zeek January 2012

zeek@lists.zeek.org

23 participants
29 discussions

by Kroeger, Thomas M

It may be just me but I'm getting a connection refused at www.bro-ids.org. Are others seeing this? Its Sunday, maybe there is some schedule maintenance? Tom MK ----- Tom M. Kroeger Systems & Security Research Sandia National Labs

10 years, 4 months

Re: [Bro] Hui Lin_NOTICE function redefinition error

by Hui Lin (Hugo)

Yes. My bad. I still have some 1.5 scripts left there. I delete them and it is working fine now. On Fri, Jan 13, 2012 at 11:23 PM, Seth Hall <seth(a)icir.org> wrote: > > On Jan 13, 2012, at 11:34 PM, Hui Lin (Hugo) wrote: > > > redef enum Notice += { > > CriState, # notice for my semantic signature matching; > critical state > > }; > > Are you working with something close to 2.0? In 2.0 that enum is named > Notice::Type. Where you call the NOTICE function looks ok. > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > > -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

Re: [Bro] Hui Lin_NOTICE function redefinition error

by Hui Lin (Hugo)

Well this is what my codes look like. I just call NOTICE function within one of my event handler. @load notice @load /home/hugo/experiment/dnp3/policy/dnp3headers_sl.bro redef enum Notice += { CriState, # notice for my semantic signature matching; critical state }; ...... event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count) { ..... NOTICE([$note=CriState, $msg="Test CriState is recoreded", $conn=c]); ..... } On Fri, Jan 13, 2012 at 10:27 PM, Seth Hall <seth(a)icir.org> wrote: > > On Jan 13, 2012, at 11:18 PM, Hui Lin (Hugo) wrote: > > > When I load notice and use NOTICE function in my script, there is a > error message > > > > error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, > line 569: already defined (NOTICE) > > You're going to need to show a snippet of code that causes this error. :) > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > > -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

Re: [Bro] Hui Lin_NOTICE function redefinition error

by Hui Lin (Hugo)

Being stupid again. It is again the version mix up of the policy files. Discussed this with Robin before. I delete many old script and now it seems to be fine now. Best, Hui On Fri, Jan 13, 2012 at 10:34 PM, Lin, Hui <hlin33(a)illinois.edu> wrote: > Well this is what my codes look like. I just call NOTICE function within > one of my event handler. > > @load notice > @load /home/hugo/experiment/dnp3/policy/dnp3headers_sl.bro > > redef enum Notice += { > CriState, # notice for my semantic signature matching; critical > state > }; > > ...... > > event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: > count, on_time: count, off_time: count, status_code: count) > { > ..... > NOTICE([$note=CriState, > $msg="Test CriState is recoreded", > $conn=c]); > ..... > } > > On Fri, Jan 13, 2012 at 10:27 PM, Seth Hall <seth(a)icir.org> wrote: > >> >> On Jan 13, 2012, at 11:18 PM, Hui Lin (Hugo) wrote: >> >> > When I load notice and use NOTICE function in my script, there is a >> error message >> > >> > error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, >> line 569: already defined (NOTICE) >> >> You're going to need to show a snippet of code that causes this error. :) >> >> .Seth >> >> -- >> Seth Hall >> International Computer Science Institute >> (Bro) because everyone has a network >> http://www.bro-ids.org/ >> >> > > > -- > Hui Lin > Research Assistant > DEPEND Research Group, ECE Department > University of Illinois at Urbana-Champaign > hlin33(a)illinois.edu > -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

[Bro] Hui Lin_NOTICE function redefinition error

by Hui Lin (Hugo)

Hi, When I load notice and use NOTICE function in my script, there is a error message error in /usr/local/bro/share/bro/base/frameworks/notice/./main.bro, line 569: already defined (NOTICE) According to the error message, I found that two NOTICE functions are defined in this /notice/main.bro and also in notice.bro. So what is the correct way to use NOTICE function? Best, Hui -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

Re: [Bro] is that possible to use a global variable defined in other policy script?

by Hui Lin (Hugo)

Thanks. At first, I am thinking about using in this way. However, then I found that Seth's way is probably more convenient in Bro. I think I am starting to get the concept of "redef" and "load" now. Best, Hui On Fri, Jan 13, 2012 at 9:27 PM, Aashish SHARMA <init.conf(a)gmail.com> wrote: > > On Jan 13, 2012, at 6:23 PM, Seth Hall wrote: > > > > > On Jan 13, 2012, at 5:42 PM, Hui Lin (Hugo) wrote: > > > >> I am wondering whether it is possible to use a global variable that is > defined in other policy script? > > > > That's basically the definition of a global. It's just a runtime > modifiable variable that can exist outside of a particular scope. You just > need to make sure that the script that defines the variable is loaded prior > to the script that uses it. Bro's parser will tell you if the variable > isn't available yet which would mean you probably loaded the scripts in the > wrong order. > > > >> I found that in some scripts, "export" are used. Does this achieve > similar function? > > > > The export keyword is only to making variables and types available > outside of a module's namespace. If variables are defined within a module > but not in the export section then you will only have access to those from > code within that module. > > > > If you want to access table drop_info from drop.bro into http.bro you can > say: > > DROP::drop_info += { ….. > > > basically create a "module" > > example hui.bro: > > Module hui > > export { > > global a_var; > }; > > > file: a.bro > > hui::a_var = abc > > > > Hope this helps. > Aashish > > > -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

[Bro] is that possible to use a global variable defined in other policy script?

by Hui Lin (Hugo)

Hi, I am wondering whether it is possible to use a global variable that is defined in other policy script? In other words, do Bro script have a equivalence of "extern" in C? I found that in some scripts, "export" are used. Does this achieve similar function? Best, Hui -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33(a)illinois.edu

10 years, 4 months

[Bro] Fwd: Bro's snap length

by Will

Just wondering what the final decision was for snaplen in 2.0? I did notice that broargs looks to have been deprecated. -will ---------- Forwarded message ---------- From: "Robin Sommer" <robin(a)icir.org> Date: Nov 18, 2011 2:08 PM Subject: Re: [Bro-Dev] Bro's snap length To: "Seth Hall" <seth(a)icir.org> Cc: "bro-dev(a)bro-ids.org Dev" <bro-dev(a)bro-ids.org> On Fri, Nov 18, 2011 at 14:34 -0500, you wrote: > We're going to need to change Bro's default snap length before the 2.0 > final release or at least do something. I think we should add a script-level option snaplen and set it to a much smaller default, like 8K or 4K. Plus a FAQ entry, linked from the Quickstart guide, explaining what's going on and what to do. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org _______________________________________________ bro-dev mailing list bro-dev(a)bro-ids.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

10 years, 4 months

[Bro] Bro 2.0 is out!

by Robin Sommer

We're excited to announce that Bro 2.0 Final is now available at http://www.bro-ids.org/download/index.html. See http://blog.bro-ids.org/2012/01/its-bro-version-20-released.html for a bit more background. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

10 years, 4 months

[Bro] Slow-motion DoS attack

by Will

Hi All, I was wondering if anyone has set anything up in Bro to monitor their web servers for this style of attack. They recommend or caution against the use of IPS' for blocking this attack as the false positive rate can be fairly high for users with on a slow connection. Being that Bro can monitor and maintain the state of a connection for a long time, I imagine it would be perfect for this. Looking for lengthy connections with abnormally small header request sizes sounds like it might be the best way to detect these. Of course, there are likely outliers, but I imagine legitimate use could be identified and whitelisted fairly easily. http://arstechnica.com/business/news/2012/01/new-slow-motion-dos-attack-jus… https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow… https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-a… Thanks in advance for any feedback! -Will

10 years, 4 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2012