zeek November 2012

zeek@lists.zeek.org

12 participants
9 discussions

by Jim Mellander

I wanted to share my experiences with bro and various malloc implementations. These are all running various versions of bro on SL 6.2 - a recompile of RedHat Enterprise Linux from Fermi Lab - https://www.scientificlinux.org/ 1. We are running a legacy Bro 1.5 installation currently supporting our old Instrumented SSHd infrastructure - http://code.google.com/p/auditing-sshd/ - we found that the standard malloc uses more memory than either of tcmalloc or jemalloc. I build bro with --enable-perftools to test tcmalloc, with a smaller memory footprint. To use jemalloc I just set LIBS=-ljemalloc - at this point we are using jemalloc, as it seems even a bit more memory thrifty than tcmalloc 2. As part of the Instrumented SSHd infrastructure, we also have a perl script (ssllogmux) that runs a select loop accepting connections from all the Instrumented SSHd clients - typically several thousand at once. This is also in the Instrumented SSHd distribution. Perl is compiled to not use its own malloc, but to use the system. However, using the system malloc, this program would freeze after a day or so of operation. By using LD_PRELOAD, we forced it to use alternate malloc libraries - under both tcmalloc and jemalloc, it runs reliably. 3. On another system, we ran Bro 2.0 (now running 2.1), and bro was (un)reliably freezing after a day or two - running but capturing no data when compiled with --enable-perftools - when compiled with --disable-perftools, it has been rock solid. I don't know enough yet about Cmake to have it use another malloc implementation easily - hopefully someone else knows how to do that - I want to test jemalloc So thats our current state of play - I would be interested in other folks experience.

8 years, 7 months

[Bro] Crash on SMB Analyzer - Tree Connect AndX

by Mike Kolkebeck

Bro (2.1) crashes when I attempt to store the path of event smb_com_tree_connect_andx, which is documented as a string variable, to the Info record's smb_share, which I declared as a string variable. The stderr.log included below seems to indicate that the SMB Analyzer is interpreting the path string as a record, not sure which kind. I've attempted to escape the string, but this doesn't seem to work. Is this a known bug? Does anyone know of another event that would be better suited for identifying the share name, or is there any other easy workaround for this event? Thanks! Mike Below is a sample of the stderr.log output: --------- 1354158536.204142 fatal error in <no location>: Val::CONVERTER (record/string) ([flags=8, password=P , path=\\myhostname\IPC$, service=?????]) Below is the code snippet: ---------- event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string) &priority=5 { set_session(c,hdr); local path_name = escape_string(path); c$smb$smb_share = path_name; }

8 years, 7 months

[Bro] Bro and unusual http ports

by Castle, Shane

I have a device inside that communicates using a weird http port (3000/tcp). I have verified that it is not malicious but it annoys me, and I'd like to be able to track what it does using Bro. Unfortunately, Bro is not recognizing its traffic as http. I've tried adding the port to likely_server_ports but to no avail. The port definitions in the base http scripts are not redef-able, and I seem to have hit my limit in tweaking Bro to make it decode this traffic. What am I missing? BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1. -- Shane Castle Data Security Mgr, Boulder County IT

8 years, 8 months

[Bro] SSH Login Notices - Filter out internal to internal connections

by Mike Kolkebeck

SSH::Login Notices for internal to internal connections can get fairly noisy. What is the most efficient way to filter out these notices for internal to internal without filtering for external connections? I was thinking of ignoring the SSH::Login notices altogether, but then I believe I need to add a new Notice Type and fire a new notice on event SSH::heuristic_successful_login. See example code below. Is there a more efficient way of doing this? I know editing the base ssh bro script is a big no-no. Thanks! Mike redef enum Notice::Type += { Login_Success }; # This is our list of internal addresses to exclude global ssh_ignore: set[subnet] = { 192.168.1.0/24, # internal 1 10.0.0.0/8, # internal 2 }; # Ignore SSH::Login Notice Type redef Notice::ignored_types += { SSH::Login }; # Add new Notice Type to successful login event SSH::heuristic_successful_login(c: connection) &priority=0 { if ( c$id$resp_h !in ssh_ignore ) { NOTICE([$note=Login_Success, $msg="Heuristically detected successful SSH login.", $conn=c]); } }

8 years, 8 months

[Bro] Hui Lin_Input framework to load data from files in remote machines

by Hui Lin (Hugo)

Hi, >From the documentation, input framework can input data from the formatted text file which is located in the same machine with the bro instance. I am wondering whether now we can directly use input framework to input data that is located in remote machines. Best, Hui Lin -- Hui Lin PhD Candidate, Research Assistant Electrical and Computer Engineering Department University of Illinois at Urbana-Champaign

8 years, 8 months

[Bro] Question about hourly reports sended by Bro-IDS

by C. L. Martinez

Hi all, Is it possible to change the hourly reports by daily reports? Thanks.

8 years, 8 months

[Bro] Graylog2

by Mike Sconzo

If anybody is using or looking at using Graylog2 for logging I've got some of the bro message types parsed out and would be happy to share. It's not directly related to Bro, but it could save somebody some time. -=Mike -- cat ~/.bash_history > documentation.txt

8 years, 8 months

[Bro] How can i find some fields?

by G-Mail

first of all, please understand my poor English. Because I'm not live in English-speaking country. I'm interested in Bro and Bro scripts nowadays. It's very flexible. But, I don't know how to create a module's fields. For example, DNS module in bro has some fields of "Info". ===================== base/protocols/dns/main.bro module DNS; export { ## The DNS logging stream identifier. redef enum Log::ID += { LOG }; ## The record type which contains the column fields of the DNS log. type Info: record { ## The earliest time at which a DNS protocol message over the ## associated connection is observed. ts: time &log; ## A unique identifier of the connection over which DNS messages ## are being transferred. uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. id: conn_id &log; ## The transport layer protocol of the connection. proto: transport_proto &log; ………..last part omitted………… ===================== I have tried 'SMB' module. But I didn't know where i can get fields. here is my question. 1. Can I get protocol fields? (such as DNS, HTTP, SSL module's Info fields) 2. Where I should to find the fields? (source code?) 3. If it is not possible, how can some people write a bro script? like these https://gist.github.com/maxfeldman14/brospects/tree/4f9aee880234bd27d9fcab8… https://github.com/sheharbano/scan/blob/master/scan.bro

8 years, 8 months

[Bro] What does it means this alert?

by C. L. Martinez

Hi all, I have installed bro-ids components on a CentOS 6.3 host. All works as expected but from time to time I am receiving alerts like this: nice: which:: No such file or directory -- [Automatically generated.] What does it means??

8 years, 8 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek November 2012