Does anyone know if there is a Bro plugin for CoAP traffic detection and
identification? We have the MQTT plugin for IoT bits, but we would like to
support CoAP as well. Thanks!
Dear Bro,
Do you have any info regarding notary.icsi.berkeley.edu? It doesn’t resolve anymore.
Thanks,
Peter Hallin
Lund University IRT
Forwarded message:
From: Travis Caskey <tjcaskey(a)icsi.berkeley.edu>
Date: 26 July 2018 19:56:00 CEST
To: <peter.hallin(a)ldc.lu.se>, <frontdesk(a)ICSI.Berkeley.EDU>
Subject: Re: [Contact ICSI] ICSI Notary down?
Reply-To: <tjcaskey(a)icsi.berkeley.edu>
Peter,
I would recommend that you send note of this problem to bro(a)bro.org, where I believe they can be of further assistance.
Travis
On 7/26/2018 1:27 AM, peter.hallin(a)ldc.lu.se wrote:
Peter Hallin (peter.hallin(a)ldc.lu.se) sent a message using the contact form
at https://www.icsi.berkeley.edu/icsi/contact.
Hello,
We are using the SSL certificate notary with our Bro installation, but now it
seems down. The website is also unavailable.
Just wanted to check if this is temporary or if the service has been retired.
Thanks,
Peter Hallin
Lund University IRT
Hello,
I notice that sometimes the field host in a bro-http log is missing or
contains localhost as a value.
How is that possible?
This is an example of a log with localhost as host:
http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}
In this one the host is missing:
http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}
Is that a normal behavior?
Thanks
--
Federico Foschini.
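For triaging records like the two in the post above, the following is an added example (not part of the original message and not Bro project code) that sorts http.log JSON records by what their `host` field, which holds the value of the request's Host header, does or does not contain. The verdict labels are assumptions of this sketch; records 1-2 are taken from the post and trimmed, records 3-4 are constructed.

```python
import ipaddress
import json

# Records 1-2 are the two from the post, trimmed to the fields used here;
# records 3-4 are constructed for contrast.
SAMPLE = [
    'http.11:00:00-12:00:00.bak.gz:{"uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_resp_h":"192.168.237.29","method":"GET","host":"localhost","uri":"/ospos/index.php/login","status_code":500}',
    'http.12:00:00-13:00:00.bak.gz:{"uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_resp_h":"192.168.50.201","trans_depth":2,"tags":[]}',
    'http.12:00:00-13:00:00.bak.gz:{"uid":"Cconstructed01","id_orig_h":"192.168.235.47","id_resp_h":"192.168.50.201","method":"GET","host":"intranet.example:8080","uri":"/"}',
    '{"uid":"Cconstructed02","id_orig_h":"192.168.235.47","id_resp_h":"192.168.50.201","method":"GET","uri":"/","version":"1.0"}',
]

def parse_grep_line(line):
    """Split the 'archive:' prefix added by zgrep from the JSON record.
    The archive name itself contains colons, so split on ':{' instead of ':'."""
    if line.startswith("{"):
        return None, json.loads(line)
    name, _, body = line.partition(":{")
    return name, json.loads("{" + body)

def host_only(value):
    """Lower-case a Host value and drop an optional port."""
    v = value.strip().lower()
    if v.startswith("["):                      # bracketed IPv6 literal
        return v[1:].split("]", 1)[0]
    return v.split(":", 1)[0] if v.count(":") == 1 else v

def is_loopback(name):
    if name in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:                         # an ordinary DNS name
        return False

def classify(rec):
    if "host" not in rec:
        # Separate "no request fields logged at all" from "request without Host".
        return "host-missing" if "method" in rec else "no-request-logged"
    return "host-loopback" if is_loopback(host_only(rec["host"])) else "ok"

def triage(lines):
    """Return (uid, verdict, client_is_external) for each log line."""
    out = []
    for line in lines:
        _, rec = parse_grep_line(line)
        external = not ipaddress.ip_address(rec["id_orig_h"]).is_private
        out.append((rec["uid"], classify(rec), external))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The second record from the post lands in `no-request-logged` because `method` and `uri` are absent along with `host`, while the first is a parsed request from a non-private address that named `localhost` in its Host header.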
Dear Bro Community,
We're excited to announce that registration for BroCon 2018 is now
open at https://www.brocon2018.com .
BroCon 2018 will take place October 10-12, in Arlington, VA. It offers
the Bro community a chance to meet face-to-face, share new ideas and
developments, and better understand and secure their networks. The
conference is composed of presentations from members of the community
and the Bro development team.
We'll post the Call for Presentations shortly. If your organization is
interested in supporting BroCon, please check out the sponsorship
opportunities.
Robin
--
Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin
Hi,
the registration for the Bro Workshop Europe (September 18th/19th, @KIT,
Karlsruhe, Germany) is now open.
To register, please visit
https://dsn.tm.kit.edu/english/bro_workshop_europe.php (this is also
linked from https://bro.org).
The workshop is a one-day event split in two half-days to allow easy
traveling for participants in Europe: the program will start with lunch
on Tuesday and end after lunch on Wednesday.
The program will consist of talks by the Bro development team and external
contributors. A large part of the development team will be attending the
workshop. I will send another email once a more detailed program is
available.
If you are interested in giving a talk at the Workshop, please send an
email to info(a)bro.org.
Johanna
Greetings,
As the date for Brocon2018 approaches, I wanted to note that we still have sponsorship opportunities available. You can find a sponsorship prospectus with details and contact information on the BroCon2018 Sponsorship page. [1]
Thanks!
- Keith
[1] https://www.brocon2018.com/event/sponsors
Hi, I am trying to create an rpm package to easily distribute a package
to other sensors but seem to be doing something wrong when building the
package. The package builds okay but when installed, I end up with an
error, which is "bro: error while loading shared libraries:
libbroker.so.0: cannot open shared object file: No such file or directory."
Running ldd, shows "not found" but on a working instance, the path is
populated (/opt/bro/lib/libbroker.so.0). I also double checked that the
file exists on the file system and it's there.
I can launch broctl and run a few commands but when I do "deploy," I get
the above error.
On the build system, I have installed the prerequisite software using yum.
yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel rpm-build
Also installed pf_ring from an rpm using the ntop.org repo.
The process I followed for building the package was:
git clone --recursive https://github.com/bro/bro.git
cd bro
LDFLAGS="-lpfring -lpcap" ./configure --prefix=/opt/bro --with-pcap=/usr/local/ --pkg-name-prefix=Bro --binary-package
cd build
make package
scp the file to the intended sensor
yum localinstall Bro-2.5-725-Linux-x86_64.rpm
The [root@bro00 ~]# ldd /opt/bro/bin/bro |grep libbroker
libbroker.so.0 => not found
Both the build machine and the intended install target are set up the
same. They are CentOS 7.5.1804 (Core) VMs running on VMware 6.5 with
kernel 3.10.0-862.6.3.el7.x86_64.
Compiling BRO from source but leaving off the --binary-package flags
resulted in a working install on the build machine as well using make &&
make install. I am not sure what piece I am missing here so any advice
would be appreciated.
Regards,
Brandon
It's not much but any interest in putting this or a variation into the
code?
Change email subject from:
[Bro] Connection summary from ${TIMEFRAME}
to
[Bro] Connection summary from ${TIMEFRAME} - ${HOSTNAME}
# diff
${BROINSTALLPATH}share/broctl/scripts/postprocessors/summarize-connections
${BROINSTALLPATH}/share/broctl/scripts/postprocessors/summarize-connections.orig
25d24
< systemname="$(hostname)"
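Review bot: the new `systemname="$(hostname)"` line at 25 is shown as a `<` line because the diff was taken with the modified file first and `.orig` second, so applying it with patch would remove the change instead of adding it. Regenerating it as `diff -u summarize-connections.orig summarize-connections` gives a hunk that applies in the intended direction and carries context lines. If `hostname` returns only the short name on these sensors, consider the fully qualified name so that summaries from sensors in different domains stay distinguishable.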
82c81
< "${scriptsdir}"/send-mail "$subject - $systemname" <$output
---
> "${scriptsdir}"/send-mail "$subject" <$output
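Review bot: at line 82 the hostname is appended unconditionally, so if `hostname` fails or returns an empty string the subject ends in a dangling " - ". Writing the argument as `"$subject${systemname:+ - $systemname}"` avoids that. Appending at the `send-mail` call also leaves `$subject` itself unchanged; folding the hostname into the line where `subject` is set would keep any other use of the variable consistent.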
#
--
Regards,
Chris Chiaverini
Cyber Security Operations
Brookhaven National Laboratory
Upton, New York 11973