From zqs at pub.xaonline.com Sun Dec 1 18:24:10 2002
From: zqs at pub.xaonline.com (zhang qingsheng)
Date: Mon, 2 Dec 2002 10:24:10 +0800
Subject: who know setup of libpcap?
Message-ID: <004301c299a9$e7ef2f10$823075ca@xjtusoftware>

I have met some questions about the setup of libpcap that I can't solve. Who can give me detailed guidelines about it?

From wsffree at hotmail.com Tue Dec 3 00:25:56 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 03 Dec 2002 16:25:56 +0800
Subject: who know setup of libpcap?

> I have met some questions about the setup of libpcap that I can't solve. Who can give me detailed guidelines about it?

When you set up Linux, there is a choice for you to set up libpcap or not. Or you can use rpm, but I did not try this; when you succeed, please tell me.

cloud

From rpang at icir.org Tue Dec 3 22:02:59 2002
From: rpang at icir.org (Ruoming Pang)
Date: Tue, 3 Dec 2002 22:02:59 -0800 (PST)
Subject: building bro in linux
In-Reply-To: <004301c299a9$e7ef2f10$823075ca@xjtusoftware>

Hi,

I wonder if anyone has experience in building Bro in Linux and, especially, in resolving the following problem:

	nb_dns.o: In function `nb_dns_activity':
	nb_dns.o(.text+0x678): undefined reference to `__ns_initparse'
	nb_dns.o(.text+0x742): undefined reference to `_ns_flagdata'
	nb_dns.o(.text+0x748): undefined reference to `_ns_flagdata'
	nb_dns.o(.text+0x9bc): undefined reference to `__ns_parserr'
	collect2: ld returned 1 exit status
	make: *** [bro] Error 1

I am using Linux 2.4.18-3 (Redhat 7.3).
I nm'ed libresolv.a and did find __ns_initparse in it:

	/usr/lib/libresolv.a:ns_parse.o:00000000 T __ns_initparse

Thanks a lot,
Ruoming

From grd-pub.56 at NOSPAMnetcourrier.com Tue Dec 3 23:36:47 2002
From: grd-pub.56 at NOSPAMnetcourrier.com (grd-pub.56 at NOSPAMnetcourrier.com)
Date: Wed, 4 Dec 2002 08:36:47 +0100
Subject: building bro in linux
Message-ID: <20021204073302.C5C8B17DF1@postfix3-2.free.fr>

Hi,

You should try linking with "/usr/lib/libresolv.a" instead of "-lresolv" -- the latter uses the dynamic library, libresolv.so, unless you add the "-static" option. Just edit the Makefile accordingly.

Good luck,
Olivier.

On Wednesday 04 December 2002 07:02 am, you wrote:
> Hi,
>
> I wonder if anyone has experience in building Bro in Linux and, especially,
> in resolving the following problem:
>
> nb_dns.o: In function `nb_dns_activity':
> nb_dns.o(.text+0x678): undefined reference to `__ns_initparse'
> nb_dns.o(.text+0x742): undefined reference to `_ns_flagdata'
> nb_dns.o(.text+0x748): undefined reference to `_ns_flagdata'
> nb_dns.o(.text+0x9bc): undefined reference to `__ns_parserr'
> collect2: ld returned 1 exit status
> make: *** [bro] Error 1
>
> I am using Linux 2.4.18-3 (Redhat 7.3). I nm'ed libresolv.a and did find
> __ns_initparse in it:
>
> /usr/lib/libresolv.a:ns_parse.o:00000000 T __ns_initparse
>
> Thanks a lot,
> Ruoming

From wsffree at hotmail.com Tue Dec 10 05:11:46 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 10 Dec 2002 21:11:46 +0800
Subject: About Bro's manual

Hi

I have a question about the manual.

	edit (s: string, edit_char: string): string
		Returns a version of s assuming that edit_char is the ``backspace''
		character (usually "\x08" for backspace or "\x7f" for DEL). For
		example, edit("hello there", "e") returns "llo t".
		                                          ~~~~~~~~ Should this be "hllo th"?

Thanks
Have a nice day!
Ciao
Cloud
From rpang at icir.org Tue Dec 10 08:38:22 2002
From: rpang at icir.org (Ruoming Pang)
Date: Tue, 10 Dec 2002 08:38:22 -0800 (PST)
Subject: About Bro's manual

> edit (s: string, edit_char: string): string
> 	Returns a version of s assuming that edit_char is the ``backspace''
> 	character (usually "\x08" for backspace or "\x7f" for DEL). For example,
> 	edit("hello there", "e") returns "llo t".
> 	                                 ~~~~~~~~ Should this be "hllo th"?

Hi,

I think the manual is right. Just try to type "hello there" on your keyboard, but instead of typing 'e', type backspace instead for each 'e'. And see what you get. :)

Ruoming

From jwiens at nersp.nerdc.ufl.edu Wed Dec 18 09:23:55 2002
From: jwiens at nersp.nerdc.ufl.edu (Jordan K Wiens)
Date: Wed, 18 Dec 2002 12:23:55 -0500 (EST)
Subject: archives?

Are there archives of this mailing list to read older messages on? Either web, or otherwise would be helpful.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

From vern at icir.org Wed Dec 18 10:46:29 2002
From: vern at icir.org (Vern Paxson)
Date: Wed, 18 Dec 2002 10:46:29 -0800
Subject: archives?
In-Reply-To: Your message of Wed, 18 Dec 2002 12:23:55 EST.
Message-ID: <200212181846.gBIIkU3I025920@jaguar.icir.org>

> Are there archives of this mailing list to read older messages on? Either
> web, or otherwise would be helpful.

To get the archive (as one enormous file :-( ), send email to majordomo at lbl.gov with "get bro archive" in the body.

		Vern

From wsffree at hotmail.com Mon Dec 23 05:10:22 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Mon, 23 Dec 2002 21:10:22 +0800
Subject: about packet's load

Hi

Merry X'mas

Please show me the variable which presents the packet's load in Bro! I want to implement SWT in Bro.

Thanks in advance!
Have a nice day!
Ciao
Cloud
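Coming back to the edit() question that Ruoming answered above: the following is an added C++ example (not from the Bro manual or source; Bro's edit() takes edit_char as a string, and a single char is assumed here) that implements the backspace semantics the manual describes, next to the plain character deletion the question assumed:

```cpp
#include <string>

// Simulates the manual's edit(s, edit_char): each occurrence of edit_char is a
// backspace that erases the character typed just before it.  The assumed
// signature takes a single char rather than Bro's string-typed edit_char.
std::string edit(const std::string& s, char edit_char)
	{
	std::string out;
	for ( char c : s )
		{
		if ( c == edit_char )
			{
			// A backspace at the start of the buffer has nothing to erase.
			if ( ! out.empty() )
				out.pop_back();
			}
		else
			out.push_back(c);
		}
	return out;
	}

// The reading behind the question ("just drop every edit_char") gives a
// different string; included only to show why the two answers differ.
std::string strip_char(const std::string& s, char ch)
	{
	std::string out;
	for ( char c : s )
		if ( c != ch )
			out.push_back(c);
	return out;
	}
```

With the real backspace byte, "ab\x08cd\x08" reduces to "ac", and a leading backspace on an empty buffer is simply ignored.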
From vern at icir.org Mon Dec 23 10:40:51 2002
From: vern at icir.org (Vern Paxson)
Date: Mon, 23 Dec 2002 10:40:51 -0800
Subject: about packet's load
In-Reply-To: Your message of Mon, 23 Dec 2002 21:10:22 +0800.
Message-ID: <200212231840.gBNIep3I011939@jaguar.icir.org>

> Please show me the variable which presents the packet's load in Bro!

I don't know what you mean by "packet load" ... ?

		Vern

From wsffree at hotmail.com Mon Dec 23 18:48:43 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 24 Dec 2002 10:48:43 +0800
Subject: about packet's load

> > Please show me the variable which presents the packet's load in Bro!
>
> I don't know what you mean by "packet load" ... ?

Sorry for my poor English. I use "packet load" as: the data of the IP packet, or the data of the TCP/UDP packet.

Ciao
Cloud
From vern at icir.org Mon Dec 23 23:07:44 2002
From: vern at icir.org (Vern Paxson)
Date: Mon, 23 Dec 2002 23:07:44 -0800
Subject: about packet's load
In-Reply-To: Your message of Tue, 24 Dec 2002 10:48:43 +0800.
Message-ID: <200212240707.gBO77i3I021684@jaguar.icir.org>

> I use "packet load" as: the data of the IP packet, or the data of the TCP/UDP
> packet.

Ah - the term you're looking for is "payload". You can get this using the "packet_contents" event handler, or using the new signature engine (for which Robin Sommer has contributed a new chapter for the Bro manual, which will be included in the next development release).

		Vern

From wsffree at hotmail.com Tue Dec 24 05:07:45 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 24 Dec 2002 21:07:45 +0800
Subject: about packet's load

Two hours to the great moment! Best wishes!

> Ah - the term you're looking for is "payload". You can get this using
> the "packet_contents" event handler, or using the new signature engine
> (for which Robin Sommer has contributed a new chapter for the Bro
> manual, which will be included in the next development release).

	void FragReassembler::AddFragment(const struct ip* ip, const u_char* pkt,
					  uint32 frag_field)
		{
		......
		// Remove header.
		pkt += hdr_len;
		len -= hdr_len;
	+	printf("%s,/n",(char *) pkt);//change
		NewBlock(network_time, offset, len, pkt);
		}

I made the above change to print the payload of telnet, but it does not work!

Ciao
Cloud

From vern at icir.org Tue Dec 24 09:12:55 2002
From: vern at icir.org (Vern Paxson)
Date: Tue, 24 Dec 2002 09:12:55 -0800
Subject: about packet's load
In-Reply-To: Your message of Tue, 24 Dec 2002 21:07:45 +0800.
Message-ID: <200212241712.gBOHCt3I027018@jaguar.icir.org>

> void FragReassembler::AddFragment(const struct ip* ip, const u_char* pkt,
> 				  uint32 frag_field)
> 	{
> 	......

You shouldn't modify the event engine when there's already an event that generates what you need. Perhaps we should move this discussion over to private email.

		Vern

From wsffree at hotmail.com Wed Dec 25 06:03:11 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Wed, 25 Dec 2002 22:03:11 +0800
Subject: about collect packets

Hi

Merry Christmas.

I can't find either pcap_dispatch or pcap_loop in Bro. How does Bro collect packets???

Have a nice year.
Ciao
Cloud

From dart at nersc.gov Wed Dec 25 10:30:47 2002
From: dart at nersc.gov (Eli Dart)
Date: Wed, 25 Dec 2002 10:30:47 -0800
Subject: about collect packets
In-Reply-To: Message from "Wang Shaofu" of "Wed, 25 Dec 2002 22:03:11 +0800."
Message-ID: <20021225183047.33E2F3B1AE@gemini.nersc.gov>

Check for pcap_open_live in PktSrc.cc -- I think you'll find what you're looking for there....

		--eli

In reply to "Wang Shaofu":

> Hi
>
> Merry Christmas.
>
> I can't find either pcap_dispatch or pcap_loop in Bro.
> How does Bro collect packets???
>
> Have a nice year.
> Ciao
> Cloud

From athomas at cc.gatech.edu Wed Dec 25 10:37:45 2002
From: athomas at cc.gatech.edu (Ashley Thomas)
Date: Wed, 25 Dec 2002 13:37:45 -0500
Subject: about collect packets
Message-ID: <3E09FAF9.1040207@cc.gatech.edu>

There are other libpcap functions which Bro makes use of.

Wang Shaofu wrote:
> Hi
>
> Merry Christmas.
>
> I can't find either pcap_dispatch or pcap_loop in Bro.
> How does Bro collect packets???
>
> Have a nice year.
> Ciao
> Cloud

--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.

From wsffree at hotmail.com Wed Dec 25 20:04:47 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Thu, 26 Dec 2002 12:04:47 +0800
Subject: about collect packets

> There are other libpcap functions which Bro makes use of.

Oh, it is pcap_next. Thanks a lot!

Have a nice day.
Ciao
Cloud

From wsffree at hotmail.com Wed Dec 25 20:10:01 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Thu, 26 Dec 2002 12:10:01 +0800
Subject: about collect packets

> Check for pcap_open_live in PktSrc.cc -- I think you'll find what
> you're looking for there....

Great! Thanks a lot

Have a nice day.
Ciao
Cloud

From andersonlee2002 at hotmail.com Thu Dec 26 06:40:17 2002
From: andersonlee2002 at hotmail.com (Anderson Lee)
Date: Thu, 26 Dec 2002 22:40:17 +0800
Subject: how to use Bro getting 41 features of a connect record

Hello!

I am doing my research work in Intrusion Detection Systems. I read a paper about an anomaly detection technique by CS Columbia University. A clustering algorithm is applied to classify the normal and abnormal connections. Connections are at a higher level than packets, which are used in Snort, so a connection can have a smaller data size and more information.

http://kdd.ics.uci.edu/databases/kddcup99/kddcup.names
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

The author said Bro is modified to generate the 41 features. I would appreciate it if someone is kind enough to give me some hints on how to do this.
I am sure an event analyser and handler should be added to Bro, but where, how and when to invoke the event handler?

Thanks!

Anderson Lee

From wsffree at hotmail.com Fri Dec 27 02:25:14 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Fri, 27 Dec 2002 18:25:14 +0800
Subject: about &

Hi

	class SteppingStoneManager {
	public:
		SteppingStoneManager()	{ endp_cnt = 0; }

		PQueue(SteppingStoneEndpoint)& OrderedEndpoints()	//???
		~~~ What does this mean? I cannot find it in standard C++.
			{ return ordered_endps; }
		......
	}

Thanks for your help
Have a nice year;
Ciao
Cloud

From vern at icir.org Fri Dec 27 23:44:28 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 27 Dec 2002 23:44:28 -0800
Subject: how to use Bro getting 41 features of a connect record
In-Reply-To: Your message of Thu, 26 Dec 2002 22:57:06 +0800.
Message-ID: <200212280744.gBS7iS3I072791@jaguar.icir.org>

> http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
> The author said Bro is modified to generate the 41 features. I
> would appreciate it if someone is kind enough to give me some hints on how
> to do this. I am sure an event analyser and handler should be added to
> Bro, but where, how and when to invoke the event handler?

Presumably, yes, they wrote policy scripts, and perhaps also extended the event engine. But it seems you should ask the authors directly to get the details.

		Vern

From vern at icir.org Fri Dec 27 23:46:57 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 27 Dec 2002 23:46:57 -0800
Subject: about &
In-Reply-To: Your message of Fri, 27 Dec 2002 18:25:14 +0800.
Message-ID: <200212280746.gBS7kv3I072875@jaguar.icir.org>

> 	PQueue(SteppingStoneEndpoint)& OrderedEndpoints()	//??????
> 	~~~ What does this mean? I cannot find it in standard C++.

"PQueue(SteppingStoneEndpoint)" is actually a macro definition (defined in Queue.h) that refers to an instantiation of a generic type. In particular, it's defining a pointer to a Queue, for which the elements of the queue are SteppingStoneEndpoint objects. If I had started writing Bro recently rather than quite a few years ago, I would have used templates instead.

So "PQueue(SteppingStoneEndpoint)&" is a reference to such a pointer.
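An added illustration of the macro-based generic type Vern describes, written as a constructed stand-in rather than Bro's own Queue.h (the DECLARE_QUEUE name, the macro bodies and the queue methods are assumptions), placed next to the template form that would replace it:

```cpp
#include <vector>

// Pre-template style: the macro stamps out one concrete queue class per
// element type, and PQueue(type) expands to "pointer to that class".
#define DECLARE_QUEUE(type)                                       \
	class type##Queue {                                       \
	public:                                                   \
		void push_back(type* e) { elems.push_back(e); }   \
		int length() const { return (int) elems.size(); } \
	private:                                                  \
		std::vector<type*> elems;                         \
	};
#define PQueue(type) type##Queue*
struct SteppingStoneEndpoint { int id; };
DECLARE_QUEUE(SteppingStoneEndpoint)	// defines SteppingStoneEndpointQueue

class SteppingStoneManager {
public:
	// "PQueue(SteppingStoneEndpoint)&" expands to "SteppingStoneEndpointQueue*&":
	// a reference to the pointer member, so a caller can also reseat it.
	PQueue(SteppingStoneEndpoint)& OrderedEndpoints() { return ordered_endps; }
private:
	PQueue(SteppingStoneEndpoint) ordered_endps = nullptr;
};

// The template form the reply says it would use today: one definition,
// type-checked by the compiler instead of expanded by the preprocessor.
template <typename T>
class Queue {
public:
	void push_back(T* e) { elems.push_back(e); }
	int length() const { return (int) elems.size(); }
private:
	std::vector<T*> elems;
};

// Both forms exercised the same way; each returns the number of queued endpoints.
int macro_queue_length()
	{
	SteppingStoneEndpointQueue q;
	SteppingStoneManager mgr;
	mgr.OrderedEndpoints() = &q;	// assignment through the returned reference
	SteppingStoneEndpoint a = {1}, b = {2};
	mgr.OrderedEndpoints()->push_back(&a);
	mgr.OrderedEndpoints()->push_back(&b);
	return mgr.OrderedEndpoints()->length();
	}

int template_queue_length()
	{
	Queue<SteppingStoneEndpoint> q;
	SteppingStoneEndpoint a = {1}, b = {2};
	q.push_back(&a);
	q.push_back(&b);
	return q.length();
	}
```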
		Vern

From wsffree at hotmail.com Mon Dec 30 21:14:47 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 31 Dec 2002 13:14:47 +0800
Subject: about hash

Hi

Looking for help!

	hash_t HashKey::HashBytes(const void* bytes, int size) const
		{
		const unsigned char* cp = (const unsigned char*) bytes;
		hash_t h = 0;	//unsigned int

		for ( int i = 0; i < size; ++i )
			// Overflow is okay here.
			h = (h >> 31) + (h << 1) + cp[i];
			~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Does this arithmetic make sure there is no collision????

		return h;
		}

Have a nice day!
Ciao
Cloud

From christian at whoop.org Tue Dec 31 08:08:01 2002
From: christian at whoop.org (Christian Kreibich)
Date: 31 Dec 2002 17:08:01 +0100
Subject: about hash
Message-ID: <1041350880.547.5.camel@Gonzo>

On Tue, 2002-12-31 at 06:14, Wang Shaofu wrote:
> Hi
> Looking for help!
>
> 	hash_t HashKey::HashBytes(const void* bytes, int size) const
> 		{
> 		const unsigned char* cp = (const unsigned char*) bytes;
> 		hash_t h = 0;	//unsigned int
>
> 		for ( int i = 0; i < size; ++i )
> 			// Overflow is okay here.
> 			h = (h >> 31) + (h << 1) + cp[i];
> 			~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Does this arithmetic make
> 			sure there is no collision????

Hi,

I'm not familiar with the rest of the HashKey class, but calculation of a hash key as in this case doesn't take care of collisions -- they're resolved later, when looking up an item in a hash table.

Cheers,
Christian.
--
http://www.whoop.org
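To make Christian's point concrete, here is an added C++ example (not Bro code; hash_t is assumed to be the 32-bit "unsigned int" noted in the question) that reproduces the HashBytes loop, shows two short keys that hash identically, and demonstrates that a chained table still tells them apart because the stored key is compared on lookup:

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>
typedef uint32_t hash_t;	// assumed: the "unsigned int" noted in the question

// The byte-hashing loop from HashKey::HashBytes, reproduced so that a
// collision can be demonstrated on it.
hash_t hash_bytes(const void* bytes, int size)
	{
	const unsigned char* cp = (const unsigned char*) bytes;
	hash_t h = 0;
	for ( int i = 0; i < size; ++i )
		h = (h >> 31) + (h << 1) + cp[i];	// overflow is okay here
	return h;
	}

hash_t hash_str(const std::string& s)
	{ return hash_bytes(s.data(), (int) s.size()); }

// For short keys the loop is just h = 2*h + byte, so distinct keys collide
// easily: "ab" gives 2*97+98 = 292 and "`d" gives 2*96+100 = 292.
bool keys_collide(const std::string& a, const std::string& b)
	{ return a != b && hash_str(a) == hash_str(b); }

// Minimal chained hash table.  The hash only selects a bucket; the stored key
// is compared byte-for-byte on lookup, which is where collisions get resolved.
class ChainedTable {
	typedef std::vector<std::pair<std::string, int> > Chain;
public:
	explicit ChainedTable(size_t nbuckets) : buckets(nbuckets) {}
	void insert(const std::string& key, int value)
		{ buckets[hash_str(key) % buckets.size()].push_back(std::make_pair(key, value)); }
	// Returns -1 when the key is absent, even if another key shares its hash.
	int lookup(const std::string& key) const
		{
		const Chain& chain = buckets[hash_str(key) % buckets.size()];
		for ( size_t i = 0; i < chain.size(); ++i )
			if ( chain[i].first == key )
				return chain[i].second;
		return -1;
		}
private:
	std::vector<Chain> buckets;
};

// Both colliding keys are stored and retrieved correctly, and "_f" (also
// hash 292, so it lands in the same bucket) is still reported missing.
bool collisions_resolve_on_lookup()
	{
	ChainedTable t(8);
	t.insert("ab", 1);
	t.insert("`d", 2);
	return t.lookup("ab") == 1 && t.lookup("`d") == 2 && t.lookup("_f") == -1;
	}
```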