zeek March 2008

zeek@lists.zeek.org

17 participants
15 discussions

[Bro] http-protocol.pac parsing error on HTTP 1.1 folded headers

by Kelvin Edmison

I've found an interesting binpac parse error when parsing http headers from www.golfsmith.com using http-protocol.pac. The problem is that the golfsmith server is replying with a header that http-protocol.pac is interpreting as corrupt. Here's an example of the golfsmith.com headers HTTP/1.1 200 OK Date: Fri, 01 Feb 2008 17:10:30 GMT Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 DAV/2 PHP/5.2.5 X-Powered-By: PHP/5.2.5 Content-Type: text/html Note the line DAV/2 that is started with a space. That's where the parsing error occurs. However, it seems like this may actually be legal according to the standards. RFC2616 section 2.2 indicates that "HTTP/1.1 header field values can be folded onto multiple lines if the continuation line begins with a space or horizontal tab. All linear white space, including folding, has the same semantics as SP. A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." According to this section, the www.golfsmith.com header "Server:" is broken across the two lines, and it's value is actually "Apache/2.2.6 (Unix) mod_ssl/2.2.6<LF><SP>DAV/2 PHP/5.2.5" Does anyone have ideas on how http-protocol.pac should be modified to handle this situation? Thanks, Kelvin Edmison

12 years, 9 months

[Bro] scan.bro error

by Stephen Smith

Hello, I checked out and built the latest version from stable svn tree, and now startup is failing on an error from the scan.bro policy. <snip> bro.rc: Starting ..........bro.rc: Failed to start Bro /usr/local/bro/policy/scan.bro, line 302 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 313 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 313 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 377 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 377 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 385 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 385 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 398 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 398 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 421 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 421 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 424 (): error, empty list in untyped initialization /usr/local/bro/policy/scan.bro, line 424 (&mergeable): error, &mergeable only applicable to tables/sets /usr/local/bro/policy/scan.bro, line 448 (): error, empty list in untyped initialization ... FAILED </snip> I see the "set() &mergeable" notation in other policy files, and I'm not sure I see what is different in this one. Let me know if you need more supporting info. Thanks, -Stephen

12 years, 10 months

[Bro] URL and datastructures.....

by Navdeep Singh

Hi everyone....plz help me out... Actually I want to find out the URL's visited by the users...plz tell me how to do that.... im trying to do that by using followoing event... global http_request: event(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { print original_URI."------"; } but i dont know the datastructure of original_URI.....plz tell me where r these datastructures defined.....like the data structure for c:connection is... type connection: record { id: conn_id; orig: endpoint; resp: endpoint; start_time: time; duration: interval; service: string; # if empty, service not yet determined addl: string; hot: count; history: string; }; if u have other idea plz let me know.....i new to bro...I will be evry thankful to you.... Thanks & Regards Navdeep Singh +91-094640-77449 --------------------------------- Looking for last minute shopping deals? Find them fast with Yahoo! Search.

12 years, 10 months

[Bro] building custom scripts.....

by Navdeep Singh

hi everyone...somebody plz help me...how can i build custom scripts....plz give me a small code...like... @load ....... <------- // I dont know why this is used for... @prefix ...... <------ // same problem with this..... and do we need to save it as xxx.bro and store in SITE directory and can we access it as #bro -r trace.out xxx.bro plz tell me the procedure so that i can get the start..... Thanks & Regards Navdeep Singh 094640-77449 --------------------------------- Looking for last minute shopping deals? Find them fast with Yahoo! Search.

12 years, 10 months

[Bro] (no subject)

by bec_agarcia＠correo.seguridad.unam.mx

Hi i try to start up bro on ubuntu but when i execute /usr/local/bro/etc/bro.rc --start, i recive the next output with a lot of errors, but i dont know where and how i can resolve them, anybody help me please thanks root@client-honeypot:/usr/local/src/Bro-ids/bro-1.2.1# /usr/local/bro/etc/bro.rc --start bro.rc: Running as non-root user ddjimenez bro.rc: Starting ..........bro.rc: Failed to start Bro /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com /usr/local/bro/policy/http-request.bro, line 34: run-time error: error compiling pattern /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/ /usr/local/bro/policy/http-request.bro, line 42: run-time error: error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/ /usr/local/bro/policy/http-request.bro, line 48: run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/ /usr/local/bro/policy/http-request.bro, line 50: run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/ /usr/local/bro/policy/http-reply.bro, line 111: run-time error: error compiling pattern /^?.*(^ )/ /usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/ /usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/ /usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/ /usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/ /usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/ /usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/ /usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/ /usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/ /usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/ /usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/ /usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/ /usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/ /usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/ /usr/local/bro/policy/portmapper.bro, line 310: run-time error: error compiling pattern /^?.*(^\[)/ /usr/local/bro/policy/portmapper.bro, line 311: run-time error: error compiling pattern /^?.*(\]$)/ /usr/local/bro/policy/login.bro, line 66: run-time error: error compiling pattern /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[ \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[ \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[ \t]+secure)))|(^?.*(cd[ \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[ \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[ \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[ \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/ /usr/local/bro/policy/login.bro, line 72: run-time error: error compiling pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/ /usr/local/bro/policy/login.bro, line 75: run-time error: error compiling pattern /^?.*(No such file or directory)/ /usr/local/bro/policy/login.bro, line 84: run-time error: error compiling pattern /^?.*(.*loadmodule.*)/ /usr/local/bro/policy/login.bro, line 138: run-time error: error compiling pattern /(((((((((((((((((((((((((((((((((((((((((((((((((^?.*(^-r.s.*root.*\/bin\/(sh|csh|tcsh)))|(^?.*(Jumping to address)))|(^?.*(Jumping Address)))|(^?.*(smashdu\.c)))|(^?.*(PATH_UTMP)))|(^?.*(Log started at =)))|(^?.*(www\.anticode\.com)))|(^?.*(www\.uberhax0r\.net)))|(^?.*(smurf\.c by TFreak)))|(^?.*(Super Linux Xploit)))|(^?.*(^# \[root(a))))|(^?.*(^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh))))|(^?.*(invisibleX)))|(^?.*(PATH_(UTMP|WTMP|LASTLOG))))|(^?.*([0-9]{5,} bytes from)))|(^?.*((PATH|STAT):\ .*=>)))|(^?.*(----- \[(FIN|RST|DATA LIMIT|Timed Out)\])))|(^?.*(IDLE TIMEOUT)))|(^?.*(DATA LIMIT)))|(^?.*(-- TCP\/IP LOG --)))|(^?.*(STAT: (FIN|TIMED_OUT) )))|(^?.*((shell|xploit)_code)))|(^?.*(execshell)))|(^?.*(x86_bsd_compaexec)))|(^?.*(\\xbf\\xee\\xee\\xee\\x08\\xb8)))|(^?.*(Coded by James Seter)))|(^?.*(Irc Proxy v)))|(^?.*(Daemon port\.\.\.\.)))|(^?.*(BOT_VERSION)))|(^?.*(NICKCRYPT)))|(^?.*(\/etc\/\.core)))|(^?.*(exec.*\/bin\/newgrp)))|(^?.*(deadcafe)))|(^?.*([ \/]snap\.sh)))|(^?.*(Secure atime,ctime,mtime)))|(^?.*(Can\'t fix checksum)))|(^?.*(Promisc Dectection)))|(^?.*(ADMsn0ofID)))|(^?.*((cd \/; uname -a; pwd; id))))|(^?.*(drw0rm)))|(^?.*([Rr][Ee3][Ww][Tt][Ee3][Dd])))|(^?.*(rpc\.sadmin)))|(^?.*(AbraxaS)))|(^?.*(\[target\])))|(^?.*(ID_SENDSYN)))|(^?.*(ID_DISTROIT)))|(^?.*(by Mixter)))|(^?.*(rap(e?)ing.*using weapons)))|(^?.*(spsiod)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD]))/ /usr/local/bro/policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/ /usr/local/bro/policy/login.bro, line 147: run-time error: error compiling pattern /((^?.*(^[!-~]*( ?)[#%$] ))|(^?.*(.*no job control)))|(^?.*(WinGate>))/ /usr/local/bro/policy/login.bro, line 149: run-time error: error compiling pattern /^?.*(^ *#.*#)/ /usr/local/bro/policy/login.bro, line 151: run-time error: error compiling pattern /^?.*(VT666|007)/ /usr/local/bro/policy/irc.bro, line 60: run-time error: error compiling pattern /(((^?.*(.*etc\/shadow.*))|(^?.*(.*etc\/ldap.secret.*)))|(^?.*(.*phatbot.*)))|(^?.*(.*botnet.*))/ /usr/local/bro/policy/irc.bro, line 171: run-time error: error compiling pattern /^?.*(.*:$)/ /usr/local/bro/policy/stepping.bro, line 75: run-time error: error compiling pattern /(^?.*(^([Ll]ast +(successful)? *login)))|(^?.*(^Last interactive login))/ /usr/local/bro/policy/stepping.bro, line 78: run-time error: error compiling pattern /^?.*(\001)/ /usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/ /usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/ /usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/ /usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/ /usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/ /usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/ /usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/ /usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/ /usr/local/bro/policy/notice-policy.bro, line 58: run-time error: error compiling pattern /^?.*(Solaris listen service)/ /usr/local/bro/policy/notice-policy.bro, line 67: run-time error: error compiling pattern /^?.*(.*\.(gif|GIF|png|PNG|jpg|JPG))/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)/ /usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /(^?.*(^?(.*exe)$?))|(^?.*((((^?(.*etc\/shadow.*)$?)|(^?(.*etc\/ldap.secret.*)$?))|(^?(.*phatbot.*)$?))|(^?(.*botnet.*)$?)))/ /usr/local/bro/bin/bro: problem with interface eth0 - pcap_open_live: socket: Operation not permitted ... FAILED ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

12 years, 10 months

[Bro] Problems running Bro

by bec_agarcia＠correo.seguridad.unam.mx

Sorry but when i try to read a file i recive the next output root@lobito:/usr/local/bro/etc# /usr/local/bro/bin/bro -r segment190.pcap line 1: error: can't open bro.init root@lobito:/usr/local/bro/etc# netstat -natu -p Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2317/hpiod tcp 0 0 127.0.0.1:36942 0.0.0.0:* LISTEN 2320/python tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2006/portmap tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 2619/inetd tcp 0 0 0.0.0.0:39636 0.0.0.0:* LISTEN 2709/rpc.statd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2433/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2563/exim4 udp 0 0 0.0.0.0:32768 0.0.0.0:* 2507/avahi-daemon: udp 0 0 0.0.0.0:32770 0.0.0.0:* 2709/rpc.statd udp 0 0 192.168.150.134:32787 192.168.150.2:53 ESTABLISHED21988/bro udp 0 0 0.0.0.0:68 0.0.0.0:* 3184/dhclient udp 0 0 0.0.0.0:5353 0.0.0.0:* 2507/avahi-daemon: udp 0 0 0.0.0.0:111 0.0.0.0:* 2006/portmap udp 0 0 0.0.0.0:631 0.0.0.0:* 2433/cupsd udp 0 0 0.0.0.0:765 0.0.0.0:* 2709/rpc.statd Does anybody knows what im doing wrong? or i have to set and another option to read this file??? thanks ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

12 years, 10 months

[Bro] Memory Usage

by Joel Ebrahimi

I have been testing Bro 1.2.1 and the current 1.3.2. In both cases over time the memory is eventaully exhausted. It takes only a few hours with some intensive pcaps to reach this point. I spent a little bit of time running 1.3.2 through Valgrind but I was not able to find a definitive leak. I will keep looking into this more but I wanted to see if anyone was aware if there are any potential memory leaks or are resources being used that are not being released? Thanks, // Joel

12 years, 10 months

Re: [Bro] undefined value as a SCALAR

by Robin Gruyters

On Fri, Mar 14, 2008 at 03:00:06AM +0100, rmkml wrote: > Hi Robin, > That contains the line 1281 on /usr/local/bin/site-report.pl ? > Regards > Rmkml > The following entry: .. if( !( print $fh $$part ) ) .. site-report.pl is located in the bro source tree under scripts/perl/script. Regards, Robin Gruyters > > On Fri, 14 Mar 2008, Robin Gruyters wrote: > > >Date: Fri, 14 Mar 2008 08:57:27 +0100 > >From: Robin Gruyters <r.gruyters(a)yirdis.nl> > >To: bro(a)ICSI.Berkeley.EDU > >Subject: [Bro] undefined value as a SCALAR > > > >Hi ya, > > > >Yesterday I have installed Bro 1.3.x from SVN on one of our test servers > >and > >noticed the follow message when try to run site-report.pl: > > > >Finished processing alarm files > >Starting processing of conn file > >/nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00 > >Finished processing conn file > >Starting processing of conn file > >/nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20 > >Finished processing conn file > >Can't use an undefined value as a SCALAR reference at > >/usr/local/bin/site-report.pl line 1281. > >: 1204412358.158256 > >Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt > > > >Although it says it is generating a report, the report itself is empty: > > > ># ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt > >-rw-r--r-- 1 root bro 0 Mar 14 08:51 > >/nsm/bro/reports/yirdis.net.1205481090.21744.rpt > > > >Kind regards, > >-- > >Robin Gruyters > >Network and Security Engineer > >Betronic Nederland B.V. > >I: http://yirdis.com > >I: http://betronic.nl > >P: +31 (0)20 5659191 > >F: +31 (0)20 5659190 > >

12 years, 10 months

[Bro] undefined value as a SCALAR

by Robin Gruyters

Hi ya, Yesterday I have installed Bro 1.3.x from SVN on one of our test servers and noticed the follow message when try to run site-report.pl: Finished processing alarm files Starting processing of conn file /nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00 Finished processing conn file Starting processing of conn file /nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20 Finished processing conn file Can't use an undefined value as a SCALAR reference at /usr/local/bin/site-report.pl line 1281. : 1204412358.158256 Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt Although it says it is generating a report, the report itself is empty: # ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt -rw-r--r-- 1 root bro 0 Mar 14 08:51 /nsm/bro/reports/yirdis.net.1205481090.21744.rpt Kind regards, -- Robin Gruyters Network and Security Engineer Betronic Nederland B.V. I: http://yirdis.com I: http://betronic.nl P: +31 (0)20 5659191 F: +31 (0)20 5659190

12 years, 10 months

Re: [Bro] NIDS Cluster

by Matthias Vallentin

I'm cc'ing this issue to the Bro mailing list. On Mar 14, 2008, at 3:46 AM, Anh Le wrote: > Hello Matthias, > > I am very interested in your work on NIDS cluster. I have read both > your Bachelor's thesis and your recent publication in RAID 2007. They > are very nicely done. However, during my reading, I have several > questions regarding the Inter-Connection Analysis which I can not find > the answers. In particular, my questions arise from this paragraph: > > ------------------------------ > Some scripts, however, do require information from multiple > connections. A prominent example is the scan detector, which counts > connection attempts per source address. If these reach a certain > threshold, the system raises an alarm. In the cluster setup, the scan > detector now must count across backends; we therefore synchronize the > corresponding tables of counters (which simply entails annotating the > corresponding script variables with the attribute &synchronized). > Other examples of scripts needing synchronization are the worm > detector (which maintains a global list of infected hosts) and the > SMTP relay detector (which identifies open SMTP relays by associating > incoming with outgoing mails). Overall, we needed to synchronize 29 > script-level variables spanning 19 different types of analysis. > ------------------------------ > > 1. I can not find details about the 19 types of analysis and 29 > variables mentioned above. I wonder if you could help me with the > details about them. Hi Anh, thanks for delving into these issues so profoundly. I hope I can help you with your questions. At the time of writing the thesis, we counted 29 script variables that had to be synchronized in order to maintain the correct global semantics. The 19 types of analysis are simply the different uses, e.g. scan detection, SMTP relay detection, worm detection, etc.. By looking at the &synchronized variables in the code, you can check to which type of analysis the variable corresponds. To this end, consult Robin's work branch with the most recent updates on cluster work. Here is some information that might help you getting started: http://blog.icir.org/search/label/subversion . > 2. I also wonder if during your experimentation, you have any > statistics or insights about the percentage of detection requiring > Inter-Connection Analysis in comparison with the one only requiring > Intra-Connection Analysis. We did not explicitly measure the percentage of of inter-connection vs. intra-connection ratio. When we performed the measurements, the scan detection accounted for largest share of inter-connection analysis. The other types of analysis were comparably negligible. Note that this greatly depends on your traffic's application mix and may greatly vary in different environments. > 3. Finally, does Bro have any DDoS detection policy scripts which > require Inter-Connection Analysis? To my knowledge, no such scripts exist (please correct me if I am wrong!). But if they did, they sure would require inter-connection analysis, as this type of analysis has global semantics. Feel free to ask any further questions, preferably to the Bro mailing list directly! Matthias -- Matthias Vallentin vallentin(a)icsi.berkeley.edu pgp/gpg: 0x37F34C16

12 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2008