Hi all,
I am using Bro 1.4 stable on Linux and I'm having problems with
Broccoli. On one machine with Ubuntu, everything works fine. But on
another machine with a custom Linux distribution, I have problems
connecting to Bro. The behaviour is not very consistent.
My configure options are --without-openssl --disable-select-loop and
--enable-debug.
After compilation, I run in one terminal:
$ src/bro -i eth0 -C aux/broccoli/test/broping.bro
And in a second terminal:
$ aux/broccoli/test/broping -c 1
Most of the time, this fails and the error message is:
"Could not connect to Bro at 127.0.0.1:47758."
The TCP connection, however, is fully established, as I can verify with
tcpdump. The client is the one who sends the first FIN to tear the
connection down.
Sometimes the connection can be established. Attached you will find the
remote.log of a successful (first) and an unsuccessful attempt. It looks
like the handshake could not be completed.
I further tried to debug by running
$ aux/broccoli/test/broping -d -c 1
or
$ strace aux/broccoli/test/broping -c 1
but in both cases, it was not possible to reproduce the error.
It looks like some kind of race condition. Does anyone have an
explanation for this behaviour or a clue about what the cause could be?
In case you need more information, just let me know.
Regards,
Fabian
libc 2.9
libm 2.9
Linux 2.6.26
i686
Hi everyone
I am new to Bro IDS 1.4. I have tried to install it on a CentOS platform. At the beginning it was difficult; however, I managed to install it with these instructions:
./configure
make
make install
make install-brolite
bro-lite did a very good job. It created all the directories in the Bro home directory /usr/local/bro:
[bro@localhost bro]$ ls
archive bin etc include lib logs reports scripts share site var
The problem I am facing is that when I try to start Bro using the bro.rc file with {BROHOME}/etc/bro.rc start, it fails and gives me this error:
[bro@localhost ~]$ /usr/local/bro/etc/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
line 1: error: can't open localhost.localdomain.bro
... FAILED
Note: I have tried changing my hostname to localhost.localdomain.bro.
Any ideas? Please help.
Trying to compile Bro-1.4 on OpenSolaris062009 I get:
- from the configure script:
checking term.h presence... yes
configure: WARNING: term.h: present but cannot be compiled
configure: WARNING: term.h: check for missing prerequisite headers?
configure: WARNING: term.h: see the Autoconf documentation
configure: WARNING: term.h: section "Present But Cannot Be Compiled"
configure: WARNING: term.h: proceeding with the preprocessor's result
configure: WARNING: term.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for term.h... yes
- from make:
gcc -g -O2 -I/usr/lib/include -I/usr/include -L/usr/lib/lib -o hf hf.o
setsignal.o version.o -lz -lpcap -lpcap -lssl -lcrypto -lnsl -lsocket
-lpcap -ltermcap
Undefined                       first referenced
 symbol                             in file
_res                                hf.o  (symbol belongs to implicit dependency /lib/libresolv.so.2)
ld: fatal: symbol referencing errors. No output written to hf
collect2: ld returned 1 exit status
make[4]: *** [hf] Error 1
make[4]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux/hf'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/export/home/luca/Downloads/bro-1.4/aux'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/export/home/luca/Downloads/bro-1.4'
make: *** [all] Error 2
Has anyone tried to compile Bro on the same platform and got
the same issue? How do I get past this? I have libncurses
from sunfreeware.com.
P.S. Is it possible to convert Sun snoop dump files to libpcap format?
I tried with Wireshark on Linux, but there seems to be some
incompatibility between network interfaces (eth0 on Linux, rge0 on Solaris)
and Wireshark refuses to convert.
Is there another way to analyze snoop format files with Bro?
Thanks.
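Both file formats in the snoop question above are small and fully documented (snoop in RFC 1761, libpcap's classic savefile header), and neither stores an interface name, so a straight conversion has nothing to reconcile between eth0 and rge0. The converter below is an added example written for this thread; it is not code from the Bro project or from any poster, uses only the Python 3 standard library, and the two-frame Ethernet capture it builds for its own check is constructed inline (the ARP frame is made up). It maps only the snoop link types that have an exact libpcap DLT equivalent and refuses the others rather than guessing, and it walks records by their declared record length so the 4-byte padding snoop adds after odd-sized frames is skipped correctly.

```python
"""Convert a Sun snoop capture (RFC 1761) to a classic libpcap savefile (added example)."""
import struct
import sys

SNOOP_MAGIC = b"snoop\x00\x00\x00"
PCAP_MAGIC = 0xA1B2C3D4

# RFC 1761 datalink codes that have an exact libpcap DLT_* equivalent.
# HDLC, char sync, IBM channel-to-channel and "other" are refused rather than guessed.
SNOOP_TO_DLT = {
    0: 1,   # IEEE 802.3  -> DLT_EN10MB
    2: 6,   # IEEE 802.5  -> DLT_IEEE802 (token ring)
    4: 1,   # Ethernet    -> DLT_EN10MB
    8: 10,  # FDDI        -> DLT_FDDI
}


def parse_snoop(data):
    """Return (datalink, records); each record is (ts_sec, ts_usec, orig_len, packet)."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file (bad magic)")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 2:
        raise ValueError("unsupported snoop version %d" % version)
    records, off = [], 16
    while off < len(data):
        if off + 24 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        # Six big-endian 32-bit fields: original len, included len, record len, drops, sec, usec.
        orig_len, incl_len, rec_len, _drops, ts_sec, ts_usec = struct.unpack(
            ">IIIIII", data[off:off + 24])
        if rec_len < 24 + incl_len:
            raise ValueError("record length smaller than its payload at offset %d" % off)
        pkt = data[off + 24:off + 24 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, pkt))
        off += rec_len  # rec_len covers header, payload and the pad bytes to a 4-byte boundary
    return datalink, records


def snoop_to_pcap(data, snaplen=65535):
    """Return the bytes of a little-endian pcap savefile holding the snoop records."""
    datalink, records = parse_snoop(data)
    if datalink not in SNOOP_TO_DLT:
        raise ValueError("snoop datalink type %d has no pcap equivalent" % datalink)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, SNOOP_TO_DLT[datalink])]
    for ts_sec, ts_usec, orig_len, pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def build_snoop(datalink, packets):
    """Build a snoop file from (ts_sec, ts_usec, frame) tuples; used to construct test input."""
    out = [SNOOP_MAGIC, struct.pack(">II", 2, datalink)]
    for ts_sec, ts_usec, frame in packets:
        pad = (-len(frame)) % 4  # snoop pads every record to a 4-byte boundary
        out.append(struct.pack(">IIIIII", len(frame), len(frame), 24 + len(frame) + pad,
                               0, ts_sec, ts_usec))
        out.append(frame + b"\x00" * pad)
    return b"".join(out)


def read_pcap(data):
    """Minimal pcap reader used to check the conversion: returns (linktype, records)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        records.append((ts_sec, ts_usec, orig_len, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, records


# Constructed sample frames, not taken from any real capture.
# 42-byte broadcast ARP request: not a multiple of 4, so snoop pads the record by 2 bytes.
SAMPLE_ARP = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"            # Ethernet: dst, src, type=ARP
    "0001" "0800" "06" "04" "0001"                   # ARP: ether/IPv4, hlen 6, plen 4, request
    "001122334455" "c0a80001" "000000000000" "c0a80002")
# 60-byte frame with an IPv4 ethertype and zero-filled payload; already 4-byte aligned.
SAMPLE_IP = bytes.fromhex("001122334455" "665544332211" "0800") + b"\x45" + b"\x00" * 45


def demo():
    """Convert a constructed two-packet Ethernet snoop file and read the result back."""
    snoop = build_snoop(4, [(1255000000, 123456, SAMPLE_ARP),
                            (1255000001, 654321, SAMPLE_IP)])
    return read_pcap(snoop_to_pcap(snoop))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: snoop2pcap.py capture.snoop out.pcap
        with open(sys.argv[1], "rb") as f:
            converted = snoop_to_pcap(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(converted)
    else:
        lt, recs = demo()
        print("linktype %d, %d packets" % (lt, len(recs)))
```

The output is a plain pcap with DLT_EN10MB, which is what bro -r expects for Ethernet captures; the original and included lengths and the microsecond timestamps carry over unchanged.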
Prior to using broctl I was using a setup like this:
const phish_log = open_log_file("phish") &raw_output;

event bro_init()
    {
    print phish_log, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
    }
Now that I'm using broctl, it rotates the logs once a day to their new locations. My problem is that
when the file is rotated nothing re-adds the header.
I'm not sure what the best way to fix this is. I know I could disable the
rotate interval and go back to restarting bro everyday at midnight. Could
something like this work?
event rotate_interval(f: file) &priority=10
    {
    if ( f$name == "phish.log" )
        {
        print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
        }
    }
I'm thinking that if there was a file_opened event then that could be used
to handle both cases.
--
-- Justin Azoff
-- Network Performance Analyst
Are there any benefits or issues with running a bro cluster on a single machine
instead of in standalone mode? I'm thinking that running it in cluster mode
from the start may make it easier to move to a cluster configuration in the
future, but I'm concerned that it might add unnecessary overhead in the
meantime.
--
-- Justin Azoff
-- Network Performance Analyst
I'm a new learner of Bro, so I don't know it well yet. My question is: the policy script is used to decide what kind of behaviour is an intrusion, but what principle should I base that judgement on? If the answer is that Bro only provides a platform for users to detect intrusions according to their own philosophy, how does Bro do that in its original policy scripts?
Thanks a lot for your answer!
Can Bro's packet capture mechanism deal well with a 300 Mbps network?
We are going to use Bro at the gateway of our campus network, but we only have one PC of ordinary performance, so we want to know whether the way Bro captures packets will be efficient in our case.
The traffic on the network is about 300 Mbps. We don't know how many packets go through it per second yet, so it would be better if someone could tell me the best Bro can do on a single PC.
thanks a lot!
Has anyone worked on a policy for generating black-hole routes? I'd
like to set up an automatic process for feeding host routes directly
from bro into my quagga route server. I'm thinking a simple broccoli
script would do the trick, with some judicious use of expect to talk to
the quagga bgpd CLI. However, I'd like to build on others' experience,
and perhaps build something more generic we can all use.
Hi,
When I start Bro v1.5 pre-release (svn, 10 Oct 2009):
bro -r hacklu2009_jubrowska_capture1.pcap all
...
[sshd_conn_new] = 56,
[rewrite_dns_TXT_reply] = 56,
[NetFlow::flows] = 384,
[disable_event_group] = 56
}
Segmentation fault
Bro is compiled with IPv6 (no other flags).
linux fedora core 7 i386 2.6.23.17-88.fc7 (SMP)
version gcc 4.1.2 20070925 (Red Hat 4.1.2-27)
Do you need more information?
Regards
Rmkml
Crusoe-Researches.com
I have an application from which I invoke Bro with libpcap input
expected on stdin (using "-r -"). I then pipe packets to the stdin of
this process. It works well for small files.
For large files something goes wrong (it looks like the pipe going to
Bro's stdin backs up, or something).
I used to have problems with Bro not flushing to stdout, so I used
flush_all() after print statements in my Bro script and that seemed to work.
Is there a similar command to force Bro to read data from stdin?
Thank you
Greg Kosinovsky