<div dir="ltr">Some facts derived from the testing of bro-1.4prerelease:<br><br>First,I run bro on a DebianLinuxPPC workstation,which I use for<br>webbrowsing(ADSL connection) and offline use(for several purposes).<br>I capture the traffic with tcpdump and bro does the analysis of the <br>
captured traffic.As only the related http traffic services/ports<br>are enabled it's not a specially rich testing.Anyway,I get a much<br>less number of weird events(I have never had more troublesome notices)<br>than when I do the analysis of the same files with bro-1.2.1.<br>
As weird events are generally considered traffic that "should never<br>happen",shouldn't both versions signal approximately the same number <br>of weird events?<br><br>The compiling of bro-1.4prerelease on the above system(Debian testing)<br>
was done normally,I got some compiler warnings but at first sight<br>the usual harmless ones.<br><br>As I run both bro versions on the same files I got warnings like that:<br>line 1: run-time error: wrong data format, expected version 13 but got <br>
version 18<br>(running bro-1.2.1)<br>line 1: run-time error: wrong data format, expected version 18 but got <br>version 13<br>(running bro-1.4prerelease)<br>It seems related to the use of both versions of bro in the same<br>
computer session.<br><br>When I do bro -r tcpdumpcapturefile backdoor.bro I get:<br>(using 1.4release)<br>line 1: warning: event handlers never invoked:<br>line 1: warning: Drop::restore_dropped_address<br>When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.<br>
(using 1.4release).<br><br></div>