zeek September 2013

zeek@lists.zeek.org

43 participants
41 discussions

by Champion,Jerry

I am getting a Dependency is not satisfiable: libc6(<2.12) error message. [cid:image001.png@01CE5875.C815C190] I have run the required dependency: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev But I have version 2.17 [cid:image002.png@01CE5875.C815C190] Can someone assist me with this? VR Jerry Champion Information Secuity Engineer Synovus Financial Corp 706-644-4589

7 years

[Bro] Bro problem - no software.log written

by עומר עומר

7 years, 4 months

[Bro] Additional Records in DNS

by Chris Crawford

I'm trying to write a bro script that pulls out authoritative nameservers and additional records from DNS. I think I need the the dns_EDNS_addl event to get at that part of a DNS reply, since the dns_edns_additional structure seems like it has the information I'm looking for: http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn… Unfortunately, it looks like dns_EDNS_addl isn't implemented yet: # scripts/base/protocols/dns/main.bro 318 # TODO: figure out how to handle these 324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) Has anyone worked out a way to grab this information from a DNS reply? If not, could anyone point me in the right direction so that I can roll my own solution? -Chris

7 years, 5 months

[Bro] Trouble building Bro 2.2 on ARMv6 (Raspberry Pi / Wheezy)

by Jonathan Ness

Hi, I have been using Bro 2.1 on my Raspberry Pi device. It worked mostly out of the box. (There was a small configuration change due to RPI's missing realtime clock but otherwise, worked fine.) However, Bro 2.2 does not build on the same device. It builds fine on the same configuration of Linux (Debian Wheezy) under Hyper-V on x64 so I suspect the ARM aspect of the RPI. I haven't used cmake before so really I'm not even sure how to debug the build issue but here's stdout: [ 8%] [BIFCL] Processing top-k.bif usage: bifcl [-p] *.bif make[3]: *** [scripts/base/bif/top-k.bif.bro] Error 1 make[3]: Leaving directory `/home/pi/bro/build' make[2]: *** [src/probabilistic/CMakeFiles/bif-alt-probabilistic-top-k.bif.dir/all] Error 2 make[2]: Leaving directory `/home/pi/bro/build' make[1]: *** [all] Error 2 make[1]: Leaving directory `/home/pi/bro/build' make: *** [all] Error 2 I assume it's a problem with bifcl so I tried replacing the Bro 2.2 build tree bifcl with the one from the Bro 2.1 build tree but that didn't work either. (different error when doing that: "Error: cannot open file: -s") Maybe it's an option mismatch...? Has anyone gotten Bro 2.2 to build on ARMv6? Any tricks / tweaks needed? Thanks! Jonathan P.S. The new work on file carving is fantastic! Enables all kinds of interesting new scenarios!

7 years, 9 months

[Bro] Log::add_filter with mime_type or filename predicate

by Thomas, Eric D

I'm looking for the new way (in 2.2) for filtering HTTP::LOG logging based upon mime_type or filename. It seems with the new file analysis framework the filename and mime_type of an HTTP connection are set in HTTP::Info in base/protocols/http/entities.bro inside the file_over_new_connection event. However I'm thinking at this point that that event is triggered only AFTER the HTTP::LOG filter predicates are processed, since all of the new entities fields in the HTTP::Info record are "<uninitialized>" when printed from the predicate function. Here is a possibly helpful code snippet that goes inside bro_init() (Excuse the formatting, not much I can do.) Log::add_filter(HTTP::LOG, [$name = "http-executables", $path = "http_exe", $pred(rec: HTTP::Info) = { print "file:", rec; return 1==1; }, # This line was in the predicate function, but it no longer works # return rec?$mime_type && rec$mime_type == "application/x-dosexec"; }, $include=set("ts","id.orig_h","id.orig_p","id.resp_h","id.resp_p","method" ,"host","uri","referrer","user_agent","request_body_len","response_body_len ","status_code","info_msg","contenttype","filename","mime_type") ]); Thoughts? -- Eric Thomas edthoma(a)sandia.gov

7 years, 9 months

[Bro] suggestion request

by Oğuz Yarımtepe

Hi, For the ones dealing with machine learning KDD Cup 99 dataset is used widely for testing the algorithm proposed. ( http://kdd.ics.uci.edu/databases/kddcup99/task.html) The data set is created with some features defined at Table 1, Table 2 and Table 3. Now i would like to test my algorithm with the real data so i will collect traffic and convert it to KDD Cup 99 format. I am searching a method. How can i gather or calculate the properties at Table2? The properties are number of ``hot'' indicators: meaning hidden directory creation number of failed login attempts 1 if successfully logged in; 0 otherwise number of ``compromised''continuous 1 if root shell is obtained; 0 otherwise 1 if ``su root'' command attempted; 0 otherwise number of ``root'' accesses number of file creation operations number of shell prompts number of operations on access control files number of outbound commands in an ftp session So it seems payload analysis is required? Anybody who had experience with such thing or any suggestion? I will be listening a mirrored port and saving the traffic data to db. Can Bro Time Machine help me on this issue? Cheers. -- Oğuz Yarımtepe http://about.me/oguzy

7 years, 9 months

[Bro] TCP connection summaries

by Laleh Arshadi

Hi all I see that you can get a connection summary log of an offline pcap traffic file by running bro with a simple command line as: bro -r traffic_file_name I have tested this command and it works well. But I am only interested in TCP connection summaries so I tried: bro -r traffic_file_name tcp But I get an error indication 'tcp' as unkown. What have I missed here? Regards L. Arshadi

7 years, 9 months

[Bro] Bond

by Panaman

I bond my interfaces together and have bro listen on the bond On Friday, September 27, 2013, wrote: > Send Bro mailing list submissions to > bro(a)bro.org <javascript:;> > > To subscribe or unsubscribe via the World Wide Web, visit > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > or, via email, send a message with subject or body 'help' to > bro-request(a)bro.org <javascript:;> > > You can reach the person managing the list at > bro-owner(a)bro.org <javascript:;> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Bro digest..." > > > Today's Topics: > > 1. Re: [EXTERNAL] Re: Multiple interfaces on 2.2-beta-4 > (Thomas, Eric D) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 27 Sep 2013 13:55:21 +0000 > From: "Thomas, Eric D" <edthoma(a)sandia.gov <javascript:;>> > Subject: Re: [Bro] [EXTERNAL] Re: Multiple interfaces on 2.2-beta-4 > To: Justin Azoff <JAzoff(a)albany.edu <javascript:;>> > Cc: "bro(a)bro.org <javascript:;>" <bro(a)bro.org <javascript:;>> > Message-ID: <CE6ADC36.21B23%edthoma(a)sandia.gov <javascript:;>> > Content-Type: text/plain; charset="us-ascii" > > Thanks all for the replies. I'll try them all, starting with the easiest. > For the record, the interfaces are both half streams, so I don't think the > cluster method will work. > > -- > Eric Thomas > > edthoma(a)sandia.gov <javascript:;> > > > > > On 9/26/13 7:37 PM, "Justin Azoff" <JAzoff(a)albany.edu <javascript:;>> > wrote: > > >On Thu, Sep 26, 2013 at 10:27:29PM -0400, Seth Hall wrote: > >> I guess I don't really know what to say, sniffing multiple interfaces > >>was never something we actually supported when you run Bro with broctl > >>and we continue not to support it. Generally we recommend merging > >>multiple streams of traffic upstream of where Bro receives the packets. > > > >What about with something like: > > > >[worker-1] > >type=worker > >host=localhost > >interface=eth0 > > > >[worker-2] > >type=worker > >host=localhost > >interface=eth1 > > > >as long as those aren't half streams from a tap, that should work, > >right? > > > >-- > >-- Justin Azoff > >-- Network Security & Performance Analyst > > > > > ------------------------------ > > _______________________________________________ > Bro mailing list > Bro(a)bro.org <javascript:;> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > End of Bro Digest, Vol 89, Issue 34 > *********************************** >

7 years, 9 months

[Bro] Multiple interfaces on 2.2-beta-4

by Thomas, Eric D

I'm not sure this is a bug, which is why I didn't post it on the tracker. In 2.1 one could do this in node.cfg: interface=eth2 -i eth3 And bro would open both interfaces. In 2.2-beta-4 specifying two -i's while manually running bro works, but trying to do the above with the "interface" specification doesn't, giving this error: fatal error: /usr/local/bro/bin/bro: problem with interface eth2 -i eth3 - pcap_open_live: eth2 -i eth3: No such device exists (SIOCGIFHWADDR: No such device) Looks like it's not parsing things the same way. In 2.2 will there be a new way to specify multiple interfaces? -- Eric Thomas edthoma(a)sandia.gov

7 years, 9 months

[Bro] any interest in crash reports?

by Russell Fulton

I had a worker crash and then the manager — is anyone interested in reports? Russell

7 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek September 2013