Monday, April 09, 2007

Bro Basics Follow-Up

In my post Bro Basics I outlined the steps I took to install Bro. Since Friday I've taken a few more steps to get reports working.

First, I re-ran make brolite-install as root.

Next, I noticed errors in mail from bro:

Date: Sat, 7 Apr 2007 00:10:01 -0400 (EDT)
From: analyst@cel433.taosecurity.com (Cron Daemon)
To: analyst@cel433.taosecurity.com
Subject: Cron <analyst@cel433> ( nice -n 19 /usr/local/bro-1.2.1/scripts/site-report.pl )
X-Cron-Env: <BROHOME=/usr/local/bro-1.2.1>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/analyst>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=analyst>
X-Cron-Env: <USER=analyst>

Can't locate Bro/Config.pm in @INC (@INC contains: /usr/local/bro/perl/lib/perl5/site_perl /usr/local/lib/perl5/5.8.8/BSDPAN /usr/local/lib/perl5/site_perl/5.8.8/mach /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.8.8/mach /usr/local/lib/perl5/5.8.8 .) at /usr/local/bro-1.2.1/scripts/site-report.pl line 25.
BEGIN failed--compilation aborted at /usr/local/bro-1.2.1/scripts/site-report.pl line 25.

I looked around and found Bro/Config.pm in /usr/local/bro-1.2.1/perl/lib/perl5/site_perl/5.8.8/Bro/Config.pm.

I looked at site-report.pl and saw this:

# look for our modules first
use lib '/usr/local/bro/perl/lib/perl5/site_perl';

Since I installed Bro in /usr/local/bro-1.2.1, I thought making a symlink from /usr/local/bro to /usr/local/bro-1.2.1 was the best approach.

The next time the report script tried to run I got a new error.

/libexec/ld-elf.so.1: /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so: Undefined symbol "__h_errno"

Weird. I compared libperl.so on cel433 (the Bro sensor) with the same file on poweredge, another FreeBSD box.

cel433:/home/analyst$ file /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), not stripped
cel433:/home/analyst$ md5 /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
MD5 (/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so) =
a5d4a3b0bbc9b4b9e0cf136e35546651

cel433:/home/analyst$ ls -al /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
-r-xr-xr-x 1 root wheel 1143233 Sep 2 2006
/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so

poweredge:/home/richard$ file /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so: ELF 32-bit LSB shared object,
Intel 80386, version 1 (FreeBSD), not stripped
poweredge:/home/richard$ md5 /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
MD5 (/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so) =
061ee20f36b76dc5a2fb22de37caa987

poweredge:/home/richard$ ls -al /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
-r-xr-xr-x 1 root wheel 1143233 Jun 21 2006
/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so

The files appear the same, but the MD5 hashes don't match. I fixed that by copying what I presumed was the good copy from poweredge:

cel433:/root# scp richard@poweredge:/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
Password:
libperl.so 100% 1116KB 1.1MB/s 00:00
cel433:/root# md5 /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so
MD5 (/usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so) =
061ee20f36b76dc5a2fb22de37caa987
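Two copies of the same port with the same size and type but different mtimes and hashes look like two separate builds, so the comparison above does not by itself establish which copy is good. The check a practitioner would want before overwriting a system library is whether the installed file still matches the checksum the package recorded when it was installed. FreeBSD's pkg_install of that era keeps this in /var/db/pkg/<package>/+CONTENTS, where each file entry (relative to the current @cwd prefix) is followed by a line of the form "@comment MD5:<hash>". The script below is an added example, not code from the original post or from Bro; the package name, the manifest it builds in its demo and the file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Bro: verify the files
# listed in a FreeBSD pkg_install manifest (/var/db/pkg/<pkg>/+CONTENTS)
# against the MD5s recorded at install time. In that format each file line is
# relative to the most recent "@cwd" prefix and is followed by a line
# "@comment MD5:<hash>". Uses FreeBSD md5(1) where present, else GNU md5sum(1).

file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# verify_contents MANIFEST
# Prints OK / MISMATCH / MISSING plus the full path for every checksummed file.
# Returns 0 when every file matches its recorded MD5, 1 otherwise.
verify_contents() {
    manifest=$1
    prefix=/usr/local      # pkg_install default until an @cwd line is seen
    path=""
    status=0
    while IFS= read -r line; do
        case $line in
            "@cwd "*)
                prefix=${line#"@cwd "} ;;
            "@comment MD5:"*)
                want=${line#"@comment MD5:"}
                full="$prefix/$path"
                if [ ! -f "$full" ]; then
                    echo "MISSING $full"; status=1
                elif [ "$(file_md5 "$full")" = "$want" ]; then
                    echo "OK $full"
                else
                    echo "MISMATCH $full"; status=1
                fi ;;
            @*|"")
                ;;                  # other directives (@name, @exec, @dirrm ...) and blanks
            *)
                path=$line ;;       # a file entry; its checksum is on the next line
        esac
    done < "$manifest"
    return $status
}

# Constructed demo (assumed data, not a real package): one file that still
# matches its recorded MD5, one whose contents were replaced after install,
# and one that is missing. Returns verify_contents' status.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/perl5/5.8.8/mach/CORE" "$d/lib/perl5/5.8.8/Bro"
    printf 'original libperl bytes\n' > "$d/lib/perl5/5.8.8/mach/CORE/libperl.so"
    printf 'original Config.pm\n'     > "$d/lib/perl5/5.8.8/Bro/Config.pm"
    lib_md5=$(file_md5 "$d/lib/perl5/5.8.8/mach/CORE/libperl.so")
    cfg_md5=$(file_md5 "$d/lib/perl5/5.8.8/Bro/Config.pm")
    # Simulate a file changed after the manifest was written.
    printf 'Config.pm after replacement\n' > "$d/lib/perl5/5.8.8/Bro/Config.pm"
    {
        echo "@name perl-5.8.8_1"            # assumed package name
        echo "@cwd $d"
        echo "lib/perl5/5.8.8/mach/CORE/libperl.so"
        echo "@comment MD5:$lib_md5"
        echo "lib/perl5/5.8.8/Bro/Config.pm"
        echo "@comment MD5:$cfg_md5"
        echo "lib/perl5/5.8.8/mach/CORE/libperl.a"   # never created: MISSING
        echo "@comment MD5:00000000000000000000000000000000"
    } > "$d/+CONTENTS"
    verify_contents "$d/+CONTENTS"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "verification failed: at least one file differs from its recorded MD5"
```

On the sensor the real call would be `verify_contents /var/db/pkg/perl-5.8.8_1/+CONTENTS` (package directory name assumed). If libperl.so reports MISMATCH on the sensor but OK on the other host, the copy is defensible; if it mismatches on both, neither copy is known-good and the safer fix is to reinstall the port rather than to scp a library between machines.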

That was the last fix. I got an email with the following report, saved at /usr/local/bro-1.2.1/reports/taosecuritycom.1176091803.24141.rpt.

Site Report for taosecuritycom, from 2007/04/08 00:00:30 to 2007/04/09 00:00:30
generated on Mon Apr 9 00:11:27 2007
========================================================================
Summary
========================================================================
Incident Count: 0

========================================================================
Incident Details
========================================================================
No data to report
========================================================================
Signature Distributions
========================================================================
No data to report

========================================================================
Scans
========================================================================
No data to report

========================================================================
Connection Log Summary
========================================================================
Site-wide connection statistics

Successful: 7506
Unsuccessful: 19341
Ratio: 1:2.576


Top 20 Sources

Host IP Bytes Conn. Count
------------------------------- --------------- ------ ------------
...3-202-28.hsd1.va.comcast.net 69.143.202.28 17 M 7504
sd-6260.dedibox.fr 88.191.38.164 0 1
...46.static.newcomamericas.net 200.30.136.146 0 1


Top 20 Destinations

Host IP Bytes Conn. Count
------------------------------- --------------- ------ ------------
eh-in-f191.google.com 72.14.207.191 52 M 2103
vhost.identityvector.com 209.40.96.212 175 M 660
207.159.120.151 207.159.120.151 141 K 501
208-45-133-152.excite.com 208.45.133.152 222 K 373
207.159.120.146 207.159.120.146 72528 258
64.147.181.34 64.147.181.34 1.8 M 258
ad.turn.com 70.42.138.14 1.6 M 146
208-45-133-13.excite.com 208.45.133.13 1.7 M 138
208-45-133-134.excite.com 208.45.133.134 91943 131
38.96.134.241 38.96.134.241 85585 127
208-45-133-23.excite.com 208.45.133.23 2.2 M 127
...9.142.97.available.above.net 209.249.142.97 66912 106
204.176.49.2 204.176.49.2 15182 101
lib1.store.vip.mud.yahoo.net 68.142.205.139 175 K 85
64.147.181.44 64.147.181.44 1.2 M 84
64.147.181.32 64.147.181.32 3.3 M 80
...49.142.8.available.above.net 209.249.142.8 23520 73
wzus.wc.ask.com 65.214.37.120 25009 65
...eploy.akamaitechnologies.com 72.247.28.57 518 K 55
38.96.134.245 38.96.134.245 17459 54


Top 20 Local Email Senders

Hostname IP Conn. Count
--------------------------------------- --------------- ------------
c-69-143-202-28.hsd1.va.comcast.net 69.143.202.28 7


Top 20 Services

Service Conn. Count % of Total Bytes In Bytes Out
------------ ------------ ---------- --------- ---------
http 7003 93.30 275 M 12 M
https 254 3.38 3.1 M 1.0 M
other 193 2.57 1.2 M 3.9 M
pop-3 23 0.31 46361 1187
whois 19 0.25 16646 309
smtp 7 0.09 1536 7542
spop 5 0.07 35772 3283
ssh 2 0.03 0 82

========================================================================
Byte Transfer Pairs
========================================================================
Hot Report - Top 20
Local Remote Conn.
Local Host Remote Host Bytes Bytes Count
----------------------- ----------------------- --------- --------- -------
...hsd1.va.comcast.net ....identityvector.com 153296 175 M 1276
...hsd1.va.comcast.net eh-in-f191.google.com 812404 52.5 M 6320
...hsd1.va.comcast.net ...maitechnologies.com 12997 12.2 M 4
...hsd1.va.comcast.net 64.147.181.31 4503 K 15328 32
...hsd1.va.comcast.net 64.147.181.32 142095 3414 K 164
...hsd1.va.comcast.net ...-70.mc.videotron.ca 2492 K 4261 1
...hsd1.va.comcast.net 194.117.143.76 6885 2360 K 6
...hsd1.va.comcast.net ...5-133-23.excite.com 212442 2213 K 254
...hsd1.va.comcast.net 64.147.181.34 1145 K 1867 K 516
...hsd1.va.comcast.net 66.11.53.136 1084 1811 K 4
...hsd1.va.comcast.net ...5-133-13.excite.com 340294 1751 K 276
...hsd1.va.comcast.net ad.turn.com 136361 1665 K 292
...hsd1.va.comcast.net 38.99.76.85 12127 1648 K 42
...hsd1.va.comcast.net ntserver-4d41.4dv.net 673 1478 K 5
...hsd1.va.comcast.net 81.216.125.158 1409 K 2932 1
...hsd1.va.comcast.net 64.147.181.44 574291 1250 K 198
...hsd1.va.comcast.net ...ices.brightcove.com 36951 1073 K 92
...hsd1.va.comcast.net 194.117.143.77 4037 1042 K 6
...hsd1.va.comcast.net gfo-cm.nexcess.net 43809 725792 86
...hsd1.va.comcast.net ...-133-152.excite.com 674704 227462 746

It's basically connection logging information, since I'm running a default brolite installation. As I enable other components I expect to see other details.
