I wanted to share my experiences with bro and various malloc
implementations. These are all running various versions of bro on SL 6.2 -
a recompile of RedHat Enterprise Linux from Fermi Lab -
https://www.scientificlinux.org/
1. We are running a legacy Bro 1.5 installation currently supporting our
old Instrumented SSHd infrastructure -
http://code.google.com/p/auditing-sshd/ - we found that the standard malloc
uses more memory than either of tcmalloc or jemalloc. I build bro with
--enable-perftools to test tcmalloc, with a smaller memory footprint. To
use jemalloc I just set LIBS=-ljemalloc - at this point we are using
jemalloc, as it seems even a bit more memory thrifty than tcmalloc.
2. As part of the Instrumented SSHd infrastructure, we also have a perl
script (ssllogmux) that runs a select loop accepting connections from all
the Instrumented SSHd clients - typically several thousand at once. This
is also in the Instrumented SSHd distribution. Perl is compiled to not use
its own malloc, but to use the system. However, using the system malloc,
this program would freeze after a day or so of operation. By using
LD_PRELOAD, we forced it to use alternate malloc libraries - under both
tcmalloc and jemalloc, it runs reliably.
3. On another system, we ran Bro 2.0 (now running 2.1), and bro was
(un)reliably freezing after a day or two - running but capturing no data
when compiled with --enable-perftools - when compiled with
--disable-perftools, it has been rock solid. I don't know enough yet about
CMake to have it use another malloc implementation easily - hopefully
someone else knows how to do that - I want to test jemalloc.
So that's our current state of play - I would be interested in other folks'
experience.
Bro (2.1) crashes when I attempt to store the path of event
smb_com_tree_connect_andx, which is documented as a string variable, to the
Info record's smb_share, which I declared as a string variable. The
stderr.log included below seems to indicate that the SMB Analyzer is
interpreting the path string as a record, not sure which kind. I've
attempted to escape the string, but this doesn't seem to work.
Is this a known bug? Does anyone know of another event that would be
better suited for identifying the share name, or is there any other easy
workaround for this event?
Thanks!
Mike
Below is a sample of the stderr.log output:
---------
1354158536.204142 fatal error in <no location>: Val::CONVERTER
(record/string) ([flags=8, password=P , path=\\myhostname\IPC$,
service=?????])
Below is the code snippet:
----------
event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string,
                                service: string) &priority=5
    {
    set_session(c, hdr);
    local path_name = escape_string(path);
    c$smb$smb_share = path_name;
    }
I have a device inside that communicates using a weird http port (3000/tcp). I have verified that it is not malicious but it annoys me, and I'd like to be able to track what it does using Bro. Unfortunately, Bro is not recognizing its traffic as http. I've tried adding the port to likely_server_ports but to no avail. The port definitions in the base http scripts are not redef-able, and I seem to have hit my limit in tweaking Bro to make it decode this traffic.
What am I missing?
BTW this is Bro 2.0 (yes I know, consider me chastised) but the scripts seem to be the same in 2.1.
--
Shane Castle
Data Security Mgr, Boulder County IT
SSH::Login Notices for internal to internal connections can get fairly
noisy.
What is the most efficient way to filter out these notices for internal to
internal without filtering for external connections?
I was thinking of ignoring the SSH::Login notices altogether, but then I
believe I need to add a new Notice Type and fire a new notice on event
SSH::heuristic_successful_login. See example code below.
Is there a more efficient way of doing this? I know editing the base ssh
bro script is a big no-no.
Thanks!
Mike
redef enum Notice::Type += {
    Login_Success
};

# This is our list of internal addresses to exclude
global ssh_ignore: set[subnet] = {
    192.168.1.0/24, # internal 1
    10.0.0.0/8,     # internal 2
};

# Ignore SSH::Login Notice Type
redef Notice::ignored_types += { SSH::Login };

# Add new Notice Type to successful login
event SSH::heuristic_successful_login(c: connection) &priority=0
    {
    if ( c$id$resp_h !in ssh_ignore )
        {
        NOTICE([$note=Login_Success,
                $msg="Heuristically detected successful SSH login.",
                $conn=c]);
        }
    }
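One way to drop only the internal-to-internal SSH::Login notices while still logging the rest, as an added example that is not code from the post above. It assumes Bro 2.1's hook-based Notice::policy, that Notice::ACTION_LOG is the default action that gets a notice written to notice.log, and uses a constructed internal_nets set (Site::local_nets could be used instead).

```bro
# Added example, not from the original post. Assumes Bro 2.1's hook-based
# Notice::policy and that Notice::ACTION_LOG is the default action that
# causes a notice to be written to notice.log.
module SSHNoticeFilter;

export {
    ## Internal address space (constructed sample values; Site::local_nets
    ## could be used instead). A connection counts as internal-to-internal
    ## only when BOTH endpoints fall inside one of these subnets.
    const internal_nets: set[subnet] = {
        192.168.1.0/24,
        10.0.0.0/8,
    } &redef;
}

# The policy hook sees every notice before its actions are carried out.
# SSH::Login is raised with $conn=c, so the framework has filled in n$id.
hook Notice::policy(n: Notice::Info)
    {
    # Remove the log action only when client AND server are internal;
    # external-to-internal and internal-to-external logins still get logged,
    # and every other notice type keeps its actions untouched.
    if ( n$note == SSH::Login && n?$id &&
         n$id$orig_h in internal_nets && n$id$resp_h in internal_nets )
        delete n$actions[Notice::ACTION_LOG];
    }
```

Because this filters at the notice layer, the base ssh script stays unmodified and no second Notice::Type is needed.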
Hi,
From the documentation, the input framework can input data from a formatted
text file which is located on the same machine as the bro instance.
I am wondering whether we can now directly use the input framework to input
data that is located on remote machines.
Best,
Hui Lin
--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
If anybody is using or looking at using Graylog2 for logging I've got some
of the bro message types parsed out and would be happy to share. It's not
directly related to Bro, but it could save somebody some time.
-=Mike
--
cat ~/.bash_history > documentation.txt
First of all, please understand my poor English, because I don't live in an English-speaking country.
I'm interested in Bro and Bro scripts nowadays. It's very flexible.
But I don't know how to create a module's fields. For example, the DNS module in bro has some fields in "Info".
===================== base/protocols/dns/main.bro
module DNS;
export {
    ## The DNS logging stream identifier.
    redef enum Log::ID += { LOG };
    ## The record type which contains the column fields of the DNS log.
    type Info: record {
        ## The earliest time at which a DNS protocol message over the
        ## associated connection is observed.
        ts: time &log;
        ## A unique identifier of the connection over which DNS messages
        ## are being transferred.
        uid: string &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id: conn_id &log;
        ## The transport layer protocol of the connection.
        proto: transport_proto &log;
        ... last part omitted ...
=====================
I have tried the 'SMB' module, but I didn't know where I can get the fields.
Here are my questions:
1. Can I get protocol fields (such as the DNS, HTTP, SSL modules' Info fields)?
2. Where should I look for the fields (source code)?
3. If it is not possible, how do people write bro scripts like these?
https://gist.github.com/maxfeldman14/brospects/tree/4f9aee880234bd27d9fcab8…
https://github.com/sheharbano/scan/blob/master/scan.bro
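A script that consumes the DNS::Info fields shown above from an ordinary site script, as an added example that is not from the post or from the Bro distribution. It assumes Bro 2.x's DNS::log_dns event (declared in base/protocols/dns/main.bro), the DNS::Info field names query, qtype_name and answers, and a constructed watched_domains list.

```bro
# Added example, not from the original post. Assumes the DNS::log_dns event
# and the DNS::Info fields query, qtype_name and answers from
# base/protocols/dns/main.bro; the watch list is a constructed sample.
module WatchDNS;

export {
    redef enum Notice::Type += {
        ## A client resolved a name on the watch list.
        Watched_Domain_Lookup
    };

    ## Constructed sample watch list; extend it with redef from local.bro.
    const watched_domains: set[string] = {
        "bad.example",
    } &redef;
}

# True when the query equals a watched domain or is a subdomain of one
# ("www.bad.example" matches "bad.example"; "notbad.example" does not).
function is_watched(query: string): bool
    {
    local q = to_lower(query);
    for ( d in watched_domains )
        {
        if ( q == d )
            return T;
        # sub_bytes() is 1-based: the ".d" tail starts at position |q|-|d|.
        if ( |q| > |d| && sub_bytes(q, |q| - |d|, |d| + 1) == "." + d )
            return T;
        }
    return F;
    }

# DNS::log_dns fires once per DNS::Info record, right before it is written
# to dns.log, so every field from main.bro is reachable here via rec$.
event DNS::log_dns(rec: DNS::Info)
    {
    # Fields marked &optional must be tested with ?$ before use.
    if ( ! rec?$query || ! is_watched(rec$query) )
        return;

    local answers = rec?$answers ? fmt("%s", rec$answers) : "(no answer)";
    NOTICE([$note=Watched_Domain_Lookup,
            $msg=fmt("%s looked up %s (%s)", rec$id$orig_h, rec$query,
                     rec?$qtype_name ? rec$qtype_name : "?"),
            $sub=answers,
            $id=rec$id, $uid=rec$uid]);
    }
```

The same pattern works for HTTP::log_http and SSL::log_ssl, whose Info records are declared in base/protocols/http/main.bro and base/protocols/ssl/main.bro.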
Hi all,
I have installed bro-ids components on a CentOS 6.3 host. All works
as expected but from time to time I am receiving alerts like this:
nice: which:: No such file or directory
--
[Automatically generated.]
What does it mean??