Hi all,
I'd like to ask for guidance on how to contribute to Bro by proposing
extensions to existing protocol analyzers.
For instance, suppose that I write a patch for the DHCP analyzer that
adds currently unsupported options. Such a patch would impact multiple
files like those in src/analyzer/protocol/dhcp,
scripts/base/protocols/dhcp as well as new types to be included in
init-bare.bro.
What would be the best procedure (and format) to submit such a patch?
best,
Valerio
Hello all,
I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through
my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have
uploaded a pcap containing ERSPAN data which I have been able to read;
however, the only log files that are being created from Bro/live traffic
are the following:
capture_loss
stats
stderr
stdout
weird
communication
As a test, I have used tcpdump to capture packets on the configured
interface (mon0), which sees plenty of traffic; however, I still cannot see
the corresponding logs from Bro.
Any help would be greatly appreciated!!
Thank you,
Planearium
Attention Bro Community,
While we’re in the process of developing a web site for the Bro Package Manager project, we’d like to share the packages we have collected so far. The package names and a short description are listed below:
bro/0xxon/bro-postgresql - A PostgreSQL reader and writer for Bro.
bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurrences per $str).
bro/corelight/bro-long-connections - Find and log long-lived connections into a "conn_long" log.
bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation.
bro/dopheide/venom (installed: master) - https://security.web.cern.ch/security/venom.shtml
bro/hhzzk/dns-tunnels - Detect DNS tunnel attacks.
bro/initconf/CVE-2017-5638_struts.git
bro/initconf/phish-analysis.git
bro/initconf/scan-NG
bro/j-gras/add-json - Additional JSON-logging for Bro.
bro/j-gras/bro-af_packet-plugin - This plugin provides native AF_Packet support for Bro.
bro/j-gras/intel-extensions - Extensions for Bro's intelligence framework.
bro/joesecurity/Joe-Sandbox-Bro - JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox.
bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling.
bro/jsiwek/bro-test-package - An example Bro package for testing purposes.
bro/jswaro/tcprs - TCP Retransmission and State Analyzer plugin for Bro.
bro/ncsa/bro-interface-setup - A broctl plugin that helps you set up capture interfaces
bro/pgaulon/bro-notice-slack - Bro Notices through Slack webhook
bro/scebro/ldap-analyzer - LDAP write operations analyzer for Bro.
bro/sethhall/bro-myricom - Packet source plugin that provides native Myricom SNF v3+v4 support.
bro/sethhall/credit-card-exposure - Detect credit card numbers in HTTP and SMTP with Bro.
bro/sethhall/domain-tld
bro/sethhall/ssn-exposure - Detect US Social Security numbers in HTTP and SMTP with Bro.
bro/srozb/dns_axfr - Find and notice DNS zone transfer attempts.
bro/theflakes/bro-large_uploads - Raise notices on outgoing files over X bytes in size.
To learn how to use the Package Manager, see our documentation here:
http://bro-package-manager.readthedocs.io/en/stable/index.html
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Corelight has made its Bro Log cheat sheets public on their Github:
https://github.com/corelight/bro-cheatsheets
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
We are very happy to announce the release of Bro v2.5.1. The new version is now
available for download at:
https://bro.org/download/index.html
Binary packages are also available at:
https://bro.org/download/packages.html
This release contains a number of bug fixes. Fixes include:
- Better file analysis memory management
- Less cluster node communication
- Correct expiration of intelligence items after reinsertion
- A bug in the OCSP validation code
This point-release also includes a number of new features, including new
file handling BIFS, support for ERSPAN, and new BroControl options.
For more information see the NEWS and CHANGES files:
https://www.bro.org/download/NEWS.bro.html
https://www.bro.org/download/CHANGES.bro.txt
Thanks to everyone who helped make this release possible. We extend
special thanks to the community for their feedback and support.
Johanna
Hi all,
I am experiencing a strange behaviour in BRO that I am not able to
troubleshoot autonomously.
I developed a simple binary protocol analyzer that produces a log file
of type prot1.log.
If I run bro offline on a dedicated pcap it correctly outputs prot1.log
with the proper record.
If I run bro sniffing on an interface and I tcpreplay the pcap on the
sniffed interface I get weird.log with SYN_inside_connection warning.
Is weird preempting the application of my analyzer?
many thanks in advance,
Valerio
It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE variable, no
matter what I set it to.
When at the defaults in the /etc/bro/node.cfg and with nothing set at
the shell, it still reports it is set via "userset" instead of "default"
like SNF_DESCRING_SIZE.
Here are the defaults:
- Nothing at shell
#env | grep SNF
#
- node.cfg with defaults
#fgrep -A 12 worker-1 node.cfg
[worker-1]
type=worker
host=<MYHOSTNAME>
interface=snf0
lb_method=myricom
lb_procs=8
#lb_procs=7
### Keep it on one NUMA node
## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22
## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23
pin_cpus=2,4,6,8,10,12,14,16
env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3
#
- defaults show "userset" for SNF_DATARING_SIZE
#fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log
121273 snf.0.-1 P (userset) SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)
121273 snf.0.-1 P (default) SNF_DESCRING_SIZE = 67108864 (0x4000000) (64.0 MiB)
121273 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3)
121273 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr
121273 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40
#
-------------------------------------------
- Manually setting SNF_DATARING_SIZE and SNF_DESCRING_SIZE
#fgrep -A 12 worker-1 node.cfg
[worker-1]
type=worker
host=<MYHOSTNAME>
interface=snf0
lb_method=myricom
lb_procs=8
#lb_procs=7
### Keep it on one NUMA node
## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22
## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23
pin_cpus=2,4,6,8,10,12,14,16
#env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3
env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3,SNF_DATARING_SIZE=4294967296,SNF_DESCRING_SIZE=1073741824
#
- deploy new config with restart
#/opt/bro/bin/broctl deploy
<OMITTED>
- SNF_DATARING_SIZE still set to 128MB like in default and still reports
that it was set via "userset" (should be 4GB set via "environ")
#fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log
34852 snf.0.-1 P (userset) SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)
34852 snf.0.-1 P (environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)
34852 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3)
34852 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr
34852 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40
#
--
Regards,
Chris Chiaverini
Cyber Security Operations
Brookhaven National Laboratory
Upton, New York 11973
Hello,
I'm writing a Bro script to output the TCP payload of the first ACK from the client
(is_orig = True).
I'm currently using the tcp_packet event, checking the ACK flag and payload length
as well as whether it is the first ACK. I'm wondering if there is a cheaper way
to achieve this, since tcp_packet is pretty expensive.
I cannot use connection_first_ACK event because it does not give me the
actual TCP payload.
I cannot use ssl_client_hello because i want to handle not only ssl.
Does anyone have suggestions? Thanks for the help!
--
Sincerely,
Xu Zhang
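One alternative to a per-packet tcp_packet handler, shown here as an added example that is not from the thread above and not part of Bro's own scripts: Bro's tcp_contents event hands the script reassembled stream data only when payload is delivered, and it is enabled for originator-side data by redefining tcp_content_deliver_all_orig (or, more selectively, tcp_content_delivery_ports_orig). The module name, the first_orig_seen connection field, the Info record, the log stream name and the 64-byte cap are this example's own choices; it assumes Bro 2.5 script syntax and that the first tcp_contents delivery for is_orig=T is the first in-order client payload.

```bro
# Added example (not from the thread): log the first client-side payload of
# each TCP connection using tcp_contents instead of tcp_packet.
#
# Assumptions: Bro 2.5 script syntax; tcp_contents is raised for originator
# data once tcp_content_deliver_all_orig is T (or the server port is listed in
# tcp_content_delivery_ports_orig); the first delivery per connection is the
# first in-order client payload. Module, field and stream names are hypothetical.

module FirstPayload;

export {
    ## Example-specific log stream and record type.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        len:     count   &log;   ## size of the whole first delivered chunk
        payload: string  &log;   ## hex-encoded leading bytes of that chunk
    };
}

## Example-specific connection field: set once we have logged a chunk, so
## later tcp_contents deliveries for the same connection are ignored cheaply.
redef record connection += {
    first_orig_seen: bool &default=F;
};

## Deliver originator stream data to tcp_contents for every TCP connection.
## For a targeted deployment, list ports in tcp_content_delivery_ports_orig
## instead of enabling this globally.
redef tcp_content_deliver_all_orig = T;

event bro_init()
{
    Log::create_stream(FirstPayload::LOG, [$columns=Info, $path="first_payload"]);
}

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
{
    # Only the client's direction, and only its first delivered chunk.
    if ( ! is_orig || c$first_orig_seen )
        return;

    c$first_orig_seen = T;

    # Cap the logged bytes so one large first segment cannot bloat the log;
    # the full chunk length is still recorded in $len.
    local max_bytes = 64;
    local head = |contents| > max_bytes ? sub_bytes(contents, 1, max_bytes) : contents;

    Log::write(FirstPayload::LOG, [$ts=network_time(),
                                   $uid=c$uid,
                                   $id=c$id,
                                   $len=|contents|,
                                   $payload=bytestring_to_hexstr(head)]);
}
```

Run it offline with `bro -r trace.pcap first_payload.bro` and inspect first_payload.log. Enabling tcp_content_deliver_all_orig for every connection still costs one event per in-order data segment on the originator side, so on a busy sensor prefer tcp_content_delivery_ports_orig with the ports you actually care about. Because the TCP analyzer only delivers reassembled, in-order data, a client whose first segment is retransmitted or arrives out of order is handled by the reassembler rather than by the script.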
For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to
make Bro drop its default snaplen from 8192 to 1600. This is helpful for
conserving memory when using Bro in conjunction with PF_RING and a high
number of ring slots.
Today I just noticed that while Bro does not complain about "redef
Pcap::snaplen = 1600;" when I run a "broctl check", Bro appears to be
ignoring the redef. All my Bro instances are actually using a snaplen of
8192.
I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have
observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0
(SO test).
The "Bucket Len" in the below PF_RING status file corresponds to the
snaplen of the app that allocated the ring.
root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9
Bound Device(s) : dmz
Active : 1
Breed : Standard
Appl. Name : bro-dmz
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
Sw Filt Hash Rules : 0
Sw Filt WC Rules : 0
Hw Filt Rules : 0
Sw Filt Hash Match : 0
Sw Filt Hash Miss : 0
Poll Pkt Watermark : 1
Num Poll Calls : 345386919
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.4.1]
Min Num Slots : 128000
Bucket Len : 8192
Slot Len : 8248 [bucket+header]
Tot Memory : 1055756288
Tot Packets : 1966471960
Tot Pkt Lost : 3
Tot Insert : 1966471957
Tot Read : 1966471957
Insert Offset : 809944608
Remove Offset : 809944608
Num Free Slots : 128000
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Please advise me about how to successfully change the snaplen used by Bro
2.5 at this time. Can anyone reproduce this problem? I don't know if this
issue applies across the board or only comes up with PF_RING. Let me know
if there is anything I can do to help test this issue.
Thanks!
Kevin