I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
I'm trying to write a bro script that pulls out authoritative nameservers
and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS
reply, since the dns_edns_additional structure seems like it has the
information I'm looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn…
Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:
# scripts/base/protocols/dns/main.bro
318 # TODO: figure out how to handle these
324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my
own solution?
-Chris
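One way to get at the authority and additional sections without dns_EDNS_addl, as an added example that is not part of the post or of Bro's own scripts: the per-record-type reply events (dns_NS_reply, dns_A_reply) fire for every record in a reply, and the answer_type field of dns_answer says which section it came from. It assumes the DNS_AUTH and DNS_ADDL constants and the DNS::Info record from Bro 2.x's init-bare.bro and base/protocols/dns/main.bro, and that DNS::set_session runs at priority 5 so c$dns exists at priority 3.

```bro
##! Added example: record NS names from the authority section and
##! A records from the additional section of DNS replies in dns.log.
@load base/protocols/dns/main

module DNS;

redef record Info += {
    ## NS names seen in the authority section of the reply.
    auth_ns: vector of string &optional &log;
    ## Addresses seen in the additional section (glue records).
    addl_addrs: vector of addr &optional &log;
};

# Priority 3 runs after DNS::set_session (assumed priority 5), so c$dns is set.
event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=3
    {
    # answer_type tells which section the record came from (assumed: DNS_AUTH).
    if ( ! c?$dns || ans$answer_type != DNS_AUTH )
        return;
    if ( ! c$dns?$auth_ns )
        c$dns$auth_ns = vector();
    c$dns$auth_ns[|c$dns$auth_ns|] = name;
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=3
    {
    # Only keep A records from the additional section (assumed: DNS_ADDL).
    if ( ! c?$dns || ans$answer_type != DNS_ADDL )
        return;
    if ( ! c$dns?$addl_addrs )
        c$dns$addl_addrs = vector();
    c$dns$addl_addrs[|c$dns$addl_addrs|] = a;
    }
```

The same pattern extends to dns_AAAA_reply for IPv6 glue; EDNS OPT pseudo-records still need the unimplemented dns_EDNS_addl event.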
Greetings,
CMake 2.8.10.2
Perl 5.12.2
libmagic 5.11
SWIG 1.3.36
Bison 2.3
Flex 2.5.4
Bash 4.2.42
Got stumped trying to build Bro on OpenBSD 5.3 i386 related to finding
BIND8 headers/libs.
I see a few past similar issues, notably:
http://marc.info/?l=bro&m=132806089033571
Installing Bro 2.1.
$ ./configure
Build Directory : build
Source Directory: /home/dspruell/downloads/bro-2.1
-- The C compiler identification is GNU 4.2.1
-- The CXX compiler identification is GNU 4.2.1
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Found sed: /usr/bin/sed
-- Found Perl: /usr/bin/perl (found version "5.12.2")
-- Found FLEX: /usr/bin/flex version 2.5.4
-- Found BISON: /usr/local/bin/bison
-- Found PCAP: /usr/lib/libpcap.so.7.0
-- Performing Test PCAP_LINKS_SOLO
-- Performing Test PCAP_LINKS_SOLO - Success
-- Looking for pcap_get_pfring_id
-- Looking for pcap_get_pfring_id - not found
-- Found OpenSSL: /usr/lib/libssl.so.19.0;/usr/lib/libcrypto.so.22.0
-- Performing Test ns_initparse_works_none
-- Performing Test ns_initparse_works_none - Failed
-- Performing Test res_mkquery_works_none
-- Performing Test res_mkquery_works_none - Success
-- Performing Test ns_initparse_works_resolv
-- Performing Test ns_initparse_works_resolv - Failed
-- Performing Test res_mkquery_works_resolv
-- Performing Test res_mkquery_works_resolv - Success
-- Performing Test ns_initparse_works_bind
-- Performing Test ns_initparse_works_bind - Failed
-- Performing Test res_mkquery_works_bind
-- Performing Test res_mkquery_works_bind - Success
-- Could NOT find BIND (missing: BIND_LIBRARY)
-- Found LibMagic: /usr/local/lib/libmagic.so.3.0
-- Found ZLIB: /usr/lib/libz.so.4.1 (found version "1.2.3")
CMake Error at aux/binpac/CMakeLists.txt:17 (message):
Could not find prerequisite package 'BIND'
CMake Error at aux/binpac/CMakeLists.txt:19 (message):
Configuration aborted due to missing prerequisites
-- Configuring incomplete, errors occurred!
I'm hung up trying to figure out where the necessary
routines/libraries would be. OpenBSD ships with BIND 9 by default, and
has res_* functions in libc (there is no libresolv.a, etc.; libresolv
was removed ~2005). The previously referenced thread mentions libbind
package; this doesn't seem to exist any more, although there is an
upstream ISC BIND 9 package (isc-bind 9.9.2-P2). When this package is
installed, I can see the following library:
$ ldconfig -r |egrep 'bind'
398:-lbind9.0.0 => /usr/local/lib/libbind9.so.0.0
...but the library does not provide ns_* symbols and the error at
configure is still the same (maybe because of BIND 9 vs. BIND 8?):
-- Performing Test ns_initparse_works_none
-- Performing Test ns_initparse_works_none - Failed
-- Performing Test res_mkquery_works_none
-- Performing Test res_mkquery_works_none - Success
-- Performing Test ns_initparse_works_resolv
-- Performing Test ns_initparse_works_resolv - Failed
-- Performing Test res_mkquery_works_resolv
-- Performing Test res_mkquery_works_resolv - Success
-- Performing Test ns_initparse_works_bind
-- Performing Test ns_initparse_works_bind - Failed
-- Performing Test res_mkquery_works_bind
-- Performing Test res_mkquery_works_bind - Success
-- Could NOT find BIND (missing: BIND_LIBRARY)
CMake Error at aux/binpac/CMakeLists.txt:17 (message):
Could not find prerequisite package 'BIND'
It looks to me that OpenBSD doesn't include the ns_* routines; this
discussion might support that:
http://bugs.bitlbee.org/bitlbee/ticket/421
Wondering if I'm at a dead end on this. Any ideas?
--
Darren Spruell
phatbuckett(a)gmail.com
I'm a new bro user and have tried to find the answer to this, but
have had no luck. I've got version 2.1 installed. I can run bro in
standalone mode with no problem, but I've tried to install a bro
cluster with worker-1 on a remote host/VM with the same problem.
Here is what I've tried to do:
created user jesse on both manager/proxy - 192.168.43.1
o configured node.cfg for manager and proxy to be 192.168.43.1
o configured node.cfg for worker-1 to be 192.168.43.130
o performed ssh-keygen as user jesse
o copied .ssh/rsa_id.pub to 192.168.43.130
/home/jesse/.ssh/authorized_keys
o able to ssh as jesse from 192.168.43.1 to 192.168.43.130 with no
required password/passphrase
o added jesse to /etc/sudoers to do everything root can
created user jesse on worker-1 192.168.43.130 (VM)
o changed owner of /usr/local/bro to jesse
o added jesse to /etc/sudoers to do everything root can
as user jesse on manager/proxy > sudo broctl
[BroControl] > install
removing old policies in
/usr/local/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in
/usr/local/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating cluster-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... warning: host 192.168.43.130 is not alive install
waiting for lock ..... ok
removing old policies in
/usr/local/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in
/usr/local/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating cluster-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
diag worker-1
[worker-1]
No work dir found
[BroControl] > start
starting manager ...
starting proxy-1 ...
starting worker-1 ...
cannot create working directory for worker-1
I cloned the master this morning,
I installed it with:
./configure --disable-auxtools --disable-broccoli --disable-broctl
make
make install
and then I had an error at execution:
"internal error in [mypath]/bro/base/init-bar.bro, line 3098:internal
type Files::AnalyzerArgs missing
Abandon"
Is there a @load missing in the init-bare.bro file?
Hello,
I've used Bro on and off for a couple years and love its unix-ness and
application-layer smarts. I use it to augment my NetFlow and SNMP data,
and it gives me just enough information to complement those logs. I
haven't dug into the scripting and IDS aspects yet, but I hope to soon.
I have an issue with the connection summary email. Aside from the fact
that I could do without it altogether, because it doesn't really tell me
anything that NetFlow can't, I'm confused by how inaccurate the
information in the email seems to be.
To take the example that always jumps out at me, here are the incoming
port statistics from this morning's email.
>== Incoming === 2013-08-25-23-50-18 - 2013-08-26-23-19-23
- Connections 306.0 - Payload 137.0m -
Ports |
9997 78.1% |
3 9.2% |
514 5.2% |
50664 3.6% |
22 1.3% |
52145 0.7% |
51222 0.7% |
52140 0.3% |
51735 0.3% |
51724 0.3% |
The reason I know something is strange about this is that I get NetFlow
data around the clock from three different sites on ports 9997, 9998,
and 9999. How could it be that one site accounts for 78.1% of all of my
incoming traffic and the other two are nowhere to be seen? Also, the
number of connections and payload information is way off. Here is the
same information queried from NetFlow:
Port Flows(%)
0 4831(13.0)
9999 1985( 5.3)
9997 1797( 4.8)
9998 1510( 4.1)
22 559( 1.5)
123 398( 1.1)
64115 349( 0.9)
65138 162( 0.4)
40767 135( 0.4)
13496 120( 0.3)
Summary: total flows: 37254, total bytes: 2.1 G, total packets: 1.7 M,
avg bps: 194612, avg pps: 19, avg bpp: 1237
Time window: 2013-08-25 23:49:42 - 2013-08-26 23:24:49
Total flows processed: 102134, Blocks skipped: 0, Bytes read: 5318892
Netstat doesn't indicate any dropped packets, and conn.log doesn't
indicate any missed_bytes. Can anyone shed some light on why bro could
be so wrong about these statistics? Would it matter that I am using a
single instance of bro to monitor two interfaces (bro -i em0 -i em1)?
Thanks for any help you can provide...
Best,
Chris
Hi,
I'm trying to set up another Bro cluster, and I'm getting this error on
the worker nodes:
error in
/usr/local/bro/spool/installed-scripts-do-not-touch/auto/local-networks.bro,
line 3: syntax error, at or near "redef"
This is the file:
# Automatically generated. Do not edit.
redef Site::local_nets = {
10.0.0.0/8, # Private IP space
192.168.0.0/16, # Private IP space
};
I don't see a syntax error. Has anybody seen anything like this before?
I'm running from git master, commit 927f534.
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
Hello all. I am trying to extract cookie key/value pairs with bro. Bro 2.1
out of the box comes with
/usr/local/bro/share/bro/policy/protocols/http/var-extraction-cookies.bro
that extracts only the keys. Below is the baked in way of keys and I'm
looking for something similar for the values. I would rather use something
that is already there if it exists but cannot find it.
If it does not exist, what would be the recommendation for creating it? My
understanding is that modifying anything outside of
/usr/local/bro/share/bro/site can get overwritten with updates. Should I
create a whole new protocols/http directory structure under
/usr/local/bro/share/bro/site and keep the configuration of cookies
separate?
###################################################################
/usr/local/bro/share/bro/policy/protocols/http/var-extraction-cookies.bro
##! Extracts and logs variables names from cookies sent by clients.
@load base/protocols/http/main
@load base/protocols/http/utils

module HTTP;

redef record Info += {
    ## Variable names extracted from all cookies.
    cookie_vars: vector of string &optional &log;
};

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
    {
    if ( is_orig && name == "COOKIE" )
        c$http$cookie_vars = extract_keys(value, /;[[:blank:]]*/);
    }
###################################################################
function extract_keys from
/usr/local/bro/share/bro/base/protocols/http/utils.bro
###################################################################
function extract_keys(data: string, kv_splitter: pattern): string_vec
    {
    local key_vec: vector of string = vector();
    local parts = split(data, kv_splitter);
    for ( part_index in parts )
        {
        local key_val = split1(parts[part_index], /=/);
        if ( 1 in key_val )
            key_vec[|key_vec|] = key_val[1];
        }
    return key_vec;
    }
Thanks,
Patrick Powell
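A site-local script that keeps both names and values, as an added example that is not part of the post or of Bro's own scripts: it mirrors extract_keys but also records the value of each pair, in two parallel vectors because Bro's log writer accepts vectors of strings but not tables. It assumes Bro 2.x's split/split1 semantics (1-indexed tables) and that the file is placed under /usr/local/bro/share/bro/site and @load-ed from local.bro, so that upgrades do not overwrite it.

```bro
##! Added example: log cookie names and values from client Cookie headers.
@load base/protocols/http/main

module HTTP;

redef record Info += {
    ## Cookie names, in header order.
    cookie_names: vector of string &optional &log;
    ## Cookie values, same order as cookie_names ("" when a part has no "=").
    cookie_values: vector of string &optional &log;
};

## Split "a=1; b=2; flag" into names ["a","b","flag"] and values ["1","2",""].
## Returns a vector of two string vectors: [names, values].
function extract_cookie_kv(data: string, kv_splitter: pattern): vector of string_vec
    {
    local names: vector of string = vector();
    local vals: vector of string = vector();
    local parts = split(data, kv_splitter);
    for ( part_index in parts )
        {
        # split1 stops at the first "=", so values containing "=" stay intact.
        local key_val = split1(parts[part_index], /=/);
        if ( 1 in key_val && key_val[1] != "" )
            {
            names[|names|] = key_val[1];
            vals[|vals|] = (2 in key_val) ? key_val[2] : "";
            }
        }
    local result: vector of string_vec = vector();
    result[0] = names;
    result[1] = vals;
    return result;
    }

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2
    {
    # Only client (originator) Cookie headers; skip if no HTTP state exists yet.
    if ( ! is_orig || name != "COOKIE" || ! c?$http )
        return;
    local kv = extract_cookie_kv(value, /;[[:blank:]]*/);
    c$http$cookie_names = kv[0];
    c$http$cookie_values = kv[1];
    }
```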