(sry for the top posting)
I'd be interested in trying out the script as well.
Sent from my iPwn
On Jan 8, 2012, at 1:00 PM, bro-request(a)bro-ids.org wrote:
> On Jan 7, 2012, at 5:00 PM, Will wrote:
>> I was wondering if anyone has set anything up in Bro to monitor their web servers for this style of attack.
> I have a script. :)
> I've been working on this for a little while already, but I'm still expanding it to work against some of the newer attacks like the one that takes advantage of TCP window sizes to execute a slow read attack. The script still kind of sucks and has false positives in a few cases (and I'm sure false negatives as well), but I'm slowly working on getting those ironed out.
> If you'd like a copy of my script to try, let me know and I can get it over to you.
A little OT but maybe someone can prod me in the right direction.
I am trying to build bro on FreeBSD 8.1. I get the following error:
Found swig version:
Found python version: 2.6
CMake Error at aux/broctl/aux/pysubnettree/CMakeLists.txt:26 (message):
Swig versions less that 1.3.30 are incompatible with Python versions
greater than or equal to 2.5, upgrading your swig installation is
Easy enough. I grabbed the latest version of swig (2.0.4) but I can't
seem to get around a pcre include error. I found a few threads online
but I am having no success.
This is the config error:
Swig/misc.c:1119:18: error: pcre.h: No such file or directory
which is sitting in /usr/local/include
so I tried:
~# ./configure --with-pcre-prefix=/usr/local/include
to no avail.
There is a .sh in the tools dir for swig that is supposed to do a
static link. So I grabbed the most recent pcre tarball and tried this.
It goes through the motions yet when I run configure again I get the
I am probably missing something obvious here. Help!
The Information Security Centre of Excellence (ISCX) 2012 intrusion
detection evaluation dataset consists of labeled network traces, including full
packet payloads, which along with the relevant profiles are publicly
available to researchers by applying at http://iscx.ca/dataset-request-form.
A full description of the evaluation dataset can also be found at
Network Security Researcher
University of New Brunswick
I'm trying to build a copy of Bro 2.0 beta on an OpenBSD 5.0 box.
According to the documentation, the requirements are as follows:
A number of these are installed by default, and I've added the
packages containing the others:
GeoIP-1.4.7 find the country where IP address/hostname originates from
bison-2.3 GNU parser generator
cmake-2.8.4p3 portable build system
flex-2.5.35 fast lexical analyzer generator
libbind-9.4.2 BIND 8 compatible stub resolver library
libmagic-5.00 library to determine file type
$ ls -l /usr/lib/*pcap*
-r--r--r-- 1 root bin 351100 Aug 17 08:52 /usr/lib/libpcap.a
-r--r--r-- 1 root bin 274937 Aug 17 08:52 /usr/lib/libpcap.so.6.0
-r--r--r-- 1 root bin 356228 Aug 17 08:52 /usr/lib/libpcap_p.a
-r--r--r-- 1 root bin 363806 Aug 17 08:52 /usr/lib/libpcap_pic.a
$ ls -l /usr/lib/*ssl*
-r--r--r-- 1 root bin 2338032 Aug 17 08:52 /usr/lib/libssl.a
-r--r--r-- 1 root bin 1488178 Aug 17 08:52 /usr/lib/libssl.so.16.0
-r--r--r-- 1 root bin 2349534 Aug 17 08:52 /usr/lib/libssl_p.a
-r--r--r-- 1 root bin 2380520 Aug 17 08:52 /usr/lib/libssl_pic.a
$ ls -l /usr/lib/*z*
-r--r--r-- 1 root bin 195380 Aug 17 08:52 /usr/lib/libz.a
-r--r--r-- 1 root bin 163273 Aug 17 08:52 /usr/lib/libz.so.4.1
-r--r--r-- 1 root bin 199148 Aug 17 08:52 /usr/lib/libz_p.a
-r--r--r-- 1 root bin 202254 Aug 17 08:52 /usr/lib/libz_pic.a
Now configure seems to be happy with everything except BIND:
Build Directory : build
Source Directory: /home/larry/projects/bro
-- The C compiler identification is GNU
-- The CXX compiler identification is GNU
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Found sed: /usr/bin/sed
-- Found Perl: /usr/bin/perl
-- Found FLEX: /usr/bin/flex version 2.5.4
-- Found BISON: /usr/local/bin/bison
-- Found PCAP: /usr/lib/libpcap.so.6.0
-- Performing Test PCAP_LINKS_SOLO
-- Performing Test PCAP_LINKS_SOLO - Success
-- Looking for pcap_get_pfring_id
-- Looking for pcap_get_pfring_id - not found
-- Found OpenSSL: /usr/lib/libssl.so.16.0;/usr/lib/libcrypto.so.19.0
-- Performing Test ns_initparse_works_none
-- Performing Test ns_initparse_works_none - Failed
-- Performing Test res_mkquery_works_none
-- Performing Test res_mkquery_works_none - Success
-- Performing Test ns_initparse_works_resolv
-- Performing Test ns_initparse_works_resolv - Failed
-- Performing Test res_mkquery_works_resolv
-- Performing Test res_mkquery_works_resolv - Success
-- Performing Test ns_initparse_works_bind
-- Performing Test ns_initparse_works_bind - Failed
-- Performing Test res_mkquery_works_bind
-- Performing Test res_mkquery_works_bind - Success
-- Could NOT find BIND (missing: BIND_LIBRARY)
-- Found LibMagic: /usr/local/lib/libmagic.so.2.0
-- Found ZLIB: /usr/include (found version "1.2.3")
CMake Error at aux/binpac/CMakeLists.txt:17 (message):
Could not find prerequisite package 'BIND'
CMake Error at aux/binpac/CMakeLists.txt:19 (message):
Configuration aborted due to missing prerequisites
-- Configuring incomplete, errors occurred!
I see that a BIND8 compatibility library is installed:
$ ls -l /usr/local/lib/*bind*
-rw-r--r-- 1 root bin 426340 Aug 16 14:04 /usr/local/lib/libbind.a
-rw-r--r-- 1 root bin 715 Aug 16 14:04 /usr/local/lib/libbind.la
-rw-r--r-- 1 root bin 324683 Aug 16 14:04 /usr/local/lib/libbind.so.2.0
The two questions that come to mind are: Do I need a _real_ BIND8
installation (not included in OpenBSD) or will the provided
libbind-9.4.2 package work?
If so, what does BIND_LIBRARY need to be configured to point at?
Larry Gadallah, VE6VQ/W7 lgadallah AT gmail DOT com
PGP Sig: B5F9 C4A8 8517 82AC 16B6 02B6 0645 69F0 1F29 A512
During a fresh install of Bro I had the following issues and was curious to know if others have seen similar.
Bro compiled and ran just fine. But the cron job that called "broctl cron" would never complete and just kept creating new processes. The result was that when I wasn't looking it eventually crashed the box with too many processes.
After a morning of using Bro's debug output, I was able to trace it down to a confluence of a few issues:
1- FreeBSD doesn't have bash in the path on a default install
2- The python subprocess.poll() function would always return None and failed to indicate the subprocess had died.
The result of these two items was that when broctl called the helper function check-pid it would fail with "env: bash: No such file or directory", but because python's poll() was only returning None, the helper code would block on the readline() and leave the "broctl cron" process hung. I'm running FreeBSD 8.0 and python 2.7.2.
Also, is there a way to search the mailing list? I tried to search to see if this issue had been seen by others but I wasn't able to search the mailing list.
In any case, many thanks for the tool and any help working with it.
Tom M. Kroeger
Systems & Security Research
Sandia National Labs
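A defensive version of the helper-launching pattern this report describes, added here as an example and not taken from broctl or Bro: it checks that the interpreter named after env(1) is actually on PATH before launching, and uses communicate() with a timeout instead of a poll()/readline() loop, so a child that dies at exec time (env's exit status 127) is reported instead of leaving the caller hung. The function name, timeout value and sample commands are constructed for illustration.

```python
# Added example (not broctl's own code): run a helper command without
# hanging when its interpreter is missing.  The scenario is the one
# reported above: the helper is launched through "env bash", bash is not
# on PATH, and a poll()/readline() loop blocks instead of reporting it.
import shutil
import subprocess

MISSING_INTERPRETER = 127  # exit status env(1) returns when exec fails


def run_helper(argv, timeout=30.0):
    """Run argv and return (returncode, stdout_lines, error).

    returncode is None only when the child had to be killed on timeout.
    error is None on success, otherwise a short description.
    """
    # Preflight: when argv starts with env(1), the real interpreter is
    # argv[1]; refuse to launch if it is not on PATH instead of letting
    # the child die and then blocking on its output.
    prog = argv[1] if argv[0] == "env" and len(argv) > 1 else argv[0]
    if shutil.which(prog) is None:
        return MISSING_INTERPRETER, [], "%s: not found in PATH" % prog

    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, text=True)
    try:
        # communicate() reads both pipes to EOF and reaps the child, so a
        # child that exits early can never leave us stuck in readline().
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()  # collect the exit status after the kill
        return None, [], "timed out after %.1fs" % timeout

    lines = out.splitlines()
    if proc.returncode == 0:
        return 0, lines, None
    if proc.returncode == MISSING_INTERPRETER:
        return proc.returncode, lines, err.strip() or "interpreter missing"
    return proc.returncode, lines, err.strip() or "exit status %d" % proc.returncode


if __name__ == "__main__":
    # Constructed demo: a helper whose interpreter does not exist.
    print(run_helper(["env", "no-such-shell-xyz", "-c", "echo hi"]))
    # A helper that runs, prints one line and exits non-zero.
    print(run_helper(["sh", "-c", "echo alive; exit 3"]))
```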
I am Rishikesh Sahay. I am working on intrusion detection systems. I
would like to extract the 41 features based on the DARPA 1999 data set, like
the KDD Cup 1999 data set. I would like to know whether it is possible to extract
the 41 features from the tcpdump file using Bro IDS 1.5.3. Please help me
in this regard. I will be highly obliged to you for this.
Indian Institute of Technology Patna
After Seth explained the difference between the Event Engine in Bro and
the pre-processor in Snort, I am still quite confused about the Event Engine.
I think the Event Engine is like the decode layer: the user can write their
own program to indicate which protocol the incoming packet has used
and which handler we should use, then pass it to the Policy Script Interpreter
layer; this layer will check the payload part, using signature
matching to check whether the incoming packet has unknown behaviour or
So can I think that the Event Engine is used to indicate which event handler will be
used, and the policy script layer will choose the particular script from
the particular handler??
Thanks for your help.
I am using Bro in my research work. My problem is that I am trying to
write a Bro script that fires alarms based on TCP packet delays. I
didn't find any Bro event that could be handled at every received
packet. I tried the tcp_packet and new_packet events, but it seems that
they are not fired at every received packet. I even tried to write a
signature that could be hit at every TCP packet, but I found that
unfortunately TCP signatures can be hit only once, on receipt
of the first TCP packet.
Please help, I am really tired...
Happy New Year, all!
I have a situation where Bro misidentifies the source and destination
of some connections - this occurs during packet loss situations, where
the SYN and SYN/ACK packets are not seen by Bro. Is there a way to
hook into the heuristic for establishing the source/destination of the
connection, so that we can employ local site knowledge of the
connection in order to accurately characterize the connection
(hopefully at the scripting level)? Can I hook into the
connection_established event, and switch source/destination in the
connection record, or are bad things likely to happen as a
Thanks in advance,