Dear Mr. Paxson/Bro contributors,
My name is Daniela Miao, and I am currently a 3rd year Computer
Engineering Student at the University of Toronto. I have a couple of
questions regarding bro's current DNS parser, I hope this will not
take up too much of your time.
Being currently involved in a Bell Canada research project, I am
responsible for analyzing some DNS data traffic, captured in a pcap
file. I discovered Bro's DNS parser, which is rather robust, and
performs the exact operations that I need. However, I've run into some
problems with certain packets that contain DNS responses with errors.
I'm not sure what the exact problem is, but it seems that the bro
parser is having trouble recognizing all the returned error codes
(indicating "malformed packets", "no such name exists", "server
failure" etc.). I have attached a fragment of the log file to
illustrate my point; as you can see, all the responses containing
errors simply turn into "A requested domain name".
I suspect that I have to customize the parser a bit, so that it can
recognize all the error codes. However, since I'm not familiar with
the source code, I wanted to get some advice from you regarding this
problem, before I blindly dive in.
I apologize if you are not the correct person I should be contacting.
If you could provide some resources/other contacts from whom I can
gain some direction, or advice, I would be very thankful.
Thank you for your time. I hope you have a nice day.
Sincerely,
Daniela
Bro Community,
We have begun looking at the Bro NIDS here at MUSC so I have been working on setting up a cluster on some new security infrastructure equipment. We're running on RedHat Enterprise Linux 5.4, 64-bit with Bro 1.5.1 (latest current release on the bro-ids.org download page).
I compiled and setup the cluster and then started it up with "broctl start". My workers fired up and began collecting data from our network TAP. However, the worker with the TAP (worker-4) continues to "crash" repeatedly. If I issue a "broctl diag" it reveals a core dump.
I ran a gdb on the core file that was produced and got the same results as the diag output below.
Any ideas?
[BroControl] > status
Name Type Host Status Pid Peers Started
worker-4 worker zoyd4 crashed
manager manager bombe4 running 3693 4 26 Jan 15:35:54
proxy-1 proxy bombe4 running 3729 4 26 Jan 15:35:57
worker-1 worker sigma4 running 10799 2 26 Jan 15:35:59
worker-2 worker forensics4 running 21174 2 26 Jan 15:35:59
worker-3 worker reaper4 running 8954 2 26 Jan 15:35:59
[BroControl] > diag worker-4
[worker-4]
==== stderr.log
pcap bufsize = 8256
listening on eth1
/var/local/bro/share/broctl/scripts/run-bro: line 73: 2837 Segmentation fault (core dumped) nohup $tmpbro $@
==== stdout.log
==== .status
RUNNING [net_run]
==== No prof.log.
core.2837
Core was generated by `/var/local/bro/spool/tmp/bro -i eth1 -U .status -p broctl -p cluster -p local -'.
Program terminated with signal 11, Segmentation fault.
[New process 2837]
#0 FragReassembler::DeleteTimer (this=0x23219450) at Frag.h:62
62 void ClearReassembler() { f = 0; }
Thanks,
Scott Powell
Unix Systems Engineer / Information Security Analyst
Office of the CIO - Information Systems (OCIO-IS)
Medical University of South Carolina
powellsm(a)musc.edu
Hello Sites Using Bro,
We'd like to ask for your help. We're in the process of preparing a
major funding proposal for improving Bro, focused on: improving the
end-user experience (things like comprehensive documentation,
polishing rough edges, fixing bugs); and improving performance.
This looks like a potentially excellent opportunity. However, a
major element of winning the funding is convincingly demonstrating
to the funders that Bro is already well-established across a large &
diverse user community.
To develop that framing, we'd like to ask as many of you folks as
possible to fill out the small questionnaire below. Please send the
replies to Robin personally, not to the list (just replying to this
mail should do the right thing). Assuming sufficient feedback, we'll
post an anonymized summary to the list.
(Of course we already know about many of you, but collecting this
information more systematically will allow us to put together a
better overall view of the Bro community.)
Thanks a lot in advance,
Vern and Robin
--------- Please send to robin(a)icir.org -----------------------------
1. Name of deployment site [optional]:
2. We are using Bro
[ ] not yet, but we plan to
[ ] experimentally
[ ] operationally
3. We have done so for about _N_ years.
4. Our site is best described as
[ ] Academia
[ ] Research Lab
[ ] Government
[ ] Industry
[ ] Other (please explain)
5. In its current use, Bro monitors about _N_ systems.
6. Would you be fine with us listing your site by name as a Bro user?
[ ] Yes, however you wish.
[ ] Yes in private to the funders in your grant application, but not publicly.
[ ] No, please use this information only in an anonymized form.
7. Optionally, list up to three improvements you would like to see
in the "Bro world":
Hi Folks,
In BRO reports, if a hostname (PTR lookup) exceeds a certain amount of
characters, it gets truncated. Is there an option to turn the PTR
lookup off?
I have looked at the documentation and even the code and I am stumped.
Thanks for any pointers ;)
Greetings
>>> 1. Name of deployment site [optional]: Soleil IT Services, Inc.
>>>
>>> 2. We are using Bro
>>>
>>> [ ] not yet, but we plan to
>>> [X] experimentally
>>> [X] operationally
>>>
>>> 3. We have done so for about _6_ months.
>>>
>>> 4. Our site is best described as
>>>
>>> [ ] Academia
>>> [ ] Research Lab
>>> [ ] Government
>>> [X] Industry
>>> [X] Other (please explain) Federal agency in planning stage
>>>
>>> 5. In its current use, Bro monitors about _10_ systems along with
Sourcefire/SNORT.
>>>
>>> 6. Would you be fine with us listing your site by name as a Bro
user?
>>>
>>> [x] Yes, however you wish.
>>> [ ] Yes in private to the funders in your grant application,
but not publicly.
>>> [ ] No, please use this information only in an anonymized form.
>>>
>>> 7. Optionally, list up to three improvements you would like to see
>>> in the "Bro world":
>> 1) Better documentation
>> 2) Guidance on best practices
>> 3) Better Support for LINUX/OpenBSD
---
Very best regards,
---
Mr. Thuan V. Truong
Soleil IT Services, Inc
1568 Spring Hill Rd, Suite 201, McLean, VA 22102
Direct: (703) 861 1610, Fax: (703) 917 8881
Web: http://SOLEILit.com/
bro-request(a)ICSI.Berkeley.EDU wrote:
> Message: 1
> Date: Sat, 23 Jan 2010 18:16:41 +0800
> From: Kevin Lo <kevlo(a)kevlo.org>
> Subject: Re: [Bro] Poll: Bro deployments
> To: vsankar(a)foretell.ca
> Cc: bro(a)bro-ids.org, Vern Paxson <vern(a)icir.org>, Robin Sommer
> <robin(a)icir.org>
> Message-ID: <1264241801.23180.11.camel(a)srg.kevlo.org>
> Content-Type: text/plain; charset="us-ascii"
>
> On Tue, 2010-01-19 at 15:51 -0600, Vijay Sankar wrote:
>> Robin Sommer wrote:
>>> Hello Sites Using Bro,
>>> We'd like to ask for your help. We're in the process of preparing a
major funding proposal for improving Bro, focused on: improving the
end-user experience (things like comprehensive documentation,
>>> polishing rough edges, fixing bugs); and improving performance. This
looks like a potentially excellent opportunity. However, a major
element of winning the funding is convincingly demonstrating to the
funders that Bro is already well-established across a large & diverse
user community.
>>> To develop that framing, we'd like to ask as many of you folks as
possible to fill out the small questionnaire below. Please send the
replies to Robin personally, not to the list (just replying to this
mail should do the right thing). Assuming sufficient feedback, we'll
post an anonymized summary to the list.
>>> (Of course we already know about many of you, but collecting this
information more systematically will allow us to put together a better
overall view of the Bro community.)
>>> Thanks a lot in advance,
>>> Vern and Robin
>>> --------- Please send to robin(a)icir.org -----------------------------
1. Name of deployment site [optional]: ForeTell Technologies Limited
and two customer sites
>>> 2. We are using Bro
>>> [ ] not yet, but we plan to
>>> [X] experimentally
>>> [X] operationally
>>> 3. We have done so for about _3_ years.
>>> 4. Our site is best described as
>>> [ ] Academia
>>> [ ] Research Lab
>>> [ ] Government
>>> [X] Industry
>>> [X] Other (please explain) Customer Sites
>>> 5. In its current use, Bro monitors about _600_ systems.
>>> 6. Would you be fine with us listing your site by name as a Bro user?
>>> [ ] Yes, however you wish.
>>> [ ] Yes in private to the funders in your grant application, but
not publicly.
>>> [X] No, please use this information only in an anonymized form.
>>> 7. Optionally, list up to three improvements you would like to see
>>> in the "Bro world":
>> 1) Better documentation
>> 2) Guidance on best practices
>> 3) Better Support for OpenBSD
>
> Bro runs fine on OpenBSD. If you want to help, please test an updated
diff of bro that I sent on ports@ and feedback to me, thanks!
>
> http://marc.info/?l=openbsd-ports&m=126295957409387&w=2
>
> Kevin
>
>
>
I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.
I made the error disappear by changing avail=float(df[3]) to avail=float(df[3].strip("%"))
Thanks,
Nick Jones
# broctl cron
warning: removing stale lock
Traceback (most recent call last):
File "/usr/local/bro/bin/broctl", line 726, in ?
loop.onecmd(line)
File "/usr/lib64/python2.4/cmd.py", line 219, in onecmd
return func(arg)
File "/usr/local/bro/bin/broctl", line 341, in do_cron
cron.doCron()
File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 41, in doCron
_checkDiskSpace()
File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 150, in _checkDiskSpace
avail = float(df[3])
ValueError: invalid literal for float(): 2%
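The parsing fix described above, as an added example that is not part of broctl: it parses constructed POSIX `df -P` output (broctl's own df handling uses a different column layout) and shows why the raw "2%" token breaks `float()` and how stripping the percent sign makes the disk-space check work.

```python
"""Added example, not broctl's own code: parse POSIX `df -P` output and
flag filesystems that are nearly full, avoiding the ValueError that the
raw '2%' token caused in broctl 1.5.1's _checkDiskSpace."""

# Constructed `df -P` output (columns: Filesystem 1024-blocks Used
# Available Capacity Mounted on); values are made up for the example.
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1         51475068  50445680   1029388      98% /var/local/bro
tmpfs              2097152         0   2097152       0% /dev/shm
/dev/sdb1        488281250  14648437 473632813       3% /data
"""


def percent_used_buggy(token):
    """The original broctl logic: float() on the raw token such as '98%'."""
    return float(token)  # raises ValueError: invalid literal for float(): 98%


def percent_used(token):
    """Fixed version: drop surrounding blanks and the trailing '%' first."""
    return float(token.strip().rstrip("%"))


def parse_df(output):
    """Return a list of (mount_point, percent_used) from `df -P` output.
    The header line is skipped; `df -P` guarantees one row per filesystem."""
    rows = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed row: skip it rather than crash the cron job
        mount = " ".join(fields[5:])  # mount point may itself contain spaces
        rows.append((mount, percent_used(fields[4])))
    return rows


def check_disk_space(output, min_free_pct=10.0):
    """Mount points whose free space is below min_free_pct, i.e. the ones a
    cron-style disk check would warn about."""
    return [m for m, used in parse_df(output) if 100.0 - used < min_free_pct]


if __name__ == "__main__":
    for mount, used in parse_df(SAMPLE_DF):
        print("%-20s %5.1f%% used" % (mount, used))
    print("low on space:", check_disk_space(SAMPLE_DF))
```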
Hi all,
Has anyone out there written a generic xml and/or json parser for
Bro? I didn't see anything like that in the base or contributed
scripts.
Thanks!
Dan
Maybe this is fixed in SVN so I'll keep it short. The configure check
for bro1.5 doesn't verify that the python development libraries are
installed. I am running Ubuntu 9.10 x64. When running ./configure &&
make the following error pops up.
broccoli_intern_wrap.c:118:20: error: Python.h: No such file or directory
Installing the python-dev package on ubuntu allows me to compile but I
figure it'd be nice to add that check in the autoconf. Unfortunately I
don't know autoconf at all so I can't provide a patch which does that.
-Bryce
Hello,
I have looked at the documentation, wiki, and archive from the mailing
list, and some of the code, but I can't seem (perhaps overlooked) to
figure out how to disable PTR resolution in the site reports.
Depending on the category (bytes trans, top dest, etc) it has a
different "buffer" for each hostname and, in most cases, the PTR
record exceeds the buffer so you end up with an entry that is very
difficult to tie to an ip address for further investigation.
I am hoping some one has shared this same frustration and there is a
solution available.
Thanks for any insight!
Hi,
I downloaded the latest version of bro 1.5. On installation following
./configure --prefix=/usr/local/bro
make
sudo make install
sudo make install-brolite
towards the end of make install-brolite I got this
make[1]: Leaving directory `/root/products/bro-1.5.1/aux'
/bin/chown -R `cat scripts/bro_user_id` /usr/local/bro/
cat: scripts/bro_user_id: No such file or directory
/bin/chown: missing operand after `/usr/local/bro/'
Try `/bin/chown --help' for more information.
make: [install-brolite] Error 1 (ignored)
*********************************************************
Please run "/usr/local/bro/etc/bro.rc --start" to start bro
*********************************************************
Now I see that there is no file /usr/local/bro/etc/bro.rc. On searching the archives I see that other users have got the same problem and
that there is a patch file for an earlier version.
I am installing this on an Ubuntu installation version 8.10. Am I missing something here to solve this issue?
Thanks and Regards,
P Roy
--
Netzary InfoDynamics
"Making IT to Work for You"
website : http://www.netzary.com
hand Phone : +91 8088503811
telephone : +91 80 41738665
fax : +91 80 22075212