I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?
Thanks,
Shawn
Hi All,
Has anyone encountered the assertion failure below with Bro 2.4.1? This is
happening with live traffic at least a couple times a day since upgrading
from Bro 2.3.2. I didn't see anything in the bug tracker, so I thought I'd float
it here first.
listening on zc:99@1, capture length 8192 bytes
1459786307.312525 processing suspended
1459786307.312525 processing continued
1459802619.911190 Failed to open GeoIP City database:
/usr/share/GeoIP/GeoIPCity.dat
1459802619.911190 Fell back to GeoIP Country database
1459802619.911190 Failed to open GeoIP Cityv6 database:
/usr/share/GeoIP/GeoIPCityv6.dat
bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal*
Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0'
failed.
/opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted
(core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@"
Regards,
Michael
Would anyone happen to have documentation for configuring ZC and Bro? I have NTop's PF_RING and ixgbe driver packages installed, the proper license in /etc/pf_ring, and have compiled Bro with the NTop libraries but I'm seeing the kernel error below along with a ton of “split routing” messages in weird.conf, so I suspect the flows aren’t being load balanced correctly.
Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to activate two or more ZC sockets on the same interface eth6/link direction
The monitored NIC is an Intel X520-LR1.
Contents of /etc/pf_ring/zc/ixgbe/ixgbe.conf:
RSS=10 allow_unsupported_sfp=0
Contents of /etc/pf_ring/hugepages.conf
node=1 hugepages=1024
And Bro is configured as:
[MID_INT]
type=worker
host=10.20.30.123
interface=zc:eth6
lb_method=pf_ring
lb_procs=10
pin_cpus=10,11,12,13,14,15,16,17,18,19
Thanks!
-Dave
Hi everyone,
I am trying to find the number of connections having the same source IP and destination port in the last 100 connections using Bro commands.
I managed to get the number in all connections using:
bro-cut id.orig_h id.resp_p < conn.log | sort | uniq -c | sort -rn
which is working fine, but I need to modify this to include only the last 100 connections in the log file. Is there a way to do that?
Thanks in advance
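One way to restrict the count to the tail of the log, as an added example that is not part of the original post: the header-aware awk below does what bro-cut does (locate id.orig_h and id.resp_p by name from the #fields line) and then only tallies the last N records. The sample conn.log, and the function names write_sample_log, count_pairs and pair_count, are constructed for this example.

```shell
# Constructed sample conn.log with a reduced column set (6 records).
write_sample_log() {
  {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\n'
    printf '1467264083.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\n'
    printf '1467264084.2\tC2\t10.0.0.5\t51001\t192.0.2.10\t443\n'
    printf '1467264085.3\tC3\t10.0.0.7\t51002\t192.0.2.20\t80\n'
    printf '1467264086.4\tC4\t10.0.0.5\t51003\t192.0.2.11\t443\n'
    printf '1467264087.5\tC5\t10.0.0.7\t51004\t192.0.2.20\t80\n'
    printf '1467264088.6\tC6\t10.0.0.5\t51005\t192.0.2.10\t443\n'
    printf '#close 2016-06-30-10-00-00\n'
  } > "$1"
}

# count_pairs LOG N: prints "count orig_h resp_p", most frequent first,
# counting only the last N data records (header/footer lines are skipped).
count_pairs() {
  awk -F '\t' -v n="$2" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # name -> column
    /^#/       { next }
    { rec[++m] = $col["id.orig_h"] " " $col["id.resp_p"] }
    END {
      start = (m > n) ? m - n + 1 : 1          # window over the tail only
      for (i = start; i <= m; i++) cnt[rec[i]]++
      for (k in cnt) print cnt[k], k
    }' "$1" | sort -rn
}

# pair_count LOG N IP PORT: the count for one (source IP, dest port) pair, 0 if absent.
pair_count() {
  count_pairs "$1" "$2" | awk -v ip="$3" -v p="$4" \
    '$2 == ip && $3 == p { print $1; f = 1 } END { if (!f) print 0 }'
}

# With bro-cut the same idea is: cut first, then take the tail:
#   bro-cut id.orig_h id.resp_p < conn.log | tail -n 100 | sort | uniq -c | sort -rn
# (running tail before bro-cut would strip the #fields header that bro-cut
# needs to map the field names to columns).
log=$(mktemp)
write_sample_log "$log"
count_pairs "$log" 3      # last 3 records -> "2 10.0.0.5 443" then "1 10.0.0.7 80"
rm -f "$log"
```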
Hi everyone,
Is there a way to obtain the source and/or destination mac address from a connection record ?
I've been looking through the scripts roam.bro, known-devices.bro and known-devices-and-hostnames.bro, but I'm not sure how it works. I'm wondering if I missed something. I have these 2 files:
cat /opt/bro/logs/current/known_devices.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path known_devices
#open 2016-06-30-09-08-33
#fields ts mac dhcp_host_name
#types time string string
1467260412.707446 00:11:22:33:44:55 android-684541321657432
1467260416.339490 00:11:22:33:44:66 android-213857946354179
1467260447.207524 00:11:22:33:44:77 iPhone-XXXX
1467261341.099450 00:11:22:33:44:88 iPhone -YYYY
1467271833.863474 00:11:22:33:44:99 iPhone -ZZZZ
1467272311.523445 00:11:22:33:44:00 bitcoin-computer
1467272443.463545 00:11:22:33:44:11 iPhone-UUUU
1467272517.623516 00:11:22:33:44:22 iPhone-TTTT
1467272692.387523 00:11:22:33:44:33 iPhone-VVVV
1467273783.775451 00:11:22:33:44:44 SDM-00239
1467273899.667460 00:11:22:33:33:55 iPhone-AAAA
AND
cat /opt/bro/logs/current/dhcp.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dhcp
#open 2016-06-30-09-51-23
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id
#types time string addr port addr port string addr interval count
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799
So what I want is a fusion between dhcp.log and known_devices.log to know each device's IP and MAC address.
I think Bro must monitor ARP Request/Response to an output log file like this:
ts string (Mac Addr) string (hostname) string (IP Addr)
1467260401.707446 XX:XX:XX:XX:XX:XX Android-XXXXXXXXXXX X.X.X.X
Or maybe anyone has another solution ?
Thank you for your help.
Maxime Lambert
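The "fusion" asked for above can be done offline on the two logs, as an added example that is not part of the original post: join dhcp.log to known_devices.log on the mac column and emit "ts mac hostname ip" in the shape sketched. The column names are those in the two logs above; the sample rows and the function names write_known_devices, write_dhcp, join_by_mac and ip_for_mac are constructed for this example, and the latest DHCP lease per MAC wins (duplicated dhcp.log rows collapse).

```shell
# Constructed known_devices.log (same columns as the real one).
write_known_devices() {
  {
    printf '#separator \\x09\n'
    printf '#unset_field\t-\n'
    printf '#fields\tts\tmac\tdhcp_host_name\n'
    printf '1467260412.707446\t00:11:22:33:44:55\tandroid-684541321657432\n'
    printf '1467260447.207524\t00:11:22:33:44:77\tiPhone-XXXX\n'
    printf '1467272311.523445\t00:11:22:33:44:00\tbitcoin-computer\n'
  } > "$1"
}

# Constructed dhcp.log: one duplicated row, one renewed lease for the first MAC.
write_dhcp() {
  {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id\n'
    printf '1467264083.8\tC1\t255.255.255.255\t68\t192.0.2.1\t67\t00:11:22:33:44:55\t192.0.2.50\t86400.0\t1\n'
    printf '1467264083.8\tC1\t255.255.255.255\t68\t192.0.2.1\t67\t00:11:22:33:44:55\t192.0.2.50\t86400.0\t1\n'
    printf '1467270000.1\tC2\t255.255.255.255\t68\t192.0.2.1\t67\t00:11:22:33:44:55\t192.0.2.51\t86400.0\t2\n'
    printf '1467272400.3\tC3\t255.255.255.255\t68\t192.0.2.1\t67\t00:11:22:33:44:00\t192.0.2.60\t86400.0\t3\n'
  } > "$1"
}

# join_by_mac KNOWN_DEVICES_LOG DHCP_LOG: prints "ts mac hostname ip",
# with "-" as ip when no lease for that MAC was seen.
join_by_mac() {
  awk -F '\t' '
    /^#fields/ { split("", col); for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    FNR == NR {                              # first file: dhcp.log
      mac = $col["mac"]; ts = $col["ts"] + 0
      if (mac != "-" && ts >= seen[mac]) { seen[mac] = ts; ip[mac] = $col["assigned_ip"] }
      next
    }
    { m = $col["mac"]; a = (m in ip) ? ip[m] : "-"   # second file: known_devices.log
      print $col["ts"], m, $col["dhcp_host_name"], a }
  ' "$2" "$1"
}

# ip_for_mac KNOWN_DEVICES_LOG DHCP_LOG MAC: the joined ip for one MAC ("none" if unknown).
ip_for_mac() {
  join_by_mac "$1" "$2" | awk -v m="$3" '$2 == m { print $4; f = 1 } END { if (!f) print "none" }'
}

k=$(mktemp); d=$(mktemp)
write_known_devices "$k"; write_dhcp "$d"
join_by_mac "$k" "$d"     # android -> 192.0.2.51, iPhone-XXXX -> -, bitcoin-computer -> 192.0.2.60
rm -f "$k" "$d"
```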
The NSF-funded LIGO project, responsible for the recent breakthrough discovery of gravitational waves that validate Einstein's theory, has posted an opening for a Cybersecurity Officer. This represents an opportunity to undertake cybersecurity in the support of scientific research with one of NSF's largest projects.
CTSC and NCSA are working with LIGO to help advertise the position. Please see the LIGO posting for more information and details on how to apply: https://jobs.caltech.edu/postings/4919
------
Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info
CENIC (one of the largest and most important public networks in the world)
is recruiting an experienced security engineer - with Bro skills - to lead
a new security group:
http://cenic.org/about/career-detail/SeniorInformationSecurityAnalyst_Engin…
Please forward to anyone you think might be interested. The initial job
location is LA, but moving to the CENIC office in Berkeley might be
possible in time.
I'm on the CENIC board, and it's a great organization. Louis Fox (the CEO)
is a very gifted leader. This network serves 20 million people, and
interconnects most universities, colleges, K-12s, and libraries in
California.
- Greg
--
Gregory Bell, PhD
CEO - Broala
www.broala.com
Call suspend_processing() from scriptland until your table is ready. Here's
an example:
https://github.com/anthonykasza/scratch_pad/tree/master/input_for_pcaps
-AK
On Jun 28, 2016 7:40 PM, "Dk Jack" <dnj0496(a)gmail.com> wrote:
Hi,
I am trying to run in batch mode, i.e. using the '-r' option. In my script, I am
trying to read some data into Bro from a text file. As per the input framework
documentation, reading data from a file is an asynchronous event, and my packet
processing is completing before I receive the Input::end_of_data event. Is there
a way to delay packet processing till the file read is complete?
Thanks,
Dk
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Hi All
I use Bro for my PhD research. I add scripts in Bro and then look at the CPU
and packet drop rate, using @load stats.bro. I'm using Bro 2.3 with
standard libpcap.
I use tcpreplay from machine A to replay the pre-captured traffic into the Bro
multi-core machine B through a port mirror switch. I replay the traffic from
100 to 1000 Mbps. When it reaches 200 Mbps and onward, packets start to drop and
the drop rate increases. Surprisingly, the CPU is not fully utilized; CPU usage is
still 40%. What we know is that dropped packets result from full CPU load, but in
our case the CPU is still below 50%, so my question is: what is the cause of
this packet drop? Is it normal?
Best regards
Aidaros