From pierfrancesco_porcu at libero.it Wed Dec 12 07:05:48 2001
From: pierfrancesco_porcu at libero.it (pierfrancesco_porcu@libero.it)
Date: Wed, 12 Dec 2001 16:05:48 +0100
Subject: Bro and port scan
Message-ID:

Hi,

I have another question regarding Bro (version 0.7a90). I am testing Bro's ability to detect port scanners. I have found some other problems:

1) It doesn't detect FIN, Xmas and Null scans.
2) Bro doesn't detect the same scan twice between the same hosts on the same ports.
3) It consumes a large amount of memory.

To resolve the first, I added a script that detects FIN, Xmas and Null scans using the weird events they produce, and it all works well.

To resolve the second and the third, I added to scan.bro a recursive function (which uses Bro's delete function and a supporting table) to delete the records of the scan_triples table (the supporting table is deleted as well). While the first problem seems to be resolved, the second has gotten worse.

Is there an easy way to delete a subset of a table, or another way to reduce the memory consumption of the scan analyzer?

Thanks.

Pierfrancesco Porcu.

From athomas at unity.ncsu.edu Wed Dec 26 13:56:24 2001
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Wed, 26 Dec 2001 16:56:24 -0500 (EST)
Subject: regarding mechanism, policy
In-Reply-To: <200110250712.f9P7CVH38818@yak.aciri.org>
Message-ID:

hi,

It is very advantageous to have mechanism and policy separated (as mentioned in the Bro paper), but does it incur any overhead?

The paper says: for each event passed to the interpreter, it retrieves the (semi-)compiled code for the corresponding handler, binds the values of the event to the arguments of the handler, and interprets the code.

Wouldn't this take some extra time compared to if it were already compiled (although the flexibility is lost in the latter case)?

thanks a lot
Ashley

From athomas at unity.ncsu.edu Fri Dec 28 22:54:20 2001
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Sat, 29 Dec 2001 01:54:20 -0500 (EST)
Subject: internal error: bad reference count
Message-ID:

hi,

I am using Bro version 0.7a48 on OpenBSD 2.9. (I have made some changes to it.)

I am getting an internal error while running Bro on a specific case. Any pointers on when an 'internal error' occurs? If anyone could give some pointers/ideas as to what type of error this might be, that would be helpful.

This is what gdb's 'where' returned:

---------------------------------------------------------------------
internal error: bad reference count

Program received signal SIGABRT, Aborted.
0x401716ff in _thread_sys_kill ()
(gdb) where
#0  0x401716ff in _thread_sys_kill ()
#1  0x4019d680 in abort ()
#2  0x167a7 in internal_error (fmt=0x1672a "%s", arg=0x5bc9c "bad reference count") at util.cc:233
#3  0x16746 in internal_error (msg=0x5bc9c "bad reference count") at util.cc:224
#4  0x5bcc3 in bad_ref () at Obj.cc:124
#5  0x3e574 in Frame::Release (this=0x4355e0) at Obj.h:93
#6  0x3e536 in Frame::~Frame (this=0x4355e0, __in_chrg=3) at Frame.cc:33
#7  0x3faba in BroFunc::Call (this=0x18f480, args=0x42f740) at Obj.h:94
#8  0x2986a in EventMgr::Dispatch (this=0xbf43c) at Event.h:38
#9  0x298b9 in EventMgr::Drain (this=0xbf43c) at Event.cc:107
#10 0x59cc6 in dispatch_next_packet () at Net.cc:250
#11 0x5a21d in net_run () at Net.cc:308
#12 0x33c1 in main (argc=6, argv=0xdfbfd82c) at main.cc:372
---------------------------------------------------------------------

This happened when it received an HTTP packet.

thanks a lot
Ashley
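Returning to Pierfrancesco Porcu's first message above (detecting FIN, Xmas and Null probes from their flag combinations, and deleting scan_triples entries so that memory stays bounded and a repeated scan is reported again): the following is an added example, written for this page and not taken from the list or from Bro. It models the logic in plain Python rather than in Bro's policy language, so the class and function names, the threshold and TTL values, and the addresses and ports in the demo are all constructed assumptions; only the TCP flag bit positions follow the protocol. Expiring entries by age is one way to bound the table; it is not a statement about what the 0.7a90 scan analyzer offered.

```python
"""FIN/Xmas/Null probe classification plus a bounded scan-triples table.

Added example in Python, not Bro script.  All hosts, ports and
timestamps below are constructed, not captured traffic.
"""
from typing import Dict, Optional, Tuple

# TCP flag bits as laid out in the flags byte (offset 13) of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> Optional[str]:
    """Map the flag byte of an opening segment to a stealth-scan type.

    A real connection opens with SYN; none of these combinations can
    start one, which is why Bro surfaces them as 'weird' rather than
    as connection attempts.
    """
    f = flags & 0x3F
    if f == 0:
        return "null"                  # no flags at all (nmap -sN)
    if f == FIN:
        return "fin"                   # lone FIN (nmap -sF)
    if f == FIN | PSH | URG:
        return "xmas"                  # FIN+PSH+URG (nmap -sX)
    return None                        # anything else is not a stealth probe


class ScanTracker:
    """Track (orig, resp, port) probes per scanner with a time-to-live.

    Two behaviours the message asked for: entries expire (bounding
    memory) and a reported scanner's entries are dropped, so the same
    scan repeated later is reported again instead of being ignored.
    """

    def __init__(self, threshold: int = 5, ttl: float = 300.0) -> None:
        self.threshold = threshold     # distinct ports before we alert (assumed)
        self.ttl = ttl                 # seconds an entry may live (assumed)
        # (orig, resp, port) -> timestamp of first sighting
        self.triples: Dict[Tuple[str, str, int], float] = {}

    def _expire(self, now: float) -> int:
        """Delete every triple older than ttl; return how many were dropped."""
        stale = [k for k, t in self.triples.items() if now - t > self.ttl]
        for k in stale:
            del self.triples[k]
        return len(stale)

    def _forget(self, orig: str) -> None:
        """Delete the subset of the table belonging to one originator."""
        for k in [k for k in self.triples if k[0] == orig]:
            del self.triples[k]

    def observe(self, orig: str, resp: str, port: int, flags: int,
                now: float) -> Optional[str]:
        """Feed one opening segment; return an alert string or None."""
        kind = classify_probe(flags)
        if kind is None:
            return None
        self._expire(now)
        key = (orig, resp, port)
        if key in self.triples:
            return None                # same probe already counted
        self.triples[key] = now
        ports = {k[2] for k in self.triples if k[0] == orig}
        if len(ports) >= self.threshold:
            self._forget(orig)         # start fresh so a repeat is caught
            return f"{kind} scan: {orig} probed {len(ports)} ports on {resp}"
        return None


def demo() -> Tuple[int, int]:
    """Constructed input: one Xmas sweep of five ports, repeated 1000 s later.

    Returns (alerts raised, triples still held) so the effect of deleting
    the originator's subset is visible: both sweeps alert, nothing lingers.
    """
    tr = ScanTracker(threshold=5, ttl=60.0)
    alerts = 0
    for t0 in (0.0, 1000.0):
        for i, port in enumerate((21, 22, 23, 25, 80)):
            if tr.observe("10.0.0.9", "10.0.0.1", port, FIN | PSH | URG, t0 + i):
                alerts += 1
    # An ordinary SYN open is not a probe and never enters the table.
    assert tr.observe("10.0.0.9", "10.0.0.1", 443, SYN, 2000.0) is None
    return alerts, len(tr.triples)


if __name__ == "__main__":
    print(demo())                      # (2, 0)
```

The per-originator deletion in `_forget` is the "delete a subset of a table" step done explicitly, one key at a time, which is all a dictionary (or a Bro table) really offers; the age-based sweep in `_expire` is what keeps the table from growing without bound when a scanner never crosses the threshold.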