John,
Thanks for the quick response.
> Not sure what Netscaler does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
That's what I'm finding strange. After running a tcpdump capture on
the interface and analyzing it with Wireshark, I do not see any 3-way
handshakes for this particular web application. For any HTTP GET that
I see in Wireshark that pertains to this application, when I "Follow
TCP Stream", the first entry in Wireshark is always the GET message
itself. For all other applications on the network, doing the above
results in the first entry being the SYN.
I've generated a few dumps with the same results. I wonder if the
load balancer is somehow keeping a session active for very long
periods (if this even makes sense).
If you have any suggestions or thoughts, I'd be very interested.
Thanks,
Bill
On Sat, Feb 6, 2010 at 12:51 PM, John Hally <JHally(a)ebscohost.com> wrote:
> Hi Bill,
>
> I've run BRO in the past with load balancers (Arrowpoint/Cisco CSS) and
> was able to see all traffic. In our setup we had 2 segments; a VIP
> access link and a services trunk link where the real/origin servers
> lived. Both of these links had physical network taps and it was as
> simple as plugging in the Ethernet, flipping the interface to
> UP/PROMISC, and starting BRO.
>
> With the CSS, even though the unit would handle the initial connection,
> it would 'snap' that over to the origin server it picked during load
> balancing so you would still see the tcp setup.
>
> Not sure what Netscaler does, but it all should act the same. The host
> TCP stack would drop any attempted connection for which a session was
> not established regardless of what was upstream from it. Quick and
> dirty, you should be able to fire up tcpdump and see the session
> initialization.
>
> Thoughts?
>
> Thanks.
>
> John.
>
> -----Original Message-----
> From: bro-bounces(a)ICSI.Berkeley.EDU
> [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Bill Jones
> Sent: Saturday, February 06, 2010 10:22 AM
> To: bro(a)ICSI.Berkeley.EDU
> Subject: [Bro] Load Balancers
>
> Hi everyone,
>
> I was curious if anyone has any experience running bro between
> load-balancers (such as Netscaler) and web applications. We are
> currently trying to get HTTP logs generated for a web application. We
> couldn't figure out why bro was not triggering the HTTP analyzer, but
> I now believe that this is because it is never seeing the original SYN
> + SYN/ACK for the conversation. When viewing the conversations in
> Wireshark, I can see that all the TCP streams for this particular
> application begin with the GET and do not include the initial 3-way
> handshake.
>
> Here is an entry in the conn.log for this stream which shows the states:
>
> 1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
>
> Other web applications on the wire, which do have the 3-way handshake
> visible for all connections, seem to work just fine and I get http
> logs.
>
> My questions are:
>
> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?
>
> Is there a way to force bro to analyze the traffic even though there
> is no proper 3-way handshake visible?
>
>
> Thanks for your time,
> Bill
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
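The conn.log line quoted above carries a TCP history string, DdAa: payload and ACKs in both directions, but no S for the originator's SYN and no h for the responder's SYN/ACK. That is what a monitor records when it joins a connection that was already established before the capture started, which is consistent with Bill's suspicion that the load balancer keeps long-lived connections to the servers. The following is an added example, not code from this thread or from Bro: it parses lines in the 13-column layout shown above and counts, per server endpoint, how many flows were picked up mid-stream, so the extent of the problem can be measured before anything is changed. The column positions are an assumption read off the quoted line; the sample lines are constructed, apart from the first, which is the one from the thread.

```python
"""Find Bro conn.log flows whose TCP handshake was never seen (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the column order of the conn.log line quoted above:
# ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes
# state flags history. The first line is the one from the thread.
SAMPLE = """\
1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
1265389090.120000 3.412 10.19.120.40 10.19.2.78 http 51012 80 tcp 821 5120 SF X ShADadFf
1265389091.000000 ? 10.19.120.12 10.19.2.78 http 2233 80 tcp 9001 40011 OTH X DdAa
1265389095.500000 0.003 10.19.120.77 10.19.2.90 http 40022 80 tcp 0 0 S0 X S
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str
    resp_h: str
    orig_p: int
    resp_p: int
    proto: str
    state: str
    history: str


def parse(text: str) -> List[Conn]:
    """Parse the whitespace-separated 13-column layout; skip short/comment lines."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 13:
            continue
        conns.append(Conn(float(f[0]), f[2], f[3], int(f[5]), int(f[6]),
                          f[7], f[10], f[12]))
    return conns


# History letters (upper case = from originator, lower case = from responder):
# S/s SYN, H/h SYN-ACK, A/a ACK, D/d payload, F/f FIN, R/r RST.
def classify(c: Conn) -> str:
    h = c.history
    if c.proto != "tcp":
        return "not-tcp"
    if "S" in h and "h" in h:
        return "handshake"      # the monitor saw the connection being set up
    if "S" not in h and "h" not in h and any(ch in h for ch in "DdAa"):
        return "midstream"      # traffic on a connection established before capture
    return "other"              # e.g. S0: a SYN that never got a reply


def report(text: str) -> Tuple[Dict[str, int], Dict[Tuple[str, int], int]]:
    """Counts per class, plus mid-stream flows per (responder host, port)."""
    by_class: Counter = Counter()
    midstream_by_server: Counter = Counter()
    for c in parse(text):
        k = classify(c)
        by_class[k] += 1
        if k == "midstream":
            midstream_by_server[(c.resp_h, c.resp_p)] += 1
    return dict(by_class), dict(midstream_by_server)


if __name__ == "__main__":
    classes, servers = report(SAMPLE)
    print(classes)
    for (host, port), n in sorted(servers.items(), key=lambda kv: -kv[1]):
        print(f"{host}:{port}  {n} flow(s) picked up mid-stream")
```

Run it against a real conn.log and a server that shows up with many mid-stream flows but no handshake flows is one whose connections outlive the capture window; if those flows have lasted hours, a longer capture will not help and the question becomes whether Bro can be told to analyse them anyway.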
Hello,
I can't understand the behavior of asynchronous calls in scripts. When I specify 20
seconds in a table's data type attribute "&create_expire=20sec", I find
unpredictable behavior: the table's item is not removed in 20 seconds; it can
be removed after 25, 30, etc. seconds. As I found, it depends on how many
packets are on the network: if there are no packets after the timer value, my timer
will never expire. And when the first packet appears, the timer immediately
expires (even though, for example, more than a few hours may have passed).
Why is this so?
Thank you for the explanation.
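As an added illustration, not Bro's timer code, the following models a table whose entries expire only when the clock used for expiry advances, and whose clock advances only when a packet arrives. That assumption is taken from the behaviour reported in the post above, not from the Bro source. Given a list of constructed packet timestamps, the function returns when an entry created with a 20-second lifetime actually disappears, which reproduces both the late removals and the hours-long delay described.

```python
"""Model of table expiry that runs only when network time advances (added example)."""
from typing import Dict, List, Tuple


class LazyExpireTable:
    """Entries carry a creation time; expiry is checked only from packet()."""

    def __init__(self, create_expire: float):
        self.create_expire = create_expire
        self.network_time = 0.0
        self._created: Dict[str, float] = {}
        self.expired: List[Tuple[str, float]] = []   # (key, time it actually went)

    def packet(self, ts: float) -> List[str]:
        """A packet with timestamp ts arrives: advance the clock, then expire
        every entry whose lifetime has run out as of this packet."""
        self.network_time = max(self.network_time, ts)
        due = [k for k, t0 in self._created.items()
               if self.network_time - t0 >= self.create_expire]
        for k in due:
            del self._created[k]
            self.expired.append((k, self.network_time))
        return due

    def add(self, key: str) -> None:
        self._created[key] = self.network_time

    def __contains__(self, key: object) -> bool:
        return key in self._created


def actual_expiry(packet_times: List[float], insert_at: float,
                  create_expire: float = 20.0) -> float:
    """When does an entry created at insert_at really disappear?
    Returns inf if no packet ever arrives after its nominal deadline."""
    table = LazyExpireTable(create_expire)
    for ts in sorted(packet_times):
        table.packet(ts)
        if ts == insert_at:
            table.add("item")
        for key, when in table.expired:
            if key == "item":
                return when
    return float("inf")


SCENARIOS = {
    # constructed packet timestamps (seconds); the entry is inserted at the first one
    "busy":  [0.0, 10.0, 25.0, 30.0],   # first packet after t=20 is at 25: 5 s late
    "idle":  [100.0, 105.0, 7300.0],    # nothing for two hours: removed at 7300
    "quiet": [0.0, 10.0],               # no packet after the deadline: never removed
}


def lateness_report() -> Dict[str, float]:
    """Seconds by which each scenario's entry outlives its nominal 20 s."""
    out = {}
    for name, times in SCENARIOS.items():
        out[name] = actual_expiry(times, times[0]) - (times[0] + 20.0)
    return out


if __name__ == "__main__":
    for name, late in lateness_report().items():
        print(f"{name:6s} removed {late:g} s after the nominal deadline")
```

The practical consequence for a script: an expiry attribute on a table gives an upper bound on how early an item goes away, not a guarantee of when, so logic that needs wall-clock precision should not rely on the expiry alone.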
Can anyone point me at documentation on Bro's builtin string/pattern
functions? The reference manual on the wiki points me at strings.bif.bro
which doesn't have a lot of documentation around it.
Does bro support back-references? I am trying to look for specific patterns
in a tcp stream and need to be able to log out said patterns to a file.
thanks,
Sridhar
Yeah, thanks, I got that.
root@raj-Satellite-L300:/path/to/bro/bin# broctl install
No command 'broctl' found, did you mean:
Command 'brctl' from package 'bridge-utils' (main)
broctl: command not found
Can you tell me whether this is the right path for trying to install broctl,
or whether I made some other mistake?
Thanks & Regards
On Wed, Jan 19, 2011 at 8:17 PM, rmkml <rmkml(a)free.fr> wrote:
> use `sudo vi ...` for editing...
> Regards
> Rmkml
>
>
>
> On Wed, 19 Jan 2011, rajasekhar reddy wrote:
>
>> I found them, but I can't edit them; they are in read-only mode.
>>
>> Why I need them: I can't run my Bro IDS, which is already installed.
>>
>> I hope you understand my problem.
>>
>> On Wed, Jan 19, 2011 at 7:04 PM, Seth Hall <seth(a)icir.org> wrote:
>>
>> On Jan 19, 2011, at 1:58 PM, rajasekhar reddy wrote:
>>
>> > • The installation installs three configuration files which
>> > you should edit:
>> >
>> > • etc/broctl.cfg is the overall BroControl
>> > configuration. Initially, you probably only need to edit the email address
>> > for mails sent by the framework; that's the MailTo line.
>> >
>> > • In etc/nodes.cfg, you need to specify the network
>> > interface Bro is to monitor; that's the interface line.
>> >
>> > • In etc/networks.cfg, list all the networks which
>> > Bro should consider as local to the monitored environment.
>> >
>> > Can you please tell me how to do the above steps?
>>
>> Those files should be in your directory where you installed Bro. You just
>> need to edit them to suit your environment. Looking at the format of those
>> files should be fairly obvious where and how to change them. Please ask
>> if you have specific questions about how those files should be configured.
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>>
>>
Hi, when I tried to run Bro IDS I got this error. Did I make any
mistake?
root@ubuntu:/usr/local/bro/etc# bro.rc start
bro.rc: command not found
root@ubuntu:/usr/local/bro/etc#
Thanks & Regards
On Tue, Jan 18, 2011 at 10:55 AM, Vern Paxson <vern(a)icir.org> wrote:
> Could you clarify the error condition that you're encountering? It wasn't
> clear to me from your original post.
>
> Vern
>
Hey,
Can someone tell me how I can get an account on the tracker? I needed
to open an issue with partial connections.
I tried to send email to info(a)tracker.icir.org but haven't heard anything
back for a few days.
thanks,
Sridhar
Hi,
I'm curious if anyone has a patch which allows bro to essentially
ignore the 802.1Q header if present. Alternatively could someone point
me to where in the code I should look so that I can modify the code
myself?
Thanks in advance!
-Bryce Boe
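The reason a tagged frame confuses a decoder that does not know about VLANs is mechanical: after the two MAC addresses, 802.1Q inserts a 4-byte tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), so the real ethertype and the IP header sit 4 bytes further in than a plain Ethernet header puts them. The following added example is not the patch asked for and not Bro code; it shows the stripping step on raw frame bytes in Python. It walks over one or more tags, including 802.1ad S-TAGs (TPID 0x88A8) for stacked tags, which goes beyond the single tag the post mentions, and returns the inner ethertype and payload so the frame can be handed to an untagged decoder. The frames are constructed inline.

```python
"""Strip 802.1Q / 802.1ad VLAN tags from raw Ethernet frames (added example)."""
import struct
from typing import List, Sequence, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q C-TAG
ETHERTYPE_QINQ = 0x88A8   # 802.1ad S-TAG (outer tag of a stacked pair)
ETHERTYPE_IPV4 = 0x0800


def strip_vlan_tags(frame: bytes) -> Tuple[bytes, bytes, int, List[int], bytes]:
    """Return (dst_mac, src_mac, inner_ethertype, vlan_ids, payload).

    Each tag is 4 bytes: a 16-bit TPID (0x8100 or 0x88A8) followed by a 16-bit
    TCI whose low 12 bits are the VLAN ID. Tags are consumed outermost first
    until a non-VLAN ethertype is reached, so untagged, single-tagged and
    double-tagged frames all come back in the same shape.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlan_ids: List[int] = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated ethertype")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            return dst, src, etype, vlan_ids, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan_ids.append(tci & 0x0FFF)
        off += 4


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes,
                vlan_ids: Sequence[int] = ()) -> bytes:
    """Constructed-test helper: build a frame with zero or more tags.
    With two or more tags the outermost carries the 802.1ad TPID."""
    hdr = dst + src
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_QINQ if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_VLAN
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI left at zero
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample: two MACs and a 20-byte minimal IPv4-shaped payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)


def demo() -> dict:
    """For each tagging variant: (inner ethertype, VLAN IDs, bytes by which the
    IP header is displaced compared with an untagged frame)."""
    out = {}
    for name, vids in (("untagged", ()), ("dot1q", (100,)), ("qinq", (200, 100))):
        raw = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids)
        _, _, etype, ids, payload = strip_vlan_tags(raw)
        out[name] = (etype, ids, len(raw) - len(payload) - 14)
    return out


if __name__ == "__main__":
    for name, (etype, ids, skew) in demo().items():
        print(f"{name:9s} ethertype=0x{etype:04x} vlans={ids} extra_bytes_before_ip={skew}")
```

A decoder that reads the ethertype at offset 12 without this step sees 0x8100, not 0x0800, and either drops the frame or parses the TCI bytes as the start of the IP header, which is the same symptom as the frames being invisible. Keeping the VLAN ID list around rather than discarding it is worth doing on a tap that carries several VLANs, since the same 5-tuple can legitimately appear on two of them.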
---------- Forwarded message ----------
From: rajasekhar reddy <orsr88(a)gmail.com>
Date: Sun, Jan 16, 2011 at 9:25 AM
Subject: RE: problem installing bro on ubuntu 10.04
To: Bro(a)bro-ids.org
Hi all,
When I was trying to install Bro 1.5.1 on Ubuntu 10.04,
I did
> ./configure --prefix=/path/to/bro
> make
Here I got problems like:
raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap
-ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap
-lpcap -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto
-lresolv -ltermcap -ltermcap
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src'
make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src'
Making all in scripts
make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts'
Making all in s2b
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
Making all in bro-include
make[4]: Entering directory
`/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include'
Making all in example_bro_files
make[4]: Entering directory
`/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory
`/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files'
Making all in etc
make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc'
Making all in bin
make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin'
Making all in pm
make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm'
Making all in snort_rules2.2
make[4]: Entering directory
`/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory
`/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2'
make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts'
make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts'
Making all in policy
make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy'
Making all in sigs
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/sigs'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/sigs'
Making all in time-machine
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine'
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy'
make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy'
Making all in doc
make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc'
Making all in ref-manual
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual'
Making all in quick-start
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start'
Making all in user-manual
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual'
make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc'
make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc'
make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1'
make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1'
make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1'
So what did I do wrong? I installed all of the following:
build-essential
libncurses5
g++
bison
flex
libmagic-dev
libgeoip-dev
libssl-dev
python-dev
libpcap-dev
I've been stuck here for a lot of days.
Thanks a lot
Hello, everyone!
The question is about SMTP states in the SMTP analyzer.
The state of the SMTP analyzer becomes "SMTP_INITIATED" after the SMTP command
"AUTH" and SMTP reply 235. And the next command "MAIL TO" leads to the event "SMTP
command unexpected", but as far as I know this is not right (they can perform
the command "MAIL TO" right after successful authorization, and it is not
"unexpected").
As I found inside the source code, it must be the state "SMTP_READY" after SMTP
reply 235 to the command "AUTH". Is that right?
I'm sorry if I'm wrong and something has not been considered.
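The following is an added model of the exchange the post describes, not the Bro analyzer's code: a small state tracker that follows the client's commands and the server's reply codes, treats a 235 reply to AUTH as returning the session to a ready state in which a mail transaction may begin, and records commands that arrive in a state where they are not expected. The state names are this example's own (only the ready state is meant to correspond to the post's "SMTP_READY"), the sample sessions are constructed, and the command that opens a transaction is written as MAIL FROM, its RFC 5321 spelling.

```python
"""SMTP session state tracker driven by commands and reply codes (added model)."""
from enum import Enum, auto
from typing import List, Optional, Sequence, Tuple


class S(Enum):
    CONNECTED = auto()   # greeting seen, no HELO/EHLO accepted yet
    READY = auto()       # may start a mail transaction (the post's "SMTP_READY")
    IN_AUTH = auto()     # SASL challenge/response in progress (334 replies)
    MAIL_OK = auto()     # MAIL accepted
    RCPT_OK = auto()     # at least one RCPT accepted
    IN_DATA = auto()     # message body being transferred
    QUIT = auto()


# Commands a client may send in each state (RFC 5321 sequencing plus AUTH
# from RFC 4954). NOOP, RSET, QUIT and HELP are accepted in every state.
ALLOWED = {
    S.CONNECTED: {"HELO", "EHLO"},
    S.READY:     {"HELO", "EHLO", "AUTH", "STARTTLS", "MAIL", "VRFY", "EXPN"},
    S.IN_AUTH:   set(),
    S.MAIL_OK:   {"RCPT"},
    S.RCPT_OK:   {"RCPT", "DATA"},
    S.IN_DATA:   set(),
    S.QUIT:      set(),
}
ALWAYS = {"NOOP", "RSET", "QUIT", "HELP"}


class SmtpTracker:
    def __init__(self) -> None:
        self.state = S.CONNECTED
        self.pending: Optional[str] = None           # verb awaiting a reply
        self.unexpected: List[Tuple[str, str]] = []  # (state, verb) seen out of order
        self.trace: List[Tuple[str, str]] = []       # ("VERB -> code", new state)

    def client(self, line: str) -> None:
        if self.state == S.IN_DATA:                  # body lines are not commands
            if line == ".":
                self.pending = "END-OF-DATA"
            return
        if self.state == S.IN_AUTH:                  # base64 continuation line
            self.pending = "AUTH"
            return
        parts = line.split(None, 1)
        if not parts:
            return
        verb = parts[0].upper()
        if verb not in ALLOWED[self.state] and verb not in ALWAYS:
            self.unexpected.append((self.state.name, verb))
        self.pending = verb

    def server(self, code: int) -> None:
        v, st = self.pending, self.state
        if v in ("HELO", "EHLO") and code == 250:
            st = S.READY
        elif v == "AUTH":
            if code == 334:
                st = S.IN_AUTH       # server wants more SASL data
            elif code == 235:
                st = S.READY         # authenticated: a transaction may start now
            elif code >= 400:
                st = S.READY         # failed; client may retry or go on without
        elif v == "MAIL" and code == 250:
            st = S.MAIL_OK
        elif v == "RCPT" and code == 250:
            st = S.RCPT_OK
        elif v == "DATA" and code == 354:
            st = S.IN_DATA
        elif v == "END-OF-DATA":
            st = S.READY
        elif v == "RSET" and code == 250 and st != S.CONNECTED:
            st = S.READY
        elif v == "QUIT" and code == 221:
            st = S.QUIT
        self.state = st
        self.trace.append((f"{v} -> {code}", st.name))
        self.pending = None


def run(exchange: Sequence[Tuple[str, str]]) -> SmtpTracker:
    """exchange: ("C", command line) / ("S", reply code) pairs, in wire order."""
    t = SmtpTracker()
    for side, msg in exchange:
        if side == "C":
            t.client(msg)
        else:
            t.server(int(msg))
    return t


# Constructed session: EHLO, AUTH PLAIN answered 235, then a full transaction.
GOOD_SESSION = [
    ("C", "EHLO client.example"),          ("S", "250"),
    ("C", "AUTH PLAIN AHVzZXIAcGFzcw=="),  ("S", "235"),
    ("C", "MAIL FROM:<user@example>"),     ("S", "250"),
    ("C", "RCPT TO:<bob@example>"),        ("S", "250"),
    ("C", "DATA"),                         ("S", "354"),
    ("C", "Subject: hi"), ("C", ""), ("C", "hello"), ("C", "."), ("S", "250"),
    ("C", "QUIT"),                         ("S", "221"),
]
# Constructed session that really is out of order: MAIL before any EHLO.
BAD_SESSION = [("C", "MAIL FROM:<x@example>"), ("S", "503")]

if __name__ == "__main__":
    for name, sess in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        t = run(sess)
        print(name, t.state.name, t.unexpected)
        for step in t.trace:
            print("   ", *step)
```

The design point is that the transition is keyed on the server's reply, not on the client's command: AUTH by itself moves nothing, 334 keeps the session in the authentication sub-state, and only 235 (or a failure code) returns it to the state from which MAIL is legal. A tracker that leaves the session where it was after 235 would flag the very next MAIL, which is the behaviour the post describes.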
Is there anyone successfully using GeoIP support in 1.5 on Linux that would be willing to share some pointers?
--
Michael Waite
Enterprise Security Analyst
Enterprise Information Privacy and Security Services (EIPSs)
Security Operations and Services (SOS)
Information Technology Services (ITS)
The Pennsylvania State University (PSU)
Direct Telephone: 814-865-2297
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security(a)psu.edu