I am trying to add to BRO the ability to ignore traffic from certain IP ranges.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a BRO script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IPs.
1. Is it possible to query a DB from BRO scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IPs as soon as
I recently upgraded 3 standalone Bro nodes. 2 of them are Ubuntu and one of them is CentOS 6.2.
On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log:
PacketFilter::Dropped_Packets 476 packets dropped after filtering, 52258 received, 52258 on link
PacketFilter::Dropped_Packets 4914 packets dropped after filtering, 52785 received, 52785 on link
PacketFilter::Dropped_Packets 3061 packets dropped after filtering, 35701 received, 35702 on link
PacketFilter::Dropped_Packets 3371 packets dropped after filtering, 30573 received, 30591 on link
bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
broargs = -l 9800
which does not appear to be part of the final release and did not work.
The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
Is there a way to reduce the amount of dropped packets?
Also, I can provide more data if necessary.
Thank you in advance,
Hi! I've been testing the 2.0 beta (kudos, btw). My alarm file is
getting tons of SSL::Invalid_Server_Cert from our own local certs,
doegrid certs, cern.ch, fnal.gov, presumably because the root CA cert
for those is not included with either Bro or the OS.
I see share/bro/base/protocols/ssl/mozilla-ca-list has a bundle of root
CA certs. Is there a way to add our own to that or to a separate file?
How is that file generated? Thanks.
Was wondering if anyone has some recommendations on hardware and
configuration for building BroNSM fly-away or incident response kits,
whether this be laptops with multiple NICs, external HDs, and high
horsepower, or mini-towers that can be pre-built and deployed quickly. In
addition to hardware, I am interested in OS and cluster configuration ideas
that might focus on IR vs. a "log the world" approach. Anyhow, thanks in
advance for any advice or recommendations.
> I want to extract the IP identification field from tcpdump dataset. I have
> attached the script which I have got. I am new to BRO IDS. Please tell me
> how to extract the IP identification field from tcpdump file using this
> script. Actually, I was extracting the 41 features from the tcpdump
> dataset. Thanks in advance.
> Best regards
> Rishikesh Sahay
I'm still trying to get a handle on script writing, but I have a
question on one of the events.
I've got a script that _should_ be processing the headers from http_all_headers:
for ( i in hlist )
    {
    local hdr = hlist[i];
    }
I've tried using both the NOTICE facility and creating my own log to
at least log to see if any header values are getting processed. I'm
not sure if I'm doing it wrong or if http_all_headers doesn't do what
I think it should when I think it should. I can attach the script if
necessary, but I'm curious how I can get more information or even a
basic way to verify that one of these events is even happening.
On the upside a broctl check returns ok when I have my script loaded,
but just because there aren't any errors doesn't mean I did it right.
Thanks for any input.
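A minimal handler for http_all_headers that shows whether the event fires at all and what each header entry carries, written as an added example (not the poster's script, and not part of the original thread). It assumes Bro 2.x, where hlist is a table[count] of mime_header_rec with fields name and value; the module name HdrCheck is made up for the example.

```bro
# Added example: verify that http_all_headers fires and inspect its contents.
# Run against a trace with:  bro -r trace.pcap this_script.bro
@load base/protocols/http

module HdrCheck;

export {
    # Number of http_all_headers events seen so far; printed on exit.
    global events_seen: count = 0;
}

event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    ++events_seen;
    # hlist is a table indexed by count; each entry is one header line.
    for ( i in hlist )
        {
        local hdr = hlist[i];
        # is_orig is T for request headers, F for response headers.
        print fmt("%s %s header %d: %s=%s", c$id$orig_h,
                  is_orig ? "request" : "response", i, hdr$name, hdr$value);
        }
    }

event bro_done()
    {
    # A count of zero means the event never fired (e.g. no HTTP in the trace).
    print fmt("http_all_headers fired %d times", events_seen);
    }
```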
cat ~/.bash_history > documentation.txt
I want to extract the IP identification field from the tcpdump file. I
have extracted header information from the packet in the tcpdump file using
the conn.bro script, but the IP identification field has not been extracted. Is
there any script available to extract the IP identification field? I am
using BRO IDS 1.5.3. Please help me in this regard. Thanks in advance.
I have enabled the conn.log and http.log in Bro.
I am seeing TCP events with dst_port==80 that do not generate events for http.log.
No Event in HTTP: http 2120 80 tcp 368 1414142 SF X
Event %1 in HTTP: http 59637 80 tcp 1495 1244 SF X %1
The SF flag indicates Normal Establishment and Termination. Why would Bro record one event in http.log, and not the other one?
Note that both of them are actual HTTP traffic.
No event in HTTP: http 49971 80 tcp 0 924818 SH X
I am guessing that in the last one, since there are 0 bytes from the originator, it would not generate an event for http.log.
My question is more general: on which occasions of dst_port==80 is an http.log event recorded?