From magnus.anderssen at orange.ch Thu Feb 1 07:45:48 2001
From: magnus.anderssen at orange.ch (Anderssen Magnus)
Date: Thu, 1 Feb 2001 16:45:48 +0100
Subject: OS setup
Message-ID: <2B26E094BB13D3118FB3006008214FA5019F8403@vdlaexc0.orange.ch>

Hi,

I'm trying to configure Bro to run on my system (FreeBSD 4.2). From the alpha doc:

- BPF kernel support: I got it
- /dev/bpf devices, permissions: 'MAKEDEV'ed the devices and set crw-r----- permissions
- sysctl buffer sizes: which buffer sizes are relevant?
- libpcap that doesn't limit buffer sizes: how to know? I got the libpcap (v0.5) provided with FreeBSD 4.2

Thanks in advance.

Magnus Anderssen

From magnus.anderssen at orange.ch Fri Feb 2 07:35:02 2001
From: magnus.anderssen at orange.ch (Anderssen Magnus)
Date: Fri, 2 Feb 2001 16:35:02 +0100
Subject: dump files, loopback
Message-ID: <2B26E094BB13D3118FB3006008214FA5019F8435@vdlaexc0.orange.ch>

Hi again,

I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since I cannot connect the machine to the network where I am now, I would like to test my policy. I've tried to start Bro on the localhost interface. I am only using the standard conn.bro file, modified a little bit: the only processing of events I do is to write the name of the event function. It works with bro_init(). But nothing is logged (I am not using the log module, so it should appear in my terminal), but tcpdump 'sees' the traffic (telnet and ftp on localhost).

I've also tried to read from a dump file of tcpdump (tcpdump -i lo0 -w filename), but I get this kind of output:

...
weird: 981105864.406810 bad_IP_cheksum
...

I've tried to read the file with tcpdump (-r filename) and it works. So I thought that maybe my localhost device does not format the packets correctly and tried to read a dump from another machine. But even tcpdump won't read these files (coming from a Linux box).

Does somebody have a raw dump for me to try, or even better a solution to my problem(s)?

Thanks,
Magnus.
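As an added illustration of the loopback question above (this is example code written for this page, not code from the thread, from Bro or from libpcap): Vern's reply later in the thread points at the link-header length Bro assumes per libpcap data-link type, and at the 4-byte header of the BSD loopback type DLT_NULL. The program below parses a constructed DLT_NULL frame with the correct 4-byte header and verifies the IPv4 header checksum, then repeats the check with Ethernet's 14-byte header to show that a wrong header length lands on the wrong bytes and fails exactly as a "bad IP checksum" weird. The DLT and AF constants are the values bpf.h uses; the sample frame is constructed for this example.

```c
/*
 * Added example, not code from the Bro thread or the Bro source: shows how
 * the link-layer header length depends on the libpcap data-link type and
 * why getting it wrong on the BSD loopback interface (DLT_NULL) shows up as
 * an IP checksum failure. Constants mirror the values libpcap/bpf.h use;
 * the sample frame below is constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_NULL    0   /* BSD loopback: 4-byte address-family word, host byte order */
#define DLT_EN10MB  1   /* Ethernet: 14-byte header */
#define AF_INET_BSD 2   /* AF_INET as the BSD kernel writes it into the DLT_NULL word */

/* Link-layer header length for a data-link type; -1 if we don't know it. */
int link_hdr_len(int dlt)
{
    switch (dlt) {
    case DLT_NULL:   return 4;
    case DLT_EN10MB: return 14;
    default:         return -1;
    }
}

/* Address family from a DLT_NULL frame captured on a little-endian host
 * (the word is in host order, so the low byte comes first). */
uint32_t loopback_af_le(const uint8_t *frame)
{
    return (uint32_t)frame[0] | (uint32_t)frame[1] << 8 |
           (uint32_t)frame[2] << 16 | (uint32_t)frame[3] << 24;
}

/* Internet checksum (RFC 1071) over len bytes. Over a header whose checksum
 * field is already filled in, a correct header sums to 0. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)
        sum += (uint32_t)(data[len - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Check the IPv4 header that should follow a link header of hdr_len bytes:
 * returns 1 if the version nibble is 4 and the header checksum verifies,
 * 0 otherwise (including a bad or unknown hdr_len). */
int ipv4_header_ok(const uint8_t *frame, size_t frame_len, int hdr_len)
{
    const uint8_t *ip;
    size_t ihl;

    if (hdr_len < 0 || (size_t)hdr_len + 20 > frame_len)
        return 0;
    ip = frame + hdr_len;
    if ((ip[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || (size_t)hdr_len + ihl > frame_len)
        return 0;
    return in_cksum(ip, ihl) == 0;
}

/* Constructed sample: one DLT_NULL frame as a little-endian FreeBSD box
 * would hand it to libpcap: AF_INET word, then a 20-byte IPv4 header
 * (127.0.0.1 -> 127.0.0.1, protocol TCP) with a correct checksum, then a
 * 20-byte TCP SYN header whose contents don't matter here. */
const uint8_t sample_frame[] = {
    0x02, 0x00, 0x00, 0x00,   /* AF_INET in host (little-endian) order */
    0x45, 0x00, 0x00, 0x28,   /* IPv4, IHL 5, total length 40 */
    0x00, 0x01, 0x00, 0x00,   /* id 1, no flags, fragment offset 0 */
    0x40, 0x06, 0x7c, 0xcd,   /* TTL 64, proto 6 (TCP), header checksum */
    0x7f, 0x00, 0x00, 0x01,   /* src 127.0.0.1 */
    0x7f, 0x00, 0x00, 0x01,   /* dst 127.0.0.1 */
    0x04, 0xd2, 0x00, 0x17,   /* TCP src port 1234, dst port 23 */
    0x00, 0x00, 0x00, 0x00,   /* seq */
    0x00, 0x00, 0x00, 0x00,   /* ack */
    0x50, 0x02, 0xff, 0xff,   /* data offset 5, SYN, window */
    0x00, 0x00, 0x00, 0x00    /* TCP checksum (unused here), urgent ptr */
};

size_t sample_frame_size(void)
{
    return sizeof(sample_frame);
}

int main(void)
{
    size_t n = sample_frame_size();
    printf("AF word: %u\n", (unsigned)loopback_af_le(sample_frame));
    printf("DLT_NULL (4-byte header):    IPv4 header ok = %d\n",
           ipv4_header_ok(sample_frame, n, link_hdr_len(DLT_NULL)));
    printf("DLT_EN10MB (14-byte header): IPv4 header ok = %d\n",
           ipv4_header_ok(sample_frame, n, link_hdr_len(DLT_EN10MB)));
    return 0;
}
```

The second call demonstrates the failure mode: with a 14-byte offset the "version" nibble read is 7 (it is really a byte of the IP checksum field), so the header is rejected, which is the same symptom a capture engine shows as a bad IP checksum when its per-DLT header table is wrong for the loopback interface. A real tool would take the DLT from pcap_datalink() on the open handle and feed it to link_hdr_len() rather than hard-coding one length.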
From kerberos_007 at hotmail.com Sat Feb 3 12:52:06 2001
From: kerberos_007 at hotmail.com (kerberos kkk)
Date: Sat, 03 Feb 2001 15:52:06 -0500
Subject: Connection Summary: Bro
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20010203/77e91e6f/attachment.html

From magnus.anderssen at orange.ch Wed Feb 7 05:19:01 2001
From: magnus.anderssen at orange.ch (Anderssen Magnus)
Date: Wed, 7 Feb 2001 14:19:01 +0100
Subject: FW: bad tag in BroType::AsTableType
Message-ID: <2B26E094BB13D3118FB3006008214FA501D64028@vdlaexc0.orange.ch>

> Hi,
>
> I get this message concerning a record type variable:
> - login.bro, line 100 (record { user:string, demuxed:bool... }): bad tag
> in BroType::AsTableType.
>
> I've been modifying (simplifying) the example scripts. Even removing
> all the variables from the record does not help: I still get the error
> message with empty { }.
>
> Did somebody have the same problem? How did you solve the problem?
>
> Magnus Anderssen

From kerberos_007 at hotmail.com Thu Feb 8 14:45:02 2001
From: kerberos_007 at hotmail.com (kerberos kkk)
Date: Thu, 08 Feb 2001 17:45:02 -0500
Subject: Bro: "weird_file: undeclared variable"
Message-ID:

hi

I just compiled the bro.7a48 version and ran it. It ran for the first time and went to listening mode on the port I specified: "listening on eth0". I stopped it. The next time I ran it, it gives:

policy/login.bro, line 362 (weird_file): error, undeclared variable
policy/login.bro, line 404 (weird_file): error, undeclared variable
policy/login.bro, line 409 (weird_file): error, undeclared variable
policy/login.bro, line 414 (weird_file): error, undeclared variable

I haven't changed anything. Has anyone seen this problem?
Thanks for the help

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com

From vern at ee.lbl.gov Tue Feb 13 01:55:35 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 13 Feb 2001 01:55:35 PST
Subject: OS setup
In-Reply-To: Your message of Thu, 01 Feb 2001 16:45:48 PST.
Message-ID: <200102130955.f1D9tZ501941@daffy.ee.lbl.gov>

Sorry for the lengthy delay in replying to the recent messages - I had *three* papers due during the last couple of weeks, and was completely buried working on them.

> - libpcap that doesn't limit buffer sizes: how to know? I got the libpcap
> (v0.5) provided with FreeBSD 4.2

Here's a patch to fix pcap-bpf.c.

Vern

*** pcap-bpf.c 1998/07/12 13:14:55 1.31 --- pcap-bpf.c 2000/01/26 23:21:30 *************** *** 159,165 **** int fd; struct ifreq ifr; struct bpf_version bv; ! u_int v; pcap_t *p; p = (pcap_t *)malloc(sizeof(*p)); --- 166,172 ---- int fd; struct ifreq ifr; struct bpf_version bv; ! u_int v, n; pcap_t *p; p = (pcap_t *)malloc(sizeof(*p)); *************** *** 184,196 **** sprintf(ebuf, "kernel bpf filter out of date"); goto bad; } ! v = 32768; /* XXX this should be a user-accessible hook */ ! /* Ignore the return value - this is because the call fails on ! * BPF systems that don't have kernel malloc. And if the call ! * fails, it's no big deal, we just continue to use the standard ! * buffer size. */ ! (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { --- 191,211 ---- sprintf(ebuf, "kernel bpf filter out of date"); goto bad; } ! ! /* ! * The bpf buffer length typically defaults to 4k. Check to see ! * what it is and if it's not larger than 32k, try to raise it. */ ! n = 32768; /* XXX this should be a user-accessible hook */ ! if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) >= 0 && v < n) { ! /* ! * Ignore the return value - this is because the call ! 
* fails on BPF systems that don't have kernel malloc. ! * And if the call fails, it's no big deal, we just ! * continue to use the standard buffer size. ! */ ! (void) ioctl(fd, BIOCSBLEN, (caddr_t)&n); ! } (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {

From vern at ee.lbl.gov Tue Feb 13 01:55:40 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 13 Feb 2001 01:55:40 PST
Subject: dump files, loopback
In-Reply-To: Your message of Fri, 02 Feb 2001 16:35:02 PST.
Message-ID: <200102130955.f1D9teZ01946@daffy.ee.lbl.gov>

> I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since
> I cannot connect the machine to the network where I am now, I would like
> to test my policy. I've tried to start Bro on the localhost interface. I am
> only using the standard conn.bro file, modified a little bit: the only
> processing of events I do is to write the name of the event function. It works
> with bro_init(). But nothing is logged (I am not using the log module, so it
> should appear in my terminal), but tcpdump 'sees' the traffic (telnet and
> ftp on localhost).
> I've also tried to read from a dump file of tcpdump (tcpdump -i lo0
> -w filename), but I get this kind of output:
> ...
> weird: 981105864.406810 bad_IP_cheksum

The problem is likely in PktSrc::SetHdrSize(), which is hardwired to know about a few interface types. Presumably libpcap returns DLT_NULL for the loopback interface. The code currently sets the header length to 4 bytes for that type. Perhaps this has changed under FreeBSD (or never worked).

Vern

From vern at ee.lbl.gov Tue Feb 13 01:55:48 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 13 Feb 2001 01:55:48 PST
Subject: Bro: "weird_file: undeclared variable"
In-Reply-To: Your message of Thu, 08 Feb 2001 17:45:02 PST.
Message-ID: <200102130955.f1D9tmv01956@daffy.ee.lbl.gov>

> I just compiled the bro.7a48 version and ran it.
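Review bot: in the second hunk of the pcap-bpf.c patch above, the BIOCSBLEN result is still deliberately ignored, so after that block `n` is only a request, not the buffer length in effect; the code that sizes the read buffer later in the function must keep re-reading it with BIOCGBLEN after BIOCSETIF rather than assuming 32768, and the new comment should say so. The `v < n` guard is the substantive change: a kernel default that is already larger than 32k (for example one raised via sysctl, as the OS-setup question asked about) is now left alone instead of being shrunk, which the comment could state instead of only "try to raise it".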
> it ran for the first time and went to listening mode on the port I
> specified: "listening on eth0"
>
> I stopped it. The next time I ran it, it gives:
>
> policy/login.bro, line 362 (weird_file): error, undeclared variable
> policy/login.bro, line 404 (weird_file): error, undeclared variable
> policy/login.bro, line 409 (weird_file): error, undeclared variable
> policy/login.bro, line 414 (weird_file): error, undeclared variable
>
> I haven't changed anything.
>
> Has anyone seen this problem?

The problem is this. The first time you're running Bro, it's creating a "weird" file to record unusual events. The name of this file is "weird.$BRO_ID", but if you haven't set $BRO_ID then it's just "weird". However, login.bro contains "@load weird", which instructs Bro to look for a policy file called "weird" or "weird.bro". The first of these is the problem: it's loading the empty file it just created rather than policy/weird.bro.

Workaround: set $BRO_ID before running.

Probably the correct longer-term fix is to have a default name that still has a suffix (probably ".log").

Vern

From vern at ee.lbl.gov Tue Feb 13 01:55:45 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Tue, 13 Feb 2001 01:55:45 PST
Subject: FW: bad tag in BroType::AsTableType
In-Reply-To: Your message of Wed, 07 Feb 2001 14:19:01 PST.
Message-ID: <200102130955.f1D9tji01951@daffy.ee.lbl.gov>

> I get this message concerning a record type variable:
> - login.bro, line 100 (record { user:string, demuxed:bool... }): bad tag
> in BroType::AsTableType.
>
> I've been modifying (simplifying) the example scripts. Even removing
> all the variables from the record does not help: I still get the error
> message with empty { }.
>
> Did somebody have the same problem? How did you solve the problem?

Send me the script(s) you're using and the invocation arguments.
Generally, "bad tag" indicates an internal error in which there's a type inconsistency, such as bro.init giving one type for a variable but the Bro interpreter assuming a different type.

Vern

From yjheo at etri.re.kr Wed Feb 14 20:52:51 2001
From: yjheo at etri.re.kr (yjheo at etri.re.kr)
Date: Thu, 15 Feb 2001 13:52:51 +0900
Subject: No subject
Message-ID: <001501c0970b$26b05a60$0d04000a@etri.re.kr>

subscribe bro

============================================
Young-Jun Heo
Senior Member of Engineering Staff
Network Security Architecture Research Team
Information Security Application Department
Information Security Technology Division
ETRI
161 Kajong-dong, Yusong-Gu, Taejon, 305-350, KOREA
Tel: +82 42 860 5473
Fax: +82 42 860 5611
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20010215/6b8ff189/attachment.html

From flah at phess.org Wed Feb 21 20:31:08 2001
From: flah at phess.org (Phil C)
Date: Wed, 21 Feb 2001 23:31:08 -0500
Subject: Common Question?
Message-ID: <20010221233108.A2670@planw-65-33-233-186.pompano.net>

I am using Bro version 0.7a48, which of course came with the usual slew of scripts in /usr/local/share/bro. Bro always complains about the file conn.bro line 197, which is trying to:

if ( have_FTP && is_ftp_data_conn(c) )

That looks ok to me (have_FTP is set to T); the error is:

982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set

If I am suffering from this problem, I assume it is by now a common question on this list. If so, and there are archives or places for 'newbies' to go, please point me there...

One more quick question: what does &redef do? I see it smattered all over but never mentioned in the docs.
--
Thanks,
Phil

From kerberos_007 at hotmail.com Thu Feb 22 15:10:25 2001
From: kerberos_007 at hotmail.com (kerberos kkk)
Date: Thu, 22 Feb 2001 18:10:25 -0500
Subject: Bro: http_request
Message-ID:

hi,

I am using bro-pub-0.7a48. internal_func(const char* name), in Var.cc, returns NULL when 'http_request' is passed to it. This function calls internal_val(const char* name), which does this:

ID* id = lookup_ID(name);
id->ID_Val();

but this ID_Val function returns NULL. I saw this because when an HTTP connection came in, the line c = new HTTP_Conn... in Sessions.cc was not being executed because the http_request variable was not set. This happens only for http_request; ftp/telnet etc. run fine. I ran bro-pub-0.6, which didn't have this problem. I can't figure out why. Any insight into this will be very helpful.

thanks a lot

From vern at ee.lbl.gov Sun Feb 25 23:48:29 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sun, 25 Feb 2001 23:48:29 PST
Subject: Common Question?
In-Reply-To: Your message of Wed, 21 Feb 2001 23:31:08 PST.
Message-ID: <200102260748.f1Q7mTe16250@daffy.ee.lbl.gov>

> I am using Bro version 0.7a48, which of course came with the usual slew of
> scripts in /usr/local/share/bro. Bro always complains about the file conn.bro
> line 197, which is trying to:
>
> if ( have_FTP && is_ftp_data_conn(c) )
>
> That looks ok to me (have_FTP is set to T); the error is:
>
> 982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set

have_FTP should only be true if you did "@load ftp" somewhere in your policy script (or loaded one of the standard scripts that does this). If you're setting it by hand instead, that's your problem. If not, please send me exactly how you're invoking Bro and with what policy script.

> One more quick question: what does &redef do?
> I see it smattered all over but
> never mentioned in the docs.

It marks a variable as redefinable (or refinable). So for example you can have:

	global foo = 5 &redef;

	...

	redef foo = 4;

and the second definition redefines foo's initial value to be 4 rather than 5. You also can use += and -= to redef aggregate variables (tables, sets) to have more or fewer members (and you can use += to add to a pattern variable).

If the first declaration of foo above didn't include &redef, then Bro would complain upon seeing the second definition.

redef is a basic mechanism for allowing one policy script to override some of the values in another script, so you can express one policy as modifications to another policy rather than having to maintain two slightly different versions of the policies.

Vern

From vern at ee.lbl.gov Sun Feb 25 23:50:25 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sun, 25 Feb 2001 23:50:25 PST
Subject: Bro: http_request
In-Reply-To: Your message of Thu, 22 Feb 2001 18:10:25 PST.
Message-ID: <200102260750.f1Q7oPf16263@daffy.ee.lbl.gov>

> internal_func(const char* name), in Var.cc, returns NULL when 'http_request'
> is passed to it.

This will happen unless your policy script defines an http_request event handler (which you can do, for example, by using "@load http" to pull in the usual HTTP handler). If that doesn't explain the problem you're encountering, please send exactly how you're invoking Bro and with what policy script.

Vern

From kerberos_007 at hotmail.com Mon Feb 26 18:29:55 2001
From: kerberos_007 at hotmail.com (kerberos kkk)
Date: Mon, 26 Feb 2001 21:29:55 -0500
Subject: Common Question?
Message-ID:

hi,

If I use http_session_id in http.bro and my_script.bro, I define

global http_session_id = 0 ;

in both scripts. It says "already defined". If I remove it from one place it says "Not defined". Can I get around this problem? I thought global would make the variable visible to all the scripts.
thanks

>From: Vern Paxson
>To: Phil C
>CC: bro at listserv.lbl.gov
>Subject: Re: Common Question?
>Date: Sun, 25 Feb 2001 23:48:29 PST
>
> > I am using Bro version 0.7a48, which of course came with the usual slew of
> > scripts in /usr/local/share/bro. Bro always complains about the file conn.bro
> > line 197, which is trying to:
> >
> > if ( have_FTP && is_ftp_data_conn(c) )
> >
> > That looks ok to me (have_FTP is set to T); the error is:
> >
> > 982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set
>
>have_FTP should only be true if you did "@load ftp" somewhere in your
>policy script (or loaded one of the standard scripts that does this).
>If you're setting it by hand instead, that's your problem. If not, please
>send me exactly how you're invoking Bro and with what policy script.
>
> > One more quick question: what does &redef do? I see it smattered all over but
> > never mentioned in the docs.
>
>It marks a variable as redefinable (or refinable). So for example you
>can have:
>
> global foo = 5 &redef;
>
> ...
>
> redef foo = 4;
>
>and the second definition redefines foo's initial value to be 4 rather than 5.
>You also can use += and -= to redef aggregate variables (tables, sets) to have
>more or fewer members (and you can use += to add to a pattern variable).
>
>If the first declaration of foo above didn't include &redef, then Bro
>would complain upon seeing the second definition.
>
>redef is a basic mechanism for allowing one policy script to override
>some of the values in another script so you can express one policy as
>modifications to another policy, rather than having to maintain two
>slightly different versions of the policies.
>
> Vern

From vern at ee.lbl.gov Mon Feb 26 23:01:48 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Mon, 26 Feb 2001 23:01:48 PST
Subject: Common Question?
In-Reply-To: Your message of Mon, 26 Feb 2001 21:29:55 PST.
Message-ID: <200102270701.f1R71mv22800@daffy.ee.lbl.gov>

> If I use http_session_id in http.bro and my_script.bro

As I mentioned before:

> If you're setting it by hand instead, that's your problem. If not, please
> send me exactly how you're invoking Bro and with what policy script.

I really can't help with problems in my_script.bro unless I know what's in it! (And, naturally, any changes you've made to the scripts that come with the distribution.)

Vern
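The &redef mechanism Vern describes in his "Common Question?" reply above, carried through as an added pair of policy scripts. These are written for this page and are not code from the Bro distribution or from anyone in the thread; the file names base-policy.bro and site-policy.bro, and the variable names, are made up for the example. The block shows the three forms Vern lists (= for a scalar, += and -= for a set, += for a pattern) and the case that Bro rejects (a redef of a variable that was never marked &redef).

```bro
# --- base-policy.bro (hypothetical file) ---
# Defaults a site is expected to refine. Each is marked &redef, so a later
# script may change the initial value without editing this file.
global interesting_ports: set[port] = { 21/tcp, 23/tcp } &redef;
global max_login_failures = 5 &redef;
global suspicious_user = /root|admin/ &redef;

# Not marked &redef: a later "redef locked_value = ..." is an error, which
# is how the base script keeps a value from being overridden.
global locked_value = 10;

# --- site-policy.bro (hypothetical file) ---
# Local policy expressed as modifications to the base, rather than as a
# second, slightly different copy of base-policy.bro.
@load base-policy

redef interesting_ports += { 80/tcp };   # += adds members to a set or table
redef interesting_ports -= { 23/tcp };   # -= removes members
redef max_login_failures = 3;            # = replaces a scalar's initial value
redef suspicious_user += /guest/;        # += extends a pattern

event bro_init()
	{
	print interesting_ports;
	print max_login_failures;
	}
```

Loading site-policy.bro gives a policy that differs from the base only in the four redef lines; when base-policy.bro changes, the site script picks the changes up without a merge, which is the maintenance point Vern makes about not keeping two slightly different versions.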