I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
Bro,
I made a patch for the Ascii log writer to write the logs in JSON format.
This was thanks to the existing code from the ElasticSearch writer and
copy/paste skill.
But when I try to enable the writer at runtime there are errors. Why ?
See patch. ( cd bro-2.2; patch -p1 < bro--write_json.patch )
Thanks,
--TC
event bro_init()
{
LogAscii::write_json=T;
}
results in
# bin/broctl check
manager failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
proxy-1 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-1 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-2 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
I'm trying to write a bro script that pulls out authoritative nameservers
and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS
reply, since the dns_edns_additional structure seems like it has the
information I'm looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn…
Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:
# scripts/base/protocols/dns/main.bro
318 # TODO: figure out how to handle these
324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my
own solution?
-Chris
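One way to roll your own solution for the question above, as an added example that is not part of the original thread and not Bro code: a small Python parser that walks a DNS reply's authority and additional sections (with RFC 1035 name compression) and returns the NS and A records found there. The reply bytes are constructed inline for the demonstration.

```python
import socket
import struct
def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:                             # remember where the first pointer ended
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)
def parse_rr(msg, off):
    """Parse one resource record; return ((owner, type, value), offset after it)."""
    owner, off = read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 2:                                     # NS: rdata is a (compressible) name
        value = read_name(msg, off)[0]
    elif rtype == 1:                                   # A: 4-byte IPv4 address
        value = socket.inet_ntoa(msg[off:off + 4])
    else:                                              # anything else: raw rdata as hex
        value = msg[off:off + rdlen].hex()
    return (owner, rtype, value), off + rdlen
def parse_reply(msg):
    """Split a DNS reply into answer/authority/additional lists of (owner, type, value)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = read_name(msg, off)[1] + 4               # name + QTYPE + QCLASS
    out = {"answer": [], "authority": [], "additional": []}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            out[key].append(rr)
    return out

# Constructed reply (not captured traffic): question example.com/A, no answer, NS
# ns1.example.com in authority, ns1.example.com A 192.0.2.1 in additional.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 1)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
          + b"\xc0\x29" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

parse_reply(SAMPLE)["authority"] yields the NS record and ["additional"] the glue A record; feed it the UDP payload of a real reply to get the same split.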
Hello,
I'm using broccoli to receive bro (2.2-5) events and am having some problems. Consider the following.
The broccoli client is listening to 2 events.
bro_event_registry_add(m_bc, "file_new", (BroEventFunc)&Broccoli::newFile, this);
bro_event_registry_add(m_bc, "test_event", (BroEventFunc)&Broccoli::newFile, this);
The following bro script is used.
...
global test_event: event(f: fa_file);
event file_new(f: fa_file)
{
event test_event(f);
}
The file_new event is correctly received by my broccoli client; however, the test_event is not received. If I change the content of the test_event to something else it works.
...
global test_event: event(f: string);
event file_new(f: fa_file)
{
event test_event(f$mime_type);
}
So, is this expected and in that case why and what is the proposed way of solving the issue?
(Also noticed that the file_state_removed(f: fa_file) event is not received by the broccoli client.)
Thank you
/Björn
Björn Samvik
Software Developer
[NetClean]
NetClean Technologies Sweden AB
Första Långgatan 30 – SE-413 27 Göteborg – Sweden
Phone: +46 31 719 08 00 – Fax: +46 31 13 89 50
Direct: +46 31 719 08 22 – Mobile: +46 709 36 83 03
Bjorn.Samvik(a)netclean.com
www.netclean.com
Hi.
I'm trying to integrate some DPI capabilities with iptables.
I've tried nDPI but it doesn't recognize the protocols most of the time.
I think that Bro could do that, but I found too few scripts to identify
applications like skype or tor.
Am I on the right direction?
Could someone point me to some repository with more scripts or, if you
think that Bro isn't the right tool to do that, give me some advice on
other tools?
Thanks
Edson Dino Salvati
Hi,
I regularly get this message from /opt/bro/bin/broctl cron
Any idea what might cause locks not to be removed? It is happening about half a dozen times a day.
Russell
I've seen there is a way to send logs to bro with barnyard. Is there a way to have bro send the notice.log or any log for that matter to barnyard2 then have barnyard2 send them to a remote database server running something like snorby? Thanks as always.
I followed the examples step by step and I cannot get bro to like the text file or dat file from the documentation. I get errors in the reporter.log about not being able to find the requested field indicator.
The other error is "headers are incorrect". Any help would be appreciated. Thanks!
Try this:
cat conn.log | awk 'BEGIN{other=0;tcp=0;udp=0;icmp=0}
  /^#/ {next}   # skip the #fields/#types/#close header and footer lines
  {if($7 == "tcp") tcp=tcp+1}
  {if($7 == "udp") udp=udp+1}
  {if($7 == "icmp") icmp=icmp+1}
  {if($7 != "tcp" && $7 != "udp" && $7 != "icmp") other=other+1}
  END{print "TCP: " tcp, "\nUDP: " udp, "\nICMP: " icmp, "\nOther: " other}' | column -t
It will give you an overview of tcp/udp/icmp and 'other' connections.
What does it output for you? 99.9% of my traffic is one of these first 3.
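The same tcp/udp/icmp/other breakdown, as an added Python example that is not part of the original thread: it locates the proto column from the log's own #fields header rather than assuming it is column 7, and skips every #-prefixed header and footer line. The conn.log excerpt is constructed for the demonstration (made-up uids).

```python
from collections import Counter

def count_protocols(lines):
    """Count conn.log rows by transport protocol, locating the proto column via #fields."""
    counts = Counter()
    proto_idx = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):                 # header names the columns
            proto_idx = line.split("\t")[1:].index("proto")
            continue
        if not line or line.startswith("#"):           # other header/footer lines
            continue
        if proto_idx is None:
            raise ValueError("data row seen before the #fields header")
        proto = line.split("\t")[proto_idx]
        counts[proto if proto in ("tcp", "udp", "icmp") else "other"] += 1
    return counts

def summary(counts):
    """Render the same four lines the awk one-liner prints."""
    rows = (("TCP", "tcp"), ("UDP", "udp"), ("ICMP", "icmp"), ("Other", "other"))
    return "\n".join(f"{label}: {counts.get(key, 0)}" for label, key in rows)

# Constructed conn.log excerpt (not real traffic); uids and addresses are made up.
SAMPLE_LOG = [
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1369831200.0\tUID1\t192.0.2.10\t51234\t198.51.100.5\t80\ttcp\thttp",
    "1369831201.0\tUID2\t192.0.2.10\t51235\t198.51.100.5\t443\ttcp\tssl",
    "1369831202.0\tUID3\t192.0.2.11\t5353\t198.51.100.53\t53\tudp\tdns",
    "1369831203.0\tUID4\t192.0.2.11\t8\t198.51.100.5\t0\ticmp\t-",
    "1369831204.0\tUID5\t192.0.2.12\t0\t198.51.100.7\t0\tunknown_transport\t-",
    "#close\t2013-05-29-12-00-00",
]

if __name__ == "__main__":
    print(summary(count_protocols(SAMPLE_LOG)))
```

For a real file, pass the open file object: summary(count_protocols(open("conn.log"))).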