From richard_bejtlich at yahoo.com Mon Jan 12 16:06:18 2004
From: richard_bejtlich at yahoo.com (Richard Bejtlich)
Date: Mon, 12 Jan 2004 16:06:18 -0800 (PST)
Subject: Want to contribute to a book?
Message-ID: <20040113000618.32360.qmail@web60810.mail.yahoo.com>

Hello,

I'm under contract with Addison-Wesley to write a book on network security monitoring, and I've written over 400 pages so far. I would like to include instructions on setting up Bro on FreeBSD, and general best practices for this tool.

Would anyone be interested in contributing? I'll give full credit in the text and acknowledgements.

I also plan to mention Snort and Prelude in the same chapter. The focus is open source, so I avoid commercial products.

This is not "another Snort book." I'm covering dozens of tools to address many facets of network security monitoring. Traditional "IDS" is only one chapter, but I'd like to do justice to Bro.

I would need the material in the next two weeks to make my deadlines.

Thank you,

Richard Bejtlich
http://www.taosecurity.com


From christian at whoop.org Tue Jan 13 04:49:12 2004
From: christian at whoop.org (Christian Kreibich)
Date: 13 Jan 2004 12:49:12 +0000
Subject: Want to contribute to a book?
In-Reply-To: <20040113000618.32360.qmail@web60810.mail.yahoo.com>
References: <20040113000618.32360.qmail@web60810.mail.yahoo.com>
Message-ID: <1073998152.30392.30.camel@ghouls.cl.cam.ac.uk>

On Tue, 2004-01-13 at 00:06, Richard Bejtlich wrote:
> Hello,
>
> I'm under contract with Addison-Wesley to write a book
> on network security monitoring, and I've written over
> 400 pages so far. I would like to include
> instructions on setting up Bro on FreeBSD, and general
> best practices for this tool.
>
> Would anyone be interested in contributing? I'll give
> full credit in the text and acknowledgements.
>
> I also plan to mention Snort and Prelude in the same
> chapter. The focus is open source, so I avoid
> commercial products.

Hi Richard,

just make sure you mention them alphabetically ;)

Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org


From sunmu at netpower.com.cn Fri Jan 16 22:56:34 2004
From: sunmu at netpower.com.cn (=?gb2312?B?y+/EwQ==?=)
Date: Sat, 17 Jan 2004 14:56:34 +0800
Subject: a question about RE
Message-ID: <003801c3dcc7$0b54df20$ab00a8c0@sunmu>

Hello everyone,

I have a question about a regular-expression line in the "scan.l" file. It is:

ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))

I can't understand what "[[:xdigit:]]" means. Would you give me an explanation?

Thanks & Regards!

herdsman sun
Netpower Inc. in Beijing


From vern at icir.org Sat Jan 17 07:43:12 2004
From: vern at icir.org (Vern Paxson)
Date: Sat, 17 Jan 2004 07:43:12 -0800
Subject: a question about RE
In-Reply-To: Your message of Sat, 17 Jan 2004 14:56:34 +0800.
Message-ID: <200401171543.i0HFhCY7017291@jaguar.icir.org>

> ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
>
> I can't understand what "[[:xdigit:]]" means?
> Would you give me an explanation?

[[:xdigit:]] is one of the magic character classes that POSIX standardized. It expands to any hex digit, i.e., [0-9a-fA-F]. More precisely, it expands to any character matched by <ctype.h>'s isxdigit(). The full set of such expansions are:

[:alnum:]
[:alpha:]
[:blank:]
[:cntrl:]
[:digit:]
[:graph:]
[:lower:]
[:print:]
[:punct:]
[:space:]
[:upper:]
[:xdigit:]

- Vern


From yuen.silvia at lab.ntt.co.jp Wed Jan 28 18:34:23 2004
From: yuen.silvia at lab.ntt.co.jp (Silvia Yuen)
Date: Thu, 29 Jan 2004 11:34:23 +0900 (JST)
Subject: helper utilities - cf and hf
Message-ID: <20040129.113423.607959522.slyuen@lab.ntt.co.jp>

Hello,

I would like to convert the timestamp of the output trace to human-readable format. Bro's manual describes a cf tool that can do this job.
However, I could not find this utility. May I know where I can find this utility and how to use it? Thank you.

Regards,
Silvia


From mtdedlow at lbl.gov Wed Jan 28 19:00:27 2004
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Wed, 28 Jan 2004 19:00:27 -0800
Subject: helper utilities - cf and hf
In-Reply-To: <20040129.113423.607959522.slyuen@lab.ntt.co.jp>
References: <20040129.113423.607959522.slyuen@lab.ntt.co.jp>
Message-ID: <4018774B.8030506@lbl.gov>

> I would like to convert the timestamp of the
> output trace to human-readable format. Bro's manual describes a cf tool
> that can do this job. However, I could not find this utility. May I know
> where can I find this utility and how to use it? Thank you.

ftp://ftp.ee.lbl.gov/cf.tar.gz

There's no man page, but it'll tell you:

% /usr/local/bin/cf -h
cf version 1.1
usage: cf [-f fmt] [-lsu] [file ...]

I just happen to know that "-f fmt" is a timestamp format, e.g.:

% echo 987987987 | /usr/local/bin/cf
Apr 22 18:06:27

% echo 987987987 | /usr/local/bin/cf -f '%c'
Sun Apr 22 18:06:27 2001

% echo 987987987 | /usr/local/bin/cf -f '%Y-%m-%d %H:%M:%S'
2001-04-22 18:06:27

etc...


From vern at icir.org Wed Jan 28 20:51:16 2004
From: vern at icir.org (Vern Paxson)
Date: Wed, 28 Jan 2004 20:51:16 -0800
Subject: helper utilities - cf and hf
In-Reply-To: Your message of Wed, 28 Jan 2004 19:00:27 PST.
Message-ID: <200401290451.i0T4pGY7080856@jaguar.icir.org>

> ftp://ftp.ee.lbl.gov/cf.tar.gz
>
> There's no man page, but it'll tell you:

Actually, there is a man page, cf.1, which can be formatted using nroff -man as usual for Unix man pages. This version of cf is newer than the one in aux/cf/ of the Bro distribution (as you well know, since you are the one who contributed the additions!), but will be included in the next Bro release as aux/cf-1.1/.
Vern


From mtdedlow at lbl.gov Wed Jan 28 22:38:54 2004
From: mtdedlow at lbl.gov (Mark Dedlow)
Date: Wed, 28 Jan 2004 22:38:54 -0800
Subject: helper utilities - cf and hf
In-Reply-To: <200401290451.i0T4pGY7080856@jaguar.icir.org>
References: <200401290451.i0T4pGY7080856@jaguar.icir.org>
Message-ID: <4018AA7E.3030405@lbl.gov>

>> There's no man page, but it'll tell you:
>
> Actually, there is a man page, cf.1, which can be formatted using nroff
> -man as usual for Unix man pages.

Mea culpa. I just did 'make install' and noted no man page installation, but a glance at the makefile reveals one has to 'make install-man'.

Mark
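The ESCSEQ rule from scan.l that was asked about earlier in this thread, (\\([^\n]|[0-7]+|x[[:xdigit:]]+)), is a lexer token, and Vern's answer pins [[:xdigit:]] to <ctype.h>'s isxdigit(). The following added example (written for this archive, not Bro's own scanner code) is a hand-written C decoder for exactly that token: it applies the three alternatives with the same longest-match preference flex would, uses isxdigit()/isdigit() for the hex branch, and counts how many bytes the C locale's isxdigit() accepts so the "[0-9a-fA-F]" expansion can be checked. The helper names (decode_escseq, decode_string, count_xdigits, check_escseq) are this example's own, and the decoded meanings of \n, \t and \r are the usual C ones, an assumption not stated in the thread.

```c
/* Added example: decoder for the ESCSEQ token \\([^\n]|[0-7]+|x[[:xdigit:]]+)
 * discussed on the list. Not Bro's scanner; the names below are ours. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decode one escape sequence starting at s (s[0] must be '\\').
 * Returns the number of input bytes consumed, 0 if s is not an ESCSEQ,
 * and stores the decoded byte in *out (values above 255 wrap, as a
 * narrowing store would in the scanner's C code). */
size_t decode_escseq(const char *s, unsigned char *out)
{
    /* [^\n]: a backslash must be followed by something other than a newline */
    if (s[0] != '\\' || s[1] == '\0' || s[1] == '\n')
        return 0;

    /* [0-7]+ : one or more octal digits; longest match wins over [^\n] */
    if (s[1] >= '0' && s[1] <= '7') {
        unsigned v = 0;
        size_t i = 1;
        while (s[i] >= '0' && s[i] <= '7') {
            v = v * 8 + (unsigned)(s[i] - '0');
            i++;
        }
        *out = (unsigned char)v;
        return i;
    }

    /* x[[:xdigit:]]+ : 'x' plus one or more hex digits; [[:xdigit:]] is
     * exactly what isxdigit() accepts, i.e. [0-9a-fA-F] in the C locale */
    if (s[1] == 'x' && isxdigit((unsigned char)s[2])) {
        unsigned v = 0;
        size_t i = 2;
        while (isxdigit((unsigned char)s[i])) {
            int c = (unsigned char)s[i];
            v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
            i++;
        }
        *out = (unsigned char)v;
        return i;
    }

    /* [^\n] : any other single character; \x with no hex digit lands here too */
    switch (s[1]) {
    case 'n': *out = '\n'; break;   /* assumed C-style meanings for n, t, r */
    case 't': *out = '\t'; break;
    case 'r': *out = '\r'; break;
    default:  *out = (unsigned char)s[1]; break;   /* \\, \", \x, ... */
    }
    return 2;
}

/* Decode a whole string literal body into out; returns bytes written. */
size_t decode_string(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (*in != '\0' && n < outsz) {
        unsigned char c;
        size_t used;
        if (*in == '\\' && (used = decode_escseq(in, &c)) > 0) {
            out[n++] = c;
            in += used;
        } else {
            out[n++] = (unsigned char)*in++;
        }
    }
    return n;
}

/* How many byte values isxdigit() accepts: 22 in the C locale (0-9, a-f, A-F). */
int count_xdigits(void)
{
    int n = 0;
    for (int c = 0; c <= UCHAR_MAX; c++)
        if (isxdigit(c))
            n++;
    return n;
}

/* Convenience check used by the tests: 1 if s decodes to expect_byte using
 * exactly expect_used input bytes, else 0. */
int check_escseq(const char *s, size_t expect_used, int expect_byte)
{
    unsigned char c = 0;
    size_t used = decode_escseq(s, &c);
    return used == expect_used && (used == 0 || c == (unsigned char)expect_byte);
}

int main(void)
{
    unsigned char buf[64];
    const char *sample = "a\\x41\\102\\tc";   /* constructed input */
    size_t n = decode_string(sample, buf, sizeof buf);
    printf("isxdigit() accepts %d byte values\n", count_xdigits());
    printf("decoded %zu bytes: ", n);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```

Two details of the regex fall out of the code: "\x41" matches the hex alternative (four bytes) rather than the single-character alternative "\x" (two bytes) purely because flex prefers the longest match, and "\x" followed by a non-hex character is still a legal ESCSEQ, decoding to the letter x. Both are worth remembering when reading what scan.l will accept in a Bro string literal.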