Hi Christoph,
are you saying that when this is run:
>> bro -r dumpfile brolite
dumpfile is a binary file? I thought bro took a tcpdump file, and
tcpdump outputs files in the format of:
src > dst: flags data-seqno ack window urgent options
my packets were captured using a DAG2 system. traces are in DAG
format, which is a fixed 64 bytes record format with 40 bytes of IP
header. I extracted from my binary to make it look like a tcpdump
file.
cheers,
Dana
On Mon, 28 Mar 2005 10:49:01 +0200, Christoph Göldi <goeldich(a)ee.ethz.ch> wrote:
> hi dana
>
> tcpdump is also a binary format.
> how did you catch your dump?
> i mean when you catch it with tcpdump you get exactly what you described:
> packet headers in binary.
>
> cheers
> christoph
>
> --On Monday, 28 March 2005 18:35 +1000 Dana Zhang <berry1.0(a)gmail.com>
> wrote:
>
> > hi Chris,
> >
> >> i'm not sure, but i think that tcpdump is the only format at the moment
> >> which can be read by bro.
> >> what format do you have? maybe there is a converter around...
> >>
> >
> > The current format of my data is just packet headers in binary. I
> > tried to convert to tcpdump format myself. can I confirm that tcpdump
> > format for tcp connections is:
> > src > dst: flags data-seqno ack window urgent options
> >
> > i'm only working with tcp packets.
> > a couple of examples of my packets are as follows
> > 10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
> > 10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
> > 10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
> > 10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320
> >
> > However, when I run this file with bro using
> >> bro -r dumpfile brolite
> > I receive the error problem with trace file dumpfile - bad dump file
> > format.
> >
> > Is there something I missed?
> > Cheers,
> > Dana
>
>
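The point Christoph makes above, that a tcpdump trace is a binary file rather than the one-line-per-packet text tcpdump prints, is easiest to see by building one. This is an added example, not code from the thread: it packs the SYN packet from Dana's sample (10.0.0.67.4945 > 10.0.0.66.80: S 2222637079 win 32696) into a minimal little-endian libpcap file and parses it back; the MAC addresses, TTL, IP id and timestamp are constructed placeholders.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_packet(src, sport, dst, dport, seq, ack, flags, win):
    """Ethernet/IPv4/TCP frame with no payload. MACs, TTL and IP id are constructed placeholders."""
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("000000000002" "000000000001" "0800")  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp

def write_pcap(packets, ts=1111908940):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header before each frame.
    Every field is a little-endian integer, which is why the file is not readable as text."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt)) + pkt  # sec, usec, caplen, wirelen
    return out

def read_pcap(data):
    """Walk the records and render each one in the tcpdump text style quoted in the thread."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        # a text dump like Dana's fails this check, much as bro reported "bad dump file format"
        raise ValueError("not a little-endian libpcap file")
    lines, off = [], 24
    while off < len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack("<IIII", data[off:off + 16])
        ip = data[off + 16 + 14:off + 16 + caplen]  # skip record header and Ethernet header
        off += 16 + caplen
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport, seq, _ack, _, flags, win = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
        fl = "".join(n for b, n in ((2, "S"), (8, "P"), (1, "F"), (4, "R")) if flags & b) or "."
        lines.append("%s.%d > %s.%d: %s %d win %d" % (src, sport, dst, dport, fl, seq, win))
    return lines

if __name__ == "__main__":
    syn = tcp_packet("10.0.0.67", 4945, "10.0.0.66", 80, 2222637079, 0, 0x02, 32696)
    print(read_pcap(write_pcap([syn])))
```

A converter from another capture format would emit one such record per packet; feeding the text form to read_pcap() fails at the magic check, which is the same class of failure bro reports for a non-pcap trace.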
hi dana
> Page 9 of the reference manual appears to be a list of figures and tables.
> I tried to run
> > bro -r example.trace brolite
> and it should work if I had a tcpdump file. Unfortunately my trace
> files are not in tcpdump format.
i'm not sure, but i think that tcpdump is the only format at the moment which
can be read by bro.
what format do you have? maybe there is a converter around...
> On page 18 of the Bro user manual, the following command was suggested
> for use with a tcpdump file.
> > bro -r dumpfile brohost
i meant page 17 of the pdf file which is page number 9 in the reference manual.
(see the number in the right upper corner)
by the way if you have installed bro with the commands "./configure", "make",
"make install" and "make install-brolite" or similar you can start it with the
command
> bro -r dumpfile brolite
you have to replace the word "brohost" in the command with the name of the
policy file you want to load.
read more of it in the user and quick start manuals...
cheers
christoph
> On Sat, 19 Mar 2005 14:11:36 +0100, Christoph Göldi <goeldich(a)ee.ethz.ch>
> wrote:
> > hi
> >
> > if you have tcpdump files, you can easily do this with the -r flag:
> >
> > > bro -r example.trace brolite
> >
> > see page 9 and the following in the reference manual.
> >
> > have fun
> > christoph
> >
> > --On Saturday, 19 March 2005 14:31 +1100 Dana Zhang <berry1.0(a)gmail.com>
> > wrote:
> >
> > > Hi, I'm new to bro and what I would like to do is run bro on 38 hours
> > > of packet traces that I've acquired from another website.
> > > Is there any simple way to do this?
> > > I'm a bit confused as how to do this because I don't want to monitor
> > > the traffic of my own website/network but analyse data that I
> > > extracted from another source.
> > > _______________________________________________
> > > Bro mailing list
> > > bro(a)bro-ids.org
> > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
>
> 1) currently NOTICE_PAGE and NOTICE_EMAIL are independent actions so we had to do minor modifications in notice.bro
> to be able to send an email as well when NOTICE_PAGE action takes place.
>
> I think would be a good idea to have an email sent while NOTICE_PAGE action takes place.
Yes, we agree. I've added this to the to-do list. Not sure how quickly
it'll be done, though (since the right way to do it is to allow the user
to specify either one, or the other, *or* both, and that sort of flexibility
doesn't fit with the current exclusive-action model).
> Not sure why we needed '!' in 'if (! mail_notification)' condition because mail_notification is returning false
> irrespective of live_traffic capture or a tcpdump replay.
Well, that was a bug, per the earlier discussion. In any case, it's gone
with the upcoming 0.9a9 release.
Vern
Hello,
About the first problem, could you give us the OS you use?
And then the second part, did you download the package from
http://www.bro-ids.org or ftp.ee.lbl.gov?
It's currently bro-0.9a8.tar.gz, the latest version I think; I just got it a
few minutes ago (in order to check) from the ftp site and all the process
went smoothly.
Best regards.
Dana Zhang <berry1.0(a)gmail.com>
To: bro(a)ICSI.Berkeley.EDU
cc: Jean-Philippe LUIGGI/DADM/SAGEM
Subject: [Bro] Installing Bro
Sent by: bro-admin(a)ICSI.Berkeley.EDU
22/03/2005 05:18
Please reply to: Dana Zhang
Delivered on: 22/03/2005 05:20
I've been having some trouble installing bro on my machine.
First I tried to install the Stable 0.8 Release. After ./configure, I
tried to make it. But in /bro-pub-0.8a88/libedit/history.c there was a
compilation error with variable VIS_WHITE. It appears this variable
appears only once; I haven't been able to locate the source of this
variable. Neither can the make file.
Then I tried to install the current 0.9 Development Release. The first
problem I encountered was when untarring the downloaded file from the
bro site, there was a checksum error. That's never a promising sign.
Then when configuring, my installation of libpcap is unable to be
found. I have already installed it in the
~/bro-0.9a8/aux/libpcap-0.7.2 directory.
> reading_live_traffic() is defined in bro.bif.bro, but the way it was
> being used there was
> a race condition where it was not always being set correctly.
Minor clarification: this isn't a race condition in terms of not being
deterministic. Rather, the problem is that Bro doesn't know whether it's
reading live traffic until it finishes initializing global variables
(in particular, the "interfaces" variable); so a call to reading_live_traffic()
for a variable's initialization returns F even if later Bro determines
it indeed is going to be reading live traffic.
Vern
> 1) I am unable to redefine variables sensitive_URIs
> (policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
> policy file.
These are declared inside module scope, so you need <module>::<variable>
to access them. For example:
redef HTTP::sensitive_URIs += /rootdown.pl/;
> 2B) local action = notice_action_filters[n$note](n)
>
> gives the following error in info.log file and bro stops :
Oops, a bug. Patch appended.
> in my site-policy file for getting email/page alert. If I understand it
> correctly, I have to first put rootdown.pl (etc) in Sensitive_URI list
> to get bro to generate an alert and then declare that particular alert
> using the above $pred config in my site policy file. Right ?
>
> Since this could lead to lot of $pred declarations, Is it possible to
> have a formation like following for similar category of alerts :
>
> /usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
> (/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
> boolean operands
One of the changes already in place for the next release is use of "||"
and "&&" for combining patterns, for exactly this sort of reason.
Vern
diff -Lpolicy/notice.bro -Lpolicy/notice.bro -u -r1.14 -r1.15
--- policy/notice.bro
+++ policy/notice.bro
@@ -181,13 +181,11 @@
}
}
-function email_notice(n: notice_info)
+function email_notice(n: notice_info, action: NoticeAction)
{
if ( ! reading_live_traffic() || mail_dest == "" )
return;
- local action = notice_action_filters[n$note](n);
-
# Choose destination address based on action type.
local destination = (action == NOTICE_EMAIL) ?
mail_dest : mail_page_dest;
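Review bot: the early return `if ( ! reading_live_traffic() || mail_dest == "" )` still tests only mail_dest, yet the destination chosen two lines later is mail_page_dest whenever action is not NOTICE_EMAIL, so a site that sets mail_page_dest but leaves mail_dest empty silently loses its pages; check the destination that matches the action, or test `destination == ""` after it has been selected. Replacing the inline `notice_action_filters[n$note](n)` lookup with the new `action` parameter removes the "no such index" run-time error reported earlier in the thread for notes with no filter entry, but the signature change means every caller of email_notice() must move to the two-argument form.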
@@ -311,7 +309,7 @@
if ( action != NOTICE_FILE )
{
if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )
- email_notice(n);
+ email_notice(n, action);
if ( use_tagging )
alarm info;
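Review bot: `email_notice(n, action)` is still called once with exactly one of NOTICE_EMAIL or NOTICE_PAGE, so the request earlier in the thread to also send an email when NOTICE_PAGE fires is not addressed by this change; supporting both would require this branch to invoke email_notice() for each configured destination rather than keeping the exclusive-action model.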
Hello All :
Thanks for the clearing questions in the last email. I need some more
clarifications about email alert generations using bro. I thank you for
your time and help.
I am writing this email in the order alert generation needs to be
configured on bro (I think).
1) I am unable to redefine variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file. Right now I am adding all my sensitive_URI's and ftp hot
files into the corresponding policy files.
export {
const sensitive_URIs =
[ policy/http-request.bro; lines 9+ ]
export {
# Indexed by source & destination addresses and the id.
const skip_hot: set[addr, addr, string] &redef;
const hot_files =
[from policy/ftp.bro; lines 12+ ]
So, how do I redef these variables (which are 'export { const ' declared
in the policy files) in my site/policy.bro file?
2) In order to send emails from bro I had to comment out the following
from notice.bro file :
# if ( ! mail_notification ) ----------------------- (2A)
# return;
# local action = notice_action_filters[n$note](n); --------- (2B)
# Choose destination address based on action type.
# local destination = (action == NOTICE_EMAIL) ?
# mail_dest : mail_page_dest;
local destination = mail_dest ;
2A) I think 'if (! mail_notification)' condition is not holding true at
all. I see the following definition
../policy/notice.bro:global mail_notification = reading_live_traffic()
&redef;
and
../policy/bro.bif.bro:global reading_live_traffic: function(): bool;
I don't see the reading_live_traffic function defined anywhere. Do I need to
redef the reading_live_traffic() function?
If yes, should it be in the site policy file ? Would its value affect
other policy files ? (its used in conn.bro, load-level.bro and
stats.bro)
2B) local action = notice_action_filters[n$note](n)
gives the following error in info.log file and bro stops :
1111094454.266502 /usr/local/bro/policy/notice.bro, line 193
(notice_action_filters[n$note]): run-time error, no such index
1111094454.266502 /usr/local/bro/policy/notice.bro, line 196 (action):
run-time error, value used but not set
Commenting the action variable makes email work fine but I am not sure
how other things would be affected due to this.
3) Finally, by declaring sensitive_URI's in (1) and commenting out (2), I am
getting email notifications working on bro. As suggested
I am declaring, for example :
[$pred(n: notice_info) =
{
return n?$URL && n$URL == /^.*rootdown.pl.*$/ ;
},
$result = NOTICE_EMAIL,
$priority = 4],
in my site-policy file for getting email/page alert. If I understand it
correctly, I have to first put rootdown.pl (etc) in Sensitive_URI list
to get bro to generate an alert and then declare that particular alert
using the above $pred config in my site policy file. Right ?
Since this could lead to lot of $pred declarations, Is it possible to
have a formation like following for similar category of alerts :
/usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
(/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
boolean operands
which is, obviously, erroneous right now.
4) I checked again and mail_notice.sh file comes as part of bro tarball
and is available in bro-09a8/scripts folder. However, after running make
install-brolite it does not get copied over to /usr/local/bro/scripts. I
thought should let you know this.
I appreciate all the help here.
Thanks a lot.
Aashish Sharma