Hello, all,
I have a question about the intel framework: if a flow matches both an
Intel::ADDR and Intel::CERT_HASH (for example), will the intel framework
generate notice logs for both matches, or just one?
Right now it looks like it's just flagging on one, but I'd like to make
sure I haven't done something wrong.
Thanks.
aaron
Hi everyone, I'm trying to get the ShellShock Detector for Bro (
https://github.com/broala/bro-shellshock) installed. Currently I have the
files on my Bro box and the config updated. But when I try to check the
script I get an error with an unrelated library, see below:
$ ./broctl check
manager failed.
error in /.../bro/share/bro/base/frameworks/sumstats/./main.bro, line
191 and
/.../bro/share/bro/base/frameworks/sumstats/./plugins/./average.bro, line
17: incompatible types (hook(r:record { stream:string; apply:set[enum];
pred:function(key:record { str:string; host:addr; }; obs:record {
num:count; dbl:double; str:string; };) : bool;
normalize_key:function(key:record { str:string; host:addr; };) : record {
str:string; host:addr; }; sid:string; }; val:double; data:record {
num:count; dbl:double; str:string; }; rv:record { begin:time; end:time;
num:count; average:double; };) : bool and hook(r:record { stream:string;
apply:set[enum]; pred:function(key:record { str:string; host:addr; };
obs:record { num:count; dbl:double; str:string; };) : bool;
normalize_key:function(key:record { str:string; host:addr; };) : record {
str:string; host:addr; }; sid:string; }; val:double; obs:record {
num:count; dbl:double; str:string; }; rv:record { begin:time; end:time;
num:count; average:double; };) : bool)
proxy-1 failed.
I'm stuck at this point, so any help is appreciated.
Thanks!
- Alec
I'm trying to collect HTTP events of the same request/response into a
single structure (much like wireshark does) and extract it to an outside
source like a message queue.
What is the best way to approach this problem?
Much Thanks
Hello,
I have a C program which works fine with the broccoli library when Bro has the standalone configuration.
When I try to activate Bro with the manager, proxy and 2 workers configuration, broccoli does not get any events.
Which port should broccoli listen on (manager, proxy, workers)?
Most of the time I use bro-cut, I just want to convert the date to human readable format. Usually I want to do it after I've grepped out logs and left out the bro log headers. How do I get the basic cf functionality back?
--
Eric Thomas
edthoma(a)sandia.gov
Hello all,
I am setting up a service that uses Bro to simply extract exe files from a network stream for sandbox analysis. Currently, everything in my test environment is local.
I have an apache web server that is serving up a few exe files. On the same server, I have bro 2.3.1 running the attached file extraction script below.
The problem is that the extracted file never exactly matches the downloaded file, and the behavior is very inconsistent, i.e. sometimes the file would be extracted and most times the file would not even show up in the file.log log.
I suspect that I need to do something to check for file write completion, but I don't know how to go about doing it as there is no file_done event. There is, however, a file_gap event that I read about.
Has anyone successfully done this?
I am using the loopback device on a linux server.
sudo bro -i lo extract.bro
wget http://localhost/test.exe
================extract.bro=======================================
# Map MIME types to the extension used for the extracted copy; types not
# in the table map to "" and are skipped.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default="";

event file_new(f: fa_file)
    {
    # Skip files with no detected type or a type we do not extract.
    if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
        return;

    local ext = ext_map[f$mime_type];
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
=======================================
Thanks,
Ken
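As an added example (not Ken's script and not part of the original post), the following extends the script above so that the completeness of each extracted file is judged from the file_gap event and from the file_state_remove event, which fires once Bro has finished with a file. It assumes Bro 2.3 with the stock base/files/extract script, which records the extract path in f$info$extracted.

```bro
# Added example, not from the post: extract executables and, once Bro has
# finished with a file, report whether the extracted copy is complete.
# Assumes Bro 2.3 with the stock base/files/extract script loaded.
@load base/files/extract

module ExtractCheck;

export {
    # MIME types worth extracting; the value is the extension to use.
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
    } &default="" &redef;
}

# Gaps reported per file id while the file is in flight.
global gaps: table[string] of count &default=0 &write_expire=1hr;

event file_new(f: fa_file)
    {
    if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# Raised whenever the reassembler had to skip over bytes it never saw.
event file_gap(f: fa_file, offset: count, len: count)
    {
    ++gaps[f$id];
    }

# file_state_remove fires when all analysis of the file is done, so this is
# the earliest point at which the extracted copy can be judged.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # Complete means: no gaps, nothing missing, and (when the size was
    # announced, e.g. via Content-Length) every byte was seen.
    local complete = gaps[f$id] == 0 && f$missing_bytes == 0 &&
                     ( ! f?$total_bytes || f$seen_bytes == f$total_bytes );
    print fmt("%s: %s (seen=%d, missing=%d, gaps=%d)", f$info$extracted,
              complete ? "complete" : "INCOMPLETE, do not trust",
              f$seen_bytes, f$missing_bytes, gaps[f$id]);

    delete gaps[f$id];
    }
```

Packets that Bro discards before analysis never reach the file framework at all; Bro drops segments with bad TCP checksums, which checksum offloading routinely produces for locally generated traffic such as a wget to localhost on lo, so running with -C (ignore checksums) rules that cause out.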
I just posted a quick policy file which should look at header fields
and examine the data section for the telltale formatting of a bash
function.
I have *not* tested this extensively, so please test before deploying.
Happy to update with better regex etc...
https://github.com/set-element/misc-scripts/blob/master/header-test.bro
cheers,
scott
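As an added example (not Scott's header-test.bro and not from the original post), the following Bro 2.3 script shows the check the post describes: it looks at request header values and request body data for the opening of a bash function definition and raises a notice. The notice type, pattern and function names are the example's own.

```bro
# Added example, not Scott's header-test.bro: raise a notice when an HTTP
# request header or body carries the bash function-definition prefix that
# ShellShock relies on. Assumes Bro 2.3 with the notice and http scripts.
@load base/frameworks/notice
@load base/protocols/http

module ShellShockCheck;

export {
    redef enum Notice::Type += {
        # Request header or body opened with a bash function definition.
        Bash_Function_Definition,
    };

    # Bash treats a value beginning "() {" as a function body when it is
    # imported into the environment; that prefix is the telltale.
    const bash_func_pattern = /^[[:space:]]*\(\)[[:space:]]*\{/ &redef;
}

function flag_bash_func(c: connection, where: string, payload: string)
    {
    NOTICE([$note=Bash_Function_Definition,
            $msg=fmt("bash function definition in HTTP %s", where),
            $sub=payload,
            $conn=c,
            # One notice per client/server/location, not one per header.
            $identifier=cat(c$id$orig_h, c$id$resp_h, where)]);
    }

# Only client-supplied headers end up in a CGI process's environment.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( is_orig && bash_func_pattern in value )
        flag_bash_func(c, fmt("header %s", name), value);
    }

# The request body is checked the same way, one entity chunk at a time;
# the pattern is anchored, so only a chunk that opens with "() {" matches.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( is_orig && bash_func_pattern in data )
        flag_bash_func(c, "request body", data);
    }
```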
I just pushed out an expanded take on a ShellShock detector that watches for successful exploitation.
https://github.com/broala/bro-shellshock
It logs all of the possible attacks over HTTP in http.log too.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
All:
I'm having an issue with the proxy service crashing. I was having it on
2.3 and I'm having it on 2.3.1 too. It generally occurs a few minutes
after restarting. I have a _little_ evidence that suggests that it's
stable at lower traffic rates. This is a single node cluster with 16 cores
(32 counting hyperthreading). Below is some hopefully relevant
information. Can anyone provide some tips on what to look at next to
correct the issue?
Thanks
--------------------------------------------------
[e@b3 ~]$ sudo broctl status proxy-3
Name Type Host Status Pid Peers Started
proxy-3 proxy biggsanalyzer3 running 1810 ??? 25 Sep 13:09:07
[e@b3 ~]$ sudo broctl status proxy-3
[sudo] password for eric:
Name Type Host Status Pid Peers Started
proxy-3 proxy biggsanalyzer3 crashed
[e@b3 ~]$ sudo broctl netstats
worker-3-1: 1411666855.350645 recvd=23952666 dropped=0 link=23952666
worker-3-10: 1411666855.550643 recvd=26529426 dropped=0 link=26529426
worker-3-11: 1411666855.750069 recvd=25799879 dropped=0 link=25799879
worker-3-12: 1411666855.952250 recvd=27786138 dropped=0 link=27786138
worker-3-13: 1411666856.152395 recvd=33072225 dropped=0 link=33072225
worker-3-14: 1411666856.352869 recvd=26334798 dropped=0 link=26334798
worker-3-2: 1411666856.554573 recvd=26726716 dropped=0 link=26726716
worker-3-3: 1411666856.754446 recvd=32427073 dropped=0 link=32427073
worker-3-4: 1411666856.955059 recvd=26646497 dropped=0 link=26646497
worker-3-5: 1411666857.156298 recvd=27240324 dropped=0 link=27240324
worker-3-6: 1411666857.356603 recvd=24139487 dropped=0 link=24139487
worker-3-7: 1411666857.555774 recvd=28722053 dropped=0 link=28722053
worker-3-8: 1411666857.757538 recvd=27019501 dropped=0 link=27019501
worker-3-9: 1411666857.126295 recvd=25049180 dropped=0 link=25049180
[e@b3 ~]$ sudo broctl capstats
Interface kpps mbps (10s average)
----------------------------------------
b3/em1 331.7 1146.1
Total 331.7 1146.1
[e@b3 ~]$ sudo broctl diag proxy-3
[proxy-3]
Bro 2.3.1
Linux 3.10.0-123.6.3.el7.x86_64
core.1810
[New LWP 1810]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/local/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p proxy-3'.
Program terminated with signal 6, Aborted.
#0 0x00007fce6a5015c9 in raise () from /lib64/libc.so.6
Thread 1 (Thread 0x7fce6c86c840 (LWP 1810)):
#0 0x00007fce6a5015c9 in raise () from /lib64/libc.so.6
#1 0x00007fce6a502cd8 in abort () from /lib64/libc.so.6
#2 0x000000000059dae1 in Reporter::InternalError (this=<optimized out>,
fmt=fmt@entry=0x7f209b "%s") at /home/e/bro-2.3.1/src/Reporter.cc:137
#3 0x00000000005bc85a in InternalCommError (msg=<optimized out>,
this=0x1915530) at /home/e/bro-2.3.1/src/RemoteSerializer.cc:3231
#4 RemoteSerializer::Poll (this=0x1915530, may_block=may_block@entry=false)
at /home/e/bro-2.3.1/src/RemoteSerializer.cc:1576
#5 0x00000000005bc9df in Poll (may_block=false, this=0x1915530) at
/home/e/bro-2.3.1/src/RemoteSerializer.cc:1413
#6 RemoteSerializer::NextTimestamp (this=0x1915530,
local_network_time=0x7fffa1562040) at
/home/e/bro-2.3.1/src/RemoteSerializer.cc:1380
#7 0x00000000005965fb in IOSourceRegistry::FindSoonest (this=0xaea0d0
<io_sources>, ts=ts@entry=0x7fffa1562108) at
/home/e/bro-2.3.1/src/IOSource.cc:61
#8 0x000000000059fd82 in net_run () at /home/e/bro-2.3.1/src/Net.cc:370
#9 0x0000000000503df8 in main (argc=<optimized out>, argv=<optimized out>)
at /home/e/bro-2.3.1/src/main.cc:1165
==== No reporter.log
==== stderr.log
internal error: unknown msg type 115 in Poll()
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 1810 Aborted (core dumped) nohup $mybro "$@"
==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
==== .cmdline
-U .status -p broctl -p broctl-live -p local -p proxy-3 local.bro broctl
base/frameworks/cluster local-proxy broctl/auto
==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/home/e/perl5/bin:/usr/local/bro/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/e/.local/bin:/home/e/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=proxy-3
==== .status
TERMINATED [internal_error]
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
[e@b3 ~]$ cat /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
#
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
#[bro]
#type=standalone
#host=localhost
#interface=eth0
## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.
[manager]
type=manager
host=b3
[proxy-3]
type=proxy
host=b3
[worker-3]
type=worker
host=b3
interface=em1
lb_method=pf_ring
lb_procs=14
#pin_cpus=4,6,8,10,12,14,16,18,20,22,24,26,28,30