladg.net>

I didn't see a response, but perhaps I missed it.

"LinuxBSDos.com" writes:

> 1. In node.cfg, what if I have two interfaces on a server that I'd like
> to monitor, can I add the second interface, like
> "interface=eth0,eth1"?

No, you'll either need to create a bond interface, or add two entries in there.

> 2. Regarding the networks.cfg file, it says it's a "List of local
> networks", while the docs say it's a list of "networks that Bro will
> consider local to the monitored environment".
>
> By "local", does that mean _any_ IP address network associated with the
> server, including the one that a private interface belongs to, and the
> loopback interface?

Most deployments add RFC-1918 space to that list as well. That list mainly feeds a helper function, Site::is_local_addr [1]. This is used in a few places, such as known_hosts. It's mainly used to differentiate "your" networks from "other" networks. If you have some RFC-1918 space that isn't yours, you should consider not including that there, and possibly listing it as a neighbor network.

--Vlad

[1] -

From Izik.Birka at hot.net.il Wed May 17 02:03:05 2017
From: Izik.Birka at hot.net.il (Izik Birka)
Date: Wed, 17 May 2017 09:03:05 +0000
Subject: [Bro] bro files - network drive
References: <201705100901.v4A91kg9017488@vladg.net>
Message-ID: <592228F4D0C8504187F2F76658040CB6DFFD499D@HOT-MAILBOX-02.HOT.NET.IL>

Hi,

Yes, over SMB. My problem is that when I search files on the file server, all the files are written to files.log (including total_bytes and seen_bytes data), and because of that I can't distinguish between a search on the file server and copying files from the file server.

Any suggestion?

Thanks

-----Original Message-----
From: Vlad Grigorescu [mailto:vladg at illinois.edu]
Sent: Tuesday, May 16, 2017 7:44 PM
To: Izik Birka ; bro at bro.org
Subject: Re: [Bro] bro files - network drive

Izik Birka writes:

> Why when I only search file in network drive all the files in the
> network drive are written to files.log ?

I'm assuming you mean over SMB? More data than just file transfers is logged because it can be useful for incident response.

> How can I detect a real file transfer ?

Take a look at the total_bytes and seen_bytes fields.

--Vlad

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.
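Vlad's answer above on monitoring two interfaces ("add two entries in there" rather than `interface=eth0,eth1`), as an added node.cfg example that is not from the thread or from the Bro project: the standalone node type in the thread's own node.cfg takes a single `interface=`, so a second interface means the cluster layout, with one worker section per interface. The section names `worker-1`/`worker-2`, the single proxy and `host=localhost` are this example's choices, not something the thread specifies.

```ini
# node.cfg: one Bro worker per monitored interface (added example, not from the thread).
# Standalone mode accepts a single "interface=", so two interfaces mean the
# cluster layout: a manager, a proxy and a worker per interface, all on this host.
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0

[worker-2]
type=worker
host=localhost
interface=eth1
```

With this layout each worker sees only its own interface's traffic, so conn.log entries from the two links are tagged by the worker that produced them; if you instead want a single packet stream, Vlad's other option (a bond interface carrying both links, named in one standalone or worker section) applies.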
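A worked version of Vlad's pointer to the total_bytes and seen_bytes fields, added here as example code that is not from the thread or from Bro itself. It parses Bro's default ASCII files.log layout (tab-separated, a `#fields` header naming the columns, `-` for an unset value) and puts each record's seen_bytes beside its total_bytes, which is the comparison Izik's question needs. The sample log is constructed, and the verdict thresholds (seen_bytes of 0 or unset means no content crossed the wire; seen_bytes reaching total_bytes means a full read) are this example's assumptions, not something the thread establishes.

```python
"""Put seen_bytes beside total_bytes for every files.log record.

Added example, not code from the mailing-list thread or from Bro.
Assumes Bro's default ASCII log format: tab-separated columns named by
a '#fields' header line, '-' for unset values, other '#' lines as metadata.
"""

# Constructed files.log excerpt (not a real capture); only the columns
# needed here are kept, in the order a real header would list them.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\tconn_uids\tsource\tfilename\ttotal_bytes\tseen_bytes\tmissing_bytes\n"
    "#types\ttime\tstring\tset[string]\tstring\tstring\tcount\tcount\tcount\n"
    "1495000001.000000\tFaaaa1\tCuid01\tSMB\treport.docx\t40960\t0\t0\n"
    "1495000002.000000\tFbbbb2\tCuid02\tSMB\tbudget.xlsx\t20480\t20480\t0\n"
    "1495000003.000000\tFcccc3\tCuid03\tSMB\tlarge.iso\t4194304\t65536\t0\n"
    "1495000004.000000\tFdddd4\tCuid04\tSMB\tnotes.txt\t-\t512\t0\n"
    "1495000005.000000\tFeeee5\tCuid05\tHTTP\tindex.html\t1024\t1024\t0\n"
    "#close\t2017-05-17-09-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per data record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #close and other metadata lines
        if fields is None:
            raise ValueError("data line seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield dict(zip(fields, values))


def to_count(value):
    """Bro writes '-' for an unset count field; map it to None."""
    return None if value == "-" else int(value)


def verdict(total, seen):
    """Classify how much of a file's content the sensor actually observed.

    Thresholds are this example's assumption: no seen bytes means the file
    was only named (listed/opened); seen >= total means a complete read.
    """
    if not seen:                  # None or 0
        return "metadata_only"
    if total is None:             # content seen, but the size was never announced
        return "content_unknown_size"
    if seen >= total:
        return "complete"
    return "partial"


def summarize(text, source=None):
    """Return (fuid, conn_uids, filename, seen, total, verdict) per record.

    'source' restricts the output to one analyzer, e.g. "SMB".
    """
    rows = []
    for rec in parse_bro_log(text):
        if source is not None and rec["source"] != source:
            continue
        total = to_count(rec["total_bytes"])
        seen = to_count(rec["seen_bytes"])
        rows.append((rec["fuid"], rec["conn_uids"], rec["filename"],
                     seen, total, verdict(total, seen)))
    return rows


if __name__ == "__main__":
    for fuid, cuid, name, seen, total, v in summarize(SAMPLE_FILES_LOG, source="SMB"):
        print("%s %s %-12s seen=%s total=%s -> %s" % (fuid, cuid, name, seen, total, v))
```

The conn_uids column is carried through so that a "complete" or "partial" verdict can be joined back to conn.log (and, on a real sensor, to the SMB logs) for the session that performed the read; records that only ever show up as "metadata_only" are the ones a directory listing or search would leave behind under these assumptions.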
From tomas.bortoli at sit.fraunhofer.de Wed May 17 07:39:15 2017
From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas)
Date: Wed, 17 May 2017 14:39:15 +0000
Subject: [Bro] testing binpac generated parser

Hi all,

I am having trouble getting any sign of functioning from a simple parser defined in binpac. I followed the tutorial at: https://github.com/grigorescu/binpac_quickstart

Then I wrote pretty simple header definitions in my *-protocol.pac definition, then I added a print `std::cout << "Name PDU" << endl;` after the statement that generates the basic PDU event for the bro policy script engine in the *-analyzer.pac.

I successfully compiled the parser definitions with binpac and then I recompiled bro (observing that the new parser is included in the compilation process). But then when I run bro with a pcap file that contains a packet that should be parsed by the binpac generated code, I don't get any output and don't know how to troubleshoot it.

Any suggestion?

thanks in advance,
Tomas

From anastasakis62 at gmail.com Thu May 18 08:31:33 2017
From: anastasakis62 at gmail.com (mike anastasakis)
Date: Thu, 18 May 2017 17:31:33 +0200
Subject: [Bro] Connections in conn.log

Hello,

I have a question regarding how the connections are created in conn.log. I thought that the combination tuple of (src_ip, src_port, dest_ip, dest_port) was used to define one connection but this is not the case.

From my conn.log file I have 6 connections with 6 unique different uids but with the same exact combination tuple mentioned above. The first connection is the one that establishes the ssl connection and the other 5 are identified as OTH, which is "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)."

Are they not all included in the same connection because bro did not identify the ssl connection closing? If so, does this mean that bro considers a flow as a unique connection if there is a problem with the protocol beginning and ending?

Kind Regards,
Michael

From mohan.rao at ranksoftwareinc.com Thu May 18 13:14:22 2017
From: mohan.rao at ranksoftwareinc.com (Mohan Rao)
Date: Thu, 18 May 2017 20:14:22 +0000
Subject: [Bro] DDS and RTPS protocol analyzer

Does anyone know if a protocol analyzer exists for DDS and RTPS (Real Time Pub Sub) - https://en.wikipedia.org/wiki/Data_Distribution_Service and http://www.omg.org/spec/DDSI-RTPS/

If not, can someone point me in the right direction for how I could go about building one? Is BinPAC the right place to start?

Appreciate any help!!

From rak at capmon.dk Fri May 19 02:38:18 2017
From: rak at capmon.dk (Raj Kumar)
Date: Fri, 19 May 2017 11:38:18 +0200
Subject: [Bro] TORRENT Detection -BRO

Hi All,

Will I be able to detect torrent downloads using bro? I could see some torrent analyzers; is there any load statement I should include in local.bro, or how do I detect it?

Thanks,
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk

From marcin.nawrocki at fu-berlin.de Fri May 19 10:21:36 2017
From: marcin.nawrocki at fu-berlin.de (Marcin Nawrocki)
Date: Fri, 19 May 2017 19:21:36 +0200
Subject: [Bro] Connections in conn.log
Message-ID: <88a57497-ad01-a81f-a06f-227ec64d7201@fu-berlin.de>

Hello bro community,

are all connection attempts recorded in conn.log? Let us assume I am monitoring interface eth0, will I see every connection in this log file ...

* ...independent of the transport layer protocol (udp, tcp, mptcp...) and its properties (ports)
* ...independent of firewalls like iptables blocking incoming packets on eth0
* ...independent of firewalls like iptables forwarding incoming packets on eth0 to special targets like NFQUEUE and libnetfilter_queue

Regards,
Marcin

On 18-May-17 at 17:31, mike anastasakis wrote:
> Hello,
>
> I have a question regarding how the connections are created in conn.log.
> I thought that the combination tuple of (src_ip, src_port, dest_ip,
> dest_port) was used to define one connection but this is not the case.
>
> From my conn.log file I have 6 connections with 6 unique
> different uids but with the same exact combination tuple mentioned above.
>
> The first connection is the one that establishes the ssl connection
> and the other 5 are identified as OTH, which is "No SYN seen, just
> midstream traffic (a 'partial connection' that was not later closed)."
>
> Are they not all included in the same connection because bro did not
> identify the ssl connection closing? If so, does this mean that bro
> considers a flow as a unique connection if there is a problem with the protocol
> beginning and ending?
>
>
> Kind Regards,
> Michael
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From rak at capmon.dk Mon May 22 01:08:50 2017
From: rak at capmon.dk (Raj Kumar)
Date: Mon, 22 May 2017 10:08:50 +0200
Subject: [Bro] SMB analyzer

Hi All,

I have enabled the smb analyzer in my local.bro. How do I test if the smb scripts work, because I could see only the usual logs like conn.log, etc.?

Thanks,
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk

From cchiaverini at bnl.gov Mon May 22 11:52:37 2017
From: cchiaverini at bnl.gov (Chris Chiaverini)
Date: Mon, 22 May 2017 14:52:37 -0400
Subject: [Bro] Timemachine question - pkts_to_disk did not flush
Message-ID: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov>

Please help.

I was collecting something in particular and noticed that timemachine is not flushing to disk as expected.

I have my "all" class set to 100 packets and the class log shows 108 packets but there is no pcap file yet. Is there a way to force timemachine to flush to disk (kill switch maybe?)?
This is my timemachine.cfg:

global filter is by host

filter "host xxx.xxx.xxx.xxx";

class "all" {
#filter "";
precedence 1;
cutoff no;
disk 50g;
filesize 128m;
mem 5000m;
pkts_to_disk 100;
}

Here is the class log:

# head -1 classes.timemachine.log && tail -1 classes.timemachine.log
timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00
#

--
Regards,
Chris

From kgoldman at us.ibm.com Mon May 22 12:43:13 2017
From: kgoldman at us.ibm.com (Kenneth Goldman)
Date: Mon, 22 May 2017 15:43:13 -0400
Subject: [Bro] does bro need root privilege?

New user, with a Fedora install.

1 - Starting with the basics. As a normal user:

[BroControl] > install
Error: running "bro -v" failed with output:
can't open 'debug.log' for debugging output

Does bro have to run as root?

2 - Is there an NNTP reflector for this mailing list?

--
Ken Goldman kgoldman at us.ibm.com
914-945-2415 (862-2415)

From dnthayer at illinois.edu Mon May 22 13:47:08 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Mon, 22 May 2017 15:47:08 -0500
Subject: [Bro] does bro need root privilege?
Message-ID: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>

The BroControl documentation explains how to run as a normal user:
https://www.bro.org/sphinx/components/broctl/README.html#using-brocontrol-as-an-unprivileged-user

On 5/22/17 2:43 PM, Kenneth Goldman wrote:
> New user, with a Fedora install.
>
> 1 - Starting with the basics. As a normal user:
>
> [BroControl] > install
> Error: running "bro -v" failed with output:
> can't open 'debug.log' for debugging output
>
> Does bro have to run as root?
>
> 2 - Is there an NNTP reflector for this mailing list?
> > -- > Ken Goldman kgoldman at us.ibm.com > 914-945-2415 (862-2415) > > > From asharma at lbl.gov Mon May 22 16:10:12 2017 From: asharma at lbl.gov (Aashish Sharma) Date: Mon, 22 May 2017 16:10:12 -0700 Subject: [Bro] Timemachine question - pkts_to_disk did not flush In-Reply-To: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> References: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> Message-ID: <20170522231011.GN84772@mac-822.local> Chris, I think because you've got mem 5000m which means about 5GB of pcaps will be in memory before starts writing to disk. (Huge mem option is generaully useful for when bro talks to timemachine and needs to extract pcaps for particular notices. TimeMachine searches memory before searching on the disk for said connections) Aashish On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote: > Please help. > > I was collecting something in particular an noticed that timemachine is > not flushing to disk as expected. > > I have my "all" class set to 100 packets and the class log shows 108 > packets but there is no pcap file yet. Is there a way to force > timemachine to flush to disk (kill switch maybe?)? 
> > This is my timemachine.cfg: > > global filter is by host > > > > filter "host xxx.xxx.xxx.xxx"; > > > class "all" { > #filter ""; > precedence 1; > cutoff no; > disk 50g; > filesize 128m; > mem 5000m; > pkts_to_disk 100; > } > > Here is the class log: > > # head -1 classes.timemachine.log && tail -1 classes.timemachine.log > timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes > mem_pkts mem_dt disk_bytes disk_pkts disk_dt > 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00 > # > > > -- > > > Regards, > > Chris > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From asharma at lbl.gov Mon May 22 16:23:17 2017 From: asharma at lbl.gov (Aashish Sharma) Date: Mon, 22 May 2017 16:23:17 -0700 Subject: [Bro] Timemachine question - pkts_to_disk did not flush In-Reply-To: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> References: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> Message-ID: <20170522232316.GO84772@mac-822.local> (OK, I was wondering about pkts_to_disk option so hand to confirm) I think, So pkts_to_disk actually has different purpose than you originally thought. check out: doc/howto.rst mem Allocate RAM storage of bytes in size. pkts_to_disk 2 The moment packets are to be evicted from the RAM buffers to disk, this number determines how many packets to move at a single step. I'd try a 0 or a low value for mem and a large value for pkts_to_disk. Aashish On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote: > Please help. > > I was collecting something in particular an noticed that timemachine is > not flushing to disk as expected. > > I have my "all" class set to 100 packets and the class log shows 108 > packets but there is no pcap file yet. Is there a way to force > timemachine to flush to disk (kill switch maybe?)? 
> > This is my timemachine.cfg: > > global filter is by host > > > > filter "host xxx.xxx.xxx.xxx"; > > > class "all" { > #filter ""; > precedence 1; > cutoff no; > disk 50g; > filesize 128m; > mem 5000m; > pkts_to_disk 100; > } > > Here is the class log: > > # head -1 classes.timemachine.log && tail -1 classes.timemachine.log > timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes > mem_pkts mem_dt disk_bytes disk_pkts disk_dt > 1495478432.93 class_all 7182 108 0 0 7182 108 541110.36 0 0 0.00 > # > > > -- > > > Regards, > > Chris > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From cchiaverini at bnl.gov Mon May 22 20:51:50 2017 From: cchiaverini at bnl.gov (Chiaverini, Christian) Date: Tue, 23 May 2017 03:51:50 +0000 Subject: [Bro] Timemachine question - pkts_to_disk did not flush In-Reply-To: <20170522232316.GO84772@mac-822.local> References: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> <20170522232316.GO84772@mac-822.local> Message-ID: <0DEDA79D-9909-4EDF-B6AE-0C983A16AFFD@bnl.gov> Thank you for clarifying. On the off chance, is there a kill signal I can send to a current running daemon to flush to disk? I have one running which I would like to flush to disk before resetting the config as you recommended. -- Regards, Chris On 5/22/17, 7:23 PM, "Aashish Sharma" wrote: (OK, I was wondering about pkts_to_disk option so hand to confirm) I think, So pkts_to_disk actually has different purpose than you originally thought. check out: doc/howto.rst mem Allocate RAM storage of bytes in size. pkts_to_disk 2 The moment packets are to be evicted from the RAM buffers to disk, this number determines how many packets to move at a single step. I'd try a 0 or a low value for mem and a large value for pkts_to_disk. Aashish On Mon, May 22, 2017 at 02:52:37PM -0400, Chris Chiaverini wrote: > Please help. 
From seth at corelight.com Tue May 23 06:31:15 2017
From: seth at corelight.com (Seth Hall)
Date: Tue, 23 May 2017 09:31:15 -0400
Subject: [Bro] SMB analyzer
Message-ID: <9AD0E1A9-54CE-42D1-B263-AE2A3CCCA0FE@corelight.com>

> On May 22, 2017, at 4:08 AM, Raj Kumar wrote:
>
> I have enabled the smb analyzer in my local.bro. How do I test if the smb scripts work, because I could see only the usual logs like conn.log, etc.?

Give it SMB traffic. :)

Sorry for the trite answer, but that's probably the best way as an initial step.

  .Seth

--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com

From bro at pingtrip.com Tue May 23 06:59:31 2017
From: bro at pingtrip.com (Dave Crawford)
Date: Tue, 23 May 2017 09:59:31 -0400
Subject: [Bro] does bro need root privilege?
In-Reply-To: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>
References: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>
Message-ID: <9D7F8B2B-ACDF-4644-A89A-83483E030412@pingtrip.com>

I also created a plugin to automate the necessary "setcap" calls during installs/deploys: https://github.com/PingTrip/broctl-setcap

- Dave

> On May 22, 2017, at 4:47 PM, Daniel Thayer wrote:
>
> The BroControl documentation explains how to run as a normal user:
> https://www.bro.org/sphinx/components/broctl/README.html#using-brocontrol-as-an-unprivileged-user
>
> On 5/22/17 2:43 PM, Kenneth Goldman wrote:
>> New user, with a Fedora install.
>>
>> 1 - Starting with the basics. As a normal user:
>>
>> [BroControl] > install
>> Error: running "bro -v" failed with output:
>> can't open 'debug.log' for debugging output
>>
>> Does bro have to run as root?
>>
>> 2 - Is there an NNTP reflector for this mailing list?
>>
>> --
>> Ken Goldman kgoldman at us.ibm.com
>> 914-945-2415 (862-2415)

From kgoldman at us.ibm.com Tue May 23 12:08:45 2017
From: kgoldman at us.ibm.com (Kenneth Goldman)
Date: Tue, 23 May 2017 15:08:45 -0400
Subject: [Bro] does bro need root privilege?
In-Reply-To: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>
References: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>

Daniel Thayer wrote on 05/22/2017 04:47:08 PM:

> From: Daniel Thayer
> To: Kenneth Goldman
> Date: 05/22/2017 04:47 PM
> Subject: Re: [Bro] does bro need root privilege?
>
> The BroControl documentation explains how to run as a normal user:
> https://www.bro.org/sphinx/components/broctl/README.html#using-brocontrol-as-an-unprivileged-user

The spool and logs directories are in my home directory, and I edited /etc/bro/broctl.cfg to point to them. They are rwx.

    SpoolDir = /home/kgold/bro/spool
    LogDir = /home/kgold/bro/logs

I'm still getting this error:

> > [BroControl] > install
> > Error: running "bro -v" failed with output:
> > can't open 'debug.log' for debugging output

Perhaps I'm editing the wrong configuration file and it's still trying to open debug.log in a different directory?

From dnthayer at illinois.edu Wed May 24 08:49:34 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Wed, 24 May 2017 10:49:34 -0500
Subject: [Bro] does bro need root privilege?
References: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu>

Which version of Bro are you using?
From daniel_aka_sniper_d at hotmail.com Wed May 24 11:40:12 2017
From: daniel_aka_sniper_d at hotmail.com (Sniper)
Date: Wed, 24 May 2017 18:40:12 +0000
Subject: [Bro] Creating anomaly detection IDPS

Hello Everyone,

I'm currently undertaking my dissertation at the moment, and I'm trying to find some tutorials on how to implement anomaly detection using BRO. Information seems to be very sparse where anomaly detection is concerned, but there's a wealth of information on signature-based detection.

Are there any step-by-step guides anywhere? Implementation, how to train the network using NSL-KDD, etc.? I've read a ton of journals but there are no instructions.

If you could help me out I would greatly appreciate it.

Thanks
Dan

From jlay at slave-tothe-box.net Wed May 24 12:42:56 2017
From: jlay at slave-tothe-box.net (James Lay)
Date: Wed, 24 May 2017 13:42:56 -0600
Subject: [Bro] Creating anomaly detection IDPS
Message-ID: <32cea1331f79511905e2b24ee10768b4@localhost>

These might help to get you started:

https://github.com/DigiAngel/bro-protosigs

James
From fatema.bannatwala at gmail.com Wed May 24 13:21:37 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 24 May 2017 16:21:37 -0400
Subject: [Bro] Creating anomaly detection IDPS

Hi Dan,

There are various ways one can detect anomalies using Bro based on the network traffic. Use of the Intel FW and Scan scripts with Bro gives a start to detect different types of scanning and other suspicious activity going on in the network.

Not sure what exactly your use-case is regarding NSL-KDD training sets with Bro. Are you trying to use Bro-generated network data as the test set for your classifiers/learning algos, or trying to feed Bro with the NSL-KDD training sets? I don't think machine learning is currently supported by Bro.

Or I might have misunderstood the question :)

-Fatema.

From BLMILLER at comerica.com Wed May 24 13:32:22 2017
From: BLMILLER at comerica.com (Miller, Brad L)
Date: Wed, 24 May 2017 20:32:22 +0000
Subject: [Bro] Creating anomaly detection IDPS

My take is that while Bro has the intel framework and bro scripts to classify and alert on traffic, the real anomaly detection/heavy lifting should be done where the bro data is stored. We use Bro as a (big) data source for analytics and discovery.
From fatema.bannatwala at gmail.com Wed May 24 13:42:02 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 24 May 2017 16:42:02 -0400
Subject: [Bro] does bro need root privilege?
Just out of curiosity, can you try giving rwx permissions for the local user to the src folder where you have compiled Bro, and see if that works? Usually, the debug.log isn't logged into the spool and log dirs.

Another thing you could try: run Bro as root again and once it succeeds, use the "locate debug.log" command to check where exactly it is getting generated, and then try giving that folder rwx permissions for the local user you would want to run Bro as.

-Fatema.

From briford.wylie at gmail.com Wed May 24 14:42:18 2017
From: briford.wylie at gmail.com (Brian Wylie)
Date: Wed, 24 May 2017 15:42:18 -0600
Subject: [Bro] Creating anomaly detection IDPS

There are several plugins at https://github.com/bro/bro-plugins where you can move/process the Bro data. If you like Python/Pandas/Scikit-Learn you might try the Python BroThon package (https://github.com/Kitware/BroThon) which I started working on... we're working on anomaly detection using scikit-learn i-forests and some other stuff with it...

If you want to use Bro scripts there might be some examples here to start playing around with:
- https://github.com/phirelight/bro-scripts
- https://github.com/sooshie/bro-scripts
- https://github.com/bro/bro-scripts
From fatema.bannatwala at gmail.com Wed May 24 17:58:13 2017
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Wed, 24 May 2017 20:58:13 -0400
Subject: [Bro] Creating anomaly detection IDPS

Hi Brian,

This looks really interesting, I didn't know about the Python package available for Bro data. Recently I took a course on search and data mining, and wondered if it could be done on Bro data; your post comes at the perfect time :) Will play around with it.

Thanks!
-Fatema.
From cchiaverini at bnl.gov Thu May 25 08:40:50 2017
From: cchiaverini at bnl.gov (Chris Chiaverini)
Date: Thu, 25 May 2017 11:40:50 -0400
Subject: [Bro] Timemachine question - pkts_to_disk did not flush
In-Reply-To: <20170522232316.GO84772@mac-822.local>
References: <312a6648-803d-6af1-6c15-115be018b882@bnl.gov> <20170522232316.GO84772@mac-822.local>
Message-ID: <173a306b-7175-9da8-26c5-dfc4f4db944a@bnl.gov>

Weird, same issue. 36 packets in memory:

    # head -1 classes.timemachine.log ; tail -1 classes.timemachine.log
    timestamp class stored_bytes stored_pkts cut_bytes cut_pkts mem_bytes mem_pkts mem_dt disk_bytes disk_pkts disk_dt
    1495726546.68 class_all 2394 36 0 0 0 0 0.00 0 0 0.00
    #

With configuration:

    class "all" {
    #filter "";
    precedence 1;
    # cutoff 10k;
    cutoff no;
    disk 50g;
    #filesize 1g;
    filesize 128m;
    mem 0;
    pkts_to_disk 2;
    }

Regards,
Chris Chiaverini
Cyber Security Operations
Brookhaven National Laboratory
Upton, New York 11973
From liburdi.joshua at gmail.com Thu May 25 11:55:10 2017
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Thu, 25 May 2017 14:55:10 -0400
Subject: [Bro] BroControl config to delete instead of archive on rotation

Anyone have experience with configuring BroControl to delete log files instead of archiving them upon rotation? I have a scenario where it's better for me to delete the rotated log files instead of keeping them around.

Thanks!
Josh

From vladg at illinois.edu Thu May 25 12:07:10 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Thu, 25 May 2017 14:07:10 -0500
Subject: [Bro] BroControl config to delete instead of archive on rotation
In-Reply-To: <201705251857.v4PIvalG130770@vladg.net>
References: <201705251857.v4PIvalG130770@vladg.net>

I don't, but you could try just changing broctl.cfg:

    CompressCmd = rm

Which really is just (very) lossy compression... :-)

I've been discussing the need for more fine-grained log expiration with a couple of people, but it's hard to give people all the knobs that they would need.
--Vlad

From liburdi.joshua at gmail.com Thu May 25 12:18:20 2017
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Thu, 25 May 2017 15:18:20 -0400
Subject: [Bro] BroControl config to delete instead of archive on rotation
References: <201705251857.v4PIvalG130770@vladg.net>

Thanks Vlad, that's an interesting suggestion. We're looking to minimize unnecessary file activity, so having an explicit option to delete instead of archive could be useful for some.
From dnthayer at illinois.edu Thu May 25 12:48:59 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 25 May 2017 14:48:59 -0500
Subject: [Bro] BroControl config to delete instead of archive on rotation

BroControl doesn't actually archive logs (Bro does that by running a script every time the logs are rotated). BroControl does have an option to expire archived logs, so you could set something like this in your broctl.cfg file:

    LogExpireInterval = 1hr

You could also turn off compression to reduce the load on your machine:

    CompressLogs = 0

A more drastic option is to modify the archive-log script to delete the logs before they are archived.

From dnthayer at illinois.edu Thu May 25 12:52:56 2017
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 25 May 2017 14:52:56 -0500
Subject: [Bro] BroControl config to delete instead of archive on rotation
References: <201705251857.v4PIvalG130770@vladg.net>

On 5/25/17 2:07 PM, Vlad Grigorescu wrote:
> I don't, but you could try just changing broctl.cfg: CompressCmd = rm
>
> Which really is just (very) lossy compression... :-)

Doing that would result in an archived log file of zero length. To truly delete the log would currently require modifications to the archive-log script.
From jazoff at illinois.edu Thu May 25 15:19:31 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 25 May 2017 22:19:31 +0000
Subject: [Bro] BroControl config to delete instead of archive on rotation
References: <201705251857.v4PIvalG130770@vladg.net>
Message-ID: <00496C48-E7F6-434C-BCC4-BD74FB1A02DD@illinois.edu>

> On May 25, 2017, at 3:52 PM, Daniel Thayer wrote:
>
> On 5/25/17 2:07 PM, Vlad Grigorescu wrote:
>> I don't, but you could try just changing broctl.cfg: CompressCmd = rm
>>
>> Which really is just (very) lossy compression... :-)
>
> Doing that would result in an archived log file of zero length.
> To truly delete the log would currently require modifications
> to the archive-log script.

I think we already support this, it just was never intended to be used for this purpose.

The archive-log script does this:

    # Run other postprocessors.
    if [ -d "${postprocdir}" ]; then
        for pp in "${postprocdir}"/*; do
            nice "$pp" $@
        done
    fi

    # Test if the log still exists in case one of the postprocessors archived it.
    if [ ! -f $file_name ]; then
        exit 0
    fi

So I think all one needs to do is

    ln -s /bin/rm /usr/local/bro/share/broctl/scripts/postprocessors/rm

--
- Justin Azoff

From tomas.bortoli at sit.fraunhofer.de Fri May 26 03:06:39 2017
From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas)
Date: Fri, 26 May 2017 10:06:39 +0000
Subject: [Bro] binpac to bro script types

Hi all,

I'm writing a plug-in for Bro and I'm having trouble passing types like timestamps from binpac code to the generated bro events.

I snooped the code under `src/analyzer/protocol/krb/krb-analyzer.pac` to check out how they build data structures for Bro scripts, and that works.

But when it comes to passing a uint[8] into a bro timestamp, I don't know how to do it.
Any idea?

Kind regards
From liburdi.joshua at gmail.com Fri May 26 08:06:51 2017
From: liburdi.joshua at gmail.com (Josh Liburdi)
Date: Fri, 26 May 2017 11:06:51 -0400
Subject: [Bro] BroControl config to delete instead of archive on rotation
In-Reply-To: <00496C48-E7F6-434C-BCC4-BD74FB1A02DD@illinois.edu>
References: <201705251857.v4PIvalG130770@vladg.net> <00496C48-E7F6-434C-BCC4-BD74FB1A02DD@illinois.edu>

Thanks for the feedback everyone.

Somewhat on this topic, have you guys ever thought about adding a socket writer (logging via the network) to Bro? That would be the most efficient way of minimizing disk I/O.
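The postprocessor hook Justin describes above (archive-log runs every executable in its postprocessors directory, then skips archiving if the rotated file is gone) can be used more selectively than a bare rm. The script below is an added example, not BroControl's own code: it deletes only rotated logs whose base name is on a discard list and leaves everything else for normal archiving. It assumes archive-log passes the rotated file's path as the first argument and its base name (e.g. conn) as the second; verify that against the archive-log script in your install before deploying it.

```shell
#!/bin/sh
# Added example (not BroControl's own code): a selective archive-log
# postprocessor. archive-log runs every executable in its postprocessors
# directory as `nice "$pp" $@` and then skips archiving when the rotated
# file no longer exists, so deleting the file here is enough to drop it.
#
# Assumption (verify against your archive-log): $1 is the rotated file's
# path and $2 its base name, e.g. "conn" or "weird".
#
# Install (postprocessors path as in Justin's message):
#   install -m 755 discard-logs /usr/local/bro/share/broctl/scripts/postprocessors/

# Space-separated base names to discard (example defaults); every other log
# is archived as usual. Override with DISCARD_LOGS in the environment.
DISCARD_LOGS="${DISCARD_LOGS:-weird loaded_scripts capture_loss}"

# discard_if_listed FILE BASE
# Deletes FILE when BASE is on the discard list.
# Returns 0 when the file was deleted, 1 when it was kept for archiving.
discard_if_listed() {
    file="$1"
    base="$2"
    for name in $DISCARD_LOGS; do
        if [ "$name" = "$base" ]; then
            rm -f -- "$file"
            return 0
        fi
    done
    return 1
}

# Only act when archive-log invokes the script with its arguments; exit 0
# either way so a kept log is never reported as a postprocessor failure.
if [ "$#" -ge 2 ]; then
    discard_if_listed "$1" "$2"
    exit 0
fi
```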
From jazoff at illinois.edu Fri May 26 08:08:40 2017
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 26 May 2017 15:08:40 +0000
Subject: [Bro] BroControl config to delete instead of archive on rotation
References: <201705251857.v4PIvalG130770@vladg.net> <00496C48-E7F6-434C-BCC4-BD74FB1A02DD@illinois.edu>
Message-ID: <53E8F115-5052-4EEB-9DB9-CFDB9F9F7520@illinois.edu>

> On May 26, 2017, at 11:06 AM, Josh Liburdi wrote:
>
> Thanks for the feedback everyone.
>
> Somewhat on this topic, have you guys ever thought about adding a socket writer (logging via the network) to Bro? That would be the most efficient way of minimizing disk I/O.

I've been meaning to write a ZMQ writer and an Exec writer (that you could just use to run something like netcat).

--
- Justin Azoff

From vladg at illinois.edu Fri May 26 08:54:20 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Fri, 26 May 2017 10:54:20 -0500
Subject: [Bro] binpac to bro script types
In-Reply-To: <201705261008.v4QA8Rep016155@vladg.net>
References: <201705261008.v4QA8Rep016155@vladg.net>

Well, I think you're on the right track. You need to do something like this line in smb-time.pac:

> Val* bro_ts = new Val(secs, TYPE_TIME);

The Val constructor with a type of time takes a double of seconds since the epoch (UNIX time) and gives you the Bro script timestamp val. How you actually convert whatever format you're working with to UNIX time is up to you and dependent on the format.

Does that make sense? If you can provide more information on how the timestamp is actually stored, someone might be able to help figure out how to convert it.

--Vlad
From vladg at illinois.edu Fri May 26 09:06:45 2017
From: vladg at illinois.edu (Vlad Grigorescu)
Date: Fri, 26 May 2017 11:06:45 -0500
Subject: [Bro] DDS and RTPS protocol analyzer
In-Reply-To: <201705182016.v4IKGE9c128023@vladg.net>
References: <201705182016.v4IKGE9c128023@vladg.net>

I'm not aware of any. Might be worth searching through GitHub, but I'd be a bit surprised.

I would start with this page on our website:
https://www.bro.org/development/howtos/binpac-sample-analyzer.html

The BinPAC README will also be a required reference as you start working on it:
https://www.bro.org/sphinx/components/binpac/README.html

Finally, I gave a presentation at a BroCon a few years back on first steps into writing a protocol analyzer, which might help:
https://www.youtube.com/watch?v=1eDIl9y6ZnM

Please e-mail this list or the bro-dev list if you run into problems.

--Vlad

Mohan Rao writes:

> Does anyone know if a protocol analyzer exists for DDS and RTPS (Real time Pub Sub) - https://en.wikipedia.org/wiki/Data_Distribution_Service and http://www.omg.org/spec/DDSI-RTPS/
>
> If not, can someone point me in the right direction for how I could go about building one? Is BinPAC the right place to start?
>
> Appreciate any help!!
> _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 800 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170526/41365de4/attachment.bin From vladg at illinois.edu Fri May 26 09:19:13 2017 From: vladg at illinois.edu (Vlad Grigorescu) Date: Fri, 26 May 2017 11:19:13 -0500 Subject: [Bro] testing binpac generated parser In-Reply-To: <201705171440.v4HEeK3K032685@vladg.net> References: <201705171440.v4HEeK3K032685@vladg.net> Message-ID: Tomas, Is this still an issue for you? Thanks, --Vlad "Bortoli, Tomas" writes: > Hi all, > > I am having troubles getting any sign of functioning from a simple parser defined in binpac. > > I followed the tutorial at: https://github.com/grigorescu/binpac_quickstart > Then I wrote pretty simple headers definitions in my *-protocol.pac definition, then I added a print `std::cout << "Name PDU" << endl;` after the statement that generates the basic PDU event for the bro policy script engine in the *-analyzer.pac. I successfully compiled the parser definitions with binpac and then I recompiled bro (observing that the new parser is included in the compilation process). > > But then when I run bro with a pcap file that contains a packet that should be parsed by the binpac generated code, I don't get any output and don't know how to troubleshoot it. > > Any suggestion? > > thanks in advance, > Tomas > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 800 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170526/2b0d5be8/attachment.bin From rak at capmon.dk Fri May 26 12:02:06 2017 From: rak at capmon.dk (Raj Kumar) Date: Fri, 26 May 2017 21:02:06 +0200 Subject: [Bro] BRO - Ransomware Message-ID: Hi All, If I am trying to add smb-ransomware.bro to my bro setup, where should I include this in the bro directories? root at csh:/home/raj# find / -name "smb" /nsm/bro/share/bro/policy/protocols/smb /nsm/bro/share/bro/base/protocols/smb /opt/bro/bro-2.5/testing/btest/Traces/smb /opt/bro/bro-2.5/testing/btest/scripts/base/protocols/smb /opt/bro/bro-2.5/scripts/policy/protocols/smb /opt/bro/bro-2.5/scripts/base/protocols/smb /opt/bro/bro-2.5/build/src/analyzer/protocol/smb /opt/bro/bro-2.5/src/analyzer/protocol/smb and after this I can include in local.bro, @load policy/protocols/smb Thanks, *Raj* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170526/1afc7595/attachment.html From bill.de.ping at gmail.com Sun May 28 07:36:16 2017 From: bill.de.ping at gmail.com (william de ping) Date: Sun, 28 May 2017 17:36:16 +0300 Subject: [Bro] - see all triggered events on a given pcap file Message-ID: Hi all, Does anyone know a way to get a list of all triggered events given a pcap file? Currently what I do is just print some indicative message for each suspected relevant event (quite tedious task) Thanks B -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170528/793ce0f7/attachment.html From klehigh at iu.edu Sun May 28 08:06:35 2017 From: klehigh at iu.edu (Keith Lehigh) Date: Sun, 28 May 2017 11:06:35 -0400 Subject: [Bro] - see all triggered events on a given pcap file In-Reply-To: References: Message-ID: <37C5E68C-4A95-4558-84AE-F6812FAE6BD7@iu.edu> policy/misc/dump-events.bro does exactly what you want. - Keith > On May 28, 2017, at 10:36, william de ping wrote: > > Hi all, > > Does anyone know a way to get a list of all triggered events given a pcap file ? > > Currently what I do is just print some indicative message for each suspected relevant events (quit tedious task) > > Thanks > B > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3569 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170528/c59d71f5/attachment.bin From bill.de.ping at gmail.com Sun May 28 08:37:41 2017 From: bill.de.ping at gmail.com (william de ping) Date: Sun, 28 May 2017 18:37:41 +0300 Subject: [Bro] - see all triggered events on a given pcap file In-Reply-To: <37C5E68C-4A95-4558-84AE-F6812FAE6BD7@iu.edu> References: <37C5E68C-4A95-4558-84AE-F6812FAE6BD7@iu.edu> Message-ID: Thank you very much ! it works great :) On Sun, May 28, 2017 at 6:06 PM, Keith Lehigh wrote: > policy/misc/dump-events.bro does exactly what you want. > > - Keith > > On May 28, 2017, at 10:36, william de ping > wrote: > > > > Hi all, > > > > Does anyone know a way to get a list of all triggered events given a > pcap file ? 
> > > > Currently what I do is just print some indicative message for each > suspected relevant events (quit tedious task) > > > > Thanks > > B > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170528/77ae4bc1/attachment.html From tomas.bortoli at sit.fraunhofer.de Mon May 29 01:58:01 2017 From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas) Date: Mon, 29 May 2017 08:58:01 +0000 Subject: [Bro] testing binpac generated parser In-Reply-To: References: <201705171440.v4HEeK3K032685@vladg.net>, Message-ID: Hi Vlad, No, I found the solution. To enable a certain plug-in, by default it is needed to modify a configuration file of Bro: /usr/local/bro/share/bro/base/init-default.bro by adding: @load base/protocols/PROTOCOL_NAME Regards, Tomas ________________________________________ From: Vlad Grigorescu [vladg at illinois.edu] Sent: Friday, May 26, 2017 6:19 PM To: Bortoli, Tomas; bro at bro.org Subject: Re: [Bro] testing binpac generated parser Tomas, Is this still an issue for you? Thanks, --Vlad "Bortoli, Tomas" writes: > Hi all, > > I am having troubles getting any sign of functioning from a simple parser defined in binpac. > > I followed the tutorial at: https://github.com/grigorescu/binpac_quickstart > Then I wrote pretty simple headers definitions on my *-protocol.pac definition, then I added a print `std::cout << "Name PDU" << endl;` after the statement that generate the basic PDU event for the bro policy script engine in the *-analyzer.pac. I successfully compiled the parser definitions with binpac and then I recompiled bro (observing that the new parser is included in the compilation process.
> > But then when I run bro with a pcap file that contains a packet that should be parsed by the binpac generated code, I don't get any output and don't know how to troubleshoot it.. > > Any suggestion ? > > thanks in advance, > Tomas > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From tomas.bortoli at sit.fraunhofer.de Mon May 29 04:13:15 2017 From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas) Date: Mon, 29 May 2017 11:13:15 +0000 Subject: [Bro] binpac to bro script types In-Reply-To: References: <201705261008.v4QA8Rep016155@vladg.net>, Message-ID: That solution looks good but I am stuck with the encoding of the timestamp. It's a 64-bit timestamp but I don't know how to interpret it. Picture attached. Thanks, Tomas ________________________________________ From: Vlad Grigorescu [vladg at illinois.edu] Sent: Friday, May 26, 2017 5:54 PM To: Bortoli, Tomas; bro at bro.org Subject: Re: [Bro] binpac to bro script types Well, I think you're on the right track. You need to do something like this line in smb-time.pac: > Val* bro_ts = new Val(secs, TYPE_TIME); The Val constructor with a type of time takes a double of seconds since the epoch (UNIX time) and gives you the Bro script timestamp val. How you actually convert whatever format you're working with to UNIX time is up to you and dependent on the format. Does that make sense? If you can provide more information on how the timestamp is actually stored, someone might be able to help figure out how to convert it. --Vlad "Bortoli, Tomas" writes: > Hi all, > > I'm writing a plug-in for Bro and I'm having troubles to pass types like timestamps from binpac code to the generated bro events. > > I snooped the code under `src/analyzer/protocol/krb/krb-analyzer.pac` to check out how they build data structures for Bro scripts and that works. > > But when it comes to pass a uint[8] into a bro timestamp, I don't know how to do it.
> Any idea? > > > Kind regards > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: Screenshot from 2017-05-29 13-06-12.jpg Type: image/jpeg Size: 44077 bytes Desc: Screenshot from 2017-05-29 13-06-12.jpg Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170529/750bd818/attachment-0001.jpg From rak at capmon.dk Mon May 29 06:26:12 2017 From: rak at capmon.dk (Raj Kumar) Date: Mon, 29 May 2017 15:26:12 +0200 Subject: [Bro] webapp detection Message-ID: Hi All, Am trying to use the webapp detection script to detect webapps like facebook etc. I saw in previous threads it was mentioned to enable "*Make sure to set your Sites::local_net variable*" if you set it to 0.0.0.0/0. I have included 0.0.0.0/0 in networks.cfg, I have also included in local.bro @load protocols/http/detect-webapps redef Software::asset_tracking = ALL_HOSTS; still I couldn't see any webapps traffic mentioning facebook, I could see only multicast addresses like 224.0.0.251. Any solution, much appreciated. Thanks, *Raj* *IT Consultant* *Mobile: ** +45 **81923531* *Lyskær 9* *2730 Herlev, Denmark * *Web: **http://www.capmon.dk * -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170529/3d534510/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed...
Name: image.png Type: image/png Size: 18048 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170529/3d534510/attachment-0001.bin From johanna at icir.org Tue May 30 09:48:24 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 09:48:24 -0700 Subject: [Bro] Bro sqli + xss sans paper In-Reply-To: References: Message-ID: <20170530164824.rezilkwhmscjb4sv@wifi109.sys.ICSI.Berkeley.EDU> Sorry for the slow reply, I hope that this is still useful after this while. In any case, http$first_chunk was removed in Bro 2.2; the script needs to be rewritten with the new http events. Johanna On Tue, Apr 11, 2017 at 02:10:08PM +0300, Alex Kefallonitis wrote: > I am trying to add the two scripts for sqli and xss from this paper > https://www.sans.org/reading-room/whitepapers/detection/web-application-attack-analysis-bro-ids-34042 > > but I get this error HTTP::c$http$first_chunk no such a field in record... > Anyone knows what is happening? > > > Thanks in advance. > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From johanna at icir.org Tue May 30 09:50:35 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 09:50:35 -0700 Subject: [Bro] Bro and GeoIP In-Reply-To: <2d1013f707467ed9b0de2443b4525cdb@vivaldi.net> References: <2d1013f707467ed9b0de2443b4525cdb@vivaldi.net> Message-ID: <20170530165035.py4ceasdxezdm2xs@wifi109.sys.ICSI.Berkeley.EDU> > If I installed Bro using the package manager, made sure that the GeoIP > databases are in the right place, what else do I need to make it work, > or does Bro need to be compiled from source for it to have support for > GeoIP?
I think this might already have been answered - but just for completeness sake - yes, it needs to be compiled from source in this case; the libraries and development headers have to be present during compilation for this to work (at least until Seth releases his bro-pkg version of this). Johanna From johanna at icir.org Tue May 30 09:53:20 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 09:53:20 -0700 Subject: [Bro] bro_init In-Reply-To: References: Message-ID: <20170530165320.yz2kw5sd5oaoe4ih@wifi109.sys.ICSI.Berkeley.EDU> > Any way to insert any connection related details > inside event bro_init() bro_init is called before any traffic processing occurs; because of that, there are no connection details available yet. If you mean something else, I sadly didn't get the question :) Johanna From johanna at icir.org Tue May 30 09:54:11 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 09:54:11 -0700 Subject: [Bro] Cross compiling bro for mips core (as a binary) In-Reply-To: References: Message-ID: <20170530165411.mwwvi2lbvq5eoi4h@wifi109.sys.ICSI.Berkeley.EDU> Just to give an answer to this - I have not heard of anyone trying this. Johanna On Fri, Apr 28, 2017 at 01:52:16PM -0700, anant garg wrote: > Hello there, > > > Has anybody got success in cross compiling bro for mips core, > specifically as Cavium's Octeon binary (simple executive) ? > > I have looked around but did not find any pointer on this information. > Does not look straightforward to me. Can somebody help providing any > information/tips/notes on this if you have tried it before ? > > I appreciate your time on helping out this. 
> > > -Anant > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From johanna at icir.org Tue May 30 10:02:55 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:02:55 -0700 Subject: [Bro] Bro logging connections after specific daytime In-Reply-To: References: Message-ID: <530881CC-29DD-4001-B19D-1F60BE3DC43F@icir.org> > Hello, > > I'm currently trying to develop a script for a project scenario and I > would like to know if there are some more efficient approaches and/or > solutions for the current problem. > > The main task is defined as logging all connections and > connection attempts occurring after a certain daytime. > > At the moment I'm using the functions provided by the script located > in base/protocols/conn/main.bro and the following events: > > * event bro_init() //used for initializing streams and so on > > * event bro_done() //used for clearing > * event new_connection() > > * event connection_state_remove() > > * event content_gap() //not sure about this one If the purpose really is to only log connection information after a certain time (where the timestamp that currently is being logged in conn.log is between specific times of the day), you can do this even easier. The way I would probably go is to use a log predicate to filter on the timestamp; https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records gives an example to do this. > Now I got stuck with a few questions: > > 1. Are those events enough to track every connection being > established after a certain daytime? Or do I need additional events > like: "event udp_reply()/udp_request()" and "connection_established()" > ? These should be enough. Actually, just connection_state_remove should be enough already for the connection information - the timestamp contained in the connection record is the timestamp of the first packet. > 2.
Why does the ../conn/main.bro script fills the c$conn-attributes > from Conn::Info (function set_conn()), if bro provides them > automatically after an event is removed from memory? I am not quite sure what you mean here (specifically the "if bro provides them automatically after an event is removed from memory" part. In any case - the Conn::Info record is the record that is used for logging. set_conn() copies information into that record so that it can be logged; the information originally is directly in the connection record, which is not suitable for logging. > 3. Even if i do include other scripts (e.g. base/protocols/dns/), > why are the records still missing in a connection-object provided by > the connection_state_remove()-event? I think it makes sense if there > is a dns-event and the ssl-record is missing, but even if its a > dns-event, there is still no dns-record with additional data about the > connection. Am i missing something? Do i have to fill them myself by > using Bro-Functions? You lost me a bit on the question here. The records (like c$dns) are filled as events are raised by the protocol parser that contain the necessary information for the log field. > 4. Is it possible to determine how much data was transfered by a > specific connection while that connection is still in the memory? As > an example: Connection was seen at a certain time, and finished 10 > seconds later. Is it possible to determine the send bytes 5 seconds > after initiation?\ No, that information is not held as far as I am aware. 
Johanna From johanna at icir.org Tue May 30 10:06:02 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:06:02 -0700 Subject: [Bro] data_before_established, possible_split_routing In-Reply-To: References: Message-ID: <20170530170602.l7q3uaniqpknerzk@wifi109.sys.ICSI.Berkeley.EDU> On Thu, May 11, 2017 at 10:36:00AM -0400, erik clark wrote: > We are experiencing these in significant quantity since we moved traffic > from one site to another. Is there any sort of way to bond this data so > that bro wont gut the connections? This is leading to a massive 70% packet > loss on the sensor. Just to give a short answer for this - as you probably are aware, Bro expects the packets to arrive in the correct order on the interfaces it uses for monitoring. If you have access to several fibers that contain parts of the full traffic, I think there are network cards/switches that can merge them back together. Johanna From johanna at icir.org Tue May 30 10:12:49 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:12:49 -0700 Subject: [Bro] TORRENT Detection -BRO In-Reply-To: References: Message-ID: <20170530171249.d5djtqvpbonczz2x@wifi109.sys.ICSI.Berkeley.EDU> Hi, > Will I be able to detect torrent download using bro, i could see some > torrent analyzers,is there any load statement should i include in local.bro > or how to detect? The Bittorrent analyzer in Bro has not been touched in years and I assume that it is not functional (it certainly has not been tested by anyone in a long time). If you are interested in trying to enable it, you will have to write all scripts yourself. As you probably are aware for most protocol analyzers we have scripts in base/ that create the logfiles that are written to disk. These scripts were never created for the Bittorrent analyzer - you would have to write them from scratch (and as I mentioned I have doubts if it still works). So - short version - there is no quick and easy way to enable it currently. 
Johanna From johanna at icir.org Tue May 30 10:16:06 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:16:06 -0700 Subject: [Bro] Connections in conn.log In-Reply-To: References: Message-ID: <20170530171606.m7gt6hkoyd4bkxln@wifi109.sys.ICSI.Berkeley.EDU> On Thu, May 18, 2017 at 05:31:33PM +0200, mike anastasakis wrote: > Hello, > > I have a question regarding how the connections are created in conn.log. > I thought that the combination tuple of (src_ip, src_port, dest_ip, > dest_port) was used to define one connection but this is not the case. It generally kind of should be the case (with certain gotchas). Connections are only held in memory for a certain amount of time (so you can get the same 5-tuple after a period of time passes; the period of time depends on the packets that were seen and on the protocol and can be as low as a few seconds and as high as a few hours). In addition, if you are running a Bro cluster, each worker node logs connections separately. > The first connection is the one that establishes the ssl connection and the > other 5 are identified as *OTH*, which is "No SYN seen, just midstream > traffic (a "partial connection" that was not later closed)." Is this a long-lived connection? Is there a chance that a few minutes passed without any data in between? That would cause Bro to flush out the connection, forget about it, and then recognize the following packets as a new connection. The second possibility is that you have a cluster and that packet distribution is somehow misconfigured.
That would be my ideas, I hope that helps, Johanna From johanna at icir.org Tue May 30 10:20:20 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:20:20 -0700 Subject: [Bro] Connections in conn.log In-Reply-To: <88a57497-ad01-a81f-a06f-227ec64d7201@fu-berlin.de> References: <88a57497-ad01-a81f-a06f-227ec64d7201@fu-berlin.de> Message-ID: <20170530172020.hauhjb2ycrvad7vf@wifi109.sys.ICSI.Berkeley.EDU> On Fri, May 19, 2017 at 07:21:36PM +0200, Marcin Nawrocki wrote: > Hello bro community, > > are all connection attempts recorded in conn.log? Let us assume I am > monitoring interface eth0, will I see every connection in this log file ... > > * ...independent of the transport layer protocol (udp,tcp,mptcp...) and > its properties (ports) Kind of. The underlying transport protocol has to be supported by Bro, so you are limited to udp and tcp. > * ...independent of firewalls like iptables blocking incoming packets on > eth0 Bro will log information about the packets that are delivered to it. Hence, this depends on your system configuration; if you use a mechanism that delivers packets to Bro even if iptables has block rules on the interface, yes; if no then no. That being said, I think that iptables rules are generally ignored in promiscuous mode. > * ...independent of firewalls like iptables forwarding incoming packets on > eth0 to special targets like NFQUEUE and libnetfilter_queue Same answer as to the last question - Bro sees whatever libpcap (or whatever packet source you use) feeds to it. 
I hope this helps, Johanna From johanna at icir.org Tue May 30 10:22:48 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:22:48 -0700 Subject: [Bro] BRO - Ransomware In-Reply-To: References: Message-ID: <20170530172248.pghwhdej3lwr67ky@wifi109.sys.ICSI.Berkeley.EDU> On Fri, May 26, 2017 at 09:02:06PM +0200, Raj Kumar wrote: > Hi All, > > If am trying to add smb-ransomware.bro , to my bro setup ,where should I > include this in the bro directories. > Typically user scripts to into site. Looking at the smb ransomware script, you will probably also need to modify it slightly so it loads policy/protocols/smb instead of base/protocols/smb. You should be able to directly load it from local.bro if it in in the site directory. Johanna From johanna at icir.org Tue May 30 10:24:14 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:24:14 -0700 Subject: [Bro] - see all triggered events on a given pcap file In-Reply-To: References: <37C5E68C-4A95-4558-84AE-F6812FAE6BD7@iu.edu> Message-ID: <20170530172414.h7ycmgfq33d6ij6t@wifi109.sys.ICSI.Berkeley.EDU> Note that this only will work for events that are already used in other scripts. If an event is not used at all, it will not show up in the output of dump-events. Johanna On Sun, May 28, 2017 at 06:37:41PM +0300, william de ping wrote: > Thank you very much ! > it works great :) > > On Sun, May 28, 2017 at 6:06 PM, Keith Lehigh wrote: > > > policy/misc/dump-events.bro does exactly what you want. > > > > - Keith > > > On May 28, 2017, at 10:36, william de ping > > wrote: > > > > > > Hi all, > > > > > > Does anyone know a way to get a list of all triggered events given a > > pcap file ? 
> > > > > > Currently what I do is just print some indicative message for each > > suspected relevant events (quit tedious task) > > > > > > Thanks > > > B > > > _______________________________________________ > > > Bro mailing list > > > bro at bro-ids.org > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From johanna at icir.org Tue May 30 10:30:59 2017 From: johanna at icir.org (Johanna Amann) Date: Tue, 30 May 2017 10:30:59 -0700 Subject: [Bro] webapp detection In-Reply-To: References: Message-ID: <20170530173059.k66vjiu7xda3uc2t@wifi109.sys.ICSI.Berkeley.EDU> Hi, you are probably intermingling two things here. Detect-webapps uses signatures to find software like phpmyadmin; it is not used to find things like Facebook traffic. The second one is the software framework, which tracks software versions. If you load the right scripts it, e.g., logs Windows versions as determined from some http headers. This also is not used for facebook, etc. There was a script to perform logging of information of applications like facebook (policy/misc/app-stats). This was removed in Bro 2.5, because it was not maintained enough and not useful in its current state. 
I hope that helps, Johanna On Mon, May 29, 2017 at 03:26:12PM +0200, Raj Kumar wrote: > Hi All, > > Am trying to use the webapp detection script to detect webapps like > facebook etc > > I saw previous threads it was mentioned to enable "*Make sure to set your > Sites::local_net variable * If you set it to > 0.0.0.0/0 > > I have included 0.0.0.0/0 in networks.cfg, > > I have also included in local.bro > @load protocols/http/detect-webapps > redef Software::asset_tracking = ALL_HOSTS; > > still I couldnt see any webapps traffic mentioning facebook i could see > only multicast address like 224.0.0.251 > > Any solution ,much appreciated > > Thanks, > *Raj* > *IT Consultant* > *Mobile: ** +45 **81923531* > > *Lyskær 9* > > *2730 Herlev, Denmark * > > *Web: **http://www.capmon.dk * > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jdopheid at illinois.edu Tue May 30 11:09:27 2017 From: jdopheid at illinois.edu (Dopheide, Jeannette M) Date: Tue, 30 May 2017 18:09:27 +0000 Subject: [Bro] Bro Package Manager Questionnaire Message-ID: <4A1E4075-ED03-4836-9D35-DC9E8AC7CB06@illinois.edu> The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, with additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable.
Please let us know what features you would like to see by filling out our questionnaire: https://goo.gl/forms/VyVH1aRIBB2qdZF53 ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign From tomas.bortoli at sit.fraunhofer.de Mon May 29 02:09:18 2017 From: tomas.bortoli at sit.fraunhofer.de (Bortoli, Tomas) Date: Mon, 29 May 2017 09:09:18 +0000 Subject: [Bro] binpac to bro script types In-Reply-To: References: <201705261008.v4QA8Rep016155@vladg.net>, Message-ID: That solution looks good but I am stuck with the encoding of the timestamp. It's a 64-bit timestamp but I don't know how to interpret it. Picture attached. Thanks, Tomas ________________________________________ From: Vlad Grigorescu [vladg at illinois.edu] Sent: Friday, May 26, 2017 5:54 PM To: Bortoli, Tomas; bro at bro.org Subject: Re: [Bro] binpac to bro script types Well, I think you're on the right track. You need to do something like this line in smb-time.pac: > Val* bro_ts = new Val(secs, TYPE_TIME); The Val constructor with a type of time takes a double of seconds since the epoch (UNIX time) and gives you the Bro script timestamp val. How you actually convert whatever format you're working with to UNIX time is up to you and dependent on the format. Does that make sense? If you can provide more information on how the timestamp is actually stored, someone might be able to help figure out how to convert it. --Vlad "Bortoli, Tomas" writes: > Hi all, > > I'm writing a plug-in for Bro and I'm having troubles to pass types like timestamps from binpac code to the generated bro events. > > I snooped the code under `src/analyzer/protocol/krb/krb-analyzer.pac` to check out how they build data structures for Bro scripts and that works. > > But when it comes to pass a uint[8] into a bro timestamp, I don't know how to do it. > Any idea?
> > > Kind regards > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: Screenshot from 2017-05-29 13-06-12.png Type: image/png Size: 76341 bytes Desc: Screenshot from 2017-05-29 13-06-12.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170529/ee17525a/attachment-0001.bin From al.kefallonitis at gmail.com Wed May 31 01:56:55 2017 From: al.kefallonitis at gmail.com (Alex Kefallonitis) Date: Wed, 31 May 2017 11:56:55 +0300 Subject: [Bro] Bro sqli + xss sans paper In-Reply-To: <20170530164824.rezilkwhmscjb4sv@wifi109.sys.ICSI.Berkeley.EDU> References: <20170530164824.rezilkwhmscjb4sv@wifi109.sys.ICSI.Berkeley.EDU> Message-ID: Does anyone know how to change it? Thanks in advance. 2017-05-30 19:48 GMT+03:00 Johanna Amann : > Sorry for the slow reply, I hope that this is still useful after this > while. > > In any case, http$first_chunk was removed in Bro 2.2; the script needs to > be rewritten with the new http events. > > Johanna > > On Tue, Apr 11, 2017 at 02:10:08PM +0300, Alex Kefallonitis wrote: > > I am trying to add the two scripts for sqli and xss from this paper > > https://www.sans.org/reading-room/whitepapers/detection/ > web-application-attack-analysis-bro-ids-34042 > > > > but i get this error HTTP::c$http$first_chunk no such a field in > record... > > Anyone knows what is happening? > > > > > > Thanks in advanced. > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170531/99b10a6b/attachment.html From vladg at illinois.edu Wed May 31 08:07:55 2017 From: vladg at illinois.edu (Vlad Grigorescu) Date: Wed, 31 May 2017 10:07:55 -0500 Subject: [Bro] TORRENT Detection -BRO In-Reply-To: <201705301714.v4UHEAWT031295@vladg.net> References: <201705301714.v4UHEAWT031295@vladg.net> Message-ID: I looked at this a while back, and didn't pursue it because the protocol itself really doesn't have a lot of useful information. There are no filenames or really any useful metadata in the protocol (that's all contained in the .torrent file which is downloaded via a different channel). There might be something for DHT, but that would require parsing a completely different protocol. --Vlad Johanna Amann writes: > Hi, > >> Will I be able to detect torrent download using bro, i could see some >> torrent analyzers,is there any load statement should i include in local.bro >> or how to detect? > > The Bittorrent analyzer in Bro has not been touched in years and I assume > that it is not functional (it certainly has not been tested by anyone in a > long time). > > If you are interested in trying to enable it, you will have to write all > scripts yourself. As you probably are aware for most protocol analyzers we > have scripts in base/ that create the logfiles that are written to disk. > These scripts were never created for the Bittorrent analyzer - you would > have to write them from scratch (and as I mentioned I have doubts if it > still works). > > So - short version - there is no quick and easy way to enable it > currently. > > Johanna > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 800 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170531/741b8dd7/attachment.bin From kgoldman at us.ibm.com Wed May 31 11:31:56 2017 From: kgoldman at us.ibm.com (Kenneth Goldman) Date: Wed, 31 May 2017 14:31:56 -0400 Subject: [Bro] Missing notice.log, have weird.log In-Reply-To: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu> References: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu> Message-ID: The quick starter refers to a notice.log file. It's not being created. Misconfiguration? What should I look for? I do have "weird.log", that seems undocumented. Could the name perhaps have changed? -- Ken Goldman kgoldman at us.ibm.com 914-945-2415 (862-2415) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170531/7d0b1e0e/attachment.html From vladg at illinois.edu Wed May 31 12:13:39 2017 From: vladg at illinois.edu (Vlad Grigorescu) Date: Wed, 31 May 2017 14:13:39 -0500 Subject: [Bro] binpac to bro script types In-Reply-To: <201705291113.v4TBDVoa027976@vladg.net> References: <201705261008.v4QA8Rep016155@vladg.net> <201705291113.v4TBDVoa027976@vladg.net> Message-ID: Well, that's protocol specific, but I did some digging: > >>> TIME_FIXUP_CONSTANT > 11644473600 > >>> hex(filetime) > '0x01d238cc0f66a007' > >>> filetime/10000000. 
> 13122978809.960194 > >>> _-TIME_FIXUP_CONSTANT > 1478505209.9601936 > >>> datetime.datetime.fromtimestamp(1478505209.9601936).strftime('%Y-%m-%d %H:%M:%S') > '2016-11-07 01:53:29' This is already implemented in smb-time.pac: https://github.com/bro/bro/blob/master/src/analyzer/protocol/smb/smb-time.pac#L13 You could try just adding this to your PAC file and then you'll be able to use that function: > %include ../smb/smb-time.pac Check out krb-asn1.pac for an example of including another PAC file: https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-asn1.pac --Vlad -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 800 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170531/81f50ede/attachment.bin From seth at corelight.com Wed May 31 12:20:51 2017 From: seth at corelight.com (Seth Hall) Date: Wed, 31 May 2017 15:20:51 -0400 Subject: [Bro] Missing notice.log, have weird.log In-Reply-To: References: <914dea0f-8cbd-00ea-ed7e-b0b2e60f1650@illinois.edu> Message-ID: On Wed, May 31, 2017 at 2:31 PM, Kenneth Goldman wrote: > The quick starter refers to a notice.log file. It's not being created. Logs in Bro are created when they are written to. It's like that none of the scripts you have loaded are generating notices. > I do have "weird.log", that seems undocumented. Could the name perhaps have > changed? The weird log's documentation can be found here: https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info .Seth -- Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
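An added example, not from the thread and not Bro's smb-time.pac, that implements the FILETIME conversion Vlad walked through in the "binpac to bro script types" message above: it keeps the float version from his session, adds an exact integer variant (correct for values before 1970, such as a zero FILETIME) and renders the result in UTC rather than local time. Function and constant names other than TIME_FIXUP_CONSTANT are my own.

```python
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01); the session in the thread calls this TIME_FIXUP_CONSTANT.
TIME_FIXUP_CONSTANT = 11644473600
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns


def _check(filetime: int) -> None:
    # A FILETIME is an unsigned 64-bit field; reject anything that cannot
    # have come out of a binpac uint64.
    if not 0 <= filetime < 1 << 64:
        raise ValueError("FILETIME must fit in an unsigned 64-bit integer")


def filetime_to_unix(filetime: int) -> float:
    """Float conversion, step for step as in the session in the thread."""
    _check(filetime)
    return filetime / TICKS_PER_SECOND - TIME_FIXUP_CONSTANT


def filetime_to_unix_exact(filetime: int) -> tuple[int, int]:
    """Integer conversion: (whole Unix seconds, leftover 100 ns ticks).
    Avoids float rounding and stays correct before 1970 (a zero FILETIME is
    1601-01-01): the seconds go negative, the ticks stay in [0, 10**7)."""
    _check(filetime)
    secs, ticks = divmod(filetime, TICKS_PER_SECOND)
    return secs - TIME_FIXUP_CONSTANT, ticks


def unix_to_filetime(secs: int, ticks: int = 0) -> int:
    """Inverse of filetime_to_unix_exact, handy for round-trip checks."""
    return (secs + TIME_FIXUP_CONSTANT) * TICKS_PER_SECOND + ticks


def filetime_to_iso(filetime: int) -> str:
    """Render in UTC with full 100 ns precision. The session's
    datetime.fromtimestamp() call had no tz argument, so it printed local
    time and the same FILETIME renders differently on other hosts."""
    secs, ticks = filetime_to_unix_exact(filetime)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return f"{dt:%Y-%m-%d %H:%M:%S}.{ticks:07d}"


if __name__ == "__main__":
    sample = 0x01D238CC0F66A007  # the FILETIME shown in the thread
    print(filetime_to_unix(sample), filetime_to_iso(sample))
```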
