I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?
Thanks,
Shawn
Dear list,
I'm having trouble understanding some log entries from my conn.log. I
already learned from this mailing list that bro cannot surely detect who
initiated a connection if it does not see the initial connection setup,
which seems logical to me.
But if I look at my conn.log file, I find entries like these:
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
It looks like our IMAP server (87.152.221.xxx running on port 50993)
initiated a connection to my notebook (192.168.100.yyy). That should not
be possible due to lack of port forwarding for this connection.
So my first guess is that bro didn't see the initial connection setup
(midstream traffic, OTH state). But I took a look into the documentation
on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
regarding the reported states (S1), which says:
S1 Connection established, not terminated.
This looks to me like bro saw the connection setup. Or did I get
something wrong here?
Oh and by the way: the next paragraph reads:
SF Normal establishment and termination. Note that this is the same
symbol as for state S1. You can tell the two apart because for S1 there
will not be any byte counts in the summary, while for SF there will be.
I don't understand this. Do S1 and SF really only differ in byte count
zero or non-zero? It seems to me that they also differ in "connection
still alive" and "connection was terminated".
Looking further through the logs, I also find entries with "SF" flag in
which source and destination seem twisted:
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
Does anybody have a hint? Did I misunderstand something?
I'm running bro 2.4.1.
Thanks a lot!
Sven
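The records in the message above can be read mechanically: the conn_state column is one of the documented state codes, and each letter of the history column records one packet, uppercase when Bro attributes it to the originator and lowercase when it attributes it to the responder. The following script is an added example, not code from the post or from the Bro project; it parses the three pasted records (re-joined onto one line each, with the poster's xxx/yyy anonymisation kept), names each column using the Bro 2.4 conn.log layout, and reports whether a handshake was seen.

```python
"""Decode the conn_state and history columns of Bro 2.4 conn.log records.

Added example; not code from the original post or from the Bro project.
The sample records are the three pasted in the message, re-joined onto
one line each (the 'xxx'/'yyy' octets are the poster's anonymisation).
"""
from typing import Dict, List

# Bro 2.4 conn.log column order. Real logs are tab-separated; the pasted
# records are whitespace-separated, so we split on any whitespace.
CONN_FIELDS = [
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# conn_state meanings as documented in base/protocols/conn/main.bro.
CONN_STATES: Dict[str, str] = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, originator closed, no reply from responder",
    "S3": "established, responder closed, no reply from originator",
    "RSTO": "established, originator aborted (sent RST)",
    "RSTR": "established, responder aborted (sent RST)",
    "RSTOS0": "originator sent SYN then RST, no SYN-ACK seen",
    "RSTRH": "responder sent SYN-ACK then RST, no SYN seen",
    "SH": "originator sent SYN then FIN, no SYN-ACK seen",
    "SHR": "responder sent SYN-ACK then FIN, no SYN seen",
    "OTH": "no SYN seen, midstream traffic only",
}

# history letters: an uppercase letter means the originator sent that
# packet, a lowercase one means the responder did.
HISTORY_LETTERS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "payload",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
    "q": "multi-flag packet",
}

SAMPLE_RECORDS = [
    "1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 "
    "tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)",
    "1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 "
    "tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)",
    "1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 "
    "tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)",
]


def parse_conn_record(line: str) -> Dict[str, str]:
    """Map one conn.log record onto the Bro 2.4 column names."""
    fields = line.split()
    if len(fields) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(fields)}")
    return dict(zip(CONN_FIELDS, fields))


def decode_history(history: str) -> List[str]:
    """Expand a history string, packet by packet, into 'side: meaning' steps."""
    steps = []
    for ch in history:
        side = "originator" if ch.isupper() else "responder"
        steps.append(f"{side}: {HISTORY_LETTERS.get(ch.lower(), 'unknown ' + ch)}")
    return steps


def handshake_seen(history: str) -> bool:
    """True when Bro saw both the originator's SYN and the responder's SYN+ACK."""
    return "S" in history and "h" in history


def explain(record: Dict[str, str]) -> str:
    """One-line summary: who Bro considers the originator, and on what basis."""
    hist = record["history"]
    basis = "handshake seen" if handshake_seen(hist) else "no handshake seen (midstream)"
    return (f"{record['uid']}: {record['orig_h']}:{record['orig_p']} -> "
            f"{record['resp_h']}:{record['resp_p']} state={record['conn_state']} "
            f"({CONN_STATES.get(record['conn_state'], 'unknown')}), {basis}")


if __name__ == "__main__":
    for rec in map(parse_conn_record, SAMPLE_RECORDS):
        print(explain(rec))
        for step in decode_history(rec["history"]):
            print("   ", step)
```

Run on the pasted records, the two S1 entries decode as "originator: SYN, responder: SYN+ACK, ...", so Bro did see a handshake there and attributes the SYN to 87.152.221.xxx:50993. The SF entry with history DdAfFa contains no S or h at all: Bro never saw a handshake on that connection and its originator is simply whichever side sent the first packet Bro observed, which is why SF and midstream pickup are not mutually exclusive.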
As with every infrastructure I am plagued with people scanning my external
edge. I see little value in getting notices for scanning attempts and
password guessing attempts but I do see value in running monthly reports
and generating blocklists based on repeat offenders.
Is there a way to tell the notice framework to only create alarms (emails)
if it sees scans of any kind (address, port, password guessing, etc.) if
they are from the IPs in my $HOME_NET defined in network.cfg?
Justification: if I
redef Notice::ignored_types += {
    SSH::Password_Guessing,
    Scan::Address_Scan,
    Scan::Port_Scan,
    HTTP::SQL_Injection_Attacker,
    ShellShock::Scanner,
    ScanUDP::Address_Scan,
    ScanUDP::Port_Scan,
};
Then I get no logging of the events anywhere. Therefore I can't run
reports of offenders and build active blocklists or other intel gathering
activities.
If I:
# Set rule to only email specific notice types:
redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    HTTP::SQL_Injection_Victim,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};
Then I get flooded with email from any of the guessing activity. (Side note:
I find that the above logic doesn't restrict email notices to just those
listed in the defined email types above. I still get plenty of notices
about events not listed in the list above.) If the redef
Notice::emailed_types worked, it would be a start, but I'd still like to get
emails about IP addresses in my internal net getting scanned by other IPs
in my internal net; that is definitely an indicator of unwanted behavior.
Any assistance would be greatly appreciated. Just trying to tune things to
a manageable level.
Thanks
Tim
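The two things the message above wants from the scan notices, a periodic repeat-offender report without emails, plus an alarm when one internal host scans another, can both be produced from notice.log after the fact, as long as the notice types stay out of Notice::ignored_types so they are still logged. The script below is an added example, not code from the post or from Bro: it parses a constructed notice.log excerpt (RFC 5737 documentation addresses, only the columns the report needs), uses a hypothetical LOCAL_NETS list standing in for the networks.cfg entries, and separates external repeat scanners from internal-to-internal scans. Because the parser takes column names from the #fields header, it works unchanged on the full column set of a real notice.log.

```python
"""Report repeat scanners from notice.log and flag internal-to-internal scans.

Added example; not code from the original post or from Bro. The log lines
are constructed (RFC 5737 documentation addresses) and only carry the
notice.log columns the report needs; the parser reads the column names
from the '#fields' header, so the real, wider column set works too.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Notice types the poster wants logged but not emailed when they come from outside.
SCAN_NOTES = {
    "SSH::Password_Guessing", "Scan::Address_Scan", "Scan::Port_Scan",
    "HTTP::SQL_Injection_Attacker", "ShellShock::Scanner",
    "ScanUDP::Address_Scan", "ScanUDP::Port_Scan",
}

# Stand-in for the networks listed in broctl's networks.cfg (assumed values).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed notice.log excerpt, tab-separated like a real Bro ASCII log.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tnote\tsrc\tdst\tmsg\tactions",
    "1446190221.687738\tScan::Address_Scan\t203.0.113.5\t-\tscanned 25 hosts on 22/tcp\tNotice::ACTION_LOG",
    "1446190300.000000\tSSH::Password_Guessing\t203.0.113.5\t-\tguessing SSH passwords\tNotice::ACTION_LOG",
    "1446190400.000000\tScan::Port_Scan\t198.51.100.9\t10.0.0.50\tscanned 15 ports\tNotice::ACTION_LOG",
    "1446190500.000000\tScan::Port_Scan\t10.0.0.7\t10.0.0.50\tscanned 15 ports\tNotice::ACTION_LOG",
    "1446190600.000000\tScan::Address_Scan\t203.0.113.5\t-\tscanned 25 hosts on 445/tcp\tNotice::ACTION_LOG",
    "1446190700.000000\tWeird::Activity\t198.51.100.9\t-\tactive_connection_reuse\tNotice::ACTION_LOG",
])


def parse_notice_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log using its #fields header; other '#' lines are skipped."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if not fields or len(values) != len(fields):
                raise ValueError("record does not match #fields header: " + line)
            records.append(dict(zip(fields, values)))
    return records


def is_local(addr: str) -> bool:
    """True when addr falls inside one of LOCAL_NETS ('-' and junk are never local)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def repeat_offenders(records: List[Dict[str, str]], min_count: int = 2) -> List[Tuple[str, int]]:
    """External sources with at least min_count scan-type notices, busiest first."""
    counts = Counter(r["src"] for r in records
                     if r["note"] in SCAN_NOTES and not is_local(r["src"]))
    return sorted(((src, n) for src, n in counts.items() if n >= min_count),
                  key=lambda item: (-item[1], item[0]))


def internal_scans(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan-type notices where both src and dst are local: the ones worth an alarm."""
    return [r for r in records
            if r["note"] in SCAN_NOTES and is_local(r["src"]) and is_local(r["dst"])]


if __name__ == "__main__":
    recs = parse_notice_log(SAMPLE_NOTICE_LOG)
    print("repeat offenders:", repeat_offenders(recs))
    for r in internal_scans(recs):
        print("internal scan:", r["note"], r["src"], "->", r["dst"])
```

Pointed at a month of rotated notice.log files, repeat_offenders() gives the blocklist candidates and internal_scans() the short list that deserves a mail; the notice types themselves are left in the log stream rather than ignored, which is what keeps the report possible.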
Hi all,
My goal is to integrate a new protocol analyzer in Bro. This protocol
(PROFINET Discovery and Basic Configuration Protocol) works on layer
2. My question is: are there special considerations to get at the layer 2
data? My colleague has tried creating an analyzer by following your
instructions for coding an analyzer with binpac. Before he went on vacation,
he told me he could access layer 3 data with binpac but not layer 2
data. Is that correct? If so, does it work with the new binpac++? Any
advice or suggestions on how to get started would be greatly appreciated.
Kind regards
Marcel Odenwald
Hello, I have a question about Bro Cluster architecture. By default, the
cluster architecture has a frontend listening to a high-speed link,
splitting traffic to each worker, and finally all worker information
is administered by a manager using a proxy, etc.
What we want to do is to have several workers analysing different
network segments, with each of those workers communicating with a
manager, which will be responsible for managing all information and, of
course, enabling centralized administration of the workers' configuration.
Is it possible to do this?
Thanks and regards.
--
Cristian Daniel Barbaro
CERTUNLP
--
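The layout asked about above, several workers each watching its own segment and all reporting to one manager, is exactly what broctl's node.cfg describes: every node entry names its type, the host it runs on and, for workers, the interface it sniffs, and the manager host pushes the configuration to the others. The file below is an added example, not configuration from the original post or from the Bro project; the hostnames, addresses and interface names are assumed.

```ini
# node.cfg for a distributed cluster (assumed addresses and interface names)
[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

# One worker per network segment, running on the host that sees that segment.
[worker-segment-a]
type=worker
host=10.0.1.21
interface=eth1

[worker-segment-b]
type=worker
host=10.0.2.22
interface=eth1
```

After `broctl install` on the manager host, `broctl start` brings the remote workers up; this relies on Bro being installed at the same prefix on every host and on key-based SSH from the manager host to each worker host, as with any multi-host broctl deployment.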
Hey all,
I have a question about how Bro handles Microsoft BITS (Background
Intelligent Transfer Service) traffic since the file is only partially
downloaded in the session it's monitoring. We've seen some traffic and it
looks like Bro just shows as an incomplete file and doesn't carve it
properly.
Is there anything we can do to mitigate this?
--
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
Hello,
I am trying to debug bro in Eclipse CDT.
At the following line in main.cc, I am getting the error "function init
could not be resolved":
// Must come after hash initialization.
binpac::init();
I ran ./configure in the home directory to generate the makefile,
and then I imported the source folder into CDT.
Please direct me to where I might be going wrong.
Thanks
Aniket Savanand
MS San Jose State University
--
Regards,
Aniket Savanand,
MS Software Engineering 2016,
San Jose State University, CA
Email <aniket.savanand(a)sjsu.edu> Cellphone- +1-669-226-8162
Hi,
I am running SO 14.04. This is just capturing DNS and DHCP traffic on a span port. Recently I ran soup and rebooted the box. After that I noticed no DHCP log is showing up in the bro logs. I can see known_services shows DHCP as a service, but there is no dhcp.log file being generated. Any clue what went wrong?
I would appreciate any help
Thanks
Zafar
Good afternoon,
Is there a way to enable a "delay compress" type command (like in
logrotate) for bro/broctl cron? I want to post process log files and it
would be much more efficient if they were uncompressed.
=====================
Brandon Glaze
bglaze(a)gmail.com
"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
Hi Folks,
On later versions of Linux distros, iproute2 replaces ifconfig with ip.
Starting at line 601 at
https://github.com/bro/broctl/blob/master/BroControl/config.py
it looks like ifconfig is hard-coded into the logic. It probably needs a
patch to check for the ip command.
Cheers,
Harry
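One shape such a patch could take is shown below as an added example; it is not broctl code and not from the original message. It prefers `ip -o link show` when iproute2 is installed, falls back to `ifconfig -a` otherwise, and parses either tool's output into interface names, including the old net-tools layout and VLAN sub-interfaces. The sample outputs are constructed, and the `which`/`run` parameters exist only so the selection and parsing can be exercised without touching the host.

```python
"""Prefer iproute2's ip over ifconfig when listing network interfaces.

Added example; not broctl code and not from the original post. Picks
whichever tool is installed and parses that tool's output into interface
names. The sample outputs are constructed.
"""
import re
import shutil
import subprocess
from typing import Callable, List, Optional, Tuple

# Candidate commands, preferred first; ip -o prints one line per link.
CANDIDATES = [("ip", ["ip", "-o", "link", "show"]), ("ifconfig", ["ifconfig", "-a"])]

# "2: eth0: <BROADCAST,...>" and "3: eth0.10@eth0: <...>" -> eth0, eth0.10
IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
# "eth0: flags=4163<UP,...>" (net-tools 2.x) or "lo        Link encap:..." (1.x);
# continuation lines are indented and therefore do not match.
IFCONFIG_RE = re.compile(r"^([A-Za-z0-9._-]+):?\s")


def interface_list_command(
    which: Callable[[str], Optional[str]] = shutil.which,
) -> Optional[Tuple[str, List[str]]]:
    """Return the first installed candidate as (tool, argv), or None if neither exists."""
    for tool, argv in CANDIDATES:
        if which(tool):
            return tool, argv
    return None


def parse_interfaces(tool: str, output: str) -> List[str]:
    """Extract interface names from the output of the given tool ('ip' or 'ifconfig')."""
    pattern = IP_LINK_RE if tool == "ip" else IFCONFIG_RE
    names = []
    for line in output.splitlines():
        m = pattern.match(line)
        if m:
            names.append(m.group(1))
    return names


def list_interfaces(run: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> List[str]:
    """Run the preferred tool and parse its output; fail loudly if neither tool exists."""
    choice = interface_list_command()
    if choice is None:
        raise RuntimeError("neither ip nor ifconfig found in PATH")
    tool, argv = choice
    result = run(argv, capture_output=True, text=True, check=True)
    return parse_interfaces(tool, result.stdout)


# Constructed sample outputs for the two tools.
IP_SAMPLE = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\\    link/ether 02:00:00:00:00:01\n"
    "3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\\    link/ether 02:00:00:00:00:01\n"
)
IFCONFIG_NEW_SAMPLE = (
    "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
    "        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255\n"
    "\n"
    "lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536\n"
    "        inet 127.0.0.1  netmask 255.0.0.0\n"
)
IFCONFIG_OLD_SAMPLE = (
    "lo        Link encap:Local Loopback\n"
    "          inet addr:127.0.0.1  Mask:255.0.0.0\n"
)

if __name__ == "__main__":
    print(list_interfaces())
```

The parsing regexes are the part worth keeping even if the tool selection is done differently: `ip -o link show` names VLAN and macvlan sub-interfaces as `name@parent`, so anything that compares interface names against node.cfg has to strip the `@parent` suffix, which the `ip` pattern does.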