zeek June 2011

zeek@lists.zeek.org

8 participants
8 discussions

by Dan Wyschogrod

Several of us in the Cyber Security group at BBN are beginning to explore Bro for use in one of our projects. Currently, we're thinking of using it to monitor ICMP traffic. I've noticed that in the reference manual there's a not-filled-in entry on an ICMP analyzer and in the source code there's an ICMP analysis script and what appears to be an analyzer in the source code. Is there active work going on in detecting ICMP irregularities using Bro? Is there any interest in contributions to Bro of some ICMP sensors we've begun working on? Thanks, Dan Wyschogrod ____________________ Dan Wyschogrod Cyber Security Raytheon/BBN Technologies dwyschogrod(a)bbn.com

10 years, 7 months

[Bro] Bro communication via SSL

by Robin Sommer

Hi all, I'd like to understand to which degree folks are currently using Bro's built-in support for doing Bro-to-Bro or Bro-to-Broccoli communication via SSL. My hunch is that not many installations are using this, though I know a few that do (note that if you haven't configured SSL specifically, you are not using it :-). Those who do use SSL for Bro communication, would it be an option to replace it with something externally like stunnel? I'm asking because we're planing to rework the communication layer quite a bit. Not only has supporting SSL directly been quite a pain in the past, but we'd also be more flexbile in terms of leveraging external libraries if SSL were not crucial. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

10 years, 7 months

Re: [Bro] Bro Digest, Vol 62, Issue 3

by Chuck Little

Thanks Scott! I forgot about the vlan part. So I added that policy to be loaded, restarted bro, and it appears to be working. woo hoo! I also had to make a couple additional mods to tunable kernel params: # in /boot/loader.conf: kern.ipc.nmbclusters="131072" kern.ipc.nmbjumbo9="131072" hw.igb.rxd="512" # in /etc/sysctl.conf: ## Increase packet capture buffer sizes net.bpf.maxbufsize=10485760 net.bpf.bufsize=10485760 ## Increase socket buffer limits kern.ipc.maxsockbuf=4194304 Which got rid of the "igb0: Could not setup receive structures" errors at boot time (dmesg output). But I still have the "pcap bufsize = 0" in each of the stderr.log log files. I appreciate all the assistance folks! -Chuck On 6/17/11 1:00 PM, bro-request(a)bro-ids.org wrote: > Today's Topics: > > 1. Re: Pcap Buffer = 0 (Scott Sakai) > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 16 Jun 2011 12:28:11 -0700 > From: Scott Sakai <ssakai(a)sdsc.edu> > Subject: Re: [Bro] Pcap Buffer = 0 > To: bro(a)bro-ids.org > Message-ID: <4DFA594B.9080509(a)sdsc.edu> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Chuck, > > Just a thought: Is the traffic that you're (not) capturing vlan tagged? > > tcpdump with the '-e' argument and no filter will tell you for sure. > > If so, you need to load the vlan policy, otherwise libpcap will apply the > filter rules to the wrong frame offsets. > > > On 06/16/2011 10:08 AM, Chuck Little wrote: >> Output: >> >> [rigel /raid/bro/bin]# ./broctl capstats >> >> Interface kpps mbps (10s average) >> ------------------------------ >> rigel-igb0 0.0 0.0 >> rigel-igb1 39.7 147.0 >> rigel-igb2 19.2 96.7 >> rigel-igb3 24.1 137.3 >> rigel-igb4 0.0 0.0 >> rigel-igb5 0.0 0.0 >> >> Total 83.0 381.0 >> >> >> -Chuck >> >> On 6/16/11 11:02 AM, Justin Azoff wrote: >>> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote: >>>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing >>>> traffic. I know I'm missing something (config setting, etc) but am >>>> unsure what it is. I consulted teh Google but didn't have much luck. >>>> Could someone provide some insight/advice? Thanks! >>>> >>>> -Chuck >>>

10 years, 7 months

[Bro] New Bro web site and blog

by Robin Sommer

We're happy to announce that Bro has a completely new web site that's now online at the well-known location: http://www.bro-ids.org We now also have a Bro blog, http://blog.bro-ids.org; and if you like you can follow us on Twitter @Bro_IDS. The old web pages remain accessible for the time being at www-old.bro-ids.org. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

10 years, 7 months

[Bro] Pcap Buffer = 0

by Chuck Little

I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing traffic. I know I'm missing something (config setting, etc) but am unsure what it is. I consulted teh Google but didn't have much luck. Could someone provide some insight/advice? Thanks! -Chuck Here are the particulars: Possible symptom is that the pcap buffer = 0 (e.g. in /raid/bro/spool/rigel-igb0/stderr.log). Bro-IDS v1.5.3 FreeBSD v8.2-RELEASE in /etc/rc.conf: ifconfig_igb0="mtu 9000 promisc -arp up" ifconfig_igb1="mtu 9000 promisc -arp up" ifconfig_igb2="mtu 9000 promisc -arp up" ifconfig_igb3="mtu 9000 promisc -arp up" ifconfig_igb4="mtu 9000 promisc -arp up" ifconfig_igb5="mtu 9000 promisc -arp up" in /etc/sysctl.conf: ## Increase packet capture buffer sizes net.bpf.maxbufsize=10485760 net.bpf.bufsize=10485760 ## Increase socket buffer limits kern.ipc.maxsockbuf=4194304 in /boot/loader.conf: kern.ipc.nmbclusters="131072" kern.ipc.nmbjumbo9="65536" Output of `broctl config`: [BroControl] > config analysis-dns = 0 analysiscfg = /raid/bro/etc/analysis.dat auxpostprocessors = auxscriptsmanager = auxscriptsstandalone = auxscriptsworker = bindir = /raid/bro/bin bro = /raid/bro/bin/bro broargs = brobase = /raid/bro broversion = 1.5.3 capstats = /raid/bro/bin/capstats cfgdir = /raid/bro/etc cflowaddr = cflowpassword = cflowuser = cron = 0 cron-enabled = 1 croncmd = cronenabled = 1 custominstallbin = debug = 1 debuglog = /raid/bro/spool/debug.log defsitepolicypath = /raid/bro/share/bro/site devmode = 0 distdir = /root/WORKING/bro-1.5.3 havebroccoli = havenfs = 0 helperdir = /raid/bro/share/broctl/scripts/helpers home = /root libdir = /raid/bro/lib libdirinternal = /raid/bro/lib/broctl localnetscfg = /raid/bro/etc/networks.cfg lockfile = /raid/bro/spool/lock logdir = /raid/bro/logs logexpireinterval = 30 mailalarmprefix = ALERT: mailalarms = 1 mailalarmsto = root@localhost mailfrom = Big Brother <bro(a)rigel.nwsc.ucar.edu> mailreplyto = mailsubjectprefix = [Bro] mailto = root@localhost makearchivename = /raid/bro/share/broctl/scripts/make-archive-name memlimit = unlimited mindiskspace = 5 nodecfg = /raid/bro/etc/node.cfg os = freebsd policydir = /raid/bro/share/bro policydirbroctl = /raid/bro/share/bro/broctl policydirsiteinstall = /raid/bro/share/bro/.site policydirsiteinstallauto = /raid/bro/share/bro/.site/auto postprocdir = /raid/bro/share/broctl/scripts/postprocessors prefixes = local rigel-crashed = 0 rigel-igb0-crashed = 0 rigel-igb0-pid = 2543 rigel-igb0-port = 47762 rigel-igb1-crashed = 0 rigel-igb1-pid = 2544 rigel-igb1-port = 47763 rigel-igb2-crashed = 0 rigel-igb2-pid = 2545 rigel-igb2-port = 47764 rigel-igb3-crashed = 0 rigel-igb3-pid = 2542 rigel-igb3-port = 47765 rigel-igb4-crashed = 0 rigel-igb4-pid = 2541 rigel-igb4-port = 47766 rigel-igb5-crashed = 0 rigel-igb5-pid = 2546 rigel-igb5-port = 47767 rigel-p1-crashed = 0 rigel-p1-pid = 2426 rigel-p1-port = 47761 rigel-pid = 1967 rigel-port = 47760 savetraces = 0 scripts-manager = cluster-manager scripts-proxy = cluster-proxy scripts-standalone = standalone scripts-worker = cluster-worker scriptsdir = /raid/bro/share/broctl/scripts sendmail = 1 sigint = 0 sitepolicymanager = local-manager sitepolicypath = /raid/bro/share/bro/site sitepolicystandalone = local.bro sitepolicyworker = local-worker spooldir = /raid/bro/spool standalone = 0 statefile = /raid/bro/spool/broctl.dat staticdir = /raid/bro/share/broctl statsdir = /raid/bro/logs/stats statslog = /raid/bro/spool/stats.log templatedir = /raid/bro/share/broctl/templates time = /usr/bin/time timefmt = %d %b %H:%M:%S timemachinehost = timemachineport = 47757/tcp tmpdir = /raid/bro/spool/tmp tmpexecdir = /raid/bro/spool/tmp tracesummary = /raid/bro/bin/trace-summary version = 0.3

10 years, 7 months

Re: [Bro] Bro workshop survey

by Chuck Little

Did you folks decide on when/where the Bro workshop will be held? I'm prob the only one who chose Champaign/Urbana as the training location. lol -Chuck ##### in reply to ##### ------------------------------ Date: Thu, 21 Apr 2011 13:52:27 -0400 From: Seth Hall <seth(a)icir.org> Subject: [Bro] Bro workshop survey To: "Bro List" <bro(a)bro-ids.org> Hi all, I just posted a survey for us to get more comprehensive feedback regarding the next Bro workshop. Please forward/retweet this survey to anyone that you think might be interested. The survey: http://bit.ly/fMR9n2 My tweet about the survey: https://twitter.com/remor/status/61124564507308032 Thanks! .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

10 years, 7 months

[Bro] Current IDS and Data Mining research

by Suman Nandi

Dear Bro Developer and contributer I have been working on IDS and Data Mining .I would like to know the current research in this area that IDS using Data Mining and what are the current reseach areas and objectives where Data Mining can provide solutions to IDS? -- Regards SUMAN KUMAR NANDI HOD-Computer Applications Chitkara University, Punjab India Mobile:+919501105658

10 years, 7 months

[Bro] Open Position at NCSA

by Robin Sommer

Have you always wanted to work on Bro and be paid for it? :-) NCSA has an opening for a Senior Research Programmer: https://jobs.illinois.edu/default.cfm?page=job&jobID=8847&returnPage=sear This is a full-time position that focuses on Bro development in close collaboration with our group here at ICSI. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

10 years, 8 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2011