Hello,
I am trying to add BRO the ability to ignore traffic from certain IP ranges
dynamically.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a BRO script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IP's.
Question:
1. Is it possible to query a DB from BRO scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IP's as soon as
possible).
Thank You
Dave
I like that broctl will roll logs over every hour. My default
broctl.cfg file includes:
# Rotation interval in seconds for log files on manager/standalone node.
LogRotationInterval = 3600
I don't like getting an email from broctl every hour, though. Is
there a way to get a daily report, instead of an hourly report?
Related --
The Bro README [1] claims:
"BroControl sends four types of mails to the address given in MailTo:
1. When logs are rotated (per default once a day), a list of all
alarms during the last rotation interval is sent. This can be disabled
by setting MailAlarms=0."
But elsewhere in the README:
"LogRotationInterval (int, default 3600)
The frequency of log rotation in seconds for the manager/standalone node."
This is confusing to me -- maybe someone can help me understand. Are
they talking about two different things?
[1] http://www.bro-ids.org/documentation/components/broctl/README.html
Bro 2 has been crashing for me regularly and frequently for several
months. [ http://bit.ly/JJQVVf ]
Although I configured Bro in a way that works for me, it would still
be nice to use it as it is intended to be used.
I studied a number of crash dumps, and have looked through the code.
I was seeing crashes with the Bro 2.0 release, but I am now using a
version of Bro 2.0 from the git repositories that I checked out on
April 30. I saw very similar crashes in both versions.
Line 78 in PktSrc.cc is consistently related to issues in the
backtraces I'm getting from bro core dumps. I really haven't written
much code with libpcap, so there's probably a good reason to use
pcap_next() there. I'm just wondering, why not use pcap_next_ex()
there and do a bit of error checking before passing packet data along?
The way it is right now, it looks like the code just trusts that
pcap_next() read a packet successfully and then hands it off.
I think that in my case, something is going wrong with the call to
pcap_next() -- it's returning a pointer that doesn't make any sense.
If there was a little error checking around pcap_next() by using
pcap_next_ex() instead, maybe that would prevent the crash I'm seeing.
On the other hand, maybe there is some code that does some error
checking on if the value returned by pcap_next() makes sense and I'm
just not finding it.
Can anyone help me understand the choice to use pcap_next() vs pcap_next_ex()?
Hi all,
I recently upgraded 3 standalone Bro nodes. 2 of them are Ubuntu and one of them is CentOS 6.2.
On the 2 Ubuntu 11.10 boxes I have a lot of dropped packets in the notice.log
---
PacketFilter::Dropped_Packets 476 packets dropped after filtering, 52258 received, 52258 on link
PacketFilter::Dropped_Packets 4914 packets dropped after filtering, 52785 received, 52785 on link
PacketFilter::Dropped_Packets 3061 packets dropped after filtering, 35701 received, 35702 on link
PacketFilter::Dropped_Packets 3371 packets dropped after filtering, 30573 received, 30591 on link
---
broctl netstats
bro: 1326394056.309957 recvd=958721774 dropped=67351350 link=1026073125
I then tried to add this line to the broctl.cfg from http://comments.gmane.org/gmane.comp.security.detection.bro/4146
broargs = -l 9800
Which does not appear to be part of the final release and did not work.
The CentOS box is dropping packets, but not the amounts that the 2 Ubuntu boxes are.
Is there a way to reduce the amount of dropped packets?
Also, I can provide more data if necessary.
Thank you in advance,
Will
Hello,
If I have a table of set, it's pretty straight-forward to add expiring
timers for the parent table:
--
global test_table: table[count] of set[string]
&read_expire = 1 day &expire_func = test_expire;
--
However, I can't figure out a way to define {read,write,create}_expire
attributes for the *child*, i.e., set[string].
I have tried defining the timers when adding the table entry:
--
test_table[0] = set("Hello", "World") &create_expire = 1 usec;
--
But the string entries do not expire 1 usec after creation. Any ideas on
how to accomplish this?
Regards,
--
Kamran Riaz Khan.
http://inspirated.com/
Hi,
I want to identify hosts within our monitored network that reply to certain
external IP addresses. The reply could be as short as a syn-ack. The event
connection_established is too late as it doesn't matter whether the
connection was established. All that matters is whether any of our hosts
replied to the external IP even if that means a single syn-ack packet. Do
we have an event that could be used to capture this information?
Regards,
--
Sheharbano Khattak
http://etheryell.com
On May 16, 2012, at 4:56 PM, Dalton Porter wrote:
> One of the requirements for my project is to measure the bytes sent and received on the wire. I'm thinking there must be a counter - maybe in conn that could be used for this. resp_ip_bytes looks promising, but I have not figured out how to use it yet.
Ah! Ok, that's available but you have to be aware of what you are measuring. In your conn.log there are several fields that represent the data you're looking for.
orig_bytes, resp_bytes
These are payload bytes for data sent by the originator and responder.
orig_ip_bytes, resp_ip_bytes
These are byte counts including the IP header. If you are looking for the total amount of data being sent across your border to the "internet", then this is likely the measurement you want.
These fields are available several ways; one easy way that is a nice analog to log processing is to access them through the logging framework event as the data is being logged.
event Conn::log_conn(rec: Conn::Info)
    {
    print rec$orig_ip_bytes + rec$resp_ip_bytes;
    }
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
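As an added illustration, not taken from Seth's message or from the Bro project, the script below reads a conn.log in Bro's tab-separated ASCII format and sums the four counters he names, so the gap between payload bytes (orig_bytes/resp_bytes) and IP-level bytes (orig_ip_bytes/resp_ip_bytes) is visible, and it computes per connection the same orig_ip_bytes + resp_ip_bytes sum his Conn::log_conn handler prints. The log lines, uids and addresses are constructed, only a subset of the real conn.log columns is included, and the parser takes the column names from the #fields header rather than assuming an order.

```python
"""Sum the byte counters of a Bro conn.log, keeping payload bytes
(orig_bytes / resp_bytes) separate from IP-level bytes
(orig_ip_bytes / resp_ip_bytes), which include the IP header."""
from typing import Dict, List, Optional

# Constructed sample in Bro's tab-separated ASCII log format; these are not
# real connections. Only a subset of the conn.log columns is included, and the
# parser reads the column names from the #fields line instead of hard-coding them.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\torig_bytes\tresp_bytes\tconn_state\torig_ip_bytes\tresp_ip_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tcount\tcount\tstring\tcount\tcount\n"
    # A completed HTTP connection: small request, ~10 KB response.
    "1337200000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t203.0.113.10\t80"
    "\ttcp\t412\t10240\tSF\t732\t11200\n"
    # A DNS exchange over UDP.
    "1337200001.654321\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t53000\t203.0.113.53\t53"
    "\tudp\t60\t180\tSF\t116\t236\n"
    # A SYN with no reply: payload counters are unset ("-"), IP bytes still count.
    "1337200002.000000\tCmES5u32sYpV7JYN\t10.0.0.9\t40000\t203.0.113.99\t443"
    "\ttcp\t-\t-\tS0\t180\t0\n"
    "#close\t2012-05-16-17-00-00\n"
)

BYTE_FIELDS = ("orig_bytes", "resp_bytes", "orig_ip_bytes", "resp_ip_bytes")


def parse_conn_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Bro ASCII log text into one dict per record.

    Header lines start with '#'. '#fields' names the columns and '#unset_field'
    gives the marker for a missing value, which is mapped to None.
    """
    fields: List[str] = []
    unset_marker = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field" and len(parts) > 1:
                unset_marker = parts[1]
            continue
        if not fields:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch in line: %r" % line)
        records.append({name: (None if v == unset_marker else v)
                        for name, v in zip(fields, values)})
    return records


def byte_totals(records: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Sum each byte counter across all records, skipping unset values."""
    totals = {name: 0 for name in BYTE_FIELDS}
    for rec in records:
        for name in BYTE_FIELDS:
            value = rec.get(name)
            if value is not None:
                totals[name] += int(value)
    return totals


def wire_bytes_per_connection(records: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Per-uid orig_ip_bytes + resp_ip_bytes, the sum the Conn::log_conn
    handler above prints for each logged connection."""
    result: Dict[str, int] = {}
    for rec in records:
        total = 0
        for name in ("orig_ip_bytes", "resp_ip_bytes"):
            value = rec.get(name)
            if value is not None:
                total += int(value)
        result[str(rec["uid"])] = total
    return result


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    totals = byte_totals(recs)
    print("payload bytes: orig=%d resp=%d" % (totals["orig_bytes"], totals["resp_bytes"]))
    print("IP bytes:      orig=%d resp=%d" % (totals["orig_ip_bytes"], totals["resp_ip_bytes"]))
    for uid, n in wire_bytes_per_connection(recs).items():
        print("%s %d bytes on the wire" % (uid, n))
```

On the sample, the IP-level totals exceed the payload totals by the header overhead, and the unanswered SYN contributes 180 bytes to orig_ip_bytes while its payload counters are unset; that is the measurement distinction to keep in mind when summing "bytes across the border".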
Hi,
I set the default_extract variable as
const default_extract = T &redef;
at the contents.bro script to get the dat files including TCP reassembly contents. Is there a way at the Python binding side so that I can save the binaries as separate files in the created files? The dat files include many responses. I can read the file and try to parse the content out by looking at the orig file, but maybe there is a better way at the binding side.
Cheers.
--
Oguz Yarimtepe <oguzyarimtepe(a)gmail.com>
http://about.me/oguzy