Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
I'm back and I'm stirring up trouble. I've come across three different
issues in the last couple days that the list might like to know about.
None of this is a show stopper for me, just curiosities.
1)
I've spent quite a bit of time trying to get a regular expression to
match packet contents returned by udp_contents(). An example snippet of
the contents would be:
dopheide\xa2^J\x1b^HNCSA.EDU
I'd like to match against /.*NCSA.*/, but the match fails. This morning
I finally found clean() which makes the pattern work, but then my bytes
count gets shifted all around.
(Maybe I should be using signatures...)
2)
While looking at (1) I found that all patterns fail with bro-1.2.1 on
Fedora Core 5:
line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/
It happens with patterns I write or any patterns in the provided .bro
files. bro-1.1d works just fine on FC5, and bro-1.2.1 works fine on RHEL4.
3)
bro-1.2.1 won't compile on RHEL3 u8, but will on RHEL4. On RHEL3, make
fails with this error:
g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I.
-I.. -Ilibedit -I/usr/kerberos/include -I../linux-include -O -W -Wall
-Wno-unused -I/usr/kerberos/include -I../linux-include -g -O2 -c -o
bif_parse.o bif_parse.cc
In file included from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/iostream.h:31,
from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/stl_algobase.h:53,
from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/vector:30,
from ../src/builtin-func.y:2:
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:
In method `struct streampos streambuf::pubseekoff(long long int,
ios::seek_dir, int = 3)':
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:362:
conversion from `__off64_t' to non-scalar type `streampos' requested
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:
In method `struct streampos streambuf::pubseekpos(_G_fpos64_t, int =
3)':
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364:
`struct streampos' used where a `long long int' was expected
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364:
warning: control reaches end of non-void function
`streambuf::pubseekpos(_G_fpos64_t, int)'
make[2]: *** [bif_parse.o] Error 1
make[2]: Leaving directory `/tmp/dopheide/bro-1.2.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/dopheide/bro-1.2.1'
make: *** [all] Error 2
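On point (1), the byte-count shift after clean() comes from escaping: a high or control byte becomes several characters, so offsets measured in the cleaned text no longer line up with the packet. The added example below (my own illustration in Python, not Bro code from the post or the project) matches on the raw bytes, matches on an approximation of the escaped form, and maps an escaped offset back to the true byte offset. The sample bytes are constructed from the snippet quoted above, and clean_like() only approximates Bro's clean().

```python
import re

# Constructed sample modelled on the udp_contents() snippet in the post:
# "dopheide", two tag/length bytes, a control byte, then the realm name.
RAW = b"dopheide\xa2\x0a\x1b\x08NCSA.EDU"


def clean_like(data: bytes) -> str:
    """Escape non-printable bytes the way a printed Bro string shows them
    (\\xNN for high bytes, ^X for control bytes). This is an approximation
    of Bro's clean(), not its exact output."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def match_raw(data: bytes):
    """Match on the raw bytes: each byte is one unit, so the offset of
    'NCSA' is the real byte offset inside the datagram."""
    m = re.search(rb"NCSA", data)
    return m.start() if m else None


def match_escaped(data: bytes):
    """Match on the escaped text: the pattern still hits, but the offset now
    counts escape characters, which is the 'shifted byte count' effect."""
    m = re.search(r"NCSA", clean_like(data))
    return m.start() if m else None


def escaped_to_byte_offset(data: bytes, esc_pos: int) -> int:
    """Map an offset in the escaped text back to a raw byte offset by
    replaying the escaping one byte at a time."""
    pos = 0
    for i, b in enumerate(data):
        if pos >= esc_pos:
            return i
        pos += len(clean_like(bytes([b])))
    return len(data)
```

With the sample above the raw match sits at byte 12 while the escaped match sits at character 18; the mapping function recovers 12 from 18.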
Hi,
I am trying to extract some flow characteristics from static data with
Bro. I've checked the analyzer Conn.bro, but didn't find any suitable
information.
At present, the characteristics I need are: mean packet size and mean
packet inter-arrival time, all per flow. Future work may require packet
related information, also per flow.
Does anybody know how to do this? Bro's manual doesn't provide much
information about static traffic analysis.
Where should I start and what should I do now?
I am also quite new with Bro, so any detail is appreciated.
Thanks in advance,
Duc.
Hi,
I haven't seen any discussion on this matter yet, while I have heard how bro
developers fully utilize the bro-ids system.
What is a good and standard management and maintenance process when one
deploys multiple bro-ids nodes in a site? This is tricky, as most
security admins have their own way of administration, but I would
like to know how bro-ids developers such as Vern, Christian or Robin are doing
it, or hear from others who would like to share their ideas.
How can the analysis and correlation process be done across
multiple bro-ids nodes?
I know the bro-ids documentation is improving, especially after the wiki was launched.
But I still can hardly find the answers to the questions above. I would like to
know how it is done in practice.
Thanks.
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
Hi,
Given a trace with all traffic, is it possible to use Bro to produce a
trace with just the HTTP traffic? Any hints would be appreciated.
Thanks and best regards,
Archit
Before I get my hands dirty and start installing and configuring Bro, I
want to know if there is a web interface from which to view alerts,
graphs, etc. It is not critical that I have this sort of interface,
although it would be nice.
If there are any known problems running Bro on OpenBSD, do tell.
cheers,
jake
I'm having a slight problem getting the contents of Kerberos UDP
packets. This is my first attempt at Bro so hopefully my error is
something simple.
Bro version 1.1d
When a client requests an initial kerberos ticket it sends a request to
the server (AS_REQ) and the server reply is usually either the ticket or
an error. I want to watch the initial AS_REQ, but all I'm seeing is the
response from the server.
In this case, /tmp/trace2.out is a tcpdump of a couple of Kerberos requests
from the client's perspective, and the AS_REQs are there when looking
at the dump via ethereal.
/usr/local/bro/bin/bro -r /tmp/trace2.out hostname.bro
====== policy/bro.init =============
...
const udp_content_deliver_all_orig = T &redef;
const udp_content_deliver_all_resp = T &redef;
...
====== site/hostname.bro ========
@prefixes = local
@load site
@load conn.bro # not really needed

global dop = open_log_file("dop") &redef;

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	local id = u$id;
	print dop, fmt("KDC %s %s", id$orig_p, id$resp_p);
	print dop, fmt("contents %s", contents);
	}
===========================
Sample output from one of the requests; this is the server responding
back to the client. Again, Bro is running on the client.
KDC 32898/udp 88/udp
contents
~\x82^A^I0\x82^A^E\xa0^C^B^A^E\xa1^C^B^A\x1e\xa2^Q^X^O20070125213047Z\xa4^Q^X^O20070125213048Z\xa5^E^B^C^F\x80\xb5\xa6^C^B^A^Y\xa7^J\x1b^HNCSA.EDU\xa8^U0^S\xa0^C^B^A^A\xa1^L0^J\x1b^Hdopheide\xa9^J\x1b^HNCSA.EDU\xaa\x1d0\x1b\xa0^C^B^A\0\xa1^T0^R\x1b^Fkrbtgt\x1b^HNCSA.EDU\xab^Q\x1b^ONEEDED_PREAUTH\0\xacf^Dd0b0^I\xa1^C^B^A^B\xa2^B^D\00J\xa1^C^B^A^S\xa2C^DA0?0^E\xa0^C^B^A^R0^E\xa0^C^B^A^P0^E\xa0^C^B^A^A0^E\xa0^C^B^A^C0^I\xa0^C^B^A^A\xa1^B\x1b\00^V\xa0^C^B^A^A\xa1^J\x1b^HNCSA.EDU\xa2^C^D^A^A0^I\xa1^C^B^A^M\xa2^B^D\0
Any thoughts? Is it just because the AS_REQ is outgoing on the system
where Bro is running? (And why would that matter?)
-Mike
Is Bro affected by the new 2007 change in Daylight Saving Time (DST)? Where does Bro pull its time from?
Beginning in 2007, Daylight Saving Time is extended one month and begins for most of the United States at:
2 a.m. on the Second Sunday in March
to
2 a.m. on the First Sunday of November.
If so, are there any current patches or fixes to ensure Bro pulls the correct time?
Hello,
I would like to contribute to the IPv6 part of Bro development.
So I would like to know what the roadmap is in this area and how I could help.
Cheers,
Julien
Dear all,
I have looked at some files while still waiting for some hints for my
previous question.
Then I found the event "new_packet", which looks promising.
However, I DON'T know if the packet reported there is already
"processed", i.e. only valid packets for the connection are considered
while others, such as duplicate or out-of-order packets, are not reported
to the handler?
Does anybody know how this event works? I REALLY need some answers to
go on.
Thanks,
Duc.
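For the per-flow mean packet size and mean inter-arrival time asked about in both of Duc's messages, the added example below (my own illustration in Python, not Bro code from the list or the project) shows the computation over a small constructed packet list, standing in for what a per-packet handler such as new_packet would receive. The 5-tuples, sizes and timestamps are constructed; flows are keyed bidirectionally so both directions of a connection land in one flow.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet records: (timestamp in seconds, 5-tuple, size in bytes).
# These are invented for the example, not taken from a real trace.
PACKETS = [
    (0.000, ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp"), 60),
    (0.010, ("10.0.0.2", 80, "10.0.0.1", 40000, "tcp"), 60),
    (0.025, ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp"), 500),
    (0.030, ("10.0.0.1", 40001, "10.0.0.3", 53, "udp"), 70),
    (0.055, ("10.0.0.2", 80, "10.0.0.1", 40000, "tcp"), 1460),
    (0.080, ("10.0.0.3", 53, "10.0.0.1", 40001, "udp"), 150),
]


def flow_key(tuple5):
    """Bidirectional flow key: order the two endpoints so that packets in
    either direction of a connection map to the same flow."""
    src, sport, dst, dport, proto = tuple5
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def per_flow_stats(packets):
    """Return {flow_key: (mean packet size, mean inter-arrival time)}.
    A flow with a single packet has no inter-arrival time, so None is
    reported rather than a misleading zero."""
    by_flow = defaultdict(list)
    # Sort by timestamp so inter-arrival gaps are computed in capture order.
    for ts, t5, size in sorted(packets, key=lambda p: p[0]):
        by_flow[flow_key(t5)].append((ts, size))
    stats = {}
    for key, pkts in by_flow.items():
        sizes = [s for _, s in pkts]
        times = [t for t, _ in pkts]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        stats[key] = (mean(sizes), mean(gaps) if gaps else None)
    return stats
```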