Dear Bro Community,
We're excited to announce that registration for BroCon 2018 is now
open at https://www.brocon2018.com.
BroCon 2018 will take place October 10-12, in Arlington, VA. It offers
the Bro community a chance to meet face-to-face, share new ideas and
developments, and better understand and secure their networks. The
conference is composed of presentations from members of the community
and the Bro development team.
We'll post the Call for Presentations shortly. If your organization is
interested in supporting BroCon, please check out the sponsorship
opportunities.
Robin
--
Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin
BroCon 2018 is accepting presentation proposals. We are looking for talks to represent the many applications of Bro. Suitable topics include, but are not limited to:
* Bro as a tool for solving problems;
* interesting user stories, solutions, or research projects;
* a postmortem analysis of a security incident, emphasizing Bro’s contribution;
* the value Bro brings to your professional work;
* and, using Bro for more than intrusion detection.
* Please, no product presentations.
Criteria for evaluating proposals include whether the topic is applicable to multiple types of organizations, gives people ideas to take home and use, can be understood by a broad audience, or is novel to many in the audience. Scrolling through our YouTube Channel may provide some insight into the types of presentations we wish to feature. Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.
Send abstracts (max 500 words) to: info(a)bro.org
Subject: BroCon 2018 Call for Presentations
Submission due date: Friday, July 13th
Target date for announcing speakers: Friday, July 27th
CFPs are selected by the Bro Leadership Team:
Johanna Amann, ICSI / Corelight / LBNL
Seth Hall, Corelight
Keith Lehigh, Indiana University
Vern Paxson, Corelight / ICSI / UC Berkeley
Michal Purzynski, Mozilla Foundation
Aashish Sharma, Lawrence Berkeley Lab
Adam Slagell, National Center for Supercomputing Applications
Robin Sommer, Corelight / ICSI / LBNL
Jan Grashöfer, Karlsruhe Institute of Technology (KIT)
- Keith Lehigh
Technical Program Chair
BroCon 2018
Hey all,
So...I run a very lean box, and that means not using broctl. With
older versions of Linux, rc.local was just fine to get a script to start
Bro, but with systemd it's not the same. My startup script is similar
to the below:
cd /opt/bro/spool/bro && /opt/bro/bin/bro -C -i eth0 -i eth1 --filter 'long filter option here' local "Site::local_nets += { externalIP,internatNET }" &
This has worked like a champ but this command in a .service file or the
.service file pointing to a script that contains the above does not
work. So I have a couple points/questions:
1. Has anyone worked out a systemd .service file with bro that doesn't
use broctl?
2. It would be nice to have a command line flag that can be used to
specify the log path, this way I could forgo the cd command above.
Thank you.
James
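A unit file that runs the same command directly, as an added example (not from the thread). systemd's ExecStart= is not interpreted by a shell, so `cd … &&` and the trailing `&` have no effect there; WorkingDirectory= sets the directory the logs land in, and Type=simple keeps bro in the foreground so systemd can supervise it. The interface names, filter string and Site::local_nets values are the placeholders from the post.

```ini
# /etc/systemd/system/bro.service (added example, not from the thread)
[Unit]
Description=Bro network monitor (standalone, without broctl)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Bro writes its logs to the current working directory, so set it here
# instead of a "cd ... &&" prefix (ExecStart= is not run through a shell).
WorkingDirectory=/opt/bro/spool/bro
# No trailing "&": systemd tracks the foreground process itself.
ExecStart=/opt/bro/bin/bro -C -i eth0 -i eth1 --filter 'long filter option here' local "Site::local_nets += { externalIP,internatNET }"
Restart=on-failure
RestartSec=5
# Bro never needs to write outside its spool directory in this setup.
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

After placing the file, `systemctl daemon-reload && systemctl enable --now bro.service`, and check `journalctl -u bro.service` for Bro's stderr, which is where a bad filter or missing interface shows up.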
Is it possible to easily configure Bro in cluster mode to connect on
alternate ports other than 22? The reason I ask is that I'm running my bro
processes inside containers on a host that already has sshd on port 22 (I'm
running a sidecar sshd inside the container on port 2022). I can probably
find it if I dig around, but if someone knows how to do this, let me know.
Hello all!
I need advice about a problem I have:
I am starting many Bro commands on dynamically incoming pcaps, such as:
"bro -r some_file_name".
On every run, logs are created in the same directory, but the next run
overwrites those logs. How can Bro create logs with a unique log name for each run?
I also tried to add a timestamp to the log name but did not find how to get
the current time.
Love for your help,
John
I'm curious if there is a rough estimate or best practice for the number of
plugins that a Bro instance can run without affecting performance?
I have about 5 running so far on a couple instances and all seems good, but
not sure if there's a limit to the number bro can run, if it doesn't
matter, etc.
Thanks in advance.
Hi there,
I wrote a little script to keep track of some values sent between two
PLCs, measuring the pressure of a compressor. To test it, I recorded the
data traffic between those PLCs with Wireshark.
However, I noticed that if I run Bro as a command-line utility, all
packets belong to the same Connection UID (which is right, it's one
single TCP connection), like this:
1524935590.861128 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1524935592.240910 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1524935593.510075 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1524935594.644501 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1524935595.890453 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1524935597.034076 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1524935598.310198 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1524935599.455176 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1524935600.715050 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1524935601.858465 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1524935603.105988 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1524935604.263663 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
If I replay the pcap with tcpreplay and use Bro with BroCtl, the
connection UID changes every 4 to 5 packets:
1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1530283330.327749 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1530283331.575829 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1530283335.139726 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1530283336.399753 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1530283337.547808 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1530283339.947775 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
Could it be because I'm using tcpreplay? Or is it a wanted behavior of Bro?
Thanks!
Dane
In conn.log the local_orig and local_resp fields are implemented like below, so I
did the same implementation in files.log and ssl.log, but I am facing one
problem: ssl.log says local_orig is true
but files.log says local_orig is false.
conn.log

    if ( |Site::local_nets| > 0 )
        {
        c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
        c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
        }

ssl.log

    if ( |Site::local_nets| > 0 )
        {
        c$ssl$local_orig = Site::is_local_addr(c$id$orig_h);
        c$ssl$local_resp = Site::is_local_addr(c$id$resp_h);
        }

files.log

    if ( |Site::local_nets| > 0 )
        {
        f$info$local_orig = Site::is_local_addr(c$id$orig_h);
        f$info$local_resp = Site::is_local_addr(c$id$resp_h);
        }
Regards,
Sunu
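For the files.log side, one way to populate such fields from the connection that actually carries the file, as an added example (not Sunu's script; the field names mirror his, while the event used, the priority and the extra direction field are assumptions of this example). Unlike conn.log and ssl.log handlers, file events do not have a connection `c` in scope by themselves; file_over_new_connection supplies the carrying connection and whether the file was sent by its originator.

```bro
# Added example, not from the thread: local_orig/local_resp for files.log,
# derived from the connection the file is transferred over.
module FilesLocal;

redef record Files::Info += {
    ## Whether the originator of the carrying connection is in Site::local_nets.
    local_orig: bool &optional &log;
    ## Whether the responder of the carrying connection is in Site::local_nets.
    local_resp: bool &optional &log;
    ## Whether the file itself was sent by the originator. A server
    ## certificate in an SSL session is sent by the responder, so this is F
    ## there even though local_orig matches ssl.log for the same connection.
    sent_by_orig: bool &optional &log;
};

# Fires once per connection carrying the file. The base scripts create
# f$info at priority 10, so priority 5 runs after that.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
    {
    if ( |Site::local_nets| == 0 )
        return;

    # Same semantics as conn.log: orig_h/resp_h of the carrying connection,
    # independent of which side sent the file.
    f$info$local_orig = Site::is_local_addr(c$id$orig_h);
    f$info$local_resp = Site::is_local_addr(c$id$resp_h);
    f$info$sent_by_orig = is_orig;
    }
```

If files.log still disagrees with ssl.log for the same uid after this, the earlier value was computed from something other than the carrying connection; comparing the conn_uids column of files.log with the uid in ssl.log shows which connection each row refers to.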
Hi All,
We received a phishing email to our CEO (see below). The link, if you run it
against VirusTotal, is flagged as malicious/phishing. Is there a way to
use Bro to automate checking against VirusTotal? Is there any limit as
to how many emails with links you can check against VirusTotal, and are
there better solutions?
*From:* E-ḟax Online <712-559-2211> @electronic ḟax transmission@Donotreply
<bison(a)bigrunlf.com>
*Sent:* Tuesday, June 26, 2018 12:01 PM
*Subject:* Delivery-Scanned- 32234
Hello,
You have a new fax from eFax with a page count of 3
Date Received: *2018-06-22 09:07:26 EDT*
Type: *Attached in pdf*
Number of pages: *3*
Reference #: chd_pgf4-1509631610-13058327707-63
View Scanned Document-41223
<https://wecdit.com/Silent%22%3A%3F%3E%3CSilent%22%3A%3F%3E%3CSilent%22%3A%3…>
Yours,
Fax System
Hello,
I don’t see a way to extract an EML file using the current smtp and mime protocol analyzers. Past queries on the mail lists don’t seem to be resolved. The smtp analyzer supports file analysis through the mime analyzer, which presents decoded content. Has anyone already found a way to extract the entire un-decoded SMTP DATA message text?
I wrote a prototype script module with an smtp_data event handler that creates a “<c$uid>.<c$smtp_state$messages_transferred>.eml” file for each message, using the open/write_file/close functions. The file contents look like what’s needed, except that the crlf line terminators are removed. I don’t know if that’s a side-effect of using the file functions, or if they’re removed by the smtp analyzer. I played with the enable_raw_output() function and the &raw_output attribute to no avail, so I suspect the latter.
I haven’t gone further than that because I’m heading towards developing a plugin to get this capability. I haven’t settled on how best to do that, so any suggestions will be much appreciated. My initial thought is to extend class SMTP_Analyzer to add file analysis for the SMTP_IN_DATA state, unless someone points out a simpler/better approach.
I’d really like to contribute whatever comes out of this if it satisfies a general need.
Thanks,
Brian
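A script-level version of the prototype described above, as an added example (not Brian's code). It assumes, as the post suspects, that smtp_data hands each DATA line to script land with its CR/LF already stripped, and simply restores the terminator on write; the output directory and the Msg record are assumptions of this example.

```bro
# Added example, not from the thread: dump each SMTP DATA body to
# <uid>.<messages_transferred>.eml with CRLF line endings restored.
module EmlDump;

export {
    ## Directory the .eml files are written to (assumed path, adjust as needed).
    const out_dir = "/tmp/eml" &redef;
}

type Msg: record {
    name: string;   # file currently being written for this connection
    f: file;
};

# One open message per connection uid.
global msgs: table[string] of Msg;

function msg_name(c: connection): string
    {
    return fmt("%s/%s.%d.eml", out_dir, c$uid, c$smtp_state$messages_transferred);
    }

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # DATA lines travel client -> server; ignore anything else.
    if ( ! is_orig || ! c?$smtp_state )
        return;

    local name = msg_name(c);
    # messages_transferred advances after the terminating ".", so a new
    # name means a new message: close the previous file first.
    if ( c$uid in msgs && msgs[c$uid]$name != name )
        {
        close(msgs[c$uid]$f);
        delete msgs[c$uid];
        }
    if ( c$uid !in msgs )
        msgs[c$uid] = Msg($name=name, $f=open(name));

    # Re-add the terminator the line lost on its way through the analyzer.
    write_file(msgs[c$uid]$f, data + "\r\n");
    }

event connection_state_remove(c: connection)
    {
    if ( c$uid !in msgs )
        return;
    close(msgs[c$uid]$f);
    delete msgs[c$uid];
    }
```

Because this works from the decoded line stream rather than raw bytes, it reproduces the message body but not transport-level details such as dot-stuffing, which is the gap a dedicated SMTP_IN_DATA file analysis in the analyzer would close.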