Questions tagged [bro]

Bro is the former name of Zeek. Zeek is a network analysis framework - implemented as a domain-specific programming language to enable users to create powerful network security monitoring (NSM) capabilities while also providing a comprehensive platform for general network traffic analysis.

From the Zeek website:

Adaptable

Zeek's domain-specific scripting language enables site-specific monitoring policies.

Efficient

Zeek targets high-performance networks and is used operationally at a variety of large sites.

Flexible

Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.

Forensics

Zeek comprehensively logs what it sees and provides a high-level archive of a network's activity.

In-depth Analysis

Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Highly Stateful

Zeek keeps extensive application-layer state about the network it monitors.

Open Interfaces

Zeek interfaces with other applications for real-time exchange of information.

Open Source

Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

69 questions
4
votes
2 answers

How to write http layer sniffer

I want to write an application layer sniffer (SMTP/FTP/HTTP). Based on my searches, the first (and perhaps hardest!) step is to reassemble the TCP stream of the sniffed connections. Indeed, what I need is something like the "follow TCP stream" option of…
3
votes
1 answer

Bro-cut and conn.log - how to access individual columns?

How do you access the names of the columns in the Bro conn.log so that you can see what the fields are called?
Neda
  • 125
  • 6
3
votes
2 answers

Error while starting Bro

I am trying to install Bro on my machine running Ubuntu 16.04 and I am facing the following problem on bro start. It has multiple errors; kindly assist on how to resolve them. [BroControl] > start starting bro (was crashed) ... bro terminated…
Anuvrat Tiku
  • 1,616
  • 2
  • 17
  • 25
3
votes
1 answer

Extracting file matching bro signature

I've written a signature to match small iframes in HTTP responses. This works fine and I get an entry in signatures.log and notice.log. I'd like to extract any files which hit this sig so I can have a closer look. If I look at the signature_match…
Alan H
  • 53
  • 4
3
votes
1 answer

Bro: Log only one stream

My goal is to run a command like bro --iface and get only the conn.log, but I cannot tell from the Bro docs or manpages how to do this. Thanks.
zzu
  • 258
  • 1
  • 11
2
votes
1 answer

Bro / Zeek debugging logs?

Is there any way to see more debugging info with Bro / Zeek? Here's what I know of so far. Logs on Manager & workers (Stderr.log, Stdout.log); broctl status; broctl diag; broctl print & peerstatus both hang, so are of no use for debugging broctl…
clarkej
  • 41
  • 5
2
votes
0 answers

Missing logs in current folder

I am using Security Onion image 16.04.5.6. I am new to Bro and according to this, in the current folder I should be able to find the http.log file. However I only see: loaded_scripts.log reporter.log stderr.log packet_filter.log stats.log …
roffensive
  • 564
  • 4
  • 22
2
votes
1 answer

How could BRO-IDS compare strings with NUL-terminator

I am testing string comparison with BRO, and got some runtime errors. Hope you guys could take a look and give me some hints. For example I have two strings, let's say str_A and str_B; str_A is sort of a pattern, like: str_A =…
Xifeng
  • 31
  • 3
2
votes
2 answers

How to remove BRO IDS (installed from source using make) from Ubuntu-16.04?

I installed BRO 2.5.3 from source code using make in Ubuntu 16.04. However I can't uninstall it using make uninstall. Any ideas how to remove it?
alshaboti
  • 643
  • 8
  • 18
2
votes
1 answer

Bro Script: Hardcoded IP addresses

I have one assignment and I need a little help. I have infected.pcap and the following task: Hardcoded IP addresses. Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C)…
Neda
  • 125
  • 6
2
votes
0 answers

Opening a file that has colons in the filename with Java (displayed as slashes in MacOs Finder)

This issue is for Linux/Mac; I don't even think the files could exist with slashes if they were unzipped onto a Windows box. Hi, I have a requirement to open log files which were output by the popular BRO IDS system. The files are read only and I…
PHY6
  • 391
  • 3
  • 12
2
votes
1 answer

Bro Script to look up hostname from IP Address

I've written a bro script using the Input::add_table function to look up IPs and their corresponding hostnames and insert them into the conn_id record - so that I have id.source_name & id.destination_name in every log file. This works fine except when…
Alan H
  • 53
  • 4
2
votes
1 answer

How to generate the software.log from a pcap file using bro?

I'm trying to generate the software.log file from a PCAP file I have; the default bro -r my.pcap seems to generate some of the log files but not this one. After googling, adding local on the end is supposed to fix it, but it doesn't.
Crizly
  • 971
  • 1
  • 12
  • 33
2
votes
0 answers

How to visualize data in Bro network security monitor

I have configured Bro Network Security Monitor on my Linux system. In the logs directory, different logs are maintained by Bro. In each file, data is in TSV form. I have to visualize this data for better usage and monitoring. I think Bro does not provide…
Hafiz Muhammad Shafiq
  • 8,168
  • 12
  • 63
  • 121
2
votes
1 answer

Bro doesn't log outgoing HTTP requests

Newbie question here: I installed Bro on a fresh Ubuntu. I run bro and create HTTP requests from that Ubuntu. bro logs the responses I get, but I don't see any logs of the OUTGOING requests. When I send HTTP requests TO the Apache server, installed…
ooga chaka
  • 21
  • 4