Bro and Darpa dataset problems

Zeek
1

Hello to all,

I am trying to run Bro on the 1999 Darpa dataset in order to get results and use them in my Phd research. I am using Bro 1.2.1 on an Ubuntu 7.10 machine.

I have installed Bro and try to run it through the command :

/usr/local/bro/bin/bro -r outside.tcpdump brolite

where outside.tcpdump is the file containing the Darpa dataset.

If I use the default Bro 1.2.1 source code i get the known errors (error compiling pattern) at runtime and I get the following results :

For 5 days of data (2nd week of Darpa) I get 26318 alerts, which are mainly *HTTP_SensitiveURI* and a small percentage 2-3% are *sensitiveLogin.*

If I use the Bro 1.2.1 source code after I have removed the 6 files from source code :

http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"

I do not get any errors but I get the following results :

For 5 days of data (2nd week of Darpa) I get only 16 alerts, which are :

t=920936697.501194 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.112.194 sp=2285/tcp da=135.8.60.182 dp=23/tcp msg=hot:\ 172.16.112.194\ 3741b\ >\ 135.8.60.182/telnet\ 30476b\ 10097.6s\ "lucyj"\ \ @1 tag=@1
t=921119665.164879 no=SensitiveLogin na=NOTICE_ALARM_ALWAYS sa=172.16.113.204 sp=8259/tcp da=195.115.218.108 dp=23/tcp user=roderica msg=172.16.113.204/8259\ >\ 195.115.218.108/telnet\ output\ "^L\\x1b[24;1H"bt.c"\ 6\ lines,\ 76\ characters\\x1b[4;9Hi\ =\ (float\ *)\ malloc\ (300);\\x1b[5;9Hprintf("Jumping\ to\ address:\ ha\ ha\ ha\\n");\\x1b[7;1H~" tag=@10
t=921120857.604970 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.113.204 sp=8259/tcp da=195.115.218.108 dp=23/tcp msg=hot:\ 172.16.113.204\ 5330b\ >\ 195.115.218.108/telnet\ 32971b\ 18149.6s\ "roderica"\ \ @10 tag=@10
t=921149967.471687 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=204.97.153.43 num=0 msg=204.97.153.43\ scanned\ a\ total\ of\ 0\ hosts
t=921191119.811940 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.113.84 sp=5061/tcp da=195.73.151.50 dp=23/tcp msg=hot:\ 172.16.113.84\ 2777b\ >\ 195.73.151.50/telnet\ 24910b\ 9230.2s\ fail/reynaldv\ "reynaldv"\ \ @10 tag=@10
t=921197787.382379 no=FTP_Sensitive na=NOTICE_ALARM_ALWAYS sa=194.7.248.153 sp=1112/tcp da=172.16.112.50 dp=21/tcp user=anonymous num=250 msg=ftp:\ 194.7.248.153/1112\ >\ 172.16.112.50/ftp\ #93\ RNTO\ .rhosts\ (ok)
t=921236083.657840 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=207.103.80.104 num=0 msg=207.103.80.104\ scanned\ a\ total\ of\ 0\ hosts
t=921236083.657840 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=209.117.157.183 num=0 msg=209.117.157.183\ scanned\ a\ total\ of\ 0\ hosts
t=921236083.657840 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.114.168 sp=22889/tcp da=197.182.91.233 dp=23/tcp msg=hot:\ 172.16.114.168\ 6003b\ }3\ 197.182.91.233/telnet\ 57126b\ 14024.9s\ "kiaraa"\ \ @8 tag=@8
t=921276791.470544 no=AddressDropped na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=1029/tcp da=172.16.112.50 dp=5/tcp msg=low\ port\ trolling\ 209.167.99.71\ 5/tcp tag=@8
t=921276801.859385 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=2106/tcp da=172.16.112.50 dp=78/tcp msg=209.167.99.71\ has\ scanned\ 50\ ports\ of\ 172.16.112.50 tag=@9
t=921276831.072201 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=4219/tcp da=172.16.112.50 dp=284/tcp msg=209.167.99.71\ has\ scanned\ 250\ ports\ of\ 172.16.112.50 tag=@10
t=921276938.172329 no=PortScan na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 sp=12443/tcp da=172.16.112.50 dp=1042/tcp msg=209.167.99.71\ has\ scanned\ 1000\ ports\ of\ 172.16.112.50 tag=@11
t=921322768.174245 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=204.97.153.43 num=0 msg=204.97.153.43\ scanned\ a\ total\ of\ 0\ hosts
t=921322768.174245 no=ScanSummary na=NOTICE_ALARM_ALWAYS sa=209.167.99.71 num=0 msg=209.167.99.71\ scanned\ a\ total\ of\ 0\ hosts
t=921322768.174245 no=SensitiveConnection na=NOTICE_ALARM_ALWAYS sa=172.16.114.207 sp=10102/tcp da=196.37.75.158 dp=23/tcp msg=hot:\ 172.16.114.207\ 4060b\ }3\ 196.37.75.158/telnet\ 25337b\ 12792.4s\ "selmam"\ \ @6 tag=@6

I guess I am missing something. For the same data Snort produces 15000 alerts....

If somebody has a clue what's going wrong or has successfully run Bro on Darpa dataset please help me

Giorgos