zeek April 2010

zeek@lists.zeek.org

20 participants
17 discussions

by Bill Jones

John, Thanks for the quick response. > Not sure what Netscalar does, but it all should act the same. The host > TCP stack would drop any attempted connection for which a session was > not established regardless of what was upstream from it. Quick and > dirty, you sould be able to fire up tcpdump and see the session > initialization. That's what I'm finding strange. After running a tcpdump capture on the interface and analyzing it with Wireshark, I do not see any 3-way handshakes for this particular web application. For any HTTP GET that I see in Wireshark that pertains to this application, when I "Follow TCP Stream", the first entry in Wireshark is always the GET message itself. For all other applications on the network, doing the above results in the first entry being the SYN. I've generated a few dumps with the same results. I wonder if the load balancer is somehow keeping a session active for very long periods (if this even makes sense). If you have any suggestions or thoughts, I'd be very interested. Thanks, Bill On Sat, Feb 6, 2010 at 12:51 PM, John Hally <JHally(a)ebscohost.com> wrote: > Hi Bill, > > I've run BRO in the past with load balancers (Arrowpoint/Cisco CSS) and > was able to see all traffic. In our setup we had 2 segments; a VIP > access link and a services trunk link where the real/origin servers > lived. Both of these links had physical network taps and it was as > simple as plugging in the Ethernet, flipping the interface to > UP/PROMISC, and starting BRO. > > With the CSS, even though the unit would handle the initial connection, > it would 'snap' that over to the origin server it picked during load > balancing so you would still see the tcp setup. > > Not sure what Netscalar does, but it all should act the same. The host > TCP stack would drop any attempted connection for which a session was > not established regardless of what was upstream from it. Quick and > dirty, you sould be able to fire up tcpdump and see the session > initialization. > > Thoughts? > > Tahnks. > > John. > > -----Original Message----- > From: bro-bounces(a)ICSI.Berkeley.EDU > [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Bill Jones > Sent: Saturday, February 06, 2010 10:22 AM > To: bro(a)ICSI.Berkeley.EDU > Subject: [Bro] Load Balancers > > Hi everyone, > > I was curious if anyone has any experience running bro between > load-balancers (such as Netscaler) and web applications. We are > currently trying to get HTTP logs generated for a web application. We > couldn't figure out why bro was not triggering the HTTP analyzer, but > I now believe that this is because it is never seeing the original SYN > + SYN/ACK for the conversation. When viewing the conversations in > Wireshark, I can see that all the TCP streams for this particular > application begin with the GET and do not include the initial 3-way > handshake. > > Here is an entry in the conn.log for this stream which shows the states: > > 1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 > 604140 OTH X DdAa > > Other web applications on the wire, which do have the 3-way handshake > visible for all connections, seem to work just fine and I get http > logs. > > My questions are: > > Am I correct in assuming that the lack of initial connection > establishment is why the HTTP analysis is never occurring (and > therefore I'm not getting entries in http.log)? > > Is there a way to force bro to analyze the traffic even though there > is no proper 3-way handshake visible? > > > Thanks for your time, > Bill > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >

9 years, 11 months

[Bro] question about event http_stats

by Sen Yang

Hi All, I am writing some bro script to analysis http session, and I have some question about those events #global http_stats: event(c: connection, stats: http_stats_rec); the http_stats event, I think it is raised when one http session is done? But why the stats$num_requests can be 0? I noticed in the http.bro, there is one handler for this event but then annotated.

10 years, 11 months

[Bro] store all packet

by lzqsist

Hi,all.How to store all packet directly to the hard disk using bro-1.5 ?

10 years, 11 months

[Bro] Number of simultaneous pcap_open calls per interface

by Jason Chambers

Hello all, Can anyone explain the number of, and reasoning behind, multiple pcap_open calls to the same interface ? Is one used for each type of analyzer ? While experimenting with certain hardware I noticed a continuous stream of errors due to exclusive usage limitations of the capture card. (And if it's not too confusing I'd be interested to hear if and how the Zero-copy buffer mode detailed in bpf(4) on FreeBSD might be utilized within Bro). Regards, --Jason

10 years, 12 months

[Bro] Intel 1000/Pro PF Quad-port and I/OAT

by Jason Chambers

Hello all, If anyone is using the Intel 1000/Pro PF quad-port cards with Intel I/OAT please contact me on or off-list. Just a basic "how well is it performing @ what speed" type of inquiry. Thanks, --Jason

10 years, 12 months

[Bro] Time machine build.

by Blake Mattern

Greetings all, I have a question regarding Time machine. I would like to find out why, when I attempt to compile Time machine it refuses to see broccoli. Currently I have Bro running on a test instance (RHEL 5) and each time I compile Time machine I get this: Time machine Configuration Summary ========================================================== - Debugging enabled: no - broccoli support: no - Using ptmalloc: no With no errors. config.log: configure:7028: checking for main in -lbroccoli configure:7057: g++ -o conftest -g -O2 -O2 -g -Wall -I/usr/local/include -INONE/include -g -O2 -O2 -g -Wall -I/usr/local/include -INONE/include -INONE/include -L/usr/local/lib -LNONE/lib conftest.cpp -lbroccoli -lpcrecpp -lpcre -lpthread -lpcap >&5 /usr/bin/ld: cannot find -lbroccoli ac_cv_lib_broccoli_main=no I have a second instance of Bro (FreeBSD 8.0) in a virtual machine and I was able to compile and run Time machine without issue. I would be happy to supply more info or if anyone has direction to some documentation about Time machine. Thanks All, =-=Blake

10 years, 12 months

[Bro] Huge number of "Bad_IP_Checksum" warnings on FreeBSD8 captured traffic.

by Luca Renaud

I have not counted but nearly every packet captured through tcpdump on FreeBSD 8 i386 when analyzed by Bro generates a "Bad IP Checksum" weird warning.This only happens to me on FreeBSD and I run a lot of systems: Windows7,MacOSX,Linuxes,Solaris... So,how can I avoid this and filter only the normal warnings,because it seems very related to FreeBSD 8 network interfaces,tcpdump on FreeBSD 8 ,etc. Thanks.

10 years, 12 months

[Bro] Help:- can we read HDLC data link type?

by vijay khadse

I want to know that wheather Bro can read the HDLC data link .If not , Can we make bro to use the HDLC data like. Please suggest. Regards vijay M Khadse

11 years

[Bro] ignoring all weird?

by Tim Rupp

Is there a convenient way that I can suppress all weird messages that would otherwise bubble up to the weird log? I've done this redef notice_action_filters += { [[Weird::WeirdActivity, Weird::ContentGap, Weird::RetransmissionInconsistency, Weird::AckAboveHole]] = ignore_notice }; But I still get some weird messages that I need to suppress like this redef Weird::weird_action: table[string] of Weird::WeirdAction += { [["above_hole_data_without_any_acks", "bad_TCP_checksum", "unmatched_HTTP_reply", "connection_originator_SYN_ack", "window_recision", "unescaped_special_URI_char", "bad_UDP_checksum", "data_before_established", "inflate_failed", "line_terminated_with_single_CR" ]] = Weird::WEIRD_IGNORE }; Ideas? Thanks, -Tim

11 years

[Bro] HELP :Any default trace file that comes with bro?

by vijay khadse

Hi, Is there any default trace file that comes with bro1.5 ? If yes, what is it , and in which dir i can find, so that i can check whether bro is working properly or not . I have a trace file which has problem. thanks, vijay khadse

11 years

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2010