Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
In trying to turn off stderr spraying to the screen I found something that
doesn't seem to provide enough info - or maybe I'm having a senior moment?
I stumbled across this and couldn't figure out how to implement log_hook
in my policy file:
<http://www.bro-ids.org/Bro-reference-manual/log-Analysis-Script.html#log-An…>
Trying to find more info I notice it is referring to "bro_log_file" but
this is not a reference I can find in the html online docs or in the
online PDF.
Searching bro-ids.org with google finds one other mention:
<http://www.bro-ids.org/Bro-reference-manual/Uncategorized.html>
but does not help me understand the logging much better.
Is there a missing link to a "bro_log_file" reference on the site?
Grep'ing in the policy dir didn't find any examples of "log_hook" to copy.
TIA
--
http://moose.ca
I'm a newbie to Bro and have been reading up and playing the last several
days.
In trying to get an example from the user manual to work I'm not having
much luck.
It's probably something obvious but...
I modified the example on page 40-41 of the User Manual to suit our site.
Here is the policy file (example.bro):
#-----------------
@load bro.init
@load brolite
const web_servers = { moose.ca, };
const mail_servers = { mail.moose.ca, };
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
if ( service !in allow_services ) NOTICE ($note=SensitiveConnection, $conn=c,]); #### This is the problem line. ####
#-----------------
Running on the cmd line leads to:
root@tester<254>/usr/local/bro # bro -r ~chris/traces/smtp ./site/example.bro
./site/example.bro, line 12: error: unknown identifier service, at or near "service"
Did a grep through $BROHOME/policy/* but couldn't find anything obvious to
load to declare "service" correctly.
What little "tidbit" am I missing?
Is there a repository of really rudimentary policy files somewhere?
TIA
--
http://moose.ca
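The following is an added example, not code from the thread or from the Bro distribution, showing the shape the manual's check needs to take for "service" to be defined: "service" is a local variable bound from the connection record inside an event handler, not a global. It assumes Bro 1.x syntax, that the connection_established event and the c$id$resp_h / c$id$resp_p fields exist with the meanings used here, and that allow_services, allow_services_to and the SensitiveConnection notice type are declared by the scripts that brolite pulls in (all of these are assumptions, not verified against the page).

```bro
# Added example (not from the thread): the manual's test on "service" only
# makes sense inside an event handler, where "service" is a local bound
# from the connection record, so the top-level "if" never sees it.
@load bro.init
@load brolite

const web_servers = { moose.ca, };
const mail_servers = { mail.moose.ca, };

redef allow_services_to: set[addr, port] += {
	[mail_servers, smtp],
	[web_servers, http],
};

event connection_established(c: connection)
	{
	# Assumption: the responder port is what the manual's example calls "service".
	local service = c$id$resp_p;

	# Assumption: allow_services is the site-wide set[port] declared by the
	# scripts brolite loads; allow_services_to is the per-host set redef'd above.
	if ( service !in allow_services &&
	     [c$id$resp_h, service] !in allow_services_to )
		NOTICE([$note=SensitiveConnection, $conn=c,
		        $msg=fmt("connection to %s on %s is not an allowed service",
		                 c$id$resp_h, service)]);
	}
```

The point is the scoping: the "unknown identifier service" error comes from using a name the manual's surrounding handler or function defined as a local, so the fix is to put the test inside a handler and bind "service" there, not to @load anything extra.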
> thank you for the help but I added some events related
> to SNMP traffic but Bro does not consider them; these are the
> errors:
How did you add these? Using event.bif and a new event engine component
that parses SNMP?
Vern
Hi,
Thank you for the help, but I added some events related
to SNMP traffic and Bro does not consider them; these are the
errors:
line 1: warning: event handlers never invoked:
line 1: warning: Snmp_message
I think that Bro considers them unused.
Can anyone help me?
Thank you
___________________________________________________________________________
Make Yahoo! your home page on the web to reach your favourite services directly: check your new mail, run your searches and follow the news in real time.
Go to http://fr.yahoo.com/set
In the latest user manuals there is a mention of a start-capture-all
script that will turn a Bro installation into a bulk recorder.
I am running Bro-1.x and I cannot find that script in the install.
Should I be looking for the script under another name, or perhaps bulk recording
is no longer supported?
Thank you in advance for any help
Marc
Marc Weisbrod
Security Engineer
University of California at San Francisco
1855 Folsom Street, Room 602
San Francisco, CA 94103
415.476.1841
mweisbrod(a)its.ucsf.edu
Hi,
Can anyone please tell me whether Bro is analysing SNMP traffic,
and if it does not, can you please tell me how to add
new events in Bro?
Thanks in advance
I just got UCSF's first Bro installation going and I am getting an error
in site-report.pl. The error is
"$BRO_CONFIG_FILE" is not exported by the Bro::Config module
Can't continue after import errors at
/opt/bro-1.0/scripts/site-report.pl line 25
BEGIN failed--compilation aborted at /opt/bro-1.0/scripts/site-report.pl
line 25.
What is the BRO_CONFIG_FILE variable typically set to?
Thank you in advance for any assistance.
Marc
Marc Weisbrod
Security Engineer
University of California at San Francisco
1855 Folsom Street, Room 602
San Francisco, CA 94103
415.476.1841
mweisbrod(a)its.ucsf.edu
Hi,
We are currently running Bro on 2 Dell PowerEdge 2650s.
Each has 2 Syskonnect SK-9844 cards.
Each machine is listening to 2 taps (4 interfaces, which represent ingress
and egress traffic for each of the 2 taps).
The systems are running RedHat Enterprise Linux 4 AS.