Hi all,
I have installed bro-ids components on a CentOS 6.3 host. All works
as expected but from time to time I am receiving alerts like this:
nice: which:: No such file or directory
--
[Automatically generated.]
What does it mean?
Check broctl-config.sh. I ran into this error when I didn't have the
"time" command at the time of bro install. I had done a CentOS minimal
install, and /usr/bin/time was not installed.
Once I installed the time*.rpm, and edited broctl-config.sh to provide
the correct path to the executable, all was well. Example:
time="nice: which:: No such file or directory"
I'd look for that text in the broctl-config.sh file.
#-----------------------------------------------
Chuck Little
Information Security Professional
GPG key: F14EAD4C
GPG fprint: AE4D 367F C946 919B CB8C
5BD0 490D 8B9F F14E AD4C
e: mdmonk(a)gmail.com
#-----------------------------------------------
On 10/31/12 1:00 PM, bro-request(a)bro-ids.org wrote:
<SNIP>
> Message: 4
> Date: Wed, 31 Oct 2012 14:28:43 -0400
> From: Seth Hall <seth(a)icir.org>
> Subject: Re: [Bro] What does it means this alert
>
>
> On Oct 31, 2012, at 2:11 PM, C. L. Martinez <carlopmart(a)gmail.com> wrote:
>
>> Yes, it is under /usr/bin.
>
> I think the problem is the nice command. Is that in your path?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
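A small check in the spirit of Chuck's fix above, written for this thread (it is not part of broctl): it reads key="value" lines of the kind found in broctl-config.sh and reports every tool variable whose value is not the path of an existing executable, which is exactly what happens when `which` fails at install time and its error text gets stored instead of a path. The sample lines and the missing-path values are constructed.

```shell
# Added example, not code from the thread or from broctl: checks the tool
# paths that broctl-config.sh captured from `which` at install time. If a
# tool (here "time") was absent during install, the variable holds the
# error text of `which` instead of a path, which later surfaces as the
# "nice: which:: No such file or directory" alert seen in the thread.

# Constructed sample of the tool-path lines of a broctl-config.sh; in the
# real file these lines sit among other settings, so feed only the tool
# lines (e.g. via grep) to check_tool_paths.
SAMPLE_CONFIG='sh="/bin/sh"
time="nice: which:: No such file or directory"
nice="/definitely/missing/nice"'

# Reads key="value" lines on stdin and prints the key of every line whose
# value is not the absolute path of an existing executable.
check_tool_paths() {
    while IFS= read -r line; do
        case "$line" in
            ?*=\"*\") ;;           # only key="value" lines
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=\"}
        val=${val%\"}
        case "$val" in
            /*) [ -x "$val" ] || printf '%s\n' "$key" ;;
            *)  printf '%s\n' "$key" ;;   # e.g. the stored `which` error text
        esac
    done
}

# Stand-alone run: lists the variables that need fixing in broctl-config.sh.
printf '%s\n' "$SAMPLE_CONFIG" | check_tool_paths
```

Each reported variable should be set to the real path of the tool (after installing it, if needed), as Chuck did for `time`.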
Good day all!
I am having fits trying to get Sendmail to get BRO alerts to my inbox of my
gmail account. They all dump into my spam folder. The Bro instance is at
my home location on my internal network. Do I need to do anything special
in the /etc/host or the /etc/resolv.conf to make this all work?
Thanks for any help!
Tom
--
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion
"Life is too short to spend time with people who suck the happy out of you."
Hello,
I am trying to add BRO the ability to ignore traffic from certain IP ranges
dynamically.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a BRO script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IP's.
Question:
1. Is it possible to query a DB from BRO scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IP's as soon as
possible).
Thank You
Dave
We received a question off-list recently about extracting files and I wanted to put this script out there for more people than the one person I wrote it for. It's for extracting files from HTTP transfers by host address. I think it's a good example of how many of the base scripts were written to be extended.
I'll include a little example of how to use it here:
@load http-extract-files-from-addrs
redef HTTP::extract_files_from += { 1.2.3.4 };
Have fun!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
One of my sites is monitoring a link that has all PPPoE traffic on it. The Bro Sensor was not logging the traffic due to it being PPPoE. The bro version was 2.1 stable.
I found this (thank you Seth for writing this):
https://github.com/bro-ids/bro/commit/908b1a17d1b08a8473695316e56eb98f7b005…
and added it to the PktSrc.cc of the Bro2.1 Stable release source. Then recompiled and now my sensor seems to be logging the traffic properly.
This is probably not the best way to do things.
My question is: Will PPPoE support be in 2.2?
Will
Occasionally one of my workers will die with an error message of:
fatal error in /usr/local/share/bro/site/httpanalysis.bro, line 130:
Val::CONST_ACCESSOR (bool/string) (T)
I have no idea what this means or even where to start debugging it.
The line in question from the .bro file (if the 130 refers to the
line of httpanalysis.bro) looks like:
129 if ( hlist[i]$name == "ACCEPT-ENCODING" )
130 acceptencoding = T;
where acceptencoding is defined as:
local acceptencoding: bool = F;
Any thoughts/assistance would be appreciated.
Thanks!
-=Mike
--
cat ~/.bash_history > documentation.txt
Dear all,
Recently, we analyzed the content types of the HTTP responses
in some traces. We found that some content types are not accurately recorded
in the http.log. The attached PCAP file is an example. In the file, the
content type of the second response is "application/x-javascript," but
Bro (ver. 2.1) simply records "text/plain" for the response in the http.log.
Please suggest how we can make Bro record the accurate content type in
the log. Many thanks.
Po-Ching
I don't see any obvious errors in that snippet, but I can't really help unless I see the entire script. Usually, that error refers to a type mismatch.
--Vlad
On Oct 19, 2012, at 4:41 PM, Mike Sconzo <sconzo(a)visiblerisk.com>
wrote:
> Occasionally one of my workers will die with an error message of:
> fatal error in /usr/local/share/bro/site/httpanalysis.bro, line 130:
> Val::CONST_ACCESSOR (bool/string) (T)
>
> I have no idea what this means or even where to start debugging it.
>
> The line in question from the .bro file (if the 130 refers to the
> line of httpanalysis.bro) looks like:
> 129 if ( hlist[i]$name == "ACCEPT-ENCODING" )
> 130 acceptencoding = T;
>
>
> where acceptencoding is defined as:
> local acceptencoding: bool = F;
>
> Any thoughts/assistance would be appreciated.
> Thanks!
> -=Mike
>
> --
> cat ~/.bash_history > documentation.txt
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro