zeek September 2012

zeek@lists.zeek.org

16 participants
16 discussions

by Dave Angelo

Hello, I am trying to add BRO the ability to ignore traffic from certain IP ranges dynamically. I have a DB with IP addresses (that chances once in a while) and I would like to write a BRO script that will query the DB once in a while, grab those IP addresses and drop new connections with these IP's. Question: 1. Is it possible to query a DB from BRO scripts? is there any examples? 2. Assuming yes, should i implement this logic at the 'new_connection' event? (I would like to drop connections from these IP's as soon as possible). Thank You Dave

8 years

[Bro] PPPoE support

by Will Havlovick

One of my sites is monitoring a link that has all PPPoE traffic on it. The Bro Sensor was not logging the traffic due to it being PPPoE. The bro version was 2.1 stable. I found this(thank you Seth for writing this) : https://github.com/bro-ids/bro/commit/908b1a17d1b08a8473695316e56eb98f7b005… and added it to the PktSrc.cc of the Bro2.1 Stable release source. Then recompiled and now my sensor seems to be logging the traffic properly. This is probably not the best way to do things. My question is: Will PPPoE support be in 2.2? Will

8 years, 1 month

[Bro] Troubleshooting crashes

by Tritium Cat

Hello all, What's the best way to disable Bro in a systematic way to isolate crashes ? I disabled all the protocols except SSH and a few default scripts that utilize it. After ~12 hours I returned to find many of the worker nodes had crashed. I forgot to look at the diag for the crashed workers before stopping the cluster. Suggestions greatly appreciated. Thanks, -TC local.bro configuration ======================================= bro@bc : [9:20pm] : bro : grep -v "^#" site/local.bro |grep "[a-z]" @load misc/loaded-scripts @load tuning/defaults @load protocols/ssh/software @load protocols/ssh/geo-data @load protocols/ssh/detect-bruteforcing @load protocols/ssh/interesting-hostnames base/init-default.bro configuration ======================================= bro@bc : [9:20pm] : bro : grep -v "^#" base/init-default.bro | grep "[a-z]" @load base/utils/site @load base/utils/addrs @load base/utils/conn-ids @load base/utils/directions-and-hosts @load base/utils/files @load base/utils/numbers @load base/utils/paths @load base/utils/patterns @load base/utils/strings @load base/utils/thresholds @load base/frameworks/notice @load base/frameworks/dpd @load base/frameworks/signatures @load base/frameworks/packet-filter @load base/frameworks/software @load base/frameworks/communication @load base/frameworks/control @load base/frameworks/cluster @load base/frameworks/metrics @load base/frameworks/intel @load base/frameworks/reporter @load base/frameworks/tunnels @load base/protocols/ssh Here's the PF_RING info: ======================================= PF_RING Version : 5.4.6 ($Revision: 5658$) Ring slots : 4096 Slot version : 14 Capture TX : No [RX only] IP Defragment : No Socket Mode : Standard Transparent mode : No (mode 2) Total rings : 10 Total plugins : 0 Here's a top from one of the physical servers running workers; all five servers have a similar profile. PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 15423 bro 20 0 1059m 957m 69m R 95 1.5 2:21.79 bro 15429 bro 20 0 1041m 939m 69m R 80 1.5 1:49.08 bro 15426 bro 20 0 1041m 939m 69m S 72 1.5 1:56.46 bro 15422 bro 20 0 1041m 939m 69m R 70 1.5 1:58.51 bro 15424 bro 20 0 1041m 939m 69m S 70 1.5 1:51.85 bro 15427 bro 20 0 1041m 939m 69m R 64 1.5 1:59.86 bro 15420 bro 20 0 1041m 939m 69m S 62 1.5 1:52.02 bro 15421 bro 20 0 1041m 939m 69m R 60 1.5 1:43.13 bro 15425 bro 20 0 1041m 939m 69m R 58 1.5 1:39.75 bro 15428 bro 20 0 1041m 939m 69m S 56 1.5 1:39.05 bro 15430 bro 25 5 186m 76m 64m S 19 0.1 0:28.42 bro 15437 bro 25 5 186m 76m 64m S 18 0.1 0:28.08 bro 15431 bro 25 5 186m 76m 64m S 14 0.1 0:27.35 bro 15432 bro 25 5 186m 76m 64m S 14 0.1 0:26.63 bro 15433 bro 25 5 186m 76m 64m S 14 0.1 0:26.72 bro 15436 bro 25 5 186m 76m 64m S 14 0.1 0:23.36 bro 15434 bro 25 5 186m 76m 64m S 12 0.1 0:25.94 bro 15438 bro 25 5 186m 76m 64m S 12 0.1 0:22.98 bro 15435 bro 25 5 186m 76m 64m S 10 0.1 0:20.59 bro 15439 bro 25 5 186m 76m 64m S 10 0.1 0:20.54 bro Here's a snapshot from the server running the manager, no problem here... PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 62903 bro 1 28 5 192M 20616K select 4 0:23 0.29% bro 62937 bro 1 28 5 188M 19916K select 0 0:24 0.20% bro Results in logs so far: ======================================= -rw-r--r-- 1 bro bro 1409892 Aug 30 21:27 communication.log -rw-r--r-- 1 bro bro 5611960 Aug 30 21:27 dpd.log -rw-r--r-- 1 bro bro 6844 Aug 30 21:12 loaded_scripts.log -rw-r--r-- 1 bro bro 214670 Aug 30 21:27 notice.log -rw-r--r-- 1 bro bro 1101 Aug 30 21:12 notice_policy.log -rw-r--r-- 1 bro bro 187 Aug 30 21:12 packet_filter.log -rw-r--r-- 1 bro bro 10323 Aug 30 21:15 reporter.log -rw-r--r-- 1 bro bro 115243 Aug 30 21:27 software.log -rw-r--r-- 1 bro bro 3640436 Aug 30 21:27 ssh.log -rw-r--r-- 1 bro bro 0 Aug 30 21:12 stderr.log -rw-r--r-- 1 bro bro 29 Aug 30 21:12 stdout.log -rw-r--r-- 1 bro bro 5575087 Aug 30 21:27 tunnel.log -rw-r--r-- 1 bro bro 52846117 Aug 30 21:27 weird.log + communication.log -- nothing but info on workers + dpd.log -- UDP 53 Teredo payload length messages + notice.log -- SSH messages and errors on workers. 1346362754.085749 - - - - - - PacketFilter::Dropped_Packets 876266 packets dropped after filtering, 876266 received - - - - -worker-3-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1346362752.730723 - - - - - - PacketFilter::Dropped_Packets 387600 packets dropped after filtering, 1248522 received, 860922 on link - -- - - worker-1-3 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1346362755.198122 - - - - - - PacketFilter::Dropped_Packets 958912 packets dropped after filtering, 958912 received - - - - -worker-2-6 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - worker 3-1 is PID 15278 >>> 10.1.1.1 (+) bro 15278 15189 59.4 1.6 1143708 1105120 ? R 14:12:52 00:16:29 bro (+) bro 15279 15188 40.5 1.6 1106704 1067676 ? S 14:12:52 00:11:15 bro Look at PF_RING for this PID: ==================================== user@bro_server:~$ cat /proc/net/pf_ring/15278-eth5.24 Bound Device(s) : eth5 Active : 1 Breed : Non-DNA Sampling Rate : 1 Capture Direction : RX+TX Socket Mode : RX+TX Appl. Name : <unknown> IP Defragment : No BPF Filtering : Enabled # Sw Filt. Rules : 0 # Hw Filt. Rules : 0 Poll Pkt Watermark : 1 Num Poll Calls : 13786320 Channel Id : -1 Cluster Id : 0 Slot Version : 14 [5.4.6] Min Num Slots : 8159 Bucket Len : 8192 Slot Len : 8224 [bucket+header] Tot Memory : 67108864 Tot Packets : 169050905 Tot Pkt Lost : 0 Tot Insert : 169050905 Tot Read : 169050895 Insert Offset : 24725033 Remove Offset : 24713556 TX: Send Ok : 0 TX: Send Errors : 0 Reflect: Fwd Ok : 0 Reflect: Fwd Errors: 0 Num Free Slots : 8150

8 years, 2 months

[Bro] Cookies

by Karl Kamin

Has anyone extended bro to retrieve the cookie name/value/attributes ? I have added the var-extraction-cookies.bro and see names in the bro logs, but would like to capture the value/attributes. Karl

8 years, 2 months

[Bro] URI decoding

by Seth Hall

We received a question privately about the HTTP logs and if there was a setting to stop URL decoding the "uri" field. It turns out there isn't a setting for this, but the base scripts have been designed in a way that makes this very easy to do. Here's the script to do it in case anyone else is interested… event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { c$http$uri = original_URI; } What it's doing is overwriting the c$http$uri field with the original_URI value instead of the unescaped_URI value which the base script uses. It ends up being overwritten because the http_request handler in the base HTTP scripts is handled at a higher priority and is executed first, that way you are assured that your handler with no explicit priority (priority zero) will be executed second. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

8 years, 2 months

Re: [Bro] what application layer protocols could Bro-2.1 identify using its default configuration?

by keqhe＠cs.wisc.edu

HI, Hui: Thank you very much for your information! > > On Wed, Sep 19, 2012 at 9:05 AM, Hui Lin (Hugo) <hlin33(a)illinois.edu> > wrote: > >> The answer to your question can be very complex. >> >> First, Bro's application layer analyzer can be written by binpac or >> directly by c++ (in src, *.pac codes are the binpac scripts, so you can >> know what analyzers are written by binpac). Most analyzer developed in >> the >> early stage is directly written by C++, for those codes, how they are >> enabled, I am not quite sure. For binpac analyzer, there are three ways >> of >> enabling a analyzer, which can be found in >> http://www.bro-ids.org/development/dpd.html (Determining Analyzer >> Activation ). >> >> Even if the binpac analyzer is always enabled, it may not be working if >> you don't define any event handler related to this analyzer. As a >> result, >> you have to check what policies are loaded by default, which can be >> found >> in /share/bro/base under bro's installation directory (not source code >> directory). >> >> >> On Thu, Sep 13, 2012 at 5:56 PM, keqhe(a)cs.wisc.edu >> <keqhe(a)cs.wisc.edu>wrote: >> >>> Hello Everyone: >>> >>> I set up Bro-2.1 and DataSeries to do trace analysis. I am not sure >>> whether Bro-2.1 can identify (using default configuration)application >>> layer protocols such as DEC_PRC, DNS, Finger, Gnutella, FTP, HTTP, >>> Ident, >>> IRC, NetbiosSSN, NCP, NFS, NTP, POP3, Portmapper, PRC, RSH, Rlogin, >>> SMB, >>> SSH, SSL, SMTP, Telnet as specified on Bro IDS' WIKI ? Or it can only >>> identify some of the listed protocols. >>> >>> Could you please help me? >>> Thank you! >>> >>> _______________________________________________ >>> Bro mailing list >>> bro(a)bro-ids.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >>> >> >> >> >> -- >> Hui Lin >> PhD Candidate, Research Assistant >> Electrical and Computer Engineering Department >> University of Illinois at Urbana-Champaign >> >> > > > -- > Keqiang He > Dept. of Computer Sciences, University of Wisconsin-Madison > Madison, WI 53706 >

8 years, 2 months

Re: [Bro] what application layer protocols could Bro-2.1 identify using its default configuration?

by Hui Lin (Hugo)

The answer to your question can be very complex. First, Bro's application layer analyzer can be written by binpac or directly by c++ (in src, *.pac codes are the binpac scripts, so you can know what analyzers are written by binpac). Most analyzer developed in the early stage is directly written by C++, for those codes, how they are enabled, I am not quite sure. For binpac analyzer, there are three ways of enabling a analyzer, which can be found in http://www.bro-ids.org/development/dpd.html (Determining Analyzer Activation ). Even if the binpac analyzer is always enabled, it may not be working if you don't define any event handler related to this analyzer. As a result, you have to check what policies are loaded by default, which can be found in /share/bro/base under bro's installation directory (not source code directory). On Thu, Sep 13, 2012 at 5:56 PM, keqhe(a)cs.wisc.edu <keqhe(a)cs.wisc.edu>wrote: > Hello Everyone: > > I set up Bro-2.1 and DataSeries to do trace analysis. I am not sure > whether Bro-2.1 can identify (using default configuration)application > layer protocols such as DEC_PRC, DNS, Finger, Gnutella, FTP, HTTP, Ident, > IRC, NetbiosSSN, NCP, NFS, NTP, POP3, Portmapper, PRC, RSH, Rlogin, SMB, > SSH, SSL, SMTP, Telnet as specified on Bro IDS' WIKI ? Or it can only > identify some of the listed protocols. > > Could you please help me? > Thank you! > > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Hui Lin PhD Candidate, Research Assistant Electrical and Computer Engineering Department University of Illinois at Urbana-Champaign

8 years, 2 months

[Bro] Trying to extract HTTP payload

by Abhishek Chanda

Hi, I am trying to extract HTTP payload and bro throws an error: achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply error in ./site, line 1: read failed with "Is a directory" achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents error in ./site, line 1: read failed with "Is a directory" achanda@achanda-OptiPlex-780:~/bro/scripts$ I tried to run bro from the top level installation directory but that failed since it could not find the scripts. What am I missing? Thanks

8 years, 2 months

Re: [Bro] compiling bro with tcmalloc

by Keith Lehigh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Am I misunderstanding something about how Bro is compiling in/using tcmall > oc > > or Bro's configure output? > > Since 2.1, you need to explicitly pass --enable-perftools for Bro to > use tcmalloc. We changed this because non-Linux platforms have less > reliable tcmalloc support. > That did the trick. Might I ask what "less reliable tcmalloc support" entails? Anything specific or am I just in for random crashes, etc.? - - Keith -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlBTvoQACgkQW5AQrvjB4mckagCdEqb6nD7FXCono5aQvQ/EsB/c /YAAnjQqLfadje5olpjr5Bqayasc/XBY =luX/ -----END PGP SIGNATURE-----

8 years, 2 months

[Bro] compiling bro with tcmalloc

by Keith Lehigh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, I'm taking a stab at using tcmalloc with Bro. I'm running FreeBSD-8.3. I'v e got tcmalloc built and installed from gperftools : $ file /usr/local/lib/libtcmalloc.so.5 /usr/local/lib/libtcmalloc.so.5: ELF 64-bit LSB shared object, x86-64, version 1 (FreeBSD), dynamically linked, not stripped When I run configure, Bro says it finds GooglePerfTools, but shows "false" fo r tcmalloc : - -- Found GooglePerftools: /usr/local/lib/libtcmalloc.so ... gperftools found: true tcmalloc: false debugging: false When I compile Bro and check to see if tcmalloc is there, ldd doesn't show i t in the shared libraries. Am I misunderstanding something about how Bro is compiling in/using tcmalloc or Bro's configure output? Thanks! - - Keith -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlBTsnUACgkQW5AQrvjB4meTVACfYoZk4Q1Be7V4PGdxfUg51TJW 3kYAniZGwCRnmadFCCLene/oP4VnKalg =3PF/ -----END PGP SIGNATURE-----

8 years, 2 months

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek September 2012