From robin at icir.org Thu Jan 3 11:13:23 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 3 Jan 2008 11:13:23 -0800 Subject: [Bro] L flag in conn log In-Reply-To: <4769E389.8040700@sdsc.edu> References: <4769E389.8040700@sdsc.edu> Message-ID: <20080103191323.GL13475@icir.org> On Wed, Dec 19, 2007 at 19:37 -0800, scott sakai wrote: > However, I'd like to make sure that it is. Yes, the log format has changed as you indicated quite some time ago already. I'll fix the documentation. Thanks for pointing this out. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From owenmaft at 21cn.com Sun Jan 13 05:04:40 2008 From: owenmaft at 21cn.com (=?GB2312?B?wu23ycza?=) Date: Sun, 13 Jan 2008 21:04:40 +0800 (CST) Subject: [Bro] Can not dump the first packet? Message-ID: <113926.6951200229480553.JavaMail.root@webmail5> An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080113/ccf5f626/attachment.html From robin at icir.org Mon Jan 14 12:22:14 2008 From: robin at icir.org (Robin Sommer) Date: Mon, 14 Jan 2008 12:22:14 -0800 Subject: [Bro] Can not dump the first packet? In-Reply-To: <113926.6951200229480553.JavaMail.root@webmail5> References: <113926.6951200229480553.JavaMail.root@webmail5> Message-ID: <20080114202214.GF59596@icir.org> On Sun, Jan 13, 2008 at 21:04 +0800, you wrote: > But I found that the first packet (always the SYN packet) of the > connection was missed in the pcap file. This is due to the connection compressor. The compressor defers instantiating connection state until it sees packets from both sides, which is why it can't raise events such as tcp_packet() immediately with the first packet (the event carries a connection parameter). Not sure what the best fix for this is (if there's any at all) but you can work around the problem by turning the compressor off via "redef use_connection_compressor=F". Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From abinmoozhiyil at tataelxsi.co.in Wed Jan 16 07:38:54 2008 From: abinmoozhiyil at tataelxsi.co.in (Abin Moozhiyil) Date: Wed, 16 Jan 2008 21:08:54 +0530 Subject: [Bro] profile bro ids 1.2.1 Message-ID: <000201c85855$e72400e0$3521320a@telxsi.com> hai i'm facing an issue when trying to profile bro ids 1.2.1 using vtune in fedora 6. i gets an error as cannot access bro.init and vtune is not responding. i tried with export BROPATH=/usr/local/bro and still the problem exists. can u help me out in this issue. please recommend some profiling tools to profile bro software and how to profile it. expecting a + reply . thankyou. abin c m The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information. From robin at icir.org Wed Jan 16 09:25:39 2008 From: robin at icir.org (Robin Sommer) Date: Wed, 16 Jan 2008 09:25:39 -0800 Subject: [Bro] profile bro ids 1.2.1 In-Reply-To: <000201c85855$e72400e0$3521320a@telxsi.com> References: <000201c85855$e72400e0$3521320a@telxsi.com> Message-ID: <20080116172539.GD74565@icir.org> On Wed, Jan 16, 2008 at 21:08 +0530, Abin Moozhiyil wrote: > i tried with export BROPATH=/usr/local/bro and still the problem exists. BROPATH needs to point to the directory containing the policies, i.e., /usr/local/bro/policy. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From irdeto at gmail.com Thu Jan 17 05:59:28 2008 From: irdeto at gmail.com (Fabian Hensel) Date: Thu, 17 Jan 2008 14:59:28 +0100 Subject: [Bro] Multiple encapsulation Message-ID: Hi I have a rather urgent problem. For the evaluation of my diploma thesis, I want to run Bro in a DSL-Core Network. The traffic there is encapsulated multiple times and Bro does not inspect the real payload without adjustment. This is what I could determine from looking at a sample trace: MPLS: 4 bytes MPLS: 4 bytes IP: 20 bytes UDP: 8 bytes L2TP: 8 bytes PPP: 4 bytes Total encapsulation headers: 48 bytes I tried playing around with parse_udp_tunnels, udp_tunnel_port and encap_hdr_size (set to 48), but without any real success. Any chance I can get this working? Regards - Fabian From irdeto at gmail.com Thu Jan 17 08:01:38 2008 From: irdeto at gmail.com (Fabian Hensel) Date: Thu, 17 Jan 2008 17:01:38 +0100 Subject: [Bro] Multiple encapsulation In-Reply-To: References: Message-ID: I just realized. I had to do a redef capture_filters += { ["mpls"] = "mpls"}; redef encap_hdr_size = 48; Because the outermost encapsulation is MPLS... - Fabian On Jan 17, 2008 4:01 PM, Ashley Thomas wrote: > What would be the tcpdump filter you would use in that setup > let's say to capture only tcp packets. > > Bro uses libpcap like tcpdump to capture the packets. > > You can modify the filters that's there in the policy scripts to read > the packets > off the network interface. > > > > On Jan 17, 2008 8:59 AM, Fabian Hensel wrote: > > Hi > > > > I have a rather urgent problem. For the evaluation of my diploma > > thesis, I want to run Bro in a DSL-Core Network. The traffic there is > > encapsulated multiple times and Bro does not inspect the real payload > > without adjustment. This is what I could determine from looking at a > > sample trace: > > > > MPLS: 4 bytes > > MPLS: 4 bytes > > IP: 20 bytes > > UDP: 8 bytes > > L2TP: 8 bytes > > PPP: 4 bytes > > Total encapsulation headers: 48 bytes > > > > I tried playing around with parse_udp_tunnels, udp_tunnel_port and > > encap_hdr_size (set to 48), but without any real success. Any chance I > > can get this working? > > > > Regards - Fabian > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > > -- > Karmanye Vadhikaraste Ma Phaleshu Kadachana, Ma Karma Phala Hetur > Bhurmatey Sangostva Akarmani > From vern at icir.org Thu Jan 17 08:02:32 2008 From: vern at icir.org (Vern Paxson) Date: Thu, 17 Jan 2008 08:02:32 -0800 Subject: [Bro] Multiple encapsulation In-Reply-To: (Thu, 17 Jan 2008 14:59:28 +0100). Message-ID: <200801171602.m0HG2bLQ022975@pork.ICSI.Berkeley.EDU> > sample trace: > > MPLS: 4 bytes > MPLS: 4 bytes > IP: 20 bytes > UDP: 8 bytes > L2TP: 8 bytes > PPP: 4 bytes > Total encapsulation headers: 48 bytes > > I tried playing around with parse_udp_tunnels, udp_tunnel_port and > encap_hdr_size (set to 48), but without any real success. Any chance I > can get this working? Bro doesn't have this sort of multiple layers of tunneling built into it in a ready-to-use form. In general, you could modify its dynamic protocol analysis to do this; but I think easiest would be to hack it in directly, right after packets are read, with code hardwired to know how to decapsulate the different types of tunneling present in your traces. Vern From vern at icir.org Thu Jan 17 08:14:42 2008 From: vern at icir.org (Vern Paxson) Date: Thu, 17 Jan 2008 08:14:42 -0800 Subject: [Bro] Multiple encapsulation In-Reply-To: (Thu, 17 Jan 2008 17:01:38 +0100). Message-ID: <200801171614.m0HGEmog023170@pork.ICSI.Berkeley.EDU> > redef capture_filters += { ["mpls"] = "mpls"}; > redef encap_hdr_size = 48; > > Because the outermost encapsulation is MPLS... If the encapsulation is always the same and fixed-sized, then yes, this can do the trick. My earlier reply was for cases where the encapsulation varies. Vern From robin at icir.org Thu Jan 17 09:03:11 2008 From: robin at icir.org (Robin Sommer) Date: Thu, 17 Jan 2008 09:03:11 -0800 Subject: [Bro] Multiple encapsulation In-Reply-To: <200801171602.m0HG2bLQ022975@pork.ICSI.Berkeley.EDU> References: <200801171602.m0HG2bLQ022975@pork.ICSI.Berkeley.EDU> Message-ID: <20080117170311.GD48242@icir.org> On Thu, Jan 17, 2008 at 08:02 -0800, Vern Paxson wrote: > analysis to do this; but I think easiest would be to hack it in directly, > right after packets are read, with code hardwired to know how to decapsulate > the different types of tunneling present in your traces. I actually do have an experimental patch for this somewhere. Fabian, please send me a mail if you still need it. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From abinmoozhiyil at tataelxsi.co.in Fri Jan 18 21:44:30 2008 From: abinmoozhiyil at tataelxsi.co.in (Abin Moozhiyil) Date: Sat, 19 Jan 2008 11:14:30 +0530 Subject: [Bro] Profilers for Bro Message-ID: <002a01c85a5e$5d3acf20$3521320a@telxsi.com> Hai, Currently I'm on the job of profiling Bro. I have been trying to use vtune profiler but has been unsuccessful. As I try to profile the vtune gets hanged. May be because that I haven't given the proper specificatins regarding 1. Application to launch: 2. Application arguments: (optional) 3. Working directory: (optional) I believe that vtune profiles the binary file of Bro. Please tell me the binary file corresponding to the Bro IDS software. Can anybody suggest any other profilers for the software other than vtune which is user friendly? I shall be much obliged if anyone come up with a solution to help me. Specifications: Bro-IDS v1.2.1 Fedora 6 vtune v9.0 Thanking you, Yours sincerely, Abin C M The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it. Contact your Administrator for further information. From diogo_c at brturbo.com.br Thu Jan 24 08:55:44 2008 From: diogo_c at brturbo.com.br (Diogo Corteletti de Oliveira) Date: Thu, 24 Jan 2008 13:55:44 -0300 Subject: [Bro] Start Problem Message-ID: <4798C310.2010001@brturbo.com.br> Hello Guys, After enabling the dpd (const use_dpd = T;) I am having problems starting bro with the following message: bro.rc: Starting ..........bro.rc: Failed to start Bro /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com /usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com /usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com /usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com /usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com /usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com line 1: error: Can't open signature file dpd.sig ... FAILED From seth at net.ohio-state.edu Thu Jan 24 09:09:10 2008 From: seth at net.ohio-state.edu (Seth Hall) Date: Thu, 24 Jan 2008 12:09:10 -0500 Subject: [Bro] Start Problem In-Reply-To: <4798C310.2010001@brturbo.com.br> References: <4798C310.2010001@brturbo.com.br> Message-ID: <3FB86D2F-F9B1-489B-8FE2-5F80FF67E401@net.ohio-state.edu> On Jan 24, 2008, at 11:55 AM, Diogo Corteletti de Oliveira wrote: > > line 1: error: Can't open signature file dpd.sig Does your policy/sigs directory have the dpd.sig file in it? Also, what version of Bro are you running? .Seth From gspathoulas at gmail.com Fri Jan 25 02:08:04 2008 From: gspathoulas at gmail.com (Georgios Spathoulas) Date: Fri, 25 Jan 2008 12:08:04 +0200 Subject: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap) Message-ID: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> Hello to all, I am an Intrusion Detection Researcher from Greece. I try to create an experimental setup, in order to test data fusion methods for combining alerts from different IDSs. I am trying to setup Bro IDS on an Ubuntu 7.10 system. I have tried both 1.2and 1.3 versions and I get the same error when I run the ./configure command : checking for local pcap library... not found checking for pcap_open_live in -lpcap... no checking for pcap_open_live in -lpcap... no configure: error: see the INSTALL doc for more info I guess I am missing something. I have Snort installed on the same system, I hope this does not create a problem. Whoever can help, please post to me a probable solution. Thank you in advance. The whole output of the ./configure command is giorgos at m1330:~/Desktop/bro-1.3.2$ ./configure checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... no checking for mawk... mawk checking whether make sets $(MAKE)... yes checking for style of include used by make... GNU checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ANSI C... none needed checking dependency style of gcc... gcc3 checking for flex... flex checking for yywrap in -lfl... yes checking lex output file root... lex.yy checking whether yytext is a pointer... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether make sets $(MAKE)... (cached) yes checking for ranlib... ranlib checking for gzip... gzip checking for OPENSSL_add_all_algorithms_conf in -lcrypto... no checking for perl5... no checking for perl... /usr/bin/perl checking for chown... /bin/chown checking Linux kernel version... 2 checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... 64 checking for _LARGE_FILES value needed for large files... no checking how to run the C preprocessor... gcc -E checking for egrep... grep -E checking for ANSI C header files... yes checking return type of signal handlers... void checking for sigset... yes checking for int32_t using gcc... yes checking for u_int32_t using gcc... yes checking for u_int16_t using gcc... yes checking for u_int8_t using gcc... yes checking whether time.h and sys/time.h may both be included... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h.. . yes checking for unistd.h... yes checking for memory.h... (cached) yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking socket.h usability... no checking socket.h presence... no checking for socket.h... no checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking for net/ethernet.h... yes checking for netinet/ether.h... yes checking for netinet/if_ether.h... yes checking for sys/ethernet.h... no checking for netinet/ip6.h... yes checking for socklen_t... yes checking if syslog returns int... no checking if we should declare socket and friends... no checking for gethostbyname... yes checking for socket... yes checking for putmsg in -lstr... no checking for local pcap library... not found checking for pcap_open_live in -lpcap... no checking for pcap_open_live in -lpcap... no configure: error: see the INSTALL doc for more info -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080125/f5fff6c5/attachment.html From ager at net.in.tum.de Fri Jan 25 02:50:41 2008 From: ager at net.in.tum.de (Bernhard Ager) Date: Fri, 25 Jan 2008 11:50:41 +0100 Subject: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap) In-Reply-To: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> References: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> Message-ID: <20080125105041.GU9233@in.tum.de> On Fri, Jan 25, 2008 at 12:08:04PM +0200, Georgios Spathoulas wrote: > I am trying to setup Bro IDS on an Ubuntu 7.10 system. I have tried both 1.2and > 1.3 versions and I get the same error when I run the ./configure command : > > checking for local pcap library... not found > checking for pcap_open_live in -lpcap... no > checking for pcap_open_live in -lpcap... no > configure: error: see the INSTALL doc for more info Most likely you need to install the libpcap-dev or libpcap0.8-dev package. Likewise for other libraries. Bernhard -- Technische Universit?t Berlin An-Institut Deutsche Telekom Laboratories FG INET, Research Group Anja Feldmann Sekr. TEL 4 Ernst-Reuter-Platz 7 D-10587 Berlin From diogo_c at brturbo.com.br Fri Jan 25 05:47:37 2008 From: diogo_c at brturbo.com.br (Diogo Corteletti de Oliveira) Date: Fri, 25 Jan 2008 10:47:37 -0300 Subject: [Bro] Protocol Violation with Google IPs Message-ID: <4799E879.8010507@brturbo.com.br> Hello Guys, Anyone is having ProtocolViolation alarms with Google IPs? Analizying the packet trace I've noticed that either GMAIL or Google Talk is alerting Protocol Violation for the HTTP Analyzer. t=1201268671.707425 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS sa=x.x.x.x sp=1233/tcp da=209.85.171.86 dp=80/tcp msg=x.x.x.x/1233\ >\ 209.85.171.86/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\ violation sub=not\ a\ http\ reply\ line tag=@4792 Tks From gspathoulas at gmail.com Sat Jan 26 00:51:37 2008 From: gspathoulas at gmail.com (Georgios Spathoulas) Date: Sat, 26 Jan 2008 10:51:37 +0200 Subject: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap) In-Reply-To: <20080125105041.GU9233@in.tum.de> References: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> <20080125105041.GU9233@in.tum.de> Message-ID: <1b53dab80801260051r600fdebrd9a85ff9dfc9194e@mail.gmail.com> Hello again, I installed libcap-debv but no luck. I am attaching the config.log file. Please check it to see if you can discover the problem... 2008/1/25, Bernhard Ager : > > On Fri, Jan 25, 2008 at 12:08:04PM +0200, Georgios Spathoulas wrote: > > > I am trying to setup Bro IDS on an Ubuntu 7.10 system. I have tried both > 1.2and > > 1.3 versions and I get the same error when I run the ./configure command > : > > > > checking for local pcap library... not found > > checking for pcap_open_live in -lpcap... no > > checking for pcap_open_live in -lpcap... no > > configure: error: see the INSTALL doc for more info > > Most likely you need to install the libpcap-dev or libpcap0.8-dev > package. Likewise for other libraries. > > > Bernhard > -- > Technische Universit?t Berlin > An-Institut Deutsche Telekom Laboratories > FG INET, Research Group Anja Feldmann > Sekr. TEL 4 > Ernst-Reuter-Platz 7 > D-10587 Berlin > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080126/78cff90d/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: config.log Type: text/x-log Size: 41469 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080126/78cff90d/attachment-0001.bin From robin at icir.org Sun Jan 27 11:21:00 2008 From: robin at icir.org (Robin Sommer) Date: Sun, 27 Jan 2008 11:21:00 -0800 Subject: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap) In-Reply-To: <1b53dab80801260051r600fdebrd9a85ff9dfc9194e@mail.gmail.com> References: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> <20080125105041.GU9233@in.tum.de> <1b53dab80801260051r600fdebrd9a85ff9dfc9194e@mail.gmail.com> Message-ID: <20080127192100.GD6120@icir.org> On Sat, Jan 26, 2008 at 10:51 +0200, you wrote: > Please check it to see if you can discover the problem.. It doesn't find the library: configure:8312: gcc -o conftest -g -O2 conftest.c -lpcap >&5 /usr/bin/ld: cannot find -lpcap While I can't help with the Ubuntu installation, you could try to configure with "--enable-shippedpcap". That links against a libpcap shipped with Bro. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Sun Jan 27 11:23:05 2008 From: robin at icir.org (Robin Sommer) Date: Sun, 27 Jan 2008 11:23:05 -0800 Subject: [Bro] Protocol Violation with Google IPs In-Reply-To: <4799E879.8010507@brturbo.com.br> References: <4799E879.8010507@brturbo.com.br> Message-ID: <20080127192305.GF6120@icir.org> On Fri, Jan 25, 2008 at 10:47 -0300, you wrote: > Anyone is having ProtocolViolation alarms with Google > IPs? Analizying the packet trace I've noticed that either GMAIL or > Google Talk is alerting Protocol Violation for the HTTP Analyzer. I can look into it if you send me the trace (just the single connection reported in the alarm please). Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From ager at net.in.tum.de Sun Jan 27 11:38:41 2008 From: ager at net.in.tum.de (Bernhard Ager) Date: Sun, 27 Jan 2008 20:38:41 +0100 Subject: [Bro] Problem in compiling Bro on an Ubuntu 7.10 system (probably something with lpcap) In-Reply-To: <1b53dab80801261626h3f1530d5hf10bc7670c299fce@mail.gmail.com> References: <1b53dab80801250208g76bccda0q45fe87fb5bd695d6@mail.gmail.com> <20080125105041.GU9233@in.tum.de> <1b53dab80801260051r600fdebrd9a85ff9dfc9194e@mail.gmail.com> <20080126213201.GX9233@in.tum.de> <1b53dab80801261626h3f1530d5hf10bc7670c299fce@mail.gmail.com> Message-ID: <20080127193841.GY9233@in.tum.de> On Sun, Jan 27, 2008 at 02:26:01AM +0200, Georgios Spathoulas wrote: > But it again stops complaining about openssl > > checking openssl/ssl.h usability... no > checking openssl/ssl.h presence... no > checking for openssl/ssl.h... no > configure: error: cannot find openssl/ssl.h, sorry > configure: error: /bin/bash './configure' failed for aux/broccoli Just repeat installing libraries. In this case, you'll need some flavor of libssl or openssl and the corresponding "dev" package. There might be more unresolved dependencies like this, and the solution is always the same :-) Bernhard -- Technische Universit?t Berlin An-Institut Deutsche Telekom Laboratories FG INET, Research Group Anja Feldmann Sekr. TEL 4 Ernst-Reuter-Platz 7 D-10587 Berlin