zeek April 2008

zeek@lists.zeek.org

19 participants
25 discussions

[Bro] Reporting problem in http_header event

by Sanmeet Bhatia

Dear sir, I have found a bug in the event called http_header. The value : string it returns has a space at the beginning. Like "www.yahoo.com" will be returned as " www.yahoo.com". I am posting You a script where I found it @load weird @load alarm @load http global path: string; global urls: set[string] ={"www.yahoo.com","mail.google.com","www.ieee.org ","www.youtube.com","www.bro-ids.org"} ; global shanz_log = open_log_file("http") &redef; redef ignore_checksums = T; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { path = original_URI; } event http_header(c: connection, is_orig: bool, name: string, value: string) { if(name == "HOST" ) { local v = edit(value," "); if( v in urls) { print shanz_log, fmt("%s:%s->%s:%s",c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p); } } } If I simply compare the value it doesn't match. or even if I print the value its printing with one whitespace prefixed at the beginning. Regards, Sanmeet

12 years, 7 months

[Bro] Bug analyzing trace with payload stripped

by Thomas Kho

Hi, I'm trying to run Bro on traces with packet payloads removed and ran across a problem where an analyzer seems to be trying to do a large allocation due to payload that isn't in the trace. I haven't made any modifications to Bro or its policy scripts. I ran across the problem using Bro 1.3.2: (gdb) run -r <trace> mt Starting program: /n/banquet/db/tkho/bin/bro -r <trace> mt bro: out of memory in new. Program received signal SIGABRT, Aborted. 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 (gdb) bt #0 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 #1 0x00484815 in raise () from /lib/tls/libc.so.6 #2 0x00486279 in abort () from /lib/tls/libc.so.6 #3 0x08053220 in out_of_memory () #4 0x0804f730 in bro_new_handler () at main.cc:373 #5 0x0091944a in operator new () from /usr/lib/libstdc++.so.6 #6 0x081a5243 in std::vector<unsigned char, std::allocator<unsigned char> >::reserve (this=0xa045e78, __n=892614210) at /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/ext/new_allocator.h:81 #7 0x081bc674 in binpac::SunRPC::RPC_Opaque::Parse (this=0xa045e68, t_begin_of_data=0xa02ed60 "546B07", t_end_of_data=0xa02ed7c "", t_byteorder=0) at rpc_pac.cc:577 #8 0x081bcf42 in binpac::SunRPC::RPC_OpaqueAuth::Parse (this=0xa045b28, t_begin_of_data=0xa02ed5c "BNPI546B07", t_end_of_data=0xa02ed7c "", t_byteorder=0) at rpc_pac.cc:654 #9 0x081bd10a in binpac::SunRPC::RPC_Call::Parse (this=0xa045c68, t_begin_of_data=0xa02ed4c "", t_end_of_data=0xa02ed7c "", t_context=0xa040bf0, t_byteorder=0) at rpc_pac.cc:191 #10 0x081be1a9 in binpac::SunRPC::RPC_Message::Parse (this=0xa046688, t_begin_of_data=0xa02ed44 "", t_end_of_data=0xa02ed7c "", t_context=0xa040bf0) at ../src/rpc_pac.h:155 #11 0x081be421 in binpac::SunRPC::RPC_Flow::NewData (this=0xa047910, t_begin_of_data=0xa02ed44 "", t_end_of_data=0xa02ed7c "") at rpc_pac.cc:1062 #12 0x0813139e in RPC_UDP_Analyzer_binpac::DeliverPacket (this=0xa0409b8, len=56, data=0xa02ed44 "", orig=true, seq=-1, ip=0xbff786c0, caplen=8) at RPC.cc:608 #13 0x0806e496 in Analyzer::ForwardPacket (this=0xa0467d8, len=56, data=0xa02ed44 "", is_orig=false, seq=-1, ip=0xbff786c0, caplen=8) at Analyzer.cc:363 #14 0x0817f6b4 in UDP_Analyzer::DeliverPacket (this=0xa0467d8, len=56, data=0xa02ed44 "", is_orig=true, seq=-1, ip=0xbff786c0, caplen=8) at UDP.cc:179 #15 0x0807c2b3 in Connection::NextPacket (this=0xa046d9c, t=1138500525.8319471, is_orig=1, ip=0xbff786c0, len=64, caplen=8, data=@0x0, record_packet=@0xbff78638, record_content=@0xbff7863c, hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14) at Conn.cc:241 #16 0x08153270 in NetSessions::DoNextPacket (this=0xa03edc8, t=1138500525.8319471, hdr=0xa02e728, ip_hdr=0xbff786c0, pkt=0xa02ed1a "", hdr_size=14) at Sessions.cc:584 #17 0x081537d1 in NetSessions::NextPacket (this=0xa03edc8, t=1138500525.8319471, hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14, pkt_elem=0x0) at Sessions.cc:294 #18 0x0811960e in net_packet_dispatch (t=1138500525.8319471, hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14, src_ps=0xa02e6f0, pkt_elem=0x0) at Net.cc:402 #19 0x081198b2 in net_packet_arrival (t=1138500525.8319471, hdr=0xa02e728, pkt=0xa02ed1a "", hdr_size=14, src_ps=0xa02e6f0) at Net.cc:464 #20 0x08126036 in PktSrc::Process (this=0xa02e6f0) at PktSrc.cc:216 #21 0x08119d21 in net_run () at Net.cc:491 #22 0x080508ee in main (argc=4, argv=0xbff78c64) at main.cc:1009 (gdb) and it also occurs in Bro 1.3.27 (rev 5632) I just pulled from SVN: (gdb) run -r <trace> mt Starting program: /n/banquet/db/tkho/bin/bro -r <trace> mt terminate called after throwing an instance of 'std::bad_alloc' what(): St9bad_alloc Program received signal SIGABRT, Aborted. 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 (gdb) bt #0 0x004437a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 #1 0x00484815 in raise () from /lib/tls/libc.so.6 #2 0x00486279 in abort () from /lib/tls/libc.so.6 #3 0x0091b1bb in __gnu_cxx::__verbose_terminate_handler () from /usr/lib/libstdc++.so.6 #4 0x00918ed1 in ?? () from /usr/lib/libstdc++.so.6 #5 0x00918f06 in std::terminate () from /usr/lib/libstdc++.so.6 #6 0x0091904f in __cxa_throw () from /usr/lib/libstdc++.so.6 #7 0x0091949c in operator new () from /usr/lib/libstdc++.so.6 #8 0x081aef57 in std::vector<unsigned char, std::allocator<unsigned char> >::reserve (this=0x9454400, __n=892614210) at /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/ext/new_allocator.h:81 #9 0x081cb75c in binpac::SunRPC::RPC_Opaque::Parse (this=0x9455d48, t_begin_of_data=0x943a900 "546B07", t_end_of_data=0x943a91c "", t_byteorder=0) at rpc_pac.cc:577 #10 0x081cc02e in binpac::SunRPC::RPC_OpaqueAuth::Parse (this=0x9454620, t_begin_of_data=0x943a8fc "BNPI546B07", t_end_of_data=0x943a91c "", t_byteorder=0) at rpc_pac.cc:654 #11 0x081cc1f6 in binpac::SunRPC::RPC_Call::Parse (this=0x944e728, t_begin_of_data=0x943a8ec "", t_end_of_data=0x943a91c "", t_context=0x94557c0, t_byteorder=0) at rpc_pac.cc:191 #12 0x081cd295 in binpac::SunRPC::RPC_Message::Parse (this=0x94543d0, t_begin_of_data=0x943a8e4 "", t_end_of_data=0x943a91c "", t_context=0x94557c0) at ../src/rpc_pac.h:155 #13 0x081cd50d in binpac::SunRPC::RPC_Flow::NewData (this=0x944e8d0, t_begin_of_data=0x943a8e4 "", t_end_of_data=0x943a91c "") at rpc_pac.cc:1062 #14 0x08136b42 in RPC_UDP_Analyzer_binpac::DeliverPacket (this=0x944e190, len=56, data=0x943a8e4 "", orig=true, seq=-1, ip=0xbff8b2a0, caplen=8) at RPC.cc:610 #15 0x0806bfa2 in Analyzer::ForwardPacket (this=0x944e480, len=56, data=0x943a8e4 "", is_orig=false, seq=-1, ip=0xbff8b2a0, caplen=8) at Analyzer.cc:371 #16 0x0818826b in UDP_Analyzer::DeliverPacket (this=0x944e480, len=56, data=0x943a8e4 "", is_orig=true, seq=-1, ip=0xbff8b2a0, caplen=8) at UDP.cc:181 #17 0x0807a163 in Connection::NextPacket (this=0x944d7ec, t=1138500525.8319471, is_orig=1, ip=0xbff8b2a0, len=64, caplen=8, data=@0x0, record_packet=@0xbff8b218, record_content=@0xbff8b21c, hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14) at Conn.cc:263 #18 0x08159f60 in NetSessions::DoNextPacket (this=0x944a968, t=1138500525.8319471, hdr=0x943a2c8, ip_hdr=0xbff8b2a0, pkt=0x943a8ba "", hdr_size=14) at Sessions.cc:675 #19 0x0815a50d in NetSessions::NextPacket (this=0x944a968, t=1138500525.8319471, hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14, pkt_elem=0x0) at Sessions.cc:319 #20 0x0811e8ce in net_packet_dispatch (t=1138500525.8319471, hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14, src_ps=0x943a290, pkt_elem=0x0) at Net.cc:417 #21 0x0811eb5a in net_packet_arrival (t=1138500525.8319471, hdr=0x943a2c8, pkt=0x943a8ba "", hdr_size=14, src_ps=0x943a290) at Net.cc:479 #22 0x0812b61a in PktSrc::Process (this=0x943a290) at PktSrc.cc:216 #23 0x0811efce in net_run () at Net.cc:508 #24 0x0805004a in main (argc=4, argv=0xbff8b854) at main.cc:965 (gdb) -Tom

12 years, 9 months

[Bro] [PATCH] Fix signedness issue in src/nb_dns.c

by Kevin Lo

Hi, This patch - uses socklet_t where appropriate - fixes signedness issue Kevin

12 years, 9 months

[Bro] Unicode Parser??

by Dr. Aaron J. Ferguson

Can Bro be configured to look for Unicode code points in network traffic then execute event-oriented analyzers that compare the activity with patterns known bad traffic? I saw a reference language called BINPac that may be able to do this. Thoughts?

12 years, 9 months

[Bro] Connection Events related to scan.bro

by Shoey Fighter

Hello. I am trying to understand the scanning algorithm, and am having some slight problems understanding when certain events are generated. Below I have included a list of the events I am interested in and my best understanding: connection_established A TCP handshake has been completed successfully. partial_connection ? connection_attempt A TCP SYN packet has been sent. connection_rejected A TCP RST was seen in response to a TCP SYN. connection_pending I am not too sure about this one. Can this only happen if the analyzer is shut down in the middle of a connection? connection_half_finished Is this when one side of a connection attempts to close a non-existant connection? Also, slightly unrelated, I noticed in the udp-common.bro, the code relating to "use_TRW_algorithm" is commented out... Is there a special reason for this? Thanks, Cameron Hertel

12 years, 9 months

[Bro] help regarding using bro on application-level byte stream

by Jayanth Kannan

Hi, I have a question regarding running Bro on a application-level TCP byte stream, and was wondering which implementation option to choose. Any help is much appreciated! Details below. I have access to a application-level byte stream (eg: say, a http session consisting of http put and get packets) that I would like to run Bro on it in an online fashion (I specifically plan to use its trace anonymization capabilities). I do not have access to the corresponding TCP byte stream / IP byte stream, but I do have the TCP state information required (source/dest addr, source/dest port). I am wondering how to have Bro process these packets. I can think of the following ways by reading the various docs, but am not sure whether there is anything else I have missed. 1. Cook up fake link-layer, TCP,IP headers, and feed Bro via a FIFO. 2. Use Brocolli to send really low-level events (events being "so and so bytes seen on so and so conn"). These events have to be low-level because I am trying to minimize any application-specific parsing before sending to Bro. 3. Use the Bro source code directly, and somehow instantiate an analyzer directly on the byte-stream. Any state needed (such as connection endpoints) have to be cooked up. After reading the source code and various docs, I am tending towards (3), since it won't have the performance hit of a FIFO/broccoli, but am wondering whether the state is seperable enough for me to do this. Thanks in advance, and if anything is not clear, please let me know, Jayanth

12 years, 9 months

Re: [Bro] Partial tcpdump traces

by Danny Nechay

Hi, could you possibly point me towards which files or functions I should look at to get rid of these sanity checks? I know I'm not exactly using Bro for its proper use - I just need it to provide a ground truth for all flows inside of a trace. So far I've had no problems with full tcpdump traces, but if I could just find a way for it to handle partial tcpdump traces then it would suit my needs perfectly. Thanks. Daniel. On Tue, Apr 22, 2008 at 6:02 PM, Robin Sommer <robin(a)icir.org> wrote: > > On Tue, Apr 22, 2008 at 08:36 -0700, I wrote: > > > I think yes, it should. My guess would have also been that it's the > > checksum check which prevents Bro from doing the matching. I'll try > > it later to see what I can find. > > So I looked briefly into this: there are more sanity checks inside > the TCP analyzer which prevent the payload from reaching the > signature engine. Nothing we'd really want to change though I think. > > Robin > > -- > Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org >

12 years, 9 months

[Bro] I can't download current vesion of Bro-ids

by shaw_yxf

Hello: There is always a dialog-box poped up with a connection problem every time i tried to download the current version of Bro. Can any nice guy take the trouble to send me a copy via email. Thanks! Shaw shaw_yxf 2008-04-23

12 years, 9 months

[Bro] Bro 1.3.x / FC5 / Linking Issue

by Joel Ebrahimi

I was trying to build Bro 1.3.2 on FC5. Im running into linking issues and I wanted to see if there is a known fix before I start racking my brain on this. It appears to be having problems with externally defined functions. These problem do not exist for 1.2.x on the same system. Here is a sample of the linking and errors: g++ -g -O2 -o bro DNS-binpac.o HTTP-binpac.o main.o net_util.o util.o parse.o scan.o re-parse.o re-scan.o rule-parse.o rule-scan.o Active.o Analyzer.o Anon.o ARP.o Attr.o BackDoor.o Base64.o BPF_Program.o BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o ConnCompressor.o ContentLine.o DCE_RPC.o DFA.o DNS.o DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o Debug.o DebugCmds.o DebugLogger.o Desc.o Dict.o Discard.o DPM.o EquivClass.o Event.o EventHandler.o EventLauncher.o EventRegistry.o Expr.o FTP.o <ftp://ftp.o/>File.o FileAnalyzer.o Finger.o Frag.o Frame.o Func.o Gnutella.o HTTP.o Hash.o ICMP.o ID.o Ident.o IntSet.o InterConn.o IOSource.o IRC.o List.o Logger.o Login.o MIME.o NCP.o NFA.o NFS.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o OSFinger.o PacketFilter.o PacketSort.o PersistenceSerializer.o PktDagSrc.o PktSrc.o PIA.o PolicyFile.o POP3.o Portmap.o PrefixTable.o PriorityQueue.o Queue.o RE.o RPC.o Reassem.o RemoteSerializer.o Rlogin.o RSH.o Rule.o RuleAction.o RuleCondition.o RuleMatcher.o ScriptAnaly.o SmithWaterman.o SMB.o SMTP.o SSH.o Scope.o SerializationFormat.o SerialObj.o Serializer.o Sessions.o StateAccess.o Stats.o SteppingStone.o Stmt.o TCP.o TCP_Endpoint.o TCP_Reassembler.o TCP_Rewriter.o Telnet.o Timer.o Traverse.o Trigger.o TwoWise.o Type.o UDP.o Val.o Var.o XDR.o ZIP.o bsd-getopt-long.o cq.o md5.o patricia.o setsignal.o version.o UDP_Rewriter.o DNS_Rewriter.o PacketDumper.o Rewriter.o strsep.o nb_dns.o X509.o SSLCiphers.o SSLInterpreter.o SSLProxy.o SSLv2.o SSLv3.o SSLv3Automaton.o binpac-lib_pac.o binpac_bro-lib_pac.o dce_rpc_pac.o dce_rpc_simple_pac.o dns_pac.o dns_tcp_pac.o http_pac.o ncp_pac.o rpc_pac.o smb_pac.o -Llibedit -ledit -lmagic -lz -lpcap -lpcap -lssl -lcrypto -lpcap /usr/lib/libresolv.a -ltermcap -ltermcap -lm -L../aux/binpac/lib -lbinpac -lmagic -lz -lpcap -lpcap -lssl -lcrypto -lpcap /usr/lib/libresolv.a -ltermcap -ltermcap main.o: In function `bro_new_handler':/root/BUILD/Bro/bro-1.3.2/src/main.cc:373: undefined reference to `out_of_memory(char const*)' main.o: In function `usage()':/root/BUILD/Bro/bro-1.3.2/src/main.cc:201: undefined reference to `bro_path()' :/root/BUILD/Bro/bro-1.3.2/src/main.cc:202: undefined reference to `bro_prefixes()' main.o: In function `termination_signal()':/root/BUILD/Bro/bro-1.3.2/src/main.cc:279: undefined reference to `message(char const*)' main.o: In function `sig_handler(int)':/root/BUILD/Bro/bro-1.3.2/src/main.cc:298: undefined reference to `internal_error(char const*, ...)' main.o: In function `main':/root/BUILD/Bro/bro-1.3.2/src/main.cc:382: undefined reference to `copy_string(char const*)' :/root/BUILD/Bro/bro-1.3.2/src/main.cc:691: undefined reference to `current_time(bool)' :/root/BUILD/Bro/bro-1.3.2/src/main.cc:693: undefined reference to `init_random_seed(unsigned int, char const*, char const*)' :/root/BUILD/Bro/bro-1.3.2/src/main.cc:553: undefined reference to `streq(char const*, char const*)' :/root/BUILD/Bro/bro-1.3.2/src/main.cc:604: undefined reference to `hash_md5(unsigned int, unsigned char const*, unsigned char*)' Thanks, // Joel

12 years, 9 months

[Bro] Regarding set_record_packets

by Sanmeet Bhatia

Hi, Can u please tell me where the packets traced by set_record_packets() are stored in BRO? Please help. Regards, Sanmeet

12 years, 9 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2008