John,
Thanks for the quick response.
> Not sure what Netscalar does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
That's what I'm finding strange. After running a tcpdump capture on
the interface and analyzing it with Wireshark, I do not see any 3-way
handshakes for this particular web application. For any HTTP GET that
I see in Wireshark that pertains to this application, when I "Follow
TCP Stream", the first entry in Wireshark is always the GET message
itself. For all other applications on the network, doing the above
results in the first entry being the SYN.
I've generated a few dumps with the same results. I wonder if the
load balancer is somehow keeping a session active for very long
periods (if this even makes sense).
If you have any suggestions or thoughts, I'd be very interested.
Thanks,
Bill
On Sat, Feb 6, 2010 at 12:51 PM, John Hally <JHally(a)ebscohost.com> wrote:
> Hi Bill,
>
> I've run BRO in the past with load balancers (Arrowpoint/Cisco CSS) and
> was able to see all traffic. In our setup we had 2 segments; a VIP
> access link and a services trunk link where the real/origin servers
> lived. Both of these links had physical network taps and it was as
> simple as plugging in the Ethernet, flipping the interface to
> UP/PROMISC, and starting BRO.
>
> With the CSS, even though the unit would handle the initial connection,
> it would 'snap' that over to the origin server it picked during load
> balancing so you would still see the tcp setup.
>
> Not sure what Netscalar does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
>
> Thoughts?
>
> Thanks.
>
> John.
>
> -----Original Message-----
> From: bro-bounces(a)ICSI.Berkeley.EDU
> [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Bill Jones
> Sent: Saturday, February 06, 2010 10:22 AM
> To: bro(a)ICSI.Berkeley.EDU
> Subject: [Bro] Load Balancers
>
> Hi everyone,
>
> I was curious if anyone has any experience running bro between
> load-balancers (such as Netscaler) and web applications. We are
> currently trying to get HTTP logs generated for a web application. We
> couldn't figure out why bro was not triggering the HTTP analyzer, but
> I now believe that this is because it is never seeing the original SYN
> + SYN/ACK for the conversation. When viewing the conversations in
> Wireshark, I can see that all the TCP streams for this particular
> application begin with the GET and do not include the initial 3-way
> handshake.
>
> Here is an entry in the conn.log for this stream which shows the states:
>
> 1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785
> 604140 OTH X DdAa
>
> Other web applications on the wire, which do have the 3-way handshake
> visible for all connections, seem to work just fine and I get http
> logs.
>
> My questions are:
>
> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?
>
> Is there a way to force bro to analyze the traffic even though there
> is no proper 3-way handshake visible?
>
>
> Thanks for your time,
> Bill
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
Is there a convenient way that I can suppress all weird messages that
would otherwise bubble up to the weird log?
I've done this
redef notice_action_filters += {
    [[Weird::WeirdActivity,
      Weird::ContentGap,
      Weird::RetransmissionInconsistency,
      Weird::AckAboveHole]] = ignore_notice
};
But I still get some weird messages that I need to suppress like this
redef Weird::weird_action: table[string] of Weird::WeirdAction += {
    [["above_hole_data_without_any_acks",
      "bad_TCP_checksum",
      "unmatched_HTTP_reply",
      "connection_originator_SYN_ack",
      "window_recision",
      "unescaped_special_URI_char",
      "bad_UDP_checksum",
      "data_before_established",
      "inflate_failed",
      "line_terminated_with_single_CR"
    ]] = Weird::WEIRD_IGNORE
};
Ideas?
Thanks,
-Tim
Hello all,
I am going to install bro on my system but I get the following error when running make:
FlowSrc.cc: In constructor `FlowSocketSrc::FlowSocketSrc(const char*)':
FlowSrc.cc:142: error: `errno' was not declared in this scope
FlowSrc.cc:150: error: `errno' was not declared in this scope
FlowSrc.cc: In member function `virtual int FlowFileSrc::ExtractNextPDU()':
FlowSrc.cc:171: error: `errno' was not declared in this scope
FlowSrc.cc:179: error: `errno' was not declared in this scope
FlowSrc.cc:185: error: `errno' was not declared in this scope
FlowSrc.cc: In constructor `FlowFileSrc::FlowFileSrc(const char*)':
FlowSrc.cc:217: error: `errno' was not declared in this scope
make[3]: *** [FlowSrc.o] Error 1
make[3]: Leaving directory `/root/Desktop/bro-1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/Desktop/bro-1.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/bro-1.4'
make: *** [all] Error 2
Would you please help me if you know what the problem is?
Regards,
Raoufeh
Can we use BRO to detect DDoS (SYN flooding attacks) at a router? If yes,
how? I had an internet trace obtained from CAIDA ISP-A. I have to detect
SYN flooding attacks in that trace. It is a PCAP file of 2GB. Please help me.
I have tried it with snort but was not successful.
Please help me. Thank you.
Regards,
Vijay M Khadse
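Two questions in this digest come down to the same check over a capture: the load-balancer thread above (TCP streams whose first visible packet is the GET, which Bro records with connection state OTH because it never saw the SYN) and the SYN-flood question here (many SYNs to one service that are never answered). The script below is an added example, not Bro code and not from any of the posters. It builds a small pcap in memory (constructed sample traffic; the 10.19.x.x addresses are borrowed from the conn.log line quoted above, the flood sources come from 192.0.2.0/24), parses it with a minimal Ethernet/IPv4/TCP decoder, and reports flows first seen mid-stream as well as services with more unanswered SYNs than an assumed threshold. The threshold value, the direction-independent flow key and the "SYN/ACK or RST from the service answers the SYN" rule are choices made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _ip(a):
    return bytes(int(x) for x in a.split("."))


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed test data; checksums left at 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp + payload


def build_pcap(frames, t0=1265389087.0):
    """Wrap frames in a little-endian, microsecond pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        ts = t0 + i * 0.01
        usec = int(round((ts - int(ts)) * 1e6))
        out.append(struct.pack("<IIII", int(ts), usec, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP frame in a pcap byte string."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Ethernet type 0x0800 (IPv4) and IP protocol 6 (TCP) only
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def flow_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a conversation map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def analyze(pcap, flood_threshold=10):
    """Return (flows whose first seen packet had no SYN, {(host, port): unanswered SYN count})."""
    first_flags = {}
    pending = defaultdict(set)  # (dst, dport) -> originators whose SYN has not been answered
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        first_flags.setdefault(flow_key(src, dst, sport, dport), flags)
        if flags & SYN and not flags & ACK:
            pending[(dst, dport)].add((src, sport))
        elif flags & RST or (flags & SYN and flags & ACK):
            # A SYN/ACK or RST coming back from the service answers the originator's SYN
            pending[(src, sport)].discard((dst, dport))
    midstream = [k for k, f in first_flags.items() if not f & SYN]
    floods = {svc: len(o) for svc, o in pending.items() if len(o) >= flood_threshold}
    return midstream, floods


def sample_pcap():
    """Constructed capture: one complete handshake, one mid-stream pickup, one SYN burst."""
    c, s = "10.19.120.12", "10.19.2.78"
    frames = [
        tcp_frame(c, s, 2232, 80, SYN),
        tcp_frame(s, c, 80, 2232, SYN | ACK),
        tcp_frame(c, s, 2232, 80, ACK),
        tcp_frame(c, s, 2232, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: app\r\n\r\n"),
        # Second client: the first frame on the wire is already the request, no handshake
        tcp_frame("10.19.120.13", s, 3344, 80, PSH | ACK, b"GET /app HTTP/1.1\r\n\r\n"),
    ]
    # Twelve SYNs from distinct sources that the server never answers
    frames += [tcp_frame("192.0.2.%d" % i, s, 40000 + i, 80, SYN) for i in range(1, 13)]
    return build_pcap(frames)


if __name__ == "__main__":
    midstream, floods = analyze(sample_pcap())
    for a, b in midstream:
        print("mid-stream (no SYN seen): %s:%d <-> %s:%d" % (a + b))
    for (host, port), n in floods.items():
        print("possible SYN flood: %d unanswered SYNs to %s:%d" % (n, host, port))
```

Pointing `analyze()` at the bytes of a real tcpdump file instead of `sample_pcap()` gives the same two lists for a live capture; a flow that lands in the mid-stream list is exactly the kind Bro reports as OTH and will not hand to the HTTP analyzer. For a 2 GB trace the per-flow dictionaries will grow with the number of distinct flows, so on that scale the pending-SYN set should be expired by time window rather than kept for the whole file.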
Bro Gurus,
I am having an issue with Bro and memory exhaustion. Currently I'm using click on a system with 8 x CPU cores to break up a network tap into three virtual interfaces (tap0, tap1 and tap2). I'm then running my Bro cluster on the same machine with three workers operating on different CPU cores and virtual interfaces. The system has 16G of physical RAM. After running for about 24 hours or so all of the physical RAM is exhausted and Bro begins to go after swap. I increased swap to 8GB but this is a never ending battle as Bro will eventually eat everything it can find and crash the system.
How do I go about diagnosing which scripts/policies are causing this, or if it is an internal memory leak somewhere? I have seen references to reduce-memory.bro and profile.bro in some of the Wiki and/or mailing list searches but these don't appear to be in the current 1.5.1 release.
I am running a large number of scripts from Seth Hall's script repository in addition to the ones that are enabled by default. Below are the policies I'm loading in local.bro:
@load alarm
@load notice
@load weird
@load dpd
@load detect-protocols
@load detect-protocols-http
@load dyn-disable
@load inactivity
@load dns
@load dns-lookup
@load finger
@load frag
@load ftp
@load icmp
@load hot
@load http-request
#@load http-reply
@load ident
@load irc
@load irc-bot
@load login
@load ntp
@load pop3
@load portmapper
@load scan
@load smtp
@load ssh
@load ssl
@load synflood
@load tcp
@load tftp
@load udp
@load worm
# Seth Hall Scripts
@load dns-passive-replication
@load http-identified-files
# Alternatives grouped so the leading "http://" and trailing "/" apply to every host
redef HTTP::ignored_urls = /^http:\/\/(www\.download\.windowsupdate\.com|download\.windowsupdate\.com|au\.download\.windowsupdate\.com|download\.microsoft\.com|office\.microsoft\.com)\//;
@load known-hosts
@load known-services
@load logging.dns-ext
@load logging.ftp-ext
@load logging.http-ext
@load logging.smtp-ext
@load logging.ssh-ext
@load smtp-ext-count-rejects
@load ssh-ext
@load ssl-ext
redef SSH::authentication_data_size = 4000;
Thanks,
Scott Powell
Unix Systems Engineer / Information Security Analyst
Office of the CIO - Information Systems (OCIO-IS)
Medical University of South Carolina
powellsm(a)musc.edu
(843) 792-6651
Hello everyone,
I am asking about this topic again, trying to clarify my questions (and my English). I
want to associate a summary of wrong fragments with the corresponding line in
the connection summary.
I made a script to count the different fragment problems triggered by the
flow_weird event.
How can I know which connection generated that wrong fragment event? The
wrong fragment event only logs src, dst and network_time. This is not enough
to link the fragment to a connection inside the connection summary.
1247652196.907274 src_ip -> dst_ip: fragment_with_DF
By the way, I read about active and passive timeouts on connections
("Flow-based TCP Connection Analysis" by Limmer and Dressler).
I don't understand how this topic is treated in BRO. I found only one type
of timeout (TCP_inactivity_timeout). Is this timeout the active timeout? Can
I tune a passive timeout? Maybe I am missing other user-tunable timeouts
that can affect my results.
Maybe I am getting into the details of bro design, but I want to understand what
I am doing, and what I shouldn't do, to get the wrong fragment count inside
the conn.bro file.
Veronica Estrada
Nakao Laboratory
The University of Tokyo
Sorry, I couldn't make it work.
ipsumdump --collate -w *.pcap | $BROHOME/bin/bro -r - brolite mysite
/usr/local/bro-1.5-dep/bin/bro: problem with trace file - - truncated dump
file; tried to read 24 file header bytes, only got 0
Veronica
On Thu, Mar 11, 2010 at 3:14 AM, Matthias Vallentin <vallentin(a)icir.org> wrote:
> On Wed, Mar 10, 2010 at 08:30:56AM -0800, Robin Sommer wrote:
> > That's probably the best solution and you can do it on the fly: have
> > your merge tool (e.g., tcpslice) write to stdout and Bro read from
> > stdin with "-r -". The effect on memory will indeed be that of one
> > large pcap file but if that causes trouble, you should tweak the
> > Bro configuration.
>
> Yet another tool:
>
> % ipsumdump --collate -w - *.pcap | bro -r - http-request etc
>
> The switch --collate ensures monotone timestamps.
>
> Matthias
> --
> Matthias Vallentin
> vallentin(a)icir.org
> http://www.icir.org/matthias
>
Hello,
I am processing several hours of captured traffic split into pcap files that
cover 1 minute of traffic each. Currently I am using this basic script to do
that.
#!/bin/bash
# Directory holding the one-minute pcap files, passed as the first argument
path="$1"
for f in "$path"/*; do
    # Give each run's log files a distinct suffix so they are not overwritten
    export BRO_LOG_SUFFIX=$(basename "$f")
    /usr/local/bro/bin/bro -r "$f" brolite mysite
done
But my goal is that bro recognizes connections that could be split across several
files. I am thinking that one solution is to modify some variables and
make them "persistent". Is that correct? Which variables should I modify?
The other solution: I know that split pcap files can be merged into one bigger
file, but I will have problems with memory, and bro may crash if it has a
limitation on processing big pcap files. So I am not considering this
option.
Best regards!
Veronica Estrada
Nakao Laboratory
The University of Tokyo
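The merge-on-the-fly approach suggested in the replies above (a collating tool writing to stdout and Bro reading with "-r -") is what lets Bro see connections that span the one-minute file boundaries, and the `--collate` switch is what keeps timestamps monotone when the files overlap. As an added example, not the poster's script and not ipsumdump or tcpslice, the following Python does that collation: it streams records from several classic little-endian microsecond pcap files and emits one pcap on stdout in timestamp order, assuming each input file is internally ordered (true for files cut from one capture). The sample timestamps and the four-byte dummy records in `make_pcap()` are constructed for the check at the end.

```python
import heapq
import io
import struct
import sys

# Global header of a little-endian, microsecond pcap with Ethernet link type
GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def records(fh):
    """Yield (timestamp, raw record bytes) from an open pcap file, one record at a time.

    Only classic little-endian microsecond pcaps are handled. Nothing beyond the
    current record is held in memory, so large inputs stream through.
    """
    if fh.read(24)[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian microsecond pcap")
    while True:
        hdr = fh.read(16)
        if len(hdr) < 16:
            return
        sec, usec, caplen, _ = struct.unpack("<IIII", hdr)
        yield sec + usec / 1e6, hdr + fh.read(caplen)


def collate(inputs, out):
    """Write one pcap to `out` holding every record of `inputs` in timestamp order.

    Each input is assumed to be internally ordered; heapq.merge then only has to
    pick the earliest head record among the open files, so memory stays flat
    regardless of how many minutes of traffic are merged.
    """
    out.write(GLOBAL_HEADER)
    n = 0
    for _, rec in heapq.merge(*(records(fh) for fh in inputs), key=lambda r: r[0]):
        out.write(rec)
        n += 1
    return n


def make_pcap(times):
    """Constructed test file: one dummy 4-byte record per timestamp."""
    body = b"".join(
        struct.pack("<IIII", int(t), int(round((t % 1) * 1e6)), 4, 4) + b"\xde\xad\xbe\xef"
        for t in times
    )
    return GLOBAL_HEADER + body


def collate_bytes(files):
    """Collate in-memory pcaps; returns (record count, merged pcap bytes)."""
    out = io.BytesIO()
    n = collate([io.BytesIO(f) for f in files], out)
    return n, out.getvalue()


def timestamps(pcap_bytes):
    """List the record timestamps of a pcap held in memory (used to check the result)."""
    return [ts for ts, _ in records(io.BytesIO(pcap_bytes))]


if __name__ == "__main__":
    # Usage: python collate.py minute-01.pcap minute-02.pcap ... | bro -r - brolite mysite
    handles = [open(p, "rb") for p in sys.argv[1:]]
    try:
        collate(handles, sys.stdout.buffer)
    finally:
        for h in handles:
            h.close()
```

Because the output goes to stdout as it is produced, Bro starts working on the first minute while later files are still being read, which is the same pipeline shape as the ipsumdump command in the quoted reply.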
Hi,
I would like to run Bro 1.5.1 with lookups to the MHR,
since the 1.5 code already contains the MD5 functions (?),
I assumed I only needed the:
http-cymru-malware-hash.bro
which I loaded into my site/local.bro
@load http-cymru-malware-hash.bro
and verified to be present through:
# broctl scripts | & grep cymru
http-cymru-malware-hash.bro
But I don't see any related logging, so I'm afraid of being
a little naive in my approach. Since I am totally new
to bro, I don't have a clue how to debug the script.
Thanks in advance for any help.
Ewald...
BTW I really like the functionality in Bro, it helped me discover bot
IRC traffic on port 80 and inst_n105.exe trojan dropper downloads from a
server in Russia.
I have been seeing several crashes per day due to 'internal error:
unknown msg type 101 in Poll()' in the manager process of a bro cluster
handling ~2.5 Gb/s of traffic. Here is a typical stack trace:
> Program terminated with signal 6, Aborted.
> #0 0x000000080158ef6c in kill () from /lib/libc.so.6
> #0 0x000000080158ef6c in kill () from /lib/libc.so.6
> #1 0x000000080158ddfd in abort () from /lib/libc.so.6
> #2 0x000000000040b329 in internal_error () at SSLInterpreter.cc:31
> #3 0x000000000050efde in RemoteSerializer::InternalCommError (this=0x8fd3,
> msg=0x8fd3 <Address 0x8fd3 out of bounds>) at RemoteSerializer.cc:2714
> #4 0x000000000051668b in RemoteSerializer::Poll (this=0x7cb7e0,
> may_block=false) at RemoteSerializer.cc:1477
> #5 0x0000000000516c83 in RemoteSerializer::NextTimestamp (this=0x7cb7e0,
> local_network_time=0x7fffffffe330) at RemoteSerializer.cc:1294
> #6 0x00000000004d6575 in IOSourceRegistry::FindSoonest (this=0x79a310,
> ts=0x7fffffffe518) at stl_list.h:131
> #7 0x00000000004f2df3 in net_run () at Net.cc:509
> #8 0x0000000000408938 in main (argc=36152552, argv=0x0) at main.cc:999
This seems to be the same problem as ticket #203. Robin's comment (see
<http://tracker.icir.org/bro/ticket/203#comment:1>) suggests this may be
caused by high system load, but that doesn't seem to be the case.
To check this, I have set up two clusters fed by the same input traffic.
The first is a cluster of seven machines with a single bro instance
running on each. The cluster has four workers, two proxies, and the
manager node. In broctl, 'top' rarely reports CPU utilization over 10%
for any node, and memory consumption is typically < 250 MB per process.
The manager process in this cluster crashes several times per day.
The second cluster is just one machine: a dual quad-core Xeon system
with 16 GB of RAM. It is running six instances of bro: four workers
each listening to a different network interface, one proxy, and one
manager. CPU utilization is often ~50% on the workers, and as high as
20% on the manager. Although 'netstats' reports more packet loss for
this cluster, the manager does not crash.
Is there some other line of investigation I should pursue? A
single-machine Bro cluster won't handle much more traffic, so this isn't
a useful workaround for the long term.