Bro Workshop 2009, the 2nd.
===========================
The Bro team and the Lawrence Berkeley National Lab are pleased to
announce a further "Bro Workshop", a 2.5-day Bro training event that
will take place in Berkeley, CA, on October 13-15, 2009.
The workshop is primarily targeted at site security personnel
wishing to learn more about how Bro works, how to use its scripting
language and how to generally customize the system based on a site's
local policy.
Similar to previous workshops, the agenda will be an informal mix of
tutorial-style presentations and hands-on lab sessions. No prior
knowledge about using Bro is assumed though attendees should be
familiar with Unix shell usage as well as with typical networking
tools like tcpdump and Wireshark.
All participants are expected to bring a Unix-based (Linux, Mac OS X,
FreeBSD) laptop with a working Bro configuration. We will provide
sample trace files to work with.
This workshop will again be hosted by the Lawrence Berkeley National
Lab, and it will be located at the Hotel Durant in Berkeley. We will
soon provide a web site with more detailed registration and location
information. To facilitate a productive lab environment, the number
of attendees will be limited to 30 people. A registration fee of
$125 will be charged.
We also expect to have time for 2-3 case-study presentations from
people using Bro in their environments. If you have something you
would like to talk about, please send me a mail.
Looking forward to a great workshop,
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
I am trying to get my first results with BRO. I am just running
mt.bro on an existing tcpdump file (containing some DNS data). My
exact command is "bin/bro -r dns.cap share/bro/mt.bro"
This command runs to completion without error and creates empty log
files for a number of policies loaded inside mt.bro. Also, if I put a
print statement inside mt.bro, I can see the output. However, if I
put print statements inside any of the functions defined in policies
loaded by mt.bro ("dns-lookup", "weird", etc.) I cannot see any
results -- presumably these policies have to be invoked. The scripts
I am modifying to try to see these results are in share/bro
(share/bro/weird.bro, share/bro/dns-lookup.bro, etc.).
It appears to be straightforward, but I must be missing something conceptually.
Thank you,
Greg
Hi,
I'm debugging a custom policy script that was causing Bro to use too
much memory. The script has been stripped down just to do some
logging and nothing more, but the memory usage is still pretty "high",
i.e., WAY higher than with conn.bro loaded, for instance.
The only particular thing the script is currently doing is just to
return local variables. Basically, I'm considering them similar to
pointers in C (but I might have misunderstood their semantics, though). For
instance, I have something like the following:
    # A custom record type that wraps (part of) a connection.
    type custom_conn_t: record {
        id: conn_id;
        # custom type involved here!
        ...
    };

    # Builds a custom_conn_t from a connection and returns it.
    # (Return type added so that the function may return a value.)
    function conn_init(c: connection): custom_conn_t
        {
        local __c: custom_conn_t;
        __c$id = c$id;
        # assign other __c's fields from c
        return __c;
        }

    # Creates the record and hands it to do_log (defined elsewhere).
    function foobar(c: connection)
        {
        local __c: custom_conn_t;
        __c = conn_init(c);
        do_log(__c);
        }

    # Event handler that triggers the record creation and logging.
    event X(c: connection)
        {
        foobar(c);
        }
I'm monitoring live-traffic so it's pretty hard to provide a
representative trace. However, conn.bro produces a low memory
footprint (~50MB over 3/4 hrs) and it gets stable pretty soon. The
aforementioned script reached 200MB in less time and it keeps
growing.
I'm just wondering what happens when I return __c in conn_init().
I'm expecting a new object to be created and the local one declared
in conn_init to be destroyed. Then, eventually, whenever the newly
created __c is not needed anymore (say, after do_log, or, however,
after event X returns), I'd expect it to be freed by the garbage
collector.
Or, is the object the same and just internal refcounts are increased or
decreased? If so, it shouldn't really make any difference as the refcount
should be going to 0 after X finishes.
However, I'm experiencing an (almost linear) increase in memory
consumption, and that's weird (bug?). Any idea?
TIA, bye
Lorenzo
--
Lorenzo `Gigi Sullivan' Cavallaro <sullivan(a)cs.ucsb.edu>
GPG key at http://www.cs.ucsb.edu/~sullivan/sullivan.asc
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
See the reality in your eyes, when the hate makes you blind. (A.H.X)
Dear Bro Developers:
I'm a student from Sun Yat-sen University in China. I'm mailing you with some questions about using Bro.
I'm now using Bro to analyze UDP network traffic flows. I've learned that Bro can trace TCP connections and has the event "tcp_packet" to get the TCP payload. However, it seems that Bro doesn't handle UDP flows well. (1) Are there different definitions for TCP and UDP connections? And (2) how do I get the payload of a UDP packet? I have noticed that the event "udp_content" may be the handler, but (3) I don't know how to invoke it.
Since UDP flows continue to increase on the Internet, I'm doing some analysis of them and need tools to handle them. And I think Bro should be a good one.
Looking forward to your reply.
Best Regards.
Sincerely Yours
Jasstin
16th, July
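Both Greg's message (print statements inside event handlers while replaying a trace) and Jasstin's (getting at UDP payloads) come down to the same pattern: write handlers for the events Bro generates and run the script against the trace. The following script is an added example by the editor, not code from any of the posters or from the Bro distribution. It assumes a Bro 1.x-era policy directory in which `@load dns` enables the DNS analyzer, the `udp_contents` event and the `udp_content_deliver_all_orig`/`udp_content_deliver_all_resp` switches exist with the names used here, and a trace file named dns.cap; the script name peek.bro is a placeholder.

```bro
# Added example (editor's own, not from the thread).
# Run it on a trace, e.g.:   bin/bro -r dns.cap peek.bro
# The trace name and the script name are placeholders.

@load dns     # assumed: standard script that turns on the DNS analyzer (port 53)

# Deliver the payload of every UDP packet, in both directions, to the
# udp_contents event. These are off by default because copying each
# payload into script land costs CPU and memory on live traffic.
redef udp_content_deliver_all_orig = T;
redef udp_content_deliver_all_resp = T;

# Per-name query counter and a running total of UDP payload bytes.
global queries: table[string] of count &default = 0;
global udp_bytes: count = 0;

# Generated once per DNS query the analyzer decodes.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    queries[query] = queries[query] + 1;
    print fmt("%s -> %s asked for %s (qtype %d)",
              c$id$orig_h, c$id$resp_h, query, qtype);
    }

# Generated per UDP packet carrying payload, once delivery is enabled above.
# is_orig tells which side sent it; contents is the raw payload.
event udp_contents(u: connection, is_orig: bool, contents: string)
    {
    udp_bytes = udp_bytes + |contents|;
    print fmt("udp %s:%s -> %s:%s %s %d bytes",
              u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p,
              is_orig ? "orig" : "resp", |contents|);
    }

# Runs after the trace has been fully processed.
event bro_done()
    {
    print fmt("%d distinct query names, %d UDP payload bytes",
              |queries|, udp_bytes);
    }
```

The handlers print only because they are attached to events that the trace actually generates; a print placed in a function that nothing calls (Greg's situation) never runs. On live traffic, enabling payload delivery for all UDP ports should be replaced by listing only the ports of interest in the corresponding `udp_content_delivery_ports_orig`/`udp_content_delivery_ports_resp` tables (assumed names), otherwise the script-level work grows with every UDP packet seen.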