zeek October 1999

zeek@lists.zeek.org

5 participants
10 discussions

by Vern Paxson

> I think that ther should be some way to localize information about > hostnames of machines involved into the policies. It is rather difficult > to navigate through lots of policies-files. Yes, I strongly agree. There will be features in the 0.7 release for doing just this. > Qest: How can I know that bro works properly? As far as I remember, I > didn't install additional required libs, but it works. Many systems come with the required library (libpcap) already installed. > After checking > policy-files, it told that it's lissening on interface ed0.Can I be sure > that it is true. You can believe the interface it claims to be listening on, that code is copied straight from tcpdump. To test it, create a connection that should be observed from the interface, terminate it, and see if Bro records it in the red.* output file. Vern

21 years, 9 months

hostname

by Vlad Kushka

Hello, all! I think that ther should be some way to localize information about hostnames of machines involved into the policies. It is rather difficult to navigate through lots of policies-files. Qest: How can I know that bro works properly? As far as I remember, I didn't install additional required libs, but it works. After checking policy-files, it told that it's lissening on interface ed0.Can I be sure that it is true. Vlad Kushka

21 years, 9 months

Re: Regarding: Documentation on the BRO package.

by Vern Paxson

> We have installed BRO package on our Solaris system. We have a > "bro-usenix98-revised2.ps" file. Please let us know if there is any more > documentation for the BRO package. All the available document is included with the distribution. Vern

21 years, 9 months

Regarding: Documentation on the BRO package.

by Intelligent Software Solutions Pvt.Ltd

Sir, We have installed BRO package on our Solaris system. We have a "bro-usenix98-revised2.ps" file. Please let us know if there is any more documentation for the BRO package. Thank You. Regards, ISS

21 years, 9 months

"subscribe"

by Intelligent Software Solutions Pvt.Ltd

Sir, This is a request for enrolling us into the mailing list for the BRO package. Thank You. Regards, gurucharan [for ISS]

21 years, 9 months

Re: Event signatures

by Vern Paxson

> I wonder if there is a repository of attack signatures (e.g., for various > NetBIOS/SMB-based attacks) that can be added to Bro. > If not, maybe we should start one? Bro isn't quite attack-signature based but rather event-pattern based, but modulo that nit, the only such repository right now is embodied in the sample policy scripts distributed with the alpha release. It would be terrific if the community starts working on sets of Bro attack patterns - that's long been my hope, though I've realized it won't really start until there's a user manual (which I'm working on but is very slow in coming). Vern

21 years, 9 months

Re: bro: pcap_complile: parse error

by Vern Paxson

> bro-pub-0.6% bro -f "myFilter" -i lo mt -f specifies the filter itself, not a file containing the filter. Vern

21 years, 9 months

Re: Bro 0.6 and empty const values

by Vern Paxson

> Is there a way to > specify that the const value is empty where it is declared? Yes, but in that case you have to specify a type for the variable, too, since Bro can't infer it. So, for example: const ftp_servers: set[addr]; With the 0.7 release, there will be significantly smoother support for defining things like the above and overriding them. For example, you'll be able to do: const ftp_servers: set[addr] &redef; # &redef = it's okay to redefine ... const ftp_servers += { webfarm.myorg.org, webfarm2.myorg.org }; ... const ftp_servers += { departmental.ftp.myorg.org }; ... # Don't consider webfarm.myorg.org an FTP server for our particular # local policy. const ftp_servers -= { webfarm.myorg.org }; and at the end of this ftp_servers is initialized to { webfarm2.myorg.org, departmental.ftp.myorg.org }. > One more thing. I was unable to subscribe to this mailing list via > bro-subscribe(a)lbl.gov. lbl.gov responds with a "use unknown" reply. If > anyone knows why this is, I would appreciate the information. The mailing list is now run by majordomo. To get on it, send a message to majordomo(a)listserv.lbl.gov with the *body* "subscribe bro". If you found stale information somewhere that said to try bro-subscribe(a)llb.gov, please let me know. Vern

21 years, 9 months

bro: pcap_complile: parse error

by Joey McAlerney

Hello, I am having some trouble tracking down the source of this error. It occurs when I run Bro 0.6 like so: bro-pub-0.6% bro -f "myFilter" -i lo mt bro: pcap_compile: parse error bro-pub-0.6% The parse error is coming from libpcap's grammar.c, but the reason for the parse error is unknown. The contents of "myFilter" is the standard filter that was described in the README of Bro 06. I have tried many other simple filters, but none seem to work. Bro will run without the -f option, but of course, it won't pick anything up. Can anyone explain what is going on, or suggest a place I could try looking? Thank you very much for any help. -- Joey McAlerney Silicon Defense http://www.silicondefense.com

21 years, 9 months

Bro 0.6 and empty const values

by Joey McAlerney

Hello, I am working with Bro 0.6 at the moment, and have ran into an issue. In the policy scripts, there are a number of const values that contain machines that do not exist in our network, or machines that we are not interested in (e.g., non_ASCII_hosts in login.bro). Is there a way to specify that the const value is empty where it is declared? For example, if our network does not have a ftp_server running, can we assign a value to the line, const ftp_servers = { ??? }; that will allow Bro to run, and avoid parsing errors? I bring this up, because currently I am commenting some const values out, and any reference to them in the scripts that depend on them. My intuition tells me there must be another way. One more thing. I was unable to subscribe to this mailing list via bro-subscribe(a)lbl.gov. lbl.gov responds with a "use unknown" reply. If anyone knows why this is, I would appreciate the information. Thanks, -- Joey McAlerney Silicon Defense

21 years, 9 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek October 1999