I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?
Thanks,
Shawn
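As an added example (not code from the thread), this is how the SHA256 analyzer is attached to every file Bro's file analysis framework sees, so that the sha256 column in files.log is populated; it assumes Bro 2.4.x, where the stock hash-all-files.bro loaded from the default local.bro attaches only MD5 and SHA1, which is why sha256 stays empty out of the box:

```bro
# Added example, not from the original thread.
# Assumes Bro 2.4.x: files.log has md5/sha1/sha256 columns, each filled only
# when the matching Files::ANALYZER_* is attached to the file.
@load base/frameworks/files

# Constructed allow-list of MIME types worth the extra digest; leave it empty
# and drop the check below to hash everything, at the cost of one more hash
# computation per file on a live sensor.
const sha256_mime_types: set[string] = {
    "application/x-dosexec",
    "application/x-executable",
    "application/pdf",
} &redef;

# file_sniff fires once the MIME type has been detected; file_new fires
# earlier, before meta$mime_type is known.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( meta?$mime_type && meta$mime_type in sha256_mime_types )
        Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }
```

Drop the allow-list check to hash everything: the cost on a live sensor is one extra digest per file, which is cheap compared with the protocol parsing already done, but it is not free on busy links, which is why the base scripts do not enable it by default.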
Hi All,
Has anyone encountered the assertion failure below with Bro 2.4.1? This is
happening with live traffic at least a couple times a day since upgrading
from Bro 2.3.2. I didn't see anything in the bug tracker, so thought I'd float
it here first.
listening on zc:99@1, capture length 8192 bytes
1459786307.312525 processing suspended
1459786307.312525 processing continued
1459802619.911190 Failed to open GeoIP City database:
/usr/share/GeoIP/GeoIPCity.dat
1459802619.911190 Fell back to GeoIP Country database
1459802619.911190 Failed to open GeoIP Cityv6 database:
/usr/share/GeoIP/GeoIPCityv6.dat
bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal*
Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0'
failed.
/opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted
(core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@"
Regards,
Michael
Hello,
I'm wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don't have $1,000 per card + license to spend on the cards. Is anyone using Intel or other brands that aren't as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster.
Thanks for all your answers.
--
Richard Giesige
IT Security Analyst
Office of Information Security
Oregon State University
"OSU staff will NEVER ask for your password.
Never email or share your password with anyone."
Hi.
I configured the Brownian based on your instructions and the following link:
http://www.hyperionavenue.com/?p=692
My configurations are:
Elasticsearch 2.3.3
Bro 2.4.1
Ubuntu 16.04 LTS
I followed the procedure and it works on Ubuntu 14.04.
I am wondering why it is not working in the new version of Ubuntu.
I did this to test Elasticsearch:
curl 'localhost:9200/_cat/indices?v' | grep bro
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 270 100 270 0 0 4302 0 --:--:-- --:--:-- --:--:-- 4354
yellow open @bro-meta 5 1 1 11 4.8kb 4.8kb
yellow open bro-201605312100 5 1 0 0 795b 795b
So it looks like Elasticsearch is working fine.
But Brownian shows this error:
Error! Could not connect to server - please check ELASTICSEARCH_SERVER in
settings.py
Could you please help me to solve this problem?
Thanks.
I'm about to build a couple more worker nodes and it got me wondering
whether I should migrate to a newer Linux distro. My current cluster is
running on RHEL 6.x, but over the past couple years I've noticed changes
to Bro that temporarily required installing newer versions of CMake than
RHEL 6.x originally supported. RHEL 6.x eventually broke the mold of not
breaking binary compatibility around RHEL 6.6 and moved to a newer CMake
which made the RHEL packaged CMake Bro compatible once again. As such
I'm wondering if there is anything in the pipeline that would break
compatibility with a properly updated RHEL 6.x/CentOS 6.x. I'd rather not
maintain separate versions of libraries to build Bro if possible. We're
technically a RHEL shop, so I'd probably be looking at RHEL7.x, but I
could look at another distro that is more aggressive with running newer
kernels and software libraries if necessary. Thoughts?
~Gary
Bro 2.5 is not far away, but in the meantime you should upgrade to Bro
2.4.1. This is the latest stable release. If you are running 2.4 the
upgrade to 2.4.1 won't break your config. This release contains
important fixes without changing Bro's functionality.
Check the change log here: https://www.bro.org/download/CHANGES.bro.txt.
- the Bro team
--
Doris Schioberg
Bro Outreach, Training, and Education Coordinator
International Computer Science Institute (ICSI Berkeley)
Phone: +1 (510) 289-8406 * doris(a)bro.org
Hello,
I have a fairly simple use case. I have a database of devices, which contains a device name, manufacturer, IP addresses, and MAC address. I want to be able to take a device from that database, retrieve the MAC address, and use that to query data that has been generated by BRO.
I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption).
My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me.
Does anyone have advice for getting MAC address from a PCAP file that was used to generate different logs in BRO?
Thanks!
William Baker | Software Developer
Tietronix Software Inc. | 1331 Gemini Ave. STE 300 | Houston, TX 77058
+1 (281) 404-7253 | wbaker(a)tietronix.com | www.tietronix.com
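An added example (not code from the thread, and not the roam.bro script mentioned above) that takes the link-layer addresses Bro records on the connection record itself, i.e. straight from the Ethernet header of the captured packets rather than from DHCP, and copies them into conn.log. It assumes the running Bro exposes orig_l2_addr and resp_l2_addr on the connection record (they are in Bro 2.5; on 2.4.1 check the connection type in share/bro/base/init-bare.bro before relying on them):

```bro
# Added example, not from the original thread.
# Assumes `connection` carries orig_l2_addr / resp_l2_addr (string &optional),
# filled from the Ethernet header when the capture has one.
@load base/protocols/conn

redef record Conn::Info += {
    ## Link-layer address of the originator, if the capture carried one.
    orig_l2_addr: string &log &optional;
    ## Link-layer address of the responder, if the capture carried one.
    resp_l2_addr: string &log &optional;
};

# Priority 5 runs before the conn framework's own handler (priority -5)
# writes the Conn::Info record to conn.log.
event connection_state_remove(c: connection) &priority=5
    {
    # The fields are absent for captures without an Ethernet header. For
    # traffic that crossed a router the MAC is the last hop's, not the end
    # host's, so match against the device database with that in mind.
    if ( c?$orig_l2_addr )
        c$conn$orig_l2_addr = c$orig_l2_addr;
    if ( c?$resp_l2_addr )
        c$conn$resp_l2_addr = c$resp_l2_addr;
    }
```

Run it as `bro -r capture.pcap mac-to-conn.bro` (file name assumed) and the two extra columns appear at the end of conn.log, which can then be joined against the MAC column of the device database.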
I am sorry for the disturbance. This must be a noob question :P
And I am new to this, so please help me out
My BRO script starts as follows:
@load weird
@load alarm
@load tcp
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    print fmt("IP : %s WITH PORT NO.: %s IS TRYING TO ACCESS TCP PACKETS",
              c$id$orig_h, c$id$orig_p);
    }
error :
cant find weird
Even if I remove the first line,
the same error keeps popping up for alarm and tcp.
It has to be something about the path from which the scripts are being
loaded,
but I wasn't able to find a solution.
Please do help.
Thank You
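The script above uses the Bro 1.x script names; as an added example (not the poster's code), here is the same handler with the @load lines that Bro 2.x understands. The base/ scripts are loaded automatically unless Bro runs in bare mode (`bro -b`), so the @load lines are only strictly needed there:

```bro
# Added example, not from the original thread: the poster's script for Bro 2.x.
# Bro 2.x has no top-level "weird", "alarm" or "tcp" scripts; the equivalents
# live under base/ and are loaded by default unless "bro -b" is used.
@load base/frameworks/notice        # replaces "alarm"
@load base/frameworks/notice/weird  # replaces "weird"
@load base/protocols/conn           # replaces "tcp"

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # tcp_packet fires for every segment in both directions, so it is an
    # expensive event on live traffic; report only the originator's side.
    if ( ! is_orig )
        return;
    print fmt("IP : %s WITH PORT NO.: %s IS TRYING TO ACCESS TCP PACKETS",
              c$id$orig_h, c$id$orig_p);
    }
```

Run it against a trace with `bro -r trace.pcap script.bro` (file names assumed); if the @load lines still fail, `bro --help` shows the BROPATH Bro searches, which must include the share/bro directory of the installation.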
Hi everyone,
I wrote a few Bro scripts to cut my teeth on the language if you all would
like to check them out:
https://github.com/joshuaguild/bro_scripts
Network Visibility will allow you to confirm that the traffic that should
be flowing to your sensor actually is. You can populate what subnets you
should be seeing and it will dump a log to confirm if it sees a host in
that subnet.
RDP Layout just checks the keyboard_layout field in the rdp.log against a
whitelist (or you can make it a black list by changing the !in to in). Good
for monitoring for lateral movement or connections to your DMZ.
Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
--
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
Hi, we are using Dell R230's with an additional quad port card for network
captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what
is the best way to configure it to listen on all 4 interfaces? Would we set
that up in node.cfg and create 4 worker processes so that we can use
broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4
eth5"? Or is there a command line bro with options?
Is PF_RING needed?