Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
Hello everybody.
I have some questions...
Is there a GUI or something like this in order to see the various alerts?
I saw there is perhaps "Brooery", but is it available?
A tool like this is very valuable if we plan to install the IDS for people
with a minimum of background with computers.
I recently 'sacrificed' an old laptop with an old distro and installed it with
access to the Internet (ssh input allowed) behind my gateway, with some very easy login/password; after that
I got a very nice IRC bot...
What I now want to do is to raise alerts if connections come from the
inside. Sounds like "nbad.bro" or something else like this may be helpful?
We talked in the past about Netflow, the good concept used by "Cisco"; how
do you see working with it?
At least two choices:
- Using Bro as a Netflow concentrator.
- Using a dedicated tool to capture the flows and then use "Bro" to inspect the data.
I work all day with the "flow-tools" package from "OSU" but there are several
others floating around, each one with a different format.
And what about the future things to come (the famous TODO)?
Thank you.
Best regards.
Here are the summarized results so far.
If you haven't replied yet, please do!
- Using Bro as the primary production network IDS for your site/group: 4 (LBL, NERSC, NCSA, 1 small business net)
- Using Bro as the secondary production network IDS for your site/group: 1
- Using Bro for off-line analysis for forensics, etc.: 1
- Using Bro for traffic characterization studies only: 2
- Just playing around with Bro: 1
- Currently just playing around with Bro, but hoping to use it in production soon: 2
Other replies:
- using Bro as part of a NIDS product
- using Bro for research purposes
Hi,
a few quick questions about the regular expressions used in rule content
conditions.
- Are they PCREs? I see a lot of "# Not supported: pcre" in
scripts/23b/example_bro_files/signatures.sig and wanted to make sure.
- When I want a pattern to match at the beginning of the payload, I
presume I have to say "payload /^", right?
- Can I match on fixed TCP stream content of a given length by giving
the whole string surrounded by ^ and $, i.e., this:
payload /^foo$/
Thanks!
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
Hi,
I have two policy files: one that builds up persistent state and one
that uses this previously generated persistent state. I want to ensure
that in repeated invocations of the first script, the persistent data
structure is cleared.
I could do this in bro_init(). Is persistent state all set up and ready
by the time bro_init event handlers are executed?
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org
> > What is the size of the reassembly buffer ? Does that grow ? till what
> > size does it grow ?
>
> That's a great question. I'm not aware of any cap on the total size of
> reassembly buffers.
Indeed, there isn't, other than exhausting memory. In a USENIX Security
paper last year with Sarang Dharmapurikar, we showed that in the absence
of an adversary attempting to exhaust this memory, the actual consumption
in operation is quite modest (10s to 100s of KBs). With an adversary, though,
it gets harder, and Bro at present is vulnerable to such an attack.
Vern
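As an added illustration of the growth Vern describes (example code written for this note, not Bro's own reassembler): a constructed Python model that holds out-of-order segments until the gap in front of them is filled, and an optional per-connection cap on pending bytes as one mitigation. The ISN, segment sizes and cap value below are assumptions chosen for the demo.

```python
"""Constructed model of TCP stream reassembly (not Bro's code).

Without a cap, every segment that arrives past a hole is kept until the hole
is filled; a peer that never fills it makes the buffer grow without bound.
With max_pending set, the connection's buffer is dropped and flagged instead.
"""


class Reassembler:
    """Delivers bytes in sequence order; parks segments that arrive past a gap."""

    def __init__(self, isn, max_pending=None):
        self.next_seq = isn            # next byte the consumer expects (assumed ISN)
        self.pending = {}              # seq -> payload for segments past a gap
        self.delivered = bytearray()   # in-order data handed to the analyzer
        self.max_pending = max_pending # per-connection cap on parked bytes, or None
        self.overflowed = False        # set once the cap was exceeded

    def pending_bytes(self):
        return sum(len(p) for p in self.pending.values())

    def add(self, seq, payload):
        """Consumes one segment; returns how many new in-order bytes it released."""
        if self.overflowed or seq + len(payload) <= self.next_seq:
            return 0                   # connection flagged, or pure retransmission
        if seq > self.next_seq:        # past a hole: park it
            self.pending[seq] = payload
            if self.max_pending is not None and self.pending_bytes() > self.max_pending:
                self.pending.clear()   # mitigation: free memory, flag connection
                self.overflowed = True
            return 0
        before = len(self.delivered)
        self.delivered += payload[self.next_seq - seq:]   # trim overlapping prefix
        self.next_seq = seq + len(payload)
        while True:                    # drain parked segments that are now contiguous
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            p = self.pending.pop(s)
            if s + len(p) > self.next_seq:
                self.delivered += p[self.next_seq - s:]
                self.next_seq = s + len(p)
        return len(self.delivered) - before


def simulate_hole(n_segments, seg_len, max_pending=None):
    """Sends n_segments after a hole that is never filled; returns (parked bytes, flagged)."""
    r = Reassembler(isn=1000, max_pending=max_pending)
    for i in range(n_segments):        # first seg_len bytes at the ISN never arrive
        r.add(1000 + seg_len * (i + 1), b"A" * seg_len)
    return r.pending_bytes(), r.overflowed
```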
Greetings.
I have a couple of questions about BRO's tcp stream reassembly. Please reply
if you have answers.
When does Bro allocate memory for doing reassembly (putting the different
blocks of data together)?
Does it append to this same buffer when subsequent stream data comes?
What is the size of the reassembly buffer? Does that grow? Till what size
does it grow?
Any information or pointers are appreciated.
Thanks a lot
Thomas
Hi All:
We'd like to get a better feel for who is using Bro and how. Please send
me an email stating which of the following best describes your use of
Bro:
- Using Bro as the primary production network IDS for your site/group
- Using Bro as the secondary production network IDS for your site/group
- Using Bro for off-line analysis for forensics, etc.
- Using Bro for traffic characterization studies only
- just playing around with Bro.
Thanks for your reply.
> Which packet filter do you mean?
I meant the libpcap. But:
> Scott Campbell mentioned it may be a problem with the resolver library,
> as others have had similar problems in the past.
this is clearly the problem, given the traceback that terminates inside
the resolver library:
> (gdb) run -i eth0 mt http ftp scan
> Starting program: /opt/bro-1.0/bin/bro -i eth0 mt http ftp scan
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000561ef5 in __ns_initparse ()
> (gdb) bt
> #0 0x0000000000561ef5 in __ns_initparse ()
> Cannot access memory at address 0xffd2a510
This may be a long shot, but in the past folks have worked around resolver
problems on Linux by linking to /usr/lib/libresolv.a directly. Worth
giving a try.
FWIW, we run without problems on Red Hat 2.4.21. But we're not running
64-bit native, which it looks like you are. (Our glibc is slightly older,
but I don't imagine that matters.)
Scott, do you recall any other fixes?
Vern
Hello, I have an x86_64 RHEL4u2 running a 2.6.14.2 kernel on which I
compiled bro-1.0 with the following options:
./configure --prefix=/opt/bro
And did a make install and make install-brolite to create a base
configuration. After that I attempt to run /opt/bro/etc/bro.rc -start
which results in the following:
[root@endace bro]# etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting /opt/bro/etc/bro.rc: line 229: 6635 Segmentation fault
"${BRO}" ${cmd_opts} 2>>"${info_log}" >>"${info_log}"
.........bro.rc: Failed to start Bro
.... FAILED
[root@endace bro]# etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting /opt/bro/etc/bro.rc: line 229: 6721 Segmentation fault
"${BRO}" ${cmd_opts} 2>>"${info_log}" >>"${info_log}"
.........bro.rc: Failed to start Bro
.... FAILED
In dmesg the following is shown:
bro[6635]: segfault at 00000000fffcf678 rip 0000000000561ef5 rsp
00000000fffcf650 error 4
bro[6721]: segfault at 00000000ffaafa58 rip 0000000000561ef5 rsp
00000000ffaafa30 error 4
In /var/log/messages the following is shown:
Jan 9 11:38:34 endace su(pam_unix)[6598]: session opened for user bro
by root(uid=0)
Jan 9 11:38:35 endace kernel: bro[6635]: segfault at 00000000fffcf678
rip 0000000000561ef5 rsp 00000000fffcf650 error 4
Jan 9 11:38:40 endace bro.rc: Bro has failed to start. Unknown error,
no messages recieved on STDERR or STDOUT
Jan 9 11:38:40 endace bro.rc: Bro process failed on first start
attempt. No further restart attempts will be made.
Jan 9 11:38:41 endace su(pam_unix)[6598]: session closed for user bro
Jan 9 11:41:16 endace su(pam_unix)[6684]: session opened for user bro
by root(uid=0)
Jan 9 11:41:16 endace kernel: bro[6721]: segfault at 00000000ffaafa58
rip 0000000000561ef5 rsp 00000000ffaafa30 error 4
Jan 9 11:41:21 endace bro.rc: Bro has failed to start. Unknown error,
no messages recieved on STDERR or STDOUT
Jan 9 11:41:21 endace bro.rc: Bro process failed on first start
attempt. No further restart attempts will be made.
Jan 9 11:41:22 endace su(pam_unix)[6684]: session closed for user bro
Notice, info, and alarm logfiles are created in bro's logs directory,
however, all of these files are empty. I also tried the bro-0.9a11
branch, and it behaved the exact same way. Am I missing something? Thanks!
--
| David Vasil <dmvasil(a)ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-A115 Phone: (865)241-5562