I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
After being asked if Bro could be used to gather passive intelligence on
OS usage I started investigating places to try to identify OS. I
initially was looking into p0f and Seth showed me a way to invoke the
existing p0f fingerprinting functionality within Bro, but also suggested
a slew of other data sources to look at. I wasn't terribly excited with
the p0f fingerprint output, and while browser user agents may not be the
best data source, I decided to start by looking at platform tokens and
reporting on those instead of the p0f data. This is my first-ish bro
script and it is by no means a complete script (it only matches a
handful of Windows OS). I'm wondering if folks see anything in the
attached that would misbehave badly if used on live traffic instead of
pcaps?
Regards,
--
Gary Faulkner
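Gary's attached script is not included in the digest, so the following is an added example, not his code: a small Bro script in the spirit of what he describes, matching Windows platform tokens in HTTP User-Agent headers from local hosts and logging one row per (host, OS) pair. The token table, the log stream name and the `PassiveOS` module name are assumptions made for this example; the `$path` argument to `Log::create_stream` assumes Bro 2.4 or later.

```bro
# Added example: passive OS identification from User-Agent platform tokens.
# Not the poster's attached script; names and the token table are assumed.
@load base/protocols/http
@load base/utils/site

module PassiveOS;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:    time   &log;
		host:  addr   &log;
		os:    string &log;
		token: string &log;
	};

	## Platform token -> OS name. Constructed for this example; extend as needed.
	const platform_tokens: table[string] of string = {
		["Windows NT 5.1"] = "Windows XP",
		["Windows NT 6.0"] = "Windows Vista",
		["Windows NT 6.1"] = "Windows 7",
		["Windows NT 6.2"] = "Windows 8",
		["Windows NT 6.3"] = "Windows 8.1",
	} &redef;
}

# Remember what has already been logged so a chatty host does not flood
# the log on live traffic; entries age out after a day.
global seen: set[addr, string] &create_expire = 1 day;

event bro_init()
	{
	Log::create_stream(PassiveOS::LOG, [$columns=Info, $path="passive_os"]);
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only the client's request carries the User-Agent we care about;
	# Bro hands header names over upper-cased.
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	# Only fingerprint our own hosts.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;

	for ( tok in platform_tokens )
		{
		# Substring match of the platform token against the header value.
		if ( tok in value )
			{
			local os = platform_tokens[tok];
			if ( [c$id$orig_h, os] in seen )
				return;

			add seen[c$id$orig_h, os];
			Log::write(PassiveOS::LOG, [$ts=network_time(),
			                            $host=c$id$orig_h,
			                            $os=os,
			                            $token=tok]);
			return;
			}
		}
	}
```

The `seen` set is the part that matters for the live-traffic question: without it, every request from a host would produce a log line, which is harmless on a pcap but noisy on a busy link. Note that User-Agent strings are client-supplied, so the result is a hint about the OS, not a verified fact.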
Hi all,
What can be the reason that the smtp entities log file doesn't appear?
All works pretty well in my Bro cluster with this exception (all my
nodes are FreeBSD 10).
Inside worker.bro policy I have:
@load protocols/smtp/software
@load protocols/smtp/detect-suspicious-orig
@load protocols/smtp/entities-excerpt
entities-excerpt calls base/protocols/smtp/entities, correct??
Any idea??
If your organization would be interested in hosting our next Bro
Workshop/Exchange this August, please contact us at info(a)bro.org.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
Quick question when implementing the Intel Framework based on this post:
http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-wi…
Do you need to restart & reinstall BRO for it to grab a new feed? I am going to script up a weekly cif reload and want to make sure.
Thanks
- Tom
- "Life is too short to spend time with people who suck the happy out of you."
Hello,
I’m writing an analyzer for a few protocols which may or may not be layered. That is, a packet may be IP|TCP|ProtoA|ProtoB, or IP|TCP|ProtoC|ProtoB, or IP|TCP|ProtoB, and perhaps other variations. I envision writing separate protocol analyzers for each of those protocols instead of having to account for all the variations in one protocol analyzer. Does Bro/binPAC allow for this, and if so how? If it makes a difference, in this case most of the protocols cannot have useful DPD signatures.
--
Eric Thomas
edthoma(a)sandia.gov
I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
If someone manages to gain access to our file server, zips up 10-20gb of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late, but here it is anyway:
@load base/frameworks/notice

module DataExfiltration;

export {
	redef enum Notice::Type += { data_exfiltration_100mb };
}

event connection_state_remove(c: connection)
	{
	if ( c$orig$num_bytes_ip > 102400000 && c$orig$num_pkts > 1000 )
		{
		# test for internal to external direction
		if ( Site::is_local_addr(c$id$orig_h) )
			{
			if ( ! Site::is_local_addr(c$id$resp_h) )
				{
				NOTICE([$note=data_exfiltration_100mb,
				        $msg="> 100mb of data sent out in a single connection",
				        $conn=c]);
				}
			}
		}
	}
And this in local.bro:
@load DataExfiltration

hook Notice::policy(n: Notice::Info)
	{
	# Braces added: without them only the "add" was conditional, and the
	# email body line ran for every notice, including ones without $conn.
	if ( n$note == DataExfiltration::data_exfiltration_100mb )
		{
		add n$actions[Notice::ACTION_EMAIL];
		n$email_body_sections[|n$email_body_sections|] =
		    fmt("Service: %s\nData sent: %s\nData received: %s",
		        join_string_set(n$conn$service, ","),
		        n$conn$orig$size, n$conn$resp$size);
		}
	}
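The concern above is that `connection_state_remove` only fires once the connection is over. The following is an added example, not the poster's script, showing the mid-connection alternative: arm a per-connection byte threshold when a local host opens a connection to a remote one, and raise the notice from `conn_bytes_threshold_crossed` as soon as the originator crosses it. It assumes the `set_current_conn_bytes_threshold` built-in and the `conn_bytes_threshold_crossed` event, which shipped with Bro 2.4; the notice name, module name and the 100 MB threshold are assumptions for this example.

```bro
# Added example: raise the exfiltration notice while the connection is
# still in progress, instead of waiting for connection_state_remove.
# Assumes Bro 2.4+ (set_current_conn_bytes_threshold /
# conn_bytes_threshold_crossed). Names and threshold are assumed.
@load base/frameworks/notice
@load base/utils/site

module DataExfiltration;

export {
	redef enum Notice::Type += { Exfil_Threshold_Crossed };

	## Originator bytes that trigger the notice (assumed: 100 MB).
	const threshold_bytes = 100 * 1024 * 1024 &redef;
}

# Arm the threshold once the handshake completes, but only for
# internal -> external connections so inbound transfers are ignored.
event connection_established(c: connection)
	{
	if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
		set_current_conn_bytes_threshold(c, threshold_bytes, T);
	}

# Fires during the connection, as soon as the originator's byte count
# crosses the armed threshold.
event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	if ( ! is_orig || threshold != threshold_bytes )
		return;

	NOTICE([$note=Exfil_Threshold_Crossed,
	        $msg=fmt("%s has sent more than %d bytes to %s in one connection",
	                 c$id$orig_h, threshold, c$id$resp_h),
	        $conn=c,
	        # One notice per (src, dst) pair per hour, so a long transfer
	        # does not generate a notice for every connection it spawns.
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=1hr]);
	}
```

The threshold is armed per connection, so a transfer split across many smaller connections will not trip it; a per-host aggregate over a time window (for example with the SumStats framework) is the usual way to cover that case, and a `Notice::policy` hook like the one in local.bro above can still add the email action to `Exfil_Threshold_Crossed`.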
Hello, I’d like to write a protocol analyzer, but I don’t know where to begin. Is BinPAC the recommended method? The documentation for BinPAC describes mostly types, so it’s not enough to get me started. I looked at some of the protocols that have .pac files and it’s way over my head at this stage. I found the BinPAC Sample Analyzer, which appears might be applicable mostly to Bro 1.X. Any other resources that could help?
--
Eric Thomas
edthoma(a)sandia.gov