From brandon.sterne at gmail.com  Sun Apr  1 21:04:39 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Sun, 1 Apr 2018 21:04:39 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
Message-ID: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>

Hello,

I am attempting to get Bro working sitting behind a reverse proxy (nginx),
which is receiving connections, terminating TLS, and forwarding cleartext
HTTP to a local app server (Tomcat). I have a really simple test case that
demonstrates the problem I'm running into, which is that Bro HTTP events
are only detected when requests are sent plaintext (without TLS). Here is
the test case I'm using:

```
[guest-vm-bro]$ cat ~/bro-custom/detect-http-request.bro
##! Basic rule to detect HTTP request
@load base/protocols/http

module HTTP;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
    {
        print "HTTP request. URI: ", original_URI;
    }

event connection_established(c: connection)
    {
        print "Connection: ", c;
    }
[guest-vm-bro]$ sudo /usr/local/bro/bin/bro -C -i eth1
~/bro-custom/detect-http-request.bro
listening on eth1
```

Everything works as expected when requests are sent as plaintext to nginx
port 80:

```
[host-os]$ curl http://uis.local/sample/
<html>
<head>
<title>Sample "Hello, World" Application</title>
</head>
snip...

[guest-vm-bro]$ sudo /usr/local/bro/bin/bro -C -i eth1
~/bro-custom/detect-http-request.bro
listening on eth1

Connection: , [id=[orig_h=192.168.43.1, orig_p=53030/tcp,
resp_h=192.168.43.10, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1,
num_bytes_ip=64, flow_label=0, l2_addr=0a:00:27:00:00:03], resp=[size=0,
state=4, num_pkts=0, num_bytes_ip=0, flow_label=0,
l2_addr=08:00:27:18:49:26], start_time=1522451133.083394,
duration=0.000023, service={

}, history=Sh, uid=CSecNs4PkfexRaPAp4, tunnel=<uninitialized>,
vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>,
conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dce_rpc=<uninitialized>,
dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>,
dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F,
ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>,
irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>,
mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>,
sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>,
syslog=<uninitialized>]
HTTP request. URI: , /sample/
```

Note the last line, where the http_request event triggered correctly. When
I send the request to the TLS encrypted nginx port, however, I only see the
connection_established event fire:

```
[host-os]$ curl -k https://uis.local/sample/
<html>
<head>
<title>Sample "Hello, World" Application</title>
<head>
snip...

Connection: , [id=[orig_h=192.168.43.1, orig_p=53078/tcp,
resp_h=192.168.43.10, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1,
num_bytes_ip=64, flow_label=0, l2_addr=0a:00:27:00:00:03], resp=[size=0,
state=4, num_pkts=0, num_bytes_ip=0, flow_label=0,
l2_addr=08:00:27:18:49:26], start_time=1522451394.887197,
duration=0.000024, service={

}, history=Sh, uid=Ce2kbh4wXUDiXtRC1i, tunnel=<uninitialized>,
vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>,
conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dce_rpc=<uninitialized>,
dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>,
dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F,
ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>,
irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>,
mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>,
sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>,
syslog=<uninitialized>]
```

A similar event pattern happens if I change the Bro agent to listen on the
loopback interface:

```
[host-os]$ curl http://uis.local/sample/
<html>
<head>
<title>Sample "Hello, World" Application</title>
</head>
snip...
[host-os]$ curl -k https://uis.local/sample/
<html>
<head>
<title>Sample "Hello, World" Application</title>
</head>
snip...

[guest-vm-bro]$ sudo /usr/local/bro/bin/bro -C -i lo
~/bro-custom/detect-http-request.bro
listening on lo

Connection: , [id=[orig_h=127.0.0.1, orig_p=58658/tcp, resp_h=127.0.0.1,
resp_p=8080/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=0,
num_bytes_ip=0, flow_label=0, l2_addr=<uninitialized>],
start_time=1522451684.380294, duration=-1513581075.701362, service={

}, history=Sh, uid=C3NJSO38EkH9aVSRe8, tunnel=<uninitialized>,
vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>,
conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dce_rpc=<uninitialized>,
dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>,
dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F,
ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>,
irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>,
mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>,
sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>,
syslog=<uninitialized>]
Connection: , [id=[orig_h=127.0.0.1, orig_p=58660/tcp, resp_h=127.0.0.1,
resp_p=8080/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=0,
num_bytes_ip=0, flow_label=0, l2_addr=<uninitialized>],
start_time=1522451702.019632, duration=-1513505330.101316, service={

}, history=Sh, uid=CqvuUv2nDCAjXdUcAg, tunnel=<uninitialized>,
vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>,
conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dce_rpc=<uninitialized>,
dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>,
dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F,
ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>,
irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>,
mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>,
sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>,
syslog=<uninitialized>]
```

In this case, I don't receive an http_request event for either the
plaintext or encrypted request sent to nginx. The last case I tested was
sending a request directly to the app server from the guest VM running Bro.
In this case I only saw the connection_established event again, not the
http_request event:

```
[guest-vm-bro]$ curl localhost:8080/sample/
<html>
<head>
<title>Sample "Hello, World" Application</title>
</head>
snip...

Connection: , [id=[orig_h=127.0.0.1, orig_p=58664/tcp, resp_h=127.0.0.1,
resp_p=8080/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=0,
num_bytes_ip=0, flow_label=0, l2_addr=<uninitialized>],
start_time=1522451893.753416, duration=-1512682034.693552, service={

}, history=Sh, uid=CdewMq37K1zzhpTl91, tunnel=<uninitialized>,
vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>,
conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dce_rpc=<uninitialized>,
dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>,
dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>,
dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F,
ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>,
irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>,
mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>,
sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>,
smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>,
syslog=<uninitialized>]
```

This was with Bro still listening on lo interface. This case surprises me.
It's a simple GET request to a local HTTP server on 8080, so I'm curious
why this doesn't trigger an http_request event.

Just to be complete, I also re-ran this last test with Bro listening on
eth1, and neither the connection_established or the http_request event
fired.

I would love some help if any of you are willing to provide it. My two
questions are essentially:

1. What needs to be observed by the agent for a http_request event to fire?
2. Does Bro treat traffic traversing the localhost only differently than
traffic it receives over the network?

Thanks very much, in advance, for reading through this and for helping me
to understand what is happening in this case.

Best,
Brandon Sterne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180401/7f5abcfc/attachment.html 

From rahulbroids at gmail.com  Sun Apr  1 23:43:40 2018
From: rahulbroids at gmail.com (rahul rakesh)
Date: Mon, 2 Apr 2018 12:13:40 +0530
Subject: [Bro] Snort 2 Bro Utility
Message-ID: <CADJmW1mUsBz7WsPqvg2hMK8vYjoHUe0sy4DFkcXUh5RHKx+jwQ@mail.gmail.com>

Dear Team,
          Can anyone please share snort2bro utility as i just wanted to
know how the conversion is done. It will help me writing signatures.



Regards,
Rahul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180402/2eb46f1b/attachment.html 

From ambros.novak.89 at gmail.com  Mon Apr  2 03:35:20 2018
From: ambros.novak.89 at gmail.com (Ambros Novak)
Date: Mon, 2 Apr 2018 06:35:20 -0400
Subject: [Bro] Original file name in Extracted files
Message-ID: <3D256AB8-AD30-476B-B69E-3CAB039D48EA@gmail.com>

Hello!

How can the original file name be added to the extracted file name?

Thanks you for your help. 

AN

??

From philosnef at gmail.com  Mon Apr  2 06:22:15 2018
From: philosnef at gmail.com (erik clark)
Date: Mon, 2 Apr 2018 09:22:15 -0400
Subject: [Bro] gluing together suricata and bro alerts in kibana
Message-ID: <CAK6atxqfAiSCZip8jbWoBMLLrpo=vor-5X=dpPw9erApyJ3EoQ@mail.gmail.com>

I am trying to make splunk like searchs in Kibana, but can't figure out how
the syntax works.

EG:

I have alert.signature == myalert, with http.hostname == somedomain.
In bro, I rewrote host to http_host, and want to see the intersection of:

conn.log (conn id)
http.log (http.hostname from suricata events linked to http_host  bro
events here)
alert.signature (from suricata events)

So the result would be in a table I would hope, or soething like that:

http_host, http.http_content_type, http.http_method, http.http_user_agent,
http.http_response_body_printable, payload_printable, fileinfo.filename,
dest_ip, src_ip, conn_id

Drop down events like what you normally get would be fine as well. Hope
this helps explain what I am trying to do. I am still struggling with
lucerne search syntax and the front end.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180402/9dd4831e/attachment.html 

From patrick.kelley at criticalpathsecurity.com  Mon Apr  2 06:43:27 2018
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Mon, 2 Apr 2018 09:43:27 -0400
Subject: [Bro] Snort 2 Bro Utility
In-Reply-To: <CADJmW1mUsBz7WsPqvg2hMK8vYjoHUe0sy4DFkcXUh5RHKx+jwQ@mail.gmail.com>
References: <CADJmW1mUsBz7WsPqvg2hMK8vYjoHUe0sy4DFkcXUh5RHKx+jwQ@mail.gmail.com>
Message-ID: <CA+WAcdRBkNMq18Vi8yzrrjfnEd2DgM3_cF3SM849xVB-csQg_Q@mail.gmail.com>

Rahul,

That utility has been long deprecated, largely due to difference in
approach by Snort and Bro.

I'll share the demo signature below.  As always, feel free to reach out
directly, should you need.

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event "Found root!"
}



On Mon, Apr 2, 2018 at 2:43 AM, rahul rakesh <rahulbroids at gmail.com> wrote:

> Dear Team,
>           Can anyone please share snort2bro utility as i just wanted to
> know how the conversion is done. It will help me writing signatures.
>
>
>
> Regards,
> Rahul
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180402/ad78ccd7/attachment.html 

From jsiwek at corelight.com  Mon Apr  2 08:03:38 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 2 Apr 2018 10:03:38 -0500
Subject: [Bro] [BRO-ISSUE]: bro crash when so many Repoter::Error calls
In-Reply-To: <CAHygEmCkzWmoe7uXNAxwesDWaVLrmDqN98FEW=mkxn05aShLrw@mail.gmail.com>
References: <CAHygEmCkzWmoe7uXNAxwesDWaVLrmDqN98FEW=mkxn05aShLrw@mail.gmail.com>
Message-ID: <35cd8c39-f61a-acab-d01c-8887e3e6b1c9@corelight.com>



On 1/25/18 10:18 AM, Myth Ren wrote:

>  ? ? I'm using bro 2.5.1 for network security monitoring , the message 
> queue is kafka componment (the bro-to-kafka plugin version is v0.5.0, 
> librdkafka version is v0.9.5).

The plugins from Bro v2.5.1 may be a bit old to continue using.  I'd 
generally suggest trying to update to newest version of everything.

> Below listed information is backtrace from core dump. (more on gist 
> <https://gist.github.com/MythRen/b55220647ca28654c6f7e1db12ee6036>)

>     #4? 0x00000000005fee8f in Reporter::Error (this=<optimized out>,
>     fmt=fmt at entry=0x7fe36c719d70 "Kafka send failed: %s") at
>     /opt/download/bro/src/Reporter.cc:76 #5? 0x00007fe36c717fa9 in
>     logging::writer::KafkaWriter::DoWrite (this=0x6369270,
>     num_fields=<optimized out>, fields=<optimized out>, vals=0x69d2080)
>     at /opt/download/bro/aux/plugins/kafka/src/KafkaWriter.cc:156 #6 

This is basically the problem: this version of KafkaWriter is directly 
using Reporter calls and that's not thread-safe.  Here would be the way 
to fix it for your reference (in case you simply can't update things):

https://github.com/apache/metron-bro-plugin-kafka/commit/4968b6537f663c1de061d0cf0aedb42f43ab12ee

- Jon

From pssunu6 at gmail.com  Mon Apr  2 22:46:48 2018
From: pssunu6 at gmail.com (ps sunu)
Date: Tue, 3 Apr 2018 11:16:48 +0530
Subject: [Bro] jzeolla-metron-bro-plugin-kafka
In-Reply-To: <CAM1mTCq7ypoH1KhAxtmvEbxRdyui1K4rpu43u1b1M30iAuH=Kw@mail.gmail.com>
References: <CALGAZaD1d8p+rUqNzd_PS-4VeNMwBrnRqqQpD6L0hFMwaaZmgw@mail.gmail.com>
	<CAM1mTCq7ypoH1KhAxtmvEbxRdyui1K4rpu43u1b1M30iAuH=Kw@mail.gmail.com>
Message-ID: <CALGAZaCuvn7GG05qJckfSiftax_k1PG84mJsawy=oqWKEFjJ5g@mail.gmail.com>

Thanks  Zeolla  , its working fine with ssl key , again thanks

On Fri, Mar 30, 2018 at 5:14 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:

> Please see my response in https://github.com/JonZeolla/jzeolla-metron-bro-
> plugin-kafka/issues/3
>
> The summary is, in theory yes but I've never tested it.  It uses
> librdkafka underneath, which has ssl support.  See
> https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka and
> https://github.com/apache/metron-bro-plugin-kafka/blob/master/README.md
>
> Any configuration value accepted by librdkafka can be added to the
> kafka_conf configuration table.
>
> Jon
>
> On Thu, Mar 29, 2018, 12:05 ps sunu <pssunu6 at gmail.com> wrote:
>
>> Hi,
>>                is jzeolla-metron-bro-plugin-kafka support with ssl key
>> support  ? i am not finding any example for this
>>
>> https://github.com/JonZeolla/jzeolla-metron-bro-plugin-kafka
>>
>>
>> Regards,
>> Sunu
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180403/2d40a2f2/attachment.html 

From mfernandez at mitre.org  Tue Apr  3 02:15:40 2018
From: mfernandez at mitre.org (Fernandez, Mark I)
Date: Tue, 3 Apr 2018 09:15:40 +0000
Subject: [Bro] Intel::FILE_NAME and SMB_files behavior questions
In-Reply-To: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
References: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
Message-ID: <DM5PR0901MB2359FA1365D0FD347099080FCFA50@DM5PR0901MB2359.namprd09.prod.outlook.com>

Hi James,
 
>> I don?t think the Intel framework supports wildcards ? is there a way to alert
>> on files transferred that match a regex such as ?Temp\\[a-zA-Z]{8}.tmp?,
>> or even: ?Temp\\*.tmp??
 
Use the ?file_over_new_connection? event.  You could get the file name from the SMB info in the ?c : connection? input argument to the event handler.  Here is some sample code:
 
event file_over_new_connection(f:fa_file, c:connection, is_orig:bool)
{
                if ( f?$source && f$source == "SMB" && c?$smb_state && c$smb_state?$current_file )
                {
                                local smb_path  = c$smb_state$current_file$path;
                                local smb_name = c$smb_state$current_file$name;
 
                                . . .Do regex pattern matching on smb_path and/or smb_name. . .
                                . . .Use Notice framework to raise an alert. . .
                }
}
 
Cheers,
Mark
 
 
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Gordon
Sent: Saturday, March 31, 2018 6:14 PM
To: bro at bro-ids.org
Subject: [Bro] Intel::FILE_NAME and SMB_files behavior questions
 
Hey everyone,
 
I have a few questions on behavioral issues with the intel framework and SMB / SMB file logging:
 
1. I?m not sure if this is expected behavior or not, but it doesn?t look like filenames parsed in smb_files.log are properly being logged in files.log. We had a red team exercise recently where our red team was able to successfully retrieve the ntds.dit file off of one of our domain controllers. This transfer occurred over SMB, so I figured we could add ntds.dit to the Intel framework so that next time we don?t have to dig in logs to find out that our domain is owned ? we?ll have a handy alert to tell us ** I did some testing with this though, and while I see ?ntds.dit? logged clearly in the name field in smb_files.log, I don?t have a corresponding entry in files.log for this file transfer, and therefore no Intel match. What makes this weirder is I have other irrelevant files from this connection logged in files.log, that I didn?t actually touch or move during this connection:
 
bro at SObro:/nsm/bro/logs/current$ cat /opt/bro/share/bro/intel/intel.dat | grep ntds.dit
ntds.dit                Intel::FILE_NAME            domain ownage - update your resume!              F
 
bro at SObro:/nsm/bro/logs/2018-03-31$ zcat smb_files.16\:00\:00-17\:00\:00.log.gz | bro-cut uid id.orig_h id.resp_h id.resp_p action name | grep ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory\\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit <smb://ntds.dit> 
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit <smb://ntds.dit> 
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit <smb://ntds.dit> 
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
 
If I search for ?ntds.dit? in files log, I get nothing. If I search for the connection UID in files.log, there are some files logged ? but not the only file I actually transferred over this connection!
 
bro@ SObro:/nsm/bro/logs/2018-03-31$ zcat files.16\:00\:00-17\:00\:00.log.gz | bro-cut conn_uids tx_hosts rx_hosts source filename | grep C35jBF1HlcrVNLiXW2
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\not my testing directory!? \\desktop.ini <smb://desktop.ini> 
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\my testing directory \\random <file://random>  file that lives at this path.exe
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     favorites\\desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     Random excel file that lives in my testing directory.xls
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     random executable that lives in my testing directory.exe
 
Is there something wrong with my Bro instance? I feel like filenames from smb_files ?name? field should *all* be fed into files.log. I tested this with two different share paths and similar results ? everything gets logged as I would expect in smb_files.log but this filename never shows up in files.log. How can I reliably alert on file names transferred over SMB?
 
 
2. As part of the above red team exercise, I found (what I suspect) are some instances of Meterpeter being transferred from popped hosts back to the adversary system over SMB. These were logged in ?smb_files.log? with names like:  ?Temp\\PBetVKZU.tmp? and ?Temp\\FapcPatS.tmp?. I don?t think the Intel framework supports wildcards ? is there a way to alert on files transferred that match a regex such as ?Temp\\[a-zA-Z]{8}.tmp?, or even: ?Temp\\*.tmp??
 
 
3. Unrelated to the Intel framework - it seems like smb_files.log is super noisy. If I browse to a share drive, a massive amount of the contents of the share are enumerated in the smb_files log without taking any action (with the ?action? field indicating SMB::FILE_OPEN). This feels like expected behavior in SMB. Is there any way to ?filter? the log to only log files that are actually opened, written to, moved, deleted, or had any real operation occur against them? 
 
 
We?re running Bro 2.5.3 in Security Onion (Ubuntu 14.04). The intel framework is loaded and successfully fires on other indicators we have running.
 
Thanks!
 
James Gordon
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180403/6fba69b9/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6341 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180403/6fba69b9/attachment-0001.bin 

From email4myth at gmail.com  Tue Apr  3 03:06:14 2018
From: email4myth at gmail.com (Myth Ren)
Date: Tue, 3 Apr 2018 18:06:14 +0800
Subject: [Bro] [BRO-ISSUE]: bro crash when so many Repoter::Error calls
In-Reply-To: <35cd8c39-f61a-acab-d01c-8887e3e6b1c9@corelight.com>
References: <CAHygEmCkzWmoe7uXNAxwesDWaVLrmDqN98FEW=mkxn05aShLrw@mail.gmail.com>
	<35cd8c39-f61a-acab-d01c-8887e3e6b1c9@corelight.com>
Message-ID: <CAHygEmD40tS=fUhjpJ=UM6_XfPd4yaDCNk-LhZpPOv2y7kEPhg@mail.gmail.com>

currently i'm using Apache/metron-kafka-plugin v0.1 and the problem is gone.
thanks Jon.

2018-04-02 23:03 GMT+08:00 Jon Siwek <jsiwek at corelight.com>:

>
>
> On 1/25/18 10:18 AM, Myth Ren wrote:
>
>      I'm using bro 2.5.1 for network security monitoring , the message
>> queue is kafka componment (the bro-to-kafka plugin version is v0.5.0,
>> librdkafka version is v0.9.5).
>>
>
> The plugins from Bro v2.5.1 may be a bit old to continue using.  I'd
> generally suggest trying to update to newest version of everything.
>
> Below listed information is backtrace from core dump. (more on gist <
>> https://gist.github.com/MythRen/b55220647ca28654c6f7e1db12ee6036>)
>>
>
>     #4  0x00000000005fee8f in Reporter::Error (this=<optimized out>,
>>     fmt=fmt at entry=0x7fe36c719d70 "Kafka send failed: %s") at
>>     /opt/download/bro/src/Reporter.cc:76 #5  0x00007fe36c717fa9 in
>>     logging::writer::KafkaWriter::DoWrite (this=0x6369270,
>>     num_fields=<optimized out>, fields=<optimized out>, vals=0x69d2080)
>>     at /opt/download/bro/aux/plugins/kafka/src/KafkaWriter.cc:156 #6
>>
>
> This is basically the problem: this version of KafkaWriter is directly
> using Reporter calls and that's not thread-safe.  Here would be the way to
> fix it for your reference (in case you simply can't update things):
>
> https://github.com/apache/metron-bro-plugin-kafka/commit/496
> 8b6537f663c1de061d0cf0aedb42f43ab12ee
>
> - Jon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180403/0037db70/attachment.html 

From roberixion at gmail.com  Tue Apr  3 03:10:52 2018
From: roberixion at gmail.com (=?UTF-8?Q?Rober_Fern=C3=A1ndez?=)
Date: Tue, 3 Apr 2018 12:10:52 +0200
Subject: [Bro] window size
Message-ID: <CAL71vfXb3Paj0WebhOM=_bJHUVVUez7QCj0xWH2M_ApqM7xu7A@mail.gmail.com>

Hi,
Is there any way to get the window size in a connection tcp?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180403/57515de8/attachment.html 

From slagell at illinois.edu  Tue Apr  3 06:05:19 2018
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 3 Apr 2018 13:05:19 +0000
Subject: [Bro] window size
In-Reply-To: <CAL71vfXb3Paj0WebhOM=_bJHUVVUez7QCj0xWH2M_ApqM7xu7A@mail.gmail.com>
References: <CAL71vfXb3Paj0WebhOM=_bJHUVVUez7QCj0xWH2M_ApqM7xu7A@mail.gmail.com>
Message-ID: <633F86C9-2927-4340-A96A-A590056F524F@illinois.edu>

There is no such single value for a connection, right?  It adapts and changes. So what would you be looking for then?

> On Apr 3, 2018, at 5:11 AM, Rober Fern?ndez <roberixion at gmail.com> wrote:
> 
> Hi,
> Is there any way to get the window size in a connection tcp?
> 
> Thanks
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From jazoff at illinois.edu  Wed Apr  4 15:01:37 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 4 Apr 2018 22:01:37 +0000
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
Message-ID: <665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>


> On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com> wrote:
> 
> Hello,
> 
> I am attempting to get Bro working sitting behind a reverse proxy (nginx), which is receiving connections, terminating TLS, and forwarding cleartext HTTP to a local app server (Tomcat). I have a really simple test case that demonstrates the problem I'm running into, which is that Bro HTTP events are only detected when requests are sent plaintext (without TLS). Here is the test case I'm using:

The output you have included is not enough to tell what is wrong.  Minimally, full conn.log entries are required to figure out what bro is seeing.  Even better would be a full pcap of the traffic that bro is not properly decoding.

To just guess, i'd say your problem is that the MTU on lo is 65536 and bro is not configured by default to handle that.  Throwing a 

redef Pcap::snaplen = 65536

in your script may get things working.


? 
Justin Azoff



From seth at corelight.com  Thu Apr  5 06:16:47 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 05 Apr 2018 09:16:47 -0400
Subject: [Bro] Intel::FILE_NAME and SMB_files behavior questions
In-Reply-To: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
References: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
Message-ID: <F7488611-DA75-43E0-9BB0-DB8D05E87940@corelight.com>


On 31 Mar 2018, at 18:14, James Gordon wrote:

> I have a few questions on behavioral issues with the intel framework 
> and SMB / SMB file logging:
>
> 1. I?m not sure if this is expected behavior or not, but it 
> doesn?t look like filenames parsed in smb_files.log are properly 
> being logged in files.log.

I checked in our autogenerated documentation and I'm now noticing a 
glaring lack of documentation about *what* that log represents. :(

That log is meant to represent that an action against a file was seen.  
Considering that since SMB is a file system protocol you will see a lot 
of actions that aren't necessarily file transfers.  Most of what I've 
typically seen in smb_files.log is files being opened.  This seems be a 
very common action in SMB, I don't know all of the reasons that an 
application might open a file but not read nor write to it but it's 
definitely seen a lot.  I think that it could be a way for the client to 
get a timestamp for a remote file or other metadata.  Other actions that 
fits into that log are file renames and deletes.  File renames are 
represented through the "name" and "prev_name" fields.  Deletes just 
give the name of the file before it was deleted.

The important field to look at is the "action" field since that's where 
the log tells you what the client was actually doing.  Here are all of 
the potential actions that you will typically see there...
		FILE_OPEN,
		FILE_RENAME,
		FILE_DELETE,

If you wanted, you could add FILE_CLOSE as action that you want logged 
if you add this to your local.bro (I chose to leave this out by default 
since it didn't seem to provide much extra context, but had a great 
increase in log size)...

redef SMB::logged_file_actions += { SMB::FILE_CLOSE };

You could also have it include FILE_WRITE and FILE_READ, but those are 
really not great to include and lead to a massive increase in log size 
but I felt like transfers were better represented through the files.log 
anyway.  Generally if data is seen as being transferred that will be 
represented in files.log since that's the aggregation point for all 
"files" seen by Bro.  smb_files.log can be really helpful if you need to 
know when someone is poking around at files even if they aren't 
transferring them and there is a lot of information there that can be 
useful forensically (MAC times being the big one in my mind).

If you have thoughts on other SMB logs that you'd like to see or if you 
have thoughts on extensions to the smb_files.log I'd love to hear them!  
There is definitely no right or wrong answer to what should be in those 
logs or even what logs should exist.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From gordonjamesr at gmail.com  Thu Apr  5 08:24:15 2018
From: gordonjamesr at gmail.com (James Gordon)
Date: Thu, 5 Apr 2018 08:24:15 -0700
Subject: [Bro] Intel::FILE_NAME and SMB_files behavior questions
In-Reply-To: <F7488611-DA75-43E0-9BB0-DB8D05E87940@corelight.com>
References: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
	<F7488611-DA75-43E0-9BB0-DB8D05E87940@corelight.com>
Message-ID: <CAGJ39vP+hF5CvuBYtorgQYtZdA7KpyRcSOKbPhQ94iqoHkdxgA@mail.gmail.com>

Hey Seth and Mark,

First off, thanks for the info! Mark, I'll work on flushing out that code -
looks like exactly what I need to alert on those types of filenames (if
there turns out to be value there :) )

Seth - in my testing on this, I was transferring a text document titled
'ntds.dit' over an SMB connection that Bro was monitoring. I think my
confusion on this is over what the SMB analyzer chooses to send into
files.log. I would expect to see the filename of a file that was written
over that connection, where in this case I had files that were opened (as
you mentioned, probably just by the client caching timestamps), but not the
file that was actually sent over that connection.

In my original email, I'd mentioned a red team 'adversary' pulled the
ntds.dit file off a domain controller and sent it to his system over an SMB
connection. For this connection, I have an smb_files log entry AND a
files.log entry that log a filename of: temp//ntds.dit being transferred.
When I created a test text document named 'ntds.dit' and sent it to a
remote fileshare, bro recorded the correct name in smb_files.log, but
nothing about that file in files.log!

I'd like to rephrase my questions a little:
1.When does a filename seen over SMB appear in files.log?

As far as flushing out some of the noise in smb_files.log - would it be
possible to only log FILE_OPEN's where the file has a 'time accessed'
timestamp that falls in the duration of the connection? This might not be
foolproof, but could cut down on file_open noise substantially. Just
brainstorming on this - but it seems like that would eliminate a lot of the
noise where the smb client "opens" a file but really just grabs that file's
timestamps or other metadata.




On Thu, Apr 5, 2018 at 6:16 AM, Seth Hall <seth at corelight.com> wrote:

>
> On 31 Mar 2018, at 18:14, James Gordon wrote:
>
> I have a few questions on behavioral issues with the intel framework and
>> SMB / SMB file logging:
>>
>> 1. I?m not sure if this is expected behavior or not, but it doesn?t look
>> like filenames parsed in smb_files.log are properly being logged in
>> files.log.
>>
>
> I checked in our autogenerated documentation and I'm now noticing a
> glaring lack of documentation about *what* that log represents. :(
>
> That log is meant to represent that an action against a file was seen.
> Considering that since SMB is a file system protocol you will see a lot of
> actions that aren't necessarily file transfers.  Most of what I've
> typically seen in smb_files.log is files being opened.  This seems be a
> very common action in SMB, I don't know all of the reasons that an
> application might open a file but not read nor write to it but it's
> definitely seen a lot.  I think that it could be a way for the client to
> get a timestamp for a remote file or other metadata.  Other actions that
> fits into that log are file renames and deletes.  File renames are
> represented through the "name" and "prev_name" fields.  Deletes just give
> the name of the file before it was deleted.
>
> The important field to look at is the "action" field since that's where
> the log tells you what the client was actually doing.  Here are all of the
> potential actions that you will typically see there...
>                 FILE_OPEN,
>                 FILE_RENAME,
>                 FILE_DELETE,
>
> If you wanted, you could add FILE_CLOSE as action that you want logged if
> you add this to your local.bro (I chose to leave this out by default since
> it didn't seem to provide much extra context, but had a great increase in
> log size)...
>
> redef SMB::logged_file_actions += { SMB::FILE_CLOSE };
>
> You could also have it include FILE_WRITE and FILE_READ, but those are
> really not great to include and lead to a massive increase in log size but
> I felt like transfers were better represented through the files.log
> anyway.  Generally if data is seen as being transferred that will be
> represented in files.log since that's the aggregation point for all "files"
> seen by Bro.  smb_files.log can be really helpful if you need to know when
> someone is poking around at files even if they aren't transferring them and
> there is a lot of information there that can be useful forensically (MAC
> times being the big one in my mind).
>
> If you have thoughts on other SMB logs that you'd like to see or if you
> have thoughts on extensions to the smb_files.log I'd love to hear them!
> There is definitely no right or wrong answer to what should be in those
> logs or even what logs should exist.
>
>   .Seth
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180405/5b5a1df5/attachment.html 

From seth at corelight.com  Thu Apr  5 13:16:41 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 05 Apr 2018 16:16:41 -0400
Subject: [Bro] Intel::FILE_NAME and SMB_files behavior questions
In-Reply-To: <CAGJ39vP+hF5CvuBYtorgQYtZdA7KpyRcSOKbPhQ94iqoHkdxgA@mail.gmail.com>
References: <E0487939-B130-4419-8F9D-F56D7D375431@gmail.com>
	<F7488611-DA75-43E0-9BB0-DB8D05E87940@corelight.com>
	<CAGJ39vP+hF5CvuBYtorgQYtZdA7KpyRcSOKbPhQ94iqoHkdxgA@mail.gmail.com>
Message-ID: <752C045B-2898-413E-B9D3-387E95244E70@corelight.com>



On 5 Apr 2018, at 11:24, James Gordon wrote:

> Seth - in my testing on this, I was transferring a text document 
> titled
> 'ntds.dit' over an SMB connection that Bro was monitoring. I think my
> confusion on this is over what the SMB analyzer chooses to send into
> files.log. I would expect to see the filename of a file that was 
> written
> over that connection, where in this case I had files that were opened 
> (as
> you mentioned, probably just by the client caching timestamps), but 
> not the
> file that was actually sent over that connection.

Now that starts to sound more like a bug or packet loss. :)

Any details about the connection where you'd expect to see the file or 
other logs that showed up that were related would be appreciated.  In an 
ideal world I'd also ask for a PCAP, but that sounds unlikely... maybe?  
Basically I'd like to hear any more of the specifics about what Bro 
*did* see so that we can possibly figure out what did actually happen.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From greg.grasmehr at caltech.edu  Thu Apr  5 16:36:40 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Thu, 5 Apr 2018 16:36:40 -0700
Subject: [Bro] Worker System Memory Exhaustion
Message-ID: <20180405233640.7affge272ncxqfs5@dakine>

Hello List,

We're running Bro version 2.5-467 and shunting connections in an Arista
5100 via the excellent Dumbno.  The system is essentially a Bro-in-a-box
with 251G RAM and a Myricom SNF+ card.  Bro spawns 32 workers to monitor
a 10G link that averages roughly 5G and spikes to 7 on occasion.  Logs
are rotated every 1/2 hour.

The current configuration has been running for about 2 weeks and thus
far the only problem I have encountered is that given enough time, the
workers will eventually exhaust all of the available system memory
including scratch.

Currently I am running a watcher process which slowly restarts the
workers once available memory is < 4G and this has solved the problem,
but this seems an imperfect solution thus I am wondering if anyone knows
the source of the apparent memory leak?  Loaded scripts are attached and
thanks in advance for any informative illumination on this issue.

--
Sincerely,

Greg Grasmehr
California Institute of Technology (Caltech)
I ain't got a gat, but I have a soldering gun - W.A.Y.
GPGMe: 38E2 F9BD A95E 9824 20AB  331A 9E29 D1A1 AAEE 5F42
pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9E29D1A1AAEE5F42

-------------- next part --------------
A non-text attachment was scrubbed...
Name: loaded_scripts.11:19:27-11:30:00.log.gz
Type: application/x-gzip
Size: 2863 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180405/c41254e6/attachment.gz 

From jazoff at illinois.edu  Fri Apr  6 05:24:37 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 6 Apr 2018 12:24:37 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <20180405233640.7affge272ncxqfs5@dakine>
References: <20180405233640.7affge272ncxqfs5@dakine>
Message-ID: <D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>


> On Apr 5, 2018, at 7:36 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> 
> Hello List,
> 
> We're running Bro version 2.5-467 and shunting connections in an Arista
> 5100 via the excellent Dumbno.  The system is essentially a Bro-in-a-box
> with 251G RAM and a Myricom SNF+ card.  Bro spawns 32 workers to monitor
> a 10G link that averages roughly 5G and spikes to 7 on occasion.  Logs
> are rotated every 1/2 hour.

Cool :-)

> The current configuration has been running for about 2 weeks and thus
> far the only problem I have encountered is that given enough time, the
> workers will eventually exhaust all of the available system memory
> including scratch.

Less cool :-(

> Currently I am running a watcher process which slowly restarts the
> workers once available memory is < 4G and this has solved the problem,
> but this seems an imperfect solution thus I am wondering if anyone knows
> the source of the apparent memory leak?  Loaded scripts are attached and
> thanks in advance for any informative illumination on this issue.

try commenting out

@load misc/scan

from local.bro.

If you have a lot of address space and bro is before any firewall as opposed to after it, this is likely the source of the problems.

If that fixes it there are other scan detection implementations that are a bit more efficient.

? 
Justin Azoff



From hovsep.sanjay.levi at gmail.com  Fri Apr  6 07:07:24 2018
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Fri, 6 Apr 2018 14:07:24 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
Message-ID: <CAJ19UZCuBsDhdO4fAAQX+syPo8etJha9bCKNtKKSptYKG9PfMA@mail.gmail.com>

This was a battle we endured for many many moons (12+ months), look to the
archives for the pain and suffering.

Final solution :  Enable multiple loggers (now part of Bro), disable
writing logs to disk and stream logs to Kafka.  (Thank you KafkaLogger
author)

Reasoning  :  At some point Bro's log writing cannot keep up with the
volume.  Believed to be a bottleneck with the the default architecture
using a single "Logger" node.

Possible alternative  :  Enable multiple loggers, but when writing to disk
you might have a possible race condition with filenames and dates.  Also
you'll have multiple logs for each rotation interval (ex: 4 loggers means 4
conn.log, 4 http.log, 4 ssh.log, etc...)


^ Hovsep
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180406/c5a262e8/attachment.html 

From jazoff at illinois.edu  Fri Apr  6 07:23:40 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 6 Apr 2018 14:23:40 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <CAJ19UZCuBsDhdO4fAAQX+syPo8etJha9bCKNtKKSptYKG9PfMA@mail.gmail.com>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<CAJ19UZCuBsDhdO4fAAQX+syPo8etJha9bCKNtKKSptYKG9PfMA@mail.gmail.com>
Message-ID: <ABF04336-A5FC-41BD-B840-AC291833374D@illinois.edu>


> On Apr 6, 2018, at 10:07 AM, Hovsep Levi <hovsep.sanjay.levi at gmail.com> wrote:
> 
> This was a battle we endured for many many moons (12+ months), look to the archives for the pain and suffering. 
> 
> Final solution :  Enable multiple loggers (now part of Bro), disable writing logs to disk and stream logs to Kafka.  (Thank you KafkaLogger author)
> 
> Reasoning  :  At some point Bro's log writing cannot keep up with the volume.  Believed to be a bottleneck with the the default architecture using a single "Logger" node.
> 
> Possible alternative  :  Enable multiple loggers, but when writing to disk you might have a possible race condition with filenames and dates.  Also you'll have multiple logs for each rotation interval (ex: 4 loggers means 4 conn.log, 4 http.log, 4 ssh.log, etc...)
> 
> 
> ^ Hovsep
> 

Ah, yeah, it could be that too.  Things got better for the most part once the logger node was introduced, so this hasn't been the problem for people recently.

I think most of the remaining problems with the logger node scaling are limited to extremely large log volumes and people who had AMD systems with many slow cores.. I think you had one of those.

In any case, that is easy to check for by looking at broctl top and monitoring the log lag.  If the logs are not behind, the problem is something else.

https://gist.github.com/JustinAzoff/01396a34c8f92d4dda1b


is a script for munin that will output how old the most recent record in the conn.log is.  You can just run it manually though:

[jazoff at bro-dev ~]$ curl -o log_lag.py https://gist.githubusercontent.com/JustinAzoff/01396a34c8f92d4dda1b/raw/2dba7fdf93915748948b238c20de965b4636cb9e/log_lag.py
[jazoff at bro-dev ~]$ python log_lag.py
lag.value 5.526168


The number should be 5-10s and not growing.

? 
Justin Azoff



From pssunu6 at gmail.com  Fri Apr  6 08:19:42 2018
From: pssunu6 at gmail.com (ps sunu)
Date: Fri, 6 Apr 2018 20:49:42 +0530
Subject: [Bro] docker bro with pf_ring
Message-ID: <CALGAZaDMzkkFZAC91H3AMC_dPygJujVJFE5GPV-_P+0Fun+vpA@mail.gmail.com>

How to configure docker bro with pfring any proper steps have to try ?


Regards,
sunu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180406/54119728/attachment-0001.html 

From cpearson at uidaho.edu  Fri Apr  6 10:02:02 2018
From: cpearson at uidaho.edu (Pearson, Carl (cpearson@uidaho.edu))
Date: Fri, 6 Apr 2018 17:02:02 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
Message-ID: <MWHPR04MB03693DCF91AA1A924BAD7FB9A9BA0@MWHPR04MB0369.namprd04.prod.outlook.com>

I endorse commenting out "@load misc/scan", that really stabilized memory usage in our environment. We also commented out "@load misc/detect-traceroute" and that seemed to help as well. 

>From your description I don't know if this applies to your situation, but for what it's worth we use PF_RING and experienced high resource utilization initially due to PF_RING not loading correctly. The issue tracker for it is here: https://bro-tracker.atlassian.net/browse/BIT-1864 - TL;DR, change pfringclusterid in broctl.cfg to 21; if pfringclusterid is set to 0 PF_RING doesn't actually do anything even though everything will indicate it's running. Again, don't know if it applies but thought I'd throw it out there. :)

Thanks,
Carl
University of Idaho

-----Original Message-----
From: bro-bounces at bro.org <bro-bounces at bro.org> On Behalf Of Azoff, Justin S
Sent: Friday, April 6, 2018 05:25
To: Greg Grasmehr <greg.grasmehr at caltech.edu>
Cc: bro at bro.org
Subject: Re: [Bro] Worker System Memory Exhaustion


> On Apr 5, 2018, at 7:36 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> 
> Hello List,
> 
> We're running Bro version 2.5-467 and shunting connections in an 
> Arista
> 5100 via the excellent Dumbno.  The system is essentially a 
> Bro-in-a-box with 251G RAM and a Myricom SNF+ card.  Bro spawns 32 
> workers to monitor a 10G link that averages roughly 5G and spikes to 7 
> on occasion.  Logs are rotated every 1/2 hour.

Cool :-)

> The current configuration has been running for about 2 weeks and thus 
> far the only problem I have encountered is that given enough time, the 
> workers will eventually exhaust all of the available system memory 
> including scratch.

Less cool :-(

> Currently I am running a watcher process which slowly restarts the 
> workers once available memory is < 4G and this has solved the problem, 
> but this seems an imperfect solution thus I am wondering if anyone 
> knows the source of the apparent memory leak?  Loaded scripts are 
> attached and thanks in advance for any informative illumination on this issue.

try commenting out

@load misc/scan

from local.bro.

If you have a lot of address space and bro is before any firewall as opposed to after it, this is likely the source of the problems.

If that fixes it there are other scan detection implementations that are a bit more efficient.

?
Justin Azoff


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From greg.grasmehr at caltech.edu  Fri Apr  6 10:57:09 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 6 Apr 2018 10:57:09 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <ABF04336-A5FC-41BD-B840-AC291833374D@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<CAJ19UZCuBsDhdO4fAAQX+syPo8etJha9bCKNtKKSptYKG9PfMA@mail.gmail.com>
	<ABF04336-A5FC-41BD-B840-AC291833374D@illinois.edu>
Message-ID: <20180406175709.mx4xt7tg2ktvx2wz@dakine>

Fast Intel CPU and the live logs write to a RAID 1 virtual disk built
on enterprise SSD drives, logs are archived to a virtual disk RAID 10
built on 15K SAS spindles.

I will give your debugging a try and see what it says.

Thanks all and have a good weekend.

Greg

On 04/06/18 14:23:40, Azoff, Justin S wrote:
> 
> > On Apr 6, 2018, at 10:07 AM, Hovsep Levi <hovsep.sanjay.levi at gmail.com> wrote:
> > 
> > This was a battle we endured for many many moons (12+ months), look to the archives for the pain and suffering. 
> > 
> > Final solution :  Enable multiple loggers (now part of Bro), disable writing logs to disk and stream logs to Kafka.  (Thank you KafkaLogger author)
> > 
> > Reasoning  :  At some point Bro's log writing cannot keep up with the volume.  Believed to be a bottleneck with the the default architecture using a single "Logger" node.
> > 
> > Possible alternative  :  Enable multiple loggers, but when writing to disk you might have a possible race condition with filenames and dates.  Also you'll have multiple logs for each rotation interval (ex: 4 loggers means 4 conn.log, 4 http.log, 4 ssh.log, etc...)
> > 
> > 
> > ^ Hovsep
> > 
> 
> Ah, yeah, it could be that too.  Things got better for the most part once the logger node was introduced, so this hasn't been the problem for people recently.
> 
> I think most of the remaining problems with the logger node scaling are limited to extremely large log volumes and people who had AMD systems with many slow cores.. I think you had one of those.
> 
> In any case, that is easy to check for by looking at broctl top and monitoring the log lag.  If the logs are not behind, the problem is something else.
> 
> https://gist.github.com/JustinAzoff/01396a34c8f92d4dda1b

> 
> is a script for munin that will output how old the most recent record in the conn.log is.  You can just run it manually though:
> 
> [jazoff at bro-dev ~]$ curl -o log_lag.py https://gist.githubusercontent.com/JustinAzoff/01396a34c8f92d4dda1b/raw/2dba7fdf93915748948b238c20de965b4636cb9e/log_lag.py
> [jazoff at bro-dev ~]$ python log_lag.py
> lag.value 5.526168
> 
> 
> The number should be 5-10s and not growing.
> 
> ? 
> Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From greg.grasmehr at caltech.edu  Fri Apr  6 11:03:04 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 6 Apr 2018 11:03:04 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <MWHPR04MB03693DCF91AA1A924BAD7FB9A9BA0@MWHPR04MB0369.namprd04.prod.outlook.com>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<MWHPR04MB03693DCF91AA1A924BAD7FB9A9BA0@MWHPR04MB0369.namprd04.prod.outlook.com>
Message-ID: <20180406180304.7tgor2e36ebn7a77@dakine>

Thanks Carl, will consider this avenue too.

Greg

On 04/06/18 17:02:02, Pearson, Carl (cpearson at uidaho.edu) wrote:
> I endorse commenting out "@load misc/scan", that really stabilized memory usage in our environment. We also commented out "@load misc/detect-traceroute" and that seemed to help as well. 
> 
> From your description I don't know if this applies to your situation, but for what it's worth we use PF_RING and experienced high resource utilization initially due to PF_RING not loading correctly. The issue tracker for it is here: https://bro-tracker.atlassian.net/browse/BIT-1864 - TL;DR, change pfringclusterid in broctl.cfg to 21; if pfringclusterid is set to 0 PF_RING doesn't actually do anything even though everything will indicate it's running. Again, don't know if it applies but thought I'd throw it out there. :)
> 
> Thanks,
> Carl
> University of Idaho
> 
> -----Original Message-----
> From: bro-bounces at bro.org <bro-bounces at bro.org> On Behalf Of Azoff, Justin S
> Sent: Friday, April 6, 2018 05:25
> To: Greg Grasmehr <greg.grasmehr at caltech.edu>
> Cc: bro at bro.org
> Subject: Re: [Bro] Worker System Memory Exhaustion
> 
> 
> > On Apr 5, 2018, at 7:36 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> > 
> > Hello List,
> > 
> > We're running Bro version 2.5-467 and shunting connections in an 
> > Arista
> > 5100 via the excellent Dumbno.  The system is essentially a 
> > Bro-in-a-box with 251G RAM and a Myricom SNF+ card.  Bro spawns 32 
> > workers to monitor a 10G link that averages roughly 5G and spikes to 7 
> > on occasion.  Logs are rotated every 1/2 hour.
> 
> Cool :-)
> 
> > The current configuration has been running for about 2 weeks and thus 
> > far the only problem I have encountered is that given enough time, the 
> > workers will eventually exhaust all of the available system memory 
> > including scratch.
> 
> Less cool :-(
> 
> > Currently I am running a watcher process which slowly restarts the 
> > workers once available memory is < 4G and this has solved the problem, 
> > but this seems an imperfect solution thus I am wondering if anyone 
> > knows the source of the apparent memory leak?  Loaded scripts are 
> > attached and thanks in advance for any informative illumination on this issue.
> 
> try commenting out
> 
> @load misc/scan
> 
> from local.bro.
> 
> If you have a lot of address space and bro is before any firewall as opposed to after it, this is likely the source of the problems.
> 
> If that fixes it there are other scan detection implementations that are a bit more efficient.
> 
> ?
> Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From greg.grasmehr at caltech.edu  Fri Apr  6 13:31:55 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 6 Apr 2018 13:31:55 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
Message-ID: <20180406203155.js2h2e3lc4bdauuu@dakine>

I think Justin hit the nail on the head, we monitor two full /16, 3 /24
and 2 partial /16, in front of any local FW devices; similar to LBL.
Commenting out misc/scan did the trick, memory is now being freed as one
would expect.

We already know we have TONS of scanners traversing the network, so
probably don't need this at all although I am interested in hearing of
good alternatives.

Thanks again everyone, greatly appreciate the help.

Greg

> try commenting out
> 
> @load misc/scan
> 
> from local.bro.
> 
> If you have a lot of address space and bro is before any firewall as opposed to after it, this is likely the source of the problems.
> 
> If that fixes it there are other scan detection implementations that are a bit more efficient.
> 
> ? 
> Justin Azoff
> 

From jazoff at illinois.edu  Fri Apr  6 13:45:50 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 6 Apr 2018 20:45:50 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <20180406203155.js2h2e3lc4bdauuu@dakine>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<20180406203155.js2h2e3lc4bdauuu@dakine>
Message-ID: <3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>


> On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> 
> I think Justin hit the nail on the head, we monitor two full /16, 3 /24
> and 2 partial /16, in front of any local FW devices; similar to LBL.
> Commenting out misc/scan did the trick, memory is now being freed as one
> would expect.
> 
> We already know we have TONS of scanners traversing the network, so
> probably don't need this at all although I am interested in hearing of
> good alternatives.
> 
> Thanks again everyone, greatly appreciate the help.
> 
> Greg

https://github.com/ncsa/bro-simple-scan

https://github.com/initconf/scan-NG

both are available in bro-pkg.  I'm obviously partial to simple-scan, but 
Aashish is closer to you if you need someone to blame if it breaks :-)


? 
Justin Azoff



From asharma at lbl.gov  Fri Apr  6 14:08:13 2018
From: asharma at lbl.gov (Aashish Sharma)
Date: Fri, 6 Apr 2018 14:08:13 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<20180406203155.js2h2e3lc4bdauuu@dakine>
	<3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>
Message-ID: <20180406210812.GL7186@MacPro-2331.local>

[ sorry to chime late - still catching up on the thread ] 

Greg, 

I generally shunt (disable) sumstats on all my clusters. back in the day, while
early adapting I had memory issues in cluster and since then I have disabled it
every where for years now. 

Basically: in /usr/local/bro/share/bro/base/frameworks/sumstats/main.bro

to completely make sumstats ineffective - Add a return at the top of "function observe"


--- /home/bro/master/share/bro/base/frameworks/sumstats/main.bro        2018-04-06 14:02:05.131016000 -0700
+++ /home/bro/master/share/bro/base/frameworks/sumstats/main.bro.dis    2018-04-06 14:01:54.384697000 -0700
@@ -402,6 +402,9 @@ function create(ss: SumStat)
 function observe(id: string, key: Key, obs: Observation)
        {

+       ### this retun disables the sumstats
+       return;
+
        if ( id !in reducer_store )
                return;



As of scan-detection: 

Justin did us a favor by releasing bro-simple-scan - its simpler and effective
and flags >90-95% of scans flagged by scan-NG. 

scan-NG needs configurations - see : scan-config.bro in there. 

We've been using scan-NG for > 2years and is our work horse for dynamic firewall
blocking. very minimal FPs compared to old-scan. 

I have never used stock misc/scan  because it was only flagged < 10% of scanners
for us when I ran comparisons many many years ago and memory issues. 

may be start with bro-simple-scan and move to scan-NG if you really find stuff
missing. Send me pcaps if scan-NG is missing something. I'd be curious about
those kinds of scans. 

> Aashish is closer to you if you need someone to blame if it breaks :-)

Totally! :) 

Aashish 

On Fri, Apr 06, 2018 at 08:45:50PM +0000, Azoff, Justin S wrote:
> 
> > On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> > 
> > I think Justin hit the nail on the head, we monitor two full /16, 3 /24
> > and 2 partial /16, in front of any local FW devices; similar to LBL.
> > Commenting out misc/scan did the trick, memory is now being freed as one
> > would expect.
> > 
> > We already know we have TONS of scanners traversing the network, so
> > probably don't need this at all although I am interested in hearing of
> > good alternatives.
> > 
> > Thanks again everyone, greatly appreciate the help.
> > 
> > Greg
> 
> https://github.com/ncsa/bro-simple-scan
> 
> https://github.com/initconf/scan-NG
> 
> both are available in bro-pkg.  I'm obviously partial to simple-scan, but 
> Aashish is closer to you if you need someone to blame if it breaks :-)
> 
> 
> ? 
> Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From paul_nash at harvard.edu  Fri Apr  6 14:16:12 2018
From: paul_nash at harvard.edu (Nash, Paul Edward)
Date: Fri, 6 Apr 2018 21:16:12 +0000
Subject: [Bro] Sample log header generator?
Message-ID: <DC8E299C-2AEC-4C91-BC43-5EDDCB6C64D0@harvard.edu>

Hi All,
  For a given distribution of Bro, is there a simple way to generate the header portions for all of the various (network/protocol related) log files?  Specifically, I?m looking for the names of the individuals fields (the #fields line).   My goal is to use the information to automatically generate back-end splunk configuration files prior to upgrading a live system. While the field names don?t change often, they have in the past.  Relying on live data to generate the individual logs isn?t ideal as actual traffic must be observed or you have to have a sample pcap for every protocol.

While sample logs do exist in the ?testing? directory, I don?t see a quick way to grab samples for each log type that would be repeatable for future releases.

Thanks,
-Paul

--
Paul Nash
HUIT IT Security Operations
617.998.5126

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180406/5ba5e7d2/attachment.html 

From michalpurzynski1 at gmail.com  Fri Apr  6 14:17:47 2018
From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=)
Date: Fri, 6 Apr 2018 14:17:47 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<20180406203155.js2h2e3lc4bdauuu@dakine>
	<3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>
Message-ID: <74AACCE6-B557-406F-A11C-605253B7A9B4@gmail.com>

I?ve been monitoring /20 and several small subnets plus internal /8 with Justin?s simple scans and it?s excellent. Highly recommended. It?s also faster when it comes to detection.

> On Apr 6, 2018, at 1:45 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> 
>> On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
>> 
>> I think Justin hit the nail on the head, we monitor two full /16, 3 /24
>> and 2 partial /16, in front of any local FW devices; similar to LBL.
>> Commenting out misc/scan did the trick, memory is now being freed as one
>> would expect.
>> 
>> We already know we have TONS of scanners traversing the network, so
>> probably don't need this at all although I am interested in hearing of
>> good alternatives.
>> 
>> Thanks again everyone, greatly appreciate the help.
>> 
>> Greg
> 
> https://github.com/ncsa/bro-simple-scan
> 
> https://github.com/initconf/scan-NG
> 
> both are available in bro-pkg.  I'm obviously partial to simple-scan, but 
> Aashish is closer to you if you need someone to blame if it breaks :-)
> 
> 
> ? 
> Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From hhoffman at ip-solutions.net  Fri Apr  6 14:30:06 2018
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Fri, 06 Apr 2018 21:30:06 +0000
Subject: [Bro] Sample log header generator?
In-Reply-To: <DC8E299C-2AEC-4C91-BC43-5EDDCB6C64D0@harvard.edu>
References: <DC8E299C-2AEC-4C91-BC43-5EDDCB6C64D0@harvard.edu>
Message-ID: <CA+2G-yD4GDAc7xkrKGt1bCdpDyJOSKN3B5SXxDCkDoTA0Dvkaw@mail.gmail.com>

Hi Paul,

Not sure if this is, exactly, what you're looking for as it doesn't break
it down per version of Bro but it maybe enough:

https://www.bro.org/sphinx/script-reference/log-files.html

Cheers,
Harry


On Fri, Apr 6, 2018, 5:25 PM Nash, Paul Edward <paul_nash at harvard.edu>
wrote:

> Hi All,
>
>   For a given distribution of Bro, is there a simple way to generate the
> header portions for all of the various (network/protocol related) log
> files?  Specifically, I?m looking for the names of the individuals fields
> (the #fields line).   My goal is to use the information to automatically
> generate back-end splunk configuration files prior to upgrading a live
> system. While the field names don?t change often, they have in the past.
> Relying on live data to generate the individual logs isn?t ideal as actual
> traffic must be observed or you have to have a sample pcap for every
> protocol.
>
>
>
> While sample logs do exist in the ?testing? directory, I don?t see a quick
> way to grab samples for each log type that would be repeatable for future
> releases.
>
>
>
> Thanks,
>
> -Paul
>
>
>
> --
>
> Paul Nash
>
> HUIT IT Security Operations
>
> 617.998.5126
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180406/b4342170/attachment.html 

From dopheide at gmail.com  Fri Apr  6 14:31:26 2018
From: dopheide at gmail.com (Mike Dopheide)
Date: Fri, 6 Apr 2018 16:31:26 -0500
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <74AACCE6-B557-406F-A11C-605253B7A9B4@gmail.com>
References: <20180405233640.7affge272ncxqfs5@dakine>
	<D7FD0785-02C4-434E-AD48-7D213BF66B68@illinois.edu>
	<20180406203155.js2h2e3lc4bdauuu@dakine>
	<3F9460A4-0060-45DC-80B6-474DF1559851@illinois.edu>
	<74AACCE6-B557-406F-A11C-605253B7A9B4@gmail.com>
Message-ID: <CAPy2kFbKTA=vm0KATFBC3grPZGkmTN-pPK8hHByiomAtGadZTA@mail.gmail.com>

So why not just replace the core misc/scan.bro with Justin's that seems
clearly better?

-Dop

On Fri, Apr 6, 2018 at 4:17 PM, Micha? Purzy?ski <michalpurzynski1 at gmail.com
> wrote:

> I?ve been monitoring /20 and several small subnets plus internal /8 with
> Justin?s simple scans and it?s excellent. Highly recommended. It?s also
> faster when it comes to detection.
>
> > On Apr 6, 2018, at 1:45 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> >
> >
> >> On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu>
> wrote:
> >>
> >> I think Justin hit the nail on the head, we monitor two full /16, 3 /24
> >> and 2 partial /16, in front of any local FW devices; similar to LBL.
> >> Commenting out misc/scan did the trick, memory is now being freed as one
> >> would expect.
> >>
> >> We already know we have TONS of scanners traversing the network, so
> >> probably don't need this at all although I am interested in hearing of
> >> good alternatives.
> >>
> >> Thanks again everyone, greatly appreciate the help.
> >>
> >> Greg
> >
> > https://github.com/ncsa/bro-simple-scan
> >
> > https://github.com/initconf/scan-NG
> >
> > both are available in bro-pkg.  I'm obviously partial to simple-scan, but
> > Aashish is closer to you if you need someone to blame if it breaks :-)
> >
> >
> > ?
> > Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180406/06d9e03d/attachment.html 

From assaf.morami at gmail.com  Mon Apr  9 07:05:43 2018
From: assaf.morami at gmail.com (Assaf)
Date: Mon, 9 Apr 2018 17:05:43 +0300
Subject: [Bro] internal error: file analyzer instantiation failed
Message-ID: <CADsFwiejtxOPA1POJ3ABKYVggb5dR0pZ4DgsRipVMgu_+ENz=A@mail.gmail.com>

Hi to all. :-)

When running:
bro -r my.pcap -b -C base/protocols/rdp
(ubuntu server 16.04 - bro version 2.4.1)

I'm getting an error:
Error: 1521789435.202907 internal error: file analyzer instantiation failed

I've found nothing on google or the docs.

How can I fix this?

Thanks,
Assaf.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/0c71e0be/attachment.html 

From brandon.sterne at gmail.com  Mon Apr  9 08:56:04 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Mon, 9 Apr 2018 08:56:04 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
Message-ID: <CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>

Hi Justin,

Thank you for the reply. I don't think it is the MTU that is preventing the
sensor from decoding the traffic correctly. I ran the same test case with
snaplen=65535 and still received only the connection_established
event:

[vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
rules/bro/detect-http-request.bro
<params>, line 1: listening on lo, capture length 65535 bytes

Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
service={

}, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]

I'm attaching the script I'm using and the pcap for the same request, taken
with:
sudo tcpdump -i lo -s 0 -w port8080.pcap

Thanks,
Brandon


On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
> wrote:
> >
> > Hello,
> >
> > I am attempting to get Bro working sitting behind a reverse proxy
> (nginx), which is receiving connections, terminating TLS, and forwarding
> cleartext HTTP to a local app server (Tomcat). I have a really simple test
> case that demonstrates the problem I'm running into, which is that Bro HTTP
> events are only detected when requests are sent plaintext (without TLS).
> Here is the test case I'm using:
>
> The output you have included is not enough to tell what is wrong.
> Minimally, full conn.log entries are required to figure out what bro is
> seeing.  Even better would be a full pcap of the traffic that bro is not
> properly decoding.
>
> To just guess, i'd say your problem is that the MTU on lo is 65536 and bro
> is not configured by default to handle that.  Throwing a
>
> redef Pcap::snaplen = 65536
>
> in your script may get things working.
>
>
> ?
> Justin Azoff
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/4d51b35f/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: detect-http-request.bro
Type: application/octet-stream
Size: 471 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/4d51b35f/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port8080.pcap
Type: application/octet-stream
Size: 2777 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/4d51b35f/attachment-0001.obj 

From seth at corelight.com  Mon Apr  9 13:33:53 2018
From: seth at corelight.com (Seth Hall)
Date: Mon, 09 Apr 2018 16:33:53 -0400
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
Message-ID: <61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>

I don't know how it happened, but the timestamp for the SYN/ACK packet 
in your pcap is March 22, 1970.  Bro uses the timestamps from packets to 
track it's notion of time moving forward and with Bro's internal clock 
being shoved around by nearly 50 years twice in the span of three 
packets will throw it off pretty badly (lots of timeouts take place). ;)

Any clue why the timestamp on that packet would be like that?  It's just 
the one packet in your pcap that is messed up too.

   .Seth

On 9 Apr 2018, at 11:56, Brandon Sterne wrote:

> Hi Justin,
>
> Thank you for the reply. I don't think it is the MTU that is 
> preventing the
> sensor from decoding the traffic correctly. I ran the same test case 
> with
> snaplen=65535 and still received only the connection_established
> event:
>
> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
> rules/bro/detect-http-request.bro
> <params>, line 1: listening on lo, capture length 65535 bytes
>
> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, 
> resp_h=127.0.0.1,
> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
> flow_label=0], start_time=1523289116.669146, 
> duration=-1516793840.109909,
> service={
>
> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, 
> extract_resp=F,
> thresholds=<uninitialized>, dhcp=<uninitialized>, 
> dnp3=<uninitialized>,
> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
> snmp=<uninitialized>, smtp=<uninitialized>, 
> smtp_state=<uninitialized>,
> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>
> I'm attaching the script I'm using and the pcap for the same request, 
> taken
> with:
> sudo tcpdump -i lo -s 0 -w port8080.pcap
>
> Thanks,
> Brandon
>
>
> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu> 
> wrote:
>
>>
>>> On Apr 2, 2018, at 12:04 AM, Brandon Sterne 
>>> <brandon.sterne at gmail.com>
>> wrote:
>>>
>>> Hello,
>>>
>>> I am attempting to get Bro working sitting behind a reverse proxy
>> (nginx), which is receiving connections, terminating TLS, and 
>> forwarding
>> cleartext HTTP to a local app server (Tomcat). I have a really simple 
>> test
>> case that demonstrates the problem I'm running into, which is that 
>> Bro HTTP
>> events are only detected when requests are sent plaintext (without 
>> TLS).
>> Here is the test case I'm using:
>>
>> The output you have included is not enough to tell what is wrong.
>> Minimally, full conn.log entries are required to figure out what bro 
>> is
>> seeing.  Even better would be a full pcap of the traffic that bro is 
>> not
>> properly decoding.
>>
>> To just guess, i'd say your problem is that the MTU on lo is 65536 
>> and bro
>> is not configured by default to handle that.  Throwing a
>>
>> redef Pcap::snaplen = 65536
>>
>> in your script may get things working.
>>
>>
>> ?
>> Justin Azoff
>>
>>


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/4dcc601b/attachment.html 

From michalpurzynski1 at gmail.com  Mon Apr  9 15:34:08 2018
From: michalpurzynski1 at gmail.com (=?UTF-8?B?TWljaGHFgiBQdXJ6ecWEc2tp?=)
Date: Mon, 9 Apr 2018 15:34:08 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
	<61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
Message-ID: <CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>

To help with the investigation, I also observed a similar behavior on some
CentOS 7.x hosts, when capturing traffic into a pcap on a live system would
result in some packets being saved with the 70's timestamp.

The question remain - is that a kernel bug, a network card bug, a driver
bug?

On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> wrote:

> I don't know how it happened, but the timestamp for the SYN/ACK packet in
> your pcap is March 22, 1970. Bro uses the timestamps from packets to track
> it's notion of time moving forward and with Bro's internal clock being
> shoved around by nearly 50 years twice in the span of three packets will
> throw it off pretty badly (lots of timeouts take place). ;)
>
> Any clue why the timestamp on that packet would be like that? It's just
> the one packet in your pcap that is messed up too.
>
> .Seth
>
> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>
> Hi Justin,
>
> Thank you for the reply. I don't think it is the MTU that is preventing
> the sensor from decoding the traffic correctly. I ran the same test case
> with snaplen=65535 and still received only the connection_established
> event:
>
> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
> rules/bro/detect-http-request.bro
> <params>, line 1: listening on lo, capture length 65535 bytes
>
> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
> service={
>
> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>
> I'm attaching the script I'm using and the pcap for the same request,
> taken with:
> sudo tcpdump -i lo -s 0 -w port8080.pcap
>
> Thanks,
> Brandon
>
>
> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
>> wrote:
>> >
>> > Hello,
>> >
>> > I am attempting to get Bro working sitting behind a reverse proxy
>> (nginx), which is receiving connections, terminating TLS, and forwarding
>> cleartext HTTP to a local app server (Tomcat). I have a really simple test
>> case that demonstrates the problem I'm running into, which is that Bro HTTP
>> events are only detected when requests are sent plaintext (without TLS).
>> Here is the test case I'm using:
>>
>> The output you have included is not enough to tell what is wrong.
>> Minimally, full conn.log entries are required to figure out what bro is
>> seeing.  Even better would be a full pcap of the traffic that bro is not
>> properly decoding.
>>
>> To just guess, i'd say your problem is that the MTU on lo is 65536 and
>> bro is not configured by default to handle that.  Throwing a
>>
>> redef Pcap::snaplen = 65536
>>
>> in your script may get things working.
>>
>>
>> ?
>> Justin Azoff
>>
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/3e9a634b/attachment.html 

From brandon.sterne at gmail.com  Mon Apr  9 16:25:51 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Mon, 9 Apr 2018 16:25:51 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
	<61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
	<CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>
Message-ID: <CADXmT7Aa9cf2LZJmqxUBSVkWGt-ETv=nnMry+mcvwsoUwfJA2A@mail.gmail.com>

This is very interesting. It is totally reproducible with CentOS 7 VMs, but
I confirmed the testcase works as expected with an Ubuntu Server VM. On a
freshly provisioned C7 VM, I see "That 70s Packet" when I capture from the
loopback interface, but not when I capture from the external interface:

```[vagrant at localhost pcaps]$ tshark -t ud -r lo-port80.pcap
  1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
WS=64
  2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
WS=64
  4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
TSecr=8358349 WS=64
  5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
  6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
HTTP/1.1
  7 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
[ACK] Seq=1 Ack=74 Win=43712 Len=0 TSval=8358349 TSecr=8358349
  8 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment of
a reassembled PDU]
  9 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=18 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 10 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
of a reassembled PDU]
 11 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=55 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 12 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
of a reassembled PDU]
 13 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=92 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 14 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 106 [TCP segment
of a reassembled PDU]
 15 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=132 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 16 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 87 [TCP segment of
a reassembled PDU]
 17 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=153 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 18 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 68 [TCP segment of
a reassembled PDU]
 19 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=155 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 20 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 512 HTTP/1.0 200
OK  (text/html)
 21 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=74 Ack=601 Win=44800 Len=0 TSval=8358351 TSecr=8358351
 22 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
[FIN, ACK] Seq=601 Ack=74 Win=43712 Len=0 TSval=8358351 TSecr=8358351
 23 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[FIN, ACK] Seq=74 Ack=602 Win=44800 Len=0 TSval=8358351 TSecr=8358351
 24 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
[ACK] Seq=602 Ack=75 Win=43712 Len=0 TSval=8358351 TSecr=8358351
[vagrant at localhost pcaps]$ tshark -t ud -r eth1-port80.pcap
  1 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 78 53640 > http
[SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=240784579
TSecr=0 SACK_PERM=1
  2 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 74 http > 53640
[SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1
TSval=556841 TSecr=240784579 WS=64
  3 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=240784579 TSecr=556841
  4 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 HTTP 415 GET /
HTTP/1.1
  5 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
[ACK] Seq=1 Ack=350 Win=30080 Len=0 TSval=556842 TSecr=240784579
  6 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 83 [TCP segment
of a reassembled PDU]
  7 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=18 Win=131744 Len=0 TSval=240784581 TSecr=556843
  8 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
of a reassembled PDU]
  9 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=55 Win=131712 Len=0 TSval=240784581 TSecr=556844
 10 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
of a reassembled PDU]
 11 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=92 Win=131648 Len=0 TSval=240784581 TSecr=556844
 12 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 106 [TCP segment
of a reassembled PDU]
 13 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=132 Win=131616 Len=0 TSval=240784581 TSecr=556844
 14 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 87 [TCP segment
of a reassembled PDU]
 15 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 HTTP 466 HTTP/1.0 200
OK  (text/html)
 16 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=153 Win=131616 Len=0 TSval=240784581 TSecr=556844
 17 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
 18 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
[FIN, ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
 19 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
[ACK] Seq=554 Ack=351 Win=30080 Len=0 TSval=556844 TSecr=240784581
```

It's a good question, Micha?. Whose bug is this? I'm happy to go chase it
down with the right audience if we can answer this question. Thanks for
taking the time to look.

Cheers,
Brandon


On Mon, Apr 9, 2018 at 3:34 PM, Micha? Purzy?ski <michalpurzynski1 at gmail.com
> wrote:

> To help with the investigation, I also observed a similar behavior on some
> CentOS 7.x hosts, when capturing traffic into a pcap on a live system would
> result in some packets being saved with the 70's timestamp.
>
> The question remain - is that a kernel bug, a network card bug, a driver
> bug?
>
> On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> wrote:
>
>> I don't know how it happened, but the timestamp for the SYN/ACK packet in
>> your pcap is March 22, 1970. Bro uses the timestamps from packets to track
>> it's notion of time moving forward and with Bro's internal clock being
>> shoved around by nearly 50 years twice in the span of three packets will
>> throw it off pretty badly (lots of timeouts take place). ;)
>>
>> Any clue why the timestamp on that packet would be like that? It's just
>> the one packet in your pcap that is messed up too.
>>
>> .Seth
>>
>> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>>
>> Hi Justin,
>>
>> Thank you for the reply. I don't think it is the MTU that is preventing
>> the sensor from decoding the traffic correctly. I ran the same test case
>> with snaplen=65535 and still received only the connection_established
>> event:
>>
>> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
>> rules/bro/detect-http-request.bro
>> <params>, line 1: listening on lo, capture length 65535 bytes
>>
>> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
>> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
>> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
>> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
>> service={
>>
>> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
>> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
>> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
>> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
>> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
>> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
>> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
>> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
>> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
>> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>>
>> I'm attaching the script I'm using and the pcap for the same request,
>> taken with:
>> sudo tcpdump -i lo -s 0 -w port8080.pcap
>>
>> Thanks,
>> Brandon
>>
>>
>> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu>
>> wrote:
>>
>>>
>>> > On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
>>> wrote:
>>> >
>>> > Hello,
>>> >
>>> > I am attempting to get Bro working sitting behind a reverse proxy
>>> (nginx), which is receiving connections, terminating TLS, and forwarding
>>> cleartext HTTP to a local app server (Tomcat). I have a really simple test
>>> case that demonstrates the problem I'm running into, which is that Bro HTTP
>>> events are only detected when requests are sent plaintext (without TLS).
>>> Here is the test case I'm using:
>>>
>>> The output you have included is not enough to tell what is wrong.
>>> Minimally, full conn.log entries are required to figure out what bro is
>>> seeing.  Even better would be a full pcap of the traffic that bro is not
>>> properly decoding.
>>>
>>> To just guess, i'd say your problem is that the MTU on lo is 65536 and
>>> bro is not configured by default to handle that.  Throwing a
>>>
>>> redef Pcap::snaplen = 65536
>>>
>>> in your script may get things working.
>>>
>>>
>>> ?
>>> Justin Azoff
>>>
>>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/7f3fa1b0/attachment-0001.html 

From brandon.sterne at gmail.com  Mon Apr  9 21:21:35 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Mon, 9 Apr 2018 21:21:35 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7Aa9cf2LZJmqxUBSVkWGt-ETv=nnMry+mcvwsoUwfJA2A@mail.gmail.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
	<61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
	<CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>
	<CADXmT7Aa9cf2LZJmqxUBSVkWGt-ETv=nnMry+mcvwsoUwfJA2A@mail.gmail.com>
Message-ID: <CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g@mail.gmail.com>

I can confirm this also happens on a C7 OpenStack VM:
[brandon.sterne at sterne-server ~]$ tshark -t ud -r pcaps/lo-port-80.pcap
  1 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 74 51546 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=595251 TSecr=0
WS=128
  2 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 54 http > 51546
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  3 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 74 51548 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469 TSecr=0
WS=128
  4 1970-01-31 04:44:20    127.0.0.1 -> 127.0.0.1    TCP 74 http > 51548
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469
TSecr=607469 WS=128
  5 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 66 51548 > http
[ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=607469 TSecr=607469
  6 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
HTTP/1.1
  <snip>

I can't locate a C7 bare metal server right at the moment but will try to
test that tomorrow. If someone happens to have a C7 bare metal box and
would be willing to test, here is the sequence of commands to run:
[shell1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
[shell2]$ curl localhost
[shell1]$ ^C
[shell1]$ tshark -t ud -r lo-port-80.pcap


On Mon, Apr 9, 2018 at 4:25 PM, Brandon Sterne <brandon.sterne at gmail.com>
wrote:

> This is very interesting. It is totally reproducible with CentOS 7 VMs,
> but I confirmed the testcase works as expected with an Ubuntu Server VM. On
> a freshly provisioned C7 VM, I see "That 70s Packet" when I capture from
> the loopback interface, but not when I capture from the external interface:
>
> ```[vagrant at localhost pcaps]$ tshark -t ud -r lo-port80.pcap
>   1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
> WS=64
>   2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>   3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
> WS=64
>   4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
> TSecr=8358349 WS=64
>   5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>   6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
> HTTP/1.1
>   7 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [ACK] Seq=1 Ack=74 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>   8 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment
> of a reassembled PDU]
>   9 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=18 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  10 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
> of a reassembled PDU]
>  11 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=55 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  12 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
> of a reassembled PDU]
>  13 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=92 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  14 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 106 [TCP segment
> of a reassembled PDU]
>  15 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=132 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  16 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 87 [TCP segment
> of a reassembled PDU]
>  17 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=153 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  18 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 68 [TCP segment
> of a reassembled PDU]
>  19 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=155 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  20 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 512 HTTP/1.0 200
> OK  (text/html)
>  21 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=601 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>  22 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [FIN, ACK] Seq=601 Ack=74 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  23 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [FIN, ACK] Seq=74 Ack=602 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>  24 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [ACK] Seq=602 Ack=75 Win=43712 Len=0 TSval=8358351 TSecr=8358351
> [vagrant at localhost pcaps]$ tshark -t ud -r eth1-port80.pcap
>   1 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 78 53640 > http
> [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=240784579
> TSecr=0 SACK_PERM=1
>   2 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 74 http > 53640
> [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1
> TSval=556841 TSecr=240784579 WS=64
>   3 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=240784579 TSecr=556841
>   4 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 HTTP 415 GET /
> HTTP/1.1
>   5 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
> [ACK] Seq=1 Ack=350 Win=30080 Len=0 TSval=556842 TSecr=240784579
>   6 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 83 [TCP segment
> of a reassembled PDU]
>   7 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=18 Win=131744 Len=0 TSval=240784581 TSecr=556843
>   8 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
> of a reassembled PDU]
>   9 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=55 Win=131712 Len=0 TSval=240784581 TSecr=556844
>  10 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
> of a reassembled PDU]
>  11 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=92 Win=131648 Len=0 TSval=240784581 TSecr=556844
>  12 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 106 [TCP segment
> of a reassembled PDU]
>  13 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=132 Win=131616 Len=0 TSval=240784581 TSecr=556844
>  14 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 87 [TCP segment
> of a reassembled PDU]
>  15 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 HTTP 466 HTTP/1.0
> 200 OK  (text/html)
>  16 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=153 Win=131616 Len=0 TSval=240784581 TSecr=556844
>  17 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>  18 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [FIN, ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>  19 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
> [ACK] Seq=554 Ack=351 Win=30080 Len=0 TSval=556844 TSecr=240784581
> ```
>
> It's a good question, Micha?. Whose bug is this? I'm happy to go chase it
> down with the right audience if we can answer this question. Thanks for
> taking the time to look.
>
> Cheers,
> Brandon
>
>
> On Mon, Apr 9, 2018 at 3:34 PM, Micha? Purzy?ski <
> michalpurzynski1 at gmail.com> wrote:
>
>> To help with the investigation, I also observed a similar behavior on
>> some CentOS 7.x hosts, when capturing traffic into a pcap on a live system
>> would result in some packets being saved with the 70's timestamp.
>>
>> The question remain - is that a kernel bug, a network card bug, a driver
>> bug?
>>
>> On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> wrote:
>>
>>> I don't know how it happened, but the timestamp for the SYN/ACK packet
>>> in your pcap is March 22, 1970. Bro uses the timestamps from packets to
>>> track it's notion of time moving forward and with Bro's internal clock
>>> being shoved around by nearly 50 years twice in the span of three packets
>>> will throw it off pretty badly (lots of timeouts take place). ;)
>>>
>>> Any clue why the timestamp on that packet would be like that? It's just
>>> the one packet in your pcap that is messed up too.
>>>
>>> .Seth
>>>
>>> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>>>
>>> Hi Justin,
>>>
>>> Thank you for the reply. I don't think it is the MTU that is preventing
>>> the sensor from decoding the traffic correctly. I ran the same test case
>>> with snaplen=65535 and still received only the connection_established
>>> event:
>>>
>>> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
>>> rules/bro/detect-http-request.bro
>>> <params>, line 1: listening on lo, capture length 65535 bytes
>>>
>>> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
>>> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
>>> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
>>> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
>>> service={
>>>
>>> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
>>> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
>>> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
>>> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
>>> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
>>> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
>>> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
>>> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
>>> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
>>> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>>>
>>> I'm attaching the script I'm using and the pcap for the same request,
>>> taken with:
>>> sudo tcpdump -i lo -s 0 -w port8080.pcap
>>>
>>> Thanks,
>>> Brandon
>>>
>>>
>>> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu>
>>> wrote:
>>>
>>>>
>>>> > On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
>>>> wrote:
>>>> >
>>>> > Hello,
>>>> >
>>>> > I am attempting to get Bro working sitting behind a reverse proxy
>>>> (nginx), which is receiving connections, terminating TLS, and forwarding
>>>> cleartext HTTP to a local app server (Tomcat). I have a really simple test
>>>> case that demonstrates the problem I'm running into, which is that Bro HTTP
>>>> events are only detected when requests are sent plaintext (without TLS).
>>>> Here is the test case I'm using:
>>>>
>>>> The output you have included is not enough to tell what is wrong.
>>>> Minimally, full conn.log entries are required to figure out what bro is
>>>> seeing.  Even better would be a full pcap of the traffic that bro is not
>>>> properly decoding.
>>>>
>>>> To just guess, i'd say your problem is that the MTU on lo is 65536 and
>>>> bro is not configured by default to handle that.  Throwing a
>>>>
>>>> redef Pcap::snaplen = 65536
>>>>
>>>> in your script may get things working.
>>>>
>>>>
>>>> ?
>>>> Justin Azoff
>>>>
>>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>> --
>>> Seth Hall * Corelight, Inc * www.corelight.com
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/678f5f81/attachment-0001.html 

From philosnef at gmail.com  Tue Apr 10 07:48:30 2018
From: philosnef at gmail.com (erik clark)
Date: Tue, 10 Apr 2018 10:48:30 -0400
Subject: [Bro] building a bro plugin
Message-ID: <CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A@mail.gmail.com>

I have tried everything I can think of to get this to compile:

https://github.com/supriyask/Bro

Can someone explain to me what needs to be provided either in the
CMakeLists.txt or at the cmake cli to build this? Thanks. The readme has no
information whatsoever.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/2ef72a8a/attachment.html 

From promero at cenic.org  Tue Apr 10 08:21:00 2018
From: promero at cenic.org (Philip Romero)
Date: Tue, 10 Apr 2018 08:21:00 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <mailman.79627.1523334105.849.bro@bro.org>
References: <mailman.79627.1523334105.849.bro@bro.org>
Message-ID: <92728a56-e307-7513-5131-93a5ec749b94@cenic.org>

I don't know if this messes up your test, but I didn't have tshark on
the physical box I'm running. Below is the output showing the date via
tcpdump options. It looks correct.?

$ tcpdump -ttttnnr lo-port-80.pcap
reading from file lo-port-80.pcap, link-type EN10MB (Ethernet)
2018-04-10 08:13:20.209770 IP6 ::1.49258 > ::1.80: Flags [S], seq
485780875, win 43690, options [mss 65476,sackOK,TS val 1090368614 ecr
0,nop,wscale 7], length 0
2018-04-10 08:13:20.209809 IP6 ::1.80 > ::1.49258: Flags [R.], seq 0,
ack 485780876, win 0, length 0
2018-04-10 08:13:20.210015 IP 127.0.0.1.43960 > 127.0.0.1.80: Flags [S],
seq 859064153, win 43690, options [mss 65495,sackOK,TS val 1090368615
ecr 0,nop,wscale 7], length 0
2018-04-10 08:13:20.210046 IP 127.0.0.1.80 > 127.0.0.1.43960: Flags
[R.], seq 0, ack 859064154, win 0, length 0
$

Philip


On 4/9/18 9:21 PM, bro-request at bro.org wrote:
> Send Bro mailing list submissions to
> 	bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
> 	bro-request at bro.org
>
> You can reach the person managing the list at
> 	bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Re: Bro behind a TLS reverse proxy (Brandon Sterne)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 9 Apr 2018 21:21:35 -0700
> From: Brandon Sterne <brandon.sterne at gmail.com>
> Subject: Re: [Bro] Bro behind a TLS reverse proxy
> To: Micha? Purzy?ski <michalpurzynski1 at gmail.com>
> Cc: Bro-IDS <bro at bro.org>
> Message-ID:
> 	<CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I can confirm this also happens on a C7 OpenStack VM:
> [brandon.sterne at sterne-server ~]$ tshark -t ud -r pcaps/lo-port-80.pcap
>   1 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 74 51546 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=595251 TSecr=0
> WS=128
>   2 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 54 http > 51546
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>   3 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 74 51548 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469 TSecr=0
> WS=128
>   4 1970-01-31 04:44:20    127.0.0.1 -> 127.0.0.1    TCP 74 http > 51548
> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469
> TSecr=607469 WS=128
>   5 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 66 51548 > http
> [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=607469 TSecr=607469
>   6 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
> HTTP/1.1
>   <snip>
>
> I can't locate a C7 bare metal server right at the moment but will try to
> test that tomorrow. If someone happens to have a C7 bare metal box and
> would be willing to test, here is the sequence of commands to run:
> [shell1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
> [shell2]$ curl localhost
> [shell1]$ ^C
> [shell1]$ tshark -t ud -r lo-port-80.pcap
>
>
> On Mon, Apr 9, 2018 at 4:25 PM, Brandon Sterne <brandon.sterne at gmail.com>
> wrote:
>
>> This is very interesting. It is totally reproducible with CentOS 7 VMs,
>> but I confirmed the testcase works as expected with an Ubuntu Server VM. On
>> a freshly provisioned C7 VM, I see "That 70s Packet" when I capture from
>> the loopback interface, but not when I capture from the external interface:
>>
>> ```[vagrant at localhost pcaps]$ tshark -t ud -r lo-port80.pcap
>>   1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
>> [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
>> WS=64
>>   2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
>> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>>   3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
>> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
>> WS=64
>>   4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
>> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
>> TSecr=8358349 WS=64
>>   5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>>   6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
>> HTTP/1.1
>>   7 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>> [ACK] Seq=1 Ack=74 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>>   8 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment
>> of a reassembled PDU]
>>   9 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=18 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  10 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
>> of a reassembled PDU]
>>  11 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=55 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  12 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
>> of a reassembled PDU]
>>  13 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=92 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  14 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 106 [TCP segment
>> of a reassembled PDU]
>>  15 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=132 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  16 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 87 [TCP segment
>> of a reassembled PDU]
>>  17 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=153 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  18 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 68 [TCP segment
>> of a reassembled PDU]
>>  19 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=155 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  20 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 512 HTTP/1.0 200
>> OK  (text/html)
>>  21 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [ACK] Seq=74 Ack=601 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>>  22 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>> [FIN, ACK] Seq=601 Ack=74 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>  23 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>> [FIN, ACK] Seq=74 Ack=602 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>>  24 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>> [ACK] Seq=602 Ack=75 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>> [vagrant at localhost pcaps]$ tshark -t ud -r eth1-port80.pcap
>>   1 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 78 53640 > http
>> [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=240784579
>> TSecr=0 SACK_PERM=1
>>   2 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 74 http > 53640
>> [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1
>> TSval=556841 TSecr=240784579 WS=64
>>   3 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=240784579 TSecr=556841
>>   4 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 HTTP 415 GET /
>> HTTP/1.1
>>   5 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
>> [ACK] Seq=1 Ack=350 Win=30080 Len=0 TSval=556842 TSecr=240784579
>>   6 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 83 [TCP segment
>> of a reassembled PDU]
>>   7 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=18 Win=131744 Len=0 TSval=240784581 TSecr=556843
>>   8 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
>> of a reassembled PDU]
>>   9 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=55 Win=131712 Len=0 TSval=240784581 TSecr=556844
>>  10 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
>> of a reassembled PDU]
>>  11 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=92 Win=131648 Len=0 TSval=240784581 TSecr=556844
>>  12 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 106 [TCP segment
>> of a reassembled PDU]
>>  13 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=132 Win=131616 Len=0 TSval=240784581 TSecr=556844
>>  14 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 87 [TCP segment
>> of a reassembled PDU]
>>  15 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 HTTP 466 HTTP/1.0
>> 200 OK  (text/html)
>>  16 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=153 Win=131616 Len=0 TSval=240784581 TSecr=556844
>>  17 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>>  18 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>> [FIN, ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>>  19 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
>> [ACK] Seq=554 Ack=351 Win=30080 Len=0 TSval=556844 TSecr=240784581
>> ```
>>
>> It's a good question, Micha?. Whose bug is this? I'm happy to go chase it
>> down with the right audience if we can answer this question. Thanks for
>> taking the time to look.
>>
>> Cheers,
>> Brandon
>>
>>
>> On Mon, Apr 9, 2018 at 3:34 PM, Micha? Purzy?ski <
>> michalpurzynski1 at gmail.com> wrote:
>>
>>> To help with the investigation, I also observed a similar behavior on
>>> some CentOS 7.x hosts, when capturing traffic into a pcap on a live system
>>> would result in some packets being saved with the 70's timestamp.
>>>
>>> The question remain - is that a kernel bug, a network card bug, a driver
>>> bug?
>>>
>>> On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> wrote:
>>>
>>>> I don't know how it happened, but the timestamp for the SYN/ACK packet
>>>> in your pcap is March 22, 1970. Bro uses the timestamps from packets to
>>>> track it's notion of time moving forward and with Bro's internal clock
>>>> being shoved around by nearly 50 years twice in the span of three packets
>>>> will throw it off pretty badly (lots of timeouts take place). ;)
>>>>
>>>> Any clue why the timestamp on that packet would be like that? It's just
>>>> the one packet in your pcap that is messed up too.
>>>>
>>>> .Seth
>>>>
>>>> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>>>>
>>>> Hi Justin,
>>>>
>>>> Thank you for the reply. I don't think it is the MTU that is preventing
>>>> the sensor from decoding the traffic correctly. I ran the same test case
>>>> with snaplen=65535 and still received only the connection_established
>>>> event:
>>>>
>>>> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
>>>> rules/bro/detect-http-request.bro
>>>> <params>, line 1: listening on lo, capture length 65535 bytes
>>>>
>>>> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
>>>> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
>>>> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
>>>> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
>>>> service={
>>>>
>>>> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
>>>> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
>>>> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
>>>> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
>>>> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
>>>> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
>>>> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
>>>> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
>>>> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
>>>> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>>>>
>>>> I'm attaching the script I'm using and the pcap for the same request,
>>>> taken with:
>>>> sudo tcpdump -i lo -s 0 -w port8080.pcap
>>>>
>>>> Thanks,
>>>> Brandon
>>>>
>>>>
>>>> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu>
>>>> wrote:
>>>>
>>>>>> On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
>>>>> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I am attempting to get Bro working sitting behind a reverse proxy
>>>>> (nginx), which is receiving connections, terminating TLS, and forwarding
>>>>> cleartext HTTP to a local app server (Tomcat). I have a really simple test
>>>>> case that demonstrates the problem I'm running into, which is that Bro HTTP
>>>>> events are only detected when requests are sent plaintext (without TLS).
>>>>> Here is the test case I'm using:
>>>>>
>>>>> The output you have included is not enough to tell what is wrong.
>>>>> Minimally, full conn.log entries are required to figure out what bro is
>>>>> seeing.  Even better would be a full pcap of the traffic that bro is not
>>>>> properly decoding.
>>>>>
>>>>> To just guess, i'd say your problem is that the MTU on lo is 65536 and
>>>>> bro is not configured by default to handle that.  Throwing a
>>>>>
>>>>> redef Pcap::snaplen = 65536
>>>>>
>>>>> in your script may get things working.
>>>>>
>>>>>
>>>>> ?
>>>>> Justin Azoff
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>> --
>>>> Seth Hall * Corelight, Inc * www.corelight.com
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/678f5f81/attachment.html 
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 144, Issue 12
> ************************************

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/1fe0daeb/attachment-0001.html 

From promero at cenic.org  Tue Apr 10 08:57:16 2018
From: promero at cenic.org (Philip Romero)
Date: Tue, 10 Apr 2018 08:57:16 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <mailman.79796.1523373666.849.bro@bro.org>
References: <mailman.79796.1523373666.849.bro@bro.org>
Message-ID: <8cabd3dc-51f6-6d71-947e-c75efeef1fbf@cenic.org>

FYI - I was able to run the test commands on a VirtualBox VM and the
results show that the date appears correct.

$ tshark -t ud -r lo-port-80.pcap
? 1 2018-04-10 15:36:12????????? ::1 -> ::1????????? TCP 94 37816 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=4294908231
TSecr=0 WS=128
? 2 2018-04-10 15:36:12????????? ::1 -> ::1????????? TCP 74 http > 37816
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
? 3 2018-04-10 15:36:12??? 127.0.0.1 -> 127.0.0.1??? TCP 74 32966 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4294908231
TSecr=0 WS=128
? 4 2018-04-10 15:36:12??? 127.0.0.1 -> 127.0.0.1??? TCP 54 http > 32966
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
$

Philip


On 4/10/18 8:21 AM, bro-request at bro.org wrote:
> Send Bro mailing list submissions to
> 	bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
> 	bro-request at bro.org
>
> You can reach the person managing the list at
> 	bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. building a bro plugin (erik clark)
>    2. Re: Bro behind a TLS reverse proxy (Philip Romero)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 Apr 2018 10:48:30 -0400
> From: erik clark <philosnef at gmail.com>
> Subject: [Bro] building a bro plugin
> To: Bro-IDS <bro at bro.org>
> Message-ID:
> 	<CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I have tried everything I can think of to get this to compile:
>
> https://github.com/supriyask/Bro
>
> Can someone explain to me what needs to be provided either in the
> CMakeLists.txt or at the cmake cli to build this? Thanks. The readme has no
> information whatsoever.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/2ef72a8a/attachment-0001.html 
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 Apr 2018 08:21:00 -0700
> From: Philip Romero <promero at cenic.org>
> Subject: Re: [Bro] Bro behind a TLS reverse proxy
> To: bro at bro.org
> Message-ID: <92728a56-e307-7513-5131-93a5ec749b94 at cenic.org>
> Content-Type: text/plain; charset="utf-8"
>
> I don't know if this messes up your test, but I didn't have tshark on
> the physical box I'm running. Below is the output showing the date via
> tcpdump options. It looks correct.?
>
> $ tcpdump -ttttnnr lo-port-80.pcap
> reading from file lo-port-80.pcap, link-type EN10MB (Ethernet)
> 2018-04-10 08:13:20.209770 IP6 ::1.49258 > ::1.80: Flags [S], seq
> 485780875, win 43690, options [mss 65476,sackOK,TS val 1090368614 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 08:13:20.209809 IP6 ::1.80 > ::1.49258: Flags [R.], seq 0,
> ack 485780876, win 0, length 0
> 2018-04-10 08:13:20.210015 IP 127.0.0.1.43960 > 127.0.0.1.80: Flags [S],
> seq 859064153, win 43690, options [mss 65495,sackOK,TS val 1090368615
> ecr 0,nop,wscale 7], length 0
> 2018-04-10 08:13:20.210046 IP 127.0.0.1.80 > 127.0.0.1.43960: Flags
> [R.], seq 0, ack 859064154, win 0, length 0
> $
>
> Philip
>
>
> On 4/9/18 9:21 PM, bro-request at bro.org wrote:
>> Send Bro mailing list submissions to
>> 	bro at bro.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> or, via email, send a message with subject or body 'help' to
>> 	bro-request at bro.org
>>
>> You can reach the person managing the list at
>> 	bro-owner at bro.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Bro digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: Bro behind a TLS reverse proxy (Brandon Sterne)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 9 Apr 2018 21:21:35 -0700
>> From: Brandon Sterne <brandon.sterne at gmail.com>
>> Subject: Re: [Bro] Bro behind a TLS reverse proxy
>> To: Micha? Purzy?ski <michalpurzynski1 at gmail.com>
>> Cc: Bro-IDS <bro at bro.org>
>> Message-ID:
>> 	<CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> I can confirm this also happens on a C7 OpenStack VM:
>> [brandon.sterne at sterne-server ~]$ tshark -t ud -r pcaps/lo-port-80.pcap
>>   1 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 74 51546 > http
>> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=595251 TSecr=0
>> WS=128
>>   2 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 54 http > 51546
>> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>>   3 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 74 51548 > http
>> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469 TSecr=0
>> WS=128
>>   4 1970-01-31 04:44:20    127.0.0.1 -> 127.0.0.1    TCP 74 http > 51548
>> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469
>> TSecr=607469 WS=128
>>   5 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 66 51548 > http
>> [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=607469 TSecr=607469
>>   6 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
>> HTTP/1.1
>>   <snip>
>>
>> I can't locate a C7 bare metal server right at the moment but will try to
>> test that tomorrow. If someone happens to have a C7 bare metal box and
>> would be willing to test, here is the sequence of commands to run:
>> [shell1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
>> [shell2]$ curl localhost
>> [shell1]$ ^C
>> [shell1]$ tshark -t ud -r lo-port-80.pcap
>>
>>
>> On Mon, Apr 9, 2018 at 4:25 PM, Brandon Sterne <brandon.sterne at gmail.com>
>> wrote:
>>
>>> This is very interesting. It is totally reproducible with CentOS 7 VMs,
>>> but I confirmed the testcase works as expected with an Ubuntu Server VM. On
>>> a freshly provisioned C7 VM, I see "That 70s Packet" when I capture from
>>> the loopback interface, but not when I capture from the external interface:
>>>
>>> ```[vagrant at localhost pcaps]$ tshark -t ud -r lo-port80.pcap
>>>   1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
>>> [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
>>> WS=64
>>>   2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
>>> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>>>   3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
>>> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
>>> WS=64
>>>   4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
>>> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
>>> TSecr=8358349 WS=64
>>>   5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>>>   6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
>>> HTTP/1.1
>>>   7 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>>> [ACK] Seq=1 Ack=74 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>>>   8 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment
>>> of a reassembled PDU]
>>>   9 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=18 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  10 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
>>> of a reassembled PDU]
>>>  11 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=55 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  12 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
>>> of a reassembled PDU]
>>>  13 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=92 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  14 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 106 [TCP segment
>>> of a reassembled PDU]
>>>  15 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=132 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  16 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 87 [TCP segment
>>> of a reassembled PDU]
>>>  17 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=153 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  18 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 68 [TCP segment
>>> of a reassembled PDU]
>>>  19 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=155 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  20 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 512 HTTP/1.0 200
>>> OK  (text/html)
>>>  21 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [ACK] Seq=74 Ack=601 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>>>  22 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>>> [FIN, ACK] Seq=601 Ack=74 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>>  23 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
>>> [FIN, ACK] Seq=74 Ack=602 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>>>  24 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
>>> [ACK] Seq=602 Ack=75 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>>> [vagrant at localhost pcaps]$ tshark -t ud -r eth1-port80.pcap
>>>   1 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 78 53640 > http
>>> [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=240784579
>>> TSecr=0 SACK_PERM=1
>>>   2 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 74 http > 53640
>>> [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1
>>> TSval=556841 TSecr=240784579 WS=64
>>>   3 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=240784579 TSecr=556841
>>>   4 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 HTTP 415 GET /
>>> HTTP/1.1
>>>   5 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
>>> [ACK] Seq=1 Ack=350 Win=30080 Len=0 TSval=556842 TSecr=240784579
>>>   6 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 83 [TCP segment
>>> of a reassembled PDU]
>>>   7 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=18 Win=131744 Len=0 TSval=240784581 TSecr=556843
>>>   8 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
>>> of a reassembled PDU]
>>>   9 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=55 Win=131712 Len=0 TSval=240784581 TSecr=556844
>>>  10 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
>>> of a reassembled PDU]
>>>  11 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=92 Win=131648 Len=0 TSval=240784581 TSecr=556844
>>>  12 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 106 [TCP segment
>>> of a reassembled PDU]
>>>  13 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=132 Win=131616 Len=0 TSval=240784581 TSecr=556844
>>>  14 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 87 [TCP segment
>>> of a reassembled PDU]
>>>  15 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 HTTP 466 HTTP/1.0
>>> 200 OK  (text/html)
>>>  16 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=153 Win=131616 Len=0 TSval=240784581 TSecr=556844
>>>  17 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>>>  18 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
>>> [FIN, ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>>>  19 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
>>> [ACK] Seq=554 Ack=351 Win=30080 Len=0 TSval=556844 TSecr=240784581
>>> ```
>>>
>>> It's a good question, Micha?. Whose bug is this? I'm happy to go chase it
>>> down with the right audience if we can answer this question. Thanks for
>>> taking the time to look.
>>>
>>> Cheers,
>>> Brandon
>>>
>>>
>>> On Mon, Apr 9, 2018 at 3:34 PM, Micha? Purzy?ski <
>>> michalpurzynski1 at gmail.com> wrote:
>>>
>>>> To help with the investigation, I also observed a similar behavior on
>>>> some CentOS 7.x hosts, when capturing traffic into a pcap on a live system
>>>> would result in some packets being saved with the 70's timestamp.
>>>>
>>>> The question remain - is that a kernel bug, a network card bug, a driver
>>>> bug?
>>>>
>>>> On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> wrote:
>>>>
>>>>> I don't know how it happened, but the timestamp for the SYN/ACK packet
>>>>> in your pcap is March 22, 1970. Bro uses the timestamps from packets to
>>>>> track it's notion of time moving forward and with Bro's internal clock
>>>>> being shoved around by nearly 50 years twice in the span of three packets
>>>>> will throw it off pretty badly (lots of timeouts take place). ;)
>>>>>
>>>>> Any clue why the timestamp on that packet would be like that? It's just
>>>>> the one packet in your pcap that is messed up too.
>>>>>
>>>>> .Seth
>>>>>
>>>>> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>>>>>
>>>>> Hi Justin,
>>>>>
>>>>> Thank you for the reply. I don't think it is the MTU that is preventing
>>>>> the sensor from decoding the traffic correctly. I ran the same test case
>>>>> with snaplen=65535 and still received only the connection_established
>>>>> event:
>>>>>
>>>>> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
>>>>> rules/bro/detect-http-request.bro
>>>>> <params>, line 1: listening on lo, capture length 65535 bytes
>>>>>
>>>>> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
>>>>> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
>>>>> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
>>>>> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
>>>>> service={
>>>>>
>>>>> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
>>>>> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
>>>>> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
>>>>> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
>>>>> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
>>>>> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
>>>>> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
>>>>> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
>>>>> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
>>>>> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>>>>>
>>>>> I'm attaching the script I'm using and the pcap for the same request,
>>>>> taken with:
>>>>> sudo tcpdump -i lo -s 0 -w port8080.pcap
>>>>>
>>>>> Thanks,
>>>>> Brandon
>>>>>
>>>>>
>>>>> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu>
>>>>> wrote:
>>>>>
>>>>>>> On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com>
>>>>>> wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am attempting to get Bro working sitting behind a reverse proxy
>>>>>> (nginx), which is receiving connections, terminating TLS, and forwarding
>>>>>> cleartext HTTP to a local app server (Tomcat). I have a really simple test
>>>>>> case that demonstrates the problem I'm running into, which is that Bro HTTP
>>>>>> events are only detected when requests are sent plaintext (without TLS).
>>>>>> Here is the test case I'm using:
>>>>>>
>>>>>> The output you have included is not enough to tell what is wrong.
>>>>>> Minimally, full conn.log entries are required to figure out what bro is
>>>>>> seeing.  Even better would be a full pcap of the traffic that bro is not
>>>>>> properly decoding.
>>>>>>
>>>>>> To just guess, i'd say your problem is that the MTU on lo is 65536 and
>>>>>> bro is not configured by default to handle that.  Throwing a
>>>>>>
>>>>>> redef Pcap::snaplen = 65536
>>>>>>
>>>>>> in your script may get things working.
>>>>>>
>>>>>>
>>>>>> ?
>>>>>> Justin Azoff
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>>> --
>>>>> Seth Hall * Corelight, Inc * www.corelight.com
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/678f5f81/attachment.html 
>>
>> ------------------------------
>>
>> _______________________________________________
>> Bro mailing list
>> Bro at bro.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>> End of Bro Digest, Vol 144, Issue 12
>> ************************************

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/2f4b1174/attachment-0001.html 

From brandon.sterne at gmail.com  Tue Apr 10 10:57:08 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Tue, 10 Apr 2018 10:57:08 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <8cabd3dc-51f6-6d71-947e-c75efeef1fbf@cenic.org>
References: <mailman.79796.1523373666.849.bro@bro.org>
	<8cabd3dc-51f6-6d71-947e-c75efeef1fbf@cenic.org>
Message-ID: <CADXmT7Cv8sWhD2P=n5of641XaAShk=iECxXLJRP7O_xJ8+COEg@mail.gmail.com>

Hi Philip,

I'm not sure what differs between your environment and mine. On my
VirtualBox C7 box I see the bad packet (pcaps attached):
[vagrant at localhost ~]$ sha1sum pcaps/lo-port80.pcap
6f44be24c1491ddf4285c6e4c585fc1d8b307439  pcaps/lo-port80.pcap
[vagrant at localhost ~]$ tshark -t ud -r pcaps/lo-port80.pcap | head -n6
  1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
WS=64
  2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
WS=64
  4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
TSecr=8358349 WS=64
  5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
[ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
  6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
HTTP/1.1

I ran another test today on C7 bare metal, and this time I saw a problem
with the first SYN-ACK packet, but this time the timestamp was far in the
future:
[brandon.sterne at s-mxq61403r3 pcaps]$ sha1sum lo-port-80-bm.pcap
20dbe8f5e67668ef1f6e37724910470cd4e47d74  lo-port-80-bm.pcap
[brandon.sterne at s-mxq61403r3 pcaps]$ tshark -t ud -r lo-port-80-bm.pcap |
head -n6
  1 2018-04-10 17:13:22          ::1 -> ::1          TCP 94 53636 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=3967522213 TSecr=0
WS=128
  2 2018-04-10 17:13:22          ::1 -> ::1          TCP 74 http > 53636
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  3 2018-04-10 17:13:22    127.0.0.1 -> 127.0.0.1    TCP 74 42944 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3967522213 TSecr=0
WS=128
  4 2061-07-14 21:16:16    127.0.0.1 -> 127.0.0.1    TCP 74 http > 42944
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1
TSval=3967522213 TSecr=3967522213 WS=128
  5 2018-04-10 17:13:22    127.0.0.1 -> 127.0.0.1    TCP 66 42944 > http
[ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3967522213 TSecr=3967522213
  6 2018-04-10 17:13:22    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
HTTP/1.1

Do others see anything like this? I appreciate any help you can offer in
reducing the testcase and identifying the offending software.

Best,
Brandon


On Tue, Apr 10, 2018 at 8:57 AM, Philip Romero <promero at cenic.org> wrote:

> FYI - I was able to run the test commands on a VirtualBox VM and the
> results show that the date appears correct.
>
> $ tshark -t ud -r lo-port-80.pcap
>   1 2018-04-10 15:36:12          ::1 -> ::1          TCP 94 37816 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=4294908231 TSecr=0
> WS=128
>   2 2018-04-10 15:36:12          ::1 -> ::1          TCP 74 http > 37816
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>   3 2018-04-10 15:36:12    127.0.0.1 -> 127.0.0.1    TCP 74 32966 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4294908231 TSecr=0
> WS=128
>   4 2018-04-10 15:36:12    127.0.0.1 -> 127.0.0.1    TCP 54 http > 32966
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> $
>
> Philip
>
> On 4/10/18 8:21 AM, bro-request at bro.org wrote:
>
> Send Bro mailing list submissions to
> 	bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
> 	bro-request at bro.org
>
> You can reach the person managing the list at
> 	bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. building a bro plugin (erik clark)
>    2. Re: Bro behind a TLS reverse proxy (Philip Romero)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 Apr 2018 10:48:30 -0400
> From: erik clark <philosnef at gmail.com> <philosnef at gmail.com>
> Subject: [Bro] building a bro plugin
> To: Bro-IDS <bro at bro.org> <bro at bro.org>
> Message-ID:
> 	<CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A at mail.gmail.com> <CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I have tried everything I can think of to get this to compile:
> https://github.com/supriyask/Bro
>
> Can someone explain to me what needs to be provided either in the
> CMakeLists.txt or at the cmake cli to build this? Thanks. The readme has no
> information whatsoever.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/2ef72a8a/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 Apr 2018 08:21:00 -0700
> From: Philip Romero <promero at cenic.org> <promero at cenic.org>
> Subject: Re: [Bro] Bro behind a TLS reverse proxy
> To: bro at bro.org
> Message-ID: <92728a56-e307-7513-5131-93a5ec749b94 at cenic.org> <92728a56-e307-7513-5131-93a5ec749b94 at cenic.org>
> Content-Type: text/plain; charset="utf-8"
>
> I don't know if this messes up your test, but I didn't have tshark on
> the physical box I'm running. Below is the output showing the date via
> tcpdump options. It looks correct.?
>
> $ tcpdump -ttttnnr lo-port-80.pcap
> reading from file lo-port-80.pcap, link-type EN10MB (Ethernet)
> 2018-04-10 08:13:20.209770 IP6 ::1.49258 > ::1.80: Flags [S], seq
> 485780875, win 43690, options [mss 65476,sackOK,TS val 1090368614 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 08:13:20.209809 IP6 ::1.80 > ::1.49258: Flags [R.], seq 0,
> ack 485780876, win 0, length 0
> 2018-04-10 08:13:20.210015 IP 127.0.0.1.43960 > 127.0.0.1.80: Flags [S],
> seq 859064153, win 43690, options [mss 65495,sackOK,TS val 1090368615
> ecr 0,nop,wscale 7], length 0
> 2018-04-10 08:13:20.210046 IP 127.0.0.1.80 > 127.0.0.1.43960: Flags
> [R.], seq 0, ack 859064154, win 0, length 0
> $
>
> Philip
>
>
> On 4/9/18 9:21 PM, bro-request at bro.org wrote:
>
> Send Bro mailing list submissions to
> 	bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
> 	bro-request at bro.org
>
> You can reach the person managing the list at
> 	bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Re: Bro behind a TLS reverse proxy (Brandon Sterne)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 9 Apr 2018 21:21:35 -0700
> From: Brandon Sterne <brandon.sterne at gmail.com> <brandon.sterne at gmail.com>
> Subject: Re: [Bro] Bro behind a TLS reverse proxy
> To: Micha? Purzy?ski <michalpurzynski1 at gmail.com> <michalpurzynski1 at gmail.com>
> Cc: Bro-IDS <bro at bro.org> <bro at bro.org>
> Message-ID:
> 	<CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g at mail.gmail.com> <CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I can confirm this also happens on a C7 OpenStack VM:
> [brandon.sterne at sterne-server ~]$ tshark -t ud -r pcaps/lo-port-80.pcap
>   1 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 74 51546 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=595251 TSecr=0
> WS=128
>   2 2018-04-10 03:35:40    127.0.0.1 -> 127.0.0.1    TCP 54 http > 51546
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>   3 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 74 51548 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469 TSecr=0
> WS=128
>   4 1970-01-31 04:44:20    127.0.0.1 -> 127.0.0.1    TCP 74 http > 51548
> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=607469
> TSecr=607469 WS=128
>   5 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    TCP 66 51548 > http
> [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=607469 TSecr=607469
>   6 2018-04-10 03:35:52    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
> HTTP/1.1
>   <snip>
>
> I can't locate a C7 bare metal server right at the moment but will try to
> test that tomorrow. If someone happens to have a C7 bare metal box and
> would be willing to test, here is the sequence of commands to run:
> [shell1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
> [shell2]$ curl localhost
> [shell1]$ ^C
> [shell1]$ tshark -t ud -r lo-port-80.pcap
>
>
> On Mon, Apr 9, 2018 at 4:25 PM, Brandon Sterne <brandon.sterne at gmail.com> <brandon.sterne at gmail.com>
> wrote:
>
>
> This is very interesting. It is totally reproducible with CentOS 7 VMs,
> but I confirmed the testcase works as expected with an Ubuntu Server VM. On
> a freshly provisioned C7 VM, I see "That 70s Packet" when I capture from
> the loopback interface, but not when I capture from the external interface:
>
> ```[vagrant at localhost pcaps]$ tshark -t ud -r lo-port80.pcap
>   1 2018-04-09 23:16:28          ::1 -> ::1          TCP 94 58156 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=8358348 TSecr=0
> WS=64
>   2 2018-04-09 23:16:28          ::1 -> ::1          TCP 74 http > 58156
> [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>   3 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 74 43060 > http
> [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349 TSecr=0
> WS=64
>   4 1971-02-20 11:53:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 43060
> [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8358349
> TSecr=8358349 WS=64
>   5 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=1 Ack=1 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>   6 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
> HTTP/1.1
>   7 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [ACK] Seq=1 Ack=74 Win=43712 Len=0 TSval=8358349 TSecr=8358349
>   8 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment
> of a reassembled PDU]
>   9 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=18 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  10 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
> of a reassembled PDU]
>  11 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=55 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  12 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP segment
> of a reassembled PDU]
>  13 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=92 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  14 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 106 [TCP segment
> of a reassembled PDU]
>  15 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=132 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  16 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 87 [TCP segment
> of a reassembled PDU]
>  17 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=153 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  18 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 68 [TCP segment
> of a reassembled PDU]
>  19 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=155 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  20 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    HTTP 512 HTTP/1.0 200
> OK  (text/html)
>  21 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [ACK] Seq=74 Ack=601 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>  22 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [FIN, ACK] Seq=601 Ack=74 Win=43712 Len=0 TSval=8358351 TSecr=8358351
>  23 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 43060 > http
> [FIN, ACK] Seq=74 Ack=602 Win=44800 Len=0 TSval=8358351 TSecr=8358351
>  24 2018-04-09 23:16:28    127.0.0.1 -> 127.0.0.1    TCP 66 http > 43060
> [ACK] Seq=602 Ack=75 Win=43712 Len=0 TSval=8358351 TSecr=8358351
> [vagrant at localhost pcaps]$ tshark -t ud -r eth1-port80.pcap
>   1 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 78 53640 > http
> [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=240784579
> TSecr=0 SACK_PERM=1
>   2 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 74 http > 53640
> [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1
> TSval=556841 TSecr=240784579 WS=64
>   3 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=240784579 TSecr=556841
>   4 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 HTTP 415 GET /
> HTTP/1.1
>   5 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
> [ACK] Seq=1 Ack=350 Win=30080 Len=0 TSval=556842 TSecr=240784579
>   6 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 83 [TCP segment
> of a reassembled PDU]
>   7 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=18 Win=131744 Len=0 TSval=240784581 TSecr=556843
>   8 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
> of a reassembled PDU]
>   9 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=55 Win=131712 Len=0 TSval=240784581 TSecr=556844
>  10 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 103 [TCP segment
> of a reassembled PDU]
>  11 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=92 Win=131648 Len=0 TSval=240784581 TSecr=556844
>  12 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 106 [TCP segment
> of a reassembled PDU]
>  13 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=132 Win=131616 Len=0 TSval=240784581 TSecr=556844
>  14 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 87 [TCP segment
> of a reassembled PDU]
>  15 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 HTTP 466 HTTP/1.0
> 200 OK  (text/html)
>  16 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=153 Win=131616 Len=0 TSval=240784581 TSecr=556844
>  17 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>  18 2018-04-09 21:06:26 192.168.43.1 -> 192.168.43.10 TCP 66 53640 > http
> [FIN, ACK] Seq=350 Ack=554 Win=131200 Len=0 TSval=240784581 TSecr=556844
>  19 2018-04-09 21:06:26 192.168.43.10 -> 192.168.43.1 TCP 66 http > 53640
> [ACK] Seq=554 Ack=351 Win=30080 Len=0 TSval=556844 TSecr=240784581
> ```
>
> It's a good question, Micha?. Whose bug is this? I'm happy to go chase it
> down with the right audience if we can answer this question. Thanks for
> taking the time to look.
>
> Cheers,
> Brandon
>
>
> On Mon, Apr 9, 2018 at 3:34 PM, Micha? Purzy?ski <michalpurzynski1 at gmail.com> wrote:
>
>
> To help with the investigation, I also observed a similar behavior on
> some CentOS 7.x hosts, when capturing traffic into a pcap on a live system
> would result in some packets being saved with the 70's timestamp.
>
> The question remain - is that a kernel bug, a network card bug, a driver
> bug?
>
> On Mon, Apr 9, 2018 at 1:33 PM, Seth Hall <seth at corelight.com> <seth at corelight.com> wrote:
>
>
> I don't know how it happened, but the timestamp for the SYN/ACK packet
> in your pcap is March 22, 1970. Bro uses the timestamps from packets to
> track it's notion of time moving forward and with Bro's internal clock
> being shoved around by nearly 50 years twice in the span of three packets
> will throw it off pretty badly (lots of timeouts take place). ;)
>
> Any clue why the timestamp on that packet would be like that? It's just
> the one packet in your pcap that is messed up too.
>
> .Seth
>
> On 9 Apr 2018, at 11:56, Brandon Sterne wrote:
>
> Hi Justin,
>
> Thank you for the reply. I don't think it is the MTU that is preventing
> the sensor from decoding the traffic correctly. I ran the same test case
> with snaplen=65535 and still received only the connection_established
> event:
>
> [vagrant at localhost security-gateway]$ sudo bro -C -i lo snaplen=65535
> rules/bro/detect-http-request.bro
> <params>, line 1: listening on lo, capture length 65535 bytes
>
> Connection: , [id=[orig_h=127.0.0.1, orig_p=34902/tcp, resp_h=127.0.0.1,
> resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=60,
> flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0,
> flow_label=0], start_time=1523289116.669146, duration=-1516793840.109909,
> service={
>
> }, history=Sh, uid=Ch6Tqk39qjgHi6li88, tunnel=<uninitialized>,
> dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F,
> thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>,
> dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
> ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>,
> http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>,
> modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>,
> rdp=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>,
> snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>,
> socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
>
> I'm attaching the script I'm using and the pcap for the same request,
> taken with:
> sudo tcpdump -i lo -s 0 -w port8080.pcap
>
> Thanks,
> Brandon
>
>
> On Wed, Apr 4, 2018 at 3:01 PM, Azoff, Justin S <jazoff at illinois.edu> <jazoff at illinois.edu>
> wrote:
>
>
> On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com> <brandon.sterne at gmail.com>
>
> wrote:
>
> Hello,
>
> I am attempting to get Bro working sitting behind a reverse proxy
>
> (nginx), which is receiving connections, terminating TLS, and forwarding
> cleartext HTTP to a local app server (Tomcat). I have a really simple test
> case that demonstrates the problem I'm running into, which is that Bro HTTP
> events are only detected when requests are sent plaintext (without TLS).
> Here is the test case I'm using:
>
> The output you have included is not enough to tell what is wrong.
> Minimally, full conn.log entries are required to figure out what bro is
> seeing.  Even better would be a full pcap of the traffic that bro is not
> properly decoding.
>
> To just guess, i'd say your problem is that the MTU on lo is 65536 and
> bro is not configured by default to handle that.  Throwing a
>
> redef Pcap::snaplen = 65536
>
> in your script may get things working.
>
>
> ?
> Justin Azoff
>
>
>
> _______________________________________________
> Bro mailing listbro at bro-ids.orghttp://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
> _______________________________________________
> Bro mailing listbro at bro-ids.orghttp://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180409/678f5f81/attachment.html
>
> ------------------------------
>
> _______________________________________________
> Bro mailing listBro at bro.orghttp://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 144, Issue 12
> ************************************
>
>
> --
> Philip Romero, CISSP, CISA
> Sr. Information Security Analyst
> CENICpromero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 237-9290
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/bf04acd1/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lo-port-80-bm.pcap
Type: application/octet-stream
Size: 2499 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/bf04acd1/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lo-port80.pcap
Type: application/octet-stream
Size: 2717 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/bf04acd1/attachment-0003.obj 

From promero at cenic.org  Tue Apr 10 11:28:42 2018
From: promero at cenic.org (Philip Romero)
Date: Tue, 10 Apr 2018 11:28:42 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <mailman.79842.1523383037.849.bro@bro.org>
References: <mailman.79842.1523383037.849.bro@bro.org>
Message-ID: <a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>

Brandon,

The systems I tested are on are listed below. I also asked my Systems
team to run the test on a datacenter hypervisor CentOS 7 server. Looks
like they got a "normal" response as well.

Physical Server (Old IBM System x3650 server):
$ sudo uname -a
Linux </hostname/> 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$

VirtualBox (5.2.8 r121009) VM (MacBook Pro Retina 15-inch, Mid 2015):
$ sudo uname -a
Linux </hostname/> 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$

VM test from Overt 4.1 hypervisor:
kernel - 3.10.0-693.5.2.el7.x86_64
2018-04-10 11:14:11.996559 IP6 ::1.57652 > ::1.80: Flags [S], seq
579221221, win 43690, options [mss 65476,sackOK,TS val 1190091725 ecr
0,nop,wscale 7], length 0
2018-04-10 11:14:11.996579 IP6 ::1.80 > ::1.57652: Flags [R.], seq 0,
ack 579221222, win 0, length 0
2018-04-10 11:14:11.996699 IP 127.0.0.1.43500 > 127.0.0.1.80: Flags [S],
seq 2884971053, win 43690, options [mss 65495,sackOK,TS val 1190091725
ecr 0,nop,wscale 7], length 0
2018-04-10 11:14:11.996715 IP 127.0.0.1.80 > 127.0.0.1.43500: Flags
[R.], seq 0, ack 2884971054, win 0, length 0

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/3bd47ba0/attachment.html 

From brandon.sterne at gmail.com  Tue Apr 10 14:14:29 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Tue, 10 Apr 2018 14:14:29 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
Message-ID: <CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>

Hi Philip,

What sequence of commands are you using to test? On all C7 instances I have
tested, virtual and bare metal, when capturing of the lo interface with
tcpdump, and analyzing the pcaps with tshark, I'm seeing 100% of SYN, ACK
packets as having the bogus timestamp.

Are you confident using tcpdump to both capture and replay the packets to
look at field values? Isn't it possible that tcpdump is writing to and
reading from the pcap in the same incorrect way?

Thanks,
Brandon


On Tue, Apr 10, 2018 at 11:28 AM, Philip Romero <promero at cenic.org> wrote:

> Brandon,
>
> The systems I tested are on are listed below. I also asked my Systems team
> to run the test on a datacenter hypervisor CentOS 7 server. Looks like they
> got a "normal" response as well.
>
> Physical Server (Old IBM System x3650 server):
> $ sudo uname -a
> Linux <*hostname*> 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13
> UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> $
>
> VirtualBox (5.2.8 r121009) VM (MacBook Pro Retina 15-inch, Mid 2015):
> $ sudo uname -a
> Linux <*hostname*> 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37
> UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> $
>
> VM test from Overt 4.1 hypervisor:
> kernel - 3.10.0-693.5.2.el7.x86_64
> 2018-04-10 11:14:11.996559 IP6 ::1.57652 > ::1.80: Flags [S], seq
> 579221221, win 43690, options [mss 65476,sackOK,TS val 1190091725 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 11:14:11.996579 IP6 ::1.80 > ::1.57652: Flags [R.], seq 0, ack
> 579221222, win 0, length 0
> 2018-04-10 11:14:11.996699 IP 127.0.0.1.43500 > 127.0.0.1.80: Flags [S],
> seq 2884971053, win 43690, options [mss 65495,sackOK,TS val 1190091725 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 11:14:11.996715 IP 127.0.0.1.80 > 127.0.0.1.43500: Flags [R.],
> seq 0, ack 2884971054, win 0, length 0
>
> --
> Philip Romero, CISSP, CISA
> Sr. Information Security Analyst
> CENICpromero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 237-9290
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/43a5de2b/attachment.html 

From hovsep.sanjay.levi at gmail.com  Tue Apr 10 14:34:48 2018
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Tue, 10 Apr 2018 21:34:48 +0000
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
Message-ID: <CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>

You might check what virtual network adapter is being used.  If it's a
network driver bug then switching adapters would prove that.

https://www.virtualbox.org/manual/ch06.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/f8daaf5f/attachment.html 

From brandon.sterne at gmail.com  Tue Apr 10 14:39:19 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Tue, 10 Apr 2018 14:39:19 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
	<CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
Message-ID: <CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>

I've observed the bad timestamp for loopback captures on three different
virtualization platforms (VirtualBox, OpenStack, Hyper-V), as well as bare
metal.

Thanks,
Brandon


On Tue, Apr 10, 2018 at 2:34 PM, Hovsep Levi <hovsep.sanjay.levi at gmail.com>
wrote:

> You might check what virtual network adapter is being used.  If it's a
> network driver bug then switching adapters would prove that.
>
> https://www.virtualbox.org/manual/ch06.html
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/355adad8/attachment.html 

From hovsep.sanjay.levi at gmail.com  Tue Apr 10 14:46:03 2018
From: hovsep.sanjay.levi at gmail.com (Hovsep Levi)
Date: Tue, 10 Apr 2018 21:46:03 +0000
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
	<CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
	<CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>
Message-ID: <CAJ19UZB2Kkc91NAA02WEfHnxBVz74LPF4J5Wq5sYFqztV9SHkQ@mail.gmail.com>

Still could be a network driver issue.  What kind of card is eth0 ?

Your original problem looks like Bro is inline or on the same network
instead of behind the nginx proxy.    Maybe even running on the nginx proxy
?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/bca01331/attachment.html 

From brandon.sterne at gmail.com  Tue Apr 10 14:52:02 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Tue, 10 Apr 2018 14:52:02 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CAJ19UZB2Kkc91NAA02WEfHnxBVz74LPF4J5Wq5sYFqztV9SHkQ@mail.gmail.com>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
	<CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
	<CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>
	<CAJ19UZB2Kkc91NAA02WEfHnxBVz74LPF4J5Wq5sYFqztV9SHkQ@mail.gmail.com>
Message-ID: <CADXmT7An8BOUmTbOfxAsAjt-5zNV8AtmFjpetVFq_e8pKf7XuQ@mail.gmail.com>

Thank you for responding. I have a simplified testcase that doesn't require
nginx:

[shell1]$ sudo tcpdump -s 0 -i lo -w lo-port-80.pcap "port 80"
[shell2]$ sudo python -m SimpleHTTPServer 80
[shell3]$ curl localhost
[shell1]$ ^C
[shell1]$ tshark -t ud -r lo-port-80.pcap

Note the timestamps for any SYN-ACK packets in the captured streams.

Cheers,
Brandon

On Tue, Apr 10, 2018 at 2:46 PM, Hovsep Levi <hovsep.sanjay.levi at gmail.com>
wrote:

> Still could be a network driver issue.  What kind of card is eth0 ?
>
> Your original problem looks like Bro is inline or on the same network
> instead of behind the nginx proxy.    Maybe even running on the nginx proxy
> ?
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/d6998c06/attachment.html 

From ambros.novak.89 at gmail.com  Tue Apr 10 15:33:31 2018
From: ambros.novak.89 at gmail.com (Ambros Novak)
Date: Tue, 10 Apr 2018 18:33:31 -0400
Subject: [Bro] URL, domains and IP in SMTP
Message-ID: <90ED0350-FEF9-4B37-8339-55712DBB06EA@gmail.com>

Good Mornings

How can I log all URL, domains and IP address in emails, even URL and domains that are not a hyperlink, start with http/https/www or IP address?

Thank you very much for helping. 

Ambros

??

From promero at cenic.org  Tue Apr 10 15:33:49 2018
From: promero at cenic.org (Philip Romero)
Date: Tue, 10 Apr 2018 15:33:49 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7An8BOUmTbOfxAsAjt-5zNV8AtmFjpetVFq_e8pKf7XuQ@mail.gmail.com>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
	<CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
	<CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>
	<CAJ19UZB2Kkc91NAA02WEfHnxBVz74LPF4J5Wq5sYFqztV9SHkQ@mail.gmail.com>
	<CADXmT7An8BOUmTbOfxAsAjt-5zNV8AtmFjpetVFq_e8pKf7XuQ@mail.gmail.com>
Message-ID: <9daa75f9-4623-9ba0-30ca-3a3d6c2d0d11@cenic.org>

Brandon,

Success...? Both my VirtualBox VM and physical server show the wrong
date/time on the SYN/ACK using the updated testing script you sent. This
was just a confirmation for what you had already confirmed as a
reproducible issue though. I don't have any next steps suggestions, sorry.?

$ tshark -t ud -r lo-port-80.pcap
? 1 2018-04-10 22:07:21????????? ::1 -> ::1????????? TCP 94 60782 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=4294828850
TSecr=0 WS=128
? 2 2018-04-10 22:07:21????????? ::1 -> ::1????????? TCP 74 http > 60782
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
? 3 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 74 39762 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4294828850
TSecr=0 WS=128
? 4 2106-01-31 09:17:55??? 127.0.0.1 -> 127.0.0.1??? TCP 74 http > 39762
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1
TSval=4294828850 TSecr=4294828850 WS=128
? 5 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=4294828850 TSecr=4294828850
? 6 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? HTTP 139 GET /
HTTP/1.1
? 7 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 http > 39762
[ACK] Seq=1 Ack=74 Win=43776 Len=0 TSval=4294828851 TSecr=4294828851
? 8 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 83 [TCP segment
of a reassembled PDU]
? 9 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=74 Ack=18 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
?10 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 103 [TCP
segment of a reassembled PDU]
?11 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=74 Ack=55 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
?12 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 103 [TCP
segment of a reassembled PDU]
?13 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=74 Ack=92 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
?14 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 129 [TCP
segment of a reassembled PDU]
?15 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=74 Ack=155 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
?16 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? HTTP 838 HTTP/1.0
200 OK? (text/html)
?17 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[ACK] Seq=74 Ack=927 Win=45312 Len=0 TSval=4294828856 TSecr=4294828856
?18 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 http > 39762
[FIN, ACK] Seq=927 Ack=74 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
?19 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 39762 > http
[FIN, ACK] Seq=74 Ack=928 Win=45312 Len=0 TSval=4294828856 TSecr=4294828856
?20 2018-04-10 22:07:21??? 127.0.0.1 -> 127.0.0.1??? TCP 66 http > 39762
[ACK] Seq=928 Ack=75 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
$

$ tcpdump -ttttnnr lo-port-80.pcap
reading from file lo-port-80.pcap, link-type EN10MB (Ethernet)
2018-04-10 15:28:49.065635 IP6 ::1.49766 > ::1.80: Flags [S], seq
2880441537, win 43690, options [mss 65476,sackOK,TS val 1116497470 ecr
0,nop,wscale 7], length 0
2018-04-10 15:28:49.065668 IP6 ::1.80 > ::1.49766: Flags [R.], seq 0,
ack 2880441538, win 0, length 0
2018-04-10 15:28:49.065840 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [S],
seq 3964604917, win 43690, options [mss 65495,sackOK,TS val 1116497470
ecr 0,nop,wscale 7], length 0
1985-11-08 19:53:43.822714 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[S.], seq 3727387360, ack 3964604918, win 43690, options [mss
65495,sackOK,TS val 1116497470 ecr 1116497470,nop,wscale 7], length 0
2018-04-10 15:28:49.065886 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 1, win 342, options [nop,nop,TS val 1116497470 ecr 1116497470], length 0
2018-04-10 15:28:49.065973 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags
[P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 1116497471 ecr
1116497470], length 73: HTTP: GET / HTTP/1.1
2018-04-10 15:28:49.065987 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags [.],
ack 74, win 342, options [nop,nop,TS val 1116497471 ecr 1116497471],
length 0
2018-04-10 15:28:49.176734 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 1:18, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497471], length 17: HTTP: HTTP/1.0 200 OK
2018-04-10 15:28:49.176760 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 18, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176813 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 18:55, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497581], length 37: HTTP
2018-04-10 15:28:49.176831 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 55, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176886 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 55:92, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497581], length 37: HTTP
2018-04-10 15:28:49.176900 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 92, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176951 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 92:132, ack 74, win 342, options [nop,nop,TS val 1116497581
ecr 1116497581], length 40: HTTP
2018-04-10 15:28:49.176966 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 132, win 342, options [nop,nop,TS val 1116497582 ecr 1116497581],
length 0
2018-04-10 15:28:49.177003 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 132:154, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 22: HTTP
2018-04-10 15:28:49.177016 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 154, win 342, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177051 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 154:156, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 2: HTTP
2018-04-10 15:28:49.177064 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 156, win 342, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177124 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 156:5992, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 5836: HTTP
2018-04-10 15:28:49.177142 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 5992, win 1365, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177212 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[F.], seq 5992, ack 74, win 342, options [nop,nop,TS val 1116497582 ecr
1116497582], length 0
2018-04-10 15:28:49.178159 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags
[F.], seq 74, ack 5993, win 1365, options [nop,nop,TS val 1116497583 ecr
1116497582], length 0
2018-04-10 15:28:49.178176 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags [.],
ack 75, win 342, options [nop,nop,TS val 1116497583 ecr 1116497583],
length 0
$


On 4/10/18 2:52 PM, Brandon Sterne wrote:
> sudo python -m SimpleHTTPServer 80

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180410/34d86983/attachment.html 

From jazoff at illinois.edu  Tue Apr 10 19:13:43 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 11 Apr 2018 02:13:43 +0000
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <9daa75f9-4623-9ba0-30ca-3a3d6c2d0d11@cenic.org>
References: <mailman.79842.1523383037.849.bro@bro.org>
	<a50c1a25-821c-ead2-66e8-acd132b73030@cenic.org>
	<CADXmT7DHoZToaT-gofxdU5Zfd9gYN1Fk0BnX0iLRQA5-bypQFw@mail.gmail.com>
	<CAJ19UZDPO=HD8b+pY7fT6grLBT9N9pRMQr9NAmtj4_ix=E3X+g@mail.gmail.com>
	<CADXmT7BQKzMBCRNUbqpN8vrDEPS4RzUM5Fzjo8WPH66r0HiO7w@mail.gmail.com>
	<CAJ19UZB2Kkc91NAA02WEfHnxBVz74LPF4J5Wq5sYFqztV9SHkQ@mail.gmail.com>
	<CADXmT7An8BOUmTbOfxAsAjt-5zNV8AtmFjpetVFq_e8pKf7XuQ@mail.gmail.com>
	<9daa75f9-4623-9ba0-30ca-3a3d6c2d0d11@cenic.org>
Message-ID: <B8F9BC0B-CF9C-4D7D-AECF-9C16EE234753@illinois.edu>


I'm not sure what the problem is here, but it most definitely does not have anything to do with physical/virtual or nic hardware..

The lo interface is handled 100% by the kernel and doesn't touch the hardware, so this looks like some odd kernel or libpcap bug. I don't think libpcap does anything with the timestamps other than to send them along, and the fact that this seems to only happen on the synack packet points more to a kernel issue.

It's probably related to some kind of optimization for completing connections faster over loopback.

If one has time, converting the test case into a reproducable script and using it with git bisect on the kernel could track this down.

? 
Justin Azoff

> On Apr 10, 2018, at 6:33 PM, Philip Romero <promero at cenic.org> wrote:
> 
> Brandon,
> 
> Success...? Both my VirtualBox VM and physical server show the wrong date/time on the SYN/ACK using the updated testing script you sent. 


From pssunu6 at gmail.com  Tue Apr 10 22:43:39 2018
From: pssunu6 at gmail.com (ps sunu)
Date: Wed, 11 Apr 2018 11:13:39 +0530
Subject: [Bro] minimal bro
Message-ID: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>

Hi,
                How to build minimal bro only generate conn.log  not
finding any steps for build this

Regards,
sunu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/6c512d7a/attachment-0001.html 

From mfernandez at mitre.org  Wed Apr 11 06:02:42 2018
From: mfernandez at mitre.org (Fernandez, Mark I)
Date: Wed, 11 Apr 2018 13:02:42 +0000
Subject: [Bro] minimal bro
In-Reply-To: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
References: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
Message-ID: <DM5PR0901MB23597AA4E33B800FE4C335EDCFBD0@DM5PR0901MB2359.namprd09.prod.outlook.com>

>> How to build minimal bro only generate conn.log
>> not finding any steps for build this

I think you can find the answer in scripts/base/init-default.bro
and in scripts/base/init-bare.bro.

init-default.bro loads all the various protocol analyzers, while
init-bare.bro does not.

Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/6fc60e71/attachment.html 

From matiasdavaro at gmail.com  Wed Apr 11 06:09:58 2018
From: matiasdavaro at gmail.com (Matiasd Davaro)
Date: Wed, 11 Apr 2018 09:09:58 -0400
Subject: [Bro] minimal bro
In-Reply-To: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
References: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
Message-ID: <CAAHbCpFa3Q1guV6NOZo3KHQ4Q8FFBx5WN7nyzK6KZvuGPQKW8A@mail.gmail.com>

If I did not misunderstand your question, you could disable logging for the
other protocols and stick directly with the conn.log. Unless someone has a
better script or more efficient alternative option, could you possibly name
this script and @load it in your local.bro:

export {
  const ignore_logs = set( a list of all the logs you don't want to
see)&redef;
}

event bro_init()
{
 for ( i in ignore_logs )
  {
    Log::disable_stream(i);
  }
}

BTW this idea was gotten from Aaron Eppert's excellent bro scripting class
on networkdefense.io.

On Wed, Apr 11, 2018 at 1:43 AM, ps sunu <pssunu6 at gmail.com> wrote:

> Hi,
>                 How to build minimal bro only generate conn.log  not
> finding any steps for build this
>
> Regards,
> sunu
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/bf95226d/attachment.html 

From greg.grasmehr at caltech.edu  Wed Apr 11 10:47:20 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Wed, 11 Apr 2018 10:47:20 -0700
Subject: [Bro] Worker System Memory Exhaustion
Message-ID: <20180411174720.wpjbrsbzaxc5x3gy@dakine>

Hi Aashish,

Have been using scan-NG, seems to be working though I'm curious, why do
you redefine local networks in scan-NG/debug.bro - wouldn't scan-NG pick
up that information from /usr/local/bro/etc/networks.cfg?

Also in regards to debugging, will it tell me if a path can't be found?
I was unsure of the reference
/feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO in the scan-config.bro - is
that in fact $BRO_PATH/feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO

Greg

From asharma at lbl.gov  Wed Apr 11 11:11:16 2018
From: asharma at lbl.gov (Aashish Sharma)
Date: Wed, 11 Apr 2018 11:11:16 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <20180411174720.wpjbrsbzaxc5x3gy@dakine>
References: <20180411174720.wpjbrsbzaxc5x3gy@dakine>
Message-ID: <20180411181113.GC12548@MacPro-2331.local>

HI Greg, 

> you redefine local networks in scan-NG/debug.bro - wouldn't scan-NG pick

This was oversight. I added that as part of debugging when running against
pcaps/tests/standalone. I forgot to remove it before making a git commit. Now
removed. 

In a broctl run, it should pick local_nets out of networks.cfg only. 

> /feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO in the scan-config.bro - is

this was a problem I faced when releasing this code. for my setup, I infer
Darknet based on file (LBL-subnets.csv-LATEST_BRO). LBL-subnets.csv-LATEST_BRO
is published by the networking based on polling network devices every hour and
has list of allocated subnets in it. Anything which is not in this file is
Darknet and triggers the LandMine heuristics. 

If you'd like to use LandMine heuristics, I'd suggest populate this file with
your list of allocated subnets (could be dynamic where you can keep appending to
this file ) or static. Input-framework takes care of feeding this into BRO and
if a row is removed those changes also get propagated into bro.

So, redef Site::subnet_feed should point to your list of allocated subnets. 

Now, some sites have actually the other way round, where they have a list of
Darknets or unallocated subnets. If thats case with you let me know. I'll send
you a slightly different file. 

(Justin tried to simplify these all in his version but not sure where it was
left).

btw, I am re-writing a ton of scan-NG to make these much more easier to
config/run and distribute. 

Aashish 

On Wed, Apr 11, 2018 at 10:47:20AM -0700, Greg Grasmehr wrote:
> Hi Aashish,
> 
> Have been using scan-NG, seems to be working though I'm curious, why do
> you redefine local networks in scan-NG/debug.bro - wouldn't scan-NG pick
> up that information from /usr/local/bro/etc/networks.cfg?
> 
> Also in regards to debugging, will it tell me if a path can't be found?
> I was unsure of the reference
> /feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO in the scan-config.bro - is
> that in fact $BRO_PATH/feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO
> 
> Greg

From jazoff at illinois.edu  Wed Apr 11 11:17:55 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 11 Apr 2018 18:17:55 +0000
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <20180411181113.GC12548@MacPro-2331.local>
References: <20180411174720.wpjbrsbzaxc5x3gy@dakine>
	<20180411181113.GC12548@MacPro-2331.local>
Message-ID: <C5FC0D4C-2036-494D-B287-744533857D4D@illinois.edu>


> On Apr 11, 2018, at 2:11 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> 
> Now, some sites have actually the other way round, where they have a list of
> Darknets or unallocated subnets. If thats case with you let me know. I'll send
> you a slightly different file. 

> (Justin tried to simplify these all in his version but not sure where it was
> left).

Yes!  I wrote something for this.  I split out from scan.bro into bro-is-darknet:

https://github.com/ncsa/bro-is-darknet

This tries to handle the four possible darknet setups I identified.

bro-simple-scan depends on this package for the darknet based scan detection.

? 
Justin Azoff



From greg.grasmehr at caltech.edu  Wed Apr 11 11:27:34 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Wed, 11 Apr 2018 11:27:34 -0700
Subject: [Bro] Worker System Memory Exhaustion
In-Reply-To: <C5FC0D4C-2036-494D-B287-744533857D4D@illinois.edu>
References: <20180411174720.wpjbrsbzaxc5x3gy@dakine>
	<20180411181113.GC12548@MacPro-2331.local>
	<C5FC0D4C-2036-494D-B287-744533857D4D@illinois.edu>
Message-ID: <20180411182734.tsef5ijdj5jrzw4q@dakine>

Hi Justin,

I switched to your package for now, thanks for suggesting it, and thanks
for the documentation on GIT regarding how to redefine lit and dark
nets, very nice.

Looking forward to checking out Aashish's rewrite of his scan-NG package
which promises great improvements like easier configuration for
numbskulls like me.  :P

Greg

From robin at icir.org  Wed Apr 11 12:10:54 2018
From: robin at icir.org (Robin Sommer)
Date: Wed, 11 Apr 2018 12:10:54 -0700
Subject: [Bro] Are you ready for BroCon 2018? Save the Date!
Message-ID: <20180411191054.GE24967@icir.org>

Dear Bro Community,

We're excited to announce the details for BroCon 2018!

BroCon offers the Bro community a chance to meet face-to-face, share
new ideas and developments, and better understand and secure their
networks. The conference is composed of presentations from members of
the community and the Bro development team.

We have confirmed the venue for this year and hope to see you all there:

Date:     October 10-12, 2018
Location: Arlington, VA, at the Hyatt Regency Crystal City

Stay tuned for more details. We'll soon provide registration
information, a Call for Presentations, and details on sponsorship
opportunities.

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From perry29 at llnl.gov  Wed Apr 11 12:58:43 2018
From: perry29 at llnl.gov (Perry, David)
Date: Wed, 11 Apr 2018 19:58:43 +0000
Subject: [Bro] broctl print capture_filters failing
Message-ID: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>

I have a two-worker cluster running on an Ubuntu VM.  Bro was installed from the packages provided by OpenSUSE.
Ubuntu 16.04.4 LTS
Bro 2.5.3
BroControl Version 1.7.

Aside from commenting out most "@load protocols/xxx" lines, I have made minimal changes to the configuration.

I am debugging capture filters but unfortunately broctl print capture_filters throws an error.  'broctl status' works fine.

broctl status
Name         Type    Host             Status    Pid    Started
manager      manager localhost        running   11704  10 Apr 15:09:24
proxy-1      proxy   localhost        running   11880  10 Apr 15:09:25
worker-1     worker  localhost        running   11937  10 Apr 15:09:27
worker-2     worker  localhost        running   11938  10 Apr 15:09:27

broctl print capture_filters
     manager   <error: cannot connect to 127.0.0.1:47761>
     proxy-1   <error: cannot connect to 127.0.0.1:47762>
    worker-1   <error: cannot connect to 127.0.0.1:47763>
    worker-2   <error: cannot connect to 127.0.0.1:47764>

I added 'Debug=1' to broctl.cfg, re-ran the commands and looked in /opt/bro/spool/debug.log but found no additional information.

Perhaps I am still missing some software?  Incompatible version of python-broccoli (came from Ubuntu)?

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/417a73bb/attachment.html 

From asharma at lbl.gov  Wed Apr 11 13:36:32 2018
From: asharma at lbl.gov (Aashish Sharma)
Date: Wed, 11 Apr 2018 13:36:32 -0700
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
Message-ID: <20180411203631.GF12548@MacPro-2331.local>

David, 

I have started using a different technique for debug/dumping now:

I tap into "event reporter_info" 

rough example : 

$cat a.bro  

redef capture_filters += { ["my-net"] = "(vlan and not net 1.2.0.0/16) or not net 1.2.0.0/16", } ; 

event bro_init()
{
    local _msg = "" ; 

        for (a in capture_filters)
        { 
               _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
                event reporter_info(network_time(), _msg, peer_description);   
        } 
}


then run as: bro -i eth0 ./a.bro 


$cat reporter.log  | fgrep capture-filters 


you should see the output. 

event reporter_info is a good event to tap for dumping info in a cluster setup.
Basically I've used it as a cluster version of "print fmt (" used in standalone. 

Hope this helps, 
Aashish 


On Wed, Apr 11, 2018 at 07:58:43PM +0000, Perry, David wrote:
> I have a two-worker cluster running on an Ubuntu VM.  Bro was installed from the packages provided by OpenSUSE.
> Ubuntu 16.04.4 LTS
> Bro 2.5.3
> BroControl Version 1.7.
> 
> Aside from commenting out most "@load protocols/xxx" lines, I have made minimal changes to the configuration.
> 
> I am debugging capture filters but unfortunately broctl print capture_filters throws an error.  'broctl status' works fine.
> 
> broctl status
> Name         Type    Host             Status    Pid    Started
> manager      manager localhost        running   11704  10 Apr 15:09:24
> proxy-1      proxy   localhost        running   11880  10 Apr 15:09:25
> worker-1     worker  localhost        running   11937  10 Apr 15:09:27
> worker-2     worker  localhost        running   11938  10 Apr 15:09:27
> 
> broctl print capture_filters
>      manager   <error: cannot connect to 127.0.0.1:47761>
>      proxy-1   <error: cannot connect to 127.0.0.1:47762>
>     worker-1   <error: cannot connect to 127.0.0.1:47763>
>     worker-2   <error: cannot connect to 127.0.0.1:47764>
> 
> I added 'Debug=1' to broctl.cfg, re-ran the commands and looked in /opt/bro/spool/debug.log but found no additional information.
> 
> Perhaps I am still missing some software?  Incompatible version of python-broccoli (came from Ubuntu)?
> 
> David

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From jazoff at illinois.edu  Wed Apr 11 13:47:14 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Wed, 11 Apr 2018 20:47:14 +0000
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <20180411203631.GF12548@MacPro-2331.local>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
Message-ID: <80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>


> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> 
> event bro_init()
> {
>    local _msg = "" ; 
> 
>        for (a in capture_filters)
>        { 
>               _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
>                event reporter_info(network_time(), _msg, peer_description);   
>        } 
> }

You can just

    Reporter::info(fmt ("capture-filters: %s-> %s", a, capture_filters[a]));



? 
Justin Azoff




From assaf.morami at gmail.com  Wed Apr 11 13:47:55 2018
From: assaf.morami at gmail.com (Assaf)
Date: Wed, 11 Apr 2018 23:47:55 +0300
Subject: [Bro] minimal bro
In-Reply-To: <CAAHbCpFa3Q1guV6NOZo3KHQ4Q8FFBx5WN7nyzK6KZvuGPQKW8A@mail.gmail.com>
References: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
	<CAAHbCpFa3Q1guV6NOZo3KHQ4Q8FFBx5WN7nyzK6KZvuGPQKW8A@mail.gmail.com>
Message-ID: <CADsFwieYtuQefhHFacHoBT529XfZf0tqzWzDt+sh9CFrdb1NNg@mail.gmail.com>

bro -r my.pcap -b -C base/protocols/conn

On Wed, Apr 11, 2018 at 4:09 PM, Matiasd Davaro <matiasdavaro at gmail.com>
wrote:

> If I did not misunderstand your question, you could disable logging for
> the other protocols and stick directly with the conn.log. Unless someone
> has a better script or more efficient alternative option, could you
> possibly name this script and @load it in your local.bro:
>
> export {
>   const ignore_logs = set( a list of all the logs you don't want to
> see)&redef;
> }
>
> event bro_init()
> {
>  for ( i in ignore_logs )
>   {
>     Log::disable_stream(i);
>   }
> }
>
> BTW this idea was gotten from Aaron Eppert's excellent bro scripting class
> on networkdefense.io.
>
> On Wed, Apr 11, 2018 at 1:43 AM, ps sunu <pssunu6 at gmail.com> wrote:
>
>> Hi,
>>                 How to build minimal bro only generate conn.log  not
>> finding any steps for build this
>>
>> Regards,
>> sunu
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/91ff6971/attachment-0001.html 

From dnthayer at illinois.edu  Wed Apr 11 14:05:57 2018
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Wed, 11 Apr 2018 16:05:57 -0500
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
Message-ID: <06bd94b1-9329-c7a6-a8f6-64dcec1c320e@illinois.edu>

On 4/11/18 2:58 PM, Perry, David wrote:
> I have a two-worker cluster running on an Ubuntu VM. ?Bro was installed 
> from the packages provided by OpenSUSE.
> Ubuntu 16.04.4 LTS
> Bro 2.5.3
> BroControl Version 1.7.
> 
> Aside from commenting out most "@load protocols/xxx" lines, I have made 
> minimal changes to the configuration.
> 
> I am debugging capture filters but unfortunately?broctl 
> print?capture_filters?throws an error. ?'broctl status' works fine.
> 
> broctl status
> Name ? ? ? ? Type? ? Host ? ? ? ? ? ? Status? ? Pid? ? Started
> manager? ? ? manager localhost? ? ? ? running ? 11704? 10 Apr 15:09:24
> proxy-1? ? ? proxy ? localhost? ? ? ? running ? 11880? 10 Apr 15:09:25
> worker-1 ? ? worker? localhost? ? ? ? running ? 11937? 10 Apr 15:09:27
> worker-2 ? ? worker? localhost? ? ? ? running ? 11938? 10 Apr 15:09:27
> 
> broctl print capture_filters
>  ? ? ?manager???<error: cannot connect to 127.0.0.1:47761>
>  ? ? ?proxy-1???<error: cannot connect to 127.0.0.1:47762>
>  ? ??worker-1???<error: cannot connect to 127.0.0.1:47763>
>  ? ??worker-2???<error: cannot connect to 127.0.0.1:47764>
> 

Have you verified that Bro is listening on those ports?
(e.g. "netstat -ltn")

From perry29 at llnl.gov  Wed Apr 11 14:34:38 2018
From: perry29 at llnl.gov (Perry, David)
Date: Wed, 11 Apr 2018 21:34:38 +0000
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <06bd94b1-9329-c7a6-a8f6-64dcec1c320e@illinois.edu>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<06bd94b1-9329-c7a6-a8f6-64dcec1c320e@illinois.edu>
Message-ID: <FC4C7595-6035-437E-B48D-DAFCDE69731D@llnl.gov>

Good question.  Alas, 'netstat' and 'lsof' show bro listening on those ports.


> On Apr 11, 2018, at 2:05 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> 
> On 4/11/18 2:58 PM, Perry, David wrote:
>> I have a two-worker cluster running on an Ubuntu VM.  Bro was installed from the packages provided by OpenSUSE.
>> Ubuntu 16.04.4 LTS
>> Bro 2.5.3
>> BroControl Version 1.7.
>> Aside from commenting out most "@load protocols/xxx" lines, I have made minimal changes to the configuration.
>> I am debugging capture filters but unfortunately broctl print capture_filters throws an error.  'broctl status' works fine.
>> broctl status
>> Name         Type    Host             Status    Pid    Started
>> manager      manager localhost        running   11704  10 Apr 15:09:24
>> proxy-1      proxy   localhost        running   11880  10 Apr 15:09:25
>> worker-1     worker  localhost        running   11937  10 Apr 15:09:27
>> worker-2     worker  localhost        running   11938  10 Apr 15:09:27
>> broctl print capture_filters
>>      manager   <error: cannot connect to 127.0.0.1:47761>
>>      proxy-1   <error: cannot connect to 127.0.0.1:47762>
>>     worker-1   <error: cannot connect to 127.0.0.1:47763>
>>     worker-2   <error: cannot connect to 127.0.0.1:47764>
> 
> Have you verified that Bro is listening on those ports?
> (e.g. "netstat -ltn")



From perry29 at llnl.gov  Wed Apr 11 15:07:51 2018
From: perry29 at llnl.gov (Perry, David)
Date: Wed, 11 Apr 2018 22:07:51 +0000
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <20180411203631.GF12548@MacPro-2331.local>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
Message-ID: <4ED775B4-B348-4323-8F2C-172722977248@llnl.gov>

Thanks, Aashish.  It does work.

> On Apr 11, 2018, at 1:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> 
> David, 
> 
> I have started using a different technique for debug/dumping now:
> 
> I tap into "event reporter_info" 
> 
> rough example : 
> 
> $cat a.bro  
> 
> redef capture_filters += { ["my-net"] = "(vlan and not net 1.2.0.0/16) or not net 1.2.0.0/16", } ; 
> 
> event bro_init()
> {
>    local _msg = "" ; 
> 
>        for (a in capture_filters)
>        { 
>               _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
>                event reporter_info(network_time(), _msg, peer_description);   
>        } 
> }
> 
> 
> then run as: bro -i eth0 ./a.bro 
> 
> 
> $cat reporter.log  | fgrep capture-filters 
> 
> 
> you should see the output. 
> 
> event reporter_info is a good event to tap for dumping info in a cluster setup.
> Basically I've used it as a cluster version of "print fmt (" used in standalone. 
> 
> Hope this helps, 
> Aashish 
> 
> 
> On Wed, Apr 11, 2018 at 07:58:43PM +0000, Perry, David wrote:
>> I have a two-worker cluster running on an Ubuntu VM.  Bro was installed from the packages provided by OpenSUSE.
>> Ubuntu 16.04.4 LTS
>> Bro 2.5.3
>> BroControl Version 1.7.
>> 
>> Aside from commenting out most "@load protocols/xxx" lines, I have made minimal changes to the configuration.
>> 
>> I am debugging capture filters but unfortunately broctl print capture_filters throws an error.  'broctl status' works fine.
>> 
>> broctl status
>> Name         Type    Host             Status    Pid    Started
>> manager      manager localhost        running   11704  10 Apr 15:09:24
>> proxy-1      proxy   localhost        running   11880  10 Apr 15:09:25
>> worker-1     worker  localhost        running   11937  10 Apr 15:09:27
>> worker-2     worker  localhost        running   11938  10 Apr 15:09:27
>> 
>> broctl print capture_filters
>>     manager   <error: cannot connect to 127.0.0.1:47761>
>>     proxy-1   <error: cannot connect to 127.0.0.1:47762>
>>    worker-1   <error: cannot connect to 127.0.0.1:47763>
>>    worker-2   <error: cannot connect to 127.0.0.1:47764>
>> 
>> I added 'Debug=1' to broctl.cfg, re-ran the commands and looked in /opt/bro/spool/debug.log but found no additional information.
>> 
>> Perhaps I am still missing some software?  Incompatible version of python-broccoli (came from Ubuntu)?
>> 
>> David
> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 



From perry29 at llnl.gov  Wed Apr 11 15:20:18 2018
From: perry29 at llnl.gov (Perry, David)
Date: Wed, 11 Apr 2018 22:20:18 +0000
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
	<80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>
Message-ID: <5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>

Thanks, Justin, this works well too.

In both cases, when I re-run bro, the order of pieces printed is different.  I don't know if this order is an artifact, or what, but I think the internal order is important -- non-vlan filters first and vlan filters after....  

The thing I am trying to troubleshoot is that if I concatenate on one line all of the pieces, the filter works as expected.  If I do this:

> redef capture_filters     = { ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };

it works as expected.  However if I do this (much neater looking):

> redef capture_filters     = { 
> ["subnets"]   = "          (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
> ["iris-1"]    = "          (not (net eee.hhh.ggg.0/28))",
> ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
> ["iris-1_V"]  = "(vlan and (not (net eee.hhh.ggg.0/28)))" 
> };

I do not get the same behavior.  

David


> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> 
>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>> 
>> event bro_init()
>> {
>>   local _msg = "" ; 
>> 
>>       for (a in capture_filters)
>>       { 
>>              _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
>>               event reporter_info(network_time(), _msg, peer_description);   
>>       } 
>> }
> 
> You can just
> 
>    Reporter::info(fmt ("capture-filters: %s-> %s", a, capture_filters[a]));
> 
> 
> 
> ? 
> Justin Azoff
> 
> 



From jmellander at lbl.gov  Wed Apr 11 15:46:06 2018
From: jmellander at lbl.gov (Jim Mellander)
Date: Wed, 11 Apr 2018 15:46:06 -0700
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
	<80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>
	<5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>
Message-ID: <CADju=b4cFK_usDHXG1Fv2u1cAYCEiRz=PDHfBucXupvbXw1Meg@mail.gmail.com>

Use of vlan in bpf filters can be problematic.  See:
https://stackoverflow.com/questions/31136182/libpcap-filter-strings-using-vlan-are-behaving-weirdly

I don't think the "much neater looking" bpf fragments are necessarily being
applied in the same order that you specify them as the order of traversal
through a table is not specified.

Hope this helps.



On Wed, Apr 11, 2018 at 3:20 PM, Perry, David <perry29 at llnl.gov> wrote:

> Thanks, Justin, this works well too.
>
> In both cases, when I re-run bro, the order of pieces printed is
> different.  I don't know if this order is an artifact, or what, but I think
> the internal order is important -- non-vlan filters first and vlan filters
> after....
>
> The thing I am trying to troubleshoot is that if I concatenate on one line
> all of the pieces, the filter works as expected.  If I do this:
>
> > redef capture_filters     = { ["subnets"] = "(not (src net
> aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net
> eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net
> aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };
>
> it works as expected.  However if I do this (much neater looking):
>
> > redef capture_filters     = {
> > ["subnets"]   = "          (not (src net aaa.bbb.0.0/16 or src net
> aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
> > ["iris-1"]    = "          (not (net eee.hhh.ggg.0/28))",
> > ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net
> aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
> > ["iris-1_V"]  = "(vlan and (not (net eee.hhh.ggg.0/28)))"
> > };
>
> I do not get the same behavior.
>
> David
>
>
> > On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> >
> >
> >> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
> >>
> >> event bro_init()
> >> {
> >>   local _msg = "" ;
> >>
> >>       for (a in capture_filters)
> >>       {
> >>              _msg = fmt ("capture-filters: %s-> %s", a,
> capture_filters[a]);
> >>               event reporter_info(network_time(), _msg,
> peer_description);
> >>       }
> >> }
> >
> > You can just
> >
> >    Reporter::info(fmt ("capture-filters: %s-> %s", a,
> capture_filters[a]));
> >
> >
> >
> > ?
> > Justin Azoff
> >
> >
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180411/b3fc4613/attachment.html 

From pssunu6 at gmail.com  Wed Apr 11 20:53:36 2018
From: pssunu6 at gmail.com (ps sunu)
Date: Thu, 12 Apr 2018 09:23:36 +0530
Subject: [Bro] minimal bro
In-Reply-To: <CADsFwieYtuQefhHFacHoBT529XfZf0tqzWzDt+sh9CFrdb1NNg@mail.gmail.com>
References: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
	<CAAHbCpFa3Q1guV6NOZo3KHQ4Q8FFBx5WN7nyzK6KZvuGPQKW8A@mail.gmail.com>
	<CADsFwieYtuQefhHFacHoBT529XfZf0tqzWzDt+sh9CFrdb1NNg@mail.gmail.com>
Message-ID: <CALGAZaABQL31XhTMT5sfZnekZxsdqTviQf598Ry=mNSVv4WFOg@mail.gmail.com>

ok thanks guys , i will try this , is it possible while compiling bro as as
minimal ? only generate conn.log ?

On Thu, Apr 12, 2018 at 2:17 AM, Assaf <assaf.morami at gmail.com> wrote:

> bro -r my.pcap -b -C base/protocols/conn
>
> On Wed, Apr 11, 2018 at 4:09 PM, Matiasd Davaro <matiasdavaro at gmail.com>
> wrote:
>
>> If I did not misunderstand your question, you could disable logging for
>> the other protocols and stick directly with the conn.log. Unless someone
>> has a better script or more efficient alternative option, could you
>> possibly name this script and @load it in your local.bro:
>>
>> export {
>>   const ignore_logs = set( a list of all the logs you don't want to
>> see)&redef;
>> }
>>
>> event bro_init()
>> {
>>  for ( i in ignore_logs )
>>   {
>>     Log::disable_stream(i);
>>   }
>> }
>>
>> BTW this idea was gotten from Aaron Eppert's excellent bro scripting
>> class on networkdefense.io.
>>
>> On Wed, Apr 11, 2018 at 1:43 AM, ps sunu <pssunu6 at gmail.com> wrote:
>>
>>> Hi,
>>>                 How to build minimal bro only generate conn.log  not
>>> finding any steps for build this
>>>
>>> Regards,
>>> sunu
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/0dbf134b/attachment.html 

From seth at corelight.com  Thu Apr 12 05:36:11 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 12 Apr 2018 08:36:11 -0400
Subject: [Bro] minimal bro
In-Reply-To: <CALGAZaABQL31XhTMT5sfZnekZxsdqTviQf598Ry=mNSVv4WFOg@mail.gmail.com>
References: <CALGAZaCHNM+yi=-QQKw-+=mXD-3nrfbJS6SSdtSbQUMLhk-tAg@mail.gmail.com>
	<CAAHbCpFa3Q1guV6NOZo3KHQ4Q8FFBx5WN7nyzK6KZvuGPQKW8A@mail.gmail.com>
	<CADsFwieYtuQefhHFacHoBT529XfZf0tqzWzDt+sh9CFrdb1NNg@mail.gmail.com>
	<CALGAZaABQL31XhTMT5sfZnekZxsdqTviQf598Ry=mNSVv4WFOg@mail.gmail.com>
Message-ID: <5A56B683-DBD8-4745-A620-79FB1E2AF2BF@corelight.com>



On 11 Apr 2018, at 23:53, ps sunu wrote:

> ok thanks guys , i will try this , is it possible while compiling bro 
> as as
> minimal ? only generate conn.log ?

There are no options for building Bro in a minimal way, but Assaf's 
suggestion is the direction that I would go.  If you run Bro with the 
'-b' flag it will run in "bare" mode which causes it to not load the 
init-default.bro script.  You will then have to specify every bit of 
functionality that you would like Bro to run which is also why Assaf 
suggested loading the base/protocols/conn script.

This will cause Bro to do less processing than the other suggestion of 
disabling the log streams.  If you disable the log streams Bro will 
still end up doing all of the work internally to create those logs just 
to throw out the data at the last minute.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From seth at corelight.com  Thu Apr 12 05:51:57 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 12 Apr 2018 08:51:57 -0400
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
	<80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>
	<5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>
Message-ID: <CF135AB3-8261-439F-AAD0-7738469640A3@corelight.com>

Oh, Aashish forwarded this to me off list and I didn't realize it was 
actually posted here.  I'll give a version of the email I sent off list 
to hopefully explain this situation in more detail for everyone else 
too.

The fact that these filters have vlan tags makes this all super 
complicated (as Jim pointed out, thanks!).  Generally I recommend that 
if people have vlan tags, they don't try to do filtering because it's 
going to be seriously mind bending.

Unfortunately, at the moment I have a hard time make a suggestion for a 
filter if you want to use capture_filters, as you've discovered that can 
be complicated based on how filter fragments are combined.  You may want 
to use the full filter you wrote and use that as a 'cmd_line_bpf_filter' 
variable.  I wouldn't normally recommend using the 'cmd_line_bpf_filter' 
variable because it closes some doors of functionality but there isn't a 
good way to avoid it in this case.

redef cmd_line_bpf_filter = "(not (src net aaa.bbb.0.0/16 or src net 
aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or 
(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src 
net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))";

I did want to make one other comment about the filter.  You almost 
certainly don't want to use "src" or "dst" in your filters.  Because 
that filtering is done at the packet level, even if the filter works 
correctly it means that you'll only see a single direction of traffic 
which will also be bad for Bro.  Most of Bros functionality expects to 
see both directions of conversations and won't work as well if both 
sides aren't there.  So the line I would actually recommend running is 
this...

redef cmd_line_bpf_filter = "(not (net aaa.bbb.0.0/16 or net 
aaa.ccc.0.0/16 or net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan 
and (not (net aaa.bbb.0.0/16 or net aaa.ccc.0.0/16 or net ddd.jjj.0.0/16 
or net eee.hhh.ggg.0/28)))";

VLAN tags and BPF filtering are never any fun.

   .Seth


On 11 Apr 2018, at 18:20, Perry, David wrote:

> Thanks, Justin, this works well too.
>
> In both cases, when I re-run bro, the order of pieces printed is 
> different.  I don't know if this order is an artifact, or what, but I 
> think the internal order is important -- non-vlan filters first and 
> vlan filters after....
>
> The thing I am trying to troubleshoot is that if I concatenate on one 
> line all of the pieces, the filter works as expected.  If I do this:
>
>> redef capture_filters     = { ["subnets"] = "(not (src net 
>> aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or 
>> net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or 
>> src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net 
>> eee.hhh.ggg.0/28)))" };
>
> it works as expected.  However if I do this (much neater looking):
>
>> redef capture_filters     = {
>> ["subnets"]   = "          (not (src net aaa.bbb.0.0/16 or src net 
>> aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
>> ["iris-1"]    = "          (not (net eee.hhh.ggg.0/28))",
>> ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net 
>> aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
>> ["iris-1_V"]  = "(vlan and (not (net eee.hhh.ggg.0/28)))"
>> };
>
> I do not get the same behavior.
>
> David
>
>
>> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu> 
>> wrote:
>>
>>
>>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov> wrote:
>>>
>>> event bro_init()
>>> {
>>>   local _msg = "" ;
>>>
>>>       for (a in capture_filters)
>>>       {
>>>              _msg = fmt ("capture-filters: %s-> %s", a, 
>>> capture_filters[a]);
>>>               event reporter_info(network_time(), _msg, 
>>> peer_description);
>>>       }
>>> }
>>
>> You can just
>>
>>    Reporter::info(fmt ("capture-filters: %s-> %s", a, 
>> capture_filters[a]));
>>
>>
>>
>> ?
>> Justin Azoff
>>
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com

From seth at corelight.com  Thu Apr 12 07:47:05 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 12 Apr 2018 10:47:05 -0400
Subject: [Bro] building a bro plugin
In-Reply-To: <CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A@mail.gmail.com>
References: <CAK6atxqrZjAOXpj9QgtZV8WDjGUw8nFcSTLQSMMJgvS8i0Dj=A@mail.gmail.com>
Message-ID: <86A82F93-27B4-4BB3-93A9-AE0397A9B42D@corelight.com>

I just left a comment in an issue of that repository to see if we can 
get some engagement from the author and possibly turn this into a 
plugin.  It looks like this is something that was built into Bro but it 
was ripped out of the internal copy of the repo and jammed into that 
one.

Here's the request I left...
	https://github.com/supriyask/Bro/issues/1

   .Seth

On 10 Apr 2018, at 10:48, erik clark wrote:

> I have tried everything I can think of to get this to compile:
>
> https://github.com/supriyask/Bro
>
> Can someone explain to me what needs to be provided either in the
> CMakeLists.txt or at the cmake cli to build this? Thanks. The readme 
> has no
> information whatsoever.


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/7c3653fc/attachment.html 

From seth at corelight.com  Thu Apr 12 07:54:57 2018
From: seth at corelight.com (Seth Hall)
Date: Thu, 12 Apr 2018 10:54:57 -0400
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g@mail.gmail.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
	<61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
	<CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>
	<CADXmT7Aa9cf2LZJmqxUBSVkWGt-ETv=nnMry+mcvwsoUwfJA2A@mail.gmail.com>
	<CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g@mail.gmail.com>
Message-ID: <263E15BD-E438-4DFA-858D-7B2527D32FB0@corelight.com>



On 10 Apr 2018, at 0:21, Brandon Sterne wrote:

> I can confirm this also happens on a C7 OpenStack VM:

Just to keep this fun, you aren't the only one seeing it...
	https://serverfault.com/questions/907037/random-timestamp-on-first-syn-ack-on-loopback

I just replicated it locally, but my timestamp on CentOS 7.4 (non-VM) 
was Jun  7 00:47:18 2034. :)

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com


From perry29 at llnl.gov  Thu Apr 12 08:21:20 2018
From: perry29 at llnl.gov (Perry, David)
Date: Thu, 12 Apr 2018 15:21:20 +0000
Subject: [Bro] broctl print capture_filters failing
In-Reply-To: <CADju=b4cFK_usDHXG1Fv2u1cAYCEiRz=PDHfBucXupvbXw1Meg@mail.gmail.com>
References: <6544D5E0-5AE6-446C-A2B7-C5655D1A3E68@llnl.gov>
	<20180411203631.GF12548@MacPro-2331.local>
	<80E4F915-B43A-448B-9945-E51B95115D05@illinois.edu>
	<5DAED3B1-DC0E-42BC-92C0-2A0A1F4E0DFE@llnl.gov>
	<CADju=b4cFK_usDHXG1Fv2u1cAYCEiRz=PDHfBucXupvbXw1Meg@mail.gmail.com>
Message-ID: <C9ECDC46-F4D8-4ED6-85E6-123AD04658F3@llnl.gov>

Jim,

Thanks very much.

That is a helpful article.  I had known about the VLAN pitfalls from bitter experience and think I navigated around them in the way I intended in the original 'long' version of the filter.  I think the opening line summarizes pretty well "vlan is weird."

I am pretty convinced now that the fragments are being applied in some non-deterministic order, which makes them useless for my application, unfortunately.

David



On Apr 11, 2018, at 3:46 PM, Jim Mellander <jmellander at lbl.gov<mailto:jmellander at lbl.gov>> wrote:

Use of vlan in bpf filters can be problematic.  See: https://stackoverflow.com/questions/31136182/libpcap-filter-strings-using-vlan-are-behaving-weirdly

I don't think the "much neater looking" bpf fragments are necessarily being applied in the same order that you specify them as the order of traversal through a table is not specified.

Hope this helps.



On Wed, Apr 11, 2018 at 3:20 PM, Perry, David <perry29 at llnl.gov<mailto:perry29 at llnl.gov>> wrote:
Thanks, Justin, this works well too.

In both cases, when I re-run bro, the order of pieces printed is different.  I don't know if this order is an artifact, or what, but I think the internal order is important -- non-vlan filters first and vlan filters after....

The thing I am trying to troubleshoot is that if I concatenate on one line all of the pieces, the filter works as expected.  If I do this:

> redef capture_filters     = { ["subnets"] = "(not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)) or (vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16 or net eee.hhh.ggg.0/28)))" };

it works as expected.  However if I do this (much neater looking):

> redef capture_filters     = {
> ["subnets"]   = "          (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16))",
> ["iris-1"]    = "          (not (net eee.hhh.ggg.0/28))",
> ["subnets_V"] = "(vlan and (not (src net aaa.bbb.0.0/16 or src net aaa.ccc.0.0/16 or src net ddd.jjj.0.0/16)))",
> ["iris-1_V"]  = "(vlan and (not (net eee.hhh.ggg.0/28)))"
> };

I do not get the same behavior.

David


> On Apr 11, 2018, at 1:47 PM, Azoff, Justin S <jazoff at illinois.edu<mailto:jazoff at illinois.edu>> wrote:
>
>
>> On Apr 11, 2018, at 4:36 PM, Aashish Sharma <asharma at lbl.gov<mailto:asharma at lbl.gov>> wrote:
>>
>> event bro_init()
>> {
>>   local _msg = "" ;
>>
>>       for (a in capture_filters)
>>       {
>>              _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
>>               event reporter_info(network_time(), _msg, peer_description);
>>       }
>> }
>
> You can just
>
>    Reporter::info(fmt ("capture-filters: %s-> %s", a, capture_filters[a]));
>
>
>
> ?
> Justin Azoff
>
>


_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro<http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/5ede0819/attachment-0001.html 

From brandon.sterne at gmail.com  Thu Apr 12 09:16:52 2018
From: brandon.sterne at gmail.com (Brandon Sterne)
Date: Thu, 12 Apr 2018 09:16:52 -0700
Subject: [Bro] Bro behind a TLS reverse proxy
In-Reply-To: <263E15BD-E438-4DFA-858D-7B2527D32FB0@corelight.com>
References: <CADXmT7Cq5Fjia9dx_FC9PEh_A5-Nc5OfJ3LaH_mrG5Nx+y=NUA@mail.gmail.com>
	<665D44F3-E658-4DFD-BF1E-2B9CD681ADC4@illinois.edu>
	<CADXmT7B8U3od_LN6LaN+2YWDYqSRj-rwGByLMsfTL-+dFPVxTw@mail.gmail.com>
	<61069FD8-7D1F-409E-98A3-FA3BD01EC991@corelight.com>
	<CAJ6bFK1WuZJ5+TMDrZGNy0FbxOia-C9NYB2LM1ViELCiRZM4-A@mail.gmail.com>
	<CADXmT7Aa9cf2LZJmqxUBSVkWGt-ETv=nnMry+mcvwsoUwfJA2A@mail.gmail.com>
	<CADXmT7CqnNFykCP0dQXmOz+B7wfhsEDrrT25Ct+62UjzA=bW0g@mail.gmail.com>
	<263E15BD-E438-4DFA-858D-7B2527D32FB0@corelight.com>
Message-ID: <CADXmT7B3UtQ_xAyZAsKgXcMKHpHROZ6NL3Qugmo5bswmMMRT0w@mail.gmail.com>

This is, it turns out, a known Redhat bug and it has been fixed in C7.5. I
haven't tested it yet but it looks like a trivial patch that was already
fixed upstream:
https://patchwork.kernel.org/patch/6275821/

--- a/net/ipv4/tcp_output.c+++ b/net/ipv4/tcp_output.c@@ -2772,6
+2772,8 @@  struct sk_buff *tcp_make_synack(struct s
 	}
 #endif
 +	/* Do not fool tcpdump (if any), clean our debris */+	skb->tstamp.tv64 = 0;
 	return skb;
 }
 EXPORT_SYMBOL(tcp_make_synack);



On Thu, Apr 12, 2018 at 7:54 AM, Seth Hall <seth at corelight.com> wrote:

>
>
> On 10 Apr 2018, at 0:21, Brandon Sterne wrote:
>
> I can confirm this also happens on a C7 OpenStack VM:
>>
>
> Just to keep this fun, you aren't the only one seeing it...
>         https://serverfault.com/questions/907037/random-timestamp-
> on-first-syn-ack-on-loopback
>
> I just replicated it locally, but my timestamp on CentOS 7.4 (non-VM) was
> Jun  7 00:47:18 2034. :)
>
>   .Seth
>
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/e8c5f575/attachment.html 

From jmellander at lbl.gov  Thu Apr 12 11:04:25 2018
From: jmellander at lbl.gov (Jim Mellander)
Date: Thu, 12 Apr 2018 11:04:25 -0700
Subject: [Bro] No future updates to GeoIP legacy databases
Message-ID: <CADju=b5urCfgu_YavdWSCNo1HFiSSaX0s69O=N3-VHpodM-1qA@mail.gmail.com>

For those using Bro with libgeoip for IP location data, such as country of
origin, Maxmind has announced that March 2018 will be the last update to
the free legacy database:

https://dev.maxmind.com/geoip/geoip2/geolite2/
https://blog.hqcodeshop.fi/archives/387-MaxMind-GeoIP-database-legacy-version-discontinued.html

Some options appear to be:

   1. Update Bro to use the new Maxmind library.
   2. In the short term, generate legacy databases from the distributed
   CSVs for the new format from
   https://dev.maxmind.com/geoip/geoip2/geolite2/ using code like
   https://github.com/mteodoro/mmutils or
   https://github.com/dankamongmen/sprezzos-world/blob/master/packaging/geoip/debian/src/geoip-csv-to-dat.cpp
   (these would need to be modified to create legacy databases from the new
   format CSVs)....
   3. Hope someone does #2 above and provides access to those generated
   databases.
   4. Become a paying customer of Maxmind to continue to access the legacy
   format databases
   5. Switch to another vendor with free IP location data, such as
   https://lite.ip2location.com/ - requiring a different library to access
   6. Do nothing, in which case convergence from reality will gradually
   emerge.

I would be interested in the group's thoughts about this.


Jim Mellander, ESNet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/922888b0/attachment.html 

From graham at american.edu  Thu Apr 12 11:14:41 2018
From: graham at american.edu (Isabelle Grey)
Date: Thu, 12 Apr 2018 18:14:41 +0000
Subject: [Bro] No future updates to GeoIP legacy databases
In-Reply-To: <CADju=b5urCfgu_YavdWSCNo1HFiSSaX0s69O=N3-VHpodM-1qA@mail.gmail.com>
References: <CADju=b5urCfgu_YavdWSCNo1HFiSSaX0s69O=N3-VHpodM-1qA@mail.gmail.com>
Message-ID: <MWHPR0601MB36098B8230BD1BBDF4E6FFD6AEBC0@MWHPR0601MB3609.namprd06.prod.outlook.com>

We switched to the paid version of Maxmind here a little over a year ago for faster updates of the DB. The price is very reasonable and its an easy drop in replacement. We user it with Splunk and some other scripts as well as Bro so it was an easy decision for us.
---
Isabelle Grey
pronouns: she/her
Information Security Engineer
American University
https://www.american.edu/loader.cfm?csModule=security/getfile&pageid=4045420

From greg.grasmehr at caltech.edu  Thu Apr 12 11:43:51 2018
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Thu, 12 Apr 2018 11:43:51 -0700
Subject: [Bro] No future updates to GeoIP legacy databases
In-Reply-To: <MWHPR0601MB36098B8230BD1BBDF4E6FFD6AEBC0@MWHPR0601MB3609.namprd06.prod.outlook.com>
References: <CADju=b5urCfgu_YavdWSCNo1HFiSSaX0s69O=N3-VHpodM-1qA@mail.gmail.com>
	<MWHPR0601MB36098B8230BD1BBDF4E6FFD6AEBC0@MWHPR0601MB3609.namprd06.prod.outlook.com>
Message-ID: <20180412184351.4qyxvujcsvxb2aqo@dakine>

Hello,

Last I checked (a few years ago) the Maxmind commercial offering was
pretty expensive, so I am interested to find that may no longer be the
case, if you don't mind how much are you paying Isabelle?

We have been using the db-ip API with other processes for quite a while
now as the free Maxmind GeoIP database is often inaccurate.  The db-ip
service is great and the price is super cheap for API use and slightly
more expensive for a DB download which contains necessary data including
LAT and LONG.  Been thinking about incorporating db-ip into Splunk and I
guess now Bro - so this news provides motivation to get that done.

https://db-ip.com

Greg


From carlrotenan at gmail.com  Thu Apr 12 12:03:25 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Thu, 12 Apr 2018 15:03:25 -0400
Subject: [Bro] Test
Message-ID: <CAN-RTm4q+97MF4xXNQnpwihpjAgfFTOBr3TDNPEDXXnmkBKZGA@mail.gmail.com>

Test
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180412/fdbb0f48/attachment.html 

From klehigh at iu.edu  Fri Apr 13 08:49:37 2018
From: klehigh at iu.edu (Keith Lehigh)
Date: Fri, 13 Apr 2018 11:49:37 -0400
Subject: [Bro] disabling PE analyzer
Message-ID: <0D24C51E-F007-4C71-9E20-0A6645D9B678@iu.edu>

Hi Folks,
   I?m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer but I?m unable to get the syntax right.  Below is what I?m trying along w/ some output.  I?m quite surprised that Analyzer::ANALYZER_DHCP, shows up in disabled_analyzers when I redef the variable.  Thanks for any insight.

- Keith


test.bro:

redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };

event bro_init()
        {
        print Analyzer::disabled_analyzers;
        }

Output :

{
Analyzer::ANALYZER_TCPSTATS,
Analyzer::ANALYZER_DHCP,
Analyzer::ANALYZER_INTERCONN,
Analyzer::ANALYZER_BACKDOOR,
Analyzer::ANALYZER_STEPPINGSTONE
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3740 bytes
Desc: S/MIME digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180413/c6b9fc8e/attachment.bin 

From jazoff at illinois.edu  Fri Apr 13 08:57:34 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Fri, 13 Apr 2018 15:57:34 +0000
Subject: [Bro] disabling PE analyzer
In-Reply-To: <0D24C51E-F007-4C71-9E20-0A6645D9B678@iu.edu>
References: <0D24C51E-F007-4C71-9E20-0A6645D9B678@iu.edu>
Message-ID: <1A4466F9-B339-48CA-ACC2-13AA0C51A8EB@illinois.edu>


> On Apr 13, 2018, at 11:49 AM, Keith Lehigh <klehigh at iu.edu> wrote:
> 
> Hi Folks,
>   I?m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer but I?m unable to get the syntax right.  Below is what I?m trying along w/ some output.  I?m quite surprised that Analyzer::ANALYZER_DHCP, shows up in disabled_analyzers when I redef the variable.  Thanks for any insight.
> 
> - Keith
> 
> 
> test.bro:
> 
> redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };
> 
> event bro_init()
>        {
>        print Analyzer::disabled_analyzers;
>        }
> 
> Output :
> 
> {
> Analyzer::ANALYZER_TCPSTATS,
> Analyzer::ANALYZER_DHCP,
> Analyzer::ANALYZER_INTERCONN,
> Analyzer::ANALYZER_BACKDOOR,
> Analyzer::ANALYZER_STEPPINGSTONE
> }

I normally use

event bro_init()
{
        Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}

but the PE analyzer isn't a regular analyzer, so I don't think that will work.  It's initialized by the pe script using

const pe_mime_types = { "application/x-dosexec" };

event bro_init() &priority=5
	{
	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
	}

so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.



? 
Justin Azoff




From seth at corelight.com  Fri Apr 13 09:31:25 2018
From: seth at corelight.com (Seth Hall)
Date: Fri, 13 Apr 2018 12:31:25 -0400
Subject: [Bro] disabling PE analyzer
In-Reply-To: <1A4466F9-B339-48CA-ACC2-13AA0C51A8EB@illinois.edu>
References: <0D24C51E-F007-4C71-9E20-0A6645D9B678@iu.edu>
	<1A4466F9-B339-48CA-ACC2-13AA0C51A8EB@illinois.edu>
Message-ID: <7046B0C4-FF8B-4416-AC9E-46DF98CD15F2@corelight.com>



On 13 Apr 2018, at 11:57, Azoff, Justin S wrote:

> so you can probably disable it by redeffing pe_mime_types to something 
> that won't match anymore.

The Files api does have a table to disable file analyzers too.

```bro
redef Files::disable += { [Files::ANALYZER_PE] = T };
```

I'm actually not totally sure if that should be "T" or "F" though 
without some more checking.  I suspect that it's "T" though.

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180413/90a63f72/attachment.html 

From carlrotenan at gmail.com  Mon Apr 16 20:17:38 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Mon, 16 Apr 2018 23:17:38 -0400
Subject: [Bro] PF_RING 7.0 and Bro 2.5.3 issue
In-Reply-To: <CAN-RTm5PgazaQeQXk8UbmGOaaTh3Lp6EbkQYn_K=gShm-XcBWA@mail.gmail.com>
References: <CAN-RTm5PgazaQeQXk8UbmGOaaTh3Lp6EbkQYn_K=gShm-XcBWA@mail.gmail.com>
Message-ID: <CAN-RTm6TyhqHPZm3NvZ7+mojvo69N-d-pxmV=RE-ERCvrOn5WQ@mail.gmail.com>

Got through configure with prepending LDFLAGS="-lpfring -lpcap"

Example:

LDFLAGS="-lpfring -lpcap" ./configure --enable-perftools --enable-jemalloc
--prefix=/opt/bro --conf-files-dir=/etc/bro --with-pcap=/usr/local/


On Mon, Apr 16, 2018 at 10:22 PM, Carl Rotenan <carlrotenan at gmail.com>
wrote:

> Hello.
>
> I'm trying to install Bro 2.5.3 from source and I'm running into the
> following errors:
>
> ./configure --enable-perftools --enable-jemalloc --prefix=/opt/bro
> --conf-files-dir=/etc/bro --with-pcap=/usr/local/
>
> ...
>
> -- Looking for include file pcap-int.h
> -- Looking for include file pcap-int.h - not found
> -- Looking for pcap_freecode
> -- Looking for pcap_freecode - not found
> -- No implementation for pcap_freecode()
> -- Performing Test LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
> -- Performing Test LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER -
> Failed
> -- Performing Test LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER
> -- Performing Test LIBPCAP_PCAP_COMPILE_NOPCAP_NO_ERROR_PARAMETER - Failed
> CMake Error at cmake/PCAPTests.cmake:58 (message):
>   Can't determine if pcap_compile_nopcap takes an error parameter
> Call Stack (most recent call first):
>   CMakeLists.txt:164 (include)
>
>
> -- Configuring incomplete, errors occurred!
> See also "/root/tmp/bro-2.5.3/build/CMakeFiles/CMakeOutput.log".
> See also "/root/tmp/bro-2.5.3/build/CMakeFiles/CMakeError.log".
>
> I've attached the above error logs
>
> Miscellaneous info:
>
> find / -name libpcap*
> /usr/lib64/libpcap.so
> /usr/lib64/libpcap.so.1
> /usr/lib64/libpcap.so.1.5.3
> /usr/share/doc/libpcap-1.5.3
> /usr/local/lib/libpcap.so.1
> /usr/local/lib/libpcap.a
> /usr/local/lib/libpcap.so.1.8.1
>
>
> The PF_RING packages installed are:
>
> rpm -qa |grep pfring
> pfring-7.0.0-1846.x86_64
> pfring-dkms-7.0.0-1846.noarch
>
> Anyone have any thoughts?
>
> Thanks,
>
> Carl
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180416/d84c0f74/attachment.html 

From fatema.bannatwala at gmail.com  Tue Apr 17 06:11:38 2018
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 17 Apr 2018 09:11:38 -0400
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350
Message-ID: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>

Hi Everyone,

Looking at weird.log file recently showed a lot of weird notices logged for
the bicpac exception: out_of_bound, specifically for SSLRecord.
Hence wanted to ask if these can be safely ignored, or if anything is
broken and there are some serious issues with the traffic Bro is seeing. :)

Here are some of the notices from weird.log:

2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
52113   64.15.123.22    443     binpac exception: out_of_bound:
SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
52113   64.15.123.22    443     binpac exception: out_of_bound:
SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
54493   64.15.123.22    443     binpac exception: out_of_bound:
SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
54493   64.15.123.22    443     binpac exception: out_of_bound:
SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
61457   64.15.123.23    443     binpac exception: out_of_bound:
SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
61457   64.15.123.23    443     binpac exception: out_of_bound:
SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 63719 > 41       -       F       worker-2-19
2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 17744 > 35       -       F       worker-2-19
2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 64155 > 38       -       F       worker-2-19
2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
 65054   173.194.205.189 443     binpac exception: out_of_bound:
SSLRecord:rec: 54546 > 41       -       F       worker-2-19

Appreciate any insights. :)

Thanks!
Fatema.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180417/bc453d02/attachment.html 

From johanna at icir.org  Tue Apr 17 09:20:11 2018
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 Apr 2018 09:20:11 -0700
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
Message-ID: <20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>

Hi Fatema,

the answer is that you should not see this happen very often. Let me check
if that is something that I can also observe in our local cluster - the
last time I checked things looked more or less normal.

Johanna

On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
> Hi Everyone,
> 
> Looking at weird.log file recently showed a lot of weird notices logged for
> the bicpac exception: out_of_bound, specifically for SSLRecord.
> Hence wanted to ask if these can be safely ignored, or if anything is
> broken and there are some serious issues with the traffic Bro is seeing. :)
> 
> Here are some of the notices from weird.log:
> 
> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> 52113   64.15.123.22    443     binpac exception: out_of_bound:
> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> 52113   64.15.123.22    443     binpac exception: out_of_bound:
> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
> 54493   64.15.123.22    443     binpac exception: out_of_bound:
> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
> 54493   64.15.123.22    443     binpac exception: out_of_bound:
> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> 61457   64.15.123.23    443     binpac exception: out_of_bound:
> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> 61457   64.15.123.23    443     binpac exception: out_of_bound:
> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
> 
> Appreciate any insights. :)
> 
> Thanks!
> Fatema.

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


From fatema.bannatwala at gmail.com  Tue Apr 17 09:34:12 2018
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Tue, 17 Apr 2018 12:34:12 -0400
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
Message-ID: <CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>

Hi Johanna,

Thanks for the response.
I was analyzing these more, and looked in the connection logs to see which
these corresponds to.
And seeing UDP connections on 443 which are pretty long, and majority of
dest IPs are Google Inc. owned with some king of video streaming service, I
think YOUTUBE,
hence was thinking if these weird notices are corresponding to any DTLS
traffic to those video streaming services provided by Google.
Also, to my notice, no SSL records got logged as well for these, which I
assumed should have processed by SSL Analyzer. Hmm.

$ current/*.log | grep "C7lzD74mBAzB4usIHe"
1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
 64.15.123.22    *443     udp*     -       983.275963      2555936
162005599       SF    417     165405275       (empty) worker-3-12
1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
 64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec:
58376 > 1350
1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
 64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec:
11466 > 1350

IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
onomous_System-YOUTUBE

Thanks,
Fatema.

On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> wrote:

> Hi Fatema,
>
> the answer is that you should not see this happen very often. Let me check
> if that is something that I can also observe in our local cluster - the
> last time I checked things looked more or less normal.
>
> Johanna
>
> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
> > Hi Everyone,
> >
> > Looking at weird.log file recently showed a lot of weird notices logged
> for
> > the bicpac exception: out_of_bound, specifically for SSLRecord.
> > Hence wanted to ask if these can be safely ignored, or if anything is
> > broken and there are some serious issues with the traffic Bro is seeing.
> :)
> >
> > Here are some of the notices from weird.log:
> >
> > 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> > 52113   64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
> > 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> > 52113   64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
> > 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
> > 54493   64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
> > 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224
> > 54493   64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
> > 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> > 61457   64.15.123.23    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
> > 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> > 61457   64.15.123.23    443     binpac exception: out_of_bound:
> > SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
> > 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
> > 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
> > 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 63719 > 41       -       F       worker-2-19
> > 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 17744 > 35       -       F       worker-2-19
> > 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 64155 > 38       -       F       worker-2-19
> > 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >  65054   173.194.205.189 443     binpac exception: out_of_bound:
> > SSLRecord:rec: 54546 > 41       -       F       worker-2-19
> >
> > Appreciate any insights. :)
> >
> > Thanks!
> > Fatema.
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180417/996adac9/attachment-0001.html 

From johanna at icir.org  Tue Apr 17 09:36:55 2018
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 Apr 2018 09:36:55 -0700
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
	<CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
Message-ID: <6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>

Oh - interesting, these are udp.

In that case I instantly feel much less bad about this. It is probably 
google experimenting with something. Let me still check if I see that 
too :)

Johanna

On 17 Apr 2018, at 9:34, fatema bannatwala wrote:

> Hi Johanna,
>
> Thanks for the response.
> I was analyzing these more, and looked in the connection logs to see 
> which
> these corresponds to.
> And seeing UDP connections on 443 which are pretty long, and majority 
> of
> dest IPs are Google Inc. owned with some king of video streaming 
> service, I
> think YOUTUBE,
> hence was thinking if these weird notices are corresponding to any 
> DTLS
> traffic to those video streaming services provided by Google.
> Also, to my notice, no SSL records got logged as well for these, which 
> I
> assumed should have processed by SSL Analyzer. Hmm.
>
> $ current/*.log | grep "C7lzD74mBAzB4usIHe"
> 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    *443     udp*     -       983.275963      2555936
> 162005599       SF    417     165405275       (empty) worker-3-12
> 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    443     binpac exception: out_of_bound: 
> SSLRecord:rec:
> 58376 > 1350
> 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    443     binpac exception: out_of_bound: 
> SSLRecord:rec:
> 11466 > 1350
>
> IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
> onomous_System-YOUTUBE
>
> Thanks,
> Fatema.
>
> On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> 
> wrote:
>
>> Hi Fatema,
>>
>> the answer is that you should not see this happen very often. Let me 
>> check
>> if that is something that I can also observe in our local cluster - 
>> the
>> last time I checked things looked more or less normal.
>>
>> Johanna
>>
>> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>> Hi Everyone,
>>>
>>> Looking at weird.log file recently showed a lot of weird notices 
>>> logged
>> for
>>> the bicpac exception: out_of_bound, specifically for SSLRecord.
>>> Hence wanted to ask if these can be safely ignored, or if anything 
>>> is
>>> broken and there are some serious issues with the traffic Bro is 
>>> seeing.
>> :)
>>>
>>> Here are some of the notices from weird.log:
>>>
>>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      
>>> 128.175.252.224
>>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      
>>> 128.175.252.224
>>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>>>
>>> Appreciate any insights. :)
>>>
>>> Thanks!
>>> Fatema.
>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>

From carlrotenan at gmail.com  Wed Apr 18 16:57:23 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Wed, 18 Apr 2018 19:57:23 -0400
Subject: [Bro] Upgrade from 2.4 to 2.5
Message-ID: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>

Hello.

I'm upgrading an install from 2.4 to the latest.

Did this ability go away in 2.5:

 write_file(fileh, fmt("filename: %s \r\n", c$http?$filename ?
c$http$filename : "uninitialized"));

Specifically the c$http?$filename.

Is there a list I can reference of thing that may have been deprecated?

Thanks in advance for putting up with my newbie questions.

Carl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180418/d2429709/attachment.html 

From jmellander at lbl.gov  Wed Apr 18 22:06:16 2018
From: jmellander at lbl.gov (Jim Mellander)
Date: Wed, 18 Apr 2018 22:06:16 -0700
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
Message-ID: <CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>

I ran across this issue just the other day.  Evidently, ?$ no longer works
in a ternary expression, which I presume is a bug, rather than a feature.

Jim


On Wed, Apr 18, 2018 at 4:57 PM, Carl Rotenan <carlrotenan at gmail.com> wrote:

> Hello.
>
> I'm upgrading an install from 2.4 to the latest.
>
> Did this ability go away in 2.5:
>
>  write_file(fileh, fmt("filename: %s \r\n", c$http?$filename ?
> c$http$filename : "uninitialized"));
>
> Specifically the c$http?$filename.
>
> Is there a list I can reference of thing that may have been deprecated?
>
> Thanks in advance for putting up with my newbie questions.
>
> Carl
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180418/df91f3f8/attachment.html 

From charles.mckee at decisivedge.com  Thu Apr 19 07:18:26 2018
From: charles.mckee at decisivedge.com (Charles Mckee)
Date: Thu, 19 Apr 2018 10:18:26 -0400
Subject: [Bro] PCAP help
Message-ID: <cf005358c47ad1a2d09477b5381eca3f@mail.gmail.com>

Hello Bro Team,

I need some help with PCAP.



We noticed when using Bro we see local host traffic.



We want to segment Bro's traffic from the other traffic on a continual
 basis.



We cannot find any information on the net how to do this, so now I  must
reach out to you.



All traffic inbound comes into Bro and at that point we need to all of its
own traffic segmented away somewhere.



Can you help me ?



Can you please send explicit directions for this.





Respectfully Yours

Charles McKee



*Decisiv**E**dge**, LLC*

*O:*  302.299.1570 x43 <(302)%20299-1570>2  *|*  *C:*  302.3
<(302)%20299-0406>20.6968  *|*  *F:*  302.299.1578 <(302)%20299-1578>

131 Continental Dr |  Suite 409  |  Newark, DE 19713
<https://maps.google.com/?q=131+Continental+Dr+%7C+%C2%A0Suite+409+%C2%A0%7C+%C2%A0Newark,+DE+19713&entry=gmail&source=g>

charles.mckee at decisivedge.com  *|*  www.DecisivEdge.com
<http://www.decisivedge.com/>

-- 
This email and any files transmitted with it are considered privileged and 
confidential unless otherwise explicitly stated otherwise. If you are not 
the intended recipient you are notified that disclosing, copying, 
distributing or taking any action in reliance on the contents of this 
information is strictly prohibited. All email data and contents may be 
monitored to ensure that their use is authorized, for management of the 
system, to facilitate protection against unauthorized use, and to verify 
security procedures, survivability and operational security. Under no 
circumstance should the user of this email have an expectation of privacy 
for this correspondence.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/52f3696f/attachment.html 

From jsiwek at corelight.com  Thu Apr 19 08:00:43 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 19 Apr 2018 10:00:43 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
Message-ID: <39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>



On 4/18/18 6:57 PM, Carl Rotenan wrote:
> Hello.
> 
> I'm upgrading an install from 2.4 to the latest.
> 
> Did this ability go away in 2.5:
> 
>  ?write_file(fileh, fmt("filename: %s \r\n", c$http?$filename ? 
> c$http$filename : "uninitialized"));
> 
> Specifically the c$http?$filename.

Yes, c$http$filename went away (specifically the 'filename' field of the 
HTTP::Info record no longer exists).

Take a look at [1] for the fields that are currently available.  You 
might want to use some of these as replacement:

* c$http$current_entity$filename

* c$http$orig_filenames

* c$http$resp_filenames

> Is there a list I can reference of thing that may have been deprecated?

There's guidance at [2], which is generally derived from the contents of 
the NEWS file inside the Bro source tree.

- Jon

[1] 
https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info

[2] https://www.bro.org/sphinx/install/upgrade.html

From shirkdog.bsd at gmail.com  Thu Apr 19 08:01:54 2018
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Thu, 19 Apr 2018 11:01:54 -0400
Subject: [Bro] PCAP help
In-Reply-To: <cf005358c47ad1a2d09477b5381eca3f@mail.gmail.com>
References: <cf005358c47ad1a2d09477b5381eca3f@mail.gmail.com>
Message-ID: <CAL8PkUU+KjdM42Ne=ycJDB0G-zH2_ect-3ufsSm0C030kdaviw@mail.gmail.com>

So what interface is Bro monitoring? and have you configured your
networks.cfg? Need some more details on what traffic you are having
issues splitting out.

On Thu, Apr 19, 2018 at 10:18 AM, Charles Mckee
<charles.mckee at decisivedge.com> wrote:
> Hello Bro Team,
>
> I need some help with PCAP.
>
>
>
> We noticed when using Bro we see local host traffic.
>
>
>
> We want to segment Bro's traffic from the other traffic on a continual
> basis.
>
>
>
> We cannot find any information on the net how to do this, so now I  must
> reach out to you.
>
>
>
> All traffic inbound comes into Bro and at that point we need to all of its
> own traffic segmented away somewhere.
>
>
>
> Can you help me ?
>
>
>
> Can you please send explicit directions for this.
>
>
>
>
>
> Respectfully Yours
>
> Charles McKee
>
>
>
> DecisivEdge, LLC
>
> O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578
>
> 131 Continental Dr |  Suite 409  |  Newark, DE 19713
>
> charles.mckee at decisivedge.com  |  www.DecisivEdge.com
>
>
>
>
> ________________________________
>
> This email and any files transmitted with it are considered privileged and
> confidential unless otherwise explicitly stated otherwise. If you are not
> the intended recipient you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited. All email data and contents may be
> monitored to ensure that their use is authorized, for management of the
> system, to facilitate protection against unauthorized use, and to verify
> security procedures, survivability and operational security. Under no
> circumstance should the user of this email have an expectation of privacy
> for this correspondence.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

From jsiwek at corelight.com  Thu Apr 19 08:09:05 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 19 Apr 2018 10:09:05 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
Message-ID: <2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>



On 4/19/18 12:06 AM, Jim Mellander wrote:
> I ran across this issue just the other day.? Evidently, ?$ no longer 
> works in a ternary expression, which I presume is a bug, rather than a 
> feature.

This test case at least still works as expected in git/master:

```bro
type myrec: record { a: string &optional; };
local mr1 = myrec($a = "aaa");
local mr2 = myrec();
print mr1?$a ? "yes" : "no";
print mr2?$a ? "yes" : "no";
```

Can you give more details on exactly what you see or file a bug report 
if you've found a situation where the ?$ or ternary expressions aren't 
working?

- Jon

From patrick.kelley at criticalpathsecurity.com  Thu Apr 19 08:26:48 2018
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Thu, 19 Apr 2018 11:26:48 -0400
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
	<2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>
Message-ID: <CA+WAcdSvZ-O-gY5SmPA9KKPGRnC_k=56PvQPFyJ6t4G0SiQUrQ@mail.gmail.com>

Jon, for my own edification, what was the driving motivation for removing
the c$http$filename field?

On Thu, Apr 19, 2018 at 11:09 AM, Jon Siwek <jsiwek at corelight.com> wrote:

>
>
> On 4/19/18 12:06 AM, Jim Mellander wrote:
> > I ran across this issue just the other day.  Evidently, ?$ no longer
> > works in a ternary expression, which I presume is a bug, rather than a
> > feature.
>
> This test case at least still works as expected in git/master:
>
> ```bro
> type myrec: record { a: string &optional; };
> local mr1 = myrec($a = "aaa");
> local mr2 = myrec();
> print mr1?$a ? "yes" : "no";
> print mr2?$a ? "yes" : "no";
> ```
>
> Can you give more details on exactly what you see or file a bug report
> if you've found a situation where the ?$ or ternary expressions aren't
> working?
>
> - Jon
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/3e3392d5/attachment.html 

From fatema.bannatwala at gmail.com  Thu Apr 19 08:31:40 2018
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Thu, 19 Apr 2018 11:31:40 -0400
Subject: [Bro] PCAP help.
Message-ID: <CACX0rUTJMUv3WJ2PZnRxcw=pf3NorqETNx4L7POSV3xYWDbadA@mail.gmail.com>

Hi Charles,

Just out of curiosity, how are you getting traffic to your Bro sensors? N/w
tap, Port mirror?
Also, did you look at the networks.cfg config file to define your local
nets and private IP ranges?
Depending on how you are feeding traffic to bro, you could potentially
filter the traffic you don't want Bro sensors to process, by using CIDR
filters on port mirroring software or packet filters with BRO bpf on NICs.

It's little unclear (to me), what traffic Bro is seeing on your network and
what you want to do with it.

-Fatema.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/6792c476/attachment.html 

From dopheide at gmail.com  Thu Apr 19 08:35:09 2018
From: dopheide at gmail.com (Mike Dopheide)
Date: Thu, 19 Apr 2018 10:35:09 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CA+WAcdSvZ-O-gY5SmPA9KKPGRnC_k=56PvQPFyJ6t4G0SiQUrQ@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
	<2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>
	<CA+WAcdSvZ-O-gY5SmPA9KKPGRnC_k=56PvQPFyJ6t4G0SiQUrQ@mail.gmail.com>
Message-ID: <CAPy2kFaMO3ne_-TbzB+3_2=xxg+PbDdFagB17tyKyt71NMrrmg@mail.gmail.com>

I think it was just that you can have multiple files per connection so
'filename' became 'filenames'.

On Thu, Apr 19, 2018 at 10:26 AM, Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Jon, for my own edification, what was the driving motivation for removing
> the c$http$filename field?
>
> On Thu, Apr 19, 2018 at 11:09 AM, Jon Siwek <jsiwek at corelight.com> wrote:
>
>>
>>
>> On 4/19/18 12:06 AM, Jim Mellander wrote:
>> > I ran across this issue just the other day.  Evidently, ?$ no longer
>> > works in a ternary expression, which I presume is a bug, rather than a
>> > feature.
>>
>> This test case at least still works as expected in git/master:
>>
>> ```bro
>> type myrec: record { a: string &optional; };
>> local mr1 = myrec($a = "aaa");
>> local mr2 = myrec();
>> print mr1?$a ? "yes" : "no";
>> print mr2?$a ? "yes" : "no";
>> ```
>>
>> Can you give more details on exactly what you see or file a bug report
>> if you've found a situation where the ?$ or ternary expressions aren't
>> working?
>>
>> - Jon
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *CTO*
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/a886757c/attachment-0001.html 

From patrick.kelley at criticalpathsecurity.com  Thu Apr 19 08:37:43 2018
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Thu, 19 Apr 2018 11:37:43 -0400
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAPy2kFaMO3ne_-TbzB+3_2=xxg+PbDdFagB17tyKyt71NMrrmg@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
	<2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>
	<CA+WAcdSvZ-O-gY5SmPA9KKPGRnC_k=56PvQPFyJ6t4G0SiQUrQ@mail.gmail.com>
	<CAPy2kFaMO3ne_-TbzB+3_2=xxg+PbDdFagB17tyKyt71NMrrmg@mail.gmail.com>
Message-ID: <CA+WAcdRT4F_GBQ0G1CcWnpF0+jtoEEz6AhNVFDRqbBPHc_sQ9w@mail.gmail.com>

Copy that

On Thu, Apr 19, 2018 at 11:35 AM, Mike Dopheide <dopheide at gmail.com> wrote:

> I think it was just that you can have multiple files per connection so
> 'filename' became 'filenames'.
>
> On Thu, Apr 19, 2018 at 10:26 AM, Patrick Kelley <patrick.kelley@
> criticalpathsecurity.com> wrote:
>
>> Jon, for my own edification, what was the driving motivation for removing
>> the c$http$filename field?
>>
>> On Thu, Apr 19, 2018 at 11:09 AM, Jon Siwek <jsiwek at corelight.com> wrote:
>>
>>>
>>>
>>> On 4/19/18 12:06 AM, Jim Mellander wrote:
>>> > I ran across this issue just the other day.  Evidently, ?$ no longer
>>> > works in a ternary expression, which I presume is a bug, rather than a
>>> > feature.
>>>
>>> This test case at least still works as expected in git/master:
>>>
>>> ```bro
>>> type myrec: record { a: string &optional; };
>>> local mr1 = myrec($a = "aaa");
>>> local mr2 = myrec();
>>> print mr1?$a ? "yes" : "no";
>>> print mr2?$a ? "yes" : "no";
>>> ```
>>>
>>> Can you give more details on exactly what you see or file a bug report
>>> if you've found a situation where the ?$ or ternary expressions aren't
>>> working?
>>>
>>> - Jon
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>>
>> --
>>
>> *Patrick Kelley, CISSP, C|EH, ITIL*
>> *CTO*
>> patrick.kelley at criticalpathsecurity.com
>> (o) 770-224-6482
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>


-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/449b675a/attachment.html 

From jsiwek at corelight.com  Thu Apr 19 08:39:14 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 19 Apr 2018 10:39:14 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAPy2kFaMO3ne_-TbzB+3_2=xxg+PbDdFagB17tyKyt71NMrrmg@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<CADju=b7FjEseRqzdkfxOUUG8BiM82eXojAyFEBPBRGfDzAPhAw@mail.gmail.com>
	<2ec53b21-9f52-ec24-08e6-bfc7b0e1c08c@corelight.com>
	<CA+WAcdSvZ-O-gY5SmPA9KKPGRnC_k=56PvQPFyJ6t4G0SiQUrQ@mail.gmail.com>
	<CAPy2kFaMO3ne_-TbzB+3_2=xxg+PbDdFagB17tyKyt71NMrrmg@mail.gmail.com>
Message-ID: <6e44a6e0-f6be-aaa1-b429-a637948eae66@corelight.com>

Yes, the reasoning I imagine went something like that -- it was not 
exactly correct to have a singular 'filename' when actually there may be 
many.

- Jon

On 4/19/18 10:35 AM, Mike Dopheide wrote:
> I think it was just that you can have multiple files per connection so 
> 'filename' became 'filenames'.
> 
> On Thu, Apr 19, 2018 at 10:26 AM, Patrick Kelley 
> <patrick.kelley at criticalpathsecurity.com 
> <mailto:patrick.kelley at criticalpathsecurity.com>> wrote:
> 
>     Jon, for my own edification, what was the driving motivation for
>     removing the c$http$filename field?
> 
>     On Thu, Apr 19, 2018 at 11:09 AM, Jon Siwek <jsiwek at corelight.com
>     <mailto:jsiwek at corelight.com>> wrote:
> 
> 
> 
>         On 4/19/18 12:06 AM, Jim Mellander wrote:
>         > I ran across this issue just the other day.? Evidently, ?$ no longer 
>         > works in a ternary expression, which I presume is a bug, rather than a 
>         > feature.
> 
>         This test case at least still works as expected in git/master:
> 
>         ```bro
>         type myrec: record { a: string &optional; };
>         local mr1 = myrec($a = "aaa");
>         local mr2 = myrec();
>         print mr1?$a ? "yes" : "no";
>         print mr2?$a ? "yes" : "no";
>         ```
> 
>         Can you give more details on exactly what you see or file a bug
>         report
>         if you've found a situation where the ?$ or ternary expressions
>         aren't
>         working?
> 
>         - Jon
>         _______________________________________________
>         Bro mailing list
>         bro at bro-ids.org <mailto:bro at bro-ids.org>
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>         <http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro>
> 
> 
> 
> 
>     -- 
> 
>     *Patrick Kelley, CISSP, C|EH, ITIL*
>     /CTO/
>     patrick.kelley at criticalpathsecurity.com
>     <mailto:patrick.kelley at criticalpathsecurity.com>
>     (o) 770-224-6482
> 
> 
> 
>     _______________________________________________
>     Bro mailing list
>     bro at bro-ids.org <mailto:bro at bro-ids.org>
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>     <http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro>
> 
> 

From shirkdog.bsd at gmail.com  Thu Apr 19 08:57:01 2018
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Thu, 19 Apr 2018 11:57:01 -0400
Subject: [Bro] PCAP help
In-Reply-To: <3df7abe16971f77340e84c81d54aa177@mail.gmail.com>
References: <cf005358c47ad1a2d09477b5381eca3f@mail.gmail.com>
	<CAL8PkUU+KjdM42Ne=ycJDB0G-zH2_ect-3ufsSm0C030kdaviw@mail.gmail.com>
	<3df7abe16971f77340e84c81d54aa177@mail.gmail.com>
Message-ID: <CAL8PkUW6_W42TMsJh9LwY5ohJhwKA9e=K4oJ8T58x6By4GpWAw@mail.gmail.com>

It is advised to not monitor the same network you use to connect to
the Bro sensor, but you can ignore all of the traffic involving the
Bro sensor with bpf filter by adding the following to your local.bro:

redef cmd_line_bpf_filter = "not (host BROIPADDRESS)";



On Thu, Apr 19, 2018 at 11:07 AM, Charles Mckee
<charles.mckee at decisivedge.com> wrote:
> Hello
>
> At this time bro is monitoring all traffic, inbound and outbound. We want to
> filter all of it's own traffic, So if it is em0. We do not want to see any
> of bro own traffic.
>
> Are the present time it is just basically out the box at this point. I am
> trying to configure it do that we see no traffic from itself.
>
> Respectfully Yours
> Charles McKee
>
> DecisivEdge, LLC
> O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578
> 131 Continental Dr |  Suite 409  |  Newark, DE 19713
> charles.mckee at decisivedge.com  |  www.DecisivEdge.com
>
> -----Original Message-----
> From: Michael Shirk [mailto:shirkdog.bsd at gmail.com]
> Sent: Thursday, April 19, 2018 11:02 AM
> To: Charles Mckee <charles.mckee at decisivedge.com>
> Cc: bro <bro at bro.org>
> Subject: Re: [Bro] PCAP help
>
> So what interface is Bro monitoring? and have you configured your
> networks.cfg? Need some more details on what traffic you are having issues
> splitting out.
>
> On Thu, Apr 19, 2018 at 10:18 AM, Charles Mckee
> <charles.mckee at decisivedge.com> wrote:
>> Hello Bro Team,
>>
>> I need some help with PCAP.
>>
>>
>>
>> We noticed when using Bro we see local host traffic.
>>
>>
>>
>> We want to segment Bro's traffic from the other traffic on a continual
>> basis.
>>
>>
>>
>> We cannot find any information on the net how to do this, so now I
>> must reach out to you.
>>
>>
>>
>> All traffic inbound comes into Bro and at that point we need to all of
>> its own traffic segmented away somewhere.
>>
>>
>>
>> Can you help me ?
>>
>>
>>
>> Can you please send explicit directions for this.
>>
>>
>>
>>
>>
>> Respectfully Yours
>>
>> Charles McKee
>>
>>
>>
>> DecisivEdge, LLC
>>
>> O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578
>>
>> 131 Continental Dr |  Suite 409  |  Newark, DE 19713
>>
>> charles.mckee at decisivedge.com  |  www.DecisivEdge.com
>>
>>
>>
>>
>> ________________________________
>>
>> This email and any files transmitted with it are considered privileged
>> and confidential unless otherwise explicitly stated otherwise. If you
>> are not the intended recipient you are notified that disclosing,
>> copying, distributing or taking any action in reliance on the contents
>> of this information is strictly prohibited. All email data and
>> contents may be monitored to ensure that their use is authorized, for
>> management of the system, to facilitate protection against
>> unauthorized use, and to verify security procedures, survivability and
>> operational security. Under no circumstance should the user of this
>> email have an expectation of privacy for this correspondence.
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
> --
> This email and any files transmitted with it are considered privileged and
> confidential unless otherwise explicitly stated otherwise. If you are not
> the intended recipient you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited. All email data and contents may be
> monitored to ensure that their use is authorized, for management of the
> system, to facilitate protection against unauthorized use, and to verify
> security procedures, survivability and operational security. Under no
> circumstance should the user of this email have an expectation of privacy
> for this correspondence.



-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

From dwdixon at umich.edu  Thu Apr 19 12:07:34 2018
From: dwdixon at umich.edu (Drew Dixon)
Date: Thu, 19 Apr 2018 15:07:34 -0400
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
	<CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
	<6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>
Message-ID: <CA+pNqTM8C3sxVGDJ9+fLNsaCEUZRe_iY+GBP_ejNgHqwt1D6Ug@mail.gmail.com>

Looks like this is probably just QUIC
<https://en.wikipedia.org/wiki/QUIC> (more
here
<https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
traffic which is likely tightly intermixed with various Youtube
(streaming,uploading,posting, etc.) application traffic via tcp/443 from
the same IP.

-Drew

On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org> wrote:

> Oh - interesting, these are udp.
>
> In that case I instantly feel much less bad about this. It is probably
> google experimenting with something. Let me still check if I see that
> too :)
>
> Johanna
>
> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>
> > Hi Johanna,
> >
> > Thanks for the response.
> > I was analyzing these more, and looked in the connection logs to see
> > which
> > these corresponds to.
> > And seeing UDP connections on 443 which are pretty long, and majority
> > of
> > dest IPs are Google Inc. owned with some king of video streaming
> > service, I
> > think YOUTUBE,
> > hence was thinking if these weird notices are corresponding to any
> > DTLS
> > traffic to those video streaming services provided by Google.
> > Also, to my notice, no SSL records got logged as well for these, which
> > I
> > assumed should have processed by SSL Analyzer. Hmm.
> >
> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
> >  64.15.123.22    *443     udp*     -       983.275963      2555936
> > 162005599       SF    417     165405275       (empty) worker-3-12
> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
> >  64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec:
> > 58376 > 1350
> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
> >  64.15.123.22    443     binpac exception: out_of_bound:
> > SSLRecord:rec:
> > 11466 > 1350
> >
> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
> > onomous_System-YOUTUBE
> >
> > Thanks,
> > Fatema.
> >
> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
> > wrote:
> >
> >> Hi Fatema,
> >>
> >> the answer is that you should not see this happen very often. Let me
> >> check
> >> if that is something that I can also observe in our local cluster -
> >> the
> >> last time I checked things looked more or less normal.
> >>
> >> Johanna
> >>
> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
> >>> Hi Everyone,
> >>>
> >>> Looking at weird.log file recently showed a lot of weird notices
> >>> logged
> >> for
> >>> the bicpac exception: out_of_bound, specifically for SSLRecord.
> >>> Hence wanted to ask if these can be safely ignored, or if anything
> >>> is
> >>> broken and there are some serious issues with the traffic Bro is
> >>> seeing.
> >> :)
> >>>
> >>> Here are some of the notices from weird.log:
> >>>
> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
> >>> 128.175.252.224
> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
> >>> 128.175.252.224
> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
> >>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
> >>>
> >>> Appreciate any insights. :)
> >>>
> >>> Thanks!
> >>> Fatema.
> >>
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/9bc7b605/attachment.html 

From fatema.bannatwala at gmail.com  Thu Apr 19 12:50:36 2018
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Thu, 19 Apr 2018 15:50:36 -0400
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <CA+pNqTM8C3sxVGDJ9+fLNsaCEUZRe_iY+GBP_ejNgHqwt1D6Ug@mail.gmail.com>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
	<CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
	<6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>
	<CA+pNqTM8C3sxVGDJ9+fLNsaCEUZRe_iY+GBP_ejNgHqwt1D6Ug@mail.gmail.com>
Message-ID: <CACX0rUTL2fg2EK9U48aztSd25KvKauMC907YXxvQLsN2kKFzSg@mail.gmail.com>

Cool. Thanks Drew.
Yeah, Johanna felt the same, and provided information on what it might be
and could be ignored.

Fatema.

On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:

> Looks like this is probably just QUIC <https://en.wikipedia.org/wiki/QUIC>
> (more here
> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
> traffic which is likely tightly intermixed with various Youtube
> (streaming,uploading,posting, etc.) application traffic via tcp/443 from
> the same IP.
>
> -Drew
>
> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org> wrote:
>
>> Oh - interesting, these are udp.
>>
>> In that case I instantly feel much less bad about this. It is probably
>> google experimenting with something. Let me still check if I see that
>> too :)
>>
>> Johanna
>>
>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>
>> > Hi Johanna,
>> >
>> > Thanks for the response.
>> > I was analyzing these more, and looked in the connection logs to see
>> > which
>> > these corresponds to.
>> > And seeing UDP connections on 443 which are pretty long, and majority
>> > of
>> > dest IPs are Google Inc. owned with some king of video streaming
>> > service, I
>> > think YOUTUBE,
>> > hence was thinking if these weird notices are corresponding to any
>> > DTLS
>> > traffic to those video streaming services provided by Google.
>> > Also, to my notice, no SSL records got logged as well for these, which
>> > I
>> > assumed should have processed by SSL Analyzer. Hmm.
>> >
>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>> >  64.15.123.22    *443     udp*     -       983.275963      2555936
>> > 162005599       SF    417     165405275       (empty) worker-3-12
>> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>> >  64.15.123.22    443     binpac exception: out_of_bound:
>> > SSLRecord:rec:
>> > 58376 > 1350
>> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>> >  64.15.123.22    443     binpac exception: out_of_bound:
>> > SSLRecord:rec:
>> > 11466 > 1350
>> >
>> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
>> > onomous_System-YOUTUBE
>> >
>> > Thanks,
>> > Fatema.
>> >
>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
>> > wrote:
>> >
>> >> Hi Fatema,
>> >>
>> >> the answer is that you should not see this happen very often. Let me
>> >> check
>> >> if that is something that I can also observe in our local cluster -
>> >> the
>> >> last time I checked things looked more or less normal.
>> >>
>> >> Johanna
>> >>
>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>> >>> Hi Everyone,
>> >>>
>> >>> Looking at weird.log file recently showed a lot of weird notices
>> >>> logged
>> >> for
>> >>> the bicpac exception: out_of_bound, specifically for SSLRecord.
>> >>> Hence wanted to ask if these can be safely ignored, or if anything
>> >>> is
>> >>> broken and there are some serious issues with the traffic Bro is
>> >>> seeing.
>> >> :)
>> >>>
>> >>> Here are some of the notices from weird.log:
>> >>>
>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>> >>> 128.175.252.224
>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>> >>> 128.175.252.224
>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>> >>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>> >>>
>> >>> Appreciate any insights. :)
>> >>>
>> >>> Thanks!
>> >>> Fatema.
>> >>
>> >>> _______________________________________________
>> >>> Bro mailing list
>> >>> bro at bro-ids.org
>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >>
>> >>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/1a946542/attachment-0001.html 

From dopheide at gmail.com  Thu Apr 19 13:07:21 2018
From: dopheide at gmail.com (Mike Dopheide)
Date: Thu, 19 Apr 2018 15:07:21 -0500
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <CACX0rUTL2fg2EK9U48aztSd25KvKauMC907YXxvQLsN2kKFzSg@mail.gmail.com>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
	<CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
	<6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>
	<CA+pNqTM8C3sxVGDJ9+fLNsaCEUZRe_iY+GBP_ejNgHqwt1D6Ug@mail.gmail.com>
	<CACX0rUTL2fg2EK9U48aztSd25KvKauMC907YXxvQLsN2kKFzSg@mail.gmail.com>
Message-ID: <CAPy2kFYLj-jkbpQpy8RCu5fkw++29PLcyApVBb03n1eW4oMvWw@mail.gmail.com>

If you have a pcap and you bro-pkg you can install the basic QUIC analyzer
and verify.  (Or I can if you are comfortable sending a small sample).

-Dop

On Thu, Apr 19, 2018 at 2:50 PM, fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> Cool. Thanks Drew.
> Yeah, Johanna felt the same, and provided information on what it might be
> and could be ignored.
>
> Fatema.
>
> On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:
>
>> Looks like this is probably just QUIC
>> <https://en.wikipedia.org/wiki/QUIC> (more here
>> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
>> traffic which is likely tightly intermixed with various Youtube
>> (streaming,uploading,posting, etc.) application traffic via tcp/443 from
>> the same IP.
>>
>> -Drew
>>
>> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org> wrote:
>>
>>> Oh - interesting, these are udp.
>>>
>>> In that case I instantly feel much less bad about this. It is probably
>>> google experimenting with something. Let me still check if I see that
>>> too :)
>>>
>>> Johanna
>>>
>>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>>
>>> > Hi Johanna,
>>> >
>>> > Thanks for the response.
>>> > I was analyzing these more, and looked in the connection logs to see
>>> > which
>>> > these corresponds to.
>>> > And seeing UDP connections on 443 which are pretty long, and majority
>>> > of
>>> > dest IPs are Google Inc. owned with some king of video streaming
>>> > service, I
>>> > think YOUTUBE,
>>> > hence was thinking if these weird notices are corresponding to any
>>> > DTLS
>>> > traffic to those video streaming services provided by Google.
>>> > Also, to my notice, no SSL records got logged as well for these, which
>>> > I
>>> > assumed should have processed by SSL Analyzer. Hmm.
>>> >
>>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>>> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>> >  64.15.123.22    *443     udp*     -       983.275963      2555936
>>> > 162005599       SF    417     165405275       (empty) worker-3-12
>>> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>> >  64.15.123.22    443     binpac exception: out_of_bound:
>>> > SSLRecord:rec:
>>> > 58376 > 1350
>>> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>> >  64.15.123.22    443     binpac exception: out_of_bound:
>>> > SSLRecord:rec:
>>> > 11466 > 1350
>>> >
>>> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
>>> > onomous_System-YOUTUBE
>>> >
>>> > Thanks,
>>> > Fatema.
>>> >
>>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
>>> > wrote:
>>> >
>>> >> Hi Fatema,
>>> >>
>>> >> the answer is that you should not see this happen very often. Let me
>>> >> check
>>> >> if that is something that I can also observe in our local cluster -
>>> >> the
>>> >> last time I checked things looked more or less normal.
>>> >>
>>> >> Johanna
>>> >>
>>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>> >>> Hi Everyone,
>>> >>>
>>> >>> Looking at weird.log file recently showed a lot of weird notices
>>> >>> logged
>>> >> for
>>> >>> the bicpac exception: out_of_bound, specifically for SSLRecord.
>>> >>> Hence wanted to ask if these can be safely ignored, or if anything
>>> >>> is
>>> >>> broken and there are some serious issues with the traffic Bro is
>>> >>> seeing.
>>> >> :)
>>> >>>
>>> >>> Here are some of the notices from weird.log:
>>> >>>
>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>>> >>> 128.175.252.224
>>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>>> >>> 128.175.252.224
>>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> >>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>>> >>>
>>> >>> Appreciate any insights. :)
>>> >>>
>>> >>> Thanks!
>>> >>> Fatema.
>>> >>
>>> >>> _______________________________________________
>>> >>> Bro mailing list
>>> >>> bro at bro-ids.org
>>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> >>
>>> >>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/e2897262/attachment.html 

From carlrotenan at gmail.com  Thu Apr 19 13:52:43 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Thu, 19 Apr 2018 16:52:43 -0400
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>
Message-ID: <CAN-RTm6fZYtXQNeo7MFrmBTGqMQj8F_efw8RX1nk-+1fjai67A@mail.gmail.com>

Thanks Jon, and everyone else that responded.

Can you offer suggestions on a fix for:

local ftp = FTP::get_ftp_info(c);



I looked in the release notes / doc and didn't find any mention of it going
away.

Thanks again.

On Thu, Apr 19, 2018 at 11:00 AM, Jon Siwek <jsiwek at corelight.com> wrote:

>
>
> On 4/18/18 6:57 PM, Carl Rotenan wrote:
>
>> Hello.
>>
>> I'm upgrading an install from 2.4 to the latest.
>>
>> Did this ability go away in 2.5:
>>
>>   write_file(fileh, fmt("filename: %s \r\n", c$http?$filename ?
>> c$http$filename : "uninitialized"));
>>
>> Specifically the c$http?$filename.
>>
>
> Yes, c$http$filename went away (specifically the 'filename' field of the
> HTTP::Info record no longer exists).
>
> Take a look at [1] for the fields that are currently available.  You might
> want to use some of these as replacement:
>
> * c$http$current_entity$filename
>
> * c$http$orig_filenames
>
> * c$http$resp_filenames
>
> Is there a list I can reference of thing that may have been deprecated?
>>
>
> There's guidance at [2], which is generally derived from the contents of
> the NEWS file inside the Bro source tree.
>
> - Jon
>
> [1] https://www.bro.org/sphinx/scripts/base/protocols/http/main.
> bro.html#type-HTTP::Info
>
> [2] https://www.bro.org/sphinx/install/upgrade.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/2dc95025/attachment.html 

From jsiwek at corelight.com  Thu Apr 19 14:12:55 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 19 Apr 2018 16:12:55 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAN-RTm6fZYtXQNeo7MFrmBTGqMQj8F_efw8RX1nk-+1fjai67A@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>
	<CAN-RTm6fZYtXQNeo7MFrmBTGqMQj8F_efw8RX1nk-+1fjai67A@mail.gmail.com>
Message-ID: <2cb8c3a0-1276-6fe2-a6ca-18d7f4e3a0dd@corelight.com>



On 4/19/18 3:52 PM, Carl Rotenan wrote:

> Can you offer suggestions on a fix for:
> 
> local ftp = FTP::get_ftp_info(c);

I'm not too sure what that is either, I don't see it in the source code 
for 2.4.  Maybe c$ftp has what you need (the FTP::Info record type) ?

- Jon

From dopheide at gmail.com  Thu Apr 19 14:22:33 2018
From: dopheide at gmail.com (Mike Dopheide)
Date: Thu, 19 Apr 2018 16:22:33 -0500
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <2cb8c3a0-1276-6fe2-a6ca-18d7f4e3a0dd@corelight.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>
	<CAN-RTm6fZYtXQNeo7MFrmBTGqMQj8F_efw8RX1nk-+1fjai67A@mail.gmail.com>
	<2cb8c3a0-1276-6fe2-a6ca-18d7f4e3a0dd@corelight.com>
Message-ID: <CAPy2kFZsPAk8xdCKO_2SntbKUUcPKe6aq+8gYAhu7S-b8b8fFw@mail.gmail.com>

I'll just tag team with Jon today.  :)

I didn't see a get_ftp_info function as far back as v1.5, so I suspect this
is from a custom policy.  I've got some time tonight to look at it if you
can send me the policy and hopefully whatever you find nearby that declares
that function.

-Dop

On Thu, Apr 19, 2018 at 4:12 PM, Jon Siwek <jsiwek at corelight.com> wrote:

>
>
> On 4/19/18 3:52 PM, Carl Rotenan wrote:
>
> > Can you offer suggestions on a fix for:
> >
> > local ftp = FTP::get_ftp_info(c);
>
> I'm not too sure what that is either, I don't see it in the source code
> for 2.4.  Maybe c$ftp has what you need (the FTP::Info record type) ?
>
> - Jon
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/48b5bb3a/attachment.html 

From fatema.bannatwala at gmail.com  Thu Apr 19 14:50:18 2018
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Thu, 19 Apr 2018 17:50:18 -0400
Subject: [Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 >
	1350
In-Reply-To: <CAPy2kFYLj-jkbpQpy8RCu5fkw++29PLcyApVBb03n1eW4oMvWw@mail.gmail.com>
References: <CACX0rUS_QVPFZCBf9s2qcoyYvjE77cCbXaVuxHwphrizByTL3Q@mail.gmail.com>
	<20180417162011.pxekt7pnl6u6okyi@user158.sys.ICSI.Berkeley.EDU>
	<CACX0rUSnTZ8JSmZdq2CrZodrdmQVsNqrpBXFEw1wmDiShjvwew@mail.gmail.com>
	<6BE18632-DF8A-46B6-8EEA-A675F9001448@icir.org>
	<CA+pNqTM8C3sxVGDJ9+fLNsaCEUZRe_iY+GBP_ejNgHqwt1D6Ug@mail.gmail.com>
	<CACX0rUTL2fg2EK9U48aztSd25KvKauMC907YXxvQLsN2kKFzSg@mail.gmail.com>
	<CAPy2kFYLj-jkbpQpy8RCu5fkw++29PLcyApVBb03n1eW4oMvWw@mail.gmail.com>
Message-ID: <CACX0rUSkO09=8EEXMmy8-urpX_Td6dm2S1kNYZHQLga3gRFbig@mail.gmail.com>

Thanks Mike. I captured a small pcap from the sensor, and analysed it with
wireshark, which classified the traffic
as encrypted QUIC payload.
Unfortunately when ran with the Bro 2.5.1 install on the system in offline
mode,
it didn't generate those weird alerts, maybe because the traffic captured
was for just couple of minutes.
Hence, Johanna and I concluded that Google might be experimenting with the
UDP port 443 and it's the cause of those alerts. :)

I haven't tried the QUIC analyzer though, will try that next!

Thanks,
Fatema.


On Thu, Apr 19, 2018 at 4:07 PM, Mike Dopheide <dopheide at gmail.com> wrote:

> If you have a pcap and you bro-pkg you can install the basic QUIC analyzer
> and verify.  (Or I can if you are comfortable sending a small sample).
>
> -Dop
>
> On Thu, Apr 19, 2018 at 2:50 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> Cool. Thanks Drew.
>> Yeah, Johanna felt the same, and provided information on what it might be
>> and could be ignored.
>>
>> Fatema.
>>
>> On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:
>>
>>> Looks like this is probably just QUIC
>>> <https://en.wikipedia.org/wiki/QUIC> (more here
>>> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
>>> traffic which is likely tightly intermixed with various Youtube
>>> (streaming,uploading,posting, etc.) application traffic via tcp/443 from
>>> the same IP.
>>>
>>> -Drew
>>>
>>> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org>
>>> wrote:
>>>
>>>> Oh - interesting, these are udp.
>>>>
>>>> In that case I instantly feel much less bad about this. It is probably
>>>> google experimenting with something. Let me still check if I see that
>>>> too :)
>>>>
>>>> Johanna
>>>>
>>>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>>>
>>>> > Hi Johanna,
>>>> >
>>>> > Thanks for the response.
>>>> > I was analyzing these more, and looked in the connection logs to see
>>>> > which
>>>> > these corresponds to.
>>>> > And seeing UDP connections on 443 which are pretty long, and majority
>>>> > of
>>>> > dest IPs are Google Inc. owned with some king of video streaming
>>>> > service, I
>>>> > think YOUTUBE,
>>>> > hence was thinking if these weird notices are corresponding to any
>>>> > DTLS
>>>> > traffic to those video streaming services provided by Google.
>>>> > Also, to my notice, no SSL records got logged as well for these,
>>>> which
>>>> > I
>>>> > assumed should have processed by SSL Analyzer. Hmm.
>>>> >
>>>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>>>> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>>> >  64.15.123.22    *443     udp*     -       983.275963      2555936
>>>> > 162005599       SF    417     165405275       (empty) worker-3-12
>>>> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>>> >  64.15.123.22    443     binpac exception: out_of_bound:
>>>> > SSLRecord:rec:
>>>> > 58376 > 1350
>>>> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>>>> >  64.15.123.22    443     binpac exception: out_of_bound:
>>>> > SSLRecord:rec:
>>>> > 11466 > 1350
>>>> >
>>>> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
>>>> > onomous_System-YOUTUBE
>>>> >
>>>> > Thanks,
>>>> > Fatema.
>>>> >
>>>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
>>>> > wrote:
>>>> >
>>>> >> Hi Fatema,
>>>> >>
>>>> >> the answer is that you should not see this happen very often. Let me
>>>> >> check
>>>> >> if that is something that I can also observe in our local cluster -
>>>> >> the
>>>> >> last time I checked things looked more or less normal.
>>>> >>
>>>> >> Johanna
>>>> >>
>>>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>>> >>> Hi Everyone,
>>>> >>>
>>>> >>> Looking at weird.log file recently showed a lot of weird notices
>>>> >>> logged
>>>> >> for
>>>> >>> the bicpac exception: out_of_bound, specifically for SSLRecord.
>>>> >>> Hence wanted to ask if these can be safely ignored, or if anything
>>>> >>> is
>>>> >>> broken and there are some serious issues with the traffic Bro is
>>>> >>> seeing.
>>>> >> :)
>>>> >>>
>>>> >>> Here are some of the notices from weird.log:
>>>> >>>
>>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>>> >>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>>>> >>> 128.175.252.224
>>>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l
>>>> >>> 128.175.252.224
>>>> >>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>>> >>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>> >>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>>> >>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>>>> >>>
>>>> >>> Appreciate any insights. :)
>>>> >>>
>>>> >>> Thanks!
>>>> >>> Fatema.
>>>> >>
>>>> >>> _______________________________________________
>>>> >>> Bro mailing list
>>>> >>> bro at bro-ids.org
>>>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>> >>
>>>> >>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/45dc4d5d/attachment-0001.html 

From carlrotenan at gmail.com  Thu Apr 19 15:03:59 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Thu, 19 Apr 2018 18:03:59 -0400
Subject: [Bro] Upgrade from 2.4 to 2.5
In-Reply-To: <CAPy2kFZsPAk8xdCKO_2SntbKUUcPKe6aq+8gYAhu7S-b8b8fFw@mail.gmail.com>
References: <CAN-RTm60X_DnPGd7Z12sTQNKeu+y5EqRUA2LeyPcMJhtSxBK7g@mail.gmail.com>
	<39c4a34d-85bd-f34a-bcd1-6dd678b22c0f@corelight.com>
	<CAN-RTm6fZYtXQNeo7MFrmBTGqMQj8F_efw8RX1nk-+1fjai67A@mail.gmail.com>
	<2cb8c3a0-1276-6fe2-a6ca-18d7f4e3a0dd@corelight.com>
	<CAPy2kFZsPAk8xdCKO_2SntbKUUcPKe6aq+8gYAhu7S-b8b8fFw@mail.gmail.com>
Message-ID: <CAN-RTm7tT7FF=j9En3eAgC4tp5dnYXKgTdHzgccn1dZ=s_durA@mail.gmail.com>

I did a 'grep -Hnr * get_ftp_info' and only found the one reference. I will
keep poking around and hopefully find some more info on it. Thanks for
looking.

On Thu, Apr 19, 2018 at 5:22 PM, Mike Dopheide <dopheide at gmail.com> wrote:

> I'll just tag team with Jon today.  :)
>
> I didn't see a get_ftp_info function as far back as v1.5, so I suspect
> this is from a custom policy.  I've got some time tonight to look at it if
> you can send me the policy and hopefully whatever you find nearby that
> declares that function.
>
> -Dop
>
> On Thu, Apr 19, 2018 at 4:12 PM, Jon Siwek <jsiwek at corelight.com> wrote:
>
>>
>>
>> On 4/19/18 3:52 PM, Carl Rotenan wrote:
>>
>> > Can you offer suggestions on a fix for:
>> >
>> > local ftp = FTP::get_ftp_info(c);
>>
>> I'm not too sure what that is either, I don't see it in the source code
>> for 2.4.  Maybe c$ftp has what you need (the FTP::Info record type) ?
>>
>> - Jon
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180419/78b29577/attachment.html 

From 2015223040113 at stu.scu.edu.cn  Fri Apr 20 01:54:27 2018
From: 2015223040113 at stu.scu.edu.cn (=?GBK?B?wO7RqcDy?=)
Date: Fri, 20 Apr 2018 16:54:27 +0800
Subject: [Bro] BRO: the log files aren't the same every time
Message-ID: <180420165427a4c407c4040f3ca027c2043b89274742@stu.scu.edu.cn>

Hi, everyone,
I've been using BRO for a while, and there is a problem that is when i run BRO , the log files are not the same even if i do the same operation. Specifically, I run BRO at first time, I do some operation, and there is a log file let's say 1.log (because i do the operation, it's definitely generate this file), but when  I then run BRO next time, and also do the same operation, there is no 1.log file. but after a few minutes, when I run it again, the 1.log file comes out! I just don't understand why, this really confuses me, and I think if there is a cache or something.
Can anybody help me? 

Best Regards
Sherry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180420/397f5517/attachment.html 

From klehigh at iu.edu  Fri Apr 20 07:01:43 2018
From: klehigh at iu.edu (Keith Lehigh)
Date: Fri, 20 Apr 2018 10:01:43 -0400
Subject: [Bro] disabling PE analyzer
In-Reply-To: <7046B0C4-FF8B-4416-AC9E-46DF98CD15F2@corelight.com>
References: <0D24C51E-F007-4C71-9E20-0A6645D9B678@iu.edu>
	<1A4466F9-B339-48CA-ACC2-13AA0C51A8EB@illinois.edu>
	<7046B0C4-FF8B-4416-AC9E-46DF98CD15F2@corelight.com>
Message-ID: <C795F446-31AD-45D9-BD83-52C1CEDD0837@iu.edu>

Your approach doesn?t appear to disable the PE analyzer, regardless of whether I use T or F.  I still see logs written when I use the pe.trace file for testing.  Justin?s approach works fine.  I just change it to ?x-fake? mimetype and I see no pe.log.  Thanks!

- Keith

On 13 Apr 2018, at 12:31, Seth Hall wrote:

> On 13 Apr 2018, at 11:57, Azoff, Justin S wrote:
>
>> so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.
>
> The Files api does have a table to disable file analyzers too.
>
> ```bro
> redef Files::disable += { [Files::ANALYZER_PE] = T };
> ```
>
> I'm actually not totally sure if that should be "T" or "F" though without some more checking.  I suspect that it's "T" though.
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180420/f0253ed4/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3740 bytes
Desc: S/MIME digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180420/f0253ed4/attachment.bin 

From jsiwek at corelight.com  Mon Apr 23 08:56:18 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 23 Apr 2018 10:56:18 -0500
Subject: [Bro] BRO: the log files aren't the same every time
In-Reply-To: <180420165427a4c407c4040f3ca027c2043b89274742@stu.scu.edu.cn>
References: <180420165427a4c407c4040f3ca027c2043b89274742@stu.scu.edu.cn>
Message-ID: <4f3f3c58-8b1f-d150-ade7-05911136a765@corelight.com>



On 4/20/18 3:54 AM, ??? wrote:
> Hi, everyone,
> I've been using BRO for a while, and there is a problem that is when i 
> run BRO , the log files are not the same even if i do the same 
> operation.

It's generally hard to say what could be causing such a problem, are you 
able to give more details on what you're trying to do?  Are you using 
any custom script that you can share?  Or have an associated pcap file? 
Which Bro version and how are you running it?

- Jon

From seth at corelight.com  Mon Apr 23 11:13:03 2018
From: seth at corelight.com (Seth Hall)
Date: Mon, 23 Apr 2018 14:13:03 -0400
Subject: [Bro] New bro types when writing a plugin
In-Reply-To: <45c7e8a7-b363-87e7-a6af-0cae70691005@googlemail.com>
References: <56872b17-aed5-5d69-20c6-fcc6edbdaedc@googlemail.com>
	<CAH+_UjV9WVgQVCF7jg-7xGprdVcxErurux7Sz+QWmZEiJKU1fA@mail.gmail.com>
	<45c7e8a7-b363-87e7-a6af-0cae70691005@googlemail.com>
Message-ID: <863ACE22-E2BB-4930-8E5D-066E6F1A4118@corelight.com>

Make sure you include the generated header file in your .cc file like 
this...

#include "types.bif.h"

   .Seth

On 28 Mar 2018, at 4:41, DW wrote:

> Hey
>
> thanks for the hint. I declared my types in types.bif and defined them 
> in types.bro now, but now I can't acces them anymore in my Source.cc 
> file. I get following error:
>
> error: 'BifType::Record::My_Type' has not been declared
>
> My .cc line: rl = new RecordVal(BifType::Record::My_Type);
>
> How can I access the types now?
>
> P.S. Yeah, I think the other mailing list is besser for this purpose, 
> but I don't want to start a new question now. :-)
>
> Am 28.03.2018 um 09:32 schrieb Vitaly Repin:
>> Hello,
>>
>>
>> Take a? look into this example: 
>> https://github.com/vitalyrepin/uap-bro I have defined three record 
>> types in that plugin: DeviceRec, UserAgentRec and AgentRec.
>>
>> P.S. I think bro-dev is a better mailing list to discuss bro dev. 
>> issues: http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>>
>> 2018-03-27 19:31 GMT+03:00 D.W. <brot212 at googlemail.com 
>> <mailto:brot212 at googlemail.com>>:
>>
>>     Hey there,
>>
>>     I'm writing an analyzer as a plugin and I would like to create
>>     some new
>>     bro data type (record type to be exact) to hand over some 
>> protocol
>>     data
>>     in a compact form as parameters to the event functions.
>>
>>     For now I have declared the new types in types.bif and defined 
>> them in
>>     init-bare.bro, but I don't think that this is the right way, 
>> because I
>>     have to manually modify the bro source files.
>>
>>     Is there a way to declare and define the new type inside the 
>> plugin
>>     source files, so that the types will be featured in bro after the
>>     plugin
>>     was installed?
>>
>>     Greetings,
>>
>>     Dane
>>
>>     _______________________________________________
>>     Bro mailing list
>>     bro at bro-ids.org <mailto:bro at bro-ids.org>
>>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>     <http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro>
>>
>>
>>
>>
>> -- 
>> WBR & WBW, Vitaly


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180423/2062d97e/attachment.html 

From carlrotenan at gmail.com  Mon Apr 23 12:38:22 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Mon, 23 Apr 2018 15:38:22 -0400
Subject: [Bro] Signatures on upgrade from 2.4 to 2.5
Message-ID: <CAN-RTm4GCdU3itZ_uGjkSV+gsbfUC3E9E8azBF3SydcjVuFpjA@mail.gmail.com>

Hello,

I'm upgrading a system from from 2.4 to 2.5 and have a question about
signatures. I'm getting an error under 2.5 when I try implementing my 2.4
signatures:

error: Error in signature (/opt/bro/share/bro/foo/./signatures.sig:654):
rule defined twice

Any thoughts?

Thanks as always,

Carl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180423/1a845b1b/attachment.html 

From jsiwek at corelight.com  Mon Apr 23 13:16:25 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 23 Apr 2018 15:16:25 -0500
Subject: [Bro] Signatures on upgrade from 2.4 to 2.5
In-Reply-To: <CAN-RTm4GCdU3itZ_uGjkSV+gsbfUC3E9E8azBF3SydcjVuFpjA@mail.gmail.com>
References: <CAN-RTm4GCdU3itZ_uGjkSV+gsbfUC3E9E8azBF3SydcjVuFpjA@mail.gmail.com>
Message-ID: <32d8d26f-2a6e-db1c-1227-44f2e116f75e@corelight.com>



On 4/23/18 2:38 PM, Carl Rotenan wrote:

> I'm upgrading a system from from 2.4 to 2.5 and have a question about 
> signatures. I'm getting an error under 2.5 when I try implementing my 
> 2.4 signatures:
> 
> error: Error in signature (/opt/bro/share/bro/foo/./signatures.sig:654): 
> rule defined twice

Have you checked if the name of the rule on line 654 of that file 
conflicts with the name of a rule provided in one of Bro's *.sig files ?

If it does, then renaming it should be straightforward (if the signature 
generates an event whose name also now conflicts with an event in Bro, 
you may need to change that also).

- Jon

From carlrotenan at gmail.com  Mon Apr 23 13:43:24 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Mon, 23 Apr 2018 16:43:24 -0400
Subject: [Bro] Signatures on upgrade from 2.4 to 2.5
In-Reply-To: <32d8d26f-2a6e-db1c-1227-44f2e116f75e@corelight.com>
References: <CAN-RTm4GCdU3itZ_uGjkSV+gsbfUC3E9E8azBF3SydcjVuFpjA@mail.gmail.com>
	<32d8d26f-2a6e-db1c-1227-44f2e116f75e@corelight.com>
Message-ID: <CAN-RTm57b7b7XvriWZNMZG2xyXyQaysuBUOtsdRjOH08BA2KtA@mail.gmail.com>

If this a new behavior, I'm fairly sure under 2.4 this is working.

On Mon, Apr 23, 2018 at 4:16 PM, Jon Siwek <jsiwek at corelight.com> wrote:

>
>
> On 4/23/18 2:38 PM, Carl Rotenan wrote:
>
> I'm upgrading a system from from 2.4 to 2.5 and have a question about
>> signatures. I'm getting an error under 2.5 when I try implementing my 2.4
>> signatures:
>>
>> error: Error in signature (/opt/bro/share/bro/foo/./signatures.sig:654):
>> rule defined twice
>>
>
> Have you checked if the name of the rule on line 654 of that file
> conflicts with the name of a rule provided in one of Bro's *.sig files ?
>
> If it does, then renaming it should be straightforward (if the signature
> generates an event whose name also now conflicts with an event in Bro, you
> may need to change that also).
>
> - Jon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180423/7b1a4baa/attachment.html 

From jsiwek at corelight.com  Mon Apr 23 13:57:02 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 23 Apr 2018 15:57:02 -0500
Subject: [Bro] Signatures on upgrade from 2.4 to 2.5
In-Reply-To: <CAN-RTm57b7b7XvriWZNMZG2xyXyQaysuBUOtsdRjOH08BA2KtA@mail.gmail.com>
References: <CAN-RTm4GCdU3itZ_uGjkSV+gsbfUC3E9E8azBF3SydcjVuFpjA@mail.gmail.com>
	<32d8d26f-2a6e-db1c-1227-44f2e116f75e@corelight.com>
	<CAN-RTm57b7b7XvriWZNMZG2xyXyQaysuBUOtsdRjOH08BA2KtA@mail.gmail.com>
Message-ID: <76338b49-fb8a-4ef0-53f4-038f044cf3d4@corelight.com>

The custom signature could have worked under 2.4 while in 2.5 we may 
have introduced a signature in Bro itself whose name conflicts with your 
custom one.  That's why I suggest comparing the signature that's the 
source of that error message with the signatures in all the *.sig files 
that ship w/ Bro 2.5's code and then changing the name of the custom 
rule to avoid conflicts.

- Jon

On 4/23/18 3:43 PM, Carl Rotenan wrote:
> If this a new behavior, I'm fairly sure under 2.4 this is working.
> 
> On Mon, Apr 23, 2018 at 4:16 PM, Jon Siwek <jsiwek at corelight.com 
> <mailto:jsiwek at corelight.com>> wrote:
> 
> 
> 
>     On 4/23/18 2:38 PM, Carl Rotenan wrote:
> 
>         I'm upgrading a system from from 2.4 to 2.5 and have a question
>         about signatures. I'm getting an error under 2.5 when I try
>         implementing my 2.4 signatures:
> 
>         error: Error in signature
>         (/opt/bro/share/bro/foo/./signatures.sig:654): rule defined twice
> 
> 
>     Have you checked if the name of the rule on line 654 of that file
>     conflicts with the name of a rule provided in one of Bro's *.sig files ?
> 
>     If it does, then renaming it should be straightforward (if the
>     signature generates an event whose name also now conflicts with an
>     event in Bro, you may need to change that also).
> 
>     - Jon
> 
> 

From ossamabzos at gmail.com  Mon Apr 23 17:04:50 2018
From: ossamabzos at gmail.com (bz Os)
Date: Tue, 24 Apr 2018 01:04:50 +0100
Subject: [Bro] combine bro and phad alad and netad
Message-ID: <CACNmTY3M3BP+dGRF=2Mzpoh7kdKGKCN3=kNa9Nqjja8VOKEvUA@mail.gmail.com>

 hello every one how can i combine bro and phad ,alad and netad in practice
i will build a next generation ids so i am chosing bro and phad ,alad and
netad for better detection of attack and reducing generation of false alert
,if any one has an other idea about better detection of attack and reducing
alert by combining misuse and anomaly detection tell me (sorry i am not
good in english)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180424/fca1c8e4/attachment.html 

From dpromero at exakt.com.ph  Mon Apr 23 19:55:50 2018
From: dpromero at exakt.com.ph (diana)
Date: Tue, 24 Apr 2018 10:55:50 +0800
Subject: [Bro] (no subject)
Message-ID: <5ade9cb9.c224620a.206c3.52b1@mx.google.com>

Hi Good day! May I ask the cost of bro subscription in business type.

Thanks.

Sent from Mail for Windows 10

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180424/d34e2e0d/attachment.html 

From ossamabzos at gmail.com  Tue Apr 24 04:27:12 2018
From: ossamabzos at gmail.com (bz Os)
Date: Tue, 24 Apr 2018 12:27:12 +0100
Subject: [Bro] what are the important configuration file in bro?
Message-ID: <CACNmTY27wZL8YPdQSPKaLWAhUzyRtVZUvEgy=AvbsNef=93fhQ@mail.gmail.com>

hello wath are the configuration file in bro (such as local.bro)and there
role
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180424/80e0e3b1/attachment-0001.html 

From stu.h at live.com  Wed Apr 25 09:44:46 2018
From: stu.h at live.com (Stuart H)
Date: Wed, 25 Apr 2018 16:44:46 +0000
Subject: [Bro] BinPAC and custom types
Message-ID: <EE835B1E-0102-406E-B315-777B2214C3B1@live.com>

Hi,

I?m making some good progress writing an analyser with BinPAC, only small issue is that I can?t find a way to get custom Bro script types to be parsed on initiation of Bro. I?ve tried adding a types.bif file and defining the type there but can only seem to do a simple definition such as:
                type <module>::<custom type>: record;
rather than the full definition:
type <module>::<custom type>: record {
                                bool_var1: bool;
                                bool_var2: bool;
                                int_var: int;
                };

I have to add the above type manually to the generated Bro_<module>.events.bif.bro file or the core init-bare.bro file.

I?ve had a search around, but all references are to add it to the init-bare.bro file. Changing one of the core files doesn?t seem to fit with the plugin style of development.

Is there any way to add a type without doing it manually or tainting init-bare.bro?

Thanks,
Stu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180425/77a40963/attachment.html 

From seth at corelight.com  Wed Apr 25 11:51:16 2018
From: seth at corelight.com (Seth Hall)
Date: Wed, 25 Apr 2018 13:51:16 -0500
Subject: [Bro] BinPAC and custom types
In-Reply-To: <EE835B1E-0102-406E-B315-777B2214C3B1@live.com>
References: <EE835B1E-0102-406E-B315-777B2214C3B1@live.com>
Message-ID: <E1695864-FD6E-4DA5-A800-55F941D2D919@corelight.com>


On 25 Apr 2018, at 11:44, Stuart H wrote:

> I?m making some good progress writing an analyser with BinPAC, only 
> small issue is that I can?t find a way to get custom Bro script 
> types to be parsed on initiation of Bro. I?ve tried adding a 
> types.bif file and defining the type there but can only seem to do a 
> simple definition such as:
>                 type <module>::<custom type>: record;

You need to define the name and that it's a record in the types.bif file 
and then create a Bro script with the full type definition that is auto 
loaded when your plugin is loaded.  I think that if you used the script 
that autogenerates a structure for you, you should have a file named 
scripts/types.bro that is exactly for this purpose.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From pulgrims at gmail.com  Fri Apr 27 02:47:39 2018
From: pulgrims at gmail.com (Seong Hyeok Seo)
Date: Fri, 27 Apr 2018 18:47:39 +0900
Subject: [Bro] how to get not duplicated packets
Message-ID: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>

Hi, we're doing a job that collecting traffic by using Bro and PF_RING
, but  we found that each Bro worker got the same full traffic stream.
We think the packet is duplicated as much as the process number that we set
in a config file(bro/etc/node.cfg)

These are OS, Bro, PF_RING Ver. that we're using.


OS: CentOS 7.4.1708 (Core)
Bro: 2.5.3
PF RING: 7.1.0-1859

we installed those things, referring this page, https://www.bro.org/
documentation/load-balancing.html
and node.cfg is like this
------------------------------------------

[manager]
type=manager
host=X.X.X.X

[proxy-1]
type=proxy
host=X.X.X.X

[worker-1]
type=worker
host=X.X.X.X
interface=eth0
lb_method=pf_ring
lb_procs=8
--------------------------------------------------

please, help us to fix this and thank you in advance.

Sincerely,
Seonghyoek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/beb834b5/attachment.html 

From philosnef at gmail.com  Fri Apr 27 05:48:15 2018
From: philosnef at gmail.com (erik clark)
Date: Fri, 27 Apr 2018 08:48:15 -0400
Subject: [Bro] ES cluster and logstash
Message-ID: <CAK6atxrgMV7jDSwGAngqY1fdUkZujLWd3kTvsaMEwNRV9soK9w@mail.gmail.com>

We are looking to set up a proper ES cluster and dumping bro logs into it
via logstash. The thought is to have 6 ES nodes (2 dedicated master, 4 data
nodes). If we are dumping 15 TB of data into the cluster a year (possibly
as high as 20 or 25TB) from Bro, is 4 data nodes sufficient? The boxen will
only have 64 gigs of ram (30 for java heap, 34 for system use) and probably
16 discrete cores. I have a feeling that this is horribly insufficient for
a data cluster of that size.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/81915272/attachment.html 

From vlad at es.net  Fri Apr 27 07:33:37 2018
From: vlad at es.net (Vlad Grigorescu)
Date: Fri, 27 Apr 2018 14:33:37 +0000
Subject: [Bro] how to get not duplicated packets
In-Reply-To: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>
References: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>
Message-ID: <CAPqbkwuvGgZnWcaEBFSXmidQStT80aPbcWGv9hvsMa+p=S4oXw@mail.gmail.com>

Could you provide a bit more detail about your setup? Are the workers all
running on a single server, or are they distributed across multiple servers?

What I'm trying to determine is at what point the duplication is happening.

On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com> wrote:

> Hi, we're doing a job that collecting traffic by using Bro and PF_RING
> , but  we found that each Bro worker got the same full traffic stream.
> We think the packet is duplicated as much as the process number that we
> set in a config file(bro/etc/node.cfg)
>
> These are OS, Bro, PF_RING Ver. that we're using.
>
>
> OS: CentOS 7.4.1708 (Core)
> Bro: 2.5.3
> PF RING: 7.1.0-1859
>
> we installed those things, referring this page, https://www.bro.org/docu
> mentation/load-balancing.html
> and node.cfg is like this
> ------------------------------------------
>
> [manager]
> type=manager
> host=X.X.X.X
>
> [proxy-1]
> type=proxy
> host=X.X.X.X
>
> [worker-1]
> type=worker
> host=X.X.X.X
> interface=eth0
> lb_method=pf_ring
> lb_procs=8
> --------------------------------------------------
>
> please, help us to fix this and thank you in advance.
>
> Sincerely,
> Seonghyoek
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/050f46b3/attachment.html 

From philosnef at gmail.com  Fri Apr 27 07:49:12 2018
From: philosnef at gmail.com (erik clark)
Date: Fri, 27 Apr 2018 10:49:12 -0400
Subject: [Bro] ES cluster and logstash
In-Reply-To: <BYAPR05MB392878513906A6E0E94290A3958D0@BYAPR05MB3928.namprd05.prod.outlook.com>
References: <CAK6atxrgMV7jDSwGAngqY1fdUkZujLWd3kTvsaMEwNRV9soK9w@mail.gmail.com>
	<BYAPR05MB392878513906A6E0E94290A3958D0@BYAPR05MB3928.namprd05.prod.outlook.com>
Message-ID: <CAK6atxr8P7BP95wwU+6Cj5kpggOsw8Cy=cgmUAN_NNX1p-BuJQ@mail.gmail.com>

1 year retention, 1x replication.

On Fri, Apr 27, 2018 at 10:39 AM, Kinkead, Tanner <
Tanner.Kinkead at franklintempleton.com> wrote:

> How long do you expect to retain logs?  Are you using replica shards?
>
>
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *erik
> clark
> *Sent:* Friday, April 27, 2018 5:48 AM
> *To:* Bro-IDS <bro at bro.org>
> *Subject:* Re: [Bro] ES cluster and logstash
>
>
>
> We are looking to set up a proper ES cluster and dumping bro logs into it
> via logstash. The thought is to have 6 ES nodes (2 dedicated master, 4 data
> nodes). If we are dumping 15 TB of data into the cluster a year (possibly
> as high as 20 or 25TB) from Bro, is 4 data nodes sufficient? The boxen will
> only have 64 gigs of ram (30 for java heap, 34 for system use) and probably
> 16 discrete cores. I have a feeling that this is horribly insufficient for
> a data cluster of that size.
>
>
>
> Notice:  All email and instant messages (including attachments) sent to
> or from Franklin Templeton Investments (FTI) personnel may be retained,
> monitored and/or reviewed by FTI and its agents, or authorized
> law enforcement personnel, without further notice or consent.
> .
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/4e4e488f/attachment.html 

From pulgrims at gmail.com  Fri Apr 27 07:56:20 2018
From: pulgrims at gmail.com (Seong Hyeok Seo)
Date: Fri, 27 Apr 2018 14:56:20 +0000
Subject: [Bro] how to get not duplicated packets
In-Reply-To: <CAPqbkwsNgjt2gYq_xX9muTs8tRvYpSsMjK6+n4KHUqSQD8b=Ug@mail.gmail.com>
References: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>
	<CAPqbkwuvGgZnWcaEBFSXmidQStT80aPbcWGv9hvsMa+p=S4oXw@mail.gmail.com>
	<CAG0GWLB5BAHgLEWmVE1cxrWVu2_XOExAJGaeuUwXqV+_anQXJg@mail.gmail.com>
	<CAPqbkwsNgjt2gYq_xX9muTs8tRvYpSsMjK6+n4KHUqSQD8b=Ug@mail.gmail.com>
Message-ID: <CAG0GWLDxDVuOYtsv=siBPSKszO_Y_55UULfYP3rv5yCxgUtfGA@mail.gmail.com>

Yes, I will do that.

On Fri, 27 Apr 2018 at 11:54 PM Vlad Grigorescu <vlad at es.net> wrote:

> Would you mind also sending your reply to the bro mailing list? That way
> other people can also help you, and it will provide information to anyone
> else that might run into this same issue in the future. Thanks.
>
> On Fri, Apr 27, 2018 at 2:49 PM, Seong Hyeok Seo <pulgrims at gmail.com>
> wrote:
>
>> we?re working on 2 machines. we set one worker on a single server and a
>> manager and a proxy on the other one.
>> and actually we emailed to a pfring developer and they replied this...
>> ?it seems that Bro is not setting up a pf_ring cluster to distribute the
>> traffic across the instances (it should call pfring_set_cluster),
>> please write to the Bro mailing list as we are not maintaining that code
>> sorry.?
>>
>>
>> On Fri, 27 Apr 2018 at 11:33 PM Vlad Grigorescu <vlad at es.net> wrote:
>>
>>> Could you provide a bit more detail about your setup? Are the workers
>>> all running on a single server, or are they distributed across multiple
>>> servers?
>>>
>>> What I'm trying to determine is at what point the duplication is
>>> happening.
>>>
>>> On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com>
>>> wrote:
>>>
>>>> Hi, we're doing a job that collecting traffic by using Bro and PF_RING
>>>> , but  we found that each Bro worker got the same full traffic stream.
>>>> We think the packet is duplicated as much as the process number that we
>>>> set in a config file(bro/etc/node.cfg)
>>>>
>>>> These are OS, Bro, PF_RING Ver. that we're using.
>>>>
>>>>
>>>> OS: CentOS 7.4.1708 (Core)
>>>> Bro: 2.5.3
>>>> PF RING: 7.1.0-1859
>>>>
>>>> we installed those things, referring this page,
>>>> https://www.bro.org/documentation/load-balancing.html
>>>> and node.cfg is like this
>>>> ------------------------------------------
>>>>
>>>> [manager]
>>>> type=manager
>>>> host=X.X.X.X
>>>>
>>>> [proxy-1]
>>>> type=proxy
>>>> host=X.X.X.X
>>>>
>>>> [worker-1]
>>>> type=worker
>>>> host=X.X.X.X
>>>> interface=eth0
>>>> lb_method=pf_ring
>>>> lb_procs=8
>>>> --------------------------------------------------
>>>>
>>>> please, help us to fix this and thank you in advance.
>>>>
>>>> Sincerely,
>>>> Seonghyoek
>>>>
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/1523811b/attachment-0001.html 

From mabuchan at gmail.com  Fri Apr 27 10:22:08 2018
From: mabuchan at gmail.com (Mark Buchanan)
Date: Fri, 27 Apr 2018 17:22:08 +0000
Subject: [Bro] how to get not duplicated packets
In-Reply-To: <CAG0GWLDxDVuOYtsv=siBPSKszO_Y_55UULfYP3rv5yCxgUtfGA@mail.gmail.com>
References: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>
	<CAPqbkwuvGgZnWcaEBFSXmidQStT80aPbcWGv9hvsMa+p=S4oXw@mail.gmail.com>
	<CAG0GWLB5BAHgLEWmVE1cxrWVu2_XOExAJGaeuUwXqV+_anQXJg@mail.gmail.com>
	<CAPqbkwsNgjt2gYq_xX9muTs8tRvYpSsMjK6+n4KHUqSQD8b=Ug@mail.gmail.com>
	<CAG0GWLDxDVuOYtsv=siBPSKszO_Y_55UULfYP3rv5yCxgUtfGA@mail.gmail.com>
Message-ID: <CANQDeBN0NvwFeu_7TOzi0s7j_bPmNyZXwRjnHBjsKhPLAvwVhA@mail.gmail.com>

>From of one of Justin's posts a while back (as I have struggled with this
numerous times) - this may or may not be the issue, but putting it out
there if it is as it has the same symptoms.

    [root at bro-dev ~]# broctl config | grep pfring
    pfringclusterid = 21
    pfringclustertype = 4-tuple
    ringfirstappinstance = 0

if you have pfringclusterid set to 0, that's the problem that was just
fixed.  You can easily workaround that by adding

PFRINGClusterID = 21

to your /usr/local/bro/etc/broctl.cfg

Mark

On Fri, Apr 27, 2018 at 9:59 AM Seong Hyeok Seo <pulgrims at gmail.com> wrote:

> Yes, I will do that.
>
> On Fri, 27 Apr 2018 at 11:54 PM Vlad Grigorescu <vlad at es.net> wrote:
>
>> Would you mind also sending your reply to the bro mailing list? That way
>> other people can also help you, and it will provide information to anyone
>> else that might run into this same issue in the future. Thanks.
>>
>> On Fri, Apr 27, 2018 at 2:49 PM, Seong Hyeok Seo <pulgrims at gmail.com>
>> wrote:
>>
>>> we?re working on 2 machines. we set one worker on a single server and a
>>> manager and a proxy on the other one.
>>> and actually we emailed to a pfring developer and they replied this...
>>> ?it seems that Bro is not setting up a pf_ring cluster to distribute
>>> the traffic across the instances (it should call pfring_set_cluster),
>>> please write to the Bro mailing list as we are not maintaining that code
>>> sorry.?
>>>
>>>
>>> On Fri, 27 Apr 2018 at 11:33 PM Vlad Grigorescu <vlad at es.net> wrote:
>>>
>>>> Could you provide a bit more detail about your setup? Are the workers
>>>> all running on a single server, or are they distributed across multiple
>>>> servers?
>>>>
>>>> What I'm trying to determine is at what point the duplication is
>>>> happening.
>>>>
>>>> On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi, we're doing a job that collecting traffic by using Bro and PF_RING
>>>>> , but  we found that each Bro worker got the same full traffic stream.
>>>>> We think the packet is duplicated as much as the process number that
>>>>> we set in a config file(bro/etc/node.cfg)
>>>>>
>>>>> These are OS, Bro, PF_RING Ver. that we're using.
>>>>>
>>>>>
>>>>> OS: CentOS 7.4.1708 (Core)
>>>>> Bro: 2.5.3
>>>>> PF RING: 7.1.0-1859
>>>>>
>>>>> we installed those things, referring this page,
>>>>> https://www.bro.org/documentation/load-balancing.html
>>>>> and node.cfg is like this
>>>>> ------------------------------------------
>>>>>
>>>>> [manager]
>>>>> type=manager
>>>>> host=X.X.X.X
>>>>>
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=X.X.X.X
>>>>>
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=X.X.X.X
>>>>> interface=eth0
>>>>> lb_method=pf_ring
>>>>> lb_procs=8
>>>>> --------------------------------------------------
>>>>>
>>>>> please, help us to fix this and thank you in advance.
>>>>>
>>>>> Sincerely,
>>>>> Seonghyoek
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>>
>>>>
>> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Mark Buchanan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180427/5e96a3a3/attachment.html 

From pulgrims at gmail.com  Sun Apr 29 18:08:59 2018
From: pulgrims at gmail.com (Seong Hyeok Seo)
Date: Mon, 30 Apr 2018 10:08:59 +0900
Subject: [Bro] how to get not duplicated packets
In-Reply-To: <CANQDeBN0NvwFeu_7TOzi0s7j_bPmNyZXwRjnHBjsKhPLAvwVhA@mail.gmail.com>
References: <CAG0GWLA4Vr8shpiKPLo6tf7NuFBNKWMmwvje=+X3fQUb7QMWuA@mail.gmail.com>
	<CAPqbkwuvGgZnWcaEBFSXmidQStT80aPbcWGv9hvsMa+p=S4oXw@mail.gmail.com>
	<CAG0GWLB5BAHgLEWmVE1cxrWVu2_XOExAJGaeuUwXqV+_anQXJg@mail.gmail.com>
	<CAPqbkwsNgjt2gYq_xX9muTs8tRvYpSsMjK6+n4KHUqSQD8b=Ug@mail.gmail.com>
	<CAG0GWLDxDVuOYtsv=siBPSKszO_Y_55UULfYP3rv5yCxgUtfGA@mail.gmail.com>
	<CANQDeBN0NvwFeu_7TOzi0s7j_bPmNyZXwRjnHBjsKhPLAvwVhA@mail.gmail.com>
Message-ID: <CAG0GWLC-dKe2F+ndF5OmuCabrEWsdd8RHTLyVGDQGEyFwUjeoA@mail.gmail.com>

thanks a lot, Mark!
it?s solved by adding ?PFRINGClusterID = 21? in the cfg file.
it works well!


2018? 4? 28? ???, Mark Buchanan<mabuchan at gmail.com>?? ??? ???:

> From of one of Justin's posts a while back (as I have struggled with this
> numerous times) - this may or may not be the issue, but putting it out
> there if it is as it has the same symptoms.
>
>     [root at bro-dev ~]# broctl config | grep pfring
>     pfringclusterid = 21
>     pfringclustertype = 4-tuple
>     ringfirstappinstance = 0
>
> if you have pfringclusterid set to 0, that's the problem that was just
> fixed.  You can easily workaround that by adding
>
> PFRINGClusterID = 21
>
> to your /usr/local/bro/etc/broctl.cfg
>
> Mark
>
> On Fri, Apr 27, 2018 at 9:59 AM Seong Hyeok Seo <pulgrims at gmail.com>
> wrote:
>
>> Yes, I will do that.
>>
>> On Fri, 27 Apr 2018 at 11:54 PM Vlad Grigorescu <vlad at es.net> wrote:
>>
>>> Would you mind also sending your reply to the bro mailing list? That way
>>> other people can also help you, and it will provide information to anyone
>>> else that might run into this same issue in the future. Thanks.
>>>
>>> On Fri, Apr 27, 2018 at 2:49 PM, Seong Hyeok Seo <pulgrims at gmail.com>
>>> wrote:
>>>
>>>> we?re working on 2 machines. we set one worker on a single server and a
>>>> manager and a proxy on the other one.
>>>> and actually we emailed to a pfring developer and they replied this...
>>>> ?it seems that Bro is not setting up a pf_ring cluster to distribute
>>>> the traffic across the instances (it should call pfring_set_cluster),
>>>> please write to the Bro mailing list as we are not maintaining that
>>>> code sorry.?
>>>>
>>>>
>>>> On Fri, 27 Apr 2018 at 11:33 PM Vlad Grigorescu <vlad at es.net> wrote:
>>>>
>>>>> Could you provide a bit more detail about your setup? Are the workers
>>>>> all running on a single server, or are they distributed across multiple
>>>>> servers?
>>>>>
>>>>> What I'm trying to determine is at what point the duplication is
>>>>> happening.
>>>>>
>>>>> On Fri, Apr 27, 2018 at 9:47 AM, Seong Hyeok Seo <pulgrims at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi, we're doing a job that collecting traffic by using Bro and PF_RING
>>>>>> , but  we found that each Bro worker got the same full traffic
>>>>>> stream.
>>>>>> We think the packet is duplicated as much as the process number that
>>>>>> we set in a config file(bro/etc/node.cfg)
>>>>>>
>>>>>> These are OS, Bro, PF_RING Ver. that we're using.
>>>>>>
>>>>>>
>>>>>> OS: CentOS 7.4.1708 (Core)
>>>>>> Bro: 2.5.3
>>>>>> PF RING: 7.1.0-1859
>>>>>>
>>>>>> we installed those things, referring this page, https://www.bro.org/
>>>>>> documentation/load-balancing.html
>>>>>> and node.cfg is like this
>>>>>> ------------------------------------------
>>>>>>
>>>>>> [manager]
>>>>>> type=manager
>>>>>> host=X.X.X.X
>>>>>>
>>>>>> [proxy-1]
>>>>>> type=proxy
>>>>>> host=X.X.X.X
>>>>>>
>>>>>> [worker-1]
>>>>>> type=worker
>>>>>> host=X.X.X.X
>>>>>> interface=eth0
>>>>>> lb_method=pf_ring
>>>>>> lb_procs=8
>>>>>> --------------------------------------------------
>>>>>>
>>>>>> please, help us to fix this and thank you in advance.
>>>>>>
>>>>>> Sincerely,
>>>>>> Seonghyoek
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>
>>>>>
>>>>>
>>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Mark Buchanan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180430/05c140e9/attachment.html 

From sm8kk at virginia.edu  Mon Apr 30 15:59:31 2018
From: sm8kk at virginia.edu (sourav maji)
Date: Mon, 30 Apr 2018 18:59:31 -0400
Subject: [Bro] Regarding bro capture_loss
Message-ID: <CAEv6R52E+41TQ3TjQ77fZwq2qVjLp0d+TZQ6BPfQB3H-ct-ecg@mail.gmail.com>

Hi,

    Sorry if my questions have already been answered but it would be really
helpful if anyone can provide information on the following.

1. Does bro capture_loss indicate that packets that are mirrored using a
switch's SPAN/TAP port to a server running bro, drop packets in the
mirroring process somewhere upstream?

In our particular setting, we are seeing zero packet drops reported by
"broctl netstats" but more than 40% packet losses in capture_loss. Does
that imply that the server running bro is not dropping any packets but that
packets are being dropped upstream? Bidirectional traffic is sent to the
server running bro using SPAN ports.

2. Is there a document that explains in detail how capture loss is
computed?
It says "Reported loss is computed in terms of the number of ?gap events?
(ACKs for a sequence number that?s above a gap)."
What exactly is a gap event and how is the function call "get_gap_stats()"
defined? The code in "capture-loss.bro" does not explain how acks and gaps
can be used to estimate capture loss. Any detailed documentation would be
useful.

Thanks and regards,
Sourav Maji
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180430/b92f7f51/attachment.html