Signatures

Hi all,

I'm trying Bro Ids for the very first time.

I want to have a log file where I can see which signatures have been triggered.

So I have created a very simple signature and check if it is triggered
with --debug-rules.

Result:
1297262131.735271 SensitiveSignature 192.168.1.60: my signature

So the signature is triggered. However no file is created.

Am I missing something? I have read a lot of information and I didn't
find anything.

BTW, the Bro Reference Manual refers to the Bro variable
signatures_files. However it seems that the correct one is
signature_files. Am I wrong?

Many thanks,

David

> Result:
> 1297262131.735271 SensitiveSignature 192.168.1.60: my signature
>
> So the signature is triggered. However no file is created.
>
> Am I missing something? I have read a lot of information and I didn't
> find anything.

I'm assuming you're loading the signatures.bro script? If you are, it should be creating a file named signatures.log in the current working directory.

> BTW, the Bro Reference Manual refers to the Bro variable
> signatures_files. However it seems that the correct one is
> signature_files. Am I wrong?

Sorry about that. Much of that documentation will be going away before too long. We just started on a fairly major project to improve Bro and documentation is included in that, but we're in-progress on a lot of things at the moment.

You are right though, it's signature_files. :slight_smile:

  .Seth

You are right. It created a file named signatures.log in the current
working directory (not in the log directory). However, it's empty :frowning:

Do I need to do something else?

Thanks,

David

> You are right. It created a file named signatures.log in the current
> working directory (not in the log directory). However, it's empty :frowning:

The log directory is used by BroControl. If you execute the bro binary on the command line, it won't have all of the nice BroControl log rotation and functionality for managing and running production Bro instances.

> Do I need to do something else?

Try loading the notice.bro script and see if you get the signature match output into the notice.log file. I'm not sure offhand why you aren't seeing the signature match in signatures.log.

  .Seth

Thanks Seth. But I still have no information in log files.

My files are simple, but maybe something is wrong...

local.site.bro:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";

signatures.sig:
signature sig-1-1 {
  event "my signature"
  payload /.*my/
}

I have also tried to change local.site.bro to:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";
redef signature_actions += {
  ["sig-1-1"] = SIG_FILE,
};

./bro --debug-rules -i eth2 /opt/bro/site/local.site.bro
outputs:
1297265765.179661 SensitiveSignature 192.168.1.60: my signature

But I still have empty log files (notice.log and signatures.log).

It's working with the configuration below.

I now understand the problem.

I had to stop bro to get the results...

Thanks Seth for your help.

David

Ah, Bro buffers file writes so you have two options (one which you've already found).

* Quit Bro so that files are flushed and closed.
* Disable the buffering on the file you are interested in -- set_buf(sig_file, F);

  .Seth
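Seth's second option, applied to the local.site.bro from earlier in the thread, as an added example (not code posted by either participant). It assumes, as Seth's reply does, that sig_file is the file handle opened by signatures.bro, and that the signature file lives at the path David used.

```bro
# Added example: same configuration as the thread's local.site.bro,
# with buffering disabled on the signature log so matches are written
# immediately instead of only when Bro exits.
@load site
@load signatures
@load notice

# Path taken from the thread; adjust to your own deployment.
redef signature_files += "/opt/bro/site/signatures.sig";

# Write matches for sig-1-1 to signatures.log.
redef signature_actions += {
	["sig-1-1"] = SIG_FILE,
};

event bro_init()
	{
	# sig_file is assumed to be the handle opened by signatures.bro.
	# F = unbuffered: each match reaches the file as it happens.
	set_buf(sig_file, F);
	}
```

If you would rather keep buffering, loading file-flush (as David did later in the thread) periodically flushes open files instead.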

Good catch. I had a nagging feeling that I was missing something.

  .Seth

Thanks,

using @load file-flush (with a dash) worked :slight_smile:

But now I'm running into another problem.

The signature is only triggered once for the same host and for a given
period of time.

Is there a way to report every single signature match?

Not sure within policy but you may want to try tcpreplay and set to
generate the traffic at wire speed instead of disk I/O.

I'm using 'nc' to see how BroIDS behaves. For now, it's not a problem of speed.

Maybe later... I want to use it in a 10Gbps network speed. Maybe
100Gbps in 1/2 years.

> using @load file-flush (with a dash) worked :slight_smile:

Oops!

> The signature is only triggered once for the same host and for a given
> period of time.
>
> Is there a way to report every single signature match?

Sorry to sort of disappear on you for a few days. I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once. Could you capture some traffic and send the signature you are using? By default, it should be triggering on every match for a host.

Thanks,
  .Seth

I'm sorry. I'll be more precise.

The signature is only triggered once for the same host and for a given
period of time (and for the same tcp connection).

If I close and restart the connection the signature is always triggered.

Is that normal?

Thanks,

David

Ah! I believe that is normal. I don't think that the same signature will trigger multiple times in the same TCP connection.

Can you give any more details about the scenario in which you need this? The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish.

Thanks,
  .Seth

First I thought it was a bug. I only realized that it only concerned
the same tcp connections after my first e-mail. But the behavior is
different for Suricata. That's why I asked if it was a bug or normal
behavior for Bro. But now it's crystal clear.

Thanks a lot,

David