From wsffree at hotmail.com Sun Jun 1 06:07:23 2003 From: wsffree at hotmail.com (Wang Shaofu) Date: Sun, 01 Jun 2003 21:07:23 +0800 Subject: Reporting time Message-ID: Dear Prof. I have one more question: when Bro detected a Stepping Stone , it show us a time. Is the time when Bro see a packet belong to the Chain??? (for example, Bro see a packet at time A, and find ~~~~ a new chain which the packet belong to. So Bro report the chain, and the time when it find the ~~~~~~~here, the time is A? chain.) _________________________________________________________________ ??????????????? MSN Hotmail? http://www.hotmail.com From vern at icir.org Mon Jun 2 23:39:52 2003 From: vern at icir.org (Vern Paxson) Date: Mon, 02 Jun 2003 23:39:52 -0700 Subject: about NLANR In-Reply-To: Your message of Mon, 26 May 2003 19:14:32 +0800. Message-ID: <200306030639.h536dqer057068@jaguar.icir.org> > I used the trace file from NLANR to test Bro. But Bro does nothing but > report > bad checksum. That's because those traces don't have any packet contents. > What should I do , to make trace file available to Bro? You should first consider whether it will be useful to analyze them with Bro, given a lack of contents. If so, then "redef ignore_checksums = T" will turn off the checksum tests. Vern From vern at icir.org Wed Jun 4 23:29:32 2003 From: vern at icir.org (Vern Paxson) Date: Wed, 04 Jun 2003 23:29:32 -0700 Subject: Segmentation fault, Bro and a Debian In-Reply-To: Your message of 29 Apr 2003 17:48:43 +0200. Message-ID: <200306050629.h556TW20051385@jaguar.icir.org> Sorry for the very long delay in replying to your message. I've been really underwater :-(, but now am surfacing. > I try to use bro under Debian un-stable (today upgrade) and after some > light modification, I was able to compile bro. But after that, I 've a > segmentation fault... I am working on getting a new Bro "current" release out the door soon. It will include a number of portability fixes. > 3- I replace '#include ' by '#include ' because, > hash_map wasn't founded. This work fine but added a warning like that: (The fix for this was to remove use of hash_map's completely.) > I just change "if ( prefix.compare(curr_name, 0, arglen ) )" by "if ( > prefix.compare(arglen, 0, curr_name ) )" FYI, this has been changed to: if ( strncmp(curr_name, prefix.c_str(), arglen) ) > 6- A classical link problem with bro compilation under Linux, solve by > replacing: "-lresolv" by "/usr/lib/resolv.a" in the Makefile. This one may remain - I'm not enough of an autoconf whiz to untangle these sorts of headache. > After that, the compilation go to the end but, when I compile bro with > the -g flag and run gdb, I could see that: Once I get the "current" release out the door (and *do* bug me about it if I let it lapse, sigh), please let me know if this remains. Vern From vern at icir.org Wed Jun 4 23:33:17 2003 From: vern at icir.org (Vern Paxson) Date: Wed, 04 Jun 2003 23:33:17 -0700 Subject: Reporting time In-Reply-To: Your message of Sun, 01 Jun 2003 21:07:23 +0800. Message-ID: <200306050633.h556XH20051428@jaguar.icir.org> > I have one more question: when Bro detected a Stepping Stone , it show us a > time. Is the time > when Bro see a packet belong to the Chain? It's the time when Bro's algorithm has determined that a stepping stone exists. You could follow the logic in stepping.bro regarding when it generates this output in order to determine this. Vern From sylvain at detilly.net Thu Jun 5 02:05:52 2003 From: sylvain at detilly.net (Sylvain de Tilly) Date: 05 Jun 2003 11:05:52 +0200 Subject: Bro as a prelude-sensor Message-ID: <87isrknbbj.fsf@mag-laptop.cfssi.net> Hello, I update the Manux patch which enable bro to be a prelude sensor (previous patch was here : http://manux.rstack.org/prelude_bro/). Alerts are not as well integrate as prelude-nids but it could be in next future a very interesting sensor for prelude. You could download it here : http://www.detilly.net/ids/download, it's the "bro-0.8a20-prelude-sensor.patch" file. Don't hesitate to read the readme.txt file before using the patch. Any critics are welcome. Regards, -- Sylvain de Tilly "Mettons nous tout GNU !" un GNUdiste. From wsffree at hotmail.com Thu Jun 5 03:13:59 2003 From: wsffree at hotmail.com (Wang Shaofu) Date: Thu, 05 Jun 2003 18:13:59 +0800 Subject: Reporting time Message-ID: > > I have one more question: when Bro detected a Stepping Stone , it show us a > > time. Is the time > > when Bro see a packet belong to the Chain? > >It's the time when Bro's algorithm has determined that a stepping stone exists. >You could follow the logic in stepping.bro regarding when it generates this >output in order to determine this. stepping.bro use the function of networktime() to report the time. And networktime() is the time , when see the packet! It is different to the currenttime(). Have a nice day! -- cloud _________________________________________________________________ ?????????????? MSN Messenger: http://messenger.msn.com/cn From wsffree at hotmail.com Thu Jun 5 03:19:57 2003 From: wsffree at hotmail.com (Wang Shaofu) Date: Thu, 05 Jun 2003 18:19:57 +0800 Subject: about NLANR Message-ID: > > I used the trace file from NLANR to test Bro. But Bro does nothing but > > report > > bad checksum. > >That's because those traces don't have any packet contents. But the checksum function seems do not check the checksum of contents, just the packet head. > > > What should I do , to make trace file available to Bro? > >You should first consider whether it will be useful to analyze them with >Bro, given a lack of contents. I see the stepping.bro is using the ON/OFF algorithm, when report "time". I have a novel way to detect connection pair! And I want to compare my algorithm with the ON/OFF. :) > >If so, then "redef ignore_checksums = T" will turn off the checksum tests. Have nice day! -- cloud _________________________________________________________________ ?????????????? MSN Messenger: http://messenger.msn.com/cn From dmoore at caida.org Thu Jun 5 09:18:08 2003 From: dmoore at caida.org (David Moore) Date: Thu, 5 Jun 2003 09:18:08 -0700 Subject: about NLANR In-Reply-To: References: Message-ID: <20030605091808.Z83289@login.caida.org> On Thu, Jun 05, 2003 at 06:19:57PM +0800, Wang Shaofu wrote: > > >> I used the trace file from NLANR to test Bro. But Bro does nothing > but > >> report > >> bad checksum. > > > >That's because those traces don't have any packet contents. > > But the checksum function seems do not check the checksum of contents, > just the packet head. the nlanr traces anonymize the ip addresses but do not update the ip header checksum to reflect that change, so the checksum check will fail in general. -- david moore From hakim at cs.cmu.edu Tue Jun 10 12:13:03 2003 From: hakim at cs.cmu.edu (Hyang-Ah Kim) Date: Tue, 10 Jun 2003 15:13:03 -0400 (EDT) Subject: Bro compile problem Message-ID: Hello, I encountered a problem while compiling bro(v0.8a20) on Linux machine. I wonder if anyone had the same problem before. I have libpcap, flex, byacc, and bison installed. Here is the error msg. --------------------------------------------------- g++ -o bif_parse.o -c bif_parse.cc builtin-func.y:60: 'vector' is used as a type, but is not defined as a type. builtin-func.y: In function `int yyparse()': builtin-func.y:148: `args' undeclared (first use this function) builtin-func.y:148: (Each undeclared identifier is reported only once for each function it appears in.) make: *** [bif_parse.o] Error 1 ----------------------------------------------------- Well, is there the archive for this mailing list? If so, I may search the archive before throwing a question to the mailing list. Thank you. - Hyang-Ah ** WAR IS NOT AN ANSWER. GIVE PEACE A CHANCE. ** From vern at icir.org Sat Jun 14 23:50:28 2003 From: vern at icir.org (Vern Paxson) Date: Sat, 14 Jun 2003 23:50:28 -0700 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> > I encountered a problem while compiling bro(v0.8a20) on Linux machine. As just announced on the bro-devel at lbl.gov list, there's now a new "CURRENT" release, 0.8a32, available from ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8-current.tar.gz Please give it a try and see whether it fixes the portability problems you encountered - it should build better under Linux now. > Well, is there the archive for this mailing list? Yes - "get bro archive" via majordomo at lbl.gov retrieves the archive, though unfortunately it is only available as a single humongous file :-(. Vern From lxg0601 at xanet.edu.cn Sun Jun 15 00:14:08 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 15:14:08 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 577 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 00:46:40 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 15:46:40 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 581 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0001.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 01:29:59 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 16:29:59 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 585 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0002.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 02:17:09 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 17:17:09 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 589 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0003.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 02:47:06 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 17:47:06 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 593 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0004.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 03:47:09 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 18:47:09 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 597 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0005.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 04:47:07 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 19:47:07 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 601 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0006.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 05:47:07 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 20:47:07 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 605 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0007.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 06:47:42 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 21:47:42 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 609 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0008.ksh From lxg0601 at xanet.edu.cn Sun Jun 15 08:48:02 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Sun, 15 Jun 2003 23:48:02 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 613 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030615/2846cccf/attachment-0009.ksh From vern at icir.org Sun Jun 15 09:28:39 2003 From: vern at icir.org (Vern Paxson) Date: Sun, 15 Jun 2003 09:28:39 -0700 Subject: mail loop in bro@lbl.gov Message-ID: <200306151628.h5FGSdWT043594@jaguar.icir.org> This was caused by a subscriber who apparently auto-forwarded posts back to the list. I've removed them, so that should fix the problem. Sorry about the clutter! Vern From lxg0601 at xanet.edu.cn Sun Jun 15 09:48:18 2003 From: lxg0601 at xanet.edu.cn (隸苤試) Date: Mon, 16 Jun 2003 00:48:18 +0800 Subject: Bro compile problem In-Reply-To: Your message of Tue, 10 Jun 2003 15:13:03 EDT. Message-ID: <200306150650.h5F6oSWT031748@jaguar.icir.org> A non-text attachment was scrubbed... Name: not available Type: Size: 617 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030616/2846cccf/attachment.ksh From anton at netForensics.com Mon Jun 16 14:48:14 2003 From: anton at netForensics.com (Anton Chuvakin, Ph.D.) Date: Mon, 16 Jun 2003 17:48:14 -0400 (EDT) Subject: NEW Bro compile problems In-Reply-To: <200306150650.h5F6oSWT031748@jaguar.icir.org> References: <200306150650.h5F6oSWT031748@jaguar.icir.org> Message-ID: All, Here is what I got: Linux bastion 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown and then ./configure make g++ -I. -Ilibedit -O -Ilinux-include -o bifcl bif_lex.o bif_parse.o bif_arg.o ./bifcl event.bif ./bifcl const.bif g++ -I. -Ilibedit -O -Ilinux-include -c main.cc In file included from Net.h:27, from main.cc:37: PktSrc.h:26:18: pcap.h: No such file or directory make: *** [main.o] Error 1 I "fix" it by adding 'INCLS = -Ilinux-include -I/usr/include/pcap' Then it goes: g++ -I. -Ilibedit -O -Ilinux-include -I/usr/include/pcap -c util.cc util.cc: In function `void init_random_seed ()': util.cc:395: `uint32_t' undeclared (first use this function) util.cc:395: (Each undeclared identifier is reported only once for each function it appears in.) util.cc:395: parse error before `[' util.cc:399: `buf' undeclared (first use this function) util.cc:427: parse error before `=' util.cc:430: `result' undeclared (first use this function) make: *** [util.o] Error 1 Any ideas? The whole issue seems to me due to my missing something obvious, but then again its Monday 5:49PM :-) Best, -- Anton Chuvakin, Ph.D., GCIA, GCIH Senior Security Analyst netForensics - http://www.netForensics.com 732-393-6071 From vern at icir.org Mon Jun 16 15:45:30 2003 From: vern at icir.org (Vern Paxson) Date: Mon, 16 Jun 2003 15:45:30 -0700 Subject: NEW Bro compile problems In-Reply-To: Your message of Mon, 16 Jun 2003 17:48:14 EDT. Message-ID: <200306162245.h5GMjUWT040998@jaguar.icir.org> > PktSrc.h:26:18: pcap.h: No such file or directory > make: *** [main.o] Error 1 > > I "fix" it by adding 'INCLS = -Ilinux-include -I/usr/include/pcap' One of the recent additions was to change #include "pcap.h" in PktSrc.h to #include I imagine this is the problem. I'm not quite sure what's the "right" solution here, but maybe we should just go back to using "pcap.h". That's what I've tentatively done. > util.cc: In function `void init_random_seed ()': > util.cc:395: `uint32_t' undeclared (first use this function) I've changed this to uint32 (and also for the declaration of "result" a little later in the function. That should do the trick. Vern From anton at netForensics.com Wed Jun 25 12:28:55 2003 From: anton at netForensics.com (Anton Chuvakin, Ph.D.) Date: Wed, 25 Jun 2003 15:28:55 -0400 (EDT) Subject: more syslog? In-Reply-To: <200306162245.h5GMjUWT040998@jaguar.icir.org> References: <200306162245.h5GMjUWT040998@jaguar.icir.org> Message-ID: All, While I am enjoying running my new bro-0.8_32, I find that some of the stuff gets reported to syslog (such as ContentGap and some FTP attacks), while the rest is getting piled to multiple files (ftp.log, http.log, etc). I looked at the manual and the *.bro file and it looks like its hard-coded with ALERT statements. Is there any way to globally redirect everything to syslog? Best, -- Anton Chuvakin, Ph.D., GCIA, GCIH Senior Security Analyst netForensics - http://www.netForensics.com 732-393-6071 From sylvain at detilly.net Thu Jun 26 05:09:14 2003 From: sylvain at detilly.net (Sylvain de Tilly) Date: Thu, 26 Jun 2003 14:09:14 +0200 Subject: A patch for Bro in OpenBSD Message-ID: <878yrpm45x.fsf@mag-laptop.cfssi.net> Hi, I wrote a patch that enable Bro to compile on a OpenBSD system. This patch is downloadable here : http://www.detilly.net/ids/download/bro-0.8a32-OpenBSD.patch See the README.OpenBSD which is given in the patch. You should use the bind library too due to the libc resolv functions which are not as complete as FreeBSD one. If you don't want to install all bind9 sources, I just separate the interesting part here : http://www.detilly.net/ids/download/bind.tgz Regards, -- Sylvain de Tilly "Mettons nous tout GNU !" un GNUdiste. From sylvain at detilly.net Thu Jun 26 06:22:20 2003 From: sylvain at detilly.net (Sylvain de Tilly) Date: Thu, 26 Jun 2003 15:22:20 +0200 Subject: A patch for Bro in OpenBSD In-Reply-To: <878yrpm45x.fsf@mag-laptop.cfssi.net> (Sylvain de Tilly's message of "Thu, 26 Jun 2003 14:09:14 +0200") References: <878yrpm45x.fsf@mag-laptop.cfssi.net> Message-ID: <87znk5km7n.fsf@mag-laptop.cfssi.net> I juste forget to say that I've got warning during compilation : | main.o: In function `main': | main.o(.text+0x17a9): warning: sprintf() is often misused, please use snprintf() I don't solve it (don't search it) I've got warning during execution too : | ./bro: ./bro : WARNING: symbol(__p_class_syms) size mismatch relink your program | ./bro: ./bro : WARNING: symbol(__p_type_syms) size mismatch relink your program Like others warning, don't solve it. I don't try to use Bro a lot with these warnings... But all must work well. Sylvain de Tilly a dit: > Hi, > > I wrote a patch that enable Bro to compile on a OpenBSD system. This > patch is downloadable here : > > http://www.detilly.net/ids/download/bro-0.8a32-OpenBSD.patch > > See the README.OpenBSD which is given in the patch. > > You should use the bind library too due to the libc resolv functions > which are not as complete as FreeBSD one. If you don't want to install > all bind9 sources, I just separate the interesting part here : > > http://www.detilly.net/ids/download/bind.tgz > > > Regards, > > -- > Sylvain de Tilly > > "Mettons nous tout GNU !" > un GNUdiste. > -- Sylvain de Tilly "Mettons nous tout GNU !" un GNUdiste. From crd at cert.org Thu Jun 26 07:17:22 2003 From: crd at cert.org (Chad Dougherty) Date: Thu, 26 Jun 2003 14:17:22 +0000 Subject: A patch for Bro in OpenBSD In-Reply-To: <878yrpm45x.fsf@mag-laptop.cfssi.net> References: <878yrpm45x.fsf@mag-laptop.cfssi.net> Message-ID: <232184984.1056637042@[10.10.10.60]> --On Thursday, June 26, 2003 14:09 +0200 Sylvain de Tilly wrote: [...] > > You should use the bind library too due to the libc resolv functions > which are not as complete as FreeBSD one. If you don't want to install > all bind9 sources, I just separate the interesting part here : > I found it easier just to install libbind from the ports collection; /usr/ports/net/libbind/ -Chad From sylvain at detilly.net Fri Jun 27 04:23:43 2003 From: sylvain at detilly.net (Sylvain de Tilly) Date: Fri, 27 Jun 2003 13:23:43 +0200 Subject: A patch for Bro in OpenBSD In-Reply-To: <232184984.1056637042@[10.10.10.60]> (Chad Dougherty's message of "Thu, 26 Jun 2003 14:17:22 +0000") References: <878yrpm45x.fsf@mag-laptop.cfssi.net> <232184984.1056637042@[10.10.10.60]> Message-ID: <87u1abwyps.fsf@mag-laptop.cfssi.net> Hi Chad, Thanks for your information, I didn't know the existence of this library and it's sound like perfect for the problems. So I try to use it but at the final linking stage of the compilation, I've got this error message : | main.o: In function `main': | main.o(.text+0x17a9): warning: sprintf() is often misused, please use snprintf() | nb_dns.o: In function `nb_dns_init': | nb_dns.o(.text+0x80): undefined reference to `__res_state' | nb_dns.o(.text+0xf1): undefined reference to `__res_state' | collect2: ld returned 1 exit status When I do an objdump -t to the libbind.so.1 or to libbind.a, I can't see any __res_state symbols. If I do the same with the libbind found in the official bind9, I find this symbol. My libbind is the 9.2.2rc2 from OpenBSD snapshot (less than 1 week). So I'll keep the patch like that for the moment. If anybody have an idea.... Regards, Chad Dougherty a dit: > --On Thursday, June 26, 2003 14:09 +0200 Sylvain de Tilly > wrote: > [...] >> >> You should use the bind library too due to the libc resolv functions >> which are not as complete as FreeBSD one. If you don't want to install >> all bind9 sources, I just separate the interesting part here : >> > > I found it easier just to install libbind from the ports collection; > /usr/ports/net/libbind/ > > -Chad > > -- Sylvain de Tilly "Mettons nous tout GNU !" un GNUdiste. From crd at cert.org Fri Jun 27 07:48:46 2003 From: crd at cert.org (Chad Dougherty) Date: Fri, 27 Jun 2003 14:48:46 +0000 Subject: A patch for Bro in OpenBSD In-Reply-To: <87u1abwyps.fsf@mag-laptop.cfssi.net> References: <878yrpm45x.fsf@mag-laptop.cfssi.net> <232184984.1056637042@[10.10.10.60]> <87u1abwyps.fsf@mag-laptop.cfssi.net> Message-ID: <320460527.1056725326@[10.10.10.60]> --On Friday, June 27, 2003 13:23 +0200 Sylvain de Tilly wrote: > > Hi Chad, > > Thanks for your information, I didn't know the existence of this > library and it's sound like perfect for the problems. So I try to use > it but at the final linking stage of the compilation, I've got this > error message : > >| main.o: In function `main': >| main.o(.text+0x17a9): warning: sprintf() is often misused, please use >| snprintf() nb_dns.o: In function `nb_dns_init': >| nb_dns.o(.text+0x80): undefined reference to `__res_state' >| nb_dns.o(.text+0xf1): undefined reference to `__res_state' >| collect2: ld returned 1 exit status > > When I do an objdump -t to the libbind.so.1 or to libbind.a, I can't > see any __res_state symbols. If I do the same with the libbind found > in the official bind9, I find this symbol. My libbind is the 9.2.2rc2 > from OpenBSD snapshot (less than 1 week). > > So I'll keep the patch like that for the moment. If anybody have an > idea.... > Hrm. That's odd. What version of OpenBSD are you using? I'm using the 3.3-stable branch (both core OS and ports) and didn't have this problem. The libbind in the -stable ports branch is 9.2.2rc1. -Chad