Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I am wondering whether there is some rule that a pf_ring or Bro cluster can only
support fewer than 32 rings or worker threads on a server, or whether there is some other
reason?
Any insight would be helpful.
Does anyone know if there is a Bro plugin for CoAP traffic detection and
identification? We have the MQTT plugin for IoT bits, but we would like to
support CoAP as well. Thanks!
Dear Bro,
Do you have any info regarding notary.icsi.berkeley.edu (http://notary.icsi.berkeley.edu)? It doesn't resolve anymore.
Thanks,
Peter Hallin
Lund University IRT
Forwarded message:
From: Travis Caskey <tjcaskey(a)icsi.berkeley.edu>
Date: 26 July 2018 19:56:00 CEST
To: <peter.hallin(a)ldc.lu.se>, <frontdesk(a)ICSI.Berkeley.EDU>
Subject: Re: [Contact ICSI] ICSI Notary down?
Reply-To: <tjcaskey(a)icsi.berkeley.edu>
Peter,
I would recommend that you send note of this problem to bro(a)bro.org, where I believe they can be of further assistance.
Travis
On 7/26/2018 1:27 AM, peter.hallin(a)ldc.lu.se wrote:
Peter Hallin (peter.hallin(a)ldc.lu.se) sent a message using the contact form
at https://www.icsi.berkeley.edu/icsi/contact.
Hello,
We are using the SSL certificate notary with our Bro installation, but now it
seems down. The website is also unavailable.
Just wanted to check if this is temporary or if the service has been retired.
Thanks,
Peter Hallin
Lund University IRT
Hello,
I notice that sometimes the host field in a Bro http log is missing or
contains localhost as a value.
How is that possible?
This is an example of a log with localhost as host:
http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}
In this one the host is missing:
http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}
Is that normal behavior?
Thanks
--
Federico Foschini.
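A small check that runs over JSON http.log lines and flags the two cases asked about above: records with no host field and records whose host is a loopback name. This is an added example, not code from the post or from the Bro project. The sample records are constructed (RFC 5737 addresses, made-up uids) in the shape of the two lines quoted in the post, including the "filename:" prefix that grep prints. Bro fills the host field from the request's Host header, so a request that carries none (HTTP/1.0 clients may omit it) produces a record with no host; the has_request flag separates those from records where Bro logged no request line at all.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Bro's JSON http.log, each prefixed
# with a file name the way grep/zgrep prints them. Addresses are from RFC 5737
# documentation ranges and the uids are invented; none of this is real traffic.
SAMPLE_LINES = [
    'http.11.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"Cuid0001","id_orig_h":"203.0.113.10","id_orig_p":49558,"id_resp_h":"192.0.2.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}',
    'http.12.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"Cuid0002","id_orig_h":"198.51.100.47","id_orig_p":57326,"id_resp_h":"192.0.2.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}',
    'http.12.bak.gz:{"ts":"2018-07-25T12:10:02.000000Z","uid":"Cuid0003","id_orig_h":"198.51.100.47","id_orig_p":57330,"id_resp_h":"192.0.2.201","id_resp_p":80,"trans_depth":1,"method":"GET","host":"www.example.com","uri":"/","version":"1.1","request_body_len":0,"response_body_len":512,"status_code":200,"status_msg":"OK","tags":[]}',
    'http.12.bak.gz:{"ts":"2018-07-25T12:11:00.000000Z","uid":"Cuid0004","id_orig_h":"198.51.100.48","id_orig_p":57340,"id_resp_h":"192.0.2.201","id_resp_p":80,"trans_depth":1,"method":"GET","uri":"/index.html","version":"1.0","request_body_len":0,"response_body_len":100,"status_code":200,"status_msg":"OK","tags":[]}',
]

# Host values that name the responder itself rather than a real site.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_http_log_line(line):
    """Parse one JSON http.log record. Tolerates a leading 'filename:' prefix
    (as printed by grep) and returns None for lines that are not JSON."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def classify_host(rec):
    """Return why the record's host is suspicious, or None if it looks normal."""
    if "host" not in rec:
        return "missing_host"
    if rec["host"].lower() in LOOPBACK_HOSTS:
        return "loopback_host"
    return None


def audit_http_log(lines):
    """Return one finding per record whose host is missing or loopback.
    has_request is False when the record has no method either, i.e. Bro
    logged no request line for that transaction at all."""
    findings = []
    for line in lines:
        rec = parse_http_log_line(line)
        if rec is None:
            continue
        reason = classify_host(rec)
        if reason is None:
            continue
        findings.append({
            "uid": rec.get("uid"),
            "responder": f'{rec.get("id_resp_h")}:{rec.get("id_resp_p")}',
            "reason": reason,
            "has_request": "method" in rec,
            "http_version": rec.get("version"),
        })
    return findings


def summarize(findings):
    """Count findings per (responder, reason) so the servers that produce
    these records stand out."""
    return Counter((f["responder"], f["reason"]) for f in findings)


if __name__ == "__main__":
    found = audit_http_log(SAMPLE_LINES)
    for f in found:
        print(f)
    for key, n in summarize(found).items():
        print(key, n)
```

Feed it real lines with `zcat http.*.gz | python3 audit.py`-style plumbing by replacing SAMPLE_LINES with `sys.stdin`; the per-responder summary is usually the quickest way to see whether the odd records come from one server (a health-check endpoint, a proxy) or from everywhere.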
Dear Bro Community,
We're excited to announce that registration for BroCon 2018 is now
open at https://www.brocon2018.com.
BroCon 2018 will take place October 10-12, in Arlington, VA. It offers
the Bro community a chance to meet face-to-face, share new ideas and
developments, and better understand and secure their networks. The
conference is composed of presentations from members of the community
and the Bro development team.
We'll post the Call for Presentations shortly. If your organization is
interested in supporting BroCon, please check out the sponsorship
opportunities.
Robin
--
Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin
Hi,
the registration for the Bro Workshop Europe (September 18th/19th, @KIT,
Karlsruhe, Germany) is now open.
To register, please visit
https://dsn.tm.kit.edu/english/bro_workshop_europe.php (this is also
linked from https://bro.org).
The workshop is a one-day event split in two half-days to allow easy
traveling for participants in Europe: the program will start with lunch
on Tuesday and end after lunch on Wednesday.
The program will consist of talks by the Bro development team and external
contributors. A large part of the development team will be attending the
workshop. I will send another email once a more detailed program is
available.
If you are interested in giving a talk at the Workshop, please send an
email to info(a)bro.org.
Johanna
Greetings,
As the date for Brocon2018 approaches, I wanted to note that we still have sponsorship opportunities available. You can find a sponsorship prospectus with details and contact information on the BroCon2018 Sponsorship page. [1]
Thanks!
- Keith
[1] https://www.brocon2018.com/event/sponsors
Hi, I am trying to create an rpm package to easily distribute a package
to other sensors but seem to be doing something wrong when building the
package. The package builds okay but when installed, I end up with an
error, which is "bro: error while loading shared libraries:
libbroker.so.0: cannot open shared object file: No such file or directory."
Running ldd, shows "not found" but on a working instance, the path is
populated (/opt/bro/lib/libbroker.so.0). I also double checked that the
file exists on the file system and it's there.
I can launch broctl and run a few commands but when I do "deploy," I get
the above error.
On the build system, I have installed the prerequisite software using yum.
yum install cmake make gcc gcc-c++ flex bison libpcap-devel
openssl-devel python-devel swig zlib-devel rpm-build
Also installed pf_ring from an rpm using the ntop.org repo.
The process I followed for building the package was:
git clone --recursive https://github.com/bro/bro.git
cd bro
LDFLAGS="-lpfring -lpcap" ./configure --prefix=/opt/bro --with-pcap=/usr/local/ --pkg-name-prefix=Bro --binary-package
cd build
make package
scp the file to the intended sensor
yum localinstall Bro-2.5-725-Linux-x86_64.rpm
[root@bro00 ~]# ldd /opt/bro/bin/bro | grep libbroker
        libbroker.so.0 => not found
Both the build machine and the intended install target are set up the
same. They are CentOS 7.5.1804 (Core) VMs running on VMware 6.5 with
kernel 3.10.0-862.6.3.el7.x86_64.
Compiling Bro from source but leaving off the --binary-package flag
resulted in a working install on the build machine as well, using make &&
make install. I am not sure what piece I am missing here, so any advice
would be appreciated.
Regards,
Brandon
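A post-install check for the situation above, as an added example (not code from the post or from the Bro project): it runs ldd on a binary, collects the sonames reported as "not found", and for each one says whether the library is absent from the system or merely sits in a directory the dynamic loader does not search. The candidate directory /opt/bro/lib is taken from the post; /etc/ld.so.conf.d is the standard loader configuration directory on CentOS. The check looks only at the system-wide search path (LD_LIBRARY_PATH and ld.so.conf.d), not at an RPATH or RUNPATH baked into the binary, which is the other way a binary can find libraries outside the default path. The ldd output and ld.so.conf text used in the test are constructed.

```python
import os
import re
import subprocess
import sys

# ldd prints an unresolved dependency as "<soname> => not found".
NOT_FOUND_RE = re.compile(r"^\s*(\S+)\s*=>\s*not found")


def parse_ldd_output(text):
    """Return the sonames that ldd reported as 'not found'."""
    missing = []
    for line in text.splitlines():
        m = NOT_FOUND_RE.match(line)
        if m:
            missing.append(m.group(1))
    return missing


def ldd_missing(binary):
    """Run ldd on a binary and return its unresolved sonames."""
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True, check=False)
    return parse_ldd_output(proc.stdout)


def parse_ld_conf(text):
    """Directories from an ld.so.conf-style file: one per line, '#' comments
    and blank lines ignored. 'include' lines are skipped rather than followed."""
    dirs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("include"):
            dirs.append(line)
    return dirs


def loader_search_dirs(conf_dir="/etc/ld.so.conf.d"):
    """Directories the loader will search beyond the defaults: LD_LIBRARY_PATH
    plus everything listed in /etc/ld.so.conf.d/*.conf (what ldconfig reads)."""
    dirs = [d for d in os.environ.get("LD_LIBRARY_PATH", "").split(":") if d]
    if os.path.isdir(conf_dir):
        for name in sorted(os.listdir(conf_dir)):
            if name.endswith(".conf"):
                with open(os.path.join(conf_dir, name)) as fh:
                    dirs.extend(parse_ld_conf(fh.read()))
    return dirs


def locate(soname, candidate_dirs):
    """First directory among candidate_dirs that actually contains soname."""
    for d in candidate_dirs:
        if os.path.isfile(os.path.join(d, soname)):
            return d
    return None


def diagnose(missing, search_dirs, expected_dirs):
    """For each unresolved soname, say whether it is absent from the expected
    install directories or merely outside the loader's search path."""
    report = {}
    for soname in missing:
        where = locate(soname, expected_dirs)
        if where is None:
            report[soname] = "not installed in any expected directory"
        elif where in search_dirs:
            # Listed in ld.so.conf.d but ldd still fails: the cache is stale.
            report[soname] = f"present in {where}, which is configured; run ldconfig to refresh the cache"
        else:
            report[soname] = f"present in {where}, which the loader does not search; add it under /etc/ld.so.conf.d and run ldconfig"
    return report


if __name__ == "__main__":
    # Hypothetical invocation: python3 check_libs.py /opt/bro/bin/bro
    binary = sys.argv[1] if len(sys.argv) > 1 else "/opt/bro/bin/bro"
    verdicts = diagnose(ldd_missing(binary), loader_search_dirs(), ["/opt/bro/lib"])
    for soname, verdict in verdicts.items():
        print(f"{soname}: {verdict}")
```

The useful distinction is the second versus third verdict: if the library is on disk and its directory is already in ld.so.conf.d, the package install simply never ran ldconfig; if the directory is not configured at all, the package needs to ship a conf snippet (or the binary an RPATH) for an installation outside the default library path to work.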