Several of us in the Cyber Security group at BBN are beginning to explore Bro for use in one of our projects. Currently, we're thinking of using it to monitor ICMP traffic. I've noticed that in the reference manual there's a not-filled-in entry on an ICMP analyzer and in the source code there's an ICMP analysis script and what appears to be an analyzer in the source code. Is there active work going on in detecting ICMP irregularities using Bro? Is there any interest in contributions to Bro of some ICMP sensors we've begun working on?
Thanks,
Dan Wyschogrod
____________________
Dan Wyschogrod
Cyber Security
Raytheon/BBN Technologies
dwyschogrod(a)bbn.com
Hi all,
I'd like to understand to which degree folks are currently using Bro's
built-in support for doing Bro-to-Bro or Bro-to-Broccoli communication
via SSL.
My hunch is that not many installations are using this, though I know
a few that do (note that if you haven't configured SSL specifically,
you are not using it :-).
Those who do use SSL for Bro communication, would it be an option to
replace it with something externally like stunnel?
I'm asking because we're planning to rework the communication layer
quite a bit. Not only has supporting SSL directly been quite a pain in
the past, but we'd also be more flexible in terms of leveraging
external libraries if SSL were not crucial.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Thanks Scott! I forgot about the vlan part. So I added that policy to be
loaded, restarted bro, and it appears to be working. woo hoo!
I also had to make a couple additional mods to tunable kernel params:
# in /boot/loader.conf:
kern.ipc.nmbclusters="131072"
kern.ipc.nmbjumbo9="131072"
hw.igb.rxd="512"
# in /etc/sysctl.conf:
## Increase packet capture buffer sizes
net.bpf.maxbufsize=10485760
net.bpf.bufsize=10485760
## Increase socket buffer limits
kern.ipc.maxsockbuf=4194304
Which got rid of the "igb0: Could not setup receive structures" errors
at boot time (dmesg output). But I still have the "pcap bufsize = 0" in
each of the stderr.log log files.
I appreciate all the assistance folks!
-Chuck
On 6/17/11 1:00 PM, bro-request(a)bro-ids.org wrote:
> Today's Topics:
>
> 1. Re: Pcap Buffer = 0 (Scott Sakai)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Jun 2011 12:28:11 -0700
> From: Scott Sakai <ssakai(a)sdsc.edu>
> Subject: Re: [Bro] Pcap Buffer = 0
> To: bro(a)bro-ids.org
> Message-ID: <4DFA594B.9080509(a)sdsc.edu>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Chuck,
>
> Just a thought: Is the traffic that you're (not) capturing vlan tagged?
>
> tcpdump with the '-e' argument and no filter will tell you for sure.
>
> If so, you need to load the vlan policy, otherwise libpcap will apply the
> filter rules to the wrong frame offsets.
>
>
> On 06/16/2011 10:08 AM, Chuck Little wrote:
>> Output:
>>
>> [rigel /raid/bro/bin]# ./broctl capstats
>>
>> Interface kpps mbps (10s average)
>> ------------------------------
>> rigel-igb0 0.0 0.0
>> rigel-igb1 39.7 147.0
>> rigel-igb2 19.2 96.7
>> rigel-igb3 24.1 137.3
>> rigel-igb4 0.0 0.0
>> rigel-igb5 0.0 0.0
>>
>> Total 83.0 381.0
>>
>>
>> -Chuck
>>
>> On 6/16/11 11:02 AM, Justin Azoff wrote:
>>> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
>>>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
>>>> traffic. I know I'm missing something (config setting, etc) but am
>>>> unsure what it is. I consulted teh Google but didn't have much luck.
>>>> Could someone provide some insight/advice? Thanks!
>>>>
>>>> -Chuck
>>>
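Scott's point about VLAN tags and frame offsets is easy to see with a few bytes in hand. The following is an added illustration, not code from the thread or from Bro: it constructs synthetic Ethernet frames (untagged, 802.1Q-tagged, and 802.1ad/802.1Q stacked) around a minimal IPv4 header, then compares a check that reads the ethertype and IP protocol at the fixed offsets an untagged-interface filter uses (12 and 23) against one that walks past any VLAN tags first. The frame builder, the addresses, and the function names are assumptions made for the example. The fixed-offset check is exactly what a BPF filter compiled without VLAN awareness does, so an `icmp` filter silently matches nothing on a tagged span port, which is what `tcpdump -e` with no filter would reveal by printing `802.1Q vlan N` in each line.

```python
# Added example (not from the list post or from Bro): why a filter compiled
# for untagged Ethernet reads the wrong bytes on 802.1Q / 802.1ad frames.
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100      # 802.1Q tag protocol identifier
ETH_QINQ = 0x88A8      # 802.1ad outer tag (stacked VLANs, "QinQ")
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def build_frame(vlan_ids, ip_proto):
    """Construct a synthetic frame: dst, src, zero or more VLAN tags (outermost
    first), the IPv4 ethertype, and a minimal 20-byte IPv4 header.
    The MAC and IP addresses below are documentation values, not real hosts."""
    dst = bytes.fromhex("00005e000101")
    src = bytes.fromhex("00005e000102")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        # With two tags the outer one carries the 802.1ad TPID, the inner 802.1Q.
        tpid = ETH_QINQ if (len(vlan_ids) > 1 and i == 0) else ETH_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # TCI: PCP/DEI zero
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol,
    # checksum (left zero, not validated here), src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return dst + src + tags + struct.pack("!H", ETH_IPV4) + ip


def naive_is_icmp(frame):
    """What a filter built for an untagged link effectively does: ethertype at
    byte 12, IP protocol at byte 14 + 9 = 23. Any VLAN tag shifts both."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return ethertype == ETH_IPV4 and frame[23] == IPPROTO_ICMP


def parse_frame(frame):
    """Walk past any 802.1Q/802.1ad tags and report the VLAN stack, the real
    ethertype, and the offset where the layer-3 header starts."""
    vlans = []
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (ETH_VLAN, ETH_QINQ):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4                                  # TPID(2) + TCI(2)
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                      # past the final ethertype
    return {"vlans": vlans, "ethertype": ethertype, "l3_offset": off}


def vlan_aware_is_icmp(frame):
    """Same test as naive_is_icmp, but relative to the true IP header offset."""
    info = parse_frame(frame)
    if info["ethertype"] != ETH_IPV4:
        return False
    return frame[info["l3_offset"] + 9] == IPPROTO_ICMP


if __name__ == "__main__":
    for label, vids in (("untagged", []), ("802.1Q", [100]), ("QinQ", [10, 100])):
        f = build_frame(vids, IPPROTO_ICMP)
        print(f"{label:9s} naive={naive_is_icmp(f)!s:5s} "
              f"vlan-aware={vlan_aware_is_icmp(f)} tags={parse_frame(f)['vlans']}")
```

Run it and the untagged frame is the only one the fixed-offset check classifies as ICMP; the tagged frames are ICMP all the same, which is why the capture looked empty until the vlan policy told the filter where the IP header really is.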
We're happy to announce that Bro has a completely new web site that's
now online at the well-known location:
http://www.bro-ids.org
We now also have a Bro blog, http://blog.bro-ids.org; and if you like
you can follow us on Twitter @Bro_IDS.
The old web pages remain accessible for the time being at
www-old.bro-ids.org.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Did you folks decide on when/where the Bro workshop will be held? I'm
prob the only one who chose Champaign/Urbana as the training location. lol
-Chuck
##### in reply to #####
------------------------------
Date: Thu, 21 Apr 2011 13:52:27 -0400
From: Seth Hall <seth(a)icir.org>
Subject: [Bro] Bro workshop survey
To: "Bro List" <bro(a)bro-ids.org>
Hi all,
I just posted a survey for us to get more comprehensive feedback
regarding the next Bro workshop. Please forward/retweet this survey to
anyone that you think might be interested.
The survey:
http://bit.ly/fMR9n2
My tweet about the survey:
https://twitter.com/remor/status/61124564507308032
Thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Dear Bro Developer and contributor,
I have been working on IDS and Data Mining. I would like to know the current
research in this area, that is, IDS using Data Mining, and what are the current
research areas and objectives where Data Mining can provide solutions to IDS?
--
Regards
SUMAN KUMAR NANDI
HOD-Computer Applications
Chitkara University, Punjab
India
Mobile:+919501105658
Have you always wanted to work on Bro and be paid for it? :-)
NCSA has an opening for a Senior Research Programmer:
https://jobs.illinois.edu/default.cfm?page=job&jobID=8847&returnPage=sear
This is a full-time position that focuses on Bro development in close
collaboration with our group here at ICSI.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org