I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
I'm trying to write a bro script that pulls out authoritative nameservers
and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS
reply, since the dns_edns_additional structure seems like it has the
information I'm looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn…
Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:
# scripts/base/protocols/dns/main.bro
# TODO: figure out how to handle these
#event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my
own solution?
-Chris
Hi, I have been using Bro 2.1 on my Raspberry Pi device. It worked mostly out of the box. (There was a small configuration change due to RPI's missing realtime clock but otherwise, worked fine.) However, Bro 2.2 does not build on the same device. It builds fine on the same configuration of Linux (Debian Wheezy) under Hyper-V on x64 so I suspect the ARM aspect of the RPI. I haven't used cmake before so really I'm not even sure how to debug the build issue but here's stdout:
[ 8%] [BIFCL] Processing top-k.bif
usage: bifcl [-p] *.bif
make[3]: *** [scripts/base/bif/top-k.bif.bro] Error 1
make[3]: Leaving directory `/home/pi/bro/build'
make[2]: *** [src/probabilistic/CMakeFiles/bif-alt-probabilistic-top-k.bif.dir/all] Error 2
make[2]: Leaving directory `/home/pi/bro/build'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/pi/bro/build'
make: *** [all] Error 2
I assume it's a problem with bifcl so I tried replacing the Bro 2.2 build tree bifcl with the one from the Bro 2.1 build tree but that didn't work either. (different error when doing that: "Error: cannot open file: -s") Maybe it's an option mismatch...?
Has anyone gotten Bro 2.2 to build on ARMv6? Any tricks / tweaks needed? Thanks!
Jonathan
P.S. The new work on file carving is fantastic! Enables all kinds of interesting new scenarios!
I'm looking for the new way (in 2.2) for filtering HTTP::LOG logging based
upon mime_type or filename. It seems with the new file analysis framework
the filename and mime_type of an HTTP connection are set in HTTP::Info in
base/protocols/http/entities.bro inside the file_over_new_connection
event. However I'm thinking at this point that that event is triggered
only AFTER the HTTP::LOG filter predicates are processed, since all of the
new entities fields in the HTTP::Info record are "<uninitialized>" when
printed from the predicate function. Here is a possibly helpful code
snippet that goes inside bro_init() (Excuse the formatting, not much I can
do.)
Log::add_filter(HTTP::LOG, [$name = "http-executables",
                            $path = "http_exe",
                            $pred(rec: HTTP::Info) =
                                {
                                print "file:", rec;
                                return 1==1;
                                },
                            # This line was in the predicate function, but it no longer works
                            # return rec?$mime_type && rec$mime_type == "application/x-dosexec"; },
                            $include=set("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                                         "method", "host", "uri", "referrer", "user_agent",
                                         "request_body_len", "response_body_len", "status_code",
                                         "info_msg", "contenttype", "filename", "mime_type")
                            ]);
Thoughts?
--
Eric Thomas
edthoma(a)sandia.gov
Hi,
For those dealing with machine learning, the KDD Cup 99 dataset is widely
used for testing a proposed algorithm. (
http://kdd.ics.uci.edu/databases/kddcup99/task.html)
The data set is created with some features defined in Table 1, Table 2 and
Table 3. Now I would like to test my algorithm with real data, so I will
collect traffic and convert it to the KDD Cup 99 format. I am searching for
a method.
How can I gather or calculate the properties in Table 2? The properties are:
number of ``hot'' indicators: meaning hidden directory creation
number of failed login attempts
1 if successfully logged in; 0 otherwise
number of ``compromised''
1 if root shell is obtained; 0 otherwise
1 if ``su root'' command attempted; 0 otherwise
number of ``root'' accesses
number of file creation operations
number of shell prompts
number of operations on access control files
number of outbound commands in an ftp session
So it seems payload analysis is required? Does anybody have experience with
such a thing, or any suggestion? I will be listening on a mirrored port and
saving the traffic data to a DB. Can Bro Time Machine help me with this issue?
Cheers.
--
Oğuz Yarımtepe
http://about.me/oguzy
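The content features in the list above (Table 2 of the KDD Cup 99 task page) cannot be read off packet headers; they come out of the application payload. As an added example, not part of the original post or of Bro, here is a small Python routine that derives the FTP-derivable ones (failed logins, logged_in, file creations, hidden-directory "hot" indicator, outbound commands) from a reassembled FTP control-channel transcript. The transcript format ("C:" / "S:" per line), the sample session, and the mapping of RFC 959 reply codes onto each KDD feature are this example's own assumptions; the telnet-only features (root shell, su attempts) are not covered.

```python
import re
# RFC 959 reply codes; mapping them onto the KDD features is this example's assumption.
LOGIN_OK, LOGIN_FAIL = 230, 530
FILE_CREATE_CMDS = {"STOR", "STOU", "APPE", "MKD"}
CMD_RE = re.compile(r"^C:\s*([A-Za-z]+)(?:\s+(.*))?$")  # client command line
RPL_RE = re.compile(r"^S:\s*(\d{3})")                  # server reply line

def ftp_content_features(transcript: str) -> dict:
    # Walk one reassembled FTP control channel and fill the derivable KDD content features.
    f = {"num_failed_logins": 0, "logged_in": 0, "num_file_creations": 0,
         "num_outbound_cmds": 0, "hot": 0}   # hot: hidden (dot-prefixed) directory creation
    pending = None  # last client command still waiting for its final reply
    for line in transcript.splitlines():
        m = CMD_RE.match(line)
        if m:
            pending = (m.group(1).upper(), m.group(2) or "")
            f["num_outbound_cmds"] += 1   # counts every client command sent
            continue
        m = RPL_RE.match(line)
        if not m or pending is None:
            continue
        code = int(m.group(1))
        if 100 <= code < 200:   # preliminary reply (e.g. 150); the final reply is still to come
            continue
        verb, arg = pending
        pending = None
        if verb == "PASS":
            if code == LOGIN_OK:
                f["logged_in"] = 1
            elif code == LOGIN_FAIL:
                f["num_failed_logins"] += 1
        elif verb in FILE_CREATE_CMDS and 200 <= code < 300:
            f["num_file_creations"] += 1
            if verb == "MKD" and arg.rstrip("/").rsplit("/", 1)[-1].startswith("."):
                f["hot"] += 1
    return f

# Constructed sample session (not captured traffic).
SAMPLE_SESSION = """\
C: USER alice
S: 331 Password required
C: PASS wrong
S: 530 Login incorrect
C: PASS right
S: 230 Login successful
C: MKD .cache
S: 257 ".cache" created
C: STOR dump.bin
S: 150 Opening data connection
S: 226 Transfer complete
"""
```

Feeding it a real capture means reassembling the TCP control stream first (Bro's own FTP analyzer sees exactly these commands and reply codes), after which per-connection features can be joined with the header-derived ones from conn.log.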
Hi all
I see that you can get a connection summary log of an offline pcap traffic file by running bro with a simple command line as:
bro -r traffic_file_name
I have tested this command and it works well. But I am only interested in TCP connection summaries so I tried:
bro -r traffic_file_name tcp
But I get an error indicating 'tcp' is unknown. What have I missed here?
Regards
L. Arshadi
I bond my interfaces together and have bro listen on the bond
On Friday, September 27, 2013, wrote:
> Today's Topics:
>
> 1. Re: [EXTERNAL] Re: Multiple interfaces on 2.2-beta-4
> (Thomas, Eric D)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 27 Sep 2013 13:55:21 +0000
> From: "Thomas, Eric D" <edthoma(a)sandia.gov>
> Subject: Re: [Bro] [EXTERNAL] Re: Multiple interfaces on 2.2-beta-4
> To: Justin Azoff <JAzoff(a)albany.edu>
> Cc: "bro(a)bro.org" <bro(a)bro.org>
> Message-ID: <CE6ADC36.21B23%edthoma(a)sandia.gov>
> Content-Type: text/plain; charset="us-ascii"
>
> Thanks all for the replies. I'll try them all, starting with the easiest.
> For the record, the interfaces are both half streams, so I don't think the
> cluster method will work.
>
> --
> Eric Thomas
>
> edthoma(a)sandia.gov
>
>
>
>
> On 9/26/13 7:37 PM, "Justin Azoff" <JAzoff(a)albany.edu> wrote:
>
> >On Thu, Sep 26, 2013 at 10:27:29PM -0400, Seth Hall wrote:
> >> I guess I don't really know what to say, sniffing multiple interfaces
> >>was never something we actually supported when you run Bro with broctl
> >>and we continue not to support it. Generally we recommend merging
> >>multiple streams of traffic upstream of where Bro receives the packets.
> >
> >What about with something like:
> >
> >[worker-1]
> >type=worker
> >host=localhost
> >interface=eth0
> >
> >[worker-2]
> >type=worker
> >host=localhost
> >interface=eth1
> >
> >as long as those aren't half streams from a tap, that should work,
> >right?
> >
> >--
> >-- Justin Azoff
> >-- Network Security & Performance Analyst
>
>
>
>
> End of Bro Digest, Vol 89, Issue 34
I'm not sure this is a bug, which is why I didn't post it on the tracker. In 2.1 one could do this in node.cfg:
interface=eth2 -i eth3
And bro would open both interfaces. In 2.2-beta-4 specifying two -i's while manually running bro works, but trying to do the above with the "interface" specification doesn't, giving this error:
fatal error: /usr/local/bro/bin/bro: problem with interface eth2 -i eth3 - pcap_open_live: eth2 -i eth3: No such device exists (SIOCGIFHWADDR: No such device)
Looks like it's not parsing things the same way. In 2.2 will there be a new way to specify multiple interfaces?
--
Eric Thomas
edthoma(a)sandia.gov