Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder whether there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Hi all,
I'd like to ask for guidance on how to contribute to Bro by proposing
extensions to existing protocol analyzers.
For instance, suppose that I write a patch to the DHCP analyzer that
adds new, currently unsupported options. Such a patch would touch multiple
files, like those in src/analyzer/protocol/dhcp and
scripts/base/protocols/dhcp, as well as new types to be included in
init-bare.bro.
What would be the best procedure (and format) for submitting such a patch?
best,
Valerio
Hi All,
I am noticing a weird issue: I am not seeing debug prints from my scripts.
Initially some debug prints show up in stdout.log, but the debug prints I make when
analyzing traffic, i.e. in the http_header event etc., are not showing up. I am using
flush_all() in my scripts and yet the debug output does not appear in
stdout.log. Could someone comment on what could be going on here? Thanks.
Dk
Hi,
In my http.log, I am seeing some lines being written without a response code
etc. What could be the reason for this? One reason I could think of is that
the server, or some entity between Bro and the server, dropped
the request/response, preventing the response from reaching Bro, or that the
connection was closed on receiving the request by a downstream security
device. How does Bro react in such cases? Could one of these scenarios
explain why the response fields are missing from the log?
Dk.
Folks,
This may well be an RTFM - I just don't know which section would cover
this.
I have two modules created in /opt/app/bro/share/bro/site/ , with the
intention of having one @load the other - but I cannot seem to get the
combination to work, and I'm unsure even where the failure is.
The @load'ed module, "CU_net_defs", is intended as a shim to some .csv
files, periodically updated from the central DB which tracks internal
subnet allocations, which is supposed to instantiate two global sets of
CIDR's, one for top-level allocations (e.g. 128.253.0.0), and the other
for internally-allocated subnets (e.g. 128.253.101.0/25).
The @load'ing module, "bro-wsSMTP", is intended to detect user
workstations et al. that have been compromised and are acting as spambots,
by the following methodology.
- understand the top-level allocations by @load'ing CU_net_defs;
- understand an internal set of our e-mail infrastructure hosts and
networks; and
- generate logfiles, "ws-smtp.{}.log", containing entries where
-- id$orig_h is part of a campus allocation;
-- id$orig_h is *not* part of our e-mail infrastructure; and
-- id$resp_h is *not* part of a campus allocation.
The final goal is to have the resulting "ws-smtp.{}.log" files fed into
Splunk for detection/correlation.
The thing is, once I create an expression intended to isolate by way of
the criteria above, I get no results whatever - even though the data is
clearly in the normal smtp.log file.
Slightly abridged instances of the module files are appended below. Can
anyone shed any light on this?
Thanks for any info,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
===== CU_net_defs/CU_net_defs.bro =====
module CU_net_defs;

export
    {
    ## Index type for the two input files: one CIDR per line. The ASCII
    ## input reader expects a "#fields cidr" header line naming this field.
    type IDX: record { cidr: subnet; };

    ## Internally-allocated subnets (e.g. 128.253.101.0/25).
    global CU_subnets: set[subnet];
    ## Top-level campus allocations.
    global CU_allocations: set[subnet];
    }

event bro_init()
    {
    # Read each file once into the corresponding set (default MANUAL mode).
    # Input::remove() only tears down the stream; the set keeps the data.
    Input::add_table([$source="/users/bro/devel/DNSDBnc/CU_subnets.txt", $name="CU_subnets",
                      $idx=IDX, $destination=CU_subnets]);
    Input::remove("CU_subnets");

    Input::add_table([$source="/users/bro/devel/DNSDBnc/CU_allocations.txt", $name="CU_allocations",
                      $idx=IDX, $destination=CU_allocations]);
    Input::remove("CU_allocations");
    }
=======================================
===== bro-wsSMTP/ws-SMTP-outbound.bro =====
@load base/protocols/smtp
@load CU_net_defs

module ws_SMTP_outbound;

export
    {
    ## Our own mail infrastructure, which legitimately speaks SMTP outbound.
    global local_mail_infra: set[subnet] =
        {
        128.253.150.128/25,
        [stuff redacted...]
        132.236.101.7/32
        };
    }

event bro_init()
    {
    # Additional filter on the SMTP stream: ws-smtp.log receives only the
    # records for which the predicate returns T; smtp.log is left untouched.
    Log::add_filter(SMTP::LOG, [$name="ws-smtp-outbound",
                                $path="ws-smtp",
                                $pred(rec: SMTP::Info) =
        {
        return rec$id?$orig_h
            && rec$id$orig_h in CU_net_defs::CU_allocations
            && !(rec$id$orig_h in local_mail_infra)
            && rec$id?$resp_h
            && !(rec$id$resp_h in CU_net_defs::CU_allocations);
        }
        ]);
    }
===========================================
Hi,
I just upgraded my Bro cluster machines from Ubuntu 14.02 to 16.04. I just installed the latest version of Bro on the manager. All the machines in the cluster return this:
$ bro --version
bro version 2.5-294
But when I try to run broctl on the manager to start it up again, I get this error:
$ sudo broctl
Warning: the SitePolicyStandalone option is deprecated (use SitePolicyScripts instead).
Welcome to BroControl 1.7-7
Type "help" for help.
[BroControl] > check
manager scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
proxy-1 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
proxy-2 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
[... more of the same type of error ...]
worker-3-16 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
worker-3-17 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
worker-3-18 scripts failed.
/bin/sh: 1: Syntax error: "(" unexpected
Any suggestions for where to find the file/script with the problem?
Thanks for your help,
-Brian
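One way to narrow this down, added here as an example and not part of the original post: the message comes from /bin/sh, which on Ubuntu is dash, so any helper script that uses a bash-only construct (process substitution `<(...)`, the `function` keyword, arrays) will fail to parse with exactly `Syntax error: "(" unexpected`. The function below runs `sh -n` (parse only, no execution) over every file in a directory and prints the ones the given shell rejects. The directory to point it at is an assumption; BroControl's helper scripts normally live under `<prefix>/share/broctl/scripts`, so that is the first place to try. Since the error is reported on line 1, the failing text may also be a one-line command string rather than a file; in that case turn on the `Debug` option in broctl.cfg so that BroControl records each command it runs in spool/debug.log.

```sh
#!/bin/sh
# Print every regular file in DIR that SHELL cannot parse.
#   find_unparseable /bin/sh /opt/bro/share/broctl/scripts   (path is an assumption)
find_unparseable() {
    shell=$1
    dir=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -n parses the script without executing it; a non-zero exit
        # status means the shell hit a syntax error.
        if ! "$shell" -n "$f" 2>/dev/null; then
            echo "$f"
        fi
    done
}

# Report a single file: prints "ok" or "syntax-error" for the given shell.
# Useful to compare dash against bash on the same file.
check_one() {
    if "$1" -n "$2" 2>/dev/null; then
        echo ok
    else
        echo syntax-error
    fi
}
```

A file that `bash -n` accepts but `dash -n` rejects is the one BroControl trips over; the fix is either to make the script POSIX-clean or to give it a `#!/bin/bash` shebang and make sure it is executed through that shebang rather than via `sh`.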
Hey All,
I've been trying to use the log filter framework to filter out
various things like certain IP ranges and other records. Here is my
attempt, but Bro is complaining about line 8, saying my syntax isn't
correct. Does anyone know what I'm doing wrong? I've been using
Seth's blog post on the framework as an example of how to build the
log filters:
http://blog.bro.org/2012/02/filtering-logs-with-bro.html
Thanks in advance!
-James D.
###### code #######
# Address range whose HTTP records should be kept out of http.log.
global filter_ip_set: subnet = 1.0.0.0/8 &redef;

event bro_init()
    {
    Log::remove_default_filter(HTTP::LOG);

    # One replacement filter for both directions. The predicate must
    # *return* a bool: a record is written only when it returns T. The `$`
    # operator is record-field access, so the global is plain filter_ip_set.
    # Two separate filters would both target the default "http" path and
    # Bro would rename the second one to avoid the conflict.
    Log::add_filter(HTTP::LOG, [$name="default",
                                $pred(rec: HTTP::Info) =
        {
        return ! (rec$id$orig_h in filter_ip_set ||
                  rec$id$resp_h in filter_ip_set);
        } ]);
    }
#########################
###### error ########
error in **snip*** test.bro, line 8: syntax error, at or near ";"
Hi,
I am trying to perform some analysis on the HTTP body. For regular messages
I am accumulating the HTTP body using the http_entity_data and http_end_entity
events. However, this doesn't seem to work for multi-part POST messages. How
do I accumulate multi-part POST messages? Any help is appreciated. Thanks.
Dk.
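As an added example, not code from the original post, the Bro script below collects a request body across all parts of a multipart POST. A multipart body is delivered as several entities (one per part), so http_end_entity fires once per part; the script therefore keeps appending in http_entity_data and only finalizes in http_message_done, which fires once for the whole message. The module name, the per-message size cap and the table expiry are assumptions.

```bro
@load base/protocols/http

module HTTPBodyAccum;

export {
    ## Per-message cap on the body we keep (assumed value, adjust to taste).
    const max_body_size = 1048576 &redef;
}

# Body buffers keyed by connection and direction. Entries that never see
# http_message_done (e.g. truncated connections) expire on their own.
global bodies: table[conn_id, bool] of string &read_expire = 5 min;

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Request bodies only for this example; drop the check to see responses too.
    if ( ! is_orig )
        return;

    if ( [c$id, is_orig] !in bodies )
        bodies[c$id, is_orig] = "";

    # For a multipart body, each part is its own entity, but all of them
    # arrive through this event; only part bodies are delivered here.
    if ( |bodies[c$id, is_orig]| + length <= max_body_size )
        bodies[c$id, is_orig] += data;
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || [c$id, is_orig] !in bodies )
        return;

    local body = bodies[c$id, is_orig];
    delete bodies[c$id, is_orig];

    # The complete body (all parts concatenated) is available here.
    local method = ( c?$http && c$http?$method ) ? c$http$method : "-";
    local uri = ( c?$http && c$http?$uri ) ? c$http$uri : "-";
    print fmt("%s %s %s: accumulated %d body bytes", c$uid, method, uri, |body|);
    }
```

Keying on `[c$id, is_orig]` rather than on the connection record alone keeps request and response buffers apart if you later extend the script to both directions.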