From ossamabzos at gmail.com Sat Sep 1 10:54:18 2018
From: ossamabzos at gmail.com (bz Os)
Date: Sat, 1 Sep 2018 18:54:18 +0100
Subject: [Bro] meaning of those message in weird.log
Message-ID: 

Hello everybody,

I am doing a test of attack detection with Bro. Sometimes I have these messages in weird.log, and I want to know what they mean and what can be the cause of them. Please, I want to know what these mean:

dns_unmatched_msg
bad_TCP_checksum
truncated_tcp_payload
TCP_ack_underflow_or_misorder
inappropriate_FIN
dns_unmatched_reply
above_hole_data_without_any_acks
window_recision

Thanks

From cmason at cmason.us Sat Sep 1 11:34:42 2018
From: cmason at cmason.us (cmason at cmason.us)
Date: Sat, 01 Sep 2018 11:34:42 -0700
Subject: [Bro] meaning of those message in weird.log
In-Reply-To: 
References: 
Message-ID: <59da9cd71c4e81107793a230331744c0@cmason.us>

I would also like to know what is the meaning of emailing a new user their password in plain text? This happened. I hope people aren't depending on this system for anything serious, because if that password was sent once like that, it could be a habit.

On 2018-09-01 10:54, bz Os wrote:
> Hello everybody,
> I am doing a test of attack detection with Bro. Sometimes I have these messages in weird.log, and I want to know what they mean and what can be the cause of them.
> Please, I want to know what these mean:
> dns_unmatched_msg
> bad_TCP_checksum
> truncated_tcp_payload
> TCP_ack_underflow_or_misorder
> inappropriate_FIN
> dns_unmatched_reply
> above_hole_data_without_any_acks
> window_recision
>
> Thanks
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From wangdj at ffcs.cn Mon Sep 3 02:56:49 2018
From: wangdj at ffcs.cn (wangdj at ffcs.cn)
Date: Mon, 3 Sep 2018 17:56:49 +0800
Subject: [Bro] Warning of "did not find requested field indicator" from intelligence data file
References: <2018082716104988396524@ffcs.cn>, 
Message-ID: <2018090317564746233948@ffcs.cn>

Hi Jan,

Thanks for your reply. The header in the myintel.txt file is tab-separated. I will check the second reason you told me.

Best Regards
DeJin Wang

From: Jan Grashöfer
Date: 2018-08-28 17:01
To: bro
Subject: Re: [Bro] Warning of "did not find requested field indicator" from intelligence data file

On 27/08/18 10:10, wangdj at ffcs.cn wrote:
> when i run this script with command "./bro -i eth3 mytest" on a shell terminal and run "ping 14.215.177.39" command on another shell terminal, i got the following warning and :
> warning: ./myintel.txt/Input::READER_ASCII: Did not find requested field indicator in input data file ./myintel.txt.

Keep in mind that the header has to be tab-separated. Furthermore, the default seen scripts report only IPs of established TCP connections (see https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/conn-established.bro).

Jan

From sansan94 at mail.ru Wed Sep 5 02:31:54 2018
From: sansan94 at mail.ru (Александр Кубышин)
Date: Wed, 05 Sep 2018 12:31:54 +0300
Subject: [Bro] Trouble with pppoe-traffic
Message-ID: <1536139914.888485850@f344.i.mail.ru>

Good day all,

My IDS server receives mirrored traffic from the switch.
In addition to classic traffic, I also see PPPoE traffic. But why does Bro not recognize this traffic? What could be the problem? What kind of customization is needed for Bro to see this type of traffic?

Here are links to samples of this traffic:

* https://www.dropbox.com/s/2fdxpdxkv0pm31s/pppoe_get.pcap?dl=0
* https://www.dropbox.com/s/jb6yazrfeydtrqm/pppoe_get2.pcap?dl=0

-- 
Alexander Kubyshin

From seth at corelight.com Wed Sep 5 12:06:17 2018
From: seth at corelight.com (Seth Hall)
Date: Wed, 05 Sep 2018 15:06:17 -0400
Subject: [Bro] Trouble with pppoe-traffic
In-Reply-To: <1536139914.888485850@f344.i.mail.ru>
References: <1536139914.888485850@f344.i.mail.ru>
Message-ID: <459D3A55-C4CB-48CC-A269-1E4659A43E2A@corelight.com>

What version of Bro are you running? In your pppoe_get2.pcap file Bro 2.5.3 worked fine for me. I got all of the files that I would expect.

The reason the other file didn't work is that your HTTP request in that one doesn't have the TCP handshake and Bro's HTTP analyzer is sensitive to not having the handshake. If the handshake is missing Bro will currently not analyze the connection as HTTP.

.Seth

On 5 Sep 2018, at 5:31, Александр Кубышин wrote:

> Good day all,
>
> My IDS server receives mirrored traffic from the switch. In addition
> to classic traffic, I also see PPPoE traffic.
> But why does Bro not recognize this traffic? What could be the
> problem?
>
> What kind of customization is needed for Bro to see this type of
> traffic?
>
> Here are links to samples of this traffic:
>
> * https://www.dropbox.com/s/2fdxpdxkv0pm31s/pppoe_get.pcap?dl=0
> * https://www.dropbox.com/s/jb6yazrfeydtrqm/pppoe_get2.pcap?dl=0
>
> -- 
> Alexander Kubyshin

-- 
Seth Hall * Corelight, Inc * www.corelight.com

From DMurphy at lfcu.com Wed Sep 5 15:18:05 2018
From: DMurphy at lfcu.com (Dillon Murphy)
Date: Wed, 5 Sep 2018 22:18:05 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
Message-ID: 

Hello everyone,

I can't seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.

@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        notice::icmp_data_exfil,
    };

    # Whitelisted hosts; the "=" was missing in the posted copy, which does not parse.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;

    SumStats::observe("Messages",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event bro_init()
    {
    local messages_reducer = SumStats::Reducer($stream="Messages", $apply=set(SumStats::SUM));
    SumStats::create([$name = "messages",
                      $epoch = icmp_interval,
                      $reducers = set(messages_reducer),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["Messages"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local dur = icmp_interval;
                          NOTICE([$note=notice::icmp_data_exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %s/%s ICMP messages in %s",
                                           key$host, result["Messages"]$sum, icmp_per_query_interval, dur),
                                  $sub=fmt("Severity: 7"),
                                  $suppress_for=10mins,
                                  $identifier=cat(key$host)]);
                          }
                      ]);
    }

How do I get it to stop counting and not send a notice if an IP is in a white list?

Thanks!

From carlrotenan at gmail.com Wed Sep 5 17:42:39 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Wed, 5 Sep 2018 20:42:39 -0400
Subject: [Bro] Filemagic
Message-ID: 

Hello,

Is there a way to dump all the file magic signatures and their corresponding strength in 2.5.5?

Thanks,
Carl

From jazoff at illinois.edu Thu Sep 6 06:40:46 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 6 Sep 2018 13:40:46 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: 
References: 
Message-ID: 

> On Sep 5, 2018, at 6:18 PM, Dillon Murphy wrote:
>
> Hello everyone,
>
> I can't seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
>     redef enum Notice::Type += {
>         notice::icmp_data_exfil,
>     };
>
>     const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
>     const icmp_interval = 2min &redef;
>     const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c: connection)
>     {
>     if ( c$id$orig_h in frequent_icmp_senders ) return;
>     if ( c$id$resp_h in frequent_icmp_senders ) return;
>
>     SumStats::observe("Messages",
>                       SumStats::Key($host=c$id$orig_h),
>                       SumStats::Observation($num=1));
>     }
>

That looks right to me. If the orig or resp hosts are in frequent_icmp_senders observe() will never be called and the connections will be effectively ignored.

This issue wouldn't have anything to do with sumstats.. if there is a problem it would be with the logic in how observe() is called initially. It could be as simple as a typo of the IP in the frequent senders set.

-- 
Justin Azoff

From jsiwek at corelight.com Thu Sep 6 08:23:54 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 6 Sep 2018 10:23:54 -0500
Subject: [Bro] Filemagic
In-Reply-To: 
References: 
Message-ID: 

On Wed, Sep 5, 2018 at 7:54 PM Carl Rotenan wrote:

> Is there a way to dump all the file magic signatures and their corresponding strength in 2.5.5?

The information should all be available in the files at [1] and I'm only aware of this way of getting Bro to dump related debug information:

    bro -b --debug-rules base/frameworks/files/magic

Beyond that, you may have to do your own parsing or hack something in to output in the format you want.

- Jon

[1] https://github.com/bro/bro/tree/v2.5.5/scripts/base/frameworks/files/magic

From carlrotenan at gmail.com Thu Sep 6 12:38:41 2018
From: carlrotenan at gmail.com (Carl Rotenan)
Date: Thu, 6 Sep 2018 15:38:41 -0400
Subject: [Bro] Network traffic events
Message-ID: 

Does anyone know the performance impact of running network based signatures on Bro?
I understand that Suricata is a better choice for this task, but the file extraction in the latest versions seems to be borked.

Thanks

From smithr at phirelight.com Thu Sep 6 12:48:06 2018
From: smithr at phirelight.com (Rob Smith)
Date: Thu, 6 Sep 2018 15:48:06 -0400
Subject: [Bro] Analysers for IoT protocols
Message-ID: 

Newbie here,

I am trying to find analysers for IoT protocols (MQTT, CoAP, etc). I have been unable to locate any. I thought I'd reach out and see if anyone has been looking for the same and whether or not something is available.

If this has been covered in previous threads, my apologies.

Rob Smith
Senior Solutions Architect
Phirelight Support

Phirelight Security Solutions Inc.
293 MacLaren Street
Ottawa, Ontario, K2P 0L9

tel: + 1 (613) 276-8443 Ext. 325
cel: + 1 (613) 617-8443
alt: + 1 (877) 672-8070
fax: + 1 (613) 422-8475
email: smithr at phirelight.com
web: www.phirelight.com
twitter: @PhirelightInc
linkedin: Phirelight

This communication contains confidential information intended solely for the use of the individual(s) and/or entity or entities to whom it was intended to be addressed. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this transmission is prohibited. If you have received this communication in error, please contact the sender immediately, delete the communication from your system and do not disclose its contents to any third party or use its contents. Any opinions expressed are solely those of the author and do not necessarily represent those of Phirelight Security Solutions Inc. unless otherwise specifically stated.
From DMurphy at lfcu.com Thu Sep 6 13:02:30 2018
From: DMurphy at lfcu.com (Dillon Murphy)
Date: Thu, 6 Sep 2018 20:02:30 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: 
References: 
Message-ID: 

Hey Justin,

I thought the same thing, but I rechecked the IP over and over again and it is correct. I've also added the whitelist to the script in many different ways, but still had no luck. I've been able to get this to work easily on all scripts that don't load the sumstats framework. I've rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I've tried to break and return in functions and events, but that didn't work.

I've even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what's in the white list. I'm no major bro scripting expert, but my vendor's engineer is a well-known bro scripter, and if they had no luck, my chances are slim.

It seems that it should be as easy as returning on any matching IP, but I guess not. I don't know what I'm missing, and I'm running out of ideas.

If you have any questions, please let me know.

Thank you for looking at my post!

---------------------------------------------------------------
Dillon Murphy | Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 | Burbank, CA 91510
(818) 565-2547 Direct
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com |
www.lfcu.com

From: Azoff, Justin S
Sent: Thursday, September 06, 2018 6:41 AM
To: Dillon Murphy
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs

> On Sep 5, 2018, at 6:18 PM, Dillon Murphy wrote:
>
> Hello everyone,
>
> I can't seem to figure out how to break out of scripts that trigger notices based on a sumstats function. I have a few Exfiltration scripts and my network scanner triggers many alerts. I only encounter this problem when sumstats is involved.
>

That looks right to me. If the orig or resp hosts are in frequent_icmp_senders observe() will never be called and the connections will be effectively ignored.

This issue wouldn't have anything to do with sumstats.. if there is a problem it would be with the logic in how observe() is called initially. It could be as simple as a typo of the IP in the frequent senders set.

-- 
Justin Azoff
From jazoff at illinois.edu Thu Sep 6 13:18:47 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 6 Sep 2018 20:18:47 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: 
References: 
Message-ID: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu>

> On Sep 6, 2018, at 4:02 PM, Dillon Murphy wrote:
>
> Hey Justin,
>
> I thought the same thing, but I rechecked the IP over and over again and it is correct. I've also added the whitelist to the script in many different ways, but still had no luck. I've been able to get this to work easily on all scripts that don't load the sumstats framework. I've rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I've tried to break and return in functions and events, but that didn't work.
>
> I've even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what's in the white list. I'm no major bro scripting expert, but my vendor's engineer is a well-known bro scripter, and if they had no luck, my chances are slim.
>
> It seems that it should be as easy as returning on any matching IP, but I guess not. I don't know what I'm missing, and I'm running out of ideas.
>
> If you have any questions, please let me know.
>
> Thank you for looking at my post!
>

Hard to tell what is wrong without seeing the scripts. As you say it IS as easy as returning early from a function when an IP matches. If you can share the complete script that is not working properly I can help you fix it :-)

-- 
Justin Azoff

From DMurphy at lfcu.com Thu Sep 6 13:42:31 2018
From: DMurphy at lfcu.com (Dillon Murphy)
Date: Thu, 6 Sep 2018 20:42:31 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu>
References: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu>
Message-ID: 

No problem at all. Here is the complete script. If you need one, I'll work on getting you a pcap to run it against.

Thank you Justin!

@load base/frameworks/sumstats
@load base/frameworks/notice

module Exfiltration;

export {
    redef enum Notice::Type += {
        notice::icmp_data_exfil,
    };

    # Whitelisted hosts; the "=" was missing in the posted copy, which does not parse.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
    const icmp_interval = 2min &redef;
    const icmp_per_query_interval = 120.0 &redef;
}

function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;
    if ( c$id$orig_h !in Site::local_nets ) return;
    if ( c$id$resp_h in Site::local_nets ) return;

    SumStats::observe("Messages",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event bro_init()
    {
    local messages_reducer = SumStats::Reducer($stream="Messages", $apply=set(SumStats::SUM));
    SumStats::create([$name = "messages",
                      $epoch = icmp_interval,
                      $reducers = set(messages_reducer),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["Messages"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local dur = icmp_interval;
                          NOTICE([$note=notice::icmp_data_exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %s/%s ICMP messages in %s",
                                           key$host, result["Messages"]$sum, icmp_per_query_interval, dur),
                                  $sub=fmt("Severity: 7"),
                                  $suppress_for=10mins,
                                  $identifier=cat(key$host)]);
                          }
                      ]);
    }

---------------------------------------------------------------
Dillon Murphy | Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 |
Burbank, CA 91510
(818) 565-2547 Direct
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com | www.lfcu.com

-----Original Message-----
From: Azoff, Justin S
Sent: Thursday, September 06, 2018 1:19 PM
To: Dillon Murphy
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs

> On Sep 6, 2018, at 4:02 PM, Dillon Murphy wrote:
>
> Hey Justin,
>
> I thought the same thing, but I rechecked the IP over and over again and it is correct. I've also added the whitelist to the script in many different ways, but still had no luck. I've been able to get this to work easily on all scripts that don't load the sumstats framework. I've rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I've tried to break and return in functions and events, but that didn't work.
>
> I've even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what's in the white list. I'm no major bro scripting expert, but my vendor's engineer is a well-known bro scripter, and if they had no luck, my chances are slim.
>
> It seems that it should be as easy as returning on any matching IP, but I guess not. I don't know what I'm missing, and I'm running out of ideas.
>
> If you have any questions, please let me know.
>
> Thank you for looking at my post!
>

Hard to tell what is wrong without seeing the scripts. As you say it IS as easy as returning early from a function when an IP matches. If you can share the complete script that is not working properly I can help you fix it :-)

-- 
Justin Azoff
From jazoff at illinois.edu Thu Sep 6 15:00:09 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 6 Sep 2018 22:00:09 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: 
References: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu>
Message-ID: <8B8190D7-9DA7-41A9-B2AA-B461088473A3@illinois.edu>

> On Sep 6, 2018, at 4:42 PM, Dillon Murphy wrote:
>
> No problem at all. Here is the complete script. If you need one, I'll work on getting you a pcap to run it against.
>
> Thank you Justin!
>
> @load base/frameworks/sumstats
> @load base/frameworks/notice
>
> module Exfiltration;
>
> export {
>     redef enum Notice::Type += {
>         notice::icmp_data_exfil,
>     };
>
>     const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;
>     const icmp_interval = 2min &redef;
>     const icmp_per_query_interval = 120.0 &redef;
> }
>
> function check_icmp(c: connection)
>     {
>     if ( c$id$orig_h in frequent_icmp_senders ) return;
>     if ( c$id$resp_h in frequent_icmp_senders ) return;
>     if ( c$id$orig_h !in Site::local_nets ) return;
>     if ( c$id$resp_h in Site::local_nets ) return;
>
>     SumStats::observe("Messages",
>                       SumStats::Key($host=c$id$orig_h),
>                       SumStats::Observation($num=1));
>     }

Huh.. well nothing calls this check_icmp function you have there so that script does nothing at all. This looks like a "The princess is in another castle" kind of thing.

Is something else calling SumStats::observe("Messages", ...

Normally the stream name you use would be named something like "http.sqli.attacker" or "ftp.failed_auth" or in your case "icmp.exfil.connection"

If you are just using "Messages", and using that same stream in more than one script, that would explain why you are seeing a lot of unexplained notices.

-- 
Justin Azoff

From DMurphy at lfcu.com Thu Sep 6 15:24:13 2018
From: DMurphy at lfcu.com (Dillon Murphy)
Date: Thu, 6 Sep 2018 22:24:13 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: <8B8190D7-9DA7-41A9-B2AA-B461088473A3@illinois.edu>
References: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu> <8B8190D7-9DA7-41A9-B2AA-B461088473A3@illinois.edu>
Message-ID: 

Hey Justin,

It looks like half the script is being removed every time I send it. Here is the other half.

event bro_init()
    {
    local messages_reducer = SumStats::Reducer($stream="Messages", $apply=set(SumStats::SUM));
    SumStats::create([$name = "messages",
                      $epoch = icmp_interval,
                      $reducers = set(messages_reducer),
                      $threshold = icmp_per_query_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["Messages"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          print key;
                          local dur = icmp_interval;
                          NOTICE([$note=notice::icmp_data_exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %s/%s ICMP messages in %s",
                                           key$host, result["Messages"]$sum, icmp_per_query_interval, dur),
                                  $sub=fmt("Severity: 7"),
                                  $suppress_for=10mins,
                                  $identifier=cat(key$host)]);
                          }
                      ]);
    }

---------------------------------------------------------------
Dillon Murphy | Information Security Operations Analyst I
Logix Federal Credit Union
P.O. Box 6759 | Burbank, CA 91510
(818) 565-2547 Direct
(888) 718-5328 ext. 2547 Toll Free
dmurphy at lfcu.com | www.lfcu.com

From: Azoff, Justin S
Sent: Thursday, September 06, 2018 3:00 PM
To: Dillon Murphy
Cc: bro at bro.org
Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs

> On Sep 6, 2018, at 4:42 PM, Dillon Murphy wrote:
>
> No problem at all. Here is the complete script. If you need one, I'll work on getting you a pcap to run it against.
>
> Thank you Justin!
>
> [complete script as posted above]

Huh.. well nothing calls this check_icmp function you have there so that script does nothing at all. This looks like a "The princess is in another castle" kind of thing.

Is something else calling SumStats::observe("Messages", ...

Normally the stream name you use would be named something like "http.sqli.attacker" or "ftp.failed_auth" or in your case "icmp.exfil.connection"

If you are just using "Messages", and using that same stream in more than one script, that would explain why you are seeing a lot of unexplained notices.

-- 
Justin Azoff
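Putting Justin's two points together (check_icmp is defined but never called, and a generic stream name like "Messages" can be fed by any other script that happens to use it), here is an added example of the same detection wired up end to end. This is my own code written for this page, not Dillon's script and not anything from the Bro project or his vendor. It assumes the counter should be driven from Bro's icmp_echo_request and icmp_echo_reply events, uses a stream name and a notice name of my choosing (Exfiltration::icmp.outbound and ICMP_Data_Exfil), and sets Site::local_nets to 10.0.0.0/8 purely for illustration.

```bro
# Added example (not from the original thread): an ICMP-volume notice that
# honours a whitelist, with the check function actually hooked to events
# and a stream name that no unrelated script is likely to reuse.
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/utils/site

module Exfiltration;

export {
    redef enum Notice::Type += {
        ## A local host sent more ICMP messages to non-local hosts in one
        ## epoch than icmp_per_interval allows.
        ICMP_Data_Exfil,
    };

    ## Whitelist: scanners, monitoring hosts, etc. Connections from or to
    ## these never reach SumStats::observe(), so they can never count.
    const frequent_icmp_senders: set[subnet] = { 192.168.0.1/32 } &redef;

    ## Measurement window and the per-window threshold.
    const icmp_interval = 2min &redef;
    const icmp_per_interval = 120.0 &redef;
}

# Assumed for this example only. If local_nets is left empty, the
# "orig_h !in Site::local_nets" test below rejects every connection,
# which looks exactly like a whitelist that works for everyone.
redef Site::local_nets += { 10.0.0.0/8 };

# Script-specific stream name. With a generic name such as "Messages",
# another script's observe() calls land in this counter too.
const icmp_stream = "Exfiltration::icmp.outbound";

function check_icmp(c: connection)
    {
    if ( c$id$orig_h in frequent_icmp_senders ) return;
    if ( c$id$resp_h in frequent_icmp_senders ) return;
    if ( c$id$orig_h !in Site::local_nets ) return;
    if ( c$id$resp_h in Site::local_nets ) return;

    SumStats::observe(icmp_stream,
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

# The posted script defined check_icmp but nothing invoked it. Hooking the
# echo events is one choice (assumed here); icmp_sent would cover every type.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    check_icmp(c);
    }

event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    check_icmp(c);
    }

event bro_init()
    {
    local r = SumStats::Reducer($stream=icmp_stream, $apply=set(SumStats::SUM));

    SumStats::create([$name="exfiltration-icmp-outbound",
                      $epoch=icmp_interval,
                      $reducers=set(r),
                      $threshold=icmp_per_interval,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result[icmp_stream]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=ICMP_Data_Exfil,
                                  $src=key$host,
                                  $msg=fmt("%s sent %.0f ICMP messages in %s (threshold %.0f)",
                                           key$host, result[icmp_stream]$sum,
                                           icmp_interval, icmp_per_interval),
                                  $identifier=cat(key$host),
                                  $suppress_for=10mins]);
                          }]);
    }
```

Run it against a capture with bro -r some.pcap icmp-exfil.bro, or @load it from local.bro. Because observe() is the only path into the stream, an address in frequent_icmp_senders is never counted at all rather than counted and then filtered. To confirm the whitelist from local.bro, add redef Exfiltration::frequent_icmp_senders += { 192.168.0.1/32 }; and check that notice.log stays empty for that host while a non-listed local host in the same capture still crosses the threshold. If notices still appear for a whitelisted host, grep the rest of the loaded scripts for the stream name; with a unique name as above, only this file can be the source.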
From jazoff at illinois.edu Thu Sep 6 15:44:58 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 6 Sep 2018 22:44:58 +0000
Subject: [Bro] Notice and Sumstats and how to whitelist IPs
In-Reply-To: 
References: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu> <8B8190D7-9DA7-41A9-B2AA-B461088473A3@illinois.edu>
Message-ID: <243789F0-D6AA-4826-BDA4-EEB206ECD7F8@illinois.edu>

> On Sep 6, 2018, at 6:24 PM, Dillon Murphy wrote:
>
> Hey Justin,
>
> It looks like half the script is being removed every time I send it. Here is the other half.

No.. I got that part. By itself, the script that you posted does not do anything. That check_icmp function is never called and may as well not exist, that's why nothing you put in there is changing the result.

You have another script that is also calling SumStats::observe("Messages",...) which is what is causing all the confusion. You should not use "Messages" as the stream name, and you should absolutely not use the same stream name in two different unrelated scripts.

-- 
Justin Azoff

From whh8b at virginia.edu Thu Sep 6 20:55:10 2018
From: whh8b at virginia.edu (Will Hawkins)
Date: Thu, 6 Sep 2018 23:55:10 -0400
Subject: [Bro] Analysers for IoT protocols
In-Reply-To: 
References: 
Message-ID: 

Found this on github: https://github.com/supriyask/Bro

I have a friend that uses MQTT extensively and he knows that there are wireshark dissectors for MQTT, but neither my friend nor I can verify that code from Github. Just thought I'd toss it out there in case you hadn't seen it.

Hope that helps!
Will

On Thu, Sep 6, 2018 at 3:48 PM, Rob Smith wrote:
> Newbie here,
>
> I am trying to find analysers for IoT protocols (MQTT, CoAP, etc). I have
> been unable to locate any.
> I thought I'd reach out and see if anyone has
> been looking for the same and whether or not something is available.
>
> If this has been covered in previous threads, my apologies.
>
> Rob Smith
> Senior Solutions Architect
> Phirelight Support
> Phirelight Security Solutions Inc.

From seth at corelight.com Fri Sep 7 10:48:36 2018
From: seth at corelight.com (Seth Hall)
Date: Fri, 07 Sep 2018 13:48:36 -0400
Subject: [Bro] Analysers for IoT protocols
In-Reply-To: 
References: 
Message-ID: <283EED48-AB8C-40F6-984A-49F70C440408@corelight.com>

I have turned that MQTT analyzer into a plugin (and done a bunch of extra work on it, including fixing some bugs).
https://github.com/sethhall/bro-mqtt

.Seth

On 6 Sep 2018, at 23:55, Will Hawkins wrote:

> Found this on github: https://github.com/supriyask/Bro
>
> I have a friend that uses MQTT extensively and he knows that there are
> wireshark dissectors for MQTT, but neither my friend nor I can verify
> that code from Github. Just thought I'd toss it out there in case you
> hadn't seen it.
>
> Hope that helps!
> Will
>
> On Thu, Sep 6, 2018 at 3:48 PM, Rob Smith wrote:
>> Newbie here,
>>
>> I am trying to find analysers for IoT protocols (MQTT, CoAP, etc). I
>> have been unable to locate any. I thought I'd reach out and see if anyone
>> has been looking for the same and whether or not something is available.
>>
>> If this has been covered in previous threads, my apologies.
>>
>> Rob Smith
>> Senior Solutions Architect
>> Phirelight Support
>> Phirelight Security Solutions Inc.
>> >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- Seth Hall * Corelight, Inc * www.corelight.com From whh8b at virginia.edu Fri Sep 7 11:04:27 2018 From: whh8b at virginia.edu (Will Hawkins) Date: Fri, 7 Sep 2018 14:04:27 -0400 Subject: [Bro] Analysers for IoT protocols In-Reply-To: <283EED48-AB8C-40F6-984A-49F70C440408@corelight.com> References: <283EED48-AB8C-40F6-984A-49F70C440408@corelight.com> Message-ID: Thanks for sending that along. Sorry I didn't link to yours in the first place. I just copied the first Google result that I found! :-) Will On Fri, Sep 7, 2018 at 1:48 PM, Seth Hall wrote: > I have turned that MQTT analyzer into a plugin (and done a bunch of extra > work on it, including fixing some bugs). > https://github.com/sethhall/bro-mqtt > > .Seth > > > On 6 Sep 2018, at 23:55, Will Hawkins wrote: > >> Found this on github: https://github.com/supriyask/Bro >> >> I have a friend that uses MQTT extensively and he knows that there are >> wireshark dissectors for MQTT, but neither my friend nor I can verify >> that code from Github. Just thought I'd toss it out there in case you >> hadn't seen it. >> >> Hope that helps! >> Will >> >> >> On Thu, Sep 6, 2018 at 3:48 PM, Rob Smith wrote: >>> >>> Newbie here, >>> >>> I am trying to find analysers for IoT protocols (MQTT, CoAP, etc). I >>> have >>> been unable to locate any. I thought I'd reach out and see if anyone has >>> been looking for the same and whether or not something is available. >>> >>> If this has been covered in previous threads, my apologies. >>> >>> >>> >>> Rob Smith >>> Senior Solutions Architect >>> Phirelight Support >>> >>> Phirelight Security Solutions Inc. 
>>> 293 MacLaren Street >>> Ottawa, Ontario, K2P 0L9 >>> >>> tel: + 1 (613) 276-8443 Ext. 325 >>> cel: + 1 (613) 617-8443 >>> alt: + 1 (877) 672-8070 >>> fax:+ 1 (613) 422-8475 >>> email: smithr at phirelight.com >>> web: www.phirelight.com >>> twitter: @PhirelightInc >>> linkedin: Phirelight >>> >>> This communication contains confidential information intended solely for >>> the >>> use of the individual(s) and/or entity or entities to whom it was >>> intended >>> to be addressed. If you are not the intended recipient, be aware that any >>> disclosure, copying, distribution or use of the contents of this >>> transmission is prohibited. If you have received this communication in >>> error, please contact the sender immediately, delete the communication >>> from >>> your system and do not disclose its contents to any third party or use >>> its >>> contents. Any opinions expressed are solely those of the author and do >>> not >>> necessarily represent those of Phirelight Security Solutions Inc. unless >>> otherwise specifically stated. >>> >>> >>> _______________________________________________ >>> Bro mailing list >>> bro at bro-ids.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > -- > Seth Hall * Corelight, Inc * www.corelight.com From smithr at phirelight.com Fri Sep 7 11:41:46 2018 From: smithr at phirelight.com (Rob Smith) Date: Fri, 7 Sep 2018 14:41:46 -0400 Subject: [Bro] Analysers for IoT protocols In-Reply-To: References: <283EED48-AB8C-40F6-984A-49F70C440408@corelight.com> Message-ID: Thanks guys. I'll be checking both out. Much appreciated. Rob On Fri, Sep 7, 2018 at 2:04 PM, Will Hawkins wrote: > Thanks for sending that along. Sorry I didn't link to yours in the > first place. I just copied the first Google result that I found! 
:-) > > Will > > On Fri, Sep 7, 2018 at 1:48 PM, Seth Hall wrote: > > I have turned that MQTT analyzer into a plugin (and done a bunch of extra > > work on it, including fixing some bugs). > > https://github.com/sethhall/bro-mqtt > > > > .Seth > > > > > > On 6 Sep 2018, at 23:55, Will Hawkins wrote: > > > >> Found this on github: https://github.com/supriyask/Bro > >> > >> I have a friend that uses MQTT extensively and he knows that there are > >> wireshark dissectors for MQTT, but neither my friend nor I can verify > >> that code from Github. Just thought I'd toss it out there in case you > >> hadn't seen it. > >> > >> Hope that helps! > >> Will > >> > >> > >> On Thu, Sep 6, 2018 at 3:48 PM, Rob Smith > wrote: > >>> > >>> Newbie here, > >>> > >>> I am trying to find analysers for IoT protocols (MQTT, CoAP, etc). I > >>> have > >>> been unable to locate any. I thought I'd reach out and see if anyone > has > >>> been looking for the same and whether or not something is available. > >>> > >>> If this has been covered in previous threads, my apologies. > >>> > >>> > >>> > > > >>> > >>> > >>> _______________________________________________ > >>> Bro mailing list > >>> bro at bro-ids.org > >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > >> > >> _______________________________________________ > >> Bro mailing list > >> bro at bro-ids.org > >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > > -- > > Seth Hall * Corelight, Inc * www.corelight.com > -- This communication contains confidential information intended solely for the use of the individual(s) and/or entity or entities to whom it was intended to be addressed. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this transmission is prohibited.? 
If you have received this communication in error, please contact the sender immediately, delete the communication from your system and do not disclose its contents to any third party or use its contents.? Any opinions expressed are solely those of the author and do not necessarily represent those of Phirelight Security Solutions Inc. unless otherwise specifically stated. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180907/6d78c19b/attachment-0001.html From DMurphy at lfcu.com Fri Sep 7 13:58:49 2018 From: DMurphy at lfcu.com (Dillon Murphy) Date: Fri, 7 Sep 2018 20:58:49 +0000 Subject: [Bro] Notice and Sumstats and how to whitelist IPs In-Reply-To: <243789F0-D6AA-4826-BDA4-EEB206ECD7F8@illinois.edu> References: <033D52CC-C94B-47DD-9F39-B5E421CE5B7D@illinois.edu> <8B8190D7-9DA7-41A9-B2AA-B461088473A3@illinois.edu> <243789F0-D6AA-4826-BDA4-EEB206ECD7F8@illinois.edu> Message-ID: I see. I forgot to add the ICMP event. I don?t know about the SumStats::observe("Messages"). I'll have to check on that. Thank you very much for your help Justin!! Dillon Murphy -----Original Message----- From: Azoff, Justin S Sent: Thursday, September 06, 2018 3:45 PM To: Dillon Murphy Cc: bro at bro.org Subject: Re: [Bro] Notice and Sumstats and how to whitelist IPs > On Sep 6, 2018, at 6:24 PM, Dillon Murphy wrote: > > Hey Justin, > > It looks like half the script is being removed every time I send it. Here is the other half. No.. I got that part. By itself, the script that you posted does not do anything. That check_icmp function is never called and may as well not exist, that's why nothing you put in there is changing the result. You have another script that is also calling SumStats::observe("Messages",...) which is what is causing all the confusion. You should not use "Messages" as the stream name, and you should absolutely not use the same stream name in two different unrelated scripts. ? 
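A worked version of the two points made in this reply, written for this thread as an added example (it is not the original poster's script and not one of Bro's own scripts): the observation is made from an event handler that actually fires, the stream name is specific to this script so another script's observations cannot be mixed into it, and whitelisted sources are skipped before anything is observed. The stream and notice names, the threshold, the epoch and the whitelist contents are assumptions chosen for the example; the icmp_echo_request signature is the Bro 2.5 one.

```bro
##! Count ICMP echo requests per originator with SumStats and raise a
##! notice when one source exceeds a threshold within an epoch.
##! Added example for the thread; names, threshold and whitelist are
##! assumptions, not values from the original scripts.

@load base/frameworks/notice
@load base/frameworks/sumstats

module ICMPEchoCount;

export {
	redef enum Notice::Type += {
		## A source sent more echo requests than allowed within one epoch.
		Echo_Request_Threshold
	};

	## Sources that are never counted (assumed values; redef as needed).
	const whitelist: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

	## Echo requests per source per epoch before a notice is raised.
	const threshold: double = 100.0 &redef;

	## Length of the counting window.
	const epoch: interval = 5 mins &redef;
}

## Stream name unique to this script. Reusing a generic name such as
## "Messages" in two scripts would merge their observations.
const stream = "icmpechocount.echo.request";

event bro_init()
	{
	local r: SumStats::Reducer = [$stream=stream, $apply=set(SumStats::SUM)];

	SumStats::create([$name="icmpechocount.per.source",
	                  $epoch=epoch,
	                  $reducers=set(r),
	                  $threshold=threshold,
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result[stream]$sum;
	                  	},
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	NOTICE([$note=Echo_Request_Threshold,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s sent %.0f ICMP echo requests in %s",
	                  	                 key$host, result[stream]$sum, epoch),
	                  	        $identifier=cat(key$host)]);
	                  	}]);
	}

## Skip whitelisted originators, otherwise record one observation for
## the source host. A function that nothing calls would never run, so
## it is invoked from the event handler below.
function check_icmp(c: connection)
	{
	if ( c$id$orig_h in whitelist )
		return;

	SumStats::observe(stream, [$host=c$id$orig_h], [$num=1]);
	}

# Bro 2.5 signature for this event (assumed to match the installed version).
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	{
	check_icmp(c);
	}
```

Load it from local.bro (or pass the file on the bro command line); nothing is counted until icmp_echo_request fires, and a second script that wants its own ICMP statistics should pick its own stream name rather than reuse this one.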
Justin Azoff


From sansan94 at mail.ru Mon Sep 10 06:20:35 2018
From: sansan94 at mail.ru (Александр Кубышин)
Date: Mon, 10 Sep 2018 16:20:35 +0300
Subject: [Bro] Trouble with pppoe-traffic
In-Reply-To: <459D3A55-C4CB-48CC-A269-1E4659A43E2A@corelight.com>
References: <1536139914.888485850@f344.i.mail.ru> <459D3A55-C4CB-48CC-A269-1E4659A43E2A@corelight.com>
Message-ID: <1536585635.421993694@f330.i.mail.ru>

In my system I use version Bro-2.5.2. Unfortunately I did not find the difference between the two versions, with respect to pppoe.

--
Александр Кубышин


From neslog at gmail.com Mon Sep 10 08:25:22 2018
From: neslog at gmail.com (Neslog)
Date: Mon, 10 Sep 2018 11:25:22 -0400
Subject: [Bro] bro-osquery - socket_events

Hello all -

I'm looking at gathering host processes that make connections to the network/internet. When trying out bro-osquery I'm getting the following error.

1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1
1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1

Here is my script:

event host_socket_event(resultInfo: osquery::ResultInfo, action: string, pid: int, path: string, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int, start_time: int, success: int)
	{
	print "host_socket_event";
	}

When looking at the socket_events table I'm not seeing any data. I am receiving the following error from auditd.

I0910 10:57:12.063364 1615 auditdnetlink.cpp:613] Failed to set the netlink owner
I0910 10:57:17.063714 1615 auditdnetlink.cpp:613] Failed to set the netlink owner

That is what I'm seeing while trying to run osqueryi. Has anyone run into this before?

Looks like there's an open ticket from the iBigQ guys stating that they cannot upgrade their version of OSQuery yet.
https://github.com/facebook/osquery/issues/4145

N


From mxmssh at gmail.com Mon Sep 10 11:07:24 2018
From: mxmssh at gmail.com (Maksim Shudrak)
Date: Mon, 10 Sep 2018 11:07:24 -0700
Subject: [Bro] Memory leak in Kerberos protocol parser

Hi everyone,

I am doing vulnerability research in Bro. Recently, I found these memory leaks in the Kerberos protocol analyzer:

1331918844.990000 expression error in /home/mshudrak/bro_hacking/bro/scripts/base/protocols/krb/./main.bro, line 143: field value missing [KRB::msg$service_name]
<----------truncated---------------->
Direct leak of 144 byte(s) in 1 object(s) allocated from:
    #0 0x9cc562 in operator new(unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x16d0f10 in binpac::KRB_TCP::proc_krb_kdc_req_arguments(binpac::KRB_TCP::KRB_KDC_REQ*, analyzer::Analyzer*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:5495:18
    #2 0x16d0994 in binpac::KRB_TCP::KRB_Conn::proc_krb_kdc_req_msg(binpac::KRB_TCP::KRB_KDC_REQ*) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:79:19
    #3 0x16f6038 in binpac::KRB_TCP::KRB_AS_REQ::Parse(unsigned char const*, unsigned char const*, binpac::KRB_TCP::ContextKRB_TCP*, int) /home/mshudrak/bro_hacking/bro/build/src/analyzer/protocol/krb/krb_TCP_pac.cc:3461:35
<-------------truncated---------------->

You can find the detailed report produced by Leak Sanitizer and a dump of traffic that reproduces this leak under the following links:
1) LASAN output: https://drive.google.com/open?id=1OQVYMaQyj9fEXgJICq3MUbI3-UIwCkNn
2) reproducer: https://drive.google.com/open?id=1tskWWs4MEph0tnIG5adU2Zxm-ukYD1fz

I compiled the last version of bro pulled from the github repo (bro version 2.5-962-debug). I compiled the project with clang-6.0 (as a part of llvm-6.0) using the following command line arguments:

Compile:
CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --enable-debug
ASAN_OPTIONS=detect_leaks=0 make -j

Run:
ASAN_OPTIONS=detect_odr_violation=0 ../build/src/bro -r last_4.pcap &> out

This leak happens for each Kerberos connection, which might lead to out-of-memory and DoS. I was able to write a simple exploit to cause DoS (usually takes 2-3 hours to force BRO to allocate 40-50GB of RAM without parallelization using Python sockets).

----------------------
Best regards,
Maksim Shudrak.
tel. +1-415-793-0894
skype: vitality_3


From jsiwek at corelight.com Mon Sep 10 16:10:24 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 10 Sep 2018 18:10:24 -0500
Subject: [Bro] Memory leak in Kerberos protocol parser

On Mon, Sep 10, 2018 at 1:35 PM Maksim Shudrak wrote:

> Recently, I found these memory leaks in the Kerberos protocol analyzer:

Thanks. See [1] for a fix, now in master branch.

- Jon

[1] https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533


From lagoon7 at gmail.com Mon Sep 10 19:58:33 2018
From: lagoon7 at gmail.com (Ludwig Goon)
Date: Mon, 10 Sep 2018 22:58:33 -0400
Subject: [Bro] BRO CRON JOBS and LogExpire Interval

BRO cron jobs in broctl.

1. Is there a way to see the current/scheduled cron jobs with "broctl cron"? Is there a flag or something that I should use on the command, like the ice cream commercial featuring her.

2. I have a bro sensor that has been up for over 200 days. I want to invoke the LogExpireInterval which was not set before.

2a. What is the correct way to specify 180 days? Is it LogExpireInterval = 180, OR LogExpireInterval = 180 day or LogExpireInterval = 180 Days?

3. Once I get that configured in broctl.cfg, I run either a broctl deploy command or a broctl install command. Will bro clean up all the log directories that are older than 180 days?

4. If the cron job is a script, how often is it run? Or how long does it take?


From dnthayer at illinois.edu Mon Sep 10 23:24:00 2018
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Tue, 11 Sep 2018 01:24:00 -0500
Subject: [Bro] BRO CRON JOBS and LogExpire Interval

On 9/10/18 9:58 PM, Ludwig Goon wrote:
> BRO cron jobs in broctl.
>
> 1. Is there a way to see the current/scheduled cron jobs with "broctl
> cron"? Is there a flag or something that I should use on the command,
> like the ice cream commercial featuring her.

Normally, you wouldn't need to run "broctl cron" directly, but instead you would create a cron job (using the "crontab" command), and the cron job would run "broctl cron". The "broctl cron" command is explained in the documentation:
https://www.bro.org/sphinx/components/broctl/README.html

> 2. I have a bro sensor that has been up for over 200 days. I want to
> invoke the LogExpireInterval which was not set before.
>
> 2a. What is the correct way to specify 180 days? Is it
> LogExpireInterval = 180, OR LogExpireInterval = 180 day or
> LogExpireInterval = 180 Days?

Look for "LogExpireInterval" in the documentation:
https://www.bro.org/sphinx/components/broctl/README.html#user-options

> 3. Once I get that configured in broctl.cfg, I run either a broctl
> deploy command or a broctl install command. Will bro clean up all the
> log directories that are older than 180 days?

Yes, but bro itself doesn't delete the logs, they will be removed the next time your cron job runs.


From yjohn9691 at gmail.com Tue Sep 11 12:37:14 2018
From: yjohn9691 at gmail.com (john Y)
Date: Tue, 11 Sep 2018 22:37:14 +0300
Subject: [Bro] local network warning

Hi there!

When I run the bro command "bro -r ./file.pcap ./script_path", this warning is shown: "no site :: local_nets have not been defined. its good idea to define your local network."

Why is it recommended to define the local network, although I am reading a pcap file? How do I define the network? Where?

Would love some help,
john


From jsiwek at corelight.com Tue Sep 11 13:45:26 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 11 Sep 2018 15:45:26 -0500
Subject: [Bro] local network warning

On Tue, Sep 11, 2018 at 2:45 PM john Y wrote:
> When I run the bro command "bro -r ./file.pcap ./script_path", this warning is shown: "no site :: local_nets have not been defined. its good idea to define your local network."
>
> Why is it recommended to define the local network, although I am reading a pcap file?

It's just a suggestion and typically only seen if you load the tunings/defaults/warnings.bro script, usually via site/local.bro. It's recommended because some scripts make decisions based on it and raise notices only if an event in question concerns a host in a local network. If you're only interested in using Bro for just the protocol analysis aspect of things and not interested in these sorts of policy decisions that it can make, you can probably just ignore the warning.

> How do I define the network? Where?

You can load a custom script that does something like:

redef Site::local_nets += { 192.168.0.0/16, 10.0.0.0/8 };

Or just add it to the command line:

bro -r ./file.pcap ./script_path "Site::local_nets += { 192.168.0.0/16, 10.0.0.0/8 }"

- Jon


From klehigh at iu.edu Wed Sep 12 06:42:35 2018
From: klehigh at iu.edu (Keith Lehigh)
Date: Wed, 12 Sep 2018 09:42:35 -0400
Subject: [Bro] BroCon 2018 Keynote and Schedule
Message-ID: <0DF8B28B-18A0-43F0-A51C-9FF5B9E09230@iu.edu>

Hi,

I wanted to update you on progress as we've been hard at work finalizing the speaker schedule for BroCon 2018. I think we'll have a diverse and exciting program this year. Most importantly, we'll have a great keynote. I'm happy to announce that Marcus Ranum has agreed to keynote BroCon this year. Marcus has many decades of experience in the security industry, at all levels from developing products to leadership positions. Marcus will bring his extensive experience to bear on the topic of "Challenges in Network Monitoring." I hope this will be a thought-provoking keynote. I'd like to thank Marcus for offering his time and insights to make BroCon 2018 an even more exciting event and I hope to see you all in D.C. in October!

You can find a press release about the keynote here: https://globenewswire.com/news-release/2018/09/12/1569854/0/en/BroCon-Announces-Security-Innovator-Marcus-J-Ranum-as-2018-Keynote.html

You can find the full speaker schedule including abstracts on the BroCon 2018 event site at https://www.brocon2018.com/event/schedule

- Keith
From huzhenming36 at gmail.com Thu Sep 13 02:22:55 2018
From: huzhenming36 at gmail.com (huzhenming36 at gmail.com)
Date: Thu, 13 Sep 2018 17:22:55 +0800
Subject: [Bro] BroCon 2018 Keynote and Schedule
References: <0DF8B28B-18A0-43F0-A51C-9FF5B9E09230@iu.edu>
Message-ID: <201809131722533200900@gmail.com>

I look forward to the opportunity of bro activities being held in Beijing, China.

huzhenming36 at gmail.com

From: Keith Lehigh
Date: 2018-09-12 21:42
To: bro
Subject: [Bro] BroCon 2018 Keynote and Schedule


From lionellevy25 at gmail.com Thu Sep 13 06:34:17 2018
From: lionellevy25 at gmail.com (Lionel Levy)
Date: Thu, 13 Sep 2018 09:34:17 -0400
Subject: [Bro] Meaning of Various Acronyms in State Field of Packet

Hi All,

I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.

CON .... Connected?
FIN ...... Finished?
TIM ....... ??
ECO ....... ??
INT ........ Interrupted?
RST ........ Reset?
ECR ......... Echo Reply?
URP ....... ??
CLO ........ ??
STA ........ ??
ACC ......... ??

Thanks much,
Lionel


From jazoff at illinois.edu Thu Sep 13 08:15:54 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 13 Sep 2018 15:15:54 +0000
Subject: [Bro] Meaning of Various Acronyms in State Field of Packet
Message-ID: <6E2CAC77-F1DD-4B71-9C92-CD907713CE16@illinois.edu>

> On Sep 13, 2018, at 9:34 AM, Lionel Levy wrote:
>
> I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.

Are you sure those came from Bro? Bro doesn't have a state field.. it does have a conn_state field, however the possible values of that field are completely different from what you listed.

A google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds http://nsmwiki.org/Argus which points to your data set being generated from Argus, not Bro.

Justin Azoff


From lionellevy25 at gmail.com Thu Sep 13 09:17:42 2018
From: lionellevy25 at gmail.com (Lionel Levy)
Date: Thu, 13 Sep 2018 12:17:42 -0400
Subject: [Bro] Meaning of Various Acronyms in State Field of Packet
In-Reply-To: <6E2CAC77-F1DD-4B71-9C92-CD907713CE16@illinois.edu>
References: <6E2CAC77-F1DD-4B71-9C92-CD907713CE16@illinois.edu>

Hi Justin,

Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)."

According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called "state", and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.

Regards,

Lionel


From neslog at gmail.com Thu Sep 13 10:31:35 2018
From: neslog at gmail.com (Neslog)
Date: Thu, 13 Sep 2018 13:31:35 -0400
Subject: [Bro] Writing to SSL log

I've extended the SSL log with 2 fields.

redef record SSL::Info += {
	foo: int &log &optional;
	bar: string &log &optional;
};

I'm trying to set the values in the "connection_state_remove" event with the following.

event connection_state_remove(c: connection) {
	c$ssl$foo = 1;
	c$ssl$bar = "TEST";
}

ssl.log shows the fields in the #fields line but the fields remain "-". I've tried messing with the priority level but it's not working. Something else going on here?

Thanks!


From jazoff at illinois.edu Thu Sep 13 10:31:38 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 13 Sep 2018 17:31:38 +0000
Subject: [Bro] Meaning of Various Acronyms in State Field of Packet
References: <6E2CAC77-F1DD-4B71-9C92-CD907713CE16@illinois.edu>

> On Sep 13, 2018, at 12:17 PM, Lionel Levy wrote:
>
> According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called "state", and is described as the state and its dependent protocol, e.g. ACC, CLO.

http://manpages.ubuntu.com/manpages/trusty/man1/ra.1.html describes what all those fields mean..

Bro does have a similar feature, but the data is represented differently and those specific state abbreviations are an argus thing.

In bro logs, the different ICMP codes are logged this way:

##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.

So while argus has URF as a state meaning 'Unreachable need fragmentation', in bro that would just be logged as type 3 code 4 under the port columns.

For some of the other fields the information is either in the conn_state or history fields. The documentation for those is here:
https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info

In bro ACC would show up as an h or H in history and a conn_state of SF, S1, S2, or S3 (i think?)
CLO would show up as f or F in history and a conn_state of SF

Justin Azoff


From jazoff at illinois.edu Thu Sep 13 10:50:04 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 13 Sep 2018 17:50:04 +0000
Subject: [Bro] Writing to SSL log
Message-ID: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>

> On Sep 13, 2018, at 1:31 PM, Neslog wrote:
>
> ssl.log shows the fields in the #fields line but the fields remain "-". I've tried messing with the priority level but it's not working.
> Something else going on here?

That works for most things, but the ssl log is primarily written to at the end of the ssl negotiation, not the end of the connection.

If you look in scripts/base/protocols/ssl/main.bro you see that the ssl log is written to by the log_record / finish helper functions, which are called from: ssl_established, connection_state_remove (if not already logged!), and protocol_violation. So in your case, what could work is

event ssl_established(c: connection) {
	c$ssl$foo = 1;
	c$ssl$bar = "TEST";
}

However, the ssl script also has this feature:

# Hook that can be used to perform actions right before the log record
# is written.
global ssl_finishing: hook(c: connection);

So to ensure you catch everything and run at the right time, this will work even better:

hook ssl_finishing(c: connection) {
	c$ssl$foo = 1;
	c$ssl$bar = "TEST";
}

Justin Azoff


From neslog at gmail.com Thu Sep 13 12:46:24 2018
From: neslog at gmail.com (Neslog)
Date: Thu, 13 Sep 2018 15:46:24 -0400
Subject: [Bro] Writing to SSL log
In-Reply-To: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>
References: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>

Justin, thanks! I remember having to use a different before to log it. I loaded up ssl and the following script but it's not firing off.

test.bro:

hook ssl_finishing(c: connection) {
	print "SSL Finishing Event!";
}

Is there much of a delay for this to execute?


From jazoff at illinois.edu Thu Sep 13 12:52:33 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Thu, 13 Sep 2018 19:52:33 +0000
Subject: [Bro] Writing to SSL log
References: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>

> On Sep 13, 2018, at 3:46 PM, Neslog wrote:
>
> Is there much of a delay for this to execute?

Oh, that's what I get for not testing on 2.5.x. That hook is new and will be in 2.6, for now you would need to use the event ssl_established.
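A complete Bro 2.5 version of what this thread arrives at, added here as an example rather than taken from the thread or from Bro's own ssl scripts: the record extension together with the ssl_established handler, guarded so that it tolerates connections that never got an SSL record, plus a connection_state_remove fallback for sessions whose handshake never completed and which are therefore only written when the connection ends. The field values are placeholders from the thread; the assumption that ssl/main.bro's own handlers run at a negative priority, so that a default-priority handler runs before the record is written, is marked in the code.

```bro
##! Extend SSL::Info with two custom fields and populate them before the
##! ssl script writes the record. Added example for Bro 2.5, which has no
##! ssl_finishing hook; field names and values are placeholders.

@load base/protocols/ssl

module SSLTag;

export {
	redef record SSL::Info += {
		foo: int    &log &optional;
		bar: string &log &optional;
	};
}

## Set the custom fields. c$ssl is absent for connections that never
## carried SSL, so test for it with c?$ssl before touching it.
function tag(c: connection)
	{
	if ( ! c?$ssl )
		return;

	c$ssl$foo = 1;
	c$ssl$bar = "TEST";
	}

## Normal case: the handshake completed and the ssl script writes the
## record from its own ssl_established handler. That handler is assumed
## to run at a negative priority (as in ssl/main.bro), so this
## default-priority handler runs first and the fields reach the log.
event ssl_established(c: connection)
	{
	tag(c);
	}

## Fallback: the handshake never completed, so the record is instead
## written from the ssl script's connection_state_remove handler at
## connection end. Same priority assumption as above; for sessions that
## were already logged at ssl_established this assignment is harmless.
event connection_state_remove(c: connection)
	{
	tag(c);
	}
```

Load the script alongside base/protocols/ssl; the earlier observation in this thread that setting the fields only in connection_state_remove leaves them as "-" still holds for completed handshakes, which is why the ssl_established handler carries the normal case.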
Justin Azoff

From neslog at gmail.com Thu Sep 13 12:59:25 2018
From: neslog at gmail.com (Neslog)
Date: Thu, 13 Sep 2018 15:59:25 -0400
Subject: [Bro] Writing to SSL log
In-Reply-To:
References: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>
Message-ID:

lol, alright. I'll test it out in 2.6. Thanks.

On Thu, Sep 13, 2018 at 3:53 PM Azoff, Justin S wrote:

>
>
> > On Sep 13, 2018, at 3:46 PM, Neslog wrote:
> >
> > Justin, thanks! I remember having to use a different before to log it. I loaded up ssl and the following script but it's not firing off.
> >
> > test.bro:
> >
> > hook ssl_finishing(c: connection) {
> >     print "SSL Finishing Event!";
> > }
> >
> > Is there much of a delay for this to execute?
>
> Oh, that's what I get for not testing on 2.5.x. That hook is new and will be in 2.6, for now you would need to use the event ssl_established.
>
>
> --
> Justin Azoff
>

From neslog at gmail.com Thu Sep 13 13:26:53 2018
From: neslog at gmail.com (Neslog)
Date: Thu, 13 Sep 2018 16:26:53 -0400
Subject: [Bro] Writing to SSL log
In-Reply-To:
References: <7EDE90E2-B494-4D0F-B8F9-1495B894142B@illinois.edu>
Message-ID:

I used the ssl_established event and appears to be a bit of a race condition for what I'm doing. I'm pulling in some data from broker and deliver from broker is slower than network traffic....

On Thu, Sep 13, 2018 at 3:59 PM Neslog wrote:

> lol, alright. I'll test it out in 2.6. Thanks.
>
> On Thu, Sep 13, 2018 at 3:53 PM Azoff, Justin S wrote:
>
>>
>> > On Sep 13, 2018, at 3:46 PM, Neslog wrote:
>> >
>> > Justin, thanks! I remember having to use a different before to log it. I loaded up ssl and the following script but it's not firing off.
>> >
>> > test.bro:
>> >
>> > hook ssl_finishing(c: connection) {
>> >     print "SSL Finishing Event!";
>> > }
>> >
>> > Is there much of a delay for this to execute?
>>
>> Oh, that's what I get for not testing on 2.5.x. That hook is new and will be in 2.6, for now you would need to use the event ssl_established.
>>
>>
>> --
>> Justin Azoff
>>
>

From lionellevy25 at gmail.com Sat Sep 15 12:43:58 2018
From: lionellevy25 at gmail.com (Lionel Levy)
Date: Sat, 15 Sep 2018 15:43:58 -0400
Subject: [Bro] Meaning of Various Acronyms in State Field of Packet
In-Reply-To:
References: <6E2CAC77-F1DD-4B71-9C92-CD907713CE16@illinois.edu>
Message-ID:

Awesome, thanks!

On Thu, Sep 13, 2018 at 1:32 PM Azoff, Justin S wrote:

>
>
> > On Sep 13, 2018, at 12:17 PM, Lionel Levy wrote:
> >
> > Hi Justin,
> >
> > Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)."
> >
> > According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called "state", and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.
> >
> > Regards,
> >
> > Lionel
>
> http://manpages.ubuntu.com/manpages/trusty/man1/ra.1.html describes what all those fields mean..
>
> Bro does have a similar feature, but the data is represented differently and those specific state abbreviations are an argus thing.
>
> In bro logs, the different ICMP codes are logged this way:
>
> ##! host/port to a destination host/port). Further, ICMP "ports" are to
> ##! be interpreted as the source port meaning the ICMP message type and
> ##! the destination port being the ICMP message code.
>
> so while argus has URF as a state meaning 'Unreachable need fragmentation' in bro that would just be logged as type 3 code 4 in bro under the port columns.
>
> For some of the other fields the information is either in the conn_state or history fields. The documentation for those is here
> https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
>
> in bro ACC would show up as an h or H in history and a conn_state of SF, S1,S2, or S3 (i think?)
>
> CLO would show up as f or F in history and a conn_state of SF
>
>
>
> --
> Justin Azoff
>
>

From openshift.ninja at gmail.com Mon Sep 17 09:59:51 2018
From: openshift.ninja at gmail.com (OpenShift Ninja)
Date: Mon, 17 Sep 2018 12:59:51 -0400
Subject: [Bro] bro cluster setup questions
Message-ID:

A while back I asked some questions about setting up Bro clusters in containers. Let me explain my setup a little and then I can ask my questions.

I have a cluster of like 40 machines. We have a ton of traffic that will be coming into that cluster and distributed to the NICs on all hosts. So my plan was to have a worker on each host processing traffic and then sending that traffic to either a logger or a manager (given the size of the cluster, I think a separate logger is warranted). I also would have one or more proxies.

We are using Mesos/Marathon to deploy containers onto the cluster. I can in theory pin containers to given hosts, although I would prefer to let Marathon manage that if I can.
From my experience though, having a manager container and a logger container running on the same host means that Bro will ignore the logger and just use the manager (i.e., I find the logs being collected on the manager).

I've been initializing the cluster by having sshd running inside each of the containers and then running broctl install and deploy from inside the manager (and I have the sshd listening on 2022 instead of 22 since we already have sshd running on the machines the containers are running on - I have an ssh config inside of the manager container that makes 2022 the default port to use).

This will work fine as long as I only have one bro container on each host in my cluster. If I need to run more than one on any server, then it no longer makes sense. When I asked about this a while back, someone had mentioned that you can initialize the cluster without ssh. How do you do that exactly? Put the node.cfg on each of the hosts and then run broctl install on each? I'm a little confused on how each node knows what type of host it is supposed to be, other than consulting the node.cfg file and seeing the host/type relationship (but if you have the logger and proxy on the same host, how do they know which is which?).

The cluster configuration documentation (https://www.bro.org/sphinx-git/configuration/index.html) and the broctl documentation (https://www.bro.org/sphinx-git/components/broctl/README.html) doesn't really make it clear to me how this works.

From jazoff at illinois.edu Mon Sep 17 10:56:46 2018
From: jazoff at illinois.edu (Azoff, Justin S)
Date: Mon, 17 Sep 2018 17:56:46 +0000
Subject: [Bro] bro cluster setup questions
In-Reply-To:
References:
Message-ID:

Yeah, you really should not be using broctl for what you are doing.
All broctl does is generate the /usr/local/bro/spool/installed-scripts-do-not-touch/auto/cluster-layout.bro and use ssh to start the appropriate bro processes.

To start the processes broctl just sets the env var CLUSTER_NODE=whatever

And runs the run-bro script with a bunch of options

#loggers
/usr/local/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster broctl/auto

#manager
/usr/local/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster broctl/auto

#proxy
/usr/local/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local -p proxy-2 local.bro broctl base/frameworks/cluster broctl/auto

#worker
/usr/local/bro/share/broctl/scripts/run-bro 15 -i myricom::p1p1:6 -U .status -p broctl -p broctl-live -p local -p worker-1 local.bro broctl base/frameworks/cluster broctl/auto

The main way they differ is by which prefix(-p) they are told to load, but I believe that doesn't actually do anything these days, so it would just boil down to 2 variations:

#loggers, managers, and proxies
/usr/local/bro/share/broctl/scripts/run-bro -1 -U .status -p broctl -p broctl-live -p local local.bro broctl base/frameworks/cluster broctl/auto

#workers
/usr/local/bro/share/broctl/scripts/run-bro -1 -i ethwhatever -U .status -p broctl -p broctl-live -p local local.bro broctl base/frameworks/cluster broctl/auto

The main tricky part is you'd probably have to tweak some of the stock cluster scripts so that the cluster can handle dynamic nodes that aren't listed in the cluster_layout.

--
Justin Azoff

> On Sep 17, 2018, at 12:59 PM, OpenShift Ninja wrote:
>
> A while back I asked some questions about setting up Bro clusters in containers. Let me explain my setup a little and then I can ask my questions.
>
> I have a cluster of like 40 machines.
> We have a ton of traffic that will be coming into that cluster and distributed to the NICs on all hosts. So my plan was to have a worker on each host processing traffic and then sending that traffic to either a logger or a manager (given the size of the cluster, I think a separate logger is warranted). I also would have one or more proxies.
>
> We are using Mesos/Marathon to deploy containers onto the cluster. I can in theory pin containers to given hosts, although I would prefer to let Marathon manage that if I can. From my experience though, having a manager container and a logger container running on the same host means that Bro will ignore the logger and just use the manager (i.e., I find the logs being collected on the manager).
>
> I've been initializing the cluster by having sshd running inside each of the containers and then running broctl install and deploy from inside the manager (and I have the sshd listening on 2022 instead of 22 since we already have sshd running on the machines the containers are running on - I have an ssh config inside of the manager container that makes 2022 the default port to use).
>
> This will work fine as long as I only have one bro container on each host in my cluster. If I need to run more than one on any server, then it no longer makes sense. When I asked about this a while back, someone had mentioned that you can initialize the cluster without ssh. How do you do that exactly? Put the node.cfg on each of the hosts and then run broctl install on each? I'm a little confused on how each node knows what type of host it is supposed to be, other than consulting the node.cfg file and seeing the host/type relationship (but if you have the logger and proxy on the same host, how do they know which is which?).
>
> The cluster configuration documentation (https://www.bro.org/sphinx-git/configuration/index.html) and the broctl documentation (https://www.bro.org/sphinx-git/components/broctl/README.html) doesn't really make it clear to me how this works.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jsiwek at corelight.com Mon Sep 17 14:36:53 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 17 Sep 2018 16:36:53 -0500
Subject: [Bro] Bro issue tracking migrated to GitHub
Message-ID:

Issue tracking for Bro is now handled on GitHub:

https://github.com/bro/bro/issues

A selection of tickets have been migrated from the old JIRA tracker based on criteria that goes something like "anything that is a reproducible bug or simple enhancement". Tickets left open in JIRA will serve as a historical archive of Good Ideas and are only modifiable to developers.

From now on, please create any new issues on GitHub. If there's an old JIRA ticket that has not been migrated and you think it should, you can create a GitHub issue and simply reference the JIRA ticket's URL.

A goal of the migration is to make it easier for people to contribute by centralizing around a more familiar git development process and also by improving the ongoing tasks of issue organization and maintenance.

- Jon

From seth at corelight.com Mon Sep 17 16:17:32 2018
From: seth at corelight.com (Seth Hall)
Date: Tue, 18 Sep 2018 01:17:32 +0200
Subject: [Bro] Bro issue tracking migrated to GitHub
In-Reply-To:
References:
Message-ID: <8A94C7F6-161D-49AC-95F0-B399E48DA768@corelight.com>

On 17 Sep 2018, at 23:36, Jon Siwek wrote:

> Issue tracking for Bro is now handled on GitHub:

Hm, who do we need to poke at to get tracker.bro.org to redirect there?
.Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From johanna at icir.org Mon Sep 17 22:10:49 2018
From: johanna at icir.org (Johanna Amann)
Date: Tue, 18 Sep 2018 07:10:49 +0200
Subject: [Bro] Bro issue tracking migrated to GitHub
In-Reply-To: <8A94C7F6-161D-49AC-95F0-B399E48DA768@corelight.com>
References: <8A94C7F6-161D-49AC-95F0-B399E48DA768@corelight.com>
Message-ID:

On 18 Sep 2018, at 1:17, Seth Hall wrote:

> On 17 Sep 2018, at 23:36, Jon Siwek wrote:
>
>> Issue tracking for Bro is now handled on GitHub:
>
> Hm, who do we need to poke at to get tracker.bro.org to redirect there?
>
> .Seth

Me, for example :). Give me a few hours, I will do it later.

Johanna

From turbidtarantula at gmail.com Tue Sep 18 08:18:29 2018
From: turbidtarantula at gmail.com (Mike M)
Date: Tue, 18 Sep 2018 11:18:29 -0400
Subject: [Bro] Running Bro on Alpine
Message-ID:

Hello,

I'm trying to compile and run Bro on Alpine Linux and I'm having an issue with broctl crashing.

Out of the box running ./configure and make using the bro 2.5.5 source I get a bunch of errors like that "'u_char' does not name a type" [1]. I found this project for compiling Bro on Alpine [2]. The build-bro.sh script includes two patch files and a cmake file [3]. Manually applying those three files gets Bro to the point where it compiles successfully.

Bro will run fine from the command line, but running broctl it crashes almost immediately [4]. Broctl reports Bro as crashed, but it briefly produces all the log files I'd expect (conn, dns, etc). There's nothing useful in the stdout, stderr or reporter logs. I built bro with --enable-debug, I've got gdb installed, and I set "ulimit -c unlimited" but I don't see a crash dump anywhere.

In the absence of any error messages I'm unsure on how to proceed. Can anyone recommend next steps?
thanks,
Mike

[1] see compile error.txt (attached)
[2] https://github.com/danielguerra69/docker-bro-1
[3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
[4] see broctl crash.txt (attached)

-------------- next part --------------
localhost:/usr/local/bro/logs# ../bin/broctl start
starting bro ...
(bro still initializing)
localhost:/usr/local/bro/logs# ../bin/broctl status
Name         Type         Host         Status       Pid    Started
bro          standalone   localhost    crashed
localhost:/usr/local/bro/logs# ../bin/broctl diag
[bro]
No core file found.

Bro 2.5.5-debug
Linux 4.14.69-0-virt

Bro plugins: (none found)

==== reporter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2018-09-18-03-29-35
#fields ts level message location
#types time enum string string
1537241375.552718 Reporter::WARNING Your interface is likely receiving invalid TCP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.
/usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line 54

==== stderr.log
listening on eth0

==== stdout.log
max memory size         (kbytes, -m)  unlimited
data seg size           (kbytes, -d)  unlimited
virtual memory          (kbytes, -v)  unlimited
core file size          (blocks, -c)  unlimited

==== .cmdline
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]

==== No prof.log

==== packet_filter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2018-09-18-03-29-25
#fields ts node filter init success
#types time string string bool bool
1537241365.482857 bro ip or not ip T T

==== loaded_scripts.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2018-09-18-03-29-25
#fields name
#types string
/usr/local/bro/share/bro/base/init-bare.bro
/usr/local/bro/share/bro/base/bif/const.bif.bro
/usr/local/bro/share/bro/base/bif/types.bif.bro
/usr/local/bro/share/bro/base/bif/strings.bif.bro
/usr/local/bro/share/bro/base/bif/bro.bif.bro
/usr/local/bro/share/bro/base/bif/reporter.bif.bro
/usr/local/bro/share/bro/base/bif/plugins/Bro_SNMP.types.bif.bro
/usr/local/bro/share/bro/base/bif/plugins/Bro_KRB.types.bif.bro
/usr/local/bro/share/bro/base/bif/event.bif.bro
/usr/local/bro/share/bro/base/frameworks/broker/__load__.bro
/usr/local/bro/share/bro/base/frameworks/broker/main.bro
/usr/local/bro/share/bro/base/bif/comm.bif.bro
/usr/local/bro/share/bro/base/bif/messaging.bif.bro
/usr/local/bro/share/bro/base/frameworks/broker/store.bro
/usr/local/bro/share/bro/base/bif/data.bif.bro /usr/local/bro/share/bro/base/bif/store.bif.bro /usr/local/bro/share/bro/base/frameworks/logging/__load__.bro /usr/local/bro/share/bro/base/frameworks/logging/main.bro /usr/local/bro/share/bro/base/bif/logging.bif.bro /usr/local/bro/share/bro/base/frameworks/logging/postprocessors/__load__.bro /usr/local/bro/share/bro/base/frameworks/logging/postprocessors/scp.bro /usr/local/bro/share/bro/base/frameworks/logging/postprocessors/sftp.bro /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro /usr/local/bro/share/bro/base/frameworks/logging/writers/sqlite.bro /usr/local/bro/share/bro/base/frameworks/logging/writers/none.bro /usr/local/bro/share/bro/base/frameworks/input/__load__.bro /usr/local/bro/share/bro/base/frameworks/input/main.bro /usr/local/bro/share/bro/base/bif/input.bif.bro /usr/local/bro/share/bro/base/frameworks/input/readers/ascii.bro /usr/local/bro/share/bro/base/frameworks/input/readers/raw.bro /usr/local/bro/share/bro/base/frameworks/input/readers/benchmark.bro /usr/local/bro/share/bro/base/frameworks/input/readers/binary.bro /usr/local/bro/share/bro/base/frameworks/input/readers/sqlite.bro /usr/local/bro/share/bro/base/frameworks/analyzer/__load__.bro /usr/local/bro/share/bro/base/frameworks/analyzer/main.bro /usr/local/bro/share/bro/base/frameworks/packet-filter/utils.bro /usr/local/bro/share/bro/base/bif/analyzer.bif.bro /usr/local/bro/share/bro/base/frameworks/files/__load__.bro /usr/local/bro/share/bro/base/frameworks/files/main.bro /usr/local/bro/share/bro/base/bif/file_analysis.bif.bro /usr/local/bro/share/bro/base/utils/site.bro /usr/local/bro/share/bro/base/utils/patterns.bro /usr/local/bro/share/bro/base/frameworks/files/magic/__load__.bro /usr/local/bro/share/bro/base/bif/__load__.bro /usr/local/bro/share/bro/base/bif/stats.bif.bro /usr/local/bro/share/bro/base/bif/broxygen.bif.bro /usr/local/bro/share/bro/base/bif/pcap.bif.bro /usr/local/bro/share/bro/base/bif/bloom-filter.bif.bro 
/usr/local/bro/share/bro/base/bif/cardinality-counter.bif.bro /usr/local/bro/share/bro/base/bif/top-k.bif.bro /usr/local/bro/share/bro/base/bif/plugins/__load__.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_ARP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_BackDoor.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_BitTorrent.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_ConnSize.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_ConnSize.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DCE_RPC.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DCE_RPC.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DHCP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DNP3.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_File.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Finger.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FTP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FTP.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Gnutella.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_GSSAPI.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_GTPv1.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_HTTP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_HTTP.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_ICMP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Ident.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_IMAP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_InterConn.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_IRC.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_KRB.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Login.events.bif.bro 
/usr/local/bro/share/bro/base/bif/plugins/Bro_Login.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_MIME.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Modbus.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_MySQL.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NCP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NCP.consts.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NetBIOS.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NetBIOS.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NTLM.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NTLM.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NTP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_POP3.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RADIUS.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RDP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RDP.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RFB.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RPC.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SIP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SNMP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro 
/usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb1_events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.smb2_events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.consts.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMB.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMTP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SMTP.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SOCKS.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SSH.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SSH.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SSL.types.bif.bro 
/usr/local/bro/share/bro/base/bif/plugins/Bro_SSL.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SSL.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SteppingStone.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Syslog.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_TCP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_TCP.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Teredo.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_UDP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_XMPP.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FileEntropy.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FileExtract.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FileExtract.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_FileHash.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_PE.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Unified2.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_Unified2.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_X509.events.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_X509.types.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_X509.functions.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_BinaryReader.binary.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_RawReader.raw.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_NoneWriter.none.bif.bro /usr/local/bro/share/bro/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro /usr/local/bro/share/bro/base/init-default.bro /usr/local/bro/share/bro/base/utils/active-http.bro 
-------------- next part --------------
localhost:~/bro-2.5.5# ./configure --enable-debug
localhost:~/bro-2.5.5# make
make -C build all
make[1]: Entering directory '/root/bro-2.5.5/build'
make[2]: Entering directory '/root/bro-2.5.5/build'
make[3]: Entering directory '/root/bro-2.5.5/build'
make[3]: Leaving directory '/root/bro-2.5.5/build'
make[3]: Entering directory '/root/bro-2.5.5/build'
[  0%] Building CXX object aux/binpac/lib/CMakeFiles/binpac_lib.dir/binpac_buffer.cc.o
In file included from /root/bro-2.5.5/aux/binpac/lib/binpac_buffer.cc:7:0:
/root/bro-2.5.5/build/aux/binpac/lib/binpac.h:118:27: error: 'u_char' does not name a type
 inline T UnMarshall(const u_char *data, int byteorder)
                           ^~~~~~
In file included from /root/bro-2.5.5/build/aux/binpac/lib/binpac.h:169:0,
                 from /root/bro-2.5.5/aux/binpac/lib/binpac_buffer.cc:7:
/root/bro-2.5.5/aux/binpac/lib/binpac_analyzer.h:13:29: error: 'u_char' does not name a type
   const u_char *begin_of_data,
                             ^~~~~~
/root/bro-2.5.5/aux/binpac/lib/binpac_analyzer.h:14:29: error: 'u_char' does not name a type
   const u_char *end_of_data) = 0;
                             ^~~~~~
/root/bro-2.5.5/aux/binpac/lib/binpac_analyzer.h:21:29: error: 'u_char' does not name a type
 virtual void NewData(const u_char *begin_of_data,
                             ^~~~~~
/root/bro-2.5.5/aux/binpac/lib/binpac_analyzer.h:22:29: error: 'u_char' does not name a type
   const u_char *end_of_data) = 0;
                             ^~~~~~
make[3]: *** [aux/binpac/lib/CMakeFiles/binpac_lib.dir/build.make:63: aux/binpac/lib/CMakeFiles/binpac_lib.dir/binpac_buffer.cc.o] Error 1
make[3]: Leaving directory '/root/bro-2.5.5/build'
make[2]: *** [CMakeFiles/Makefile2:139: aux/binpac/lib/CMakeFiles/binpac_lib.dir/all] Error 2
make[2]: Leaving directory '/root/bro-2.5.5/build'
make[1]: *** [Makefile:152: all] Error 2
make[1]: Leaving directory '/root/bro-2.5.5/build'
make: *** [Makefile:15: all] Error 2

From daniel.guerra69 at gmail.com Tue Sep 18 08:47:21 2018
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Tue, 18 Sep 2018 17:47:21 +0200
Subject: [Bro] Running Bro on Alpine

Check out

For alpine linux you need some patches

https://github.com/blacktop/docker-bro/tree/master/2.5

Regards,

Daniel

On 18/09/2018 at 17:18, Mike M wrote:
> Hello,
>
> I'm trying to compile and run Bro on Alpine Linux and I'm having an
> issue with broctl crashing.
>
> Out of the box running ./configure and make using the bro 2.5.5 source
> I get a bunch of errors like that "'u_char' does not name a type" [1].
>
> I found this project for compiling Bro on Alpine [2]. The
> build-bro.sh script includes two patch files and a cmake file [3].
> Manually applying those three files gets Bro to the point where it
> compiles successfully.
>
> Bro will run fine from the command line, but running broctl it crashes
> almost immediately [4]. Broctl reports Bro as crashed, but it briefly
> produces all the log files I'd expect (conn, dns, etc). There's
> nothing useful in the stdout, stderr or reporter logs.
>
> I built bro with --enable-debug, I've got gdb installed, and I set
> "ulimit -c unlimited" but I don't see a crash dump anywhere.
>
> In the absence of any error messages I'm unsure on how to proceed. Can
> anyone recommend next steps?
>
> thanks,
> Mike
>
> [1] see compile error.txt (attached)
> [2] https://github.com/danielguerra69/docker-bro-1
> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
> [4] see broctl crash.txt (attached)
From turbidtarantula at gmail.com Tue Sep 18 11:23:40 2018
From: turbidtarantula at gmail.com (Mike M)
Date: Tue, 18 Sep 2018 14:23:40 -0400
Subject: [Bro] Running Bro on Alpine

Daniel,

Thanks for the help. I rebuilt bro with those patches (although they look
identical to the ones I referenced earlier), making sure to grab all the
dependencies listed in the docker file.

I'm still seeing broctl report that bro crashed. However, what I failed to
notice before is that there are actually several bro processes running and
bro is still producing logs even when broctl reports it has crashed.

I suppose I could roll my own scripts to start and stop bro, but I'd prefer
to actually get broctl working on alpine. Any ideas as to why it's
reporting inaccurate information?

thanks,
Mike

On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra wrote:
> Check out
>
> For alpine linux you need some patches
>
> https://github.com/blacktop/docker-bro/tree/master/2.5
>
> Regards,
>
> Daniel
>
> On 18/09/2018 at 17:18, Mike M wrote:
>
> Hello,
>
> I'm trying to compile and run Bro on Alpine Linux and I'm having an issue
> with broctl crashing.
>
> Out of the box running ./configure and make using the bro 2.5.5 source I
> get a bunch of errors like that "'u_char' does not name a type" [1].
>
> I found this project for compiling Bro on Alpine [2]. The build-bro.sh
> script includes two patch files and a cmake file [3]. Manually applying
> those three files gets Bro to the point where it compiles successfully.
>
> Bro will run fine from the command line, but running broctl it crashes
> almost immediately [4]. Broctl reports Bro as crashed, but it briefly
> produces all the log files I'd expect (conn, dns, etc). There's nothing
> useful in the stdout, stderr or reporter logs.
>
> I built bro with --enable-debug, I've got gdb installed, and I set "ulimit
> -c unlimited" but I don't see a crash dump anywhere.
>
> In the absence of any error messages I'm unsure on how to proceed. Can
> anyone recommend next steps?
>
> thanks,
> Mike
>
> [1] see compile error.txt (attached)
> [2] https://github.com/danielguerra69/docker-bro-1
> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
> [4] see broctl crash.txt (attached)

From dnthayer at illinois.edu Tue Sep 18 12:58:02 2018
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Tue, 18 Sep 2018 14:58:02 -0500
Subject: [Bro] Running Bro on Alpine
Message-ID: <5c3ae3e8-8515-8bcf-26b9-c3ff12de468e@illinois.edu>

On 9/18/18 1:23 PM, Mike M wrote:
> Daniel,
>
> Thanks for the help. I rebuilt bro with those patches (although they
> look identical to the ones I referenced earlier), making sure to grab
> all the dependencies listed in the docker file.
>
> I'm still seeing broctl report that bro crashed. However, what I failed
> to notice before is that there are actually several bro processes
> running and bro is still producing logs even when broctl reports it has
> crashed.
>
> I suppose I could roll my own scripts to start and stop bro, but I'd
> prefer to actually get broctl working on alpine. Any ideas as to why
> it's reporting inaccurate information?
>
> thanks,
> Mike

First, I suggest running "broctl stop". Next, make sure there are no more
bro processes running on your machine by running "broctl ps.bro". This
command shows all bro processes running, whereas "broctl status" only shows
you the ones that broctl knows about.
It is important to make sure there are no bro processes running before
attempting to start bro using broctl.

-Daniel

From daniel.guerra69 at gmail.com Tue Sep 18 13:29:40 2018
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Tue, 18 Sep 2018 22:29:40 +0200
Subject: [Bro] Running Bro on Alpine
Message-ID: <7581df63-6d9c-ea62-11ab-1a22523f7be2@gmail.com>

Just tried it, for now I can only confirm your problem

/tmp/bro # /usr/local/bro/bin/broctl start
starting bro ...
(bro still initializing)
/tmp/bro # /usr/local/bro/bin/broctl status
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     crashed

this might help, dmesg output

device eth0 entered promiscuous mode
traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb sp:7f92f1a40880 error:0 in ld-musl-x86_64.so.1[7f92f1848000+8d000]
bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp 00007ffd5d7bbaa8 error 15
bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]

and the ps aux output

  364 root      0:00 {run-bro} /bin/bash /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl
  370 root      0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
  372 root      0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

On 18/09/2018 at 20:23, Mike M wrote:
> Daniel,
>
> Thanks for the help. I rebuilt bro with those patches (although they
> look identical to the ones I referenced earlier), making sure to grab
> all the dependencies listed in the docker file.
>
> I'm still seeing broctl report that bro crashed. However, what I
> failed to notice before is that there are actually several bro
> processes running and bro is still producing logs even when broctl
> reports it has crashed.
>
> I suppose I could roll my own scripts to start and stop bro, but I'd
> prefer to actually get broctl working on alpine. Any ideas as to why
> it's reporting inaccurate information?
>
> thanks,
> Mike
>
> On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra wrote:
>
> Check out
>
> For alpine linux you need some patches
>
> https://github.com/blacktop/docker-bro/tree/master/2.5
>
> Regards,
>
> Daniel
>
> On 18/09/2018 at 17:18, Mike M wrote:
>> Hello,
>>
>> I'm trying to compile and run Bro on Alpine Linux and I'm having
>> an issue with broctl crashing.
>>
>> Out of the box running ./configure and make using the bro 2.5.5
>> source I get a bunch of errors like that "'u_char' does not name
>> a type" [1].
>>
>> I found this project for compiling Bro on Alpine [2]. The
>> build-bro.sh script includes two patch files and a cmake file
>> [3]. Manually applying those three files gets Bro to the point
>> where it compiles successfully.
>>
>> Bro will run fine from the command line, but running broctl it
>> crashes almost immediately [4]. Broctl reports Bro as crashed,
>> but it briefly produces all the log files I'd expect (conn, dns,
>> etc). There's nothing useful in the stdout, stderr or reporter logs.
>>
>> I built bro with --enable-debug, I've got gdb installed, and I
>> set "ulimit -c unlimited" but I don't see a crash dump anywhere.
>>
>> In the absence of any error messages I'm unsure on how to
>> proceed. Can anyone recommend next steps?
>>
>> thanks,
>> Mike
>>
>> [1] see compile error.txt (attached)
>> [2] https://github.com/danielguerra69/docker-bro-1
>> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
>> [4] see broctl crash.txt (attached)

From DMurphy at lfcu.com Tue Sep 18 14:19:22 2018
From: DMurphy at lfcu.com (Dillon Murphy)
Date: Tue, 18 Sep 2018 21:19:22 +0000
Subject: [Bro] IP Whitelist for scan.bro

Hello,

How do I whitelist IPs for the scan.bro notice? I prefer to whitelist
than suppress. I'm running my tests in try.bro.org.

I've tried:

    module scanwhitelist;

    export {
        # Sources that should never be counted as scanners.
        const scan_host_ignore: set[subnet] = { 192.168.0.1/32 } &redef;
        # Destination ports that should never count as scan evidence.
        const scan_port_ignore: set[port] = { } &redef;
    }

    redef Notice::type_suppression_intervals += {
        [Scan::Port_Scan] = 4hrs,
    };

    # Breaking out of the hook keeps this failed connection out of the
    # port-scan counters.
    hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
        {
        if ( scanner in scanwhitelist::scan_host_ignore ||
             scanned_port in scanwhitelist::scan_port_ignore )
            break;
        }

And I have also tried this. Found it here:
http://mailman.icsi.berkeley.edu/pipermail/bro/2013-April/005662.html

    const external_port_scanners_whitelist = { 10.2.32.94, 8.8.4.4 };

    hook Notice::policy(n: Notice::Info) &priority=10
        {
        if ( n$note == Scan::Port_Scan && n?$src &&
             !(n$src in external_port_scanners_whitelist) )
            add n$actions[Notice::ACTION_LOG];
        }

What am I not getting?

Thank you for your help!

Dillon Murphy
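An added example, not the poster's script and not part of policy/misc/scan.bro, of the whitelist done in two layers: the Scan::port_scan_policy hook from the post and its sibling Scan::addr_scan_policy keep whitelisted sources out of the scan counters, and a Notice::policy handler above the framework's default priority drops any Scan notice that still names one. It assumes the 2.5-era scan.bro hook signatures and notice types (Scan::Address_Scan, Scan::Port_Scan), that breaking out of a higher-priority Notice::policy handler prevents the default ACTION_LOG (as the base framework does for Notice::ignored_types), and the file name, helper function and whitelist values are constructed placeholders.

```bro
# Added example: scan-whitelist.bro (hypothetical file name). Load it after
# the scan detector, e.g. from local.bro:
#   @load misc/scan
#   @load ./scan-whitelist
module ScanWhitelist;

export {
	## Sources that are never counted or reported as scanners.
	## Constructed placeholder values; replace with your own vantage points.
	const ignore_scanners: set[subnet] = {
		192.168.0.1/32,   # e.g. an internal vulnerability scanner
		10.2.32.0/24,     # e.g. a monitoring subnet
	} &redef;

	## Destination ports whose failed connections are not scan evidence.
	const ignore_ports: set[port] = { } &redef;
}

# Hypothetical helper so that both hooks apply exactly the same test.
# `addr in set[subnet]` does a longest-prefix match.
function is_whitelisted(scanner: addr, scanned_port: port): bool
	{
	return scanner in ignore_scanners || scanned_port in ignore_ports;
	}

# Layer 1: keep whitelisted traffic out of the SumStats counters.
# scan.bro only observes a failed connection when these hooks run to
# completion, so a `break` means the source never accumulates towards
# either threshold and no notice is ever raised for it.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( is_whitelisted(scanner, scanned_port) )
		break;
	}

hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( is_whitelisted(scanner, scanned_port) )
		break;
	}

# Layer 2: a second check at notice time. The notice framework attaches
# ACTION_LOG in its own &priority=10 handler, so breaking here, at a higher
# priority, stops the notice before any action is added to it. This also
# covers notices raised by a worker that loaded a different whitelist.
hook Notice::policy(n: Notice::Info) &priority=20
	{
	if ( (n$note == Scan::Address_Scan || n$note == Scan::Port_Scan) &&
	     n?$src && n$src in ignore_scanners )
		break;
	}
```

The second snippet in the post only adds the logging action for non-whitelisted sources; since logging is already the framework's default, it changes nothing on its own, which is why the `break` at a higher priority is the piece that actually drops the whitelisted notice.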
From DMurphy at lfcu.com Tue Sep 18 14:22:55 2018 From: DMurphy at lfcu.com (Dillon Murphy) Date: Tue, 18 Sep 2018 21:22:55 +0000 Subject: [Bro] Bro Digest, Vol 149, Issue 20 In-Reply-To: References: Message-ID:

Never Mind! I think I just got the suppression to work. Thank you!! Dillon Murphy

From: bro-bounces at bro.org On Behalf Of bro-request at bro.org Sent: Tuesday, September 18, 2018 2:20 PM To: bro at bro.org Subject: Bro Digest, Vol 149, Issue 20

Send Bro mailing list submissions to bro at bro.org To subscribe or unsubscribe via the World Wide Web, visit http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro or, via email, send a message with subject or body 'help' to bro-request at bro.org You can reach the person managing the list at bro-owner at bro.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Bro digest..."

Today's Topics:
1. Re: Running Bro on Alpine (Daniel Thayer)
2. Re: Running Bro on Alpine (Daniel Guerra)
3. IP Whitelist for scan.bro (Dillon Murphy)

----------------------------------------------------------------------
Message: 1 Date: Tue, 18 Sep 2018 14:58:02 -0500 From: Daniel Thayer Subject: Re: [Bro] Running Bro on Alpine To: Mike M Cc: bro at bro.org Message-ID: <5c3ae3e8-8515-8bcf-26b9-c3ff12de468e at illinois.edu> Content-Type: text/plain; charset="utf-8"; format=flowed

On 9/18/18 1:23 PM, Mike M wrote: > Daniel, > > Thanks for the help. I rebuilt bro with those patches (although they > look identical to the ones I referenced earlier), making sure to grab > all the dependencies listed in the docker file. > > I'm still seeing broctl report that bro crashed. However, what I failed > to notice before is that there are actually several bro processes > running and bro is still producing logs even when broctl report it has > crashed.
> > I suppose I could roll my own scripts to start and stop bro, but I'd > prefer to actually get broctl working on alpine. Any ideas as to why > it's reporting inaccurate information? > > thanks, > Mike

First, I suggest running "broctl stop". Next, make sure there are no more bro processes running on your machine by running "broctl ps.bro". This command shows all bro processes running, whereas "broctl status" only shows you the ones that broctl knows about. It is important to make sure there are no bro processes running before attempting to start bro using broctl. -Daniel

------------------------------
Message: 2 Date: Tue, 18 Sep 2018 22:29:40 +0200 From: Daniel Guerra Subject: Re: [Bro] Running Bro on Alpine To: Mike M Cc: bro at bro.org Message-ID: <7581df63-6d9c-ea62-11ab-1a22523f7be2 at gmail.com> Content-Type: text/plain; charset="utf-8"

Just tried it, for now I can only confirm your problem

    /tmp/bro # /usr/local/bro/bin/broctl start
    starting bro ...
    (bro still initializing)
    /tmp/bro # /usr/local/bro/bin/broctl status
    Name         Type        Host          Status    Pid    Started
    bro          standalone  localhost     crashed

this might help, dmesg output

    device eth0 entered promiscuous mode
    traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb sp:7f92f1a40880 error:0 in ld-musl-x86_64.so.1[7f92f1848000+8d000]
    bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp 00007ffd5d7bbaa8 error 15
    bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]

and the ps aux output

    364 root 0:00 {run-bro} /bin/bash /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl
    370 root 0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
    372 root 
0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

On 18/09/2018 at 20:23, Mike M wrote: > Daniel, > > Thanks for the help. I rebuilt bro with those patches (although they > look identical to the ones I referenced earlier), making sure to grab > all the dependencies listed in the docker file. > > I'm still seeing broctl report that bro crashed. However, what I > failed to notice before is that there are actually several bro > processes running and bro is still producing logs even when broctl > report it has crashed. > > I suppose I could roll my own scripts to start and stop bro, but I'd > prefer to actually get broctl working on alpine. Any ideas as to why > it's reporting inaccurate information? > > thanks, > Mike > > On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra > >> wrote: > > Check out > > > For alpine linux you need some patches > > https://github.com/blacktop/docker-bro/tree/master/2.5 > > > Regards, > > > Daniel > > On 18/09/2018 at 17:18, Mike M wrote: >> Hello, >> >> I'm trying to compile and run Bro on Alpine Linux and I'm having >> an issue with broctl crashing. >> >> Out of the box running ./configure and make using the bro 2.5.5 >> source I get a bunch of errors like "'u_char' does not name >> a type" [1]. >> >> I found this project for compiling Bro on Alpine [2]. The >> build-bro.sh script includes two patch files and a cmake file >> [3]. Manually applying those three files gets Bro to the point >> where it compiles successfully. >> >> Bro will run fine from the command line, but running broctl it >> crashes almost immediately [4]. Broctl reports Bro as crashed, >> but it briefly produces all the log files I'd expect (conn, dns, >> etc). There's nothing useful in the stdout, stderr or reporter logs. >> >> I built bro with --enable-debug, I've got gdb installed, and I >> set "ulimit -c unlimited" but I don't see a crash dump anywhere.
>> >> In the absence of any error messages I'm unsure on how to >> proceed. Can anyone recommend next steps? >> >> thanks, >> Mike >> >> [1] see compile error.txt (attached) >> [2] https://github.com/danielguerra69/docker-bro-1 >> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source >> [4] see broctl crash.txt (attached) >> >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >

------------------------------
Message: 3 Date: Tue, 18 Sep 2018 21:19:22 +0000 From: Dillon Murphy Subject: [Bro] IP Whitelist for scan.bro To: "bro at bro.org" Message-ID: Content-Type: text/plain; charset="utf-8"

Hello, How do I whitelist IPs for the scan.bro notice? I prefer to whitelist rather than suppress. I'm running my tests in try.bro.org. I've tried:

    # scan.bro is a policy script; it has to be loaded for the Scan::
    # hooks and notice types below to exist.
    @load misc/scan

    module scanwhitelist;

    export {
        const scan_host_ignore: set[subnet] = { 192.168.0.1/32 } &redef;
        const scan_port_ignore: set[port] = { } &redef;
    }

    redef Notice::type_suppression_intervals += {
        [Scan::Port_Scan] = 4hrs,
    };

    hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
        {
        if ( (scanner in scanwhitelist::scan_host_ignore) || scanned_port in scanwhitelist::scan_port_ignore )
            {
            break;
            }
        }

And I have also tried this. Found it here: http://mailman.icsi.berkeley.edu/pipermail/bro/2013-April/005662.html

    @load misc/scan

    const external_port_scanners_whitelist = { 10.2.32.94, 8.8.4.4 };

    hook Notice::policy(n: Notice::Info) &priority=10
        {
        if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
            {
            add n$actions[Notice::ACTION_LOG];
            }
        }

What am I not getting? Thank you for your help! Dillon Murphy
------------------------------
_______________________________________________ Bro mailing list Bro at bro.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro End of Bro Digest, Vol 149, Issue 20 ************************************

From jsiwek at corelight.com Tue Sep 18 17:43:52 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Tue, 18 Sep 2018 19:43:52 -0500 Subject: [Bro] Bro 2.6-beta available Message-ID:

The beta release for Bro 2.6 is now available for download at: https://www.bro.org/download/index.html See the NEWS file for the most significant changes: https://www.bro.org/documentation/beta/NEWS.bro.html Feel free to file bugs on GitHub or ask broader questions on this mailing list. Thanks to anyone that can help test and provide feedback. (Note that the beta suffix is indeed starting at -beta2 this time as it's just how things turned out...) - Jon

From leejia1989 at 126.com Tue Sep 18 20:20:38 2018 From: leejia1989 at 126.com (=?GBK?B?vNE=?=) Date: Wed, 19 Sep 2018 11:20:38 +0800 (CST) Subject: [Bro] response time of HTTP be recorded in log Message-ID:

How can the approximate response time of HTTP be recorded in Bro's log?

From seth at corelight.com Tue Sep 18 23:14:15 2018 From: seth at corelight.com (Seth Hall) Date: Wed, 19 Sep 2018 08:14:15 +0200 Subject: [Bro] Bro issue tracking migrated to GitHub In-Reply-To: References: <8A94C7F6-161D-49AC-95F0-B399E48DA768@corelight.com> Message-ID:

On 18 Sep 2018, at 7:10, Johanna Amann wrote: > Me, for example :). > > Give me a few hours, I will do it later. Thanks!
.Seth -- Seth Hall * Corelight, Inc * www.corelight.com

From rahulbroids at gmail.com Wed Sep 19 01:56:12 2018 From: rahulbroids at gmail.com (rahul rakesh) Date: Wed, 19 Sep 2018 14:26:12 +0530 Subject: [Bro] Enable ssh detection? Message-ID:

Hi all, The SSH example given on the Bro site is working fine when it is tested from the command line. I mean SSH events such as failed and success are generated and also the log is created. But without using the ssh guess pcap file, when I do ssh between two systems, these events such as ssh_auth_fail and success are *NOT* generated. Can you tell how to solve this issue? Or how can I enable SSH detection? with regards ravi

From rahulbroids at gmail.com Wed Sep 19 05:24:00 2018 From: rahulbroids at gmail.com (rahul rakesh) Date: Wed, 19 Sep 2018 17:54:00 +0530 Subject: [Bro] Enable ssh detection? In-Reply-To: References: Message-ID:

Hi, PFA the pcap file created after performing ssh logins. When it is used, the ssh events are also not generated, except the version event. with regards ravi On 9/19/18, rahul rakesh wrote: > Hi all, > > The SSH example given on the Bro site is working fine when it is tested from > the command line. > I mean SSH events such as failed and success are generated and also the log is > created. > But without using the ssh guess pcap file, when I do ssh between two > systems, these > events such as ssh_auth_fail and success are *NOT* generated. Can you tell > how to solve this issue? Or how can I enable SSH detection? > > with regards > ravi > -------------- next part -------------- A non-text attachment was scrubbed...
Name: newssh3aes.pcapng Type: application/octet-stream Size: 24372 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180919/5a7aab01/attachment-0001.obj From turbidtarantula at gmail.com Wed Sep 19 06:18:52 2018 From: turbidtarantula at gmail.com (Mike M) Date: Wed, 19 Sep 2018 09:18:52 -0400 Subject: [Bro] Running Bro on Alpine In-Reply-To: <7581df63-6d9c-ea62-11ab-1a22523f7be2@gmail.com> References: <7581df63-6d9c-ea62-11ab-1a22523f7be2@gmail.com> Message-ID: Thanks Daniel T and Daniel G. I verified that no Bro processes were running before running broctl, but still I'm seeing the same behavior as Daniel G. Please let me know if I can assist any further with debugging. cheers, Mike On Tue, Sep 18, 2018 at 4:29 PM Daniel Guerra wrote: > Just tried it, for now I can only confirm your problem > > /tmp/bro # /usr/local/bro/bin/broctl start > starting bro ... > (bro still initializing) > /tmp/bro # /usr/local/bro/bin/broctl status > Name Type Host Status Pid Started > bro standalone localhost crashed > > this might help , dmesg output > > device eth0 entered promiscuous mode > traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb > sp:7f92f1a40880 error:0 > in ld-musl-x86_64.so.1[7f92f1848000+8d000] > bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp > 00007ffd5d7bbaa8 error 15 > bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp > 00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000] > and the ps aux output > > 364 root 0:00 {run-bro} /bin/bash > /usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl > -p broctl-live -p standalone -p local -p bro local.bro broctl > broctl/standalone broctl > 370 root 0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl > -p broctl-live -p standalone -p local -p bro local.bro broctl > broctl/standalone broctl/auto > 372 root 0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl > -p broctl-live -p standalone -p local -p 
bro local.bro broctl > broctl/standalone broctl/auto > > > On 18/09/2018 at 20:23, Mike M wrote: > > Daniel, > > Thanks for the help. I rebuilt bro with those patches (although they look > identical to the ones I referenced earlier), making sure to grab all the > dependencies listed in the docker file. > > I'm still seeing broctl report that bro crashed. However, what I failed to > notice before is that there are actually several bro processes running and > bro is still producing logs even when broctl report it has crashed. > > I suppose I could roll my own scripts to start and stop bro, but I'd > prefer to actually get broctl working on alpine. Any ideas as to why it's > reporting inaccurate information? > > thanks, > Mike > > On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra > wrote: > >> Check out >> >> >> For alpine linux you need some patches >> >> https://github.com/blacktop/docker-bro/tree/master/2.5 >> >> >> Regards, >> >> >> Daniel >> On 18/09/2018 at 17:18, Mike M wrote: >> >> Hello, >> >> I'm trying to compile and run Bro on Alpine Linux and I'm having an issue >> with broctl crashing. >> >> Out of the box running ./configure and make using the bro 2.5.5 source I >> get a bunch of errors like "'u_char' does not name a type" [1]. >> >> I found this project for compiling Bro on Alpine [2]. The build-bro.sh >> script includes two patch files and a cmake file [3]. Manually applying >> those three files gets Bro to the point where it compiles successfully. >> >> Bro will run fine from the command line, but running broctl it crashes >> almost immediately [4]. Broctl reports Bro as crashed, but it briefly >> produces all the log files I'd expect (conn, dns, etc). There's nothing >> useful in the stdout, stderr or reporter logs. >> >> I built bro with --enable-debug, I've got gdb installed, and I set >> "ulimit -c unlimited" but I don't see a crash dump anywhere. >> >> In the absence of any error messages I'm unsure on how to proceed.
Can >> anyone recommend next steps? >> >> thanks, >> Mike >> >> [1] see compile error.txt (attached) >> [2] https://github.com/danielguerra69/docker-bro-1 >> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source >> [4] see broctl crash.txt (attached) >> >> >> _______________________________________________ >> Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> >> >

From klehigh at iu.edu Wed Sep 19 08:13:22 2018 From: klehigh at iu.edu (Keith Lehigh) Date: Wed, 19 Sep 2018 11:13:22 -0400 Subject: [Bro] BroCon 2018 Hotel block extension Message-ID:

Hi Folks, For those of you who are still on the fence about attending BroCon, we have extended the hotel group rate until this Friday, September 21. You can find details about the hotel here : https://www.brocon2018.com/event/location . I hope to see you all next month! - Keith

From jsiwek at corelight.com Wed Sep 19 09:48:44 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Wed, 19 Sep 2018 11:48:44 -0500 Subject: [Bro] Enable ssh detection? In-Reply-To: References: Message-ID:

On Wed, Sep 19, 2018 at 7:39 AM rahul rakesh wrote: > PFA the pcap file created after performing ssh logins. > When it is used, the ssh events are also not > generated, except the version event. Maybe attach the particular script you are using to make the determination that the events are not being generated, because I do see `ssh_auth_failed` get raised for that pcap. Or elaborate on what you expect to see versus what you are not seeing.
Also note, as the docs say, failure/success determinations are made via packet size analysis and aren't generally guaranteed to be made if there's ambiguity. - Jon

From nathan.delboux at gmail.com Thu Sep 20 02:29:04 2018 From: nathan.delboux at gmail.com (Nathan D'Elboux) Date: Thu, 20 Sep 2018 19:29:04 +1000 Subject: [Bro] Bro cluster switching to AMD Message-ID:

Hi all. I have had a bro cluster running the latest version on ubuntu 16.04 on a Dell server with Intel processors that have 16 cores. I have found that ram and disk are sufficient but I don't have enough CPU cores as they are constantly busy, so I have set up cpu pinning and load balancing with PF_RING. I have come into some hardware that I will use to replace the existing hardware. It has a significant ram and disk upgrade but the primary upgrade will be the CPUs. It will have a total of 48 cores but it is based on AMD not intel; my question is, is there anything different about running bro on ubuntu with PF_RING on AMD architecture than on an Intel CPU? Do I need to do anything to ensure that bro will utilise all 48 cores? The network link is only a 1GBps but the existing intel CPU is struggling. I can't find many documents stating there is a difference. I'll just ensure the pf ring pinning is set correctly. Thanks, Nathan

From rahulbroids at gmail.com Tue Sep 18 13:06:25 2018 From: rahulbroids at gmail.com (rahul rakesh) Date: Wed, 19 Sep 2018 01:36:25 +0530 Subject: [Bro] Enable ssh detection? In-Reply-To: References: Message-ID:

Hi Jon, Thank you for the response. In detail, I will explain the issue. I have created one bro script file "log-sample.bro", in which three SSH events are defined with log stmts in a simple way. It was also configured properly. After that, an SSH client and server connection is made and it is successful.
And then this whole connection is captured in "newssh3aes.pcapng". Those two files mentioned are attached. When log-sample.bro is executed with the newssh3aes.pcapng file, only the ssh_client_version event is generated, but the other two ssh events, "ssh_auth_successful" and "ssh_auth_failed", are not generated. But if "log-sample.bro" is executed with "sshguess.pcap" provided by Bro for testing, then all the above three events are generated. It seems the way bro made the SSH connection and my connection are different. Can you check and tell what mistake I am making, either on the code side or the ssh configuration side? thank you ravi On Wed, Sep 19, 2018 at 10:18 PM Jon Siwek wrote: > On Wed, Sep 19, 2018 at 7:39 AM rahul rakesh > wrote: > > > PFA the pcap file created after performing ssh logins. > > When it is used, the ssh events are also not > > generated, except the version event. > > Maybe attach the particular script you are using to make the > determination that the events are not being generated, because I do > see `ssh_auth_failed` get raised for that pcap. Or elaborate on what > you expect to see versus what you are not seeing. > > Also note, as the docs say, failure/success determinations are made > via packet size analysis and aren't generally guaranteed to be made if > there's ambiguity. > > - Jon >

-------------- next part -------------- A non-text attachment was scrubbed... Name: log-sample.bro Type: application/octet-stream Size: 2750 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180919/b2d0b0ec/attachment-0002.obj
-------------- next part -------------- A non-text attachment was scrubbed...
Name: newssh3aes.pcapng Type: application/octet-stream Size: 24372 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180919/b2d0b0ec/attachment-0003.obj

From jsiwek at corelight.com Thu Sep 20 10:15:24 2018 From: jsiwek at corelight.com (Jon Siwek) Date: Thu, 20 Sep 2018 12:15:24 -0500 Subject: [Bro] Enable ssh detection? In-Reply-To: References: Message-ID:

On Thu, Sep 20, 2018 at 4:52 AM rahul rakesh wrote: > When log-sample.bro is executed with the newssh3aes.pcapng file, only the ssh_client_version > event is generated, but the other two ssh events, "ssh_auth_successful" and "ssh_auth_failed", > are not generated. Thanks for explaining. One thing I noticed is that there's a difference in events generated between Bro 2.5.5 and 2.6-beta, with the latter raising more events. The patch that results in the difference is at [1] in case you want to try to apply it or else I'd suggest trying out the beta version. - Jon [1] https://github.com/bro/bro/commit/7e374f8c3f800b7fc2cdd4cf36dab753d3013754

From wangdj at ffcs.cn Fri Sep 21 05:38:25 2018 From: wangdj at ffcs.cn (wangdj at ffcs.cn) Date: Fri, 21 Sep 2018 20:38:25 +0800 Subject: [Bro] Does BPF filter of worker has the ability of packet retransmition References: <2018082716104988396524@ffcs.cn> Message-ID: <2018092120382545873641@ffcs.cn>

Hi, When I read the document "Bro Cluster Architecture" (link: https://www.bro.org/sphinx/cluster/index.html), I cannot understand the following sentence. "The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows, or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers." Does this sentence mean the worker's BPF filter can retransmit packets to another switch? If it cannot, what does the above-mentioned sentence mean? If it can, then what does the following sentence, which is also from "Bro Cluster Architecture", mean?
"The frontend is a discrete hardware device or on-host technique that splits traffic into many streams or flows. The Bro binary does not do this job" DeJin Wang -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180921/90b53293/attachment.html From nahum at us.ibm.com Fri Sep 21 08:52:40 2018 From: nahum at us.ibm.com (Erich M Nahum) Date: Fri, 21 Sep 2018 11:52:40 -0400 Subject: [Bro] recommendations for 10, 40, and 100 Gbit NICS Message-ID: Hi All, I'm currently preparing to set up a Bro cluster to examine scalability. I'm wondering if anyone has recommendations for 10, 40, and even 100 Gbit NICs. I've read the 100 Gbs Intrusion Detection paper, which used 10 Gigabit Myricom sniffer cards, but this paper is from 2015. I'm wondering if anyone has more recent data than that. Thanks! -Erich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180921/3fb1f1ab/attachment.html From klehigh at iu.edu Fri Sep 21 12:20:23 2018 From: klehigh at iu.edu (Keith Lehigh) Date: Fri, 21 Sep 2018 15:20:23 -0400 Subject: [Bro] BroCon 2018 is around the corner! Message-ID: Hi Folks, We?re about 2 1/2 weeks out from BroCon 2018. We?ve got a good conference put together with presentations from the community on topics such as writing analyzers, new scripts and packages, working with Bro data and managing Bro deployments. We also have a great keynote scheduled from Marcus Ranum. We?ve extended the hotel block rate until Monday, September 24th so you?ve still got time to make reservations at reduced price. We?re looking forward to seeing everybody in D.C.! - Keith -------------- next part -------------- A non-text attachment was scrubbed... 
From vern at corelight.com Sun Sep 23 13:55:16 2018 From: vern at corelight.com (Vern Paxson) Date: Sun, 23 Sep 2018 13:55:16 -0700 Subject: [Bro] Does BPF filter of worker has the ability of packet retransmition In-Reply-To: <2018092120382545873641@ffcs.cn> (Fri, 21 Sep 2018 20:38:25 +0800). Message-ID: <201809232055.w8NKtGsC008323@fruitcake.ICSI.Berkeley.EDU>

> "The packets can then be passed directly to a monitoring host where > each worker has a BPF filter to limit its visibility to only that stream > of flows, or onward to a commodity switch to split the traffic out to > multiple 1G interfaces for the workers." > > Does this sentence mean the worker's BPF filter can retransmit packets to another switch? The "or onward" part is talking about what the front-end does, rather than what the workers do. The front end *either* sends all packets to a host for which each individual worker applies a (disjoint) BPF filter to the stream to pick out those flows specifically for it; *or* the front end can send the traffic to a switch that explicitly load-balances the traffic across multiple 1G interfaces. Vern

From wangdj at ffcs.cn Sun Sep 23 18:56:29 2018 From: wangdj at ffcs.cn (王德劲) Date: Mon, 24 Sep 2018 09:56:29 +0800 Subject: [Bro] Reply: Re: Does BPF filter of worker has the ability of packet retransmition Message-ID: <608455ae54f1651fd5230a78a142c064@MagicMail>

Hi Vern, The span of the original sentence is a bit too long for me to understand. But I understand it now. Thanks for your reply.
DeJin Wang

====== last communication content ====== From: "Vern Paxson"; Date: 09/24 2018 04:55:20 To: "wangdj at ffcs.cn" Cc: "bro" Subject: Re: [Bro] Does BPF filter of worker has the ability of packet retransmition > "The packets can then be passed directly to a monitoring host where > each worker has a BPF filter to limit its visibility to only that stream > of flows, or onward to a commodity switch to split the traffic out to > multiple 1G interfaces for the workers." > > Does this sentence mean the worker's BPF filter can retransmit packets to another switch? The "or onward" part is talking about what the front-end does, rather than what the workers do. The front end *either* sends all packets to a host for which each individual worker applies a (disjoint) BPF filter to the stream to pick out those flows specifically for it; *or* the front end can send the traffic to a switch that explicitly load-balances the traffic across multiple 1G interfaces. Vern

From rahulbroids at gmail.com Mon Sep 24 05:35:21 2018 From: rahulbroids at gmail.com (rahul rakesh) Date: Mon, 24 Sep 2018 18:05:21 +0530 Subject: [Bro] Enable ssh detection? In-Reply-To: References: Message-ID:

Hi Jon, Thank you. Made the changes in Bro 2.5.3 as you suggested; it is working fine. One more thing: to execute the detect-MHR.bro file located in the frameworks/files folder, I think some pdf is required to test it. So, can you suggest where I can get a pdf file? with regards ravi On Thu, Sep 20, 2018 at 10:45 PM Jon Siwek wrote: > On Thu, Sep 20, 2018 at 4:52 AM rahul rakesh > wrote: > > > When log-sample.bro is executed with the newssh3aes.pcapng file, only the > ssh_client_version > > event is generated, but the other two ssh events, > "ssh_auth_successful" and "ssh_auth_failed", > > are not generated. > > Thanks for explaining.
One thing I noticed is that there's a > difference in events generated between Bro 2.5.5 and 2.6-beta, with > the latter raising more events. The patch that results in the > difference is at [1] in case you want to try to apply it or else I'd > suggest trying out the beta version. > > - Jon > > [1] > https://github.com/bro/bro/commit/7e374f8c3f800b7fc2cdd4cf36dab753d3013754 >

From rahulbroids at gmail.com Tue Sep 25 21:33:18 2018 From: rahulbroids at gmail.com (rahul rakesh) Date: Wed, 26 Sep 2018 10:03:18 +0530 Subject: [Bro] Sample file for to run detect-MHR.bro file Message-ID:

Dear all, Can you suggest how to run the detect-MHR.bro file? I need some pdf file to test it. If anyone has it, please send it to me. with regards bravi

From wangdj at ffcs.cn Thu Sep 27 05:32:21 2018 From: wangdj at ffcs.cn (wangdj at ffcs.cn) Date: Thu, 27 Sep 2018 20:32:21 +0800 Subject: [Bro] Elasticsearch plugin compile error Message-ID: <2018092720312460097828@ffcs.cn>

Hi, when I compile the Bro elasticsearch plugin, I get the following error:

    [ 18%] Creating build/lib/bif for Bro::ElasticSearch
    Error copying directory from "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" to "/data/bro-2.5.4/aux/plugins/elasticsearch/build/lib/bif".

My compile steps are: first, use the following commands to compile Bro:

    # ./configure --with-pcap=/usr/lib64 --prefix=/usr/local/bro
    # make
    # make install

second, use the following commands to compile the elasticsearch plugin:

    # cd bro-2.5.4/aux/plugins/elasticsearch
    # ./configure --with-libcurl=/usr/local
    # make
    # make install

I am sure the libpcap and libcurl library paths are not wrong.
When I make the dir "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" manually and compile elasticsearch again, the error disappears. But I do not know what effect it will have if I do this. Can anyone tell me what may lead to this error and how to resolve it. Best Regards DeJin Wang

From chavez243 at gmail.com Thu Sep 27 06:56:51 2018 From: chavez243 at gmail.com (Rick Chisholm) Date: Thu, 27 Sep 2018 09:56:51 -0400 Subject: [Bro] HTTP Log filter Message-ID:

Need to find a way to filter all traffic from a particular user-agent so that it does not get logged. Been reading docs and reviewing .bro files, but still kind of stumped. Any help is greatly appreciated. TIA

From bill.de.ping at gmail.com Thu Sep 27 07:04:27 2018 From: bill.de.ping at gmail.com (william de ping) Date: Thu, 27 Sep 2018 17:04:27 +0300 Subject: [Bro] - mismatch between conn's service and analyzer Message-ID:

Hi all, On various occasions I've come across a conn log indicating a session's service as dns (udp port 53). Yet I do not see that UID in bro's DNS log. Any ideas why? Should conn's service field indicate the bro analyzer being used? Thank you B

From brandon.sterne at gmail.com Thu Sep 27 21:34:30 2018 From: brandon.sterne at gmail.com (Brandon Sterne) Date: Thu, 27 Sep 2018 21:34:30 -0700 Subject: [Bro] HTTP Log filter In-Reply-To: References: Message-ID:

I recently implemented a filter to prevent URLs matching a particular regex from getting logged.
You could adapt this to your User-Agent condition fairly easily:

##! This script ignores particular events that we don't want winding up in the
##! Bro logs.
##!
##! Useful docs:
##! https://www.bro.org/development/projects/logging-api.html
##! https://www.bro.org/sphinx-git/frameworks/logging.html#filter-log-records

@load base/protocols/http

# Filter unwanted HTTP events, like the /app_info/status requests.
function http_not_ignored(rec: HTTP::Info) : bool
    {
    if (rec?$uri && /app_info/ in rec$uri) {
        return F;
    }
    return T;
    }

event bro_init()
    {
    # First remove the default filter for HTTP logs.
    Log::remove_default_filter(HTTP::LOG);

    # Add an HTTP filter back in to log only the events we want.
    Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
                                $path = "http",
                                $pred = http_not_ignored]);
    }

Cheers,
Brandon

On Thu, Sep 27, 2018 at 6:59 AM Rick Chisholm wrote:

> Need to find a way to filter all traffic from a particular user-agent so
> that it does not get logged.
>
> Been reading docs and reviewing .bro files, but still kind of stumped.
> Any help is greatly appreciated.
>
> TIA
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From seth at corelight.com Fri Sep 28 05:03:55 2018
From: seth at corelight.com (Seth Hall)
Date: Fri, 28 Sep 2018 08:03:55 -0400
Subject: [Bro] HTTP Log filter
Message-ID: <6AF8C1E1-C7BF-4089-8901-035FEF5EC434@corelight.com>

On 27 Sep 2018, at 9:56, Rick Chisholm wrote:

> Need to find a way to filter all traffic from a particular user-agent
> so that it does not get logged.
>
> Been reading docs and reviewing .bro files, but still kind of
> stumped. Any help is greatly appreciated.
In addition to Brandon's suggestion and code snippet (which is totally the right way to do it!), I'll point you to a blog post I wrote years ago about log filtering that might help you get a broader perspective on how Bro does log filtering.

.Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From seth at corelight.com Fri Sep 28 05:05:10 2018
From: seth at corelight.com (Seth Hall)
Date: Fri, 28 Sep 2018 08:05:10 -0400
Subject: [Bro] HTTP Log filter
In-Reply-To: <6AF8C1E1-C7BF-4089-8901-035FEF5EC434@corelight.com>
References: <6AF8C1E1-C7BF-4089-8901-035FEF5EC434@corelight.com>
Message-ID: <24D26C67-ABAF-4527-8C34-7EA292688727@corelight.com>

On 28 Sep 2018, at 8:03, Seth Hall wrote:

> In addition to Brandon's suggestion and code snippet (which is totally
> the right way to do it!), I'll point you to a blog post I wrote years
> ago about log filtering that might help you get a broader perspective
> on how Bro does log filtering.

I should actually include the link... :)

http://blog.bro.org/2012/02/filtering-logs-with-bro.html

.Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From seth at corelight.com Fri Sep 28 05:11:21 2018
From: seth at corelight.com (Seth Hall)
Date: Fri, 28 Sep 2018 08:11:21 -0400
Subject: [Bro] - mismatch between conn's service and analyzer
Message-ID: <1C191FAD-F9FF-476D-B260-8B261D95D087@corelight.com>

On 27 Sep 2018, at 10:04, william de ping wrote:

> At various occasions I've came across a conn log indicating a
> session's service as dns (udp port 53).
> Yet I do not see that UID from bro's DNS log.
>
> Any ideas why ?

You most likely aren't finding the "connections" associated with the query because Bro hasn't timed out the fake UDP connection yet. Since UDP doesn't establish connections, Bro has to create fake connections when a pair of hosts begin communicating back and forth using the same ports.
It's very possible that you are looking for the connection during the period where Bro is still tracking the "connection". The default timeout is 1 minute, but that means that if a host is continuing to do queries to another host using the same ephemeral port (which is very common) it can take a very long time before that fake UDP connection times out.

> Does conn's service field should indicate the bro analyzer being used
> ?

Yes. I suspect if you search in your conn log for "dns" you'll probably find some connections.

.Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

From chavez243 at gmail.com Fri Sep 28 06:31:37 2018
From: chavez243 at gmail.com (Rick Chisholm)
Date: Fri, 28 Sep 2018 09:31:37 -0400
Subject: [Bro] HTTP Log filter

Thanks, that's exactly what I needed to quiet that log down - sharing my snippet in case it's helpful to anyone else:

@load base/protocols/http

# Filter unwanted HTTP events; Sophos SXL requests.
function http_not_ignored(rec: HTTP::Info) : bool
    {
    if (rec?$user_agent && "SXL/3.1" in rec$user_agent) {
        return F;
    }
    return T;
    }

event bro_init()
    {
    # First remove the default filter for HTTP logs.
    Log::remove_default_filter(HTTP::LOG);

    # Add an HTTP filter back in to log only the events we want.
    Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
                                $path = "http",
                                $pred = http_not_ignored]);
    }

On Fri, Sep 28, 2018 at 12:34 AM Brandon Sterne wrote:

> I recently implemented a filter to prevent URLs matching a particular
> regex from getting logged. You could adapt this to your User-Agent
> condition fairly easily:
>
> ##! This script ignores particular events that we don't want winding up in the
> ##! Bro logs.
> ##!
> ##! Useful docs:
> ##! https://www.bro.org/development/projects/logging-api.html
> ##! https://www.bro.org/sphinx-git/frameworks/logging.html#filter-log-records
>
> @load base/protocols/http
>
> # Filter unwanted HTTP events, like the /app_info/status requests.
> function http_not_ignored(rec: HTTP::Info) : bool
>     {
>     if (rec?$uri && /app_info/ in rec$uri) {
>         return F;
>     }
>     return T;
>     }
>
> event bro_init()
>     {
>     # First remove the default filter for HTTP logs.
>     Log::remove_default_filter(HTTP::LOG);
>
>     # Add an HTTP filter back in to log only the events we want.
>     Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
>                                 $path = "http",
>                                 $pred = http_not_ignored]);
>     }
>
> Cheers,
> Brandon
>
> On Thu, Sep 27, 2018 at 6:59 AM Rick Chisholm wrote:
>
>> Need to find a way to filter all traffic from a particular user-agent so
>> that it does not get logged.
>>
>> Been reading docs and reviewing .bro files, but still kind of stumped.
>> Any help is greatly appreciated.
>>
>> TIA
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

--
Rick Chisholm
=========================
"There is no faith which has never yet been broken, except that of a truly faithful dog." - Konrad Lorenz
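An added example, not code from this thread: the same Log::add_filter predicate approach as Brandon's and Rick's scripts, but with the User-Agent and URI ignore rules exposed as redef-able patterns so they can be tuned from local.bro rather than edited into the predicate. The module name HTTPFilter and the pattern values are assumptions.

```bro
##! Added example (not from the thread): http.log filter whose ignore rules
##! are redef-able patterns. Module name and pattern values are assumptions.
##! The filter only changes what is written to http.log; Bro still analyses
##! the traffic, and conn.log / files.log entries are unaffected.

@load base/protocols/http

module HTTPFilter;

export {
    ## Requests whose User-Agent matches this pattern are not logged.
    const ignored_user_agents: pattern = /SXL\/3\.1/ &redef;

    ## Requests whose URI matches this pattern are not logged.
    const ignored_uris: pattern = /\/app_info\// &redef;
}

## Predicate for the http.log filter: return T to keep the record,
## F to drop it. Both fields are optional, so test presence with ?$ first.
function http_not_ignored(rec: HTTP::Info): bool
    {
    if ( rec?$user_agent && ignored_user_agents in rec$user_agent )
        return F;

    if ( rec?$uri && ignored_uris in rec$uri )
        return F;

    return T;
    }

## Run after the protocol scripts have created the HTTP stream (they do so
## at a higher priority), then swap the default filter for ours.
event bro_init() &priority=-10
    {
    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
                                $path = "http",
                                $pred = http_not_ignored]);
    }

# Override from local.bro without editing this file, e.g.:
#   redef HTTPFilter::ignored_user_agents = /SXL\/3\.1|HealthChecker\/1\.0/;
```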
From maanamen at hotmail.com Sun Sep 30 02:09:15 2018
From: maanamen at hotmail.com (MAÁN ABU SHAQRA)
Date: Sun, 30 Sep 2018 09:09:15 +0000
Subject: [Bro] Bro 2.5.5 Duplicate UIDs

Hi,

We're facing this issue with Bro whereby it's duplicating entries, see below:

1536746459.586520 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F
1536746460.343566 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F
1536746461.107930 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F
1536746466.418528 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F
1536746467.176333 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F
1536746467.940695 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F
1536746473.250630 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F
1536746474.010337 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F
1536746474.773560 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F
1536746452.751762 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F
1536746453.510702 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F
1536746454.275116 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F

There were around 40% dropped packets. I've configured pf_ring and af_packet and managed to get less than 1% packets dropped. However, I'm still seeing duplicated packets, mostly in DNS.
Please advise.

Thanks