Hi all,
I wrote a simple Bro policy file, test.bro, to load the signatures in the
snort-default.sig file via a redef of "signature_files".
However, when Bro loaded test.bro, I got many errors like
"smtp_servers (http_servers ...) not defined".
Should I define these variables in my test.bro file?
Or is there a common configuration file that defines them?
Thanks in advance
Quan
On Oct 31, 2011, at 10:15 AM, Tomer Teller wrote:
> However, I can't surround it with an if statement so I cannot check peer_description.
>
> Any suggestions?
Sorry about that...
event bro_init()
    {
    if ( peer_description == "worker-1" )
        restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0");
    if ( peer_description == "worker-2" )
        restrict_filters += table(["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1");
    }
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Hey all,
I am testing Bro's performance using tcpreplay for a project of mine.
I am replaying a packet capture of 680,000 packets at different rates to
check for packet loss.
tcpreplay -i eth0 --mbps=X 680000.pcap (where X = 1000, 500, 100, 10)
I have registered a handler for the new_packet event in order to count packets, like so:
global ctr = 0;

event new_packet(c: connection, p: pkt_hdr)
    {
    ctr = ctr + 1;
    ...
    }
I write to the log every time ctr % 100,000 == 0 to avoid unnecessary disk
I/O.
On the sender side I see that all packets were transmitted successfully, as
well as on the receiver side (using tcpdump), i.e. it is not a libpcap issue.
Bro, on the other hand, doesn't see all 680,000; it sees around 540,000.
I also used smaller packet captures (10/30/100 packets); again, Bro does
not see all packets.
Note! The packet captures are valid (checksums OK) HTTP connections that I
recorded for testing.
I tried removing some analyzers using broctl as well as modifying local.bro.
I also followed the Bro performance tuning recommendations.
Nothing helps; Bro does not see all the packets.
Any ideas what is the problem?
We are very excited to announce a public beta of Bro 2.0! Please give
it a try and let us know what you think. More information here:
http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html
Thanks to everybody who worked on this, it shaped up really nicely I
think!
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
On Oct 31, 2011, at 8:51 AM, Tomer Teller wrote:
> I want to load balance my traffic between 2 cores using the mentioned restrict filter (due to NAT, maybe it will be wise to filter by Source port, even -> worker-1, odd -> worker-2)
Use this....
event bro_init()
    {
    if ( peer_description == "worker-1" )
        restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
    if ( peer_description == "worker-2" )
        restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };
    }
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
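The two restrict_filters snippets above split traffic on the parity of ip[12:4] + ip[16:4], i.e. the 32-bit source and destination addresses of the IPv4 header. The following is an added example, not code from the thread or from Bro: it builds constructed IPv4 headers, evaluates that BPF expression the way the filter engine reads it, and compares the worker assignment with the even/odd source-port split the original poster was considering. The addresses, ports and the ipv4_header helper are assumptions made for the illustration.

```python
# Added example (not code from the thread or from Bro): evaluate the BPF
# expression "(ip[12:4] + ip[16:4]) & 1" from the restrict_filters snippets
# against constructed IPv4 headers, and compare the resulting worker
# assignment with an "even/odd source port" split.
import struct
from ipaddress import IPv4Address


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample data, no options)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def bpf_field(pkt: bytes, offset: int, size: int) -> int:
    """ip[offset:size]: `size` bytes at `offset` of the IP header, big-endian,
    which is what the pcap filter language means by that notation."""
    return int.from_bytes(pkt[offset:offset + size], "big")


def ip_sum_parity(pkt: bytes) -> int:
    """(ip[12:4] + ip[16:4]) & 1. BPF arithmetic is 32-bit, so the sum is
    masked before the low bit is taken; the wrap-around cannot change that bit."""
    total = (bpf_field(pkt, 12, 4) + bpf_field(pkt, 16, 4)) & 0xFFFFFFFF
    return total & 1


def worker_by_ip_sum(pkt: bytes) -> str:
    # Parity 0 satisfies worker-1's filter ("& 1 == 0"), parity 1 worker-2's.
    return "worker-1" if ip_sum_parity(pkt) == 0 else "worker-2"


def worker_by_src_port(sport: int) -> str:
    # The alternative mentioned in the thread: even source port -> worker-1.
    return "worker-1" if sport % 2 == 0 else "worker-2"


def flow_stays_on_one_worker(client: str, cport: int, server: str, sport: int) -> dict:
    """Assign both directions of one TCP flow under each scheme and report
    whether each scheme keeps the whole flow on a single worker."""
    fwd = ipv4_header(client, server)      # client -> server
    rev = ipv4_header(server, client)      # server -> client
    by_sum = (worker_by_ip_sum(fwd), worker_by_ip_sum(rev))
    by_port = (worker_by_src_port(cport), worker_by_src_port(sport))
    return {
        "ip_sum": by_sum, "ip_sum_pinned": by_sum[0] == by_sum[1],
        "src_port": by_port, "src_port_pinned": by_port[0] == by_port[1],
    }


if __name__ == "__main__":
    # Constructed flow: a client on 192.0.2.10 talking to a web server on 198.51.100.7.
    print(flow_stays_on_one_worker("192.0.2.10", 40001, "198.51.100.7", 80))
```

The address sum is symmetric in source and destination, so both directions of a connection satisfy the same worker's filter; a split on the source port sends the server's replies (source port 80) to a different worker than the client's requests. Two caveats worth keeping in mind with this filter: it is ANDed with Bro's own capture filter, and the `ip[...]` accessors match only untagged IPv4, so IPv6 and 802.1Q-tagged frames satisfy neither worker's filter and are dropped by both.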
Hello,
I'm new to the world of Bro but I'm attempting to complete a small
project for a graduate level class at the University of Illinois. The
concept of the project is to define a set of policy files for a few core
host services (SMTP, DNS, WEB SERVER). Each service specific policy
file would ensure that only allowed hosts are running that service. The
policy file would also ensure that each allowed host is only running a
specified set of services. With that said, I started writing the policy
files but had a few questions.
From what I can gather, it seems like the new_connection event would be
an obvious place to perform my checks since it is called for inbound and
outbound connections. Does this sound like the correct approach? Also,
is there a simple way to determine what service(s) a host is running
(smtp, ssh, etc.)? In other words, if a host is making an outbound
connection, is there any easy way to tie the traffic to a specific
service? Right now I'm just logging connections, but I'm wondering if
there is an easier way to determine the service other than trying to tie
port traffic to a potential service.
I would appreciate any suggestions or advice you could send my way.
Thanks in advance - William Seemann
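As an added example (not code from the thread or from Bro), here is the allow-list check described in the question, run offline over conn.log records of the shape Bro 2.0 writes (tab-separated, columns named by a #fields line). The service column holds what Bro's dynamic protocol detection identified, which is what lets the check go by observed protocol rather than by port. The log lines are constructed and trimmed to the columns used here; the local network, the allow-list and the port fallback table are assumptions made for the illustration.

```python
# Added example (not code from the thread or from Bro): check conn.log
# records against an allow-list of which local host may serve which service.
# The log lines are constructed and trimmed to the columns used here; the
# networks, the allow-list and the port fallback table are assumptions.
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/24")]      # assumed site address space
ALLOWED = {                                   # assumed policy: host -> services it may run
    "10.0.0.25": {"smtp"},
    "10.0.0.53": {"dns"},
    "10.0.0.80": {"http"},
}
# Used only when protocol detection left the service column empty ("-").
PORT_FALLBACK = {("tcp", 25): "smtp", ("tcp", 53): "dns", ("udp", 53): "dns",
                 ("tcp", 80): "http", ("tcp", 22): "ssh"}

# Constructed sample log, not a real capture.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1320000001.0\tCx1\t203.0.113.5\t51000\t10.0.0.25\t25\ttcp\tsmtp\n"
    "1320000002.0\tCx2\t203.0.113.6\t51001\t10.0.0.25\t22\ttcp\tssh\n"
    "1320000003.0\tCx3\t10.0.0.80\t51002\t203.0.113.9\t25\ttcp\tsmtp\n"
    "1320000004.0\tCx4\t203.0.113.7\t51003\t10.0.0.99\t80\ttcp\thttp\n"
    "1320000005.0\tCx5\t203.0.113.8\t4000\t10.0.0.53\t53\tudp\t-\n"
)


def parse_conn_log(text: str) -> list:
    """Parse the tab-separated Bro log format; the #fields line names the columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_local(host: str) -> bool:
    return any(ip_address(host) in net for net in LOCAL_NETS)


def service_of(rec: dict) -> str:
    if rec["service"] != "-":
        return rec["service"]        # what dynamic protocol detection identified
    return PORT_FALLBACK.get((rec["proto"], int(rec["id.resp_p"])), "unknown")


def check_policy(records: list) -> list:
    """Return (uid, reason, host, service) for every inbound connection to a local
    host that is not allowed to run that service. Outbound connections are skipped:
    there the local host is the client, so they say nothing about what it serves."""
    findings = []
    for rec in records:
        host = rec["id.resp_h"]
        if not is_local(host):
            continue
        svc = service_of(rec)
        if host not in ALLOWED:
            findings.append((rec["uid"], "host-not-allowed-to-serve", host, svc))
        elif svc not in ALLOWED[host]:
            findings.append((rec["uid"], "service-not-allowed-on-host", host, svc))
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_conn_log(CONN_LOG)):
        print(*finding)
```

Keying on the responder side is deliberate: an outbound connection tells you which service a remote host offers, not which one the local host runs, so record Cx3 (a local web server acting as an SMTP client) produces no finding here even though it might be interesting under a different policy.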
Hi,
I am a little confused about content conditions for Bro signatures. I'm
working to automate the generation of signatures compliant with Bro.
I would like to know how Bro behaves in two cases. I tried to provide many
content-conditions for one signature. Let's say that I want to detect the
following patterns in a stream (just some examples):
1- common
2- attack
3- vulnerabilities
If I use the following condition, it will detect all occurrences of common
followed by attack and vulnerabilities:
payload /.*common.*attack.*vulnerabilities.*/
What if I use a combination of those expressions:
payload /*common.*attack.*/
payload /*vulnerabilities*/
I looked around, but did not find anything to help me understand how the
signature engine will behave in these cases.
Thanks in advance for your help.
R. ALAHASSA
--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
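The question above hinges on two things: what a pair of payload conditions means compared with one combined pattern, and the stray leading `*` in the second form. This added example (not code from the thread or from Bro) runs both forms over constructed payloads with Python's re module so the difference is visible. It rests on two assumptions about Bro's signature engine, stated here rather than taken from the page: all conditions of one signature must match for it to fire, so two payload lines form a conjunction, and a payload pattern is matched from the start of the payload (which is why the poster's patterns begin with `.*`); re.match mirrors that anchoring. The sample payloads are constructed.

```python
# Added example (not code from the thread or from Bro): compare the single
# pattern /.*common.*attack.*vulnerabilities.*/ with the pair of payload
# conditions /.*common.*attack.*/ and /.*vulnerabilities.*/ on constructed
# payloads. Assumptions (see lead-in): the conditions of one Bro signature
# are a conjunction, and payload patterns are anchored at the start of the
# payload, which re.match also does.
import re

SINGLE = re.compile(r".*common.*attack.*vulnerabilities.*", re.DOTALL)
PAIR = (re.compile(r".*common.*attack.*", re.DOTALL),
        re.compile(r".*vulnerabilities.*", re.DOTALL))


def single_condition_matches(payload: str) -> bool:
    return SINGLE.match(payload) is not None


def paired_conditions_match(payload: str) -> bool:
    # Every payload condition of the signature has to hold.
    return all(p.match(payload) is not None for p in PAIR)


def is_valid_pattern(pattern: str) -> bool:
    """The poster's /*common.*attack.*/ starts with a quantifier that has
    nothing to repeat; Python's re rejects it. The intended form is
    /.*common.*attack.*/, with the dot in front of the star."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "in order":   "a common attack against known vulnerabilities",
    "reordered":  "vulnerabilities list: common attack",
    "incomplete": "common vulnerabilities only",
}


def compare(payload: str) -> dict:
    """Result of the single combined pattern next to the pair of conditions."""
    return {"single": single_condition_matches(payload),
            "pair": paired_conditions_match(payload)}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} {compare(text)}")
    print("valid pattern:", is_valid_pattern("*common.*attack.*"))
```

The difference is ordering: the single pattern requires "common", then "attack", then "vulnerabilities" in that sequence, while the pair only requires that "common ... attack" occurs somewhere and that "vulnerabilities" occurs somewhere, in either order. A generator that emits one condition per keyword therefore matches more payloads than one that concatenates the keywords into a single expression.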
On Tue, Oct 11, 2011 at 12:37 AM, James J. Barlow <jbarlow(a)ncsa.illinois.edu> wrote:
> On Tue, Oct 11, 2011 at 12:18:53AM -0500, Will wrote:
> >
> > Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?
> > Are there any issues, concerns or significant performance differences
> > to be aware of?
> > Thanks!
>
> We have a 15 node cluster running on RHEL 6, as well as another standalone
> RHEL 6 box. Have not seemed to experience any problems with the OS or
> install, and we are also running PF_RING on those hosts to optimize
> for the multi-cores. I just wish I could say that our network
> aggregator/balancer hardware that we purchased worked as well. :/
>
Thanks for the info! Is your aggregator/balancer appliance designed to do
load balancing based on session hashing and MAC re-writing? Or are you load
balancing based on protocol, etc. and using PF_RING to load balance among
nodes?
Will
>
> --
> James J. Barlow <jbarlow(a)ncsa.illinois.edu>
> Head of Security Operations and Incident Response
> National Center for Supercomputing Applications Office : (217)244-6403
> 1205 West Clark Street, Urbana, IL 61801 Cell : (217)840-0601
> http://www.ncsa.illinois.edu/~jbarlow Fax : (217)244-1987
>
Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?
Are there any issues, concerns or significant performance differences to be
aware of?
Thanks!
Will
Hi all,
I have configured a pcap output filter on my snort sensor. Can I use
bro-ids as a realtime correlator with this configuration? Is there a sample
of how I can do this?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com