I am getting a Dependency is not satisfiable: libc6(<2.12) error message.
I have run the required dependency:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev
But I have version 2.17
Can someone assist me with this?
VR
Jerry Champion
Information Security Engineer
Synovus Financial Corp
706-644-4589
Looking through the archives, it looks like this has come up, but I'll ask
it again since it doesn't look like it's been asked recently. Does bro support
bitwise operations such as 'and', 'or', and 'xor'?
all,
I will apologize up front for my lack of knowledge in this subject, but after 3 weekends of 8 to 12 hours searching I have officially hit the end of the road, so I am reaching out to the community hoping you all might have some answers. What I'm trying to do is simple in context; I just don't know the language well enough to do it. Here is the logic.
if (http connection established and method is post)
check to see have we visited this site before (compare against master list (or table))
if visited this site before
------ignore connection
if site is newly visited
------add site to list or table, and alert
really simple in logic but for the life of me I cannot figure out how to add to a list or table after comparing to that table. Hopefully I explained this well enough, but if I didn't please let me know and I will try my best to explain it better.
thanks,
Brian,
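The logic above, written out as a Bro script. This is an added example, not code from the poster or from the Bro distribution; the module name NewPostSite, the notice type New_Post_Site and the set name seen_sites are chosen here. It keys the "master list" on the HTTP Host header, ignores POSTs to a host already in the set, and otherwise adds the host and raises a notice.

```bro
# new-post-sites.bro: added example, not the poster's code and not part of
# the Bro distribution. Module, notice and set names are assumptions.
module NewPostSite;

export {
    redef enum Notice::Type += {
        ## Raised the first time an HTTP POST is seen to a given Host.
        New_Post_Site,
    };

    ## The "master list": Host header values already seen receiving a POST.
    ## Entries expire after a week so the set cannot grow without bound.
    global seen_sites: set[string] &create_expire = 7 days;
}

# HTTP::log_http fires once per HTTP transaction, just before its http.log
# entry is written, so both the method and the Host header are populated.
event HTTP::log_http(rec: HTTP::Info)
{
    if ( ! rec?$method || rec$method != "POST" )
        return;

    # No Host header (e.g. a bare HTTP/1.0 request): nothing to compare.
    if ( ! rec?$host )
        return;

    local site = to_lower(rec$host);

    # Visited before: ignore the connection.
    if ( site in seen_sites )
        return;

    # Newly visited: add to the list, then alert.
    add seen_sites[site];

    NOTICE([$note=New_Post_Site,
            $msg=fmt("First HTTP POST observed to %s", site),
            $id=rec$id,
            $identifier=site]);
}
```

Load it from local.bro with @load, or try it on a capture with `bro -r trace.pcap new-post-sites.bro` and look at notice.log. The set lives in memory, so it starts empty on every restart and, in a cluster, each worker keeps its own copy; a list that must survive restarts or be shared needs to be fed from a file through the Input framework instead.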
So, according to the docs, Bro stores strings, internally, as a vector of
bytes (and a count). Is there any way to actually get access to the bytes as
ints or counts in a bro script? Looking at the bro cheatsheet, I didn't see
any functions that could convert a string to any sort of integer related
format. The thing that came closest was bytestring_to_hexstring, but that
still returns a regular string (except with all bytes converted to string
hex). Is there any function I'm missing that converts a string to a vector
of count or something similar?
Hi
I've been playing with notice alerts and was wondering if it's possible to
get the alert below to show the unique hosts that it scanned. If not
possible via an alert, what would be the best way in Bro to find these
hosts? Thanks!
[Bro] Scan::Address_Scan
Message: 192.168.xxx.xxx scanned at least 27 unique hosts on port 80/tcp in
1m56s
Sub-message: local
Address: 192.168.xxx.xxx
Email Extensions
----------------
orig/src hostname: xxxxxxxxxxxxxxx
A beta version of Bro 2.3 is now available for testing and can be downloaded from:
https://bro.org/download/index.html
The NEWS/CHANGES files also linked on that page contain highlights/details.
Feel free to use this mailing list or the bug tracker (tracker.bro.org) to provide feedback or report problems.
- Jon
Hi
I went to look at the files.log today, but I can't see the bro directory:
xxxxxxx@xxxxxxx:/etc/nsm$ ls
administration.conf essorgso-eth2 pulledpork securityonion
sensortab templates
xxxxxx-eth1 ossec rules securityonion.conf servertab
xxxxxxx@xxxxxxxx:/etc/nsm$ cd bro
-bash: cd: bro: No such file or directory
xxxxxx@xxxxxxx:/etc/nsm$
But I can see the data is there:
xxxxxxx@xxxxxxxx:~$ sudo ls -lah /nsm/bro
total 44K
drwxr-xr-x 5 root root 4.0K Sep 4 2013 .
drwxr-xr-x 6 root root 4.0K May 16 21:10 ..
drwxr-xr-x 2 root root 28K May 21 22:22 extracted
drwxr-xr-x 9 root root 4.0K May 21 22:03 logs
drwxr-xr-x 22 root root 4.0K May 21 22:20 spool
xxxxxxxx@xxxxxxxxxxx:~$ sudo ls -lah /nsm/bro/logs
total 228K
drwxr-xr-x 9 root root 4.0K May 21 22:03 .
drwxr-xr-x 5 root root 4.0K Sep 4 2013 ..
drwxr-xr-x 2 root root 20K May 17 00:00 2014-05-16
drwxr-xr-x 2 root root 36K May 18 00:00 2014-05-17
drwxr-xr-x 2 root root 40K May 19 00:00 2014-05-18
drwxr-xr-x 2 root root 40K May 20 00:00 2014-05-19
drwxr-xr-x 2 root root 36K May 21 21:34 2014-05-20
drwxr-xr-x 2 root root 36K May 21 22:03 2014-05-21
lrwxrwxrwx 1 root root 22 May 21 22:03 current -> /nsm/bro/spool/manager
drwxr-xr-x 3 root root 4.0K May 16 21:10 stats
I've stopped bro, did broctl check, then install and then start with no
errors.
Anyone have any ideas? I haven't messed with permissions, but it
definitely seems to be a permission issue.
Thanks
Damon
Hi Everyone
I'm pretty new to BRO and have a quick question about setting up alerts
from Bro. Inside my local.bro file I have what's below
(which works great). If I uncomment the emailed_types redef, Bro errors
out after running: sudo broctl install && sudo broctl restart.
The error is: manager terminated immediately after starting; check output
with "diag"
Can you only have one redef statement in the local.bro file? Or did I make
a mistake somewhere?
hook Notice::policy(n: Notice::Info)
{
add n$actions[Notice::ACTION_EMAIL];
}
# redef Notice::emailed_types += {
HTTP::Incorrect_File_Type,
SSH::Interesting_Hostname_Login,
HTTP::Malware_Hash_Registry_Match,
APT1::Domain_Hit,
APT1::Certificate_Hit,
APT1::File_MD5_Hit,
};
redef Notice::ignored_types += { SSL::Invalid_Server_Cert };
Thanks!
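A local.bro fragment with several redef statements side by side, added here as an example; it is not the poster's file. Any number of redef statements may appear in one file. The notice types used below come from the standard policy scripts loaded at the top; the @load lines and the Scan::Address_Scan condition in the hook are choices made for this example. A type whose defining script is not loaded is an undefined identifier, the parse fails, and the manager terminates immediately after starting, which is one way to get exactly the error quoted above.

```bro
# local.bro fragment: added example, not the poster's file and not part of
# the Bro distribution.
@load misc/scan
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/detect-bruteforcing
@load protocols/ssl/validate-certs

# Several redef statements in one file are fine. Each one is a complete
# statement, including the closing "};" of its set literal; commenting out
# only the first line leaves a dangling block that will not parse.
redef Notice::emailed_types += {
    SSH::Interesting_Hostname_Login,
    SSH::Password_Guessing,
};

redef Notice::ignored_types += { SSL::Invalid_Server_Cert };

# Notice::emailed_types already adds ACTION_EMAIL for the types listed
# above. A hook that adds ACTION_EMAIL unconditionally emails every notice,
# so this hook adds the action only for address scans from a local host.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Scan::Address_Scan && n?$src && Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];
}
```

Run `broctl check` after editing: it parses the scripts and prints the offending line and identifier without restarting anything, which is quicker than reading `broctl diag` after a failed start.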
Hello.
I am running Bro 2.2 from the RPM downloaded from bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randall's talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ
I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:
# Load the Intel Framework to be used with mal-dnssearch for
# Threat Intelligence data analysis and correlation
# http://www.bro.org/sphinx-git/frameworks/intel.html
# http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
#
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/opt/bro/feeds/alienvault.intel",
"/opt/bro/feeds/botcc.intel",
"/opt/bro/feeds/ciarmy.intel",
"/opt/bro/feeds/et_ips.intel",
"/opt/bro/feeds/malhosts.intel",
"/opt/bro/feeds/malips.intel",
"/opt/bro/feeds/mandiant.intel",
"/opt/bro/feeds/mayhemic.intel",
"/opt/bro/feeds/rbn.intel",
"/opt/bro/feeds/snort.intel",
"/opt/bro/feeds/tor.intel",
};
The various intel files follow the format and fields are separated by tabs; the feeds were downloaded with mal-dnssearch and the intel files created with the mal-dns2bro script.
[root@bro-anal01 feeds]# head alienvault.intel
#fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
I've restarted Bro and I am not seeing any Intel events; the intel.log has not been created and no intel entries are logged in notice.log. I have created traffic towards some of the IP-addresses listed in the various i
[root@bro-anal01 logs]# ls -la current/intel.log
ls: cannot access current/intel.log: No such file or directory
[root@bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
PacketFilter::Dropped_Packets
SSH::Password_Guessing
SSL::Invalid_Server_Cert
Scan::Address_Scan
[root@bro-anal01 bin]# ./bro -v
./bro version 2.2
What am I doing wrong? Am I running the wrong version (Bro 2.2 from the RPM downloaded from bro.org) and is the Intel framework only supported on the bleeding-edge Bro from github?
Kim Halavakoski - CISM
kim(a)blackcatsec.net
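A small script to separate "the framework is not wired up" from "the feed files are not being read", added here as an example; it is not the poster's configuration and not part of the Bro distribution. It inserts one indicator directly with Intel::insert, bypassing the file reader, and prints every Intel::match. The module name IntelCheck, the source label and the indicator 198.51.100.7 (a documentation address, used as a constructed test value) are assumptions.

```bro
# intel-check.bro: added example, not the poster's code and not part of
# the Bro distribution. Module name, source label and the test indicator
# are assumptions.
@load frameworks/intel/seen
@load frameworks/intel/do_notice

module IntelCheck;

# Insert one indicator directly, bypassing Intel::read_files, so a hit on
# it proves the framework, the seen scripts and do_notice are all active.
event bro_init()
{
    Intel::insert([$indicator="198.51.100.7",
                   $indicator_type=Intel::ADDR,
                   $meta=[$source="intel-check", $do_notice=T]]);
}

# Print every match so hits are visible on stdout (with bro -r) as well as
# in intel.log and, for do_notice=T items, in notice.log.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
{
    for ( item in items )
        print fmt("intel hit: %s (%s) from source %s seen %s",
                  s$indicator, s$indicator_type, item$meta$source, s$where);
}
```

Load it next to the Intel::read_files redef. If traffic to 198.51.100.7 produces a hit but traffic to the feed addresses never does, the feed files are the problem rather than the framework: the Input framework's ASCII reader expects the #fields header and every data line to be tab-separated, and it reports lines it cannot parse (space-separated columns, a field count that does not match the header) to reporter.log rather than silently dropping them, so that log is the place to look next.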