Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
Hi,
Is there someone running Bro 1.2 successfully under Solaris 8?
I can compile it after some patching but it always core dumps (the
more traffic there is on the wire, the faster it core dumps).
The problem also occurs on Bro 1.1 but not on 0.9.
Best regards,
Stephan Toggweiler
Hello All,
Good news... I was tired of still using 1.0, so the last two days (I use an old but good
laptop) were dedicated to making Bro 1.2 work on OpenBSD.
I use OpenBSD 4.0-current and, magically:
# uname -a
OpenBSD armada.mynetwork.local 4.0 GENERIC#1227 i386
# ps waux | grep bro
root 25579 0.0 0.4 888 800 p3 I 11:49AM 0:00.07 sh
./bro.rc start
root 14757 0.1 5.8 1868 11164 p3 S 11:49AM 0:01.03
/opt/share/bro-1.2/bin/bro -W -i rl0 brolite.bro
I just had to "slightly" modify "configure.in" and add some #ifdefs in the
source tree.
The last surprise was with "bro.rc" and the "old" bug:
# sh ./bro.rc start
./bro.rc[478]: syntax error: (' unexpected
The problem was related to the name of the function in charge of stopping the
process. It's called stop() in the script and I suspect a problem with the
shell. I just had to rename it to brostop() to make it functional.
So it now works; the next few days will be spent checking whether the solution is stable.
Best regards.
That is something I did not know till I got the responses from you
guys. I re-ran brolite, and used the default user [root] for the user
to run under. Now bro has started up and is doing something that
resembles its job at this point. The startup was successful, and we
shall see what kind of stuff it collects sitting in the internal
office network for the next couple of hours.
Now with the next question.
Since the service runs as root, and the eth1 interface that it is
running on is going to be exposed to the outside world, what do I
need to do to my firewall config on this box to protect it from attack?
What are your suggestions? I can run some pretty simple firewall
rules to simply deny all on the interface, and allow only internal
requests, but will this hinder bro from being able to do its job?
David
On Nov 29, 2006, at 12:59 PM, Jason Lee wrote:
>
> I think on Linux you have to run bro as root otherwise it can't
> open the Ethernet device in promiscuous mode.
>
> Cheers,
> jason
>
>
>
> David Caldwell wrote:
>> Okay, I now have bro installed. Things appear to be in the right
>> place. I must have missed something in the docs to get this working,
>> and I am sure that it does not help that I am not exactly familiar
>> with Debian. Bear with me here as I stumble my way through a new OS
>> and Bro. I expect I am going to ask a lot of stupid questions, but I
>> am documenting everything so that it may be used later to update or
>> possibly improve the documentation or help someone else who is in the
>> same boat as I am.
>>
>> Here is what I get when I try to start Bro from the command line:
>>
>> jyd:/etc/rc3.d# /etc/init.d/bro.rc start
>> bro.rc: Running as non-root user bro
>> No directory, logging in with HOME=/
>> bro.rc: Starting ..........bro.rc: Failed to start Bro
>> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
>> socket: Operation not permitted
>> .. FAILED
>>
>> here are the outputs in the logs files in /usr/local/bro/logs:
>>
>> /usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
>> socket: Operation not permitted
>>
>> Am I missing a permission issue here or what? Do I need to make some
>> changes in a config file that I missed?
>>
>> TIA
>>
>> David Caldwell
>> Colsa-HMT
>>
>> _______________________________________________
>> Bro mailing list
>> bro(a)bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
Hi,
Bro compiles fine, installs fine, but this is what I get while trying to
run it on opensuse 10.1 i585:
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 34:
run-time error: error compiling pattern /(((((((((((((((((((((^?.*(etc.*
\/.*(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi
\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|
test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader
\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk
\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd
\.(tar|
tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*([tT][aA][gG][gG]
[eE][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyc
eum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))
|(^?.*(invader\.(tar|tgz).*))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 42:
run-time error: error compiling pattern /((^?.*(.*\/c\
+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 48:
run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|
test-cgi))/
/home/vish/work/net/bro/bro-soap/policy/http-request.bro, line 50:
run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
/home/vish/work/net/bro/bro-soap/policy/http-reply.bro, line 110:
run-time error: error compiling pattern /^?.*(^ )/
/home/vish/work/net/bro/bro-soap/policy/hot-ids.bro, line 15: run-time
error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
Is there any problem with BRO regular expressions? How can I fix it?
Thanks,
Dhanesh
Hi,
I tried running some SSL PCAP (packet capture) files (using tcpreplay on the primary interface) with bro running on the system. Some of the TCP connections in the PCAP do not have the connection-closing handshakes (FIN and ACK). When I try re-running the same PCAP in short intervals (running tcpreplay multiple times on the same PCAP), the packets coming in on the connection which didn't have FIN and ACK earlier are not getting logged. The other packets whose connections were neatly closed are getting logged fine.
I am working on ver 0.9 currently, but the same thing is happening on 1.1 release.
I assumed that conn->IsReuse() in Sessions.cc would return true for these kinds of packets. But that is not happening.
Can someone help me out?
Thanks in advance
Bindiya :)
Hi,
I am working with bro-0.9 signatures. Please let me know where exactly the
packets are being compared against all the available signatures.
Once a signature is matched I want to get the rule->ID( ) of that signature.
When I am using the below piece of code from RuleMatcher.cc
loop_over_list(accepted, i)
	{
	Rule* r = Rule::rule_table[accepted[i] - 1];
#ifdef MATCHER_PRINT_DEBUG
	fprintf(stderr, "%.06f Checking rule: %s\n",
		network_time, r->id);
#endif
	}
the rule->ids of previously matched signatures are being displayed.
Please help me in this regard.
Regards
Prakash.
Hi,
I am working on bro-0.9 on a Fedora machine. I want to generate logs using
signatures for the entire communication during a session.
Due to the following check in RuleMatcher.cc
// Skip if rule already fired for this connection.
if ( state->matched_rules.is_member(r->Index()) )
	continue;
I was getting only one log per signature; though it matches a second time, it's
not giving me a log.
I tried uncommenting the above two lines; though I am now getting logs whenever
it matches, I am also getting the logs
for other signatures which were earlier logged.
Say for example: I have Signature-1 and Signature-2.
The first time Signature-1 is matched I get a log for Signature-1.
The second time, when a packet is matched for Signature-2, I am getting a log
for Signature-1 and Signature-2 as well.
Please help me to resolve this issue.
Regards
Prakash.
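To see why commenting out that check brings back the earlier signatures, here is a small model of the per-connection matcher state (an added example, not Bro's own code). It assumes the matcher's accepted set accumulates over the life of a connection, which is what the behaviour described above suggests; Rule, ConnState, process_packet and the Mode values are hypothetical names.

```cpp
// Added example, not Bro's code: a model of the per-connection state around
// the "Skip if rule already fired" check in RuleMatcher.cc.
// Assumption: the accepted set accumulates over a connection, so a rule that
// hit on an earlier packet is still accepted on later packets.
#include <set>
#include <string>
#include <vector>

struct Rule { int index; std::string needle; };   // hypothetical stand-in

struct ConnState {
    std::set<int> accepted;        // every rule index matched so far
    std::set<int> matched_rules;   // rules already logged (Bro's check)
    std::set<int> reported_last;   // accepted set as of the previous packet
};

enum Mode { DEDUP, NO_CHECK, DELTA };

// Feed one payload and return the rule indices that would be logged for it.
std::vector<int> process_packet(ConnState& st, const std::vector<Rule>& rules,
                                const std::string& payload, Mode mode) {
    for (const Rule& r : rules)
        if (payload.find(r.needle) != std::string::npos)
            st.accepted.insert(r.index);     // accumulates, never cleared

    std::vector<int> out;
    for (int idx : st.accepted) {
        switch (mode) {
        case DEDUP:     // Bro's check: at most one log per rule and connection
            if (st.matched_rules.count(idx)) continue;
            st.matched_rules.insert(idx);
            break;
        case NO_CHECK:  // check commented out: every accumulated rule logs again
            break;
        case DELTA:     // log only rules newly accepted since the previous packet
            if (st.reported_last.count(idx)) continue;
            break;
        }
        out.push_back(idx);
    }
    st.reported_last = st.accepted;
    return out;
}
```

NO_CHECK reproduces the symptom above (Signature-1 is logged again when Signature-2 fires), while DELTA logs each rule once when it becomes accepted; in this model a rule matching a second time cannot be told apart from one that is still accepted, so per-match logging needs per-packet match information from the engine rather than removal of the check.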
Running FreeBSD, while being a good idea from all sides considering
that was what it was developed on, puts me in a position where I have
to relearn a whole operating system and be able to function halfway
responsibly right this minute. I don't have that option.....yet.
Bro actually won't be parsing data the way we are setting it up. I am
mirroring the ports between the switch outside the firewall (input to
the switch), and the interface of the bro machine. Now the bro
machine is going to be sitting completely outside the firewall, with
no internal connections at all. The admin interface (eth2) will also
be outside the firewall. I will have to ssh to it from wherever. If I
am thinking correctly it really does not matter what ip address I
assign to the bro listening interface because in promiscuous mode the
interface will not really have an ip address anyway.....it just
listens on this interface (please correct me if I am wrong). The
second interface I can set up a quick iptables ruleset to deny all
and allow only internal (to the box) requests.
So while I am not too terribly concerned about this box being used to
circumvent my security inside the firewall, I am concerned about the
box being taken over. Any of you have a suggestion as to how to keep
this from happening, or is my logic sound on my thinking here?
David
On Nov 29, 2006, at 1:29 PM, Robin Sommer wrote:
>
> On Wed, Nov 29, 2006 at 13:03 -0600, you wrote:
>
>> Is that safe?
>
> Um, frankly, no.
>
> Personally I don't think that running Bro as root in production mode
> is a good idea. But Linux does require root privs for packet
> capturing (which is why I wrote this kernel hack to allow non-root
> members of a certain group to do it as well). One thing on my to-do
> list is adding code to Bro which drops the root privs once the
> interface is opened. Haven't got around to doing that yet though,
> primarily because most of us here use FreeBSD which doesn't have
> this problem (and is *much* better in capture performance anyway).
>
>> thing is it? Now considering I am going to be running in pro mode I
>> suppose that it really won't have an ip assigned to that particular
>> interface so it really doesn't matter to much who the service runs
>> under, but still.....
>
> Yes, still... Just think about that Bro is parsing the data on the
> network link, e.g., data supplied by external entities...
>
>> I did run brolite to get things going yesterday, and it choked trying
>> to create the user bro. It told me that I had to do it by hand. I did
>> that, but neglected to assign the user a home directory.
>
> (I actually don't know much about the internals of the bro-lite
> framework).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin(a)icir.org
> LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
Okay, I now have bro installed. Things appear to be in the right
place. I must have missed something in the docs to get this working,
and I am sure that it does not help that I am not exactly familiar
with Debian. Bear with me here as I stumble my way through a new OS
and Bro. I expect I am going to ask a lot of stupid questions, but I
am documenting everything so that it may be used later to update or
possibly improve the documentation or help someone else who is in the
same boat as I am.
Here is what I get when I try to start Bro from the command line:
jyd:/etc/rc3.d# /etc/init.d/bro.rc start
bro.rc: Running as non-root user bro
No directory, logging in with HOME=/
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
socket: Operation not permitted
.. FAILED
here are the outputs in the logs files in /usr/local/bro/logs:
/usr/local/bro/bin/bro: problem with interface eth1 - pcap_open_live:
socket: Operation not permitted
Am I missing a permission issue here or what? Do I need to make some
changes in a config file that I missed?
TIA
David Caldwell
Colsa-HMT