From wsffree at hotmail.com Tue Sep 3 05:38:20 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Tue, 03 Sep 2002 20:38:20 +0800
Subject: about Bison

Hi all,

Have a nice morning!

Could you tell me where the implementation of "extern void add_input_file(const char* file);" (declared in input.h) is?

Thanks very much.

Ciao,
Cloud

From vern at icir.org Tue Sep 3 17:06:12 2002
From: vern at icir.org (Vern Paxson)
Date: Tue, 03 Sep 2002 17:06:12 -0700
Subject: about Bison
In-Reply-To: Your message of Tue, 03 Sep 2002 20:38:20 +0800.
Message-ID: <200209040006.g8406C5R010962@jaguar.icir.org>

> Could you tell me where the implementation of "extern void add_input_file(const
> char* file);" (declared in input.h) is?

It's in scan.l. In general, you can track this sort of thing down by
grep'ing through all of the sources.

		Vern

From wsffree at hotmail.com Thu Sep 5 18:45:18 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Fri, 06 Sep 2002 09:45:18 +0800
Subject: about event handle

Hi,

Good morning!

I made the following changes:

In main(...), I added some code like

    Func* wsf;
    wsf = internal_func("wsf");

In bro.init, I added a line:

    global wsf: event(msg: string);

In login.bro, I added an event:

    event wsf(msg: string)
        {
        print msg;
        }

And when I invoke Bro with "./bro -i eth0 login.bro", Bro does not work, with this error message:

    lin1: internal error: internal variable wsf missing
    Aborted

Did I get the right way of creating and using an event handler? Any help is welcome.

Have a nice day.

Ciao,
Cloud

From vern at icir.org Fri Sep 6 00:08:14 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 06 Sep 2002 00:08:14 -0700
Subject: about event handle
In-Reply-To: Your message of Fri, 06 Sep 2002 09:45:18 +0800.
Message-ID: <200209060708.g8678EAq033886@jaguar.icir.org>

> In main(...), I added some code like
>     Func* wsf;
>     wsf = internal_func("wsf");
>
> In bro.init, I added a line:
>     global wsf: event(msg: string);
> In login.bro, I added an event:
>     event wsf(msg: string)
>         {
>         print msg;
>         }
> And when I invoke Bro with "./bro -i eth0 login.bro", Bro does not work, with
> this error message:
>     lin1: internal error: internal variable wsf missing
>     Aborted
> Did I get the right way of creating and using an event handler?

That's the correct way. Perhaps you're running into search-path problems,
in which the old version of bro.init is being found rather than the new
version you created. (Not the problem, of course, if you edited bro.init
in place rather than creating a new one.) The way to debug this is to
check the access time on the modified bro.init using "ls -lu" in order
to see whether it's indeed being read in. If it is, the next thing to
do is to introduce a syntax error in the definition of wsf to see whether
the line is indeed being parsed.

		Vern

From wsffree at hotmail.com Fri Sep 6 06:15:42 2002
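Vern's debugging advice above (check with "ls -lu" which copy of bro.init is actually read), turned into a small tool as an added example that is not part of the thread and is not Bro's own loader. It walks a colon-separated search path the way Vern describes Bro resolving bro.init along $BROPATH, lists every copy it finds, marks the one a first-match search would load, and prints each copy's access time. The default path is the one Vern quotes later in this thread; file and directory names in the test are constructed.

```cpp
// Added example, not from the thread and not Bro's own loader: resolve a
// script name along a colon-separated search path, list every copy, mark
// the one that wins, and show each copy's access time (what "ls -lu"
// reports) so a copy whose atime never moves can be identified as the one
// that was never read.
#include <cstdio>
#include <cstdlib>
#include <ctime>
#include <string>
#include <vector>
#include <sys/stat.h>

// Default search path as quoted in the thread.
static const char* const kDefaultBroPath = ".:policy:policy/local:/usr/local/lib/bro";

// Split "a:b::c" into {"a","b",".","c"}: an empty component means ".".
std::vector<std::string> split_path(const std::string& path)
{
	std::vector<std::string> dirs;
	std::string cur;
	for ( size_t i = 0; i <= path.size(); ++i )
		{
		if ( i == path.size() || path[i] == ':' )
			{
			dirs.push_back(cur.empty() ? std::string(".") : cur);
			cur.clear();
			}
		else
			cur += path[i];
		}
	return dirs;
}

// Every existing regular file named `file` along `path`, in search order.
std::vector<std::string> find_all(const std::string& file, const std::string& path)
{
	std::vector<std::string> hits;
	for ( const std::string& dir : split_path(path) )
		{
		std::string cand = dir + "/" + file;
		struct stat st;
		if ( stat(cand.c_str(), &st) == 0 && S_ISREG(st.st_mode) )
			hits.push_back(cand);
		}
	return hits;
}

// The copy a first-match search loads, or "" if there is none.
std::string find_first(const std::string& file, const std::string& path)
{
	std::vector<std::string> hits = find_all(file, path);
	return hits.empty() ? std::string() : hits.front();
}

// Print each copy with its last access time, "->" marking the winner.
// Returns the number of copies found.
int report(const std::string& file, const std::string& path)
{
	std::vector<std::string> hits = find_all(file, path);
	for ( size_t i = 0; i < hits.size(); ++i )
		{
		struct stat st;
		if ( stat(hits[i].c_str(), &st) != 0 )
			continue;
		char when[32];
		std::strftime(when, sizeof when, "%Y-%m-%d %H:%M:%S", std::localtime(&st.st_atime));
		std::printf("%s %s  %s\n", i == 0 ? "->" : "  ", when, hits[i].c_str());
		}
	if ( hits.empty() )
		std::printf("no copy of %s along %s\n", file.c_str(), path.c_str());
	return (int) hits.size();
}

int main(int argc, char** argv)
{
	const char* env = std::getenv("BROPATH");
	report(argc > 1 ? argv[1] : "bro.init", env ? env : kDefaultBroPath);
	return 0;
}
```

Run it once before and once after starting Bro: the copy whose access time advances is the one that was parsed; if the marked winner is not the file you edited, the search path rather than the script is the problem.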
From: wsffree at hotmail.com (Wang Shaofu)
Date: Fri, 06 Sep 2002 21:15:42 +0800
Subject: about event handle

> > In main(...), I added some code like
> >     Func* wsf;
> >     wsf = internal_func("wsf");
> >
> > In bro.init, I added a line:
> >     global wsf: event(msg: string);
> > In login.bro, I added an event:
> >     event wsf(msg: string)
> >         {
> >         print msg;
> >         }
> > And when I invoke Bro with "./bro -i eth0 login.bro", Bro does not work, with
> > this error message:
> >     lin1: internal error: internal variable wsf missing
> >     Aborted
> > Did I get the right way of creating and using an event handler?
>
> That's the correct way. Perhaps you're running into search-path problems,
> in which the old version of bro.init is being found rather than the new
> version you created. (Not the problem, of course, if you edited bro.init
> in place rather than creating a new one.) The way to debug this is to
> check the access time on the modified bro.init using "ls -lu" in order
> to see whether it's indeed being read in. If it is, the next thing to
> do is to introduce a syntax error in the definition of wsf to see whether
> the line is indeed being parsed.

Thanks for your help. :)

The access time on the modified bro.init before running Bro is the same as the time after running Bro. What should I do to make Bro read the bro.init?

Have a nice day.

Ciao,
Cloud

From vern at icir.org Fri Sep 6 09:19:05 2002
From: vern at icir.org (Vern Paxson)
Date: Fri, 06 Sep 2002 09:19:05 -0700
Subject: about event handle
In-Reply-To: Your message of Fri, 06 Sep 2002 21:15:42 +0800.
Message-ID: <200209061619.g86GJ5Aq041144@jaguar.icir.org>

> The access time on the modified bro.init before running Bro is the same as
> the time after running Bro. What should I do to make Bro read the
> bro.init?

Bro searches $BROPATH, which defaults to

	.:policy:policy/local:/usr/local/lib/bro

so for bro.init it will load the first instance it finds along that path.
You should be able to use "ls -ut" to find just what files it's loading
along the path.

		Vern

From wsffree at hotmail.com Fri Sep 13 01:06:19 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Fri, 13 Sep 2002 16:06:19 +0800
Subject: about BaseList

Dear Prof.,

There may be a mistake in the BaseList class:

    ent BaseList::remove_nth(int n)
        {
        ......
        for ( ; n < num_entries; n++ )   // this is to remove the member following
            entry[n] = entry[n+1];       // the nth one forward.
        entry[n] = 0;   // for debugging   ??? Is this to make the nth one null?
        ......
        }

I think that it should make the nth one null before moving the members following the nth one forward, and the code should be:

    ent BaseList::remove_nth(int n)
        {
        ......
        entry[n] = 0;   // for debugging   ??? Is this to make the nth one null?
        for ( ; n < num_entries; n++ )   // this is to remove the member following
            entry[n] = entry[n+1];       // the nth one forward.
        ......
        }

Or do I have the wrong idea of your code?

Thanks very much. Have a nice day.

Ciao,
Cloud

From robin at net.uni-sb.de Fri Sep 13 04:11:58 2002
From: robin at net.uni-sb.de (Robin Sommer)
Date: Fri, 13 Sep 2002 13:11:58 +0200
Subject: about BaseList
Message-ID: <20020913111158.GH1469@net.uni-sb.de>

On Fri, Sep 13, 2002 at 16:06 +0800, Wang Shaofu wrote:

> entry[n] = 0;   // for debugging   ??? Is this to make the nth one
> null?

No. The n-th entry is removed by moving all following entries one
position to the front, i.e. the n-th entry is overwritten by the
(n+1)-th. The line above clears the array position that was the end of
the list before we deleted the n-th element. This is not necessary but
helps debugging.

Robin

From jbarlow at ncsa.uiuc.edu Fri Sep 13 13:52:27 2002
From: jbarlow at ncsa.uiuc.edu (Jim Barlow)
Date: Fri, 13 Sep 2002 15:52:27 -0500
Subject: Maybe useful script
Message-ID: <20020913155227.B30260@osage.ncsa.uiuc.edu>

I have written a Perl script that has been quite handy when tracking down incidents when we need to parse the Bro http or ftp logs (these daily logs can get huge at our site). It organizes the logs by connection, and you can also just pull out connections for specific IP addresses. It's available at:

	http://www.ncsa.uiuc.edu/~jbarlow/scripts/

Thought it might be useful for other sites if they don't already have a script like this. Let me know if there are any problems or additions you come across.

--
James J. Barlow   Senior System/Security Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue, Champaign, IL 61820
Voice: (217) 244-6403   Cell: (217) 840-0601   Fax: (217) 244-1987
http://www.ncsa.uiuc.edu/~jbarlow

From wsffree at hotmail.com Sun Sep 15 21:35:16 2002
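The BaseList::remove_nth discussion above (Wang's question and Robin's answer), as an added example that is not Bro's BaseList: a minimal pointer list whose remove_nth() does what Robin describes, shifting the following entries one slot forward and then clearing the slot that used to be the end of the list, next to the ordering proposed in the question, so what each variant leaves behind in the array can be inspected. The list type, its capacity handling and the sample contents are assumptions for illustration.

```cpp
// Added example, not Bro's BaseList: a minimal pointer list with two
// variants of remove_nth(), to show what each leaves in the unused slot.
#include <cstddef>
#include <vector>

typedef void* ent;   // same name Bro's list code uses for its element type

struct PtrList {
	std::vector<ent> entry;   // storage; slots at index >= num_entries are unused
	int num_entries;

	explicit PtrList(int capacity)
		: entry(capacity, static_cast<ent>(nullptr)), num_entries(0) {}

	void append(ent p) { entry[num_entries++] = p; }

	// Shift first, then clear the slot that was the old end of the list.
	ent remove_nth(int n)
		{
		if ( n < 0 || n >= num_entries )
			return nullptr;
		ent old = entry[n];
		--num_entries;
		for ( ; n < num_entries; ++n )
			entry[n] = entry[n+1];   // the n-th is overwritten by the (n+1)-th
		entry[n] = nullptr;          // n is now the old last index: clear it
		return old;
		}

	// The ordering proposed in the question: clear the n-th slot, then shift.
	// The cleared slot is immediately overwritten by the shift (unless n was
	// the last entry), and the old last slot keeps a stale pointer.
	ent remove_nth_proposed(int n)
		{
		if ( n < 0 || n >= num_entries )
			return nullptr;
		ent old = entry[n];
		entry[n] = nullptr;
		--num_entries;
		for ( ; n < num_entries; ++n )
			entry[n] = entry[n+1];
		return old;
		}

	// True when the slot just past the live entries holds no stale pointer.
	bool tail_cleared() const { return entry[num_entries] == nullptr; }
};

// Build [a,b,c,d] (constructed sample), remove index 1 with the chosen
// variant, and report whether the slot past the end was left clean.
bool demo(bool use_proposed)
{
	static int a, b, c, d;
	PtrList l(4);
	l.append(&a); l.append(&b); l.append(&c); l.append(&d);
	if ( use_proposed )
		l.remove_nth_proposed(1);
	else
		l.remove_nth(1);
	return l.tail_cleared();
}
```

Both variants produce the same live contents [a, c, d]; the difference is only in the slot past the end, which is why Robin calls the clearing a debugging aid: a stale pointer there is exactly what a later off-by-one read would dereference.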
From: wsffree at hotmail.com (Wang Shaofu)
Date: Mon, 16 Sep 2002 12:35:16 +0800
Subject: About ODesc

Hi,

I cannot understand the ODesc class. Could you tell me the details of it: what does each variable represent, and how does each function work?

Thanks in advance!

Success every day.

Ciao,
Cloud

From vern at icir.org Mon Sep 16 20:38:40 2002
From: vern at icir.org (Vern Paxson)
Date: Mon, 16 Sep 2002 20:38:40 -0700
Subject: About ODesc
In-Reply-To: Your message of Mon, 16 Sep 2002 12:35:16 +0800.
Message-ID: <200209170338.g8H3ceAq027270@jaguar.icir.org>

> I cannot understand the ODesc class.

ODesc is used by Bro objects to describe themselves. An ODesc can be
associated with a file, in which case the description is written to the
file; or, if no file is specified, then the description is built up in a
string internal to the ODesc object, which can then be retrieved using
Description(), Bytes(), or TakeBytes().

One way to figure this out by yourself is to search for references in
the source code to ODesc. You'll find that they're all in Describe() and
ValDescribe() methods.

> Could you tell me the details of it: what does each variable represent,
> and how does each function work?

The workings should be apparent with a bit of inspection to those with a
good familiarity with C++. Such familiarity is required at this point for
those who want to delve into the details of Bro's inner workings.

		Vern

From vern at icir.org Fri Sep 20 12:54:27 2002
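Vern's description of ODesc above, as an added example that is not Bro's ODesc: a describer with the two sinks he names (write through to a FILE*, or accumulate in an internal string retrievable via Description(), Bytes() and TakeBytes()), plus two made-up object types that describe themselves into it through a Describe() method. The method set beyond the three accessors Vern names, the object types and the sample values are assumptions for illustration.

```cpp
// Added example, not Bro's ODesc: a describer that either streams text to
// a FILE* or buffers it, and objects that describe themselves into it.
#include <cstdio>
#include <string>

class Desc {
public:
	explicit Desc(std::FILE* f = nullptr) : f_(f) {}

	// Append text: straight to the file if one is attached, else buffer it.
	void Add(const char* s)
		{
		if ( f_ )
			std::fputs(s, f_);
		else
			buf_ += s;
		}
	void Add(int v)
		{
		char t[32];
		std::snprintf(t, sizeof t, "%d", v);
		Add(t);
		}

	// Accessors for the buffered form; empty when a file is attached.
	const char* Description() const { return buf_.c_str(); }
	const char* Bytes() const { return buf_.data(); }
	size_t Len() const { return buf_.size(); }
	// Hand the accumulated bytes over and leave the object empty.
	std::string TakeBytes()
		{
		std::string out;
		out.swap(buf_);
		return out;
		}

private:
	std::FILE* f_;
	std::string buf_;
};

// Objects describe themselves into a Desc, nesting as needed.
struct Port {
	int num;
	const char* proto;
	void Describe(Desc& d) const { d.Add(num); d.Add("/"); d.Add(proto); }
};

struct Conn {
	const char* orig;
	Port resp;
	void Describe(Desc& d) const { d.Add(orig); d.Add(" -> "); resp.Describe(d); }
};

// Buffered use: build the description in memory and return it.
std::string describe_to_string(const Conn& c)
{
	Desc d;
	c.Describe(d);
	return d.TakeBytes();
}

// File use: text goes straight to `f`; returns what the buffer holds (0).
size_t describe_to_file(const Conn& c, std::FILE* f)
{
	Desc d(f);
	c.Describe(d);
	std::fputc('\n', f);
	return d.Len();
}
```

The point of the two modes is that the same Describe() code serves both logging (file attached) and string building (no file), which is why a grep for ODesc lands only in Describe() and ValDescribe() methods.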
From: vern at icir.org (Vern Paxson)
Date: Fri, 20 Sep 2002 12:54:27 -0700
Subject: patch for Bro release 0.7a175
Message-ID: <200209201954.g8KJsRAq000178@jaguar.icir.org>

The 0.7a175 release had a serious bug in it, in which a malformed TCP
option could wedge Bro. This is fixed in the 0.7a175b release, now
available from:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a175b.tar.gz

I've also appended a patch for the 0.7a175 sources.

More generally, I want to start moving towards the notion of "stable"
versus "current" releases, where "stable" releases just have bug fixes
applied to them, and no new features. In light of this, the above is
also available as:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz

		- Vern

*** TCP.cc.ORIG	Tue Aug 27 15:47:09 2002
--- TCP.cc.NEW	Thu Sep 19 22:49:27 2002
***************
*** 857,868 ****
  	int SACK = 0;
  
  	// Parse TCP options.
! 	char* options = (char*) tcp + sizeof(struct tcphdr);
! 	char* opt_end = (char*) tcp + tcp->th_off * 4;
  
  	while ( options < opt_end )
  		{
! 		int opt = options[0];
  
  		if ( opt == TCPOPT_EOL )
  			// All done - could flag if more junk left over ....
--- 898,909 ----
  	int SACK = 0;
  
  	// Parse TCP options.
! 	u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
! 	u_char* opt_end = (u_char*) tcp + tcp->th_off * 4;
  
  	while ( options < opt_end )
  		{
! 		unsigned int opt = options[0];
  
  		if ( opt == TCPOPT_EOL )
  			// All done - could flag if more junk left over ....
***************
*** 878,899 ****
  			// We've run off the end, no room for the length.
  			break;
  
! 		int opt_len = options[1];
  
  		if ( options + opt_len >= opt_end )
  			// No room for rest of option.
  			break;
  
  		switch ( opt ) {
  		case TCPOPT_SACK_PERMITTED:
  			SACK = 1;
  			break;
  
  		case TCPOPT_MAXSEG:
  			MSS = (options[2] << 8) | options[3];
  			break;
  
  		case 3: /* TCPOPT_WSCALE */
  			winscale = options[2];
  			break;
  
--- 919,950 ----
  			// We've run off the end, no room for the length.
  			break;
  
! 		unsigned int opt_len = options[1];
  
  		if ( options + opt_len >= opt_end )
  			// No room for rest of option.
  			break;
  
+ 		if ( opt_len == 0 )
+ 			// Trashed length field.
+ 			break;
+ 
  		switch ( opt ) {
  		case TCPOPT_SACK_PERMITTED:
  			SACK = 1;
  			break;
  
  		case TCPOPT_MAXSEG:
+ 			if ( opt_len < 4 )
+ 				break;	// bad length
+ 
  			MSS = (options[2] << 8) | options[3];
  			break;
  
  		case 3: /* TCPOPT_WSCALE */
+ 			if ( opt_len < 3 )
+ 				break;	// bad length
+ 
  			winscale = options[2];
  			break;
  

From vern at icir.org Sat Sep 21 22:22:37 2002
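Review bot: in the first hunk (*** 857,868 ****), the `char*` to `u_char*` and `int opt` to `unsigned int` changes are what make the later length check sound, not a cosmetic type cleanup: with `char` signed (the default on x86), an option whose length byte is 0x80 or above reads as a negative `opt_len`, so `options + opt_len >= opt_end` is trivially false and the walk steps backwards into bytes it has already consumed. That deserves a sentence in the patch description, since on its face the hunk looks like a type change only.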
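Review bot: in the second hunk (*** 878,899 ****), `if ( opt_len == 0 )` leaves `opt_len == 1` unhandled, which is equally invalid for any option that carries a length byte (kind and length already occupy two bytes); `opt_len < 2` covers both and keeps the comment "Trashed length field" accurate. Two smaller points: the pre-existing `options + opt_len >= opt_end` rejects an option that ends exactly at `opt_end`, so a well-formed last option that fills the header is dropped along with the malformed cases (`>` would be the exact bound); and the added `break`s under `case TCPOPT_MAXSEG` and `case 3` leave the `switch`, not the `while`, so a short MSS or window-scale option is skipped rather than ending the parse, which is reasonable but deserves a comment because the two kinds of `break` read identically.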
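The malformed-option failure behind the 0.7a175 bug announced above, as an added example that is not Bro's TCP.cc: a TCP option walker hardened against a zero or one length byte, an option body that runs past the end of the header, a missing length byte, and option kinds of 0x80 and above (which a signed char would turn negative). The option byte strings it is run on are constructed for illustration; the kind values are the standard TCP option numbers.

```cpp
// Added example, not Bro's TCP.cc: a TCP option walker that survives the
// malformed inputs a naive parser stalls or walks backwards on.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2,
       TCPOPT_WSCALE = 3, TCPOPT_SACK_PERMITTED = 4 };

struct TcpOpts {
	int mss = 0, winscale = 0, sack = 0;
	int parsed = 0;   // well-formed options handled (known or skipped)
	int bad = 0;      // malformed options seen (parsing stops at the first)
};

// Walk the option bytes [opts, opts+len).  Every iteration either stops or
// advances p by at least one byte, so the loop always terminates.
TcpOpts parse_tcp_options(const uint8_t* opts, size_t len)
{
	TcpOpts r;
	const uint8_t* p = opts;
	const uint8_t* end = opts + len;

	while ( p < end )
		{
		unsigned kind = *p;   // unsigned: kinds >= 128 stay positive

		if ( kind == TCPOPT_EOL )
			break;            // only padding follows

		if ( kind == TCPOPT_NOP )
			{
			++p;              // single-byte option, no length field
			continue;
			}

		if ( end - p < 2 )
			{                 // no room for the length byte
			++r.bad;
			break;
			}

		unsigned olen = p[1];
		if ( olen < 2 )
			{                 // 0 or 1 is never valid: kind+length already
			++r.bad;          // take two bytes, and 0 would stall the walk
			break;
			}

		if ( (size_t) (end - p) < olen )
			{                 // body would run past the header
			++r.bad;
			break;
			}

		switch ( kind ) {
		case TCPOPT_SACK_PERMITTED:
			if ( olen == 2 ) { r.sack = 1; ++r.parsed; } else ++r.bad;
			break;
		case TCPOPT_MAXSEG:
			if ( olen == 4 ) { r.mss = (p[2] << 8) | p[3]; ++r.parsed; } else ++r.bad;
			break;
		case TCPOPT_WSCALE:
			if ( olen == 3 ) { r.winscale = p[2]; ++r.parsed; } else ++r.bad;
			break;
		default:
			++r.parsed;       // unknown kind: skipped by its own length
			break;
		}

		p += olen;            // olen >= 2 and fits, so progress is guaranteed
		}
	return r;
}

// Convenience wrapper for constructed samples.
TcpOpts parse_sample(const std::vector<uint8_t>& bytes)
{
	return parse_tcp_options(bytes.data(), bytes.size());
}

int main()
{
	// Constructed: MSS 1460, NOP, wscale 7, SACK permitted, EOL padding.
	TcpOpts ok = parse_sample({ 2,4,0x05,0xb4, 1, 3,3,7, 4,2, 0,0 });
	std::printf("mss=%d wscale=%d sack=%d parsed=%d bad=%d\n",
	            ok.mss, ok.winscale, ok.sack, ok.parsed, ok.bad);
	// Constructed: a zero length byte, which a walker that advances by the
	// length field would never move past.
	TcpOpts stalled = parse_sample({ 2,0,0x05,0xb4 });
	std::printf("zero-length option: parsed=%d bad=%d\n", stalled.parsed, stalled.bad);
	return 0;
}
```

The design choice that matters is that the three checks (room for a length byte, length at least 2, body within the header) all happen before any option-specific code runs and before `p` is advanced, so no `case` can ever read past `end` and no input can keep `p` still.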
From: vern at icir.org (Vern Paxson)
Date: Sat, 21 Sep 2002 22:22:37 -0700
Subject: new Bro release available - 0.8a1
Message-ID: <200209220522.g8M5McAq024739@jaguar.icir.org>

A new Bro alpha release is now available from:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8a1.tar.gz
	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8-current.tar.gz

This is a "bleeding edge" release with a number of changes (appended).
The current stable release remains 0.7a175b, available from:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz

		- Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0.8a1 Sat Sep 21 22:09:23 PDT 2002

- IPv6 support enabled if you build using -DBROv6. Deficiencies: Bro
  doesn't yet look up hostnames for AAAA records; no handling of extension
  headers (if you have traces of these, please send them to me!); no
  handling of FTP PORT/PASV with IPv6 addresses (again, if you have traces,
  please send them!); the DNS analyzer doesn't understand AAAA yet (again,
  please send me traces!); you have to change the capture_filter line in
  tcp.bro (as indicated in the script) in order to process TCP traffic,
  due to deficiencies in libpcap's support for IPv6.

- Bro is migrating towards a more structured way of handling log messages /
  alerts. Analyzers now @load alert.bro, which has a function ALERT() for
  processing alerts. Soon this function will provide a variety of
  filtering/processing hooks; expect changes.

- Bro now has an HTTP response analyzer (contributed by Ruoming Pang). The
  HTTP policy scripts have been split up into http.bro (just general
  definitions), http-request.bro (handles requests; loaded by http.bro),
  http-reply.bro (handles replies; you need to explicitly load this), and
  http-detail.bro (handles individual headers). http-reply.bro will be
  undergoing some significant reworking in the near future; probably the
  scripts will be merged back into a single http.bro plus http-detail.bro.

- ssl-worm.bro contains a prototype policy script for detecting the Scalper
  SSL worm (contributed by Robin Sommer). It uses the signature file
  sig.ex.ssl-worm.bro. If someone has traces of Scalper in action to send
  us, that would be great.

- A new policy script, contents.bro, extracts the contents of each Bro
  connection into its own pair of files (one file for each direction). Use
  in conjunction with -f or discarder_XXX() to extract specific connections.

- A new built-in function, strcmp(), returns the usual comparison between
  two strings (contributed by Robin Sommer).

- A new event, content_gap(), is generated when Bro detects that it is
  forced to skip over data in a reconstructed TCP stream because it is
  missing from the packet input.

- BIND8 is no longer included with the distribution. If this causes you
  problems, let me know.

- aux/scripts/bro_logchk is a Perl script for parsing Bro HTTP & FTP logs
  (contributed by Jim Barlow).

- You can now compare addresses to see which is larger. a < b means that
  in network order, the octets making up 'a' are ordered before those for
  'b'. E.g., 128.2.3.4 < 128.2.3.5 < 129.0.0.1. Note that IPv4 addresses
  are all < IPv6 addresses (other than IPv4 addresses that are embedded in
  IPv6 addresses, e.g., ::128.2.3.4 < 128.2.3.5).

- Serious bug in TCP option handling fixed.

- Some bugs in CRLF handling fixed (courtesy Ruoming Pang).

- Bug in the implementation of &optional fixed.

- Bug in computing memory statistics when not reading packets (from an
  interface or the trace file) fixed.

- You can now include a trailing comma after the last item in an "enum"
  enumeration list.

- port-name.bro now maps 389/tcp to "ldap".

- A bug has been fixed in loading files multiple times.

From mayank at ncb.ernet.in Mon Sep 23 00:01:11 2002
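The address ordering described in the 0.8a1 notes above ("a < b" means the octets of a precede those of b in network order, with IPv4 addresses sorting below IPv6 addresses except for IPv4 addresses embedded in IPv6 form), as an added example that is not Bro's code. It parses either family with inet_pton into a 16-byte form and compares with memcmp; storing IPv4 in the low four bytes (the ::a.b.c.d form) is an assumption chosen to reproduce the note's ::128.2.3.4 example, not a statement about Bro's internal layout. The addresses in the test are those from the note plus constructed ones.

```cpp
// Added example, not Bro's code: byte-wise network-order address
// comparison across IPv4 and IPv6.
#include <arpa/inet.h>
#include <cstdint>
#include <cstring>
#include <string>

struct Addr {
	uint8_t b[16];
	bool v4;
};

// Parse either family into the 16-byte form (IPv4 as ::a.b.c.d, an
// assumption for this example).  Returns false on bad input.
bool parse_addr(const std::string& s, Addr& out)
{
	std::memset(out.b, 0, sizeof out.b);
	if ( inet_pton(AF_INET, s.c_str(), out.b + 12) == 1 )
		{
		out.v4 = true;
		return true;
		}
	if ( inet_pton(AF_INET6, s.c_str(), out.b) == 1 )
		{
		out.v4 = false;
		return true;
		}
	return false;
}

// memcmp on the 16 bytes is exactly "network order" comparison: octets are
// compared as unsigned values starting from the most significant end.
int addr_cmp(const Addr& a, const Addr& b)
{
	return std::memcmp(a.b, b.b, sizeof a.b);
}

bool addr_eq(const Addr& a, const Addr& b) { return addr_cmp(a, b) == 0; }

// Textual convenience: x < y; false if either side fails to parse.
bool addr_less(const std::string& x, const std::string& y)
{
	Addr a, b;
	if ( ! parse_addr(x, a) || ! parse_addr(y, b) )
		return false;
	return addr_cmp(a, b) < 0;
}
```

Because every non-embedded IPv6 address has a non-zero byte somewhere in its first twelve, and every IPv4 address has twelve leading zero bytes in this form, the "IPv4 < IPv6" property falls out of the byte comparison rather than needing a separate family check.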
From: mayank at ncb.ernet.in (Mayank-Bhatnagar)
Date: Mon, 23 Sep 2002 12:31:11 +0530 (IST)
Subject: Error during make

Hi,

My sincere thanks to Prof. Vern for sending us the next release of Bro.

However, I tried to make the Bro stable version, i.e.

> The current stable release remains 0.7a175b, available from:
> ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz

but I am facing a problem during make. I am running Linux 6.2, kernel 2.2.14-12.

I am getting compilation problems; I tried to change the code and recompile, but was not successful.

The file the errors report is "DebugCmds.cc". These are the errors I am getting:

_______________________________________

c++ -I. -O -Ilinux-include -c DebugCmds.cc
DebugCmds.cc: In function `void lookup_global_symbols_regex(const class stoing &, class vector > &, bool = false)':
DebugCmds.cc:41: no matching function for call to `string::push_back (char)'
DebugCmds.cc:42: no matching function for call to `string::push_back (char)'
DebugCmds.cc:44: no matching function for call to `string::push_back (char)'
make: *** [DebugCmds.o] Error 1

__________________________________________

What could possibly be the reason? Is there something that needs to be modified in the code? Can anybody help me out?

Thanks,
Mayank

From jqxin1976 at yahoo.com Mon Sep 23 08:12:23 2002
From: jqxin1976 at yahoo.com (gong xin)
Date: Mon, 23 Sep 2002 08:12:23 -0700 (PDT)
Subject: Error during make
Message-ID: <20020923151223.79621.qmail@web11907.mail.yahoo.com>

Hello,

When I tried to compile the 0.8a1 version, there was also an error in the DNS_Mgr.cc file. The error is shown below:

c++ -I. -O -Ilinux-include -c DNS_Mgr.cc
DNS_Mgr.cc: In method `void DNS_Mgr::AddResult (DNS_Mgr_Request *, nb_dns_result *)':
DNS_Mgr.cc:661: parse error before `*'
make: *** [DNS_Mgr.o] Error 1

Would someone shed some light on the problem?

Thanks very much.

Yours,
Xin

--- Mayank-Bhatnagar wrote:
> Hi,
>
> My sincere thanks to Prof. Vern for sending us the next release of Bro.
>
> However, I tried to make the Bro stable version, i.e.
>
> > The current stable release remains 0.7a175b, available from:
> > ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz
>
> but I am facing a problem during make. I am running Linux 6.2,
> kernel 2.2.14-12.
>
> I am getting compilation problems; I tried to change the code and
> recompile, but was not successful.
>
> The file the errors report is "DebugCmds.cc". These are the errors I am
> getting:
>
> _______________________________________
>
> c++ -I. -O -Ilinux-include -c DebugCmds.cc
> DebugCmds.cc: In function `void lookup_global_symbols_regex(const class
> stoing &, class vector *,__default_alloc_template &, bool = false)':
> DebugCmds.cc:41: no matching function for call to `string::push_back (char)'
> DebugCmds.cc:42: no matching function for call to `string::push_back (char)'
> DebugCmds.cc:44: no matching function for call to `string::push_back (char)'
> make: *** [DebugCmds.o] Error 1
>
> __________________________________________
>
> What could possibly be the reason? Is there something that needs to be
> modified in the code? Can anybody help me out?
>
> Thanks,
> Mayank

From vern at icir.org Mon Sep 23 09:15:14 2002
From: vern at icir.org (Vern Paxson)
Date: Mon, 23 Sep 2002 09:15:14 -0700
Subject: Error during make
In-Reply-To: Your message of Mon, 23 Sep 2002 08:12:23 PDT.
Message-ID: <200209231615.g8NGFEAq045838@jaguar.icir.org>

> When I tried to compile the 0.8a1 version, there was also an error in
> the DNS_Mgr.cc file. The error is shown below:

Please try the appended patch and let me know if it works.

		Vern

--- CURRENT/bro-pub-0.8a1/DNS_Mgr.cc	Sat Sep 14 16:57:14 2002
+++ ./DNS_Mgr.cc	Mon Sep 23 09:12:20 2002
@@ -1,4 +1,4 @@
-// $Header: /home/ram/u0/vern/bro/RCS/DNS_Mgr.cc,v 1.27 2002/09/14 23:57:01 vern Exp $
+// $Header: /home/ram/u0/vern/bro/RCS/DNS_Mgr.cc,v 1.27 2002/09/14 23:57:01 vern Exp vern $
 //
 // Copyright (c) 1996-1999
 //	The Regents of the University of California.  All rights reserved.
@@ -658,7 +658,7 @@
 
 void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 	{
-	hostent* h = (r && r->h_errno == 0) ? r->hostent : 0;
+	struct hostent* h = (r && r->h_errno == 0) ? r->hostent : 0;
 
 	DNS_Mapping* new_dm;
 	DNS_Mapping* prev_dm;
@@ -758,13 +758,17 @@
 
 	for ( int i = 0; i < al1->Length(); ++i )
 		{
-		uint32 al1_i = al1->Index(i)->InternalUnsigned();
+		addr_type al1_i = al1->Index(i)->AsAddr();
 
 		int j;
 		for ( j = 0; j < al2->Length(); ++j )
 			{
-			uint32 al2_j = al2->Index(j)->InternalUnsigned();
+			addr_type al2_j = al2->Index(j)->AsAddr();
+#ifdef BROv6
+			if ( addr_eq(al1_i, al2_j) )
+#else
 			if ( al1_i == al2_j )
+#endif
 				break;
 			}
 
@@ -780,7 +784,7 @@
 	{
 	for ( int i = 0; i < al->Length(); ++i )
 		{
-		uint32 al_i = al->Index(i)->InternalUnsigned();
+		addr_type al_i = al->Index(i)->AsAddr();
 		fprintf(f, "%s%s", i > 0 ? "," : "", dotted_addr(al_i));
 		}
 	}

From vern at icir.org Mon Sep 23 23:05:29 2002
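Review bot: in the `@@ -658,7 +658,7 @@` hunk, adding `struct` does not address the reported failure. The error is "parse error before `*'" at line 661, and `hostent*` is already a valid type in C++; the `*` that appears unexpectedly on that line comes from `r->h_errno`, because glibc's <netdb.h> defines `h_errno` as the macro `(*__h_errno_location ())` (the thread later notes the same: a system header makes it a macro on Linux), so the member access expands to `r->(*__h_errno_location ())`. The field in `struct nb_dns_result` needs a name that is not a system macro; the `struct` keyword can stay but fixes nothing here.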
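Review bot: in the `@@ -758,13 +758,17 @@` hunk, the `#ifdef BROv6` / `#else` / `#endif` spliced into the middle of one `if` statement is hard to read and easy to break the next time the condition is edited. Provide `addr_eq()` for the non-v6 build as well (a one-line `==` wrapper around `addr_type`) so the call site is the same `if ( addr_eq(al1_i, al2_j) )` under both configurations; the same applies to any other comparison the `uint32` to `addr_type` change introduces.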
From: vern at icir.org (Vern Paxson)
Date: Mon, 23 Sep 2002 23:05:29 -0700
Subject: Error during make
In-Reply-To: Your message of Mon, 23 Sep 2002 12:31:11 +0530.
Message-ID: <200209240605.g8O65TAq058666@jaguar.icir.org>

> The file the errors report is "DebugCmds.cc"

Umesh Shankar (who wrote the Bro debugger) should be getting in touch with
you shortly about this.

		Vern

From wsffree at hotmail.com Thu Sep 26 00:43:39 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Thu, 26 Sep 2002 15:43:39 +0800
Subject: Error during make

The error is the same, and there are more errors.

> > When I tried to compile the 0.8a1 version, there was also an error in
> > the DNS_Mgr.cc file. The error is shown below:
>
> Please try the appended patch and let me know if it works.
>
> 		Vern
>
>--- CURRENT/bro-pub-0.8a1/DNS_Mgr.cc	Sat Sep 14 16:57:14 2002
>+++ ./DNS_Mgr.cc	Mon Sep 23 09:12:20 2002
>@@ -1,4 +1,4 @@
>-// $Header: /home/ram/u0/vern/bro/RCS/DNS_Mgr.cc,v 1.27 2002/09/14 23:57:01 vern Exp $
>+// $Header: /home/ram/u0/vern/bro/RCS/DNS_Mgr.cc,v 1.27 2002/09/14 23:57:01 vern Exp vern $
> //
> // Copyright (c) 1996-1999
> //	The Regents of the University of California.  All rights reserved.
>@@ -658,7 +658,7 @@
> 
> void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
> 	{
>-	hostent* h = (r && r->h_errno == 0) ? r->hostent : 0;
>+	struct hostent* h = (r && r->h_errno == 0) ? r->hostent : 0;
> 
> 	DNS_Mapping* new_dm;
> 	DNS_Mapping* prev_dm;
>@@ -758,13 +758,17 @@
> 
> 	for ( int i = 0; i < al1->Length(); ++i )
> 		{
>-		uint32 al1_i = al1->Index(i)->InternalUnsigned();
>+		addr_type al1_i = al1->Index(i)->AsAddr();
> 
> 		int j;
> 		for ( j = 0; j < al2->Length(); ++j )
> 			{
>-			uint32 al2_j = al2->Index(j)->InternalUnsigned();
>+			addr_type al2_j = al2->Index(j)->AsAddr();
>+#ifdef BROv6
>+			if ( addr_eq(al1_i, al2_j) )
>+#else
> 			if ( al1_i == al2_j )
>+#endif
> 				break;
> 			}
> 
>@@ -780,7 +784,7 @@
> 	{
> 	for ( int i = 0; i < al->Length(); ++i )
> 		{
>-		uint32 al_i = al->Index(i)->InternalUnsigned();
>+		addr_type al_i = al->Index(i)->AsAddr();
> 		fprintf(f, "%s%s", i > 0 ? "," : "", dotted_addr(al_i));
> 		}
> 	}

From sommer at in.tum.de Thu Sep 26 00:56:53 2002
From: sommer at in.tum.de (Robin Sommer)
Date: Thu, 26 Sep 2002 09:56:53 +0200
Subject: Error during make
Message-ID: <20020926075653.GF21316@in.tum.de>

On Thu, Sep 26, 2002 at 15:43 +0800, Wang Shaofu wrote:

> The error is the same, and there are more errors.

I guess that you're using Linux, right? Please try the attached
patch. But even if it helps, you may get more errors during linking
(which I haven't tried to solve yet).

Robin

--
Robin Sommer * Room 01.08.055 * TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

-------------- next part --------------
diff -uNr bro-pub-0.8a1/nb_dns.c bro-patched/nb_dns.c
--- bro-pub-0.8a1/nb_dns.c	Thu Jul 22 01:51:28 1999
+++ bro-patched/nb_dns.c	Mon Sep 23 18:01:02 2002
@@ -311,7 +311,7 @@
 	}
 	if (ns_initparse((u_char *)msg, msglen, &handle) < 0) {
 		sprintf(errstr, "ns_initparse(): %s", my_strerror(errno));
-		nr->h_errno = NO_RECOVERY;
+		nr->host_errno = NO_RECOVERY;
 		return (-1);
 	}
 
@@ -345,11 +345,11 @@
 
 	switch (ns_msg_getflag(handle, ns_f_rcode)) {
 	case ns_r_nxdomain:
-		nr->h_errno = HOST_NOT_FOUND;
+		nr->host_errno = HOST_NOT_FOUND;
 		return (1);
 
 	case ns_r_servfail:
-		nr->h_errno = TRY_AGAIN;
+		nr->host_errno = TRY_AGAIN;
 		return (1);
 
 	case ns_r_noerror:
@@ -359,7 +359,7 @@
 	case ns_r_notimpl:
 	case ns_r_refused:
 	default:
-		nr->h_errno = NO_RECOVERY;
+		nr->host_errno = NO_RECOVERY;
 		return (1);
 	}
 
@@ -382,7 +382,7 @@
 		/* Parse next record */
 		if (ns_parserr(&handle, ns_s_an, -1, &rr) < 0) {
 			if (errno != ENODEV) {
-				nr->h_errno = NO_RECOVERY;
+				nr->host_errno = NO_RECOVERY;
 				return (1);
 			}
 			/* All done */
@@ -400,7 +400,7 @@
 
 		case T_A:
 			if (rdlen != NS_INADDRSZ) {
-				nr->h_errno = NO_RECOVERY;
+				nr->host_errno = NO_RECOVERY;
 				return (1);
 			}
 
@@ -417,7 +417,7 @@
 			    (const u_char *)msg + msglen, rdata, bp, ep - bp);
 			if (n < 0) {
 				/* XXX return -1 here ??? */
-				nr->h_errno = NO_RECOVERY;
+				nr->host_errno = NO_RECOVERY;
 				return (1);
 			}
 			he->h_name = bp;
diff -uNr bro-pub-0.8a1/nb_dns.h bro-patched/nb_dns.h
--- bro-pub-0.8a1/nb_dns.h	Thu Jul 22 01:51:27 1999
+++ bro-patched/nb_dns.h	Mon Sep 23 18:00:44 2002
@@ -26,7 +26,7 @@
 /* Public data */
 struct nb_dns_result {
 	void *cookie;
-	int h_errno;
+	int host_errno;
 	struct hostent *hostent;
 };
 
--- bro-pub-0.8a1/DNS_Mgr.cc	Sun Sep 15 01:57:14 2002
+++ bro-patched/DNS_Mgr.cc	Mon Sep 23 18:22:09 2002
@@ -658,7 +658,7 @@
 
 void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 	{
-	hostent* h = (r && r->h_errno == 0) ? r->hostent : 0;
+	hostent* h = (r && r->host_errno == 0) ? r->hostent : 0;
 
 	DNS_Mapping* new_dm;
 	DNS_Mapping* prev_dm;

From wsffree at hotmail.com Thu Sep 26 06:10:43 2002
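Review bot: the nb_dns.h hunk renames a public field of `struct nb_dns_result`, but nothing in the patch records why. A one-line comment beside `int host_errno;` saying that `h_errno` is a macro in glibc's <netdb.h> (and so cannot be used as a member name on Linux) would stop a later cleanup from renaming it back, and a grep for any remaining `->h_errno` uses across the tree is worth doing before committing, since the patch only touches nb_dns.c and DNS_Mgr.cc and a missed use would still compile on platforms where `h_errno` is a plain identifier.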
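Review bot: the DNS_Mgr.cc hunk changes the same line 661 that Vern's earlier patch in this thread changes (his turns `hostent*` into `struct hostent*`), so applying one on top of the other will produce a reject. Base this hunk on the already-posted patch, i.e. emit `struct hostent* h = (r && r->host_errno == 0) ? r->hostent : 0;` so that both patches compose; the `struct` keyword is harmless once the macro collision is gone.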
From: wsffree at hotmail.com (Wang Shaofu)
Date: Thu, 26 Sep 2002 21:10:43 +0800
Subject: Error during make

> I guess that you're using Linux, right? Please try the attached

Right! I am using Linux. Could you tell me which system is the best to run Bro?

> patch. But even if it helps, you may get more errors during linking
> (which I haven't tried to solve yet).

Great, it almost works! Why? Just by changing h_errno to host_errno?

But now there is a new error like:

    nb_dns.o: In function '_nb_dns_mkquery':
    */bro/nb_dns.c:203: undefined reference to '__res_mkquery'
    ...

<< attach5 >>

How do I open the attach5?

From sommer at in.tum.de Thu Sep 26 08:30:20 2002
From: sommer at in.tum.de (Robin Sommer)
Date: Thu, 26 Sep 2002 17:30:20 +0200
Subject: Error during make
Message-ID: <20020926153020.GB25536@in.tum.de>

On Thu, Sep 26, 2002 at 21:10 +0800, Wang Shaofu wrote:

> Right! I am using Linux. Could you tell me which system is the best to run
> Bro?

I don't know which is the best. Operationally, we're running it on
FreeBSD here, but I am doing some developing on Linux as well. I
would guess that there isn't a big difference between the two, but
I've never compared them. If anyone has some experiences in this
respect, I would really like to hear them. (In the near future, I
will probably give Solaris a try, too.)

> Great, it almost works! Why? Just by changing h_errno to host_errno?

Some system header file defines h_errno as a macro on Linux.

> nb_dns.o: In function '_nb_dns_mkquery':
> */bro/nb_dns.c:203: undefined reference to '__res_mkquery'

Right, those are the linker errors I mentioned. No solution for them
yet, but I will try to fix them, too.

> How do I open the attach5?

That's a PGP signature.

Robin

--
Robin Sommer * Room 01.08.055 * TU Munich * Phone (089) 289-18006 * sommer at in.tum.de

From vanepp at sfu.ca Thu Sep 26 08:47:18 2002
From: vanepp at sfu.ca (Peter Van Epp)
Date: Thu, 26 Sep 2002 08:47:18 -0700 (PDT)
Subject: Error during make
In-Reply-To: <20020926153020.GB25536@in.tum.de> from "Robin Sommer" at Sep 26, 2002 05:30:20 PM
Message-ID: <200209261547.IAA29839@fraser.sfu.ca>

> On Thu, Sep 26, 2002 at 21:10 +0800, Wang Shaofu wrote:
>
> > Right! I am using Linux. Could you tell me which system is the best to run
> > Bro?
>
> I don't know which is the best. Operationally, we're running it on
> FreeBSD here, but I am doing some developing on Linux as well. I
> would guess that there isn't a big difference between the two, but
> I've never compared them. If anyone has some experiences in this
> respect, I would really like to hear them.

I have been poking at this very question in relation to running argus on
Gig links. The fastest Argus installation I'm aware of (~400 megs per
second) is running Linux RedHat 7.3 (as am I about to start doing). I have
been running FreeBSD for many years; however, as part of Gig testing I have
a pair of test bed machines with dual 1.6 Gig Athlon CPUs and SysKonnect
Gig cards (two in each of two boxes). The boxes dual boot FreeBSD
4.6-RELEASE and RedHat 7.3. FreeBSD doesn't appear to be able to support
dual Athlons (one box works fine, the other crashes, it is believed due to
an Athlon bug that Linux has a fix for and FreeBSD doesn't). Running
FreeBSD single CPU, netperf looks to take about 50% of one CPU. On Linux
netperf looks to take close to 100% of one CPU (leaving me all of the
other for processing however). The main problem I have found (and which I
believe is showing up as spotty throughput by packet size in netperf) is
that FreeBSD loses packets (around 1000 in 10 million) on a spray ping on
a crossover cable between boxes. RedHat doesn't (loss is both 0% and
packets received = packets sent). That would appear to indicate a problem
in either interrupt processing or the SysKonnect drivers on FreeBSD. The
more efficient CPU would of course favor FreeBSD if the problems could be
resolved. Of course other configurations may vary :-)

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

From wsffree at hotmail.com Sat Sep 28 20:38:16 2002
From: wsffree at hotmail.com (Wang Shaofu)
Date: Sun, 29 Sep 2002 11:38:16 +0800
Subject: about class Dictionary

Hi All,

As you know, Snort works on packet data, while Bro works on connection data. I want to know how to use Bro to save all the connections to a disk file. Could you help me?

Best regards!

From vern at icir.org Sat Sep 28 20:42:21 2002
From: vern at icir.org (Vern Paxson)
Date: Sat, 28 Sep 2002 20:42:21 -0700
Subject: about class Dictionary
In-Reply-To: Your message of Sun, 29 Sep 2002 11:38:16 +0800.
Message-ID: <200209290342.g8T3gLAq039483@jaguar.icir.org>

> As you know, Snort works on packet data, while Bro works on connection
> data.

Bro also has a signature engine that can read Snort rules, per the CHANGES
file.

> I want to know how to use Bro to save all the connections to a disk file.

I don't quite know what you mean. Bro writes connection summaries to
stdout if you load tcp.bro (or the usual load of mt.bro). It also can
write a tcpdump packet trace file if you specify -w file.

		Vern