Bro Community,
A friendly reminder that BroCon’s early bird registration expires on Monday August 1st. Save yourself $50 and register now!
https://www.bro.org/community/brocon2016.html#registration
See you in September,
The Bro Team
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Hi,
I have Bro and a proftpd server installed on Linux. I tried to connect to this server through an intentional brute-force attack with random usernames and passwords, thinking ftp.log would record these attempts, but it didn't. Instead of ftp.log, I am getting these requests logged in the weird.log file.
I did the same with the ssh service, and all requests and related information were logged in the ssh.log file. How can I make the ftp.log file log all FTP-related information, which I genuinely think should be a default setting? Isn't it so?
Regards, Aneela Safdar
Is there any reason to expect Bro to give inconsistent output when
running a script on trace files? I have a script that uses SumStats to
fire off an observation in the tcp_packet event to save the payload for
later analysis. I seem to be running into an issue where I count a
smaller number of observed tcp_packet events than I should actually be
seeing.
--
Ben
Hi,
I need to know where I can specify the time interval for moving Bro's log files from the current folder to the respective date-named folder. Can I change it? Regards, Aneela Safdar
Hi all,
My team is looking into using the Bro IDS for monitoring of a science DMZ with a 100 Gbps network. I was wondering how to choose which network tap(s) is necessary for this type of connection and if you have any recommendations/methods for setting up the hardware for Bro. I have been looking at the passive Ixia Flex taps, but after reading the paper on bro.org about the 100G connection in Berkeley Labs, I'm not so sure this is the right direction.
Thanks for the help,
Daniel Manzo
Hi all!
I'm posting from my Broala address this time because I wanted to let everyone know that we have a couple of job openings at Broala. If anyone is interested in working with us as we develop the BroBox platform, please reach out, we'd love to hear from you!
Here are the links to the job postings:
https://www.broala.com/platform-engineer.html
https://www.broala.com/platform-quality-engineer.html
Thanks,
.Seth
--
Seth Hall * Broala * seth(a)broala.com * www.broala.com
Bro Community
I have been seeing A LOT of SYN/ACK attacks lately on my net and it seems
that every time Bro switches the orig and resp IPs. Luckily the
history column has helped me determine which IP is the true src.
Also, I have SiLK running on my Bro sensors and the netflow traffic I get
from SiLK is identifying the true src and resp IP addresses but Bro seems
to switch the IP addresses. Is this because Bro thinks it missed the SYN
packet so it switches the IPs? Should it be doing this?
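As an added illustration of the triage described in this message (this is example code, not part of the original post or of Bro itself): Bro's conn.log history string records the handshake in order, with uppercase letters for the endpoint Bro labelled the originator and lowercase for the responder. A history that begins with "H" therefore means the first packet seen was a SYN/ACK from the "originator", which is the flipped case; a leading "h" means Bro merely missed the client's SYN but labelled the direction plausibly. The conn.log rows below are constructed (placeholder uids and documentation IP ranges), and the column set is reduced to the fields the check needs; the parser reads the #fields header, so it works unchanged on a full conn.log. The "^" prefix is the marker later Zeek versions add once they have flipped a connection themselves, so such rows are left alone.

```python
"""Flag conn.log rows whose orig/resp labels are likely reversed, using the history field."""

# Constructed sample conn.log (tab-separated, Bro/Zeek header style). Not real traffic.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory",
    # normal client -> server connection, full handshake seen
    "1459786307.312525\tCexample1\t10.0.0.5\t51234\t203.0.113.10\t80\ttcp\tSF\tShADadFf",
    # first packet seen was a SYN/ACK from 203.0.113.20:443 -> Bro labelled the server as orig
    "1459786308.100000\tCexample2\t203.0.113.20\t443\t10.0.0.7\t40001\ttcp\tRSTR\tHr",
    # SYN missed, but responder's SYN/ACK answered a real client: labels are plausible
    "1459786309.200000\tCexample3\t10.0.0.9\t55000\t198.51.100.4\t22\ttcp\tSH\thA",
    # already flipped by a newer Zeek (leading '^'), nothing to do
    "1459786310.300000\tCexample4\t10.0.0.11\t56000\t198.51.100.8\t25\ttcp\tSF\t^ShADadFf",
])


def parse_conn_log(text):
    """Return conn.log rows as dicts keyed by the names in the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def likely_flipped(history):
    """True when the first packet Bro saw was a SYN/ACK sent by its 'originator'."""
    if history.startswith("^"):
        return False  # Zeek already flipped this connection
    return history[:1] == "H"


def corrected_endpoints(row):
    """Return ((orig_h, orig_p), (resp_h, resp_p)) with the flip undone where needed."""
    orig = (row["id.orig_h"], row["id.orig_p"])
    resp = (row["id.resp_h"], row["id.resp_p"])
    if likely_flipped(row["history"]):
        return resp, orig
    return orig, resp


def flipped_rows(rows):
    """List (uid, corrected originator, corrected responder) for suspicious rows."""
    out = []
    for row in rows:
        if likely_flipped(row["history"]):
            orig, resp = corrected_endpoints(row)
            out.append((row["uid"], orig, resp))
    return out


if __name__ == "__main__":
    for uid, orig, resp in flipped_rows(parse_conn_log(CONN_LOG)):
        print(f"{uid}: true originator {orig[0]}:{orig[1]} -> responder {resp[0]}:{resp[1]}")
```

The check only uses the history column that the poster already relies on; cross-checking against SiLK flow records, as the message describes, remains the way to confirm which side really sent the first packet.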
Hi,
I have been trying to trace a bug in my code. I put print
statements in several events including connection_SYN_packet. I am
seeing this event getting fired off twice for every SYN packet seen on
the wire. When I inspect the pcap with Wireshark however, I have only
found a single SYN packet. So I am wondering if there is something
special happening in the event engine when using low level functions
like connection_SYN_packet, that might cause this behavior.
--
Ben
Hi All,
Has anyone encountered the assertion failure below with Bro 2.4.1? This is
happening with live traffic at least a couple times a day since upgrading
from Bro 2.3.2. I didn't see anything in the bug tracker, so thought I'd float
it here first.
listening on zc:99@1, capture length 8192 bytes
1459786307.312525 processing suspended
1459786307.312525 processing continued
1459802619.911190 Failed to open GeoIP City database:
/usr/share/GeoIP/GeoIPCity.dat
1459802619.911190 Fell back to GeoIP Country database
1459802619.911190 Failed to open GeoIP Cityv6 database:
/usr/share/GeoIP/GeoIPCityv6.dat
bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal*
Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0'
failed.
/opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted
(core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@"
Regards,
Michael
Hi,
I am trying to build a 2D histogram based on byte values in a TCP payload.
I look at each byte independently. So I get 2^8 possible byte values
which I use as a row index. The first 256 or so bytes of the payload as
passed from the tcp_packet function are where I get this, and the
specific byte position in the payload is supposed to give me the column
index. I initially was trying the following, with and without
the SumStats framework. The code below is with SumStats:
module BytePatterns;
export {
    # index = byte position in the payload prefix; value = histogram of hex byte values
    global other_counts: vector of table[string] of count;
}
<Stuff>
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
    {
    if ("prefix" in result)
        {
        local i = 0;
        local payload = SumStats::key2str(key);
        for (bytei in payload)
            {
            bytei = string_to_ascii_hex(bytei);
            if (i !in BytePatterns::other_counts)
                {
                # Allocate a fresh table for every byte position. Tables are
                # reference types in Bro, so assigning one shared local (e.g. a
                # 'tmp' declared above) would make every position alias the same
                # table and inflate every column's counts.
                BytePatterns::other_counts[i] = table();
                }
            if (bytei !in BytePatterns::other_counts[i])
                {
                BytePatterns::other_counts[i][bytei] = 0;
                }
            BytePatterns::other_counts[i][bytei] += 1;
            i += 1;
            }
        }
    }
<Stuff>
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    if (is_orig)
        {
        if (c$seen_syn == T)
            {
            c$acks += 1;
            # second originator ACK with data: first payload segment after the handshake
            if (c$acks == 2 && len > 0)
                {
                print fmt("%s", BytePatterns::eseen);
                SumStats::observe("prefix", [$str=payload], [$str=payload]);
                }
            }
        }
    }
Based on other state, this event should only be getting 3 payloads with
a trace file I made for testing. The column sum should therefore be 3
for all columns, however, when I run this code, I am getting
significantly larger counts.
I am wondering if the way I am adding tables to the other_counts data
structure is somehow causing this behavior. Or possibly something with
the way I am using SumStats and it is not doing what I think it is.
Thank you in advance.
--
Ben