Hey All,
So I run bro instead of broctl. Currently, if I stop a running bro
and start it again, bro overwrites any previous log files. Is there a
way to change this behavior? Thank you.
James
Ok actually two questions:
1) I'm not able to get this to load with either:
@policy/integration/barnyard2
@integration/barnyard2
And from barnyard2 docs:
alert_bro
----------------------------------------------------------------------------
Purpose: Send alerts to a Bro-IDS instance.
Arguments: hostname:port
Examples:
output alert_bro: 127.0.0.1:47757
How do I set the port that bro listens to? Thank you.
James
Hello, I'm trying to sniff HTTP requests, but I don't want to see any kind of pictures like gif, jpg, png ...
What is the earliest stage at which I can block those file extensions? The pcap filter?
I have two questions on the file extraction framework:
1) If I only want to capture files from a specific worker or ip ranges, what is the best/simplest way to ensure that this happens?
- I've tried using f$info$tx_hosts with event file_new, but this seems inconsistently populated, and using f$conns with event file_new seems consistent, but I don't know if it's the best/simplest way.
2) If missing_bytes > 0, what is the best/simplest way to remove the file (and possibly clear it from logging a successful extract in the files.log file)?
- I've tested using event file_state_remove, and I can use system to rm the file, but again I'm not sure this is the best/simplest way, and the files.log continues to show this as extracted.
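One way to do both things the two questions above ask for, written as an added example rather than code from the post: the script uses f$conns (which the poster found to be populated reliably) to decide whether a file is worth extracting, and a file_state_remove handler to drop any extracted file that had gaps. The subnets in extract_nets, the module name and the filename scheme are assumptions for illustration; the handler also relies on the files.log record being written at a lower priority than the default, which is how Bro's file framework orders its own file_state_remove handler, so clearing the field here keeps the incomplete file out of the log.

```bro
@load base/files/extract

module ExtractScope;

export {
	# Assumption: only extract files whose connection touches one of these networks.
	const extract_nets: set[subnet] = { 192.168.1.0/24, 10.0.0.0/8 } &redef;
}

# T if any connection carrying the file has an endpoint inside extract_nets.
function wanted(f: fa_file): bool
	{
	if ( ! f?$conns )
		return F;

	for ( cid in f$conns )
		{
		if ( cid$orig_h in extract_nets || cid$resp_h in extract_nets )
			return T;
		}

	return F;
	}

event file_new(f: fa_file)
	{
	if ( ! wanted(f) )
		return;

	# Filename scheme is an assumption; the extract analyzer stores it in f$info$extracted.
	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}

# Default priority (0) runs before the framework's own handler (priority -10)
# that writes the files.log record, so the field can still be cleared here.
event file_state_remove(f: fa_file)
	{
	if ( f$missing_bytes == 0 )
		return;

	if ( ! f?$info || ! f$info?$extracted )
		return;

	# Remove the gapped file from the extraction directory and unset the
	# logged field so files.log no longer claims a successful extraction.
	system(fmt("rm -f %s/%s", FileExtract::prefix, f$info$extracted));
	delete f$info$extracted;
	}
```

If you want the log to show that an extraction was attempted and discarded, add a boolean field to Files::Info instead of deleting the extracted field; the priority ordering is the same either way.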
Hey all,
So I run bro with:
/usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local
"Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" &
Is there something I can do to add a field that would let me know which
interface the traffic came in on? Obviously in this example it's pretty
simple...private IP space will be on eth0 whereas public will be on
ppp0. I am thinking of scenarios where there might be the same IP space
on several interfaces. Thanks for any guidance.
James
Hello all:
I wanted to poke the hive mind to see if anyone has considered, or is
actively pursuing integrating Yara into a Bro script?
An idea for a script I would like to write is to simply take any file from
a 'file_new' event. Then add something like Files::ANALYZER_YARA that would
do the heavy lifting and take a user defined path to a master Yara file,
scan the file, append the results to either files.log or notice.log, and
finally, extract any file that hit on a signature (for further analysis).
Interested if this is something that has been considered previously? If so,
what were the results? If not, I'm happy to spin off an effort of my own.
Either way I see it as a good project to get into Bro scripting at a deeper
level.
Thanks,
Jason
Hi everyone,
I want to extract the whole message to an .eml file from SMTP traffic. The system event file_new() only saves every MIME entity of an email as a separate file instead of the whole email. This is not what I want.
I tried adding an event handler in ./share/bro/base/protocols/smtp/file.bro:

event smtp_data(c: connection, is_orig: bool, data: string)
	{
	# Print the length of each chunk handed to the handler.
	print fmt("DATA %d", |data|);
	}

I print the size of each data chunk. The sum of all the data sizes is always less than the actual size of the eml file (23137 bytes < 23831 bytes). So what am I missing? And how do I save data to a file in the smtp_data event?
Please help me with the above question if you are free. Thank you a lot!
BR
Robert Yang
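An added example (not the poster's code) of writing the DATA section of an SMTP session back out as one .eml-style file. It assumes that smtp_data hands over one line per call with its terminating CRLF removed, which would also account for the size difference the post describes, so the line ending is re-added on write. The output directory and module name are assumptions.

```bro
module EmlDump;

export {
	# Assumption: where reassembled messages are written.
	const out_dir = "/tmp/eml" &redef;
}

# One open file handle per connection uid, created on the first DATA line.
global handles: table[string] of file;

event smtp_data(c: connection, is_orig: bool, data: string)
	{
	if ( c$uid !in handles )
		{
		mkdir(out_dir);
		handles[c$uid] = open(fmt("%s/%s.eml", out_dir, c$uid));
		}

	# Re-append the CRLF that smtp_data strips from each line.
	write_file(handles[c$uid], data + "\r\n");
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid in handles )
		{
		close(handles[c$uid]);
		delete handles[c$uid];
		}
	}
```

Keying on c$uid means a session that sends several messages lands them in one file; to split per message, rotate the handle when the client's next MAIL FROM arrives in smtp_request.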
Had some questions about the signature framework for detecting an
application protocol.
Is it possible to manipulate bytes for endianness or will they always come
in little endian?
Is it possible to perform bitwise operations on payload bytes so that you
may perform checks against subsets of bits within the byte?
For example, I have to look at the first 4 bits of a big-endian defined
application layer protocol. For my test cases I can match signatures
against a known 8-bit little-endian regex but I'm not sure how to get to 4 bits
because the next 4 bits will change in an operational environment.
If not, I'm guessing I would have to pump all traffic through my binpac
analyzer and do the detection there?
Thanks,
James
Hey all,
A few questions:
1. Is there a proper way to set which logs to send to elasticsearch
that I can use in local.bro instead of modifying
logs-to-elasticsearch.bro? I am assuming that logs-to-elasticsearch.bro
might change in future versions of bro.
2. The docs say to add @load tuning/logs-to-elasticsearch in
local.bro. How can I send bro data to a remote elasticsearch server
instead?
3. And lastly, as I look at the Brownian demo, I see that all the
fields are correctly laid out. Was this done with Brownian, or with
elasticsearch itself?
I'm trying to get bro data into logstash direct, instead of using log
files. Thanks for any insight.
James
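For questions 1 and 2 above, the settings that logs-to-elasticsearch.bro and the ElasticSearch writer export can be overridden from local.bro without editing the shipped script. The snippet below is an added example, not from the original thread; the hostname is a placeholder, and the option names are as I recall them from the export blocks of tuning/logs-to-elasticsearch.bro and the writer, so confirm them against the version you run.

```bro
@load tuning/logs-to-elasticsearch

# Point the writer at a remote cluster instead of the local default.
redef LogElasticSearch::server_host = "es.example.internal";  # placeholder host
redef LogElasticSearch::server_port = 9200;
redef LogElasticSearch::index_prefix = "bro";

# When send_logs is non-empty only these streams are shipped; everything
# else stays with the default ASCII writer.
redef LogElasticSearch::send_logs += { Conn::LOG, HTTP::LOG, DNS::LOG };

# Alternatively leave send_logs empty and just exclude the noisy ones.
redef LogElasticSearch::excluded_log_ids += { Files::LOG };
```

Because these are &redef options, they survive upgrades of the tuning script as long as its export block keeps the same names.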