Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
A few people have asked about whether or not you need to register for the
SC'06 conference to attend the workshop. The workshop is not affiliated
with the conference, so you do not need to register. However, depending
on where the workshop room is located, there is a chance that people may
need to purchase a guest pass to get to the room. I'd like to try and
prevent this from happening, but we'll try to let people know if that
is going to be the case as soon as we get more info.
--
James J. Barlow <jbarlow(a)ncsa.uiuc.edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications Voice : (217)244-6403
1205 West Clark Street, Urbana, IL 61801 Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow Fax : (217)244-1987
Hi everybody!
Where can I find documentation on inter-bro communication? I can't
find anything in the archive or the manuals.
I'm using bro 0.9a9, because there is a wireless edition developed at
Dresden University of Technology in Germany. I need the inter-bro
communication to develop distributed policies.
Thanks for all hints!
Sandro
Hi folks,
I was wondering why the following code is commented out of smtp.bro? I
have a patch that looks for "MAIL FROM" and sets those as the
sender in the smtp logs. It adds a couple of functions to mimic the
structure of extract_recipient() etc. The functionality seems to work
well. All of the valid sender addresses seem to get captured, though I
have not done exhaustive testing for invalid addresses.
in policy/smtp.bro
# else if ( cmd == "MAIL" && code == 250 )
#     smtp_command_mail(session, cmd_info);
However, if there is a reason why we shouldn't be doing this, I won't
submit the patch.
Thanks,
Randy
http://www.frenzy.org
"Sed Quis Custodiet Ipsos Custodes?" -Juvenal
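An added example (Python; not the poster's patch and not Bro's own code) of the sender extraction the message describes: pull the reverse-path out of a MAIL FROM command the way extract_recipient() does for RCPT TO, and record it only once the server has accepted the command with a 250 reply. The session transcript and function names are constructed for the example.

```python
import re

# Matches "MAIL FROM:" case-insensitively and captures everything after the colon.
_MAIL_FROM = re.compile(r"^MAIL\s+FROM\s*:\s*(.*)$", re.IGNORECASE)


def extract_sender(cmd_line):
    """Return the reverse-path from a MAIL FROM line, or None if it is not one.

    Handles the RFC 5321 angle-bracket form, the null reverse-path "<>",
    trailing ESMTP parameters (SIZE=, BODY=8BITMIME, ...), obsolete source
    routes ("<@relay:user@host>") and the non-compliant bare form
    "MAIL FROM: user@example.com" that some clients send.
    """
    m = _MAIL_FROM.match(cmd_line.strip())
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith("<"):
        end = rest.find(">")
        if end < 0:
            return None            # unterminated bracket: treat as malformed
        path = rest[1:end]
    else:
        path = rest.split()[0] if rest else ""
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]  # drop the source route, keep the mailbox
    return path                       # "" is the null reverse-path (bounces)


def senders_from_session(lines):
    """Walk an interleaved client/server transcript and keep a sender only
    after the server answers the MAIL command with 250, mirroring the
    commented-out 'cmd == "MAIL" && code == 250' condition in smtp.bro."""
    accepted, pending = [], None
    for line in lines:
        if pending is not None and line[:3].isdigit():   # server reply
            if line.startswith("250"):
                accepted.append(pending)
            pending = None
            continue
        sender = extract_sender(line)
        if sender is not None:
            pending = sender
    return accepted


SAMPLE_SESSION = [  # constructed transcript, client and server lines interleaved
    "EHLO client.example", "250-mx.example Hello",
    "MAIL FROM:<alice@example.org> SIZE=1024", "250 2.1.0 Ok",
    "RCPT TO:<bob@example.net>", "250 2.1.5 Ok",
    "mail from: <spoof@example.com>", "550 5.7.1 Rejected",
    "MAIL FROM:<>", "250 2.1.0 Ok",
]
```

Running senders_from_session(SAMPLE_SESSION) yields the accepted sender and the null reverse-path, while the 550-rejected address is dropped.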
Hello,
I'm trying to compile Bro 0.9a11 under Gentoo 2006.1 but I always get
this error:
cd . && /bin/sh /home/wildchild/bro/bro-0.9a11/missing --run autoheader
configure.in:441: warning: AC_TRY_RUN called without default to allow cross
compiling
/usr/bin/autoheader-2.13: Symbol `ns_msg' is not covered by
/usr/share/autoconf/acconfig.h
make: *** [stamp-h.in] Erreur 1
Any idea?
Thanks
Gabriel Lavoie
--
Gabriel Lavoie
glavoie(a)gmail.com
Hi,
I was trying to write signatures for detecting connections to a mail server.
I used
'http-request-header' followed by the payload to be matched.
signature abcd
{
ip-proto == tcp
tcp state established
event "Connection to Mail server"
http-request-header /.*mail/
}
When I tried to start bro, I got the following error message:
"parse error at line x:" i.e., at the line where I have mentioned
http-request-header.
I did load the analyzers.
Can anyone suggest a way to handle this problem?
Thanks,
Dhanesh.
Hi,
While building bro, I got an error because termcap.h was not found.
After I included termcap.h in libedit, term.c got compiled but I got a
segmentation fault saying: Command failed for target
`dce_rpc_pac.cc'. How can I fix this up?
Thanks,
Pallavi
Dear Colleagues,
please find attached the Call For Papers for DIMVA 2007, the Fourth
GI International Conference on Detection of Intrusions & Malware,
and Vulnerability Assessment; which is to be held in Lucerne,
Switzerland, July 12-13, 2007. Complete information is available at
http://www.dimva.org/dimva2007.
Please feel free to distribute this announcement. We apologize if
you receive multiple copies of this message.
Best Regards,
The DIMVA 2007 Organizing Committee
---------------------------------------------------------------------------
CALL FOR PAPERS
DIMVA 2007
Fourth GI International Conference on
Detection of Intrusions & Malware, and Vulnerability Assessment
Organized by the GI Special Interest Group SIDAR
In Cooperation with
IEEE Computer Society Task Force on Information Assurance
Lucerne, Switzerland
July 12 - 13, 2007
http://www.dimva.org/dimva2007
mailto:info@dimva.org
---------------------------------------------------------------------------
The annual DIMVA conference serves as a premier forum for advancing the
state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together international
experts from academia, industry and government to present and discuss
novel research in these areas. DIMVA is organized by the special interest
group "Security - Intrusion Detection and Response" of the German
Informatics Society (GI). The conference proceedings will appear in
Springer's "Lecture Notes in Computer Science" (LNCS) series.
DIMVA solicits submission of high-quality, original scientific work. This
year we invite two types of paper submissions:
- Full papers, presenting novel and mature research results. Full papers
are limited to 20 pages, prepared according to the instructions
provided below. They will be reviewed by the program committee, and
papers accepted for presentation at the conference will be included in
the proceedings.
- Short papers (extended abstracts), presenting original, still ongoing
work that has not yet reached the maturity required for a full paper.
Short papers are limited to 10 pages, prepared according to the
instructions provided below. They will also be reviewed by the program
committee, and papers accepted for presentation at the conference will
be included in the proceedings (containing "Extended Abstract" in the
title).
DIMVA's scope includes, but is not restricted to the following areas:
- Intrusion Detection
* Approaches
* Implementations
* Prevention and response
* Result correlation
* Evaluation
* Potentials and limitations
* Operational experiences
* Evasion and other attacks
* Legal and social aspects
- Malware
* Techniques
* Detection
* Prevention
* Evaluation
* Trends and upcoming risks
* Forensics and recovery
- Vulnerability Assessment
* Vulnerabilities
* Vulnerability detection
* Vulnerability prevention
DIMVA particularly encourages papers that discuss the integration of
intrusion, malware, and vulnerability detection in large-scale
operational communication networks.
ORGANIZING COMMITTEE
--------------------
General Chair: Bernhard Hämmerli, HTA Luzern
info(a)dimva.org
Program Chair: Robin Sommer, LBNL/ICSI
pc-chair(a)dimva.org
Sponsor Chair: Dirk Schadt, Computer Associates
sponsor-chair(a)dimva.org
PROGRAM COMMITTEE
-----------------
Roland Büschkes, RWE (DE)
Weidong Cui, Microsoft Research (US)
Marc Dacier, Eurécom (FR)
Hervé Debar, France Télécom (FR)
Sven Dietrich, Carnegie Mellon University (US)
Toralv Dirro, McAfee (DE)
Holger Dreger, TU Munich (DE)
Mohamed Eltoweissy, Virginia Tech (US)
Ulrich Flegel, University of Dortmund (DE)
Felix C. Freiling, University of Mannheim (DE)
Dirk Häger, BSI (DE)
Bernhard Hämmerli, HTA Lucerne (CH)
Marc Heuse, n.runs (DE)
Ming-Yuh Huang, Boeing (US)
Erland Jonsson, Chalmers University (SE)
Klaus Julisch, IBM Research (US)
Angelos Keromytis, Columbia University (US)
Hartmut König, BTU Cottbus (DE)
Christian Kreibich, ICSI (US)
Christopher Kruegel, TU Vienna (AT)
Pavel Laskov, Fraunhofer FIRST (DE)
Wenke Lee, Georgia Tech (US)
Jun Li, Tsinghua University (CN)
Javier Lopez, University of Malaga (ES)
John McHugh, Dalhousie University (CA)
Michael Meier, University of Dortmund (DE)
R. Sekar, Stony Brook University (US)
Roberto Setola, Univ. CAMPUS Bio-Medico Rome (IT)
Doug Tygar, UC Berkeley (US)
Giovanni Vigna, UC Santa Barbara (US)
Stephen Wolthusen, University of London (GB)
S. Felix Wu, UC Davis (US)
IMPORTANT DATES
---------------
February 9, 2007 Deadline for submission of full and short papers.
April 9, 2007 Notification of acceptance or rejection.
April 27, 2007 Final camera-ready copies due.
July 12-13, 2007 DIMVA conference.
PAPER SUBMISSIONS
-----------------
All papers must be submitted electronically in PDF format via the
conference Web site. Submissions must be formatted according to the
instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html). Submitted papers must be
in English and must not substantially overlap work that has been
published before, or that is simultaneously in submission to a journal or
a conference with proceedings. Simultaneous submission, submission of
previously published work, and plagiarism constitute dishonesty or fraud.
DIMVA prohibits these practices and may take appropriate action against
authors who have committed them. Authors of accepted papers must ensure
that their papers will be presented at the conference. Presentations must
also be held in English. Details about the electronic submission
procedure will be provided on the conference Web site by the end of
December 2006. Authors of accepted papers must follow the Springer
guidelines for the preparation of camera-ready copies. Details of the
process will be provided to the authors in time.
SPONSORSHIP OPPORTUNITIES
-------------------------
We solicit interested organizations to serve as sponsors for DIMVA 2007;
please contact the sponsor chair for information regarding corporate
sponsorship at sponsor-chair(a)dimva.org.
STEERING COMMITTEE
------------------
Chairs:
Ulrich Flegel, University of Dortmund
Michael Meier, University of Dortmund
Members:
Roland Büschkes, RWE
Marc Heuse, n.runs
Klaus Julisch, IBM Research
Christopher Kruegel, TU Vienna
Pavel Laskov, Fraunhofer FIRST
There is a group of individuals who decided to have a semi-informal
workshop at the Supercomputing '06 conference this year
(http://sc06.supercomputing.org/). The workshop will be held Tuesday
November 14th from 1 - 5pm and Wednesday the 15th from 9 - 12am.
The reason it was split over two days is because of scheduling conflicts
with the SC'06 event. It may also provide easier travel for people who only
want to attend the workshop on those two days (get in Tuesday morning
and leave Wednesday afternoon).
Here are some of the people who will be giving presentations at the
workshop:
Brian Tierney: Bro Overview
Robin Sommer: New features in Bro and future plans for Bro
Scott Campbell: Bro-to-Bro communication
Jason Lee: Bro Cluster
Seth Hall: RBroccoli - Ruby interface for Broccoli
Other areas of discussion will be around using netflows with Bro (Jim
Mellander has brought up what he is doing on this list), how other
sites are using Bro, feature changes/requests, maybe something on how to
implement Bro and get past the initial hurdles, sharing Bro data between
sites, and any other topics that people want to bring up. Also, in case
people did not know, Bro has been used as the IDS at the Supercomputing
events for a number of years now. So it might be interesting to discuss
how that was set up and configured.
If anyone is interested in attending just send me an email, or you
can post something to the list.
This workshop was put together (kind of at the last minute :) because
of some interest with a few of the sites who use Bro and were going to
be attending the SC'06 event. But we wanted to open it up for any
other site that might be interested in attending. So it will be very
informal and hopefully we can use this event to start something more
formal in future years.
SC'06 is in Tampa, Florida this year, and you can check out the main
web page (http://sc06.supercomputing.org/) for information on where
it's located. There is also a Travel section that has info on hotels
in the area: http://sc06.supercomputing.org/travel/hotels.php
--
James J. Barlow <jbarlow(a)ncsa.uiuc.edu>