Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
It's been a couple weeks since I had a problem, so now I've got two. :)
1) hex-string to addr type conversion
I've got a udp packet that contains an IP address in the packet
contents[*]. I can easily grab it with sub_bytes() and end up with a
string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr
so I can do comparisons easily. After looking through the *.bif.bro
files for conversion functions I'm stuck. There's to_addr(), but the
string would need to actually be the IP address and not a hex
representation.
2) table of set initialization (curiosity)
I have something like this that works:
global myset: set[addr] = {192.168.1.1};
global mytable: table[string] of set[addr] = {
["blaa"] = myset,
};
When I try to combine that into one it breaks:
global mytable: table[string] of set[addr] = {
["blaa"] = 192.168.1.1,
};
bad tag in Val::CONVERTER (addr/table)
I read somewhere that 'bad tag' is an internal error and I should never
see it. I saw it. :)
-Mike
[*] -- It's a klog request for afs-kaserver3 through kaforwarder and
fakeka. So the originating requester's IP is stored in the epoch time
field of the RX packet. Whee!
[**] -- 141.142.222.33
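As an added example (mine, not code from the thread or from Bro itself), here is the conversion the post asks for, done in Python rather than Bro script: four raw payload bytes are interpreted as a packed IPv4 address, pulled out of a payload at an offset, and then compared against a name-to-address-set mapping that mirrors the `table[string] of set[addr]` above. The payload layout, the offset `ADDR_OFFSET`, the group name `kaserver-clients` and all addresses other than 141.142.222.33 are constructed for the example and are not from the original messages.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample (not from the original post's capture): the four raw
# bytes the post describes, "\x8d\x8e\xde!", are 141.142.222.33 in network
# byte order.
SAMPLE_RAW = b"\x8d\x8e\xde!"

# Hypothetical offset of the address inside the UDP payload. The real RX
# header layout is not given on this page, so this is only an assumption.
ADDR_OFFSET = 4

# A constructed UDP payload with the address embedded at ADDR_OFFSET.
SAMPLE_PAYLOAD = b"\x00\x00\x00\x01" + SAMPLE_RAW + b"\x00" * 8


def raw_bytes_to_addr(raw: bytes) -> ipaddress.IPv4Address:
    """Turn 4 raw big-endian bytes into an IPv4 address object.

    This is the "hex string" -> addr step from the post: the bytes are the
    packed address itself, not its dotted-quad text, so to_addr()-style
    text parsing is the wrong tool.
    """
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}")
    return ipaddress.IPv4Address(raw)


def extract_addr(payload: bytes, offset: int) -> ipaddress.IPv4Address:
    """Pull the embedded address out of a payload, bounds-checked so a
    truncated datagram raises instead of yielding garbage."""
    if offset < 0 or offset + 4 > len(payload):
        raise ValueError("payload too short for an address at that offset")
    return raw_bytes_to_addr(payload[offset:offset + 4])


# Mirrors the table[string] of set[addr] from the post: a named group
# mapped to the set of addresses that belong to it.
Watchlist = Dict[str, Set[ipaddress.IPv4Address]]

# Constructed sample watchlist; group names and addresses are made up.
SAMPLE_WATCHLIST: Watchlist = {
    "blaa": {ipaddress.IPv4Address("192.168.1.1")},
    "kaserver-clients": {ipaddress.IPv4Address("141.142.222.33")},
}


def groups_containing(addr: ipaddress.IPv4Address,
                      watch: Watchlist) -> Set[str]:
    """Return the names of every group whose address set contains addr.

    Comparing ipaddress objects (rather than strings) is what makes the
    lookup exact regardless of how the address was originally spelled.
    """
    return {name for name, addrs in watch.items() if addr in addrs}


if __name__ == "__main__":
    found = extract_addr(SAMPLE_PAYLOAD, ADDR_OFFSET)
    print(found, groups_containing(found, SAMPLE_WATCHLIST))
```

Later Zeek releases expose this same conversion as the `raw_bytes_to_v4_addr()` built-in, which takes the packed bytes directly and returns an `addr`.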
We have bro configured to span a firewall, so we are watching the
outside traffic, both inbound and outbound, as well as the internal
interface both in and out. We're doing this as a sanity check to
verify, when attacks occur, whether they penetrate and are successful.
One thing that I'm seeing is that, for example, we can see successful
triggers like IRC nickname changes occur with the server & outside
IP address, but we don't see an equivalent trigger on the internal
interface.
Consider the following alarm:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS
sa=A.B.C.D sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10
msg=A.B.C.D:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29
where A.B.C.D is one of the outside IPs associated with either the
NAT or PAT range on our firewall. Should I also not see an equivalent
trigger like:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS
sa=192.168.x.x sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10
msg=192.168.x.x:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J
tag=@29
where the source is the IP of the internal machine? If not, is there
any way we can configure bro to show those internal entries, since it
will help us find machines that are acting in a naughty manner.
Thanks,
-Eric
Eric Wages
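As an added example (mine, not part of the thread and not Bro code), the following Python parses notice lines in the key=value format shown above, where a backslash-escaped space inside a value (as in `msg=` and `sub=`) must not be treated as a field boundary, and then pairs a notice seen on the outside interface with the matching notice from the inside interface to map the NAT'd outside address back to the internal host. The sample notices are constructed: the addresses 203.0.113.10, 198.51.100.7 and 192.168.5.25 and the one-second timestamp window are assumptions for the example, not values from the original alarms.

```python
import re
from typing import Dict, List

# Constructed sample notices in the key=value format shown in the post.
# The addresses are documentation/private ranges chosen for the example.
OUTSIDE_NOTICES = [
    "t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=203.0.113.10 sp=1145/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 "
    "msg=203.0.113.10:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ Homerpf|CHAMP^J tag=@29",
]
INSIDE_NOTICES = [
    "t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=192.168.5.25 sp=1145/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 "
    "msg=192.168.5.25:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ Homerpf|CHAMP^J tag=@29",
]

# One field is a run of either escaped characters ("\ " etc.) or
# characters that are neither whitespace nor a backslash.
_TOKEN = re.compile(r"(?:\\.|[^\s\\])+")


def _unescape(value: str) -> str:
    """Drop the backslashes that protect spaces and other chars in values."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_notice(line: str) -> Dict[str, str]:
    """Split one notice line into a key -> value dict.

    Fields are separated by unescaped whitespace; a "\\ " inside a value is
    a literal space, so splitting naively on spaces would break msg= and
    sub= into several bogus fields.
    """
    fields: Dict[str, str] = {}
    for token in _TOKEN.findall(line):
        if "=" not in token:
            raise ValueError(f"malformed field: {token!r}")
        key, value = token.split("=", 1)
        fields[key] = _unescape(value)
    return fields


def correlate(outside: List[str], inside: List[str],
              window: float = 1.0) -> Dict[str, str]:
    """Map each outside (NAT'd) source address to the internal host that
    raised the same notice on the inside interface.

    Two notices pair up when notice type, responder address/port and the
    signature sub-string agree and their timestamps lie within `window`
    seconds. The source port is deliberately left out of the key: with PAT
    the firewall rewrites it on the outside leg, so it need not match.
    """
    inside_parsed = [parse_notice(line) for line in inside]
    mapping: Dict[str, str] = {}
    for line in outside:
        o = parse_notice(line)
        for i in inside_parsed:
            same_notice = (
                (o["no"], o["da"], o["dp"], o["sub"])
                == (i["no"], i["da"], i["dp"], i["sub"])
            )
            if same_notice and abs(float(o["t"]) - float(i["t"])) <= window:
                mapping[o["sa"]] = i["sa"]
                break
    return mapping


if __name__ == "__main__":
    print(correlate(OUTSIDE_NOTICES, INSIDE_NOTICES))
```

This only works if Bro is actually producing the inside-interface notice; if it is not, the correlation returns an empty mapping, which is itself a useful signal that the internal tap is not seeing (or not alarming on) the same session.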
Hi,
This includes the patch I sent yesterday, and a new fix to solve a
problem of dependency issue in Type::Prepare.
BTW, is there a CVS/SVN tree to track the latest code? It will
make patching easier.
Cheers,
Jimmy
____________________________________________________________
The future is not set. There is no fate but what we make
for ourselves. - Terminator II, Judgment Day
------------------------------------------------------------
Bro Gurus,
I'm trying to make Bro run multi-threaded... so wanted to ask if you
guys have any experience with that. First of all, is Bro written to be
multi-threaded? If not, can you guys point me to the places which
would need some work to make it multi-threaded. Apparently with the
complex interplay of data structures, it is hard to find those. I have
fixed one such place in Type.cc in:
BroType* base_type(TypeTag tag)
where it was using a static base_types array. There may be more lurking
elsewhere, which I haven't been able to find.
Esp, I'm facing this issue, where I'm trying to create a new Val()
object and bro coredumps in one of the threads.
thanks!
-y
I am facing an issue with signature match for traffic without handshake
signals.
I wrote the following signature:
signature ftp_220response {
ip-proto == tcp
payload /[\n\r ]*(120|220)[^0-9].*\r\n/
event "FTP Response 220 matched"
}
This signature match will happen for traffic with the initial SYN, SYN-ACK,
and ACK followed by the 220 response FTP packet,
but if I give the traffic without the initial handshake (i.e. only the 220
response FTP packet) the same signature will not match, but the signature
without the line "ip-proto == tcp" will work, i.e.
signature ftp_220response {
payload /[\n\r ]*(120|220)[^0-9].*\r\n/
event "FTP Response 220 matched"
}
The above signature will work for both cases (with and without
handshake packets), but I am curious to know why the signature with the
line "ip-proto == tcp" will not work for the asymmetric case.
Is it the desired way of working?
-Sri
I see that there are different connection dictionaries for tcp, udp
and icmp connections. These are indexed by originator/responder
ip/port 4-tuple. Is there a specific reason (apart from performance
maybe?) for going with this approach rather than creating a single
dictionary indexed by a 5-tuple, 5th-tuple being the protocol?
thanks
-y
Hi all,
I was wondering if someone can point me in the right direction
regarding creating custom connection logs in Bro. I'm sorry in
advance if this is a question already asked before, but I could not
find the answer or something remotely close to an answer. I want to
add some fields to current conn.<tag>.log files (namely for instance
tcp sequence numbers) for all tcp connections or I want to create new
connection log files with new fields. I have written a new function
(similar to record_connection()) in a <hostname>.bro file as well as a new
event calling that function. The log files get created, but nothing
is ever logged into them.
I guess my question would be, how do I create an event calling this
function that will just record all tcp network traffic into customized
log files? I really don't want to do anything special to it, I just
want to log the traffic with the format I defined in the function. I
have been using pkt_hdr, ip_hdr, tcp_hdr, udp_hdr data types from
bro.init to add additional fields in fmt(). If you can just give me a
quick format of the event that would do that, it would help
tremendously, I can do the rest myself.
I hope this is enough information, if not please let me know. Thank
you in advance for any help.
Regards,
Alen
Hi,
Attached is a small patch against binpac in bro-1.2.1-devel.tar.gz.
I think its meaning is clear. I hope to contribute more patches
later when I get time. :-)
Best wishes,
Jimmy
Hello,
I find that snort2bro doesn't support the "pcre" option in snort rules. Could
anyone tell me the reason? I guess the complexity of dealing with
non-regular-expression features such as backreference in PCRE could be one
of the reasons. But I want to get a confirmed answer. Thanks!
Mengjun Xie