> I think that there should be some way to localize information about
> hostnames of machines involved in the policies. It is rather difficult
> to navigate through lots of policy files.
Yes, I strongly agree. There will be features in the 0.7 release for doing
just this.
> Question: How can I know that bro works properly? As far as I remember, I
> didn't install additional required libs, but it works.
Many systems come with the required library (libpcap) already installed.
> After checking
> policy-files, it told that it's listening on interface ed0. Can I be sure
> that it is true?
You can believe the interface it claims to be listening on; that code
is copied straight from tcpdump.
To test it, create a connection that should be observed from the interface,
terminate it, and see if Bro records it in the red.* output file.
Vern
Hello, all!
I think that there should be some way to localize information about
hostnames of machines involved in the policies. It is rather difficult
to navigate through lots of policy files.
Question: How can I know that bro works properly? As far as I remember, I
didn't install additional required libs, but it works. After checking
policy-files, it told that it's listening on interface ed0. Can I be sure
that it is true?
Vlad Kushka
> We have installed BRO package on our Solaris system. We have a
> "bro-usenix98-revised2.ps" file. Please let us know if there is any more
> documentation for the BRO package.
All the available documentation is included with the distribution.
Vern
Sir,
We have installed BRO package on our Solaris system. We have a
"bro-usenix98-revised2.ps" file. Please let us know if there is any more
documentation for the BRO package.
Thank You.
Regards,
ISS
> I wonder if there is a repository of attack signatures (e.g., for various
> NetBIOS/SMB-based attacks) that can be added to Bro.
> If not, maybe we should start one?
Bro isn't quite attack-signature based but rather event-pattern based,
but modulo that nit, the only such repository right now is embodied
in the sample policy scripts distributed with the alpha release. It
would be terrific if the community starts working on sets of Bro attack
patterns - that's long been my hope, though I've realized it won't
really start until there's a user manual (which I'm working on but is
very slow in coming).
Vern
> Is there a way to
> specify that the const value is empty where it is declared?
Yes, but in that case you have to specify a type for the variable,
too, since Bro can't infer it. So, for example:
const ftp_servers: set[addr];
With the 0.7 release, there will be significantly smoother support
for defining things like the above and overriding them. For example,
you'll be able to do:
const ftp_servers: set[addr] &redef; # &redef = it's okay to redefine
...
const ftp_servers += { webfarm.myorg.org, webfarm2.myorg.org };
...
const ftp_servers += { departmental.ftp.myorg.org };
...
# Don't consider webfarm.myorg.org an FTP server for our particular
# local policy.
const ftp_servers -= { webfarm.myorg.org };
and at the end of this ftp_servers is initialized to { webfarm2.myorg.org,
departmental.ftp.myorg.org }.
> One more thing. I was unable to subscribe to this mailing list via
> bro-subscribe(a)lbl.gov. lbl.gov responds with a "use unknown" reply. If
> anyone knows why this is, I would appreciate the information.
The mailing list is now run by majordomo. To get on it, send a message to
majordomo(a)listserv.lbl.gov with the *body* "subscribe bro". If you found
stale information somewhere that said to try bro-subscribe(a)lbl.gov, please
let me know.
Vern
Hello,
I am having some trouble tracking down the source of this error. It
occurs when I run Bro 0.6 like so:
bro-pub-0.6% bro -f "myFilter" -i lo mt
bro: pcap_compile: parse error
bro-pub-0.6%
The parse error is coming from libpcap's grammar.c, but the reason for
the parse error is unknown. The contents of "myFilter" are the standard
filter that was described in the README of Bro 0.6. I have tried many
other simple filters, but none seem to work. Bro will run without the
-f option, but of course, it won't pick anything up. Can anyone explain
what is going on, or suggest a place I could try looking? Thank you
very much for any help.
--
Joey McAlerney
Silicon Defense
http://www.silicondefense.com
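Since the error above is raised by libpcap's own filter compiler (pcap_compile), a quick way to separate "the filter is bad" from "Bro is mishandling it" is to compile the same filter expression with tcpdump -d, which dumps the BPF program and stops without capturing. This is an added example and not code from the thread or from the Bro distribution; it assumes tcpdump is installed. The empty capture file is constructed inline so that no interface (and no root privilege) is needed.

```shell
#!/bin/sh
# Added example (not from the thread): compile a libpcap filter expression
# with tcpdump's own compiler before handing it to Bro with -f.
# Assumes tcpdump is installed; the capture file is constructed here so
# that no interface (and no root privilege) is needed.

# Write a 24-byte pcap global header (little-endian, version 2.4, snaplen
# 65535, link type 1 = Ethernet) with no packets. tcpdump only needs the
# link type from this file in order to compile a filter.
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# check_filter 'EXPRESSION': ask libpcap (via tcpdump -d) to compile the
# expression exactly as pcap_compile would. Returns 0 if the filter is
# accepted, 1 on a parse error (libpcap's message goes to stderr), and
# 2 if tcpdump is not available.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    pcap=$(mktemp) || return 2
    make_empty_pcap "$pcap"
    if tcpdump -d -r "$pcap" "$1" >/dev/null 2>"$pcap.err"; then
        rc=0
    else
        rc=1
        cat "$pcap.err" >&2   # e.g. "tcpdump: syntax error"
    fi
    rm -f "$pcap" "$pcap.err"
    return $rc
}

# Example usage (constructed expressions, not the README filter):
# check_filter 'tcp port 21 or tcp port 23' && echo "filter OK"
# check_filter 'tcp port' || echo "filter rejected"
```

If tcpdump accepts the expression but Bro still reports the parse error, the problem is in what Bro actually passed to pcap_compile (quoting, or the text of the argument) rather than in the filter syntax itself.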
Hello,
I am working with Bro 0.6 at the moment, and have run into an issue. In
the policy scripts, there are a number of const values that contain
machines that do not exist in our network, or machines that we are not
interested in (e.g., non_ASCII_hosts in login.bro). Is there a way to
specify that the const value is empty where it is declared? For
example, if our network does not have an FTP server running, can we
assign a value to the line,
const ftp_servers = { ??? };
that will allow Bro to run, and avoid parsing errors?
I bring this up, because currently I am commenting some const values
out, and any reference to them in the scripts that depend on them. My
intuition tells me there must be another way.
One more thing. I was unable to subscribe to this mailing list via
bro-subscribe(a)lbl.gov. lbl.gov responds with a "use unknown" reply. If
anyone knows why this is, I would appreciate the information.
Thanks,
--
Joey McAlerney
Silicon Defense