On the Bro wiki it mentions that Bro can be configured to output
captured packets that look suspicious. The documentation regarding
trace files seems to stop there. I know there is a -w flag, but
that seems to be more related to using bro with the -i option, not
for getting suspicious traffic. What do I need to do to configure
Bro to output a trace file?
That would be one additional capability that would complement
separating out my TG traffic and other traffic mentioned in the
'Question about Bro Capabilities' thread.
Thanks,
-Reed
I want to reassemble the http-content for various streams. Right now
I have been able to generically reassemble all of the content, but
with mixed results. The plaintext content seems to be reassembling
fine; however, binary content has had mixed results. I have
successfully reassembled several gifs (minus a newline), but others I
have not. Looking at the hexdump of the content output, it seems
like some gifs are being output in ASCII hex, and others in real
binary. I then looked at the packet captures, and ethereal is
showing the binary of the gifs. The subtle difference that I have
noticed is that the successful gifs do not have any "X-..." optional
headers in them, whereas those that are failing have had "X-Cache"
and "X-Pad" for example.
Any thoughts on why Bro changes its output based on the optional
headers? Or why it could be sometimes outputting binary and others
ASCII Hex?
Thanks,
-Reed
Hi all,
configure, make, make install, and make install-brolite were successful
on Leopard 10.5. However, bro failed to start when invoked using the rc
script. Running bro from the command line against pcap files was successful.
Is there any way that I can debug this?
--mel
Hi all
Can someone help me with this header?
header ip[16:4]
I don't get it. What does it mean? I have read the manual but it was not very
helpful.
Thx
Moukala.
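The expression is a Bro signature header condition: header <proto>[<offset>:<size>] compares the <size> bytes that start <offset> bytes into that protocol's header, the same offset notation libpcap capture filters use. In an IPv4 header bytes 12..15 are the source address and bytes 16..19 the destination address, so ip[16:4] selects the destination IP. The Python below is an added example, not from the thread, that applies the same offset/size lookup to a constructed IPv4 header so the mapping can be checked; the function names and the sample header are my own.

```python
import ipaddress

# Constructed 20-byte IPv4 header (no options), assumed for this example:
# 10.0.0.5 -> 192.168.1.10, TTL 64, protocol 6 (TCP), DF set, checksum zeroed.
SAMPLE_IP_HEADER = bytes([
    0x45, 0x00, 0x00, 0x28,   # bytes 0..3:   version/IHL, TOS, total length 40
    0x1c, 0x46, 0x40, 0x00,   # bytes 4..7:   identification, flags/fragment offset
    0x40, 0x06, 0x00, 0x00,   # bytes 8..11:  TTL 64, protocol 6, header checksum
    10, 0, 0, 5,              # bytes 12..15: source address      (ip[12:4])
    192, 168, 1, 10,          # bytes 16..19: destination address (ip[16:4])
])


def header_field(header: bytes, offset: int, size: int) -> int:
    """Return the unsigned big-endian integer stored in header[offset:offset+size],
    i.e. the value that proto[offset:size] is compared against in a signature."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4 bytes")
    if offset + size > len(header):
        raise ValueError("field runs past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def ip_src(header: bytes) -> str:
    # ip[12:4]: IPv4 source address
    return str(ipaddress.IPv4Address(header_field(header, 12, 4)))


def ip_dst(header: bytes) -> str:
    # ip[16:4]: IPv4 destination address
    return str(ipaddress.IPv4Address(header_field(header, 16, 4)))


def ip_ttl(header: bytes) -> int:
    # ip[8:1]: time to live
    return header_field(header, 8, 1)


def ip_proto(header: bytes) -> int:
    # ip[9:1]: transport protocol number (6 = TCP, 17 = UDP)
    return header_field(header, 9, 1)


def ip_is_fragment(header: bytes) -> bool:
    # ip[6:2] & 0x3fff != 0: MF flag set or non-zero fragment offset, the same
    # test the capture filter quoted later in this digest uses to catch fragments
    return header_field(header, 6, 2) & 0x3fff != 0


if __name__ == "__main__":
    print("ip[12:4] =", ip_src(SAMPLE_IP_HEADER))
    print("ip[16:4] =", ip_dst(SAMPLE_IP_HEADER))
    print("ip[8:1]  =", ip_ttl(SAMPLE_IP_HEADER))
    print("ip[9:1]  =", ip_proto(SAMPLE_IP_HEADER))
    print("fragment =", ip_is_fragment(SAMPLE_IP_HEADER))
```

A signature condition such as header ip[16:4] == 192.168.1.10 is therefore true for this header, while header ip[12:4] == 192.168.1.10 is not.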
Hi,
Currently, I'm studying the worm behaviors, such as Blaster, Sasser, ... .
And the policy script blaster.bro can detect instances of the W32.Blaster.
Is there any policy that can be used for detecting Sasser?
Or can any other scanning policy capture the scanning event of the Sasser worm?
I would like to understand how (or with what approaches) Bro detects Sasser.
Any help will be appreciated, thanks.
Regards,
Mike
Hi
I have added
    ADD_ANALYZER_TIMER(&TCP_Analyzer::AckTimer1, tcp_ACK_timeout, 0, TIMER_TCP_EXPIRE);
in the TCP.cc file. AckTimer1 is my own function which executes when the ACK
doesn't come within tcp_ACK_timeout (this is set to 6.5 sec). I want to
reset the value of tcp_ACK_timeout when the acknowledgment comes. Can you
give me a solution for this?
Bye
LS Kishore
Hi,
I am currently trying to count concurrent connections. I'd like to use
a script like this:
redef ignore_checksums = T;
redef capture_filters += { ["tcp-setup"] = "tcp" };

global conncounter_file = open_log_file("conncounter");
global total_conn_count = 0;
global concurrent_conn_count = 0;

# Count each completed handshake; report every 1000th connection.
event connection_established(c: connection) {
    ++total_conn_count;
    ++concurrent_conn_count;
    if ( total_conn_count % 1000 == 0 ) {
        print conncounter_file, fmt("%.06f total: %08d max concurrent: %d",
                                    network_time(), total_conn_count,
                                    concurrent_conn_count);
    }
}

# Decrement when Bro drops the connection from its state table.
event connection_state_removed(c: connection) {
    --concurrent_conn_count;
}
However, the numbers I get soon become negative, or rather I get a runtime
error (counter negative). A quick check showed me that
connection_state_removed gets thrown up to four times per connection
in only the first few minutes of my trace.
I then tried to replace connection_state_removed() with
connection_reset() and connection_finished(). However I am not
convinced this is enough because even after more than 90 minutes of trace
time concurrent_conn_count is still increasing significantly (~1300
per minute on a 1 Gig uplink).
So my question now is: which events are thrown when exactly? Do I have
to track the established connections in the scripting layer? Is there
a way to just query for the size of the bro-internal connection
tracker?
BTW: I am using a header trace. In my opinion this shouldn't make a
difference, but maybe ...
Thanks for help!
Bernhard
--
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin
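One reason a bare counter goes negative is that connection_state_removed is raised for every connection Bro expires from its state table, including half-open or scan connections that never produced connection_established, so there are more decrements than increments. The Python below is an added example, not from the thread and not Bro policy code, that replays a constructed event sequence through the counter as written above and through a tracker keyed by the connection 4-tuple, which only decrements for connections it has actually counted. The event list, addresses and names are my own.

```python
from dataclasses import dataclass, field

# Connection identity, modelled on Bro's conn_id: (orig_h, orig_p, resp_h, resp_p).
ConnId = tuple


@dataclass
class ConnCounter:
    """Concurrent-connection tracker keyed by connection identity."""
    total: int = 0                         # connections that completed a handshake
    peak: int = 0                          # highest concurrent count observed
    active: set = field(default_factory=set)
    unknown_removes: int = 0               # removals for ids never counted as established

    def established(self, cid: ConnId) -> None:
        if cid in self.active:             # duplicate establish event: count once
            return
        self.active.add(cid)
        self.total += 1
        self.peak = max(self.peak, len(self.active))

    def removed(self, cid: ConnId) -> None:
        if cid in self.active:
            self.active.remove(cid)
        else:
            # Never established (half-open, scan) or already removed: ignore it.
            # This is what keeps the concurrent count from going negative.
            self.unknown_removes += 1

    @property
    def concurrent(self) -> int:
        return len(self.active)


# Constructed event stream (time, event name, conn_id), assumed for this example.
A = ("10.0.0.1", 40001, "10.0.0.9", 80)
B = ("10.0.0.2", 40002, "10.0.0.9", 80)
C = ("10.0.0.3", 40003, "10.0.0.9", 22)   # half-open: removed but never established
D = ("10.0.0.4", 40004, "10.0.0.9", 443)
EVENTS = [
    (1.0, "connection_established", A),
    (1.5, "connection_established", B),
    (2.0, "connection_state_removed", C),
    (3.0, "connection_state_removed", A),
    (3.1, "connection_state_removed", A),   # second removal for the same connection
    (4.0, "connection_established", D),
    (5.0, "connection_state_removed", B),
]


def naive_count(events) -> int:
    """The approach in the script above: one counter, decremented on every
    removal regardless of which connection it belongs to."""
    n = 0
    for _ts, name, _cid in events:
        if name == "connection_established":
            n += 1
        elif name == "connection_state_removed":
            n -= 1
    return n


def replay(events) -> ConnCounter:
    """Feed the same events through the keyed tracker."""
    counter = ConnCounter()
    for _ts, name, cid in events:
        if name == "connection_established":
            counter.established(cid)
        elif name == "connection_state_removed":
            counter.removed(cid)
    return counter


if __name__ == "__main__":
    print("naive counter ends at", naive_count(EVENTS))
    c = replay(EVENTS)
    print("keyed tracker: total", c.total, "peak", c.peak,
          "concurrent", c.concurrent, "ignored removals", c.unknown_removes)
```

The keyed tracker costs memory proportional to the number of open connections, which is the trade-off the question anticipates when it asks whether the established connections must be tracked in the scripting layer.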
Hello all,
for a few weeks I have been watching bruteforce attacks on SMTP AUTH.
It looks like this:
2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007) [222.183.149.252]: 535 Incorrect authentication data (set_id=company)
2007-09-30 07:41:11 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=administrator)
2007-09-30 21:26:16 plain_login authenticator failed for (windows) [64.72.227.37]: 535 Incorrect authentication data (set_id="null")
Affected box is running exim (just as info). I would like to make bro
recognize such attacks, so could someone be so kind and give me some
hints where to start? I have checked out src/SMTP.cc and policy/smtp.bro
but it is kind of weird.
First problem I can't solve "ad hoc" is:
1192050353.634741 #136 xx.xx.33.62/20241 > xx.xx.xx.44/smtp start external
1192050395.930749 #136 error: command mismatch: **(4) [cmd=**, cmd_arg=IQ==, reply=0, reply_arg=, cont_reply=F, log_reply=F](4), AUTH_ANSWER (334 UGFzc3dvcmQ6)
1192050397.092847 #136 error: command mismatch: **(5) [cmd=**, cmd_arg=, reply=0, reply_arg=, cont_reply=F, log_reply=F](5), AUTH_ANSWER (235 Authentication succeeded)
1192050399.164633 #136 finish
session does look like this:
>> my input
<< server response
SMTP>> EHLO test.pl
SMTP<< 250 banner
SMTP>> AUTH LOGIN
SMTP<< 334 VXNlcm5hbWU6
SMTP>> IQ==
SMTP<< 334 UGFzc3dvcmQ6
SMTP>> <simply_enter>
SMTP<< 235 Authentication succeeded
so commands are in good sequence yet bro does tell me that it is wrong.
Where should I start with fixing? I'm familiar with the bro language and have
written many other policies from scratch for our company, but I'm a little
bit confused about where to start with SMTP.
thx and kind regards,
Rafal
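Before touching the SMTP analyzer it helps to pin down the detection logic on the exim log itself: failed AUTH attempts per source address within a sliding window, with the usernames tried. The Python below is an added example, not from the thread and not Bro policy, that parses lines in the format shown above and raises one alert per source that reaches the threshold. The sample lines, helo names and addresses (documentation ranges) are constructed, and the regex, threshold and window are my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed exim main-log lines in the shape quoted in the message above.
SAMPLE_LOG = """\
2007-09-30 07:41:11 plain_login authenticator failed for (scanner-host) [198.51.100.7]: 535 Incorrect authentication data (set_id=administrator)
2007-09-30 07:41:13 plain_login authenticator failed for (scanner-host) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2007-09-30 07:41:15 plain_login authenticator failed for (scanner-host) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2007-09-30 07:41:40 login authenticator failed for (laptop) [203.0.113.9]: 535 Incorrect authentication data (set_id=alice)
2007-09-30 07:41:45 plain_login authenticator failed for (scanner-host) [198.51.100.7]: 535 Incorrect authentication data (set_id="null")
2007-09-30 08:30:00 plain_login authenticator failed for (scanner-host) [198.51.100.7]: 535 Incorrect authentication data (set_id=company)
"""

# One exim "authenticator failed" line: timestamp, authenticator name, HELO
# name in parentheses, client address in brackets, reply code, text, set_id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\S+) authenticator failed for "
    r"\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<msg>.*?) "
    r"\(set_id=(?P<user>.*)\)$"
)


def parse_line(line: str):
    """Return a dict for an authenticator-failed line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["code"] = int(rec["code"])
    return rec


def parse_log(text: str):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect_bruteforce(text: str, threshold: int = 4, window=timedelta(minutes=10)):
    """Return (ip, first_ts, last_ts, usernames) once a source reaches
    `threshold` failed AUTH attempts inside a sliding `window`; one alert per ip."""
    recent = defaultdict(deque)      # ip -> deque of (ts, user) inside the window
    alerted = set()
    alerts = []
    for rec in parse_log(text):
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        while q and rec["ts"] - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], q[0][0], rec["ts"], sorted({u for _, u in q})))
    return alerts


if __name__ == "__main__":
    for ip, first, last, users in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {len(users)} usernames between {first} and {last}: {users}")
```

The sliding window is what separates a burst of guesses from a user who mistypes a password a few times over an hour; the set of distinct usernames per source is a second signal worth logging, since a legitimate client rarely cycles through accounts.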
Hi ya,
I'm just wondering, what will be the best approach to filter vlan tags when I
have Bro listening on two interfaces, which one needs to have a vlan
filter and the other doesn't?
If I enable "@load vlan" then Bro only monitors traffic on the interface
which needs to have vlan filter.
Here output from info logfile:
pcap bufsize = 4194304
listening on sf5
pcap bufsize = 4194304
listening on sf7
Bro Version: 1.3.2
Started with the following command line options: -W -i sf5 -i sf7 monitor.bro
Capture filter: (vlan) and (((((((((((port ftp) or (port smtp)) or (tcp[13] & 7 != 0)) or (port 111)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port 6666)) or (port telnet or tcp port 513)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (udp port 69)) or (port 6667)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000))
1191794420.634934 received termination signal
949304 packets received on interface sf5, 0 dropped
0 packets received on interface sf7, 0 dropped
As you can see, it hasn't received any packets from sf7 (sf7 = without vlan
tagging).
Kind regards,
--
Robin Gruyters
Network and Security Engineer
YIRDIS - Betronic Services
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190
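The "vlan" keyword in a libpcap filter tells the matcher to decode the frame as 802.1Q tagged, which shifts every later field offset by the four-byte tag; a filter of the form "(vlan) and (...)" therefore matches only tagged frames, and an untagged frame on the second interface is read at the wrong offsets and dropped. The usual libpcap idiom to accept both is "(filter) or (vlan and (filter))". The Python below is an added example, not from the thread, that parses constructed tagged and untagged Ethernet frames and models both filter forms over them; the MAC addresses, VLAN id and function names are my own.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(vlan_id=None, payload=bytes([0x45]) + bytes(19)):
    """Construct an Ethernet frame carrying a minimal IPv4 header, optionally
    with an 802.1Q tag (PCP/DEI zero) between the MACs and the ethertype."""
    dst = bytes.fromhex("001122334455")          # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    frame = dst + src
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, offset of the layer-3 header)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack_from("!H", frame, 14)[0]
        return tci & 0x0FFF, struct.unpack_from("!H", frame, 16)[0], 18
    return None, ethertype, 14


def bpf_vlan(frame: bytes) -> bool:
    """Model the BPF primitive 'vlan': ethertype at offset 12 is 802.1Q."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN


def bpf_ip(frame: bytes, after_vlan: bool = False) -> bool:
    """Model the BPF primitive 'ip': ethertype at offset 12, or at offset 16
    once a preceding 'vlan' keyword has shifted the decode offsets."""
    off = 16 if after_vlan else 12
    return len(frame) >= off + 2 and struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_IPV4


def filter_vlan_and_ip(frame: bytes) -> bool:
    """'(vlan) and (ip)': the shape of the capture filter quoted above."""
    return bpf_vlan(frame) and bpf_ip(frame, after_vlan=True)


def filter_ip_or_vlan_ip(frame: bytes) -> bool:
    """'(ip) or (vlan and ip)': accepts both untagged and tagged IPv4 frames."""
    return bpf_ip(frame) or (bpf_vlan(frame) and bpf_ip(frame, after_vlan=True))


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame()), ("vlan 100", build_frame(100))):
        print(label, parse_frame(frame),
              "vlan-and-ip:", filter_vlan_and_ip(frame),
              "ip-or-vlan-ip:", filter_ip_or_vlan_ip(frame))
```

The same offset shift explains the mirror-image failure: a plain "ip" filter without "vlan" sees ethertype 0x8100 at offset 12 on a tagged frame and rejects it, which is why the combined form is needed when one filter string serves both interfaces.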