zeek July 2008

zeek@lists.zeek.org

12 participants
11 discussions

by Stephen Chan

From within an event handler, is there a generic way to find out the name of the event, and the names and types of the parameters that were passed to the event? The reason I'm asking is that I'd like a generic way to encapsulate events and send them to a broccoli listener, which is only requesting the "wrapper" events. The client would then unwrap it, and then figure out what to do with it based on it's local configuration (the particular thing I'd like to write is a broccoli listener that pushes events into a database). Ideally, there would be some function such as "whatamI()" that returned some representation of the calling handler's name, and name value pairs that corresponded to the parameters names and values. This could then be the parameter for the wrapper event, which is sent out to the listener. Has anyone tried to do this? A lot of the serialization stuff seems to exist already, so maybe the only new code would be something to peek under the hood of the call stack? Steve

13 years, 11 months

[Bro] IGMP analyzer

by uday chekuri

I am just wondering whether the IGMP analyzer is available in the new version of bro 1.3.2???

13 years, 11 months

[Bro] Multiple interfaces

by Adayadil Thomas

Greetings. Can bro (running as a single process) read packets (monitor traffic) from multiple interfaces (say eth0 and eth1) ? Thanks

13 years, 11 months

[Bro] Using snort2bro

by Paolo Tironi

Hi, i can't use snort2bro. I follow the wiky instruction ( http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#snort2bro) but it say: snort2bro command not found. I know that it has to be already installed with bro, but if i give "locate snort2bro", i can't find it. How can i use it? thanks Paolo Tironi

13 years, 11 months

[Bro] Errors while building pybroccoli?

by Stephen Chan

Hi, I just checked out the python bindings for broccoli and tried building it against Bro 1.3.2 using the suggested "python setup.py install". I am using python 2.4.3 and gcc 4.1.2 on CentOS 5 Unfortunately the build just results in a few screens of compilation errors and warnings. Looking at the Makefile, I decided to try regenerating the swing bindings and running setup.pu again. This cut down the number of errors to only a single screenful. Here's what I'm getting: [sychan@panopticon python]$ python setup.py install running install running build running build_py creating build creating build/lib.linux-i686-2.4 copying broccoli.py -> build/lib.linux-i686-2.4 running build_ext building '_broccoli_intern' extension creating build/temp.linux-i686-2.4 gcc -pthread -fno-strict-aliasing -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -fPIC -fPIC -I/usr/include/python2.4 -c broccoli_intern_wrap.c -o build/temp.linux-i686-2.4/broccoli_intern_wrap.o broccoli_intern_wrap.c:2504: warning: useless storage class specifier in empty declaration broccoli_intern_wrap.c: In function ‘valToPyObj’: broccoli_intern_wrap.c:2595: warning: pointer targets in passing argument 1 of ‘PyString_FromStringAndSize’ differ in signedness broccoli_intern_wrap.c: In function ‘pyObjToVal’: broccoli_intern_wrap.c:2681: warning: pointer targets in assignment differ in signedness broccoli_intern_wrap.c: At top level: broccoli_intern_wrap.c:2762: error: expected declaration specifiers or ‘...’ before ‘BroEvMeta’ broccoli_intern_wrap.c: In function ‘event_callback’: broccoli_intern_wrap.c:2767: error: ‘meta’ undeclared (first use in this function) broccoli_intern_wrap.c:2767: error: (Each undeclared identifier is reported only once broccoli_intern_wrap.c:2767: error: for each function it appears in.) broccoli_intern_wrap.c: In function ‘_wrap_bro_event_add_val’: broccoli_intern_wrap.c:4716: warning: assignment discards qualifiers from pointer target type broccoli_intern_wrap.c: In function ‘_wrap_bro_event_set_val’: broccoli_intern_wrap.c:4786: warning: assignment discards qualifiers from pointer target type broccoli_intern_wrap.c: In function ‘_wrap_bro_event_registry_add_compact’: broccoli_intern_wrap.c:4988: warning: assignment from incompatible pointer type broccoli_intern_wrap.c: In function ‘_wrap_bro_record_add_val’: broccoli_intern_wrap.c:5849: warning: assignment discards qualifiers from pointer target type broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_nth_val’: broccoli_intern_wrap.c:6004: warning: assignment discards qualifiers from pointer target type broccoli_intern_wrap.c: In function ‘_wrap_bro_record_set_named_val’: broccoli_intern_wrap.c:6075: warning: assignment discards qualifiers from pointer target type error: command 'gcc' failed with exit status 1 [sychan@panopticon python]$ The first error "broccoli_intern_wrap.c:2762: error: expected declaration specifiers or ‘...’ before ‘BroEvMeta’" references this: // C-level event handler for events. We register all events with this callback, // passing the target Python function in via data. void event_callback(BroConn *bc, void *data, BroEvMeta *meta) { ... I don't see any declaration for the BroEvMeta type anywhere. There's a reference to this type in http://svn.icir.org/bro/trunk/bro/aux/broccoli/test/broping.c in the bro_pong_compact() declaration: static void bro_pong_compact(BroConn *conn, void *data, BroEvMeta *meta) However signature in my version of the broping is: static void bro_pong_compact(BroConn *conn, void *data, int num_args, BroEvArg *args) I'm guessing that things have changed since the 1.3.2 release and that the python bindings are against the current code base. Is that true? Do I need to download the latest bro source tree via subversion to use the pythong bindings? Steve

13 years, 11 months

[Bro] many error with bro policy

by Paolo Tironi

Hi, I've some problems using bro (offline). When I set a policy on bro to scan a dump file it happens I have this warnings: /usr/local/bro/policy//scan.bro, line 92: warning: no such host: j5004.inktomisearch.com /usr/local/bro/policy//scan.bro, line 92: warning: no such host: j5005.inktomisearch.com /usr/local/bro/policy//scan.bro, line 93: warning: no such host: j5006.inktomisearch.com /usr/local/bro/policy//scan.bro, line 93: warning: no such host: j100.inktomi.com /usr/local/bro/policy//scan.bro, line 93: warning: no such host: j101.inktomi.com /usr/local/bro/policy//scan.bro, line 94: warning: no such host: j3002.inktomi.com /usr/local/bro/policy//scan.bro, line 94: warning: no such host: si3000.inktomi.com /usr/local/bro/policy//scan.bro, line 94: warning: no such host: si3001.inktomi.com /usr/local/bro/policy//scan.bro, line 95: warning: no such host: si3002.inktomi.com /usr/local/bro/policy//scan.bro, line 95: warning: no such host: si3003.inktomi.com /usr/local/bro/policy//scan.bro, line 95: warning: no such host: si4000.inktomi.com /usr/local/bro/policy//scan.bro, line 96: warning: no such host: si4001.inktomi.com /usr/local/bro/policy//scan.bro, line 96: warning: no such host: si4002.inktomi.com /usr/local/bro/policy//scan.bro, line 96: warning: no such host: wm3018.inktomi.com Everytime I have this warnings I have also some errors like: /usr/local/bro/policy//ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/ and bro don't create any log or alarm. I don't understand this error. Can you help me?

13 years, 11 months

[Bro] Bro crash with "bro: out of memory in new"

by Gregory Brown

I am setting up a Bro IDS running on Freebsd6.3 AMD64 64 bit dual quad-core processors. Previous builds using ./configure This build using ./configure --enable-int64 --enable-shippedpcap I am getting crashes with the title "bro: out of memory in new". I am sending the debuger output for one of these crashes. Please advise any further information needed. <snip> #0 0x000000080131860c in kill () from /lib/libc.so.6 #1 0x000000080131749d in abort () from /lib/libc.so.6 #2 0x0000000000437302 in out_of_memory () at SSLInterpreter.cc:31 #3 0x0000000800fee45d in operator new () from /usr/lib/libstdc++.so.5 #4 0x000000000040e78c in std::vector<unsigned char, std::allocator<unsigned char> >::reserve (this=0x303d168, __n=18446744071662796800) at new_allocator.h:81 #5 0x0000000000429574 in binpac::SunRPC::RPC_Opaque::Parse (this=0x5449ca8, t_begin_of_data=0x801459a00 "", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H", t_byteorder=20022828) at rpc_pac.cc:538 #6 0x0000000000429e77 in binpac::SunRPC::RPC_OpaqueAuth::Parse (this=0x5cd3eb8, t_begin_of_data=0x8014599fc "", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H", t_byteorder=0) at rpc_pac.cc:611 #7 0x000000000042a103 in binpac::SunRPC::RPC_Call::Parse (this=0x5b9a0b8, t_begin_of_data=0x8014599e4 "", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H", t_context=0x3d67838, t_byteorder=0) at rpc_pac.cc:188 #8 0x000000000042b073 in binpac::SunRPC::RPC_Message::Parse (this=0x552e040, t_begin_of_data=0x8014599dc "\v+4t", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H", t_context=0x3d67838) at rpc_pac.h:155 #9 0x000000000042b1f4 in binpac::SunRPC::RPC_Flow::NewData (this=0x2f2f120, t_begin_of_data=0x8014599dc "\v+4t", t_end_of_data=0x801459a14 "G\bí\231\021Æ{H") at rpc_pac.cc:1009 #10 0x000000000051f69d in RPC_UDP_Analyzer_binpac::DeliverPacket (this=0x1772508, len=56, data=0x8014599dc "\v+4t", orig=44, seq=-2137894624, ip=0x7fffffffdf38, caplen=0) at RPC.cc:608 #11 0x0000000000450073 in Analyzer::ForwardPacket (this=0x548d050, len=56, data=0x8014599dc "\v+4t", is_orig=8, seq=-1, ip=0x7fffffffe480, caplen=64) at Analyzer.cc:363 #12 0x000000000057396d in UDP_Analyzer::DeliverPacket (this=0x548d050, len=56, data=0x8014599dc "\v+4t", is_orig=true, seq=-1, ip=0x7fffffffe480, caplen=64) at UDP.cc:179 #13 0x000000000045fdef in Connection::NextPacket (this=0x5ff39ec, t=3.8733205149138704e-317, is_orig=6, ip=0x2b0de40, len=64, caplen=-2137894624, data=@0x7fffffffe3f0, record_packet=@0x7fffffffe3f8, record_content=@0x7fffffffe3fc, hdr=0x80131862c, pkt=0x10d39 <Address 0x10d39 out of bounds>, hdr_size=0) at Conn.cc:241 #14 0x0000000000543a73 in NetSessions::DoNextPacket (this=0x133f7a8, t=1216071185.658416, hdr=0x133f498, ip_hdr=0x7fffffffe480, pkt=0x8014599b2 "", hdr_size=14) at Sessions.cc:603 #15 0x0000000000543fe4 in NetSessions::NextPacket (this=0x133f7a8, t=1216071185.658416, hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14, pkt_elem=0x0) at Sessions.cc:294 #16 0x000000000050565e in net_packet_dispatch (t=1216071185.658416, hdr=0x133f498, pkt=0x8014599b2 "", hdr_size=14, src_ps=0x133f458, pkt_elem=0x0) at Net.cc:402 #17 0x000000000051233d in PktSrc::Process (this=0x133f458) at PktSrc.cc:211 #18 0x0000000000505d7e in net_run () at Net.cc:492 #19 0x00000000004344b1 in main (argc=9307256, argv=0x0) at main.cc:1008 (gdb) <snip> Thanks Greg ______________________________________________________________________ Gregory Brown Fermi National Accelerator Laboratory

13 years, 11 months

[Bro] can't compile BRO policy

by Paolo Tironi

Hi, we are 3 students of University of Milan (DTI - Crema): Paolo Tironi, Paolo Bettini and Matteo Morato. We study for a project on Bro IDS. We install BRO only running ./configure and make, and then we setted $ pwd /home/christian/devel/bro $ echo $BROPATH /home/christian/devel/bro/policy:/home/christian/devel/bro/policy/sigs Next, we setted the BRO_DNS_FAKE environment variable. Finally we runned BRO: $ ./src/bro -r trace1.tcpdump tcp scan alarm weird. We have some problems: bt bin # bro -r trace1.tcpdump tcp scan alarm weird dns /usr/local/bro/policy/bro.init, line 1: warning: problem initializing NB-DNS: connect(200.3.200.5): Network is unreachable /usr/local/bro/policy/dns.bro, line 123: run-time error: error compiling pattern /^?.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa)/ /usr/local/bro/policy/dns.bro, line 179: run-time error: error compiling pattern /^?.*(\.)/ /usr/local/bro/policy/dns.bro, line 557: run-time error: error compiling pattern /^?.*(\?(PTR|\*.*in-addr).*)/ /usr/local/bro/policy/dns.bro, line 571: run-time error: error compiling pattern /^?.*(\?(PTR|\*.*in-addr).*)/ line 1: warning: event handlers never invoked: line 1: warning: account_tried Is there anybody who can help me?

13 years, 11 months

[Bro] To convert l7-filter signatures to Bro signatures

by Chi-Jiun Su

Hi, Is there a script readily available to convert l7-filter signatures into Bro signatures? l7-filter (kernel version) said to use V8 regexps while Bro is said to follow flex regexp. Thanks. cj _________________________________________________________________ Need to know now? Get instant answers with Windows Live Messenger. http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_W…

13 years, 11 months

[Bro] Bro build failure. Help needed.

by Adayadil Thomas

Greetings. I have downloaded bro 1.3.2 version. I am getting these errors while building it. Any help is much appreciated. System Info: Linux 2.4.27 gcc version 2.95.4 g++ -v Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.4/specs gcc version 2.95.4 20011002 (Debian prerelease) ./configure --disable-broccoli --enable-debug make Generating code for SMB_transaction Generating code for SMB_transaction_secondary Generating code for SMB_transaction_response Generating code for SMB_get_dfs_referral Generating code for SMB_MailSlot_message Generating code for SMB_MailSlot_command Generating code for SMB_MailSlot_host_announcement Generating code for SMB_MailSlot_announcement_request Generating code for SMB_MailSlot_request_election Generating code for SMB_MailSlot_get_backup_list_request Generating code for SMB_MailSlot_get_backup_list_response Generating code for SMB_MailSlot_domain_announcement Generating code for SMB_MailSlot_local_master_announcement Generating code for SMB_Pipe_message Generating code for SMB_RAP_message make all-am make[3]: Entering directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no \ depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo './'`DNS-binpac.cc source='HTTP-binpac.cc' object='HTTP-binpac.o' libtool=no \ depfile='.deps/HTTP-binpac.Po' tmpdepfile='.deps/HTTP-binpac.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o HTTP-binpac.o `test -f 'HTTP-binpac.cc' || echo './'`HTTP-binpac.cc source='main.cc' object='main.o' libtool=no \ depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o main.o `test -f 'main.cc' || echo './'`main.cc source='net_util.cc' object='net_util.o' libtool=no \ depfile='.deps/net_util.Po' tmpdepfile='.deps/net_util.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o net_util.o `test -f 'net_util.cc' || echo './'`net_util.cc g++ -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -DLIBDEST=\"/usr/local/bro/lib/\" -c ./util.cc ./util.cc: In function `double calc_next_rotate(double, const char *)': ./util.cc:951: implicit declaration of function `int strptime(...)' make[3]: *** [util.o] Error 1 make[3]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2' make: *** [all] Error 2 After a make clean and make it stops at another point -- Generating code for SMB_transaction_secondary Generating code for SMB_transaction_response Generating code for SMB_get_dfs_referral Generating code for SMB_MailSlot_message Generating code for SMB_MailSlot_command Generating code for SMB_MailSlot_host_announcement Generating code for SMB_MailSlot_announcement_request Generating code for SMB_MailSlot_request_election Generating code for SMB_MailSlot_get_backup_list_request Generating code for SMB_MailSlot_get_backup_list_response Generating code for SMB_MailSlot_domain_announcement Generating code for SMB_MailSlot_local_master_announcement Generating code for SMB_Pipe_message Generating code for SMB_RAP_message make all-am make[3]: Entering directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' source='DNS-binpac.cc' object='DNS-binpac.o' libtool=no \ depfile='.deps/DNS-binpac.Po' tmpdepfile='.deps/DNS-binpac.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o DNS-binpac.o `test -f 'DNS-binpac.cc' || echo './'`DNS-binpac.cc source='HTTP-binpac.cc' object='HTTP-binpac.o' libtool=no \ depfile='.deps/HTTP-binpac.Po' tmpdepfile='.deps/HTTP-binpac.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o HTTP-binpac.o `test -f 'HTTP-binpac.cc' || echo './'`HTTP-binpac.cc source='main.cc' object='main.o' libtool=no \ depfile='.deps/main.Po' tmpdepfile='.deps/main.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o main.o `test -f 'main.cc' || echo './'`main.cc source='net_util.cc' object='net_util.o' libtool=no \ depfile='.deps/net_util.Po' tmpdepfile='.deps/net_util.TPo' \ depmode=gcc /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -DDEBUG -g -c -o net_util.o `test -f 'net_util.cc' || echo './'`net_util.cc g++ -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/src/DEV/athomas/IDS/bro/libpcap-0.9.8 -I../linux-include -g -DDEBUG -W -Wall -Wno-unused -DLIBDEST=\"/usr/local/bro/lib/\" -c ./util.cc ./util.cc: In function `double calc_next_rotate(double, const char *)': ./util.cc:951: implicit declaration of function `int strptime(...)' make[3]: *** [util.o] Error 1 make[3]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/opt/src/DEV/athomas/IDS/bro/bro-1.3.2' make: *** [all] Error 2

13 years, 11 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2008