Worker System Memory Exhaustion

Hi Aashish,

I have been using scan-NG and it seems to be working, though I'm curious: why do
you redefine local networks in scan-NG/debug.bro? Wouldn't scan-NG pick
up that information from /usr/local/bro/etc/networks.cfg?

Also, in regards to debugging, will it tell me if a path can't be found?
I was unsure of the reference
/feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO in the scan-config.bro. Is
that in fact $BRO_PATH/feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO?

Greg

Hi Greg,

> you redefine local networks in scan-NG/debug.bro - wouldn't scan-NG pick

This was an oversight. I added that as part of debugging when running against
pcaps/tests/standalone. I forgot to remove it before making a git commit. It is
now removed.

In a broctl run, it should pick local_nets out of networks.cfg only.

> /feeds/BRO-feeds/LBL-subnets.csv-LATEST_BRO in the scan-config.bro - is

This was a problem I faced when releasing this code. For my setup, I infer
Darknet based on a file (LBL-subnets.csv-LATEST_BRO). LBL-subnets.csv-LATEST_BRO
is published by networking, based on polling network devices every hour, and
has a list of allocated subnets in it. Anything which is not in this file is
Darknet and triggers the LandMine heuristics.

If you'd like to use the LandMine heuristics, I'd suggest populating this file with
your list of allocated subnets (it could be dynamic, where you keep appending to
this file, or static). The Input framework takes care of feeding this into Bro, and
if a row is removed those changes also get propagated into Bro.

So, redef Site::subnet_feed should point to your list of allocated subnets.

Now, some sites actually have it the other way round, where they have a list of
Darknets or unallocated subnets. If that's the case with you, let me know. I'll send
you a slightly different file.

(Justin tried to simplify these all in his version but not sure where it was
left).

BTW, I am re-writing a ton of scan-NG to make it much easier to
configure/run and distribute.

Aashish
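As an added illustration of the setup described above (example code, not part of scan-NG or of bro-is-darknet), the script below loads a subnet feed with the Input framework and classifies a local address as lit or dark. The module name, the feed path, the file layout (tab-separated, one subnet per line under a "#fields net" header) and the feed_lists_darknets switch are all assumptions for this example; the switch covers both cases from the thread, a feed of allocated subnets and a feed of darknets.

```bro
##! Added example, not the project's own code: feed a list of subnets into
##! Bro with the Input framework and decide whether a local address is dark.
##!
##! Assumed feed layout (tab-separated, as the Input framework requires):
##!   #fields net
##!   128.3.0.0/16
##!   131.243.0.0/16

module DarknetExample;

export {
    ## Path to the subnet feed. Assumed location; point it at your own list.
    const subnet_feed = "/feeds/BRO-feeds/allocated-subnets.tsv" &redef;

    ## F: the feed lists allocated subnets, so any other local address is dark.
    ## T: the feed lists the darknets themselves ("the other way round").
    const feed_lists_darknets = F &redef;

    ## Subnets read from the feed; REREAD mode re-parses the file whenever
    ## it changes, so added and removed rows are both propagated.
    global feed_subnets: set[subnet] = set();

    ## Returns T when the address is local (per networks.cfg) and dark.
    global is_darknet: function(a: addr): bool;
}

## Index type for the feed: one subnet column.
type Idx: record {
    net: subnet;
};

event bro_init()
    {
    Input::add_table([$source=subnet_feed,
                      $name="subnet_feed",
                      $idx=Idx,
                      $destination=feed_subnets,
                      $mode=Input::REREAD]);
    }

function is_darknet(a: addr): bool
    {
    # Only addresses inside Site::local_nets (filled from networks.cfg by
    # broctl) can be darknet; everything external is out of scope.
    if ( ! Site::is_local_addr(a) )
        return F;

    # "addr in set[subnet]" does longest-prefix matching.
    local in_feed = a in feed_subnets;

    return feed_lists_darknets ? in_feed : ! in_feed;
    }

# Example use: a scan heuristic would call this per new connection.
event connection_established(c: connection)
    {
    if ( is_darknet(c$id$resp_h) )
        print fmt("%s touched darknet address %s", c$id$orig_h, c$id$resp_h);
    }
```

For the allocated-subnets case leave feed_lists_darknets at F; for a feed of unallocated ranges, redef it to T and point subnet_feed at that file instead. Because the feed is loaded in REREAD mode, a row dropped from the file removes that subnet from feed_subnets without a restart.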

Yes! I wrote something for this. I split out from scan.bro into bro-is-darknet:

https://github.com/ncsa/bro-is-darknet

This tries to handle the four possible darknet setups I identified.

bro-simple-scan depends on this package for the darknet based scan detection.

Hi Justin,

I switched to your package for now, thanks for suggesting it, and thanks
for the documentation on GIT regarding how to redefine lit and dark
nets, very nice.

Looking forward to checking out Aashish's rewrite of his scan-NG package
which promises great improvements like easier configuration for
numbskulls like me. :P

Greg