[Bro] Bro Digest, Vol 149, Issue 20

Dillon Murphy DMurphy at lfcu.com
Tue Sep 18 14:22:55 PDT 2018


Never Mind! I think I just got the suppression to work.

Thank you!!

Dillon Murphy

From: bro-bounces at bro.org <bro-bounces at bro.org> On Behalf Of bro-request at bro.org
Sent: Tuesday, September 18, 2018 2:20 PM
To: bro at bro.org
Subject: Bro Digest, Vol 149, Issue 20

Send Bro mailing list submissions to
bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
bro-request at bro.org

You can reach the person managing the list at
bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

1. Re: Running Bro on Alpine (Daniel Thayer)
2. Re: Running Bro on Alpine (Daniel Guerra)
3. IP Whitelist for scan.bro (Dillon Murphy)


----------------------------------------------------------------------

Message: 1
Date: Tue, 18 Sep 2018 14:58:02 -0500
From: Daniel Thayer <dnthayer at illinois.edu>
Subject: Re: [Bro] Running Bro on Alpine
To: Mike M <turbidtarantula at gmail.com>
Cc: bro at bro.org
Message-ID: <5c3ae3e8-8515-8bcf-26b9-c3ff12de468e at illinois.edu>
Content-Type: text/plain; charset="utf-8"; format=flowed

On 9/18/18 1:23 PM, Mike M wrote:
> Daniel,
>
> Thanks for the help. I rebuilt bro with those patches (although they
> look identical to the ones I referenced earlier), making sure to grab
> all the dependencies listed in the docker file.
>
> I'm still seeing broctl report that bro crashed. However, what I failed
> to notice before is that there are actually several bro processes
> running and bro is still producing logs even when broctl report it has
> crashed.
>
> I suppose I could roll my own scripts to start and stop bro, but I'd
> prefer to actually get broctl working on alpine. Any ideas as to why
> it's reporting inaccurate information?
>
> thanks,
> Mike

First, I suggest running "broctl stop". Next, make sure there
are no more bro processes running on your machine by
running "broctl ps.bro". This command shows all bro processes
running, whereas "broctl status" only shows you the ones that
broctl knows about. It is important to make sure there are
no bro processes running before attempting to start bro
using broctl.

-Daniel



------------------------------

Message: 2
Date: Tue, 18 Sep 2018 22:29:40 +0200
From: Daniel Guerra <daniel.guerra69 at gmail.com>
Subject: Re: [Bro] Running Bro on Alpine
To: Mike M <turbidtarantula at gmail.com>
Cc: bro at bro.org
Message-ID: <7581df63-6d9c-ea62-11ab-1a22523f7be2 at gmail.com>
Content-Type: text/plain; charset="utf-8"

Just tried it; for now I can only confirm your problem.

/tmp/bro # /usr/local/bro/bin/broctl start
starting bro ...
(bro still initializing)
/tmp/bro # /usr/local/bro/bin/broctl status
Name         Type       Host          Status    Pid    Started
bro          standalone localhost     crashed

This might help, dmesg output:

device eth0 entered promiscuous mode
traps: bro: stats/Log:[14187] general protection ip:7f92f1865fbb
sp:7f92f1a40880 error:0
 in ld-musl-x86_64.so.1[7f92f1848000+8d000]
bro[11051]: segfault at 55ccf2f95900 ip 000055ccf2f95900 sp
00007ffd5d7bbaa8 error 15
bro[11232]: segfault at 7f4df2130df8 ip 00007f4df2130df8 sp
00007ffe154c88e8 error 15 in ld-musl-x86_64.so.1[7f4df2130000+1000]

And the ps aux output:

  364 root      0:00 {run-bro} /bin/bash
/usr/local/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p
broctl -p broctl-live -p standalone -p local -p bro local.bro broctl
broctl/standalone broctl
  370 root      0:23 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl
-p broctl-live -p standalone -p local -p bro local.bro broctl
broctl/standalone broctl/auto
  372 root      0:00 /usr/local/bro/bin/bro -i eth0 -U .status -p broctl
-p broctl-live -p standalone -p local -p bro local.bro broctl
broctl/standalone broctl/auto


Op 18/09/2018 om 20:23 schreef Mike M:
> Daniel,
>
> Thanks for the help. I rebuilt bro with those patches (although they
> look identical to the ones I referenced earlier), making sure to grab
> all the dependencies listed in the docker file.
>
> I'm still seeing broctl report that bro crashed. However, what I
> failed to notice before is that there are actually several bro
> processes running and bro is still producing logs even when broctl
> report it has crashed.
>
> I suppose I could roll my own scripts to start and stop bro, but I'd
> prefer to actually get broctl working on alpine. Any ideas as to why
> it's reporting inaccurate information?
>
> thanks,
> Mike
>
> On Tue, Sep 18, 2018 at 11:47 AM Daniel Guerra
> <daniel.guerra69 at gmail.com> wrote:
>
> Check out
>
>
> For alpine linux you need some patches
>
> https://github.com/blacktop/docker-bro/tree/master/2.5
>
>
> Regards,
>
>
> Daniel
>
> Op 18/09/2018 om 17:18 schreef Mike M:
>> Hello,
>>
>> I'm trying to compile and run Bro on Alpine Linux and I'm having
>> an issue with broctl crashing.
>>
>> Out of the box running ./configure and make using the bro 2.5.5
>> source I get a bunch of errors like "'u_char' does not name
>> a type" [1].
>>
>> I found this project for compiling Bro on Alpine [2]. The
>> build-bro.sh. script includes two patch files and a cmake file
>> [3]. Manually applying those three files gets Bro to the point
>> where it compiles successfully.
>>
>> Bro will run fine from the command line, but running broctl it
>> crashes almost immediately [4]. Broctl reports Bro as crashed,
>> but it briefly produces all the log files I'd expect (conn, dns,
>> etc). There's nothing useful in the stdout, stderr or reporter logs.
>>
>> I built bro with --enable-debug, I've got gdb installed, and I
>> set "ulimit -c unlimited" but I don't see a crash dump anywhere.
>>
>> In the absence of any error messages I'm unsure on how to
>> proceed. Can anyone recommend next steps?
>>
>> thanks,
>> Mike
>>
>> [1] see compile error.txt (attached)
>> [2] https://github.com/danielguerra69/docker-bro-1
>> [3] https://github.com/danielguerra69/docker-bro-1/tree/master/source
>> [4] see broctl crash.txt (attached)
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>


------------------------------

Message: 3
Date: Tue, 18 Sep 2018 21:19:22 +0000
From: Dillon Murphy <DMurphy at lfcu.com>
Subject: [Bro] IP Whitelist for scan.bro
To: bro at bro.org
Message-ID: <BCB5D74FF567D947A261E8EDCAF0E1530190513F85 at LVXMB02.lockheedfcu.local>
Content-Type: text/plain; charset="utf-8"


Hello,

How do I whitelist IPs for the scan.bro notice? I prefer to whitelist rather than suppress. I'm running my tests in try.bro.org.

I've tried:

module scanwhitelist;

export {
	# Scanners that should never be counted (set[subnet] so that
	# whole ranges can be listed as well as single hosts).
	const scan_host_ignore: set[subnet] = { 192.168.0.1/32 } &redef;

	# Ports whose probes should never count towards a port scan.
	const scan_port_ignore: set[port] = { } &redef;
}

redef Notice::type_suppression_intervals += {
	[Scan::Port_Scan] = 4hrs,
};

# Vetoing the hook (break) stops scan.bro from observing this connection.
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in scanwhitelist::scan_host_ignore || scanned_port in scanwhitelist::scan_port_ignore )
		break;
	}



And I have also tried this. Found it here: http://mailman.icsi.berkeley.edu/pipermail/bro/2013-April/005662.html



const external_port_scanners_whitelist = { 10.2.32.94, 8.8.4.4 };

hook Notice::policy(n: Notice::Info) &priority=10
	{
	if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
		add n$actions[Notice::ACTION_LOG];
	}


What am I not getting?

Thank you for your help!

Dillon Murphy
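A complete form of the hook-based approach from the message above, added here as an example and not part of the thread or of scan.bro itself. It assumes Bro 2.5's policy/misc/scan.bro is loaded (the `@load misc/scan` line below), which exports the Scan::addr_scan_policy and Scan::port_scan_policy hooks with the signature used in the message; the module name ScanWhitelist, the subnets and the ports are constructed sample values. Vetoing the hook with `break` keeps the connection from being counted at all, so no Scan::Address_Scan or Scan::Port_Scan notice is ever raised for a listed scanner, which is what distinguishes whitelisting from suppressing an already-raised notice.

```bro
# Added example (not from the thread): whitelist for scan.bro's scan
# detection via its policy hooks. Assumes policy/misc/scan.bro (Bro 2.5).
@load misc/scan

module ScanWhitelist;

export {
	## Scanners that may probe the network without ever being counted.
	## Constructed sample values; replace with your own scanner hosts.
	const trusted_scanners: set[subnet] = {
		192.168.0.1/32,   # e.g. an internal vulnerability scanner
		10.0.0.0/8,       # e.g. a whole management range
	} &redef;

	## Ports whose probes never count towards a port scan of a victim.
	## Constructed sample values.
	const ignored_ports: set[port] = { 80/tcp, 443/tcp } &redef;
}

# Address scans: one scanner touching many victims. Membership of an
# addr in a set[subnet] does longest-prefix matching, so a /8 works too.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in trusted_scanners )
		break;   # veto: scan.bro does not record this observation
	}

# Port scans: one scanner touching many ports on one victim.
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in trusted_scanners || scanned_port in ignored_ports )
		break;
	}
```

Because the whitelisted hosts are defined with &redef, a site can extend the lists from local.bro (`redef ScanWhitelist::trusted_scanners += { 172.16.5.10/32 };`) without editing this script, and the existing Notice::type_suppression_intervals setting from the message can stay in place for everything that is not whitelisted.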


------------------------------

_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


End of Bro Digest, Vol 149, Issue 20
************************************
