From within an event handler, is there a generic way to find out the
name of the event, and the names and types of the parameters that were
passed to the event?
The reason I'm asking is that I'd like a generic way to encapsulate
events and send them to a broccoli listener, which is only requesting
the "wrapper" events. The client would then unwrap it, and then figure
out what to do with it based on its local configuration (the particular
thing I'd like to write is a broccoli listener that pushes events into a
database).
Ideally, there would be some function such as "whatamI()" that
returned some representation of the calling handler's name, and name
value pairs that corresponded to the parameters names and values. This
could then be the parameter for the wrapper event, which is sent out to
the listener.
Has anyone tried to do this? A lot of the serialization stuff seems
to exist already, so maybe the only new code would be something to peek
under the hood of the call stack?
Steve
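Steve's wrapper-event idea, sketched as an added Python example (this is not Broccoli code and not part of the original post): the producer side folds the calling handler's name and its typed name/value pairs into one generic payload, and the listener unwraps it and dispatches on its local configuration, here into a SQLite table. The wrapper format, the TYPE_TAGS subset of Bro types, and the two sample events are all constructed for the example; no Bro or Broccoli API is called.

```python
import json
import sqlite3
from typing import Any, Callable, Dict, List, Optional, Tuple

# Subset of Bro value types carried with each parameter, and the Python type
# each one must serialize from. Constructed for the example; Bro's real type
# set is larger.
TYPE_TAGS: Dict[str, type] = {
    "count": int,
    "string": str,
    "addr": str,    # dotted-quad / colon-hex text form
    "port": str,    # e.g. "22/tcp"
    "double": float,
    "bool": bool,
}

Param = Tuple[str, str, Any]  # (parameter name, type tag, value)


def wrap_event(name: str, params: List[Param]) -> str:
    """Producer side: fold the original handler's name and its typed
    name/value pairs into one JSON payload, the single 'wrapper' event."""
    for pname, ttag, value in params:
        if ttag not in TYPE_TAGS:
            raise ValueError(f"{pname}: unknown type tag {ttag!r}")
        # bool is a subclass of int, so reject it explicitly for 'count'.
        if (ttag == "count" and isinstance(value, bool)) or not isinstance(value, TYPE_TAGS[ttag]):
            raise TypeError(f"{pname}: expected {ttag}, got {type(value).__name__}")
    doc = {"event": name,
           "params": [{"name": n, "type": t, "value": v} for n, t, v in params]}
    return json.dumps(doc, sort_keys=True)


def unwrap_event(payload: str) -> Tuple[str, List[Param]]:
    """Consumer side: validate the wrapper and recover (event name, params)."""
    doc = json.loads(payload)
    if not (isinstance(doc, dict) and isinstance(doc.get("event"), str)
            and isinstance(doc.get("params"), list)):
        raise ValueError("malformed wrapper event")
    params: List[Param] = []
    for p in doc["params"]:
        if p.get("type") not in TYPE_TAGS:
            raise ValueError(f"unknown type tag in wrapper: {p.get('type')!r}")
        params.append((p["name"], p["type"], p["value"]))
    return doc["event"], params


class DbSink:
    """Stores unwrapped events in one generic table, so no per-event schema is needed."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS events ("
            " id INTEGER PRIMARY KEY, event TEXT, param TEXT, type TEXT, value TEXT)")

    def store(self, event: str, params: List[Param]) -> int:
        rows = [(event, n, t, json.dumps(v)) for n, t, v in params]
        # Parameterised INSERT: event contents never become part of the SQL text.
        self.conn.executemany(
            "INSERT INTO events(event, param, type, value) VALUES (?, ?, ?, ?)", rows)
        self.conn.commit()
        return len(rows)

    def rows_for(self, event: str) -> int:
        cur = self.conn.execute("SELECT COUNT(*) FROM events WHERE event = ?", (event,))
        return cur.fetchone()[0]


def dispatch(payload: str,
             config: Dict[str, Callable[[str, List[Param]], Any]]) -> Optional[Any]:
    """Client side: the local configuration maps event names to handlers.
    Events with no configured handler are dropped (returns None)."""
    event, params = unwrap_event(payload)
    handler = config.get(event)
    return handler(event, params) if handler else None


def demo() -> Tuple[int, int, Optional[Any]]:
    """Round-trip two constructed events through the wrapper and a DB sink."""
    sink = DbSink(sqlite3.connect(":memory:"))
    config = {"connection_established": sink.store}  # only this event is stored locally

    payload_a = wrap_event("connection_established", [
        ("orig_h", "addr", "10.0.0.5"),
        ("resp_h", "addr", "10.0.0.22"),
        ("resp_p", "port", "22/tcp"),
        ("duration", "double", 0.25),
    ])
    stored = dispatch(payload_a, config)
    payload_b = wrap_event("weird", [("name", "string", "bad_TCP_checksum")])
    dropped = dispatch(payload_b, config)  # None: not in the local configuration
    return stored, sink.rows_for("connection_established"), dropped


if __name__ == "__main__":
    print(demo())
```

Carrying the type tag alongside each value is what lets the listener stay generic: the database side stores every parameter in one table and can still reconstruct the original Bro types later, and anything it is not configured for is discarded at dispatch rather than stored blindly.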
Hi, I can't use snort2bro.
I followed the wiki instructions
(http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro)
but it says: snort2bro command not found.
I know that it should already be installed with Bro, but if I run "locate
snort2bro", I can't find it.
How can I use it?
thanks
Paolo Tironi
Hi,
I just checked out the python bindings for broccoli and tried building
them against Bro 1.3.2 using the suggested "python setup.py install". I am
using python 2.4.3 and gcc 4.1.2 on CentOS 5.
Unfortunately the build just results in a few screens of compilation
errors and warnings. Looking at the Makefile, I decided to try
regenerating the swig bindings and running setup.py again. This cut
down the number of errors to only a single screenful. Here's what I'm
getting:
[sychan@panopticon python]$ python setup.py install
running install
running build
running build_py
creating build
creating build/lib.linux-i686-2.4
copying broccoli.py -> build/lib.linux-i686-2.4
running build_ext
building '_broccoli_intern' extension
creating build/temp.linux-i686-2.4
gcc -pthread -fno-strict-aliasing -DNDEBUG -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables -D_GNU_SOURCE -fPIC -fPIC
-I/usr/include/python2.4 -c broccoli_intern_wrap.c -o
build/temp.linux-i686-2.4/broccoli_intern_wrap.o
broccoli_intern_wrap.c:2504: warning: useless storage class specifier in
empty declaration
broccoli_intern_wrap.c: In function ‘valToPyObj’:
broccoli_intern_wrap.c:2595: warning: pointer targets in passing
argument 1 of ‘PyString_FromStringAndSize’ differ in signedness
broccoli_intern_wrap.c: In function ‘pyObjToVal’:
broccoli_intern_wrap.c:2681: warning: pointer targets in assignment
differ in signedness
broccoli_intern_wrap.c: At top level:
broccoli_intern_wrap.c:2762: error: expected declaration specifiers or
‘...’ before ‘BroEvMeta’
broccoli_intern_wrap.c: In function ‘event_callback’:
broccoli_intern_wrap.c:2767: error: ‘meta’ undeclared (first use in this
function)
broccoli_intern_wrap.c:2767: error: (Each undeclared identifier is
reported only once
broccoli_intern_wrap.c:2767: error: for each function it appears in.)
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_add_val’:
broccoli_intern_wrap.c:4716: warning: assignment discards qualifiers
from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_set_val’:
broccoli_intern_wrap.c:4786: warning: assignment discards qualifiers
from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_event_registry_add_compact’:
broccoli_intern_wrap.c:4988: warning: assignment from incompatible
pointer type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_add_val’:
broccoli_intern_wrap.c:5849: warning: assignment discards qualifiers
from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_nth_val’:
broccoli_intern_wrap.c:6004: warning: assignment discards qualifiers
from pointer target type
broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_named_val’:
broccoli_intern_wrap.c:6075: warning: assignment discards qualifiers
from pointer target type
error: command 'gcc' failed with exit status 1
[sychan@panopticon python]$
The first error "broccoli_intern_wrap.c:2762: error: expected
declaration specifiers or ‘...’ before ‘BroEvMeta’" references this:
// C-level event handler for events. We register all events with this callback,
// passing the target Python function in via data.
void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
{
...
I don't see any declaration for the BroEvMeta type anywhere. There's a
reference to this type in
http://svn.icir.org/bro/trunk/bro/aux/broccoli/test/broping.c in the
bro_pong_compact() declaration:
static void bro_pong_compact(BroConn *conn, void *data, BroEvMeta *meta)
However, the signature in my version of broping is:
static void bro_pong_compact(BroConn *conn, void *data, int num_args, BroEvArg *args)
I'm guessing that things have changed since the 1.3.2 release and that
the python bindings are against the current code base. Is that true?
Do I need to download the latest bro source tree via subversion to use
the python bindings?
Steve
Hi, I have some problems using Bro (offline). When I set a policy on Bro to
scan a dump file, I get these warnings:
/usr/local/bro/policy//scan.bro, line 92: warning: no such host:
j5004.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 92: warning: no such host:
j5005.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host:
j5006.inktomisearch.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host:
j100.inktomi.com
/usr/local/bro/policy//scan.bro, line 93: warning: no such host:
j101.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host:
j3002.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host:
si3000.inktomi.com
/usr/local/bro/policy//scan.bro, line 94: warning: no such host:
si3001.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host:
si3002.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host:
si3003.inktomi.com
/usr/local/bro/policy//scan.bro, line 95: warning: no such host:
si4000.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host:
si4001.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host:
si4002.inktomi.com
/usr/local/bro/policy//scan.bro, line 96: warning: no such host:
wm3018.inktomi.com
Every time I get these warnings I also get some errors like:
/usr/local/bro/policy//ftp.bro, line 48: run-time error: error compiling
pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
and Bro doesn't create any log or alarm.
I don't understand this error. Can you help me?
I am setting up a Bro IDS running on FreeBSD 6.3 AMD64 (64-bit) with dual
quad-core processors.
Previous builds used ./configure
This build uses ./configure --enable-int64 --enable-shippedpcap
I am getting crashes with the title "bro: out of memory in new".
I am sending the debugger output for one of these crashes. Please advise of any
further information needed.
<snip>
#0 0x000000080131860c in kill () from /lib/libc.so.6
#1 0x000000080131749d in abort () from /lib/libc.so.6
#2 0x0000000000437302 in out_of_memory () at SSLInterpreter.cc:31
#3 0x0000000800fee45d in operator new () from /usr/lib/libstdc++.so.5
#4 0x000000000040e78c in std::vector<unsigned char, std::allocator<unsigned
char> >::reserve (this=0x303d168, __n=18446744071662796800) at
new_allocator.h:81
#5 0x0000000000429574 in binpac::SunRPC::RPC_Opaque::Parse (this=0x5449ca8,
t_begin_of_data=0x801459a00 "", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H",
t_byteorder=20022828) at rpc_pac.cc:538
#6 0x0000000000429e77 in binpac::SunRPC::RPC_OpaqueAuth::Parse
(this=0x5cd3eb8, t_begin_of_data=0x8014599fc "", t_end_of_data=0x801459a14
"G\bí\231\021Æ{H", t_byteorder=0) at rpc_pac.cc:611
#7 0x000000000042a103 in binpac::SunRPC::RPC_Call::Parse (this=0x5b9a0b8,
t_begin_of_data=0x8014599e4 "", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H",
t_context=0x3d67838, t_byteorder=0) at rpc_pac.cc:188
#8 0x000000000042b073 in binpac::SunRPC::RPC_Message::Parse
(this=0x552e040, t_begin_of_data=0x8014599dc "\v+4t",
t_end_of_data=0x801459a14 "G\bí\231\021Æ{H", t_context=0x3d67838) at
rpc_pac.h:155
#9 0x000000000042b1f4 in binpac::SunRPC::RPC_Flow::NewData (this=0x2f2f120,
t_begin_of_data=0x8014599dc "\v+4t", t_end_of_data=0x801459a14
"G\bí\231\021Æ{H") at rpc_pac.cc:1009
#10 0x000000000051f69d in RPC_UDP_Analyzer_binpac::DeliverPacket
(this=0x1772508, len=56, data=0x8014599dc "\v+4t", orig=44, seq=-2137894624,
ip=0x7fffffffdf38, caplen=0) at RPC.cc:608
#11 0x0000000000450073 in Analyzer::ForwardPacket (this=0x548d050, len=56,
data=0x8014599dc "\v+4t", is_orig=8, seq=-1, ip=0x7fffffffe480, caplen=64)
at Analyzer.cc:363
#12 0x000000000057396d in UDP_Analyzer::DeliverPacket (this=0x548d050,
len=56, data=0x8014599dc "\v+4t", is_orig=true, seq=-1, ip=0x7fffffffe480,
caplen=64) at UDP.cc:179
#13 0x000000000045fdef in Connection::NextPacket (this=0x5ff39ec,
t=3.8733205149138704e-317, is_orig=6, ip=0x2b0de40, len=64,
caplen=-2137894624, data=@0x7fffffffe3f0, record_packet=@0x7fffffffe3f8,
record_content=@0x7fffffffe3fc, hdr=0x80131862c, pkt=0x10d39 <Address
0x10d39 out of bounds>, hdr_size=0) at Conn.cc:241
#14 0x0000000000543a73 in NetSessions::DoNextPacket (this=0x133f7a8,
t=1216071185.658416, hdr=0x133f498, ip_hdr=0x7fffffffe480, pkt=0x8014599b2
"", hdr_size=14) at Sessions.cc:603
#15 0x0000000000543fe4 in NetSessions::NextPacket (this=0x133f7a8,
t=1216071185.658416, hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14,
pkt_elem=0x0) at Sessions.cc:294
#16 0x000000000050565e in net_packet_dispatch (t=1216071185.658416,
hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14, src_ps=0x133f458,
pkt_elem=0x0) at Net.cc:402
#17 0x000000000051233d in PktSrc::Process (this=0x133f458) at PktSrc.cc:211
#18 0x0000000000505d7e in net_run () at Net.cc:492
#19 0x00000000004344b1 in main (argc=9307256, argv=0x0) at main.cc:1008
(gdb)
<snip>
Thanks
Greg
______________________________________________________________________
Gregory Brown
Fermi National Accelerator Laboratory
Hi,
we are 3 students of the University of Milan (DTI - Crema): Paolo Tironi, Paolo
Bettini and Matteo Morato.
We are working on a project on Bro IDS.
We installed Bro by only running ./configure and make, and then we set
$ pwd
/home/christian/devel/bro
$ echo $BROPATH
/home/christian/devel/bro/policy:/home/christian/devel/bro/policy/sigs
Next, we set the BRO_DNS_FAKE environment variable.
Finally we ran Bro: $ ./src/bro -r trace1.tcpdump tcp scan alarm weird.
We have some problems:
bt bin # bro -r trace1.tcpdump tcp scan alarm weird dns
/usr/local/bro/policy/bro.init, line 1: warning: problem initializing
NB-DNS: connect(200.3.200.5): Network is unreachable
/usr/local/bro/policy/dns.bro, line 123: run-time error: error compiling
pattern /^?.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa)/
/usr/local/bro/policy/dns.bro, line 179: run-time error: error compiling
pattern /^?.*(\.)/
/usr/local/bro/policy/dns.bro, line 557: run-time error: error compiling
pattern /^?.*(\?(PTR|\*.*in-addr).*)/
/usr/local/bro/policy/dns.bro, line 571: run-time error: error compiling
pattern /^?.*(\?(PTR|\*.*in-addr).*)/
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
Is there anybody who can help me?
Hi,
Is there a script readily available to convert l7-filter signatures into Bro signatures?
l7-filter (kernel version) is said to use V8 regexps while Bro is said to follow flex regexps.
Thanks.
cj