I just learned of a new "instagram for code" site here: http://instacode.linology.info/
The coolest part is that it seems to use pygments for syntax highlighting and therefore supports Bro! Here's a bit of code from the TimeMachine framework that I started working on yesterday:
http://instacode.linology.info/18637
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
Dear Bro Forum and developers,
I'm running a physical server with FreeBSD. Here is my output from command
"uname -a":
FreeBSD bigbro 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4
06:55:39 UTC 2012
I cloned Bro today from the GIT repository: git://git.bro-ids.org/bro.git (twice, same results)
I have the following software installed (from the pkg_info command):
autoconf-2.69 Automatically configure source code on many Un*x platforms
autoconf-wrapper-20101119 Wrapper script for GNU autoconf
automake-1.12.6 GNU Standards-compliant Makefile generator
automake-wrapper-20101119 Wrapper script for GNU automake
bash-4.2.42 The GNU Project's Bourne Again SHell
bison-2.5.1,1 A parser generator from FSF, (mostly) compatible with Yacc
ca_root_nss-3.14.1 The root certificate bundle from the Mozilla Project
cmake-2.8.9 A cross-platform Makefile generator
cmake-modules-2.8.9 Modules and Templates for CMake
curl-7.24.0_1 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
cvsps-2.1_1 Create patchset information from CVS
db41-4.1.25_4 The Berkeley DB package, revision 4.1
expat-2.0.1_2 XML 1.0 parser written in C
flex-2.5.37 Fast lexical analyzer generator
gettext-0.18.1.1 GNU gettext package
git-1.8.1.1 Distributed source code management tool
gmake-3.82_1 GNU version of 'make' utility
help2man-1.40.13 Automatically generating simple manual pages from program o
libbind-6.0_1 Standard C resolver library
libiconv-1.14 A character set conversion library
libpcap-1.3.0 Ubiquitous network traffic capture library
libtool-2.4.2 Generic shared library support script
libzip-0.10.1 C library for reading, creating, and modifying ZIP archives
m4-1.4.16_1,1 GNU m4
makedepend-1.0.3,1 A dependency generator for makefiles
openssl-1.0.1_4 SSL and crypto library
p5-Error-0.17019 Perl module to provide Error/exception support for perl: Er
p5-File-LibMagic-0.96 Nice wrapper for libmagic
p5-IO-Socket-IP-0.18 A drop-in replacement for IO::Socket::INET supporting IPv4
p5-IO-Socket-SSL-1.81 Perl5 interface to SSL sockets
p5-Locale-gettext-1.05_3 Message handling functions
p5-Net-SMTP-SSL-1.01_1 An SMTP client supporting SSL
p5-Net-SSLeay-1.52 Perl5 interface to SSL
p5-Socket-2.007 Networking constants and support functions
pcre-8.32 Perl Compatible Regular Expressions library
perl-5.14.2_2 Practical Extraction and Report Language
pkgconf-0.8.9 Utility to help to configure compiler and linker flags
portupgrade-2.4.10.4,2 FreeBSD ports/packages administration and management tools
python27-2.7.3_6 An interpreted object-oriented programming language
ruby-1.8.7.371,1 An object-oriented interpreted scripting language
ruby18-bdb-0.6.6 Ruby interface to Sleepycat's Berkeley DB revision 2 or lat
swig-2.0.8_1 Generate wrappers for calling C/C++ code from other languag
xproto-7.0.22 X11 protocol headers
When I try to run the ./configure command, I get the following non-explanatory output (at least to me):
[Thu Jan 24 23:10:11 root@bigbro:~/bro/bro ] # ./configure
Build Directory : build
Source Directory: /root/bro/bro
-- The C compiler identification is GNU 4.2.1
-- The CXX compiler identification is GNU 4.2.1
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
CMake Error at CMakeLists.txt:3 (include):
include could not find load file:
cmake/CommonCMakeConfig.cmake
CMake Error at CMakeLists.txt:38 (include):
include could not find load file:
FindRequiredPackage
-- Found sed: /usr/bin/sed
CMake Error at CMakeLists.txt:50 (FindRequiredPackage):
Unknown CMake command "FindRequiredPackage".
-- Configuring incomplete, errors occurred!
Thank you - and sorry for the long email.
Best Regards,
Roger Larsen
/Writing about Bro in my master's thesis/
All,
I'm a student at the University of Amsterdam currently working on a research project on deep packet inspection in high-bandwidth networks (AMS-IX, DE-CIX, LINX).
In order to test my proof of concept I need to create Internet-like traffic. To do this I need to know the traffic dispersion on the protocol level (HTTP, DNS etc.), but transport-layer information (TCP, UDP) would also help me. Furthermore I would like to know the number of packets per second and their size, and the number of events per n packets.
All information will be removed after the research and only published with your approval. Needless to say, cooperation is greatly appreciated and will be mentioned in the paper.
kind regards,
Rawi Ramdan
Student at the University of Amsterdam
System and Network Engineering
Hi,
I have a question about notices in Bro.
We installed a Bro cluster and we made a signature file to detect sources whose generated traffic matches the signature. Then we expect our notice.log file (/bro/logs/current/notice.log) to be filled with all the information about those sources. To do so, we created a bro file (located in /bro/share/bro/site/ourfile.bro) to redefine the notice. Now the only thing it does is print the information in our desired format in the notice.log file.
So far everything goes well, but we need to execute a shell script file whenever the signature matches. So we thought maybe there is a way to execute the script file in the notice redefinition file. I used the function piped_exec. The problem is that when I run the following command,
/usr/local/bro/bin/ ./bro -r pcapFile.pcap broFile.bro
everything goes well with the worker. The script will be run, but on the manager side it does not execute the shell script file.
Do you think I should use a different command for the manager?
I've uploaded the files on github:
https://github.com/falizade/bro_scripts/blob/master/first_v0.bro
Best regards,
Fahimeh Alizadeh
The Bro Project has an opening for a three month summer internship. If
you are a student interested in helping us improve Bro and develop new
functionality, please apply!
http://www.bro-ids.org/intern.html
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
Hi All,
I'm a student at the University of Amsterdam currently working on BRO in combination with SNORT.
I would like BRO to execute a script (create an ACL or static route via ssh). If I'm correct, BRO first needs to notice the data and send it to the manager.
The following should log all data from 192.168.101.1 with TCP on port 0 and print it in a log file (which one?):
<code>
event new_connection(c: connection)
{
if (c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp)
print fmt("New Connection => Source IP: %s, Source Port: %s, Destination IP: %s, Destination Port: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}
</code>
When I run this on a worker it works fine:
bro@ubuntu:~$ /usr/local/bro/bin/bro -r testfile.pcap first.bro
New Connection => Source IP: 192.168.101.1, Source Port: 0/tcp, Destination IP: 192.168.103.1, Destination Port: 0/tcp
The script is located in site and I do a check, install, restart via broctl. But when I send data to this worker I can't see any logs generated. I must be doing a lot of things wrong but I can't figure out what.
And where do I put the script to check the payload of this data and, with that information, execute a shell script via piped_exec(program: string, to_write: string): bool?
I'm sorry for my bad explanation; I'm not a programmer, but I would like to make this proof of concept.
Kind regards,
Rawi Ramdhan
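The notice question above (Fahimeh's notice redefinition calling piped_exec) and this post's new_connection script ask the same thing: how to get a match seen on a worker to the manager and run an external program from there. The following is an added example, not code from either post; it assumes Bro 2.1 or later deployed as a cluster with broctl, and the notice type, handler path and host/port filter are placeholders chosen for illustration.

```bro
# Added example (not from either post). Assumes Bro 2.1+ deployed as a
# cluster with broctl; notice type, handler path and the host/port filter
# are placeholders.
@load base/frameworks/notice

module Watch;

export {
	redef enum Notice::Type += {
		## Raised for a connection matching the filter in new_connection().
		Suspicious_Connection
	};

	## External program run for each such notice (placeholder path).
	const handler = "/usr/local/bro/share/bro/site/handle_notice.sh" &redef;
}

# Workers see the packets. Raise a notice instead of print(): in a cluster
# print() only reaches the worker's stdout, while NOTICE() is forwarded to
# the manager, which applies Notice::policy and writes notice.log.
event new_connection(c: connection)
	{
	if ( c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp )
		NOTICE([$note=Suspicious_Connection,
		        $conn=c,
		        $msg=fmt("connection from %s to %s:%s",
		                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
		        $identifier=cat(c$id$orig_h)]);
	}

# Evaluated where notices are processed: on the manager in a cluster, or in
# the single process when Bro is run with -r on a pcap. piped_exec() blocks
# Bro until the program exits, so the handler must be quick and must not
# wait for more input than is written to its stdin.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Suspicious_Connection )
		return;

	add n$actions[Notice::ACTION_LOG];
	# One notice per source per hour; further matches are suppressed.
	n$suppress_for = 1hr;

	local src = n?$src ? cat(n$src) : "-";
	if ( ! piped_exec(handler, fmt("%s\t%s\n", src, n$msg)) )
		Reporter::warning(fmt("%s failed for %s", handler, src));
	}
```

Because the hook fires on the manager in a cluster, the handler program has to exist and be executable there, not on the workers.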
Hi,
I'm trying to write a script to count how many ICMP Destination
Unreachable messages hosts receive. To do that, I'm thinking of using a
table like the below and incrementing the value for each destination
unreachable message.
global icmp_too_many_destination_unreachable_table: table[addr] of count = {}
    &default=0
    &create_expire=icmp_too_many_destination_unreachable_window
    &synchronized
    &mergeable;
I'm a bit unclear about exactly what &synchronized and &mergeable do
though:
Is increment a single atomic operation or is it implemented as multiple
atomic operations (fetch, locally add one, store, return)? I.e. if two
cluster nodes do ++icmp_too_many_destination_unreachable_table[host] at
the same time for the same host, is the value guaranteed to be
incremented twice? Is it guaranteed that the value returned by the two
increments will be different?
If increment is atomic, is it still atomic when incrementing a default
value? I.e., if a host isn't in the table when two nodes simultaneously
increment its count, is the count always properly set to two? If a host
is in the table and one node deletes it while another node increments
it, is the resulting value always either 0 or 1, or can the value be
old_value + 1? Does it matter if the delete is because of &create_expire
or because of an explicit delete?
Is &mergeable necessary in this case? I couldn't figure out from the
documentation if &mergeable applies to the outer table or to its values
if those values are container types.
I didn't see an exit anywhere in the cron script. Not being familiar with
python syntax, I checked on the web, but it seems one is not required.
The problem is, my crons sit around forever and never exit. I'm pretty
sure this is not normal behavior, but what could be wrong?
# ps -auxwwww | grep "broctl cron"
root 58597 0.0 0.1 48332 10900 ?? Is 9:10PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58621 0.0 0.1 48332 10900 ?? Is 9:15PM 0:00.12
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58633 0.0 0.1 48332 10900 ?? Is 9:20PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58657 0.0 0.1 48332 10900 ?? Is 9:25PM 0:00.15
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58669 0.0 0.1 48332 10900 ?? Is 9:30PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58693 0.0 0.1 48332 10900 ?? Is 9:35PM 0:00.12
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58705 0.0 0.1 48332 10900 ?? Is 9:40PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58729 0.0 0.1 48332 10900 ?? Is 9:45PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58741 0.0 0.1 48332 10900 ?? Is 9:50PM 0:00.12
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58768 0.0 0.1 48332 11052 ?? Is 9:55PM 0:00.12
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 58797 0.0 0.1 48332 11052 ?? Is 10:00PM 0:00.13
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 59888 0.0 0.1 48332 11052 ?? Is 10:05PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 59988 0.0 0.1 48332 11052 ?? Is 10:10PM 0:00.17
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
root 60013 0.0 0.1 48332 11052 ?? Is 10:15PM 0:00.12
/usr/local/bin/python2.7 /usr/local/bin/broctl cron
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
Dear Bro Community,
How is Bro handling so-called "slow port scanning"?
I have not found any documentation regarding this issue in either Bro's web
site or Google search in general.
Thanks!
Best Regards,
Roger Larsen
InfoSec student @ www.hig.no
I obviously missed something during the install, because I'm getting these
errors:
Traceback (most recent call last):
File "/usr/local/bin/trace-summary", line 19, in <module>
import SubnetTree
ImportError: No module named SubnetTree
1.06 real 0.04 user 0.78 sys
I installed ipsumdump. What else should I have done? A configure option?
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell