Hi,
I'm currently researching SSL/TLS handshakes and want to process several
events Bro provides with the SSL plugin. I've installed Bro along with
broccoli and broccoli-python and the "broping" example (from the test
directory) is working just fine. For each "ping" event I sent to Bro, a
"pong" is received and processed in my Python script.
However, in case of the SSL my callbacks are never executed. The most
simplified version looks something like this:
> #! /usr/bin/env python
>
> from broccoli import *
>
> @event
> def ssl_established(c):
>     print('established')
>
> bc = Connection("127.0.0.1:47760")
>
> while True:
>     bc.processInput()
To my understanding I don't even have to load the SSL plugin, since it
resides within "base", but nevertheless my local.bro contains the following:
> @load broping
> @load base/protocols/ssl
When starting Bro and executing the Python script mentioned above,
nothing happens, even if SSL traffic is going through the interface
(and/or coming from a recorded pcap). I've also tried to register
callbacks for various other SSL related events (ssl_client_hello,
ssl_server_hello, etc.), but in no case were my callbacks invoked.
The only difference from the "broping.py" in the examples is that I'm
not sending any events, but just want to receive them (hence I'm calling
processInput() regularly).
What am I missing here? Do I somehow need to enable the SSL
functionality within Bro? How can I further debug the problem?
Any help is very much appreciated, since I've spent a fair amount of
time on this already, with no real progress.
Thank you very much!
Best regards,
Karol Babioch
I’m creating a script that hooks Notice notice/policy and executes an ActiveHTTP call to submit specific notice events to a REST endpoint. In the submission I’d like to include the Notice::Info object as a JSON data field so tried:
to_json(n)
But it produces the following error:
1485869266.028563 error in /Users/dave/Projects/bro/share/bro/base/utils/json.bro, line 26: wrong port format, must be /[0-9]{1,5}\/(tcp|udp|icmp)/ (to_port(cat(v)))
Do I need to manually re-package all the fields the Notice::Info, and if so, has anyone already done this so I can borrow the code? :-)
This is the Notice::Info object I’m testing with:
[ts=1485872499.141021, uid=CSRU563utEL1B2yFl5, id=[orig_h=10.0.2.15, orig_p=1381/tcp, resp_h=199.192.156.134, resp_p=443/tcp], conn=<uninitialized>, iconn=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>, file_mime_type=<uninitialized>, file_desc=<uninitialized>, proto=tcp, note=Signatures::Sensitive_Signature, msg=10.0.2.15: ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator), sub=POST /bbs/info.asp HTTP/1.1\x0d\x0aHost: 199.192.156.134:443\x0d\x0aContent-Length: 165\x0d\x0aConnection: Keep-Alive\x0d\x0aCache-Control: no-cache\x0d\x0a\x0d\x0a3D333531501A..., src=10.0.2.15, dst=199.192.156.134, p=443/tcp, n=<uninitialized>, src_peer=[id=0, host=127.0.0.1, p=0/unknown, is_local=T, descr=bro, class=<uninitialized>], peer_descr=bro, actions={
Phantom::ACTION_PHANTOM,
Notice::ACTION_LOG
}, email_body_sections=[], email_delay_tokens={
}, identifier=<uninitialized>, suppress_for=1.0 hr, dropped=F, remote_location=<uninitialized>]
-Dave
TL;DR: It's possible that transparent huge pages and bro do not get along, try doing a
# on all nodes
echo never > /sys/kernel/mm/transparent_hugepage/enabled
# then
broctl restart
There are ways to make that permanent if it helps.
I've been doing some research to try to figure out why some people have more memory issues than others. I think the kernel feature Transparent Huge Pages (THP) and bro may not get along well. It's supposed to help performance for memory allocations, but many services recommend disabling it (mongodb, redis, mysql). For example:
> Transparent Huge Pages (THP) is a Linux memory management system that reduces the overhead of Translation Lookaside Buffer (TLB) lookups on machines with large amounts of memory by using larger memory pages.
>
> However, database workloads often perform poorly with THP, because they tend to have sparse rather than contiguous memory access patterns. You should disable THP on Linux machines to ensure best performance with MongoDB.
Bro memory allocations can best be described as unpredictable, especially on 'cluster in a box' deployments.
On our systems, disabling it drops bro worker memory usage by 20% and manager/logger usage by even more, but since we only have one of those it's harder to compare. For workers I disabled THP on half the nodes, and the post bro restart memory usage is consistently lower.
--
- Justin Azoff
Good afternoon,
What is the difference between the Bro Clustering method of creating
multiple workers and lb_procs? I see the same # of CPUs in-use regardless.
Sincerely,
Hi,
I need to add id [orig_h, orig_p, resp_h, resp_p] in
files.log, so I tried to
add the content into opt/bro/share/bro/base/frameworks/files/main.bro but
it's not accepting.
I added below code into main.bro
    id: conn_id &log;
and
    function set_info(f: fa_file)
        {
        if ( ! f?$info )
            {
            local tmp: Info = Info($ts=f$last_active, $fuid=f$id,
                                   $id=f$conns);
            f$info = tmp;
            print "test", f$conns;
            }
        }
Is there any other way to do this?
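One way to get the connection 4-tuple into files.log without editing the base scripts is to extend Files::Info from a script loaded in local.bro. This is an added example, not code from the thread; it assumes Bro 2.5's file_over_new_connection event (which base/frameworks/files/main.bro handles at priority 10 to create f$info) and that Files::Info accepts redef'd &optional fields.

```bro
##! Adds the 4-tuple of the first connection a file was seen over to files.log.
##! Load this from local.bro instead of editing base/frameworks/files/main.bro.
##! Assumption: Bro 2.5 files framework (file_over_new_connection, Files::Info).

module FilesConnID;

redef record Files::Info += {
	## Connection 4-tuple the file was first observed over.
	## Must be &optional (or &default) because Files::Info is built elsewhere.
	id: conn_id &log &optional;
};

# The base framework's handler for this event runs at priority 10 and calls
# set_info(f), so f$info already exists when this handler (priority 5) runs.
# A file can be carried over several connections; only the first one is kept,
# matching the conn_uids/tx_hosts/rx_hosts fields that already record the rest.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
	{
	if ( f?$info && ! f$info?$id )
		f$info$id = c$id;
	}
```

Note that f$conns is a table keyed by conn_id (not a single conn_id), which is why assigning it directly to a conn_id field is rejected.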
Attention Bro4Pros attendees,
If you are unable to attend Bro4Pros on Thursday February 2nd, please cancel your registration so that we may open the spot to others.
For those of you attending Bro4Pros, see you in a couple weeks!
Thanks,
Jeannette Dopheide
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
An odd request I'm sure....almost all other apps that I do the
./configure, make, sudo make install dance leave me with a config.log.
Bro does not. Can we get this please? Unless the information is
contained somewhere else of course...thank you.
James
> Thanks Jan, what version of Bro are you running and on which platform?
I am using Bro 2.5 on Fedora 23 (4.8 kernel).
> I have 'bro version 2.5-30’, compiled from Github master, on Debian 8.7 and macOS 10.12.2 and both hang until I ctrl-C, and neither enters the when{} block:
$ time bro --pseudo-realtime -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap b.bro
[code=302, msg=Found\x0d, body=...]
1485807420.620682 received termination signal
real 1m0.583s
user 0m26.229s
sys 0m34.185s
Without "--pseudo-realtime" it seems to hang for me, too. Have you tried
using it?
Jan
I’m testing a new script in 2.5 that uses ActiveHTTP but I'm unable to retrieve the response. With a simple test script of:
    when ( local resp = ActiveHTTP::request([$url="https://www.google.com/"]) )
        {
        print "Inside the Matrix.";
        }
I can see the ActiveHTTP request was successful based on the temporary files created:
-rw-r--r-- 1 dave wheel 162 Jan 27 23:43 /tmp/bro-activehttp-HJKhXt6UYXi_body
-rw-r--r-- 1 dave wheel 163 Jan 27 23:43 /tmp/bro-activehttp-HJKhXt6UYXi_headers
But the print statement within the when block never executes. Any ideas what I’m missing?
-Dave
Hi All,
Running Bro 2.5, everything is working except intel.log file stop getting
generated.
Last event in that file was around 12:45pm today, and after it got rotated,
I didn't see intel.log for 1pm hour and still no log for intel.log in the
current log dir.
I don't know why all of a sudden intel.log stopped getting generated.
I checked:
1. The conn.log, and seeing the connections from IPs listed as bad in intel
feed.
$ less bad-IP.intel | grep "61.240.xx.yy"
61.240.xx.yy Intel::ADDR scanner 85 csirtg.io
$ less conn.log | grep "61.240.144.65"
1485280794.930507 CzUCmv3TFKLcYxFps1 61.240.xx.yy 40805 128.4.107.206 8081 tcp - - - - S0 F T 0 S 1 40 0 0 (empty)
2. Permissions on the intel input files are fine, i.e. Bro readable.
3. No major activity related to Bro happened around 12:45 that could
impact any Bro processing.
Any leads/suggestions?
Thanks,
Fatema.