Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I guess there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
Any insight would be helpful.
New user, with a Fedora install.
1 - Starting with the basics. As a normal user:
[BroControl] > install
Error: running "bro -v" failed with output:
can't open 'debug.log' for debugging output
Does bro have to run as root?
2 - Is there an NNTP reflector for this mailing list?
Ken Goldman kgoldman(a)us.ibm.com
I looked at this a while back, and didn't pursue it because the protocol
itself really doesn't have a lot of useful information. There are no
filenames or really any useful metadata in the protocol (that's all
contained in the .torrent file which is downloaded via a different
There might be something for DHT, but that would require parsing
a completely different protocol.
Johanna Amann <johanna(a)icir.org> writes:
>> Will I be able to detect torrent downloads using Bro? I could see some
>> torrent analyzers; is there any load statement I should include in local.bro,
>> or how do I detect them?
> The Bittorrent analyzer in Bro has not been touched in years and I assume
> that it is not functional (it certainly has not been tested by anyone in a
> long time).
> If you are interested in trying to enable it, you will have to write all
> scripts yourself. As you probably are aware for most protocol analyzers we
> have scripts in base/ that create the logfiles that are written to disk.
> These scripts were never created for the Bittorrent analyzer - you would
> have to write them from scratch (and as I mentioned I have doubts if it
> still works).
> So - short version - there is no quick and easy way to enable it.
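The reply above describes what is missing for the BitTorrent analyzer: the base/ scripts that turn analyzer events into a log file. The following script is an added example of what such a script looks like, not code from the Bro project or from anyone in this thread. It assumes the analyzer still raises the `bittorrent_peer_handshake(c, reserved, info_hash, peer_id)` event with that signature (taken from the analyzer's event definitions) and that the analyzer is enabled on the running build; both are assumptions, and the log path "bittorrent" is chosen here.

```bro
# Added example: minimal logging script for the BitTorrent analyzer.
# The event name and signature are assumed to match the analyzer's
# event definitions; if the analyzer has bit-rotted, no events arrive
# and the log simply stays empty.
module BitTorrentLog;

export {
    # Register a new log stream ID for our log.
    redef enum Log::ID += { LOG };

    # One row per peer handshake observed on the wire.
    type Info: record {
        ts:        time    &log;   # when the handshake was seen
        uid:       string  &log;   # connection UID, joins with conn.log
        id:        conn_id &log;   # 4-tuple of the connection
        info_hash: string  &log;   # torrent info hash, hex encoded
        peer_id:   string  &log;   # peer ID, hex encoded
    };
}

event bro_init() &priority=5
{
    # Creates bittorrent.log (path is an assumption chosen for this example).
    Log::create_stream(BitTorrentLog::LOG, [$columns=Info, $path="bittorrent"]);
}

# Assumed event signature: (c, reserved, info_hash, peer_id).
event bittorrent_peer_handshake(c: connection, reserved: string,
                                info_hash: string, peer_id: string)
{
    local rec: Info = [$ts=network_time(),
                       $uid=c$uid,
                       $id=c$id,
                       $info_hash=bytestring_to_hexstr(info_hash),
                       $peer_id=bytestring_to_hexstr(peer_id)];
    Log::write(BitTorrentLog::LOG, rec);
}
```

Load it from local.bro with `@load` pointing at the file, then replay a capture with `bro -r file.pcap local` and check whether bittorrent.log appears; an empty log on a capture that is known to contain peer handshakes is the quickest way to confirm the doubt voiced above about whether the analyzer still works.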
The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, with additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable.
Please let us know what features you would like to see by filling out our questionnaire:
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
I am trying to use the webapp detection script to detect webapps like
I saw in previous threads it was mentioned to enable "Make sure to set your
Sites::local_net variable" If you set it to
I have included 0.0.0.0/0 in networks.cfg,
I have also included in local.bro
redef Software::asset_tracking = ALL_HOSTS;
still I couldn't see any webapps traffic mentioning Facebook; I could see
only a multicast address like 18.104.22.168.
Any solution, much appreciated.
Mobile: +45 81923531
Lyskær 9
2730 Herlev, Denmark
Web: http://www.capmon.dk
Does anyone know a way to get a list of all triggered events given a pcap?
Currently what I do is just print some indicative message for each
suspected relevant event (quite a tedious task).
If I am trying to add smb-ransomware.bro to my Bro setup, where should I
include this in the Bro directories?
root@csh:/home/raj# find / -name "smb"
and after this I can include in local.bro: @load policy/protocols/smb