I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
After being asked if Bro could be used to gather passive intelligence on
OS usage I started investigating places to try to identify OS. I
initially was looking into p0f and Seth showed me a way to invoke the
existing p0f fingerprinting functionality within Bro, but also suggested
a slew of other data sources to look at. I wasn't terribly excited with
the p0f fingerprint output, and while browser user agents may not be the
best data source, I decided to start by looking at platform tokens and
reporting on those instead of the p0f data. This is my first-ish bro
script and it is by no means a complete script (it only matches a
handful of Windows OS). I'm wondering if folks see anything in the
attached that would misbehave badly if used on live traffic instead of
pcaps?
Regards,
--
Gary Faulkner
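As an added illustration (Python, not Bro, and not Gary's attached script, which is not on this page), the same idea in code: map the "Windows NT x.y" platform token to a product name and keep a per-client inventory with a hard cap on tracked hosts, the kind of unbounded-state problem that shows up on live traffic but not on pcaps. Client addresses and User-Agent strings are constructed.

```python
import re
from collections import OrderedDict
_NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")
# NT kernel version -> product; client and server editions on one kernel collapse.
WINDOWS_NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 / Server 2016",
}

def windows_from_user_agent(ua):
    """Product name for the 'Windows NT x.y' token, or None when it is absent."""
    m = _NT_TOKEN.search(ua)
    if not m:
        return None                        # non-Windows client, CLI tool, or blank/spoofed agent
    return WINDOWS_NT_VERSIONS.get(m.group(1), "Windows (unmapped NT %s)" % m.group(1))

class OSInventory:
    """Per-host set of observed Windows versions, capped at `max_hosts` so that
    live traffic cannot grow the table without bound (oldest host is evicted)."""
    def __init__(self, max_hosts=10000):
        self.max_hosts = max_hosts
        self.hosts = OrderedDict()         # client address -> set of products

    def observe(self, src, ua):
        product = windows_from_user_agent(ua)
        if product is None:
            return None
        if src not in self.hosts:
            if len(self.hosts) >= self.max_hosts:
                self.hosts.popitem(last=False)
            self.hosts[src] = set()
        self.hosts[src].add(product)
        return product

    def inconsistent_hosts(self):
        """Hosts claiming several versions: NAT/proxy, shared jump host, or a spoofed agent."""
        return {h: sorted(v) for h, v in self.hosts.items() if len(v) > 1}

# Constructed (client address, User-Agent) records, not taken from a real http.log.
SAMPLE_HTTP = [
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"),
    ("10.0.0.5", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"),
    ("10.0.0.9", "Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0"),
    ("10.0.0.9", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"),
    ("10.0.0.12", "curl/7.35.0"),
]
```

Feed `OSInventory().observe(src, ua)` from the HTTP log and report `inconsistent_hosts()` separately, since those entries say more about NAT and proxies than about the operating system.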
Bro,
I made a patch for the Ascii log writer to write the logs in JSON format.
This was thanks to the existing code from the ElasticSearch writer and
copy/paste skill.
But when I try to enable the writer at runtime there are errors. Why?
See patch. ( cd bro-2.2; patch -p1 < bro--write_json.patch )
Thanks,
--TC
event bro_init()
{
    LogAscii::write_json=T;
}
results in
# bin/broctl check
manager failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
proxy-1 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-1 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-2 failed.
error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
Hi Folks,
I'm trying to learn if Bro can detect UDP flood attacks, and I found the
synflood script that was provided in previous versions of Bro. I'm wondering if
there's something similar in Bro 2.2 or if the 1.5.x version would still
work?
Noticed that this question was raised in the past by Alex (below). Does
anyone know how this could be done on 2.2 or have a working script to
detect flood attacks already?
Thanks,
Benson
Date: Mon, 11 Nov 2013 22:19:08 -0800 (PST)
From: Laleh Arshadi <la_arshadi(a)yahoo.com>
Subject: [Bro] Bro and flood protection - revisited
To: "bro(a)bro.org" <bro(a)bro.org>
Message-ID: <1384237148.40495.YahooMailNeo(a)web140606.mail.bf1.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Dear All,
This message was sent a while ago but I see no one has replied to it. As I
have almost a similar question myself, I would be thankful if someone took
another look at the email and responded.
Regards
Laleh
________________________________
From: Alexander Frolkin <avf(a)eldamar.org.uk>
To: bro(a)bro.org
Sent: Thursday, November 7, 2013 3:05 PM
Subject: [Bro] Bro and flood protection
Hi,
I'm currently looking around for open-source IDSes. What we'd like
is to have an IDS machine which monitors our Internet traffic and
responds to events by blocking the traffic using Flowspec. This is easy
to do with Bro and ExaBGP using custom event handlers and/or hooks, and
piped_exec.
I'm currently trying to understand Bro's ability to detect floods, e.g.,
SYN flood, ACK flood, or any other kind of flood, for that matter.
The feeling I have so far is that Bro wasn't really designed for this
sort of thing, and that it's designed more for L7 stuff.
I'm playing with 2.2 beta, and I can't see anything built-in to detect
floods (although maybe I haven't looked hard enough). In older
versions, though, there was a script called synflood.bro, but it seems
to have disappeared at some point. Does anyone know what the history of
this is, and whether there is equivalent functionality in the latest
version?
More generally, if I want to detect network floods, is Bro the right
thing to be using, or should I be looking elsewhere?
Thanks!
Alex
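Neither synflood.bro nor a 2.2 replacement is quoted in the thread. As an added sketch of the detection logic such a script needs (Python, not Bro, and not from any poster), this counts SYN-only segments and UDP datagrams per destination over a sliding window and raises once a threshold is crossed; it keys on the destination because flood sources are commonly spoofed. In Bro 2.2 the same per-key counting would be expressed with the SumStats framework. Packet records are constructed and timestamps are integer milliseconds.

```python
from collections import defaultdict, deque

class FloodDetector:
    """Sliding-window counter of connection-less load per destination: TCP
    segments carrying only SYN (half-open attempts) and UDP datagrams. Keyed on
    the destination because flood sources are commonly spoofed. Timestamps are
    integer milliseconds; state per key is bounded by the window length."""
    def __init__(self, window_ms=1000, syn_threshold=200, udp_threshold=200):
        self.window_ms = window_ms
        self.thresholds = {"SYN": syn_threshold, "UDP": udp_threshold}
        self.seen = defaultdict(deque)        # (kind, dst) -> recent timestamps
        self.alerted = set()                  # one alert per (kind, dst)

    def observe(self, ts, proto, src, dst, tcp_flags=""):
        """Feed one packet; return an alert string when a threshold is crossed."""
        if proto == "tcp" and tcp_flags == "S":
            kind = "SYN"
        elif proto == "udp":
            kind = "UDP"
        else:
            return None                       # established/other traffic ignored
        key = (kind, dst)
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window_ms:
            q.popleft()                       # expire packets outside the window
        if len(q) > self.thresholds[kind] and key not in self.alerted:
            self.alerted.add(key)
            return "%s flood against %s: %d packets in %dms" % (kind, dst, len(q), self.window_ms)
        return None

def detect(packets, **kwargs):
    """Run a detector over (ts_ms, proto, src, dst, flags) records in time order."""
    det = FloodDetector(**kwargs)
    return [a for a in (det.observe(*p) for p in sorted(packets)) if a]

# Constructed records, not a capture: 300 SYNs from 50 rotating sources against
# 192.0.2.10 at 5ms spacing, four UDP datagrams to 192.0.2.20, one SYN-ACK.
SAMPLE_PACKETS = (
    [(i * 5, "tcp", "203.0.113.%d" % (i % 50), "192.0.2.10", "S") for i in range(300)]
    + [(1000 + i * 500, "udp", "198.51.100.7", "192.0.2.20", "") for i in range(4)]
    + [(2000, "tcp", "198.51.100.8", "192.0.2.10", "SA")]
)
```

Thresholds have to be tuned per site: a busy web server legitimately sees hundreds of SYNs per second, so a value that fires on the constructed sample would be noise on a real link.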
I'm trying to write a bro script that pulls out authoritative nameservers
and additional records from DNS.
I think I need the dns_EDNS_addl event to get at that part of a DNS
reply, since the dns_edns_additional structure seems like it has the
information I'm looking for:
http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn…
Unfortunately, it looks like dns_EDNS_addl isn't implemented yet:
# scripts/base/protocols/dns/main.bro
318 # TODO: figure out how to handle these
324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
Has anyone worked out a way to grab this information from a DNS reply?
If not, could anyone point me in the right direction so that I can roll my
own solution?
-Chris
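As an added Python sketch (not Bro code and not from the thread) of what the authority and additional sections actually contain at the wire level, useful for checking what a roll-your-own script should produce: it skips the question and answer sections of a reply, handles name compression with a bound against pointer loops, and decodes NS, A and the EDNS0 OPT pseudo-record that dns_EDNS_addl is meant to deliver. The reply bytes are constructed.

```python
import struct

def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset past it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                     # bounded walk: a pointer loop must not hang the parser
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # 11xxxxxx: compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # the caller resumes after the first pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
        elif length == 0:                    # root label terminates the name
            return ".".join(labels), (end if jumped else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    raise ValueError("malformed name: too long or pointer loop")
def _read_rrs(msg, off, count):
    """Parse `count` resource records into (owner, type, ttl, value) tuples."""
    rrs = []
    for _ in range(count):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                       # NS: rdata is a (compressed) domain name
            value = _read_name(msg, off)[0]
        elif rtype == 1 and rdlen == 4:      # A: dotted IPv4 address
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 41:                    # OPT (EDNS0): CLASS field carries the UDP payload size
            value = "EDNS udp_payload=%d" % rclass
        else:
            value = msg[off:off + rdlen].hex()
        rrs.append((owner, rtype, ttl, value))
        off += rdlen
    return rrs, off
def authority_and_additional(msg):
    """Skip the question and answer sections of a reply; return (authority, additional)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4    # QNAME + QTYPE + QCLASS
    _, off = _read_rrs(msg, off, an)
    authority, off = _read_rrs(msg, off, ns)
    additional, _ = _read_rrs(msg, off, ar)
    return authority, additional
# Constructed 62-byte reply (not a capture): example.com, NS ns.example.com in authority, its A in additional.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x01\x00\x01"   # header: qd=1 an=0 ns=1 ar=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"                          # question: example.com A IN
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x05\x02ns\xc0\x0c"  # authority: NS, TTL 3600
    b"\xc0\x29\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x35")  # additional: A, TTL 3600
```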
On 31/01/2014, at 1:47 pm, Daniel Thayer <dnthayer(a)illinois.edu> wrote:
> Did you remember to do "broctl install" after you changed the
> value of LogExpireInterval ?
How did you guess ;) Looking at the command history I see I restarted rather than ‘install’ed
From now on I will do the config changes via puppet; the class has now been changed to do an ‘install’ if the bro.cfg ever changes.
Thanks!
R
Hi Folks
I have this in my broctl.cfg file:
# Location of the log directory. This is longer term storage for rotated logs.
LogDir = /home/sensors/data/test1/bro-logs
# Rotation interval in seconds for log files on manager/standalone node.
LogRotationInterval = 3600
# Expiration interval for log files in LogDir. Files older than this many days
# will be deleted upon running "broctl cron".
LogExpireInterval = 3
# Lower threshold for space available on the disk that holds SpoolDir. If less
# space is available, BroControl starts sending out warning emails.
MinDiskSpace = 5
but I have weeks of logs in the directory?
rful011@secmontst01:~$ ls /home/sensors/data/test1/bro-logs
2014-01-01 2014-01-04 2014-01-07 2014-01-10 2014-01-13 2014-01-16 2014-01-19 2014-01-22 2014-01-25 2014-01-28 2014-01-31
2014-01-02 2014-01-05 2014-01-08 2014-01-11 2014-01-14 2014-01-17 2014-01-20 2014-01-23 2014-01-26 2014-01-29 current
2014-01-03 2014-01-06 2014-01-09 2014-01-12 2014-01-15 2014-01-18 2014-01-21 2014-01-24 2014-01-27 2014-01-30 stats
and I have to keep pruning it by hand when the system runs out of disk.
And yes, I have checked the cron logs to make sure broctl cron is getting run ;)
Any ideas how to figure out what is wrong?
Russell
Following directions, I did:
----
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
}
----
and since we’ve got a very great many SSH servers exposed, I got a very great number of emails. Since I care more about outbound traffic, I did:
----
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == SSH::Password_Guessing && Site::is_local_addr(n$id$orig_h) )
        add n$actions[Notice::ACTION_EMAIL];
}
----
and now I get no mails at all (despite the fact I know we had at least a couple outbound attacks since I set this).
I'd set a few networks in $PREFIX/bro/etc/networks.cfg, and “config” from broctl says:
localnetscfg = /usr/local/bro-2.2/etc/networks.cfg
However, if I write a test script:
----
@load base/utils/site
print Site::local_nets;
----
and run “bro test.bro” output is empty unless I first redef Site::local_nets += {}; with my ranges.
Obviously I’m doing something incorrect, but which is the most correct way to fix it? redef local_nets in my local.bro, or have I mistaken the format of the networks.cfg file? It contains:
----
129.97.0.0/16 Waterloo Public IPv4
2620:101:f000::/47 IPv6
----
I’m thinking my problem with the test script is simply that I’m not running it with broctl, although I do run my production instance with same so I’m still back to “why does my revised hook not work as expected?”
Output of the production broctl’s “scripts” command includes, among other things:
/usr/local/bro-2.2/share/bro/base/utils/site.bro
/usr/local/bro-2.2/spool/tmp/check-config-worker-8/local-networks.bro
/usr/local/bro-2.2/spool/tmp/check-config-worker-8/broctl-config.bro
so I believe it’s loading everything it needs.
Mike