From wsffree at hotmail.com Wed May 1 01:29:37 2002 From: wsffree at hotmail.com (Wang Shaofu) Date: Wed, 01 May 2002 16:29:37 +0800 Subject: why??? Message-ID:

Hi, It is so sorry to disturb you. But why do I just receive the e-mail of questions about Bro, and cannot receive the answer of the question? For me, the answer has the importance as well as the questions. It is my pleasure to receive your help. Thanks a lot. ciao Cloud

From jh0u at hotmail.com Wed May 1 10:42:51 2002 From: jh0u at hotmail.com (jd ls) Date: Wed, 01 May 2002 10:42:51 -0700 Subject: why??? Message-ID:

> Hi,
> It is so sorry to disturb you. But why do I just receive the e-mail of questions about Bro, and cannot receive the answer of the question? For me, the answer has the importance as well as the questions. It is my pleasure to receive your help.
> Thanks a lot.

It's because nobody in the bro mailing list answered. My guess is that it's just you and I are the only ones subscribed to the bro mailing list...

From mjbennett at lbl.gov Wed May 1 10:59:57 2002 From: mjbennett at lbl.gov (Mike Bennett) Date: Wed, 1 May 2002 10:59:57 -0700 Subject: why??? In-Reply-To: Message-ID: <001901c1f13a$011fe830$32030380@wins.lbl.gov>

It could be that the folks who actually answer the questions, like Vern, are so busy they just haven't had time to respond. Mike

-----Original Message----- From: owner-bro at lbl.gov [mailto:owner-bro at lbl.gov] On Behalf Of jd ls Sent: Wednesday, May 01, 2002 10:43 AM To: bro at lbl.gov Subject: Re: why???
> Hi,
> It is so sorry to disturb you. But why do I just receive the e-mail of questions about Bro, and cannot receive the answer of the question? For me, the answer has the importance as well as the questions. It is my pleasure to receive your help.
> Thanks a lot.

It's because nobody in the bro mailing list answered. My guess is that it's just you and I are the only ones subscribed to the bro mailing list...

From vern at icir.org Wed May 1 10:56:09 2002 From: vern at icir.org (Vern Paxson) Date: Wed, 01 May 2002 10:56:09 -0700 Subject: why??? In-Reply-To: Your message of Wed, 01 May 2002 10:42:51 PDT. Message-ID: <200205011756.g41Hu9O72266@yak.icir.org>

> It's because nobody in the bro mailing list answered. My guess is that it's just you and I are the only ones subscribed to the bro mailing list...

There are 205 people subscribed to the list. The original poster didn't give enough context to understand just what they were asking (at least for me). Questions generally get answered (sometimes it takes a while), or are retracted (which happened recently when the poster subsequently solved their own problem). The only pending thread on the list of which I'm aware is that from the messages sent a couple of weeks ago by Ashley Thomas (regarding fragmentation reassembly). I mean to reply to those, but it will take me a while to find the cycles to do so, due to day job crunches. Vern

From Nathan.Dornbrook at rbs.co.uk Wed May 1 12:51:16 2002 From: Nathan.Dornbrook at rbs.co.uk (Dornbrook, Nathan) Date: Wed, 1 May 2002 20:51:16 +0100 Subject: why??? Message-ID:

Warning: This email does not reflect the opinions of the Royal Bank of Scotland nor her subsidiary companies nor affiliates. To be honest, I didn't understand the question.
Generally, I just lurk, keeping tabs on bro to see when and if it will become a viable option for commercial implementation at a large institution like the Royal Bank (as snort has become). It's not that no one cares, it's just that no one else's problems are as important as one's own. If bro is frustrating you, take a look at snort, Dragon, NetRanger and ISS RealSecure (in that order). Nathan Dornbrook Head of Telecoms Network Security Royal Bank of Scotland Regus House, 10 Lochside Place Edinburgh Park, Edinburgh EH12 9RG * 0131-523 9299 e* dornbrn at rbos.co.uk -----Original Message----- From: Vern Paxson [mailto:vern at icir.org] Sent: 01 May 2002 18:56 To: jd ls Cc: bro at lbl.gov Subject: Re: why??? *** Warning: This message originates from the internet *** > It's because nobody in the bro mailing list answered. My guess is that it's > just you and I are the only ones subscribed to the bro mailing list... There are 205 people subscribed to the list. The original poster didn't give enough context to understand just what they were asking (at least for me). Questions generally get answered (sometimes it takes a while), or are retracted (which happened recently when the poster subsequently solved their own problem). The only pending thread on the list of which I'm aware is that from the messages sent a couple of weeks ago by Ashley Thomas (regarding fragmentation reassembly). I mean to reply to those, but it will take me a while to find the cycles to do so, due to day job crunches. Vern The Royal Bank of Scotland plc is registered in Scotland No 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. Agency agreements exist between members of The Royal Bank of Scotland Group. The Royal Bank of Scotland plc is regulated by IMRO, SFA and Personal Investment Authority. This e-mail message is confidential and for use by the addressee only. 
If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

From Nathan.Dornbrook at rbs.co.uk Thu May 2 03:06:33 2002 From: Nathan.Dornbrook at rbs.co.uk (Dornbrook, Nathan) Date: Thu, 2 May 2002 11:06:33 +0100 Subject: why??? Message-ID:

I also forgot to mention this: Vern (and others) are pushing forward the general state of the technology available to us. It is a frustrating process for all concerned, with intermittent, but substantial, rewards, mostly in the form of the warm fuzzy feeling that comes when a tough problem is elegantly solved. For those who successfully commercially package their project, it also has substantial financial implications. Vern, keep up the fight. I'm really chuffed to see bro as an option, fighting for survival and acceptance. Cheers! Nathan Dornbrook Head of Telecoms Network Security Royal Bank of Scotland Regus House, 10 Lochside Place Edinburgh Park, Edinburgh EH12 9RG * 0131-523 9299 e* dornbrn at rbos.co.uk

-----Original Message----- From: Dornbrook, Nathan Sent: 01 May 2002 20:51 To: 'bro at lbl.gov' Subject: RE: why??? *** Warning: This message originates from the internet *** Warning: This email does not reflect the opinions of the Royal Bank of Scotland nor her subsidiary companies nor affiliates.
To be honest, I didn't understand the question. Generally, I just lurk, keeping tabs on bro to see when and if it will become a viable option for commercial implementation at a large institution like the Royal Bank (as snort has become). It's not that no one cares, it's just that no one else's problems are as important as one's own. If bro is frustrating you, take a look at snort, Dragon, NetRanger and ISS RealSecure (in that order). Nathan Dornbrook Head of Telecoms Network Security Royal Bank of Scotland Regus House, 10 Lochside Place Edinburgh Park, Edinburgh EH12 9RG * 0131-523 9299 e* dornbrn at rbos.co.uk -----Original Message----- From: Vern Paxson [mailto:vern at icir.org] Sent: 01 May 2002 18:56 To: jd ls Cc: bro at lbl.gov Subject: Re: why??? *** Warning: This message originates from the internet *** > It's because nobody in the bro mailing list answered. My guess is that it's > just you and I are the only ones subscribed to the bro mailing list... There are 205 people subscribed to the list. The original poster didn't give enough context to understand just what they were asking (at least for me). Questions generally get answered (sometimes it takes a while), or are retracted (which happened recently when the poster subsequently solved their own problem). The only pending thread on the list of which I'm aware is that from the messages sent a couple of weeks ago by Ashley Thomas (regarding fragmentation reassembly). I mean to reply to those, but it will take me a while to find the cycles to do so, due to day job crunches. Vern The Royal Bank of Scotland plc is registered in Scotland No 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. Agency agreements exist between members of The Royal Bank of Scotland Group. The Royal Bank of Scotland plc is regulated by IMRO, SFA and Personal Investment Authority. This e-mail message is confidential and for use by the addressee only. 
If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet e-mails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

From jverdu at ac.upc.es Thu May 9 05:43:22 2002 From: jverdu at ac.upc.es (Javier Verdu Mula) Date: Thu, 9 May 2002 14:43:22 +0200 (MET DST) Subject: Bro's code Message-ID: <200205091243.g49ChMh29319@fonoll.ac.upc.es>

Dear Mr. Paxson, I am a PhD Student. I would like to ask you if you can send me the code of Bro. It is aimed at research studies. Thanks in advance. Best regards. Javier Verdú Mulà, PhD Student, Department of Computer Architecture, Universitat Politècnica de Catalunya (UPC), C/ Jordi Girona, 1-3, Módulo D6-116, Campus Nord, 08034 BARCELONA (SPAIN). Mailto: jverdu at ac.upc.es Phone: +34 93 401 7187 Fax: +34 93 401 7055

From athomas at unity.ncsu.edu Mon May 13 12:18:50 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Mon, 13 May 2002 15:18:50 -0400 (EDT) Subject: a quick doubt reg bro... Message-ID:

Bro can be classified as a protocol-analysis NIDS, right? I know it does signature/pattern matching too, but it does a lot of protocol analysis too, right? So is it correct to classify bro more like a protocol analysis ids rather than sig-based?
it would be GREAT if anyone could drop a quick reply/comment.. thanks

From vern at icir.org Mon May 13 12:34:18 2002 From: vern at icir.org (Vern Paxson) Date: Mon, 13 May 2002 12:34:18 -0700 Subject: a quick doubt reg bro... In-Reply-To: Your message of Mon, 13 May 2002 15:18:50 EDT. Message-ID: <200205131934.g4DJYIO18722@yak.icir.org>

> Bro can be classified as a protocol-analysis NIDS, right?
> I know it does signature/pattern matching too, but it does a lot of protocol analysis too, right?
>
> So is it correct to classify bro more like a protocol analysis ids rather than sig-based?
>
> it would be GREAT if anyone could drop a quick reply/comment..

The way the Bro paper describes it, Bro is "activity-based" as opposed to signature-based. It certainly does emphasize detailed protocol analysis. What I've meant by activity-based is similar to what is recently emerging in the literature (by others) as "specification-based" intrusion detection, and that's I think a better term. So probably the best way to describe it is something like "a specification-based NIDS that emphasizes detailed protocol analysis, though also capable of signature-based detection". Vern

From liwenjia2002 at hotmail.com Fri May 17 18:55:17 2002 From: liwenjia2002 at hotmail.com (李 文嘉) Date: Sat, 18 May 2002 09:55:17 +0800 Subject: some puzzles about the usage of bro Message-ID:

Dear Mr. Paxson: I am an undergraduate student in China. When I try to use bro I have met some puzzles and I wish I could get help from you. First of all, if bro detects intrusion activity, what will it do? Write this intrusion activity to a log or print a real-time notification on the screen? Secondly, I have run bro many times in the LAN of my lab. But it did not have any response. So I am not sure if it is working. By the way, where is bro's intrusion log file located in Linux?
Thirdly, would you please give me a list of which types of intrusion bro can detect and the corresponding intrusion signature of each intrusion activity bro can detect? Thank you very much for your kind guidance and help. Yours Sincerely Lee

From athomas at unity.ncsu.edu Fri May 17 19:15:50 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Fri, 17 May 2002 22:15:50 -0400 (EDT) Subject: some puzzles about the usage of bro In-Reply-To: Message-ID:

> First of all if bro detects intrusion activity, what will it do? Write this intrusion activity to a log or print a real-time notification on the screen?

It is capable of doing both. You can look for *.log files in the same directory where the bro executable is.

> So I am not sure if it is working !

If bro starts correctly it will print "listening on interface ....". Are you getting this message?

> Thirdly would you please give me a list of which types of intrusion bro can detect and the corresponding intrusion signature of each intrusion activity bro can detect?

It can detect almost everything if you can write the signature / analysis module into its policy scripts. By default it detects common alerts like
- portscan
- land attack
- malicious fragments like (size < min_size)
etc etc. You can get a lot of this information in the bro user manual which comes along with the distribution... You can look for it in the doc/ directory. Hope that helps. -ashley thomas

On Sat, 18 May 2002, [gb2312] 李 文嘉 wrote:

> Dear Mr. Paxson:
>
> I am an undergraduate student in China. When I try to use bro I have met some puzzles and I wish I could get help from you.
>
> First of all if bro detects intrusion activity, what will it do? Write this intrusion activity to a log or print a real-time notification on the screen?
>
> Secondly I have run bro many times in the LAN of my lab. But it did not have any response. So I am not sure if it is working. By the way, where is bro's intrusion log file located in Linux?
>
> Thirdly would you please give me a list of which types of intrusion bro can detect and the corresponding intrusion signature of each intrusion activity bro can detect?
>
> Thank you very much for your kind guidance and help.
>
> Yours Sincerely
> Lee

From liwenjia2002 at hotmail.com Fri May 17 20:05:53 2002 From: liwenjia2002 at hotmail.com (李 文嘉) Date: Sat, 18 May 2002 11:05:53 +0800 Subject: some puzzles about the usage of bro and thank you Message-ID:

Hi, thank you very much for your reply. In general how do you use bro, I mean what do you usually type on your keyboard when you want to run it? I have tried "./bro -i eth0" and "./bro" but it seemed that they have NOT done any work. By the way I can NOT see the "Listening to eth0" message. When I type "./bro -i eth0" or "./bro", the system seems to be waiting and it does not have any response. So I am very puzzled. I wish you could help me. Thank you.

From athomas at unity.ncsu.edu Fri May 17 20:08:54 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Fri, 17 May 2002 23:08:54 -0400 (EDT) Subject: some puzzles about the usage of bro and thank you In-Reply-To: Message-ID:

./bro -i eth0 mt

where mt is the starting script.. ...have a look into the bro user manual. This should work. -ashley thomas

On Sat, 18 May 2002, [gb2312] 李 文嘉
wrote:

> Hi, thank you very much for your reply. In general how do you use bro, I mean what do you usually type on your keyboard when you want to run it? I have tried "./bro -i eth0" and "./bro" but it seemed that they have NOT done any work. By the way I can NOT see the "Listening to eth0" message. When I type "./bro -i eth0" or "./bro", the system seems to be waiting and it does not have any response. So I am very puzzled. I wish you could help me. Thank you.

From liwenjia2002 at hotmail.com Fri May 17 20:42:21 2002 From: liwenjia2002 at hotmail.com (李 文嘉) Date: Sat, 18 May 2002 11:42:21 +0800 Subject: thank you and what does this mean? Message-ID:

I use "./bro -i eth0 tcp.bro" and it prints many lines. Would you please tell me the meaning of each component of every line of the log? For example:

1021692805.796063 weird:spontaneous_FIN
1021692805.796063 0.0700001 other-8080 604 ? 202.197.96.14 202.197.97.252 RSTOSO X

Thank you for your kind help and patience.

From athomas at unity.ncsu.edu Fri May 17 21:18:44 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Sat, 18 May 2002 00:18:44 -0400 (EDT) Subject: thank you and what does this mean? In-Reply-To: Message-ID:

In the bro user manual, which you can find in the doc/ directory, see section 5.3.6 for the format of the connection summary. ashley

On Sat, 18 May 2002, [gb2312] 李 文嘉 wrote:

> I use "./bro -i eth0 tcp.bro" and it prints many lines. Would you please tell me the meaning of each component of every line of the log? For example:
>
> 1021692805.796063 weird:spontaneous_FIN
> 1021692805.796063 0.0700001 other-8080 604 ?
> 202.197.96.14 202.197.97.252 RSTOSO X
>
> Thank you for your kind help and patience.

From liwenjia2002 at hotmail.com Tue May 21 01:17:09 2002 From: liwenjia2002 at hotmail.com (李 文嘉) Date: Tue, 21 May 2002 16:17:09 +0800 Subject: A question Message-ID:

I use the "./bro -i eth0 tcp.bro -w tom.log" command to save the log to my specific log file, tom.log, but I can only use "./bro -r tom.log" to read it. All other applications or viewers such as vi and gedit can NOT read it. Is this because the file format of this log file is NOT ASCII? Please tell me how to deal with this problem. Thank you.

From maillist151 at sohu.com Wed May 22 20:59:07 2002 From: maillist151 at sohu.com (maillist151 at sohu.com) Date: Thu, 23 May 2002 11:59:07 +0800 (CST) Subject: Can I use Bro to do IP fragment/reassemble tasks? Message-ID: <8323866.1022126347165.JavaMail.postfix@mx44.mail.sohu.com>

Hi, pals! I have got some IP fragment packages of a large datagram (more than 1500 bytes). Can I use Bro to reassemble the IP packages? Another question, if I have a large datagram from a higher level (maybe TCP), can I use Bro to fragment the large datagram into small IP packages? Best regards, George Ma

From athomas at unity.ncsu.edu Wed May 22 21:44:07 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Thu, 23 May 2002 00:44:07 -0400 (EDT) Subject: Can I use Bro to do IP fragment/reassemble tasks? In-Reply-To: <8323866.1022126347165.JavaMail.postfix@mx44.mail.sohu.com> Message-ID:

Bro reassembles ip fragments (in view that it needs to do intrusion detection..). Make sure that in your mt.bro there is

@load frag.bro

Whether bro will suit your need is another qn..
bro reassembles the fragments and analyses the whole packet to detect intrusions or network anomalies...

> Another question, if I have a large datagram from a higher level (maybe TCP), can I use Bro to fragment the large datagram into small IP packages?

Bro doesn't do that.

On Thu, 23 May 2002 maillist151 at sohu.com wrote:

> Hi, pals!
>
> I have got some IP fragment packages of a large datagram (more than 1500 bytes). Can I use Bro to reassemble the IP packages?
>
> Another question, if I have a large datagram from a higher level (maybe TCP), can I use Bro to fragment the large datagram into small IP packages?
>
> Best regards,
> George Ma

From athomas at unity.ncsu.edu Thu May 23 17:00:50 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Thu, 23 May 2002 20:00:50 -0400 (EDT) Subject: Pattern matching vs Regular expression Message-ID:

hi, Usage of regular expressions for pattern matching is any time better than using simple string matching in the sense that
- it gives more power
- it can reduce the number of signatures needed.
Apart from that, speed-wise is reg-exp matching still much faster than simple string matching like Boyer-Moore or similar algos?? any pointers or references will be great. thanks a lot ashley

From vern at icir.org Thu May 23 23:35:33 2002 From: vern at icir.org (Vern Paxson) Date: Thu, 23 May 2002 23:35:33 -0700 Subject: Pattern matching vs Regular expression In-Reply-To: Your message of Thu, 23 May 2002 20:00:50 EDT. Message-ID: <200205240635.g4O6ZXO14078@yak.icir.org>

> Apart from that speed-wise is reg-exp matching still much faster than simple string matching like Boyer-Moore or similar algos ??

Regular expression matching is comparable in speed to simple string matching, and (generally) slower than Boyer-Moore *for single strings*. Where it can gain performance is that it can efficiently match a lot of strings in parallel.
Robin Sommer & I are now working on using this to significantly enhance Bro's signature-matching capabilities - stay tuned. Vern

From lihp at cn.is-one.net Fri May 24 00:14:50 2002 From: lihp at cn.is-one.net (LHP) Date: Fri, 24 May 2002 15:14:50 +0800 Subject: Re: Pattern matching vs Regular expression In-Reply-To: <200205240635.g4O6ZXO14078@yak.icir.org> Message-ID:

hi, dear all, how about the multi-pattern matching algorithms? I think the multi-pattern matching algorithms may be a good choice to solve the signature matching problems in IDS. Using these algorithms, we can match multiple signatures in parallel. Li hongpei

Dr. Li hongpei, Information Security One ( China ) Ltd., 9 Floor, Haijian Tower, No.8 Changwa Road West, Haidian District, Beijing P. R. China 100089 Tel: 8610-82643699-5268 Fax: 8610-82644970 mobile: 13651008229 e-mail: lihp at cn.is-one.net http://www.is-one.net

-----Original Message----- From: owner-bro at lbl.gov [mailto:owner-bro at lbl.gov] On Behalf Of Vern Paxson Sent: 24 May 2002 14:36 To: Ashley Thomas Cc: bro at lbl.gov Subject: Re: Pattern matching vs Regular expression

> Apart from that speed-wise is reg-exp matching still much faster than simple string matching like Boyer-Moore or similar algos ??

Regular expression matching is comparable in speed to simple string matching, and (generally) slower than Boyer-Moore *for single strings*. Where it can gain performance is that it can efficiently match a lot of strings in parallel. Robin Sommer & I are now working on using this to significantly enhance Bro's signature-matching capabilities - stay tuned. Vern

From vern at icir.org Fri May 24 07:19:06 2002 From: vern at icir.org (Vern Paxson) Date: Fri, 24 May 2002 07:19:06 -0700 Subject: Re: Pattern matching vs Regular expression In-Reply-To: Your message of Fri, 24 May 2002 15:14:50 +0800.
Message-ID: <200205241419.g4OEJ6O17507@yak.icir.org>

> how about the multi-pattern matching algorithms?

Yes, that's what I'm referring to. Vern

From athomas at unity.ncsu.edu Fri May 24 12:59:20 2002 From: athomas at unity.ncsu.edu (Ashley Thomas) Date: Fri, 24 May 2002 15:59:20 -0400 (EDT) Subject: Pattern matching vs Regular expression In-Reply-To: <200205240635.g4O6ZXO14078@yak.icir.org> Message-ID:

That's really nice. I was trying to do a comparison of Bro with Snort, trying to compare the good and not so good qualities of each.. I'll be tuned for all news :)) thanks

On Thu, 23 May 2002, Vern Paxson wrote:

> > Apart from that speed-wise is reg-exp matching still much faster than simple string matching like Boyer-Moore or similar algos ??
>
> Regular expression matching is comparable in speed to simple string matching, and (generally) slower than Boyer-Moore *for single strings*. Where it can gain performance is that it can efficiently match a lot of strings in parallel. Robin Sommer & I are now working on using this to significantly enhance Bro's signature-matching capabilities - stay tuned.
>
> Vern

From alevin at mailru.com Fri May 24 13:06:56 2002 From: alevin at mailru.com (Alex Levin) Date: Fri, 24 May 2002 13:06:56 -0700 Subject: source code References: Message-ID: <003901c2035e$8ef427d0$b4fea8c0@ALEVIN>

Hi, where can I get the source code of bro? Thanks Alex Levin

From vern at icir.org Fri May 24 13:10:53 2002 From: vern at icir.org (Vern Paxson) Date: Fri, 24 May 2002 13:10:53 -0700 Subject: source code In-Reply-To: Your message of Fri, 24 May 2002 13:06:56 PDT. Message-ID: <200205242010.g4OKArO24829@yak.icir.org>

> where can I get the source code of bro?

The latest public snapshot is ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a90.tar.gz I hope to get a significantly enhanced version out the door mid-Summer. We've added a lot, but haven't put together all the documentation for it yet.
Vern

From wsffree at hotmail.com Fri May 24 19:40:23 2002 From: wsffree at hotmail.com (Wang Shaofu) Date: Sat, 25 May 2002 10:40:23 +0800 Subject: source code Message-ID:

> The latest public snapshot is
>
> ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a90.tar.gz

~~~What does it mean? :) I searched through ftp.ee.lbl.gov, but cannot find it. Would you tell me the address in detail? Thanks a lot. best regards Cloud

From vern at icir.org Fri May 24 19:45:20 2002 From: vern at icir.org (Vern Paxson) Date: Fri, 24 May 2002 19:45:20 -0700 Subject: source code In-Reply-To: Your message of Sat, 25 May 2002 10:40:23 +0800. Message-ID: <200205250245.g4P2jKO32036@yak.icir.org>

> > The latest public snapshot is
> >
> > ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a90.tar.gz
> ~~~What does it mean? :)
> I searched through ftp.ee.lbl.gov, but cannot find it. Would you tell me the address in detail? Thanks a lot.

That's the correct URL. If your browser can't fetch it, use ordinary FTP. The file is "invisible" due to its leading '.', but it's definitely there and fetchable. Vern

From lihp at cn.is-one.net Mon May 27 02:16:27 2002 From: lihp at cn.is-one.net (LHP) Date: Mon, 27 May 2002 17:16:27 +0800 Subject: Pattern matching vs Regular expression In-Reply-To: <200205241419.g4OEJ6O17507@yak.icir.org> Message-ID:

hi, dear all, I have just read some source code, and found that in snort, an implementation of an Aho-Corasick like Boyer-Moore Style Searching Algorithm has been given; it allows multiple patterns to be searched for in a packet at the same time, and the snort content rules are placed in an Aho-Corasick like keyword search tree that overlaps similar prefixes. best regards Li hongpei

-----Original Message----- From: Vern Paxson [mailto:vern at icir.org] Sent: 24 May 2002 22:19 To: LHP Cc: Ashley Thomas; bro at lbl.gov Subject: Re: Re: Pattern matching vs Regular expression

> how about the multi-pattern matching algorithms?

Yes, that's what I'm referring to. Vern

From Nathan.Dornbrook at rbs.co.uk Mon May 27 04:08:13 2002 From: Nathan.Dornbrook at rbs.co.uk (Dornbrook, Nathan) Date: Mon, 27 May 2002 12:08:13 +0100 Subject: Pattern matching vs Regular expression Message-ID:

For what it's worth, ISS RealSecure purchased NetworkICE for the sole reason of getting their hands on multiple pattern matching and heuristic tree pruning with regards to where to look. So ISS RealSecure v6.5 now doesn't search the whole packet for long strings of "%20" for example, or "/././././cgi-bin/*.phf". Instead it looks solely in the packet payload. By the same token, it won't look for solitary FIN packets out of sequence in the packet payload, either. These were both features of NetworkICE - and are part of the improved capability derived from Network Associates Sniffer Pro (the authors of Sniffer Pro went on to form NetworkICE after selling out). The advances that both Snort and NetworkICE bring to the table include not only searching in multiple parts of the packet simultaneously and intelligently matching different vulnerabilities against the parts of the packet where they can be found, but also a re-written packet driver that pulls packets in promiscuous mode at much higher speed than the OSes can. Cheers!
Nathan Dornbrook Head of Network Security Royal Bank of Scotland Regus House, 10 Lochside Place Edinburgh Park, Edinburgh EH12 9RG * 0131-523 9299 e* dornbrn at rbos.co.uk

-----Original Message----- From: LHP [mailto:lihp at cn.is-one.net] Sent: 27 May 2002 10:16 To: Vern Paxson Cc: Ashley Thomas; bro at lbl.gov Subject: re: Pattern matching vs Regular expression

hi, dear all, I have just read some source code, and found that in snort, an implementation of an Aho-Corasick like Boyer-Moore Style Searching Algorithm has been given; it allows multiple patterns to be searched for in a packet at the same time, and the snort content rules are placed in an Aho-Corasick like keyword search tree that overlaps similar prefixes. best regards Li hongpei

-----Original Message----- From: Vern Paxson [mailto:vern at icir.org] Sent: 24 May 2002 22:19 To: LHP Cc: Ashley Thomas; bro at lbl.gov Subject: Re: Re: Pattern matching vs Regular expression

> how about the multi-pattern matching algorithms?

Yes, that's what I'm referring to. Vern

From vern at icir.org Mon May 27 08:46:42 2002 From: vern at icir.org (Vern Paxson) Date: Mon, 27 May 2002 08:46:42 -0700 Subject: Pattern matching vs Regular expression In-Reply-To: Your message of Mon, 27 May 2002 17:16:27 +0800. Message-ID: <200205271546.g4RFkgO73729@yak.icir.org>

> I have just read some source code, and found that in snort, an implementation of an Aho-Corasick like Boyer-Moore Style Searching Algorithm has been given; it allows multiple patterns to be searched for in a packet at the same time, and the snort content rules are placed in an Aho-Corasick like keyword search tree that overlaps similar prefixes.

Right - we're aiming for something along those lines, though a bit different. Vern
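The multi-pattern matching that this thread circles around (Vern's "match a lot of strings in parallel", Li hongpei's Aho-Corasick keyword tree in Snort) is shown below as an added example; it is not code from the list, from Bro or from Snort. It builds an Aho-Corasick automaton over a constructed signature list (the `%20` run and the `cgi-bin/phf` string echo strings Nathan's message mentions; the `../..` marker is constructed), scans a constructed HTTP request in one pass, and cross-checks the result against the "one `find` per signature" approach that Vern contrasts it with. Every occurrence is reported, overlapping ones included, which is where a per-pattern search loop must take care to restart one byte after each hit.

```python
"""Added example: Aho-Corasick multi-pattern matching over a packet payload.

Not code from the bro list, Bro or Snort.  Signature strings and the
sample payload are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Tuple

Hit = Tuple[int, bytes]  # (byte offset in the payload, matched pattern)


class AhoCorasick:
    """Keyword automaton: one pass over the input finds every occurrence
    of every pattern, including overlapping occurrences."""

    def __init__(self, patterns: List[bytes]) -> None:
        self.patterns = list(patterns)
        self.goto: List[Dict[int, int]] = [{}]  # state -> {byte: next state}
        self.fail: List[int] = [0]              # state -> fallback state
        self.out: List[List[int]] = [[]]        # state -> ids of patterns ending here
        for pid, pat in enumerate(self.patterns):
            self._add(pat, pid)
        self._build_failure_links()

    def _add(self, pat: bytes, pid: int) -> None:
        # Insert the pattern into the trie, creating states as needed.
        state = 0
        for byte in pat:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append(pid)

    def _build_failure_links(self) -> None:
        # Breadth-first order guarantees a state's (shallower) failure
        # target is finished before the state itself is processed.
        queue = deque(self.goto[0].values())  # depth-1 states keep fail == 0
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # Any pattern ending at the failure target also ends at s.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes) -> List[Hit]:
        """Scan data once; return sorted (offset, pattern) pairs."""
        hits: List[Hit] = []
        state = 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for pid in self.out[state]:
                pat = self.patterns[pid]
                hits.append((i - len(pat) + 1, pat))
        return sorted(hits)


def naive_search(data: bytes, patterns: List[bytes]) -> List[Hit]:
    """One bytes.find loop per pattern: the 'one string search per
    signature' approach the thread contrasts with parallel matching."""
    hits: List[Hit] = []
    for pat in patterns:
        start = data.find(pat)
        while start >= 0:
            hits.append((start, pat))
            start = data.find(pat, start + 1)  # +1 keeps overlapping hits
    return sorted(hits)


# Constructed signature strings (not a real rule set).
SIGNATURES: List[bytes] = [b"cgi-bin/phf", b"%20%20%20", b"../.."]

# Constructed sample request (not a real capture).
SAMPLE_PAYLOAD = (
    b"GET /././cgi-bin/phf?name=test%20%20%20%20x HTTP/1.0\r\n"
    b"Host: www.example.test\r\n\r\n"
)


def scan_payload(payload: bytes, signatures: List[bytes] = SIGNATURES) -> List[Hit]:
    """Single-pass scan of one payload against all signatures."""
    return AhoCorasick(signatures).search(payload)


def matches_agree(payload: bytes, signatures: List[bytes] = SIGNATURES) -> bool:
    """The automaton must report exactly what per-pattern searching
    reports: same offsets, overlapping occurrences included."""
    return scan_payload(payload, signatures) == naive_search(payload, signatures)


if __name__ == "__main__":
    for offset, pat in scan_payload(SAMPLE_PAYLOAD):
        print(f"offset {offset:3d}: {pat!r}")
    print("agrees with per-pattern search:", matches_agree(SAMPLE_PAYLOAD))
```

The automaton is built once per signature set and reused for every payload; the per-payload cost is one state transition per input byte regardless of how many signatures are loaded, which is the property that makes the approach attractive for a NIDS rule set numbering in the hundreds or thousands. The naive loop, by contrast, rescans the payload once per signature.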