Hello,
I am trying to give Bro the ability to ignore traffic from certain IP ranges
dynamically.
I have a DB with IP addresses (that changes once in a while) and I would
like to write a Bro script that will query the DB once in a while, grab
those IP addresses and drop new connections with these IPs.
Questions:
1. Is it possible to query a DB from Bro scripts? Are there any examples?
2. Assuming yes, should I implement this logic at the 'new_connection'
event? (I would like to drop connections from these IPs as soon as
possible.)
Thank You
Dave
One of my sites is monitoring a link that has all PPPoE traffic on it. The Bro sensor was not logging the traffic due to it being PPPoE. The Bro version was 2.1 stable.
I found this (thank you Seth for writing this):
https://github.com/bro-ids/bro/commit/908b1a17d1b08a8473695316e56eb98f7b005…
and added it to the PktSrc.cc of the Bro 2.1 stable release source. Then I recompiled, and now my sensor seems to be logging the traffic properly.
This is probably not the best way to do things.
My question is: Will PPPoE support be in 2.2?
Will
Has anyone extended bro to retrieve the cookie name/value/attributes ?
I have added the var-extraction-cookies.bro and see names in the bro logs, but would like to capture the value/attributes.
Karl
We received a question privately about the HTTP logs and if there was a setting to stop URL decoding the "uri" field. It turns out there isn't a setting for this, but the base scripts have been designed in a way that makes this very easy to do. Here's the script to do it in case anyone else is interested…
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
    {
    # Keep the URI as it appeared on the wire instead of the %-decoded form
    # that the base HTTP script stored a moment earlier.
    c$http$uri = original_URI;
    }
What it's doing is overwriting the c$http$uri field with the original_URI value instead of the unescaped_URI value which the base script uses. It ends up being overwritten because the http_request handler in the base HTTP scripts runs at a higher priority and is executed first; that way you are assured that your handler with no explicit priority (priority zero) will be executed second.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
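An added example that is not part of Seth's post or the Bro distribution, building on the same handler-ordering point: instead of replacing the decoded URI, it keeps both forms by adding a hypothetical `original_uri` column to `HTTP::Info`. The decoded `uri` that other detection scripts expect stays intact, and http.log also carries the wire form, which is the one to look at when a client %-encodes path elements to slip past string matching. The `&priority=-5` only makes the ordering explicit; the base scripts populate `c$http` at priority 5, so any handler at zero or below already sees it. The field name and the `c?$http` guard are this example's choices, not anything the base scripts define.

```bro
# Added example (not from the Bro project): record both the raw and the
# %-decoded request URI in http.log.
# Assumes the Bro 2.x base HTTP scripts, which create c$http at &priority=5.
@load base/protocols/http

module HTTP;

export {
    # Hypothetical extra log column chosen for this example.
    redef record Info += {
        ## Request URI exactly as seen on the wire, before %-decoding.
        original_uri: string &log &optional;
    };
}

# Negative priority guarantees this runs after the base http_request
# handler has stored unescaped_URI in c$http$uri. We leave that value
# alone and add the raw form next to it.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=-5
    {
    # Defensive check: if no HTTP state exists yet there is nothing to annotate.
    if ( ! c?$http )
        return;

    c$http$original_uri = original_URI;
    }
```

With both columns present, requests whose two forms differ can be pulled out of http.log afterwards (for instance with bro-cut on the `uri` and `original_uri` fields) and reviewed for encoding-based evasion, without changing what the rest of the HTTP scripts see.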
Hi, Hui:
Thank you very much for your information!
>
> On Wed, Sep 19, 2012 at 9:05 AM, Hui Lin (Hugo) <hlin33(a)illinois.edu>
> wrote:
>
>> The answer to your question can be very complex.
>>
>> First, Bro's application layer analyzers can be written in binpac or
>> directly in C++ (in src, the *.pac files are the binpac scripts, so you can
>> tell which analyzers are written in binpac). Most analyzers developed in
>> the early stage are written directly in C++; for those, I am not quite
>> sure how they are enabled. For binpac analyzers, there are three ways of
>> enabling an analyzer, which can be found in
>> http://www.bro-ids.org/development/dpd.html (Determining Analyzer
>> Activation).
>>
>> Even if the binpac analyzer is always enabled, it may not be working if
>> you don't define any event handler related to this analyzer. As a
>> result, you have to check what policies are loaded by default, which can
>> be found in /share/bro/base under Bro's installation directory (not the
>> source code directory).
>>
>>
>> On Thu, Sep 13, 2012 at 5:56 PM, keqhe(a)cs.wisc.edu
>> <keqhe(a)cs.wisc.edu> wrote:
>>
>>> Hello Everyone:
>>>
>>> I set up Bro-2.1 and DataSeries to do trace analysis. I am not sure
>>> whether Bro-2.1 can identify (using the default configuration) application
>>> layer protocols such as DEC_PRC, DNS, Finger, Gnutella, FTP, HTTP, Ident,
>>> IRC, NetbiosSSN, NCP, NFS, NTP, POP3, Portmapper, PRC, RSH, Rlogin, SMB,
>>> SSH, SSL, SMTP, Telnet as specified on the Bro IDS wiki? Or can it only
>>> identify some of the listed protocols?
>>>
>>> Could you please help me?
>>> Thank you!
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro(a)bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> --
>> Hui Lin
>> PhD Candidate, Research Assistant
>> Electrical and Computer Engineering Department
>> University of Illinois at Urbana-Champaign
>
> --
> Keqiang He
> Dept. of Computer Sciences, University of Wisconsin-Madison
> Madison, WI 53706
>
The answer to your question can be very complex.
First, Bro's application layer analyzers can be written in binpac or
directly in C++ (in src, the *.pac files are the binpac scripts, so you can
tell which analyzers are written in binpac). Most analyzers developed in the
early stage are written directly in C++; for those, I am not quite sure how
they are enabled. For binpac analyzers, there are three ways of enabling an
analyzer, which can be found in
http://www.bro-ids.org/development/dpd.html (Determining Analyzer
Activation).
Even if the binpac analyzer is always enabled, it may not be working if you
don't define any event handler related to this analyzer. As a result, you
have to check what policies are loaded by default, which can be found
in /share/bro/base under Bro's installation directory (not the source code
directory).
On Thu, Sep 13, 2012 at 5:56 PM, keqhe(a)cs.wisc.edu <keqhe(a)cs.wisc.edu> wrote:
> Hello Everyone:
>
> I set up Bro-2.1 and DataSeries to do trace analysis. I am not sure
> whether Bro-2.1 can identify (using the default configuration) application
> layer protocols such as DEC_PRC, DNS, Finger, Gnutella, FTP, HTTP, Ident,
> IRC, NetbiosSSN, NCP, NFS, NTP, POP3, Portmapper, PRC, RSH, Rlogin, SMB,
> SSH, SSL, SMTP, Telnet as specified on the Bro IDS wiki? Or can it only
> identify some of the listed protocols?
>
> Could you please help me?
> Thank you!
>
--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign
Hi,
I am trying to extract HTTP payload and Bro throws an error:
achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply
error in ./site, line 1: read failed with "Is a directory"
achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents
error in ./site, line 1: read failed with "Is a directory"
achanda@achanda-OptiPlex-780:~/bro/scripts$
I tried to run bro from the top level installation directory but that
failed since it could not find the scripts. What am I missing?
Thanks
> > Am I misunderstanding something about how Bro is compiling in/using tcmalloc
> > or Bro's configure output?
>
> Since 2.1, you need to explicitly pass --enable-perftools for Bro to
> use tcmalloc. We changed this because non-Linux platforms have less
> reliable tcmalloc support.
>
That did the trick.
Might I ask what "less reliable tcmalloc support" entails? Anything specific or am I just in for random crashes, etc.?
- Keith
All,
I'm taking a stab at using tcmalloc with Bro. I'm running FreeBSD-8.3. I've
got tcmalloc built and installed from gperftools:
$ file /usr/local/lib/libtcmalloc.so.5
/usr/local/lib/libtcmalloc.so.5: ELF 64-bit LSB shared object, x86-64, version
1 (FreeBSD), dynamically linked, not stripped
When I run configure, Bro says it finds GooglePerfTools, but shows "false" for
tcmalloc:
-- Found GooglePerftools: /usr/local/lib/libtcmalloc.so
...
gperftools found: true
tcmalloc: false
debugging: false
When I compile Bro and check to see if tcmalloc is there, ldd doesn't show it
in the shared libraries.
Am I misunderstanding something about how Bro is compiling in/using tcmalloc
or Bro's configure output?
Thanks!
- Keith