zeek November 2011

zeek@lists.zeek.org

21 participants
23 discussions

by Mathew Binkley

Hi! I've been testing the 2.0 beta (kudos, btw). My alarm files is getting tons of SSL::Invalid_Server_Cert from our own local certs, doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert for those is not included with either Bro or the OS. I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root CA certs. Is there a way to add our own to that or to a separate file? How is that file generated? Thanks. Mat

9 years, 2 months

[Bro] broccoli/swig issue with 2.0-beta

by Justin Azoff

10073 ~ % sudo /spare/tmp/bro/bin/broctl status warning: removing stale lock Name Type Host Status Pid Peers Started Traceback (most recent call last): File "/spare/tmp/bro/bin/broctl", line 888, in <module> loop.onecmd(line) File "/usr/lib/python2.5/cmd.py", line 219, in onecmd return func(arg) File "/spare/tmp/bro/bin/broctl", line 280, in do_status control.status(nodes) File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 495, in status for (node, success, args) in _queryPeerStatus(nodes): File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 1049, in _queryPeerStatus return execute.sendEventsParallel(events) File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 513, in sendEventsParallel (success, bc) = _sendEventInit(node, event, args, result_event) File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 529, in _sendEventInit flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False) File "/spare/tmp/bro/lib/broctl/broccoli.py", line 14, in __init__ self.bc = bro_conn_new_str(destination, flags) TypeError: in method 'bro_conn_new_str', argument 1 of type 'char const *' abnormal termination, saving state ... I verified that 'destination' is a string containing host:port. -- -- Justin Azoff -- Network Security & Performance Analyst

9 years, 5 months

[Bro] Workshop materials

by Seth Hall

We have slides, videos, exercises, and exercise solutions posted on our website now from the recent workshop. There's lots of material there to look through, please let us know if you encounter any problems with it. http://www.bro-ids.org/bro-workshop-2011/index.html .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

9 years, 5 months

[Bro] BRO 2.0 - SMTP - Saving file attachments causing many packet Drops

by John Merit

Hello, I moved to BRO 2.0 few days ago, so far it works great. I am testing the SMTP write file to disk feature (entities.bro) which also works great on file attachments. Due to load on my machine (60mbps) there are packet drops which causes the file assembly to be corrupted (BRO is running on tap and not in-line). I suspect that the drops are caused by the excessive I/O when writing these attachments to disk. I decided to optimize bro to get rid of the drops: - I disabled all the scripts in init-default.bro (beside smtp) and also logging capabilities. - Increased the system allocated buffer size in setvbuf() (BroFile::SetBuf - File.cc) - Writing the file into tmpfs instead of the local directory I am still suffering drops. Am i doing something wrong? is there anyway to optimize it even better to get rid of the drops? Thank You, JD

9 years, 5 months

[Bro] Netflow and Bro

by Harish kanakaraju

Hi, I am new to Bro IDS, I wanted to know if Bro can be used to detect portscan or Denial of service using the netflow data collected from a router. If yes, I am able to use bro as netflow collector now but i am unable to proceed after this point. Should I use the existing scripts on the netflow data to detect the the threats ? or should i write my own scripts? Regards, Harish

9 years, 5 months

[Bro] Build Fail on OS X Lion

by Chucky

I'm having some difficulties building the latest Bro 2.0beta on OS X Lion. Bro = v 2.0-beta-47 OS = OS X 10.7.2 Gcc = v i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00) Cmake = 2.8.6 It fails when building netflow_pac.cc.o . Log snippet below. I can provide the full screen output/log if necessary. Any ideas/recommendations are welcome. :) #### Log #### <SNIP> ====================| Bro Build Summary |===================== Install prefix: /usr/local/bro.git Bro Script Path: /usr/local/bro.git/share/bro Debug mode: false CC: /usr/bin/gcc CFLAGS: -Wall -Wno-unused -O2 -g CXX: /usr/bin/c++ CXXFLAGS: -Wall -Wno-unused -O2 -g CPP: /usr/bin/c++ Broccoli: true Broctl: true Aux. Tools: true GeoIP: false Google perftools: false ================================================================ <SNIP> Scanning dependencies of target bro <SNIP> [ 29%] Building CXX object src/CMakeFiles/bro.dir/netflow_pac.cc.o In file included from /DG/BUILD/bro/build/src/netflow_pac.cc:3: /DG/BUILD/bro/build/src/netflow_pac.h:13: error: expected initializer before ‘*’ token /DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_header(binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint8, binpac::uint8, binpac::uint16)’: /DG/BUILD/bro/build/src/netflow_pac.cc:158: error: ‘mgr’ was not declared in this scope /DG/BUILD/bro/build/src/netflow_pac.cc: In member function ‘bool binpac::NetFlow::NetFlow_Flow::deliver_v5_record(binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint32, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8, binpac::uint8, binpac::uint16, binpac::uint16, binpac::uint8, binpac::uint8)’: /DG/BUILD/bro/build/src/netflow_pac.cc:225: error: ‘mgr’ was not declared in this scope make[3]: *** [src/CMakeFiles/bro.dir/netflow_pac.cc.o] Error 1 make[2]: *** [src/CMakeFiles/bro.dir/all] Error 2 make[1]: *** [all] Error 2 make: *** [all] Error 2 #----------------------------------------------- Chuck Little Security Engineer, Geek GPG key: F14EAD4C GPG fprint: AE4D 367F C946 919B CB8C 5BD0 490D 8B9F F14E AD4C #-----------------------------------------------

9 years, 5 months

[Bro] Enterprise Log Search and Archive (ELSA) Beta Available

by Martin Holste

The new auto-installer script is working well enough that I think most people should be able to get the beta of ELSA installed now. I put up a short post with the details and screenshots on my blog here: http://ossectools.blogspot.com/2011/11/elsa-beta-available.html . From the project page (http://code.google.com/p/enterprise-log-search-and-archive/): Features: * High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained) * Full Active Directory/LDAP integration for authentication, authorization, email settings * Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets * Email alerting, scheduled reports * Plugin architecture for web interface * Distributed architecture for clusters * Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare As shown at the workshop, if you install StreamDB (streamdb.googlecode.com) and note its URL in the web config, you can get instant access to any traffic referred to in a Bro log in two clicks via the "Info" link next to each log entry displayed in a search. There is also a command-line version which outputs tab-delimited lines that you can pipe to other programs, similar to bro-cut. Please let me know if you run into issues installing. Ubuntu, openSUSE, and CentOS have been tested, but variations of those distros should work fine. *BSD is also theoretically possible as all of the underlying components can be compiled on *BSD, but it has not been tested. If you try, let me know how it goes!

9 years, 5 months

[Bro] Arp Traffic Script

by Peter Erickson

I'm not sure if this of value to anyone, but I thought I'd pass it on. I recently had a need to review arp traffic and re-wrote the old arp.bro policy script to use the new Logging framework in 2.0-beta. I made a few additional changes as well with how the state information is stored.

9 years, 5 months

[Bro] CMake/Google Perftools CPUProfiler

by James Swaro

The Google Perftools CPUProfiler (lprofiler) does not seem to be linked into bro when perftools is enabled. Is this an error or is it intentional? Is there an alternate flag available to include the CPU Profiler? configured with --enable-perftools option, rebuilt and installed, no lprofiler exists. $ ldd /usr/local/bro/bin/bro linux-gate.so.1 => (0xb77bf000) libpcap.so.0.8 => /usr/lib/i386-linux-gnu/libpcap.so.0.8 (0xb7770000) libssl.so.1.0.0 => /usr/lib/i686/cmov/libssl.so.1.0.0 (0xb7723000) libcrypto.so.1.0.0 => /usr/lib/i686/cmov/libcrypto.so.1.0.0 (0xb7574000) libz.so.1 => /usr/lib/libz.so.1 (0xb7560000) libtcmalloc.so.0 => /usr/local/lib/libtcmalloc.so.0 (0xb74dc000) libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb73ee000) libm.so.6 => /lib/i386-linux-gnu/i686/cmov/libm.so.6 (0xb73c8000) libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb73aa000) libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7250000) libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0 (0xb7237000) libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb7233000) /lib/ld-linux.so.2 (0xb77c0000) Thoughts? Thanks! -- *- *James Swaro * *

9 years, 5 months

[Bro] Question about port scan detection and raising alarms

by George Noseevich

Hello! I wonder, is the port scan detection functionality present in bro 2.0, and if it is, how to enable it? I am starting bro with scripts/test-all-policy.bro, which should (I suppose) enable all built-in analyzers, then perform a standart nmap SYN scan of the host running bro. After that, I shutdown bro and examine the results. However, nothing related to scanning is shown in notice.log, and the alarm.log even doesn't get created. Am I missing some important steps here? I'm running bro directly via cli: bro -i eth0 scripts/test-all-policy.bro As a side question: what is the easiest way to test bro's alarm-triggering? What I need is a sample pcap file (or some kind of instructions), which will trigger alarms in a default bro configuration (freshly-build bro run with scripts that are distributed with bro itself). Thanks

9 years, 5 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek November 2011