Have the semantics of the "L" flag in the conn log been changed?
From http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Event…:
Line format:
-----
<start> <duration> <local IP> <remote IP> <service> <local port> \
<remote port> <protocol> <org bytes sent>, <res bytes sent> <state> \
<flags> <tag>
-----
and
-----
L indicates that the connection was initiated locally, i.e., the host corresponding to A_l initiated the connection. If L is missing, then the host corresponding to A_r initiated the connection.
-----
However, this does not seem to agree with what I see in the conn log. When interpreted this way, I see strange stuff like a web server making outbound connections from port 80 to some high numbered port. This is even more confusing when trying to figure out which host is portscanning and which one is being scanned.
The correct line format seems to be <start> <duration> <originating IP> <responding IP> <service> <originating port> <responding port>... Can anyone confirm this?
conn.bro, line 275 suggests that this is the case:
-----
local log_msg =
fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
c$start_time, duration, id$orig_h, id$resp_h, s,
-----
However, I'd like to make sure that it is.
Thanks.
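As an added illustration (not part of the original post or of the Bro distribution), the following Python parser reads conn log lines in the originator/responder field order proposed above and then uses that split to answer the two practical questions the post raises: whether a connection was initiated locally, and which end of a port scan is the scanner. The sample lines and the 10.20.1.0/24 local network are constructed for the example; "?" stands in for an unknown duration or byte count.

```python
# Added example (not from the original post or the Bro project): parse Bro 1.x
# conn log lines in the <orig IP> <resp IP> ... <orig port> <resp port> order
# the post proposes, then use the originator/responder split to decide
# direction and to tally likely scanners.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real log data), field order:
# start duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state [flags] [tag]
SAMPLE_LINES = [
    "1196400000.123456 0.045 10.20.1.5 192.0.2.10 http 51234 80 tcp 312 1450 SF",
    "1196400001.000000 ? 203.0.113.7 10.20.1.5 other 40001 22 tcp ? ? S0",
    "1196400001.010000 ? 203.0.113.7 10.20.1.5 other 40002 23 tcp ? ? S0",
    "1196400001.020000 ? 203.0.113.7 10.20.1.5 other 40003 25 tcp ? ? REJ",
    "1196400002.500000 1.2 10.20.1.5 198.51.100.3 dns 53123 53 udp 60 120 SF",
]

# Assumed local address space for the example (matches the local_nets value used
# elsewhere on this page; adjust to your own site).
LOCAL_NETS = [ipaddress.ip_network("10.20.1.0/24")]


@dataclass
class ConnRecord:
    start: float
    duration: Optional[float]
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: Optional[int]
    resp_bytes: Optional[int]
    state: str
    flags: str = ""
    tag: str = ""


def _opt(tok: str, conv):
    """Convert a numeric token, mapping Bro's '?' placeholder to None."""
    return None if tok == "?" else conv(tok)


def parse_conn_line(line: str) -> ConnRecord:
    """Split one conn log line into a ConnRecord; flags and tag are optional."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"expected at least 11 fields, got {len(f)}: {line!r}")
    return ConnRecord(
        start=float(f[0]), duration=_opt(f[1], float),
        orig_h=f[2], resp_h=f[3], service=f[4],
        orig_p=int(f[5]), resp_p=int(f[6]), proto=f[7],
        orig_bytes=_opt(f[8], int), resp_bytes=_opt(f[9], int),
        state=f[10],
        flags=f[11] if len(f) > 11 else "",
        tag=" ".join(f[12:]),
    )


def initiated_locally(rec: ConnRecord, local_nets) -> bool:
    """Under the originator/responder reading, 'initiated locally' just means
    the originating address lies inside one of the local networks."""
    orig = ipaddress.ip_address(rec.orig_h)
    return any(orig in net for net in local_nets)


def describe(rec: ConnRecord, local_nets) -> str:
    """One-line direction summary, e.g. 'outbound 10.20.1.5:51234 -> 192.0.2.10:80 (http)'."""
    direction = "outbound" if initiated_locally(rec, local_nets) else "inbound"
    return f"{direction} {rec.orig_h}:{rec.orig_p} -> {rec.resp_h}:{rec.resp_p} ({rec.service})"


def scan_candidates(records: List[ConnRecord], min_targets: int = 3) -> Dict[str, int]:
    """Count distinct (responder, responder port) pairs per originator.
    Tallying responder ports per *originator* points at the scanner; reading the
    two address columns as local/remote instead would point at the victim."""
    targets = defaultdict(set)
    for r in records:
        targets[r.orig_h].add((r.resp_h, r.resp_p))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    recs = [parse_conn_line(l) for l in SAMPLE_LINES]
    for r in recs:
        print(describe(r, LOCAL_NETS))
    print("scan candidates:", scan_candidates(recs))
```

Run against the constructed lines, the web request from 10.20.1.5 comes out as outbound from a high port to port 80, and the three short-lived connections from 203.0.113.7 to different ports on 10.20.1.5 identify 203.0.113.7 as the originator of the probing, which is the reading that makes the "server connecting from port 80" oddity disappear.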
Hi!
I used Bro version 1.1.0.
I wrote a policy for dumping data content that is transferred over an unknown
protocol.
And I modified the method NewConn() in the NetSessions class:
if the port value isn't handled, I create an instance of the UnknownConnection class,
which fires events for each request/reply of its connection. These events
are handled in the policy script and write the content to the HDD.
How can I do the same in new versions of Bro?
Best regards,
Anton Korovin
Hi,
is there any implementation of DPD or binpac at kernel level,
for instance in Linux netfilter?
If not, do you have any plans for it?
I think DPD and binpac are excellent implementations, but they currently
depend on Bro IDS. They would be more useful if they could be combined
with kernel-level firewalls, enabling detected packets to be dropped
immediately.
As far as I know, L7-filter <http://l7-filter.sourceforge.net> does
a similar job. It would be interesting if DPD/binpac could be ported to
kernel modules on L7-filter, or something like that.
--
Dongsu Park <dpark1978 at gmail.com>
Hi,
I am trying to run bro on a trace file, specifically on the tcpdump file
provided in the bro workshop.
url
http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1.html
but I was unable to run that; it gives me command not found.
A sample of my output is below.
In the url
http://www.bro-ids.org/bro-workshop-2007/exercises/exercise1-solution.html
they asked to create local.bro.
I created that file.
Then they asked to run some analyzer;
they asked to use setenv and bro -r.
I used them but it gives me command not found.
loud@1006kro:/usr/local/bro$ sudo vim local.bro
loud@1006kro:/usr/local/bro$ ls
archive etc lib logs policy scripts site var
bin include local.bro perl reports share trace1.tcpdump
loud@1006kro:/usr/local/bro$ cat local.bro
redef local_nets: set[subnet] = {
10.20.1.0/24,
};
loud@1006kro:/usr/local/bro$ sudo setenv BROPATH =
/usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
sudo: setenv: command not found
loud@1006kro:/usr/local/bro$ setenv BROPATH =
/usr/local/bro/site/:/usr/local/bro/policy/:/usr/local/bro/policy/sigs
bash: setenv: command not found
loud@1006kro:/usr/local/bro$ bro -r trace1.tcpdump local tcp alarm wierd
bash: bro: command not found
loud@1006kro:/usr/local/bro$
Do those commands depend on the directory I am in?
In which directory do I need to run that command?
Thanks,
KM.
I want to add the IRC analysis to my list of BRO policies. I'm
running heavy-analysis which causes an error when I add irc...
[rreitz@rhyolite ~]$ bro heavy-analysis irc
/usr/local/bro/policy/heavy.irc.bro, line 3 (IRC::irc_users): error,
"redef" used but not previously defined
/usr/local/bro/policy/heavy.irc.bro, line 4 (IRC::irc_channels):
error, "redef" used but not previously defined
I'm using ...
[rreitz@rhyolite ~]$ bro -v
bro version 1.3.2
I can't find the variables 'irc_users' or 'irc_channels' in any
policy. What am I missing?
Thanks,
Randy Reitz
Fermilab
Hi,
Is there anything that calculates an anomaly/alert score in Bro? What are the
cron jobs that are executed when configuring Bro? Do we need to run every
analyzer by hand, or are there any which are run automatically? I
have this doubt because, for generating reports, we need to run the report-generating
file.
Thanks&Regards,
Kanthi Myneni.
Hi all
After having resolved my last problem, I'm already facing a new one. I
am trying to setup Broccoli communication between Bro and the
Timemachine. TM and Bro are running on the same machine and I have
included the "listen-clear" and "time-machine" in my policy, in
tm.conf the bro_connect_str is configured accordingly (see the
attached files). What happens is that I can see in the remote.log that
the TM registers to TimeMachine::command and in Bro's tm.log that it
indeed sends queries over to the TM. If I then look at the TM's
logfile, I see that the query was unsuccessful (0 matches). After a
couple of mismatches it seems that some part of the TM crashes. (i.e.
it still logs that it drops all the packets; no increase in CPU usage
though) The TM can then only be shut down by using kill -9. If I don't
use Broccoli at all and instead manually enter the same queries in the
console (replacing the "query feed" part with "query to_file"),
everything works fine. Does anyone have an idea what could be the
problem here? My guess is that it is something in the TM and not in Bro.
Regards - Fabian
I would like to be able to write nothing but
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count,
                  qclass: count) {
    print fmt("dns: %s", query);
}
in my policy script, and get a print out for every DNS request... but
this dns_request handler does not get called unless I add
@load dns
at the top.
I don't really want all the other stuff that comes with the dns.bro
script. Is there any way around this?
Thanks,
Mike
Thanks for the tip -- I have built my tree as you suggest, storing
nodes in a table and managing the hierarchy simply w/ non-recursive
key references stored in each node.
Now I would like to create a function to walk my tree that takes a
callback function to perform some arbitrary computation on each node
as the tree is traversed. What I'd like is the ability to do the
following:
function callback( i : count ) {
    print fmt("i: %d", i);
}
function caller( f : function(j:count) ) {
    f(13);
}
event bro_init() {
    caller( callback );
}
... but as you will see, lots of type clashing errors are generated
for this code. I have had success defining a global variable for the
callback function and using 'redef' to change its value, but that will
only allow one value for the callback per bro invocation.
AHA! While writing this message, I have discovered the problem -- the
function callback signature and its corresponding function argument
signatures must match *exactly* -- including the argument names. In
the above case, the "i" and "j" cannot be different, they must be the
same. The corrected version of the above would be
function callback( i : count ) {
    print fmt("i: %d", i);
}
function caller( f : function(i:count) ) {
    f(13);
}
event bro_init() {
    caller( callback );
}
... which prints "i: 13" to stdout. Like I said in the subject, just an FYI.
Thanks,
Mike
On 11/30/07, Vern Paxson <vern(a)icir.org> wrote:
> > You could fake it up using table[string] of XYZ, where XYZ records include
> > a string that point back into the table. Not pretty, but seems it should
> > work.
>
> (or, slightly easier, a table[count] of XYZ, along with a counter that you
> just increment every time you add a new node, which becomes its identifier)
>