Ignore Weird Events???

Adriel_Desautels · June 5, 2008, 12:11am

Greetings List,
We are currently testing bro and have read the documentation. So far everything looks pretty good, very interesting technology to say the least. One question though. Why isn't this working?

# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.

@load site

redef notice_action_filters += {
WeirdActivity = ignore_notice,
};

redef local_nets: set[subnet] = {
     # example of a class C network
     192.168.1.0/24,
     # example of a class B network
     172.16.15.0/24
};

Which results in the following Error:

zerosum# ../scripts/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/zerosum.testme.com.bro, line 11: error: unknown identifier WeirdActivity, at or near "WeirdActivity"
... FAILED
zerosum#

Did we miss something?

Vern · June 5, 2008, 12:30am

You need two tweaks to your script, per the appended diff.

Note, in general you'd add definitions like yours to local.lite.bro rather
than local.site.bro. Putting them in the latter risks introducing dependency
circularities (such as due to the new "@load weird").

Vern

--- orig.bro 2008-06-04 17:28:17.000000000 -0700
+++ modified.bro 2008-06-04 17:28:11.000000000 -0700
@@ -6,9 +6,10 @@
# this file, telling bro what your local networks are.

@load site
+@load weird

redef notice_action_filters += {
- WeirdActivity = ignore_notice,
+ [Weird::WeirdActivity] = ignore_notice,
};

redef local_nets: set[subnet] = {

Adriel_Desautels · June 5, 2008, 12:59am

I do not have a local.lite.bro file, where's it at?

Regards,
  Adriel T. Desautels
  Chief Technology Officer
  Netragard, LLC.
  Office : 617-934-0269
  Mobile : 617-633-3821
  http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

Vern · June 5, 2008, 1:02am

I do not have a local.lite.bro file, where's it at?

If you don't, then presumably you're not editing local.site.bro, and
my original concern doesn't matter.

Vern

Adriel_Desautels · June 5, 2008, 1:23am

Understood (I think). I'll give your edits a shot. Thank you for your help in advance. Also, any chance I can get my hands on the spinning cube code?

Regards,
  Adriel T. Desautels
  Chief Technology Officer
  Netragard, LLC.
  Office : 617-934-0269
  Mobile : 617-633-3821
  http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

Adriel_Desautels · June 5, 2008, 1:27am

Curous, same problem:

Attempt to execute.

zerosum# /usr/local/bro/scripts/bro.rc start
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/zerosum.netragard.com.bro, line 12: error: unknown identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"
... FAILED
zerosum#

CWD: /usr/local/bro/site/zerosum.netragard.com.bro
FreeBSD zerosum.netragard.com 6.2-RELEASE-p5 FreeBSD 6.2-RELEASE-p5 #1: Thu Jul 12 12:10:58 EDT 2007 root@zerosum.netragard.com:/usr/obj/usr/src/sys/ZEROSUM i386

zerosum# more zerosum.netragard.com.bro
# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.

@load site
@load weird

redef notice_action_filters += {
[Weird::WeirdActivity] = ignore_notice,
};

redef local_nets: set[subnet] = {
     # example of a class C network
     192.168.1.0/24,
     # example of a class B network
     172.16.15.0/24
};
zerosum#

Regards,
  Adriel T. Desautels
  Chief Technology Officer
  Netragard, LLC.
  Office : 617-934-0269
  Mobile : 617-633-3821
  http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

Vern · June 5, 2008, 1:50am

identifier Weird::WeirdActivity, at or near "Weird::WeirdActivity"

You're then presumably using an older version of Bro that doesn't use
scoping for weird.bro. Try dropping "Weird::".

Vern

Adriel_Desautels · June 5, 2008, 1:53am

The version of bro that I installed was installed by the ports. I am trying the latest stable version thats available from your site now. It would be interesting to see how well this works.

Also, any news on how to get the code for the spinning cube of potential doom for Bro Visualization?

Regards,
  Adriel T. Desautels
  Chief Technology Officer
  Netragard, LLC.
  Office : 617-934-0269
  Mobile : 617-633-3821
  http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

Vern · June 5, 2008, 1:57am

Also, any news on how to get the code for the spinning cube of potential
doom for Bro Visualization?

This is not part of the Bro distribution. The authors of it read the
Bro list, however, and might answer about it.

Vern

Seth_Hall · June 5, 2008, 2:34am

As far as I know, that code was never publicly released. We've used doomcube for the same effect though..
http://www.kismetwireless.net/doomcube/

.Seth

Scott_Campbell · June 5, 2008, 3:18am

The original code was (to the best of my knowledge) never actually
released. Someone else found it useful enough to port to GPL.

see:

http://www.kismetwireless.net/doomcube/

scott

Adriel Desautels wrote:

Topic		Replies	Views
ignoring ContentGap and friends Zeek	6	69	May 6, 2022
The code for "weird" logging activity. Zeek	3	83	May 6, 2022
bro email notifications Zeek	2	84	May 6, 2022
ERROR ! I keep getting a message saying "cant find weird" Zeek	2	85	May 6, 2022
modifying bro.init Zeek	9	78	May 6, 2022

Ignore Weird Events???

Related topics