Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
Hi all,
We've been having some fun with Bro under Solaris 8. After making slow
progress attempting to iron out problems we've hit something a little more
difficult to track down.
After eliminating /usr/ccs/bin from the environment and setting $CFLAGS to
'-lssl -lsocket', configure ran OK, but then make failed as termcap.h
wasn't found.
Got termcap 1.3 from sunfreeware - made that and tried making bro again -
got past that error and make now complains about missing libstdc++.so.6.
Added /usr/avt/gcc-3.4.2/lib to LD_LIBRARY_PATH and that got over that
hurdle, but have hit this:
make[4]: Entering directory
`/[filepath]/dev/[project]/src/Packages/bro-1.1c/src'
../src/binpac/binpac ./dce_rpc.pac
make[4]: *** [dce_rpc_pac.cc] Segmentation Fault (core dumped)
Any comments / suggestions on what could be causing this? or is more
information needed?
Many thanks,
Pete Sandford
First off, I hope everyone had (is having) a happy holiday season.
I've finally got the daily Bro reporting mechanism working and
sending out emails as I expected. However, after letting it run for a
few days, I'm starting to notice something that's a little unusual.
The Bytes In/Bytes Out pair as well as the Local Host/Remote Host
pairs seem to be opposite.
For example, it will say something like:
                                                  Local     Remote    Conn.
Local Host              Remote Host             Bytes     Bytes     Count
----------------------- ----------------------- --------- --------- -------
some.externalhost.com   my.internalhost.com     1562 K    142902    2136
This is the exact opposite of the actual traffic pattern. Is
there a way that I can tell Bro that my /28 subnet is "local" and
everything else is "remote"? I don't seem to see anything like that
in the configuration files.
Thanks so much!
-Eric
Eric Wages
COLSA Corporation
Operations Manager, HMT ROC
256-721-0372, ext 110
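One way to declare the /28 as local, as an added example that is not code from the post or from the Bro distribution. It assumes Bro 1.x policy scripts, where site.bro declares `local_nets` as a redefinable `set[subnet]` and `is_local_addr()` consults it; the 192.0.2.16/28 and 198.51.100.7 values are placeholders standing in for the real /28 and an outside host. Whether the daily reporting script honours `local_nets` for its Local/Remote columns is not something the post establishes, so the `bro_init` check only confirms the classification itself.

```bro
# Added example, not from the post.  Assumes Bro 1.x site.bro:
#   const local_nets: set[subnet] &redef;
# and the is_local_addr() helper that consults it.
@load site

redef local_nets += {
    192.0.2.16/28,      # placeholder: the /28 that should count as "local"
};

# Sanity check at startup so a mis-typed prefix shows up before a day of
# reports has been generated with the columns still reversed.
event bro_init()
    {
    local inside = 192.0.2.20;     # placeholder host inside the /28
    local outside = 198.51.100.7;  # placeholder host anywhere else
    if ( ! is_local_addr(inside) || is_local_addr(outside) )
        print "local_nets does not classify hosts as intended";
    }
```

If the report still comes out reversed after this, the reporting script is deciding direction on its own (for instance from which side originated the connection) rather than from `local_nets`, and that script is the next place to look.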
Gentle people,
I have enabled dpd in brolite.bro with
const use_dpd = T;
At the same time I also commented out this line because I want to look into
port 80 traffic.
# redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
I get a lot of this
.....
t=1166923564.867909 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=1.2.3.5 sp=46616/tcp da=1.2.3.4 dp=80/tcp msg=1.2.3.5/46616\ >\ 1.2.3.4/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ request\ line tag=@5618
.....
In the wiki, it says that Bro can disable an analyzer on the fly if it
finds that it cannot parse a connection's payload---which most probably
means the protocol detection went wrong. I'm curious about the protocol
violation part. From what I have studied, if I enable dpd, it should examine
the traffic via dpd.sig before determining which protocol is used. Since I
have pcap logging, I tried to examine the traffic manually with tcpdump and it
seems to be a normal http session from 1.2.3.5 to 1.2.3.4. Thus I'm wondering
why this happens, as if the http analyzer is disabled then the ids can be
evaded.
Another strange behaviour is the
redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
I have a few ports running http traffic, so I need to avoid the reporting of http
traffic running on ports other than 80. For example I have two ports, such as
ports 7777 and 7778, running some http kind of daemon, so to do it I just add
this in the dpd section of brolite.bro
redef restrict_filters += [ ["cpanel2"] = "not (port 7777)" ];
redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
So it works as expected, but when I add another port, for example port 7785,
below the above two lines,
redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];
suddenly it doesn't work and reports http traffic running on those ports. So
I'm curious if anyone has had this same issue. I have tried to define
multiple ports with not(port 7777 and port 7778) for example, but it doesn't
work. I read the wiki and it says that restrict_filters introduces "and", so
that's why I have to specify multiple restrict_filters instead.
Another interesting issue that happens to me is that I have tried to enable
the full trace in bro.cfg,
BRO_CREATE_TRACE_FILE=YES
It logs the pcap correctly, so I try to disable it with
BRO_CREATE_TRACE_FILE=NO
Then I restart bro-ids with bro.rc checkpoint; however, it is still logging,
thus I have to comment out the line
# BRO_CREATE_TRACE_FILE=NO
Restarting bro-ids again, this time the full pcap logging no longer
works. That's all. I know this will soon be replaced by time machine for
full content logging, but I would just like to know if this is my problem or
whether anyone else has this.
Thanks and cheers.
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
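The restrict_filters entries from the post, rewritten as an added example that is not code from the post or from brolite.bro itself. It assumes Bro 1.x, where `restrict_filters` is a `table[string] of string` whose values are ANDed into the pcap filter (as the post quotes from the wiki); the port numbers are the post's own. The point it shows is that a table key can only hold one value, so a `redef ... +=` with a key that is already present replaces the earlier entry instead of adding to it.

```bro
# Added example, not from the post or the Bro distribution.
# Assumes Bro 1.x: restrict_filters is a table[string] of string and every
# value is ANDed into the capture filter.

# Pattern from the post.  The second "cpanel3" entry replaces the first, so
# port 7778 drops out of the filter and its http traffic is reported again:
#   redef restrict_filters += [ ["cpanel3"] = "not (port 7778)" ];
#   redef restrict_filters += [ ["cpanel3"] = "not (port 7785)" ];

# Distinct keys keep all three entries; the resulting filter is
#   (... other filters ...) and not (port 7777) and not (port 7778) and not (port 7785)
redef restrict_filters += {
    ["cpanel2"] = "not (port 7777)",
    ["cpanel3"] = "not (port 7778)",
    ["cpanel4"] = "not (port 7785)",
};

# Equivalent single entry.  Inside one BPF expression the ports are joined
# with "or": "not (port 7777 and port 7778)" excludes only packets that carry
# both ports at once (one as source, one as destination), so it does not do
# what was intended.
# redef restrict_filters += {
#     ["cpanel"] = "not (port 7777 or port 7778 or port 7785)",
# };
```

A quick way to confirm what Bro ended up with is to compare the filter it reports at startup against what tcpdump accepts for the same expression, since a BPF string that tcpdump rejects will not be applied either.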
Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple of questions:
1. Has anyone had any experience with Bro and OSSEC together?
2. Is there any interest in the Bro community for some sort of interface into OSSEC?
3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC, are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory.
Thanks.
Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
My Blog: http://kwoon.blogspot.com
PGP Public Key (0x71D25CDA) @ http://cryptonomicon.mit.edu/
-----
Inveniemus viam aut faciemus --Hannibal
Question for you folks - clearly the logging functionality of Bro is
buffered, but will it also be flushed after a certain time has
expired as well?
I'm noticing that the alarm output file can have immediate writes,
but something like the ssh output file will have 0 bytes until I
manually checkpoint the server.
Your thoughts?
Thanks,
-Eric
Eric Wages
COLSA Corporation
Operations Manager, HMT ROC
256-721-0372, ext 110
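One way to get write-through behaviour on a specific log file, as an added example that is not code from the post or from the Bro distribution. It assumes Bro 1.x, where the analyzer scripts open their logs into a global `file` handle (the name `ssh_log` is an assumption; check the actual global in ssh.bro) and the built-in `set_buf(f: file, buffered: bool)` switches stdio buffering on that handle.

```bro
# Added example, not from the post.  Assumptions: Bro 1.x, the ssh analyzer
# keeps its log in a global named ssh_log (verify in ssh.bro), and the
# set_buf() built-in controls buffering per file handle.
@load ssh

event bro_init()
    {
    # Unbuffered: each record reaches the file as it is written, so the file
    # is no longer 0 bytes until the next checkpoint.  Cost is one write()
    # per record, so leave buffering on for high-volume logs such as conn.
    set_buf(ssh_log, F);
    }
```

This answers the symptom in the post (the alarm file appears to be written immediately, other logs only at checkpoint) by choosing per file which logs are worth the extra system calls, rather than turning buffering off globally.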
Christian,
Here's config.log (gzipped in the hope it won't get delayed).
/Sam
Sam Sexton
Infrastructure Group
Transactions Group (Sales & Trading)
Reuters Messaging: sam.sexton.reuters.com(a)reuters.net
(t) +44 24 7625 6562 | (m) +44 7990 563739 | (f) +44 24 7655 5203
Get the latest news at Reuters.com <http://www.reuters.com/>
This email was sent to you by Reuters, the global news and information company.
To find out more about Reuters visit www.about.reuters.com
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
Christian,
Apologies, in my last response (apparently still in limbo awaiting
moderator approval due to the size), I didn't include config.log or
respond to your question about versions of libstdc++. I'll upload
config.log in my next update, as that will probably go into limbo as
well, but we only have other copies of libstdc++ in other gcc
directories (different versions), which shouldn't come into the picture
at all.
Regards,
/Sam
Sam Sexton
Infrastructure Group
Transactions Group (Sales & Trading)
Reuters Messaging: sam.sexton.reuters.com(a)reuters.net
(t) +44 24 7625 6562 | (m) +44 7990 563739 | (f) +44 24 7655 5203