I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?
Thanks,
Shawn
Hi All,
Has anyone encountered the assertion failure below with Bro 2.4.1? This is
happening with live traffic at least a couple times a day since upgrading
from Bro 2.3.2. I didn't see anything in the bug tracker, so thought I'd float
it here first.
listening on zc:99@1, capture length 8192 bytes
1459786307.312525 processing suspended
1459786307.312525 processing continued
1459802619.911190 Failed to open GeoIP City database: /usr/share/GeoIP/GeoIPCity.dat
1459802619.911190 Fell back to GeoIP Country database
1459802619.911190 Failed to open GeoIP Cityv6 database: /usr/share/GeoIP/GeoIPCityv6.dat
bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal* Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0' failed.
/opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted (core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@"
Regards,
Michael
Hello,
I'm wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don't have $1,000 per card + license to spend on the cards. Is anyone using Intel or other brands that aren't as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster.
Thanks for all your answers.
--
Richard Giesige
IT Security Analyst
Office of Information Security
Oregon State University
"OSU staff will NEVER ask for you password.
Never email or share your password with anyone."
Dear list,
I'd like to operate 3 workers in different subnets. Unluckily, the
network connection between manager/proxy and these subnets is really
slow (around 500 kBit/s) and has frequent outages.
Is there a possibility to synchronize the nodes without the necessity to
use SSH? Perhaps by a frequent file transfer using rsync?
Thanks and best regards,
Sven
Dear list,
I'm having trouble understanding some log entries from my conn.log. I
already learned from this mailing list that bro cannot surely detect who
initiated a connection if it does not see the initial connection setup,
which seems logical to me.
But if I look to my conn.log file, I find entries like these:
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
It looks like our IMAP server (87.152.221.xxx running on port 50993)
initiated a connection to my notebook (192.168.100.yyy). That should not
be possible due to lack of port forwarding for this connection.
So my first guess is that bro didn't see the initial connection setup
(midstream traffic, OTH state). But I took a look into the documentation
on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
regarding the reported states (S1), which says:
S1 Connection established, not terminated.
This looks to me like bro saw the connection setup. Or did I get
something wrong here?
Oh and by the way: the next paragraph reads:
SF Normal establishment and termination. Note that this is the same
symbol as for state S1. You can tell the two apart because for S1 there
will not be any byte counts in the summary, while for SF there will be.
I don't understand this. Do S1 and SF really only differ in byte count
zero or non-zero? It seems to me that they also differ in "connection
still alive" and "connection was terminated".
Looking further through the logs, I also find entries with "SF" flag in
which source and destination seem twisted:
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
Does anybody have a hint? Did I misunderstand something?
I'm running bro 2.4.1.
Thanks a lot!
Sven
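The records quoted in the post can be read mechanically once the column order and the meaning of the conn_state and history fields are spelled out. The following is an added example (not part of the post and not Bro's own code): it splits conn.log records using the Bro 2.4 column layout, rejects records whose field count is wrong (a whitespace glitch between "-" and the duration would otherwise shift every later column), and decodes the history string using Bro's documented convention that uppercase letters are packets from the originator and lowercase letters packets from the responder. The sample records are the post's own three entries re-joined onto one line each, with the poster's "xxx"/"yyy" redactions left in place.

```python
# Added example (not from the original post, not Bro's code): parse Bro 2.4
# conn.log records and decode the conn_state / history fields.
from typing import Dict, List, Tuple

# Bro 2.4 conn.log column order.  The real log is tab-separated; the
# mailing-list copy was re-wrapped with spaces, so we split on whitespace.
CONN_FIELDS = [
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# conn_state values as documented for base/protocols/conn/main.bro.
CONN_STATES = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, close attempt by originator, no reply from responder",
    "S3": "established, close attempt by responder, no reply from originator",
    "RSTO": "established, originator aborted with RST",
    "RSTR": "responder sent a RST",
    "RSTOS0": "originator sent SYN then RST, never saw SYN-ACK",
    "RSTRH": "responder sent SYN-ACK then RST, never saw SYN",
    "SH": "originator sent SYN then FIN, never saw SYN-ACK (half-open)",
    "SHR": "responder sent SYN-ACK then FIN, never saw SYN",
    "OTH": "no SYN seen, just midstream traffic",
}

# history letters; uppercase = sent by originator, lowercase = by responder.
HISTORY_LETTERS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}

# The three records quoted in the post, re-joined onto one line each.
SAMPLE_RECORDS = [
    "1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 "
    "tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)",
    "1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 "
    "tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)",
    "1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 "
    "tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)",
]


def parse_conn_record(line: str) -> Dict[str, str]:
    """Split one record into named fields; refuse mis-aligned records."""
    fields = line.split()
    if len(fields) != len(CONN_FIELDS):
        raise ValueError(
            "expected %d fields, got %d: %r" % (len(CONN_FIELDS), len(fields), line))
    return dict(zip(CONN_FIELDS, fields))


def decode_history(history: str) -> List[Tuple[str, str]]:
    """Expand 'ShADad' into (who, what) pairs in packet order."""
    return [
        ("originator" if ch.isupper() else "responder",
         HISTORY_LETTERS.get(ch.lower(), "unknown flag %r" % ch))
        for ch in history
    ]


def handshake_seen(history: str) -> Dict[str, bool]:
    """Was the originator's SYN ('S') / the responder's SYN-ACK ('h') observed?

    If neither appears, Bro picked the connection up midstream and the
    originator/responder labels reflect which side it saw first, not which
    side actually opened the connection.
    """
    return {"originator_syn": "S" in history, "responder_synack": "h" in history}


def describe(rec: Dict[str, str]) -> str:
    """One-line human reading of a parsed record."""
    seen = handshake_seen(rec["history"])
    if seen["originator_syn"]:
        origin = "SYN observed from %s:%s" % (rec["orig_h"], rec["orig_p"])
    else:
        origin = "no SYN observed; roles taken from first packet seen"
    return "%s:%s -> %s:%s %s=%s (%s); history %s; %s" % (
        rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"],
        "conn_state", rec["conn_state"],
        CONN_STATES.get(rec["conn_state"], "undocumented state"),
        rec["history"], origin)


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(describe(parse_conn_record(line)))
```

Run as a script it prints one reading per quoted record; the value for an analyst is the history decode, since the state code alone says nothing about which side's SYN was actually captured.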
Hi,
I'm trying to develop an application level analyzer.
My protocol has a request/response architecture, and the request/response
message structure depends on a Function Code.
This Function Code is sent in the request message, but NOT in the response
message.
So, when I receive a response I don't know if it belongs to the request A
or the request B.
The only way to know that is checking the transport level ID.
So, I need to maintain some kind of array that relates transport id values
and function codes.
My question is how to do that.
I need to read and write that global value in the MyProt-protocol.pac file.
But I don't know how to maintain a global variable in binpac.
I've been trying to do it within the $context, but I don't know how to
write a value in a type added to the context.
Any idea?
Thank you!
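The bookkeeping the post describes is independent of binpac: remember the function code under the transport id when the request is parsed, and look it up (and consume it) when the response with that id arrives. The following is an added example in Python, not binpac and not the poster's analyzer; the wire format (a 16-bit transaction id, then a one-byte function code in requests only) is constructed for the example. It also shows the one thing a stateful analyzer must get right: the pending-request table is bounded, so a peer that sends requests and never answers cannot grow analyzer memory without limit, and a response whose id is unknown (midstream pickup, evicted entry, or an unsolicited message) is reported rather than guessed.

```python
# Added example (not binpac, not from the post): request/response correlation
# keyed by transport id, with a bounded pending-request table.
import struct
from collections import OrderedDict
from typing import Optional, Tuple


class PendingRequests:
    """Bounded map from transport id to the function code of its request."""

    def __init__(self, max_outstanding: int = 1024) -> None:
        self.max_outstanding = max_outstanding
        self._table: "OrderedDict[int, int]" = OrderedDict()
        self.evicted = 0  # requests dropped because the table was full

    def on_request(self, tid: int, function_code: int) -> None:
        # An id re-used before its response arrived replaces the older entry.
        self._table.pop(tid, None)
        self._table[tid] = function_code
        # Cap the table: unanswered requests must not accumulate forever.
        while len(self._table) > self.max_outstanding:
            self._table.popitem(last=False)
            self.evicted += 1

    def on_response(self, tid: int) -> Optional[int]:
        # A response consumes its pending entry; None means no request was
        # seen for this id (midstream pickup, evicted, or unsolicited).
        return self._table.pop(tid, None)

    def outstanding(self) -> int:
        return len(self._table)


# Toy wire format, constructed for this example (not the poster's protocol):
#   request : tid (uint16, big-endian) | function code (uint8) | payload
#   response: tid (uint16, big-endian) | payload
def parse_request(buf: bytes, table: PendingRequests) -> Tuple[int, int, bytes]:
    """Parse a request, recording its function code under its transport id."""
    if len(buf) < 3:
        raise ValueError("short request")
    tid, fc = struct.unpack("!HB", buf[:3])
    table.on_request(tid, fc)
    return tid, fc, buf[3:]


def parse_response(buf: bytes, table: PendingRequests) -> Tuple[int, Optional[int], bytes]:
    """Parse a response; the function code comes from the remembered request."""
    if len(buf) < 2:
        raise ValueError("short response")
    (tid,) = struct.unpack("!H", buf[:2])
    fc = table.on_response(tid)
    return tid, fc, buf[2:]


if __name__ == "__main__":
    table = PendingRequests(max_outstanding=8)
    print(parse_request(b"\x00\x07\x03abc", table))   # request 7, function 3
    print(parse_response(b"\x00\x07xyz", table))      # response 7 -> function 3
    print(parse_response(b"\x00\x09", table))         # unknown id -> None
```

In a real analyzer the table lives per connection (one flow's ids say nothing about another's), and the `None` case is where a protocol_violation or weird should be raised instead of parsing the payload under a guessed structure.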
Hi There.
Hope it is ok to ask this here...?
SSLv3 Installation errors installing bro on Raspberry Pi 2 running Arch
Linux
Versions:
Archlinux: 4.4.8-2-ARCH (latest 11:04:2016)
Bro: Both 2.4.1 and 2.3.2 tested
Broccoli: 1.97 packaged with Bro 2.4.1
When running the following order of install commands for Bro
./configure
make
*First Error:* Which I seem to get past
...but not sure if it contributes to the second error.
/home/bro/bro-2.3.2/src/ChunkedIO.cc:692:34: error: 'SSLv3_method' was not declared in this scope.
*Workaround:*
Editing using nano the file ChunkedIO.cc, I am able to change the SSL
version from 3 to 23 and rerun make and it will continue past this section.
*Second Error:*
It then fails at
[ 95%] Linking C executable brohose
../src/libbroccoli.so.5.1.0: undefined reference to `SSLv3_method'
collect2: error: ld returned 1 exit status
aux/broccoli/test/CMakeFiles/brohose.dir/build.make:98: recipe for target 'aux/broccoli/test/brohose' failed
This looks more like a compiled file than a script and if I edit it the
make process fails to read the file.
I do see at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804104 there
is a bug reported fixed:
Found in version broccoli/1.97-2
Fixed in version broccoli/1.97-3
I've found a broccoli folder with 1.97-3 downloads for Ubuntu but not sure if
and how it can be incorporated into the make process.
http://www10.frugalware.org/pub/linux/ftp.ubuntu.com/ubuntu/pool/universe/b…
Looking for advice
Kind Regards
Damian Barlow
We're in the process of (re)evaluating our team/dev communication and would
like to loop you, the community, into this process. We just started
trying out Gitter:
- https://gitter.im/bro/bro (general Bro discussion)
- https://gitter.im/bro/broker (Broker-specific discussion)
In addition to the web interface, Gitter has an IRC bridge and native
clients. We do not want to compromise our current IRC outlet, #bro on
Freenode. Rather, we see our Gitter test drive as a complementary
experiment to allow a broader audience to tune in, and everything that
develops from there we just take organically.
Feel free to swing by and let us know what you think,
Matthias
Hello all,
This afternoon recursively cloning Bro was successful. A couple of hours
later, cloning does not successfully complete at the "aux" submodule. Hence
dependencies are not met. This occurs on both Bro's git and github. Below is
a snippet of the errors:
$ git clone --recursive git://git.bro.org/bro
...
fatal: reference is not a tree: edbbe445d92cc6a5c2557661195f486b784769db
...
fatal: reference is not a tree: cb771a3cf592d46643eea35d206b9f3e1a0758f7
...
...
Unable to checkout 'edbbe445d92cc6a5c2557661195f486b784769db' in submodule
path 'aux/binpac'
Unable to checkout 'cb771a3cf592d46643eea35d206b9f3e1a0758f7' in submodule
path 'aux/bro-aux'
Unable to checkout 'b4d1686cdd3f5505e405667b1083e8335cae6928' in submodule
path 'aux/broccoli'
Unable to checkout '6583b0a84b59a90e671d6405613c35f8502ce023' in submodule
path 'aux/broctl'
Unable to checkout 'bb3f55f198f9cfd5e545345dd6425dd08ca1d45e' in submodule
path 'aux/broker'
I'm not sure if it's just me or if there is a generic issue somewhere.
MP
Have you tried a pre-deploy plugin (i.e., cmd_deploy_pre)?
That might be a better fit for what you're trying to accomplish,
unless there's some reason why you would prefer to not use the
deploy command.
On 04/27/2016 01:45 AM, Knick, Scott E CTR (US) wrote:
> CLASSIFICATION: UNCLASSIFIED
>
> Thanks. This seems non-intuitive, but regardless, can anyone offer any suggestions to implement what I'm describing using a BroCtl plugin, or am I purely barking up the wrong tree? Thanks.
>