Hi! I've been testing the 2.0 beta (kudos, btw). My alarm file is
getting tons of SSL::Invalid_Server_Cert from our own local certs,
doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert
for those is not included with either Bro or the OS.
I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
CA certs. Is there a way to add our own to that or to a separate file?
How is that file generated? Thanks.
Mat
Hello,
I am using Bro in my research work. My problem is that I am trying to
write a Bro script that fires alarms based on TCP packet delays. I
didn't find any Bro event that could be handled at every received
packet. I tried the tcp_packet and new_packet events, but it seems that
they are not fired at every received packet. I even tried to write a
signature that could be hit at every TCP packet, but I found that
unfortunately TCP signatures can be hit only once, on receipt of
the first TCP packet.
Please help, I am really tired…
Just to clarify something that I couldn't find in the documentation.
Optional Internal values can be set as arguments,
Ex. bro -Cr somefile.trace some/policy/here myvar=somevalue
as well as at the script level,
Ex. redef myvar = somevalue;
Correct?
It seems I cannot get the script level value to set, but the command line
argument is correctly set.
Thoughts?
--
James Swaro
When I was processing traces downloaded from WAND, it was reported that "Unknown data link type 0x9".
I am using Bro 2.0 Beta.
If not, is there any solution?
Readon Shaw
10073 ~ % sudo /spare/tmp/bro/bin/broctl status
warning: removing stale lock
Name Type Host Status Pid Peers Started
Traceback (most recent call last):
File "/spare/tmp/bro/bin/broctl", line 888, in <module>
loop.onecmd(line)
File "/usr/lib/python2.5/cmd.py", line 219, in onecmd
return func(arg)
File "/spare/tmp/bro/bin/broctl", line 280, in do_status
control.status(nodes)
File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 495, in status
for (node, success, args) in _queryPeerStatus(nodes):
File "/spare/tmp/bro/lib/broctl/BroControl/control.py", line 1049, in _queryPeerStatus
return execute.sendEventsParallel(events)
File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 513, in sendEventsParallel
(success, bc) = _sendEventInit(node, event, args, result_event)
File "/spare/tmp/bro/lib/broctl/BroControl/execute.py", line 529, in _sendEventInit
flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False)
File "/spare/tmp/bro/lib/broctl/broccoli.py", line 14, in __init__
self.bc = bro_conn_new_str(destination, flags)
TypeError: in method 'bro_conn_new_str', argument 1 of type 'char const *'
abnormal termination, saving state ...
I verified that 'destination' is a string containing host:port.
--
Justin Azoff
Network Security & Performance Analyst
I was searching for a long time to find a framework that can support fast & custom network traffic analysis.
Some specific features of the traffic data from the monitor, such as the interval between SYN and SYN-ACK, should be extracted and grouped by host.
I find Bro is so widely used, which seems able to fulfill the requirement.
Can I disable other functions embedded in Bro, and add a plugin myself?
What is the way to achieve this: modify the core .cpp source file or add a .bro file?
I want to analyze traffic in/out of a specific host (identified by IP) in a trace file,
where the processing for in/out streams is different. So it would be a problem to
notify the script what my target host is. A Python script was used to generate
the command lines, such as
bro -r xxx.pcap yyyy.bro.
But here the Bro script can't get the target IP through this kind of command.
Is there any mechanism in Bro to fulfill this requirement?
There is a way to configure the IP in files, but I think that would be limited
for multi-thread processing.
Or would broccoli-python suit me? How would it communicate with a trace-file-based Bro server?
Readon Shaw
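Added example (not from any poster in this thread) covering three of the questions above: the SYN to SYN-ACK delay alarm, passing the target host to the script from the command line, and the `redef`-able const that can be set either in a script or as a `var=value` argument. It assumes the script is saved as `syn_delay.bro` and run as `bro -r trace.pcap syn_delay.bro SynDelay::target=10.0.0.5`; the module name, variable names and threshold are my own choices.

```bro
##! Report the SYN -> SYN-ACK handshake delay for connections involving one
##! target host.  Assumed usage (constructed for this example):
##!   bro -r trace.pcap syn_delay.bro SynDelay::target=10.0.0.5

module SynDelay;

export {
    ## Host to watch; 0.0.0.0 means "all hosts".  Can be set at the script
    ## level with `redef SynDelay::target = 10.0.0.5;` or on the command line.
    const target: addr = 0.0.0.0 &redef;

    ## Handshake delay above which an alarm line is printed.
    const max_delay: interval = 500msec &redef;
}

# When the originator's SYN was seen, keyed by connection 4-tuple.
# Entries that never see a SYN-ACK expire on their own.
global syn_time: table[conn_id] of time &write_expire = 1min;

# connection_SYN_packet fires for every SYN, including the SYN-ACK;
# pkt$is_orig tells the two directions apart.
event connection_SYN_packet(c: connection, pkt: SYN_packet)
{
    if ( target != 0.0.0.0 && c$id$orig_h != target && c$id$resp_h != target )
        return;

    if ( pkt$is_orig )
    {
        # Originator's SYN: remember when it was seen.
        syn_time[c$id] = network_time();
        return;
    }

    # Responder's SYN-ACK: compute the delay if we saw the matching SYN.
    if ( c$id !in syn_time )
        return;

    local delay = network_time() - syn_time[c$id];
    delete syn_time[c$id];

    # Outbound means the target host opened the connection.
    local direction = (c$id$orig_h == target) ? "outbound" : "inbound";
    print fmt("%s %s -> %s SYN/SYN-ACK delay %s",
              direction, c$id$orig_h, c$id$resp_h, delay);

    if ( delay > max_delay )
        print fmt("ALARM: slow handshake %s -> %s (%s)",
                  c$id$orig_h, c$id$resp_h, delay);
}
```

Because the per-host filter is a `&redef` const, the Python script that generates the command lines only needs to append `SynDelay::target=<ip>` to each invocation, with no config file shared between runs.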
Hi all:
contents.bro performs session reconstruction of IPv4 traffic, but when
running Bro 1.5 contents.bro against an IPv6 packet trace, it creates
0-length files but doesn't extract the session contents to those
files. Is this in the works?
Thanks in advance
Just a quick note for those of you using or interested in ELSA, I
created a Google Group for it at
https://groups.google.com/group/enterprise-log-search-and-archive .
Still feel free to email me directly for help, but I created the group
so that the questions and answers might be visible to others searching
on Google for help.
Thanks,
Martin