Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
I am a new user here and I have a doubt.
I have a signature.sig in the site folder and my site/mydomain.bro looks as
below:
# Make any changes to policy starting HERE:
# To run signatures, uncomment the following line.
# @load brolite-sigs
@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif
Did my signature get loaded? It seems that "# @load brolite-sigs" is commented out.
How can I check which signatures are loaded and which are not?
Hello, all.
I have a question about Bro rules.
Does Bro have some rules for detecting attacks against Microsoft OS
vulnerabilities?
I attempted an attack against the MS03-026 vulnerability of Windows_XP_SP1
on VMware using DCOM attack code.
However, Bro does not detect this attack.
If you have a lot of information relating to this problem, could you
give me advice?
Thank you.
Hi everybody,
I just installed Bro. When I run it with "bro -i eth0 mt", many warning messages occur, like the following:
/usr/local/bro/policy/hot.bro,line 30:warning:no such host:ph33r.the.eleet.com
/usr/local/bro/policy/scan.bro,line 104:warning:no such host:scooter2.sv.av.com
/usr/local/bro/policy/scan.bro,line 133:warning:no such host:b.root-servers.net
At last, there is an error message: problem with eth0 - pcap_open_live:socker:Operation not permitted
What should I do?
Thanks very much!
cheers
Shine Qi
shine_qi(a)sina.com
2006-08-24
Today, I released the first version of broccoli ruby bindings I've
been working on. Most things work correctly, but I'd like to hear if
anyone finds things that don't seem to be working.
Limited API docs are here: http://rbroccoli.rubyforge.org/
Project page is here: http://rubyforge.org/projects/rbroccoli/
To install the bindings...
1. Install rubygems (http://rubygems.org)
2. Make sure that broccoli-config is in your path
3. Run this command: sudo gem install rbroccoli
If you want to see some example applications, download the rbroccoli
source tarball from here:
http://rubyforge.org/frs/download.php/12615/rbroccoli-1.1.0.tgz
The "examples" directory has three scripts that demonstrate the API.
Better documentation is forthcoming.
Have fun!
.Seth
Smith, Stephen G., OIG DoD wrote:
> I'm looking at needing to put ~400 entries in the sensitive lookup table.
> Does anyone know whether Bro will be able to handle this without freaking,
> and has anyone done this many on their own system?
> Thanks,
> Steve
> --
> Stephen G. Smith
> DODIG NETSEC Division
> stephen.smith(a)dodig.mil
I have an instance of bro with a table that contains O(22k) entries, and
there seems to be no ill effect on the system at all. As this table is
part of the bottom half of the main loop in the check_scan() function,
it is exercised well.
good luck!
scott
Hi there,
Thanks
I have downloaded <bro-0.9-stable.tar.gz> and installed it.
My OS is RedHat Linux 9.0. I enter a new terminal as user bro,
typing: bro.rc start, and it runs successfully,
but if I just run /usr/local/bro/bin/bro, it reports an error: Line 1:error:can't open bro.init
I can't understand this.
Please help me.
xajhzhqxl(a)sohu.com
2006-08-15
version: 0.9a11
OS: FC5
kernel: 2.6.17-1.2157_FC5 i686
GCC: gcc version 4.1.1 20060525 (Red Hat 4.1.1-1)
./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets ${MAKE}... yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking dependency style of gcc... gcc3
checking for flex... flex
checking for flex... (cached) flex
checking for yywrap in -lfl... yes
checking lex output file root... lex.yy
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for a BSD-compatible install... /usr/bin/install -c
checking whether make sets ${MAKE}... (cached) yes
checking for gzip... gzip
checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking whether OPENSSL_add_all_algorithms_conf is declared... yes
checking for OpenSSL >= 0.9.7... yes
checking for perl5... no
checking for perl... /usr/bin/perl
checking for chown... /bin/chown
checking Linux kernel version... 2
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... 64
checking for _LARGE_FILES value needed for large files... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking return type of signal handlers... void
checking for sigset... yes
checking for int32_t using gcc... yes
checking for u_int32_t using gcc... yes
checking for u_int16_t using gcc... yes
checking for u_int8_t using gcc... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for memory.h... (cached) yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking socket.h usability... no
checking socket.h presence... no
checking for socket.h... no
checking for net/ethernet.h... yes
checking for netinet/ether.h... yes
checking for netinet/if_ether.h... yes
checking for netinet/ip6.h... yes
checking for socklen_t... yes
checking if syslog returns int... no
checking if we should declare socket and friends... no
checking for working memcmp... yes
checking for strftime... yes
checking for strerror... yes
checking for strsep... yes
checking for mallinfo... yes
checking for library containing inet_aton... none required
checking for ns_initparse in -lresolv... no
checking for ns_initparse in resolver... yes
checking for tgetnum in -ltermcap... yes
checking readline/readline.h usability... yes
checking readline/readline.h presence... yes
checking for readline/readline.h... yes
checking whether byte ordering is bigendian... no
checking for ns_msg... yes
checking for res_mkquery... yes
checking for union semun... no
checking for struct sembuf... yes
checking for struct sockaddr_in.sin_len... no
checking for long long... yes
checking size of long long... 8
checking for long int... yes
checking size of long int... 4
checking for void *... yes
checking size of void *... 4
Using shipped pcap
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating doc/Makefile
config.status: creating doc/ref-manual/Makefile
config.status: creating doc/quick-start/Makefile
config.status: creating doc/user-manual/Makefile
config.status: creating aux/adtrace/Makefile
config.status: creating aux/cf/Makefile
config.status: creating aux/hf/Makefile
config.status: creating aux/scripts/Makefile
config.status: creating aux/bdcat/Makefile
config.status: creating aux/rst/Makefile
config.status: creating aux/Makefile
config.status: creating policy/Makefile
config.status: creating policy/sigs/Makefile
config.status: creating scripts/Makefile
config.status: creating scripts/bro_config
config.status: creating scripts/bro.rc
config.status: creating scripts/localnetMAC.pl
config.status: creating scripts/s2b/Makefile
config.status: creating scripts/s2b/bro-include/Makefile
config.status: creating scripts/s2b/example_bro_files/Makefile
config.status: creating scripts/s2b/etc/Makefile
config.status: creating scripts/s2b/bin/Makefile
config.status: creating scripts/s2b/pm/Makefile
config.status: creating scripts/s2b/snort_rules2.2/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands
config.status: executing default commands
Using install prefix /usr/local/bro
Compiling Bro with OpenSSL support: Yes
Using perl /usr/bin/perl
Using non-blocking main loop: No
====================================================
make
Making all in bdcat
make[4]: Entering directory `/home/hkong/download/bro-0.9a11/aux/bdcat'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/hkong/download/bro-0.9a11/aux/bdcat'
make[4]: Entering directory `/home/hkong/download/bro-0.9a11/aux'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
make[3]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
make[2]: Leaving directory `/home/hkong/download/bro-0.9a11/aux'
Making all in src
make[2]: Entering directory `/home/hkong/download/bro-0.9a11/src'
make all-am
make[3]: Entering directory `/home/hkong/download/bro-0.9a11/src'
source='main.cc' object='main.o' libtool=no \
depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \
depmode=gcc3 /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src -I. -I.. -Ilibedit
-I../linux-include -I../aux/libpcap-0.7.2 -O -g -O2 -c -o main.o `test -f
main.cc || echo './'`main.cc
RE.h:224: error: extra qualification 'RE_Matcher::' on member 'Serialize'
RE.h:225: error: extra qualification 'RE_Matcher::' on member 'Unserialize'
Conn.h:64: error: extra qualification 'ConnID::' on member 'BuildConnKey'
make[3]: *** [main.o] Error 1
make[3]: Leaving directory `/home/hkong/download/bro-0.9a11/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/hkong/download/bro-0.9a11/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/hkong/download/bro-0.9a11'
make: *** [all] Error 2
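The three "extra qualification" errors above are the diagnostic GCC 4.1 emits when a member is declared inside its own class body with the class name as a qualifier (e.g. `RE_Matcher::Serialize` written inside `class RE_Matcher { ... }`), a form older compilers tolerated. The following added example is not Bro's code; `Matcher` is a stand-in class that shows the rejected form in a comment and the accepted form beside it:

```cpp
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a class like Bro's RE_Matcher (illustrative, not the
// project's own code). Before GCC 4.1 the following was tolerated:
//
//     class Matcher {
//         bool Matcher::Serialize(std::string& out) const;  // extra qualification
//     };
//
// GCC 4.1 rejects it with "extra qualification 'Matcher::' on member
// 'Serialize'". The fix is purely syntactic: drop the qualifier inside the
// class body and keep it only on the out-of-class definition.
class Matcher {
public:
    explicit Matcher(std::vector<int> states = {}) : states_(std::move(states)) {}

    // Declared unqualified inside the class body.
    bool Serialize(std::string& out) const;
    bool Unserialize(const std::string& in);
    const std::vector<int>& States() const { return states_; }

private:
    std::vector<int> states_;  // constructed sample state, comma-joined on output
};

// The qualifier belongs here, on the out-of-class definition.
bool Matcher::Serialize(std::string& out) const
{
    std::ostringstream os;
    for (size_t i = 0; i < states_.size(); ++i)
        os << (i ? "," : "") << states_[i];
    out = os.str();
    return true;
}

// Parses the comma-separated form back; an empty field is a format error.
bool Matcher::Unserialize(const std::string& in)
{
    states_.clear();
    std::istringstream is(in);
    std::string tok;
    while (std::getline(is, tok, ',')) {
        if (tok.empty()) return false;
        states_.push_back(std::stoi(tok));
    }
    return true;
}
```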
Hello Bro,
Version: 0.8a88
Question: While running make install, it reports an error as follows:
# make install
bro /usr/local/sbin
input in flex scanner failed
make: *** [install] Error 2
Thanks very much!
XuLiang Qi
xajhzhqxl(a)sohu.com
2006-08-10
Hi,
Can someone help me on how to turn on the DEBUG messages in the BRO-0.911
current release?
I did try ./configure --enable-debug and also defining #define DEBUG
in main.cc.
But I could not find the debug messages.
I was playing around with the code to drop the Telnet packets based on
connections. But BRO gets auto-restarted or stopped at a time when the
timer gets invoked, which seems to be the expiry timer, which invokes
ConnCompress::Remove()
and finally lands in tcp_conns.RemoveEntry(k), which lands in this
debug msg -> internal_error(fmt("connection missing"))
Could somebody shed some light on this?
Thanks,
Anand