Folks,
Fairly new Bro user, still figuring things out.
I recently changed my local.bro file to call hash-all-files, viz.:
======
#### Network File Handling ####
# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files
======
and I've confirmed that it seems to be loading - "broctl check" seems to
return OK, and errors out if I tweak the path so it's invalid. However,
I'm not seeing any checksums in the logs/YYYY-MM-DD/file.* files or
anywhere else.
Is there another piece I need to configure? Might I be looking in the wrong
place? Is there any telemetry I can bring to bear to debug this?
Thanks for any info or assistance,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
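Added example, not part of the post above and not Bro's shipped hash-all-files script: a small script that attaches the MD5 and SHA1 analyzers itself (the same two calls hash-all-files makes) and, as the telemetry the poster asks for, counts how many files finished without a hash and reports the totals through the Reporter framework at shutdown. Names (HashCheck, files_without_hash) are mine; it assumes Bro 2.3's Files framework, where Files::Info carries optional md5/sha1 fields that only appear in files.log when the analyzers actually ran.

```bro
# Added example (not the poster's configuration). Load from local.bro with
# @load ./hash-check, or run against a pcap: bro -r trace.pcap hash-check.bro
module HashCheck;

export {
	## Files that reached end-of-file without an MD5 (assumption: a missing
	## md5 means the analyzer never attached or never completed).
	global files_without_hash: count = 0;
	## All files the Files framework handed us.
	global files_seen: count = 0;
}

event file_new(f: fa_file)
	{
	# Same analyzers hash-all-files adds; both populate Files::Info fields
	# that are written to files.log when the file is removed from state.
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	}

event file_state_remove(f: fa_file)
	{
	# Runs at default priority 0, before the Files framework writes the
	# files.log entry at priority -10, so f$info reflects what will be logged.
	++files_seen;
	if ( ! f?$info || ! f$info?$md5 )
		++files_without_hash;
	}

event bro_done()
	{
	# Lands in reporter.log (and on stderr when run by hand), giving a
	# quick check of whether hashing happened at all on this node.
	Reporter::info(fmt("HashCheck: %d files seen, %d finished without an MD5",
	                   files_seen, files_without_hash));
	}
```

If files_seen stays at 0 on a worker, the problem is upstream of hashing (no file-carrying protocols are being parsed on that node); if files are seen but most have no MD5, look at whether the file bodies are actually being delivered (missing segments, truncated captures) rather than at the hash-all-files load line.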
Hi all
I am running Bro 2.3.1 with Bro cron enabled + pfring + broctl
bro is running fine.
in the logs/stats/www/ directory I get
591144 Nov 28 14:30 manager.cpu.csv
15 Jul 18 11:07 manager.in.csv
15 Jul 18 11:07 manager.mbps.csv
856410 Nov 28 14:30 manager.mem.csv
24 Jul 18 11:07 manager.pkts.csv
Of these files,
I only get data for manager.cpu.csv and manager.mem.csv.
The rest of the files have only a header.
If I want to populate the rest of the files, do I have to set up something?
Thank you
Hi.
A script that is a slightly modified version of what's shipped with Bro,
gives me interesting results
The script source
http://michal.pastebin.mozilla.org/7542181
Take a look at lines
1. local key_length = cert$key_length;
2.
3. if ( key_length < notify_minimal_key_length )
4. NOTICE([$note=Weak_Key,
I can see (in notice.log) warnings about a host using a 1024 bit certificate.
Well, the minimal acceptable length is set to 1024 so I should not get any
warnings.
notice.log
1416937779.196106 CoZK6Z1Y61rsevYSCd 63.245.221.32 34715 10.22.72.139 13000 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 63.245.221.32 10.22.72.139 13000 - nsm7-eth4-6 Notice::ACTION_LOG 86400.000000 F
The ssl.log and x509.log show that the connection was over SSL, and the
certificate is 1024 bit.
Hi all
I'm working on some Bro scripts to log events directly to graphite and/or
statsd. I have a working setup which builds a command string to be passed
to Exec::run (or just plain old system()) that looks something like:
echo 'some.graphite.metric 123' | nc -u -w 1 graphitehost port
echo 'some.statsd.metric:123|c' | nc -u -w 1 statsdhost port
So this has to go to the shell every time, and it depends on netcat.
I'm looking for a more elegant way to send UDP packets directly from Bro
scripts, but can't find anything so far. Any ideas?
Thanks
Wouter
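Added example, not Wouter's script: the same netcat approach, but using the Exec framework's stdin support so the metric line never goes through the shell command string. That matters once metric names are derived from traffic (a host name or URI in a metric path could otherwise inject shell syntax into the `echo '...'` form). Module and function names, the host/port constants and the name whitelist are my assumptions; it still depends on `nc` being installed, as the post notes.

```bro
# Added example (not from the original post). Bro 2.3's Exec::run accepts a
# $stdin string and runs the command asynchronously under a when block.
module Metrics;

export {
	# Placeholder destinations; override with redef in local.bro.
	const graphite_host = "127.0.0.1" &redef;
	const graphite_port = 2003 &redef;
	const statsd_host = "127.0.0.1" &redef;
	const statsd_port = 8125 &redef;
}

## Metric names are restricted to a safe alphabet. Anything else is dropped
## rather than forwarded, so no quoting trick in a name can reach the shell.
function safe_metric_name(name: string): bool
	{
	return /^[A-Za-z0-9_.-]+$/ == name;
	}

## Send one line as a UDP datagram. The payload travels on stdin; only the
## fixed host/port (trusted configuration) appear in the command string.
function send_udp_line(dst_host: string, dst_port: count, line: string)
	{
	local cmd = fmt("nc -u -w 1 %s %d", dst_host, dst_port);
	when ( local r = Exec::run([$cmd=cmd, $stdin=line]) )
		{
		if ( r$exit_code != 0 )
			Reporter::warning(fmt("metric send to %s:%d failed (exit %d)",
			                      dst_host, dst_port, r$exit_code));
		}
	}

## Graphite plaintext protocol: "<path> <value> <unix-timestamp>\n".
function graphite(metric: string, value: count)
	{
	if ( ! safe_metric_name(metric) )
		{
		Reporter::warning(fmt("refusing unsafe graphite metric name: %s", metric));
		return;
		}
	local ts = double_to_count(time_to_double(network_time()));
	send_udp_line(graphite_host, graphite_port, fmt("%s %d %d\n", metric, value, ts));
	}

## statsd counter: "<name>:<value>|c".
function statsd_counter(metric: string, value: count)
	{
	if ( ! safe_metric_name(metric) )
		{
		Reporter::warning(fmt("refusing unsafe statsd metric name: %s", metric));
		return;
		}
	send_udp_line(statsd_host, statsd_port, fmt("%s:%d|c", metric, value));
	}

# Usage: one metric per new connection, keyed by service, with the name
# guarded by safe_metric_name() since the service string comes from traffic.
event connection_established(c: connection)
	{
	local svc = |c$service| > 0 ? join_string_set(c$service, "_") : "unknown";
	statsd_counter(fmt("bro.conn.established.%s", svc), 1);
	}
```

This is still a process spawn per datagram, so on a busy sensor it belongs behind a batching layer (accumulate counts in a table and flush once per interval); the stdin trick only removes the injection surface, not the cost of the shell round trip.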
Lo All,
Is there a way to extend Bro to add a "worker" field in the files.log? I'd
like to know where the packets are being processed.
I'm doing file carving and the carved files are stored locally to each
respective worker. Finding the interface the files crossed is pretty
difficult in a large network.
Also, it would be nice to extend other logs to see what traffic is crossing
what workers in order to map the network.
Maybe this is already possible, but I couldn't find much, and I'm pretty
new at brogramming.
--
Regards,
Matt Clemons
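Added example, not Matt's code: one way to get the node name into files.log and conn.log is to extend the log records with an optional field and fill it just before each entry is written. It assumes Bro 2.3's Files and Conn frameworks (files.log is written from file_state_remove at priority -10, conn.log from connection_state_remove at priority -5, so a handler at the default priority 0 runs first) and that `peer_description` holds the broctl node name such as "worker-1"; the `worker` field name and the function name are mine.

```bro
# Added example (not the original poster's script). Load from local.bro,
# e.g. @load ./worker-field, on every node; each worker fills in its own name.

redef record Files::Info += {
	## Node that processed this file; lets carved files be found on the
	## worker that holds them.
	worker: string &log &optional;
};

redef record Conn::Info += {
	## Node that processed this connection; useful for mapping which
	## worker (and hence which tap/interface) sees which traffic.
	worker: string &log &optional;
};

## Assumption: broctl sets peer_description to the node name ("worker-1");
## a standalone bro process reports the default "bro".
function node_name(): string
	{
	return peer_description;
	}

event file_state_remove(f: fa_file)
	{
	# Runs before the Files framework's own handler writes files.log.
	if ( f?$info )
		f$info$worker = node_name();
	}

event connection_state_remove(c: connection)
	{
	# Runs before the Conn framework's handler writes conn.log.
	if ( c?$conn )
		c$conn$worker = node_name();
	}
```

After reloading the cluster, both logs gain a trailing `worker` column; because the field is `&optional`, connections or files that never reach the handler (for example, when a script aborts early) log "-" rather than failing.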
Hi All,
I am running the latest version of Bro and I would like to exclude (not log at all) events from specific IPs.
Can someone provide me with a link/info on how to do this?
Thanks for your time.
Regards
Ioannis
Hi
I have excluded IPs using these commands:
local.bro:
redef PacketFilter::enable_auto_protocol_capture_filters = F;
redef capture_filters = { ["all"] = "ip or not ip" };
local-worker.bro:
redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };
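Added example, not the reply's configuration: the same restrict_filters mechanism, but with the excluded hosts kept in a redef-able set so the BPF expression is generated rather than hand-edited, and so a long list of hosts does not become a single error-prone string. It assumes Bro 2.3's PacketFilter framework, where restrict_filters entries are ANDed onto the capture filter and installed by the framework's own bro_init handler (priority -5); the addresses, module and function names are placeholders of mine.

```bro
# Added example (not from the original reply). Excluding at the capture
# filter removes the hosts from every log, conn.log included; keep that in
# mind, because traffic from those hosts is then invisible to detection too.
module ExcludeHosts;

export {
	## Hosts whose traffic should never reach Bro. Placeholder addresses;
	## override in local.bro with: redef ExcludeHosts::excluded += { 192.0.2.10 };
	const excluded: set[addr] = { 10.0.0.1, 10.0.0.2 } &redef;
}

## Build "not (host A or host B ...)" from the set. Addresses are typed as
## addr, so nothing but valid IPs can end up in the filter string.
function build_filter(hosts: set[addr]): string
	{
	local parts: vector of string = vector();
	for ( h in hosts )
		parts[|parts|] = fmt("host %s", h);
	return fmt("not (%s)", join_string_vec(parts, " or "));
	}

# Priority 10 so the entry exists before PacketFilter installs the filter.
event bro_init() &priority=10
	{
	if ( |excluded| > 0 )
		restrict_filters["excluded-hosts"] = build_filter(excluded);
	}
```

The filter that was actually installed is recorded in packet_filter.log, which is the place to confirm the exclusion took effect on each worker; with the "ip or not ip" capture filter from the reply above, the combined expression becomes `(ip or not ip) and (not (host 10.0.0.1 or host 10.0.0.2))`.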
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
A few days late: Bro Monthly #3 is here and covers
Bro Meet-ups, a new category to inform you about Bro related gatherings,
news on ISLET, two new Bro publications, and more.
http://blog.bro.org/2014/11/bro-monthly-3.html
- - The Bro Team
- --
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris(a)bro.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJUbn8uAAoJEFIoZlhdVQyUb2QP/j+jLW+4ljI5n4oSw+fOZj7w
N1oG1kzjezoCDsEEAZIfqdWyr1U5d1hFcjqqYHt9d0xYk5bsHNdVx/jmTYNn5j4N
HkenLxbE1H32hrWs9LLWCND8TLikpDNrdsXCMewqIQZ2YVZ26ObrYjJoc4HAzy5w
g8LzwNIVmlg9f5/uVz09ujNByCM2Bilygb5kLe6RfzLhzbulhwCiYQ6v8K6slEKs
DC9Pn3npqculmG1ND6sa2tVDYO3Nni2qo1J0MuTR6+LMmd7CTghwFKfnApSQfHoO
2PMrRo82VLV76FFCUsXuMafpVhjsqeJJ2tO2SuytbBtWvobSd9XfbD29+yKAgTmN
TyosKU3XKLCKI4VFEu8+msIzs6VTHwOv8daYNjF6d2kD9fDP7Zg7qjboN1FK6cHc
xxdWbnO/XhugQZ9+d4ImQU46j/wzpyogwGTEsdDcnrD2Kbb7SJ/3F9YpbMfGb9Od
EY8CUnkAL9ukQEV4MBI9DOHqoJmM/9eff/f7s4CXv8NkpyDTJ5HcOcxyIYeWbNMn
vcq9er+FFomuC72uRFlyex8iiSlN7oDPhF8IH/1uZtevQNNZL4HvJBzbK6T116LB
3QThSrNgQ52KWPdQ5iGGxsjihmSkSoaTkucTiThrRfjeq16xobORatlMtx+alJx8
XcIktIaAYmk0/SfHBSq6
=p8zV
-----END PGP SIGNATURE-----
Folks,
1. Is this list archived?
2. Is there a FAQ/etiquette guide/standards guide for this list?
Thanks,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office