Hi all:
I'm in the process of processing our syslogs for apache logs (which
will allow us visibility into ssl sessions into our webservers), and
am at the point where I am able to import the data into bro using the
input framework. There's enough data to fill in most of a connection
record, and to fake other stuff. What would be really cool would be
to create a connection record, and have it go through the normal
processing, feed the http data in for processing via the standard http
processes, and close down the connection. This would allow for
standard logging, and standard IDS processes to act upon this info.
Does anyone have suggestions on how to proceed with this?
Thanks in advance,
Jim Mellander
NERSC Cybersecurity
510-486-7204
Hi all,
Recently I installed Bro 2.1 on a FreeBSD 9.1 amd64 host (compiled
from source). All works as expected except for the "broctl cron" job ... I have
configured this job to run every 5 min (as Bro's documentation says), but
every time it runs it locks all Bro processes:
41561 ?? I 0:00.01 bash /opt/bro/share/broctl/scripts/run-bro -i
em4 -U .status -p broctl -p broctl-live -p standalone -p local -p bro
local.bro broctl broctl/standalone broctl/auto
41572 ?? R 215:33.48 /opt/bro/bin/bro -i em4 -U .status -p broctl -p
broctl-live -p standalone -p local -p bro local.bro broctl
broctl/standalone broctl/auto
41590 ?? SN 0:48.43 /opt/bro/bin/bro -i em4 -U .status -p broctl -p
broctl-live -p standalone -p local -p bro local.bro broctl
broctl/standalone broctl/auto
41695 ?? I 0:00.00 cron: running job (cron)
41699 ?? Is 0:00.22 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41731 ?? Is 0:00.01 sh
41745 ?? I 0:00.00 cron: running job (cron)
41748 ?? Is 0:00.17 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41774 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
41775 ?? Is 0:00.01 sh
41777 ?? I 0:00.00 cron: running job (cron)
41780 ?? Is 0:00.20 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41813 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
41814 ?? Is 0:00.01 sh
41828 ?? I 0:00.00 cron: running job (cron)
41831 ?? Is 0:00.19 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41857 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
41858 ?? Is 0:00.01 sh
41862 ?? I 0:00.00 cron: running job (cron)
41866 ?? Is 0:00.19 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41898 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
41899 ?? Is 0:00.01 sh
41901 ?? I 0:00.00 cron: running job (cron)
41905 ?? Is 0:00.19 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
41942 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
41943 ?? Is 0:00.01 sh
42935 ?? I 0:00.00 cron: running job (cron)
42939 ?? Is 0:00.15 /usr/local/bin/python /usr/local/bin/broctl cron
(python2.7)
43003 ?? Is 0:00.01 /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t
43004 ?? Is 0:00.01 sh
If I try to run any broctl command:
Welcome to BroControl 1.1
Type "help" for help.
[BroControl] > status
waiting for lock ..................................cannot get lock
How can I debug this?? Is it safe to run "kill -9" on these processes??
And how can I unlock it using a broctl command??
Thanks.
Hi, I want to know of a communication interface which I can use to receive
triggered messages from Bro: Bro has detected malicious traffic and it
sends me the information via XML-RPC or some other means, and then I take the action
of blocking the traffic.
Please help,
Shabbir.
Hi Tracy,
Here's what my whitelisting looks like in Bro 2.1:
> # In my local.bro:
>
> const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4, # Google example
>                                            1.2.3.4           # Another example
>                                          };
>
> redef Notice::policy += {
>     [$action = Notice::ACTION_EMAIL,
>      $pred(n: Notice::Info) = { return n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist); }]
> };
It's a bit clunky, but it works. The n?$src clause tests whether the src field exists. The Bro Workshop has some great resources for learning about notice handling [1].
Just as a preview, this got cleaned up a bit for the upcoming Bro 2.2:
> const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4 };
>
> hook Notice::policy(n: Notice::Info) &priority=10
>     {
>     if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
>         {
>         add n$actions[Notice::ACTION_EMAIL];
>         }
>     }
The new notation might not look like a big benefit in this short example, but it comes in handy as your notice handling becomes more complex.
Hope this helps,
--Vlad
[1] - Exercise 3 at: <http://bro.org/bro-workshop-2011/index.html>.
On Apr 29, 2013, at 6:33 AM, Tracy Reed <treed(a)ultraviolet.org> wrote:
> Hello all,
>
> I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
> level of detail into what is happening on the network is just amazing! I'm
> beginning to wonder how I ever did without it for so long.
>
> I have an ssh that happens every 5 minutes which causes a lot of noise.
>
> I've gone through all of the docs on bro.org and done some googling but can't
> seem to figure out how to whitelist certain connections so they will not
> constantly appear in the bro alarm summaries. I did find this, which contains
> an example for watching ssh to particular hosts which seems related to what I
> am trying to do:
>
> http://www.bro.org/sphinx/quickstart.html#deployment-customization
>
> But what I want is somewhat the opposite: I want to ignore/whitelist
> connections to certain hosts, preferably from certain IP addresses.
>
> Can anyone suggest how this would be done?
>
> And while I'm writing (and related to another example in the above URL) I get
> alarms about SSL certs. I would like to add our in-house CA to the list of
> accepted certs. How can I do this?
>
> Thanks for a great tool!
>
> --
> Tracy Reed
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Hey Brian,
As Shane mentioned, bro-cut is one way to make better sense of your logs. There's some additional information about working with your logs available from the Bro Workshop, at: <http://www.bro.org/bro-workshop-2011/> (Exercise 2). If you're new to Bro, I'd definitely recommend checking out the Bro Workshop exercises. There are videos and a lot of hands-on questions and solutions for many day-to-day tasks with Bro.
Another way of converting timestamps is simply with the date command (I often resort to this when I just need a single timestamp):
> $ date -d @1367064229.605422
> Sat Apr 27 08:03:49 EDT 2013
Hope this helps,
--Vlad
On Apr 30, 2013, at 4:37 PM, "Castle, Shane" <scastle(a)bouldercounty.org> wrote:
> The Bro documentation area is strangely lacking in some respects. The command you are looking for is bro-cut, a powerful little script that can display a human-readable timestamp and also display only the fields of the log files that you are interested in, and rearrange them if you want. The main thing to remember is that it's a classic stdin->stdout command and does not operate on the filename:
> "bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p <conn.log" for example.
>
> Or, after the archiving has been done:
>
> ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn | bro-cut -d );done | fgrep 192.168.131.135 | less
>
> This would be if, for instance, your system's clock was running in UTC (which mine is).
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: bro-bounces(a)bro.org [mailto:bro-bounces@bro.org] On Behalf Of Allen, Brian
> Sent: Tuesday, April 30, 2013 14:02
> To: bro(a)bro.org
> Subject: [Bro] quick question
>
> Hi, I installed Bro here and I can already tell it is extremely useful. I'm just learning how to use it so I have lots of questions. Here are a couple quick ones:
>
> When parsing through the bro log files, how do I turn the timestamp column into something human readable? Where would I go to find this answer on my own? Is there a newbie guide to bro I should be reading? I don't see how to search this mailing list's archives.
>
> Thanks,
> -Brian
>
> Brian Allen
> Network Security Analyst
> Washington University
>
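As an added example (not code from this thread, nor from the Bro project), the Python below reads a constructed Bro 2.x notice.log excerpt in the ASCII log format that bro-cut consumes, does the column selection and `-d` style timestamp conversion that Shane and Vlad describe, and replays the Scan::Port_Scan whitelist predicate from Vlad's earlier reply to Tracy as an offline filter over exported notices. The log lines, UIDs and whitelist networks are constructed; this is a post-processing analogue of the predicate, not Bro's own Notice::policy mechanism, and it generalises the whitelist from single addresses to subnets.

```python
"""Offline replay of two things from this thread over a Bro 2.x ASCII log:
bro-cut style field selection with readable timestamps, and the
Scan::Port_Scan whitelist predicate.  All sample data below is constructed."""

import ipaddress
from datetime import datetime, timezone

# Constructed notice.log excerpt in the Bro 2.x ASCII format: '#' header
# lines, tab-separated columns, '-' marks an unset field.  UIDs are made up.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#fields\tts\tuid\tnote\tmsg\tsrc\tdst\tp",
    "#types\ttime\tstring\tenum\tstring\taddr\taddr\tport",
    "1367064229.605422\tCXWv6p3arKYeMETxOg\tScan::Port_Scan\t8.8.8.8 scanned 20 ports\t8.8.8.8\t10.0.0.5\t-",
    "1367064231.000000\tC4J4Th3PJpwUYZZ6gc\tScan::Port_Scan\t203.0.113.9 scanned 15 ports\t203.0.113.9\t10.0.0.5\t-",
    "1367064235.250000\tCmES5u32sYpV7JYN\tSSH::Password_Guessing\t198.51.100.7 is guessing\t198.51.100.7\t10.0.0.22\t22/tcp",
    "1367064240.000000\tCjhGID4nQcgTWjvg4c\tScan::Port_Scan\tsummary without src\t-\t10.0.0.5\t-",
])

# Whitelist in the spirit of Vlad's post, generalised to subnets (hypothetical values).
WHITELIST = [ipaddress.ip_network(n) for n in ("8.8.8.8/32", "8.8.4.4/32", "192.0.2.0/24")]


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields header names.
    Unset fields become None, mirroring Bro's #unset_field marker."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        values = line.split("\t")
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def human_ts(ts, tz=timezone.utc):
    """Render a Bro epoch timestamp the way 'bro-cut -d' does (ISO 8601 with
    offset).  bro-cut follows $TZ; this defaults to UTC and accepts a tzinfo."""
    return datetime.fromtimestamp(float(ts), tz).strftime("%Y-%m-%dT%H:%M:%S%z")


def cut(text, columns, readable_ts=True):
    """bro-cut analogue: select and reorder columns, converting 'ts' if asked."""
    rows = []
    for rec in parse_bro_log(text):
        row = []
        for col in columns:
            val = rec.get(col)
            if col == "ts" and readable_ts and val is not None:
                val = human_ts(val)
            row.append(val)
        rows.append(row)
    return rows


def should_email(rec, whitelist=WHITELIST):
    """The predicate from the thread: note is Scan::Port_Scan, src is set
    (Bro's n?$src test), and src is not whitelisted."""
    if rec.get("note") != "Scan::Port_Scan":
        return False
    if rec.get("src") is None:   # n?$src would be false: no source to judge
        return False
    src = ipaddress.ip_address(rec["src"])
    return not any(src in net for net in whitelist)


def emailable(text, whitelist=WHITELIST):
    """Records from a notice.log that the thread's policy would e-mail."""
    return [rec for rec in parse_bro_log(text) if should_email(rec, whitelist)]


if __name__ == "__main__":
    for row in cut(SAMPLE_NOTICE_LOG, ["ts", "note", "src", "dst"]):
        print("\t".join("-" if v is None else v for v in row))
    print("would e-mail:", [r["src"] for r in emailable(SAMPLE_NOTICE_LOG)])
```

For a real log, pass `open("notice.log").read()` in place of the sample string; the first record's timestamp comes out as 2013-04-27T12:03:49+0000, the same instant Vlad's `date -d` prints in EDT.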
Hello all,
I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
level of detail into what is happening on the network is just amazing! I'm
beginning to wonder how I ever did without it for so long.
I have an ssh that happens every 5 minutes which causes a lot of noise.
I've gone through all of the docs on bro.org and done some googling but can't
seem to figure out how to whitelist certain connections so they will not
constantly appear in the bro alarm summaries. I did find this, which contains
an example for watching ssh to particular hosts which seems related to what I
am trying to do:
http://www.bro.org/sphinx/quickstart.html#deployment-customization
But what I want is somewhat the opposite: I want to ignore/whitelist
connections to certain hosts, preferably from certain IP addresses.
Can anyone suggest how this would be done?
And while I'm writing (and related to another example in the above URL) I get
alarms about SSL certs. I would like to add our in-house CA to the list of
accepted certs. How can I do this?
Thanks for a great tool!
--
Tracy Reed
How does the workaround I found in
http://tracker.bro.org/bro/ticket/980#comment:1 interact with
&synchronized? In the below case, can the last line undo the line before
it?
node-1> foo[0]$x += 42;
node-2> foo[0]$x += 42;
node-1> foo[0] = foo[0];
Alternatively, is there a better workaround or will that bug be fixed
soon?
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
Hi.
How's Bro's real-world performance? You know, 10Gbit links and up. How
many workers do I need for every 1Gbit of traffic (sure, it depends heavily on
the rules)?
Or just how much traffic can I expect a single worker to handle? How
about the memory?
That's what I have here:
Intel(R) Xeon(R) CPU E5-2620 @ 2.00GHz x 2 so it gives 24 threads with
HT enabled.
Also, I have 64GB of RAM in each NSM sensor. Expected traffic? A few
Gbit/sec, depending on the sensor location.
Do you have some real-world examples, such as "we have a server with <CPU>
and <mem> and it handles N Gbit/sec of traffic on average/peak"?
I know that's a lot of questions, but I'm trying to establish a baseline and
do some capacity planning here :) And there's nothing on Google, apart
from some (I guess old) statement that a single Bro process can handle
up to 80Mbit/sec.