New user, with a Fedora install.
1 - Starting with the basics. As a normal user:
[BroControl] > install
Error: running "bro -v" failed with output:
can't open 'debug.log' for debugging output
Does bro have to run as root?
2 - Is there an NNTP reflector for this mailing list?
Ken Goldman kgoldman(a)us.ibm.com
I looked at this a while back, and didn't pursue it because the protocol
itself really doesn't have a lot of useful information. There are no
filenames or really any useful metadata in the protocol (that's all
contained in the .torrent file which is downloaded via a different
There might be something for DHT, but that would require parsing
a completely different protocol.
Johanna Amann <johanna(a)icir.org> writes:
>> Will I be able to detect torrent downloads using Bro? I could see some
>> torrent analyzers; is there any load statement I should include in local.bro,
>> or how do I detect them?
> The Bittorrent analyzer in Bro has not been touched in years and I assume
> that it is not functional (it certainly has not been tested by anyone in a
> long time).
> If you are interested in trying to enable it, you will have to write all
> scripts yourself. As you probably are aware for most protocol analyzers we
> have scripts in base/ that create the logfiles that are written to disk.
> These scripts were never created for the Bittorrent analyzer - you would
> have to write them from scratch (and as I mentioned I have doubts if it
> still works).
> So - short version - there is no quick and easy way to enable it
The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, with additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable.
Please let us know what features you would like to see by filling out our questionnaire:
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Am trying to use the webapp detection script to detect webapps like
I saw in previous threads it was mentioned to enable "Make sure to set your
Sites::local_net variable. If you set it to
I have included 0.0.0.0/0 in networks.cfg,
I have also included in local.bro
redef Software::asset_tracking = ALL_HOSTS;
Still I couldn't see any webapps traffic mentioning Facebook; I could see
only a multicast address like 126.96.36.199.
Any solution, much appreciated.
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk
Does anyone know a way to get a list of all triggered events given a pcap
Currently what I do is just print some indicative message for each
suspected relevant event (quite a tedious task).
If I am trying to add smb-ransomware.bro to my bro setup, where should I
include this in the bro directories?
root@csh:/home/raj# find / -name "smb"
and after this I can include in local.bro: @load policy/protocols/smb
I have a question regarding how the connections are created in conn.log.
I thought that the combination tuple of (src_ip, src_port, dest_ip,
dest_port) was used to define one connection, but this is not the case.
From my conn.log file I have 6 connections with 6 unique different uids but
with the same exact combination tuple mentioned above.
The first connection is the one that establishes the ssl connection and the
other 5 are identified as OTH, which is "No SYN seen, just midstream
traffic (a 'partial connection' that was not later closed)."
Are they not all included in the same connection because bro did not
identify the ssl connection closing? If so, does this mean that bro
considers a flow as a unique connection if there is a problem with the protocol
beginning and ending?
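For the conn.log question above, here is an added example (not from this thread or from Bro itself) that parses Bro's tab-separated ASCII conn.log, groups records by the (src_ip, src_port, dest_ip, dest_port) tuple plus proto, and reports which tuples Bro split across several uids together with each uid's conn_state. The log records are constructed for the example.

```python
"""Group Bro conn.log records by 5-tuple to see which uids share one flow."""
from collections import defaultdict

# Constructed sample in Bro's tab-separated ASCII conn.log format (not real capture data):
# one ssl connection (S1) followed by two midstream OTH records on the same tuple.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1500000000.000000\tCAbc01\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\tssl\tS1\tShADad
1500003600.000000\tCAbc02\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\t-\tOTH\tDd
1500007200.000000\tCAbc03\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\t-\tOTH\tDd
1500000010.000000\tCDef04\t10.0.0.6\t40000\t192.0.2.20\t80\ttcp\thttp\tSF\tShADadFf
"""


def parse_conn_log(text):
    """Yield one dict per data record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        elif fields is None:
            raise ValueError("data record before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def group_by_tuple(records):
    """Map (orig_h, orig_p, resp_h, resp_p, proto) -> [(uid, conn_state), ...] in time order."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: float(r["ts"])):
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        groups[key].append((r["uid"], r["conn_state"]))
    return dict(groups)


def split_flows(groups):
    """Keep only tuples that Bro logged under more than one uid."""
    return {key: uids for key, uids in groups.items() if len(uids) > 1}


if __name__ == "__main__":
    for key, uids in split_flows(group_by_tuple(parse_conn_log(SAMPLE_CONN_LOG))).items():
        print(key, uids)
```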