John,
Thanks for the quick response.
> Not sure what Netscalar does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
That's what I'm finding strange. After running a tcpdump capture on
the interface and analyzing it with Wireshark, I do not see any 3-way
handshakes for this particular web application. For any HTTP GET that
I see in Wireshark that pertains to this application, when I "Follow
TCP Stream", the first entry in Wireshark is always the GET message
itself. For all other applications on the network, doing the above
results in the first entry being the SYN.
I've generated a few dumps with the same results. I wonder if the
load balancer is somehow keeping a session active for very long
periods (if this even makes sense).
If you have any suggestions or thoughts, I'd be very interested.
Thanks,
Bill
On Sat, Feb 6, 2010 at 12:51 PM, John Hally <JHally(a)ebscohost.com> wrote:
> Hi Bill,
>
> I've run BRO in the past with load balancers (Arrowpoint/Cisco CSS) and
> was able to see all traffic. In our setup we had 2 segments; a VIP
> access link and a services trunk link where the real/origin servers
> lived. Both of these links had physical network taps and it was as
> simple as plugging in the Ethernet, flipping the interface to
> UP/PROMISC, and starting BRO.
>
> With the CSS, even though the unit would handle the initial connection,
> it would 'snap' that over to the origin server it picked during load
> balancing so you would still see the tcp setup.
>
> Not sure what Netscalar does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
>
> Thoughts?
>
> Thanks.
>
> John.
>
> -----Original Message-----
> From: bro-bounces(a)ICSI.Berkeley.EDU
> [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Bill Jones
> Sent: Saturday, February 06, 2010 10:22 AM
> To: bro(a)ICSI.Berkeley.EDU
> Subject: [Bro] Load Balancers
>
> Hi everyone,
>
> I was curious if anyone has any experience running bro between
> load-balancers (such as Netscaler) and web applications. We are
> currently trying to get HTTP logs generated for a web application. We
> couldn't figure out why bro was not triggering the HTTP analyzer, but
> I now believe that this is because it is never seeing the original SYN
> + SYN/ACK for the conversation. When viewing the conversations in
> Wireshark, I can see that all the TCP streams for this particular
> application begin with the GET and do not include the initial 3-way
> handshake.
>
> Here is an entry in the conn.log for this stream which shows the states:
>
> 1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785
> 604140 OTH X DdAa
>
> Other web applications on the wire, which do have the 3-way handshake
> visible for all connections, seem to work just fine and I get http
> logs.
>
> My questions are:
>
> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?
>
> Is there a way to force bro to analyze the traffic even though there
> is no proper 3-way handshake visible?
>
>
> Thanks for your time,
> Bill
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
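To check the hypothesis in this thread from the conn.log side, here is an added example (not code from the thread or from Bro) that parses Bro 1.x conn.log lines and counts, per responder service, the TCP connections Bro picked up mid-stream, i.e. with state OTH or a history lacking the originator's SYN. The column layout and the meaning of the history letters are assumed from the line quoted above; the two extra log lines are constructed.

```python
"""Flag Bro 1.x conn.log entries that Bro saw mid-stream (no SYN observed)."""
from collections import Counter

# Assumed column layout, taken from the line quoted in the thread.
FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flags", "addl")

# Constructed sample: the real line from the thread plus two made-up lines,
# one normal connection and one more midstream pickup to the same server.
SAMPLE_LOG = """\
1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
1265389090.000000 0.512 10.19.120.40 10.19.2.90 http 40123 80 tcp 512 2048 SF X ShADadFf
1265389091.100000 ? 10.19.120.12 10.19.2.78 http 2240 80 tcp 900 30000 OTH X DdAa
"""

def parse_conn_line(line):
    """Split one whitespace-separated conn.log line into a dict; None for blank/comment."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if len(parts) < len(FIELDS) - 1:      # 'addl' may be absent in older output
        raise ValueError("unexpected conn.log field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec.setdefault("addl", "")
    return rec

def missing_handshake(rec):
    """True when Bro never saw the originator's SYN for this TCP connection."""
    if rec["proto"] != "tcp":
        return False
    if rec["state"] == "OTH":             # midstream traffic, no handshake seen
        return True
    hist = rec["addl"]                    # assumed: history string, 'S' = SYN from originator
    return bool(hist) and "S" not in hist

def midstream_report(text):
    """Return (total connections, Counter of midstream pickups per resp_h:resp_p)."""
    per_service, total = Counter(), 0
    for line in text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        total += 1
        if missing_handshake(rec):
            per_service["%s:%s" % (rec["resp_h"], rec["resp_p"])] += 1
    return total, per_service

if __name__ == "__main__":
    total, hits = midstream_report(SAMPLE_LOG)
    print("%d connections; midstream (no SYN) by responder service:" % total)
    for svc, n in hits.most_common():
        print("  %-22s %d" % (svc, n))
```

If a single responder service accounts for all the OTH entries while its neighbours show SF, the handshake is being completed somewhere the tap does not see (for example on the load balancer's other leg), which is the situation Bill describes.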
Some of you folks may remember that back in January we did a survey
soliciting input on operational Bro deployments in the hope of
attracting funding for Bro. Today, the Bro team is jazzed to
announce that the National Science Foundation has awarded a grant of
almost $3M to the International Computer Science Institute (ICSI)
and the National Center for Supercomputing Applications (NCSA) for
extensive Bro development.
The funded project aims specifically at addressing much of the
feedback that we have received from Bro users over the years. It
will enable us to refine many of the rough edges that the system has
accumulated over time[*], improve Bro's performance significantly,
and also make it much easier for the community to contribute to the
project.
For further information, see the joint ICSI/NCSA press release at:
http://www.ncsa.illinois.edu/News/10/0824NSFawards.html
While we are still in the process of planning our next steps, we'd
already like to encourage you folks to take an active role in
shaping the course of Bro's future development. In response to our
earlier survey, many of you have already sent in ideas on what kind
of improvements and new functionality you would like to see. If you
have further thoughts, feel free to send them either to the list or
to Robin personally. Now is also the time to file your favorite Bro
quirk with our tracker at http://tracker.icir.org/bro ...
Thanks to everybody who helped make this happen!
The Bro Team
[*] Yes, that includes documentation!
--
Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Hello,
I am a beginner with BRO IDS and am currently using it for monitoring one
interface of a FreeBSD machine over an experiment network.
Part of my project now requires me to also capture the network bandwidth being
utilized by a flow that passes through the BRO monitored interface. By
flow we mean a source-destination IP pair.
Is this kind of measurement possible in BRO? If not, is there any add-on
which can be used to accomplish the same task using BRO?
Kindly suggest and thanks in advance.
Regards,
Harkeerat Bedi
I am not seeing any of the logs from the worker nodes on the manager node in the Log dir.
Is there some setting that I am missing? Using broctl I can see the worker nodes are working, and if I ssh to the worker nodes I can see the log in the spool dir, they just never seem to make it back to the manager.
This is a new setup from SVN running on RHEL 5.5 64 bit and my first attempt at Bro, so please be gentle.
--
Michael Waite
Enterprise Security Analyst
Enterprise Information Privacy and Security Services (EIPSs)
Security Operations and Services (SOS)
Information Technology Services (ITS)
The Pennsylvania State University (PSU)
Direct Telephone: 814-865-2297
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security(a)psu.edu
Greetings group,
I'm having an issue with Bro and clustering. I keep getting this error:
[BroControl] > install
removing old policies in /usr/local/bro/share/bro/.site ... done.
creating policy directories ... done.
installing site policies ... done.
generating broctl-layout.bro ... done.
generating analysis-policy.bro ... done.
generating local-networks.bro ... done.
updating nodes ... Permission denied (publickey,keyboard-interactive).
warning: connection to 10.10.2.13 broke
Permission denied (publickey,keyboard-interactive).
warning: connection to 10.10.2.14 broke
warning: connection to 10.10.2.13 broke
warning: connection to 10.10.2.14 broke
warning: connection to 10.10.2.13 broke
warning: connection to 10.10.2.14 broke
warning: connection to 10.10.2.13 broke
warning: connection to 10.10.2.14 broke
warning: cannot create directory /usr/local/bro/spool/tmp on worker-1
warning: cannot create directory /usr/local/bro/spool/tmp on worker-2
warning: cannot create directory /usr/local/bro/spool/tmp on worker-1
warning: cannot create directory /usr/local/bro/spool/tmp on worker-2
warning: cannot create directory /usr/local/bro/spool/tmp on worker-1
warning: cannot create directory /usr/local/bro/spool/tmp on worker-2
warning: cannot create directory /usr/local/bro/spool/tmp on worker-1
warning: cannot create directory /usr/local/bro/spool/tmp on worker-2
warning: error rsyncing to 10.10.2.13: ['Permission denied (publickey,keyboard-interactive).\r', 'rsync: connection unexpectedly closed (0 bytes received so far) [sender]', 'rsync error: unexplained error (code 255) at io.c(600) [sender=3.0.6]']
warning: error rsyncing to 10.10.2.14: ['Permission denied (publickey,keyboard-interactive).\r', 'rsync: connection unexpectedly closed (0 bytes received so far) [sender]', 'rsync error: unexplained error (code 255) at io.c(600) [sender=3.0.6]']
done.
I thought I had all my permissions correct but I guess not. I know rsync works and ssh (without a password).
Any thoughts?
Thanks,
--John
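The "Permission denied (publickey,keyboard-interactive)" lines show that ssh fell through to a prompt broctl cannot answer. Here is an added example (not part of the thread or of BroControl) that reproduces broctl's conditions from the manager: key-based ssh with prompts disabled to each worker, then creation of the spool tmp directory. The worker addresses and path come from the error output above; `runner` is a hypothetical hook so the logic can run without a real ssh client.

```python
"""Check that a broctl manager can reach its workers non-interactively."""
import subprocess

# Taken from the error output in the thread.
WORKERS = ["10.10.2.13", "10.10.2.14"]
SPOOL_TMP = "/usr/local/bro/spool/tmp"

def ssh_batch(host, remote_cmd, runner=subprocess.run):
    """Run remote_cmd on host with all prompts disabled; return (rc, stderr)."""
    # BatchMode=yes forbids password/keyboard-interactive fallback, so this
    # fails in exactly the case where broctl's ssh/rsync would fail.
    argv = ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", host, remote_cmd]
    proc = runner(argv, capture_output=True, text=True)
    return proc.returncode, proc.stderr.strip()

def check_worker(host, runner=subprocess.run):
    """Return (ok, message) describing the first failing step for this worker."""
    rc, err = ssh_batch(host, "true", runner)
    if rc != 0:
        return False, "%s: key-based ssh failed (%s)" % (host, err or "rc=%d" % rc)
    mk = "mkdir -p '%s' && test -w '%s'" % (SPOOL_TMP, SPOOL_TMP)
    rc, err = ssh_batch(host, mk, runner)
    if rc != 0:
        return False, "%s: ssh ok, but cannot create/write %s (%s)" % (host, SPOOL_TMP, err)
    return True, "%s: ok" % host

def check_all(hosts=WORKERS, runner=subprocess.run):
    """Check every worker; return {host: (ok, message)}."""
    return {h: check_worker(h, runner) for h in hosts}

if __name__ == "__main__":
    for host, (ok, msg) in check_all().items():
        print(("PASS " if ok else "FAIL ") + msg)
```

Run it as the same user that runs broctl, since the key and agent that user sees are what matter.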
Greetings All,
I'm having an issue with compiling Bro with IPv6 and Cluster support. The base OS is FreeBSD 8.1 i386. Here is the error I'm getting:
building '_broccoli_intern' extension
creating /usr/home/user/bro/bro-1.5.1/aux/broctl/.python-build/temp.freebsd-8.1-RELEASE-i386-2.6
cc -DNDEBUG -O2 -pipe -D__wchar_t=wchar_t -DTHREAD_STACK_SIZE=0x100000 -fno-strict-aliasing -I/usr/home/user/bro/bro-1.5.1/aux/broccoli/src -fPIC -I../../src -I/usr/local/include/python2.6 -c broccoli_intern_wrap.c -o /usr/home/user/bro/bro-1.5.1/aux/broctl/.python-build/temp.freebsd-8.1-RELEASE-i386-2.6/broccoli_intern_wrap.o
In file included from broccoli_intern_wrap.c:118:
/usr/local/include/python2.6/Python.h:168:17: error: pth.h: No such file or directory
broccoli_intern_wrap.c: In function '_wrap_bro_event_add_val':
broccoli_intern_wrap.c:5585: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function '_wrap_bro_event_set_val':
broccoli_intern_wrap.c:5655: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function '_wrap_bro_record_add_val':
broccoli_intern_wrap.c:6810: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function '_wrap_bro_record_set_nth_val':
broccoli_intern_wrap.c:6996: warning: assignment discards qualifiers from pointer target type
broccoli_intern_wrap.c: In function '_wrap_bro_record_set_named_val':
broccoli_intern_wrap.c:7067: warning: assignment discards qualifiers from pointer target type
error: command 'cc' failed with exit status 1
*** Error code 1
Stop in /usr/home/user/bro/bro-1.5.1/aux/broctl.
*** Error code 1
The problem looks to be in the compiling of broccoli. It states that pth.h is not in /usr/local/include/python2.6/
although I checked and it's there.
Any ideas?
Thanks,
=-=Blake
Hello,
I installed Linux Fedora 5 as Virtual PC on my laptop (main operating system is Windows vista).
I tried to install Bro according to instructions:
1- ./configure
2- make
3- make install
but this didn't work :(
I don't want to work on a live network, I just want to read a pcap file and then verify if the alarm is generated.
So can somebody help me?
Nour
Just last weekend, our Bro cluster started randomly skipping emailed
reports. No change has been made to the Postfix configuration or the Bro
configuration. There seems to be no pattern to the missed reports, which
are supposed to be sent out every 2 hours. Sometimes they are sent,
sometimes not. The logs show nothing at all, not even an attempted send for
the missing reports, the report simply isn't there.
Is it possible to reassemble TCP and UDP streams while Bro inspects a
captured tracefile from a different machine? I have several pcap files
that contain approx 6 hrs worth of traffic. I would like to have Bro
analyze the data, but I also need the streams (both tcp and udp)
reassembled and stored on the hard drive for use with custom python
scripts. I've noticed that the contents.bro script will reassemble TCP
streams, but it doesn't appear to assemble UDP as well.
Any help with this would be greatly appreciated. I have read through
the quick start, wiki, and list archives with no luck. I am new to Bro
so sorry if this is a basic question.
Thanks in advance... I'm running Bro 1.5
--
Peter Erickson
redlamb19 _at_ gmail _dot_ com
I have Bro 1.4 configured and running fine, however, it does not appear to
be generating any summary reports. I ran bro_config and edited bro.cfg with
settings for my setup, but I am not receiving any summary report at the
address specified in bro.cfg, nor is it generating any summary report file.
Any ideas on what could be causing the problem?
Also, is the summary report written to a file in /usr/local/bro/reports or
is it only emailed?
Thanks.