I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
I'm trying to write a bro script that pulls out authoritative nameservers
and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS
reply, since the dns_edns_additional structure seems like it has the
information I'm looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn…
Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:
# scripts/base/protocols/dns/main.bro
# TODO: figure out how to handle these
#event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my
own solution?
-Chris
I was trying out BRO and was using a span port from the inside interface of our firewall. I was wondering about if there is any feature in BRO that you can use to understand all the redirection that happens because of our new Cisco WSA. BRO is going bonkers with all the half-open sessions, etc. that the WCCP redirects from the firewall to the WSA cause. I am thinking that I will have to better engineer where I am looking at traffic, but I thought I would ask first. Thanks for any insight you can provide.
Chris Bennett, CISSP, GSNA
Dir. of Information Security and Infrastructure Support
Lansing Community College
517-483-5264
On Jul 29, 2013, at 1:23 PM, Bob Probert <bruisebrotherprobert(a)gmail.com> wrote:
> Seth,
>
> I read on the security-onion list that Bro's Elastic Search writer doesn't write the correct metadata indexes for use with Kibana. Can you elaborate?
>
> https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0
Previous versions of Kibana were designed to only work with Logstash data, which introduces certain assumptions about the way the data is stored. At one point, I had a fork of Kibana that worked with Bro, because it allowed extra configuration. I haven't updated it with the release of Kibana3, and don't intend to. Kibana3 might be flexible enough to support Bro's data, but I haven't checked yet.
If you are interested in using Kibana, I would advise you to be *very* careful about the risks introduced by allowing a user's browser to directly query ElasticSearch. ElasticSearch has no security protections, and all it takes is a curl -XDELETE es.local:9200 to delete all your log data. Kibana does come with a sample nginx config, so I would definitely look at that at least.
> Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this?
>
> http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro
Bro queues undelivered log messages in memory. If Bro is logging faster than ElasticSearch can accept logs, more and more memory is used. There's no memory leak - if your ElasticSearch server can't keep up, the logs simply have nowhere to go, and instead of being dropped, they just queue up on the manager.
--Vlad
> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])
Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses error.
Is it safe to assume accounts didn't get ported over to the new Tracker?
Tyler
On Jul 27, 2013, at 7:00 PM, Tyler T. Schoenke <tyler.schoenke(a)colorado.edu> wrote:
>> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])
>
> Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses error.
The way vulnerable software is specified has changed to allow for more flexibility. Here's what my local.bro has, for example:
> global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=44]];
> global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]];
>
> redef Software::vulnerable_versions += {
> ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
> };
This defines any Java <= 1.6.0.44 and any Java >= 1.7 and <= 1.7.0.20 as vulnerable.
From CHANGES:
> 2.1-366 | 2013-03-17 12:35:59 -0700
>
> * Improvements to vulnerable software detection. (Seth Hall)
>
> - Add a DNS based updating method. This needs to be tested
> still.
>
> - Vulnerable version ranges are used now instead of only single
> versions. This can deal with software with multiple stable
> major versions.
>
> * Update software version parsing and comparison to account for a
> third numeric subversion. Also, $addl is now compared numerically
> if the value is actually numeric. (Seth Hall)
> Is it safe to assume accounts didn't get ported over to the new Tracker?
See: <http://blog.bro.org/2013/07/bug-tracker-migration.html>, specifically:
> The most significant thing users should note is that as part of the import in to JIRA, accounts have been created with the same usernames as were in Trac, however password resets need to be requested before they can be used to log in. This can be done by selecting the "Unable to access your account?" link from the log in screen to request password reset instructions via email.
Hope this helps,
--Vlad
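As an added illustration of the range semantics described above (example code written for this page, not Bro's own Software framework implementation), here is a small Python model of Software::VulnerableVersionRange matching. It assumes: inclusive $min/$max bounds; components a bound leaves unspecified act as wildcards (so $min=[$major=1,$minor=7] matches any 1.7.x); $addl is compared numerically when both sides are numeric, as the CHANGES entry says; and a version-string format of up to four dotted numbers followed by an optional addl suffix such as "_21". The "Foo" entry is hypothetical and exists only to exercise the $addl comparison.

```python
# Added example for this page: a Python model of Software::VulnerableVersionRange
# matching. Not Bro's implementation; the wildcard and addl semantics are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Version:
    """Mirrors Bro's software version record: major.minor.minor2.minor3 plus addl."""
    major: int
    minor: Optional[int] = None
    minor2: Optional[int] = None
    minor3: Optional[int] = None
    addl: Optional[str] = None


_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(.*)")


def parse_version(s: str) -> Version:
    """Parse 'A.B.C.D' with an optional trailing addl such as '_21' (assumed format)."""
    m = _VERSION_RE.fullmatch(s.strip())
    if m is None:
        raise ValueError("unparseable version: %r" % s)
    nums = [int(g) if g is not None else None for g in m.groups()[:4]]
    addl = m.group(5).lstrip("_-") or None
    return Version(nums[0], nums[1], nums[2], nums[3], addl)


_FIELDS = ("major", "minor", "minor2", "minor3", "addl")


def cmp_versions(v: Version, bound: Version) -> int:
    """Compare v with a range bound; returns -1, 0 or 1.

    Only the components the bound specifies are compared (assumption: an
    unspecified bound component is a wildcard). A component missing from v
    counts as 0 (or "" for addl). addl is compared numerically when both
    sides are digit strings, otherwise as plain strings.
    """
    for field in _FIELDS:
        b = getattr(bound, field)
        if b is None:
            return 0
        a = getattr(v, field)
        if field == "addl":
            a = a or ""
            if a.isdigit() and b.isdigit():
                a, b = int(a), int(b)
        elif a is None:
            a = 0
        if a < b:
            return -1
        if a > b:
            return 1
    return 0


@dataclass(frozen=True)
class VulnerableVersionRange:
    """Inclusive [min, max]; None on either side means unbounded."""
    min: Optional[Version] = None
    max: Optional[Version] = None

    def contains(self, v: Version) -> bool:
        if self.min is not None and cmp_versions(v, self.min) < 0:
            return False
        if self.max is not None and cmp_versions(v, self.max) > 0:
            return False
        return True


# The Java ranges from the local.bro above, plus a hypothetical "Foo" entry
# that exists only to exercise numeric comparison of addl.
vulnerable_versions: Dict[str, List[VulnerableVersionRange]] = {
    "Java": [
        VulnerableVersionRange(max=Version(1, 6, 0, 44)),
        VulnerableVersionRange(min=Version(1, 7), max=Version(1, 7, 0, 20)),
    ],
    "Foo": [VulnerableVersionRange(max=Version(2, 0, 0, 0, "10"))],
}


def is_vulnerable(name: str, version_str: str) -> bool:
    """True if the observed version falls inside any vulnerable range for name."""
    v = parse_version(version_str)
    return any(r.contains(v) for r in vulnerable_versions.get(name, []))


if __name__ == "__main__":
    for name, ver in [("Java", "1.6.0.44"), ("Java", "1.6.0.45"), ("Java", "1.7.0.20"),
                      ("Java", "1.7.0.21"), ("Foo", "2.0.0.0_9"), ("Foo", "2.0.0.0_11")]:
        print(name, ver, "vulnerable" if is_vulnerable(name, ver) else "ok")
```

The wildcard rule is what makes a two-component lower bound like $min=[$major=1,$minor=7] usable without spelling out 1.7.0.0; the numeric addl rule is what keeps "_9" from sorting above "_10" the way a plain string compare would.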
Hey Bro,
I'm wondering if any examples or walk-throughs exist for extending
Bro's set of built-in functions. Perhaps some dummy C++ code that I
could play around with that outlines some basics, similar to what
example.bro (http://bro.org/sphinx/_downloads/example.bro) does for
script land. Does anyone have any suggestions or starting points?
Thanks all,
-AK
Hi,
I am trying to parse BER with binpac, but I have some difficulties, and I
wonder if there is a clean way to implement the protocol.
-First, is it possible to use recursive code in binpac?
type A = record {
	field1 : uint8;
	field2 : case field1 of {
		[...]
		0x10 -> value : B;
		[...]
	};
};

type B = record {
	[...]
	field1 : A;
};
This kind of dependency gives me "error 139" at compilation time.
(Sorry for writing code in an email.)
-Secondly, I need to do some computations on the current byte to know
how to parse the next ones.
I can sum up the problem, for instance, with the length field. According to
the X.690 specification (https://www.itu.int/rec/T-REC-X.690-200811-I),
the algorithm is:
-If the leading bit of the first byte is 0, then that byte is the packet length.
  ex : 0x20 0x02 0x01 0x..
       ^    |-- -- -- -- ... | other fields
       |
       | length
-Else, the other 7 bits of the first byte give the number of bytes to
parse in order to retrieve the packet length.
  ex : 0x84 0x00 0x00 0x00 0x41 0x..
       ^    ^                   |-- ... | other fields
       |-- -- -- -- -- -- -- --|
                length
In my binpac I have tried something with &let and &if, but it was not
working. Is there a way to do it in full binpac code? (otherwise I will
write it in C++).
Thanks for your help !
Nicolas
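As an added, stand-alone illustration of the two problems in the message above (Python written for this page, not binpac or Bro code): a small BER TLV decoder that implements the X.690 length rule just described, short form and long form, and recurses into constructed elements, which is the same A -> B -> A shape that made binpac crash. It checks the declared length against the bytes actually present, refuses the indefinite-length form (0x80) and absurdly wide length fields, and rejects trailing bytes. The sample byte strings are constructed for this example.

```python
# Added example for this page: a small BER (X.690 section 8.1) TLV decoder in
# Python showing the length rule Nicolas describes and recursion into constructed
# elements. Not binpac or Bro code; sample bytes below are constructed by hand.
from typing import List, Tuple, Union

Node = Tuple[int, bool, Union[bytes, List["Node"]]]  # (tag number, constructed?, value)


def read_tag(buf: bytes, pos: int) -> Tuple[int, bool, int]:
    """Decode the identifier octet(s) at buf[pos]; returns (tag_number, constructed, new_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: missing identifier octet")
    first = buf[pos]
    pos += 1
    constructed = bool(first & 0x20)  # bit 6 set -> constructed (contains nested TLVs)
    tag = first & 0x1F
    if tag == 0x1F:  # high-tag-number form: base-128 digits, 0x80 = more follows
        tag = 0
        while True:
            if pos >= len(buf):
                raise ValueError("truncated: high tag number runs past buffer")
            b = buf[pos]
            pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return tag, constructed, pos


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; returns (length, new_pos).

    Leading bit 0: the low 7 bits are the length (short form, e.g. 0x20 -> 32).
    Leading bit 1: the low 7 bits say how many following octets hold the
    length, big-endian (long form, e.g. 84 00 00 00 41 -> 65).
    """
    if pos >= len(buf):
        raise ValueError("truncated: missing length octet")
    first = buf[pos]
    pos += 1
    if not first & 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length (0x80) not supported by this decoder")
    if n == 0x7F:
        raise ValueError("reserved length octet 0xFF")
    if n > 8:
        # Anything wider than 64 bits is hostile or broken; refuse before allocating.
        raise ValueError("length field of %d octets is unreasonable" % n)
    if pos + n > len(buf):
        raise ValueError("truncated: length octets run past buffer")
    length = int.from_bytes(buf[pos:pos + n], "big")
    return length, pos + n


def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[Node, int]:
    """Parse one element at buf[pos]; recurses into constructed elements."""
    tag, constructed, pos = read_tag(buf, pos)
    length, pos = read_length(buf, pos)
    if length > len(buf) - pos:
        # Never trust the declared length: bound it by what was actually captured.
        raise ValueError("declared length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    body = buf[pos:pos + length]
    end = pos + length
    if not constructed:
        return (tag, False, body), end
    children: List[Node] = []
    p = 0
    while p < len(body):
        child, p = parse_tlv(body, p)  # the A -> B -> A style recursion
        children.append(child)
    return (tag, True, children), end


def parse(buf: bytes) -> Node:
    """Parse exactly one top-level element and reject trailing garbage."""
    node, end = parse_tlv(buf, 0)
    if end != len(buf):
        raise ValueError("%d trailing bytes after element" % (len(buf) - end))
    return node


def rejects(buf: bytes) -> bool:
    """True if parse() refuses buf with a ValueError (used to show the failure modes)."""
    try:
        parse(buf)
    except ValueError:
        return True
    return False


# Constructed samples: SEQUENCE (0x30) with a long-form length of 6, holding
# INTEGER 5 and OCTET STRING "A"; then the same header claiming 65 bytes; then
# an indefinite-length header.
SAMPLE = bytes.fromhex("30 84 00 00 00 06 02 01 05 04 01 41")
TRUNCATED = bytes.fromhex("30 84 00 00 00 41 02 01 05")
INDEFINITE = bytes.fromhex("30 80 02 01 05 00 00")

if __name__ == "__main__":
    print(parse(SAMPLE))      # (16, True, [(2, False, b'\x05'), (4, False, b'A')])
    print(rejects(TRUNCATED), rejects(INDEFINITE))  # True True
```

Whatever ends up doing the length arithmetic, binpac &let/&if or hand-written C++, keep the "declared length versus bytes remaining" check: a BER length field is attacker-controlled, and an unchecked long-form length is the classic route to an over-read in a protocol analyzer.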