Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but when there are more than 32 rings, I get 800000
packets with 33 rings and 1200000 packets with 34 rings and so on.
I wonder whether there is some rule that a pf_ring or a bro cluster can only
support fewer than 32 rings or worker threads on a server, or whether there is some other
reason?
Any insight would be helpful.
Dear Bro Community,
We're excited to announce that registration for BroCon 2018 is now
open at https://www.brocon2018.com.
BroCon 2018 will take place October 10-12, in Arlington, VA. It offers
the Bro community a chance to meet face-to-face, share new ideas and
developments, and better understand and secure their networks. The
conference is composed of presentations from members of the community
and the Bro development team.
We'll post the Call for Presentations shortly. If your organization is
interested in supporting BroCon, please check out the sponsorship
opportunities.
Robin
--
Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin
BroCon 2018 is accepting presentation proposals. We are looking for talks to represent the many applications of Bro. Suitable topics include, but are not limited to:
* as a tool for solving problems;
* interesting user stories, solutions, or research projects;
* a postmortem analysis of a security incident, emphasizing Bro’s contribution;
* the value Bro brings to your professional work;
* and, using Bro for more than intrusion detection.
* Please, no product presentations
Criteria for evaluating proposals include whether the topic is applicable to multiple types of organizations, gives people ideas to take home and use, can be understood by a broad audience, or is novel to many in the audience. Scrolling through our YouTube Channel may provide some insight into the types of presentations we wish to feature. Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments.
Send abstracts (max 500 words) to: info(a)bro.org
Subject: BroCon 2018 Call for Presentations
Submission due date: Friday, July 13th
Target date for announcing speakers: Friday, July 27th
CFPs are selected by the Bro Leadership Team:
Johanna Amann, ICSI / Corelight / LBNL
Seth Hall, Corelight
Keith Lehigh, Indiana University
Vern Paxson, Corelight / ICSI / UC Berkeley
Michal Purzynski, Mozilla Foundation
Aashish Sharma, Lawrence Berkeley Lab
Adam Slagell, National Center for Supercomputing Applications
Robin Sommer, Corelight / ICSI / LBNL
Jan Grashöfer, Karlsruhe Institute of Technology (KIT)
- Keith Lehigh
Technical Program Chair
BroCon 2018
Hey all,
So... I run a very lean box, and that means not using broctl. With
older versions of Linux, rc.local was just fine to get a script to start
bro, but with systemd it's not the same. My startup script is similar
to the below:
    cd /opt/bro/spool/bro && /opt/bro/bin/bro -C -i eth0 -i eth1 --filter 'long filter option here' local "Site::local_nets += { externalIP,internatNET }" &
This has worked like a champ, but this command in a .service file, or the
.service file pointing to a script that contains the above, does not
work. So I have a couple of points/questions:
1. Has anyone worked out a systemd .service file with bro that doesn't
use broctl?
2. It would be nice to have a command line flag that can be used to
specify the log path, this way I could forgo the cd command above.
Thank you.
James
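As an added example (not from this thread or the Bro project), here is a systemd unit that starts Bro directly without broctl, written out by a small shell function so it can be checked before installing. It assumes Bro is installed under /opt/bro with /opt/bro/spool/bro as the log directory; the capture filter and the local network are placeholders. Two things differ from the rc.local command: the trailing "&" is dropped (a Type=simple service must stay in the foreground, otherwise systemd sees the main process exit and stops the unit), and the "cd" becomes WorkingDirectory=, which Bro then uses as its log path.

```shell
#!/bin/sh
# Write a systemd unit that runs Bro in the foreground, no broctl involved.
# Assumptions: /opt/bro install, eth0/eth1 capture, placeholder filter and
# a documentation-range local net (192.0.2.0/24); adjust to your site.
write_bro_unit() {
    unit="$1"          # path of the .service file to write
    cat > "$unit" <<'EOF'
[Unit]
Description=Bro network security monitor (standalone, no broctl)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Bro writes its logs into the current directory: this replaces "cd".
WorkingDirectory=/opt/bro/spool/bro
# No trailing "&": systemd tracks this process as the service itself.
ExecStart=/opt/bro/bin/bro -C -i eth0 -i eth1 --filter 'FILTER_PLACEHOLDER' local "Site::local_nets += { 192.0.2.0/24 }"
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Checks worth running before "systemctl daemon-reload": the unit must set a
# working directory, must start the bro binary, and must not background it.
check_bro_unit() {
    unit="$1"
    grep -q '^WorkingDirectory=' "$unit" || return 1
    grep -q '^ExecStart=/opt/bro/bin/bro' "$unit" || return 1
    grep -q '^ExecStart=.*&[[:space:]]*$' "$unit" && return 1
    return 0
}
```

Install it by writing to /etc/systemd/system/bro.service, then running systemctl daemon-reload and systemctl enable --now bro.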
Is it possible to easily configure Bro in cluster mode to connect on
alternate ports other than 22? The reason I ask is that I'm running my bro
processes inside containers on a host that already has sshd on port 22 (I'm
running a sidecar sshd inside the container on port 2022). I can probably
find it if I dig around, but if someone knows how to do this, let me know.
Hello all!
I need advice about a problem I have:
I am running many bro commands on dynamically incoming pcaps, such as:
"bro -r some_file_name".
On every run, logs are created in the same directory, but the next run
overwrites those logs. How can bro create logs with a unique log name for each run?
I also tried to add a timestamp to the log name but did not find how to get
the current time.
Would love your help,
John
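Bro writes conn.log, files.log and friends into its current working directory, so one way to keep each "bro -r" run from overwriting the last is to give every run its own directory named from the pcap and a timestamp. The wrapper below is an added example, not code from this thread or from Bro; it assumes "bro" is on PATH and that LOG_ROOT is writable.

```shell
#!/bin/sh
# Per-run log directories for "bro -r": <LOG_ROOT>/<pcap name>-<UTC stamp>/
LOG_ROOT="${LOG_ROOT:-/var/log/bro-pcaps}"   # assumed location, override as needed

# Build a unique, filesystem-safe directory name for one pcap. The optional
# second argument fixes the timestamp so the result is reproducible in tests.
run_dir_for() {
    pcap="$1"
    stamp="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
    base=$(basename "$pcap")
    base="${base%.*}"                                   # strip .pcap / .pcapng
    base=$(printf '%s' "$base" | sed 's/[^A-Za-z0-9._-]/_/g')   # sanitise name
    printf '%s/%s-%s\n' "$LOG_ROOT" "$base" "$stamp"
}

# Analyse one pcap in a fresh directory and print that directory's path.
process_pcap() {
    pcap="$1"
    [ -r "$pcap" ] || { echo "unreadable pcap: $pcap" >&2; return 1; }
    case "$pcap" in                 # make the path absolute before we cd away
        /*) ;;
        *) pcap="$PWD/$pcap" ;;
    esac
    dir=$(run_dir_for "$pcap")
    mkdir -p "$dir" || return 1
    # Subshell so the cd does not leak into the caller; -C ignores checksum
    # errors, which are common in captures taken with NIC offloading enabled.
    ( cd "$dir" && bro -C -r "$pcap" ) || return 1
    printf '%s\n' "$dir"
}
```

If you would rather build the timestamp inside a Bro script, Bro's built-ins strftime() and current_time() give you the formatted wall-clock time.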
I'm curious if there is a rough estimate or best practice for the number of
plugins that a bro instance can run without affecting performance.
I have about 5 running so far on a couple of instances and all seems good, but
I'm not sure if there's a limit to the number bro can run, if it doesn't
matter, etc.
Thanks in advance.
Hi there,
I wrote a little script to keep track of some values sent between two
PLCs, measuring the pressure of a compressor. To test it, I recorded the
data traffic between those PLCs with Wireshark.
However, I noticed that if I run Bro as a command-line utility, all
packets belong to the same connection UID (which is right, it's one
single TCP connection), like this:
1524935590.861128 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1524935592.240910 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1524935593.510075 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1524935594.644501 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1524935595.890453 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1524935597.034076 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1524935598.310198 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1524935599.455176 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1524935600.715050 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1524935601.858465 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1524935603.105988 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1524935604.263663 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
If I replay the pcap with tcpreplay and use Bro with BroCtl, the
connection UID changes every 4 to 5 packets:
1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
1530283330.327749 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
1530283331.575829 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
1530283335.139726 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
1530283336.399753 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
1530283337.547808 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
1530283339.947775 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
Could it be because I'm using tcpreplay? Or is it intended behavior of Bro?
Thanks!
Dane
In conn.log, the local_orig and local_resp fields are implemented as below, so I
did the same implementation in files.log and ssl.log, but I am facing one
problem: ssl.log says local_orig is true
but files.log says local_orig is false.
conn.log
    # c is the connection record; only set the fields if local nets are configured
    if ( |Site::local_nets| > 0 )
        {
        c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
        c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
        }
ssl.log
    # same check, written into the SSL info record attached to the connection
    if ( |Site::local_nets| > 0 )
        {
        c$ssl$local_orig = Site::is_local_addr(c$id$orig_h);
        c$ssl$local_resp = Site::is_local_addr(c$id$resp_h);
        }
files.log
    # f is the fa_file; c must be a connection bound in the enclosing handler
    if ( |Site::local_nets| > 0 )
        {
        f$info$local_orig = Site::is_local_addr(c$id$orig_h);
        f$info$local_resp = Site::is_local_addr(c$id$resp_h);
        }
Regards,
Sunu
Hi All,
We received a phishing email to our CEO (see below). The link, if you run it
against VirusTotal, is flagged as malicious/phishing. Is there a way to
use Bro to automate checking against VirusTotal? Is there any limit as
to how many emails with links you can check against VirusTotal? Are there
better solutions?
*From:* E-ḟax Online <712-559-2211> @electronic ḟax transmission@Donotreply
<bison(a)bigrunlf.com>
*Sent:* Tuesday, June 26, 2018 12:01 PM
*Subject:* Delivery-Scanned- 32234
Hello,
You have a new fax from eFax with a page count of 3
Date Received: *2018-06-22 09:07:26 EDT*
Type: *Attached in pdf*
Number of pages: *3*
Reference #: chd_pgf4-1509631610-13058327707-63
View Scanned Document-41223
<https://wecdit.com/Silent%22%3A%3F%3E%3CSilent%22%3A%3F%3E%3CSilent%22%3A%3…>
Yours,
Fax System