Hi! I've been testing the 2.0 beta (kudos, btw). My alarm file is
getting tons of SSL::Invalid_Server_Cert from our own local certs,
doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert
for those is not included with either Bro or the OS.
I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
CA certs. Is there a way to add our own to that or to a separate file?
How is that file generated? Thanks.
10073 ~ % sudo /spare/tmp/bro/bin/broctl status
warning: removing stale lock
Name Type Host Status Pid Peers Started
Traceback (most recent call last):
  File "/spare/tmp/bro/bin/broctl", line 888, in <module>
  File "/usr/lib/python2.5/cmd.py", line 219, in onecmd
  File "/spare/tmp/bro/bin/broctl", line 280, in do_status
  File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 495, in status
    for (node, success, args) in _queryPeerStatus(nodes):
  File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 1049, in _queryPeerStatus
  File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 513, in sendEventsParallel
    (success, bc) = _sendEventInit(node, event, args, result_event)
  File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 529, in _sendEventInit
  File "/spare/tmp/bro/lib/broctl/broccoli.py", line 14, in __init__
    self.bc = bro_conn_new_str(destination, flags)
TypeError: in method 'bro_conn_new_str', argument 1 of type 'char const *'
abnormal termination, saving state ...
I verified that 'destination' is a string containing host:port.
-- Justin Azoff
-- Network Security & Performance Analyst
We have slides, videos, exercises, and exercise solutions posted on our website now from the recent workshop. There's lots of material there to look through; please let us know if you encounter any problems with it.
International Computer Science Institute
(Bro) because everyone has a network
I moved to BRO 2.0 a few days ago; so far it works great.
I am testing the SMTP write file to disk feature (entities.bro) which also
works great on file attachments.
Due to load on my machine (60mbps) there are packet drops which cause the
file assembly to be corrupted (BRO is running on tap and not in-line).
I suspect that the drops are caused by the excessive I/O when writing these
attachments to disk.
I decided to optimize bro to get rid of the drops:
- I disabled all the scripts in init-default.bro (beside smtp) and also
- Increased the system allocated buffer size in setvbuf() (BroFile::SetBuf
- Writing the file into tmpfs instead of the local directory
I am still suffering drops.
Am I doing something wrong? Is there any way to optimize it even better to
get rid of the drops?
I am new to Bro IDS, I wanted to know if Bro can be used to detect portscan or Denial of service using the netflow data collected from a router.
If yes, I am able to use bro as a netflow collector now but I am unable to proceed after this point. Should I use the existing scripts on the netflow data to detect the threats? Or should I write my own scripts?
I'm having some difficulties building the latest Bro 2.0beta on OS X Lion.
Bro = v 2.0-beta-47
OS = OS X 10.7.2
Gcc = v i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)
Cmake = 2.8.6
It fails when building netflow_pac.cc.o. Log snippet below. I can provide the full screen output/log if necessary.
Any ideas/recommendations are welcome. :)
#### Log ####
====================| Bro Build Summary |=====================
Install prefix: /usr/local/bro.git
Bro Script Path: /usr/local/bro.git/share/bro
Debug mode: false
CFLAGS: -Wall -Wno-unused -O2 -g
CXXFLAGS: -Wall -Wno-unused -O2 -g
Aux. Tools: true
Google perftools: false
Scanning dependencies of target bro
[ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o
In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3:
/DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before ‘*’ token
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)’:
/DG/BUILD/bro/build/src/netflow_pac.cc:158: error: ‘mgr’ was not declared in this scope
/DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)’:
/DG/BUILD/bro/build/src/netflow_pac.cc:225: error: ‘mgr’ was not declared in this scope
make: *** [src/CMakeFiles/bro.dir/netflow_pac.cc.o] Error 1
make: *** [src/CMakeFiles/bro.dir/all] Error 2
make: *** [all] Error 2
make: *** [all] Error 2
Security Engineer, Geek
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C
5BD0 490D 8B9F F14E AD4C
The new auto-installer script is working well enough that I think most
people should be able to get the beta of ELSA installed now. I put up
a short post with the details and screenshots on my blog here:
http://ossectools.blogspot.com/2011/11/elsa-beta-available.html . From
the project page
* High-volume receiving/indexing (a single node can receive > 30k
* Full Active Directory/LDAP integration for authentication,
authorization, email settings
* Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
* Email alerting, scheduled reports
* Plugin architecture for web interface
* Distributed architecture for clusters
* Ships with normalization for some Cisco logs, Snort/Suricata, Bro,
and Windows via Eventlog-to-Syslog or Snare
As shown at the workshop, if you install StreamDB
(streamdb.googlecode.com) and note its URL in the web config, you can
get instant access to any traffic referred to in a Bro log in two
clicks via the "Info" link next to each log entry displayed in a
There is also a command-line version which outputs tab-delimited lines
that you can pipe to other programs, similar to bro-cut.
Please let me know if you run into issues installing. Ubuntu,
openSUSE, and CentOS have been tested, but variations of those distros
should work fine. *BSD is also theoretically possible as all of the
underlying components can be compiled on *BSD, but it has not been
tested. If you try, let me know how it goes!
I'm not sure if this is of value to anyone, but I thought I'd pass it on. I
recently had a need to review arp traffic and re-wrote the old arp.bro
policy script to use the new Logging framework in 2.0-beta. I made a few
additional changes as well with how the state information is stored.
The Google Perftools CPUProfiler (lprofiler) does not seem to be linked
into bro when perftools is enabled. Is this an error or is it intentional?
Is there an alternate flag available to include the CPU Profiler?
configured with --enable-perftools option, rebuilt and installed, no
$ ldd /usr/local/bro/bin/bro
linux-gate.so.1 => (0xb77bf000)
libpcap.so.0.8 => /usr/lib/i386-linux-gnu/libpcap.so.0.8 (0xb7770000)
libssl.so.1.0.0 => /usr/lib/i686/cmov/libssl.so.1.0.0 (0xb7723000)
libcrypto.so.1.0.0 => /usr/lib/i686/cmov/libcrypto.so.1.0.0 (0xb7574000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7560000)
libtcmalloc.so.0 => /usr/local/lib/libtcmalloc.so.0 (0xb74dc000)
libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb73ee000)
libm.so.6 => /lib/i386-linux-gnu/i686/cmov/libm.so.6 (0xb73c8000)
libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb73aa000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7250000)
libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb7233000)
- James Swaro
I wonder, is the port scan detection functionality present in bro 2.0,
and if it is, how to enable it?
I am starting bro with scripts/test-all-policy.bro, which should (I
suppose) enable all built-in analyzers, then perform a standard nmap SYN
scan of the host running bro. After that, I shutdown bro and examine the
However, nothing related to scanning is shown in notice.log, and the
alarm.log doesn't even get created. Am I missing some important steps here?
I'm running bro directly via cli: bro -i eth0 scripts/test-all-policy.bro
As a side question: what is the easiest way to test bro's
alarm-triggering? What I need is a sample pcap file (or some kind of
instructions), which will trigger alarms in a default bro configuration
(freshly built bro run with scripts that are distributed with bro itself).