From jlay at slave-tothe-box.net Sun Jul 1 10:47:38 2018
From: jlay at slave-tothe-box.net (James Lay)
Date: Sun, 01 Jul 2018 11:47:38 -0600
Subject: [Bro] Bro and systemd without broctl
In-Reply-To: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net>
References: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net>
Message-ID: <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>

Solved:

[Unit]
Description=Bro
After=syslog.target network.target

[Service]
Type=oneshot
ExecStart=/opt/bin/startbro
RemainAfterExit=true
ExecStop=/usr/bin/killall bro
StandardOutput=journal

[Install]
WantedBy=multi-user.target

/opt/bin/startbro is similar to the bro line below.

James

On Thu, 2018-06-28 at 18:59 -0600, James Lay wrote:
> Hey all,
>
> So...I run a very lean box, and that means not using broctl. With
> older versions of linux rc.local was just fine to get a script to
> start bro, but with systemd it's not the same. My startup script is
> similar to the below:
>
> cd /opt/bro/spool/bro && /opt/bro/bin/bro -C -i eth0 -i eth1 --filter
> 'long filter option here' local "Site::local_nets += {
> externalIP,internatNET }" &
>
> This has worked like a champ but this command in a .service file or
> the .service file pointing to a script that contains the above does
> not work. So I have a couple points/questions:
>
> 1. Has anyone worked out a systemd .service file with bro that
> doesn't use broctl?
>
> 2. It would be nice to have a command line flag that can be used to
> specify the log path, this way I could forgo the cd command above.
>
> Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180701/1e5d2ccf/attachment.html
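Both units in this thread (the oneshot/killall one above and the Type=simple one Justin posts further down) start bro as root with the full capability set. The unit below is an added example that is not from the thread or from the Bro project: it keeps Justin's shape (Type=simple, EnvironmentFile, Restart) and adds systemd's sandboxing so bro runs as an unprivileged account holding only what live capture needs. The `bro` user and group, the spool path and /etc/default/bro are assumptions carried over from the thread; the spool directory has to be writable by that account.

```ini
# Added example, not from the thread or the Bro project. Same shape as Justin's
# unit (Type=simple, EnvironmentFile, Restart), plus systemd sandboxing so bro
# runs as an unprivileged "bro" account (assumed to exist and to own
# /opt/bro/spool/bro) with only the capabilities live capture needs.
[Unit]
Description=Bro (standalone, no broctl)
After=network.target

[Service]
Type=simple
User=bro
Group=bro
WorkingDirectory=/opt/bro/spool/bro
EnvironmentFile=/etc/default/bro
ExecStart=/opt/bro/bin/bro $BRO_ARGS
Restart=on-failure
RestartSec=10s

# Opening the AF_PACKET capture socket needs CAP_NET_RAW. CAP_NET_ADMIN is
# only needed if interface flags have to be changed (e.g. the link brought
# up); drop it if capture works without it.
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
NoNewPrivileges=true

# Everything read-only except the spool directory bro writes its logs into.
ProtectSystem=strict
ReadWritePaths=/opt/bro/spool/bro
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LockPersonality=true

[Install]
WantedBy=multi-user.target
```

No ExecStop is needed: on `systemctl stop` systemd sends SIGTERM to every process in the unit's cgroup, which is narrower than `killall bro`. Older systemd releases log "Unknown lvalue" for directives they do not know and ignore them, so check `journalctl -u bro` after the first start; where `systemd-analyze security bro.service` is available it scores what the sandbox still leaves open.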
From michalpurzynski1 at gmail.com Sun Jul 1 12:44:55 2018
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Sun, 1 Jul 2018 12:44:55 -0700
Subject: [Bro] Bro and systemd without broctl
In-Reply-To: <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>
References: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net> <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>
Message-ID: <7EE8BF35-6317-47EF-BD1C-D25CEF7345C5@gmail.com>

Startbro won't start a cluster correctly, will it?

> On Jul 1, 2018, at 10:47 AM, James Lay wrote:
>
> Solved:
>
> [Unit]
> Description=Bro
> After=syslog.target network.target
>
> [Service]
> Type=oneshot
> ExecStart=/opt/bin/startbro
> RemainAfterExit=true
> ExecStop=/usr/bin/killall bro
> StandardOutput=journal
>
> [Install]
> WantedBy=multi-user.target
>
> /opt/bin/startbro is similar to the bro line below.
>
> James

From jlay at slave-tothe-box.net Sun Jul 1 14:42:05 2018
From: jlay at slave-tothe-box.net (James Lay)
Date: Sun, 01 Jul 2018 15:42:05 -0600
Subject: [Bro] Bro and systemd without broctl
In-Reply-To: <7EE8BF35-6317-47EF-BD1C-D25CEF7345C5@gmail.com>
References: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net> <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net> <7EE8BF35-6317-47EF-BD1C-D25CEF7345C5@gmail.com>
Message-ID: <86e876b44c309ad2998f37106cbb13a7f7b2a405.camel@slave-tothe-box.net>

Not that I know of. Using bro proper is different than using broctl...there were several broctl systemd service examples when I looked, one being:

https://gist.github.com/JustinAzoff/db71b901b1070a88f2d72738bf212749

my requirements were different however.

James

On Sun, 2018-07-01 at 12:44 -0700, Michał Purzyński wrote:
> Startbro won't start a cluster correctly, will it?

From mkg at vt.edu Mon Jul 2 05:31:55 2018
From: mkg at vt.edu (Mark Gardner)
Date: Mon, 2 Jul 2018 08:31:55 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode

On Fri, Jun 29, 2018 at 4:53 PM, OpenShift Ninja wrote:
> Is it possible to easily configure Bro in cluster mode to connect on
> alternate ports other than 22? The reason I ask is that I'm running my bro
> processes inside containers on a host that already has sshd on port 22 (I'm
> running a sidecar sshd inside the container on port 2022). I can probably
> find it if I dig around, but if someone knows how to do this, let me know.

You should be able to map the port Bro is listening on inside the container to another port on the host. For Docker, the option would be -p <host port>:<container port>. See https://docs.docker.com/config/containers/container-networking/ for more details.

Mark
--
Mark Gardner

From openshift.ninja at gmail.com Mon Jul 2 05:34:32 2018
From: openshift.ninja at gmail.com (Openshift Ninja)
Date: Mon, 2 Jul 2018 08:34:32 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode

omg, I totally blanked on this. thanks for reminding me of a container 101 feature.

silly me.

Thanks!

> On Jul 2, 2018 at 8:31 AM, wrote:
>
> You should be able to map the port Bro is listening on inside the container to another port on the host. For Docker, the option would be -p <host port>:<container port>. See https://docs.docker.com/config/containers/container-networking/ for more details.
>
> Mark
> --
> Mark Gardner
From jazoff at illinois.edu Mon Jul 2 06:04:58 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 2 Jul 2018 13:04:58 +0000
Subject: [Bro] Bro and systemd without broctl
In-Reply-To: <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>
References: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net> <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>

> On Jul 1, 2018, at 1:47 PM, James Lay wrote:
>
> Solved:
>
> [Unit]
> Description=Bro
> After=syslog.target network.target
>
> [Service]
> Type=oneshot
> ExecStart=/opt/bin/startbro
> RemainAfterExit=true
> ExecStop=/usr/bin/killall bro
> StandardOutput=journal
>
> [Install]
> WantedBy=multi-user.target
>
> /opt/bin/startbro is similar to the bro line below.

That's not the best way to do that, you want something like this:

[Unit]
Description=Bro
After=syslog.target network.target

[Service]
Type=simple
WorkingDirectory=/opt/bro/spool/bro
EnvironmentFile=/etc/default/bro
ExecStart=/opt/bro/bin/bro $BRO_ARGS
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target

where /etc/default/bro contains the

BRO_ARGS=-C -i eth0 -i eth1 --filter 'long filter option here' local "Site::local_nets += { externalIP,internatNET }"

--
Justin Azoff

From openshift.ninja at gmail.com Mon Jul 2 08:03:53 2018
From: openshift.ninja at gmail.com (OpenShift Ninja)
Date: Mon, 2 Jul 2018 11:03:53 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode

So I realized a couple of things when I got into work today:

1) I can't remap the port that my sshd is listening on because I'm using host networking - Docker discards the port mapping in host networking mode.

2) My issue isn't the port that bro is listening on but rather the port the manager uses to ssh into the other nodes to run the bro commands to run the workers - you specify the hostnames in the node.cfg, but there doesn't appear to be a way to specify that I need it to ssh on port 2022 instead of the normal 22. This is only a problem because the hosts I'm running this on are already running an sshd that listens on 22. I might be able to get the port changed for that, but it seems easier to just get bro to connect on a different port. I can't use the built-in sshd because I want to run the workers, logger, etc in containers.

Obviously I have the source for bro, so I can go and modify it myself, but before I go down that rabbit hole, I want to make sure there isn't a way to do it already.

On Mon, Jul 2, 2018 at 8:34 AM Openshift Ninja wrote:
> omg, I totally blanked on this. thanks for reminding me of a container 101
> feature.
>
> silly me.
>
> Thanks!
From jazoff at illinois.edu Mon Jul 2 08:25:44 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 2 Jul 2018 15:25:44 +0000
Subject: [Bro] configure sshd port for bro nodes in cluster mode
Message-ID: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu>

> On Jul 2, 2018, at 11:03 AM, OpenShift Ninja wrote:
>
> So I realized a couple of things when I got into work today:
>
> 1) I can't remap the port that my sshd is listening on because I'm using host networking - Docker discards the port mapping in host networking mode.
> 2) My issue isn't the port that bro is listening on but rather the port the manager uses to ssh into the other nodes to run the bro commands to run the workers - you specify the hostnames in the node.cfg, but there doesn't appear to be a way to specify that I need it to ssh on port 2022 instead of the normal 22. This is only a problem because the hosts I'm running this on are already running an sshd that listens on 22. I might be able to get the port changed for that, but it seems easier to just get bro to connect on a different port. I can't use the built-in sshd because I want to run the workers, logger, etc in containers.
>
> Obviously I have the source for bro, so I can go and modify it myself, but before I go down that rabbit hole, I want to make sure there isn't a way to do it already.

echo "Port 2022" > ~/.ssh/config

Though I must say, if you are trying to get bro running on openshift or k8s by running broctl, you are doing it wrong. You don't need to run sshd so broctl can run bro in containers, you just need to run bro in the containers.

--
Justin Azoff

From openshift.ninja at gmail.com Mon Jul 2 08:46:45 2018
From: openshift.ninja at gmail.com (OpenShift Ninja)
Date: Mon, 2 Jul 2018 11:46:45 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode
In-Reply-To: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu>
References: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu>

I understand, but I'm trying to run in cluster mode, which means there is a manager that is talking to the nodes over ssh. I could run it in non-cluster mode and just have the bro instances analyzing traffic going through the local interface, but we thought going the cluster route would be better.

On Mon, Jul 2, 2018 at 11:25 AM Azoff, Justin S wrote:
> echo "Port 2022" > ~/.ssh/config
>
> Though I must say, if you are trying to get bro running on openshift or
> k8s by running broctl, you are doing it wrong. You don't
> need to run sshd so broctl can run bro in containers, you just need to run
> bro in the containers.
>
> --
> Justin Azoff

From openshift.ninja at gmail.com Mon Jul 2 08:47:29 2018
From: openshift.ninja at gmail.com (OpenShift Ninja)
Date: Mon, 2 Jul 2018 11:47:29 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode
References: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu>

Also, I understand how to make sshd use a different port. What I'm asking is how to make the bro manager connect to the nodes over that different port.

On Mon, Jul 2, 2018 at 11:46 AM OpenShift Ninja wrote:
> I understand, but I'm trying to run in cluster mode, which means there is
> a manager that is talking to the nodes over ssh. I could run it in
> non-cluster mode and just have the bro instances analyzing traffic going
> through the local interface, but we thought going the cluster route would
> be better.

From jazoff at illinois.edu Mon Jul 2 09:10:00 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 2 Jul 2018 16:10:00 +0000
Subject: [Bro] configure sshd port for bro nodes in cluster mode
References: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu>
Message-ID: <2722DBC5-285E-4061-885C-F069B4878C69@illinois.edu>

> On Jul 2, 2018, at 11:46 AM, OpenShift Ninja wrote:
>
> I understand, but I'm trying to run in cluster mode, which means there is a manager that is talking to the nodes over ssh. I could run it in non-cluster mode and just have the bro instances analyzing traffic going through the local interface, but we thought going the cluster route would be better.

The manager does not talk to the nodes over ssh. Broctl uses ssh to start the bro processes on the worker nodes. that is it. If you just start the processes yourself you don't need broctl or ssh.

> Also, I understand how to make sshd use a different port. What I'm asking is how to make the bro manager connect to the nodes over that different port.

~/.ssh/config is not the sshd config.

--
Justin Azoff

From openshift.ninja at gmail.com Mon Jul 2 09:13:25 2018
From: openshift.ninja at gmail.com (OpenShift Ninja)
Date: Mon, 2 Jul 2018 12:13:25 -0400
Subject: [Bro] configure sshd port for bro nodes in cluster mode
In-Reply-To: <2722DBC5-285E-4061-885C-F069B4878C69@illinois.edu>
References: <2088DC8F-7C02-40B8-8B4B-7F1016564708@illinois.edu> <2722DBC5-285E-4061-885C-F069B4878C69@illinois.edu>

Oh ok. Guess I hadn't gotten that far. Ok. I'm all good then. Sorry, I misinterpreted your response on the ssh part. Guess that was a lot simpler than I thought. Sorry for the confusion. :)

On Mon, Jul 2, 2018 at 12:10 PM Azoff, Justin S wrote:
> The manager does not talk to the nodes over ssh. Broctl uses ssh to start
> the bro processes on the worker nodes. that is it. If you just start the
> processes yourself you don't need broctl or ssh.
>
> ~/.ssh/config is not the sshd config.
>
> --
> Justin Azoff
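Justin's one-liner in this thread writes a config that applies the port to every ssh connection the broctl account makes, and `>` replaces whatever ~/.ssh/config already holds. The stanza below is an added example that is not from the thread or from broctl: the same port override scoped to the hosts named in node.cfg, with the non-interactive settings a cron-style `broctl start` wants. The host names, the remote account and the key path are placeholders.

```sshconfig
# Added example (not from the thread). Goes in ~/.ssh/config of the account
# that runs broctl on the manager. Host names, user and key path are
# placeholders for whatever node.cfg and your key layout actually use.
Host worker-1 worker-2 logger-1
    Port 2022
    User bro
    IdentityFile ~/.ssh/broctl_ed25519
    IdentitiesOnly yes
    # broctl runs ssh non-interactively: fail rather than sit on a prompt,
    # and refuse a host key that is not already in known_hosts.
    BatchMode yes
    StrictHostKeyChecking yes
```

Append it with `cat >> ~/.ssh/config` rather than `>`. With BatchMode and StrictHostKeyChecking set, a node whose host key is not yet in known_hosts makes the broctl run fail loudly instead of hanging on a yes/no prompt or silently accepting a key, so seed known_hosts once over a path you trust before the first start.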
From jlay at slave-tothe-box.net Tue Jul 3 10:53:40 2018
From: jlay at slave-tothe-box.net (James Lay)
Date: Tue, 03 Jul 2018 11:53:40 -0600
Subject: [Bro] Bro and systemd without broctl
References: <024792ab1bec6f161919f39edc350f309750171c.camel@slave-tothe-box.net> <75832b7f16768272e27ea9d4a3a6912a0aba0cb1.camel@slave-tothe-box.net>

Justin where were you when I needed you :P Thanks I'll use your version instead :)

James

On 2018-07-02 07:04, Azoff, Justin S wrote:
> That's not the best way to do that, you want something like this:
>
> [Unit]
> Description=Bro
> After=syslog.target network.target
>
> [Service]
> Type=simple
> WorkingDirectory=/opt/bro/spool/bro
> EnvironmentFile=/etc/default/bro
> ExecStart=/opt/bro/bin/bro $BRO_ARGS
> Restart=on-failure
> RestartSec=10s
>
> [Install]
> WantedBy=multi-user.target
>
> where /etc/default/bro contains the
>
> BRO_ARGS=-C -i eth0 -i eth1 --filter 'long filter option here' local
> "Site::local_nets += { externalIP,internatNET }"
>
> --
> Justin Azoff

From openshift.ninja at gmail.com Fri Jul 6 13:11:21 2018
From: openshift.ninja at gmail.com (Jeffrey Poore)
Date: Fri, 06 Jul 2018 20:11:21 +0000
Subject: [Bro] Bro Cluster in Containers

Thanks to some of the folks on this mailing list, I got my bro cluster in containers up and running, and I did a writeup on it. You can check it out on my blog:

https://vault.osninja.net/bro-cluster-in-containers/

From klehigh at iu.edu Mon Jul 9 06:57:15 2018
From: klehigh at iu.edu (Keith Lehigh)
Date: Mon, 09 Jul 2018 09:57:15 -0400
Subject: [Bro] BroCon 2018 Call for Presentations
In-Reply-To: <53CBFFA9-2E8E-450E-AB5E-BAFC259F2216@iu.edu>
References: <53CBFFA9-2E8E-450E-AB5E-BAFC259F2216@iu.edu>

Just a reminder that the CFP closes out this Friday!

- Keith

On 8 Jun 2018, at 13:09, Keith Lehigh wrote:
> BroCon 2018 is accepting presentation proposals. We are looking for talks to represent the many applications of Bro. Suitable topics include, but are not limited to:
> * as a tool for solving problems;
> * interesting user stories, solutions, or research projects;
> * a postmortem analysis of a security incident, emphasizing Bro's contribution;
> * the value Bro brings to your professional work;
> * and, using Bro for more than intrusion detection.
> * Please, no product presentations
>
> Criteria for evaluating proposals include whether the topic is applicable to multiple types of organizations, gives people ideas to take home and use, can be understood by a broad audience, or is novel to many in the audience. Scrolling through our YouTube Channel may provide some insight into the types of presentations we wish to feature. Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.
>
> Send abstracts (max 500 words) to: info at bro.org
> Subject: BroCon 2018 Call for Presentations
> Submission due date: Friday, July 13th
> Target date for announcing speakers: Friday, July 27th
>
> CFPs are selected by the Bro Leadership Team:
> Johanna Amann, ICSI / Corelight / LBNL
> Seth Hall, Corelight
> Keith Lehigh, Indiana University
> Vern Paxson, Corelight / ICSI / UC Berkeley
> Michal Purzynski, Mozilla Foundation
> Aashish Sharma, Lawrence Berkeley Lab
> Adam Slagell, National Center for Supercomputing Applications
> Robin Sommer, Corelight / ICSI / LBNL
> Jan Grashöfer, Karlsruhe Institute of Technology (KIT)
>
> - Keith Lehigh
>
> Technical Program Chair
> BroCon 2018
-------------- next part --------------
A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3740 bytes Desc: S/MIME digital signature

From huzhenming36 at gmail.com Tue Jul 10 01:50:49 2018
From: huzhenming36 at gmail.com (Star)
Date: Tue, 10 Jul 2018 16:50:49 +0800
Subject: [Bro] How does Bro decrypt https traffic?

Hi friends

My name is Star and I am from Beijing, China. I am working on a project for pcap traffic analysis. Now I want to decrypt https traffic, I don't know if bro supports it?

Thank you

From markjx at gmail.com Tue Jul 10 02:55:13 2018
From: markjx at gmail.com (Mark W. Jeanmougin)
Date: Tue, 10 Jul 2018 05:55:13 -0400
Subject: [Bro] How does Bro decrypt https traffic?

Hello Star!

bro does not support https decryption out of the box. Normally, an enterprise would deploy an "https Decryption Appliance". That would perform the decryption and create a stream of unencrypted traffic to go to your Network Security devices, like bro.

MJ

On Tue, Jul 10, 2018 at 5:00 AM Star wrote:
> Hi friends
> My name is Star and I am from Beijing, China. I am working on
> a project for pcap traffic analysis. Now I want to decrypt https traffic, I
> don't know if bro supports it?
>
> Thank you

From michalpurzynski1 at gmail.com Tue Jul 10 02:59:17 2018
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 10 Jul 2018 02:59:17 -0700
Subject: [Bro] How does Bro decrypt https traffic?
Message-ID: <2CB95799-C6A0-4F09-8A70-AEE905275C8F@gmail.com>

Bro does not decrypt ssl traffic. You can do it externally and feed the decrypted traffic into bro.

No one should ever be hijacking ssl traffic, though.

> On Jul 10, 2018, at 1:50 AM, Star wrote:
>
> Hi friends
> My name is Star and I am from Beijing, China. I am working on a project for pcap traffic analysis. Now I want to decrypt https traffic, I don't know if bro supports it?
>
> Thank you
From huzhenming36 at gmail.com Tue Jul 10 03:03:12 2018
From: huzhenming36 at gmail.com (huzhenming36 at gmail.com)
Date: Tue, 10 Jul 2018 18:03:12 +0800
Subject: [Bro] How does Bro decrypt https traffic?
Message-ID: <201807101803106436883@gmail.com>

Thank you very much for your reply, now I know that Bro does not support

huzhenming36 at gmail.com

From: Mark W. Jeanmougin
Date: 2018-07-10 17:55
To: huzhenming36
CC: bro
Subject: Re: [Bro] How does Bro decrypt https traffic?

Hello Star!

bro does not support https decryption out of the box. Normally, an enterprise would deploy an "https Decryption Appliance". That would perform the decryption and create a stream of unencrypted traffic to go to your Network Security devices, like bro.

MJ

From huzhenming36 at gmail.com Tue Jul 10 03:04:22 2018
From: huzhenming36 at gmail.com (huzhenming36 at gmail.com)
Date: Tue, 10 Jul 2018 18:04:22 +0800
Subject: [Bro] How does Bro decrypt https traffic?
References: <2CB95799-C6A0-4F09-8A70-AEE905275C8F@gmail.com>
Message-ID: <201807101804093798394@gmail.com>

Thank you very much for your reply, I just want to analyze https traffic with authorization.

huzhenming36 at gmail.com

From: Michał Purzyński
Date: 2018-07-10 17:59
To: Star
CC: bro
Subject: Re: [Bro] How does Bro decrypt https traffic?

Bro does not decrypt ssl traffic. You can do it externally and feed the decrypted traffic into bro.

No one should ever be hijacking ssl traffic, though.

From atodorovic at zyston.com Tue Jul 10 06:17:16 2018
From: atodorovic at zyston.com (Alex Todorovic)
Date: Tue, 10 Jul 2018 13:17:16 +0000
Subject: [Bro] Implementing MAC Address Label in Logs

Hi,

I'm working on a project to monitor network traffic and I want to split up my logs based on the user. I've been using IP addresses for this, but since our network runs DHCP this requires costly computation to get the MAC address associated with the IP address. I did some research and found that mac-logging.bro should do this for me, however my conn.log file doesn't include a mac field despite the existence of mac-logging.bro in /usr/local/bro/share/bro/base/protocols/conn. I also copied mac-logging.bro to /usr/local/bro/share/bro/policy/protocols/conn just to be sure, but still nothing. I rebooted my machine and still nothing. FYI I'm on a security onion distribution of ubuntu 16.04.

What do I need to do in order to implement this feature? Thanks in advance!
From openshift.ninja at gmail.com Tue Jul 10 08:27:27 2018
From: openshift.ninja at gmail.com (Jeffrey Poore)
Date: Tue, 10 Jul 2018 15:27:27 +0000
Subject: [Bro] bro cluster source
Message-ID:

I've added the source for my bro cluster blog entry to GitHub so that if you are interested, you can try it yourself:

https://github.com/openshiftninja/bro-docker-cluster

The blog entry is here:

https://vault.osninja.net/bro-cluster-in-containers/

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

From jmellander at lbl.gov Tue Jul 10 08:42:35 2018
From: jmellander at lbl.gov (Jim Mellander)
Date: Tue, 10 Jul 2018 08:42:35 -0700
Subject: [Bro] Implementing MAC Address Label in Logs
In-Reply-To:
References:
Message-ID:

mac-logging.bro isn't loaded by default, so you need to add:

@load policy/protocols/conn/mac-logging

to local.bro

PS - You can look in the loaded-scripts log file to see exactly which bro policies are actually being loaded in your installation.

Hope this helps,

Jim

On Tue, Jul 10, 2018 at 6:17 AM, Alex Todorovic wrote:
> Hi,
>
> I'm working on a project to monitor network traffic and I want to split up
> my logs based on the user. I've been using IP addresses for this, but since
> our network runs DHCP this requires costly computation to get the MAC
> address associated with the IP address. I did some research and found that
> mac-logging.bro should do this for me, however my conn.log file doesn't
> include a mac field despite the existence of mac-logging.bro in
> /usr/local/bro/share/bro/base/protocols/conn. I also copied
> mac-logging.bro to /usr/local/bro/share/bro/policy/protocols/conn just to
> be sure, but still nothing.
> I rebooted my machine and still nothing. FYI
> I'm on a security onion distribution of ubuntu 16.04.
>
> What do I need to do in order to implement this feature? Thanks in advance!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From soehlert at es.net Tue Jul 10 13:03:48 2018
From: soehlert at es.net (Samuel Oehlert)
Date: Tue, 10 Jul 2018 15:03:48 -0500
Subject: [Bro] bro cluster source
In-Reply-To:
References:
Message-ID:

Thanks for sharing! Small suggestion: your run_bro.sh file isn't really necessary as `bro deploy` takes the place of the `bro install; bro check; bro start` and makes sure to do it in the correct order. I believe it's the preferred method for starting bro these days.

- Sam

On Tue, Jul 10, 2018 at 10:36 AM Jeffrey Poore wrote:
> I've added the source for my bro cluster blog entry to GitHub so that if
> you are interested, you can try it yourself:
>
> https://github.com/openshiftninja/bro-docker-cluster
>
> The blog entry is here:
>
> https://vault.osninja.net/bro-cluster-in-containers/
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
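Jim's reply above points at the loaded-scripts log as the place to confirm which policies a sensor actually loaded. The check below is an added example, not code from the thread: a small POSIX shell function that answers "is mac-logging.bro loaded?" from that log, so the question can be settled before touching local.bro. It assumes loaded_scripts.log is the tab-separated log Bro writes, with `#`-prefixed metadata lines, a `#fields name` header and one script path per line, indented by nesting depth; the two sample logs it writes are constructed, and the path /usr/local/bro/logs/current/loaded_scripts.log is only where a default-prefix install would keep the live one.

```shell
#!/bin/sh
# Added example (not from the thread): confirm from loaded_scripts.log
# whether a given policy script, e.g. mac-logging.bro, was actually loaded.
#
# Assumption: loaded_scripts.log is Bro's tab-separated log with '#'-prefixed
# metadata lines, a '#fields name' header, and one script path per line,
# indented by nesting depth.

# script_loaded LOGFILE SCRIPT
# Returns 0 if an entry in LOGFILE ends with SCRIPT (a path suffix such as
# "mac-logging.bro" or "protocols/conn/mac-logging.bro"), 1 otherwise.
script_loaded() {
    awk -v want="$2" '
        /^#/ { next }                              # skip metadata lines
        {
            sub(/^[[:space:]]+/, "")               # strip nesting indent
            if (length($0) >= length(want) &&
                substr($0, length($0) - length(want) + 1) == want) {
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# write_sample_loaded_scripts FILE with|without
# Writes a constructed loaded_scripts.log, optionally including the
# mac-logging policy, so the check can be exercised offline.
write_sample_loaded_scripts() {
    {
        printf '#separator \\x09\n'
        printf '#path\tloaded_scripts\n'
        printf '#fields\tname\n'
        printf '#types\tstring\n'
        printf '/usr/local/bro/share/bro/base/init-bare.bro\n'
        printf '  /usr/local/bro/share/bro/base/protocols/conn/main.bro\n'
        printf '/usr/local/bro/share/bro/site/local.bro\n'
        if [ "$2" = with ]; then
            printf '  /usr/local/bro/share/bro/policy/protocols/conn/mac-logging.bro\n'
        fi
    } > "$1"
}

# Demo against the two constructed logs; on a real sensor point script_loaded
# at the live log instead, e.g. /usr/local/bro/logs/current/loaded_scripts.log.
demo() {
    dir=$(mktemp -d)
    write_sample_loaded_scripts "$dir/without.log" without
    write_sample_loaded_scripts "$dir/with.log" with
    for f in "$dir/without.log" "$dir/with.log"; do
        if script_loaded "$f" mac-logging.bro; then
            echo "$f: mac-logging.bro is loaded"
        else
            echo "$f: mac-logging.bro is NOT loaded; add '@load policy/protocols/conn/mac-logging' to local.bro"
        fi
    done
    rm -rf "$dir"
}

demo
```

Matching on a path suffix rather than a bare filename is deliberate: the same basename can exist under base/ and policy/ (Alex copied it into both), and the suffix form tells you which one Bro took.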
From johanna at icir.org Wed Jul 11 15:35:45 2018
From: johanna at icir.org (Johanna Amann)
Date: Wed, 11 Jul 2018 15:35:45 -0700
Subject: [Bro] Save the Date: Bro Workshop Europe (@KIT, Karlsruhe, Germany, September 18th & 19th)
Message-ID: <20180711223545.fqpvxdqormiyltbk@Trafalgar.local>

Dear Bro Community,

We are excited to announce the first Bro Workshop in Europe (which simultaneously is the first official Bro event outside of the USA). The workshop will be held at the Karlsruhe Institute of Technology (KIT) in Karlsruhe, Germany on Tuesday September 18th and Wednesday September 19th.

The workshop is a one-day event split in two half-days to allow easy traveling for participants in Europe: the program will start at noon/the early afternoon on Tuesday and end after lunch on Wednesday.

The workshop aims to bring together the Bro user community in Europe for which traveling to the US-based events has often been difficult. This will be a smaller, more informal event; we expect 30 to 50 attendees.

Registration will open within the next week. We will send another email once this happens.

The program will feature a mixture of external talks and talks of the Bro development team; several members of the team will attend the workshop. If you are interested in giving a talk at the Workshop, please send an email to info at bro.org.

We thank the Decentralized Systems and Network Services Research Group for hosting us at KIT and extend special thanks to Jan Grashöfer who has put a lot of work into making this possible.

Johanna

From pssunu6 at gmail.com Wed Jul 11 23:14:52 2018
From: pssunu6 at gmail.com (ps sunu)
Date: Thu, 12 Jul 2018 11:44:52 +0530
Subject: [Bro] How To prevent bro creating core dump
Message-ID:

Hi,

How To prevent bro creating core dump
From bkeep at alias454studios.com Thu Jul 12 04:25:52 2018
From: bkeep at alias454studios.com (bkeep)
Date: Thu, 12 Jul 2018 06:25:52 -0500
Subject: [Bro] RPM package creation results in unlinked libraries when installed
Message-ID: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com>

Hi,

I am trying to create an rpm package to easily distribute a package to other sensors but seem to be doing something wrong when building the package. The package builds okay but when installed, I end up with an error, which is "bro: error while loading shared libraries: libbroker.so.0: cannot open shared object file: No such file or directory." Running ldd, shows "not found" but on a working instance, the path is populated (/opt/bro/lib/libbroker.so.0). I also double checked that the file exists on the file system and it's there. I can launch broctl and run a few commands but when I do "deploy," I get the above error.

On the build system, I have installed the prerequisite software using yum.

yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel rpm-build

Also installed pf_ring from an rpm using the ntop.org repo.

The process I followed for building the package was:

git clone --recursive https://github.com/bro/bro.git
cd bro
LDFLAGS="-lpfring -lpcap" ./configure --prefix=/opt/bro --with-pcap=/usr/local/ --pkg-name-prefix=Bro --binary-package
cd build
make package
scp the file to the intended sensor
yum localinstall Bro-2.5-725-Linux-x86_64.rpm

The
[root at bro00 ~]# ldd /opt/bro/bin/bro |grep libbroker
        libbroker.so.0 => not found

Both the build machine and the intended install target are setup the same. They are Centos 7.5.1804 (Core) VM's running on VMware 6.5 with kernel 3.10.0-862.6.3.el7.x86_64.
Compiling BRO from source but leaving off the --binary-package flags resulted in a working install on the build machine as well using make && make install. I am not sure what piece I am missing here so any advice would be appreciated.

Regards,
Brandon

From jsiwek at corelight.com Thu Jul 12 06:50:52 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 12 Jul 2018 08:50:52 -0500
Subject: [Bro] How To prevent bro creating core dump
In-Reply-To:
References:
Message-ID:

On Thu, Jul 12, 2018 at 1:29 AM ps sunu wrote:
> How To prevent bro creating core dump

If you are using BroControl you could try setting up a hard limit for core dumps (e.g. /etc/security/limits.conf), or else manually patch out where BroControl unlimits the size of core dumps [1].

If you were using `bro` directly, then it's the standard process for managing shell limits (e.g. `ulimit -c 0` for current bash shell, as you may already know).

- Jon

[1] https://github.com/bro/broctl/blob/c5dd2ba83dda185d2008731a5cd25b2b8131ac78/bin/run-bro#L61

From jsiwek at corelight.com Thu Jul 12 07:06:21 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 12 Jul 2018 09:06:21 -0500
Subject: [Bro] RPM package creation results in unlinked libraries when installed
In-Reply-To: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com>
References: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com>
Message-ID:

On Thu, Jul 12, 2018 at 6:35 AM bkeep wrote:
> The [root at bro00 ~]# ldd /opt/bro/bin/bro |grep libbroker
> libbroker.so.0 => not found

Generally seems like you'll want to teach ld to search inside the non-standard /opt/bro/lib/ path.

e.g. look more into how to change /etc/ld.so.conf or /etc/ld.so.conf.d/ and running `ldconfig`.

Or if you just wanted to restrict the search behavior to a shell and not the entire system, the LD_LIBRARY_PATH environment variable will do that.
> Compiling BRO from source but leaving off the --binary-package flags
> resulted in a working install on the build machine as well using make &&
> make install. I am not sure what piece I am missing here so any advice
> would be appreciated.

One of the things the --binary-package flag does is prevent the use of RPATHs in the final binary. Normally, an RPATH is like hard-coding the path to a shared library. The thought behind disabling RPATHs when using the --binary-package is that it's generally more flexible to allow the linker to dynamically find it (e.g. via the configuration mentioned above), and I may recall that various Linux distros tend to frown upon using RPATHs in their packaging ecosystems anyway (so serves as good example to follow along).

- Jon

From cchiaverini at bnl.gov Thu Jul 12 14:48:50 2018
From: cchiaverini at bnl.gov (Chris Chiaverini)
Date: Thu, 12 Jul 2018 17:48:50 -0400
Subject: [Bro] multiple clusters - connection summary reports
Message-ID:

It's not much but any interest in putting this or a variation into the code?

Change email subject from:
[Bro] Connection summary from ${TIMEFRAME}
to
[Bro] Connection summary from ${TIMEFRAME} - ${HOSTNAME}

# diff ${BROINSTALLPATH}share/broctl/scripts/postprocessors/summarize-connections ${BROINSTALLPATH}/share/broctl/scripts/postprocessors/summarize-connections.orig 25d24 < systemname="$(hostname)" 82c81 ????
"${scriptsdir}"/send-mail "$subject" <$output # -- Regards, Chris Chiaverini Cyber Security Operations Brookhaven National Laboratory Upton, New York 11973 From bkeep at alias454studios.com Thu Jul 12 18:57:20 2018 From: bkeep at alias454studios.com (bkeep) Date: Thu, 12 Jul 2018 20:57:20 -0500 Subject: [Bro] RPM package creation results in unlinked libraries when installed In-Reply-To: References: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com> Message-ID: <8ba88883-97eb-b2ed-9d37-1ed04c1cc943@alias454studios.com> Thanks for the reply, that got me going the right direction I think, at least it works now. I created a file in /etc/ld.so.conf.d/ named bro-x86_64.conf with the path to /opt/bro/lib and ran ldconfig, which got everything working. I notice there are pre/post install scripts in the build directory. Is this the right place to add commands to be executed during the deployment? Is there a different file that won't get mangled if the repo gets updated or should I just beware and copy changes back in every time I need to do a new build from source? Regards, Brandon On 07/12/2018 09:06 AM, Jon Siwek wrote: > On Thu, Jul 12, 2018 at 6:35 AM bkeep wrote: > >> The [root at bro00 ~]# ldd /opt/bro/bin/bro |grep libbroker >> libbroker.so.0 => not found > Generally seems like you'll want to to teach ld to search inside the > non-standard /opt/bro/lib/ path. > > e.g. look more into how to change /etc/ld.so.conf or > /etc/ld.so.conf.d/ and running `ldconfig`. > > Or if you just wanted to restrict the search behavior to a shell and > not the entire system, the LD_LIBRARY_PATH environment variable will > do that. > >> Compiling BRO from source but leaving off the --binary-package flags >> resulted in a working install on the build machine as well using make && >> make install. I am not sure what piece I am missing here so any advice >> would be appreciated. > One of the things the --binary-package flag does is prevent the use of > RPATHs in the final binary. 
Normally, an RPATH is like hard-coding > the path to a shared library. The thought behind disabling RPATHs > when using the --binary-package is that it's generally more flexible > to allow the linker to dynamically find it (e.g. via the configuration > mentioned above), and I may recall that various Linux distros tend to > frown upon using RPATHs in their packaging ecosystems anyway (so > serves as good example to follow along). > > - Jon From jsiwek at corelight.com Fri Jul 13 07:42:01 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Fri, 13 Jul 2018 09:42:01 -0500 Subject: [Bro] RPM package creation results in unlinked libraries when installed In-Reply-To: <8ba88883-97eb-b2ed-9d37-1ed04c1cc943@alias454studios.com> References: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com> <8ba88883-97eb-b2ed-9d37-1ed04c1cc943@alias454studios.com> Message-ID: On Thu, Jul 12, 2018 at 9:13 PM bkeep wrote: > I notice there are pre/post install scripts in the build directory. Is > this the right place to add commands to be executed during the > deployment? Is there a different file that won't get mangled if the repo > gets updated or should I just beware and copy changes back in every time > I need to do a new build from source? I'm not sure exactly which scripts you mean, but yeah it doesn't sound safe to trust that changes to stuff in the build directory won't be clobbered at a later time, so may be a good idea to maintain those changes as part of your own separate script. - Jon From bkeep at alias454studios.com Fri Jul 13 15:32:03 2018 From: bkeep at alias454studios.com (bkeep) Date: Fri, 13 Jul 2018 17:32:03 -0500 Subject: [Bro] RPM package creation results in unlinked libraries when installed In-Reply-To: References: <661f8900-4f89-14f2-b7b3-aca1df191558@alias454studios.com> <8ba88883-97eb-b2ed-9d37-1ed04c1cc943@alias454studios.com> Message-ID: Thanks Jon, I found the right ones located in the /bro/cmake folder. 
Specifically, package_postupgrade.sh.in and package_preinstall.sh.in, which look like the right ones to edit. However, those didn't cover my entire needs. I figure managing the creation of the /etc/ld.so.conf.d/bro-x86_64.conf file is well handled using the spec file. However, I was having some trouble figuring out where/what to update to make changes stick(I'm still not sure of the right way to do it but I'll keep looking). Eventually, I found the CPackRPM.cmake file, which has a template and then it made sense to me(sorta). Is there any documentation for creating a new template? The way I worked around this as a temporary solution was editing the template in CPackRPM.cmake, which is bad form I'm sure but it works. It's also entirely possible that I am making this way more difficult than it needs to be because of my complete ignorance of the cmake build/package system. Any insights of that process would be welcomed as well. Regards, Brandon From klehigh at iu.edu Mon Jul 16 05:56:12 2018 From: klehigh at iu.edu (Keith Lehigh) Date: Mon, 16 Jul 2018 08:56:12 -0400 Subject: [Bro] BroCon2018 Sponsorship Openings Message-ID: Greetings, As the date for Brocon2018 approaches, I wanted to note that we still have sponsorship opportunities available. You can find a sponsorship prospectus with details and contact information on the BroCon2018 Sponsorship page. [1] Thanks! - Keith [1] https://www.brocon2018.com/event/sponsors -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3740 bytes Desc: S/MIME digital signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180716/421ddb16/attachment.bin From philosnef at gmail.com Mon Jul 16 08:30:09 2018 From: philosnef at gmail.com (erik clark) Date: Mon, 16 Jul 2018 11:30:09 -0400 Subject: [Bro] CoAP Message-ID: Does anyone know if there is a Bro plugin for CoAP traffic detection and identification? 
We have the MQTT plugin for IoT bits, but we would like to support CoAP as well. Thanks!

From johanna at icir.org Mon Jul 23 10:43:00 2018
From: johanna at icir.org (Johanna Amann)
Date: Mon, 23 Jul 2018 10:43:00 -0700
Subject: [Bro] Bro Workshop Europe - Registration open
Message-ID: <20180723174300.ye23e65a2gi3ncwv@Trafalgar.local>

Hi,

the registration for the Bro Workshop Europe (September 18th/19th, @KIT, Karlsruhe, Germany) is now open. To register, please visit https://dsn.tm.kit.edu/english/bro_workshop_europe.php (this is also linked from https://bro.org).

The workshop is a one-day event split in two half-days to allow easy traveling for participants in Europe: the program will start with lunch on Tuesday and end after lunch on Wednesday.

The program will consist of talks by the Bro development team and external contributors. A large part of the development team will be attending the workshop. I will send another email once a more detailed program is available.

If you are interested in giving a talk at the Workshop, please send an email to info at bro.org.
Johanna From adkalkan at gmail.com Tue Jul 24 01:45:55 2018 From: adkalkan at gmail.com (Antonis Kalkanof) Date: Tue, 24 Jul 2018 11:45:55 +0300 Subject: [Bro] Bro/ELK or SecurityOnion Message-ID: Content Removed From shanem at vt.edu Tue Jul 24 05:06:00 2018 From: shanem at vt.edu (Shane Mullins) Date: Tue, 24 Jul 2018 08:06:00 -0400 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: References: Message-ID: Content Removed From adkalkan at gmail.com Tue Jul 24 06:42:13 2018 From: adkalkan at gmail.com (Antonis Kalkanof) Date: Tue, 24 Jul 2018 16:42:13 +0300 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: References: Message-ID: Content Removed From openshift.ninja at gmail.com Tue Jul 24 06:48:40 2018 From: openshift.ninja at gmail.com (Jeffrey Poore) Date: Tue, 24 Jul 2018 13:48:40 +0000 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: References: Message-ID: Content Removed From shanem at vt.edu Tue Jul 24 07:27:20 2018 From: shanem at vt.edu (Shane Mullins) Date: Tue, 24 Jul 2018 10:27:20 -0400 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: References: Message-ID: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> Content Removed From openshift.ninja at gmail.com Tue Jul 24 07:28:47 2018 From: openshift.ninja at gmail.com (Jeffrey Poore) Date: Tue, 24 Jul 2018 14:28:47 +0000 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> References: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> Message-ID: Content Removed From pkelley at hyperionavenue.com Tue Jul 24 07:46:20 2018 From: pkelley at hyperionavenue.com (Patrick Kelley) Date: Tue, 24 Jul 2018 15:46:20 +0100 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> References: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> Message-ID: <92807F71-EFF8-4201-99BF-0FE0CC203D11@hyperionavenue.com> Content Removed From adkalkan at gmail.com Tue Jul 24 07:51:03 2018 From: adkalkan at gmail.com (Antonis Kalkanof) Date: 
Tue, 24 Jul 2018 17:51:03 +0300 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: <92807F71-EFF8-4201-99BF-0FE0CC203D11@hyperionavenue.com> References: <3c2ee034-a4ba-cf86-3934-8cbd89dcbb14@vt.edu> <92807F71-EFF8-4201-99BF-0FE0CC203D11@hyperionavenue.com> Message-ID: Content Removed

From doug.burks at gmail.com Tue Jul 24 09:40:44 2018 From: doug.burks at gmail.com (Doug Burks) Date: Tue, 24 Jul 2018 12:40:44 -0400 Subject: [Bro] Bro/ELK or SecurityOnion In-Reply-To: References: Message-ID: Content Removed

From undicizeri at gmail.com Wed Jul 25 09:04:09 2018
From: undicizeri at gmail.com (Federico Foschini)
Date: Wed, 25 Jul 2018 18:04:09 +0200
Subject: [Bro] Missing or "localhost" host field in bro http logs
Message-ID:

Hello,
I notice that sometimes the field host in a bro-http log is missing or contains localhost as a value.
How is that possible?

This is an example of a log with localhost as host:

http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}

In this one the host is missing:

http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}

Is that a normal behavior?

Thanks

--
Federico Foschini.
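Federico's two records are the two shapes worth flagging when reviewing JSON http logs: a request whose Host header named localhost, and a record with no host field at all. As an added example, not code from the thread, the POSIX shell script below pulls those records out of a JSON-lines http.log by uid using only awk, so it runs on a sensor without jq. It assumes one JSON object per line with Bro's JSON writer field names ("uid", "host"), as in the lines quoted in the question; the three-line sample log it writes is constructed (documentation-range addresses, made-up uids).

```shell
#!/bin/sh
# Added example (not from the thread): scan JSON-formatted http.log lines
# for records whose "host" field is absent or is "localhost", and report
# them by uid.
#
# Assumption: one JSON object per line with Bro's JSON writer field names
# ("uid", "host"), as in the log lines quoted in the question.

# flag_http_host LOGFILE
# Prints "<uid>\t<reason>" for each flagged record; reason is
# "missing-host" or "localhost-host". awk only, so no jq dependency.
flag_http_host() {
    awk '
        {
            uid = "?"
            if (match($0, /"uid":"[^"]*"/))
                uid = substr($0, RSTART + 7, RLENGTH - 8)   # text after "uid":"
            if (match($0, /"host":"[^"]*"/)) {
                host = substr($0, RSTART + 8, RLENGTH - 9)  # text after "host":"
                if (host == "localhost")
                    print uid "\tlocalhost-host"
            } else {
                print uid "\tmissing-host"
            }
        }
    ' "$1"
}

# count_flagged LOGFILE: number of flagged records (handy for a cron check).
count_flagged() {
    flag_http_host "$1" | wc -l | tr -d ' '
}

# write_sample_http_log FILE: constructed sample with one ordinary request,
# one request for "localhost", and one record with no host at all
# (addresses from the 192.0.2.0/24 documentation range, uids made up).
write_sample_http_log() {
    cat > "$1" <<'EOF'
{"ts":"2018-07-25T11:00:00.000000Z","uid":"Cexample001","id_orig_h":"192.0.2.10","id_orig_p":50001,"id_resp_h":"192.0.2.80","id_resp_p":80,"trans_depth":1,"method":"GET","host":"www.example.com","uri":"/","version":"1.1","request_body_len":0,"response_body_len":512,"status_code":200,"status_msg":"OK","tags":[]}
{"ts":"2018-07-25T11:01:00.000000Z","uid":"Cexample002","id_orig_h":"192.0.2.11","id_orig_p":50002,"id_resp_h":"192.0.2.80","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/login","version":"1.1","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}
{"ts":"2018-07-25T11:02:00.000000Z","uid":"Cexample003","id_orig_h":"192.0.2.12","id_orig_p":50003,"id_resp_h":"192.0.2.81","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_http_log "$dir/http.log"
    flag_http_host "$dir/http.log"
    echo "flagged: $(count_flagged "$dir/http.log")"
    rm -rf "$dir"
}

demo
```

A request for "localhost" arriving from another machine is worth a second look on its own: the client addressed a server by a name that only resolves to the server itself, which is more typical of tooling or a pasted proxy configuration than of a browser following links. The missing-host case pairs with Justin's observation in the reply below that both body lengths are zero.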
From robin at icir.org Thu Jul 26 11:15:21 2018
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Jul 2018 11:15:21 -0700
Subject: [Bro] BroCon 2018: Early bird deadline extended to Aug 10
In-Reply-To: <20180530222651.GH1911@icir.org>
References: <20180530222651.GH1911@icir.org>
Message-ID: <20180726181521.GA8385@icir.org>

Early bird registration for BroCon 2018 has been extended to August 10. Register here: https://www.brocon2018.com/event/begin

The program will be up shortly, the leadership team is currently reviewing the proposals it received.

BroCon 2018 will take place October 10-12, in Arlington, VA. It offers the Bro community a chance to meet face-to-face, share new ideas and developments, and better understand and secure their networks. The conference is composed of presentations from members of the community and the Bro development team.

Looking forward to seeing everybody there,

Robin

From peter.hallin at ldc.lu.se Thu Jul 26 11:26:13 2018
From: peter.hallin at ldc.lu.se (Peter Hallin)
Date: Thu, 26 Jul 2018 18:26:13 +0000
Subject: [Bro] Fwd: [Contact ICSI] ICSI Notary down?
In-Reply-To: <075fae0c-1953-858c-6d1e-82e03e2c4ea7@icsi.berkeley.edu>
References: <20180726082710.192B2C92F0@snack.icsi.berkeley.edu>, <075fae0c-1953-858c-6d1e-82e03e2c4ea7@icsi.berkeley.edu>
Message-ID: <00A35408-6FCB-471D-9841-7DB0335656DD@ldc.lu.se>

Dear Bro,

Do you have any info regarding notary.icsi.berkeley.edu? It doesn't resolve anymore.

Thanks,
Peter Hallin
Lund University IRT

Forwarded message:

From: Travis Caskey
Date: 26 July 2018 19:56:00 CEST
To:
Subject: Re: [Contact ICSI] ICSI Notary down?
Reply-To:

Peter,

I would recommend that you send note of this problem to bro at bro.org, where I believe they can be of further assistance.
Travis

On 7/26/2018 1:27 AM, peter.hallin at ldc.lu.se wrote:
Peter Hallin (peter.hallin at ldc.lu.se) sent a message using the contact form at https://www.icsi.berkeley.edu/icsi/contact.

Hello,

We are using the SSL certificate notary with our Bro installation, but now it seems down. The website is also unavailable.

Just wanted to check if this is temporary or if the service has been retired.

Thanks,

Peter Hallin
Lund University IRT

From jazoff at illinois.edu Thu Jul 26 11:37:05 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 26 Jul 2018 18:37:05 +0000
Subject: [Bro] Missing or "localhost" host field in bro http logs
In-Reply-To:
References:
Message-ID: <43A04B50-FB3C-492D-8186-7DE4136DA871@illinois.edu>

> On Jul 25, 2018, at 12:04 PM, Federico Foschini wrote:
>
> Hello,
> I notice that sometimes the field host in a bro-http log is missing or contains localhost as a value.
> How is that possible?
>
> This is an example of a log with localhost as host:
>
> http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}

There is no default value in bro, so if the log says localhost, it means the request was for localhost.
> In this one the host is missing:
>
> http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}
>
> Is that a normal behavior?

request_body_len and response_body_len are both 0, so it looks like the client did something weird here.

--
Justin Azoff

From johanna at icir.org Thu Jul 26 11:43:09 2018
From: johanna at icir.org (Johanna Amann)
Date: Thu, 26 Jul 2018 13:43:09 -0500
Subject: [Bro] [Contact ICSI] ICSI Notary down?
In-Reply-To: <00A35408-6FCB-471D-9841-7DB0335656DD@ldc.lu.se>
References: <20180726082710.192B2C92F0@snack.icsi.berkeley.edu> <075fae0c-1953-858c-6d1e-82e03e2c4ea7@icsi.berkeley.edu> <00A35408-6FCB-471D-9841-7DB0335656DD@ldc.lu.se>
Message-ID:

Uh... let me check that. If it does not that is a problem, thanks for the pointer.

Johanna

On 26 Jul 2018, at 13:26, Peter Hallin wrote:
> Dear Bro,
>
> Do you have any info regarding
> notary.icsi.berkeley.edu? It
> doesn't resolve anymore.
>
> Thanks,
> Peter Hallin
> Lund University IRT
>
>
> Forwarded message:
>
> From: Travis Caskey
> Date: 26 July 2018 19:56:00 CEST
> To:
> Subject: Re: [Contact ICSI] ICSI Notary down?
> Reply-To:
>
> Peter,
>
> I would recommend that you send note of this problem to
> bro at bro.org, where I believe they can be of
> further assistance.
>
> Travis
>
>
> On 7/26/2018 1:27 AM,
> peter.hallin at ldc.lu.se wrote:
> Peter Hallin (peter.hallin at ldc.lu.se)
> sent a message using the contact form
> at https://www.icsi.berkeley.edu/icsi/contact.
>
> Hello,
>
> We are using the SSL certificate notary with our Bro installation, but
> now it
> seems down. The website is also unavailable.
>
> Just wanted to check if this is temporary or if the service has been
> retired.
>
> Thanks,
>
> Peter Hallin
> Lund University IRT
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From johanna at icir.org Thu Jul 26 11:45:01 2018
From: johanna at icir.org (Johanna Amann)
Date: Thu, 26 Jul 2018 13:45:01 -0500
Subject: [Bro] [Contact ICSI] ICSI Notary down?
In-Reply-To: <00A35408-6FCB-471D-9841-7DB0335656DD@ldc.lu.se>
References: <20180726082710.192B2C92F0@snack.icsi.berkeley.edu> <075fae0c-1953-858c-6d1e-82e03e2c4ea7@icsi.berkeley.edu> <00A35408-6FCB-471D-9841-7DB0335656DD@ldc.lu.se>
Message-ID: <0CF9860E-CDB3-41E7-8127-3EC78F521C77@icir.org>

For some reason the dns server crashed without restarting. It is currently loading the zone-files and should be back within the next minute.

Thanks a lot for the email.

Johanna

On 26 Jul 2018, at 13:26, Peter Hallin wrote:
> Dear Bro,
>
> Do you have any info regarding
> notary.icsi.berkeley.edu? It
> doesn't resolve anymore.
>
> Thanks,
> Peter Hallin
> Lund University IRT
>
>
> Forwarded message:
>
> From: Travis Caskey
> Date: 26 July 2018 19:56:00 CEST
> To:
> Subject: Re: [Contact ICSI] ICSI Notary down?
> Reply-To:
>
> Peter,
>
> I would recommend that you send note of this problem to
> bro at bro.org, where I believe they can be of
> further assistance.
>
> Travis
>
>
> On 7/26/2018 1:27 AM,
> peter.hallin at ldc.lu.se wrote:
> Peter Hallin (peter.hallin at ldc.lu.se)
> sent a message using the contact form
> at https://www.icsi.berkeley.edu/icsi/contact.
>
> Hello,
>
> We are using the SSL certificate notary with our Bro installation, but
> now it
> seems down. The website is also unavailable.
>
> Just wanted to check if this is temporary or if the service has been
> retired.
>
> Thanks,
>
> Peter Hallin
> Lund University IRT
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From devanshdubeyv007 at gmail.com Sat Jul 28 03:42:53 2018
From: devanshdubeyv007 at gmail.com (Devansh Dubey)
Date: Sat, 28 Jul 2018 16:12:53 +0530
Subject: [Bro] Query
Message-ID:

Hi, I am Devansh Dubey from INDIA. I am having a doubt that can bro communicate with beats. I hope that you will reply me as soon as possible.

From krasinski at cines.fr Mon Jul 30 08:25:01 2018
From: krasinski at cines.fr (Nicolas KRASINSKI)
Date: Mon, 30 Jul 2018 17:25:01 +0200 (CEST)
Subject: [Bro] Add a counter in a script (arp_main.bro)
In-Reply-To:
References:
Message-ID: <943150290.724219.1532964301843.JavaMail.zimbra@cines.fr>

Hello,

In the script arp_main.bro ( https://gist.github.com/grigorescu/a28b814a8fb626e2a7b4715d278198aa ), there is a piece of code (lines 216 to 228) that can detect gratuitous arp (multiple is-at packets):

-----------------------------------------------------------------------------
# Check if reply is unsolicited and get request record
local request: Info;
if ( [THA, TPA, SPA] !in arp_state$requests )
	{
	request = new_arp_request(THA, SHA);
	request$unsolicited = T;
	NOTICE([$note=Unsolicited_Reply, $src=SPA,
	        $msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
	}
else
	{
	request = arp_state$requests[THA, TPA, SPA];
	delete arp_state$requests[THA, TPA, SPA];
	}

request$is_at = SHA;
-----------------------------------------------------------------------------

The problem is that each time the script detects more than one arp packet (is-at), it sends an alert: "unsolicited_reply"

I would like to add a counter: after x 'is-at' packets, send an alert.

Can someone help me? Sorry for my English, thanks a lot!
Nicolas.
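Nicolas's question does not get an answer on this page. One way to get the "alert only after x unsolicited replies" behaviour without touching the arp_main.bro script at all is to leave the per-packet notice in place and apply the threshold downstream, over notice.log. The script below is an added example, not code from the thread or from the gist: it counts notices per source in Bro's tab-separated notice.log and prints only the sources that exceed a threshold, the same way a cron job or a log shipper would. It assumes a `#fields` header naming at least the "note" and "src" columns (column positions are read from the header, not hard-coded), and it assumes the notice type is "ARP::Unsolicited_Reply", since the gist's module name is not shown on the page; the sample notice.log it writes is constructed with a reduced set of fields, and "Weird::Activity" is used only as an unrelated notice type that must not be counted.

```shell
#!/bin/sh
# Added example (not from the thread and not the arp_main.bro script):
# apply an alert threshold to ARP unsolicited-reply notices after the fact,
# by counting them per source in notice.log.
#
# Assumptions: notice.log is Bro's tab-separated log with a '#fields' header
# naming at least the "note" and "src" columns; the notice type defaults to
# "ARP::Unsolicited_Reply" (the module name in the gist is not shown in the
# thread, so pass the real name as the third argument if it differs).

# arp_reply_offenders LOGFILE THRESHOLD [NOTE]
# Prints "<src>\t<count>" for every source with more than THRESHOLD notices.
arp_reply_offenders() {
    note="${3:-ARP::Unsolicited_Reply}"
    awk -F'\t' -v threshold="$2" -v note="$note" '
        # Map column names to positions from the header, so the check does
        # not depend on the exact column order of a given Bro version.
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                                  # other metadata lines
        !("note" in col) || !("src" in col) { next }   # header not seen yet
        $col["note"] == note { hits[$col["src"]]++ }
        END {
            for (s in hits)
                if (hits[s] + 0 > threshold + 0)
                    print s "\t" hits[s]
        }
    ' "$1"
}

# write_sample_notice_log FILE: constructed log with a reduced field set;
# 192.0.2.10 sends five unsolicited replies, 192.0.2.20 one, and one
# unrelated Weird::Activity notice must be ignored.
write_sample_notice_log() {
    {
        printf '#separator \\x09\n'
        printf '#path\tnotice\n'
        printf '#fields\tts\tuid\tnote\tmsg\tsrc\n'
        printf '#types\ttime\tstring\tenum\tstring\taddr\n'
        i=0
        while [ "$i" -lt 5 ]; do
            printf '1532964301.%06d\t-\tARP::Unsolicited_Reply\treply: request[aa:bb:cc:00:00:01, 192.0.2.1, 192.0.2.10]\t192.0.2.10\n' "$i"
            i=$((i + 1))
        done
        printf '1532964310.000000\t-\tARP::Unsolicited_Reply\treply: request[aa:bb:cc:00:00:02, 192.0.2.1, 192.0.2.20]\t192.0.2.20\n'
        printf '1532964311.000000\t-\tWeird::Activity\tconstructed unrelated notice\t192.0.2.30\n'
    } > "$1"
}

demo() {
    dir=$(mktemp -d)
    write_sample_notice_log "$dir/notice.log"
    # Report sources that sent more than 3 unsolicited is-at replies.
    arp_reply_offenders "$dir/notice.log" 3
    rm -rf "$dir"
}

demo
```

Counting in the log rather than in the script means the raw Unsolicited_Reply notices stay available for investigation while only the threshold result is forwarded; the cost is that the alert is as late as the log rotation or the cron interval, which is the usual trade-off between in-line and post-processing detection.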