We are just about ready to release Bro version 1.4. Prior to doing so,
we'd like to have some folks volunteer to try out a pre-release to catch
any lingering problems. If you're interested in doing so, reply privately
to me *and Robin Sommer (cc'd)* and we'll point you at the distribution.
Vern
(Note, I'm out of the office for several weeks, with limited email access,
which is why you should be sure to include Robin.)
I am trying to use ssl.bro, but every time I try to start bro I get the
following errors:
/usr/local/bro/etc/bro.rc --start
bro.rc: Starting .bro.rc: Failed to start Bro
listening on eth2
listening on eth3
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
1222451479.369347 <no location>
(3F:A4:71:FE:35:57:6C:5B:DD:01:39:99:92:30:84:2C:FF:3B:DB:6A:42:BB:33:88:3E:F7:8E:7F:F1:70:5D:55):
bad tag in Val::CONVERTER (string/table)
............ FAILED
/usr/local/bro/etc/bro.rc --start
bro.rc: Starting .bro.rc: Failed to start Bro
listening on eth2
listening on eth3
line 1: warning: event handlers never invoked:
line 1: warning: account_tried
1222451520.898128 <no location>
(74:92:51:04:2D:F2:72:40:9F:44:10:98:46:B9:29:6F:58:2F:94:64:1D:80:86:16:CB:0D:3B:3C:EE:9A:8D:F5):
bad tag in Val::CONVERTER (string/table)
............ FAILED
Any ideas? I am using bro 1.3.2
Thanks
I have read the whole Bro Reference Manual and other documents on www.bro-ids.org.
Bro runs normally when using a policy. I know how to write a
signature, but these signatures have never been matched. I have used
local.lite.bro to activate the Signature Engine, but signature.log is
empty even with the simplest signature. I didn't find the reason.
Can someone help me?
Thanks!
eyoung
I ran the two bro versions with 6 tcpdump files and registered the
differences in the following table:
weird event                       tcpdumpfile1  tcpdumpfile2  tcpdumpfile3  tcpdumpfile4  tcpdumpfile5  tcpdumpfile6
(count in 1.2 - count in 1.4)
spontaneous_RST                   15-1          4-3           4-1           11-19         32-1          56-1
spontaneous_FIN                   10-1          8-0           9-0           85-55         25-2          71-1
window_recision                   26-26         29-29         0-0           48-48         0-0           52-52
SYN_seq_jump                      1-1           0-0           0-0           1-1           0-0           0-0
SYN_inside_connection             1-1           0-0           0-0           0-0           0-0           0-0
active_connection_reuse           1-0           0-0           0-0           0-0           0-0           0-0
unsolicited_SYN_response          1-0           7-7           0-0           1-1           0-0           0-0
SYN_after_close                   0-1           0-0           0-0           0-0           0-0           0-0
above_hole_data_without_any_acks  0-0           1-1           0-0           0-0           0-0           0-0
data_before_established           0-0           0-0           0-0           1-1           0-0           0-0
So, the difference is essentially around the spontaneous_RST and spontaneous_FIN
weird events. The dump files are for web-browsing-only traffic. I don't know if
this has any practical interest, but that's what I get using bro-1.4prerelease for
this very small sample and very limited set of network protocols.
The command line I use:
export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
/usr/local/bro-1.2.1/bin/bro -r tcpdumpfile
The same for bro-1.4prerelease, but here the bro environment is set up for
the directories where the policy and sig files are:
/usr/local/bro1.4prerelease/share/bro:/usr/local/bro1.4prerelease/share/bro/sigs
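An added example (not code from this thread or from Bro) that tabulates weird-event counts from two runs the way the table above does. It assumes a weird.log line ends with the weird name, and the log lines below are constructed sample data:

```python
# Added example: count weird events per type in two Bro runs and tabulate the
# old-new difference, as the post above did by hand.  The log line layout is an
# assumption modelled on Bro 1.x weird.log; the lines themselves are constructed.
from collections import Counter

OLD_WEIRD_LOG = """\
1222451479.369347 10.0.0.5/49152 > 192.0.2.10/http: spontaneous_RST
1222451480.100000 10.0.0.5/49153 > 192.0.2.10/http: spontaneous_RST
1222451481.200000 10.0.0.5/49154 > 192.0.2.11/http: spontaneous_FIN
1222451482.300000 10.0.0.5/49155 > 192.0.2.11/http: window_recision
1222451483.400000 10.0.0.5/49156 > 192.0.2.12/http: window_recision
"""

NEW_WEIRD_LOG = """\
1222451479.369347 10.0.0.5/49152 > 192.0.2.10/http: spontaneous_RST
1222451482.300000 10.0.0.5/49155 > 192.0.2.11/http: window_recision
1222451483.400000 10.0.0.5/49156 > 192.0.2.12/http: window_recision
1222451484.500000 10.0.0.5/49157 > 192.0.2.12/http: SYN_seq_jump
"""

def count_weirds(log_text):
    """Count weird names; assumes the weird name is the last token on a line."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:          # skip blank or malformed lines
            continue
        counts[parts[-1]] += 1
    return counts

def diff_weirds(old_counts, new_counts):
    """Return {weird_name: (old_count, new_count)} for names seen in either run."""
    names = set(old_counts) | set(new_counts)
    return {n: (old_counts.get(n, 0), new_counts.get(n, 0)) for n in names}

def changed_weirds(table):
    """Weird names whose counts differ, largest absolute change first."""
    return sorted((n for n, (o, w) in table.items() if o != w),
                  key=lambda n: abs(table[n][0] - table[n][1]), reverse=True)

if __name__ == "__main__":
    table = diff_weirds(count_weirds(OLD_WEIRD_LOG), count_weirds(NEW_WEIRD_LOG))
    for name in sorted(table):
        old, new = table[name]
        print(f"{name:32s} {old}-{new}")
```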
hi all!
When I used Dynamic Protocol Detection, I found that I can't activate the event handler
http_request. If use_dpd is commented out, the event can be activated.
Below is my process in detail. The bro version is 1.2.1-stable.
The cmd line is: src/bro -d -r (pcap) http_lite.bro
case 1:
comment const use_dpd = T in http_lite.bro
Policy file debugging ON.
set breakpoint at http-request.bro:http_request
Then input c cmd, bro can hit breakpoint http_request.
case 2:
uncomment const use_dpd = T in http_lite.bro
set breakpoint at http-request.bro:http_request and
detect-protocols-http.bro:http_request.
Then input c cmd, bro hit neither and finish.
Could someone tell me the reason?
Thanks very much!
Regards
eyoung
hi, all:
I'm a newcomer. I have read the documents about bro. I want to perform
off-line analysis using -r, but I don't know how to activate the signature
engine.
Could somebody tell me how to use the signature engine in bro?
Thanks very much!
eyoung
Some facts derived from the testing of bro-1.4prerelease:
First, I run bro on a Debian Linux PPC workstation, which I use for
web browsing (ADSL connection) and offline use (for several purposes).
I capture the traffic with tcpdump and bro does the analysis of the
captured traffic. As only the related http traffic services/ports
are enabled, it's not an especially rich test. Anyway, I get far
fewer weird events (I have never had more troublesome notices)
than when I do the analysis of the same files with bro-1.2.1.
As weird events are generally considered traffic that "should never
happen", shouldn't both versions signal approximately the same number
of weird events?
The compiling of bro-1.4prerelease on the above system (Debian testing)
went normally; I got some compiler warnings but at first sight
the usual harmless ones.
As I run both bro versions on the same files I get warnings like these:
line 1: run-time error: wrong data format, expected version 13 but got
version 18
(running bro-1.2.1)
line 1: run-time error: wrong data format, expected version 18 but got
version 13
(running bro-1.4prerelease)
It seems related to the use of both versions of bro in the same
computer session.
When I do bro -r tcpdumpcapturefile backdoor.bro I get
(using 1.4release):
line 1: warning: event handlers never invoked:
line 1: warning: Drop::restore_dropped_address
When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.
(using 1.4release).
I am trying to install BRO-1.3.2 and I get the following error when I run
./configure:
checking for union semun... no
checking for struct sembuf... yes
checking for struct sockaddr_in.sin_len... no
checking for long long... yes
checking size of long long... configure: error: cannot compute sizeof (long
long), 77
I can install version 1.2 without problems. Does anyone know how to solve
this error? The error also happens with 1.4.
Thanks,
Jimbo