It may be just me, but I'm getting a connection refused at www.bro-ids.org. Are others seeing this? It's Sunday, maybe there is some scheduled maintenance?
Tom MK
-----
Tom M. Kroeger
Systems & Security Research
Sandia National Labs
Yes. My bad. I still had some 1.5 scripts left there. I deleted them and it
is working fine now.
On Fri, Jan 13, 2012 at 11:23 PM, Seth Hall <seth(a)icir.org> wrote:
>
> On Jan 13, 2012, at 11:34 PM, Hui Lin (Hugo) wrote:
>
> > redef enum Notice += {
> >     CriState, # notice for my semantic signature matching; critical state
> > };
>
> Are you working with something close to 2.0? In 2.0 that enum is named
> Notice::Type. Where you call the NOTICE function looks ok.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
Well, this is what my code looks like. I just call the NOTICE function within
one of my event handlers.
@load notice
@load /home/hugo/experiment/dnp3/policy/dnp3headers_sl.bro

redef enum Notice += {
    CriState, # notice for my semantic signature matching; critical state
};

......

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
    {
    .....
    NOTICE([$note=CriState,
            $msg="Test CriState is recorded",
            $conn=c]);
    .....
    }
On Fri, Jan 13, 2012 at 10:27 PM, Seth Hall <seth(a)icir.org> wrote:
>
> On Jan 13, 2012, at 11:18 PM, Hui Lin (Hugo) wrote:
>
> > When I load notice and use the NOTICE function in my script, there is an
> > error message
> >
> > error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, line 569: already defined (NOTICE)
>
> You're going to need to show a snippet of code that causes this error. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
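For reference, here is how the same notice is written against the Bro 2.0 Notice framework that Seth refers to above (the enum is Notice::Type, and the type sits in an export block so other scripts can refer to it by its module-qualified name). This is an added example, not code from the thread or from the Bro distribution. The dnp3_crob event belongs to the poster's own analyzer and is not part of 2.0; its signature is taken as posted above, and the module name DNP3Sig and the assumption that the TCP originator is the DNP3 master are choices made for this example.

```bro
# Added example: a custom notice type under the Bro 2.0 Notice framework.
# Assumptions: dnp3_crob has the signature posted in the thread (it is the
# poster's own analyzer event), and the TCP originator is the DNP3 master.
@load base/frameworks/notice

module DNP3Sig;

export {
    # In 2.0 the enum to extend is Notice::Type, not Notice.
    redef enum Notice::Type += {
        ## The DNP3 semantic signature reached a critical state.
        Critical_State,
    };
}

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    # Assumed: control commands come from the originator (the master).
    if ( ! is_orig )
        return;

    NOTICE([$note=Critical_State,
            $msg=fmt("critical DNP3 control state on %s (control code %d)",
                     c$id$resp_h, control_code),
            $sub=fmt("on_time=%d off_time=%d status=%d",
                     on_time, off_time, status_code),
            # $conn fills in the connection id and uid in notice.log.
            $conn=c,
            # One notice per master/outstation pair per suppression interval,
            # so a flood of commands does not become a flood of notices.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Because the type is exported, a site policy can match on DNP3Sig::Critical_State in Notice::policy to choose an action (email, alarm) without touching this script.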
Being stupid again.
It is again the version mix-up of the policy files. I discussed this with
Robin before. I deleted many old scripts and now it seems to be fine.
Best,
Hui
On Fri, Jan 13, 2012 at 10:34 PM, Lin, Hui <hlin33(a)illinois.edu> wrote:
> Well, this is what my code looks like. I just call the NOTICE function within
> one of my event handlers.
>
> @load notice
> @load /home/hugo/experiment/dnp3/policy/dnp3headers_sl.bro
>
> redef enum Notice += {
>     CriState, # notice for my semantic signature matching; critical state
> };
>
> ......
>
> event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)
>     {
>     .....
>     NOTICE([$note=CriState,
>             $msg="Test CriState is recorded",
>             $conn=c]);
>     .....
>     }
>
> On Fri, Jan 13, 2012 at 10:27 PM, Seth Hall <seth(a)icir.org> wrote:
>
>>
>> On Jan 13, 2012, at 11:18 PM, Hui Lin (Hugo) wrote:
>>
>> > When I load notice and use the NOTICE function in my script, there is an
>> > error message
>> >
>> > error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, line 569: already defined (NOTICE)
>>
>> You're going to need to show a snippet of code that causes this error. :)
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>
>
> --
> Hui Lin
> Research Assistant
> DEPEND Research Group, ECE Department
> University of Illinois at Urbana-Champaign
> hlin33(a)illinois.edu
>
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
Hi,
When I load notice and use the NOTICE function in my script, there is an error
message:
error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, line 569: already defined (NOTICE)
According to the error message, I found that two NOTICE functions are
defined, in this /notice/main.bro and also in notice.bro. So what is the
correct way to use the NOTICE function?
Best,
Hui
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
Thanks.
At first, I was thinking about using it in this way. However, then I found that
Seth's way is probably more convenient in Bro.
I think I am starting to get the concept of "redef" and "load" now.
Best,
Hui
On Fri, Jan 13, 2012 at 9:27 PM, Aashish SHARMA <init.conf(a)gmail.com> wrote:
>
> On Jan 13, 2012, at 6:23 PM, Seth Hall wrote:
>
> >
> > On Jan 13, 2012, at 5:42 PM, Hui Lin (Hugo) wrote:
> >
> >> I am wondering whether it is possible to use a global variable that is
> >> defined in another policy script?
> >
> > That's basically the definition of a global. It's just a runtime
> modifiable variable that can exist outside of a particular scope. You just
> need to make sure that the script that defines the variable is loaded prior
> to the script that uses it. Bro's parser will tell you if the variable
> isn't available yet which would mean you probably loaded the scripts in the
> wrong order.
> >
> >> I found that in some scripts, "export" are used. Does this achieve a
> >> similar function?
> >
> > The export keyword is only for making variables and types available
> > outside of a module's namespace. If variables are defined within a module
> > but not in the export section then you will only have access to those from
> > code within that module.
> >
>
> If you want to access table drop_info from drop.bro into http.bro you can
> say:
>
> DROP::drop_info += { …..
>
>
> basically create a "module"
>
> example hui.bro:
>
> module hui;
>
> export {
>     global a_var: string = "";
> }
>
>
> file: a.bro
>
> @load hui
>
> hui::a_var = "abc";
>
>
>
> Hope this helps.
> Aashish
>
>
>
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
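The two rules Seth and Aashish describe above, a global is visible to other scripts only when it sits in its module's export block, and the defining script must be loaded before the script that uses it, worked through as a pair of scripts. This is an added example, not code from the thread; the file and module names (host_stats.bro with module HostStats, report.bro with module Report) and the per-responder connection counter are invented for it.

```bro
# Added example: sharing a global across two Bro scripts through a module's
# export block. Names (HostStats, Report, host_stats.bro, report.bro) are
# chosen for this example.

# ---- file: host_stats.bro ------------------------------------------------
module HostStats;

export {
    ## Completed connections seen per responder. Any script that loads this
    ## one can read it as HostStats::conns_per_host.
    global conns_per_host: table[addr] of count = table();

    ## Tunable from another script with "redef HostStats::report_threshold = N;".
    const report_threshold = 100 &redef;
}

# Not in the export block: visible only to code inside module HostStats.
global total_conns: count = 0;

event connection_state_remove(c: connection)
    {
    if ( c$id$resp_h !in conns_per_host )
        conns_per_host[c$id$resp_h] = 0;
    conns_per_host[c$id$resp_h] += 1;
    total_conns += 1;
    }

# ---- file: report.bro ----------------------------------------------------
# Load the defining script first; otherwise the parser reports HostStats::*
# as unknown identifiers.
@load ./host_stats

module Report;

# Override the exported constant; this is what &redef permits.
redef HostStats::report_threshold = 50;

# Lower priority than HostStats' handler for the same event, so the counter
# has already been updated when this runs.
event connection_state_remove(c: connection) &priority=-5
    {
    local h = c$id$resp_h;
    if ( HostStats::conns_per_host[h] == HostStats::report_threshold )
        print fmt("%s reached %d connections", h, HostStats::report_threshold);
    # HostStats::total_conns would be a parse error here: it is not exported.
    }
```

The module-qualified name is the equivalent of what the thread calls C's "extern": there is no separate declaration, the @load order plus the export block is what makes the symbol resolvable.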
Hi,
I am wondering whether it is possible to use a global variable that is
defined in another policy script? In other words, do Bro scripts have an
equivalent of "extern" in C?
I found that in some scripts, "export" are used. Does this achieve a similar
function?
Best,
Hui
--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33(a)illinois.edu
Just wondering what the final decision was for snaplen in 2.0?
I did notice that broargs looks to have been deprecated.
-will
---------- Forwarded message ----------
From: "Robin Sommer" <robin(a)icir.org>
Date: Nov 18, 2011 2:08 PM
Subject: Re: [Bro-Dev] Bro's snap length
To: "Seth Hall" <seth(a)icir.org>
Cc: "bro-dev(a)bro-ids.org Dev" <bro-dev(a)bro-ids.org>
On Fri, Nov 18, 2011 at 14:34 -0500, you wrote:
> We're going to need to change Bro's default snap length before the 2.0
> final release or at least do something.
I think we should add a script-level option snaplen and set it to a
much smaller default, like 8K or 4K. Plus a FAQ entry, linked from the
Quickstart guide, explaining what's going on and what to do.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
_______________________________________________
bro-dev mailing list
bro-dev(a)bro-ids.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Hi All,
I was wondering if anyone has set anything up in Bro to monitor their web
servers for this style of attack. They recommend or caution against the use
of IPS' for blocking this attack as the false positive rate can be fairly
high for users on a slow connection. Being that Bro can monitor and
maintain the state of a connection for a long time, I imagine it would be
perfect for this. Looking for lengthy connections with abnormally small
header request sizes sounds like it might be the best way to detect these.
Of course, there are likely outliers, but I imagine legitimate use could be
identified and whitelisted fairly easily.
http://arstechnica.com/business/news/2012/01/new-slow-motion-dos-attack-jus…
https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow…
https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-a…
Thanks in advance for any feedback!
-Will
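One way to express the detection Will sketches above as a Bro 2.0 script, added here as an example and not taken from the thread or from the Bro distribution. It keys on the symptom of slow-header tools that Bro sees directly: a request line arrives, but the blank line ending the header block does not arrive within a timeout. Monitoring only, no blocking, so a slow but legitimate client costs one notice rather than a dropped connection, and known slow hosts can be whitelisted. The module name SlowHeaders, the timeout value and the notice name are choices made for this example.

```bro
# Added example: notice HTTP requests whose headers never complete.
# Assumes Bro 2.0 base scripts (http_request, http_all_headers,
# connection_state_remove, Notice::Info with $identifier).
@load base/frameworks/notice
@load base/protocols/http

module SlowHeaders;

export {
    redef enum Notice::Type += {
        ## A client sent a request line but did not finish its headers in time.
        Incomplete_Request_Headers,
    };

    ## How long a client may take to finish sending its request headers.
    const header_timeout = 30sec &redef;

    ## Hosts allowed to be slow (e.g. known low-bandwidth monitoring clients).
    const allowed_slow_hosts: set[addr] = set() &redef;
}

# Request start time by connection uid, for requests still waiting for the
# blank line that terminates the header block.
global pending: table[string] of time = table();

# Scheduled from http_request; fires after header_timeout.
event check_headers(c: connection, uid: string)
    {
    if ( uid !in pending )
        return;    # headers completed, or the connection ended, in time

    delete pending[uid];
    NOTICE([$note=Incomplete_Request_Headers,
            $msg=fmt("request headers from %s still incomplete after %s",
                     c$id$orig_h, header_timeout),
            $conn=c,
            # One notice per source per suppression interval, not per request.
            $identifier=cat(c$id$orig_h)]);
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( c$id$orig_h in allowed_slow_hosts )
        return;

    pending[c$uid] = network_time();
    schedule header_timeout { check_headers(c, c$uid) };
    }

event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    # The blank line arrived: the client finished its headers.
    if ( is_orig && c$uid in pending )
        delete pending[c$uid];
    }

event connection_state_remove(c: connection)
    {
    # Connection closed before the timer fired; nothing left to check.
    delete pending[c$uid];
    }
```

Tune header_timeout against your own clients' header completion times before acting on the notices; the whitelist is populated with "redef SlowHeaders::allowed_slow_hosts += { ... };" from a site script.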