```bro
# Process packets despite bad checksums.
redef ignore_checksums = T;
```
This will change significantly with Bro 2.2 when we have the file analysis
We start with an extremely simple case: loading some data and matching it. The first step is to create an intelligence file in Bro’s intelligence format. Create a file named “intel1.dat” with the following content. Keep in mind that all field separation is with literal tabs! Double check that you don’t have spaces as separators.
```
#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source
```
The next step is to load this data into Bro, which is done as a configuration option. Put the following script in the same directory as your “intel1.dat” file and call it “intel-1.bro”.
```bro
##! DNS Detect Abnormal Number of Lookup Failures
##! Watches for hosts receiving an abnormal number of NXDOMAIN DNS lookup failures.
##! Improvements & derivatives
@load base/protocols/dns
@load base/frameworks/sumstats
@load base/utils/time
```
```sh
curl -H 'Host: www.cyberciti.biz' -H 'Host: www.google.com' 75.126.153.206:80
```
```python
#!/usr/bin/env python2
##
## This script takes a line from the dpd.log generated with the
## policy/frameworks/dpd/packet-segment-logging.bro script, and
## outputs a PCAP to stdout
##
## Vlad Grigorescu
## vlad@broala.com
##
```
```
0.000000 bro_init
0.000000 filter_change_tracking
1406693027.271405 ChecksumOffloading::check
1406693027.271405 filter_change_tracking
1406693027.271405 new_connection
[0] c: connection = [id=[orig_h=2600:100c:b00b:608b:a54c:8e84:2fe0:b532, orig_p=65378/tcp, resp_h=2607:f8b0:4000:805::1015, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=189105], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1406693027.271405, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=C5abPgn1C03Sbffqi, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitial
```
```
wpad:tmp2 liamrandall$ bro -r /Users/liamrandall/TrafficSamples/xmas2011.pcap local "Site::local_nets += {10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"
wpad:tmp2 liamrandall$ ls *.log
conn.log ftp.log known_hosts.log loaded_scripts.log packet_filter.log signatures.log software.log
files.log http.log known_services.log notice.log pe.log smtp.log
wpad:tmp2 liamrandall$ bro -v
bro version 2.4-beta
wpad:tmp2 liamrandall$ less known_
known_: No such file or directory
wpad:tmp2 liamrandall$ cat known_hosts.log
#separator \x09
```
### Keybase proof

I hereby claim:

* I am liamrandall on github.
* I am liamrandall (https://keybase.io/liamrandall) on keybase.
* I have a public key ASDOOp_WKcK6A0ME0cGNmAhbJUg1f_7A9G0z5Rzne_fvcgo

To claim this, I am signing this object: