nks for the pointer.
Aashish
On Tue, Jul 10, 2018 at 06:02:51PM -0500, Jon Siwek wrote:
> On Tue, Jul 10, 2018 at 2:10 PM Aashish Sharma wrote:
>
> > [ 96%] Building CXX object
> > libcaf_openssl/CMakeFiles/libcaf_openssl_shared.dir/src/manager.cpp.o
> > clang: warn
4PM -0500, Daniel Thayer wrote:
> Was master (after the broker merge) previously working on this same machine?
>
> It works for me on 10.4-RELEASE. Maybe you could try "make distclean"
> and "git pull" and try again.
>
>
> On 7/10/18 2:03 PM, Aashish Sharma w
Probably obvious but I am not very sure so asking here.
I see this error trying to build current master - thoughts? What am I missing?
(trying the build on: FreeBSD 10.3-STABLE)
I am building as:
./configure --prefix=/usr/local/bro-master && make
..
..
gmake[6]: Leaving directory
The same could happen with bad data in a line of a file. These
> situations do not cause Bro to stop watching input files anymore. The
> old behavior is available through settings in the Ascii reader.
>
> Johanna
>
> On 20 Apr 2018, at 14:09, Aashish Sharma wrote:
While testing other stuff, I realized that if input-framework cannot find a file
it's now generating a reporter_warning event instead of reporter_error?
Did "error" change to "warning" for some reason? Wasn't this previously an
error condition?
0.00Reporter::WARNING
r 18, 2018 at 01:46:08PM +, Azoff, Justin S wrote:
> > On Apr 17, 2018, at 4:04 PM, Aashish Sharma <asha...@lbl.gov> wrote:
> >
> > For now, I am resorting to _func route only. I think by using some
> > more
> > heuristics in worker's expire functions for
Justin,
On Wed, Apr 18, 2018 at 01:46:08PM +, Azoff, Justin S wrote:
> How are you tracking slow scanners on the workers? If you have 50 workers
> and you
> are not distributing the data between them, there's only a 1 in 50 chance
> that you'll
> see the same scanner twice on the same
I have an aggregation policy where I am trying to keep counts of the number of
connections an IP made in a cluster setup.
For now, I am using table on workers and manager and using expire_func to
trigger worker2manager and manager2worker events.
All works great until tables grow to > 1 million
,
Aashish
On Fri, Apr 13, 2018 at 07:46:33AM -0400, Seth Hall wrote:
>
>
> On 13 Apr 2018, at 0:30, Aashish Sharma wrote:
>
> > So I am seeing some weird stuff in my sample pcap of scanners. May be
> > too
> > obvious and I am just not seeing why/how of it.
>
So I am seeing some weird stuff in my sample pcap of scanners. May be too
obvious and I am just not seeing why/how of it.
Here is the issue (I have time in human format for easier reading):
So I just pick one session from conn.log and this is the connection in
question: (there are many more
Nevermind! Please ignore! Issue resolved - it was a mistake on my end!
Aashish
On Mon, Mar 19, 2018 at 4:11 PM, Aashish Sharma <asha...@lbl.gov> wrote:
> So I just moved one of my boxes to bro-2.5.3 and see this report.
>
> Any ideas? Permission issues or something else going
So I just moved one of my boxes to bro-2.5.3 and see this report.
Any ideas? Permission issues or something else going on with broctl cron?
Aashish
- Forwarded message from Cron Daemon -
Date: Mon, 19 Mar 2018 16:05:38 -0700 (PDT)
From: Cron Daemon
To: bro
Subject: Cron
My view:
I have again and again encountered 4 types of cases while doing script/pkg work:
1) manager2worker: Input-framework reads external data and all workers need to
see it.
examples: intel-framework,
2) worker2manager: workers see something report to manager, manager keeps
aggregated
Ah! Nice. Yes, this is what I was looking for. Thanks for the pointer Seth!
On Fri, Sep 08, 2017 at 02:45:21PM -0400, Seth Hall wrote:
>
>
> On 8 Sep 2017, at 13:29, Aashish Sharma wrote:
>
> > Can we specify dependent packages in bro-pkg and would bro-pkg go and
> &
ry has that on his queue.
>
> > On Sep 8, 2017, at 12:29 PM, Aashish Sharma <asha...@lbl.gov> wrote:
> >
> > Can we specify dependent packages in bro-pkg and would bro-pkg go and
> > resolve
> > (install) those dependencies by itself ?
> >
> > Also
Can we specify dependent packages in bro-pkg and would bro-pkg go and resolve
(install) those dependencies by itself ?
Also, can we make the bro-pkg dump some output (notes) before? or after? pkg
installation - something like see this file for details etc ?
Aashish
[ re-igniting an OLD thread ]
OK so @DIR sort of works.
I've used this as
global smtp_indicator_feed = fmt("%s/feeds/smtp_malicious_indicators.out", @DIR);
Problem is: @DIR gives the path of the directory where script is residing.
So when I do broctl install - all the scripts go into :
(Not sure if I am interpreting your question right but here is how I read it)
Basically, use the "in" operator:
local my_ip_table: table[addr] of bool;
local ip: addr = 127.0.0.1;
if ( ip in my_ip_table )
    print "found";
else
    print "not found";
btw, you can also use "!in" operator too which is
LOGGER node can affect the
entire clusterization architecture.
Aashish
On Thu, Jun 01, 2017 at 02:10:47PM -0400, Seth Hall wrote:
> On Thu, Jun 1, 2017 at 1:12 PM, Aashish Sharma <asha...@lbl.gov> wrote:
>
> > I can surely do "Cluster::local_node_type() =
So with the emergence of the logging node, I am encountering an issue with
clusterization and was seeking feedback on what's a better way to do this.
Presently I have been using:
@if ( ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) || ! Cluster::is_enabled() )
@endif
> const global_hash_seed: string = ""
Yes, with setting of global_hash_seed, bloomfilter movement across workers is
working fine and as expected, I see from initial tests.
While we are on this thread, is the following good or is there a better way to
copy/merge a bloomfilter once it's sent?
I tried doing that and then merging with an existing (initialized) bloomfilter
on worker.
I see this error:
1493427133.170419 Reporter::INFO calling inside the m_w_add_bloom
worker-1-
1493427133.170419 Reporter::ERROR incompatible hashers in
BasicBloomFilter merge
Anyone seen this out of CMU:
SEI CERT C++ Coding Standard Rules for Developing Safe, Reliable, and
Secure Systems in C++
http://cert.org/downloads/secure-coding/assets/sei-cert-cpp-coding-standard-2016-v01.pdf
Not sure how good/bad/awesome/relevant this is.
Aashish
So I came across a sample of Broker-API usage:
when (local res = Broker::exists(Cluster::cluster_store,
Broker::data("known_hosts")))
{
local res_bool = Broker::refine_to_bool(res$result);
if(res_bool)
{
when ( local res2 =
So this doesn't (at the moment) seem to be related to table expiration. My
table is maintained on manager and expire_func only runs on manager.
But, I see 'a' worker stall with 99-100% CPU for a good while while all other
workers go down to 5-6% CPU. conn.log continues to grow though
GDB
Yes, I have been making heavy use of tables ( think a million entries a day and
million expires a day)
Let me figure out a way to upload the scripts on github or send them yours and
justin's way otherwise.
Strangely this code kept running fine for last month and reasonably stable. I
am not
So I am running a new detection package and everything seemed right but somehow
since yesterday each worker is running at 5.7% to 6.3% CPU and not generating
logs.
The backtrace shows the following and how much (%) CPU is spending on what
functions.
Can someone help me read why might BRO
So if we have compresscmd unset then archive-log script does a copy:
archive-log:nice cp $file_name "$dest"
Any reason why it doesn't do move instead ?
I propose changing cp to mv
Aashish
___
bro-dev mailing list
bro-dev@bro.org
I have noticed that at times my proxies are spending way too much CPU (100% for
extended duration) in tree operations which include inserts and
tree_balance_after_insert. Does anyone have any pointers to what might be going on
with proxies?
Aashish
I have noticed that sometimes (more often than not), not all workers see a
manager2worker event or likewise not all workers report a worker2manager event
on manager - missing as high as 10% of the events and as little as 1% of such
events are 'missing' ie don't show up.
This is puzzling since
On Tue, Nov 29, 2016 at 07:51:21PM +, Siwek, Jon wrote:
>
> But a new feature could be added to bro-pkg that allows package authors to
> specify a list of config files in their bro-pkg.meta. Then on
> install/upgrade/remove, if a user has made modifications to any of those
> files, they
Hello,
I have a package where I provide a sample configuration file for people to
redef according to their needs and specifics.
Now every time they upgrade the package, I risk overwriting their modified
config file.
So I decided to call the config file scan-config.bro.orig but then I
Scott,
I was using the following script when I was playing with the packet-bricks Dec
last year:
utilObj = dofile("scripts/utils.lua")
utilObj:enable_nmpipes()
pe = PktEngine.new("e0")
lb = Brick.new("LoadBalancer", 2)
lb:connect_input("ix0")
lb:connect_output("ix0{1", "ix0{2", "ix0{3",
Would it be possible (also suggestion on what might be the best way) to add an
event/execute a script once log-rotation/compression is complete.
Use case: We archive the logs to a mass storage while leaving a local copy for
N days. Right now, it's a guessing game on when to run the nightly
if you made any changes to those scripts (a bug in
> those scripts could potentially run make-archive-name with
> invalid parameters).
>
>
> On 10/3/16 3:18 PM, Aashish Sharma wrote:
> >HI Daniel,
> >
> >>As for the strange directory names, one possible reason
e subdirectories of
> the /logs/ directory, or if you noticed the presence of
> a new spool/tmp/post-terminate-* directory.
>
> As for the strange directory names, one possible reason could be your
> make-archive-name script is producing bad output.
>
>
>
> On 10/3/16 2:
I see notifications as following:
- Forwarded message from Xxx -
Date: Mon, 3 Oct 2016 11:54:39 -0700 (PDT)
From:
To:
Subject: [bro-cluster] archive log failure
Unable to archive one or more logs in directory:
May be try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz
eg: cf conn.log | less
On Fri, Aug 12, 2016 at 02:03:48PM -0400, Dave Florek wrote:
> Hello,
>
> Because I lose so much processing power when manually converting Bro output
> logs from Epoch to EST using bro-cut, can I have a feature that
>
Hi Daniel,
Are there any specific node.cfg settings or broctl.cfg settings to run the
Logging node ? Could you please point me to the right locations.
Thanks,
Aashish
I have been thinking and trying different things but for now, it appears that
if we are to share policies around, there is no easy way to be able to
distribute input-files along with policy files.
Basically, right now I use
redef Scan::whitelist_ip_file =
Hi Jan,
> > A solution could be to evaluate the interval expression every time it is
> > used inside the table implementation. The drawback would be that there
For all of my needs, the above has worked fairly well, including using exp_val = 0
secs as default.
Based on the value of item in the
> In other words, my proposal is to put authors into control of their
> code, and make them fully responsible for it too --- not us. We'd just
> connect authors with users, with as little friction as possible.
>
I support this completely.
> If we want some kind of quality measure, we could
Jan,
> I guess the function for initialization receives the index that should
> be initialized.
Thank you. This works!
For future reference:
I also needed to convert the following table to use opaque of cardinality for
this table grows reasonably big:
global distinct_backscatter_peers:
So I am trying to convert tables into using opaque of cardinality since that's
more memory efficient (or counting bloomfilters for that matter):
works: if table (0) converted to (1)
errors: if table (2) converted to (3)
Details: I am trying the following, original table (0) converted to (1):
Nevermind my email!
I found: src/probabilistic/cardinality-counter.bif
Thanks,
Aashish
On Mon, May 9, 2016 at 2:29 AM, Aashish Sharma <asha...@lbl.gov> wrote:
> Matthias,
>
> I am encountering some big tables in my scan-detection heuristics and which
> grow due t
Matthias,
I am encountering some big tables in my scan-detection heuristics which
grow due to scanners:
So was thinking of this possibility to use counting bloomfilters instead of
tables and sets. After all, we are still looking for cardinality of tables and
sets for identifying scanners.
So I am trying to use bloomfilter_counting_init for keeping a count of unique IPs
seen within a subnet and instead of relying on a table or a set, I was toying
with an idea of using bloomfilter_counting_init.
However, I am not clear on the parameterization below:
global
I am in process of clusterizing a bunch of scripts and using worker2manager and
manager2worker events for doing so. This seems to be working *quite fantastic*
actually and I see 1-to-1 mapping on data moving around.
I still don't quite understand how the communication happens in background
[
https://bro-tracker.atlassian.net/browse/BIT-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=25205#comment-25205
]
Aashish Sharma commented on BIT-1472:
-
Until you are set to update libGeoIP2 API, could you add this bif
I got a query from ANL about Bro's capability to detect MOTS:
"I had a question for you – I was at a talk last week, and someone was
talking about a Man on the Side attack. The presenter had indicated that
suricata was currently the only tool doing this detection, but that they
+ ##|| report_hour == 16 || report_hour == 23) &&
report_min == 0 && report_sec == 0)
+
+if (current_time() > nrt)
{
+ nrt = next_report_time();
}
}
On Wed, Nov 18, 2015 at 11:34:39AM -0800, Craig Leres wrote:
> On 11/18/2015 10:58 AM, Aas
So, I am trying to have bro send me report/alerts at specific timeslots.
Given current_time is the wall-clock time, I am relying on current_time()
function to get time and then, my code is : if (hh:mm:ss == desired time), run
a report. I noticed inconsistencies so here is more detailed debug
Much better way! Thanks Craig!
Aashish
On Wed, Nov 18, 2015 at 11:34:39AM -0800, Craig Leres wrote:
> On 11/18/2015 10:58 AM, Aashish Sharma wrote:
> > So, I am trying to have bro send me report/alerts at specific timeslots.
> >
> > Given current_time is the wall-cloc
[
https://bro-tracker.atlassian.net/browse/BIT-835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21955#comment-21955
]
Aashish Sharma commented on BIT-835:
I'd take this one!
On Fri, Sep 04, 2015 at 07:52:00AM -0500, Seth
> > Project: Bro Issue Tracker
> > Issue Type: New Feature
> > Components: Bro
> >Affects Versions: git/master
> >Reporter: Aashish Sharma
> > Fix For: 2.5
> >
> > Attachments: drop.bro, d
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21954#comment-21954
]
Aashish Sharma commented on BIT-1396:
-
Please close it!
If I encounter this again, I will request a new
Aashish Sharma created BIT-1472:
---
Summary: Bif for a new function to calculate haversine distance
between two geoip locations
Key: BIT-1472
URL: https://bro-tracker.atlassian.net/browse/BIT-1472
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20918#comment-20918
]
Aashish Sharma commented on BIT-1396:
-
Issue Remains.
I am not sure what specific crashes
I am trying to use BrokerStore with a master and a clone setup, whereby I was
thinking of using master on manager and all the workers are clones. However, I
am somewhat confused at a few things - attaching the sample policies used:
1) I see that stores-listener.bro has clone created into it
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20715#comment-20715
]
Aashish Sharma commented on BIT-1396:
-
I found the 'missing' logs in spool/tmp/crash_dump
is not running.
I think restart --clean should first check configurations (step 3) and then if
success, move further or stop.
Buggy/typo scripts are preferred to be debugged while bro is running.
Aashish
--
Aashish Sharma (asha...@lbl.gov)
Cyber Security
Aashish Sharma created BIT-1396:
---
Summary: Logs disappearing on broctl restart
Key: BIT-1396
URL: https://bro-tracker.atlassian.net/browse/BIT-1396
Project: Bro Issue Tracker
Issue Type
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20702#comment-20702
]
Aashish Sharma commented on BIT-1396:
-
Example:
-rw-r--r-- 1 bro bro 81M May 13 13:33
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20706#comment-20706
]
Aashish Sharma commented on BIT-1396:
-
Yes, nothing in stderr.log - likely got over-written
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20704#comment-20704
]
Aashish Sharma commented on BIT-1396:
-
Ah! Yes, I see logs in spool/tmp/post-terminate-
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20707#comment-20707
]
Aashish Sharma commented on BIT-1396:
-
Um! Well the stderr.log in spool/tmp/post-terminate
[
https://bro-tracker.atlassian.net/browse/BIT-1396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20706#comment-20706
]
Aashish Sharma edited comment on BIT-1396 at 5/14/15 6:19 PM:
--
Yes
[
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aashish Sharma updated BIT-1306:
Yes, so sorry, I couldn't get to it soon enough. Yes, the patch fixes the problem.
Aashish
[
https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20222#comment-20222
]
Aashish Sharma commented on BIT-1370:
-
I've been running vlad's branch
[
https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20022#comment-20022
]
Aashish Sharma commented on BIT-1326:
-
I am trying to test some stuff with the current
[
https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aashish Sharma updated BIT-1182:
Resolution: Fixed
Status: Closed (was: Open)
I tested out 30K+ adds/deletes with input
[
https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19942#comment-19942
]
Aashish Sharma commented on BIT-1335:
-
I prefer keeping protocol + fid - Easy to sort
[
https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19908#comment-19908
]
Aashish Sharma commented on BIT-1182:
-
ah! that makes sense now. You are correct. I
Aashish Sharma created BIT-1306:
---
Summary: bro process would get stuck/freeze with myricom drivers
Key: BIT-1306
URL: https://bro-tracker.atlassian.net/browse/BIT-1306
Project: Bro Issue Tracker
that was identified.
--
This message was sent by Atlassian JIRA
(v6.4-OD-09-005#64005)
[
https://bro-tracker.atlassian.net/browse/BIT-1286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=18703#comment-18703
]
Aashish Sharma commented on BIT-1286:
-
This is a very neat policy for sure!!
--
Aashish
[
https://bro-tracker.atlassian.net/browse/BIT-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=16825#comment-16825
]
Aashish Sharma commented on BIT-1140:
-
So I have been running the code for last 5 days
[
https://bro-tracker.atlassian.net/browse/BIT-1204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aashish Sharma updated BIT-1204:
Resolution: Fixed
Status: Closed (was: Open)
setting CommTimeout = 300 ( or higher number
[
https://bro-tracker.atlassian.net/browse/BIT-1204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=16823#comment-16823
]
Aashish Sharma commented on BIT-1204:
-
Yes ! increasing CommTimeout works well
Aashish Sharma created BIT-1204:
---
Summary: broctl query|print timesout for really large tables
Key: BIT-1204
URL: https://bro-tracker.atlassian.net/browse/BIT-1204
Project: Bro Issue Tracker
[
https://bro-tracker.atlassian.net/browse/BIT-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=16801#comment-16801
]
Aashish Sharma commented on BIT-1140:
-
Thanks for the fix Matthias. I am testing your topic
Aashish Sharma created BIT-1180:
---
Summary: Input framework subsequent REREAD fails after file
update
Key: BIT-1180
URL: https://bro-tracker.atlassian.net/browse/BIT-1180
Project: Bro Issue Tracker
Aashish Sharma created BIT-1181:
---
Summary: Input-framework errors should be fatal (or Notice_Alarm)
instead of silent reporter::error failures
Key: BIT-1181
URL: https://bro-tracker.atlassian.net/browse/BIT-1181
[
https://bro-tracker.atlassian.net/browse/BIT-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aashish Sharma updated BIT-1140:
Attachment: bloom-test2.bro
bloom-test-short.bro
Test files to reproduce
[
https://bro-tracker.atlassian.net/browse/BIT-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=16010#comment-16010
]
Aashish Sharma commented on BIT-1140:
-
Matthias,
I have created two simple test files
I haven't got a chance to measure if the fix is effective or not yet. I have
started measuring the CPU spikes this week after putting in the fix for
scan_udp.bro. I should have some results in a couple of days.
Aashish
On Tue, Feb 18, 2014 at 2:19 PM, Jon Siwek (JIRA)
Aashish Sharma created BIT-1126:
---
Summary: Logs disappearing after bro termination
Key: BIT-1126
URL: https://bro-tracker.atlassian.net/browse/BIT-1126
Project: Bro Issue Tracker
Issue Type