zeek July 2005

zeek@lists.zeek.org

21 participants
28 discussions

by Mike Muratet

Greetings I am integrating bro into a larger system so that I can use it to keep track of connections (which seems easier than trying to write a method from scratch with pcap). I thought it would be straightforward to grep for print or email or alarm statements to figure out where to put the hooks for an IPC message but so far it eludes me. Is there a principal module for outputting the notifications? Thanks Mike

13 years, 11 months

[Bro] re: Alternative from addresses in emails (diff output, and fixed)

by Mcclelland-Bane, Randy

See below for diff -u output. This is based on the development branch 0.9a9. The last message I sent had a bug where the "To:" address wasn't set so sometimes the messages arrived to "Undisclosed recipients." That is fixed now. These will be helpful for those of you who want a configurable FROM: address, or the ability to send a mix of encrypted/plaintext reports. The first patch converts the bro report/notice mailing scripts and config file to use sendmail instead of mail. This allows the configuration of BRO_EMAIL_FROM in bro.cfg, which specifies the From: address on outgoing messages. The second patch expands on the first patch slightly and adds in a failover mode in the mail_reports.sh script which will send plaintext if the gpg process fails. I put this in so that you could have some copies of the reports encrypted if you had the public key for the recipient, and leave others in plaintext if the key did not exist. There should be a more elegant way to check if public key exists and do the checking that way. Right now I'm just basing it off the process failing, but it should do key checking. * Be very careful with the second patch one as you could be sending plaintext when you don't wish it if you have errors with gpg keys, etc. * You can add in the second patch on top of the first one, but don't try it by itself. To apply either of these do: cd /path/to/bro-tar-unpacked/scripts patch < patchfile Cheers, Randy ## BEGIN FIRST PATCH --- bro.cfg.example 2004-12-03 09:37:44.000000000 -0800 +++ ../../BRO/bro.cfg.example 2005-07-26 14:47:56.000000000 -0700 @@ -106,6 +106,9 @@ # Email address for local reports to be mailed to BRO_EMAIL_LOCAL="bro@localhost" +# Email address to send from +BRO_EMAIL_FROM="bro@localhost" + # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) BRO_EMAIL_EXTERNAL="NO" --- bro_config.in 2005-02-09 00:22:02.000000000 -0800 +++ ../../BRO/bro_config.in 2005-07-26 14:47:56.000000000 -0700 @@ -334,6 +334,9 @@ # Email address for local reports to be mailed to BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}" +# Email address to send from +BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}" + # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}" export BRO_EMAIL_EXTERNAL --- mail_notice.sh 2004-12-17 15:03:47.000000000 -0800 +++ ../../BRO/mail_notice.sh 2005-07-27 16:59:55.000000000 -0700 @@ -2,5 +2,26 @@ # # This is a sample script to provide basic email notification for # notices marked NOTICE_EMAIL . +# Usage: mail_notice "subject" recipient (optional config path) -mail -s "Bro alarm: $1" $2 +notice="/tmp/bro.notice.$$" + +# Clean up after ourselves +trap "rm -f $notice; exit" 1 2 15 + +# where are we located +base=`dirname $0` + +#set up the environment +if [ $3 ] ; then + . $3 +else + . $base/../etc/bro.cfg +fi + +echo "From:<$BRO_EMAIL_FROM>" > $notice +echo "To:<$2>" >> $notice +echo "Subject: Bro alarm: $1" >> $notice + +cat $notice | sendmail -oi -f $BRO_EMAIL_FROM $2 +rm -f $notice --- mail_reports.sh 2004-12-09 15:26:19.000000000 -0800 +++ ../../BRO/mail_reports.sh 2005-07-27 18:40:41.000000000 -0700 @@ -6,8 +6,12 @@ # # Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg) +gpg_error="" +sent_message="" +tmp_file="/tmp/bro.report.$$" + # Clean up after ourselves -trap "rm /tmp/bro.report.$$; exit" 1 2 15 +trap "rm $tmp_file; exit" 1 2 15 # where are we located base=`dirname $0` @@ -23,25 +27,40 @@ report=`ls -1t $BRO_REPORT_DIR/local/$BRO_SITE_NAME*.rpt | head -1` report_interval=`grep Report $report | awk '{print $6,"-",$9}'` +# set up temporary report with subject line embedded +report_subject="Subject: $BRO_HOSTNAME Report: $report_interval" + # and email it # if encrypted make sure we have a good (gpg) bin and keys if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then if [ -x $BRO_GPG_BIN ] ; then - for recpt in $BRO_EMAIL_LOCAL ; do - cat $report | $BRO_GPG_BIN --yes -ea -r $recpt|mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt + for recpt in $BRO_EMAIL_LOCAL ; do + echo "From: <$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file + cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done + sent_message="1" + rm $tmp_file else - echo "Invalid gpg bin $BRO_GPG_BIN" > /tmp/bro.report.$$ + gpg_error="1" fi -else # not ENCRYPTED - cat $report > /tmp/bro.report.$$ fi # if there was an error or we are sending unencrypted ... -if [ -r /tmp/bro.report.$$ ] ; then +if [ -z $sent_message ] ; then for recpt in $BRO_EMAIL_LOCAL ; do - cat /tmp/bro.report.$$ | mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt + echo "From: <$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report >> $tmp_file + if [ $gpg_error ] ; then + echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file + fi + cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done - rm /tmp/bro.report.$$ + rm $tmp_file fi exit 0 + ## BEGIN SECOND PATCH --- mail_reports.sh 2005-07-27 18:40:41.000000000 -0700 +++ mail_reportsMIX.sh 2005-07-27 18:40:29.000000000 -0700 @@ -39,6 +39,13 @@ echo "To: <$recpt>" >> $tmp_file echo "$report_subject" >> $tmp_file cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file + # If the encryption fails, send it unencrypted + if [ $? -ne 0 ] ; then + echo "From:<$BRO_EMAIL_FROM>" > $tmp_file + echo "To: <$recpt>" >> $tmp_file + echo "$report_subject" >> $tmp_file + cat $report >> $tmp_file + fi cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt done sent_message="1"

15 years, 12 months

[Bro] Penguins think broccoli is OK

by Mike Muratet

Christian I just ran your latest broccoli snapshot from a Linux box connecting to the bro peer on the FreeBSD box and got it to handshake. Cool. It must have been the Linux all along. bro works right out of the box on FreeBSD. I'll keep an eye on the cache issue. Cheers Mike

15 years, 12 months

[Bro] fields in the conn.log

by Angelita de Cássia Corrêa

----- Original Message ----- From: "Angelita de Cássia Corrêa" <angelita(a)uol.com.br> To: "Jason Lee" <jrlee(a)lbl.gov> Cc: "Angelita" <angelita(a)uol.com.br> Sent: Wednesday, July 27, 2005 9:56 AM Subject: Re: [Bro] fields in the conn.log I can consider false positive when no bytes were transfered, do you agree? Like your example: 1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142 (we can see that it didn't connect and no bytes were transfered) ----- Original Message ----- From: "Jason Lee" <jrlee(a)lbl.gov> To: "Angelita de Cássia Corrêa" <angelita(a)uol.com.br>; <Bro(a)bro-ids.org> Sent: Friday, July 22, 2005 4:17 PM Subject: [Bro] fields in the conn.log -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Angelita, http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html Explains how the fields are structured, but its a little out of date. I'll fill in the missing parts and see that the manual gets updated. Given a line like this from the conn.log: 1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71 Unix Date/time: 1122055977.662564 Duration of the connection: 0.105927 Originator IP: 10.1.1.1 Responder IP: 10.2.2.2 Protocol: http Originator port: 55985 Responder port: 80 Transport Protocol: tcp Originator bytes sent: 735 Responder bytes sent: 12946 Flags: SF (Normal connection saw both SYN and FIN packets) Additional Flags: L (connection was initiated locally) Tag: %71 Now I can take my tag, and look in the http.log to find out more about that connection (i'm running the http analyzer): http.log looks like this (example): 1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2 1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145]) Having said all this, the alarm.log is very different, its a 'tagged' format that is fairly self descriptive. This is an example from the alarm.log file: t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp ) tag=@42 t: time no: notice na: notice action sa: source address sp: source port da: destination address dp: destination port msg: message (in this case a host has scanned 20 hosts) tag: identifier to match this to lines in notice.log and conn.log: Now you can take the tag and look in the conn.log to find the connection (with grep): 1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142 (we can see that it didn't connect and no bytes were transfered) Also there is a good section in the manual about alarms: http://www.bro-ids.org/Bro-user-manual/Analysis-of-Incidents-and-Alarms.htm… That should help explain the sort ids. Hope this helps. Cheers, jason Angelita de Cássia Corrêa wrote: > Hi Jason, > > I need to understand more the alert, the definition of each column. > > In your example, could you explain me what each column means? > > *Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 > 239 RSTO X %14* > Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 > 604 RSTO X %14 > Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 > 604 RSTO X %14 > Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 > 604 RSTO X %14 > *Date/time:* Sep 18 06:51:42 > *Duration of de connection:* 0.153497 > *Origin IP*: 131.243.2.87 > *Victim IP*: 131.243.2.13 > *Victim Protocol:* http > *???: 2077* > *Victim Port:* 80 > *Transport Protocol:* tcp > *???: 66* > *???: 239 *** (is this the alert SID0?)* > *???: RSTO* > *???: X* > *???: %14* > > > Does the bro use SID to identify the alert description? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC4UZi37vOcEqHLkARAhkpAJ9kMmtwe8hrvMQ9J81Sj4x/s4Su1QCfZdVK 4LR1TMRj8dxXFplZPlZq3Ps= =2q+C -----END PGP SIGNATURE----- _______________________________________________ Bro mailing list bro(a)bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

15 years, 12 months

[Bro] Alternative from addresses in emails

by Mcclelland-Bane, Randy

Attached are a few script changes to convert bro from using the 'mail' program to sendmail. These probably aren't for everyone, but some might find them useful. My problem was that I could not change the From: address when using 'mail.' I needed to change this because of testing on a machine with did not have a fqdn and was sending to an external email address, which blocked the invalid From: header which was created by 'mail.' Thanks, Randy

15 years, 12 months

[Bro] Notes on compiling bro for Linksys

by Jim Mellander

Here's a log of my cross-compiling effort of the latest public Bro distribution to run on a linksys wireless router using the openwrt.org distribution. The goal here was not to cross compile the whole bro environment, but to create a bro binary that will function as expected on the box. The scripts, etc. are copied over from a working installation. The log appears to be one interrupted path of forward progress, whereas in reality, there were numerous false starts, blind alleys, head-scratching, and dumb luck involved. Hopefully, this will be of use to others attempting porting, etc. to odd platforms. BTW the shell used is bash, if you're using another one, YMMV Still to be compiled are utilities (cf, etc.) ====================================================================== 1. Download latest bro 0.9a9 from broids.org 2. compile for host system (linux) and save compiled program 'bifcl' away 3. delete tree & recreate from tarball (all we wanted from step 2 was bifcl) 4. Download openwrt buildroot, see http://downloads.openwrt.org/docs/buildroot-documentation.html 5. Build in home directory - we are really just interested in the cross-compile toolkit. (note: you may need to be running GNU Make 3.80, older versions sometimes fail - OTOH, this version fails in different ways - I compiled & put v3.80 in /usr/local/bin, the original make on my distro is 3.79.1 - so if strange make problems occur, try modifying PATH so that other make is found first). Note that only the cross compile tools in openwrt/staging_dir_mipsel/bin really need to be built, as well as the uclibc stuff (all should be there if you got thru most of the compile) 6. Set PATH to have <basedir>/openwrt/staging_dir_mipsel/bin before other stuff, so cross compile will work. Go into that directory and run: for i in mipsel-linux-*; do ln -s $i `echo $i|sed s/mipsel-linux-//`; done to create gcc, etc. links (running the above probably isn't really necessary.) 7. go into bro directory 8. execute ./configure --build=mipsel-linux to perform cross-compile configure 9. Go into src directory, edit Makefile, comment out stuff unpacking & building libedit, edit ../config.h, uncomment line: #undef HAVE_READLINE 10. copy back in previously compiled bifcl 11. Now we a going to need libpcap - so create a new directory & download libpcap-0.8.3.tar.gz to it. unpack & go into libpcap-0.8.3 11a. Remember that PATH still needs to have the cross compile tools before compiling,etc. 12. execute: ac_cv_linux_vers=2 ./configure --host=mipsel-linux --with-pcap=linux to perform cross-compile configure 13. run make, should complete, and produce a libpcap.a 14. copy libpcap.a and *.h to bro src directory 15. go back into bro src directory, edit Makefile, modify INCLS and LIBS as follows: Original: INCLS = -I${top_srcdir}/linux-include -I${top_srcdir}/aux/libpcap-0.7.2 LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/aux/libpcap-0.7.2 -lpcap -lresolv -ltermcap -lm New: INCLS = -I${top_srcdir}/linux-include -I${top_srcdir}/src LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm 16. Now remember, you've copied in the precompiled bifcl 17. Edit SerialObj.h add line #define SIZEOF_LONG_LONG 8 before message squawking about it. 18. more modifications to Makefile: CFLAGS = -g -O2 -DRETSIGTYPE=void -DRETSIGVAL="" CXXFLAGS = -g -O2 -DRETSIGTYPE=void -DRETSIGVAL="" -static 19. In util.cc need gettimeofday() - modified code to just use /dev/urandom Orig: // Gather up some entropy. gettimeofday((struct timeval *)(buf + pos), 0); pos += sizeof(struct timeval) / sizeof(uint32); #if defined(O_NONBLOCK) int fd = open("/dev/random", O_RDONLY | O_NONBLOCK); #elif defined(O_NDELAY) int fd = open("/dev/random", O_RDONLY | O_NDELAY); #else int fd = open("/dev/random", O_RDONLY); #endif New: // Gather up some entropy. int fd = open("/dev/urandom", O_RDONLY); 19a. Change util.cc to always include sys/time.h - previous change not necessary, but not problematic either. 20 Compile continues until final link, then get error message: ld: cannot find -ledit which indicates looking for libedit which we (supposedly) disabled - edit Makefile, change LIBS, per below: #LIBS = $(LIBEDIT_LIBS) $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm LIBS = $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -ltermcap -lm Next error, cannot find -ltermcap, solution: take out of LIBS above Next error, missing Bind functions: nb_dns.o(.text+0x3f0): In function `_nb_dns_mkquery': /tmp/bro-0.9a9/src/nb_dns.c:293: undefined reference to `__res_mkquery' nb_dns.o(.text+0x9b4): In function `nb_dns_activity': /tmp/bro-0.9a9/src/nb_dns.c:476: undefined reference to `__ns_initparse' nb_dns.o(.text+0xb9c):/tmp/bro-0.9a9/src/nb_dns.c:519: undefined reference to `_ns_flagdata' nb_dns.o(.text+0xc94):/tmp/bro-0.9a9/src/nb_dns.c:561: undefined reference to `__ns_parserr' 21. Since these are name server functions, download BIND 9.3.1 source from http://www.isc.org/index.pl?/sw/bind/ to separate directory. go into lib/bind, run: ./configure --host=mipsel-linux --enable-threads --with-randomdev=/dev/urandom run make until error, go into each subdir run make until error 22. Now lets see if we have enough compiled to resolve the undefined symbols: $ find . -name '*.o'|xargs egrep -i 'res_mkquery|ns_initparse|ns_flagdata|ns_parserr' /dev/null Binary file ./nameser/ns_parse.o matches $ nm ./nameser/ns_parse.o U __dn_expand U __dn_skipname U __errno_location U _gp_disp U memset 00000000 D _ns_flagdata 000001a8 T __ns_initparse 00000000 T __ns_msg_getflag 00000384 T __ns_parserr 00000044 T __ns_skiprr 00000174 t setsection cp /home/jmel/bind/bind-9.3.1/lib/bind/nameser/ns_parse.o /tmp/bro-0.9a9/src Add ns_parse.o to LIBS in Makefile Now tackling res_mkquery, source is in lib/bind/resolv, make fails: /home/jmel/bind/bind-9.3.1/lib/bind/port_after.h:384: error: conflicting types for 'getnetgrent_r' ./../include/netdb.h:528: error: previous declaration of 'getnetgrent_r' was here in ../include/netdb.h getnetgrent_r is defined here: #ifdef __GLIBC__ int getnetgrent_r __P((char **, char **, char **, char *, size_t)); #endif Disable definition by wrapping in #if 0 / #endif Compiled far enough to compile res_mkquery, so copy res_mkquery.o to bro/src directory, and add to LIBS I actually ended up going into the top level directory of the bind build tree, and running ar rs libbind.a `find . -name '*.o' -print` ranlib libbind.a then copy into the bro/src directory, and add -lbind to LIBS Compile still fails, with missing pthread stuff, so: Building dietlibc 20. pthread & friends can be gotten from another small C library: dietlibc, so download dietlibc-0.29 (search web for location) and compile in its own dir by: make -n ARCH=mipsel CROSS=mipsel-linux- all >x edit x and globallly remove -fno-pic Also, globally modify -Os to -O0 Then 'sh x' (These steps are necessary to ensure that the code is PIC, which is how Bro is compiled, and to turn off optimization, which is buggy) cd bin-mipsel ar rs libdiet.a *.o ranlib libdiet.a Then copy libdiet.a to bro/src directory, and add to LIBS in Makefile When make is run in bro/src directory, errors in linking are: Func.o(.text+0x8798): In function `bro_system(ValPList*)': /tmp/bro-0.9a9/src/bro.bif:1138: warning: warning: system() is a security risk. Use fork and execvp instead! ../src/libdiet.a(vfscanf.o)(.text+0x24): In function `vfscanf': vfscanf.c: warning: warning: the scanf functions add several kilobytes of bloat. ../src/libdiet.a(vprintf.o)(.text+0x68): In function `vprintf': vprintf.c: warning: warning: the printf functions add several kilobytes of bloat. ../src/libdiet.a(abort.o)(.text+0x8): In function `abort': abort.c: undefined reference to `__stdio_flushall' ../src/libdiet.a(fclose.o)(.text+0x34): In function `fclose_unlocked': fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fclose.o)(.text+0x38):fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fclose.o)(.text+0x84):fclose.c: undefined reference to `__stdio_root' ../src/libdiet.a(fgetc_unlocked.o)(.text+0x58): In function `fgetc_unlocked': fgetc_unlocked.c: undefined reference to `__fflush4' ../src/libdiet.a(fputc_unlocked.o)(.text+0x24): In function `fputc_unlocked': fputc_unlocked.c: undefined reference to `__fflush4' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x68): In function `free': pthread_sys_alloc.c: undefined reference to `__libc_free' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x148): In function `malloc': pthread_sys_alloc.c: undefined reference to `__libc_malloc' ../src/libdiet.a(pthread_sys_alloc.o)(.text+0x23c): In function `realloc': pthread_sys_alloc.c: undefined reference to `__libc_realloc' ../src/libdiet.a(pthread_sys_sigsuspend.o)(.text+0x28): In function `sigsuspend': pthread_sys_sigsuspend.c: undefined reference to `__libc_sigsuspend' ../src/libdiet.a(localtime_r.o)(.text+0x14): In function `localtime_r': localtime_r.c: undefined reference to `__maplocaltime' ../src/libdiet.a(localtime_r.o)(.text+0x2c):localtime_r.c: undefined reference to `__tzfile_map' So, lets just delete some functions from the library, go back in dietlibc directory, then into bin/mipsel, then delete the following files: vfscanf.o vprintf.o abort.o fclose.o fgetc_unlocked.o fputc_unlocked.o pthread_sys_alloc.o pthread_sys_sigsuspend.o localtime_r.o pthread_fgetc.o inet_ntoa_r.o getopt_data.o delete libdiet.a, then rebuild libdiet.a as indicated above, copy back into bro/src directory, run make BTW- Final LIBS in Makefile is: LIBS = $(LIBIDMEF_LIBS) -L${top_srcdir}/src -lpcap -lresolv -lm -lbind -ldiet Bro compiles!! $ ls -l bro -rwxrwxr-x 1 jmel jmel 10562750 Jul 26 14:23 bro $ strip bro $ ls -l bro -rwxrwxr-x 1 jmel jmel 2722728 Jul 26 14:23 bro -- Jim Mellander Incident Response Manager Computer Protection Program Lawrence Berkeley National Laboratory (510) 486-7204 Your fortune for today is: You may be recognized soon. Hide.

15 years, 12 months

[Bro] SSL for FreeBSD/bro

by Mike Muratet

Greetings In an effort to get a working bro+broccoli installation, I have installed FreeBSD v5.4 on a local server. I also installed bro and broccoli. I started bro with ./bro -i xl0 -f tcp broconn.bro. (I found xl0 with ifconfig and I'm guessing it's the same thing as eth0.) I tried to run the broconn program, but it has a dependancy on libssl.so that goes wanting. I'm not trying to do secure communication, it's been tough enough without it ;-) but I'm guessing it still wants the library. I don't see anything relevant on the FreeBSD distribution disks with 'ssl' in the name. Can you point me to a source? Thanks Mike

15 years, 12 months

[Bro] Protocol Detection/Decoding

by Adayadil Thomas

Greetings ! Does Bro do protocol detection and decoding ? .. HTTP/FTP/any other/ detection when web server/ftpserver/any server/ is running on a non standard port ? Thanks

15 years, 12 months

Re: [Bro] Question on bro anonymization

by Roger Winslow

Are you running on a fairly quiet link? If so it can take a long time for packets to start showing up in the logs as data is flushed to files when the handles fill, not when data arrives. Try this in your site policy @load file-flush # flush file writes at 10 second intervals This will flush data to files every ten seconds. Note that the timer used here is network_time(). This means that if no data arrives time does not increment and nothing gets flushed to files. This policy should only be used on links that are not very busy as the file flushing can get expensive the more data there is. Have you verified that Bro is actually running after you start it? Try -> "./bro.rc status" If it shows not running then take a look at syslog or the info file. Also make sure Bro is listening on the interface you expect. Check the info file for what interfaces Bro thinks it's listening on. ----- Original Message ----- From: Antonatos Spiros <antonat(a)ics.forth.gr> Date: Saturday, July 23, 2005 3:01 am Subject: [Bro] Question on bro anonymization > Hi, > I am trying to use the anonymization features of bro but it seems > that I can't enable it since no packets are written to output or > log files. > Is there any documentation about these features? Any example policy > scripts? > Thanks in advance, > Antonatos Spiros > > > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >

16 years

[Bro] False positive

by Angelita de Cássia Corrêa

Hi Jason, I need to understand more the alert, the definition of each column. In your example, could you explain me what each column means? Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14 Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14 Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14 Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14 Date/time: Sep 18 06:51:42 Duration of de connection: 0.153497 Origin IP: 131.243.2.87 Victim IP: 131.243.2.13 Victim Protocol: http ???: 2077 Victim Port: 80 Transport Protocol: tcp ???: 66 ???: 239 *** (is this the alert SID0?) ???: RSTO ???: X ???: %14 Does the bro use SID to identify the alert description? Thanks Angelita ----- Original Message ----- From: "Jason Lee" <jrlee(a)lbl.gov> To: "Angelita de Cássia Corrêa" <angelita(a)uol.com.br> Sent: Tuesday, July 19, 2005 1:41 PM Subject: Re: [Bro] False positive > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Angelita, > > The logs are already in a human readable format, and they should look > something like (from a conn.log (with altered ips)): > > 1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14 > 1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14 > 1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14 > 1000821102.299239 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14 > > hf just resolves the hostnames in the file: > % ./hf /tmp/foozer > 1000821101.824702 0.153497 foobar wakko http 2077 80 tcp 66 239 RSTO X %14 > 1000821101.979825 0.162454 foobar wakko http 2087 80 tcp 70 604 RSTO X %14 > 1000821102.143502 0.153911 foobar wakko http 2100 80 tcp 80 604 RSTO X %14 > 1000821102.299239 0.165501 foobar wakko http 2115 80 tcp 80 604 RSTO X %14 > > and cf just changes the unix timestamp to a more readable format: > % ./cf /tmp/foozer > Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14 > Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14 > Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14 > Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14 > > the manual explains all the various flags and the format of the log files. > > Cheers, > jason > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > iD8DBQFC3S0u37vOcEqHLkARApnMAJ9MRFQuWpAt1F0LIdZSdoT68wwXJgCcCXCO > xGzMSjIPdY6JsUw5doh04uI= > =w4bS > -----END PGP SIGNATURE----- >

16 years

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2005