zeek April 2005

zeek@lists.zeek.org

10 participants
13 discussions

[Bro] regular expressions in bro signatures (payload)

by Aashish Sharma

Hello All: I have been trying to port some bleeding-edge snort signatures to bro to detect bots on the network. I used s2b or snort2bro.pl script to convert these snort signatures to bro format but the script ignores pcre (perl competible regualar expression) directive and comments its out (refer the signature below) signature sid-2001787 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets # Not supported: pcre: /(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan [0-9]{1,3}\.[0-9]{1,3}|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i event "BLEEDING-EDGE TROJAN IRC Bot scan/exploit command" tcp-state established } How I can (or cannot) use regular expressions in payload directive in bro signatures ? Can you guys point me to a writeup or man page for this ? I see other (converted) signatures do have payload directive which uses regualar expressions but those are fairly straight forward RE searches. Is it possible to create constructs using "or" ( "|"), "{}", "[]", () etc in payload section of signatures ? In other words, how can I port the pcre payload check (above signature) as regualar expression for payload to bro ? Also, are RE in signatures case sensitive too ? Thanks a lot for the help. Aashish Sharma

15 years, 11 months

[Bro] Broccoli 0.7 released

by Christian Kreibich

Hi all, Broccoli 0.7 is now available in tar.gz and RPM formats from http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html The main novelty in this release is connection sharing between multiple processes. You can now create a connection to a remote Bro in one process and concurrently use that connection from other processes thanks to access synchronization in shared memory. The same holds for access from multiple threads. Not everything is documented in the manual yet, but all the gory details are in the ChangeLog: http://www.cl.cam.ac.uk/~cpk25/broccoli/ChangeLog Bug reports, patches, etc are all welcome. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

15 years, 11 months

[Bro] Zachary P Reimer/IS/UNL/UNEBR is out of the office.

by Zachary P Reimer

I will be out of the office starting 04/24/2005 and will not return until 04/29/2005. I will be checking messages occasionally through the week.

15 years, 11 months

[Bro] Running Bro NOT as root under Linux

by Christoph Goeldi

Hi Does anyone have a clou how to run Bro as a user different than root under Linux? Libpcap has had some buffer-overflow in the past, so it would be very nice if we hadn't to run Bro as root. Thanx for any help Christoph

15 years, 11 months

Re: [Bro] time format

by bchen＠cs.ucf.edu

Vern, thank you for your quick response. Bing Quoting Vern Paxson <vern(a)icir.org>: >> Does anybody know how to print time to readable format something like: >> 04/22/2005 12:00:00 with Bro language ? I couldn't find such format in the >> existing bro scripts. thanks. > > There's a "strftime(fmt: string, d: time): string" function you can call. > > Vern >

15 years, 12 months

Re: [Bro] time format

by Vern Paxson

> Does anybody know how to print time to readable format something like: > 04/22/2005 12:00:00 with Bro language ? I couldn't find such format in the > existing bro scripts. thanks. There's a "strftime(fmt: string, d: time): string" function you can call. Vern

15 years, 12 months

[Bro] time format

by bchen＠cs.ucf.edu

Hi, Does anybody know how to print time to readable format something like: 04/22/2005 12:00:00 with Bro language ? I couldn't find such format in the existing bro scripts. thanks. Bing

15 years, 12 months

[Bro] question about tcpdump logging

by Scott Kelly

The Bro documentation mentions a capability for logging packets in tcpdump format: http://bro-ids.org/Bro-reference-manual/tcpdump-save-file-that-Bro-write s.html But I can't find any further references or figure out how this is done. I looked back through the archives a bit, but don't have time to thoroughly scour them for any reference. Can anyone help? Thanks, Scott

16 years

[Bro] Re: how to add new event to Bro

by bchen＠cs.ucf.edu

Hi Christian, Thank you for your suggestion. I will try this way and put my results on this mailing list. Bing > > it all depends on what kinds of events trigger updates to your > statistical parameters, and whether those elementary events already > exist or not. Generally a good way to find existing events is by looking > at src/event.bif, which lists all events the core can trigger. If you > find suitable building blocks in there, you can start with a new policy > script that maintains state through the event handlers for event types > you're interested in. If you cannot find anything suitable (which, at > least for network-based events, is rather unlikely), you might have to > extend the core to support new events to be handled by your policy > scripts. > > In your case, the event types connection_attempt() and > connection_rejected() sound ideal. In their respective handlers, you can > maintain connection state in a number of tables to achieve what you > want. When you notice that the rate limits you defined are exceeded, you > can trigger an event "manually" using the event() statement, or just > perform the corresponding action directly in the state-maintaining code. > > Have a look at scan.bro for an example of something that is similar what > you want; also check out this thread in the archives: > > http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html > > Hope this helps. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > > > > --__--__-- > > _______________________________________________ > Bro mailing list > Bro(a)ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > End of Bro Digest >

16 years

[Bro] how to add new event to Bro

by bchen＠cs.ucf.edu

Hi all, I am new in Bro. I want to add new events to Bro. These events would occur when some statistical parameters cross multiple sessions to an internal host/network exceed their thresholds. An example event would be that the number of connections made from external hosts to an monitored internal host exceeds 100 in last two seconds. Another example event would be that the number of Rejected connection requests to my internal network exceeds 200 in last two minutes. Any one knows how to create such events? Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3. Success message was displayed on the screen. But when I check the status, it is not running. After I tried to run Bro again, the following error message appears: ============================================================================= [root@localhost etc]# ./bro.rc --start bro.rc: Running as non-root user root bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ bro.rc: Failed to start Bro Error in signature (signatures:1803): unknown identifier (dataSizeG100) Error in signature (signatures:1815): unknown identifier (dataSizeG100) Error in signature (signatures:1838): unknown identifier (dataSizeG100) Error in signature (signatures:1850): unknown identifier (dataSizeG100) ................... .... FAILED ============================================================================= I then comment out the following statements in my locat site, Bro works properly. redef signature_files += "sig-addendum"; redef signature_files += "signatures"; Does anyone know what's this problem? thanks for your time Bing

16 years

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2005