Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings, I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder if there is some rule that pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Hello,
I was just wondering if it was possible to look up fa_file or Files::Info records given a FUID. I have been looking through the built-in functions but have not seen anything.
Best,
Jereme Lamps
Hi all,
I'd like to ask guidance on how to contribute to BRO by proposing
extensions to existing protocol analyzers.
For instance, suppose that I realize a patch to the DHCP analyzer that
includes new unsupported options. Such a patch would impact multiple
files like those in src/analyzer/protocol/dhcp,
scripts/base/protocols/dhcp as well as new types to be included in
init-bare.bro.
What would be the best procedure (and format) to submit such a patch?
best,
Valerio
We announce the release of Bro v2.5.2. The new version is now available for
download at:
https://bro.org/download/index.html
or directly at:
https://www.bro.org/downloads/bro-2.5.2.tar.gz
Binary packages for the new version are currently building and will be available
in the next hours at:
https://bro.org/download/packages.html
This is a security release that fixes an out-of-bound write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There also is a possibility this can be exploited in other ways.
This bug was found by Frank Meier. A CVE has been requested for this bug.
Bro 2.5.2 does not contain any other changes. We urge everyone to update their
installation as quickly as possible.
Due to the potential severity of this bug we also provide a patched version of
Bro v2.4.2. The only difference to version v2.4.1 is this bugfix. Please note
that we encourage users to use version 2.5.2 instead; we generally do not
provide security updates for old releases; version 2.4.2 is missing a number of
other bugfixes that were applied to v2.5.2.
Version 2.4.2 is available for download at:
https://www.bro.org/downloads/bro-2.4.2.tar.gz
Johanna
Hi,
Is there a way to view which hosts were scanned when receiving a notice from the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which hosts were scanned by the host machine.
Thanks,
Hello,
Just wondering if anyone has tried to use Bro on an OpenFlow-based
network using Mininet?
Kind regards
Daniel
Hi,
So I am using the SMB plugin for Bro by loading it in local.bro, but it seems to be very inconsistent.
Oftentimes when I am copying files between two Windows machines over the domain there is no corresponding file in the files.log.
The smb_files.log itself seems to be filled up with a lot of .ini files as well, and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them.
I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network, but oftentimes Bro does not detect the same.
Is there any particular way I need to share the files in Windows to get the copied files to show up consistently in Bro?
Regards
Vikram Basu
Hi,
I have this simple script:
    event bro_init()
        {
        # A small negative double.
        local a = -3.019159e-8;
        # Print the double directly.
        print "a", a;
        # Format the same value with an explicit %e conversion.
        local s = fmt("%e", a);
        print "s", s;
        }
Results:
a, -0
s, -3.019159e-08
The printing of variable a is important because it's -0 once written in a
log file.
Is there any way of printing/writing large doubles?
Thanks
B
Hi all,
I am trying to read a CSV file that has regex patterns in it.
It seems that Bro does not like reading a column into a regex type.
Is there any way to accomplish that? Is there any function that converts a string to
a regex?
Thanks a lot,
B