zeek March 2007

zeek@lists.zeek.org

25 participants
27 discussions

by Mike Muratet

Greetings I am integrating bro into a larger system so that I can use it to keep track of connections (which seems easier than trying to write a method from scratch with pcap). I thought it would be straightforward to grep for print or email or alarm statements to figure out where to put the hooks for an IPC message but so far it eludes me. Is there a principal module for outputting the notifications? Thanks Mike

13 years, 5 months

[Bro] Type conversion and table initialization

by Mike Dopheide

It's been a couple weeks since I had a problem, so now I've got two. :) 1) hex-string to addr type conversion I've got a udp packet that contains an IP address in the packet contents[*]. I can easily grab it with sub_bytes() and end up with a string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr so I can do comparisons easily. After looking though the *.bif.bro files for conversion functions I'm stuck. There's to_addr(), but the string would need to actually be the IP address and not a hex representation. 2) table of set initialization (curiosity) I have something like this that works: global myset: set[addr] = {192.168.1.1}; global mytable: table[string] of set[addr] = { ["blaa"] = myset, }; When I try to combine that into one it breaks: global mytable: table[string] of set[addr] = { ["blaa"] = 192.168.1.1, }; bad tag in Val::CONVERTER (addr/table) I read somewhere that 'bad tag' is an internal error and I should never see it. I saw it. :) -Mike [*] -- It's a klog request for afs-kaserver3 through kaforwarder and fakeka. So the originating requester's IP is stored in the epoch time field of the RX packet. Whee! [**] -- 141.142.222.33

13 years, 6 months

[Bro] Using Broccoli to config Bro agents remotely

by Nguoi Khong Mang Ho

Hi all, Do you ever use Broccoli to config, register or implement your own event handlers on remote Bro agents from the central one? Is there any docs or experiences on doing that? Thanks, Bach Hai Duong

13 years, 9 months

[Bro] error compiling pattern: ver. 1.2.1

by Aashish Sharma

Hello All: Just downloaded the latest bro development release version 1.2.1 and I am seeing the following errors when I run bro : /usr/local/bro/policy/http-request.bro, line 34: run-time error: error compiling pattern /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/ /usr/local/bro/policy/http-request.bro, line 42: run-time error: error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/ /usr/local/bro/policy/http-request.bro, line 48: run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/ /usr/local/bro/policy/http-request.bro, line 50: run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/ /usr/local/bro/policy/http-reply.bro, line 111: run-time error: error compiling pattern /^?.*(^ )/ /usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/ /usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/ /usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/ /usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/ /usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/ /usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/ /usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/ /usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/ /usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/ /usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/ /usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/ /usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/ /usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/ /usr/local/bro/policy/portmapper.bro, line 310: run-time error: error compiling pattern /^?.*(^\[)/ /usr/local/bro/policy/portmapper.bro, line 311: run-time error: error compiling pattern /^?.*(\]$)/ /usr/local/bro/policy/login.bro, line 66: run-time error: error compiling pattern /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[ \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[ \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[ \t]+secure)))|(^?.*(cd[ \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[ \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[ \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[ \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/ /usr/local/bro/policy/login.bro, line 72: run-time error: error compiling pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/ /usr/local/bro/policy/login.bro, line 75: run-time error: error compiling pattern /^?.*(No such file or directory)/ /usr/local/bro/policy/login.bro, line 84: run-time error: error compiling pattern /^?.*(.*loadmodule.*)/ /usr/local/bro/policy/login.bro, line 138: run-time error: error compiling pattern /(((((((((((((((((((((((((((((((((((((((((((((((((^?.*(^-r.s.*root.*\/bin\/(sh|csh|tcsh)))|(^?.*(Jumping to address)))|(^?.*(Jumping Address)))|(^?.*(smashdu\.c)))|(^?.*(PATH_UTMP)))|(^?.*(Log started at =)))|(^?.*(www\.anticode\.com)))|(^?.*(www\.uberhax0r\.net)))|(^?.*(smurf\.c by TFreak)))|(^?.*(Super Linux Xploit)))|(^?.*(^# \[root(a))))|(^?.*(^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh))))|(^?.*(invisibleX)))|(^?.*(PATH_(UTMP|WTMP|LASTLOG))))|(^?.*([0-9]{5,} bytes from)))|(^?.*((PATH|STAT):\ .*=>)))|(^?.*(----- \[(FIN|RST|DATA LIMIT|Timed Out)\])))|(^?.*(IDLE TIMEOUT)))|(^?.*(DATA LIMIT)))|(^?.*(-- TCP\/IP LOG --)))|(^?.*(STAT: (FIN|TIMED_OUT) )))|(^?.*((shell|xploit)_code)))|(^?.*(execshell)))|(^?.*(x86_bsd_compaexec)))|(^?.*(\\xbf\\xee\\xee\\xee\\x08\\xb8)))|(^?.*(Coded by James Seter)))|(^?.*(Irc Proxy v)))|(^?.*(Daemon port\.\.\.\.)))|(^?.*(BOT_VERSION)))|(^?.*(NICKCRYPT)))|(^?.*(\/etc\/\.core)))|(^?.*(exec.*\/bin\/newgrp)))|(^?.*(deadcafe)))|(^?.*([ \/]snap\.sh)))|(^?.*(Secure atime,ctime,mtime)))|(^?.*(Can\'t fix checksum)))|(^?.*(Promisc Dectection)))|(^?.*(ADMsn0ofID)))|(^?.*((cd \/; uname -a; pwd; id))))|(^?.*(drw0rm)))|(^?.*([Rr][Ee3][Ww][Tt][Ee3][Dd])))|(^?.*(rpc\.sadmin)))|(^?.*(AbraxaS)))|(^?.*(\[target\])))|(^?.*(ID_SENDSYN)))|(^?.*(ID_DISTROIT)))|(^?.*(by Mixter)))|(^?.*(rap(e?)ing.*using weapons)))|(^?.*(spsiod)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD]))/ /usr/local/bro/policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/ /usr/local/bro/policy/login.bro, line 147: run-time error: error compiling pattern /((^?.*(^[!-~]*( ?)[#%$] ))|(^?.*(.*no job control)))|(^?.*(WinGate>))/ /usr/local/bro/policy/login.bro, line 149: run-time error: error compiling pattern /^?.*(^ *#.*#)/ /usr/local/bro/policy/login.bro, line 151: run-time error: error compiling pattern /^?.*(VT666|007)/ /usr/local/bro/policy/irc.bro, line 60: run-time error: error compiling pattern /(((^?.*(.*etc\/shadow.*))|(^?.*(.*etc\/ldap.secret.*)))|(^?.*(.*phatbot.*)))|(^?.*(.*botnet.*))/ /usr/local/bro/policy/irc.bro, line 171: run-time error: error compiling pattern /^?.*(.*:$)/ /usr/local/bro/policy/stepping.bro, line 75: run-time error: error compiling pattern /(^?.*(^([Ll]ast +(successful)? *login)))|(^?.*(^Last interactive login))/ /usr/local/bro/policy/stepping.bro, line 78: run-time error: error compiling pattern /^?.*(\001)/ /usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/ /usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/ /usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/ /usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/ /usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/ /usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/ /usr/local/bro/policy/notice-policy.bro, line 58: run-time error: error compiling pattern /^?.*(Solaris listen service)/ /usr/local/bro/policy/notice-policy.bro, line 67: run-time error: error compiling pattern /^?.*(.*\.(gif|GIF|png|PNG|jpg|JPG))/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /(^?.*(^?(.*exe)$?))|(^?.*((((^?(.*etc\/shadow.*)$?)|(^?(.*etc\/ldap.secret.*)$?))|(^?(.*phatbot.*)$?))|(^?(.*botnet.*)$?)))/ pcap bufsize = 8192 listening on eth2 pcap bufsize = 8192 listening on eth3 Bro Version: 1.2.1 Started with the following command line options: -W -i eth2 -i eth3 fog.ncsa.uiuc.edu.bro Capture filter: ((((((((((port 6667) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (port 6666)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port telnet or tcp port 513)) or (udp port 69)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000)) or (port smtp)) or (tcp[13] & 7 != 0)) or (port ftp)) or (port 111) Aashish

13 years, 10 months

[Bro] switched to exim

by David Caldwell

Someone updated a few things on the bro machine and changed over the MTA from sendmail to exim. What needs to be done to get BRO working again here? What config script do I need to run to set BRo up to work through exim? David Caldwell Colsa/HMT

13 years, 10 months

[Bro] Query about IPROTO

by Bindiya V S

Hi, I was experimenting on BRO 1.2 version. I could see that the value of IPPROTO_ICMP defined in bro.init. But it looks like the source files (eg. Discard.cc) are taking the value from the system file /usr/include/netinet/in.h. Is it supposed to work this way? or am I hitting on a bug? Regards, Bindiya

13 years, 10 months

[Bro] ContentGap problem in offline traces

by Thomas, Eric D.

Hi, I have an HTTP trace where I downloaded a 20 meg executable (no encoding). The trace was created by tcpdump, not bro. It was suggested in the archives that if one gets a lot of ContentGap errors when processing a trace off-line it is likely because there are missing packets in the trace. I'm sure my trace has all of the packets because if I run tcpflow on the trace and remove all of the HTTP headers from the larger of the two resulting files, I get a file that is the same size as the executable I downloaded. When I process the trace offline with bro (I have a custom policy that writes the HTTP data out using the http_entity_data event) I get a lot of ContentGap errors. The size of the written file is smaller than the size of the executable. When I add up all of the missing bytes reported by the many ContentGap notices, the sum is exactly the difference between the size (in bytes) of the executable and the size of the written file. Therefore, I assume that Bro is not passing the "missing" data to the http_entity_data handler. When all of the packets are in the trace and my filter (according to print-filter) is "tcp or icmp or udp", what else is a common cause of the ContentGap notice? Is there some tweak that I need to make to account for larger gaps/windows? Eric Thomas edthoma [you know what to do] sandia.gov

13 years, 10 months

[Bro] Regarding signatures

by Ayyappa Suryanarayana T

Hi all, I am having trouble matching same signature for packets in different connections,its matching one connection but its not matching for another connection but the packets have same payload. The signature that is to be matched is the following: signature gtalk_test { event "gtalk test received" payload /\x17\x03\x01/ } I tried the following signature also signature gtalk_one { event "gtalk one received" payload /.{0,0}\x17/ payload /.{1,1}\x03/ payload /.{2,2}\x00/ } The pcap that is not matching is attached along with this mail. can any one help me to know how the signature matching happens in bro-1.2.1 Thanks Ayyappa

13 years, 10 months

[Bro] Why do I get duplicate new_connection event?

by miles grun

Hi, I am quite new in Bro. I have been experimenting with it for a couple of days by now, and couldn't figure out the reason for the problem below (I went through the archives as much as I can but nothing popped up). I am running the following simple bro script on the test data using the steps below: $cat a.bro @load weird event new_connection(c: connection) { print fmt("new connection=%s",c); } $tcpdump -r test.1 -n -tt reading from file test.1, link-type EN10MB (Ethernet) 1007672739.741946 IP 190.84.172.89.2278 > 222.37.1.55.80: S 3585205640:3585205640(0) win 5840 <mss 1460,sackOK,timestamp 4795498 0,nop,wscale 0> 1007672740.081079 IP 222.37.1.55.80 > 190.84.172.89.2278: S 3552369456:3552369456(0) ack 3585205641 win 1460 <mss 1460,sackOK,timestamp 658637388 4795498,nop,wscale 0> 1007672740.083354 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 1 win 5840 <nop,nop,timestamp 4795532 658637388> 1007672740.090794 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1:626(625) ack 1 win 5840 <nop,nop,timestamp 4795532 658637388> 1007672740.443563 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 626 win 31856 <nop,nop,timestamp 658637423 4795532> 1007672743.331707 IP 222.37.1.55.80 > 190.84.172.89.2278: P 1:206(205) ack 626 win 31856 <nop,nop,timestamp 658637723 4795532> 1007672743.334165 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 206 win 6432 <nop,nop,timestamp 4795857 658637723> 1007672743.478567 IP 190.84.172.89.2278 > 222.37.1.55.80: P 626:1262(636) ack 206 win 6432 <nop,nop,timestamp 4795871 658637723> 1007672743.692464 IP 222.37.1.55.80 > 190.84.172.89.2278: P 206:410(204) ack 1262 win 31856 <nop,nop,timestamp 658637762 4795871> 1007672743.694853 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 410 win 7504 <nop,nop,timestamp 4795893 658637762> 1007672743.838441 IP 190.84.172.89.2278 > 222.37.1.55.80: P 1262:1895(633) ack 410 win 7504 <nop,nop,timestamp 4795907 658637762> 1007672744.048642 IP 222.37.1.55.80 > 190.84.172.89.2278: P 410:614(204) ack 1895 win 31856 <nop,nop,timestamp 658637799 4795907> 1007672744.051076 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 614 win 8576 <nop,nop,timestamp 4795929 658637799> 1007672751.518485 IP 190.84.172.89.2278 > 222.37.1.55.80: F 1895:1895(0) ack 614 win 8576 <nop,nop,timestamp 4796676 658637799> 1007672751.835071 IP 222.37.1.55.80 > 190.84.172.89.2278: . ack 1896 win 31856 <nop,nop,timestamp 658638566 4796676> 1007672751.835299 IP 222.37.1.55.80 > 190.84.172.89.2278: F 614:614(0) ack 1896 win 31856 <nop,nop,timestamp 658638566 4796676> 1007672751.839189 IP 190.84.172.89.2278 > 222.37.1.55.80: . ack 615 win 8576 <nop,nop,timestamp 4796708 658638566> $bro -r test.1 ./a.bro new connection=[id=[orig_h=190.84.172.89, orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=1007672739.74195, duration=0.0, service=, addl=cc=1, hot=0, history=] (I REMOVED HTTP CONTENT GAP EVENTS FOR CONCISENESS) new connection=[id=[orig_h=190.84.172.89, orig_p=2278/tcp, resp_h=222.37.1.55, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=0], start_time=1007672751.83919, duration=0.0, service=, addl=, hot=0, history=] $ From the timestamp, it looks to me that the second new connection is triggered by the last ACK. But this ACK is the ACK of the FIN packet from server, so we should not receive a second new_connection event. Is there anything I am missing here, or is it the expected behavior? Note: I am using bro-1.2.1 and did not change anything in the policy directory. Thanks for all your time, ____________________________________________________________________________________ Finding fabulous fares is fun. Let Yahoo! FareChase search your favorite travel sites to find flight and hotel bargains. http://farechase.yahoo.com/promo-generic-14795097

13 years, 10 months

[Bro] Re： How does Bro capture the traffic of ftp data connection ?

by Yongping Xiong

sorry,there're something wrong with my mailer this morning. Thank you for your answer How does bro be aware of the close of ftp data connection if she can't capture the corresponding tcp session packet? via the interactive info appeared in the ftp control connection? And ，To dynamically capture some certain traffic without including all packet, it feels feasible to create a new thread/process to run another bro to capture and analyze，but is this process so long as to miss some packets in that certain session? On Thu, Mar 15, 2007 at 12:01 +0800, you wrote: > So how does it dynamically add the filter string to capture the > temporary traffic? It doesn't. Dynamically changing the BPF filter is too expensive as it would need to be recompiled every time (and the filter would quickly get huge). If you want Bro to analyze the content of ftp-data sessions, you need to manually override the pcap filter to include all packets, e.g., by running with "-f tcp". Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin(a)icir.org LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org

13 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2007