[Bro] three things

Mike Dopheide dopheide at ncsa.uiuc.edu
Wed Jan 31 12:03:47 PST 2007

I'm back and I'm stirring up trouble.  I've come across three different 
issues in the last couple days that the list might like to know about. 
None of this is a show stopper for me, just curiosities.

I've spent quite a bit of time trying to get a regular expression to 
match packet contents returned by udp_contents().  An example snippet of 
the contents would be:


I'd like to match against /.*NCSA.*/, but the match fails.  This morning 
I finally found clean() which makes the pattern work, but then my bytes 
count gets shifted all around.

(Maybe I should be using signatures...)

While looking at (1) I found that all patterns fail with bro-1.2.1 on 
Fedora Core 5:

line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/

It happens with patterns I write or any patterns in the provided .bro 
files.  bro-1.1d works just fine on FC5 and bro-1.2.1 works fine on RHEL4.

bro-1.2.1 won't compile on RHEL3 u8, but will on RHEL4.  On RHEL3, make 
fails with this error:

g++ -DHAVE_CONFIG_H -I. -I. -I..  -I. -I../src/binpac/lib -I../src -I.
-I.. -Ilibedit  -I/usr/kerberos/include -I../linux-include -O -W -Wall
-Wno-unused -I/usr/kerberos/include -I../linux-include  -g -O2 -c -o
bif_parse.o bif_parse.cc
In file included from
                 from ../src/builtin-func.y:2:
In method `struct streampos streambuf::pubseekoff(long long int,
ios::seek_dir, int = 3)':
conversion from `__off64_t' to non-scalar type `streampos' requested
In method `struct streampos streambuf::pubseekpos(_G_fpos64_t, int =
`struct streampos' used where a `long long int' was expected
warning: control reaches end of non-void function
`streambuf::pubseekpos(_G_fpos64_t, int)'
make[2]: *** [bif_parse.o] Error 1
make[2]: Leaving directory `/tmp/dopheide/bro-1.2.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/dopheide/bro-1.2.1'
make: *** [all] Error 2
