From athomas at unity.ncsu.edu Sun Mar 17 19:54:20 2002
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Sun, 17 Mar 2002 22:54:20 -0500 (EST)
Subject: table operation in bro
Message-ID:

hi,

How expensive (w.r.t. time) is a table operation like:

    [orig, resp] in distinct_peers

in bro scripts? where distinct_peers is a table, given by

    global distinct_peers: table[addr, addr] of bool;

(from scan.bro)

thanks
ashley

From vern at icir.org Sun Mar 17 20:13:58 2002
From: vern at icir.org (Vern Paxson)
Date: Sun, 17 Mar 2002 20:13:58 -0800
Subject: table operation in bro
In-Reply-To: Your message of Sun, 17 Mar 2002 22:54:20 EST.
Message-ID: <200203180413.g2I4DwO18004@yak.icir.org>

> How expensive (w.r.t. time) is a table operation like:
> [orig, resp] in distinct_peers
> in bro scripts ?

Cheap - a single hash table lookup.

Vern

From wushi at guanghua.sh.cn Sun Mar 17 22:45:31 2002
From: wushi at guanghua.sh.cn (wushi at guanghua.sh.cn)
Date: Mon, 18 Mar 2002 14:45:31 +0800
Subject: HTTP reply
Message-ID: <2C175CE01348C945BCF5D20FF269A3B2075D5C@master.guanghua.sh.cn>

Hi, all:

I think sometimes the HTTP reply, especially the first line, is very useful. Through it, we can know whether the attack is successful. Is that right? Forgive my poor English.

Another question: how to detect the SYN flood attack using Bro? May I use a timer in the Bro interpreter, so we can know the statistics of some network event?

wushi
2002.3.18

From athomas at unity.ncsu.edu Mon Mar 18 13:33:29 2002
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Mon, 18 Mar 2002 16:33:29 -0500 (EST)
Subject: Regarding pattern matching in bro
Message-ID:

hi,

Is it possible to do pattern matching using bro scripts for a hex pattern, for eg:

    "90 31 C0 99 52 52 B017 CD80 68 CC 73 68"

or does it support only pattern matching for strings?
thanks a lot
ashley

From vern at icir.org Tue Mar 19 09:24:21 2002
From: vern at icir.org (Vern Paxson)
Date: Tue, 19 Mar 2002 09:24:21 -0800
Subject: HTTP reply
In-Reply-To: Your message of Mon, 18 Mar 2002 14:45:31 +0800.
Message-ID: <200203191724.g2JHOLO38129@yak.icir.org>

> I think sometimes the HTTP reply, especially the first line, is very useful.
> Through it, we can know whether the attack is successful.
> Is that right?

Yes, and HTTP.cc has *most* of the internal analysis already to extract this. What it's missing is the ability to accurately track persistent connections, which requires being able to tell when an item ends. For some items, finding the end is easy, you just use the content-length; but for those encoded using chunking or (especially) MIME/multipart, this is more work, and that's the part that's missing. If someone wants to finish it up, that would be great.

> How to detect the SYN flood attack using Bro? May I use a timer in the Bro
> interpreter, so we can know the statistics of some network event?

You could use a timer, or you could count the number of connection attempts arriving after a particular time for each server. One thing to note is that if you use connection_attempt, you only get the events after Bro times out the connection attempt (controlled by the tcp_attempt_delay variable). If you instead use new_connection, you'll get the events immediately.

Vern

From vern at icir.org Thu Mar 21 23:44:57 2002
From: vern at icir.org (Vern Paxson)
Date: Thu, 21 Mar 2002 23:44:57 -0800
Subject: Regarding pattern matching in bro
In-Reply-To: Your message of Mon, 18 Mar 2002 16:33:29 EST.
Message-ID: <200203220744.g2M7ivO79436@yak.icir.org>

> Is it possible to do pattern matching using bro scripts
> for a hex pattern, for eg:
> "90 31 C0 99 52 52 B017 CD80 68 CC 73 68"
> or does it support only pattern matching for strings?

What do you mean by a "hex pattern"? You can search for 8-bit regular expressions, e.g. /\x90\x31\xc0\x99/.
Bro's regular expressions operate on strings, but strings can contain arbitrary binary data.

Vern

From vanepp at sfu.ca Tue Mar 26 16:48:01 2002
From: vanepp at sfu.ca (Peter Van Epp)
Date: Tue, 26 Mar 2002 16:48:01 -0800 (PST)
Subject: List archive?
Message-ID: <200203270048.QAA27527@fraser.sfu.ca>

Is there an archive of the mailing list where the ignorant (i.e. me) can avoid asking questions already asked on the list? If not, is there experience with bro on gigE speed links, or is it hopeless before I start :-)

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

From vern at icir.org Wed Mar 27 01:24:24 2002
From: vern at icir.org (Vern Paxson)
Date: Wed, 27 Mar 2002 01:24:24 -0800
Subject: List archive?
In-Reply-To: Your message of Tue, 26 Mar 2002 16:48:01 PST.
Message-ID: <200203270924.g2R9OOO85167@yak.icir.org>

> Is there an archive of the mailing list where the ignorant (i.e. me)
> can avoid asking questions already asked on the list?

Yes, send email to majordomo at lbl.gov with

    get bro archive

in the body.

> If not, is there
> experience with bro on gigE speed links

Yep - that's what we run it on at LBL and UC Berkeley.

Vern

From athomas at unity.ncsu.edu Wed Mar 27 16:09:32 2002
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Wed, 27 Mar 2002 19:09:32 -0500 (EST)
Subject: Anyone seen this problem before ?
Message-ID:

hi,

I have posted a similar mail before but couldn't find an answer. I get this error while installing bro (bro-pub-0.7a90/libpcap0.6.2):

-------------------------------------------------------------------------------------------
gcc -I. -O -I../libpcap-0.6.2 -c cq.c
gcc -I. -O -I../libpcap-0.6.2 -Ibind8/include -Ibind8/portinc -c nb_dns.c
gcc -I. -O -I../libpcap-0.6.2 -c setsignal.c
gcc -I. -O -I../libpcap-0.6.2 -I. -c version.c
c++ -o bro main.o net_util.o parse.o scan.o re-parse.o re-scan.o util.o Attr.o BackDoor.o BroString.o CCL.o CompHash.o Conn.o DFA.o Desc.o Dict.o Discard.o DNS.o DNS_Mgr.o EquivClass.o Event.o Expr.o File.o Finger.o Frag.o Frame.o FTP.o Func.o Hash.o HTTP.o ICMP.o ID.o Ident.o InterConn.o List.o Logger.o Login.o NFA.o NTP.o NVT.o Net.o NetVar.o Obj.o PktSrc.o Portmap.o PriorityQueue.o Queue.o Reassem.o Rlogin.o RE.o RPC.o Scope.o Sessions.o SteppingStone.o Stmt.o TCP.o Telnet.o Timer.o Type.o UDP.o Val.o Var.o XDR.o cq.o nb_dns.o setsignal.o version.o -Lbind8/lib -lbind ../libpcap-0.6.2/libpcap.a -lm
parse.o: Definition of symbol `_yylhs' (multiply defined)
parse.o: Definition of symbol `_yylen' (multiply defined)
parse.o: Definition of symbol `_yydefred' (multiply defined)
parse.o: Definition of symbol `_yydgoto' (multiply defined)
parse.o: Definition of symbol `_yysindex' (multiply defined)
parse.o: Definition of symbol `_yyrindex' (multiply defined)
parse.o: Definition of symbol `_yygindex' (multiply defined)
parse.o: Definition of symbol `_yytable' (multiply defined)
parse.o: Definition of symbol `_yycheck' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylhs' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylen' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydefred' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydgoto' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yysindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yyrindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yygindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yytable' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yycheck' (multiply defined)
collect2: ld returned 1 exit status
*** Error code 1

Stop in /home/athomas/BRO/bro-pub-0.7a90 (line 90 of Makefile).
-----------------------------------------------------------------------------------------

Any pointers on what might be the problem and how to get around it? It sees multiple definitions while doing 'make'... Is it some problem with the flex/bison etc.? I am attaching what I saw while doing ./configure, if that might help in showing what might be the problem in my setup...

While doing a ./configure in libpcap-0.6.2 I see:

checking for flex... (cached) flex
checking for flex 2.4 or higher... (cached) yes
checking for bison... no
configure: warning: don't have both flex and bison; reverting to lex/yacc
checking for capable lex... (cached) yes

and running ./configure in bro-pub-0.7a90 I see:

checking for bison... no
checking for byacc... no
checking for c++... c++
checking whether the C++ compiler (c++ ) works... yes
checking whether the C++ compiler (c++ ) is a cross-compiler... no
checking whether we are using GNU C++... yes
checking whether c++ accepts -g... yes
checking for flex... flex
checking for yywrap in -lfl... yes
----------------------------------------------------------------------------------------

Any help is appreciated.. thanks for your time

regards
ashley

From athomas at unity.ncsu.edu Fri Mar 29 22:17:17 2002
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Sat, 30 Mar 2002 01:17:17 -0500 (EST)
Subject: bit manipulation in bro scripts.
Message-ID:

hi all,

do bro scripts support bit manipulation? for eg: to see if the nth bit is set or not?

just curious..

thanks for your time
ashley

From athomas at unity.ncsu.edu Sun Mar 31 12:55:42 2002
From: athomas at unity.ncsu.edu (Ashley Thomas)
Date: Sun, 31 Mar 2002 15:55:42 -0500 (EST)
Subject: bro variable.
Message-ID:

hi all,

I have added a bro variable in bro.init:
    global var = 1 &redef;
--------------------------------------
Also in NetVar:

    int var;
    var = opt_internal_int("var");
--------------------------------------
Now if I change var in any of the .cc files, does the change reflect at the policy level?

In any .cc file ->

    var = 2;

What will be the value in the policy scripts?
--------------------------------------
**Otherwise is there a way to share a variable between the .cc files and the policy scripts??**

thanks a lot
ashley
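An added example (not from the thread, nor Bro's own code) for Vern's point that 8-bit regular expressions can match the hex signature Ashley asked about: it parses the space-separated hex string (including the irregular "B017"/"CD80" groups), renders it as a Bro /\x..\x../ literal, and searches a binary payload with a bytes regex. The function names, SAMPLE_PAYLOAD and BENIGN_PAYLOAD are my own constructions.

```python
import re

# Ashley's hex signature from the thread, with its irregular grouping kept as-is.
HEX_SIGNATURE = "90 31 C0 99 52 52 B017 CD80 68 CC 73 68"


def hex_signature_to_bytes(sig: str) -> bytes:
    """Parse a whitespace-separated hex string into raw bytes.

    Groups like "B017" are split into single bytes; odd-length or
    non-hex input is rejected rather than silently truncated.
    """
    digits = "".join(sig.split())
    if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a hex byte string: {sig!r}")
    return bytes.fromhex(digits)


def to_bro_pattern(sig: str) -> str:
    """Render the signature the way Vern suggests: a Bro 8-bit regex literal."""
    return "/" + "".join(f"\\x{b:02x}" for b in hex_signature_to_bytes(sig)) + "/"


def compile_signature(sig: str) -> re.Pattern:
    """Compile a bytes regex; re.escape keeps bytes such as 0x2e ('.') literal."""
    return re.compile(re.escape(hex_signature_to_bytes(sig)))


def find_signature(payload: bytes, pattern: re.Pattern) -> int:
    """Offset of the first match in a binary payload, or -1 if absent."""
    m = pattern.search(payload)
    return m.start() if m else -1


# Constructed payloads: one carrying the signature 8 bytes in, one benign.
SAMPLE_PAYLOAD = b"\x00" * 8 + hex_signature_to_bytes(HEX_SIGNATURE) + b"\x00" * 4
BENIGN_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    pat = compile_signature(HEX_SIGNATURE)
    print(to_bro_pattern(HEX_SIGNATURE))  # /\x90\x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68/
    print(find_signature(SAMPLE_PAYLOAD, pat), find_signature(BENIGN_PAYLOAD, pat))  # 8 -1
```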