I have been thinking and trying different things but for now, it appears that if we are to share policies around, there is no easy way to be able to distribute input-files along with policy files.
Basically, right now I use
redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ;
and then expect everyone to edit the path as their setup demands it and place an accompanying sample file in the directory or create one for themselves - this all introduces errors as well as slows down deployment.
Is there a way I can use relative paths instead of absolute paths for input-framework digestion? At present a new-heuristics dir can have __load__.bro with all policies, but the input-framework won't read files relative to that directory or where it is placed.
redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ;
Something similar to the __load__.bro model.
Also, one question I have is: should all input-files go to a 'standard' feeds/input dir in bro, or be scattered around along with their accompanying bro policies (i.e. in individual directories)?
Something to think about, as with more and more reliance on the input-framework I think there is a need for 'standardization' on where to put input-files and how to easily find and read them.
Aashish
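One way to express a script-relative input path like the one asked about above, using Bro's @DIR directive (which expands to the directory of the current script) together with the Input framework. This is an added example, not code from the thread; the Scan module, the whitelist_ip_file/whitelist_ips names and the Idx record are assumed for illustration.

```bro
# Added example: resolve the whitelist relative to this script's own directory
# and feed it to the Input framework as a set of addresses. Only @DIR, fmt()
# and the Input::add_table call are Bro's; the Scan names are assumed here.
module Scan;

export {
    ## Path to the whitelist. Defaults to ../feeds/ relative to this script,
    ## so a package can ship the file next to its policies; still &redef-able.
    const whitelist_ip_file = fmt("%s/../feeds/ip-whitelist.scan", @DIR) &redef;

    ## Addresses read from the file; kept current by the Input framework.
    global whitelist_ips: set[addr] = set();
}

## Index record matching the file's single column. The file is tab-separated
## with a header line, e.g. (constructed sample):
##   #fields<TAB>ip
##   192.0.2.10
type Idx: record {
    ip: addr;
};

event bro_init()
{
    # REREAD picks up edits to the whitelist without restarting Bro.
    Input::add_table([$source=whitelist_ip_file,
                      $name="scan-whitelist",
                      $idx=Idx,
                      $destination=whitelist_ips,
                      $mode=Input::REREAD]);
}

## Helper a scan policy can call before raising a notice.
function is_whitelisted(ip: addr): bool
{
    return ip in whitelist_ips;
}
```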
Hi all,
looking at PcapSource::OpenLive() in iosource/pcap/Source.cc I was
wondering whether it would be better to use pcap_set_immediate instead
of "setting the smallest time-out possible" with pcap_set_timeout.
Could it be that, especially in high-throughput environments, the
introduced timeout in polling on the socket buffer may cause initial
packet loss?
best,
Valerio
Attention Bro Community,
While we’re in the process of developing a web site for the Bro Package Manager project, we’d like to share the packages we have collected so far. The package names and a short description are listed below:
bro/0xxon/bro-postgresql - A PostgreSQL reader and writer for Bro.
bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str).
bro/corelight/bro-long-connections - Find and log long-lived connections into a "conn_long" log.
bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation.
bro/dopheide/venom (installed: master) - https://security.web.cern.ch/security/venom.shtml
bro/hhzzk/dns-tunnels - Detect DNS Tunnels attack.
bro/initconf/CVE-2017-5638_struts.git
bro/initconf/phish-analysis.git
bro/initconf/scan-NG
bro/j-gras/add-json - Additional JSON-logging for Bro.
bro/j-gras/bro-af_packet-plugin - This plugin provides native AF_Packet support for Bro.
bro/j-gras/intel-extensions - Extensions for Bro's intelligence framework.
bro/joesecurity/Joe-Sandbox-Bro - JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox.
bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling.
bro/jsiwek/bro-test-package - An example Bro package for testing purposes.
bro/jswaro/tcprs - TCP Retransmission and State Analyzer plugin for Bro.
bro/ncsa/bro-interface-setup - A broctl plugin that helps you setup capture interfaces
bro/pgaulon/bro-notice-slack - Bro Notices through Slack webhook
bro/scebro/ldap-analyzer - LDAP write operations analyzer for Bro.
bro/sethhall/bro-myricom - Packet source plugin that provides native Myricom SNF v3+v4 support.
bro/sethhall/credit-card-exposure - Detect credit card numbers in HTTP and SMTP with Bro.
bro/sethhall/domain-tld
bro/sethhall/ssn-exposure - Detect US Social Security numbers in HTTP and SMTP with Bro.
bro/srozb/dns_axfr - Find and notice DNS zone transfer attempts.
bro/theflakes/bro-large_uploads - Raise notices on outgoing files over X bytes in size.
To learn how to use the Package Manager, see our documentation here:
http://bro-package-manager.readthedocs.io/en/stable/index.html
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
So with the emergence of the logging node, I am encountering an issue with clusterization and was seeking feedback on what's a better way to do this.
Presently I have been using:
@if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) || ! Cluster::is_enabled())
@endif
and events worker2manager_events and manager2worker_events.
With logging node:
I can surely do "Cluster::local_node_type() == Cluster::LOGGER" and then events logger2manager_events and logger2worker_events etc etc so on so forth.
The issue I am facing is that to begin with I don't know if someone is only going to run a manager or if someone is going to run a logger node as well, making
the following clumsy:
- @if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) || ! Cluster::is_enabled())
- if manager then use worker2manager and manager2worker events
OR
- @if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::LOGGER) || ! Cluster::is_enabled())
- if logger then use logger events?
Any thoughts on how to handle the existence or non-existence of a logger node in a clusterization scheme?
Aashish
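One way to avoid the two hard-coded @if branches above: inspect Cluster::nodes at parse time to see whether the layout defines a LOGGER node, and derive the "central" node from that. This is an added example, not code from the thread; it assumes a Bro release that has Cluster::LOGGER (as mentioned in the post), and the Scan module and the has_logger_node/is_central_node function names are assumed here.

```bro
# Added example: pick the node type that should own centralized scan state
# depending on whether the cluster layout contains a logger node.
# Cluster::nodes, Cluster::LOGGER, Cluster::MANAGER, Cluster::is_enabled()
# and Cluster::local_node_type() are Bro's; the functions below are assumed.
@load base/frameworks/cluster

module Scan;

## True if the cluster layout (cluster-layout.bro) defines a LOGGER node.
function has_logger_node(): bool
{
    for ( name in Cluster::nodes )
        if ( Cluster::nodes[name]$node_type == Cluster::LOGGER )
            return T;
    return F;
}

## The node that should aggregate state: standalone Bro always, otherwise the
## logger when one exists and the manager when it does not.
function is_central_node(): bool
{
    if ( ! Cluster::is_enabled() )
        return T;
    if ( has_logger_node() )
        return Cluster::local_node_type() == Cluster::LOGGER;
    return Cluster::local_node_type() == Cluster::MANAGER;
}

# Evaluated once at parse time, so only the chosen node compiles this block.
@if ( is_central_node() )
event bro_init()
{
    print fmt("%s aggregates scan state (logger present: %s)",
              Cluster::node, has_logger_node());
}
@endif
```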
Friendly reminder to fill out this questionnaire. Thanks to those who have responded so far!
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
On 5/30/17, 1:09 PM, "bro-dev-bounces(a)bro.org on behalf of Dopheide, Jeannette M" <bro-dev-bounces(a)bro.org on behalf of jdopheid(a)illinois.edu> wrote:
The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, with additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable.
Please let us know what features you would like to see by filling out our questionnaire:
https://goo.gl/forms/VyVH1aRIBB2qdZF53
_______________________________________________
bro-dev mailing list
bro-dev(a)bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev