Hi all,
I am new in Bro. I want to add new events to Bro. These events would occur
when some statistical parameters cross multiple sessions to an internal
host/network exceed their thresholds. An example event would be that the number
of connections made from external hosts to an monitored internal host exceeds
100 in last two seconds. Another example event would be that the number of
Rejected connection requests to my internal network exceeds 200 in last two
minutes. Any one knows how to create such events?
Another problem I met when I tried to run Bro (./bro.rc --start) in Fedora 3.
Success message was displayed on the screen. But when I check the status, it is
not running. After I tried to run Bro again, the following error message
appears:
Hi,
I'm running Bro on Red Hat Enteprise Linux 4.
I too had the error below regarding a bogus '-'
The culprit was bro.rc.
In this subroutine:
pidisrunning() {
else
# the rest of *NIX
_running_pid=`ps -o "pid,command" -ax | grep
"${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
fi
remove the "-" from "-ax" for the "ps" command. The revised line would
be:
_running_pid=`ps -o "pid,command" ax | grep
Hope that helps!
Joncarlo Ruggieri
University of CA, Davis
Your second question :
I think due to interdependency of signature related policy files they all need to be loaded or (not loaded) together.
You need to define use_signatures variable in ../policy/brolite.bro as T (true) for enabling all the signature related policy files to be loaded.
Aashish Sharma
Thanks. that helps.
Bing
Quoting Joncarlo Ruggieri <joncarlo@ucdavis.edu>:
Hi Aashish,
Thanks. That helps. Any thought about my first question?
Bing
Quoting Aashish Sharma <aashish@uiuc.edu>:
Hi Bing,
Hi all,
I am new in Bro. I want to add new events to Bro. These events would occur
when some statistical parameters cross multiple sessions to an internal
host/network exceed their thresholds. An example event would be that the number
of connections made from external hosts to an monitored internal host exceeds
100 in last two seconds. Another example event would be that the number of
Rejected connection requests to my internal network exceeds 200 in last two
minutes. Any one knows how to create such events?
it all depends on what kinds of events trigger updates to your
statistical parameters, and whether those elementary events already
exist or not. Generally a good way to find existing events is by looking
at src/event.bif, which lists all events the core can trigger. If you
find suitable building blocks in there, you can start with a new policy
script that maintains state through the event handlers for event types
you're interested in. If you cannot find anything suitable (which, at
least for network-based events, is rather unlikely), you might have to
extend the core to support new events to be handled by your policy
scripts.
In your case, the event types connection_attempt() and
connection_rejected() sound ideal. In their respective handlers, you can
maintain connection state in a number of tables to achieve what you
want. When you notice that the rate limits you defined are exceeded, you
can trigger an event "manually" using the event() statement, or just
perform the corresponding action directly in the state-maintaining code.
Have a look at scan.bro for an example of something that is similar what
you want; also check out this thread in the archives:
http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html
Hope this helps.
Cheers,
Christian.