Dear sir,
I have found a bug in the event called http_header. The value : string it
returns has a space at the beginning. Like "www.yahoo.com" will be
returned as " www.yahoo.com".
I am posting you a script where I found it:
    @load weird
    @load alarm
    @load http

    global path: string;

    # Hosts we want to report on.
    global urls: set[string] = { "www.yahoo.com", "mail.google.com", "www.ieee.org",
                                 "www.youtube.com", "www.bro-ids.org" };

    global shanz_log = open_log_file("http") &redef;

    redef ignore_checksums = T;

    event http_request(c: connection, method: string, original_URI: string,
                       unescaped_URI: string, version: string)
        {
        path = original_URI;
        }

    event http_header(c: connection, is_orig: bool, name: string, value: string)
        {
        # Header names are reported in upper case by the HTTP analyzer.
        if ( name == "HOST" )
            {
            # The value arrives as " www.yahoo.com" (leading space). edit()
            # treats the given character like a backspace; a leading space
            # has nothing before it and is simply dropped.
            local v = edit(value, " ");
            if ( v in urls )
                {
                print shanz_log,
                    fmt("%s:%s->%s:%s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
                }
            }
        }
If I simply compare the value it doesn't match, and even if I print the value
it is printed with one whitespace prefixed at the beginning.
Regards,
Sanmeet
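The behaviour described above, shown as an added example in Python rather than Bro (this is not code from the original post): a raw header line "Host: www.yahoo.com" keeps the single space after the colon unless the optional whitespace around the field-value is trimmed, so a comparison against the host set fails. The request bytes and the host list below are constructed for the example.

```python
# Added example (not from the original post): shows why a raw HTTP
# header value carries a leading space and how to normalize it before
# comparing against a host list. The sample request is constructed.
from typing import Dict, Tuple

# Constructed sample request head; note the single space after "Host:".
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.yahoo.com\r\n"
    b"User-Agent:\tExampleAgent/1.0 \r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Hosts of interest, matching the set used in the post's script.
WATCHED_HOSTS = {"www.yahoo.com", "mail.google.com", "www.ieee.org",
                 "www.youtube.com", "www.bro-ids.org"}


def parse_headers(raw: bytes, strip_ows: bool) -> Dict[str, str]:
    """Parse header lines into {NAME: value}.

    Names are upper-cased, mirroring the "HOST" the post compares against.
    With strip_ows=False the value is exactly the text after the colon
    (so "Host: x" yields " x"); with strip_ows=True the optional
    whitespace (SP / HTAB) around the field-value is removed, as
    RFC 7230 section 3.2 requires.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" not in line:
            continue  # malformed line; skip rather than crash
        name, value = line.split(":", 1)
        if strip_ows:
            value = value.strip(" \t")
        headers[name.strip().upper()] = value
    return headers


def host_matches(raw: bytes, strip_ows: bool) -> Tuple[str, bool]:
    """Return the HOST value as seen and whether it is in WATCHED_HOSTS."""
    host = parse_headers(raw, strip_ows).get("HOST", "")
    return host, host in WATCHED_HOSTS


if __name__ == "__main__":
    print(host_matches(SAMPLE_REQUEST, strip_ows=False))  # (' www.yahoo.com', False)
    print(host_matches(SAMPLE_REQUEST, strip_ows=True))   # ('www.yahoo.com', True)
```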
Hi,
I have a trace file with BID 10108. I have converted snort rules of
version 2.3.2 by s2b. My bro version is 1.2.1. When I run bro on my pcap
file it runs with a few "error compiling pattern" errors. It is not showing me
the exact rule related to BID 10108 in the alarm and signature files. I think
this is due to those "error compiling pattern" errors. To solve that I tried the
solution in the wiki and archive, but no luck. I am sorry for reposting the same
issue. I got no reply previously, but please help me with this issue.
Regards,
Uday.
OK, so I'm still having problems :(
I have a small pcap (1.6 MB) with a telnet login to test with, but it
is taking forever for bro to even get to the point of giving me an
error with my policy. I am running bro 1.3.2 with:
bro -r test.pcap -t tracefile.txt local.clear-passwords.bro
which takes around 30 minutes(!?!) to give me a fairly unhelpful error
about my policy. Why is it so slow? In tracefile.txt I only get
stuff from bro.init about opening log files, and in the terminal I
only get the usual stuff from scan.bro about the DNS root servers.
Why is scan.bro even being run? As far as I can see, the policy files
that I am including (see attached) don't depend on it?
I thought the box I was using might be overly taxed with other
software, but I installed it somewhere else with the same slow result.
Bro doesn't even show up in the first page of "top" processes. Is
there some sort of nice-ing going on that I can turn off? Can I tell
it to consume more system resources?
The error bro gives is "parse error at or near event", the line number
is for the "event account_tried" declaration. I'm guessing that I
have a syntax error in my password array, but this process is making
debugging slow.
Thoughts?
Greg
On Fri, Jun 20, 2008 at 2:19 PM, Robin Sommer <robin(a)icir.org> wrote:
>
> On Fri, Jun 20, 2008 at 14:12 -0400, Greg Lindon wrote:
>
>> Thanks guys, that helps. Robin I'll take a look at the cluster, looks like
>> you have a standalone config in there, so that will have to do for the time
>> being - won't be getting any new boxes in the immediate future to make a
>> real cluster.
>
> Right, that's the idea: the standalone config is for a traditional,
> single-box install. You don't need an actual cluster to use the new
> framework (perhaps we should at some point rename the framework's
> main script from "cluster" to something less specific).
>
> Robin
>
>
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
Hi,
I am getting a lot of "error compiling pattern" errors while running bro on pcap
files:
$ bro -r tracefile.pcap brolite-sigs.bro local.bro
I tried the stuff in the archives and wiki:
cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig
which is in the archive, and
$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
which is in the wiki.
What else can I do to solve this problem?
Thanks,
--Uday.
Hi,
I am getting a lot of compilation errors while running bro on pcap files:
$ bro -r tracefile.pcap brolite-sigs.bro local.bro
I tried the stuff in the archives and wiki:
cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig
which is in the archive, and
$ cd src/
$ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
which is in the wiki.
What else can I do to solve this problem?
Thanks,
--Uday.
Hi Guys,
I've been playing with Bro (1.3.2 dev release) on and off for a few weeks
now. I like the idea of the product, the code looks good, and the scripting
language quite powerful. Having said that I'm having a few problems.
1. I need a non-interactive install of Bro. I want to roll it out to a
number of red-hat-based sensors, so the usual process that requires human
interaction is not feasible/maintainable. My usual approach with other
software on the sensors is to create an rpm with a default install and then
check the box/network specific configuration out of svn over the top of the
defaults.
The two-stage install (make install, make install-brolite) makes this a bit
complicated. I tried separating out the parts of the install that need to
be run on the target system and putting them in the rpm post install
(creating bro user, checking kernel params). This involved chopping parts
out of the makefile, running the perl scripts in the post, and disabling the
prompts by accepting defaults in brolite. Unfortunately I never got all
this to work properly.
I'm hoping that someone who understands the installation process better than
me can either create an rpm or an install-non-interactive Makefile target
that drops a default install on the box :) Happy to accept any other
suggestions too.
2. I'm having some trouble debugging a simple policy file (I'd include it,
but it's on another network). I basically want to redefine some of the
clear-passwords methods to reduce log noise by checking if this is a
password we already know about, and to ignore IRC JOINs with no password.
When I run:
bro -d -r test.pcap brolite local.clear-passwords
or
bro -d -r test.pcap local.clear-passwords
it never drops into the debugger (and if you Ctrl-C it dies). But if I run
bro -d -r test.pcap brolite
it drops into the debugger fine. Help? My clear-passwords has the same
load statements as the distributed version. Do I need something special to
cause the debugger to break?
I'm at the stage where bro isn't giving me any errors about the policy but
it is not producing any output, at all, for any policy. Any hints?
Thanks,
Greg
Hi,
I am trying to run offline analysis using bro on pcap files.
I created local.bro as:
redef local_nets: set[subnet] = {
a.b.c.d/24,
};
@load brolite
@load brolite-sigs
Then I am trying to use
bro -r trace1.tcpdump local.bro
but it gives me errors like this:
/usr/local/bro//policy/local.bro, line 1 (local_nets): error, "redef" used
but not previously defined
What can I do to overcome this error?
Thanks in advance.
--uday
Hi,
I don't know why, but giving tcp before local in the command does not give the
redef error. I used
bro -r trace1.tcpdump tcp local
Then I again edited local.bro, adding 2 more lines:
redef local_nets: set[subnet] = {
a.b.c.d/24,
};
@load brolite
@load brolite-sigs
I tried the same command but it gives more run-time compilation errors:
964800422.648548 run-time error: error compiling pattern
/usr/local/bro//policy/worm.bro, line 23: run-time error: error compiling
pattern /^?.*(\.id[aq]\?.*XXXXXXXXXXXXX)/
/usr/local/bro//policy/brolite.bro, line 138: run-time error: error
compiling pattern /^?.*(.*exe)
/usr/local/bro//policy/smtp.bro, line 281: run-time error: error compiling
pattern /^?.*(<( |\t)*)/
/usr/local/bro//policy/irc.bro, line 60: run-time error: error compiling
pattern
/usr/local/bro//policy/login.bro, line 141: run-time error: error compiling
pattern /^?.*(.*Trojaning in progress.*)/
and in the same way for ftp, portmapper, hot-ids, http-request.bro too....
To solve the run-time compilation errors I saw in the wiki to delete a few files and
build again with make,
but no luck...
Please help to resolve this issue.
Thanks
--uday
Hello,
I am trying to get bro working on my system:
$ uname -a
OpenBSD edigarov.sa.net.ua 4.3 GENERIC#0 amd64
$
I am getting the following error.
As Bro is written in C++, and I am not a specialist in this language (I am
a C guy, after all), I am asking you to help:
gmake[4]: Entering directory `/usr/home/greg/bro-1.2.1/src'
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I.
-I.. -Ilibedit -O -W -Wall -Wno-unused -g -O2 -MT TCP_Rewriter.o -MD -MP
-MF ".deps/TCP_Rewriter.Tpo" -c -o TCP_Rewriter.o TCP_Rewriter.cc; \
then mv -f ".deps/TCP_Rewriter.Tpo" ".deps/TCP_Rewriter.Po"; else rm -f
".deps/TCP_Rewriter.Tpo"; exit 1; fi
TCP_Rewriter.cc: In member function `int
TCP_TracePacket::Finish(pcap_pkthdr*&,
const u_char*&, int&, unsigned int, unsigned int)':
TCP_Rewriter.cc:328: error: no match for 'operator=' in '
this->TCP_TracePacket::pcap_hdr.pcap_pkthdr::ts =
double_to_timeval(double)()'
/usr/include/net/bpf.h:129: error: candidates are: bpf_timeval&
bpf_timeval::operator=(const bpf_timeval&)
gmake[4]: *** [TCP_Rewriter.o] Error 1
gmake[4]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[3]: *** [all-recursive] Error 1
gmake[3]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/home/greg/bro-1.2.1/src'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/home/greg/bro-1.2.1'
gmake: *** [all] Error 2
Thanks a lot in advance.
--
With best regards,
Gregory Edigarov