zeek January 2008

zeek@lists.zeek.org

9 participants
10 discussions

Re: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap)

by Bernhard Ager

On Sun, Jan 27, 2008 at 02:26:01AM +0200, Georgios Spathoulas wrote: > But it again stops complaining about openssl > > checking openssl/ssl.h usability... no > checking openssl/ssl.h presence... no > checking for openssl/ssl.h... no > configure: error: cannot find openssl/ssl.h, sorry > configure: error: /bin/bash './configure' failed for aux/broccoli Just repeat installing libraries. In this case, you'll need some flavor of libssl or openssl and the corresponding "dev" package. There might be more unresolved dependencies like this, and the solution is always the same :-) Bernhard -- Technische Universität Berlin An-Institut Deutsche Telekom Laboratories FG INET, Research Group Anja Feldmann Sekr. TEL 4 Ernst-Reuter-Platz 7 D-10587 Berlin

14 years, 3 months

[Bro] Protocol Violation with Google IPs

by Diogo Corteletti de Oliveira

Hello Guys, Anyone is having ProtocolViolation alarms with Google IPs? Analizying the packet trace I've noticed that either GMAIL or Google Talk is alerting Protocol Violation for the HTTP Analyzer. t=1201268671.707425 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=1233/tcp da=209.85.171.86 dp=80/tcp msg=x.x.x.x/1233\ >\ 209.85.171.86/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ reply\ line tag=@4792 Tks

14 years, 3 months

[Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap)

by Georgios Spathoulas

Hello to all, I am an Intrusion Detection Researcher from Greece. I try to create an experimental setup, in order to test data fusion methods for combining alerts from different IDSs. I am trying to setup Bro IDS on an Ubuntu 7.10 system. I have tried both 1.2and 1.3 versions and I get the same error when I run the ./configure command : checking for local pcap library... not found checking for pcap_open_live in -lpcap... no checking for pcap_open_live in -lpcap... no configure: error: see the INSTALL doc for more info I guess I am missing something. I have Snort installed on the same system, I hope this does not create a problem. Whoever can help, please post to me a probable solution. Thank you in advance. The whole output of the ./configure command is giorgos@m1330:~/Desktop/bro-1.3.2$ ./configure checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... no checking for mawk... mawk checking whether make sets $(MAKE)... yes checking for style of include used by make... GNU checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ANSI C... none needed checking dependency style of gcc... gcc3 checking for flex... flex checking for yywrap in -lfl... yes checking lex output file root... lex.yy checking whether yytext is a pointer... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether make sets $(MAKE)... (cached) yes checking for ranlib... ranlib checking for gzip... gzip checking for OPENSSL_add_all_algorithms_conf in -lcrypto... no checking for perl5... no checking for perl... /usr/bin/perl checking for chown... /bin/chown checking Linux kernel version... 2 checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... 64 checking for _LARGE_FILES value needed for large files... no checking how to run the C preprocessor... gcc -E checking for egrep... grep -E checking for ANSI C header files... yes checking return type of signal handlers... void checking for sigset... yes checking for int32_t using gcc... yes checking for u_int32_t using gcc... yes checking for u_int16_t using gcc... yes checking for u_int8_t using gcc... yes checking whether time.h and sys/time.h may both be included... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h.. . yes checking for unistd.h... yes checking for memory.h... (cached) yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking socket.h usability... no checking socket.h presence... no checking for socket.h... no checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking for net/ethernet.h... yes checking for netinet/ether.h... yes checking for netinet/if_ether.h... yes checking for sys/ethernet.h... no checking for netinet/ip6.h... yes checking for socklen_t... yes checking if syslog returns int... no checking if we should declare socket and friends... no checking for gethostbyname... yes checking for socket... yes checking for putmsg in -lstr... no checking for local pcap library... not found checking for pcap_open_live in -lpcap... no checking for pcap_open_live in -lpcap... no configure: error: see the INSTALL doc for more info

14 years, 3 months

[Bro] Start Problem

by Diogo Corteletti de Oliveira

Hello Guys, After enabling the dpd (const use_dpd = T;) I am having problems starting bro with the following message: bro.rc: Starting ..........bro.rc: Failed to start Bro /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com line 1: error: Can't open signature file dpd.sig ... FAILED

14 years, 4 months

[Bro] Profilers for Bro

by Abin Moozhiyil

Hai, Currently I'm on the job of profiling Bro. I have been trying to use vtune profiler but has been unsuccessful. As I try to profile the vtune gets hanged. May be because that I haven't given the proper specificatins regarding 1. Application to launch: 2. Application arguments: (optional) 3. Working directory: (optional) I believe that vtune profiles the binary file of Bro. Please tell me the binary file corresponding to the Bro IDS software. Can anybody suggest any other profilers for the software other than vtune which is user friendly? I shall be much obliged if anyone come up with a solution to help me. Specifications: Bro-IDS v1.2.1 Fedora 6 vtune v9.0 Thanking you, Yours sincerely, Abin C M The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information.

14 years, 4 months

[Bro] Multiple encapsulation

by Fabian Hensel

Hi I have a rather urgent problem. For the evaluation of my diploma thesis, I want to run Bro in a DSL-Core Network. The traffic there is encapsulated multiple times and Bro does not inspect the real payload without adjustment. This is what I could determine from looking at a sample trace: MPLS: 4 bytes MPLS: 4 bytes IP: 20 bytes UDP: 8 bytes L2TP: 8 bytes PPP: 4 bytes Total encapsulation headers: 48 bytes I tried playing around with parse_udp_tunnels, udp_tunnel_port and encap_hdr_size (set to 48), but without any real success. Any chance I can get this working? Regards - Fabian

14 years, 4 months

Re: [Bro] Multiple encapsulation

by Fabian Hensel

I just realized. I had to do a redef capture_filters += { ["mpls"] = "mpls"}; redef encap_hdr_size = 48; Because the outermost encapsulation is MPLS... - Fabian On Jan 17, 2008 4:01 PM, Ashley Thomas <ashley.thomas(a)gmail.com> wrote: > What would be the tcpdump filter you would use in that setup > let's say to capture only tcp packets. > > Bro uses libpcap like tcpdump to capture the packets. > > You can modify the filters that's there in the policy scripts to read > the packets > off the network interface. > > > > On Jan 17, 2008 8:59 AM, Fabian Hensel <irdeto(a)gmail.com> wrote: > > Hi > > > > I have a rather urgent problem. For the evaluation of my diploma > > thesis, I want to run Bro in a DSL-Core Network. The traffic there is > > encapsulated multiple times and Bro does not inspect the real payload > > without adjustment. This is what I could determine from looking at a > > sample trace: > > > > MPLS: 4 bytes > > MPLS: 4 bytes > > IP: 20 bytes > > UDP: 8 bytes > > L2TP: 8 bytes > > PPP: 4 bytes > > Total encapsulation headers: 48 bytes > > > > I tried playing around with parse_udp_tunnels, udp_tunnel_port and > > encap_hdr_size (set to 48), but without any real success. Any chance I > > can get this working? > > > > Regards - Fabian > > _______________________________________________ > > Bro mailing list > > bro(a)bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > > -- > Karmanye Vadhikaraste Ma Phaleshu Kadachana, Ma Karma Phala Hetur > Bhurmatey Sangostva Akarmani >

14 years, 4 months

[Bro] profile bro ids 1.2.1

by Abin Moozhiyil

hai i'm facing an issue when trying to profile bro ids 1.2.1 using vtune in fedora 6. i gets an error as cannot access bro.init and vtune is not responding. i tried with export BROPATH=/usr/local/bro and still the problem exists. can u help me out in this issue. please recommend some profiling tools to profile bro software and how to profile it. expecting a + reply . thankyou. abin c m The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information.

14 years, 4 months

[Bro] Can not dump the first packet?

by 马飞腾

14 years, 4 months

[Bro] L flag in conn log

by scott sakai

Have the semantics of the "L" flag in the conn log been changed? >From http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Event…: Line format: ----- <start> <duration> <local IP> <remote IP> <service> <local port> \ <remote port> <protocol> <org bytes sent>, <res bytes sent> <state> \ <flags> <tag> ----- and ----- L indicates that the connection was initiated locally, i.e., the host corresponding to A_l initiated the connection. If L is missing, then the host corresponding to A_r initiated the connection. ----- However, this does not seem to agree with what I see in the conn log. When interpreted this way, I see strange stuff like a web server making outbound connections from port 80 to some high numbered port. This is even more confusing when trying to figure out which host is portscanning and which one is being scanned. The correct line format seems to be <start> <duration> <originating IP> <responding IP> <service> <originating port> <responding port>... Can anyone confirm this? conn.bro, line 275 suggests that this is the case: ----- local log_msg = fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s", c$start_time, duration, id$orig_h, id$resp_h, s, ----- However, I'd like to make sure that it is. Thanks.

14 years, 4 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2008