Hi -
Our Medschool uses the IBM Qradar SIEM tool, and we have a project to expand it to cover the rest of the University. Since we have a SIEM now, I figured I might as well put the best logs I have in it - which include BRO logs: http, dns, conn, etc.
IBM is asking me the following question: Is BRO able to forward raw flow data that has not been normalized or altered?
I'm pretty sure the answer is no because I have worked with raw flow data with flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using BRO with a SIEM and what those setups might look like.
Thanks,
-Brian
Brian Allen, CISSP
Information Security Manager
Washington University
brianallen(a)wustl.edu
314-935-5380
Hi,
I have some questions about the priority keyword: I'll try to explain with an
example.
If I make a script able to write a new log file
------snippet code.bro------
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
	{
	if ( c$id$orig_p == 138/udp )
		{
		# ...do something and write in my custom log file...
		}
	}
-------------------------------------
Does my custom dns_message event override the standard event?
Is the standard event executed or not in this case?
Should I find the same packet logged in dns.log and in my custom log or not?
Does it depend on the priority keyword? And what happens if I set priority = -5?
Thanks
Vito
Hi All,
Is anyone using the following attributes? How are you using them? I
believe some of these have been deprecated.
&rotate_interval
&rotate_size
&mergeable
&synchronize (I think there was a post earlier last month about this one)
&persistent
&group
&add_func
&delete_func
&encrypt (applying this to a file causes Bro to "elegantly terminate" for me)
bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt'
What is the purpose of the unknown port type? And why do they only
range from 0-255? Compare the results of the following commands.
bro -e 'print 0/unknown; print 255/unknown;'
bro -e 'print 0/unknown; print 255/unknown; print 256/unknown;'
How are ports flattened? See the results of the following command.
bro -e 'print 0/udp; print |0/udp|; print |32/tcp|; print |11/tcp|; print |132/unknown|; print 132/unknown;'
Any insights are appreciated.
-AK
Hi,
we are trying to use the sqlite logger with a simple cluster configuration
(SecurityOnion with manager, proxy and one worker on the same machine).
We added a module to $PREFIX/share/bro containing just the example
script from bro.org [1]. After restarting bro (using broctl restart
--clean) the manager will crash on the next connection.
However if we start bro using standalone mode the script works as
intended. The database file is created and the connections are added.
Switching back to cluster mode, everything works now.
Removing the database file and creating an empty one using the schema
extracted previously will also crash the manager in cluster mode.
We are a little bit puzzled about what went wrong here and how to get the
sqlite logger working in cluster mode. Did we miss something or is this
a bug (or a feature)?
Best regards
Christian
[1] https://www.bro.org/sphinx-git/frameworks/logging-input-sqlite.html
Hi,
Is there a way I can append additional -D args to the
CFLAGS and CXXFLAGS when I first ./configure bro to build?
There is a comment in ./configure --help I don't understand:
Influential Environment Variables (only on first invocation
per build directory):
CC C compiler command
CFLAGS C compiler flags
CXX C++ compiler command
CXXFLAGS C++ compiler flags
Dear,
BroFile::Write() in src/File.cc,
len = fwrite(data, 1, len, f);
if ( len <=0 )
return false;
Maybe the method used to check the return value of fwrite is incorrect. We should call ferror to check the file operation's result. The following is the fix.
len = fwrite(data, 1, len, f);
if ( ferror(f) ) {
clearerr(f);
return false;
}
Would you please verify this question?
Thanks!
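As an added illustration of the point raised above (not code from Bro's src/File.cc), the routine below applies both checks to an fwrite() call: it compares the returned count with the requested length and consults ferror(), and two small demos (one on a read-only stream, one round-tripping through a temporary file) show each path. The enum and demo names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Outcome of one buffered write (enum constructed for this example). */
enum write_status { WRITE_OK, WRITE_SHORT, WRITE_ERROR };

/* Write exactly len bytes to f. fwrite() returns the item count as an
 * unsigned size_t, so "len <= 0" on that value only catches a zero-byte
 * result and never a partial write. Compare the count with the request
 * and consult ferror() for the stream's error indicator, as proposed. */
enum write_status write_all(FILE *f, const char *data, size_t len)
{
    size_t n = fwrite(data, 1, len, f);
    if (ferror(f)) {
        clearerr(f);   /* reset the indicator, as in the proposed fix */
        return WRITE_ERROR;
    }
    return (n == len) ? WRITE_OK : WRITE_SHORT;
}

/* A stream opened read-only: fwrite() returns 0 and sets the error
 * indicator, so ferror() reports the failure. */
enum write_status demo_readonly_stream(void)
{
    FILE *ro = fopen("/dev/null", "r");
    if (ro == NULL)
        return WRITE_ERROR;
    enum write_status s = write_all(ro, "hello", 5);
    fclose(ro);
    return s;
}

/* Round trip through a temporary file: the write succeeds and the
 * bytes read back match what was written. */
enum write_status demo_tmpfile_roundtrip(void)
{
    const char msg[] = "bro log line\n";   /* constructed sample record */
    char buf[sizeof msg];
    FILE *f = tmpfile();
    if (f == NULL)
        return WRITE_ERROR;
    enum write_status s = write_all(f, msg, sizeof msg - 1);
    if (s == WRITE_OK) {
        rewind(f);
        size_t got = fread(buf, 1, sizeof msg - 1, f);
        if (got != sizeof msg - 1 || memcmp(buf, msg, got) != 0)
            s = WRITE_ERROR;
    }
    fclose(f);
    return s;
}
```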
Hi,
I want to filter machine name registration on port 137/udp: as you know,
all traffic there is based on the NetBIOS protocol.
I've seen the Bro source code and it seems that the traffic on this port is managed
by the DNS analyzer and not directly by a NetBIOS analyzer.
How can I filter NetBIOS name service registration?
Regards,
Vito
Hi every one
I'd like to know whether there is any way Bro could decrypt an SSL session.
If I have the private open keys from each side, can I use this information
to decrypt the SSL session and log it?
If Bro can do it, could you point me in the right direction?
I tried searching bro.org and the Bro mailing list but can't find any answer.
Thank you
Hi,
Do I need another package other than libmagic-dev ?
Linking CXX executable bro
CMakeFiles/bro.dir/util.cc.o: In function `bro_init_magic(magic_set**,
int)':
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1705: undefined
reference to `magic_open'
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1712: undefined
reference to `magic_error'
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1717: undefined
reference to `magic_load'
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1719: undefined
reference to `magic_error'
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1722: undefined
reference to `magic_close'
CMakeFiles/bro.dir/util.cc.o: In function `bro_magic_buffer(magic_set*,
void const*, unsigned long)':
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1729: undefined
reference to `magic_buffer'
/work/jpd/dyn/src/dynect2/edge_processing/bro/src/util.cc:1732: undefined
reference to `magic_error'