2 Dec
2012
2 Dec
'12
6:47 p.m.
Hello,
I'm just getting up to speed on Bro and Broccoli in an attempt to port some of our
existing sensors to the Bro environment. I've been trying to connect unsuccessfully
to a Bro server using the Barnyard2 alert_bro mechanism. The initial connection fails
with a "Could not connect to Bro!" message. I attempted the same connection
using py-broccoli and I get an IOError message. I've modified the local.bro script
to contain:
@load policy/frameworks/communication/listen
redef Communication::listen_port = 47757/tcp;
@load policy/integration/barnyard2
redef Communication::nodes += {
["local"] = [$host=127.0.0.1,
$class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
};
From examining the spo_alert_bro.c code in a debugger, it seems that the socket call in
try_connect in the broccoli bro_openssl.c is failing.
Is my local.bro code correct? It seems that Bro is not accepting Broccoli connections.
Any help would be greatly appreciated.
Thanks,
Dan
____________________
Dan Wyschogrod
Senior Scientist
Cyber Security
Raytheon/BBN Technologies
dwyschogrod(a)bbn.com
2 Dec
2 Dec
9:04 p.m.
On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
["local"] = [$host=127.0.0.1,
$class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
};
You need two commas in that event name. Sorry I didn't get that integration done in
the Barnyard2 integration scripts already, I really should have.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
3 Dec
3 Dec
5:53 a.m.
On Dec 3, 2012, at 12:04 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
Arg! Two colons. :) You could even just use /Barnyard2::.*/
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
["local"] = [$host=127.0.0.1,
$class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
};
You need two commas in that event name.
6:34 a.m.
Seth,
Thanks for the quick reply. Turns out that the missing colon was just a transcription
error in hand copying the code to my email computer. The original had two colons. The
problem seems to be that the instance of Bro never sees the connection from Broccoli.
There's no indication in the logs that the connection was attempted and the barnyard2
instance dies with the message:
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/home/dwyschogrod/suricata-local/etc/barnyard2.conf"
Log directory = /home/dwyschogrod/suricata-local/logs
alert_bro Connecting to Bro (127.0.0.1:12345)...ERROR: failed!
Could not connect to Bro!
Fatal Error, Quitting..
The latest version of my local.bro code (I've changed the listen_port):
@load policy/frameworks/communication/listen
redef Communication::listen_port = 12345/tcp;
#redef Communication::listen_interface = 127.0.0.1;
redef Communication::listen_ssl = F;
@load policy/integration/barnyard2
redef Communication::nodes += {
["local"] = [$host=127.0.0.1, $class="barnyard",
$events=/Barnyard2::.*/, $connect = F, $ssl = F]
};
Thanks again for the help.
Dan
____________________
Dan Wyschogrod
Senior Scientist
Cyber Security
Raytheon/BBN Technologies
dwyschogrod(a)bbn.com
On Dec 3, 2012, at 8:53 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 3, 2012, at 12:04 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
Arg! Two colons. :) You could even just use /Barnyard2::.*/
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
["local"] = [$host=127.0.0.1,
$class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
};
You need two commas in that event name.
8:28 a.m.
Seth,
I think I've tracked down the problem, but it leads to another mystery. In my
local.bro file, as I've pointed out, I have inserted the line:
redef Communication::listen_port = 12345/tcp;
In the barnyard2.conf file, I've added:
output alert_bro: 127.0.0.1:12345
I'm expecting, of course, a connection on port 12345. However, when I did a
"netstat -l", I discovered that the bro process was listening on port 47760! The
output from netstat -l was:
tcp 0 0 0.0.0.0:47760 0.0.0.0:* LISTEN 6326/bro
When I changed the barnyard2.conf to:
output alert_bro: 127.0.0.1:47760
the connection took place as expected. In addition, py-broccoli makes the connection as
well when i use:
Connection("127.0.0.1:47760")
On further investigation, I found that a bro file was generated in
spool/installed-scripts-do-not-touch/auto called standalone-layout.bro. Its content is:
# Automatically generated. Do not edit.
redef Communication::listen_port = 47760/tcp;
redef Communication::nodes += {
["control"] = [$host=127.0.0.1, $zone_id="",
$class="control", $events=Control::controller_events],
};
The 47760 port is the same in the standalone-layout.bro no matter what I set the
listen_port to in local.bro. Where does the 47760 port come from and what can I do to use
a different port?
Thanks again,
Dan
____________________
Dan Wyschogrod
Senior Scientist
Cyber Security
Raytheon/BBN Technologies
dwyschogrod(a)bbn.com
On Dec 3, 2012, at 8:53 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 3, 2012, at 12:04 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
Arg! Two colons. :) You could even just use /Barnyard2::.*/
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
["local"] = [$host=127.0.0.1,
$class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
};
You need two commas in that event name.
8:38 a.m.
On Dec 3, 2012, at 11:28 AM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
I think I've tracked down the problem, but it
leads to another mystery. In my local.bro file, as I've pointed out, I have inserted
the line:
Oh, are you running this through BroControl? BroControl configures the communication
framework for you. All you need to do is add another value to the Communication::nodes
variable with the events to listen to.
redef Communication::nodes += {
["barnyard2"] = [$host=127.0.0.1, $class="Barnyard2",
$events=/Barnyard2::.*/],
};
You *should* now be able to connect to the process, but you'll have to connect on
port 47760/tcp. Is there a particular reason that you want to change that? You
can't really do that in any BroControl deployment at the moment, and the
communication code only can listen on a single port per Bro process.
This is a somewhat undefined area of operation because there hasn't been a lot of
work to integrated external applications on clusters like this yet.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
9 a.m.
Seth,
Thanks for clarifying that. I can certainly live with port 47760 now that I know that
it's the "official" port. It probably would be a good idea to add to the
documentation that BroControl uses this port, though I might have missed it.
Going forward, we hope to contribute some of our work with external sensors.
Thanks again for your help.
Dan
____________________
Dan Wyschogrod
Senior Scientist
Cyber Security
Raytheon/BBN Technologies
dwyschogrod(a)bbn.com
On Dec 3, 2012, at 11:38 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 3, 2012, at 11:28 AM, Daniel Wyschogrod <dwyschogrod(a)bbn.com> wrote:
I think I've tracked down the problem, but
it leads to another mystery. In my local.bro file, as I've pointed out, I have
inserted the line:
Oh, are you running this through BroControl? BroControl configures the communication
framework for you. All you need to do is add another value to the Communication::nodes
variable with the events to listen to.
redef Communication::nodes += {
["barnyard2"] = [$host=127.0.0.1, $class="Barnyard2",
$events=/Barnyard2::.*/],
};
You *should* now be able to connect to the process, but you'll have to connect on
port 47760/tcp. Is there a particular reason that you want to change that? You
can't really do that in any BroControl deployment at the moment, and the
communication code only can listen on a single port per Bro process.
This is a somewhat undefined area of operation because there hasn't been a lot of
work to integrated external applications on clusters like this yet.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
9:22 a.m.
Going forward, we hope to contribute some of our work
with external sensors.
Just to bring it to your attention, I did do a patch [1] to the Barnyard2 output plugin
for Bro that fixed some bugs, but it doesn't look like it's in a release yet.
So if you run in to more issues, that might be your answer (or your problem).
Jon
https://github.com/firnsy/barnyard2/pull/25
3493
days inactive
3493
days old
7 comments
3 participants
participants (3)
-
Daniel Wyschogrod -
Seth Hall -
Siwek, Jonathan Luke