I was seeing 60% packet loss rate. After some aggressive BPF filtering, it
went down to about 15%-20%.
Are you using a big box? Mine is 24 core CPU with 64GB mem. There is an
email thread about Bro with 10G card and many people also see pretty
significant packet loss.
It would be great if you can share your configs and also your traffic
On Tue, Jan 27, 2015 at 1:35 PM, Greg Williams <gwillia5(a)uccs.edu> wrote:
> Why do you want to use it? I’m using security onion with Bro and 2x2
> Intel x520 10Gb cards and have no packet loss with the base SO
> Greg Williams, M.E., ISA, GPEN, GCFE
> Director of Networks and Infrastructure
> Interim IT Security Manager/Information Security Officer/HIPAA Security
> University of Colorado Colorado Springs - Department of Information
> Phone: 719-255-3211
> *From:* bro-bounces(a)bro.org [mailto:email@example.com] *On Behalf Of *Clement
> *Sent:* Tuesday, January 27, 2015 2:22 PM
> *To:* bro(a)bro.org
> *Subject:* [Bro] Use PFRING_ZC for Bro
> Hi all,
> I am trying to use PFRING_ZC for Bro in my security onion box. I got the
> license from ntop but there was little document on how to enable this.
> Would appreciate any help/pointer to docs. I will compile a step-by-step
> instructions if I get this working.
> I have the Intel 82599EB 10G card and the ixgbe-zc driver installed.
> #dkms status
> ixgbe-zc, 3.22.3, 3.13.0-44-generic, x86_64: installed
> pf_ring, 6, 3.13.0-35-generic, x86_64: installed
> pf_ring, 6, 3.13.0-44-generic, x86_64: installed (WARNING! Diff between
> built and installed module!)
> pfring, 6.0.3, 3.13.0-44-generic, x86_64: installed
> not sure what to do next and how to enable it for Bro.
I posted about this last August here:
I also noticed someone have a disappearing log event which I have seen
before as well here:
I documented my process on installing bro on Ubuntu 14.04 using just log
sudo apt-get -y install cmake
sudo apt-get -y install python-dev
sudo apt-get -y install swig
cp /opt/bin/startbro <- command line bro with long --filter line
cp /opt/bin/startbro to /etc/rc.local
sudo ln -s /usr/local/bro/bin/bro /usr/local/bin/
sudo ln -s /usr/local/bro/bin/bro-cut /usr/local/bin/
sudo ln -s /usr/local/bro/bin/broctl /usr/local/bin/
-s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
-s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
-s /usr/local/bro/share/broctl/scripts/create-link-for-log /usr/local/bin/
-s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
git clone https://github.com/jonschipp/mal-dnssearch.git
sudo make install
specifics on log rotate only:
add the below to local.bro
redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";
edit the below in broctl.cfg
MailTo = jlay(a)slave-tothe-box.net
LogRotationInterval = 86400
sudo /usr/local/bro/bin/broctl install
Besides the edits to broctl.cfg, file locations are the default. The
above works well usually...it's after a reboot I have found things go
bad. Usually logs get rotated at midnight and I get an email with
statistics, just what I need. I rebooted the machine on the 13, and
that's the last email or log rotation I got....this morning I see
current has files and my logstash instance has data so I believe the
rotation got..."stuck". I'm kicking myself for not heading/tailing the
files first, but after issuing a "sudo killall bro", those file in
current vanished, no directory was created, and I received no email,
that data is now gone (no big deal as this is at home). I decided to
run broctl install again, then start and kill bro one more time. At
that point, I got a new directory with log rotation and an email with
minutes or so of stats. Please let me know if there's something I can
do on my end to trouble shoot. Thank you.
I'm working in a project to develop a Network Security Early Warning
We need correlate events but we can't capture network traffic because
I think we can insert events into bro with broccoli and use it to
I would like to know if anyone have made something similar or have some
suggestions of how to do this.
I'm interested in dumping my bro logs into an elastic search instance and,
based on what I was able to learn thus far, it seems I have two different
- use the elasticsearch writer (which the documentation says should not be
used in production as it doesn't have any error checking)
- or use logstash to read info directly from the bro logs and externally
dump it into elasticsearch
It seems to me the logstash route is better, given that I should be able to
massage the data into more "user friendly" fields that can be easily
queried with elasticsearch.
So my question is, based on your experience, what is the best option? And,
if you do use logstash, can you share your logstash config?
Thanks in advance,
As I was looking at the bro cluster documentation
<https://www.bro.org/sphinx/cluster/index.html>, I noticed there wasn't any
information / configuration parameters to authenticate / authorize the
communication between the manager, worker and proxy components.
How do we protect against malicious processes from impersonating real
Hi all ,
I am facing an issue when trying to get BRO intel working . The matter is
that I cannot get meta data from Intel::MetaData.
The Bro intelligence itself is working fine. Here is my intel.dat file:
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
honargah.ir/images/sampledata/2013gdoc Intel::URL phishing 85 phishtank.com
and intel.log output:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type
file_desc seen.indicator seen.indicator_type seen.where sources
#types time string addr port addr port string string string string enum enum
1421919403.137259 Cz3Nvm4BHmAtqNxKHa 10.3.2.2 63982 22.214.171.124 80 - --
buy-pokerist-chips.com/wealth/t/ Intel::URL HTTP::IN_URL phishtank.com
So as you can see there are any meta data fields on intel.log output.
Please shed some light on this , Where should I look for troubleshooting ?
I have these scripts loaded :
A colleague of mine (not on this list) is trying to write logs to SQLite. The entries below were added to the bro_init event. The system creates bot h of these tables, but only writes records to one of the tables. The indication was that it seems to only write to whichever table is written to first. Does anyone know why this might be, or have any similar experiences? (The colleague did confirm that there should have been multiple entries in each of the logs – and initially had SQLite entries for all of the standard logs.)
local connFilter: Log::Filter = [
$config=table(["tablename"] = "conn"),
local weirdFilter: Log::Filter = [
$config=table(["tablename"] = "weird"),
is it possible to remove or redefine an existing field in a log?
For example, if i want to remove only the field
local_orig: bool &log &optional;
in conn.log, how can i do it?
And if i want to redefine it in this way:
local_orig: string &optional &log;
I was reading a paper A High-level Programming Environment for Packet Trace
Anonymization and Transformation by Ruoming Pang and Vern Paxson, which
talks about anonymizing network data using Bro. It was mentioned that it
was developed as an extension to Bro.
Could you please let me know where I can find the source code of the
mentioned extension so that I can implement scripts to anonymize network