zeek June 2012

zeek@lists.zeek.org

20 participants
17 discussions

by Dave Angelo

Hello, I am trying to add BRO the ability to ignore traffic from certain IP ranges dynamically. I have a DB with IP addresses (that chances once in a while) and I would like to write a BRO script that will query the DB once in a while, grab those IP addresses and drop new connections with these IP's. Question: 1. Is it possible to query a DB from BRO scripts? is there any examples? 2. Assuming yes, should i implement this logic at the 'new_connection' event? (I would like to drop connections from these IP's as soon as possible). Thank You Dave

9 years, 7 months

[Bro] broctl Email Reports

by Chris Crawford

I like that broctl will roll logs over every hour. My default broctl.cfg file includes: # Rotation interval in seconds for log files on manager/standalone node. LogRotationInterval = 3600 I don't like getting an email from broctl every hour, though. Is there a way to get a daily report, instead of an hourly report? Related -- The Bro README [1] claims: "BroControl sends four types of mails to the address given in MailTo: 1. When logs are rotated (per default once a day), a list of all alarms during the last rotation interval is sent. This can be disabled by setting MailAlarms=0." But elsewhere in the README: "LogRotationInterval (int, default 3600) The frequency of log rotation in seconds for the manager/standalone node." This is confusing to me -- maybe someone can help me understand. Are they talking about two different things? [1] http://www.bro-ids.org/documentation/components/broctl/README.html

9 years, 9 months

[Bro] pcap_next Question

by Chris Crawford

Bro 2 has been crashing for me regularly and frequently for several months. [ http://bit.ly/JJQVVf ] Although I configured Bro in a way that works for me, it would still be nice to use it as it is intended to be used. I studied a number of crash dumps, and have looked through the code. I was seeing crashes with the Bro 2.0 release, but I am now using a version of Bro 2.0 from the git repositories that I checked out on April 30. I saw very similar crashes in both versions. Line 78 in PktSrc.cc is consistently related to issues in the backtraces I'm getting from bro core dumps. I really haven't written much code with libpcap, so there's probably a good reason to use pcap_next() there. I'm just wondering, why not use pcap_next_ex() there and do a bit of error checking before passing packet data along? The way it is right now, it looks like the code just trusts that pcap_next() read a packet successfully and then hands it off. I think that in my case, something is going wrong with the call to pcap_next() -- it's returning a pointer that doesn't make any sense. If there was a little error checking around pcap_next() by using pcap_next_ex() instead, maybe that would prevent the crash I'm seeing. On the other hand, maybe there is some code that does some error checking on if the value returned by pcap_next() makes sense and I'm just not finding it. Can anyone help me understand the choice to use pcap_next() vs pcap_next_ext()?

9 years, 10 months

[Bro] Re-reading data in the input framework

by Sheharbano Khattak

Hi, I want to test if a table that holds data from an input source file with the automatic refresh mode "REREAD" reflects changes applied to the source file. This is what my file looks like -----------------------------config.bro--------------------------------- module Config; type Idx: record { parameter: string; }; type Val: record { value: string; }; export { global table_config: table[string] of Val; } global config_filename = "/usr/local/bro/share/bro/site/botflex/config.txt"; event bro_init() &priority=20 { Input::add_table([$source=config_filename, $name="config_stream", $idx=Idx, $val=Val, $destination=table_config, $mode=Input::REREAD]); Input::remove("config_stream"); } event Input::update_finished(name: string, source: string) { # now all data is in the table print "Updated"; print table_config; } event bro_done() { print "Ending"; print table_config; } ------------------------------------------------------------------------------------------------------- I do bro -i eth0 config.bro. The first time, the event Input::update_finished is triggered with the values/indices defined in config.txt. Then i manually make some changes in config.txt and save the changes but Input::update_finished is not triggered. After waiting for several minutes, i ctrl+c Bro hoping to see the modification in table_config, still it shows the old values. There is nothing interesting in reporter.log either. What am i doing wrong? Thanks. -- Sheharbano Khattak http://etheryell.com

9 years, 12 months

[Bro] Playing with the input framework

by Sheharbano Khattak

Hi, I recently finished reading about the new input framework http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it very interesting. As a first step, i tried implementing the example about reading data into tables mentioned here http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html. My bro and source blacklist file look like this: ---------------------------------try.bro---------------------------------------------- module Try; type Idx: record { ip: addr; }; type Val: record { timestamp: time; reason: string; }; global blacklist: table[addr] of Val = table(); event bro_init() { print "hello"; Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx, $val=Val, $destination=Try::blacklist]); Input::remove("bl_stream"); print "bye"; } event Input::update_finished(name: string, source: string) { # now all data is in the table print "Updated"; print Try::blacklist; } ----------------------------bl.txt--------------------------------------------- #fields ip timestamp reason #types addr time string 192.168.17.1 1333252748 Malware host 192.168.27.2 1330235733 Botnet server 192.168.250.3 1333145108 Virus detected --------------------------------------------------------------------------------- Initially, i tried "bro -r file.pcap try.bro" but it didn't work. To provide ample time for reading in the blacklist, i tried "bro -i eth0 try.bro". The output displays hello and bye but the blacklist wasn't printed even after 5 minutes. I tried giving the absolute source path i.e. "/home/myname/bl.txt" but to no avail. Moreover, i purposely gave a wrong input source file and no error was displayed. I feel an appropriate error message will be helpful if someone has mistyped the source file name or if it doesn't exist. Regards, -- Sheharbano Khattak http://etheryell.com

9 years, 12 months

[Bro] DNS state remains uninitialized in dns_message event

by Naveed Anwar

Hi, I want to capture DNS queries of a pcap but there is an issue with DNS events. The DNS state in the connection record remains uninitialized for my DNS queries. Here's how I'm looking at the DNS state information: event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) { print c; } pcap: http://www.sysnet.org.pk/needo/mix1.pcap bro-output: http://www.sysnet.org.pk/needo/bro.log -- Regards, Naveed Anwar Bhatti MS(CS) - FAST NU islamabd

9 years, 12 months

[Bro] Global IP host ignore

by Jake Middleton

I have an install using 8 nodes and a master on a single host. I'm monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handfull of noisy hosts. What's the best approach to handle this? Thanks in advance -- -j

9 years, 12 months

[Bro] Hui Lin_Enable Protocol Analyzer in Bro bare mode

by Hui Lin (Hugo)

Hi, I am using Bro bare mode to test my own policy script. I also like to use a Syslog analyzer to analyze *syslog_message* event. I define *syslog_message* event in my own script, but this event handler is not executed under bare mode? I am wondering what scripts should be loaded to enable Syslog analyzer. Best,

9 years, 12 months

Re: [Bro] Hui Lin_Enable Protocol Analyzer in Bro bare mode

by Hui Lin (Hugo)

Actually it is quite simple. This is my syslog_message event handler. @load frameworks/communication/listen .... event syslog_message(c: connection, facility: count, severity: count, msg: string) { gUsrID = facility; print fmt("syslog %d", facility); findSyslog = T ; } gUsrID and findSyslog are two global variables. I am not sure why it is not executing. I did not see any print on the console. Best, Hui On Mon, Jun 25, 2012 at 3:39 PM, Seth Hall <seth(a)icir.org> wrote: > > On Jun 25, 2012, at 4:34 PM, Hui Lin (Hugo) wrote: > > > I also like to use a Syslog analyzer to analyze syslog_message event. I > define syslog_message event in my own script, but this event handler is not > executed under bare mode? I am wondering what scripts should be loaded to > enable Syslog analyzer. > > It's enabled by default. Can you show the code you are using that isn't > working? > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > >

9 years, 12 months

[Bro] Hui Lin_Bro disable log stream is not working?

by Hui Lin (Hugo)

Hi, In order to disable default logs, I follow the documentation and define bro_init as follows: event bro_init() &priority = 5 { Log::disable_stream(Conn::LOG); Log::disable_stream(Notice::POLICY_LOG); Log::disable_stream(PacketFilter::LOG); Log::disable_stream(Syslog::LOG); } But, all logs are generated as usual, any comment? Best, Hui

9 years, 12 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2012