zeek January 2007

zeek@lists.zeek.org

19 participants
21 discussions

by Mike Muratet

Greetings I am integrating bro into a larger system so that I can use it to keep track of connections (which seems easier than trying to write a method from scratch with pcap). I thought it would be straightforward to grep for print or email or alarm statements to figure out where to put the hooks for an IPC message but so far it eludes me. Is there a principal module for outputting the notifications? Thanks Mike

14 years, 2 months

[Bro] three things

by Mike Dopheide

I'm back and I'm stirring up trouble. I've come across three different issues in the last couple days that the list might like to know about. None of this is a show stopper for me, just curiosities. 1) I've spent quite a bit of time trying to get a regular expression to match packet contents returned by udp_contents(). An example snippet of the contents would be: dopheide\xa2^J\x1b^HNCSA.EDU I'd like to match against /.*NCSA.*/, but the match fails. This morning I finally found clean() which makes the pattern work, but then my bytes count gets shifted all around. (Maybe I should be using signatures...) 2) While looking at (1) I found that all patterns fail with bro-1.2.1 on Fedora Core 5: line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/ It happens with patterns I write or any patterns in the provided .bro files. bro-1.1d works just fine on FC5 and bro-1.2.1 works fine on RHEL4 3) bro-1.2.1 won't compile on RHEL3 u8, but will on RHEL4. On RHEL3, make fails with this error: g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I. -I.. -Ilibedit -I/usr/kerberos/include -I../linux-include -O -W -Wall -Wno-unused -I/usr/kerberos/include -I../linux-include -g -O2 -c -o bif_parse.o bif_parse.cc In file included from /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/iostream.h:31, from /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/stl_algobase.h:53, from /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/vector:30, from ../src/builtin-func.y:2: /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h: In method `struct streampos streambuf::pubseekoff(long long int, ios::seek_dir, int = 3)': /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:362: conversion from `__off64_t' to non-scalar type `streampos' requested /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h: In method `struct streampos streambuf::pubseekpos(_G_fpos64_t, int = 3)': /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364: `struct streampos' used where a `long long int' was expected /afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364: warning: control reaches end of non-void function `streambuf::pubseekpos(_G_fpos64_t, int)' make[2]: *** [bif_parse.o] Error 1 make[2]: Leaving directory `/tmp/dopheide/bro-1.2.1/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/tmp/dopheide/bro-1.2.1' make: *** [all] Error 2

14 years, 8 months

[Bro] Traffic characteristics extraction with Bro

by Duc T Ha

Hi, I am trying to extract some flow characteristics from static data with Bro. I've checked the analyzer Conn.bro, but didn't find any suitable information. At present, the characteristics I need are: mean packet size and mean packet inter-arrival time, all per flow. Future work may require packet related information, also per flow. Does anybody know how to do this ? Bro's manual doesn't provide much information about static traffic analysis. Where should I start and what should I do now? I am also quite new with Bro, so any detail is appreciated. Thanks in advance, Duc.

14 years, 8 months

[Bro] Multiple bro nodes

by CS Lee

Hi, I haven't seen any discussion on this matter yet, while I have heard how bro developers fully utilize bro-ids system. What's the good and standard management and maintenance process when one deploy multiple bro-ids nodes in the site? This is tricky, as most of security admins always have their own way of administration, but I would like to know how bro-ids developers such as Vern, Christian or Robin doing it or others who would like to share the idea. How are the analysis and correlation process that can be done through multiple bro-ids node? I know bro-ids documentation is improving especially after wiki is launched. But I still hardly find the answer for the questions above. I would like to know how it is done practically. Thanks. -- Best Regards, CS Lee<geekooL[at]gmail.com>

14 years, 8 months

[Bro] Using Dynamic protocol detection to create a HTTP trace

by Archit Gupta

Hi, Given a trace with all traffic, is it possible to use Bro to produce a trace with just the HTTP traffic? Any hints would be appreciated. Thanks and best regards, Archit

14 years, 8 months

[Bro] web interface

by Jacob Yocom-Piatt

before i get my hands dirty and start installing and configuring bro, i want to know if there is a web interface from which to view alerts, graphs, etc. it is not critical that i have this sort of interface, although it would be nice. if there are any known problems running bro on openbsd, do tell. cheers, jake

14 years, 8 months

[Bro] UDP contents

by Mike Dopheide

I'm having a slight problem getting the contents of Kerberos UDP packets. This is my first attempt at Bro so hopefully my error is something simple. Bro version 1.1d When a client requests an initial kerberos ticket it sends a request to the server (AS_REQ) and the server reply is usually either the ticket or an error. I want to watch the initial AS_REQ, but all I'm seeing is the response from the server. In this case, /tmp/trace2.out is a tcpdump of a couple kerberos requests from the client's perspective and the AS_REQ's are there when looking at the dump via ethereal. /usr/local/bro/bin/bro -r /tmp/trace2.out hostname.bro ====== policy/bro.init ============= ... const udp_content_deliver_all_orig = T &redef; const udp_content_deliver_all_resp = T &redef; ... ====== site/hostname.bro ======== @prefixes = local @load site @load conn.bro # not really needed global dop = open_log_file("dop") &redef; event udp_contents(u: connection, is_orig: bool, contents: string){ local id = u$id; print dop, fmt("KDC %s %s",id$orig_p,id$resp_p); print dop, fmt("contents %s",contents); } =========================== Sample output from one of the requests, this is the server responding back to the client. Again, Bro is running on the client. KDC 32898/udp 88/udp contents ~\x82^A^I0\x82^A^E\xa0^C^B^A^E\xa1^C^B^A\x1e\xa2^Q^X^O20070125213047Z\xa4^Q^X^O20070125213048Z\xa5^E^B^C^F\x80\xb5\xa6^C^B^A^Y\xa7^J\x1b^HNCSA.EDU\xa8^U0^S\xa0^C^B^A^A\xa1^L0^J\x1b^Hdopheide\xa9^J\x1b^HNCSA.EDU\xaa\x1d0\x1b\xa0^C^B^A\0\xa1^T0^R\x1b^Fkrbtgt\x1b^HNCSA.EDU\xab^Q\x1b^ONEEDED_PREAUTH\0\xacf^Dd0b0^I\xa1^C^B^A^B\xa2^B^D\00J\xa1^C^B^A^S\xa2C^DA0?0^E\xa0^C^B^A^R0^E\xa0^C^B^A^P0^E\xa0^C^B^A^A0^E\xa0^C^B^A^C0^I\xa0^C^B^A^A\xa1^B\x1b\00^V\xa0^C^B^A^A\xa1^J\x1b^HNCSA.EDU\xa2^C^D^A^A0^I\xa1^C^B^A^M\xa2^B^D\0 Any thoughts? Is it just because the AS_REQ is outgoing on the system where Bro is running? (And why would that matter?) -Mike

14 years, 8 months

[Bro] Change for 2007 on Daylight Savings Time in Bro.

by matthew.weiner＠us.army.mil

Is Bro affected by the new 2007 change in Daylight Savings Time (DST)? Where does Bro pull its time from? Beginning in 2007, Daylight Saving Time is extended one month and begins for most of the United States at: 2 a.m. on the Second Sunday in March to 2 a.m. on the First Sunday of November. If so, are there any current patches or fixes to ensure Bro pulls the correct time.

14 years, 8 months

[Bro] IPv6 support in Bro

by Julien Desfossez

Hello, I would like to contribute to the IPv6 part of Bro development. So I would like to know what is roadmap in this area and how I could help. Cheers, Julien

14 years, 9 months

[Bro] (Traffic characteristics extraction with Bro - Continue)

by Duc T Ha

Dear all, I have looked at some files while still waiting for some hints for my previous question. Then I found the event "new_packet" , which looks promising. However, I DON"T know if the packet reported there is already "processed", i.e only valid packets for the connection are considered while others such as: duplicate or out of order packets are not reported to the handler? Does anybody know how this event works ? I REALLY need some answers to go on. Thanks, Duc.

14 years, 9 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2007