Hi,
I am unable to generate daily reports in Bro. It configured and installed
successfully. To which address will it send the reports?
Like in configuring bro
Email addresses for internal reports [bro@localhost]
What type of email address can I provide here?
It went well in every aspect except this. Can you help me with generating
reports?
Thanks & Regards,
Kanthi Myneni.
Hi,
In bro-quick start
http://www.bro-ids.org/Bro-quick-start.pdf
On the 5th page, the link to the tutorial view graph is not working. It might
be helpful for me in a few aspects of setting up Bro.
Thanks & Regards,
Kanthi Myneni.
> You could fake it up using table[string] of XYZ, where XYZ records include
> a string that point back into the table. Not pretty, but seems it should
> work.
(or, slightly easier, a table[count] of XYZ, along with a counter that you
just increment every time you add a new node, which becomes its identifier)
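The table[count] workaround suggested above, written out as a Bro policy script. This is an added example, not code from the thread or from the Bro distribution; the names tree_node, nodes, next_id, add_node, depth and aggregate_up are this example's own. Each node gets a numeric id from a counter and refers to its parent by that id, so no recursive record field is needed.

```bro
# Added example (not from the original thread): a tree of flow aggregates
# stored as table[count] of record, with parent links expressed as ids.

type tree_node: record {
	data: count;
	parent: count;	# id of the parent node; 0 marks a root (ids start at 1)
};

# The tree itself: node id -> node.
global nodes: table[count] of tree_node;
global next_id: count = 0;

# Store a node under a fresh id and hand that id back to the caller.
function add_node(data: count, parent: count): count
	{
	++next_id;
	nodes[next_id] = [$data=data, $parent=parent];
	return next_id;
	}

# Number of edges between a node and its root, found by following parent ids.
function depth(id: count): count
	{
	if ( id == 0 )
		return 0;
	return 1 + depth(nodes[id]$parent);
	}

# Add n to a node and to every ancestor: the per-granularity aggregate
# the tree is there for.  Recursion replaces the parent pointer walk.
function aggregate_up(id: count, n: count)
	{
	if ( id == 0 )
		return;
	nodes[id]$data += n;
	aggregate_up(nodes[id]$parent, n);
	}

event bro_init()
	{
	# Constructed sample tree: a /16 above a /24 above a single host.
	local net16: count = add_node(0, 0);
	local net24: count = add_node(0, net16);
	local host: count = add_node(0, net24);

	# Five flows seen for the host are counted at every level above it.
	aggregate_up(host, 5);
	print fmt("host depth %d, /24 total %d, /16 total %d",
	          depth(host), nodes[net24]$data, nodes[net16]$data);
	}
```

Because ids are plain counts, a node can be removed with `delete nodes[id]` without the cycle problem a self-referencing record would have; the one thing to keep in mind is that 0 is reserved as the "no parent" marker, which is why next_id is incremented before its first use.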
Hello,
I would like to build a tree data structure to track flows at
different aggregate granularities. However, I cannot seem to construct
a recursive record structure.
The following...
type tree_node : record {
data : count;
parent : tree_node;
};
... will lead to...
$ bro tree.bro
./tree.bro, line 3 and ./tree.bro, line 5
(tree_node): error, not a BRO type
... and changing the parent type to 'any' and doing anything w/ the record...
type tree_node : record {
data : count;
parent : any;
};
event bro_init () {
local tn : tree_node;
tn$data = 0;
tn$parent = tn;
}
... will lead to...
$ bro tree.bro
./tree.bro, line 12 (tn$parent = tn): error, type clash in assignment
... because you cannot assign to 'any' type variables, I guess.
So... just wondering if there is some other scheme / mechanism to
build such a tree in Bro, or am I just out-of-luck.
Thanks,
Mike
Hi
I am trying to debug policy files with the -d parameter (version
1.3.2). When I try to enter any debug command ("b
connection_established" in the example), it gets misinterpreted and I
get output similar to this:
root@idsvmifi:/home/irdeto98/bro-1.3.2/out# bin/bro -i eth0 -d brolite
Policy file debugging ON.
listening on eth0
In bro_init() at policy/pcap.bro:99
99 update_default_pcap_filter();
(Bro [0]) b connection_established
Breakpoint 1 set at policy/pcap.bro:99
Ambiguous command; could be
continue
cond
No Matching command for 'nn'.
No Matching command for 'ec'.
No Matching command for 'ti'.
No Matching command for 'on'.
No Matching command for '_e'.
In update_default_pcap_filter() at policy/pcap.bro:86
86 default_pcap_filter = build_default_pcap_filter();
No Matching command for 'ab'.
82 global default_pcap_filter = "<not set>";
83
84 function update_default_pcap_filter()
85 {
86 default_pcap_filter = build_default_pcap_filter();
87
88 if ( ! precompile_pcap_filter(DefaultPcapFilter, default_pcap_filter) )
89 {
90 print fmt("can't compile filter %s", default_pcap_filter);
91 exit();
No Matching command for 'sh'.
No Matching command for 'ed'.
Ambiguous command; could be
help
quit
next
s
c
finish
b
cond
d
clear
dis
enable
ignore
set
where
frame
up
down
info
l
display
undisplay
trace
(Bro [1]) (Bro [2]) (Bro [3]) (Bro [4]) (Bro [5]) (Bro [6]) (Bro [7])
(Bro [8]) (Bro [9]) (Bro [10]) (Bro [11]) (Bro [12]) (Bro [13])
Running on Ubuntu 7.10. Anyone have an idea what is wrong? My
suspicion is something with termcap/ncurses...
Regards - Fabian
Hi,
I started a server on the machine (system 1) where Bro is running. I
tried to access it from another system (system 2).
I observed that it is logged as notice alarm always, like:
t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/blank.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>
t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/folder.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>
Here system 1 is 157.182.235.207 and system 2 is 157.182.235.186
A few questions regarding the above data:
1. On what basis is it logged as notice alarm always?
2. I think t stands for time... can I know in what format it is logged?
3. msg=157.182.235.186\ ->\ 157.182.235.207\ %232: in this message,
what is %232? Is that a session id?
4. I am getting 2 different URLs, like url=/icons/folder.gif and
url=/icons/blank.gif; why is it logging so?
Sorry to take your valuable time.
Thanks & Regards,
Kanthi.
Hi,
To be more specific about specification-based detection: if there is one
specification, "a valid SMTP greeting is no longer than NN bytes long",
we need to know that NN bytes. Similarly, I believe that there are some
specifications built into Bro. Is there any way to know more about those
specifications, like how the threshold is set? Can anyone suggest me any
reference which will help me know more about this stuff?
Thanks & Regards,
Kanthi.
> > already be necessary to define what is the normality from a network
> > point of view, which is normal for then giving alarms on what leaves the
> > framework.
>
> Yes, this is a powerful approach, and one for which Bro is well suited.
> In the research world it's termed specification-based intrusion detection,
> but this hasn't yet caught on as a term in the commercial world.
Let me be a bit more precise. You don't define what is *normal*, but
rather what is *allowed* (including rare-but-okay forms of activity).
So you form a specification of allowed behavior and flag any activity
that doesn't comply with it.
The main drawback of this approach is that it takes considerable manual
effort to form the specifications and keep them up to date. (If instead
you automatically learn the specifications, then you're back to doing
anomaly detection.)
Vern
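One specification of exactly the kind Kanthi asks about and Vern describes, "a valid SMTP greeting is no longer than NN bytes", written as a Bro policy script. This is an added example, not code from the thread or from the Bro distribution. It assumes the Bro 1.x smtp_reply event signature (connection, is_orig, code, cmd, msg, cont_resp); the notice type SMTP_LongGreeting and the constant max_greeting_len are this example's own names, and the NN value is the part a site has to supply and maintain by hand, which is the manual effort Vern refers to.

```bro
# Added example (not from the original thread): flag any SMTP greeting
# that falls outside the specification "at most max_greeting_len bytes".

@load smtp
@load notice

redef enum Notice += {
	SMTP_LongGreeting	# 220 banner longer than the specification allows
};

# This is the "NN" of the specification.  Nothing in the protocol fixes
# it; pick it from what your own servers actually send and adjust via redef.
const max_greeting_len = 512 &redef;

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                 msg: string, cont_resp: bool)
	{
	# Only the server's 220 reply is a greeting; client data and later
	# replies are outside this specification, so they are not examined.
	if ( is_orig || code != 220 )
		return;

	# cont_resp marks continuation lines of a multi-line banner; each
	# line is delivered as its own reply and is checked on its own here.
	if ( byte_len(msg) > max_greeting_len )
		NOTICE([$note=SMTP_LongGreeting, $conn=c,
		        $msg=fmt("%s sent a %d-byte SMTP greeting (limit %d)",
		                 c$id$resp_h, byte_len(msg), max_greeting_len)]);
	}
```

Run it alongside the standard policy, e.g. `bro -i eth0 brolite smtp_greeting.bro` with the script saved under that (assumed) name, and lower or raise max_greeting_len with `redef max_greeting_len = 256;` in a site file rather than editing the script. The point to take from it is the one Vern makes: the script never learns what a greeting usually looks like, it only encodes what is allowed, so a longer banner from a legitimately chatty server is reported until someone updates the specification.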