[Bro] Some results from basic testing of bro-1.4prerelease.

Luca Renaud renaud.luca at gmail.com
Mon Sep 15 20:15:54 PDT 2008

Some facts derived from the testing of bro-1.4prerelease:

First,I run bro on a DebianLinuxPPC workstation,which I use for
webbrowsing(ADSL connection) and offline use(for several purposes).
I capture the traffic with tcpdump and bro does the analysis of the
captured traffic.As only the related http traffic services/ports
are enabled it's not a specially rich testing.Anyway,I get a much
less number of weird events(I have never had more troublesome notices)
than when I do the analysis of the same files with bro-1.2.1.
As weird events are generally considered traffic that "should never
happen",shouldn't both versions signal approximately the same number
of weird events?

The compiling of bro-1.4prerelease on the above system(Debian testing)
was done normally,I got some compiler warnings but at first sight
the usual harmless ones.

As I run both bro versions on the same files I got warnings like that:
line 1: run-time error: wrong data format, expected version 13 but got
version 18
(running bro-1.2.1)
line 1: run-time error: wrong data format, expected version 18 but got
version 13
(running bro-1.4prerelease)
It seems related to the use of both versions of bro in the same
computer session.

When I do bro -r tcpdumpcapturefile backdoor.bro I get:
(using 1.4release)
line 1: warning: event handlers never invoked:
line 1: warning:         Drop::restore_dropped_address
When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.
(using 1.4release).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080916/60c65e05/attachment.html 

More information about the Bro mailing list