Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
List,
I have a question about the SSL analyzer and the ssl.bro policy file. I'm trying to use this policy to track ssl certificates across a link. However, this policy seems to be broken.
Upon starting bro 1.0 with ssl.bro enabled I get
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
line 1: warning: ssl_ciphersuite_seen
after the first ssl connection or sometimes the second... bro segfaults with no core or debugging information. Also I have recompiled bro with debugging enabled and retried it with no luck as well.
Lastly, I have turned almost everything off in the policy file just to check if that's the issue as well.
Anyone been able to run the ssl analyzer successfully?
Thanks,
Jake Babbin
Hello, I'm using Bro 1.0 with some success at high rates of traffic. I
would like to configure some automatic handling of
signature/portscans/etc by parsing log output with SEC and syslog-ng. I
set 'redef syslog_alarms = T;' in my site policy after which Bro failed
to start giving this warning:
line 51 (syslog_alarms): error, "redef" used but not previously defined
I tried setting 'global enable_syslog = T &redef;' instead, but it didn't
seem to put any of the warnings from signatures in syslog.
What is the proper way of doing this? Thanks.
--
| David Vasil <dmvasil(a)ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-A115 Phone: (865)241-5562
Hi all,
Bro can extract flow information from a dumpfile (I use it with the mt
option).
I would like to split the entire dump into parts, one for each flow included in
the dump.
Is it possible with Bro alone?
TnX,
Manuel.
> I have been noticing that sometimes the daily report Byte Transfer Pair
> information in the Local bytes and Remote Bytes values can be off by a
> very large factor from the actual traffic size.
The problems are artifacts of Bro's use of sequence numbers to compute
connection sizes. The estimates can be too large because of connections
that have malformed sequence numbers (especially in RST packets); or too
small due to connections for which Bro misses the beginning or end (and
hence doesn't compute a size), which in fact is much more likely to happen
for big (and thus long-lived) connections than small ones.
We have a draft paper on incorporating random sampling into Bro's analysis.
This allows it to make more accurate estimates of traffic volume and also
the sizes of individual connections. One part of this is already available
in the Bro distribution using large-conns.bro. Another part (that does
overall traffic profiling) has not yet been integrated.
Vern
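As an added illustration of the artifact Vern describes (a constructed model, not Bro's own sizing code): one direction of a TCP connection is sized from sequence numbers, which stays correct when segments in the middle were not seen, but a closing RST carrying a garbage sequence number inflates the estimate, and a missed SYN yields no size at all. The flow sizes and the RST value below are constructed to resemble the report above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pkt:
    seq: int      # relative TCP sequence number, one direction only
    flags: str    # any of "S" (SYN), "F" (FIN), "R" (RST)
    payload: int  # data bytes carried in this segment


def size_from_seq(pkts: List[Pkt], trust_rst: bool = True) -> Optional[int]:
    """Estimate bytes sent as (last seq + payload) - ISN - 1 (SYN uses one seq number).
    Returns None when the SYN or the closing FIN/RST was not observed, mirroring an
    analyzer that cannot size a connection whose start or end it missed."""
    isn = next((p.seq for p in pkts if "S" in p.flags), None)
    saw_close = any("F" in p.flags or "R" in p.flags for p in pkts)
    if isn is None or not saw_close:
        return None
    # Data segments and FINs advance the stream; an RST's sequence number is not
    # validated against it, so a hardened estimate (trust_rst=False) ignores RSTs.
    ends = [p.seq + p.payload for p in pkts
            if p.payload or "F" in p.flags or (trust_rst and "R" in p.flags)]
    return max(ends) - isn - 1 if ends else 0


def payload_sum(pkts: List[Pkt]) -> int:
    """Naive alternative: count only the bytes actually seen on the wire."""
    return sum(p.payload for p in pkts)


def http_flow(total: int, mss: int = 1460) -> List[Pkt]:
    """Constructed one-direction flow: SYN (ISN 0), data segments, FIN."""
    pkts, seq = [Pkt(0, "S", 0)], 1
    while seq - 1 < total:
        n = min(mss, total - (seq - 1))
        pkts.append(Pkt(seq, "", n))
        seq += n
    pkts.append(Pkt(seq, "F", 0))
    return pkts


FLOW = http_flow(100_000)                                # ~100 K of HTTP
SAMPLED = FLOW[:2] + FLOW[40:]                           # middle segments not seen
BOGUS_RST = FLOW[:-1] + [Pkt(1_815_000_001, "R", 0)]     # closed by RST, garbage seq
NO_SYN = FLOW[1:]                                        # beginning of connection missed
```

Running `size_from_seq` over the four constructed flows gives 100000, 100000 (where `payload_sum` undercounts), 1815000000 (about 1815 M) and None respectively; with `trust_rst=False` the RST flow is sized at 100000 again.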
I have been noticing that sometimes the daily report Byte Transfer Pair
information in the Local bytes and Remote Bytes values can be off by a
very large factor from the actual traffic size.
Is this caused by the traffic estimation algorithm, and what factors could
contribute to that larger size? The transfers in question were some HTTP
traffic that didn't get to be above 100 K in size, and Bro reported it as
being 1815 M.
This is using the current Bro 1.x branch code.
Thanks for any input you folks can provide.
Randy
Hello All:
So I have been able to successfully compile and install bro on RHEL4.0 with dag support. Looks like bro is able to recognize DAG cards as well.
There were multiple issues which I ended up fixing, of course with help from this list. Thanks a lot.
Just for future reference:
1) compile libpcap-0.9.4 (latest version which has DAG support) to enable DAG options
./configure --disable-localpcap --libdir=/usr/local/lib --with-dag=/usr/local/dag --prefix=/usr/local CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
2) I removed "aux" from compilation list
3) Compile bro with the following:
./configure '--disable-localpcap' '--enable-selectloop' '--prefix=/usr/local/bro' '--libdir=/usr/local/lib' CFLAGS='-I/usr/local/include' LDFLAGS='-L/usr/local/lib'
Bro installed successfully and starts/stops just fine, but it's not capturing any data so far. I have defined dag0 and dag1 as capture interfaces in bro.cfg.
The info.bro file is a little unusual. It does not pick up any capture filter. Is this normal for dag* interfaces? Is there any default filter then? If not, how can I fix this capture filter issue?
I tried redefining the capture filter in the hostname.bro file in the site folder, but in vain.
Here is the info.bro log :
-------------------------------------------
listening on dag0
Bro Version: 1.0
Started with the following command line options: -W -i dag0 -i dag1 mybrobox.bro
listening on dag1
Reading .state/state.bst ...
Capture filter: <not available>
--------------------------------------------
Any thoughts?
Thanks a lot for all the help.
Aashish
On Wed, Feb 08, 2006 at 10:57:06AM -0800, Robin Sommer wrote:
>
> On Tue, Feb 07, 2006 at 23:06 -0600, you wrote:
>
> > Yes we would definitely like to try your prototypical code for DAG
> > support. Can you please share it with us.
>
> Great! I think I need to get approval from Endace to give out the
> code (the API is subject to non-disclosure) but that shouldn't be a
> problem. I'll then update the code to the current devel version and
> send you a patch. You won't need much of documentation as it
> essentially just acts like any other device. You still need to
> setup the DAG card with the Endace tools though as that's not
> yet part of the code (the API for these things is undocumented).
>
> > Also, is there any specific manner to define dag interfaces in
> > bro.cfg ? since dag interfaces don't behave like regular network
> > interfaces.
>
> Not sure if I understand what you mean. With the patch, you'll just
> use "dag0" as the capture device and Bro will figure out that it is
> a DAG card. When using the pcap wrapper, it should behave like any
> other pcap device, should it not?
>
> > Also, I tried removing "-I../../include-linux" very coarsely by commenting the code in configure file.
>
> Sorry, then this doesn't help. Was really just a guess as I remember
> having solved some similar problem once by getting rid of this -I.
> (For the pcap error, see my upcoming post to the list).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
> ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
Hi,
We are running Bro 0.9a8.
I am trying to track down an inconsistency with our alarm logs.
Our thresholds for reporting AddressScans from external hosts are defined
in scan.bro as follows:
const report_peer_scan = {
20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000,
} &redef;
This is not redefined elsewhere.
I see AddressScan alarms for a given host when they reach our
first defined threshold of 20.
I don't see entries for the next threshold of 100.
However, when we checkpoint Bro, we see ScanSummary log entries for higher
counts. (We checkpoint Bro every 3 hours.)
Also, we can see ScanSummary entries for hosts that did not have
AddressScan entries during this last log/checkpoint period.
My questions are:
1) Is there something else which might override the report_peer_scan
thresholds?
2) Should checkpointing Bro reset the ScanSummary count, or will we need
to force that?
2A) How do we force the ScanSummary count to reset?
Our ultimate goal is to be able to determine the number of addresses
scanned by a host at the end of our 3-hour checkpoint interval. That
count could be either the true number or else the last threshold reached.
Thanks for your help!
Joncarlo Ruggieri
University of CA, Davis
Data Center & Client Services
We are in the process of testing and setting up bro for 10GigE monitoring and are using endace cards (DAG 6.2S) on redhat enterprise 4.0.
Right now we see that bro mis-compiles on RHEL4. This appears to be an issue with the glibc-headers package.
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I/home/mhoneyfield/libpcap-0.9.4 -I../../linux-include -g -O2 -I/include -I/usr/include -c `test -f ef.c || echo './'`ef.c
In file included from /usr/include/netinet/ether.h:26,
from ef.l:13:
../../linux-include/netinet/if_ether.h:41: error: redefinition of `struct ether_addr'
../../linux-include/netinet/if_ether.h:48: error: redefinition of `struct ether_header'
In file included from ef.l:16:
../../linux-include/netinet/if_ether.h:41: error: redefinition of `struct ether_addr'
../../linux-include/netinet/if_ether.h:48: error: redefinition of `struct ether_header'
../../linux-include/netinet/if_ether.h:77: error: redefinition of `struct ether_arp'
make[4]: *** [ef.o] Error 1
make[4]: Leaving directory `/home/mhoneyfield/bro-1.0/aux/hf'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/mhoneyfield/bro-1.0/aux'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/mhoneyfield/bro-1.0/aux'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/mhoneyfield/bro-1.0'
make: *** [all] Error 2
Any thoughts on this? Also, I am wondering if anyone here is running bro with endace DAG 6.2 cards?
Thanks a lot
Aashish Sharma
Hello everybody.
I've some questions...
Is there a GUI or something like this in order to see the various alerts?
I saw there is perhaps "Brooery", but is it available?
A tool like this is very valuable if we plan to install the IDS for people
with a minimum of computer background.
I recently 'sacrificed' an old laptop with an old distro and installed it with
access to the Internet (ssh input allowed) behind my gateway, with some very easy login/password; after that
I got a very nice IRC bot...
What I now want to do is to raise alerts if connections come from the
inside. Sounds like "nbad.bro" or something else like this may be helpful?
We talked in the past about Netflow, the good concept used by "Cisco"; how
do you see working with it?
At least two choices:
- Using Bro as a Netflow concentrator.
- Using a dedicated tool to capture the flows and then use "Bro" to inspect data.
I work all day with the "flow-tools" package from "OSU", but there are several
others floating around, each one with a different format.
And what about the future things to come (the famous TODO)?
Thank you.
Best regards.