Re: [Bro] Signatures - zeek - lists.zeek.org

List overview All Threads
Download

Re: [Bro] Signatures

[Bro] Summer Internship

[Bro] Install issue - Bro cluster

Seth Hall

9 Feb 2011 9 Feb '11

7:20 p.m.

On Feb 9, 2011, at 1:14 PM, Neslog wrote:

How about the file_flush.bro? When I'm testing I lod that one with a short time inerval.

Good catch. I had a nagging feeling that I was missing something. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

Reply

Show replies by date

David Rodrigues

10 Feb 10 Feb

10:57 a.m.

New subject: [Bro] Signatures

Thanks, using @load file-flush (with a dash) worked :) But now I'm running into another problem. The signature is only triggered once for the same host and for a given period of time. Is there a way to report every single signature match? On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall <seth(a)icir.org> wrote:

On Feb 9, 2011, at 1:14 PM, Neslog wrote:

How about the file_flush.bro? When I'm testing I lod that one with a short time inerval.

Good catch. I had a nagging feeling that I was missing something. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ _______________________________________________ Bro mailing list bro(a)bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Reply

Neslog

3:54 p.m.

New subject: [Bro] Signatures

Not sure within poicy but you may want to try tcpreplay and set to generate the traffic at wire speed instead of disk I/O. On 2/10/11, David Rodrigues <david.network.security(a)gmail.com> wrote:

Thanks, using @load file-flush (with a dash) worked :) But now I'm running into another problem. The signature is only triggered once for the same host and for a given period of time. Is there a way to report every single signature match? On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall <seth(a)icir.org> wrote:

On Feb 9, 2011, at 1:14 PM, Neslog wrote:

How about the file_flush.bro? When I'm testing I lod that one with a short time inerval.

Good catch. I had a nagging feeling that I was missing something. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ _______________________________________________ Bro mailing list bro(a)bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- Sent from my mobile device

Reply

David Rodrigues

11 Feb 11 Feb

8:56 a.m.

New subject: [Bro] Signatures

I'm using 'nc' to see how BroIDS behaves. For now, it's not a problem of speed. Maybe later... I want to use it in a 10Gbps network speed. Maybe 100Gps in 1/2 years. On Thu, Feb 10, 2011 at 3:54 PM, Neslog <neslog(a)gmail.com> wrote:

Not sure within poicy but you may want to try tcpreplay and set to generate the traffic at wire speed instead of disk I/O. On 2/10/11, David Rodrigues <david.network.security(a)gmail.com> wrote:

Thanks, using @load file-flush (with a dash) worked :) But now I'm running into another problem. The signature is only triggered once for the same host and for a given period of time. Is there a way to report every single signature match? On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall <seth(a)icir.org> wrote:

On Feb 9, 2011, at 1:14 PM, Neslog wrote:

How about the file_flush.bro? When I'm testing I lod that one with a short time inerval.

Good catch. I had a nagging feeling that I was missing something. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ _______________________________________________ Bro mailing list bro(a)bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- Sent from my mobile device

Reply

Seth Hall

16 Feb 16 Feb

8:33 p.m.

New subject: [Bro] Signatures

On Feb 10, 2011, at 4:57 AM, David Rodrigues wrote:

using @load file-flush (with a dash) worked :)

Oops!

The signature is only triggered once for the same host and for a given period of time. Is there a way to report every single signature match?

Sorry to sort of disappear on you for a few days. I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once. Could you capture some traffic and send the signature you are using? By default, it should be triggering on every match for a host. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

Reply

David Rodrigues

21 Feb 21 Feb

10:02 a.m.

New subject: [Bro] Signatures

I'm sorry. I'll be more precise. The signature is only triggered once for the same host and for a given period of time (and for the same tcp connection). If I close and restart the connection the signature is always triggered. Is that normal? Thanks, David On Wed, Feb 16, 2011 at 8:33 PM, Seth Hall <seth(a)icir.org> wrote:

On Feb 10, 2011, at 4:57 AM, David Rodrigues wrote:

using @load file-flush (with a dash) worked :)

Oops!

The signature is only triggered once for the same host and for a given period of time. Is there a way to report every single signature match?

Sorry to sort of disappear on you for a few days. I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once. Could you capture some traffic and send the signature you are using? By default, it should be triggering on every match for a host. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

Reply

Seth Hall

23 Feb 23 Feb

6:08 a.m.

New subject: [Bro] Signatures

On Feb 21, 2011, at 4:02 AM, David Rodrigues wrote:

The signature is only triggered once for the same host and for a given period of time (and for the same tcp connection). If I close and restart the connection the signature is always triggered. Is that normal?

Ah! I believe that is normal. I don't think that the same signature will trigger multiple times in the same TCP connection. Can you give any more details about the scenario in which you need this? The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

Reply

David Rodrigues

11:24 a.m.

New subject: [Bro] Signatures

First I though it was a bug. I only realized that it only concerned the same tcp connections after my first e-mail. But the behavior is different for Suricata. That's why I asked if it was a bug or normal behavior for Bro. But now it's crystal clear. Thanks a lot, David On Wed, Feb 23, 2011 at 6:08 AM, Seth Hall <seth(a)icir.org> wrote:

On Feb 21, 2011, at 4:02 AM, David Rodrigues wrote:

The signature is only triggered once for the same host and for a given period of time (and for the same tcp connection). If I close and restart the connection the signature is always triggered. Is that normal?

Ah! I believe that is normal. I don't think that the same signature will trigger multiple times in the same TCP connection. Can you give any more details about the scenario in which you need this? The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/

Reply

4110

days inactive

4124

days old

zeek@lists.zeek.org

Manage subscription

7 comments

3 participants

tags (0)

participants (3)

David Rodrigues
Neslog
Seth Hall