zeek January 2013

zeek@lists.zeek.org

16 participants
16 discussions

by Seth Hall

I just learned of a new "instagram for code" site here: http://instacode.linology.info/ The coolest part is that it seems to use pygments for syntax highlighting and therefore supports Bro! Here's a bit a code from the TimeMachine framework that I started working on yesterday: http://instacode.linology.info/18637 .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

7 years, 10 months

[Bro] Error in ./configure process in fresh Bro 2.1 GIT with requirements in order ( I think)

by Roger Larsen

Dear Bro Forum and developers, I'm running a physical server with FreeBSD. Here is my output from command "uname -a": FreeBSD bigbro 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec 4 06:55:39 UTC 2012 I cloned Bro today from GIT repository : git://git.bro-ids.org/bro.git <http://git.bro-ids.org/bro.git> (twice, same results) I have the following software installed (from pkg_info command) : autoconf-2.69 Automatically configure source code on many Un*x platforms autoconf-wrapper-20101119 Wrapper script for GNU autoconf automake-1.12.6 GNU Standards-compliant Makefile generator automake-wrapper-20101119 Wrapper script for GNU automake bash-4.2.42 The GNU Project's Bourne Again SHell bison-2.5.1,1 A parser generator from FSF, (mostly) compatible with Yacc ca_root_nss-3.14.1 The root certificate bundle from the Mozilla Project cmake-2.8.9 A cross-platform Makefile generator cmake-modules-2.8.9 Modules and Templates for CMake curl-7.24.0_1 Non-interactive tool to get files from FTP, GOPHER, HTTP(S) cvsps-2.1_1 Create patchset information from CVS db41-4.1.25_4 The Berkeley DB package, revision 4.1 expat-2.0.1_2 XML 1.0 parser written in C flex-2.5.37 Fast lexical analyzer generator gettext-0.18.1.1 GNU gettext package git-1.8.1.1 Distributed source code management tool gmake-3.82_1 GNU version of 'make' utility help2man-1.40.13 Automatically generating simple manual pages from program o libbind-6.0_1 Standard C resolver library libiconv-1.14 A character set conversion library libpcap-1.3.0 Ubiquitous network traffic capture library libtool-2.4.2 Generic shared library support script libzip-0.10.1 C library for reading, creating, and modifying ZIP archives m4-1.4.16_1,1 GNU m4 makedepend-1.0.3,1 A dependency generator for makefiles openssl-1.0.1_4 SSL and crypto library p5-Error-0.17019 Perl module to provide Error/exception support for perl: Er p5-File-LibMagic-0.96 Nice wrapper for libmagic p5-IO-Socket-IP-0.18 A drop-in replacement for IO::Socket::INET supporting IPv4 p5-IO-Socket-SSL-1.81 Perl5 interface to SSL sockets p5-Locale-gettext-1.05_3 Message handling functions p5-Net-SMTP-SSL-1.01_1 An SMTP client supporting SSL p5-Net-SSLeay-1.52 Perl5 interface to SSL p5-Socket-2.007 Networking constants and support functions pcre-8.32 Perl Compatible Regular Expressions library perl-5.14.2_2 Practical Extraction and Report Language pkgconf-0.8.9 Utility to help to configure compiler and linker flags portupgrade-2.4.10.4,2 FreeBSD ports/packages administration and management tool s python27-2.7.3_6 An interpreted object-oriented programming language ruby-1.8.7.371,1 An object-oriented interpreted scripting language ruby18-bdb-0.6.6 Ruby interface to Sleepycat's Berkeley DB revision 2 or lat swig-2.0.8_1 Generate wrappers for calling C/C++ code from other languag xproto-7.0.22 X11 protocol headers When I try to run the ./configure command - I get the following non explaining output (at least for me): [Thu Jan 24 23:10:11 root@bigbro:~/bro/bro ] # ./configure Build Directory : build Source Directory: /root/bro/bro -- The C compiler identification is GNU 4.2.1 -- The CXX compiler identification is GNU 4.2.1 -- Check for working C compiler: /usr/bin/gcc -- Check for working C compiler: /usr/bin/gcc -- works -- Detecting C compiler ABI info -- Detecting C compiler ABI info - done -- Check for working CXX compiler: /usr/bin/c++ -- Check for working CXX compiler: /usr/bin/c++ -- works -- Detecting CXX compiler ABI info -- Detecting CXX compiler ABI info - done CMake Error at CMakeLists.txt:3 (include): include could not find load file: cmake/CommonCMakeConfig.cmake CMake Error at CMakeLists.txt:38 (include): include could not find load file: FindRequiredPackage -- Found sed: /usr/bin/sed CMake Error at CMakeLists.txt:50 (FindRequiredPackage): Unknown CMake command "FindRequiredPackage". -- Configuring incomplete, errors occurred! Thank You - and sorry for the long email J Best Regards, Roger Larsen /Writing about Bro in my master thesis/

7 years, 10 months

[Bro] Traffic type dispersion

by Rawi Ramdhan

All, I'm a student at the university of Amsterdam currently working on a research project on deep packet inspection in high bandwidth networks (AMS-IX, DE-CIX LINX.). In order to test my proof of concept I need to create Internet like traffic. To do this I need to know the traffic dispersion on protocol level (HTTP, DNS etc.) but I am also helped with transport layer information (TCP, UDP). Furthermore I would like to know the amount of packets per second and their size and the amount of events per n packets. All information will be removed after research and only published with your approval. Needles to say that cooperation is greatly appreciated and mentioned in the paper. kind regards, Rawi Ramdan Student at the University of Amsterdam System and Network Engineering

7 years, 10 months

[Bro] piped_exec

by Fahime Alizade

Hi, I have a question about notices in Bro. We installed Bro cluster and we made signature file to detect sources that their generated traffic matches the signature. Then we expect our notice.log file (/bro/logs/current/notice.log) be filled all the information about that sources. To do so, we created a bro file(located in / bro/share/bro/site/ourfile. bro) to redefine the notice. Now the only thing it does is printing the information in our desired format in notice.log file. Till now every thing goes well but we need to execute a shell script file when ever the signature matches. So we thought maybe there is a way to execute the script file in notice redefinition file. I used function piped_exec. The problem is when I run the following command, /usr/local/bro/bin/ ./bro -r pcapFile.pcap broFile.bro every thing goes well with worker. The script will be run but in manager side it does not execute the shell script file. Do you think I should use different command for manager? I've uploaded the files on github: https://github.com/falizade/bro_scripts/blob/master/first_v0.bro Best regards, Fahimeh Alizadeh

7 years, 10 months

[Bro] Summer internship

by Robin Sommer

The Bro Project has an opening for a three month summer internship. If you are a student interested in helping us improve Bro and develop new functionality, please apply! http://www.bro-ids.org/intern.html Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

7 years, 10 months

[Bro] Bro programming question

by Rawi Ramdhan

Hi All, Im a student at the university of Amsterdam currently working on BRO in combination with SNORT. I would like BRO to execute a script (create ACL or static route via ssh). If i'm correct BRO should first needs to notice the data and send it to the manager. The following should log all data from 192.168.101.1 with TCP on port 0. And print it in a log file (which one?) <code> event new_connection(c: connection) { if (c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp) print fmt("New Connection => Source IP: %s, Source Port: %s, Destination IP: %s, Destination Port: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p); } </code> When I run this on a worker it works fine: bro@ubuntu:~$ /usr/local/bro/bin/bro -r testfile.pcap first.bro New Connection => Source IP: 192.168.101.1, Source Port: 0/tcp, Destination IP: 192.168.103.1, Destination Port: 0/tcp The script is located in site and I do a check install restart via the broctl. But when I send data to this worker I cant see any logs generated. I must do a lot of things wrong but I cant figure out what. And where do I put the script to check the payload from this data and with that information execute a shell script via piped_exec(program: string, to_write: string): bool. I'm sorry for my bad explanation I'm not a programmer but I would like to make this prove of concept. Kind regards, Rawi Ramdhan

7 years, 10 months

[Bro] effects of &synchronized and &mergeable

by David Mandelberg

Hi, I'm trying to write a script to count how many ICMP Destination Unreachable messages hosts receive. To do that, I'm thinking of using a table like the below and incrementing the value for each destination unreachable message. global icmp_too_many_destination_unreachable_table: table[addr] of count = {} &default=0 &create_expire=icmp_too_many_destination_unreachable_window &synchronized &mergeable; I'm a bit unclear about exactly what &synchronized and &mergeable do though: Is increment a single atomic operation or is it implemented as multiple atomic operations (fetch, locally add one, store, return)? I.e. if two cluster nodes do ++icmp_too_many_destination_unreachable_table[host] at the same time for the same host, is the value guaranteed to be incremented twice? Is it guaranteed that the value returned by the two increments will be different? If increment is atomic, is it still atomic when incrementing a default value? I.e., if a host isn't in the table when two nodes simultaneously increment its count, is the count always properly set to two? If a host is in the table and one node deletes it while another node increments it, is the resulting value always either 0 or 1, or can the value be old_value + 1? Does it matter if the delete is because of &create_expire or because of an explicit delete? Is &mergeable necessary in this case? I couldn't figure out from the documentation if &mergeable applies to the outer table or to its values if those values are container types.

7 years, 10 months

[Bro] Cron

by Paul Schmehl

I didn't see an exit anywhere in the cron script. Not being familiar with python syntax, I checked on the web, but it seems one is not required. The problem is, my crons sit around forever and never exit. I'm pretty sure this is not normal behavior, but what could be wrong? # ps -auxwwww | grep "broctl cron" root 58597 0.0 0.1 48332 10900 ?? Is 9:10PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58621 0.0 0.1 48332 10900 ?? Is 9:15PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58633 0.0 0.1 48332 10900 ?? Is 9:20PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58657 0.0 0.1 48332 10900 ?? Is 9:25PM 0:00.15 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58669 0.0 0.1 48332 10900 ?? Is 9:30PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58693 0.0 0.1 48332 10900 ?? Is 9:35PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58705 0.0 0.1 48332 10900 ?? Is 9:40PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58729 0.0 0.1 48332 10900 ?? Is 9:45PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58741 0.0 0.1 48332 10900 ?? Is 9:50PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58768 0.0 0.1 48332 11052 ?? Is 9:55PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 58797 0.0 0.1 48332 11052 ?? Is 10:00PM 0:00.13 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 59888 0.0 0.1 48332 11052 ?? Is 10:05PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 59988 0.0 0.1 48332 11052 ?? Is 10:10PM 0:00.17 /usr/local/bin/python2.7 /usr/local/bin/broctl cron root 60013 0.0 0.1 48332 11052 ?? Is 10:15PM 0:00.12 /usr/local/bin/python2.7 /usr/local/bin/broctl cron -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell

7 years, 10 months

[Bro] Slow Port Scanning and Bro?

by Roger Larsen

Dear Bro Community, How is Bro handling so-called <slow port scanning> ? I have not found any documentation regarding this issue in either Bro's web site or Google search in general. Thanks! Best Regards, Roger Larsen InfoSec student @ www.hig.no

7 years, 10 months

[Bro] Errors from trace-summary

by Paul Schmehl

I obviously missed something during the install, because I'm getting these errors: Traceback (most recent call last): File "/usr/local/bin/trace-summary", line 19, in <module> import SubnetTree ImportError: No module named SubnetTree 1.06 real 0.04 user 0.78 sys I installed ipsumdump. What else should I have done? A configure option? -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell

7 years, 10 months

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2013