Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder whether there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or whether there is some other
reason?
Any insight would be helpful.
New user, with a Fedora install.
1 - Starting with the basics. As a normal user:
[BroControl] > install
Error: running "bro -v" failed with output:
can't open 'debug.log' for debugging output
Does bro have to run as root?
2 - Is there an NNTP reflector for this mailing list?
--
Ken Goldman kgoldman(a)us.ibm.com
914-945-2415 (862-2415)
Well, that's protocol specific, but I did some digging:
> >>> TIME_FIXUP_CONSTANT
> 11644473600
> >>> hex(filetime)
> '0x01d238cc0f66a007'
> >>> filetime/10000000.
> 13122978809.960194
> >>> _-TIME_FIXUP_CONSTANT
> 1478505209.9601936
> >>> datetime.datetime.fromtimestamp(1478505209.9601936).strftime('%Y-%m-%d %H:%M:%S')
> '2016-11-07 01:53:29'
This is already implemented in smb-time.pac:
https://github.com/bro/bro/blob/master/src/analyzer/protocol/smb/smb-time.p…
You could try just adding this to your PAC file and then you'll be able
to use that function:
> %include ../smb/smb-time.pac
Check out krb-asn1.pac for an example of including another PAC file:
https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-asn1.p…
--Vlad
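The conversion Vlad's session walks through above (FILETIME is a count of 100 ns ticks since 1601-01-01 UTC, so divide by 10^7 and subtract 11644473600), as an added example in Python that is not part of the original thread and not Bro's smb-time.pac. The function names are my own; the sample wire bytes are constructed. It assumes the field arrives the way SMB carries it, as 8 little-endian bytes, keeps the integer seconds exact with integer arithmetic (the raw tick count is around 1.3e17, beyond what a double represents exactly), and renders the result in UTC. Note that the quoted session's bare `datetime.fromtimestamp()` uses the machine's local timezone, so the hour it prints depends on where it was run; the same Unix timestamp is 07:53:29 in UTC.

```python
import struct
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01 00:00 UTC) and the Unix
# epoch (1970-01-01 00:00 UTC); the same constant as in the session above.
TIME_FIXUP_CONSTANT = 11644473600
# FILETIME counts 100 ns ticks, so there are 10^7 ticks per second.
TICKS_PER_SECOND = 10_000_000

# Constructed sample: the FILETIME for Unix time 1478505209
# (2016-11-07 07:53:29 UTC; the session above printed it as 01:53:29
# because a bare fromtimestamp() converts to the local timezone),
# stored as the 8 little-endian bytes an SMB field carries on the wire.
SAMPLE_WIRE = bytes.fromhex("80e20d07cc38d201")


def filetime_from_wire(data: bytes, offset: int = 0) -> int:
    """Read a 64-bit FILETIME stored little-endian, as SMB sends it."""
    (value,) = struct.unpack_from("<Q", data, offset)
    return value


def filetime_to_unix(filetime: int) -> float:
    """Convert FILETIME ticks to seconds since the Unix epoch.

    divmod keeps the whole seconds exact; only the sub-second remainder
    (fewer than 10^7 ticks) goes through a float division.
    """
    if not 0 <= filetime < 1 << 64:
        raise ValueError("FILETIME must fit in an unsigned 64-bit integer")
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    return (seconds - TIME_FIXUP_CONSTANT) + ticks / TICKS_PER_SECOND


def unix_to_filetime(unix_seconds: float) -> int:
    """Inverse conversion; the fractional part is rounded to the nearest tick."""
    whole = int(unix_seconds)
    frac = unix_seconds - whole
    return (whole + TIME_FIXUP_CONSTANT) * TICKS_PER_SECOND + int(
        round(frac * TICKS_PER_SECOND)
    )


def filetime_to_utc(filetime: int) -> datetime:
    """Timezone-aware UTC datetime, independent of the local timezone."""
    return datetime.fromtimestamp(filetime_to_unix(filetime), tz=timezone.utc)


def format_filetime(filetime: int) -> str:
    """Render a FILETIME with the same format string as the session, in UTC."""
    return filetime_to_utc(filetime).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    ft = filetime_from_wire(SAMPLE_WIRE)
    print(hex(ft), filetime_to_unix(ft), format_filetime(ft))
```

The round trip through `unix_to_filetime` is worth keeping next to the forward conversion: it is the quickest way to check a hand-decoded hex value against a date you already know.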
I looked at this a while back, and didn't pursue it because the protocol
itself really doesn't have a lot of useful information. There are no
filenames or really any useful metadata in the protocol (that's all
contained in the .torrent file which is downloaded via a different
channel).
There might be something for DHT, but that would require parsing
a completely different protocol.
--Vlad
Johanna Amann <johanna(a)icir.org> writes:
> Hi,
>
> >> Will I be able to detect torrent downloads using Bro? I could see some
> >> torrent analyzers; is there any load statement I should include in local.bro,
> >> or how do I detect them?
>
> The Bittorrent analyzer in Bro has not been touched in years and I assume
> that it is not functional (it certainly has not been tested by anyone in a
> long time).
>
> If you are interested in trying to enable it, you will have to write all
> scripts yourself. As you probably are aware for most protocol analyzers we
> have scripts in base/ that create the logfiles that are written to disk.
> These scripts were never created for the Bittorrent analyzer - you would
> have to write them from scratch (and as I mentioned I have doubts if it
> still works).
>
> So - short version - there is no quick and easy way to enable it
> currently.
>
> Johanna
> _______________________________________________
> Bro mailing list
> bro(a)bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, with additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable.
Please let us know what features you would like to see by filling out our questionnaire:
https://goo.gl/forms/VyVH1aRIBB2qdZF53
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Hi All,
I am trying to use the webapp detection script to detect webapps like
Facebook etc.
I saw in previous threads that it was mentioned to "Make sure to set your
Sites::local_net variable", and to set it to
0.0.0.0/0.
I have included 0.0.0.0/0 in networks.cfg,
and I have also included in local.bro:
@load protocols/http/detect-webapps
redef Software::asset_tracking = ALL_HOSTS;
Still I cannot see any webapps traffic mentioning Facebook; I can see
only multicast addresses like 224.0.0.251.
Any solution would be much appreciated.
Thanks,
Raj
IT Consultant
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk
Hi all,
Does anyone know a way to get a list of all triggered events given a pcap
file?
Currently what I do is just print some indicative message for each
suspected relevant event (quite a tedious task).
Thanks
B
Hi All,
If I am trying to add smb-ransomware.bro to my Bro setup, where should I
include it in the Bro directories?
root@csh:/home/raj# find / -name "smb"
/nsm/bro/share/bro/policy/protocols/smb
/nsm/bro/share/bro/base/protocols/smb
/opt/bro/bro-2.5/testing/btest/Traces/smb
/opt/bro/bro-2.5/testing/btest/scripts/base/protocols/smb
/opt/bro/bro-2.5/scripts/policy/protocols/smb
/opt/bro/bro-2.5/scripts/base/protocols/smb
/opt/bro/bro-2.5/build/src/analyzer/protocol/smb
/opt/bro/bro-2.5/src/analyzer/protocol/smb
And after this I can include it in local.bro with: @load policy/protocols/smb
Thanks,
Raj