From clopmz at outlook.com Mon Oct 1 01:47:35 2018 From: clopmz at outlook.com (Carlos Lopez) Date: Mon, 1 Oct 2018 08:47:35 +0000 Subject: [Bro] OT: SuperMicro hardware recommendations Message-ID: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> Hi all, In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? -- Regards, C. L. Martinez From michalpurzynski1 at gmail.com Mon Oct 1 03:47:47 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Mon, 1 Oct 2018 12:47:47 +0200 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> Message-ID: <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> I?d recommended everything but super micro. A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. Example: they wanted me to send all dead hard drives back before they can send me a replacement. And that would take days or a week or two weeks. Raid battery problems? SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. Mechanically, chassis are a joke, too. OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: > > Hi all, > > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? > -- > Regards, > C. L. Martinez > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From zeolla at gmail.com Mon Oct 1 05:48:51 2018 From: zeolla at gmail.com (Zeolla@GMail.com) Date: Mon, 1 Oct 2018 08:48:51 -0400 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> Message-ID: I think they released their HTML5 interface for OOB. That said, I'm also not a huge fan. Jon On Mon, Oct 1, 2018 at 7:02 AM Micha? Purzy?ski wrote: > I?d recommended everything but super micro. > > A box of matches to shine the light on the dark corners of your network > will behave better than anything built on super micro. > > HP and other vendors may seem more expensive to buy, but the low quality > of super micro servers, apparent lack of support, arbitrary cut support ?we > do not support this anymore? and ridiculous replacement policy makes it a > non-starter for me. > > Example: they wanted me to send all dead hard drives back before they can > send me a replacement. > And that would take days or a week or two weeks. > > Raid battery problems? > > SM requires you to send entire server back and in a short 6 weeks - 3 > months you will see it back. Maybe. > > Mechanically, chassis are a joke, too. > > OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use > any kind of proxies, socks, tunneling - forget. > > > > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: > > > > Hi all, > > > > In the following days, we will setup a Bro-IDS distributed architecture > using 10 sensors and one manager. Network bandwidth will be between > 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro > servers as well. Can anyone recommend series or model? > > -- > > Regards, > > C. L. Martinez > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181001/734b17e7/attachment.html From markjx at gmail.com Mon Oct 1 06:02:30 2018 From: markjx at gmail.com (Mark W. Jeanmougin) Date: Mon, 1 Oct 2018 09:02:30 -0400 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> Message-ID: I've only worked with a few dozen SuperMicro boxes; probably less than 100. I don't consider myself an expert. I found the OOB management sufficient for what we needed. Maybe other vendors are significantly better? I found hard drive support to be exceptional. I could keep a stack of spare drives; if something failed, I'd replace it. If I didn't happen to have the exact model, I could swing by a Micro Center (or use Amazon's fast delivery options) and drop in something similar. Doing things like this was MUCH cheaper (and gave me faster time-to-repair) than the other vendors. Dropping in "weird" SSD's, eBay RAID controllers, HBA's from Amazon, or network cards from NewEgg were all solid. Everything just worked. My experience is that buying small hardware like that through a company's "expense" program is much easier and faster (and cheaper!) than getting a PO through a vendor to get it from an "enterprise" IT vendor. I *love* their 45 bay 4U boxes that I can slam off the shelf SATA drive into. Great way to get LOTS of storage for cheap. I never had mechanical issues with their chassis or rails. I had some boxes in 4 post data center racks. I had some "short depth" boxes mounted in 2post telecom racks out in my branch offices. I know that Palo Alto Networks, Cisco, Nortel, and others used SuperMicro to make a fair bit of their gear. Not sure if they still do. I've worked with hundreds of HP servers in the $250k-1m range where we had on site personnel for hardware and software support. The annual maintenance for a tape drive was more expensive than just buying a spare to keep on the shelf. We had hundreds of tape drives. It was great support, but we paid out the nose for it. I'm just another opinion out on the Internet. :) MJ On Mon, Oct 1, 2018 at 8:51 AM Zeolla at GMail.com wrote: > > I think they released their HTML5 interface for OOB. That said, I'm also not a huge fan. > > Jon > > On Mon, Oct 1, 2018 at 7:02 AM Micha? Purzy?ski wrote: >> >> I?d recommended everything but super micro. >> >> A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. >> >> HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. >> >> Example: they wanted me to send all dead hard drives back before they can send me a replacement. >> And that would take days or a week or two weeks. >> >> Raid battery problems? >> >> SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. >> >> Mechanically, chassis are a joke, too. >> >> OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. >> >> >> > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: >> > >> > Hi all, >> > >> > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? >> > -- >> > Regards, >> > C. L. Martinez >> > >> > >> > _______________________________________________ >> > Bro mailing list >> > bro at bro-ids.org >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- > > Jon > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From clopmz at outlook.com Mon Oct 1 06:16:41 2018 From: clopmz at outlook.com (Carlos Lopez) Date: Mon, 1 Oct 2018 13:16:41 +0000 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> Message-ID: Thanks Michal. I didn't know that bad support from SuperMicro. Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable for IDS deployment? -- Regards, C. L. Martinez ?On 01/10/2018, 12:47, "Micha? Purzy?ski" wrote: I?d recommended everything but super micro. A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. Example: they wanted me to send all dead hard drives back before they can send me a replacement. And that would take days or a week or two weeks. Raid battery problems? SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. Mechanically, chassis are a joke, too. OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: > > Hi all, > > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? > -- > Regards, > C. L. Martinez > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From alexwis at gmail.com Mon Oct 1 06:26:06 2018 From: alexwis at gmail.com (Alex Waher) Date: Mon, 1 Oct 2018 15:26:06 +0200 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> Message-ID: Can also checkout the offerings from the OpenCompute project; https://www.opencompute.org/products Can even stick with HP if you like, their 'Cloudline' gear supports (some aspects) of OCP. On Mon, Oct 1, 2018 at 3:19 PM Carlos Lopez wrote: > Thanks Michal. I didn't know that bad support from SuperMicro. > Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable > for IDS deployment? > > -- > Regards, > C. L. Martinez > > ?On 01/10/2018, 12:47, "Micha? Purzy?ski" > wrote: > > I?d recommended everything but super micro. > > A box of matches to shine the light on the dark corners of your > network will behave better than anything built on super micro. > > HP and other vendors may seem more expensive to buy, but the low > quality of super micro servers, apparent lack of support, arbitrary cut > support ?we do not support this anymore? and ridiculous replacement policy > makes it a non-starter for me. > > Example: they wanted me to send all dead hard drives back before they > can send me a replacement. > And that would take days or a week or two weeks. > > Raid battery problems? > > SM requires you to send entire server back and in a short 6 weeks - 3 > months you will see it back. Maybe. > > Mechanically, chassis are a joke, too. > > OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to > use any kind of proxies, socks, tunneling - forget. > > > > On Oct 1, 2018, at 10:47 AM, Carlos Lopez > wrote: > > > > Hi all, > > > > In the following days, we will setup a Bro-IDS distributed > architecture using 10 sensors and one manager. Network bandwidth will be > between 2GiB-4GiB. Until now we used HP servers, but we are looking at > SuperMicro servers as well. Can anyone recommend series or model? > > -- > > Regards, > > C. L. Martinez > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181001/cc2a59dc/attachment.html From openshift.ninja at gmail.com Mon Oct 1 07:47:07 2018 From: openshift.ninja at gmail.com (Jeffrey Poore) Date: Mon, 01 Oct 2018 14:47:07 +0000 Subject: [Bro] Bro logger not starting with mounted directories Message-ID: So I have a Bro cluster running in some containers, with a single instance of each node type, manager, logger, proxy and worker, all running on different servers. Log files get written to /usr/local/bro-2.5.4/spool/logger on the logger host, and then they get moved to folders under /usr/local/bro-2.5.4/logs. Everything is working ok, but I want to be able to write the logs to a mounted volume so that they can be seen outside the container. I tried mounting folders for both the bro/spool/logger folder and then also the bro/logs folder, but then the logger won't start (I checked that the permissions for the folder allow for reading and writing of any user inside the container, although currently the process is running as root). I was able to mount the bro/logs folder and start everything ok, but obviously the files written to the bro/spool/logger folder are only rotated over to the bro/logs folder periodically. Does anyone have any ideas why the logger wouldn't start? The command to start the logger doesn't seem to output any obvious message that would indicate why it failed, and the bro process itself isn't running after the execution. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181001/afd891e5/attachment.html From michalpurzynski1 at gmail.com Mon Oct 1 10:27:43 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Mon, 1 Oct 2018 19:27:43 +0200 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com> Message-ID: One other non-HP brand I?ve always been recommending is Fujitsu. People are always surprised that ?Fujitsu makes servers?? but my experience has always been great with both the hardware side and the support. They were cheaper than HP, last time I was buying them. > On Oct 1, 2018, at 3:26 PM, Alex Waher wrote: > > Can also checkout the offerings from the OpenCompute project; https://www.opencompute.org/products > Can even stick with HP if you like, their 'Cloudline' gear supports (some aspects) of OCP. > >> On Mon, Oct 1, 2018 at 3:19 PM Carlos Lopez wrote: >> Thanks Michal. I didn't know that bad support from SuperMicro. >> Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable for IDS deployment? >> >> -- >> Regards, >> C. L. Martinez >> >> ?On 01/10/2018, 12:47, "Micha? Purzy?ski" wrote: >> >> I?d recommended everything but super micro. >> >> A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. >> >> HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. >> >> Example: they wanted me to send all dead hard drives back before they can send me a replacement. >> And that would take days or a week or two weeks. >> >> Raid battery problems? >> >> SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. >> >> Mechanically, chassis are a joke, too. >> >> OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. >> >> >> > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: >> > >> > Hi all, >> > >> > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? >> > -- >> > Regards, >> > C. L. Martinez >> > >> > >> > _______________________________________________ >> > Bro mailing list >> > bro at bro-ids.org >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181001/9b9b62bd/attachment.html From openshift.ninja at gmail.com Mon Oct 1 17:45:25 2018 From: openshift.ninja at gmail.com (OpenShift Ninja) Date: Mon, 1 Oct 2018 20:45:25 -0400 Subject: [Bro] Bro logger not starting with mounted directories Message-ID: The issue turned out to be with our filesystem that was getting mounted. I was able to get the logger started and working. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181001/0b8f5e1f/attachment.html From seth at corelight.com Tue Oct 2 06:37:23 2018 From: seth at corelight.com (Seth Hall) Date: Tue, 02 Oct 2018 09:37:23 -0400 Subject: [Bro] Bro 2.6 beta feedback? Message-ID: I've seen very little feedback from the Bro 2.6 beta that was posted recently. I'm wondering how many people have tried it and if there is any feedback about it? Thanks! .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From shirkdog.bsd at gmail.com Tue Oct 2 07:06:02 2018 From: shirkdog.bsd at gmail.com (Michael Shirk) Date: Tue, 2 Oct 2018 10:06:02 -0400 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: References: Message-ID: I can report bro "version 2.6-beta2-3" built and started on 9/21/2018 on FreeBSD 11.2-RELEASE-p2 is still working...no issues for me (no plugins/packages) On Tue, Oct 2, 2018 at 9:52 AM Seth Hall wrote: > > I've seen very little feedback from the Bro 2.6 beta that was posted > recently. I'm wondering how many people have tried it and if there is > any feedback about it? > > Thanks! > .Seth > > -- > Seth Hall * Corelight, Inc * www.corelight.com > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com From dopheide at gmail.com Tue Oct 2 07:58:43 2018 From: dopheide at gmail.com (Mike Dopheide) Date: Tue, 2 Oct 2018 09:58:43 -0500 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: References: Message-ID: Adding to the data points and hopefully confidence of people who may be waiting... ESnet is running dev/2.7 (which includes all of the 2.6 changes) in production with no issues. CentOS 7 and MyricomSNF. -Dop On Tue, Oct 2, 2018 at 9:06 AM, Michael Shirk wrote: > I can report bro "version 2.6-beta2-3" built and started on 9/21/2018 > on FreeBSD 11.2-RELEASE-p2 is still working...no issues for me (no > plugins/packages) > On Tue, Oct 2, 2018 at 9:52 AM Seth Hall wrote: > > > > I've seen very little feedback from the Bro 2.6 beta that was posted > > recently. I'm wondering how many people have tried it and if there is > > any feedback about it? > > > > Thanks! > > .Seth > > > > -- > > Seth Hall * Corelight, Inc * www.corelight.com > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > -- > Michael Shirk > Daemon Security, Inc. > https://www.daemon-security.com > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181002/4955ceca/attachment.html From dhoelzer at enclaveforensics.com Tue Oct 2 13:06:20 2018 From: dhoelzer at enclaveforensics.com (=?UTF-8?Q?David_Hoelzer?=) Date: Tue, 2 Oct 2018 20:06:20 +0000 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> Message-ID: <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> Working great for us. We've had to rewrite some scripts and such, but otherwise, no issues. __ Thanks for your good (hard) work! ?On 10/2/18, 9:37 AM, "Seth Hall" wrote: I've seen very little feedback from the Bro 2.6 beta that was posted recently. I'm wondering how many people have tried it and if there is any feedback about it? Thanks! .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From seth at corelight.com Tue Oct 2 13:38:53 2018 From: seth at corelight.com (Seth Hall) Date: Tue, 02 Oct 2018 16:38:53 -0400 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> Message-ID: <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> On 2 Oct 2018, at 16:06, David Hoelzer wrote: > Working great for us. We've had to rewrite some scripts and such, but > otherwise, no issues. __ Any comments about what scripts you had to rewrite or the reasons for why they needed rewritten? > Thanks for your good (hard) work! I can't take much credit for this release. I had remarkably little code it, but I think it's a pretty nice release! A ton of work over multiple years has gone into it. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From asharma at lbl.gov Tue Oct 2 15:03:17 2018 From: asharma at lbl.gov (Aashish Sharma) Date: Tue, 2 Oct 2018 15:03:17 -0700 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> Message-ID: <20181002220316.GK91054@MacPro-2331.local> So, I tried running this on FreeBSD 10.3-STABLE and I see the following, builds fine but when trying to run: $ ./broctl install Error: running "bro -v" failed with output: Undefined symbol "_ZN6broker5topic8reservedE" referenced from COPY relocation in /home/bro/master/bin/bro I do see that bro builds against its own libcaf: $ ldd ./bro ./bro: libpcap.so.1 => /usr/local/opt/snf/lib/libpcap.so.1 (0x400ef1000) libssl.so.9 => /usr/local/lib/libssl.so.9 (0x40113a000) libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x401400000) libz.so.6 => /lib/libz.so.6 (0x401852000) libbroker.so.0 => /usr/local/lib/libbroker.so.0 (0x401c00000) libcaf_core.so.0.16.0 => /home/bro/master/lib/libcaf_core.so.0.16.0 (0x402200000) libcaf_io.so.0.16.0 => /home/bro/master/lib/libcaf_io.so.0.16.0 (0x402800000) libcaf_openssl.so.0.16.0 => /home/bro/master/lib/libcaf_openssl.so.0.16.0 (0x402c86000) libc++.so.1 => /usr/local/lib/libc++.so.1 (0x402ee0000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x4031a0000) libm.so.5 => /lib/libm.so.5 (0x4033bd000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x4035e6000) libthr.so.3 => /lib/libthr.so.3 (0x4037f4000) libc.so.7 => /lib/libc.so.7 (0x403a18000) libsnf.so.0 => /usr/local/opt/snf/lib/libsnf.so.0 (0x403dc6000) libcaf_core.so.0.14.1 => /usr/local/lib/libcaf_core.so.0.14.1 (0x403fd6000) libcaf_io.so.0.14.1 => /usr/local/lib/libcaf_io.so.0.14.1 (0x4042c4000) libcxxrt.so => /usr/local/lib/libcxxrt.so (0x404574000) librt.so.1 => /usr/lib/librt.so.1 (0x404790000) Aashish On Tue, Oct 02, 2018 at 04:38:53PM -0400, Seth Hall wrote: > > > On 2 Oct 2018, at 16:06, David Hoelzer wrote: > > > Working great for us. We've had to rewrite some scripts and such, but > > otherwise, no issues. __ > > Any comments about what scripts you had to rewrite or the reasons for > why they needed rewritten? > > > Thanks for your good (hard) work! > > I can't take much credit for this release. I had remarkably little code > it, but I think it's a pretty nice release! A ton of work over multiple > years has gone into it. > > .Seth > > -- > Seth Hall * Corelight, Inc * www.corelight.com > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jazoff at illinois.edu Tue Oct 2 15:08:51 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Tue, 2 Oct 2018 22:08:51 +0000 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <20181002220316.GK91054@MacPro-2331.local> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> Message-ID: <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> > On Oct 2, 2018, at 6:03 PM, Aashish Sharma wrote: > libcaf_core.so.0.16.0 => /home/bro/master/lib/libcaf_core.so.0.16.0 (0x402200000) > libcaf_io.so.0.16.0 => /home/bro/master/lib/libcaf_io.so.0.16.0 (0x402800000) .. > libcaf_core.so.0.14.1 => /usr/local/lib/libcaf_core.so.0.14.1 (0x403fd6000) > libcaf_io.so.0.14.1 => /usr/local/lib/libcaf_io.so.0.14.1 (0x4042c4000) Looks like you have an older version of caf installed in /usr/local that may be conflicting with things. I helped someone on IRC with a similar problem and removing any old caf libraries and header files in /usr/local fixed things. ? Justin Azoff From shirkdog.bsd at gmail.com Tue Oct 2 15:14:34 2018 From: shirkdog.bsd at gmail.com (Michael Shirk) Date: Tue, 2 Oct 2018 18:14:34 -0400 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <20181002220316.GK91054@MacPro-2331.local> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> Message-ID: I had that issue where I had to remove the OS installed libcaf on FreeBSD. -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com On Tue, Oct 2, 2018, 18:12 Aashish Sharma wrote: > So, I tried running this on FreeBSD 10.3-STABLE and I see the following, > builds > fine but when trying to run: > > $ ./broctl install > Error: running "bro -v" failed with output: > Undefined symbol "_ZN6broker5topic8reservedE" referenced from COPY > relocation in /home/bro/master/bin/bro > > > I do see that bro builds against its own libcaf: > > $ ldd ./bro > ./bro: > libpcap.so.1 => /usr/local/opt/snf/lib/libpcap.so.1 (0x400ef1000) > libssl.so.9 => /usr/local/lib/libssl.so.9 (0x40113a000) > libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x401400000) > libz.so.6 => /lib/libz.so.6 (0x401852000) > libbroker.so.0 => /usr/local/lib/libbroker.so.0 (0x401c00000) > libcaf_core.so.0.16.0 => > /home/bro/master/lib/libcaf_core.so.0.16.0 (0x402200000) > libcaf_io.so.0.16.0 => /home/bro/master/lib/libcaf_io.so.0.16.0 > (0x402800000) > libcaf_openssl.so.0.16.0 => > /home/bro/master/lib/libcaf_openssl.so.0.16.0 (0x402c86000) > libc++.so.1 => /usr/local/lib/libc++.so.1 (0x402ee0000) > libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x4031a0000) > libm.so.5 => /lib/libm.so.5 (0x4033bd000) > libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x4035e6000) > libthr.so.3 => /lib/libthr.so.3 (0x4037f4000) > libc.so.7 => /lib/libc.so.7 (0x403a18000) > libsnf.so.0 => /usr/local/opt/snf/lib/libsnf.so.0 (0x403dc6000) > libcaf_core.so.0.14.1 => /usr/local/lib/libcaf_core.so.0.14.1 > (0x403fd6000) > libcaf_io.so.0.14.1 => /usr/local/lib/libcaf_io.so.0.14.1 > (0x4042c4000) > libcxxrt.so => /usr/local/lib/libcxxrt.so (0x404574000) > librt.so.1 => /usr/lib/librt.so.1 (0x404790000) > > > Aashish > > > On Tue, Oct 02, 2018 at 04:38:53PM -0400, Seth Hall wrote: > > > > > > On 2 Oct 2018, at 16:06, David Hoelzer wrote: > > > > > Working great for us. We've had to rewrite some scripts and such, but > > > otherwise, no issues. __ > > > > Any comments about what scripts you had to rewrite or the reasons for > > why they needed rewritten? > > > > > Thanks for your good (hard) work! > > > > I can't take much credit for this release. I had remarkably little code > > it, but I think it's a pretty nice release! A ton of work over multiple > > years has gone into it. > > > > .Seth > > > > -- > > Seth Hall * Corelight, Inc * www.corelight.com > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181002/d596061e/attachment.html From dhoelzer at enclaveforensics.com Tue Oct 2 15:31:24 2018 From: dhoelzer at enclaveforensics.com (=?UTF-8?Q?David_Hoelzer?=) Date: Tue, 2 Oct 2018 22:31:24 +0000 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> Message-ID: <0100016636e84870-7cce0f1e-bd7e-46ae-a427-f43c5ac6f08c-000000@email.amazonses.com> I'll get back to you on script rewrites. ?On 10/2/18, 4:38 PM, "Seth Hall" wrote: On 2 Oct 2018, at 16:06, David Hoelzer wrote: > Working great for us. We've had to rewrite some scripts and such, but > otherwise, no issues. __ Any comments about what scripts you had to rewrite or the reasons for why they needed rewritten? > Thanks for your good (hard) work! I can't take much credit for this release. I had remarkably little code it, but I think it's a pretty nice release! A ton of work over multiple years has gone into it. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From seth at corelight.com Tue Oct 2 16:00:41 2018 From: seth at corelight.com (Seth Hall) Date: Tue, 2 Oct 2018 19:00:41 -0400 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> Message-ID: Hm, that makes me wonder if we should do something like set an RPATH to make sure the correct libcaf is used. Jon, does that make sense? It seems that this problem will only come up more frequently as caf is packaged by more systems. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com > On Oct 2, 2018, at 6:08 PM, Azoff, Justin S wrote: > > >> On Oct 2, 2018, at 6:03 PM, Aashish Sharma wrote: >> libcaf_core.so.0.16.0 => /home/bro/master/lib/libcaf_core.so.0.16.0 (0x402200000) >> libcaf_io.so.0.16.0 => /home/bro/master/lib/libcaf_io.so.0.16.0 (0x402800000) > .. >> libcaf_core.so.0.14.1 => /usr/local/lib/libcaf_core.so.0.14.1 (0x403fd6000) >> libcaf_io.so.0.14.1 => /usr/local/lib/libcaf_io.so.0.14.1 (0x4042c4000) > > Looks like you have an older version of caf installed in /usr/local that may be conflicting with things. > > I helped someone on IRC with a similar problem and removing any old caf libraries and header files in /usr/local fixed things. > > ? > Justin Azoff > > From johanna at icir.org Tue Oct 2 17:17:09 2018 From: johanna at icir.org (Johanna Amann) Date: Tue, 02 Oct 2018 17:17:09 -0700 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> Message-ID: <0D4FC046-CDBA-46B3-BEF6-91FEB16D4B9E@icir.org> I am not sure that that will help - setting an rpath in packaged binaries is typically at least discouraged. We actually also don?t do it in the packages that we do (or will) ship. For example, see https://wiki.debian.org/RpathIssue, https://www.debian.org/doc/manuals/maint-guide/advanced.en.html, https://fedoraproject.org/wiki/Packaging_tricks#Acceptable_use_of_rpath (rpmlint raises it as an error; it can be considered ok in fedora for internal libraries), https://en.opensuse.org/openSUSE:Packaging_checks (this seems to outright prohibit its use). But - perhaps we should recognize such situations and refuse to compile/warn users that they mightt have to re-set their dynamic link paths? Johanna On 2 Oct 2018, at 16:00, Seth Hall wrote: > Hm, that makes me wonder if we should do something like set an RPATH > to make sure the correct libcaf is used. > > Jon, does that make sense? It seems that this problem will only come > up more frequently as caf is packaged by more systems. > > .Seth > > -- > Seth Hall * Corelight, Inc * www.corelight.com > > >> On Oct 2, 2018, at 6:08 PM, Azoff, Justin S >> wrote: >> >> >>> On Oct 2, 2018, at 6:03 PM, Aashish Sharma wrote: >>> libcaf_core.so.0.16.0 => >>> /home/bro/master/lib/libcaf_core.so.0.16.0 (0x402200000) >>> libcaf_io.so.0.16.0 => >>> /home/bro/master/lib/libcaf_io.so.0.16.0 (0x402800000) >> .. >>> libcaf_core.so.0.14.1 => /usr/local/lib/libcaf_core.so.0.14.1 >>> (0x403fd6000) >>> libcaf_io.so.0.14.1 => /usr/local/lib/libcaf_io.so.0.14.1 >>> (0x4042c4000) >> >> Looks like you have an older version of caf installed in /usr/local >> that may be conflicting with things. >> >> I helped someone on IRC with a similar problem and removing any old >> caf libraries and header files in /usr/local fixed things. >> >> ? >> Justin Azoff >> >> > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jsiwek at corelight.com Tue Oct 2 17:46:10 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Tue, 2 Oct 2018 19:46:10 -0500 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> Message-ID: On Tue, Oct 2, 2018 at 6:15 PM Seth Hall wrote: > > Hm, that makes me wonder if we should do something like set an RPATH to make sure the correct libcaf is used. > > Jon, does that make sense? It seems that this problem will only come up more frequently as caf is packaged by more systems. An RPATH is already set by default (regardless of platform): $ readelf -d /usr/local/bro/bin/bro | grep RPATH 0x000000000000000f (RPATH) Library rpath: [/usr/local/bro/lib] $ readelf -d /usr/local/bro/lib/libbroker.so | grep RPATH 0x000000000000000f (RPATH) Library rpath: [/usr/local/bro/lib] $ freebsd-version 10.3-RELEASE-p29 I tried reproducing the problem by faking it out with CAF libs installed in /usr/local: $ ls /usr/local/lib/libcaf_* /usr/local/lib/libcaf_core.so /usr/local/lib/libcaf_core.so.0.15.3 /usr/local/lib/libcaf_io.so /usr/local/lib/libcaf_io.so.0.15.3 But that still works fine for me: $ /usr/bin/ldd /usr/local/bro/bin/bro /usr/local/bro/bin/bro: libpcap.so.8 => /lib/libpcap.so.8 (0x80162b000) libssl.so.7 => /usr/lib/libssl.so.7 (0x801870000) libcrypto.so.7 => /lib/libcrypto.so.7 (0x801adc000) libz.so.6 => /lib/libz.so.6 (0x801ed1000) libbroker.so.0 => /usr/local/bro/lib/libbroker.so.0 (0x802200000) libthr.so.3 => /lib/libthr.so.3 (0x802e71000) libcaf_core.so.0.16.0 => /usr/local/bro/lib/libcaf_core.so.0.16.0 (0x803200000) libcaf_io.so.0.16.0 => /usr/local/bro/lib/libcaf_io.so.0.16.0 (0x803c00000) libcaf_openssl.so.0.16.0 => /usr/local/bro/lib/libcaf_openssl.so.0.16.0 (0x80453e000) libc++.so.1 => /usr/lib/libc++.so.1 (0x804844000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x804b03000) libm.so.5 => /lib/libm.so.5 (0x804d20000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x804f49000) libc.so.7 => /lib/libc.so.7 (0x805157000) So not sure why Aashish or others had problems with alternate CAF installations. - Jon From jsiwek at corelight.com Tue Oct 2 17:52:00 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Tue, 2 Oct 2018 19:52:00 -0500 Subject: [Bro] Bro 2.6 beta feedback? In-Reply-To: <0D4FC046-CDBA-46B3-BEF6-91FEB16D4B9E@icir.org> References: <9AE95CCE-F5AB-4C64-ADF4-B07E55D123EA@enclaveforensics.com> <01000166366376ef-ee87387b-108e-4fb7-97b3-e36cffc097da-000000@email.amazonses.com> <59E8B650-F4A4-42CC-A4DC-49765C1088D1@corelight.com> <20181002220316.GK91054@MacPro-2331.local> <5D23B64A-F9F2-4FD6-82BA-2F3F8707BC00@illinois.edu> <0D4FC046-CDBA-46B3-BEF6-91FEB16D4B9E@icir.org> Message-ID: On Tue, Oct 2, 2018 at 7:28 PM Johanna Amann wrote: > > I am not sure that that will help - setting an rpath in packaged > binaries is typically at least discouraged. We actually also don?t do > it in the packages that we do (or will) ship. For local installs where we only ever intend to load libraries that were a part of the same build, it seems reasonable to have an RPATH. For binary packages, I agree that it's not as good an idea, and that's what the `configure --binary-package` flag was meant to help with: it disables setting of RPATH instead of doing what normally happens in cmake/SetupRPATH.cmake - Jon From shutchison at cert.org Wed Oct 3 11:46:00 2018 From: shutchison at cert.org (Sean Hutchison) Date: Wed, 3 Oct 2018 18:46:00 +0000 Subject: [Bro] Broctl segmentation fault Message-ID: Hello, After any build of Bro with Broctl 1.7, I'm experiencing the below error when broctl/scripts/check-config is run... /opt/bro/share/broctl/scripts/check-config: line 50: 4463 Segmentation fault "${bro}" $check_option "$@" Anyone encountered this before? Cannot bypass doing broctl check - broctl start results in failed/crashed processes. This is on RHEL7.5, after building Bro-2.5.5 (I've tried other minor versions since 2.5 - same issue). Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 works fine. Any help would be greatly appreciated. V/R Sean Hutchison -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181003/fdb33a3d/attachment.html From jazoff at illinois.edu Wed Oct 3 12:00:40 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Wed, 3 Oct 2018 19:00:40 +0000 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: Message-ID: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> > On Oct 3, 2018, at 2:46 PM, Sean Hutchison wrote: > > Hello, > > After any build of Bro with Broctl 1.7, I?m experiencing the below error when broctl/scripts/check-config is run? > > /opt/bro/share/broctl/scripts/check-config: line 50: 4463 Segmentation fault "${bro}" $check_option "$@" > > Anyone encountered this before? Cannot bypass doing broctl check ? broctl start results in failed/crashed processes. > > This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor versions since 2.5 ? same issue). > > Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 works fine. > > Any help would be greatly appreciated. > check runs bro with the current configuration to see if it can start, so that's bro segfaulting there.. that's why start also fails.. What do you get if you try each of the following? bro -v bro -NN # just see if this runs or crashes bro -b -i lo bro -i lo bro -i lo local You can hit control-c if any of those start successfully to get your prompt back. I'm not aware of any issues like this, so it could be something with your configuration. Do you have a customized local.bro at all? Are you building bro against a particular libpcap or malloc implementation? What does ldd /opt/bro/bin/bro output? ? Justin Azoff From maanamen at hotmail.com Thu Oct 4 03:06:22 2018 From: maanamen at hotmail.com (=?iso-8859-1?Q?MA=C1N_ABU_SHAQRA?=) Date: Thu, 4 Oct 2018 10:06:22 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? Message-ID: were facing this issue with bro whereby its duplicating entries see below: 1536746459.586520 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746460.343566 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746461.107930 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746466.418528 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746467.176333 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746467.940695 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746473.250630 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746474.010337 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746474.773560 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746452.751762 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F 1536746453.510702 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F 1536746454.275116 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F pf_ring / af packet didnt help. thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/2dab4128/attachment.html From michalpurzynski1 at gmail.com Thu Oct 4 03:20:40 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Thu, 4 Oct 2018 11:20:40 +0100 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References: Message-ID: These duplicated logs make it apparent that you?re having some packet capture problems. What?s your packet capture setup? Do you use a span port? Optical taps? Packet brokers? How do you run bro? > On Oct 4, 2018, at 11:06 AM, MA?N ABU SHAQRA wrote: > > were facing this issue with bro whereby its duplicating entries see below: > > 1536746459.586520 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39011 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746460.343566 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39011 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746461.107930 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39011 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746466.418528 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39013 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746467.176333 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39013 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746467.940695 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39013 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746473.250630 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39017 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746474.010337 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39017 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746474.773560 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39017 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746452.751762 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39009 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746453.510702 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39009 > - maanpc > 1 C_INTERNET > 32 NB > F > > 1536746454.275116 CbxxYF1uTyqC499HDe > 192.168.20.15 137 > 10.190.129.26 137 > udp 39009 > - maanpc > 1 C_INTERNET > 32 NB > F > > > pf_ring / af packet didnt help. > > thanks > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/d0df2851/attachment-0001.html From shutchison at cert.org Thu Oct 4 05:01:02 2018 From: shutchison at cert.org (Sean Hutchison) Date: Thu, 4 Oct 2018 12:01:02 +0000 Subject: [Bro] Broctl segmentation fault In-Reply-To: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> Message-ID: # bro -v bro version 2.5.5 # bro -NN Segmentation fault # bro -b -i lo listening on lo ^C1538653437.070325 received termination signal 1538653437.070325 208 packets received on interface lo, 0 dropped # bro -i lo Segmentation fault # bro -i lo local Segmentation fault # ldd /opt/bro/bin/bro linux-vdso.so.1 => (0x00007fff99dfd000) libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007f148dd9b000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f148cb42000) libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f148c423000) /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f148c215000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f148c011000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) No custom scripts being loaded via local.bro Nothing in particular - did yum install/update of RedHat-based dependencies according to https://www.bro.org/sphinx/install/install.html#required-dependencies Although I did build it against pfring first, using yum package from ntop repo - same issue, have since removed that and did regular build Only configure switch was --prefix. V/R Sean -----Original Message----- From: Azoff, Justin S [mailto:jazoff at illinois.edu] Sent: Wednesday, October 03, 2018 3:01 PM To: Sean Hutchison Cc: bro at bro.org Subject: Re: [Bro] Broctl segmentation fault > On Oct 3, 2018, at 2:46 PM, Sean Hutchison wrote: > > Hello, > > After any build of Bro with Broctl 1.7, I?m experiencing the below error when broctl/scripts/check-config is run? > > /opt/bro/share/broctl/scripts/check-config: line 50: 4463 Segmentation fault "${bro}" $check_option "$@" > > Anyone encountered this before? Cannot bypass doing broctl check ? broctl start results in failed/crashed processes. > > This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor versions since 2.5 ? same issue). > > Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 works fine. > > Any help would be greatly appreciated. > check runs bro with the current configuration to see if it can start, so that's bro segfaulting there.. that's why start also fails.. What do you get if you try each of the following? bro -v bro -NN # just see if this runs or crashes bro -b -i lo bro -i lo bro -i lo local You can hit control-c if any of those start successfully to get your prompt back. I'm not aware of any issues like this, so it could be something with your configuration. Do you have a customized local.bro at all? Are you building bro against a particular libpcap or malloc implementation? What does ldd /opt/bro/bin/bro output? ? Justin Azoff From fatema.bannatwala at gmail.com Thu Oct 4 05:57:14 2018 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Thu, 4 Oct 2018 08:57:14 -0400 Subject: [Bro] is there a bro script to ignore duplicated logs? Message-ID: How many workers do you have in your cluster? Many months ago, we had split-ed connections issue, where Seth provided a script to add the worker node to conn.log to see where exactly packets are being processed,i.e. which nodes. You can run this script and see if the duplicate connections are happening on which workers and go from there: $ cat add-node-to-conn.bro ##! Add the name of the current node to conn.log @load base/protocols/conn export { redef record Conn::Info += { ## The name of the node where this connection was analyzed. node: string &log &optional; }; } event connection_state_remove(c: connection) &priority=2 { c$conn$node = peer_description; } -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/e2dcd517/attachment.html From michalpurzynski1 at gmail.com Thu Oct 4 06:26:03 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Thu, 4 Oct 2018 14:26:03 +0100 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References: Message-ID: Most likely you have separate workers parsing the same traffic. Can you load the script fatema told you about and also a capture loss script and report results for the hour or so? If each worker sees the same duplicate traffic then the amount of packets processed will be very similar. > On Oct 4, 2018, at 1:57 PM, fatema bannatwala wrote: > > How many workers do you have in your cluster? > Many months ago, we had split-ed connections issue, where Seth provided a script to add the worker node to conn.log to see where exactly packets are being processed,i.e. which nodes. > > You can run this script and see if the duplicate connections are happening on which workers and go from there: > > $ cat add-node-to-conn.bro > ##! Add the name of the current node to conn.log > > @load base/protocols/conn > > export { > redef record Conn::Info += { > ## The name of the node where this connection was analyzed. > node: string &log &optional; > }; > } > > event connection_state_remove(c: connection) &priority=2 > { > c$conn$node = peer_description; > } > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/5e1d422d/attachment.html From jan.grashoefer at gmail.com Thu Oct 4 06:33:00 2018 From: jan.grashoefer at gmail.com (=?UTF-8?Q?Jan_Grash=c3=b6fer?=) Date: Thu, 4 Oct 2018 15:33:00 +0200 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References: Message-ID: On 04/10/2018 14:57, fatema bannatwala wrote: > You can run this script and see if the duplicate connections are happening > on which workers and go from there: This can be further automated by using Justins bro-doctor script available as a package: https://github.com/ncsa/bro-doctor Jan From ericooi at gmail.com Thu Oct 4 06:42:12 2018 From: ericooi at gmail.com (Eric Ooi) Date: Thu, 4 Oct 2018 09:42:12 -0400 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References:

Message-ID: We had a similar issue and it turned out that the SPAN the network engineer configured was capturing a trunk such that any inter-VLAN traffic was being analyzed multiple times. On Thu, Oct 4, 2018 at 9:37 AM Micha? Purzy?ski wrote: > Most likely you have separate workers parsing the same traffic. > > Can you load the script fatema told you about and also a capture loss > script and report results for the hour or so? > > If each worker sees the same duplicate traffic then the amount of packets > processed will be very similar. > > On Oct 4, 2018, at 1:57 PM, fatema bannatwala > wrote: > > How many workers do you have in your cluster? > Many months ago, we had split-ed connections issue, where Seth provided a > script to add the worker node to conn.log to see where exactly packets are > being processed,i.e. which nodes. > > You can run this script and see if the duplicate connections are happening > on which workers and go from there: > > $ cat add-node-to-conn.bro > ##! Add the name of the current node to conn.log > > @load base/protocols/conn > > export { > redef record Conn::Info += { > ## The name of the node where this connection was analyzed. > node: string &log &optional; > }; > } > > event connection_state_remove(c: connection) &priority=2 > { > c$conn$node = peer_description; > } > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/50a6a7ba/attachment-0001.html From jazoff at illinois.edu Thu Oct 4 07:21:55 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Thu, 4 Oct 2018 14:21:55 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References:

Message-ID: <7977D733-513C-450C-B79B-ACF9D8C33E3C@illinois.edu> > On Oct 4, 2018, at 9:42 AM, Eric Ooi wrote: > > We had a similar issue and it turned out that the SPAN the network engineer configured was capturing a trunk such that any inter-VLAN traffic was being analyzed multiple times. Yeah, if the traffic was duplicated 2 (maybe 3) times this could be the problem. In this case it's duplicated 12 times which almost definitely points to an lb_procs=12 in node.cfg and load balancing not working properly. ? Justin Azoff From craig.edgmand at okstate.edu Thu Oct 4 08:35:56 2018 From: craig.edgmand at okstate.edu (Edgmand, Craig) Date: Thu, 4 Oct 2018 15:35:56 +0000 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com>

Message-ID: With today?s scandal Super Micro might not be around/available for much longer. https://www.cnbc.com/2018/10/04/super-micro-shares-plummet-amid-china-tech-spying-scandal.html From: bro-bounces at bro.org On Behalf Of Michal Purzynski Sent: Monday, October 1, 2018 12:28 PM To: Alex Waher Cc: bro at bro.org List Subject: Re: [Bro] OT: SuperMicro hardware recommendations One other non-HP brand I?ve always been recommending is Fujitsu. People are always surprised that ?Fujitsu makes servers?? but my experience has always been great with both the hardware side and the support. They were cheaper than HP, last time I was buying them. On Oct 1, 2018, at 3:26 PM, Alex Waher > wrote: Can also checkout the offerings from the OpenCompute project; https://www.opencompute.org/products Can even stick with HP if you like, their 'Cloudline' gear supports (some aspects) of OCP. On Mon, Oct 1, 2018 at 3:19 PM Carlos Lopez > wrote: Thanks Michal. I didn't know that bad support from SuperMicro. Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable for IDS deployment? -- Regards, C. L. Martinez ?On 01/10/2018, 12:47, "Micha? Purzy?ski" > wrote: I?d recommended everything but super micro. A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. Example: they wanted me to send all dead hard drives back before they can send me a replacement. And that would take days or a week or two weeks. Raid battery problems? SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. Mechanically, chassis are a joke, too. OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. > On Oct 1, 2018, at 10:47 AM, Carlos Lopez > wrote: > > Hi all, > > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? > -- > Regards, > C. L. Martinez > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/773c8c8e/attachment.html From johanna at icir.org Thu Oct 4 08:36:20 2018 From: johanna at icir.org (Johanna Amann) Date: Thu, 04 Oct 2018 08:36:20 -0700 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> Message-ID: <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org> Hi, Is there a change that you have binary plugins installed (netmap plugin, a few bro-pkg ones)? They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead). If that is the case - either recompiling or removing the binary plugins will fix this. Johanna On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > # bro -v > bro version 2.5.5 > > # bro -NN > Segmentation fault > > # bro -b -i lo > listening on lo > > ^C1538653437.070325 received termination signal > 1538653437.070325 208 packets received on interface lo, 0 dropped > > # bro -i lo > Segmentation fault > > # bro -i lo local > Segmentation fault > > # ldd /opt/bro/bin/bro > linux-vdso.so.1 => (0x00007fff99dfd000) > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > (0x00007f148dd9b000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > (0x00007f148cb42000) > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > (0x00007f148c423000) > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > (0x00007f148c215000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > (0x00007f148c011000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > No custom scripts being loaded via local.bro > Nothing in particular - did yum install/update of RedHat-based > dependencies according to > https://www.bro.org/sphinx/install/install.html#required-dependencies > Although I did build it against pfring first, using yum package from > ntop repo - same issue, have since removed that and did regular build > > Only configure switch was --prefix. > > V/R > Sean > > -----Original Message----- > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > Sent: Wednesday, October 03, 2018 3:01 PM > To: Sean Hutchison > Cc: bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison >> wrote: >> >> Hello, >> >> After any build of Bro with Broctl 1.7, I?m experiencing the below >> error when broctl/scripts/check-config is run? >> >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 >> Segmentation fault "${bro}" $check_option "$@" >> >> Anyone encountered this before? Cannot bypass doing broctl check ? >> broctl start results in failed/crashed processes. >> >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other >> minor versions since 2.5 ? same issue). >> >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 >> works fine. >> >> Any help would be greatly appreciated. >> > > check runs bro with the current configuration to see if it can start, > so that's bro segfaulting there.. that's why start also fails.. > > What do you get if you try each of the following? > > bro -v > bro -NN # just see if this runs or crashes > bro -b -i lo > bro -i lo > bro -i lo local > > You can hit control-c if any of those start successfully to get your > prompt back. > > I'm not aware of any issues like this, so it could be something with > your configuration. > > Do you have a customized local.bro at all? > Are you building bro against a particular libpcap or malloc > implementation? > What does ldd /opt/bro/bin/bro output? > > ? > Justin Azoff > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From perry at degy.com Thu Oct 4 09:02:27 2018 From: perry at degy.com (Perry Lucas) Date: Thu, 4 Oct 2018 16:02:27 +0000 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com>

Message-ID: I wouldn?t be surprised if other supply chains have been compromised as well. This is likely just the first. From: bro-bounces at bro.org On Behalf Of Edgmand, Craig Sent: Thursday, October 4, 2018 11:36 AM To: Micha? Purzy?ski ; Alex Waher Cc: bro at bro.org List Subject: Re: [Bro] OT: SuperMicro hardware recommendations With today?s scandal Super Micro might not be around/available for much longer. https://www.cnbc.com/2018/10/04/super-micro-shares-plummet-amid-china-tech-spying-scandal.html From: bro-bounces at bro.org

> On Behalf Of Michal Purzynski Sent: Monday, October 1, 2018 12:28 PM To: Alex Waher > Cc: bro at bro.org List > Subject: Re: [Bro] OT: SuperMicro hardware recommendations One other non-HP brand I?ve always been recommending is Fujitsu. People are always surprised that ?Fujitsu makes servers?? but my experience has always been great with both the hardware side and the support. They were cheaper than HP, last time I was buying them. On Oct 1, 2018, at 3:26 PM, Alex Waher > wrote: Can also checkout the offerings from the OpenCompute project; https://www.opencompute.org/products Can even stick with HP if you like, their 'Cloudline' gear supports (some aspects) of OCP. On Mon, Oct 1, 2018 at 3:19 PM Carlos Lopez > wrote: Thanks Michal. I didn't know that bad support from SuperMicro. Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable for IDS deployment? -- Regards, C. L. Martinez ?On 01/10/2018, 12:47, "Micha? Purzy?ski" > wrote: I?d recommended everything but super micro. A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. Example: they wanted me to send all dead hard drives back before they can send me a replacement. And that would take days or a week or two weeks. Raid battery problems? SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. Mechanically, chassis are a joke, too. OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. > On Oct 1, 2018, at 10:47 AM, Carlos Lopez > wrote: > > Hi all, > > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? > -- > Regards, > C. L. Martinez > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/1a7ab72e/attachment.html From michalpurzynski1 at gmail.com Thu Oct 4 09:15:00 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Thu, 4 Oct 2018 17:15:00 +0100 Subject: [Bro] OT: SuperMicro hardware recommendations In-Reply-To: References: <94D13236-BB53-4807-93D0-F4A1BF0B369F@outlook.com> <151C7D23-39E9-4170-8954-CDFF566E4ED7@gmail.com>

Message-ID: <985DB870-0B14-4A41-AFD0-4A0F99CD939A@gmail.com> Didn?t Apple remove super micro back in 2016? Aren?t aws servers custom anyway? So yeah, poor Palo Alto ;) With those allegations true or not, if supermicro goes out of business there?s no support anymore. > On Oct 4, 2018, at 5:02 PM, Perry Lucas wrote: > > I wouldn?t be surprised if other supply chains have been compromised as well. This is likely just the first. > > From: bro-bounces at bro.org On Behalf Of Edgmand, Craig > Sent: Thursday, October 4, 2018 11:36 AM > To: Micha? Purzy?ski ; Alex Waher > Cc: bro at bro.org List > Subject: Re: [Bro] OT: SuperMicro hardware recommendations > > With today?s scandal Super Micro might not be around/available for much longer. > > https://www.cnbc.com/2018/10/04/super-micro-shares-plummet-amid-china-tech-spying-scandal.html > > From: bro-bounces at bro.org On Behalf Of Michal Purzynski > Sent: Monday, October 1, 2018 12:28 PM > To: Alex Waher > Cc: bro at bro.org List > Subject: Re: [Bro] OT: SuperMicro hardware recommendations > > One other non-HP brand I?ve always been recommending is Fujitsu. > People are always surprised that ?Fujitsu makes servers?? but my experience has always been great with both the hardware side and the support. > > They were cheaper than HP, last time I was buying them. > > > On Oct 1, 2018, at 3:26 PM, Alex Waher wrote: > > Can also checkout the offerings from the OpenCompute project; https://www.opencompute.org/products > Can even stick with HP if you like, their 'Cloudline' gear supports (some aspects) of OCP. > > On Mon, Oct 1, 2018 at 3:19 PM Carlos Lopez wrote: > Thanks Michal. I didn't know that bad support from SuperMicro. > Then I will continue with HP. Do you think the HP DL360 Gen10 are suitable for IDS deployment? > > -- > Regards, > C. L. Martinez > > ?On 01/10/2018, 12:47, "Micha? Purzy?ski" wrote: > > I?d recommended everything but super micro. > > A box of matches to shine the light on the dark corners of your network will behave better than anything built on super micro. > > HP and other vendors may seem more expensive to buy, but the low quality of super micro servers, apparent lack of support, arbitrary cut support ?we do not support this anymore? and ridiculous replacement policy makes it a non-starter for me. > > Example: they wanted me to send all dead hard drives back before they can send me a replacement. > And that would take days or a week or two weeks. > > Raid battery problems? > > SM requires you to send entire server back and in a short 6 weeks - 3 months you will see it back. Maybe. > > Mechanically, chassis are a joke, too. > > OOB? No OOB hardware monitoring. And Java 1.6 required. If you have to use any kind of proxies, socks, tunneling - forget. > > > > On Oct 1, 2018, at 10:47 AM, Carlos Lopez wrote: > > > > Hi all, > > > > In the following days, we will setup a Bro-IDS distributed architecture using 10 sensors and one manager. Network bandwidth will be between 2GiB-4GiB. Until now we used HP servers, but we are looking at SuperMicro servers as well. Can anyone recommend series or model? > > -- > > Regards, > > C. L. Martinez > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/55b23af7/attachment-0001.html From shutchison at cert.org Thu Oct 4 10:14:09 2018 From: shutchison at cert.org (Sean Hutchison) Date: Thu, 4 Oct 2018 17:14:09 +0000 Subject: [Bro] Broctl segmentation fault In-Reply-To: <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org> References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org> Message-ID: Yes, and I just removed the Bro Kafka plugin and no more error! Thank you so much. V/R Sean -----Original Message----- From: Johanna Amann [mailto:johanna at icir.org] Sent: Thursday, October 04, 2018 11:36 AM To: Sean Hutchison Cc: Azoff, Justin S ; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault Hi, Is there a change that you have binary plugins installed (netmap plugin, a few bro-pkg ones)? They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead). If that is the case - either recompiling or removing the binary plugins will fix this. Johanna On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > # bro -v > bro version 2.5.5 > > # bro -NN > Segmentation fault > > # bro -b -i lo > listening on lo > > ^C1538653437.070325 received termination signal > 1538653437.070325 208 packets received on interface lo, 0 dropped > > # bro -i lo > Segmentation fault > > # bro -i lo local > Segmentation fault > > # ldd /opt/bro/bin/bro > linux-vdso.so.1 => (0x00007fff99dfd000) > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > (0x00007f148dd9b000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > (0x00007f148cb42000) > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > (0x00007f148c423000) > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > (0x00007f148c215000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > (0x00007f148c011000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > No custom scripts being loaded via local.bro Nothing in particular - > did yum install/update of RedHat-based dependencies according to > https://www.bro.org/sphinx/install/install.html#required-dependencies > Although I did build it against pfring first, using yum package from > ntop repo - same issue, have since removed that and did regular build > > Only configure switch was --prefix. > > V/R > Sean > > -----Original Message----- > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > Sent: Wednesday, October 03, 2018 3:01 PM > To: Sean Hutchison > Cc: bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison >> wrote: >> >> Hello, >> >> After any build of Bro with Broctl 1.7, I?m experiencing the below >> error when broctl/scripts/check-config is run? >> >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 >> Segmentation fault "${bro}" $check_option "$@" >> >> Anyone encountered this before? Cannot bypass doing broctl check ? >> broctl start results in failed/crashed processes. >> >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor >> versions since 2.5 ? same issue). >> >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 >> works fine. >> >> Any help would be greatly appreciated. >> > > check runs bro with the current configuration to see if it can start, > so that's bro segfaulting there.. that's why start also fails.. > > What do you get if you try each of the following? > > bro -v > bro -NN # just see if this runs or crashes > bro -b -i lo > bro -i lo > bro -i lo local > > You can hit control-c if any of those start successfully to get your > prompt back. > > I'm not aware of any issues like this, so it could be something with > your configuration. > > Do you have a customized local.bro at all? > Are you building bro against a particular libpcap or malloc > implementation? > What does ldd /opt/bro/bin/bro output? > > ? > Justin Azoff > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From zeolla at gmail.com Thu Oct 4 14:06:06 2018 From: zeolla at gmail.com (Zeolla@GMail.com) Date: Thu, 4 Oct 2018 17:06:06 -0400 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org> Message-ID: If you don't mind, can you share the steps you took to build and install the plug-in? What version? Jon On Thu, Oct 4, 2018, 13:23 Sean Hutchison wrote: > Yes, and I just removed the Bro Kafka plugin and no more error! > > Thank you so much. > > V/R > Sean > > -----Original Message----- > From: Johanna Amann [mailto:johanna at icir.org] > Sent: Thursday, October 04, 2018 11:36 AM > To: Sean Hutchison > Cc: Azoff, Justin S ; bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > Hi, > > Is there a change that you have binary plugins installed (netmap plugin, a > few bro-pkg ones)? > > They can cause crashes exactly like this. This behavior is fixed with Bro > 2.6 (it will output an error message instead). > > If that is the case - either recompiling or removing the binary plugins > will fix this. > > Johanna > > On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > > > # bro -v > > bro version 2.5.5 > > > > # bro -NN > > Segmentation fault > > > > # bro -b -i lo > > listening on lo > > > > ^C1538653437.070325 received termination signal > > 1538653437.070325 208 packets received on interface lo, 0 dropped > > > > # bro -i lo > > Segmentation fault > > > > # bro -i lo local > > Segmentation fault > > > > # ldd /opt/bro/bin/bro > > linux-vdso.so.1 => (0x00007fff99dfd000) > > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > > (0x00007f148dd9b000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > > (0x00007f148cb42000) > > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > > (0x00007f148c423000) > > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > > (0x00007f148c215000) > > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > > (0x00007f148c011000) > > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > > > No custom scripts being loaded via local.bro Nothing in particular - > > did yum install/update of RedHat-based dependencies according to > > https://www.bro.org/sphinx/install/install.html#required-dependencies > > Although I did build it against pfring first, using yum package from > > ntop repo - same issue, have since removed that and did regular build > > > > Only configure switch was --prefix. > > > > V/R > > Sean > > > > -----Original Message----- > > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > > Sent: Wednesday, October 03, 2018 3:01 PM > > To: Sean Hutchison > > Cc: bro at bro.org > > Subject: Re: [Bro] Broctl segmentation fault > > > > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison > >> wrote: > >> > >> Hello, > >> > >> After any build of Bro with Broctl 1.7, I?m experiencing the below > >> error when broctl/scripts/check-config is run? > >> > >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 > >> Segmentation fault "${bro}" $check_option "$@" > >> > >> Anyone encountered this before? Cannot bypass doing broctl check ? > >> broctl start results in failed/crashed processes. > >> > >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor > >> versions since 2.5 ? same issue). > >> > >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 > >> works fine. > >> > >> Any help would be greatly appreciated. > >> > > > > check runs bro with the current configuration to see if it can start, > > so that's bro segfaulting there.. that's why start also fails.. > > > > What do you get if you try each of the following? > > > > bro -v > > bro -NN # just see if this runs or crashes > > bro -b -i lo > > bro -i lo > > bro -i lo local > > > > You can hit control-c if any of those start successfully to get your > > prompt back. > > > > I'm not aware of any issues like this, so it could be something with > > your configuration. > > > > Do you have a customized local.bro at all? > > Are you building bro against a particular libpcap or malloc > > implementation? > > What does ldd /opt/bro/bin/bro output? > > > > ? > > Justin Azoff > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181004/6f3ab12b/attachment.html From klehigh at iu.edu Fri Oct 5 03:52:44 2018 From: klehigh at iu.edu (Keith Lehigh) Date: Fri, 05 Oct 2018 06:52:44 -0400 Subject: [Bro] BroCon 2018 Lightning talks Message-ID: <64508E55-0AEB-4A02-81CC-4E11DA36602C@iu.edu> Hi Folks, We would like to have lightning talks again this year. If we have more interest than we have slots available, we?ll review them via the review committee. Google form link : https://goo.gl/forms/qJsc9fG24smSyLUQ2 We ask for your name, email address, organization, talk title and a short description of your talk. Lightning talk abstract: Have you contributed a package to the new Bro Package Manager? Or do you have something interesting to share related to Bro that doesn?t fit into a traditional presentation? Great! We?d love to hear from you. We have scheduled a 45-minute session for lightning talks. Be prepared to quickly identify your point, demonstrate it, and provide a link or contact info for later follow-up. We?d like to accommodate as many talks as possible so please limit your talk to less than 5 minutes. No commercially incentivized presentations, please. - Keith -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3740 bytes Desc: S/MIME digital signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181005/7ada2bdf/attachment.bin From shutchison at cert.org Fri Oct 5 04:55:30 2018 From: shutchison at cert.org (Sean Hutchison) Date: Fri, 5 Oct 2018 11:55:30 +0000 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org>

Message-ID: Ya, first install librdkafka (there?s probably a newer version ? make sure it supports your Kafka broker version) ? curl --silent -L -k https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz cd librdkafka-0.9.5 ./configure make make install Then get bro-plugins repo and build kafka plugin against version of Bro you?re using by pointing it to where you extracted bro source? git clone https://github.com/bro/bro-plugins.git cd bro-plugins/kafka/ ./configure --bro-dist=/path/to/bro-2.#.# make && make install Confirm with? bro -N Bro::Kafka See https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html for example configurations. V/R Sean From: Zeolla at GMail.com [mailto:zeolla at gmail.com] Sent: Thursday, October 04, 2018 5:06 PM To: Sean Hutchison Cc: Johanna Amann ; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault If you don't mind, can you share the steps you took to build and install the plug-in? What version? Jon On Thu, Oct 4, 2018, 13:23 Sean Hutchison > wrote: Yes, and I just removed the Bro Kafka plugin and no more error! Thank you so much. V/R Sean -----Original Message----- From: Johanna Amann [mailto:johanna at icir.org] Sent: Thursday, October 04, 2018 11:36 AM To: Sean Hutchison > Cc: Azoff, Justin S >; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault Hi, Is there a change that you have binary plugins installed (netmap plugin, a few bro-pkg ones)? They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead). If that is the case - either recompiling or removing the binary plugins will fix this. Johanna On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > # bro -v > bro version 2.5.5 > > # bro -NN > Segmentation fault > > # bro -b -i lo > listening on lo > > ^C1538653437.070325 received termination signal > 1538653437.070325 208 packets received on interface lo, 0 dropped > > # bro -i lo > Segmentation fault > > # bro -i lo local > Segmentation fault > > # ldd /opt/bro/bin/bro > linux-vdso.so.1 => (0x00007fff99dfd000) > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > (0x00007f148dd9b000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > (0x00007f148cb42000) > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > (0x00007f148c423000) > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > (0x00007f148c215000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > (0x00007f148c011000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > No custom scripts being loaded via local.bro Nothing in particular - > did yum install/update of RedHat-based dependencies according to > https://www.bro.org/sphinx/install/install.html#required-dependencies > Although I did build it against pfring first, using yum package from > ntop repo - same issue, have since removed that and did regular build > > Only configure switch was --prefix. > > V/R > Sean > > -----Original Message----- > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > Sent: Wednesday, October 03, 2018 3:01 PM > To: Sean Hutchison > > Cc: bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison > >> wrote: >> >> Hello, >> >> After any build of Bro with Broctl 1.7, I?m experiencing the below >> error when broctl/scripts/check-config is run? >> >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 >> Segmentation fault "${bro}" $check_option "$@" >> >> Anyone encountered this before? Cannot bypass doing broctl check ? >> broctl start results in failed/crashed processes. >> >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor >> versions since 2.5 ? same issue). >> >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 >> works fine. >> >> Any help would be greatly appreciated. >> > > check runs bro with the current configuration to see if it can start, > so that's bro segfaulting there.. that's why start also fails.. > > What do you get if you try each of the following? > > bro -v > bro -NN # just see if this runs or crashes > bro -b -i lo > bro -i lo > bro -i lo local > > You can hit control-c if any of those start successfully to get your > prompt back. > > I'm not aware of any issues like this, so it could be something with > your configuration. > > Do you have a customized local.bro at all? > Are you building bro against a particular libpcap or malloc > implementation? > What does ldd /opt/bro/bin/bro output? > > ? > Justin Azoff > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181005/8b314469/attachment-0001.html From zeolla at gmail.com Fri Oct 5 09:36:00 2018 From: zeolla at gmail.com (Zeolla@GMail.com) Date: Fri, 5 Oct 2018 12:36:00 -0400 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org>

Message-ID: Sounds like you are looking at a very old version of the plugin, since bro/bro-plugins has been completely deprecated at this point. Can you use bro-pkg to install apache/metron-bro-plugin-kafka? It should be a bit more robust and up to date. Let me know if you have any issues when taking this approach. Jon On Fri, Oct 5, 2018, 07:55 Sean Hutchison wrote: > Ya, first install librdkafka (there?s probably a newer version ? make sure > it supports your Kafka broker version) ? > > curl --silent -L -k > https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz > > cd librdkafka-0.9.5 > > ./configure > > make > > make install > > > > Then get bro-plugins repo and build kafka plugin against version of Bro > you?re using by pointing it to where you extracted bro source? > > git clone https://github.com/bro/bro-plugins.git > > cd bro-plugins/kafka/ > > ./configure --bro-dist=/path/to/bro-2.#.# > > make && make install > > > > Confirm with? > > bro -N Bro::Kafka > > > > See > https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html > for example configurations. > > > > V/R > > Sean > > > > *From:* Zeolla at GMail.com [mailto:zeolla at gmail.com] > *Sent:* Thursday, October 04, 2018 5:06 PM > *To:* Sean Hutchison > *Cc:* Johanna Amann ; bro at bro.org > > > *Subject:* Re: [Bro] Broctl segmentation fault > > > > If you don't mind, can you share the steps you took to build and install > the plug-in? What version? > > > > Jon > > On Thu, Oct 4, 2018, 13:23 Sean Hutchison wrote: > > Yes, and I just removed the Bro Kafka plugin and no more error! > > Thank you so much. > > V/R > Sean > > -----Original Message----- > From: Johanna Amann [mailto:johanna at icir.org] > Sent: Thursday, October 04, 2018 11:36 AM > To: Sean Hutchison > Cc: Azoff, Justin S ; bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > Hi, > > Is there a change that you have binary plugins installed (netmap plugin, a > few bro-pkg ones)? > > They can cause crashes exactly like this. This behavior is fixed with Bro > 2.6 (it will output an error message instead). > > If that is the case - either recompiling or removing the binary plugins > will fix this. > > Johanna > > On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > > > # bro -v > > bro version 2.5.5 > > > > # bro -NN > > Segmentation fault > > > > # bro -b -i lo > > listening on lo > > > > ^C1538653437.070325 received termination signal > > 1538653437.070325 208 packets received on interface lo, 0 dropped > > > > # bro -i lo > > Segmentation fault > > > > # bro -i lo local > > Segmentation fault > > > > # ldd /opt/bro/bin/bro > > linux-vdso.so.1 => (0x00007fff99dfd000) > > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > > (0x00007f148dd9b000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > > (0x00007f148cb42000) > > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > > (0x00007f148c423000) > > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > > (0x00007f148c215000) > > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > > (0x00007f148c011000) > > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > > > No custom scripts being loaded via local.bro Nothing in particular - > > did yum install/update of RedHat-based dependencies according to > > https://www.bro.org/sphinx/install/install.html#required-dependencies > > Although I did build it against pfring first, using yum package from > > ntop repo - same issue, have since removed that and did regular build > > > > Only configure switch was --prefix. > > > > V/R > > Sean > > > > -----Original Message----- > > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > > Sent: Wednesday, October 03, 2018 3:01 PM > > To: Sean Hutchison > > Cc: bro at bro.org > > Subject: Re: [Bro] Broctl segmentation fault > > > > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison > >> wrote: > >> > >> Hello, > >> > >> After any build of Bro with Broctl 1.7, I?m experiencing the below > >> error when broctl/scripts/check-config is run? > >> > >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 > >> Segmentation fault "${bro}" $check_option "$@" > >> > >> Anyone encountered this before? Cannot bypass doing broctl check ? > >> broctl start results in failed/crashed processes. > >> > >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor > >> versions since 2.5 ? same issue). > >> > >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 > >> works fine. > >> > >> Any help would be greatly appreciated. > >> > > > > check runs bro with the current configuration to see if it can start, > > so that's bro segfaulting there.. that's why start also fails.. > > > > What do you get if you try each of the following? > > > > bro -v > > bro -NN # just see if this runs or crashes > > bro -b -i lo > > bro -i lo > > bro -i lo local > > > > You can hit control-c if any of those start successfully to get your > > prompt back. > > > > I'm not aware of any issues like this, so it could be something with > > your configuration. > > > > Do you have a customized local.bro at all? > > Are you building bro against a particular libpcap or malloc > > implementation? > > What does ldd /opt/bro/bin/bro output? > > > > ? > > Justin Azoff > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- > > Jon > -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181005/922835d5/attachment.html From shutchison at cert.org Fri Oct 5 10:19:14 2018 From: shutchison at cert.org (Sean Hutchison) Date: Fri, 5 Oct 2018 17:19:14 +0000 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org>

Message-ID: Well, we don?t really have a need to use the bro kafka plugin currently ? it was just for a bit of testing previously ? but I can use bro-pkg in the future or for other plugins/scripts. V/R Sean From: Zeolla at GMail.com [mailto:zeolla at gmail.com] Sent: Friday, October 05, 2018 12:36 PM To: Sean Hutchison Cc: Johanna Amann ; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault Sounds like you are looking at a very old version of the plugin, since bro/bro-plugins has been completely deprecated at this point. Can you use bro-pkg to install apache/metron-bro-plugin-kafka? It should be a bit more robust and up to date. Let me know if you have any issues when taking this approach. Jon On Fri, Oct 5, 2018, 07:55 Sean Hutchison > wrote: Ya, first install librdkafka (there?s probably a newer version ? make sure it supports your Kafka broker version) ? curl --silent -L -k https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz cd librdkafka-0.9.5 ./configure make make install Then get bro-plugins repo and build kafka plugin against version of Bro you?re using by pointing it to where you extracted bro source? git clone https://github.com/bro/bro-plugins.git cd bro-plugins/kafka/ ./configure --bro-dist=/path/to/bro-2.#.# make && make install Confirm with? bro -N Bro::Kafka See https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html for example configurations. V/R Sean From: Zeolla at GMail.com [mailto:zeolla at gmail.com] Sent: Thursday, October 04, 2018 5:06 PM To: Sean Hutchison > Cc: Johanna Amann >; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault If you don't mind, can you share the steps you took to build and install the plug-in? What version? Jon On Thu, Oct 4, 2018, 13:23 Sean Hutchison > wrote: Yes, and I just removed the Bro Kafka plugin and no more error! Thank you so much. V/R Sean -----Original Message----- From: Johanna Amann [mailto:johanna at icir.org] Sent: Thursday, October 04, 2018 11:36 AM To: Sean Hutchison > Cc: Azoff, Justin S >; bro at bro.org Subject: Re: [Bro] Broctl segmentation fault Hi, Is there a change that you have binary plugins installed (netmap plugin, a few bro-pkg ones)? They can cause crashes exactly like this. This behavior is fixed with Bro 2.6 (it will output an error message instead). If that is the case - either recompiling or removing the binary plugins will fix this. Johanna On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > # bro -v > bro version 2.5.5 > > # bro -NN > Segmentation fault > > # bro -b -i lo > listening on lo > > ^C1538653437.070325 received termination signal > 1538653437.070325 208 packets received on interface lo, 0 dropped > > # bro -i lo > Segmentation fault > > # bro -i lo local > Segmentation fault > > # ldd /opt/bro/bin/bro > linux-vdso.so.1 => (0x00007fff99dfd000) > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > (0x00007f148dd9b000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > (0x00007f148cb42000) > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > (0x00007f148c423000) > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > (0x00007f148c215000) > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > (0x00007f148c011000) > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > No custom scripts being loaded via local.bro Nothing in particular - > did yum install/update of RedHat-based dependencies according to > https://www.bro.org/sphinx/install/install.html#required-dependencies > Although I did build it against pfring first, using yum package from > ntop repo - same issue, have since removed that and did regular build > > Only configure switch was --prefix. > > V/R > Sean > > -----Original Message----- > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > Sent: Wednesday, October 03, 2018 3:01 PM > To: Sean Hutchison > > Cc: bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison > >> wrote: >> >> Hello, >> >> After any build of Bro with Broctl 1.7, I?m experiencing the below >> error when broctl/scripts/check-config is run? >> >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 >> Segmentation fault "${bro}" $check_option "$@" >> >> Anyone encountered this before? Cannot bypass doing broctl check ? >> broctl start results in failed/crashed processes. >> >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor >> versions since 2.5 ? same issue). >> >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 >> works fine. >> >> Any help would be greatly appreciated. >> > > check runs bro with the current configuration to see if it can start, > so that's bro segfaulting there.. that's why start also fails.. > > What do you get if you try each of the following? > > bro -v > bro -NN # just see if this runs or crashes > bro -b -i lo > bro -i lo > bro -i lo local > > You can hit control-c if any of those start successfully to get your > prompt back. > > I'm not aware of any issues like this, so it could be something with > your configuration. > > Do you have a customized local.bro at all? > Are you building bro against a particular libpcap or malloc > implementation? > What does ldd /opt/bro/bin/bro output? > > ? > Justin Azoff > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Jon -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181005/10e9bc76/attachment-0001.html From zeolla at gmail.com Fri Oct 5 11:58:30 2018 From: zeolla at gmail.com (Zeolla@GMail.com) Date: Fri, 5 Oct 2018 14:58:30 -0400 Subject: [Bro] Broctl segmentation fault In-Reply-To: References: <83656C44-986A-49F5-BC68-0DABBC006A29@illinois.edu> <1A3F6849-ED1D-4363-9B54-B7F5D3294275@icir.org>

Message-ID: Gotcha, yeah please do as that is the most updated code and includes some baseline btests (with more coming in the near future). Feel free to reach out to me via the list if you have any questions/concerns/issues on it - thanks! Jon On Fri, Oct 5, 2018 at 1:19 PM Sean Hutchison wrote: > Well, we don?t really have a need to use the bro kafka plugin currently ? > it was just for a bit of testing previously ? but I can use bro-pkg in the > future or for other plugins/scripts. > > > > V/R > > Sean > > > > *From:* Zeolla at GMail.com [mailto:zeolla at gmail.com] > *Sent:* Friday, October 05, 2018 12:36 PM > > > *To:* Sean Hutchison > *Cc:* Johanna Amann ; bro at bro.org > *Subject:* Re: [Bro] Broctl segmentation fault > > > > Sounds like you are looking at a very old version of the plugin, since > bro/bro-plugins has been completely deprecated at this point. Can you use > bro-pkg to install apache/metron-bro-plugin-kafka? It should be a bit more > robust and up to date. Let me know if you have any issues when taking this > approach. > > > > Jon > > On Fri, Oct 5, 2018, 07:55 Sean Hutchison wrote: > > Ya, first install librdkafka (there?s probably a newer version ? make sure > it supports your Kafka broker version) ? > > curl --silent -L -k > https://github.com/edenhill/librdkafka/archive/v0.9.5.tar.gz | tar xz > > cd librdkafka-0.9.5 > > ./configure > > make > > make install > > > > Then get bro-plugins repo and build kafka plugin against version of Bro > you?re using by pointing it to where you extracted bro source? > > git clone https://github.com/bro/bro-plugins.git > > cd bro-plugins/kafka/ > > ./configure --bro-dist=/path/to/bro-2.#.# > > make && make install > > > > Confirm with? > > bro -N Bro::Kafka > > > > See > https://archive.apache.org/dist/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html > for example configurations. > > > > V/R > > Sean > > > > *From:* Zeolla at GMail.com [mailto:zeolla at gmail.com] > *Sent:* Thursday, October 04, 2018 5:06 PM > *To:* Sean Hutchison > *Cc:* Johanna Amann ; bro at bro.org > > > *Subject:* Re: [Bro] Broctl segmentation fault > > > > If you don't mind, can you share the steps you took to build and install > the plug-in? What version? > > > > Jon > > On Thu, Oct 4, 2018, 13:23 Sean Hutchison wrote: > > Yes, and I just removed the Bro Kafka plugin and no more error! > > Thank you so much. > > V/R > Sean > > -----Original Message----- > From: Johanna Amann [mailto:johanna at icir.org] > Sent: Thursday, October 04, 2018 11:36 AM > To: Sean Hutchison > Cc: Azoff, Justin S ; bro at bro.org > Subject: Re: [Bro] Broctl segmentation fault > > Hi, > > Is there a change that you have binary plugins installed (netmap plugin, a > few bro-pkg ones)? > > They can cause crashes exactly like this. This behavior is fixed with Bro > 2.6 (it will output an error message instead). > > If that is the case - either recompiling or removing the binary plugins > will fix this. > > Johanna > > On 4 Oct 2018, at 5:01, Sean Hutchison wrote: > > > # bro -v > > bro version 2.5.5 > > > > # bro -NN > > Segmentation fault > > > > # bro -b -i lo > > listening on lo > > > > ^C1538653437.070325 received termination signal > > 1538653437.070325 208 packets received on interface lo, 0 dropped > > > > # bro -i lo > > Segmentation fault > > > > # bro -i lo local > > Segmentation fault > > > > # ldd /opt/bro/bin/bro > > linux-vdso.so.1 => (0x00007fff99dfd000) > > libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f148eec1000) > > libssl.so.10 => /lib64/libssl.so.10 (0x00007f148ec50000) > > libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f148e7ef000) > > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f148e5d6000) > > libz.so.1 => /lib64/libz.so.1 (0x00007f148e3c0000) > > libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007f148e190000) > > libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 > > (0x00007f148dd9b000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f148db7f000) > > libdl.so.2 => /lib64/libdl.so.2 (0x00007f148d97b000) > > libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f148d674000) > > libm.so.6 => /lib64/libm.so.6 (0x00007f148d372000) > > libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f148d15c000) > > libc.so.6 => /lib64/libc.so.6 (0x00007f148cd8f000) > > libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 > > (0x00007f148cb42000) > > libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f148c85a000) > > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f148c656000) > > libk5crypto.so.3 => /lib64/libk5crypto.so.3 > > (0x00007f148c423000) > > /lib64/ld-linux-x86-64.so.2 (0x00007f148f102000) > > libkrb5support.so.0 => /lib64/libkrb5support.so.0 > > (0x00007f148c215000) > > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > > (0x00007f148c011000) > > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f148bdea000) > > libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f148bb88000) > > > > No custom scripts being loaded via local.bro Nothing in particular - > > did yum install/update of RedHat-based dependencies according to > > https://www.bro.org/sphinx/install/install.html#required-dependencies > > Although I did build it against pfring first, using yum package from > > ntop repo - same issue, have since removed that and did regular build > > > > Only configure switch was --prefix. > > > > V/R > > Sean > > > > -----Original Message----- > > From: Azoff, Justin S [mailto:jazoff at illinois.edu] > > Sent: Wednesday, October 03, 2018 3:01 PM > > To: Sean Hutchison > > Cc: bro at bro.org > > Subject: Re: [Bro] Broctl segmentation fault > > > > > >> On Oct 3, 2018, at 2:46 PM, Sean Hutchison > >> wrote: > >> > >> Hello, > >> > >> After any build of Bro with Broctl 1.7, I?m experiencing the below > >> error when broctl/scripts/check-config is run? > >> > >> /opt/bro/share/broctl/scripts/check-config: line 50: 4463 > >> Segmentation fault "${bro}" $check_option "$@" > >> > >> Anyone encountered this before? Cannot bypass doing broctl check ? > >> broctl start results in failed/crashed processes. > >> > >> This is on RHEL7.5, after building Bro-2.5.5 (I?ve tried other minor > >> versions since 2.5 ? same issue). > >> > >> Existing Bro cluster on RHEL7.5 boxes with Bro-2.5 and Broctl 1.5 > >> works fine. > >> > >> Any help would be greatly appreciated. > >> > > > > check runs bro with the current configuration to see if it can start, > > so that's bro segfaulting there.. that's why start also fails.. > > > > What do you get if you try each of the following? > > > > bro -v > > bro -NN # just see if this runs or crashes > > bro -b -i lo > > bro -i lo > > bro -i lo local > > > > You can hit control-c if any of those start successfully to get your > > prompt back. > > > > I'm not aware of any issues like this, so it could be something with > > your configuration. > > > > Do you have a customized local.bro at all? > > Are you building bro against a particular libpcap or malloc > > implementation? > > What does ldd /opt/bro/bin/bro output? > > > > ? > > Justin Azoff > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- > > Jon > > -- > > Jon > -- Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181005/68ddcb2c/attachment.html From assaf.morami at gmail.com Mon Oct 8 08:15:10 2018 From: assaf.morami at gmail.com (Assaf) Date: Mon, 8 Oct 2018 18:15:10 +0300 Subject: [Bro] Monitor progress and ETA while running bro Message-ID: Hi, I just wanted to share how I monitor progress and ETA while running bro from a pcap file. If I have only one pcap I use pipe viewer (the pv command) like this: pv x.pcap | bro -r - If I have more than one pcap, e.g. from a big tcpdump run, I merge all of them on the fly using joincap ( https://github.com/assafmo/joincap ) like this: joincap *.pcap | pv -s $(du -bc *.pcap | awk '/total/{print $1}') | bro -r - This way pv print progress and ETA information while bro is running. :-) Shameless plug - I wrote joincap specifically for these kind of situations, because mergecap and tcpslice does not handle errors very well. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181008/b13ae9d7/attachment.html From sudesh.barwe at gmail.com Mon Oct 8 14:24:44 2018 From: sudesh.barwe at gmail.com (Sang Dange) Date: Mon, 8 Oct 2018 14:24:44 -0700 Subject: [Bro] Bro Digest, Vol 150, Issue 14 In-Reply-To: References: Message-ID: Hello all, Can anyone point me to any documentation on support of Industrial IOT protocols by Bro? Thanks, Sang On Mon, Oct 8, 2018 at 12:00 PM wrote: > Send Bro mailing list submissions to > bro at bro.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > or, via email, send a message with subject or body 'help' to > bro-request at bro.org > > You can reach the person managing the list at > bro-owner at bro.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Bro digest..." > > > Today's Topics: > > 1. Monitor progress and ETA while running bro (Assaf) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 8 Oct 2018 18:15:10 +0300 > From: Assaf > Subject: [Bro] Monitor progress and ETA while running bro > To: "bro at bro.org List" > Message-ID: > < > CADsFwicap2p7rV1+DAdRrHLL5hVwZOLzdDQkHcfzAvApp_7M6A at mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > Hi, I just wanted to share how I monitor progress and ETA while running bro > from a pcap file. > > If I have only one pcap I use pipe viewer (the pv command) like this: > > pv x.pcap | bro -r - > > If I have more than one pcap, e.g. from a big tcpdump run, I merge all of > them on the fly using joincap ( https://github.com/assafmo/joincap ) like > this: > > joincap *.pcap | pv -s $(du -bc *.pcap | awk '/total/{print $1}') | bro -r > - > > This way pv print progress and ETA information while bro is running. :-) > > Shameless plug - I wrote joincap specifically for these kind of situations, > because mergecap and tcpslice does not handle errors very well. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181008/b13ae9d7/attachment-0001.html > > ------------------------------ > > _______________________________________________ > Bro mailing list > Bro at bro.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > End of Bro Digest, Vol 150, Issue 14 > ************************************ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181008/e305f0d6/attachment.html From dnj0496 at gmail.com Tue Oct 9 22:45:59 2018 From: dnj0496 at gmail.com (Dk Jack) Date: Tue, 9 Oct 2018 22:45:59 -0700 Subject: [Bro] x509 error Message-ID: Hi, I am seeing very large number of 'Could not parse X509 certificate' errors in my weird.log. The ssl cert is sent by the server. Could someone chime in on the reasons for this error. Thanks. Dk. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181009/83b47278/attachment.html From johanna at icir.org Wed Oct 10 05:15:23 2018 From: johanna at icir.org (Johanna Amann) Date: Wed, 10 Oct 2018 08:15:23 -0400 Subject: [Bro] x509 error In-Reply-To: References: Message-ID: <3AE6E77F-5A1B-4C39-B408-C130B952609B@icir.org> Hi, could you potentially provide a pcap that shows this and send it to me? Without that it sadly is quite difficult to say what is going on. The error comes more or less directly from OpenSSL - so it does not like something in the data structure sent in the certificate message. Johanna On 10 Oct 2018, at 1:45, Dk Jack wrote: > Hi, > I am seeing very large number of 'Could not parse X509 certificate' > errors > in my weird.log. The ssl cert is sent by the server. Could someone > chime in > on the reasons for this error. Thanks. > > Dk. > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From brucekao at heliosdata.com Thu Oct 11 17:36:41 2018 From: brucekao at heliosdata.com (Bruce Kao) Date: Fri, 12 Oct 2018 00:36:41 +0000 Subject: [Bro] Long lived MySQL session stops generating events Message-ID: Hi All, I am running Bro version 2.5.2, and encountering an issue where an established MySQL session after idling for some time (approximately 10 minutes), the MySQL analyzer events are no longer generated. The MySQL session itself is still alive and still responding to queries, but the analyzer event mysql_command_request stop generating. I've also check packet capture and seen no obvious oddities and the packets are the same as when it was working. I am only issuing a 'Use DB' command for testing. I suspect there is a timeout somewhere or a limit somewhere that I'm not aware of, as I am still fairly new to Bro itself. Does anyone have any ideas on how I can continue to debug this issue? Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181012/4fc80c96/attachment.html From jsiwek at corelight.com Fri Oct 12 15:03:55 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Fri, 12 Oct 2018 17:03:55 -0500 Subject: [Bro] Long lived MySQL session stops generating events In-Reply-To: References: Message-ID: On Thu, Oct 11, 2018 at 7:52 PM Bruce Kao wrote: > I am running Bro version 2.5.2, and encountering an issue where an established MySQL session after idling for some time (approximately 10 minutes), the MySQL analyzer events are no longer generated. I'd first suggest trying with the latest release of Bro (2.5.5) if you can because the MySQL analyzer had some general changes/fixes in 2.5.4. Otherwise, it would be most helpful if you could provide a pcap that reproduces the issue. - Jon From fatema.bannatwala at gmail.com Sat Oct 13 10:23:00 2018 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Sat, 13 Oct 2018 13:23:00 -0400 Subject: [Bro] DNSSEC Support Message-ID: >Date: Wed, 27 Apr 2016 20:21:39 -0400 >From: Dave Crawford >Subject: [Bro] DNSSEC Support >To: bro >Message-ID: >Content-Type: text/plain; charset=us-ascii > >It doesn't appear that there is full support for DNSSEC RR types in the current release and I'm >looking for the best option in the meantime. > > For example, answers that include RRSIG's will produce a vector similar to ["192.168.1.1"," > "] with a corresponding event in weird.log of "DNS_RR_unknown_type". > > In protocols/dns/consts.bro I see type 46 is included in the query_type map but based on the >variable name I assume its not applied to answers? > > -Dave Hi Dave, There were some recent commits done to support these DNSSEC RR types parsing in Bro: RRSIG, DNSKEY, DS, NSEC, NSEC3. If you want to give it a try, it's available in dev/2.7 branch or a forked branch from 2.5.4 at following: https://github.com/fatemabw/bro/tree/master (bro 2.5.4 with dnssec) https://github.com/bro/bro/tree/dev/2.7 Apologies for the delay. Fatema. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181013/516f50aa/attachment.html From brucekao at heliosdata.com Mon Oct 15 10:07:51 2018 From: brucekao at heliosdata.com (Bruce Kao) Date: Mon, 15 Oct 2018 17:07:51 +0000 Subject: [Bro] Long lived MySQL session stops generating events In-Reply-To: References: , Message-ID: Hi Jon, I tried the same scenario with Bro 2.5.5 and the same problem with MySQL long session is still reproducible. I am attaching the pcap here which should show the same issue. It is a straight forward MySQL session using mysql command. There is a long period of idling between packet 23 and packet 24, and no mysql events can be generated after packet 24. The last working command with MySQL event generated is packet 21. Any suggestions on how to debug this issue would be greatly appreciated. I am not very familiar with how Bro passes received data into the analyzers for the message parsing, but I would like to find out whether it is that the parsing is failing or if Bro is not picking up the data at all. Thanks in advance for any guidance anyone can provide. ________________________________ From: Jon Siwek Sent: Friday, October 12, 2018 3:03:55 PM To: Bruce Kao Cc: bro Subject: Re: [Bro] Long lived MySQL session stops generating events On Thu, Oct 11, 2018 at 7:52 PM Bruce Kao wrote: > I am running Bro version 2.5.2, and encountering an issue where an established MySQL session after idling for some time (approximately 10 minutes), the MySQL analyzer events are no longer generated. I'd first suggest trying with the latest release of Bro (2.5.5) if you can because the MySQL analyzer had some general changes/fixes in 2.5.4. Otherwise, it would be most helpful if you could provide a pcap that reproduces the issue. - Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181015/8193e7aa/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: out.pcap Type: application/vnd.tcpdump.pcap Size: 4046 bytes Desc: out.pcap Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181015/8193e7aa/attachment.bin From jsiwek at corelight.com Mon Oct 15 12:08:59 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Mon, 15 Oct 2018 14:08:59 -0500 Subject: [Bro] Long lived MySQL session stops generating events In-Reply-To: References:

Message-ID: You can get a bit more in to the mysql.log if you ran like: bro -r out.pcap tcp_inactivity_timeout=10min "DPD::ignore_violations+={Analyzer::ANALYZER_MYSQL}" There were a couple potential issues that's working around when I tested with Bro's git/master branch. The first was that the responses may be malformed -- Wireshark appears to report that it's malformed MySQL and Bro also indicates a parsing problem in dpd.log, showing that the LengthEncodedIntegerLookahead field was expecting to read 8 bytes, but only 6 were available/sent. The default behavior is for Bro to disable analyzers that encounter such protocol violations, but the DPD::ignore_violations customization prevents that. Someone may ultimately want to check into whether the packet is legit following the MySQL protocol, because then the parser in Bro should be updated to understand it better. The second issue was related to the long idle period that you mentioned. The default timeout for TCP sessions in Bro is 5mins, so when eventually new MySQL data is seen, it instantiates a new session/analyzer, however, the MySQL analyzer currently does not handle "partial connections" and everything from then on is just skipped. You can look into tuning the tcp_inactivity_timeout setting to potentially workaround that, or else it would be better if anyone wanted to investigate how much it would take to get the MySQL parser/analyzer able to pick up and analyze sessions already mid-way in progress. - Jon On Mon, Oct 15, 2018 at 12:07 PM Bruce Kao wrote: > > Hi Jon, > > I tried the same scenario with Bro 2.5.5 and the same problem with MySQL long session is still reproducible. I am attaching the pcap here which should show the same issue. > > > It is a straight forward MySQL session using mysql command. There is a long period of idling between packet 23 and packet 24, and no mysql events can be generated after packet 24. > > > The last working command with MySQL event generated is packet 21. > > > Any suggestions on how to debug this issue would be greatly appreciated. I am not very familiar with how Bro passes received data into the analyzers for the message parsing, but I would like to find out whether it is that the parsing is failing or if Bro is not picking up the data at all. > > > Thanks in advance for any guidance anyone can provide. > > ________________________________ > From: Jon Siwek > Sent: Friday, October 12, 2018 3:03:55 PM > To: Bruce Kao > Cc: bro > Subject: Re: [Bro] Long lived MySQL session stops generating events > > On Thu, Oct 11, 2018 at 7:52 PM Bruce Kao wrote: > > > I am running Bro version 2.5.2, and encountering an issue where an established MySQL session after idling for some time (approximately 10 minutes), the MySQL analyzer events are no longer generated. > > I'd first suggest trying with the latest release of Bro (2.5.5) if you > can because the MySQL analyzer had some general changes/fixes in > 2.5.4. > > Otherwise, it would be most helpful if you could provide a pcap that > reproduces the issue. > > - Jon From brucekao at heliosdata.com Mon Oct 15 13:37:34 2018 From: brucekao at heliosdata.com (Bruce Kao) Date: Mon, 15 Oct 2018 20:37:34 +0000 Subject: [Bro] Long lived MySQL session stops generating events In-Reply-To: References:

, Message-ID: Thanks Jon for the tips. I did see that Wireshark is reporting malformed response data, but since Bro was able to produce events initially I did not dig into it too much. My MySQL was installed through Ubuntu which is mysqld Ver 5.7.23-0ubuntu0.16.04.1 for Linux on x86_64 ((Ubuntu)) I will follow your tips and see if I can find more information and report back. Thanks ________________________________ From: Jon Siwek Sent: Monday, October 15, 2018 12:08:59 PM To: Bruce Kao Cc: bro Subject: Re: [Bro] Long lived MySQL session stops generating events You can get a bit more in to the mysql.log if you ran like: bro -r out.pcap tcp_inactivity_timeout=10min "DPD::ignore_violations+={Analyzer::ANALYZER_MYSQL}" There were a couple potential issues that's working around when I tested with Bro's git/master branch. The first was that the responses may be malformed -- Wireshark appears to report that it's malformed MySQL and Bro also indicates a parsing problem in dpd.log, showing that the LengthEncodedIntegerLookahead field was expecting to read 8 bytes, but only 6 were available/sent. The default behavior is for Bro to disable analyzers that encounter such protocol violations, but the DPD::ignore_violations customization prevents that. Someone may ultimately want to check into whether the packet is legit following the MySQL protocol, because then the parser in Bro should be updated to understand it better. The second issue was related to the long idle period that you mentioned. The default timeout for TCP sessions in Bro is 5mins, so when eventually new MySQL data is seen, it instantiates a new session/analyzer, however, the MySQL analyzer currently does not handle "partial connections" and everything from then on is just skipped. You can look into tuning the tcp_inactivity_timeout setting to potentially workaround that, or else it would be better if anyone wanted to investigate how much it would take to get the MySQL parser/analyzer able to pick up and analyze sessions already mid-way in progress. - Jon On Mon, Oct 15, 2018 at 12:07 PM Bruce Kao wrote: > > Hi Jon, > > I tried the same scenario with Bro 2.5.5 and the same problem with MySQL long session is still reproducible. I am attaching the pcap here which should show the same issue. > > > It is a straight forward MySQL session using mysql command. There is a long period of idling between packet 23 and packet 24, and no mysql events can be generated after packet 24. > > > The last working command with MySQL event generated is packet 21. > > > Any suggestions on how to debug this issue would be greatly appreciated. I am not very familiar with how Bro passes received data into the analyzers for the message parsing, but I would like to find out whether it is that the parsing is failing or if Bro is not picking up the data at all. > > > Thanks in advance for any guidance anyone can provide. > > ________________________________ > From: Jon Siwek > Sent: Friday, October 12, 2018 3:03:55 PM > To: Bruce Kao > Cc: bro > Subject: Re: [Bro] Long lived MySQL session stops generating events > > On Thu, Oct 11, 2018 at 7:52 PM Bruce Kao wrote: > > > I am running Bro version 2.5.2, and encountering an issue where an established MySQL session after idling for some time (approximately 10 minutes), the MySQL analyzer events are no longer generated. > > I'd first suggest trying with the latest release of Bro (2.5.5) if you > can because the MySQL analyzer had some general changes/fixes in > 2.5.4. > > Otherwise, it would be most helpful if you could provide a pcap that > reproduces the issue. > > - Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181015/b8d21cf5/attachment.html From nothinrandom at gmail.com Mon Oct 15 22:37:35 2018 From: nothinrandom at gmail.com (TQ) Date: Mon, 15 Oct 2018 22:37:35 -0700 Subject: [Bro] Syntax Question - Nested Switch Case Message-ID: Hello Bro Members, I apologize if this is not the right mailing list... I do not wish to spam everyone. I just picked up Bro a few days ago, to still learning the ropes. I have a syntax question that I can't seem to find anywhere. How do you do a nested switch case inside a record? I have some data 0xAABBCCDD01020304 or 0xAABBCCDD01020405 that I need to verify that the header is 0xAABBCCDD and switch based on the last two bytes, either 0x0304 or 0x0405. Is this a good practice of switch record since data length will change based on the command. The nested case I have below is incorrect and is throwing error "make[3]: *** [test_pac.h] Segmentation fault (core dumped)" Currently, I have: enum cmd_codes { NOP = 0x00000000, DEVICE_HEADER = 0x AABBCCDD, DEVICE_CMD2_1 = 0x0304, DEVICE_CMD2_2 = 0x0405 }; type Header = record { header: uint32; # header cmd1: uint16; # 0x0102 cmd2: uint16; # 0x0304 or 0x0405 } &byteorder=bigendian; type Device_Response = record { header: Device_Header; data: case(header.header) of { DEVICE_HEADER -> head: case(header.cmd2) of { DEVICE_CMD2_1 -> info1: Record_A; DEVICE_CMD2_2 -> info2: Record_B; }; # All the rest default -> unknown: bytestring &restofdata; }; } &byteorder=littleendian; type Record_A = record { # some data goes here } type Record_B = record { # some data goes here } Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181015/14e47c29/attachment-0001.html From undicizeri at gmail.com Tue Oct 16 02:55:42 2018 From: undicizeri at gmail.com (Federico Foschini) Date: Tue, 16 Oct 2018 11:55:42 +0200 Subject: [Bro] /misc/capture_loss percent_lost vs /misc/stats pkts dropped and missed bytes in bro_conn Message-ID: Hello, In one of our bro deployments we are logging some missed byets on bro_conn logs. This is an example of a conn log with missing bytes: "local_resp": false, "tunnel_parents": [], "local_orig": true, "dst_addr": "211.115.118.190", "src_port": 57786, "dst_port": 443, "service": "ssl", "duration": 0.717725, "resp_pkts": 28, "src_addr": "10.16.0.115", "uid": "C7H1Jb1qJhHVg05wq8", "history": "ShADadfF", "orig_pkts": 16, "host": "logstash", "conn_state": "SF", "orig_bytes": 2883, "path": "/var/log/bro/logs/current/conn.log", "@timestamp": "2018-10-16T09:42:14.074Z", "times_created": "2018-10-16T09:42:13.357Z", "tags": [ "bro", "bro_conn" ], "proto": "tcp", "@version": "1", "resp_ip_bytes": 23649, "orig_ip_bytes": 3535, "missed_bytes": 2920, "resp_bytes": 22517, "resp_cc": "IT" } I?m running both /policy/misc/capture_loss and /policy/misc/stats scripts and this is the result: /misc/stats: "_source": { "files": 40386, "mem": 820, "active_icmp_conns": 341, "dns_requests": 0, "active_tcp_conns": 6641, "timers": 542182, "peer": "worker-1-1", "reassem_file_size": 1040104, "events_proc": 2285899, "active_timers": 33245, "host": "logstash", "reassem_frag_size": 10528, "active_files": 208, "icmp_conns": 877, "events_queued": 2285898, "pkts_dropped": 0, "pkts_proc": 10232397, "path": "/var/log/bro/logs/current/stats.log", "pkts_link": 10232664, "udp_conns": 21084, "reassem_unknown_size": 0, "@timestamp": "2018-10-16T09:15:32.648Z", "pkt_lag": 0.007681, "active_dns_requests": 0, "reassem_tcp_size": 863992, "tags": [ "bro", "bro_stats" ], "active_udp_conns": 2207, "tcp_conns": 27070, "@version": "1", "bytes_recv": 6580937768 } /misc/capture_loss: "_source": { "gaps": 92247, "peer": "worker-1-1", "path": "/var/log/bro/logs/current/capture_loss.log", "ts_delta": 900.000031, "@timestamp": "2018-10-16T09:15:32.632Z", "percent_lost": 2.053046, "tags": [ "bro", "bro_stats", "bro_capture_loss" ], "@version": "1", "host": "logstash", "acks": 4493178 } By reading the documentation It looks like the switch SPAN port or the network interface is dropping packets since bro stats doesn?t register any packet drops. I?ve checked on the switch and it doesn?t report any dropped traffic. Is this possible that the network interface of our server is dropping? Is there a way to analyze the problem further? -- Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181016/e630cfef/attachment.html From jsiwek at corelight.com Tue Oct 16 09:42:35 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Tue, 16 Oct 2018 11:42:35 -0500 Subject: [Bro] Syntax Question - Nested Switch Case In-Reply-To: References: Message-ID: On Tue, Oct 16, 2018 at 12:46 AM TQ wrote: > How do you do a nested switch case inside a record? I have some data 0xAABBCCDD01020304 or 0xAABBCCDD01020405 that I need to verify that the header is 0xAABBCCDD and switch based on the last two bytes, either 0x0304 or 0x0405. Is this a good practice of switch record since data length will change based on the command. The nested case I have below is incorrect and is throwing error "make[3]: *** [test_pac.h] Segmentation fault (core dumped)" It's possible that you've just run into a binpac bug related to nested records and you can file a bug/issue for that on GitHub, but you may also be able to organize things differently. For example, instead of nesting switch/case you can do: type HeaderCmd(cmd: uint16) = case cmd of { DEVICE_CMD2_1 -> info1: Record_A; DEVICE_CMD2_2 -> info2: Record_B; }; type Device_Response = record { header: Header; data: case(header.header) of { DEVICE_HEADER -> head_cmd: HeaderCmd(header.cmd2); default -> unknown: bytestring &restofdata; }; } &byteorder=littleendian; Also, if you only ever expect to see that DEVICE_HEADER value and not any other header values for this protocol, you might just use an &enforce attribute at the top level instead of a switch/case. - Jon From michalpurzynski1 at gmail.com Tue Oct 16 10:29:35 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Tue, 16 Oct 2018 10:29:35 -0700 Subject: [Bro] /misc/capture_loss percent_lost vs /misc/stats pkts dropped and missed bytes in bro_conn In-Reply-To: References: Message-ID: <9D40876E-E32A-4B02-98EB-5B8CA3D7BF32@gmail.com> Tell us what kind of capture method you use and we will take it from here. > On Oct 16, 2018, at 2:55 AM, Federico Foschini wrote: > > Hello, > > In one of our bro deployments we are logging some missed byets on bro_conn logs. This is an example of a conn log with missing bytes: > > "local_resp": false, > "tunnel_parents": [], > "local_orig": true, > "dst_addr": "211.115.118.190", > "src_port": 57786, > "dst_port": 443, > "service": "ssl", > "duration": 0.717725, > "resp_pkts": 28, > "src_addr": "10.16.0.115", > "uid": "C7H1Jb1qJhHVg05wq8", > "history": "ShADadfF", > "orig_pkts": 16, > "host": "logstash", > "conn_state": "SF", > "orig_bytes": 2883, > "path": "/var/log/bro/logs/current/conn.log", > "@timestamp": "2018-10-16T09:42:14.074Z", > "times_created": "2018-10-16T09:42:13.357Z", > "tags": [ > "bro", > "bro_conn" > ], > "proto": "tcp", > "@version": "1", > "resp_ip_bytes": 23649, > "orig_ip_bytes": 3535, > "missed_bytes": 2920, > "resp_bytes": 22517, > "resp_cc": "IT" > } > I?m running both /policy/misc/capture_loss and /policy/misc/stats scripts and this is the result: > /misc/stats: > > "_source": { > "files": 40386, > "mem": 820, > "active_icmp_conns": 341, > "dns_requests": 0, > "active_tcp_conns": 6641, > "timers": 542182, > "peer": "worker-1-1", > "reassem_file_size": 1040104, > "events_proc": 2285899, > "active_timers": 33245, > "host": "logstash", > "reassem_frag_size": 10528, > "active_files": 208, > "icmp_conns": 877, > "events_queued": 2285898, > "pkts_dropped": 0, > "pkts_proc": 10232397, > "path": "/var/log/bro/logs/current/stats.log", > "pkts_link": 10232664, > "udp_conns": 21084, > "reassem_unknown_size": 0, > "@timestamp": "2018-10-16T09:15:32.648Z", > "pkt_lag": 0.007681, > "active_dns_requests": 0, > "reassem_tcp_size": 863992, > "tags": [ > "bro", > "bro_stats" > ], > "active_udp_conns": 2207, > "tcp_conns": 27070, > "@version": "1", > "bytes_recv": 6580937768 > } > /misc/capture_loss: > > "_source": { > "gaps": 92247, > "peer": "worker-1-1", > "path": "/var/log/bro/logs/current/capture_loss.log", > "ts_delta": 900.000031, > "@timestamp": "2018-10-16T09:15:32.632Z", > "percent_lost": 2.053046, > "tags": [ > "bro", > "bro_stats", > "bro_capture_loss" > ], > "@version": "1", > "host": "logstash", > "acks": 4493178 > } > By reading the documentation It looks like the switch SPAN port or the network interface is dropping packets since bro stats doesn?t register any packet drops. > I?ve checked on the switch and it doesn?t report any dropped traffic. > > Is this possible that the network interface of our server is dropping? Is there a way to analyze the problem further? > > -- > Federico Foschini. > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181016/643808c5/attachment-0001.html From openshift.ninja at gmail.com Tue Oct 16 13:11:32 2018 From: openshift.ninja at gmail.com (Jeffrey Poore) Date: Tue, 16 Oct 2018 20:11:32 +0000 Subject: [Bro] getting bro 2.5.5 source Message-ID: Hello community. I have been building Bro from source, but I realized that I don't want to be downloading the tip source but rather the 2.5.5 source. I tried grabbing the source from GitHub at https://github.com/bro/bro/archive/v2.5.5.tar.gz, but when I do a configure inside this directory, it fails because the cmake directory inside is empty. I was doing a recursive clone of the git repo: $ git clone --recursive https://github.com/bro/bro.git I noticed that there is a 2.5 release branch, so I checkout that: $ git checkout release/2.5 But then when I try to run things, it breaks when I run check on the scripts (it's like the Bro interpreter is 2.5 but the scripts are 2.6?). I even tried doing this, without the recursive clone, but it still didn't work: $ git clone https://github.com/bro/bro.git $ git checkout release/2.5 $ git submodule init $ git submodule update $ ./configure Unfortunately, our proxy doesn't let us get to bro.org currently, so I'm trying to make this work from the github repo. Any ideas? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181016/81907afa/attachment.html From jazoff at illinois.edu Tue Oct 16 13:23:47 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Tue, 16 Oct 2018 20:23:47 +0000 Subject: [Bro] getting bro 2.5.5 source In-Reply-To: References: Message-ID: <04692792-F03A-4621-8483-572333E2F1E9@illinois.edu> > On Oct 16, 2018, at 4:11 PM, Jeffrey Poore wrote: > > Hello community. I have been building Bro from source, but I realized that I don't want to be downloading the tip source but rather the 2.5.5 source. I tried grabbing the source from GitHub at https://github.com/bro/bro/archive/v2.5.5.tar.gz, but when I do a configure inside this directory, it fails because the cmake directory inside is empty. The file you are probably looking for is https://www.bro.org/downloads/bro-2.5.5.tar.gz The auto archives from github unfortunately don't include the submodules. > I was doing a recursive clone of the git repo: > > $ git clone --recursive https://github.com/bro/bro.git > > I noticed that there is a 2.5 release branch, so I checkout that: > > $ git checkout release/2.5 > > But then when I try to run things, it breaks when I run check on the scripts (it's like the Bro interpreter is 2.5 but the scripts are 2.6?). I even tried doing this, without the recursive clone, but it still didn't work: > > $ git clone https://github.com/bro/bro.git > $ git checkout release/2.5 > $ git submodule init > $ git submodule update > $ ./configure > > Unfortunately, our proxy doesn't let us get to bro.org currently, so I'm trying to make this work from the github repo. Any ideas? I worked this out a while ago, I think your problem is that updating the submodules only updates the top level, but bro has submodules inside of submodules and you need to do it recursively. These are the commands I used to use when building an arbitrary bro commit: git checkout -f $VERSION git submodule foreach --recursive git submodule init git submodule update --recursive -f || git submodule update --recursive Also, I believe that if you did git clone --branch v2.5.5 --recursive https://github.com/bro/bro.git you would end up with the correct checkout as well. ? Justin Azoff From openshift.ninja at gmail.com Tue Oct 16 13:37:02 2018 From: openshift.ninja at gmail.com (OpenShift Ninja) Date: Tue, 16 Oct 2018 16:37:02 -0400 Subject: [Bro] getting bro 2.5.5 source In-Reply-To: <04692792-F03A-4621-8483-572333E2F1E9@illinois.edu> References: <04692792-F03A-4621-8483-572333E2F1E9@illinois.edu> Message-ID: thank you. that helps a lot! :) On Tue, Oct 16, 2018 at 4:24 PM Azoff, Justin S wrote: > > On Oct 16, 2018, at 4:11 PM, Jeffrey Poore > wrote: > > > > Hello community. I have been building Bro from source, but I realized > that I don't want to be downloading the tip source but rather the 2.5.5 > source. I tried grabbing the source from GitHub at > https://github.com/bro/bro/archive/v2.5.5.tar.gz, but when I do a > configure inside this directory, it fails because the cmake directory > inside is empty. > > The file you are probably looking for is > https://www.bro.org/downloads/bro-2.5.5.tar.gz > > The auto archives from github unfortunately don't include the submodules. > > > I was doing a recursive clone of the git repo: > > > > $ git clone --recursive https://github.com/bro/bro.git > > > > I noticed that there is a 2.5 release branch, so I checkout that: > > > > $ git checkout release/2.5 > > > > But then when I try to run things, it breaks when I run check on the > scripts (it's like the Bro interpreter is 2.5 but the scripts are 2.6?). I > even tried doing this, without the recursive clone, but it still didn't > work: > > > > $ git clone https://github.com/bro/bro.git > > $ git checkout release/2.5 > > $ git submodule init > > $ git submodule update > > $ ./configure > > > > Unfortunately, our proxy doesn't let us get to bro.org currently, so > I'm trying to make this work from the github repo. Any ideas? > > I worked this out a while ago, I think your problem is that updating the > submodules only updates the top level, but bro has submodules inside of > submodules and you need to do it recursively. > > These are the commands I used to use when building an arbitrary bro commit: > > git checkout -f $VERSION > git submodule foreach --recursive git submodule init > git submodule update --recursive -f || git submodule update --recursive > > Also, I believe that if you did > > git clone --branch v2.5.5 --recursive https://github.com/bro/bro.git > > you would end up with the correct checkout as well. > > ? > Justin Azoff > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181016/6d4d6c3f/attachment.html From undicizeri at gmail.com Tue Oct 16 23:49:41 2018 From: undicizeri at gmail.com (Federico Foschini) Date: Wed, 17 Oct 2018 08:49:41 +0200 Subject: [Bro] /misc/capture_loss percent_lost vs /misc/stats pkts dropped and missed bytes in bro_conn In-Reply-To: <9D40876E-E32A-4B02-98EB-5B8CA3D7BF32@gmail.com> References: <9D40876E-E32A-4B02-98EB-5B8CA3D7BF32@gmail.com> Message-ID: Hi, I?m using af_packet. This is my broctl.cfg file: LogRotationInterval = 3600 LogExpireInterval = 5day StatsLogEnable = 1 StatsLogExpireInterval = 14 StatusCmdShowAll = 0 CrashExpireInterval = 0 SitePolicyScripts = local.bro LogDir = /var/log/bro/logs SpoolDir = /var/log/bro/spool CfgDir = /opt/bro/etc lb_custom.InterfacePrefix=af_packet:: And this is my node.cfg file: [manager] type=manager host=localhost [proxy-1] type=proxy host=localhost [worker-1] type=worker host=localhost interface=enp2s0f1 lb_method=custom lb_procs=2 af_packet_fanout_id=21 af_packet_fanout_mode=AF_Packet::FANOUT_HASH af_packet_buffer_size=128*1024*1024 I hope this helps. Thanks for your help! Il giorno mar 16 ott 2018 alle ore 19:29 Micha? Purzy?ski < michalpurzynski1 at gmail.com> ha scritto: > Tell us what kind of capture method you use and we will take it from here. > > > On Oct 16, 2018, at 2:55 AM, Federico Foschini > wrote: > > Hello, > > In one of our bro deployments we are logging some missed byets on > bro_conn logs. This is an example of a conn log with missing bytes: > > "local_resp": false, > "tunnel_parents": [], > "local_orig": true, > "dst_addr": "211.115.118.190", > "src_port": 57786, > "dst_port": 443, > "service": "ssl", > "duration": 0.717725, > "resp_pkts": 28, > "src_addr": "10.16.0.115", > "uid": "C7H1Jb1qJhHVg05wq8", > "history": "ShADadfF", > "orig_pkts": 16, > "host": "logstash", > "conn_state": "SF", > "orig_bytes": 2883, > "path": "/var/log/bro/logs/current/conn.log", > "@timestamp": "2018-10-16T09:42:14.074Z", > "times_created": "2018-10-16T09:42:13.357Z", > "tags": [ > "bro", > "bro_conn" > ], > "proto": "tcp", > "@version": "1", > "resp_ip_bytes": 23649, > "orig_ip_bytes": 3535, > "missed_bytes": 2920, > "resp_bytes": 22517, > "resp_cc": "IT" > } > > I?m running both /policy/misc/capture_loss and /policy/misc/stats scripts > and this is the result: > /misc/stats: > > "_source": { > "files": 40386, > "mem": 820, > "active_icmp_conns": 341, > "dns_requests": 0, > "active_tcp_conns": 6641, > "timers": 542182, > "peer": "worker-1-1", > "reassem_file_size": 1040104, > "events_proc": 2285899, > "active_timers": 33245, > "host": "logstash", > "reassem_frag_size": 10528, > "active_files": 208, > "icmp_conns": 877, > "events_queued": 2285898, > "pkts_dropped": 0, > "pkts_proc": 10232397, > "path": "/var/log/bro/logs/current/stats.log", > "pkts_link": 10232664, > "udp_conns": 21084, > "reassem_unknown_size": 0, > "@timestamp": "2018-10-16T09:15:32.648Z", > "pkt_lag": 0.007681, > "active_dns_requests": 0, > "reassem_tcp_size": 863992, > "tags": [ > "bro", > "bro_stats" > ], > "active_udp_conns": 2207, > "tcp_conns": 27070, > "@version": "1", > "bytes_recv": 6580937768 > } > > /misc/capture_loss: > > "_source": { > "gaps": 92247, > "peer": "worker-1-1", > "path": "/var/log/bro/logs/current/capture_loss.log", > "ts_delta": 900.000031, > "@timestamp": "2018-10-16T09:15:32.632Z", > "percent_lost": 2.053046, > "tags": [ > "bro", > "bro_stats", > "bro_capture_loss" > ], > "@version": "1", > "host": "logstash", > "acks": 4493178 > } > > By reading the documentation It looks like the switch SPAN port or the > network interface is dropping packets since bro stats doesn?t register any > packet drops. > I?ve checked on the switch and it doesn?t report any dropped traffic. > > Is this possible that the network interface of our server is dropping? Is > there a way to analyze the problem further? > -- > Federico Foschini. > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > -- Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181017/831c3d35/attachment-0001.html From michalpurzynski1 at gmail.com Wed Oct 17 01:40:57 2018 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Wed, 17 Oct 2018 01:40:57 -0700 Subject: [Bro] /misc/capture_loss percent_lost vs /misc/stats pkts dropped and missed bytes in bro_conn In-Reply-To: References: <9D40876E-E32A-4B02-98EB-5B8CA3D7BF32@gmail.com> Message-ID: <9DB248A2-75C3-4E98-A3A4-43754831619F@gmail.com> Excellent choice! We created (with Peter Manev, a Suricata developer) a tuning guide that also applies to Bro. Pay special attention to these two sections - life of a packet - packet drops (near the end) There are a few places packets can be dropped, so it?s important to know all of them. https://github.com/pevma/SEPTun > On Oct 16, 2018, at 11:49 PM, Federico Foschini wrote: > > Hi, I?m using af_packet. This is my broctl.cfg file: > > LogRotationInterval = 3600 > LogExpireInterval = 5day > StatsLogEnable = 1 > StatsLogExpireInterval = 14 > StatusCmdShowAll = 0 > CrashExpireInterval = 0 > SitePolicyScripts = local.bro > LogDir = /var/log/bro/logs > SpoolDir = /var/log/bro/spool > CfgDir = /opt/bro/etc > lb_custom.InterfacePrefix=af_packet:: > And this is my node.cfg file: > > [manager] > type=manager > host=localhost > > [proxy-1] > type=proxy > host=localhost > > [worker-1] > type=worker > host=localhost > interface=enp2s0f1 > lb_method=custom > lb_procs=2 > af_packet_fanout_id=21 > af_packet_fanout_mode=AF_Packet::FANOUT_HASH > af_packet_buffer_size=128*1024*1024 > I hope this helps. Thanks for your help! > > >> Il giorno mar 16 ott 2018 alle ore 19:29 Micha? Purzy?ski ha scritto: >> Tell us what kind of capture method you use and we will take it from here. >> >> >>> On Oct 16, 2018, at 2:55 AM, Federico Foschini wrote: >>> >>> Hello, >>> >>> In one of our bro deployments we are logging some missed byets on bro_conn logs. This is an example of a conn log with missing bytes: >>> >>> "local_resp": false, >>> "tunnel_parents": [], >>> "local_orig": true, >>> "dst_addr": "211.115.118.190", >>> "src_port": 57786, >>> "dst_port": 443, >>> "service": "ssl", >>> "duration": 0.717725, >>> "resp_pkts": 28, >>> "src_addr": "10.16.0.115", >>> "uid": "C7H1Jb1qJhHVg05wq8", >>> "history": "ShADadfF", >>> "orig_pkts": 16, >>> "host": "logstash", >>> "conn_state": "SF", >>> "orig_bytes": 2883, >>> "path": "/var/log/bro/logs/current/conn.log", >>> "@timestamp": "2018-10-16T09:42:14.074Z", >>> "times_created": "2018-10-16T09:42:13.357Z", >>> "tags": [ >>> "bro", >>> "bro_conn" >>> ], >>> "proto": "tcp", >>> "@version": "1", >>> "resp_ip_bytes": 23649, >>> "orig_ip_bytes": 3535, >>> "missed_bytes": 2920, >>> "resp_bytes": 22517, >>> "resp_cc": "IT" >>> } >>> I?m running both /policy/misc/capture_loss and /policy/misc/stats scripts and this is the result: >>> /misc/stats: >>> >>> "_source": { >>> "files": 40386, >>> "mem": 820, >>> "active_icmp_conns": 341, >>> "dns_requests": 0, >>> "active_tcp_conns": 6641, >>> "timers": 542182, >>> "peer": "worker-1-1", >>> "reassem_file_size": 1040104, >>> "events_proc": 2285899, >>> "active_timers": 33245, >>> "host": "logstash", >>> "reassem_frag_size": 10528, >>> "active_files": 208, >>> "icmp_conns": 877, >>> "events_queued": 2285898, >>> "pkts_dropped": 0, >>> "pkts_proc": 10232397, >>> "path": "/var/log/bro/logs/current/stats.log", >>> "pkts_link": 10232664, >>> "udp_conns": 21084, >>> "reassem_unknown_size": 0, >>> "@timestamp": "2018-10-16T09:15:32.648Z", >>> "pkt_lag": 0.007681, >>> "active_dns_requests": 0, >>> "reassem_tcp_size": 863992, >>> "tags": [ >>> "bro", >>> "bro_stats" >>> ], >>> "active_udp_conns": 2207, >>> "tcp_conns": 27070, >>> "@version": "1", >>> "bytes_recv": 6580937768 >>> } >>> /misc/capture_loss: >>> >>> "_source": { >>> "gaps": 92247, >>> "peer": "worker-1-1", >>> "path": "/var/log/bro/logs/current/capture_loss.log", >>> "ts_delta": 900.000031, >>> "@timestamp": "2018-10-16T09:15:32.632Z", >>> "percent_lost": 2.053046, >>> "tags": [ >>> "bro", >>> "bro_stats", >>> "bro_capture_loss" >>> ], >>> "@version": "1", >>> "host": "logstash", >>> "acks": 4493178 >>> } >>> By reading the documentation It looks like the switch SPAN port or the network interface is dropping packets since bro stats doesn?t register any packet drops. >>> I?ve checked on the switch and it doesn?t report any dropped traffic. >>> >>> Is this possible that the network interface of our server is dropping? Is there a way to analyze the problem further? >>> >>> -- >>> Federico Foschini. >>> _______________________________________________ >>> Bro mailing list >>> bro at bro-ids.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > -- > Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181017/e042107f/attachment.html From seth at corelight.com Wed Oct 17 08:25:52 2018 From: seth at corelight.com (Seth Hall) Date: Wed, 17 Oct 2018 11:25:52 -0400 Subject: [Bro] Long lived MySQL session stops generating events In-Reply-To: References:

Message-ID: <42B1526D-34A7-4F26-A2B6-939825DA8B43@corelight.com> On 15 Oct 2018, at 15:08, Jon Siwek wrote: > else it would be better if anyone > wanted to investigate how much it would take to get the MySQL > parser/analyzer able to pick up and analyze sessions already mid-way > in progress. I don't know how difficult this would be, but personally I've been putting off too much work into these sorts of efforts with the existing binpac analyzers because Spicy should have a mechanism to make analyzers "re-synching". I did it with SMB and it was a little tricky to get right. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From vern at icir.org Wed Oct 17 21:51:43 2018 From: vern at icir.org (Vern Paxson) Date: Wed, 17 Oct 2018 21:51:43 -0700 Subject: [Bro] renaming the Bro project Message-ID: <201810180451.w9I4phrm001254@fruitcake.ICSI.Berkeley.EDU> As many of you no doubt already know, the Leadership Team has chosen a new name for the project, "Zeek". To read about the change, see my blog post at http://blog.bro.org/2018/10/renaming-bro-project_11.html or, for the media-hungry, the corresponding video from BroCon last week at https://www.youtube.com/watch?v=L88ZYfjPzyk&feature=youtu.be We don't yet have a roadmap/timeline for converting the project over to the new name (though zeek.org is already live, albeit with essentially unmigrated content). The 2.6 release hopefully out within a couple of weeks will still (solely) use the name "Bro". Vern From maanamen at hotmail.com Thu Oct 18 00:07:38 2018 From: maanamen at hotmail.com (=?iso-8859-1?Q?MA=C1N_ABU_SHAQRA?=) Date: Thu, 18 Oct 2018 07:07:38 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References: , Message-ID: Hi All, @fatema bannatwala im having 2 different interfaces each with 6 workers using af_packet as a load balancer, ive tried the script provided and it showed that both interfaces are streaming same dns/http logs. so i disabled one interface and reduced workers to 3 and kept monitoring one interface only. on conn.log im getting below: 1536746523.249570 CbQGeN3yuYTKQd6xE 10.1.196.178 52851 10.190.129.250 53 udp dns 11.342418 264 88 SF T T 0 Dd 6 432 2 144 (empty) worker-em1-1 on dns.log 1536746526.252543 CbQGeN3yuYTKQd6xE 10.1.196.178 52851 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746526.252634 CbQGeN3yuYTKQd6xE 10.1.196.178 52851 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283534 CbQGeN3yuYTKQd6xE 10.1.196.178 52851 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283625 CbQGeN3yuYTKQd6xE 10.1.196.178 52852 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746526.252543 CbQGeN3yuYTKQd6xE 10.1.196.178 52852 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746526.252634 CbQGeN3yuYTKQd6xE 10.1.196.178 52852 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283534 CbQGeN3yuYTKQd6xE 10.1.196.178 52852 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283625 CbQGeN3yuYTKQd6xE 10.1.196.178 52852 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283625 CbQGeN3yuYTKQd6xE 10.1.196.178 52853 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283625 CbQGeN3yuYTKQd6xE 10.1.196.178 52853 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F 1536746530.283625 CbQGeN3yuYTKQd6xE 10.1.196.178 52853 10.190.129.250 53 udp 59985 - 100.2.116.192.in-addr.arpa 1 C_INTERNET 12 PTR - - F ive also checked the http://try.bro.org/ and ran the exercies , and found the same issue. Try Bro try.bro.org Hello World. Welcome to our interactive Bro tutorial. Click run and see the Bro magic happen. You may need to scroll down a bit to get to the output. the problem is im using the apapche kafka plugin with apache metron and seeing huge amount of duplicate DNS events and UIDs. i have tried to filter out duplicates in the local.bro using below script. Log::add_filter(DNS::LOG, [ $name = "kafka-dns", $writer = Log::WRITER_KAFKAWRITER, $pred(rec: DNS::Info) = { return ! (( |rec$uid| == |rec$uid| )); }, $config = table( ["metadata.broker.list"] = "localhost:9092" ) ]); but got nothing because all dns entries are duplicated. can anyone help me with the syntax of the above code. thanks ________________________________ From: bro-bounces at bro.org on behalf of Jan Grash?fer Sent: Thursday, October 4, 2018 4:33 PM To: bro at bro.org Subject: Re: [Bro] is there a bro script to ignore duplicated logs? On 04/10/2018 14:57, fatema bannatwala wrote: > You can run this script and see if the duplicate connections are happening > on which workers and go from there: This can be further automated by using Justins bro-doctor script available as a package: https://github.com/ncsa/bro-doctor [https://avatars0.githubusercontent.com/u/7528333?s=400&v=4] GitHub - ncsa/bro-doctor github.com Bro Doctor. This plugin provides a "doctor.bro" command for broctl that will help to troubleshoot various common cluster problems. This plugin runs the following checks: Jan _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181018/febc9c2e/attachment-0001.html From bill.de.ping at gmail.com Thu Oct 18 02:36:34 2018 From: bill.de.ping at gmail.com (william de ping) Date: Thu, 18 Oct 2018 12:36:34 +0300 Subject: [Bro] - time diff between bro logs and host clock Message-ID: Hi all, Any idea why new bro logs epoch timestamp is about 1 hour earlier than the actual clock of the host ? I am running a cluster and I was wondering how to fix this issue. Thank you, B -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181018/f06eefd3/attachment.html From jazoff at illinois.edu Thu Oct 18 06:54:36 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Thu, 18 Oct 2018 13:54:36 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References:

Message-ID: <3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> Can you post your node.cfg? It looks like you may have told bro to load balance, but you are not actually using the af_packet plugin. as in, you have interface=em1 lb_method=custom lb_procs=6 instead of interface=af_packet::em1 lb_method=custom lb_procs=6 ? Justin Azoff > On Oct 18, 2018, at 3:07 AM, MA?N ABU SHAQRA wrote: > > Hi All, > > @fatema bannatwala im having 2 different interfaces each with 6 workers using af_packet as a load balancer, ive tried the script provided and it showed that both interfaces are streaming same dns/http logs. so i disabled one interface and reduced workers to 3 and kept monitoring one interface only. on conn.log im getting below: > > 1536746523.249570 > CbQGeN3yuYTKQd6xE > 10.1.196.178 52851 > 10.190.129.250 53 > udp dns > 11.342418 264 > 88 SF > T T > 0 Dd > 6 432 > 2 144 > (empty) worker-em1-1 > on dns.log > > 1536746526.252543 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52851 10.190.129.250 > 53 udp > 59985 - > 100.2.116.192.in-addr.arpa 1 > C_INTERNET 12 > PTR - > - F > 1536746526.252634 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52851 10.190.129.250 > 53 udp > 59985 - > 100.2.116.192.in-addr.arpa 1 > C_INTERNET 12 > PTR - > - F > 1536746530.283534 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52851 10.190.129.250 > 53 udp > 59985 - > 100.2.116.192.in-addr.arpa 1 > C_INTERNET 12 > PTR - > - F > 1536746530.283625 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52852 10.190.129.250 > 53 udp > 59985 - > 100.2.116.192.in-addr.arpa 1 > C_INTERNET 12 > PTR - > - F > 1536746526.252543 > CbQGeN3yuYTKQd6xE > 10.1.196.178 52852 > 10.190.129.250 53 > udp 59985 > - 100.2.116.192.in-addr.arpa > 1 C_INTERNET > 12 PTR > - - > F > 1536746526.252634 > CbQGeN3yuYTKQd6xE > 10.1.196.178 52852 > 10.190.129.250 53 > udp 59985 > - 100.2.116.192.in-addr.arpa > 1 C_INTERNET > 12 PTR > - - > F > 1536746530.283534 > CbQGeN3yuYTKQd6xE > 10.1.196.178 52852 > 10.190.129.250 53 > udp 59985 > - 100.2.116.192.in-addr.arpa > 1 C_INTERNET > 12 PTR > - - > F > 1536746530.283625 > CbQGeN3yuYTKQd6xE > 10.1.196.178 52852 > 10.190.129.250 53 > udp 59985 > - 100.2.116.192.in-addr.arpa > 1 C_INTERNET > 12 PTR > - - > F > 1536746530.283625 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52853 > 10.190.129.250 > 53 > udp > 59985 > - > 100.2.116.192.in-addr.arpa > 1 > C_INTERNET > 12 > PTR > - > - > F > 1536746530.283625 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52853 > 10.190.129.250 > 53 > udp > 59985 > - > 100.2.116.192.in-addr.arpa > 1 > C_INTERNET > 12 > PTR > - > - > F > 1536746530.283625 > CbQGeN3yuYTKQd6xE > 10.1.196.178 > 52853 > 10.190.129.250 > 53 > udp > 59985 > - > 100.2.116.192.in-addr.arpa > 1 > C_INTERNET > 12 > PTR > - > - > F > > ive also checked the http://try.bro.org/ and ran the exercies , and found the same issue. > Try Bro > try.bro.org > Hello World. Welcome to our interactive Bro tutorial. Click run and see the Bro magic happen. You may need to scroll down a bit to get to the output. > the problem is im using the apapche kafka plugin with apache metron and seeing huge amount of duplicate DNS events and UIDs. i have tried to filter out duplicates in the local.bro using below script. > > Log::add_filter(DNS::LOG, [ > $name = "kafka-dns", > $writer = Log::WRITER_KAFKAWRITER, > $pred(rec: DNS::Info) = { return ! (( |rec$uid| == > |rec$uid| )); }, > $config = table( > ["metadata.broker.list"] = "localhost:9092" > ) > ]); > > but got nothing because all dns entries are duplicated. can anyone help me with the syntax of the above code. > > thanks > > > > From: bro-bounces at bro.org on behalf of Jan Grash?fer > Sent: Thursday, October 4, 2018 4:33 PM > To: bro at bro.org > Subject: Re: [Bro] is there a bro script to ignore duplicated logs? > > On 04/10/2018 14:57, fatema bannatwala wrote: > > You can run this script and see if the duplicate connections are happening > > on which workers and go from there: > > This can be further automated by using Justins bro-doctor script > available as a package: https://github.com/ncsa/bro-doctor > > GitHub - ncsa/bro-doctor > github.com > Bro Doctor. This plugin provides a "doctor.bro" command for broctl that will help to troubleshoot various common cluster problems. This plugin runs the following checks: > > > > Jan > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From maanamen at hotmail.com Thu Oct 18 06:58:20 2018 From: maanamen at hotmail.com (=?utf-8?B?TUHDgU4gQUJVIFNIQVFSQQ==?=) Date: Thu, 18 Oct 2018 13:58:20 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: <3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> References:

, <3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> Message-ID: Hi Justin, It is actually set as af_packet::em1 MA?AN ABUSHAQRA Dubai, UAE +971501201752 > On Oct 18, 2018, at 5:54 PM, Azoff, Justin S wrote: > > Can you post your node.cfg? It looks like you may have told bro to load balance, but you are not actually using the af_packet plugin. > > as in, you have > > interface=em1 > lb_method=custom > lb_procs=6 > > instead of > > interface=af_packet::em1 > lb_method=custom > lb_procs=6 > > ? > Justin Azoff > >> On Oct 18, 2018, at 3:07 AM, MA?N ABU SHAQRA wrote: >> >> Hi All, >> >> @fatema bannatwala im having 2 different interfaces each with 6 workers using af_packet as a load balancer, ive tried the script provided and it showed that both interfaces are streaming same dns/http logs. so i disabled one interface and reduced workers to 3 and kept monitoring one interface only. on conn.log im getting below: >> >> 1536746523.249570 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 52851 >> 10.190.129.250 53 >> udp dns >> 11.342418 264 >> 88 SF >> T T >> 0 Dd >> 6 432 >> 2 144 >> (empty) worker-em1-1 >> on dns.log >> >> 1536746526.252543 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52851 10.190.129.250 >> 53 udp >> 59985 - >> 100.2.116.192.in-addr.arpa 1 >> C_INTERNET 12 >> PTR - >> - F >> 1536746526.252634 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52851 10.190.129.250 >> 53 udp >> 59985 - >> 100.2.116.192.in-addr.arpa 1 >> C_INTERNET 12 >> PTR - >> - F >> 1536746530.283534 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52851 10.190.129.250 >> 53 udp >> 59985 - >> 100.2.116.192.in-addr.arpa 1 >> C_INTERNET 12 >> PTR - >> - F >> 1536746530.283625 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52852 10.190.129.250 >> 53 udp >> 59985 - >> 100.2.116.192.in-addr.arpa 1 >> C_INTERNET 12 >> PTR - >> - F >> 1536746526.252543 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 52852 >> 10.190.129.250 53 >> udp 59985 >> - 100.2.116.192.in-addr.arpa >> 1 C_INTERNET >> 12 PTR >> - - >> F >> 1536746526.252634 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 52852 >> 10.190.129.250 53 >> udp 59985 >> - 100.2.116.192.in-addr.arpa >> 1 C_INTERNET >> 12 PTR >> - - >> F >> 1536746530.283534 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 52852 >> 10.190.129.250 53 >> udp 59985 >> - 100.2.116.192.in-addr.arpa >> 1 C_INTERNET >> 12 PTR >> - - >> F >> 1536746530.283625 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 52852 >> 10.190.129.250 53 >> udp 59985 >> - 100.2.116.192.in-addr.arpa >> 1 C_INTERNET >> 12 PTR >> - - >> F >> 1536746530.283625 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52853 >> 10.190.129.250 >> 53 >> udp >> 59985 >> - >> 100.2.116.192.in-addr.arpa >> 1 >> C_INTERNET >> 12 >> PTR >> - >> - >> F >> 1536746530.283625 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52853 >> 10.190.129.250 >> 53 >> udp >> 59985 >> - >> 100.2.116.192.in-addr.arpa >> 1 >> C_INTERNET >> 12 >> PTR >> - >> - >> F >> 1536746530.283625 >> CbQGeN3yuYTKQd6xE >> 10.1.196.178 >> 52853 >> 10.190.129.250 >> 53 >> udp >> 59985 >> - >> 100.2.116.192.in-addr.arpa >> 1 >> C_INTERNET >> 12 >> PTR >> - >> - >> F >> >> ive also checked the http://try.bro.org/ and ran the exercies , and found the same issue. >> Try Bro >> try.bro.org >> Hello World. Welcome to our interactive Bro tutorial. Click run and see the Bro magic happen. You may need to scroll down a bit to get to the output. >> the problem is im using the apapche kafka plugin with apache metron and seeing huge amount of duplicate DNS events and UIDs. i have tried to filter out duplicates in the local.bro using below script. >> >> Log::add_filter(DNS::LOG, [ >> $name = "kafka-dns", >> $writer = Log::WRITER_KAFKAWRITER, >> $pred(rec: DNS::Info) = { return ! (( |rec$uid| == >> |rec$uid| )); }, >> $config = table( >> ["metadata.broker.list"] = "localhost:9092" >> ) >> ]); >> >> but got nothing because all dns entries are duplicated. can anyone help me with the syntax of the above code. >> >> thanks >> >> >> >> From: bro-bounces at bro.org on behalf of Jan Grash?fer >> Sent: Thursday, October 4, 2018 4:33 PM >> To: bro at bro.org >> Subject: Re: [Bro] is there a bro script to ignore duplicated logs? >> >>> On 04/10/2018 14:57, fatema bannatwala wrote: >>> You can run this script and see if the duplicate connections are happening >>> on which workers and go from there: >> >> This can be further automated by using Justins bro-doctor script >> available as a package: https://github.com/ncsa/bro-doctor >> >> GitHub - ncsa/bro-doctor >> github.com >> Bro Doctor. This plugin provides a "doctor.bro" command for broctl that will help to troubleshoot various common cluster problems. This plugin runs the following checks: >> >> >> >> Jan >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From jazoff at illinois.edu Thu Oct 18 07:00:24 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Thu, 18 Oct 2018 14:00:24 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References:

<3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> Message-ID: <013CBD06-4299-4515-A941-705A8CCAFD6A@illinois.edu> > On Oct 18, 2018, at 9:58 AM, MA?N ABU SHAQRA wrote: > > Hi Justin, > > It is actually set as af_packet::em1 Oh :( What did you mean by > ive also checked the http://try.bro.org/ and ran the exercies , and found the same issue. Do you mean you uploaded a pcap file and that showed the same duplicated logs? If so, how did you obtain that pcap? ? Justin Azoff From maanamen at hotmail.com Thu Oct 18 07:05:31 2018 From: maanamen at hotmail.com (=?utf-8?B?TUHDgU4gQUJVIFNIQVFSQQ==?=) Date: Thu, 18 Oct 2018 14:05:31 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: <013CBD06-4299-4515-A941-705A8CCAFD6A@illinois.edu> References:

<3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> , <013CBD06-4299-4515-A941-705A8CCAFD6A@illinois.edu> Message-ID: No I didn?t upload a pcap, the provided pcaps on the website show duplicate dns UIDs. I suspect that it?s a duplicated packets issue as I?ve analyzed some traffic on wireshark and it had no duplicates. I?d appreciate it if anyone can assist with this, Thanks MA?AN ABUSHAQRA Dubai, UAE > On Oct 18, 2018, at 6:00 PM, Azoff, Justin S wrote: > > >> On Oct 18, 2018, at 9:58 AM, MA?N ABU SHAQRA wrote: >> >> Hi Justin, >> >> It is actually set as af_packet::em1 > > > Oh :( > > What did you mean by > >> ive also checked the http://try.bro.org/ and ran the exercies , and found the same issue. > > Do you mean you uploaded a pcap file and that showed the same duplicated logs? > If so, how did you obtain that pcap? > > > ? > Justin Azoff > From jazoff at illinois.edu Thu Oct 18 07:29:59 2018 From: jazoff at illinois.edu (Azoff, Justin S) Date: Thu, 18 Oct 2018 14:29:59 +0000 Subject: [Bro] is there a bro script to ignore duplicated logs? In-Reply-To: References:

<3C502349-3446-4ADA-9556-9CC876CBE0A2@illinois.edu> <013CBD06-4299-4515-A941-705A8CCAFD6A@illinois.edu> Message-ID: <1E3C7662-1EF5-4306-87A7-8041DB7153EC@illinois.edu> > On Oct 18, 2018, at 10:05 AM, MA?N ABU SHAQRA wrote: > > No I didn?t upload a pcap, the provided pcaps on the website show duplicate dns UIDs. I suspect that it?s a duplicated packets issue as I?ve analyzed some traffic on wireshark and it had no duplicates. > > I?d appreciate it if anyone can assist with this, > > Thanks > > MA?AN ABUSHAQRA > Dubai, UAE > Oh, yes, I see what you are saying now. The repeated entries i see on the pcap on try.bro.org are from netbios queries that are all broadcast queries for WORKGROUP. I believe those are actually just repeated broadcasts with the same 5 tuple which is what causes the duplicates. At this point with your traffic I would stop bro and run a simple tcpdump to generate a pcap file while you generate some known traffic (like a small file download over HTTP) and then inspect the resulting pcap file. You could also set lb_procs=1 to ensure that there is only one bro process running to rule out any issue with af_packet load balancing. One weird thing I see is that for your conn.log entry: 1536746523.249570 CbQGeN3yuYTKQd6xE 10.1.196.178 52851 10.190.129.250 53 udp dns 11.342418 264 88 SF T T 0 Dd 6 432 2 144 (empty) worker-em1-1 The 6 and 2 are orig_pkts and resp_pkts. For a simple DNS lookup, you would expect orig_pkts and resp_pkts to both be one.. one packet for the query and then one packet for the response. But your bro worker somehow saw 6 packets for the query and 2 packets for the response. ? Justin Azoff From fatema.bannatwala at gmail.com Thu Oct 18 07:41:13 2018 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Thu, 18 Oct 2018 10:41:13 -0400 Subject: [Bro] Bro load with no traffic Message-ID: Does anyone know why Bro would be using resources when no traffic flowing to the sensor? Recently we were having some ECC errors on one of our sensors and turned off the traffic to that sensor for troubleshooting purposes. Noticed that the load was pretty high (~7) on that sensor, and was wondering what Bro must be doing that would cause that load, shouldn't it be just waiting for the packets without using much cpu/memory resources on the box? Stats when no traffic flowing to the sensor, bro processes running because of cron on manager kicking the bro processes on the workers: $ top top - 12:18:17 up 13 days, 19:12, 2 users, * load average: 6.72, 7.05, 7.34* Tasks: 555 total, 9 running, 546 sleeping, 0 stopped, 0 zombie %Cpu(s): 9.7 us, 5.7 sy, 0.0 ni, 84.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st KiB Mem : 13191564+total, 95957600 free, 32708392 used, 3249652 buff/cache KiB Swap: 8388600 total, 8388600 free, 0 used. 98285016 avail Mem When the traffic was turned back on, load average: $ top top - 10:39:52 up 1 day, 19:02, 2 users, load average: 12.89, 12.89, 12.82 Tasks: 551 total, 11 running, 540 sleeping, 0 stopped, 0 zombie %Cpu(s): 20.9 us, 6.1 sy, 0.1 ni, 72.4 id, 0.0 wa, 0.0 hi, 0.5 si, 0.0 st KiB Mem : 11540057+total, 59135456 free, 52346920 used, 3918204 buff/cache KiB Swap: 8388600 total, 8388600 free, 0 used. 62253548 avail Mem Any thoughts? :) Thanks, Fatema -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181018/b291fb2f/attachment.html From seth at corelight.com Thu Oct 18 09:38:16 2018 From: seth at corelight.com (Seth Hall) Date: Thu, 18 Oct 2018 12:38:16 -0400 Subject: [Bro] - time diff between bro logs and host clock In-Reply-To: References: Message-ID: <6BD28710-BA74-40A4-9F78-853D54EF875A@corelight.com> On 18 Oct 2018, at 5:36, william de ping wrote: > Any idea why new bro logs epoch timestamp is about 1 hour earlier than > the actual clock of the host ? Is it possible that you are converting timestamps into something readable on a system where the timezone is set differently than you expect? One hour off seems suspicious to me as though it might be a timezone issue (although the unix epoch timestamp doesn't have a timezone built into it so the application of timezone only happens when you do the conversion for viewing). .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From jsiwek at corelight.com Thu Oct 18 15:26:40 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Thu, 18 Oct 2018 17:26:40 -0500 Subject: [Bro] Bro load with no traffic In-Reply-To: References: Message-ID: On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala wrote: > > Does anyone know why Bro would be using resources when no traffic flowing to the sensor? Currently, Bro's main loop never completely idles in absence of input, so something on the order of 5% cpu usage in absence of network traffic might still be "normal". Also note that that packets aren't the only input source. As an example, if you shut off traffic suddenly, but had a large backlog of Broker messages or continues to send/recv remote messages, that could be processing resources that Bro continues to use for some time. The event engine also continues on with any scheduled events, etc. So not particularly unexpected to hear there's some load in absence of packets, but hard to say specifically what causes the load in this case -- you may need to profile/trace if you're really interested. - Jon From fatema.bannatwala at gmail.com Fri Oct 19 12:13:09 2018 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Fri, 19 Oct 2018 15:13:09 -0400 Subject: [Bro] Bro load with no traffic In-Reply-To: References:

Message-ID: