Hello,
I am trying to give Bro the ability to ignore traffic from certain IP ranges
dynamically.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a Bro script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IPs.
Question:
1. Is it possible to query a DB from Bro scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IPs as soon as
possible.)
Thank You
Dave
Hi all,
I recently upgraded 3 standalone Bro nodes. 2 of them are Ubuntu and one of them is CentOS 6.2.
On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
---
PacketFilter::Dropped_Packets 476 packets dropped after filtering, 52258 received, 52258 on link
PacketFilter::Dropped_Packets 4914 packets dropped after filtering, 52785 received, 52785 on link
PacketFilter::Dropped_Packets 3061 packets dropped after filtering, 35701 received, 35702 on link
PacketFilter::Dropped_Packets 3371 packets dropped after filtering, 30573 received, 30591 on link
---
broctl netstats
bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
broargs = -l 9800
Which does not appear to be part of the final release and did not work.
The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
Is there a way to reduce the amount of dropped packets?
Also, I can provide more data if necessary.
Thank you in advance,
Will
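As an added example (not code from the post or from Bro itself), the following Python parses the two places Bro 2.0 reports drops, the PacketFilter::Dropped_Packets notice message and the per-node `broctl netstats` line, and turns the counters into a loss rate that can be checked against a threshold. The sample lines are the ones quoted in the post; the alert threshold is an assumption, not a Bro default.

```python
import re
from typing import List, NamedTuple, Optional

# Bro 2.0 reports drops in two places: the PacketFilter::Dropped_Packets
# notice (message field of notice.log) and the per-node `broctl netstats`
# line. Both carry the same three pcap counters.
NOTICE_RE = re.compile(
    r"PacketFilter::Dropped_Packets\s+(?P<dropped>\d+) packets dropped after "
    r"filtering, (?P<recvd>\d+) received, (?P<link>\d+) on link"
)
NETSTATS_RE = re.compile(
    r"^(?P<node>\S+): (?P<ts>\d+\.\d+) recvd=(?P<recvd>\d+) "
    r"dropped=(?P<dropped>\d+) link=(?P<link>\d+)$"
)


class DropStats(NamedTuple):
    source: str   # "notice" or the broctl node name
    dropped: int  # packets the kernel dropped before Bro read them
    recvd: int    # packets delivered to Bro
    link: int     # packets the capture layer saw on the link

    @property
    def drop_rate(self) -> float:
        # Fraction of link-level packets lost before analysis. `link` is used
        # as the denominator; whether it already includes the dropped packets
        # depends on the libpcap platform, so treat the rate as approximate.
        return self.dropped / self.link if self.link else 0.0


def parse_line(line: str) -> Optional[DropStats]:
    """Return DropStats for a notice or netstats line, None for anything else."""
    m = NOTICE_RE.search(line)
    if m:
        return DropStats("notice", int(m["dropped"]), int(m["recvd"]), int(m["link"]))
    m = NETSTATS_RE.match(line.strip())
    if m:
        return DropStats(m["node"], int(m["dropped"]), int(m["recvd"]), int(m["link"]))
    return None


def parse_lines(lines: List[str]) -> List[DropStats]:
    return [s for s in (parse_line(l) for l in lines) if s is not None]


def over_threshold(stats: List[DropStats], threshold: float) -> List[DropStats]:
    """Entries whose drop rate exceeds `threshold` (a fraction, 0.01 = 1%)."""
    return [s for s in stats if s.drop_rate > threshold]


# The lines quoted in the post above (the last one is the broctl netstats output),
# plus one unrelated line to show it is ignored.
SAMPLE_LINES = [
    "PacketFilter::Dropped_Packets 476 packets dropped after filtering, 52258 received, 52258 on link",
    "PacketFilter::Dropped_Packets 4914 packets dropped after filtering, 52785 received, 52785 on link",
    "PacketFilter::Dropped_Packets 3061 packets dropped after filtering, 35701 received, 35702 on link",
    "PacketFilter::Dropped_Packets 3371 packets dropped after filtering, 30573 received, 30591 on link",
    "bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125",
    "some unrelated notice line",
]
SAMPLE_STATS = parse_lines(SAMPLE_LINES)

# Alert threshold: an assumption, not a Bro default. Adjust to taste.
ALERT_THRESHOLD = 0.01

if __name__ == "__main__":
    for s in SAMPLE_STATS:
        flag = "ALERT" if s.drop_rate > ALERT_THRESHOLD else "ok"
        print(f"{s.source:8s} dropped={s.dropped:>9d} link={s.link:>11d} "
              f"loss={s.drop_rate:7.3%} {flag}")
```

Run against the post's numbers, every interval except the first exceeds a 1% loss budget, and the cumulative netstats line shows roughly 6.5% of link packets never reached Bro; that figure, not the raw dropped count, is what to compare across the Ubuntu and CentOS boxes.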
Greetings all.
I was wondering if anyone had a script (or documentation) that logs SMB
traffic and activities including file names and folders being read,
written, connections, etc.
The only information I found regarding this is from the event.bif.bro which
ships with Bro 2.0.
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
Thank you!
Hello,
First of all, I am very new to Bro, so excuse me if I am missing something
obvious!
Anyway: I have been playing around with bro analyzing a pcap which among
other things includes an FTP transaction. I noticed that the FTP
password field was set to <hidden>.
I managed to find the very nice documentation over at
http://www.bro-ids.org/documentation/scripts/base/protocols/ftp/main.html
which made me tweak the default_capture_password variable to "T". This
however did not seem to change the password field.
I then noticed that there was a specific check for known anonymous users
which would make sense to not store a password for, but the user in my case,
"ftpuser", was not in the list. Looking at the script it seemed to me the
test case was reversed, actually changing the password to <hidden> if
the user was _not_ in the anonymous list so i simply changed it. This
made the password visible.
I then tested changing the default_capture_password variable back and
forth but it didn't seem to make a difference: the password was shown
either way. Based on this I grepped around somewhat in the other
scripts and found that the HTTP script did a similar thing with a
default_capture_password variable.
The actual use of the variable seemed to be missing from the FTP script,
so I added that as well based on the HTTP example.
Since I guess code says more than words, I created a git patch just to
show what was done; it can be fetched here:
http://dump.komsi.se/bro/0001-Fix-FTP-script-password-saving.patch
Finally, I might have missed it in the docs, but what would be the
preferable way to enable password capture? I'm guessing it belongs in
bro/site/local.bro but I'm not sure about the syntax to describe (in
this case) whether the setting relates to HTTP or FTP etc.
Thanks for this great framework, it sure looks very interesting!
Regards,
Patrik Lundin
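As an added example (not code from the post, the patch, or Bro's own FTP script), the following Python models the USER/PASS handling the post discusses: a session is driven through the FTP command sequence and the PASS argument is either recorded or replaced by "<hidden>", depending on whether the user is a known guest ID and whether password capture is switched on. The guest-ID list and the capture flag are assumptions modelled on Bro's FTP::guest_ids and FTP::default_capture_password; the sample logins are constructed, not captured traffic.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

HIDDEN = "<hidden>"

# Assumed default guest list (the post reports that "ftpuser" is not in the
# shipped list, so it is deliberately absent here).
DEFAULT_GUEST_IDS = {"anonymous", "ftp", "guest"}


@dataclass
class FtpSession:
    # Stands in for FTP::default_capture_password: when False, real passwords
    # are never written to the log.
    capture_password: bool = False
    guest_ids: Set[str] = field(default_factory=lambda: set(DEFAULT_GUEST_IDS))
    user: Optional[str] = None
    password: Optional[str] = None

    def handle_request(self, command: str, arg: str) -> None:
        """Mirror the per-command bookkeeping an ftp_request handler would do."""
        command = command.upper()
        if command == "USER":
            self.user = arg
            self.password = None  # a new USER starts a new login attempt
        elif command == "PASS":
            self.password = self.mask(arg)

    def mask(self, password: str) -> str:
        # A guest login's "password" is by convention an e-mail address, not a
        # secret, so it is always kept. Any other password is kept only when
        # capture is explicitly enabled; otherwise it is hidden.
        if self.user is not None and self.user in self.guest_ids:
            return password
        if self.capture_password:
            return password
        return HIDDEN


def replay(commands: List[Tuple[str, str]],
           capture_password: bool = False,
           guest_ids: Optional[Set[str]] = None) -> FtpSession:
    """Feed a (command, argument) sequence through a fresh session and return it."""
    session = FtpSession(
        capture_password=capture_password,
        guest_ids=set(guest_ids) if guest_ids is not None else set(DEFAULT_GUEST_IDS),
    )
    for command, arg in commands:
        session.handle_request(command, arg)
    return session


# Constructed sample exchanges (client side only; not captured traffic).
REAL_LOGIN = [("USER", "ftpuser"), ("PASS", "s3cret")]
GUEST_LOGIN = [("USER", "anonymous"), ("PASS", "someone@example.org")]

if __name__ == "__main__":
    for cmds in (REAL_LOGIN, GUEST_LOGIN):
        for capture in (False, True):
            s = replay(cmds, capture_password=capture)
            print(f"user={s.user:<10} capture={capture!s:<5} password={s.password}")
```

The model makes the two switches independent: adding "ftpuser" to the guest list exposes only that account's password, while the capture flag exposes everyone's, which is why the flag should stay off on a production sensor. In Bro itself both knobs are redefs placed in the site policy, `redef FTP::default_capture_password = T;` for FTP and the HTTP::default_capture_password counterpart for HTTP, so the module prefix is what ties the setting to its protocol.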
Dear Bro Community,
I am a graduate student at Gjøvik University College in Norway.
I was hoping to compare the detection rate in Bro and Snort regarding some
network attacks (using NMAP).
I'm not so familiar with Bro and after some hours of work I still have not
found any log file telling me that Bro has detected an attack...
I have read a lot of the documentation on your web page.
My questions are the following;
#1 - How much can Bro's default base installation tell me regarding attack
events (notifications)? (I use the fresh Bro 2.0)
#2 - Can I easily get more notification logs from attack events?
Thank You!
Best Regards,
Roger Larsen
master IS student
Hi guys,
I don't know how to pass an array to a binpac function and then to BifEvent.
Here is my type definition:
    type X(len: uint16) = record {
        byteCount: uint8;
        registers: uint16[registerCount] &length = byteCount;
    };
here is the function I want to call:
    function something(r: X): bool
    %{
        // here get a pointer to registers and value to byteCount ???
        if ( ::some_event )
            {
            BifEvent::generate_some_event(
                connection()->bro_analyzer(),
                connection()->bro_analyzer()->Conn(),
                is_orig(), bCount, reg);
            }
        return true;
    %}
If BifEvent passes a pointer to the array, can I then use a vector type in
the Bro script to print those values?
Thanks,
dina
I've been wrestling with how to go about learning the Bro scripting language and tried my best to document the process I'm using while trying to solve a Network Forensics Challenge using Bro.
http://ryesecurity.blogspot.com/2012/04/solving-network-forensic-challenges…
I'm hoping to make it a series of posts to help people new to the scripting language (myself included) who might have the same questions.
I'd welcome any comments or critiques.
Thanks,
Scott
Hi,
I installed Bro 2.0 and tried to use its dpd functionality to detect application level protocols. I uploaded two pcap files for testing: http://www.loopbacking.info/dosya/
Running bro for test-http.pcap results in http detection at the conn.log
# bro -p broctl -p broctl-live -p standalone -p local -p bro -r webdav.pcap
# bro-cut service < conn.log
conn.log
http
Then I wrote a script to extract TCP flows and save them as different pcap files. The idea is to keep the packets with the same source IP, source port, destination IP, destination port (one direction) or the other direction in the same pcap file.
One of the pcaps that has an HTTP flow in it is 213.pcap. When I try it with Bro I don't see any application level information.
# bro -p broctl -p broctl-live -p standalone -p local -p bro -r 213.pcap
# bro-cut service < conn.log
-
-
But when i try it via tshark i can get the protocol information
# tshark -q -z io,phs -r 213.pcap
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:74 bytes:207091
ip frames:74 bytes:207091
tcp frames:74 bytes:207091
http frames:1 bytes:865
Any idea what the reason is?
Am I running the right parameter for Bro to detect the application level protocol (dpd)?
--
Oguz Yarimtepe <oguzyarimtepe(a)gmail.com>
http://about.me/oguzy