In order to really drill down on some SSL stuff, I decided it was time
to finally put a lightweight web framework on top of my Bro logs. So,
unless the server shoots it down, attached is a tarball that contains
an alpha-quality framework for reading Bro logs and writing them to
syslog or a database or both. If written to a database, they can be
accessed through a very light web frontend, included, which can be run
right from the Bro server or from a traditional web server, if you
prefer. The web frontend solely consists of a query bar for searching
on terms contained in the tab-separated Bro logs. So you can do
things like this:
subject:CN=mail.google.com* -validation_status:ok
This would look for any connections to Gmail with an invalid certificate.
Or you could do
id.resp_h:74.125.*
which would find any traffic destined for Google's 74.125/16, or just
74.125.*
which would do the same thing, but for either originator or responder.
At this point, there's not much else you can do, as I mainly wanted to
get a quick web frontend up so I could more easily explore the data
that Bro outputs. The key part of the framework is that it doesn't
care what the fields are. It will take whatever is at the top of the
log files and use that as the field names. If it can't find the field
list, then it won't use the file. The database doesn't have a
standard table structure, rather it uses a key-value store, so the
schema is very flexible. It's been tested on MySQL, but it should
work on almost any database. It would be very easy to create entirely
ad-hoc reporting using this structure.
Aside from cosmetics, the big to-do is database table rollover, but if
you just want syslog output from Bro, this will get you going very
quickly. See the INSTALL doc for a quick how-to, or email if you have
any questions; feedback is appreciated! If there is any interest, I
will create a project page for the files for future downloading.
Thanks,
Martin
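The search described above, as an added example that is not Martin's framework or Bro's own code: a reader that takes the field names from the log header (and refuses a file without one), plus the query syntax from the post (field:glob, a bare glob across all fields, a leading "-" to negate). It assumes the Bro 2.x ASCII writer layout with a tab-separated "#fields" header line; the records in SAMPLE_LOG are constructed for the example.

```python
"""Added example, not code from Martin's framework or from Bro: read a Bro
log whose header names its fields, keep each record as field->value pairs,
and evaluate the query syntax shown in the post. Assumptions: the log uses
the Bro 2.x ASCII writer layout (a tab-separated "#fields" header line
followed by tab-separated records); the records below are constructed."""
import fnmatch
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tssl",
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tsubject\tvalidation_status",
    "#types\ttime\taddr\taddr\tport\tstring\tstring",
    "1312824000.1\t10.0.0.5\t74.125.53.17\t443\tCN=mail.google.com,O=Google Inc\tok",
    "1312824001.2\t10.0.0.7\t74.125.53.18\t443\tCN=mail.google.com,O=Google Inc\tunable to get local issuer certificate",
    "1312824002.3\t10.0.0.9\t192.0.2.10\t443\tCN=example.net\tself signed certificate",
])


def read_fields(text: str) -> Optional[List[str]]:
    """Field names from the '#fields' header, or None if there is none."""
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            return line.split("\t")[1:]
    return None


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by the header's field names. A file with
    no field list is refused, as the post's framework does."""
    fields = read_fields(text)
    if fields is None:
        raise ValueError("no #fields header; refusing to guess column names")
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header/footer lines and blanks
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("record has %d columns, header has %d"
                             % (len(values), len(fields)))
        records.append(dict(zip(fields, values)))
    return records


Term = Tuple[bool, Optional[str], str]  # (negated, field or None, glob)


def parse_query(query: str, known_fields) -> List[Term]:
    """'field:glob' restricts to one field, a bare glob matches any field,
    a leading '-' negates. A token whose prefix is not a known field name
    is treated as a bare glob, so '2001:db8::*' is not split at the colon."""
    terms = []
    for tok in query.split():
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        field, sep, pattern = tok.partition(":")
        if sep and field in known_fields:
            terms.append((negated, field, pattern))
        else:
            terms.append((negated, None, tok))
    return terms


def term_hits(record: Dict[str, str], field: Optional[str], pattern: str) -> bool:
    if field is None:
        return any(fnmatch.fnmatchcase(v, pattern) for v in record.values())
    return fnmatch.fnmatchcase(record.get(field, ""), pattern)


def search(records: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Records for which every term holds (negated terms must not match)."""
    known = set()
    for r in records:
        known.update(r)
    terms = parse_query(query, known)
    return [r for r in records
            if all(term_hits(r, f, p) != neg for neg, f, p in terms)]
```

Because the field list comes from the header, the same code works for any Bro log type; a query that names a field the header does not have is simply treated as a bare glob rather than failing. Terms are split on whitespace, so a subject containing spaces can only be matched with a wildcard in place of the space.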
Hi,
1 - What's the difference between these types of signature?
What I'm trying to understand is when it could become handy to split the
payload over many regular expressions.
signature sid-542 {
    ip-proto == tcp
    payload /.*EHLO.*MAIL FROM.*/
    event "sid-542"
}
signature sid-543 {
    ip-proto == tcp
    payload /.*EHLO.*/
    payload /.*MAIL FROM.*/
    event "sid-543"
}
Is the order of appearance of signature attributes important for Bro to
trigger an alert?
Thanks for your help.
--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
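An added example, not from the post or from Bro, showing what the two variants actually differ on. It assumes that Bro ANDs multiple payload conditions within one signature, so sid-543 fires when each regex matches the payload on its own, while sid-542's single regex additionally fixes the order (EHLO, then MAIL FROM). The behaviour is modelled with Python's re module over constructed SMTP payloads.

```python
"""Added example, not from the post or from Bro: the two signature variants
in the question differ on ordering. Assumption: Bro ANDs multiple payload
conditions in one signature. Modelled with Python's re module; re.DOTALL
lets '.' cross the CRLF line breaks in the constructed payloads."""
import re

# sid-542: one regex, so the order of the two commands is part of the match.
# The leading and trailing '.*' from the post are implied by an unanchored search.
SINGLE = re.compile(r"EHLO.*MAIL FROM", re.DOTALL)
# sid-543: two regexes that each only have to match somewhere, in any order
SPLIT = (re.compile(r"EHLO"), re.compile(r"MAIL FROM"))


def matches_sid_542(payload: str) -> bool:
    return SINGLE.search(payload) is not None


def matches_sid_543(payload: str) -> bool:
    return all(p.search(payload) is not None for p in SPLIT)


# Constructed payloads
IN_ORDER = "EHLO mx.example.org\r\nMAIL FROM:<alice@example.org>\r\n"
OUT_OF_ORDER = "MAIL FROM:<alice@example.org>\r\nEHLO mx.example.org\r\n"
EHLO_ONLY = "EHLO mx.example.org\r\nQUIT\r\n"
```

So splitting helps when the pieces may arrive in either order or you want several independent conditions on the same payload; the single regex is the one to use when the sequence itself is what you want to detect.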
Lawrence Berkeley National Lab has an immediate opening for a cyber
security engineer.
http://go.lbl.gov/cyber-position
A few reasons why it's awesome to work at Berkeley Lab.
- Mission - Protect Science http://go.lbl.gov/mission (pdf)
- Smart colleagues - You will teach and learn
- Location - Famous California Bay Area weather, activities, and food
- Work Environment - Science driven environment, less politics than usual
- Benefits - Excellent benefits and retirement
-Jay
--
Jack (Jay) E. Krous III
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
http://www.lbl.gov/cyber/pgp-krous.txt
(510) 495-2522
FYI, I've put up a very short quickstart on my blog
(http://ossectools.blogspot.com/2011/08/monitoring-ssl-connections-with-bro.…)
on getting Bro up and running for monitoring SSL connections. The
write-up is for Ubuntu, but it should be helpful for anyone just
starting with Bro. I will have follow-up posts on dealing with Bro
output, but this should be enough to get anyone just starting out
something to play with. Thanks again to Seth for all of the help!
Thanks,
Martin
Are there any Bro installations out there that have done any work
with Shibboleth?
We put Shibboleth into production here a couple of months back, and
I'd like to start getting some basic Bro visibility into Shib traffic.
The most basic level I wanted to get working was to generate Bro
events when it looks like the Shibboleth server is being pounded on
with dictionary attacks.
Has anyone out there done any other Shib/Bro work? I'd like to get
in touch and trade notes/code/brainstorming.
Steve
Is there a way to use a regex to extract portions of a string? I'm trying to
write a function that accepts a path and breaks it into a directory and
filename (/tmp/file.txt => [ /tmp, file.txt ]). I would like to do
something as easy as /(\/.+)/([^\/]+)$/, but am not sure it's possible
with Bro (I wrote the expr quickly, so there are probably typos).
Right now I have the following, but wondering if there is a better way:
function path_split(path: string): string_array {
    # split() returns a 1-based string_array; for "/tmp/file.txt" that is
    # { [1] = "", [2] = "tmp", [3] = "file.txt" }
    local cpath = split(path, /\//);
    local ret_val: string_array;
    # the last element is the filename; drop it from cpath
    ret_val[2] = cpath[length(cpath)];
    delete cpath[length(cpath)];
    # rejoining what is left gives the directory ("/tmp")
    ret_val[1] = join_string_array("/", cpath);
    return ret_val;
}
The reason I ask is I'm looking to modify the http/file-extract.bro
script so that the HTTP responses are saved into a directory structure
based on the src and dst IP addresses (e.g. http-items/src_ip/dst_ip).
I plan to modify generate_extraction_filename to create this path
and then send the filename to a function to create the directory
structure. (I know that modifying generate_extraction_filename will have
adverse effects on other scripts, but I plan to update those as well.)
If anyone cares, here is the function I wrote to recursively create the
directory structure.
function mkdirs(dir: string): bool {
    # split1() splits at the first match of the pattern, i.e. at the last
    # "/component" of dir: "/a/b/c" -> { [1] = "/a/b", [2] = "" }
    local path_split = split1(dir, /\/[^\/]*$/);
    local parent = path_split[1];
    # no parent (top-level directory, or a relative name without a slash):
    # just create it
    if ( parent == "" || length(path_split) == 1 )
        return mkdir(dir);
    else {
        # create the parent chain first, then this directory
        if ( ! mkdirs(parent) )
            return F;
        return mkdir(dir);
    }
    return T;
}
Thanks in advance.
--
Peter Erickson
redlamb19 _at_ gmail _dot_ com
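The path split asked for above and the per-source/per-destination extraction directory the post describes, as an added example (not code from the post or from Bro's http/file-extract.bro). It assumes POSIX paths and the layout http-items/<src_ip>/<dst_ip>/<file> from the post; the component check in extraction_path() is an added safeguard against separators and ".." in a name, not something the post discusses. Addresses and file names are constructed.

```python
"""Added example, not code from the post or from Bro's http/file-extract.bro:
a regex-based path split, plus building and creating the extraction
directory http-items/<src_ip>/<dst_ip>/<file> from the post. The component
check is an added safeguard. POSIX paths assumed; inputs are constructed."""
import os
import re
import tempfile
from typing import Tuple

# greedy (.*) stops at the last '/', ([^/]+) is the final component,
# the optional trailing '/' tolerates "dir/" spellings
_SPLIT_RE = re.compile(r"^(.*)/([^/]+)/?$")


def path_split(path: str) -> Tuple[str, str]:
    """'/tmp/file.txt' -> ('/tmp', 'file.txt'); '/file.txt' -> ('/', 'file.txt');
    'file.txt' -> ('', 'file.txt'); '/' -> ('/', '')."""
    if path == "/":
        return "/", ""
    m = _SPLIT_RE.match(path)
    if m is None:
        return "", path
    directory, name = m.group(1), m.group(2)
    return (directory or "/"), name


# dotted-quad or IPv6 text and plain file names; no separators
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._:-]+$")


def is_safe_component(part: str) -> bool:
    """One directory or file name that cannot step outside the tree."""
    return part not in ("", ".", "..") and _SAFE_COMPONENT.match(part) is not None


def extraction_path(base: str, src_ip: str, dst_ip: str, filename: str) -> str:
    """base/<src_ip>/<dst_ip>/<filename>, refusing unsafe components
    (added safeguard, not part of the post's design)."""
    for part in (src_ip, dst_ip, filename):
        if not is_safe_component(part):
            raise ValueError("unsafe path component: %r" % part)
    return os.path.join(base, src_ip, dst_ip, filename)


def mkdirs(directory: str) -> bool:
    """Same shape as the Bro mkdirs() in the post: make the parent first,
    then this directory. True if the directory exists afterwards."""
    parent, _ = path_split(directory)
    if parent not in ("", "/", directory) and not os.path.isdir(parent):
        if not mkdirs(parent):
            return False
    try:
        os.mkdir(directory)
    except FileExistsError:
        pass
    except OSError:
        return False
    return os.path.isdir(directory)


def demo() -> bool:
    """Create the directory for one extracted response under a temp base."""
    with tempfile.TemporaryDirectory() as base:
        target = extraction_path(base, "192.0.2.10", "198.51.100.7", "index.html")
        directory, name = path_split(target)
        return mkdirs(directory) and name == "index.html" and os.path.isdir(directory)
```

The IP components are safe by construction, but the file name comes from the HTTP response, so it is the one worth checking before it is joined onto the extraction root.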
Hi all,
We just got a hotel group rate established for the upcoming workshop. It's going to be $109+tax/night.
More information can be found on the workshop page on our website:
http://www.bro-ids.org/community/workshop2011.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
OK, this is possibly a dumb question, but I can't find it in
documentation or existing scripts. How can I grab a few specific
bytes from a connection? E.g., if I want to look for successful X11
connections, I expect to see the following immediately after the TCP
header: 0100 0b00 0000. How do I write something like:
if (c$id$resp_p == 6000)
if (first_6_bytes_after_tcp_header == 01000b000000)
do something
?
Thanks. Sorry for the noob questions.
Dan
--
Dan Klinedinst
Lawrence Berkeley National Laboratory
510.486.4219
dklinedinst(a)lbl.gov
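The bytes in the question are the start of the X11 server's connection-setup reply, so as an added example (not code from the post or from Bro) here is a decoder for them. Per the X11 protocol, byte 0 is the status (0 = Failed, 1 = Success, 2 = Authenticate); on Success, byte 1 is unused and bytes 2-3 and 4-5 carry the protocol major/minor version (11.0) in the byte order the client selected with the first byte of its own request ('l' = least-significant byte first, 'B' = most-significant first). The byte strings at the bottom are constructed.

```python
"""Added example, not code from the post or from Bro: decode the start of
an X11 connection-setup reply (the 01 00 0b 00 00 00 sequence in the post).
Byte 0 is the status; on Success bytes 2-5 are the protocol version in the
client-chosen byte order. The sample replies below are constructed."""
import struct
from typing import Dict, Optional

STATUS_NAMES = {0: "Failed", 1: "Success", 2: "Authenticate"}


def parse_x11_setup_reply(resp: bytes, client_byte_order: int = ord("l")) -> Optional[Dict[str, object]]:
    """Status and version of the reply, or None if it does not look like one."""
    if len(resp) < 6 or resp[0] not in STATUS_NAMES:
        return None
    fmt = "<" if client_byte_order == ord("l") else ">"
    status = STATUS_NAMES[resp[0]]
    result: Dict[str, object] = {"status": status}
    if status == "Success":
        major, minor = struct.unpack(fmt + "HH", resp[2:6])
        if major != 11:  # not X11: wrong byte order, or not X at all
            return None
        result.update(major=major, minor=minor)
    elif status == "Failed":
        # byte 1 is the reason length; bytes 2-7 hold version and data length
        if len(resp) < 8:
            return None
        reason_len = resp[1]
        major, minor, _extra = struct.unpack(fmt + "HHH", resp[2:8])
        result.update(major=major, minor=minor,
                      reason=resp[8:8 + reason_len].decode("latin-1", "replace"))
    return result


def x11_connection_succeeded(resp_payload: bytes, resp_port: int,
                             client_byte_order: int = ord("l")) -> bool:
    """The check sketched in the post: responder port 6000 and a Success reply.
    Matching on the decoded fields rather than the literal six bytes also
    accepts big-endian clients and any value in the unused byte."""
    if resp_port != 6000:
        return False
    parsed = parse_x11_setup_reply(resp_payload, client_byte_order)
    return parsed is not None and parsed["status"] == "Success"


# Constructed server replies (first 8 bytes only; a real reply continues)
SUCCESS_LE = bytes.fromhex("01000b0000000000")  # the bytes quoted in the post
SUCCESS_BE = bytes.fromhex("0100000b00000000")  # same reply to a 'B' client
FAILED_LE = bytes([0, 6]) + struct.pack("<HHH", 11, 0, 2) + b"No way\x00\x00"
```

The practical caveat is the byte order: a client that opened with 'B' gets 01 xx 00 0b 00 00, which a fixed comparison against 01 00 0b 00 00 00 would miss, so the decoder needs the client's first byte (or should try both orders) if you do not track the originator side.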
Hey everyone,
This is my first time using Linux as well as using Bro, so it has taken a
while for me to get it installed and up and running, but finally I think I
have it. I am running Bro 1.5.3 on Ubuntu and I have gotten BroCtl to start,
but I have a couple of questions:
1. Where are the rules written that Bro is supposed to alert on? I came from
Snort, so I know a bit about IDS, but I don't know how Bro is set up.
2. Where are the logs produced? /spool/broctl.dt?
What I really want to do is to log the packet(s) from an SSL handshake that
contain a certificate. I was sort of able to do this in Snort. Snort gave me
the right packets but the wrong data: I got the TCP segment data rather than
the reassembled TCP packet of the whole certificate itself. I was told Bro
could do this out of the box, so hopefully this will work here.
Is this possible? How should I go about doing this? I am a true beginner
with Linux and I am having some trouble understanding what is going on.
Thanks in advance
Alvin
Hey guys
Thanks a lot for the previous help. I think I am almost there, but when I
run bro_config there seem to be a few errors. I've managed to edit the
.cfg manually, but the program keeps mailing me about a subnettree (see
capture2.png). Does this have a connection? Am I missing a port?
I have captured my errors from bro_config in capture.png.
Kind Regards,
Jeffrey Everling
-----Original Message-----
From: bro-bounces(a)bro-ids.org [mailto:bro-bounces@bro-ids.org] On Behalf Of
Jeffrey Everling
Sent: Monday 8 August 2011 22:57
To: 'Gilbert Clark'
Cc: bro(a)bro-ids.org
Subject: Re: [Bro] Wrapper Error with compiling
OK, managed to get past the install by doing a ./configure in the install
folder. They didn't mention it in the tutorial I was reading. It's hard
finding decent tutorials for this software. I'm trying to configure it now
but, to be honest, I don't know if I'm doing it right.
Thanks for your help again guys :)
-----Original Message-----
From: bro-bounces(a)bro-ids.org [mailto:bro-bounces@bro-ids.org] On Behalf Of Gilbert
Clark
Sent: Monday 8 August 2011 18:11
To: bro(a)bro-ids.org
Subject: Re: [Bro] Wrapper Error with compiling
Hmm, it seems like it's looking for the binary itself and can't find it.
Have you tried adding /usr/local/bro/bin (or whichever folder into which the
bro binary is being installed) to your $PATH?
--Gilbert
On 8/8/2011 11:31 AM, Jeffrey Everling wrote:
> Nope that wasn't the solution. I tried it without and with a reboot.
> Still the same error. Can it be something with my dirnames from my
> installfolder or so?
>
> -----Original Message-----
> From: Seth Hall [mailto:seth@icir.org]
> Sent: Monday 8 August 2011 17:01
> To: Jeffrey Everling
> Cc: bro(a)bro-ids.org
> Subject: Re: [Bro] Wrapper Error with compiling
>
>
> On Aug 8, 2011, at 10:51 AM, Jeffrey Everling wrote:
>
>> Thanks a lot. It turned out I needed to install Bash. But now I am
>> stuck up with another error. For some reason I guess he can't find
>> the version file in my install folder?
>>
>> Got any ideas for this one?
>
> It looks like you might want to try doing "make clean" and then
> starting over.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro