Hi All,
(1) I wonder what the rationale is for removing the binpac files for
some common protocols (e.g., HTTP, DNS, et al.)? Does the current bro
distribution only include the handwritten protocol parsers for those
protocols?
I can see that the http-{protocol, analyzer}.pac files have been removed since
bro-2.2. I checked the CHANGES log but cannot find the explanation.
(2) We create a "general" analytic module that includes APIs (e.g., passing
a key/value pair) which can be called by multiple protocol parsers such as HTTP
and DNS (essentially we only want the "parser" instead of the whole
"analyzer" part; that's the reason we are looking for the
http-protocol.pac).
We develop such a module as a plugin, say "Sample::Test", which includes a
function test_func(...). We have another sample protocol parser including the
following code:
> type myPDU() = record {
>     data: bytestring &restofflow;
> } &byteorder = bigendian &let {
>     # Evaluated once per PDU; calls into the flow object.
>     deliver: bool = $context.flow.myFUNC();
> };
>
> flow myFLOW() {
>     flowunit = myPDU(...);
>
>     function myFUNC() {
>         Sample::test_func(...);
>     }
> };
That is, in the current sample module we want the external function to be
called when receiving a protocol flow PDU (in &let {...}). So how can we
get the binpac (protocol parser) to recognize the function Sample::test_func()
written in another plugin, Sample::Test? I can see that in
/src/analyzer/protocols, the analyzers can include the functionality from
another analyzer by including headers such as #include
"analyzer/protocols/tcp/...". But when writing plugins in
/aux/bro-aux/plugin-support, how can we do that?
Thanks very much!
Hi Bro'ers
I have a problem getting a notice.log file generated at its DEFAULT path.
Short description of my problem:
* whenever I start Bro to do something, some log files get generated
(e.g. communication, http, ...) in a folder named /var/log/bro
* however (also after a "deploy" command!), when I call e.g.
"NOTICE([$note=***, $msg="***"])", NO notice.log file gets generated
ANYWHERE on my VM
* I can somehow circumvent that by manipulating the
share/bro/base/frameworks/notice/main.bro file, when I explicitly
set the $path variables in there to my absolute path like
"/var/log/bro/notice"
Some background I already found out:
* the Bro documentation says NOT to change any files in the
directories (and their sub-folders) under share/bro EXCEPT the
share/bro/site folder
* I found out that all the modules for which the DEFAULT path log-file
generation is working somehow load (directly or indirectly) the
base/utils/paths or the base/utils/site modules
What I want:
* getting my notice.log file generated without specifying an absolute
path; only the file name (just like it works for the other log
files in my /var/log/bro folder)
Please help me to get my notice.log file WITHOUT manipulating files
which one should not touch!
Thanks a lot in advance!
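One way to set a log stream's filter from site code rather than by editing files under share/bro/base is to replace the stream's default filter from local.bro. The following is an added example, not code from the original post; it assumes the standard Notice::LOG stream and the logging framework's Log::remove_default_filter and Log::add_filter functions, and the filter name "notice-site" is chosen here for illustration.

```bro
# Added example: drop into share/bro/site/local.bro (or a script loaded from it).
# Replaces the default filter of the Notice stream with one that sets the
# path "notice" explicitly, so notice.log lands in the normal log directory
# without touching base/frameworks/notice/main.bro.
@load base/frameworks/notice

event bro_init() &priority=-5
	{
	# The default filter is installed when the stream is created; remove it
	# first so the stream is not written twice under two filter names.
	Log::remove_default_filter(Notice::LOG);

	# Re-add a filter with a relative path; the log writer resolves it
	# against the configured log directory, so no absolute path is needed.
	Log::add_filter(Notice::LOG, [$name="notice-site", $path="notice"]);
	}
```

The negative priority makes the handler run after the notice framework's own bro_init, which creates the stream, so the default filter already exists when it is removed.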
Hello,
I need to prepare for my exam Resilient Networks and I have a few questions
about Bro. Do you have something like lectures? I would gladly pay for
someone to help me prepare Bro for the exam.
Regards,
Neda Danilović
www.kaficamagazin.rs
Hello,
I was just wondering if it is possible to look up fa_file or Files::Info records given a FUID. I have been looking through the built-in functions but have not seen anything.
Best,
Jereme Lamps
Hi all,
I'd like to ask for guidance on how to contribute to Bro by proposing
extensions to existing protocol analyzers.
For instance, suppose that I write a patch for the DHCP analyzer that
adds new, currently unsupported options. Such a patch would impact multiple
files like those in src/analyzer/protocol/dhcp and
scripts/base/protocols/dhcp, as well as new types to be included in
init-bare.bro.
What would be the best procedure (and format) to submit such a patch?
best,
Valerio
We announce the release of Bro v2.5.2. The new version is now available for
download at:
https://bro.org/download/index.html
or directly at:
https://www.bro.org/downloads/bro-2.5.2.tar.gz
Binary packages for the new version are currently building and will be available
in the next hours at:
https://bro.org/download/packages.html
This is a security release that fixes an out-of-bounds write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There is also a possibility that this can be exploited in other ways.
This bug was found by Frank Meier. A CVE has been requested for this bug.
Bro 2.5.2 does not contain any other changes. We urge everyone to update their
installation as quickly as possible.
Due to the potential severity of this bug we also provide a patched version of
Bro v2.4.2. The only difference from version v2.4.1 is this bugfix. Please note
that we encourage users to use version 2.5.2 instead; we generally do not
provide security updates for old releases, and version 2.4.2 is missing a number of
other bugfixes that were applied to v2.5.2.
Version 2.4.2 is available for download at:
https://www.bro.org/downloads/bro-2.4.2.tar.gz
Johanna
Hi everyone,
I'm looking to build a Bro architecture with several Tap components (I
mean the tcpdump stuff), all separated from the core.
I've seen the "cluster" architecture
(https://www.bro.org/sphinx/cluster/index.html), but as I said I want to
split out the capture work, not the protocol analysis stuff.
My situation is the following: I have several "boxes" (with not enough
power to do the protocol analysis work, that's the point) in different
networks, all connected to one single "core" component. I would like to
deploy network capture (Tap) instances on all those boxes, and let the
core component do all the hard stuff (I can potentially install a
front-end on this core component to set up many "workers" behind it).
Is there any way to do this? Any documentation? Does anyone have any
clue about how to set it up that way?
Thanks a lot,
Pierre
Hi,
Is there a way to view which hosts were scanned when receiving a notice from the scan.bro script? We have been receiving a lot of notices lately for "x.x.x.x scanned at least X unique hosts on port X in Xtime". I cannot seem to find a good way to determine which hosts were scanned by the scanning host.
Thanks,
Hello,
Has anyone ever had experience with setting a custom postprocessor func on a
specific filter?
Here's what I want to do:
function rotation_postprocessor_func(info: Log::RotationInfo) : bool
	{
	# Move file to name including both opening and closing time.
	local dst = fmt("/tmp/%s.%s.log", info$path,
	                strftime(Log::default_rotation_date_format,
	                         info$open));
	system(fmt("/bin/mv %s %s", info$fname, dst));

	# Run default postprocessor.
	return Log::run_rotation_postprocessor_cmd(info, dst);
	}

Log::add_filter(test_log::LOG, [
	$name="test_log",
	$path_func=test_log_func,
	$config=table(["tsv"] = "T"),
	$interv=100sec,
	$postprocessor=rotation_postprocessor_func,
	$include=set("ts")
	]);
and when I run it in cluster mode / single instance mode, I see that the
"test_log" files are rotated like all the other logs, meaning that my /tmp/
folder is empty.
Any ideas?
Thanks
B
Hi All
I have two questions about http.log and conn.log.
(1) Why do some UIDs in http.log not correspond to conn.log UIDs?
(2) Why may one conn.log UID correspond to many flows in http.log?
Thanks ~