zeek June 2008

zeek@lists.zeek.org

13 participants
12 discussions

[Bro] Reporting problem in http_header event

by Sanmeet Bhatia

Dear sir, I have found a bug in the event called http_header. The value : string it returns has a space at the beginning. Like "www.yahoo.com" will be returned as " www.yahoo.com". I am posting You a script where I found it @load weird @load alarm @load http global path: string; global urls: set[string] ={"www.yahoo.com","mail.google.com","www.ieee.org ","www.youtube.com","www.bro-ids.org"} ; global shanz_log = open_log_file("http") &redef; redef ignore_checksums = T; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { path = original_URI; } event http_header(c: connection, is_orig: bool, name: string, value: string) { if(name == "HOST" ) { local v = edit(value," "); if( v in urls) { print shanz_log, fmt("%s:%s->%s:%s",c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p); } } } If I simply compare the value it doesn't match. or even if I print the value its printing with one whitespace prefixed at the beginning. Regards, Sanmeet

12 years, 9 months

[Bro] problem with using snort rules by bro

by uday chekuri

Hi, I am having a trace file with BID 10108. I am having converted snort rules of version 2.3.2.by s2b. My bro version is 1.2.1. When I run bro on my pcap file it is running with few error compiling patterns. It is not showing me the exact rule related to 10108 BID in alarm and signature file. I think this is due to those error compiling patterns. To solve that I tried the solution in wiki and archive. But no luck. I am sorry for reposting the same issue. I got no reply previously. But please help me with this issue. Regards, Uday.

12 years, 9 months

[Bro] Debugging policy

by Greg Lindon

OK, so I'm still having problems :( I have a small pcap (1.6 MB) with a telnet login to test with, but it is taking forever for bro to even get to the point of giving me an error with my policy. I am running bro 1.3.2 with: bro -r test.pcap -t tracefile.txt local.clear-passwords.bro which takes around 30 minutes(!?!) to give me a fairly unhelpful error about my policy. Why is it so slow? In tracefile.txt I only get stuff from bro.init about opening log files, and in the terminal I only get the usual stuff from scan.bro about the DNS root servers. Why is scan.bro even being run? As far as I can see, the policy files that I am including (see attached) don't depend on it? I thought the box I was using might be overly taxed with other software, but I installed it somewhere else with the same slow result. Bro doesn't even show up in the first page of "top" processes. Is there some sort of nice-ing going on that I can turn off? Can I tell it to consume more system resources? The error bro gives is "parse error at or near event", the line number is for the "event account_tried" declaration. I'm guessing that I have a syntax error in my password array, but this process is making debugging slow. Thoughts? Greg On Fri, Jun 20, 2008 at 2:19 PM, Robin Sommer <robin(a)icir.org> wrote: > > On Fri, Jun 20, 2008 at 14:12 -0400, Greg Lindon wrote: > >> Thanks guys, that helps. Robin I'll take a look at the cluster, looks like >> you have a standalone config in there, so that will have to do for the time >> being - won't be getting any new boxes in the immediate future to make a >> real cluster. > > Right, that's the idea: the standalone config is for a traditional, > single-box install. You don't need an actual cluster to use the new > framework (perhaps we should at some point rename the framework's > main script from "cluster" to something less specific). > > Robin > > > > -- > Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org >

12 years, 9 months

[Bro] error compiling pattern errors

by uday chekuri

Hi, I am having lot of error compiling pattern errors while running bro on pcap files. $ bro -r tracefile.pcap brolite-sigs.bro local.bro I tried the stuff in archives and wiki cd /usr/local/bro cp policy/sigs/dpd.sig site/dpd.sig which is there in archive and $ cd src/ $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h} which is there in wiki . What else I can do to solve this problem. Thanks, --Uday.

12 years, 10 months

[Bro] Compilation errors

by uday chekuri

Hi, I am having lot of compilation errors while running bro on pcap files. $ bro -r tracefile.pcap brolite-sigs.bro local.bro I tried the stuff in archives and wiki cd /usr/local/bro cp policy/sigs/dpd.sig site/dpd.sig which is there in archive and $ cd src/ $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h} which is there in wiki . What else I can do to solve this problem. Thanks, --Uday.

12 years, 10 months

[Bro] Debugging and non-interactive install

by Greg Lindon

Hi Guys, I've been playing with Bro (1.3.2 dev release) on and off for a few weeks now. I like the idea of the product, the code looks good, and the scripting language quite powerful. Having said that I'm having a few problems. 1. I need a non-interactive install of Bro. I want to roll it out to a number of red-hat-based sensors, so the usual process that requires human interaction is not feasible/maintainable. My usual approach with other software on the sensors is to create an rpm with a default install and then check the box/network specific configuration out of svn over the top of the defaults. The two-stage install (make install, make install-brolite) makes this a bit complicated. I tried separating out the parts of the install that need to be run on the target system and putting them in the rpm post install (creating bro user, checking kernel params). This involved chopping parts out of the makefile, running the perl scripts in the post, and disabling the prompts by accepting defaults in brolite. Unfortunately I never got all this to work properly. I'm hoping that someone who understands the installation process better than me can either create an rpm or a install-non-interactive Makefile target that drops a default install on the box :) Happy to accept any other suggestions too. 2. I'm having some trouble debugging a simple policy file (I'd include it, but its on another network). I basically want to redefine some of the clear-passwords methods to reduce log noise by checking if this is a password we already know about, and to ignore IRC JOINs with no password. when I run: bro -d -r test.pcap brolite local.clear-passwords or bro -d -r test.pcap local.clear-passwords it never drops into the debugger (and if you Ctrl-C it dies). But if I run bro -d -r test.pcap brolite it drops into the debugger fine. Help? My clear-passwords has the same load statements as the distributed version. Do I need something special to cause the debugger to break? I'm at the stage where bro isn't giving me any errors about the policy but it is not producing any output, at all, for any policy. Any hints? Thanks, Greg

12 years, 10 months

[Bro] error with local nets definition

by uday chekuri

Hi, I am trying to run offline analysis using bro on pcap files. I created local.bro as redef local_nets: set[subnet] = { a.b.c.d/24, }; @load brolite @load brolite-sigs Then I am trying to use bro -r trace1.tcpdump local.bro but giving me errors like this /usr/local/bro//policy/local.bro, line 1 (local_nets): error, "redef" used but not previously defined What can I do to overcome this error. Thanks in advance. --uday

12 years, 10 months

[Bro] solved with local net but more run time compilation errors

by uday chekuri

Hi, I dont know why but giving tcp before local in command not giving redef error. I used bro -r trace1.tcpdump tcp local Then again edited local.bro adding 2 more lines redef local_nets: set[subnet] = { a.b.c.d/24, }; @load brolite @load brolite-sigs I tried the same command but giving more run time compilation errors 964800422.648548 run-time error: error compiling pattern /usr/local/bro//policy/worm.bro, line 23: run-time error: error compiling pattern /^?.*(\.id[aq]\?.*XXXXXXXXXXXXX)/ /usr/local/bro//policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe) /usr/local/bro//policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/ /usr/local/bro//policy/irc.bro, line 60: run-time error: error compiling pattern /usr/local/bro//policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/ in the same way ftp, portmapper. hot-ids, http-request.bro too.... To solve run time compilation errors I saw in wiki to delete few files and build again with make. but no luck... Plz help to resolve this issue. Thanks --uday

12 years, 10 months

[Bro] Error while trying to compile Bro

by Gregory Edigarov

Hello, I am trying to get bro working on my system: $ uname -a OpenBSD edigarov.sa.net.ua 4.3 GENERIC#0 amd64 $ I am getting the following error. As Bro is written in C++, and I am not a speciallist in this language (I am a C guy, after all) I am asking you to help: gmake[4]: Entering directory `/usr/home/greg/bro-1.2.1/src' if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I. -I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -MT TCP_Rewriter.o -MD -MP -MF ".deps/TCP_Rewriter.Tpo" -c -o TCP_Rewriter.o TCP_Rewriter.cc; \ then mv -f ".deps/TCP_Rewriter.Tpo" ".deps/TCP_Rewriter.Po"; else rm -f ".deps/TCP_Rewriter.Tpo"; exit 1; fi TCP_Rewriter.cc: In member function `int TCP_TracePacket::Finish(pcap_pkthdr*&, const u_char*&, int&, unsigned int, unsigned int)': TCP_Rewriter.cc:328: error: no match for 'operator=' in ' this->TCP_TracePacket::pcap_hdr.pcap_pkthdr::ts = double_to_timeval(double)()' /usr/include/net/bpf.h:129: error: candidates are: bpf_timeval& bpf_timeval::operator=(const bpf_timeval&) gmake[4]: *** [TCP_Rewriter.o] Error 1 gmake[4]: Leaving directory `/usr/home/greg/bro-1.2.1/src' gmake[3]: *** [all-recursive] Error 1 gmake[3]: Leaving directory `/usr/home/greg/bro-1.2.1/src' gmake[2]: *** [all] Error 2 gmake[2]: Leaving directory `/usr/home/greg/bro-1.2.1/src' gmake[1]: *** [all-recursive] Error 1 gmake[1]: Leaving directory `/usr/home/greg/bro-1.2.1' gmake: *** [all] Error 2 Thanks a lot in advance. -- With best regards, Gregory Edigarov

12 years, 10 months

[Bro] spinning cube

by CS Lee

hi adriel, You may be interested in this too - http://www.cs.ru.ac.za/research/g02v2468/inetvis.html Cheers ;] -- Best Regards, CS Lee<geek00L[at]gmail.com> http://geek00l.blogspot.com

12 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2008