Need to find a way to filter all traffic from a particular user-agent so
that it does not get logged.
Been reading docs and reviewing .bro files, but still kind of stumped. Any
help is greatly appreciated.
TIA
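One way to do this in Bro script, as an added example that is not from the original post: replace the default http.log filter with one carrying a predicate, so records whose User-Agent matches a pattern are never written. The pattern, the filter name and the helper constant are assumptions chosen for illustration.

```bro
# Added example (not from the original post): suppress http.log records whose
# User-Agent matches a pattern. The pattern itself is an assumption.
@load base/protocols/http

# Hypothetical pattern; replace with the user-agent you want to drop.
const noisy_user_agents = /^ExampleMonitor\/[0-9.]+$/ &redef;

event bro_init()
    {
    # Drop the stock filter and re-add it under the same name with a $pred.
    # Returning F from the predicate skips that record for this filter only;
    # every other http.log record is still written.
    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name="default",
                                $pred=function(rec: HTTP::Info): bool
                                    {
                                    if ( rec?$user_agent && noisy_user_agents in rec$user_agent )
                                        return F;
                                    return T;
                                    }]);
    }
```

Note that this only affects http.log: the underlying connection still appears in conn.log, and any file or notice records derived from the same session are untouched. Keep the pattern as narrow as possible, since anything it matches is invisible to later investigation.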
Hi all,
On various occasions I've come across a conn log entry indicating a session's
service as dns (udp port 53).
Yet I do not see that UID in bro's DNS log.
Any ideas why?
Should conn's service field indicate the bro analyzer being used?
Thank you
B
Hi,
When I compile the Bro elasticsearch plugin, I get the following error:
[ 18%] Creating build/lib/bif for Bro::ElasticSearch
Error copying directory from "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" to "/data/bro-2.5.4/aux/plugins/elasticsearch/build/lib/bif".
My compile step is:
first, use the following command to compile Bro:
#./configure --with-pcap=/usr/lib64 --prefix=/usr/local/bro
#make
#make install
second, use the following command to compile elasticsearch plugin:
#cd bro-2.5.4/aux/plugins/elasticsearch
#./configure --with-libcurl=/usr/local
#make
#make install
I am sure the libpcap and libcurl library paths are correct.
When I create the dir "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" manually and compile elasticsearch again, the error disappears.
But I do not know what effect this will have.
Can anyone tell me what may lead to this error and how to resolve it?
Best Regards
DeJin Wang
Hi all,
The SSH example given on the Bro site works fine when it is tested from
the command line.
I mean SSH events such as failed and success are generated and the log is
also created.
But without using the ssh guess pcap file, when I do ssh between two
systems, these
events such as ssh_auth_fail and success are *NOT* generated. Can you tell
how to solve this issue? Or how can I enable SSH detection?
with regards
ravi
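For reference, a minimal script that handles the SSH analyzer's authentication events, added here as an example and not part of the original post. ssh_auth_successful and ssh_auth_failed are the events the base SSH analyzer raises in Bro 2.x; the module name, the failure threshold and the counter table are assumptions for illustration.

```bro
# Added example (not from the original post): count failed SSH logins per
# source and report successes. The threshold and expiry are assumptions.
@load base/protocols/ssh

module SSHWatch;

export {
    # Hypothetical threshold: report once a source reaches this many failures.
    const fail_threshold = 5 &redef;
}

# Per-source failure counter; entries expire 10 minutes after creation.
global fails: table[addr] of count &default=0 &create_expire=10min;

event ssh_auth_failed(c: connection)
    {
    local src = c$id$orig_h;
    ++fails[src];
    if ( fails[src] == fail_threshold )
        print fmt("%s: %d failed SSH logins to %s within 10 minutes",
                  src, fails[src], c$id$resp_h);
    }

event ssh_auth_successful(c: connection, auth_method_none: bool)
    {
    print fmt("SSH auth success %s -> %s (auth_method_none=%s)",
              c$id$orig_h, c$id$resp_h, auth_method_none);
    }
```

Run it with the sshguess pcap (`bro -r <pcap> sshwatch.bro`) to confirm the handlers fire. On live traffic these events only fire once the SSH analyzer has seen the exchange in both directions; a one-sided capture (asymmetric routing, or a capture interface that misses the return path) produces ssh.log entries with no auth result and neither event.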
Hi Vern,
The span of the original sentence was a bit too large for me to understand. But I understand now. Thanks for your reply.
DeJin Wang
====== last communication content ======
From: "Vern Paxson" <vern(a)corelight.com>
Date: 09/24 2018 04:55:20
To: "wangdj(a)ffcs.cn" <wangdj(a)ffcs.cn>
Cc: "bro" <bro(a)bro.org>
Subject: Re: [Bro] Does BPF filter of worker has the ability of packet retransmition
> "The packets can then be passed directly to a monitoring host where
> each worker has a BPF filter to limit its visibility to only that stream
> of flows, or onward to a commodity switch to split the traffic out to
> multiple 1G interfaces for the workers."
>
> Does this sentence mean the worker's BPF filter can retransmit packets to another switch?
The "or onward" part is talking about what the front-end does, rather than
what the workers do. The front end *either* sends all packets to a host
for which each individual worker applies a (disjoint) BPF filter to the
stream to pick out those flows specifically for it; *or* the front end can
send the traffic to a switch that explicitly load-balances the traffic
across multiple 1G interfaces.
Vern
Hi,
According to the instructions of the intelligence framework, I wrote an intelligence framework text file myintel.txt whose content is:
#fields indicator indicator_type meta.source meta.desc meta.url
14.215.177.39 Intel::ADDR baidu use baidu search -
Very simple. I also wrote a simple bro script file mytest.bro whose content is:
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
redef Intel::read_files += { "./myintel.txt" };
When I run this script with the command "./bro -i eth3 mytest" in a shell terminal and run the "ping 14.215.177.39" command in another shell terminal, I get the following warning:
warning: ./myintel.txt/Input::READER_ASCII: Did not find requested field indicator in input data file ./myintel.txt.
It seems that there is no error in the myintel.txt file, so what leads to this warning?
Best Regards
DeJin Wang
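The same intel setup with the reader's column separator made explicit, added here as an example that is not part of the original post. The ASCII input reader splits lines on InputAscii::separator, which defaults to a tab; a #fields header typed with spaces is read as one single column, so the reader cannot find a field named "indicator" and emits exactly this warning. The file path is taken from the post; the Intel::match handler body is an assumption for illustration.

```bro
# Added example (not from the original post): intel file loading with the
# separator stated explicitly, plus a handler that reports each hit.
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

# myintel.txt must be tab separated. With \t marking each tab, the post's
# file should look like this (a single space between columns will not work):
#   #fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url
#   14.215.177.39\tIntel::ADDR\tbaidu\tuse baidu search\t-
redef InputAscii::separator = "\t";
redef Intel::read_files += { "./myintel.txt" };

# Report each match, including which field of which connection produced it.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        print fmt("intel hit: %s (%s) seen in %s from source %s",
                  s$indicator, s$indicator_type, s$where, item$meta$source);
    }
```

Two things to check when testing: the #fields line and every data line must use tabs, and the bundled seen scripts check addresses on connection_established, which fires for TCP, so an ICMP ping to the listed address may not produce a hit even when the file loads cleanly; a TCP connection to it will.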
Hi Folks,
We’re about 2 1/2 weeks out from BroCon 2018. We’ve got a good conference put together with presentations from the community on topics such as writing analyzers, new scripts and packages, working with Bro data and managing Bro deployments. We also have a great keynote scheduled from Marcus Ranum. We’ve extended the hotel block rate until Monday, September 24th so you’ve still got time to make reservations at reduced price. We’re looking forward to seeing everybody in D.C.!
- Keith
Hi All,
I'm currently preparing to set up a Bro cluster to examine scalability.
I'm wondering if anyone has recommendations for 10, 40, and even 100 Gbit
NICs.
I've read the 100 Gbs Intrusion Detection paper, which used 10 Gigabit
Myricom sniffer cards, but this paper is from 2015. I'm wondering if
anyone has more recent data than that.
Thanks!
-Erich