Hello,
I was just wondering if it is possible to look up fa_file or Files::Info records given a FUID. I have been looking through the built-in functions but have not seen anything.
Best,
Jereme Lamps
Hi all,
I'd like to ask for guidance on how to contribute to Bro by proposing
extensions to existing protocol analyzers.
For instance, suppose that I write a patch for the DHCP analyzer that
adds currently unsupported options. Such a patch would affect multiple
files, like those in src/analyzer/protocol/dhcp and
scripts/base/protocols/dhcp, as well as new types to be included in
init-bare.bro.
What would be the best procedure (and format) to submit such a patch?
best,
Valerio
We announce the release of Bro v2.5.2. The new version is now available for
download at:
https://bro.org/download/index.html
or directly at:
https://www.bro.org/downloads/bro-2.5.2.tar.gz
Binary packages for the new version are currently building and will be available
in the next hours at:
https://bro.org/download/packages.html
This is a security release that fixes an out-of-bound write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There also is a possibility this can be exploited in other ways.
This bug was found by Frank Meier. A CVE has been requested for this bug.
Bro 2.5.2 does not contain any other changes. We urge everyone to update their
installation as quickly as possible.
Due to the potential severity of this bug we also provide a patched version of
Bro, v2.4.2. The only difference from version v2.4.1 is this bugfix. Please note
that we encourage users to use version 2.5.2 instead; we generally do not
provide security updates for old releases, and version 2.4.2 is missing a number
of other bugfixes that were applied to v2.5.2.
Version 2.4.2 is available for download at:
https://www.bro.org/downloads/bro-2.4.2.tar.gz
Johanna
Hi everyone,
I'm looking to build a Bro architecture with several Tap components (I
mean the tcpdump stuff), all separated from the core.
I've seen the "cluster" architecture
(https://www.bro.org/sphinx/cluster/index.html), but as I said I want to
split out the capture work, not the protocol analysis stuff.
My situation is the following: I have several "boxes" (without enough
power to do the protocol analysis work, that's the point) in different
networks, all connected to one single "core" component. I would like to
deploy network capture (Tap) instances on all those boxes and let the
core component do all the hard stuff (I can potentially install a
front-end on this core component to set up many "workers" behind it).
Is there any way to do this? Any documentation? Does anyone have any
clue about how to set it up that way?
Thanks a lot,
Pierre
Hi,
Is there a way to view which hosts were scanned when receiving a notice from the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which hosts were scanned by that host.
Thanks,
Hi all,
I wonder if anyone has had a chance to somehow incorporate an FPGA NIC /
SmartNIC / Napatech / PF_RING with Bro?
I would like to scale my Bro cluster and process higher volumes of traffic
(5-10Gbps). Currently I use a PF_RING-supported NIC (Intel X710) to load-balance
the traffic to multiple workers; this environment cannot handle the above
traffic load.
I could always beef up my server, but that does not seem like an elegant
solution.
Could there be any benefits to moving to a Napatech NIC or an FPGA-supported
NIC?
In what scenario can an FPGA card be integrated with Bro to offload some of
its more tedious tasks to the smart NIC?
Any ideas would be appreciated.
Thanks
B
hi,
I have this code:
# Assumed: the poster's extrac_prefix is defined elsewhere in their script;
# a placeholder declaration is added here so the snippet loads on its own.
const extrac_prefix = "./contents" &redef;

event connection_established(c: connection)
    {
    # Write the originator-side payload of this connection to its own file.
    local orig_file = generate_extraction_filename(extrac_prefix, c, "orig.dat");
    local orig_f = open(orig_file);
    set_contents_file(c$id, CONTENTS_ORIG, orig_f);

    # Same for the responder side.
    local resp_file = generate_extraction_filename(extrac_prefix, c, "resp.dat");
    local resp_f = open(resp_file);
    set_contents_file(c$id, CONTENTS_RESP, resp_f);
    }
and I would like to set a maximum size. I think that I have two options:
1. set a maximum file size
2. control the data so that it does not exceed the size
How can I do this?
thanks
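As an added example (not the poster's code), one way to bound what gets written to disk is to move from set_contents_file to the file analysis framework's extraction analyzer, which in Bro 2.5 accepts a per-file byte limit; the output prefix, the 1 MiB cap and the output file naming below are assumptions:

```bro
# Added example, not from the original post. Assumes Bro 2.5's
# base/files/extract script, where Files::AnalyzerArgs carries
# extract_limit and the core raises file_extraction_limit on cutoff.
@load base/files/extract

# Assumed values: where extracted files go and the per-file byte cap.
redef FileExtract::prefix = "./extract_files/";
const max_extract_bytes: count = 1048576 &redef;

event file_new(f: fa_file)
    {
    # Name the output after the file's source and unique id (FUID), so
    # every extracted file gets its own distinct, traceable name.
    local fname = fmt("%s-%s", f$source, f$id);

    # Attach the extraction analyzer with the byte limit: once the limit
    # is reached the analyzer stops writing instead of filling the disk.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname,
                         $extract_limit=max_extract_bytes]);
    }

# Raised when extraction stops because the cap was hit; reporting it
# keeps the truncation visible rather than silently producing partial files.
event file_extraction_limit(f: fa_file, args: any, limit: count, len: count)
    {
    print fmt("extraction of %s stopped at %d bytes (limit %d)",
              f$id, len, limit);
    }
```

The base extract script also records the cutoff in files.log (extracted_cutoff and extracted_size), so the truncation is visible there as well.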
Hello,
Just wondering if anyone has tried to use Bro on an OpenFlow-based
network using Mininet?
Kind regards
Daniel
Hi, all
Is there some way to convert the name field of smb_files.log to something "readable"?
I get name values like "\u00ec\u0099\u0084".
It seems like Unicode, and I see a weird string (e.g. ê¸°íš íŒ€) when I send
it to ELK (character set: utf-8).
I might need to convert it.
Any comments would be appreciated!
Thanks!