Hello,
I am trying to add to Bro the ability to ignore traffic from certain IP ranges
dynamically.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a Bro script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IPs.
Question:
1. Is it possible to query a DB from Bro scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IPs as soon as
possible).
Thank You
Dave
I like that broctl will roll logs over every hour. My default
broctl.cfg file includes:
# Rotation interval in seconds for log files on manager/standalone node.
LogRotationInterval = 3600
I don't like getting an email from broctl every hour, though. Is
there a way to get a daily report, instead of an hourly report?
Related --
The Bro README [1] claims:
"BroControl sends four types of mails to the address given in MailTo:
1. When logs are rotated (per default once a day), a list of all
alarms during the last rotation interval is sent. This can be disabled
by setting MailAlarms=0."
But elsewhere in the README:
"LogRotationInterval (int, default 3600)
The frequency of log rotation in seconds for the manager/standalone node."
This is confusing to me -- maybe someone can help me understand. Are
they talking about two different things?
[1] http://www.bro-ids.org/documentation/components/broctl/README.html
Bro 2 has been crashing for me regularly and frequently for several
months. [ http://bit.ly/JJQVVf ]
Although I configured Bro in a way that works for me, it would still
be nice to use it as it is intended to be used.
I studied a number of crash dumps, and have looked through the code.
I was seeing crashes with the Bro 2.0 release, but I am now using a
version of Bro 2.0 from the git repositories that I checked out on
April 30. I saw very similar crashes in both versions.
Line 78 in PktSrc.cc is consistently related to issues in the
backtraces I'm getting from bro core dumps. I really haven't written
much code with libpcap, so there's probably a good reason to use
pcap_next() there. I'm just wondering, why not use pcap_next_ex()
there and do a bit of error checking before passing packet data along?
The way it is right now, it looks like the code just trusts that
pcap_next() read a packet successfully and then hands it off.
I think that in my case, something is going wrong with the call to
pcap_next() -- it's returning a pointer that doesn't make any sense.
If there was a little error checking around pcap_next() by using
pcap_next_ex() instead, maybe that would prevent the crash I'm seeing.
On the other hand, maybe there is some code that does some error
checking on if the value returned by pcap_next() makes sense and I'm
just not finding it.
Can anyone help me understand the choice to use pcap_next() vs pcap_next_ex()?
Hi,
I want to test if a table that holds data from an input source file with
the automatic refresh mode "REREAD" reflects changes applied to the source
file. This is what my file looks like
-----------------------------config.bro---------------------------------
module Config;

type Idx: record {
	parameter: string;
};

type Val: record {
	value: string;
};

export {
	global table_config: table[string] of Val;
}

global config_filename = "/usr/local/bro/share/bro/site/botflex/config.txt";

event bro_init() &priority=20
	{
	Input::add_table([$source=config_filename, $name="config_stream",
	                  $idx=Idx, $val=Val, $destination=table_config,
	                  $mode=Input::REREAD]);
	Input::remove("config_stream");
	}

event Input::update_finished(name: string, source: string)
	{
	# now all data is in the table
	print "Updated";
	print table_config;
	}

event bro_done()
	{
	print "Ending";
	print table_config;
	}
-------------------------------------------------------------------------------------------------------
I run bro -i eth0 config.bro. The first time, the event
Input::update_finished is triggered with the values/indices defined in
config.txt.
Then I manually make some changes in config.txt and save the changes, but
Input::update_finished is not triggered. After waiting for several minutes,
I Ctrl+C Bro hoping to see the modification in table_config; still it shows
the old values. There is nothing interesting in reporter.log either. What
am I doing wrong?
Thanks.
--
Sheharbano Khattak
http://etheryell.com
Hi,
I recently finished reading about the new input framework
http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it
very interesting. As a first step, I tried implementing the example about
reading data into tables mentioned here:
http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html.
My bro and source blacklist file look like this:
---------------------------------try.bro----------------------------------------------
module Try;

type Idx: record {
	ip: addr;
};

type Val: record {
	timestamp: time;
	reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
	{
	print "hello";
	Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx,
	                  $val=Val, $destination=Try::blacklist]);
	Input::remove("bl_stream");
	print "bye";
	}

event Input::update_finished(name: string, source: string)
	{
	# now all data is in the table
	print "Updated";
	print Try::blacklist;
	}
----------------------------bl.txt---------------------------------------------
#fields ip timestamp reason
#types addr time string
192.168.17.1 1333252748 Malware host
192.168.27.2 1330235733 Botnet server
192.168.250.3 1333145108 Virus detected
---------------------------------------------------------------------------------
Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To
provide ample time for reading in the blacklist, I tried "bro -i eth0
try.bro". The output displays hello and bye but the blacklist wasn't
printed even after 5 minutes. I tried giving the absolute source path, i.e.
"/home/myname/bl.txt", but to no avail.
Moreover, I purposely gave a wrong input source file and no error was
displayed. I feel an appropriate error message would be helpful if someone
has mistyped the source file name or if it doesn't exist.
Regards,
--
Sheharbano Khattak
http://etheryell.com
Hi,
I want to capture DNS queries of a pcap but there is an issue with DNS
events. The DNS state in the connection record remains uninitialized for my
DNS queries.
Here's how I'm looking at the DNS state information:
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
	{
	print c;
	}
pcap: http://www.sysnet.org.pk/needo/mix1.pcap
bro-output: http://www.sysnet.org.pk/needo/bro.log
--
Regards,
Naveed Anwar Bhatti
MS(CS) - FAST NU Islamabad
I have an install using 8 nodes and a master on a single host. I'm
monitoring ~2,000 hosts across a split core and would like to add a global
ignore for a handful of noisy hosts.
What's the best approach to handle this?
Thanks in advance
--
-j
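Added example serving four of the posts above (Dave's dynamic ignore list, -j's global ignore for noisy hosts, and the two Input-framework scripts from Sheharbano); it is not code from any of those posts or from Bro itself. It assumes the addresses are exported from the database (or written by hand) as a tab-separated file at an assumed path, and that the stream-completion event is Input::end_of_data, the name it carries in released Bro 2.1 and later (the posted scripts use Input::update_finished from the 2012 development tree). The list is loaded in REREAD mode and the stream is left open so that edits to the file are picked up; config.bro above calls Input::remove() right after Input::add_table(), which closes the stream and with it the re-read. New connections touching a listed host or range are handed to skip_further_processing().

```bro
# ignore_hosts.bro -- added example, not code from the posts above.
#
# Maintain a dynamically updated ignore list of hosts/ranges and stop
# analysing new connections that involve them. The list lives in a
# tab-separated file, assumed to be exported periodically from the DB
# mentioned in Dave's post or edited by hand. Constructed sample content
# (columns separated by TABS, single hosts written as /32 or /128):
#
#   #fields	net
#   #types	subnet
#   10.0.0.0/8
#   192.0.2.7/32

module IgnoreHosts;

export {
	## Location of the ignore list (assumed path; override with redef).
	const ignore_file = "/usr/local/bro/share/bro/site/ignore.txt" &redef;

	## Networks currently ignored. An addr tested with `in` matches the
	## longest containing subnet, so both single hosts and ranges work.
	global ignored: set[subnet];
}

# Index record for the input stream: one column, the subnet.
# No $val record is needed when the destination is a set.
type Idx: record {
	net: subnet;
};

event bro_init()
	{
	# REREAD: the reader re-parses the file whenever its modification
	# time changes. The stream has to stay open for that, so
	# Input::remove() is deliberately NOT called here.
	Input::add_table([$source=ignore_file, $name="ignore_list",
	                  $idx=Idx, $destination=ignored,
	                  $mode=Input::REREAD]);
	}

# Raised after the initial read and again after every re-read.
event Input::end_of_data(name: string, source: string)
	{
	if ( name == "ignore_list" )
		print fmt("ignore list (re)loaded from %s: %d entries",
		          source, |ignored|);
	}

# Earliest per-connection hook: first packet / start of the handshake.
event new_connection(c: connection)
	{
	if ( c$id$orig_h in ignored || c$id$resp_h in ignored )
		# Stop reassembly and protocol analysis for this connection.
		skip_further_processing(c$id);
	}
```

Run it with `bro -i eth0 ignore_hosts.bro`; appending a line to the file and saving it produces another Input::end_of_data with the new count. Two things to check when a table stays empty, as in the try.bro post: the fields, including the #fields and #types header lines, must be separated by tabs rather than spaces, and when replaying a trace with -r Bro can finish the trace before the reader thread has delivered its first read, for which the usual workaround is `redef exit_only_after_terminate = T;` plus an explicit terminate() once the work is done. skip_further_processing() stops reassembly and protocol analysis for that connection but does not keep its packets out of Bro; for a fixed list of very noisy hosts a BPF capture filter is cheaper, at the cost of being static. In a cluster every worker runs the script and reads the file itself, so the path has to be readable on each node.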
Hi,
I am using Bro bare mode to test my own policy script.
I would also like to use the Syslog analyzer to analyze the *syslog_message* event. I
define a *syslog_message* event handler in my own script, but this event handler is
not executed under bare mode. I am wondering what scripts should be loaded
to enable the Syslog analyzer.
Best,
Actually it is quite simple. This is my syslog_message event handler.
@load frameworks/communication/listen
....
event syslog_message(c: connection, facility: count, severity: count,
                     msg: string)
	{
	gUsrID = facility;
	print fmt("syslog %d", facility);
	findSyslog = T;
	}
gUsrID and findSyslog are two global variables.
I am not sure why it is not executing. I did not see any print on the
console.
Best,
Hui
On Mon, Jun 25, 2012 at 3:39 PM, Seth Hall <seth(a)icir.org> wrote:
>
> On Jun 25, 2012, at 4:34 PM, Hui Lin (Hugo) wrote:
>
> > I also like to use a Syslog analyzer to analyze syslog_message event. I
> define syslog_message event in my own script, but this event handler is not
> executed under bare mode? I am wondering what scripts should be loaded to
> enable Syslog analyzer.
>
> It's enabled by default. Can you show the code you are using that isn't
> working?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
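As an added example (not Hui's or Seth's code): a bare-mode script that does receive syslog_message events. Under -b none of the base scripts are loaded, and it is base/protocols/syslog that registers the Syslog analyzer for 514/udp, so a handler is never reached unless that script is @load'ed explicitly. The module name and the per-facility tally are constructed for this example.

```bro
# syslog_bare.bro -- added example, not Hui's script.
# Run as:  bro -b syslog_bare.bro   (or  bro -b -r trace.pcap syslog_bare.bro)
#
# In bare mode (-b) nothing under scripts/base/ is loaded. The Syslog
# analyzer is attached to 514/udp by base/protocols/syslog, so without
# this @load no syslog_message event is ever generated, however many
# handlers the script defines.
@load base/protocols/syslog

module SyslogBare;

export {
	## Messages seen per syslog facility (tally constructed for the example).
	global per_facility: table[count] of count &default=0;
}

event syslog_message(c: connection, facility: count, severity: count,
                     msg: string)
	{
	++per_facility[facility];
	print fmt("syslog %s -> %s facility=%d severity=%d: %s",
	          c$id$orig_h, c$id$resp_h, facility, severity, msg);
	}

event bro_done()
	{
	for ( f in per_facility )
		print fmt("facility %d: %d message(s)", f, per_facility[f]);
	}
```

Outside bare mode the same script works without the @load line, which is what "enabled by default" in the reply refers to; any other @load from the posted script (such as frameworks/communication/listen) is unrelated to whether the analyzer runs.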
Hi,
In order to disable default logs, I follow the documentation and define
bro_init as follows:
event bro_init() &priority = 5
	{
	Log::disable_stream(Conn::LOG);
	Log::disable_stream(Notice::POLICY_LOG);
	Log::disable_stream(PacketFilter::LOG);
	Log::disable_stream(Syslog::LOG);
	}
But all logs are generated as usual. Any comment?
Best,
Hui
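Added example, not Hui's script: the same four streams disabled in a way that can be checked. The base scripts create their streams in bro_init() at &priority=5 (base/protocols/conn/main.bro, for instance), so a disable handler that also runs at priority 5 has no guaranteed order relative to them, and Log::disable_stream() on a stream that does not exist yet returns F and changes nothing. The example runs after stream creation and reports any stream it could not find. It assumes the scripts that define those four streams are loaded (outside bare mode they are by default).

```bro
# disable_logs.bro -- added example, not Hui's script.
#
# Log streams are created by the base scripts in bro_init() at
# &priority=5. A disable at the same priority may run before the stream
# exists; disabling a stream that does not exist yet just returns F.
# Run strictly later and check the result.
event bro_init() &priority=-5
	{
	local streams: set[Log::ID] = set(Conn::LOG, Notice::POLICY_LOG,
	                                  PacketFilter::LOG, Syslog::LOG);

	for ( id in streams )
		if ( ! Log::disable_stream(id) )
			# Stream not created (yet): the ID is unknown to the
			# logging manager, so nothing was disabled.
			Reporter::warning(fmt("log stream %s not found, nothing disabled", id));
	}
```

If a warning shows up in reporter.log for a stream that should exist, the script defining it is not loaded at all (bare mode) or its creation runs even later than priority 5; lowering the priority further is the fix for the latter, @load'ing the defining script for the former.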