Bro signatures parse error?

wangliejun wangliejun at nsfocus.com
Tue Sep 16 07:14:29 PDT 2003


On Tue, 16 Sep 2003 01:30:36 +0200
Robin Sommer <robin at icir.org> wrote:
 
> Some of the keywords have been renamed in newer versions, and I
> forgot to adapt the examples. The attached patch should fix
> the problems (note that for sig.ex.ssl-worm.bro you need to load
> policy/ssl-worm.bro, too).
> 
Thanks for your great help! Patched signatures can now be handled
correctly. There is still a minor problem: when I launch Bro with the -S
option, Bro core dumps. It seems to be a problem in the code that prints
debug information.

[root@ /usr/local/sbin]> ./bro -s sig.ex.web-rules.bro -S -i lnc0 mt
    .
    .
    .
   snip
    .
    .
    .
Rule sid-1665 (638)
        HTTP     |.*[\/\\][mM][kK][iI][lL][oO][gG]\.[eE][xX][eE]| (719)
        RuleHdrTest ip[9:1] == 0x00000006/0xffffffff
        RuleHdrTest ip[12:4] != 0x80030000/0xffff0000 0x83f30000/0xffff0000
        RuleHdrTest ip[16:4] == 0x80030000/0xffff0000 0x83f30000/0xffff0000
        RuleHdrTest tcp[2:2] == 0x00000050/0xffffffff
        RuleConditionTCPState: 0x3
        RuleActionEvent: |WEB-MISC mkilog.exe access|


---------------
[0 Payload patterns]
[0 HTTP patterns]
[0 FTP patterns]
Segmentation fault (core dumped)
[root@ /usr/local/sbin]> gdb -c bro.core -s bro
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
#0  0x282aa022 in ?? ()
(gdb) bt
#0  0x282aa022 in ?? ()
#1  0x282a8e1d in ?? ()
#2  0x282a915a in ?? ()
#3  0x282a8d59 in ?? ()
#4  0x80e6999 in RuleMatcher::PrintTreeDebug ()
#5  0x80e693e in RuleMatcher::PrintDebug ()
#6  0x804c6df in main ()
#7  0x804b211 in _start ()
(gdb)

ssl-worm.bro also needs a little modification to work; attached is the
patch for the 0.8a34 package.

-- 
Wang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-worm.bro.diff
Type: application/octet-stream
Size: 737 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030916/0e8779e3/attachment.obj 
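As an added illustration (not code from this message or from Bro itself), the following Python evaluates the RuleHdrTest lines printed for sid-1665 in the debug dump above against constructed IPv4/TCP headers, showing what the offset/size, value/mask and == / != notation selects. It assumes that a list of value/mask pairs means "equal to any of them" for == and "equal to none of them" for !=.

```python
import re
import struct

# Constructed sample: the RuleHdrTest lines as Bro's -S dump printed them for sid-1665.
SID_1665_HDR_TESTS = [
    "RuleHdrTest ip[9:1] == 0x00000006/0xffffffff",
    "RuleHdrTest ip[12:4] != 0x80030000/0xffff0000 0x83f30000/0xffff0000",
    "RuleHdrTest ip[16:4] == 0x80030000/0xffff0000 0x83f30000/0xffff0000",
    "RuleHdrTest tcp[2:2] == 0x00000050/0xffffffff",
]

_LINE = re.compile(r"RuleHdrTest\s+(ip|tcp)\[(\d+):(\d+)\]\s+(==|!=)\s+(.+)")

def parse_hdr_test(line):
    """Return (proto, offset, size, op, [(value, mask), ...]) for one dump line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a RuleHdrTest line: %r" % line)
    proto, off, size, op, rest = m.groups()
    vals = [(int(v, 16), int(mask, 16)) for v, mask in (t.split("/") for t in rest.split())]
    return proto, int(off), int(size), op, vals

def hdr_test_matches(test, ip_hdr, tcp_hdr):
    """Apply one parsed test to raw header bytes (big-endian field extraction)."""
    proto, off, size, op, vals = test
    hdr = ip_hdr if proto == "ip" else tcp_hdr
    raw = int.from_bytes(hdr[off:off + size], "big")
    # Assumption: a value list means "equal to any" for == and "equal to none" for !=.
    hit = any((raw & mask) == (v & mask) for v, mask in vals)
    return hit if op == "==" else not hit

def rule_matches(lines, ip_hdr, tcp_hdr):
    """A rule's header tests are ANDed; all must hold for the packet to match."""
    return all(hdr_test_matches(parse_hdr_test(line), ip_hdr, tcp_hdr) for line in lines)

def ipv4_tcp_headers(src, dst, sport, dport):
    """Build minimal 20-byte IPv4 and TCP headers (constructed; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip, tcp

def sid_1665_matches(src, dst, sport, dport):
    """True when a TCP packet src->dst:dport passes every sid-1665 header test."""
    ip, tcp = ipv4_tcp_headers(src, dst, sport, dport)
    return rule_matches(SID_1665_HDR_TESTS, ip, tcp)

if __name__ == "__main__":
    # External host to a 128.3/16 web server on port 80: header tests pass.
    print(sid_1665_matches("10.0.0.5", "128.3.1.2", 40000, 80))
```

Read together, the four tests restrict the signature to TCP traffic (ip[9:1] == 6) bound for port 80 (tcp[2:2]) whose destination is in 128.3/16 or 131.243/16 and whose source is outside both, so only the payload pattern is left to check on such packets.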

