Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
It's been a couple weeks since I had a problem, so now I've got two. :)
1) hex-string to addr type conversion
I've got a udp packet that contains an IP address in the packet
contents[*]. I can easily grab it with sub_bytes() and end up with a
string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr
so I can do comparisons easily. After looking through the *.bif.bro
files for conversion functions I'm stuck. There's to_addr(), but the
string would need to actually be the IP address and not a hex
representation.
2) table of set initialization (curiosity)
I have something like this that works:
global myset: set[addr] = {192.168.1.1};
global mytable: table[string] of set[addr] = {
["blaa"] = myset,
};
When I try to combine that into one it breaks:
global mytable: table[string] of set[addr] = {
["blaa"] = 192.168.1.1,
};
bad tag in Val::CONVERTER (addr/table)
I read somewhere that 'bad tag' is an internal error and I should never
see it. I saw it. :)
-Mike
[*] -- It's a klog request for afs-kaserver3 through kaforwarder and
fakeka. So the originating requester's IP is stored in the epoch time
field of the RX packet. Whee!
[**] -- 141.142.222.33
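An added example, not part of Mike's message and not Bro code: the conversion he is after is just "read four raw bytes as a network-order integer and treat that as an IPv4 address", shown here in Python with the exact string from the post. The payload layout, field offset and watchlist are constructed for the example (the kaserver packet format is not described on the page), and the helper names are this example's own. Current Zeek ships a built-in `raw_bytes_to_v4_addr()` for this job; the example shows what that function has to do, including the byte-order pitfall and the truncated-payload check.

```python
"""Decode an IPv4 address carried as raw bytes inside packet contents."""
from __future__ import annotations

import ipaddress
import struct
from typing import Iterable, Union

# Constructed sample: the 4-byte string from the post, exactly as Bro's
# sub_bytes() would hand it back. b"!" is 0x21 == 33, so this is 141.142.222.33.
RAW_V4 = b"\x8d\x8e\xde!"

# Constructed UDP payload: 8 bytes of header-ish padding, then the field that
# carries the requester's address, then trailing bytes. The offset 8 is an
# assumption for this example, not the real RX packet layout.
SAMPLE_PAYLOAD = b"\x00" * 8 + RAW_V4 + b"\xff" * 4
ADDR_FIELD_OFFSET = 8
ADDR_FIELD_LEN = 4

# Constructed watchlist of networks an analyst might compare against.
WATCHLIST = [ipaddress.ip_network("141.142.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def raw_bytes_to_v4_addr(raw: bytes) -> ipaddress.IPv4Address:
    """Interpret exactly four raw bytes as a network-order (big-endian) IPv4 address.

    Addresses on the wire are big-endian. Unpacking with "<I" by mistake would
    turn the sample above into 33.222.142.141, so the byte order is explicit.
    """
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes for IPv4, got {len(raw)}")
    (as_int,) = struct.unpack("!I", raw)
    return ipaddress.IPv4Address(as_int)


def raw_bytes_to_addr(raw: bytes) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Generalisation of the above: 4 bytes -> IPv4, 16 bytes -> IPv6, else reject."""
    if len(raw) == 4:
        return raw_bytes_to_v4_addr(raw)
    if len(raw) == 16:
        return ipaddress.IPv6Address(raw)  # IPv6Address accepts 16 packed bytes
    raise ValueError(f"not an IPv4 or IPv6 address: {len(raw)} bytes")


def field_from_payload(payload: bytes, offset: int, length: int) -> bytes:
    """Mirror of sub_bytes(): slice a fixed-position field out of a payload.

    Refuses to return a short field when the payload is truncated, which a
    plain slice would silently do.
    """
    field = payload[offset:offset + length]
    if len(field) != length:
        raise ValueError("payload too short for the requested field")
    return field


def requester_addr(payload: bytes) -> ipaddress.IPv4Address:
    """Extract the embedded address from a constructed payload and decode it."""
    return raw_bytes_to_v4_addr(field_from_payload(payload, ADDR_FIELD_OFFSET, ADDR_FIELD_LEN))


def addr_in_watchlist(raw: bytes, watchlist: Iterable[ipaddress.IPv4Network]) -> bool:
    """The comparison step: once decoded, membership in a network is a plain test."""
    addr = raw_bytes_to_addr(raw)
    return any(addr in net for net in watchlist)


if __name__ == "__main__":
    print(requester_addr(SAMPLE_PAYLOAD))            # 141.142.222.33
    print(addr_in_watchlist(RAW_V4, WATCHLIST))      # True
```

The two checks that matter in practice are the explicit byte order and the length check on the sliced field: a truncated datagram would otherwise decode to a wrong but plausible-looking address.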
Hi,
I need to use two-dimensional (2D) arrays and for loops in one of my policy
scripts. Could someone please clarify the following questions for me?
1. I am thinking of implementing 2D arrays as a table of tables. Is this the
best way of doing this? Is "array[][]" in C equivalent to "global array:
table[count] of table[count] of count" in Bro? Can I access an element of
this array as array[index1][index2]? Also, is there a short-hand notation for
initializing all the elements of the 2D array to 0?
2. The reference manual mentions that Bro lacks ways of controlling the
order in which it iterates over the indices in a for loop. I need to iterate
over a for loop in order. What is the best way of doing this?
Thanks and Regards,
Abhinay
Hi,
I was trying to use the FTP analyzer in bro 1.2 to analyze
FTP packets. We were trying to do some tcpreplays with some
captured pcaps. We have some FTP pcaps that do not have any
TCP handshake packets. On replaying these packets it is
observed that the signature matching for TCP is not getting invoked (i.e. signatures with ip-proto == tcp).
It looks like the rulematcher of TCP is not getting called. Is
there any way we can invoke the TCP rulematcher for a set of TCP
application packets which don't have any handshake packets?
Thanks
Bindiya
made for 4.0! will fail on current...
http://secure.lv/~nikns/stuff/ports/bro-1.2.1.tar
comments:
1) for the bpf_timeval issue I would recommend defining a struct
pcap_timeval with 32-bit tv elements for portability;
take a look at the patches in the port.
2) nonblocking dns (ports/net/libbind) works fine with openbsd,
except it throws an ugly warning about libc and libbind conflicting
symbols. I hope it will get fixed in -current soon.
renaming conflicting symbols helps:
http://secure.lv/~nikns/stuff/ports/libbind-9.3.2p1.diff
3) If building with libbind, then aux/broccoli/test/broping.o
wants linking against -lbind...
4) Including net/ethertypes.h in ARP.h is trivial...
5) There should be a possibility to avoid picking up libclamav
or libmagic, for example with --without-... configure options...
if there are any issues with this port [except the libbind warnings],
please contact me, so I can fix them in the port...
List,
Thought this might be helpful to the people working on getting bro
1.2.x working on the OpenBSD 4.0 platform.
A big thanks to JP for the help and patience...
Step 1 - copy the attached configure.in file into the "bro-1.2.x" directory
Step 2 - patch the source with the attached patch or copy the attached *.cc
and *.h files into the "src" directory
Step 3 - run "autoconf-version-number" (for example autoconf-2.60) from the
"bro-1.2.x" directory and then run "./configure --with-your-options"
Step 4 - add "-lm" to the end of the "LIBS=" line in the Makefile in the
src directory. This fixes the "strlcpy vs strcpy" error on OpenBSD.
Let me know if this doesn't work.
Jake
Bro users and developers,
We have modified our notice action filters; some notices/alerts get sent
via email (while others only get logged to file_notice).
A small snippet:
redef notice_action_filters += {
[[AddressScan, PortScan, PasswordGuessing ]] = send_email_notice,
};
redef notice_action_filters += {
[[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound ]] =
file_notice,
};
My question is: Is it easily possible to place additional information in
the email notices themselves?
For example, an AddressScan mail might simply say, "10.11.12.13 has
scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
("grep time" if you will) if the mail included the hosts which were
considered scanned by Bro.
Thanks,
Matt Cuttler
Hello,
I'm using bro to analyze ftp sessions and I want to identify ftp data connections.
If the ftp session is in active mode, there is no line in the ftp log file
indicating an ftp data connection, whereas there is one in the connection
log file.
In passive mode, instead, there are lines in both the ftp log file and the
connection log file.
Are there any instructions that must be enabled to print information
about data connections in the ftp log file?
Thanks
Christian Novello
Hi guys,
I am trying to integrate the GRE protocol in BRO. When I tried
adding a pcap filter for the protocol, by adding the following
line to the bro file in the site directory,
redef capture_filters = { ["tcp"]= "tcp", ["udp"] = "udp", ["icmp"] = "icmp", ["gre"] = "gre" };
it is giving the following run-time error.
line 1: run-time error: precompile_pcap_filter: pcap_compile((((gre) or (udp)) or (tcp)) or (icmp)): parse error
can't compile filter (((gre) or (udp)) or (tcp)) or (icmp)
When using 1.1, I was able to use an empty capture filter, by adding the following line to the hostname.bro file,
redef capture_filters = { };
and get all the packets captured. The same is not working for
1.2 version.
Somebody please help me out.
Thanks,
Bindiya V S
Sorry for a deviating question.
I am wondering if anybody here worked with some existing network traffic
traces and might provide some help.
+ Recently, I went through repositories like NLANR, LBL's and Auckland
to get some statistics. Somehow, the Auckland trace is very strange.
For example, Bro returns nothing about connection statistics (using
"conn" policy file). I checked again with Ethereal and found that in
every connection reported by Ethereal, there's only one flow (the other
direction is completely missing: 0 packets, 0 bytes). Another tool
returns the same result.
Does anybody here know why?
+ I wonder if there is any mailing list/ group dedicated to this topic
(something like this list).
Any tip will be very much appreciated.
Thanks and best regards,
Duc