From wsffree at hotmail.com Tue Aug 6 20:31:42 2002 From: wsffree at hotmail.com (Wang Shaofu) Date: Wed, 07 Aug 2002 11:31:42 +0800 Subject: function like printf,in Bro language Message-ID: Hi :) I make one change in demux.bro : ... function demux_conn(id: conn_id, tag: string, otag: string, rtag: string): bool { ... if ( ! created_demux_dir ) { mkdir(demux_dir); created_demux_dir = T; printf("%s",demux_dir); ~~~~~~~~~~~~~~~~~~~~~~~~~~~change here. } ... } ... And invoke bro ,using : ./bro -i eth0 demux.bro And the output is : policy/demux.bro,line 21 (printf):error,undeclared variable policy/demux.bro,line 21 (printf(%s,demux_dir)):warning,expression value ignored Is there a function doing what does "printf" do ,in Bro language? Thanks for your help,and have a nice day. :) cloud _________________________________________________________________ ?????????????? MSN Messenger: http://messenger.microsoft.com/cn/ From robin at icir.org Tue Aug 6 20:45:30 2002 From: robin at icir.org (Robin Sommer) Date: Wed, 7 Aug 2002 05:45:30 +0200 Subject: function like printf,in Bro language In-Reply-To: References: Message-ID: <20020807034530.GA14520@net.uni-sb.de> On Wed, Aug 07, 2002 at 11:31 +0800, Wang Shaofu wrote: > printf("%s",demux_dir); [...] > Is there a function doing what does "printf" do ,in Bro language? There is "fmt" which builds a string in a printf-like way (see the "predefined functions" section in Bro's manual for details). But for the case above, you don't need it actually: print demux_dir; Robin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20020807/455f2501/attachment.bin From wsffree at hotmail.com Thu Aug 8 07:34:50 2002 From: wsffree at hotmail.com (Wang Shaofu) Date: Thu, 08 Aug 2002 22:34:50 +0800 Subject: function like printf,in Bro language Message-ID: > > printf("%s",demux_dir); >[...] > > Is there a function doing what does "printf" do ,in Bro language? > >There is "fmt" which builds a string in a printf-like way (see the >"predefined functions" section in Bro's manual for details). > >But for the case above, you don't need it actually: > > print demux_dir; > >Robin I want to put it to the screen. fmt can not do that . What should I do ? _________________________________________________________________ ???? MSN Explorer: http://explorer.msn.com/lccn/ From rpang at icir.org Thu Aug 8 15:55:27 2002 From: rpang at icir.org (Ruoming Pang) Date: Thu, 8 Aug 2002 15:55:27 -0700 (PDT) Subject: function like printf,in Bro language In-Reply-To: Message-ID: > >There is "fmt" which builds a string in a printf-like way (see the > >"predefined functions" section in Bro's manual for details). > > I want to put it to the screen. fmt can not do that . What should I do ? Either of following two ways will do: print demux_dir; or print fmt("%s", demux_dir); Ruoming From sjh at whiskey.ucf.ics.uci.edu Wed Aug 21 22:03:44 2002 From: sjh at whiskey.ucf.ics.uci.edu (Seth Hettich) Date: Wed, 21 Aug 2002 22:03:44 -0700 Subject: bro Message-ID: <200208220503.g7M53il10406@whiskey.ucf.ics.uci.edu> Hello, I just got bro read the manual, and am still looking at the src. In order to get it to build w/ g++ 3.1 I had to change a few files, all changes like: change: (DFA.h line 123) friend DFA_State; // for DFA_State::ComputeXtion To: friend class DFA_State; // for DFA_State::ComputeXtion Also, how active is development? Looking at the file dates it seems like nothing has changes since last Sept. -Seth From vern at icir.org Thu Aug 22 22:00:36 2002 From: vern at icir.org (Vern Paxson) Date: Thu, 22 Aug 2002 22:00:36 -0700 Subject: bro In-Reply-To: Your message of Wed, 21 Aug 2002 22:03:44 PDT. Message-ID: <200208230500.g7N50a12076244@yak.icir.org> > change: (DFA.h line 123) > friend DFA_State; // for DFA_State::ComputeXtion > To: > friend class DFA_State; // for DFA_State::ComputeXtion Thanks. (This has actually already been fixed for the next release.) > Also, how active is development? Looking at the file dates > it seems like nothing has changes since last Sept. Development is quite active. I've been debating whether to put together another alpha snapshot, or wait until I flesh out the remaining parts of the manual and then put out a beta release (one that would be publicly available off of the Web). If folks are particularly interested in another alpha snapshot (a lot has been added, but it would only be briefly described in the CHANGES file), I'd be interested in hearing that. Vern From wushi at yahoo.com Thu Aug 22 23:22:55 2002 From: wushi at yahoo.com (shi wu) Date: Thu, 22 Aug 2002 23:22:55 -0700 (PDT) Subject: No subject Message-ID: <20020823062255.34714.qmail@web13902.mail.yahoo.com> yes, I am interested in another alpha snapshot, I think bro is perfect.pls upload it. thanks Original Message ----- From: "Vern Paxson" To: Cc: Sent: Friday, August 23, 2002 1:00 PM Subject: Re: bro > > change: (DFA.h line 123) > > friend DFA_State; // for DFA_State::ComputeXtion > > To: > > friend class DFA_State; // for DFA_State::ComputeXtion > > Thanks. (This has actually already been fixed for the next release.) > > > Also, how active is development? Looking at the file dates > > it seems like nothing has changes since last Sept. > > Development is quite active. I've been debating whether to put together > another alpha snapshot, or wait until I flesh out the remaining parts of > the manual and then put out a beta release (one that would be publicly > available off of the Web). If folks are particularly interested in another > alpha snapshot (a lot has been added, but it would only be briefly described > in the CHANGES file), I'd be interested in hearing that. > > Vern __________________________________________________ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com From mazequest at hotmail.com Tue Aug 27 08:13:06 2002 From: mazequest at hotmail.com (Kyle C Quest) Date: Tue, 27 Aug 2002 15:13:06 +0000 Subject: OMD Message-ID: Hi everybody, I posted links to OMD diagram drafts about 2 years ago (July 13). I wonder if anybody made any copies. The temp website where the diagrams were posted expired a while ago and my old OMD diagram copies and the new OMD diagrams were stored on one of the computers that were damaged during my move to Boston in August of the same year. I would like to resotore the old diagrams and the new ones (based on the old diagrams). Kyle _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx From wsffree at hotmail.com Wed Aug 28 19:25:37 2002 From: wsffree at hotmail.com (Wang Shaofu) Date: Thu, 29 Aug 2002 10:25:37 +0800 Subject: about State Diagram... Message-ID: Dear Prof. 1.I have read some source code of Bro. And confused about the state diagram (or called event sequence diagram). Would you do me a favour , send the state diagram to me. It will help me to understand the Bro'work. 2.How the functions and events difined in *.bro , are been used in *.cc . Is there some function like: call_event ( event bro_event, ... ) , call_function ( function bro_function, ...) . 3.There is some table defined like this : global active_conn: table[conn_id] of connection; ... active_conn[c$id] = c; //???But the type of c$id is not a int.How large //the active_conn is? ... 4.When I invoke Bro : ./bro -i eth0 stepping.bro, it does not print the information about stepping stone until the link is terminated. Is there some way to report the stepping stone when the stepping stone is active( real time). So much question, :) Excuse for my poor english.Maybee I did not put my puestion well. Looking forward for your help. Have a nice day. Cloud _________________________________________________________________ ???? MSN Explorer: http://explorer.msn.com/lccn/ From vern at icir.org Fri Aug 30 00:30:30 2002 From: vern at icir.org (Vern Paxson) Date: Fri, 30 Aug 2002 00:30:30 -0700 Subject: new Bro release available - 0.7a175 Message-ID: <200208300730.g7U7UU12090874@yak.icir.org> A new Bro alpha release is now available from: ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a175.tar.gz It includes a considerable number of changes and new features (some quite experimental and likely to change somewhat in the near future). I've appended the relevant entries from the CHANGES file. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v0.7a174 Thu Aug 29 21:14:34 PDT 2002 - bro -s reads in a *signature* file to search for regular expressions in packet payloads or TCP byte streams (written by Robin Sommer). See policy/rules.bro for an example of a policy script for processing the matches. Note that this feature is experimental, and will be evolving in the near future. - The python script "snort2bro" reads in Snort signatures and translates them into Bro signature rules, suitable for processing using -s. An example of its operation is seen by running python snort2bro < sig.ex.web-rules.snort which, after reading in sig.ex.classification.config and sig.ex.reference.config, generates the output given in sig.ex.web-rules.bro, which is suitable to use as input to bro -s. - bro -d invokes a gdb-like debugger (written by Umesh Shankar). You can set breakpoints and watchpoints, examine tracebacks, print Bro expressions, and the like. Type "help" for on-line help. - bro -t turns on tracing of the policy script execution, written to the given file. - Bro now includes an SMTP analyzer, which includes processing MIME message bodies (written by Ruoming Pang). See smtp.bro and mime.bro for related policy scripts. smtp.bro includes several experimental techniques for detecting mail relaying. - You can now define enumerated types, such as type scanner_type: enum { SCANNER_STEALTH, SCANNER_HIGH_SPEED, SCANNER_AMBIGUOUS, }; Enumerated types can be compared for equality with one another, and used as table indices, but cannot be converted to/from integers. - bro -A invokes an experimental, general trace transformation/ anonymization framework (written by Ruoming Pang) which writes a modified tcpdump trace file from the input (which can be the network or another trace file) with potentially extensive modifications to the recorded packets. Transformers are built from .rw files (currently, {finger,ftp,ident,smtp}.rw), which are processed by the utility "rwcl" to generate both event engine analyzer components and rewriter policy scripts (for example, after configuring and building Bro, you'll find the scripts policy/{finger,ftp,ident,smtp}.rw.bro). See policy/smtp-rewriter.bro for an example of a policy script that performs transformation/anonymization. - New built-ins: split(s: string, p: pattern): string_array; takes a string and splits it into pieces at each occurrence of the regular expression pattern p. (The functionality is like that in awk.) It returns a string_array, which is a table[count] of string that is indexed starting at 1, giving the different pieces. For example, split("foobar", /o/) returns a 3-element table, for which [1] is the string "f", [2] is the string "" (empty), and [3] is the string "bar". split1(s: string, p: pattern): string_array; split1() does the same thing as split(), but only performs splitting at the first occurrence, so it returns either a one-element table (if the pattern doesn't appear in the string) or a two-element table. split1("foobar", /o/) returns a 2-element table for which [1] is "f" and [2] is "obar". md5_hash(s: string): string returns (in human-readable form) the MD5 hash of a given string. So, for example, md5_hash("foobar") yields "3858f62230ac3c915f300c664312c63f". to_addr(s: string): addr takes a string representing an address in "dotted quad" format and returns the correponding "addr" value. set_buf(f: file, buffered: bool) sets the given file to have its writes buffered or unbuffered depending on the value of "buffered". It does not return a value. connection_exists: function(c: conn_id): bool returns T if the given connection identifier corresponds to a currently instantiated connection (one for which the event engine has state), F otherwise. lookup_connection(c: conn_id): connection returns the "connection" record associated with the given connection identifier, or a fatal run-time error if there isn't one. set_inactivity_timeout(c: conn_id, timeout: interval): interval sets the inactivity timeout for the given connection to the given interval, returning the old interval. If the interval is non-zero, then when no packets have been processed for a connection after that much time has elapsed, the connection is deleted, and an "inactivity_timeout" event generated. get_matcher_stats(): matcher_stats used for gathering statistics about the signature matcher rewriting_trace(): bool returns T if -A was specified (anonymize/rewrite a trace), F otherwise. - New events: connection_state_remove(c: connection); Invoked when the event engine has removed the connection from its state. connection_SYN_packet(c: connection, pkt: SYN_packet); Invoked for each SYN/SYN-ACK packet. connection_timeout(c: connection); Invoked when the event engine times out a connection - for example, because the originator sent a SYN that was never answered, so the connection was never established. connection_reused: event(c: connection); Invoked when the event engine decides that a new SYN for an existing connection reflects a reuse of the connection four-tuple, rather than belonging to the existing connection. - New globals: const ignore_checksums = F &redef; If true, then the event engine does not verify checksums (and hence will not discard packets with bad checksums). const tcp_deliver_undelivered = F &redef; If true, then when the event engine closes a connection, if that connection has a chunk of data not yet delivered to its analyzer (which only happens if the data is above a sequence hole, indicating either a packet filter glitch or a protocol botch), then the undelivered data will at that point be delivered to the connection's analyzer. const tcp_reassembler_ports_orig: set[port] = {} &redef; const tcp_reassembler_ports_resp: set[port] = {} &redef; Sets of ports for which, if a connection has the corresponding originator/responder port, then the event engine will reassemble the byte stream of the connection. Normally, the event engine reassembles byte streams for any connection for which there's an analyzer, and otherwise doesn't. These variables can be used to force reassembly for the originator or responder side (respectively) of connections for which there isn't otherwise an analyzer. This is useful when doing signature matching on reassembled byte streams, for protocols that are not otherwise analyzed by the event engine. const table_expire_interval = 1 min &redef; How often to check table entries to see whether they've expired (see &read_expire, etc., below). const requires_trace_commitment = F; If true, then when rewriting/anonymizing traces, nothing will actually be written to the edited trace file unless you call: rewrite_commit_trace(c: connection, commit: bool, future: bool) If "future" is true, then future rewritten packets will be automatically commited; otherwise, writing them to the trace file requires another explicit rewrite_commit_trace() call. const inactivity_timeout = 0 secs &redef; As noted above, when a connection becomes inactive, time it out after this interval. If 0 secs, then don't time it out. - An SSH analyzer extracts SSH client/server version information. See ssh.bro for the related policy script. - There's now a (very) simple TFTP analyzer available in tftp.bro. - You can now set the global "frag_timeout" to an interval which controls how long fragments are kept before discarding them (contributed by Ashley Thomas). If you don't set the global, or set it to 0.0 sec, then fragments are kept around indefinitely. - An implementation of an experimental anti-evasion technique, "active mapping", has been written by Umesh Shankar. It is not yet ready for general use, and isn't compiled in unless -DACTIVE_MAPPING. - Four new attributes can now be associated with tables (implemented by Robin Sommer): &read_expire, &write_expire, and &create_expire will delete table entries after a given interval has elapsed since the table entry was last read, written, or created. For example: global a: table[addr] of count &default=0 &create_expire = 5 sec; will delete each entry added to it 5 seconds after the entry was added, regardless of subsequent read/write activity to the element. &expire_func allows you to associate a function with the table such that whenever an entry expires, the function is invoked. It's passed the value of the table entry (not the index - perhaps this should be changed), and returns an "interval" value. If the interval is <= 0.0 seconds, then the table entry is immediately deleted. Otherwise, it is deleted after the given interval has elapsed. - When listing multiple attributes, you no longer separate them with commas. For example, if you used to have: global a: table[string] of count &default=0, &redef; you now need to use: global a: table[string] of count &default=0 &redef; - You can now construct records using [$field1 = , $field2 = , ...] Such record values can be assigned to other records providing that the target value's type includes all of the fields (same name and type) present in the record value, and that any missing fields have the &optional or &default attribute (see next item). You can also include a record value inside the record constructor, and all of its fields will be included in the constructed record value. - Record fields can now be annotated with &optional, to indicate that the field needn't be present, or &default, which indicates a default value to provide if the field is missing. - You can query as to whether a record has a value for a given field using the new "?$" operator. So for example: type my_rec: record { num: count &default = 0; msg: string; # mandatory, since no &optional/&default }; global r: my_rec; r = [$msg = "hello"]; print r?$num, r?$msg, r$num; will print "F, T, 0," because even though 'r' has a default value for $num (which shows up when printing r$num), that field is missing, hence r?$num is F. - An experimental scheme has been added (by Umesh Shankar) for managing general attributes associated either with all values ("global attributes") or particular particular values. This scheme is likely to change in the near future, and hence isn't explained here further. - The DNS analysis now includes ADDL and AUTH records, and much richer policy script analysis (per policy/dns.bro). - You can now "redef" a function or event handler to override its previous definition. For a function, this looks like: redef log_hook = function(msg: string): bool { ... } For an event handler, it's just the usual definition preceded by "redef. For example, redef event ack_above_hole(c: connection) { } would replace the default ack_above_hole handler with one that does nothing. - HTTP server and HTTP proxy backdoor detectors have been added, generating http_signature_found and http_proxy_signature_found, respectively (contributed by Ruoming Pang). - A KaZaA backdoor detector has been added, which generates kazaa_signature_found for likely KaZaA connections. - The new policy scripts flag-irc.bro and flag-warez.bro provide hooks for defining site policies for detecting IRC and access to warez. - portmapper.bro now tracks the services it sees, and the names are used in connection summaries rather than generic services like port-656. - bro -C (or redef'ing the "ignore_checksums" global to T) instructs Bro to ignore any checksum errors and go ahead and analyze such packets. - The (trivial) policy script print-globals.bro dumps out all of the policy script global variables and the amount of memory they consume. - The policy script code-red.bro has been renamed worm.bro and generalized to detect Nimda as well as Code Red 1 & 2. - A bunch of additional default sensitive URIs have been added to http.bro. http.bro also now doesn't report worm-related URIs. - A bunch of less common portnames were removed from port-names.bro. - Empty regular expressions are now allowed. - The finger_request event now has a third parameter, the additional text after the username. - More systematic handling of NULs and CRLF by the event engine. - Hex escape sequences now must have exactly two hexadecimal characters. - FYI - work has begun on significantly altering the way that policy scripts generate alerts. - Work has begun (by Robin Sommer) on a general framework for tracking client/server versions. See software.bro. - Work has begun on a NETBIOS analyzer (see NetbiosSSN.cc). Contributions (e.g., finishing it :-) welcome. - Work has begun on migrating the internals to process IPv6 in addition to IPv4. - A number of bug fixes, leaks, and memory allocation lint tweaks. From vern at icir.org Sat Aug 31 11:20:20 2002 From: vern at icir.org (Vern Paxson) Date: Sat, 31 Aug 2002 11:20:20 -0700 Subject: about State Diagram... In-Reply-To: Your message of Thu, 29 Aug 2002 10:25:37 +0800. Message-ID: <200208311820.g7VIKK12024184@yak.icir.org> > 1.I have read some source code of Bro. And confused about the state diagram > (or called event sequence diagram). Would you do me a favour , send the > state diagram to me. It will help me to understand the Bro'work. I don't now what you mean by the event sequence diagram. The basic structure of how packets flow up from the network, through libpcap, into the event engine, and there are transformed into events, is outlined in the Bro paper that comes with the distribution (see doc/bro-CN99.ps). > 2.How the functions and events difined in *.bro , are been used in *.cc . See NetVar.{h,cc}, which imports the variables into the event engine. Each also is defined in policy/bro.init (which provides the typing information). There's no automated mechanism for this (we may add one in a bit); instead, you edit the changes into policy/bro.init, NetVar.cc, and NetVar.h. > Is there some function like: call_event ( event bro_event, ... ) , > call_function ( function bro_function, ...) . You can see how this works for a function by following the references to "log_hook" in the sources. You can see it for an event by following any of the many events that are invoked, for example, "connection_established". > 3.There is some table defined like this : > global active_conn: table[conn_id] of connection; > ... > active_conn[c$id] = c; //???But the type of c$id is not a int.How large > //the active_conn is? Tables can be indexed by records, providing that all of the components of the records are scalar (non-aggregate) types. > 4.When I invoke Bro : ./bro -i eth0 stepping.bro, it does not print the > information about stepping stone until the link is terminated. Is there > some way to report the stepping stone when the stepping stone is active( > real time). You can modify the script to use "log" (which logs alerts immediately), or to flush the stepping stone log file using flush_all(). Vern