Hi,
I just started using Bro for offline traffic analysis. I don't know which
timers to tune to make the analysis of traces go faster. On some of the traces,
the analysis never finishes, and it is like Bro is waiting for some timer to
expire.
Any help?
kevin
Good Day,
My empty reports problem has been resolved; however, I am trying to dig
a bit deeper into the site-report script error. An error is thrown if
the script is run with the summary_only variable set to 1 (the default).
The error says there is an undefined value as a SCALAR reference.
While the error can be avoided by setting the summary_only variable to
0, you then will not get full reports generated.
The error seems to be that several variables containing the reportable
data are not set due to the if-statement on line 492. This if
statement sets variables (header, incident_summ, incident_details,
system_summ, scan_summ, signature_distribtution) only if summary_only
is set to 0. I do not see any reason for this if statement and upon
removing it, I am able to get full reports rather than just the
summary. Does anyone who is more familiar with this script know why
that if-statement is there and if removing it will have any negative
consequences?
Cheers,
Edward
Good Day!
Setting up Bro on FreeBSD and noticing that the script to create
reports (/usr/local/scripts/site-report.pl) is generating empty
reports. The reports contain the expected formatting but no actual
data.
Not sure if this is relevant, but to run the script I did have to make
the change to the "summary_only" variable as suggested here:
http://tracker.icir.org/bro/ticket/54
Here is an example of the script's debug feedback:
hosta# /usr/local/scripts/site-report.pl -r 36 -d 3
report-start time: Thu Sep 24 00:00:30 2009 (1253750430)
report-end time: Fri Sep 25 12:00:30 2009 (1253880030)
Starting search for alarm files
List of alarm files which are within the time range ->
/nsm/bro/logs/alarm.hosta.09-09-25_15.58.20
Finished search for alarm files
Starting search for notice files
List of notice files which are within the time range ->
/nsm/bro/logs/notice.hosta.09-09-25_15.41.47
Finished search for notice files
Starting search for conn files
List of connection files which are within the time range ->
/nsm/bro/logs/conn.hosta.09-09-25_15.58.20-09-09-25_15.58.20
Finshed search for conn files
Starting processing of alarm files
Finished processing alarm files
Starting processing of conn file
/nsm/bro/logs/conn.hosta.09-09-25_15.58.20-09-09-25_15.58.20
Finished processing conn file
Generating report file: /nsm/bro/reports/my.domain.1253902342.90655.rpt
Any suggestions would be much appreciated.
Cheers!
E
Hi,
I get the following error when compiling bro:
$ make
$ g++ -fPIC -I/usr/include/python2.5 -c -I/usr/include/python2.5 -c patricia.c -o /traces/bro/aux/broctl/.python-build/temp.linux-x86_64-2.5/patricia.o
patricia.c: In function 'prefix_t* New_Prefix2(int, void*, int, prefix_t*)':
patricia.c:273: error: invalid conversion from 'void*' to 'prefix_t*'
patricia.c: In function 'patricia_tree_t* New_Patricia(int)':
patricia.c:417: error: invalid conversion from 'void*' to 'patricia_tree_t*'
patricia.c: In function 'void Clear_Patricia(patricia_tree_t*, void (*)())':
patricia.c:450: error: too many arguments to function
patricia.c: In function 'void patricia_process(patricia_tree_t*, void (*)())':
patricia.c:497: error: too many arguments to function
patricia.c: In function 'patricia_node_t* patricia_lookup(patricia_tree_t*, prefix_t*)':
patricia.c:686: error: invalid conversion from 'void*' to 'patricia_node_t*'
patricia.c:797: error: invalid conversion from 'void*' to 'patricia_node_t*'
patricia.c:849: error: invalid conversion from 'void*' to 'patricia_node_t*'
error: command 'g++' failed with exit status 1
How can I fix this?
diana
Dear All
I am just a beginner working with Bro IDS. This is a sample line of the conn.log file I have got as a result of running Bro on my capture file:
1235293253.403384 0.062331 79.127.0.27 81.31.174.213 http 51271 80 tcp ? 144 SHR X cc=1
The problem is I cannot interpret the time record (1235293253.403384). Can you please help me?
Best Regards
Laleh Arshadi
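The time record is seconds since the Unix epoch (1970-01-01 00:00:00 UTC), with the fraction giving microseconds. The following is an added example, not code from the post or from Bro: it decodes the quoted conn.log line into named fields and converts the start and end times to UTC. The field names are an assumption based on the classic whitespace-separated Bro 1.x conn.log layout; check them against the documentation of the Bro version in use.

```python
"""Decode one line of a Bro 1.x style conn.log (added example)."""
from datetime import datetime, timedelta, timezone

# Assumed column order of the classic conn.log (not taken from the post):
# start time, duration, originator, responder, service, ports, protocol,
# byte counts, connection state, locality flag, additional info.
FIELDS = ["start", "duration", "orig_ip", "resp_ip", "service",
          "orig_port", "resp_port", "proto", "orig_bytes", "resp_bytes",
          "state", "flags", "addl"]


def epoch_to_utc(ts: str) -> datetime:
    """Turn an epoch string such as '1235293253.403384' into a UTC datetime.

    The integer and fractional parts are handled separately so the
    microseconds are preserved exactly instead of going through a float.
    """
    secs, _, frac = ts.partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=micro)


def parse_conn_line(line: str) -> dict:
    """Split a conn.log line into named fields and decode the times.

    A byte count of '?' means Bro could not determine it (for instance when
    it never saw the originator's side of the connection); it becomes None.
    """
    parts = line.split()
    rec = dict(zip(FIELDS, parts))
    rec["addl"] = " ".join(parts[len(FIELDS) - 1:])  # everything after the flag
    rec["start_utc"] = epoch_to_utc(rec["start"])
    rec["end_utc"] = rec["start_utc"] + timedelta(seconds=float(rec["duration"]))
    for key in ("orig_bytes", "resp_bytes"):
        rec[key] = None if rec[key] == "?" else int(rec[key])
    return rec


# The sample line quoted in the post above.
SAMPLE = ("1235293253.403384 0.062331 79.127.0.27 81.31.174.213 http "
          "51271 80 tcp ? 144 SHR X cc=1")

if __name__ == "__main__":
    rec = parse_conn_line(SAMPLE)
    print(rec["start_utc"].isoformat(), "->", rec["end_utc"].isoformat())
    print({k: rec[k] for k in ("orig_ip", "resp_ip", "service", "state")})
```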
A quick heads-up for folks interested in learning more about using
Bro effectively: in addition to the Bro workshop next month, Vern
and I will also be giving a one-day Bro tutorial at this year's
ACSAC conference in Honolulu:
http://www.acsac.org/2009/program/tutorials/view.php?t=3
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Dear Members,
Is it possible to apply Bro on offline traffic? I already have some network traffic captured by tcpdump; can I feed this data to Bro & find the possible intrusions in that data? To be precise, I must note that the captured traffic has been collected from an Ethernet network and consists of the packet headers & the whole payload.
I thank you in advance for your help & appreciate your prompt reply.
Best Regards
Laleh Arshadi
Bro Workshop 2009, the 2nd.
===========================
The Bro team and the Lawrence Berkeley National Lab are pleased to
announce a further "Bro Workshop", a 2.5-day Bro training event that
will take place in Berkeley, CA, on October 13-15, 2009.
The workshop is primarily targeted at site security personnel
wishing to learn more about how Bro works, how to use its scripting
language and how to generally customize the system based on a site's
local policy.
Similar to previous workshops, the agenda will be an informal mix of
tutorial-style presentations and hands-on lab sessions. No prior
knowledge about using Bro is assumed though attendees should be
familiar with Unix shell usage as well as with typical networking
tools like tcpdump and Wireshark.
All participants are expected to bring a Unix-based (Linux, Mac OS X,
FreeBSD) laptop with a working Bro configuration. We will provide
sample trace files to work with.
This workshop will again be hosted by the Lawrence Berkeley National
Lab, and it will be located at the Hotel Durant in Berkeley. We will
soon provide a web site with more detailed registration and location
information. To facilitate a productive lab environment, the number
of attendees will be limited to 30 people. A registration fee of
$125 will be charged.
We also expect to have time for 2-3 case-study presentations from
people using Bro in their environments. If you have something you
would like to talk about, please send me a mail.
Looking forward to a great workshop,
Robin