zeek October 2007

zeek@lists.zeek.org

27 participants
25 discussions

by Reed Porada

On the Bro wiki it mentions that Bro can be configured to output captured packets that look suspicious. The documentation regarding trace files seems to stop there. I know there is a -w flag, but that seems to be more related to using bro with the -i option, not for getting suspicious traffic. What do I need to do to configure Bro to output a trace file? That would be one additional capability that I would compliment separating out my TG traffic and other traffic mentioned in the 'Question about Bro Capabilities' thread. Thanks, -Reed

13 years

[Bro] http-body and binary content

by Reed Porada

I want to reassemble the http-content for various streams. Right now I have been able to generically reassembled all of the content, but with mixed results. The plaintext content seems to be reassembling fine, however, binary content has had mixed results. I have successfully reassembled several gifs (minus a newline), but others I have not. Looking at the hexdump of the content output, it seems like some gifs are being outputed in ASCII Hex, and others real binary. I then looked at the packet captures, and ethereal is showing the binary of the gifs. The subtle difference that I have noticed is that the successful gifs do not have any "X-..." optional headers in them, whereas those that are failing have had "X-Cache" and "X-Pad" for example. Any thoughts on why Bro changes its output based on the optional headers? Or why it could be sometimes outputting binary and others ASCII Hex? Thanks, -Reed

13 years

[Bro] Bro 1.3.2 failed to start in Leopard

by mel

Hi all, configure, make, make install, and make install-brolite were successful on Leopard 10.5. However, bro failed to start when invoked using the rc script. Running bro from the command line against pcap files was successful. Is there anyway that I can debug this? --mel

13 years

[Bro] signature header

by Research Team

Hi all Can someone help me with this header? header ip[16:4] I don't get it? What does it mean. I have read the manual but was not very helpful Thx Moukala.

13 years, 1 month

[Bro] Sasser Policy?

by Mike Hsiao

Hi, Currently, I'm studying the worm behaviors, such as Blaster, Sasser, ... . And the policy script blaster.bro can detects instances of the W32.Blaster. Is there any policy that can be used for detecting Sasser? Or any other scanning policy can capture the scanning event of Sasser worm? I would like to understand how (or what approaches) Bro to detect Sasser. Any help will be appreciated, thanks. Regards, Mike

13 years, 1 month

[Bro] How to reset value of the timer

by sangramkishore

Hi I have added ADD_ANALYZER_TIMER(&TCP_Analyzer::AckTimer1,tcp_ACK_timeout,0,TIMER_TCP_EXPI RE); in TCP.cc file. AckTimer1 is my own function which executes when ACK doesn't comes within tcp_ACK_timeout (This sets to 6.5 sec). I want to reset the value of tcp_ACK_timeout when Acknowledgment comes. Can you give me solution for this? Bye LS Kishore The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information.

13 years, 1 month

[Bro] Small bug in heavy.http.bro

by Fabian Schneider

Hi, i just found another small bug. in heavy.http.bro: redef http_sessions &write_expire = 5 hours; it should be: redef http_sessions &write_expire = 5 hr; bye Fabian -- Fabian Schneider, An-Institut Deutsche Telekom Laboratories Technische Universit�t Berlin, Fakult�t IV -- Elektrotechnik und Informatik address: Sekr. TEL 4, FG INET, Ernst-Reuter-Platz 7, 10587 Berlin e-mail: fabian(a)net.t-labs.tu-berlin.de, WWW: http://www.net.in.tum.de/~schneifa phone: +49 30 8353 - 58513, mobile: +49 160 479 43 97

13 years, 1 month

[Bro] How to count concurrent connections

by Bernhard Ager

Hi, I am currently trying to count concurrent connections. I'd like to use a script like this: redef ignore_checksums = T; redef capture_filters += { ["tcp-setup"] = "tcp" }; global conncounter_file = open_log_file ("conncounter"); global total_conn_count = 0; global concurrent_conn_count = 0; event connection_established (c: connection) { ++total_conn_count; ++concurrent_conn_count; if (total_conn_count % 1000 == 0) { print conncounter_file, fmt ("%.06f total: %08d max concurrent: %d", network_time(), total_conn_count, concurrent_conn_count); } } event connection_state_removed (c: connection) { --concurrent_conn_count; } However, the numbers I get soon become negative resp. I get a runtime error - counter negative. A quick check showed me that connection_state_removed gets thrown up to four times per connection in only the first few minutes of my trace. I then tried to replace connection_state_removed() with connection_reset() and connection_finished(). However I am not convinced this is enough because even after more then 90 minutes trace time concurrent_conn_count is still increasing significantly (~1300 per minute on a 1 Gig uplink). So my question now is: which events are thrown when exactly? Do I have to track the established connections in the scripting layer? Is there a way to just query for the size of the bro-internal connection tracker? BTW: I am using a header trace. In my opinion this shouldn't make a difference, but maybe ... Thanks for help! Bernhard -- Technische Universität Berlin An-Institut Deutsche Telekom Laboratories FG INET, Research Group Anja Feldmann Sekr. TEL 4 Ernst-Reuter-Platz 7 D-10587 Berlin

13 years, 1 month

[Bro] SMTP Analyzer

by Thorolf

Hello all, since few weeks I'm watching bruteforce attacks on SMTP AUTH. It does looks like this: 2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007) [222.183.149.252]: 535 Incorrect authentication data (set_id=company) 2007-09-30 07:41:11 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=administrator) 2007-09-30 21:26:16 plain_login authenticator failed for (windows) [64.72.227.37]: 535 Incorrect authentication data (set_id="null") Affected box is running exim (just as info). I would like to make bro recognize such attacks, so could someone be so kind and give me some hints where to strart? I have checked out src/SMTP.cc, policy/smtp.bro but it is kind weird. First problem I can't solve "ad hoc" is: 1192050353.634741 #136 xx.xx.33.62/20241 > xx.xx.xx.44/smtp start external 1192050395.930749 #136 error: command mismatch: **(4) [cmd=**, cmd_arg=IQ==, reply=0, reply_arg=, cont_reply=F, log_reply=F](4), AUTH_ANSWER (334 UGFzc3dvcmQ6) 1192050397.092847 #136 error: command mismatch: **(5) [cmd=**, cmd_arg=, reply=0, reply_arg=, cont_reply=F, log_reply=F](5), AUTH_ANSWER (235 Authentication succeeded) 1192050399.164633 #136 finish session does look like this: >> my input << server response SMTP>> EHLO test.pl SMTP<< 250 banner SMTP>> AUTH LOGIN SMTP<< 334 VXNlcm5hbWU6 SMTP>> IQ== SMTP<< 334 UGFzc3dvcmQ6 SMTP>> <simply_enter> SMTP<< 235 Authentication succeeded so commands are in good sequence yet bro does tell me that it is wrong. Where should I start with fixing, I'm familiar with bro language, have wrote many other policies from scratch for our company, but I'm a little bit confused where to start with SMTP. thx and kind regards, Rafal

13 years, 1 month

[Bro] Multi interfaces, one with and one without vlan tagging

by Robin Gruyters

Hi ya, I'm just wondering, what will be the best approch to filter vlan tags when I have Bro listening on two interfaces, which one needs to have a vlan filter and the other doesn't? If I enable "@load vlan" then Bro only monitors traffic on the interface which needs to have vlan filter. Here output from info logfile: pcap bufsize = 4194304 listening on sf5 pcap bufsize = 4194304 listening on sf7 Bro Version: 1.3.2 Started with the following command line options: -W -i sf5 -i sf7 monitor.bro Capture filter: (vlan) and (((((((((((port ftp) or (port smtp)) or (tcp[13] & 7 != 0)) or (port 111)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port 6666)) or (port telnet or tcp port 513)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (udp port 69)) or (port 6667)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) 1191794420.634934 received termination signal 949304 packets received on interface sf5, 0 dropped 0 packets received on interface sf7, 0 dropped As you can see, It hasn't received any packets from sf7. (sf7 = without vlan tagging) Kind regards, -- Robin Gruyters Network and Security Engineer YIRDIS - Betronic Services I: http://yirdis.com I: http://betronic.nl P: +31 (0)20 5659191 F: +31 (0)20 5659190

13 years, 1 month

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek October 2007