Bro 2.0 Beta is out!

We are very excited to announce a public beta of Bro 2.0! Please give
it a try and let us know what you think. More information here:

    http://blog.bro-ids.org/2011/10/public-beta-of-bro-20-released.html

Thanks to everybody who worked on this, it shaped up really nicely I
think!

Robin

Just installed Bro 2.0 Beta on Redhat 5.7. I had to change a few lines of the broctl script of the form:

   proc.fromchild = proc.stdout if proc.stdout != None else []

The version of Python on Redhat 5.7, Python 2.4.3, can't handle this type of construct.

Which version of Python was used to develop Bro 2.0 Beta?

Bill Jones

Yeah, it needs Python 2.6 right now. If we can make it 2.4-compatible
with just a few small tweaks, that sounds worth it. We did already do
that for some of the other Python code in the package.

So if with your changes you find it to work fine with 2.4, could you
file a patch with the tracker?

Thanks,

Robin

The new log formats are a lot easier to read.

There are quite a few new checks that are going to be very useful.

Thanks to everyone for all the work that you put into this version of Bro. It is really quite nice!

Sure I can do a patch.

Are there any scripts like the old stats.bro script that will print packets processed?

> The new log formats are a lot easier to read.

Don't forget to check out the new log processing tool bro-cut in the aux
directory:

    bro-cut [options] <columns>

    Extracts the given columns from an ASCII Bro log on standard input. By
    default, bro-cut does not include format header blocks into the output.

    Example: cat conn.log | bro-cut -d ts id.orig_h id.orig_p

        -c Include the first format header block into the output.
        -C Include all format header blocks into the output.
        -d Convert time values into human-readable format (needs gawk).
        -D <fmt> Like -d, but specify format for time (see strtime(3) for syntax).

    For the time conversion, the format string can also be specified by setting
    an environment variable BRO_CUT_TIMEFMT.

Here are some more examples (output abbreviated):

    % bro-cut ts id.orig_h id.resp_p < conn.log
    1319742168.465601 192.150.187.147 80
    1319742167.737945 192.150.187.147 80

    % bro-cut host uri < http.log | awk '{ print $1$2 }'
    s0.2mdn.net/879366/flashwrite_1_2.js
    maps.google.com/mapfiles/home3.html

    % bro-cut -d ts < conn.log
    2011-10-27T12:02:48-0700

    % bro-cut -D '%s' ts orig_bytes resp_bytes \
        < conn.log \
        | sort -n \
        | awk '{ if ($1 == ts) { size+=$2+$3 } \
                 else { if (size != 0) print ts, size; \
                        ts=$1; size=$2+$3 } } \
               END { if (size != 0) print ts, size }'
    1319742168 33628
    1319742169 22814

Enjoy,

    Matthias
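To make the column extraction and time conversion that bro-cut does concrete, here is a small Python re-implementation of the same idea. It is an added example, not the bro-cut script shipped in Bro's aux directory. It assumes the Bro 2.0 ASCII log layout (a first `#separator \x09` line, then `#fields` and `#types` lines using that separator, and `-` for unset values); the conn.log embedded in it is constructed, not a real capture, and time values are rendered in UTC so the result is reproducible, whereas bro-cut prints local time. The last function does the same per-second byte aggregation as the sort/awk pipeline in the post.

```python
"""Minimal bro-cut clone: added example, not the bro-cut shipped with Bro.

Assumes the Bro 2.0 ASCII log layout (#separator, #fields, #types header
lines, '-' for unset fields); the sample conn.log below is constructed.
"""
import time

# Constructed sample in Bro 2.0 ASCII format; header lines after the first
# use the declared separator (a tab) between the tag and its values.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\torig_bytes\tresp_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tcount",
    "1319742168.465601\tCXWv6p3arKYeMETxOg\t192.150.187.147\t52301\t10.0.0.5\t80\t1200\t32428",
    "1319742168.700000\tCjhGID4nQcgTWjvg4c\t192.150.187.147\t52302\t10.0.0.5\t80\t0\t-",
    "1319742169.100000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t4433\t10.0.0.5\t443\t22000\t814",
])


def parse_log(text):
    """Parse the header block and records of an ASCII Bro log.

    Returns a dict with the raw header lines, the separator, the column
    names from #fields, a name->type map from #types, and the split rows.
    """
    log = {"header": [], "sep": "\t", "fields": None, "types": {}, "rows": []}
    for line in text.splitlines():
        if line.startswith("#"):
            log["header"].append(line)
            if line.startswith("#separator "):
                # The first line spells the separator as an escape, e.g. \x09.
                esc = line[len("#separator "):]
                log["sep"] = esc.encode("ascii").decode("unicode_escape")
            elif line.startswith("#fields" + log["sep"]):
                log["fields"] = line.split(log["sep"])[1:]
            elif line.startswith("#types" + log["sep"]):
                log["types"] = dict(zip(log["fields"], line.split(log["sep"])[1:]))
        elif line:
            log["rows"].append(line.split(log["sep"]))
    if log["fields"] is None:
        raise ValueError("not a Bro ASCII log: no #fields header")
    return log


def cut(text, columns, timefmt=None):
    """Select named columns from every record, like ``bro-cut <columns>``.

    Columns typed ``time`` are rendered with timefmt (like -D); UTC is used
    here for reproducibility. Unset values ('-') pass through untouched.
    An unknown column name raises ValueError instead of silently emitting
    an empty column.
    """
    log = parse_log(text)
    idx = [log["fields"].index(c) for c in columns]
    rows = []
    for row in log["rows"]:
        vals = []
        for i in idx:
            v = row[i]
            if timefmt and log["types"].get(log["fields"][i]) == "time" and v != "-":
                v = time.strftime(timefmt, time.gmtime(float(v)))
            vals.append(v)
        rows.append(vals)
    return rows


def bro_cut(text, columns, include_header=False, timefmt=None):
    """Produce bro-cut style output lines; include_header mimics -c, with
    the #fields/#types lines narrowed to the selected columns."""
    log = parse_log(text)
    sep = log["sep"]
    out = []
    if include_header:
        idx = [log["fields"].index(c) for c in columns]
        for h in log["header"]:
            parts = h.split(sep)
            if parts[0] in ("#fields", "#types"):
                out.append(sep.join([parts[0]] + [parts[1:][i] for i in idx]))
            else:
                out.append(h)
    for vals in cut(text, columns, timefmt):
        out.append(sep.join(vals))
    return out


def bytes_per_second(text):
    """Total orig_bytes + resp_bytes per whole second, the aggregation the
    sort/awk pipeline computes; '-' counts as 0. Returns sorted (sec, bytes)."""
    totals = {}
    for ts, ob, rb in cut(text, ["ts", "orig_bytes", "resp_bytes"]):
        sec = int(float(ts))
        size = sum(int(v) for v in (ob, rb) if v != "-")
        totals[sec] = totals.get(sec, 0) + size
    return sorted(totals.items())


if __name__ == "__main__":
    for line in bro_cut(SAMPLE_CONN_LOG, ["ts", "id.orig_h", "id.resp_p"],
                        timefmt="%Y-%m-%dT%H:%M:%S"):
        print(line)
    for sec, size in bytes_per_second(SAMPLE_CONN_LOG):
        print(sec, size)
```

Running the block prints the three selected columns with the timestamp converted, followed by the per-second byte totals. The parser keys everything off the `#fields` line rather than fixed column positions, which is the property that makes bro-cut-style tooling survive log schema changes between Bro versions.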

No, I don't think we have an equivalent for that right now. But that
would be good to add.

Robin

Hm, I totally missed that one. I'll work on it after the workshop, it should be fairly easy and really belongs in 2.0 anyway.

  .Seth