Hey guys,
I was just wondering if there was a way to log the SSL certificates from an
SSL handshake. I want to log these so that I can check the signer
specifically and check their authenticity. I have been working in Snort IDS
but I haven't been able to get this to work so I am going to try Bro if it
is possible here instead. The main problems I run into on Snort are the TCP
packets not reassembling and figuring out what content match to look for in
the rules (although I can look through Wireshark and pull something out to
try easily). Is this possible in Bro? Someone told me it would be available
out of box on Bro so I am seriously considering this.
Thanks in advance,
Alvin
I would like to announce that we are finally planning another Bro workshop!
It's going to be sometime in early November at the NCSA (National Center for Supercomputing Applications) located in Urbana-Champaign, Illinois. More details and registration will be coming soon.
Sorry to everyone who "voted" for Berkeley in that survey a while back. The Illinois votes won.
Thanks,
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Thought this might be interesting for some here: There will be a panel
at RAID 2011 on open-source network intrusion detection systems with
representatives of the three major systems discussing the state of
their systems, including our own Seth Hall.
See http://www.raid2011.org/panel.shtml for more information.
Robin
----- Forwarded message from RAID 2011 <noreply-raid(a)cse.tamu.edu> -----
From: RAID 2011 <noreply-raid(a)cse.tamu.edu>
Subject: [RAID 2011] Call for Participation
14th International Symposium on Recent Advances in Intrusion Detection (RAID'2011)
September 20-21, 2011
SRI International, Menlo Park, CA
http://www.raid2011.org
Call for Participation
===========================================================
For the fourteenth year, the intrusion detection community will
converge at RAID'2011 to discuss cutting-edge research in malware,
application security, anomaly detection, special environments
and sandboxing, web security and social networks, and network
security. You are invited to join us at RAID for two days
this September at SRI International, Menlo Park, CA.
Register online at: http://www.raid2011.org/.
Kind reminder: early bird registration closes on August 1, 2011!
The annual symposium brings together leading researchers and
practitioners from academia, government, and industry to discuss
issues and technologies related to intrusion detection and
defense.
RAID 2011 features an exciting technical program, with
presentations addressing topics such as dynamic analysis of malicious
shellcode, world's fastest taint tracker, anomaly detection using
software defined networking, defending legacy embedded systems,
web and social network security, and cross-analysis of botnet victims.
A poster session during the symposium will provide lively
face-to-face discussions of work in progress.
This year we will have a great keynote presentation on "The
Cutting Edge of Medical Device Security and Privacy" by Dr. Kevin Fu!
We also have a special panel to discuss "State and Future of
Open-Source Network Intrusion Detection":
Panel Moderator:
- Ron Gula, Tenable Network Security
Panel participants:
- Seth Hall, International Computer Science Institute
- Victor Julien, Open Infosec Foundation
- Martin Roesch, Sourcefire
The Open Information Security Foundation (OISF) is co-locating
a Suricata community meeting with RAID 2011.
Don't miss out on this great fun event to socialize with your
colleagues in the heart of Silicon Valley!
----- End forwarded message -----
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Every year, at least once a year, I make an honest effort to implement
Bro and to start taking advantage of its advanced capabilities. Each
year, I spend a few hours on it and give up. I look through every doc
I can find on the Bro web site and in the tarball, but the lack of
sufficient examples and documentation always stifles any progress. I
want this year to be different. The purpose of this email is to find
out from you guys how to do the following (ideally in example form):
How do I write a policy to detect when an SSL connection has a
certificate which was created less than 30 days ago (not_valid_before
> 30 days ago)?
How do I send arbitrary connection data to an external program and
receive information back from it (and I need something more detailed
than "use broccoli")?
Thanks,
Martin
Hello list,
This is my first post - just another network monkey, been playing around
with bro for the last year or so, writing some custom policy files to try
and do some large scale analysis.
Can anyone tell me what the "cc=1" means at the end of a line for conn.log
output?
I'm getting output lines like this:
1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
The 'sent bytes' is "1865279311", which seems awfully high, and received are
0. A quick survey looks like most entries that have a large byte count with
sent or received and 0 in the other direction have the state set to "RSTOS0"
and the flags set to "X cc=1".
I believe one of the main factors causing this is damaged PCAPs (limited
snaplength, possibly dropped packets). However if I can exclude the damaged
records, I can still carry on with some analysis.
Thanks,
-David
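As an added example (not code from the thread or from Bro itself), here is a small Python parser for the conn.log line format quoted above that sets aside records showing the pattern David describes, so the rest of the analysis can run on the remaining records. The 100 MB threshold and treating '?' as zero bytes are assumptions; the trailing cc= token is kept as an opaque key/value pair because the thread does not explain it.

```python
from typing import Any, Dict, List, Tuple

# Column order of the Bro 1.x conn.log format quoted in the post. Anything
# after 'flags' is the free-form addl column (key=value tokens such as cc=1).
FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flags")
NUMERIC = {"ts": float, "duration": float, "orig_p": int, "resp_p": int,
           "orig_bytes": int, "resp_bytes": int}

# Constructed sample, not real traffic: the first line mirrors the post's example.
SAMPLE_LOG = """\
1307664147.729018 0.103712 1.2.3.4 5.6.7.8 https? 1839 443 tcp 1865279311 ? RSTOS0 X cc=1
1307664150.000000 12.5 10.0.0.5 10.0.0.9 http 51234 80 tcp 812 45213 SF X
1307664151.500000 0.02 10.0.0.7 10.0.0.1 dns 40001 53 udp 64 180 SF X
1307664152.250000 3.0 10.0.0.8 5.6.7.9 https? 52000 443 tcp ? 2049122111 RSTOS0 X cc=1
"""

def parse_line(line: str) -> Dict[str, Any]:
    toks = line.split()
    if len(toks) < len(FIELDS):
        raise ValueError(f"short conn.log line: {line!r}")
    rec: Dict[str, Any] = {}
    for name, tok in zip(FIELDS, toks):
        conv = NUMERIC.get(name)
        # Bro prints '?' where it could not determine a value; keep that as None.
        rec[name] = None if tok == "?" else (conv(tok) if conv else tok)
    # addl column kept as raw key/value pairs; the thread does not say what cc=1 means.
    rec["addl"] = dict(tok.partition("=")[::2] for tok in toks[len(FIELDS):])
    return rec

def looks_truncated(rec: Dict[str, Any], threshold: int = 100_000_000) -> bool:
    """David's pattern: state RSTOS0, a huge byte count on one side and nothing
    on the other ('?' is treated as 0 here, an assumption)."""
    ob, rb = rec["orig_bytes"] or 0, rec["resp_bytes"] or 0
    one_sided = (ob >= threshold and rb == 0) or (rb >= threshold and ob == 0)
    return rec["state"] == "RSTOS0" and one_sided

def split_records(text: str) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Return (clean, suspect) so the analysis can carry on over clean only."""
    clean: List[Dict[str, Any]] = []
    suspect: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rec = parse_line(line)
            (suspect if looks_truncated(rec) else clean).append(rec)
    return clean, suspect
```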
On Thu, Jul 07, 2011 at 19:30 +0200, you wrote:
> The tar files are those related to the output of bro with their according
> signature.
The matches reported in auto/signatures.log and auto/notices.log are
the same as far as I can see. And I don't see any reported in test/*.
So not sure what the problem is?
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Hi,
Once a signature has been written, compiled and matched against traffic, I
noticed that sometimes there are entries in signatures.log and notice.log, and
sometimes there are only entries in notice.log.
I didn't change default settings for signatures.bro yet (no local site
configuration). I wonder when (cases) bro is told to write to
signatures.log.
Thanks.
Rodrigue
On Wed, Jul 6, 2011 at 9:00 PM, <bro-request(a)bro-ids.org> wrote:
> ---------- Forwarded message ----------
> From: Rodrigue ALAHASSA <rodrigue.alahassa(a)gmail.com>
> To: bro(a)bro-ids.org
> Date: Tue, 5 Jul 2011 23:06:27 +0200
> Subject: [Bro] Signature payload matching
> Hi all,
>
> I'm working on the automation of signature generation for Bro from pcap trace
> files.
> I would like to know if the matching of the payload as a condition is done
> against all the session data or more like per packet matching.
>
> Thanks
>
> --
> Rodrigue ALAHASSA
> Royal Military Academy, Brussels
>
>
> ---------- Forwarded message ----------
> From: Robin Sommer <robin(a)icir.org>
> To: Rodrigue ALAHASSA <rodrigue.alahassa(a)gmail.com>
> Date: Tue, 5 Jul 2011 14:55:02 -0700
> Subject: Re: [Bro] Signature payload matching
>
> On Tue, Jul 05, 2011 at 23:06 +0200, Rodrigue ALAHASSA wrote:
>
> > I would like to know if the matching of the payload as a condition is done
> > against all the session data or more like per packet matching.
>
> It's matched against the reassembled session payload. There's some
> more information on details of the matching process here:
>
> http://www.bro-ids.org/documentation/signatures.html
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
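Robin's point in the quoted reply (the payload condition is matched against the reassembled session, not packet by packet) and Alvin's earlier trouble with Snort not reassembling TCP are illustrated by this added Python example, which is not code from the thread or from Bro: a minimal one-direction TCP reassembler fed constructed, out-of-order segments, with a pattern that only matches once the stream has been reassembled.

```python
import re
from typing import Iterable, List, Tuple

# One direction of a TCP stream as (relative sequence number, payload).
# Constructed sample, not captured traffic: the request line is split across
# two segments that also arrive out of order.
Segment = Tuple[int, bytes]
SAMPLE_SEGMENTS: List[Segment] = [
    (0, b"GET /ind"),
    (23, b"\r\nHost: example.test\r\n\r\n"),
    (8, b"ex.php HTTP/1.1"),
]
PATTERN = re.compile(rb"GET /index\.php")

def match_per_packet(segments: Iterable[Segment], pattern) -> bool:
    """Packet-oriented matching: the pattern has to fit inside one segment."""
    return any(pattern.search(payload) is not None for _, payload in segments)

def reassemble(segments: Iterable[Segment]) -> bytes:
    """Minimal in-order reassembly. Segments are processed by sequence number,
    bytes already delivered are skipped on overlap, and a hole (missing
    segment) stops delivery, as a real reassembler would wait for it."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            break                                # gap in the sequence space
        stream += payload[len(stream) - seq:]    # drop any overlapping prefix
    return bytes(stream)

def match_reassembled(segments: Iterable[Segment], pattern) -> bool:
    """Stream-oriented matching, which is what Bro's payload condition does."""
    return pattern.search(reassemble(segments)) is not None
```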
Hi all,
I'm working on the automation of signature generation for Bro from pcap trace
files.
I would like to know if the matching of the payload as a condition is done
against all the session data or more like per packet matching.
Thanks
--
Rodrigue ALAHASSA
Royal Military Academy, Brussels