From magnus.anderssen at orange.ch Tue May 1 09:57:52 2001 From: magnus.anderssen at orange.ch (Anderssen Magnus) Date: Tue, 1 May 2001 18:57:52 +0200 Subject: malformed regular expression Message-ID: <130F25996DF0D411A9970002A513A71E4DC4B3@VDLAEXC7> Hi, I'm getting this run-time error: rune-time error: attempt to match to a malformed regular expression. The problem is that I don't know where it occurs. (in which event, ...) Do I get this message when trying to write to a file a empty string returned by Bro? Is there a way to get more precise error message? To be able to correct my script. Thanks <> Magnus Anderssen (D2 26A), Network Security Orange Communications SA WTC, 2 av. de Gratta-Paille, 1000 Lausanne 30 Grey direct phone : +41 21 216 1191 : mobile : +41 78 787 1191 fax : +41 86 078 787 1191 -------------- next part -------------- A non-text attachment was scrubbed... Name: policy.zip Type: application/octet-stream Size: 20744 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20010501/c7f8d74f/attachment.obj From vern at ee.lbl.gov Wed May 2 00:59:28 2001 From: vern at ee.lbl.gov (Vern Paxson) Date: Wed, 02 May 2001 00:59:28 PDT Subject: malformed regular expression In-Reply-To: Your message of Tue, 01 May 2001 18:57:52 PDT. Message-ID: <200105020759.f427xS309643@daffy.ee.lbl.gov> > I'm getting this run-time error: Please indicate what version of Bro you're running, so I can try to reproduce the problem. Vern From vern at ee.lbl.gov Wed May 2 01:31:00 2001 From: vern at ee.lbl.gov (Vern Paxson) Date: Wed, 02 May 2001 01:31:00 PDT Subject: malformed regular expression In-Reply-To: Your message of Wed, 02 May 2001 10:19:32 PDT. Message-ID: <200105020831.f428V0L10087@daffy.ee.lbl.gov> [I've put bro at lbl.gov back onto the cc line, since others may find this dialog helpful] > I run it on FreeBSD4.2. > The run-time error appears some times, but not allways... > When I monitor an ethernet network, it may appear 10 times a day. > but yesterday I tried it on a gigabit link... and the error appears a lot > more. > > It seems to occur with some packet arrival. > > $ bro -i wx0 mt.bro The next thing to do is use -w tracefile to record the traffic that Bro is reading, and then see if you can reproduce the problem using -r tracefile. If so, send the trace to me and I'll track it down, and fix the error message. Vern > > Magnus > > > > -----Original Message----- > > From: Vern Paxson [SMTP:vern at ee.lbl.gov] > > Sent: Wednesday, May 02, 2001 10:16 AM > > To: Anderssen Magnus > > Subject: Re: malformed regular expression > > > > > I'm using 0.6 and 0.7.48a... > > > > Okay, now I need to know how you're invoking it, because if I try just > > running "bro" (version 0.7a48) on your policy scripts, it runs okay for > > me. > > > > Vern From vern at ee.lbl.gov Wed May 2 16:54:17 2001 From: vern at ee.lbl.gov (Vern Paxson) Date: Wed, 02 May 2001 16:54:17 PDT Subject: malformed regular expression In-Reply-To: Your message of Tue, 01 May 2001 18:57:52 PDT. Message-ID: <200105022354.f42NsHV12552@daffy.ee.lbl.gov> The problem is that Bro was incorrectly processing an empty regular expression (corresponding to the "skip_authentication" variable, which was empty because you commented out its redefinition). Here's a patch. Vern *** RE.cc.ORIG Sun Oct 24 22:55:24 1999 --- RE.cc Wed May 2 16:48:03 2001 *************** *** 428,437 **** int Specific_RE_Matcher::MatchAll(byte_vec bv, int n) { if ( ! dfa ) ! { ! run_time("attempt to match to a malformed regular expression"); ! return 0; ! } DFA_State* d = dfa->StartState(); while ( d ) --- 428,436 ---- int Specific_RE_Matcher::MatchAll(byte_vec bv, int n) { if ( ! dfa ) ! // An empty pattern matches "all" iff what's being ! // matched is empty. ! return n == 0; DFA_State* d = dfa->StartState(); while ( d ) *************** *** 449,458 **** int Specific_RE_Matcher::Match(byte_vec bv, int n) { if ( ! dfa ) ! { ! run_time("attempt to match to a malformed regular expression"); ! return 0; ! } DFA_State* d = dfa->StartState(); --- 448,455 ---- int Specific_RE_Matcher::Match(byte_vec bv, int n) { if ( ! dfa ) ! // An empty pattern matches anything. ! return 1; DFA_State* d = dfa->StartState(); From magnus.anderssen at orange.ch Wed May 30 10:17:22 2001 From: magnus.anderssen at orange.ch (Anderssen Magnus) Date: Wed, 30 May 2001 19:17:22 +0200 Subject: method for clean-up Message-ID: <130F25996DF0D411A9970002A513A71E4DC5EA@VDLAEXC7> Hi, I am making a module for Bro to track some specific UDP traffic... I've an object (GTP_Conn) inheritating from UDP_Conn instantiated in Session.cc. I'm using a Dictionary, like the one used for the tcp_conns, udp_conns variables. I've created a custom key, the lookup works so I suppose the dictionary works well. this is how I created the dictionary: declare(PDict, GTP_Tunnel); // GTP_Tunnel is the class type of my custom object ... PDict(GTP_Tunnel) tunnels; ... tunnels.SetDeleteFunc(bro_obj_delete_func); // just copied this from the // tcp_conns exemple This is what I get when shuting down after simulating 1 packet: -- ...... received termination signal 1 packets received on interface lo0, 0 dropped Abort (core dumped) -- This is what I get when shuting down after simulating a lot of packet BUT only one GTP_Tunnel instance... -- ...... received termination signal 92854 packets received on interface lo0, 0 dropped /: write failed, file system full Abort -- Note : I have inserted printfs in all the destructors, it seems that the destructors of the tunnel instance(s) and of the variable 'tunnels' are not called, but GTP_Conn's one are called. Magnus.