From rmkml at wanadoo.fr Sat Sep 4 08:30:20 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sat, 4 Sep 2004 17:30:20 +0200 (CEST) Subject: [Bro] Add micro timestamp in Logger.cc ? (to syslog) Message-ID: Hi, I use bro with syslog event, I would like add micro timestamp in Logger.cc to syslog event, but I don't say, possible help me ? in hack this file / function in 09a3 please. Regards Rmkml at Wanadoo.fr From vern at icir.org Sun Sep 5 01:22:35 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 05 Sep 2004 01:22:35 -0700 Subject: [Bro] Add micro timestamp in Logger.cc ? (to syslog) In-Reply-To: Your message of Sat, 04 Sep 2004 17:30:20 +0200. Message-ID: <200409050822.i858MZDe002712@jaguar.icir.org> > I use bro with syslog event, > > I would like add micro timestamp in Logger.cc to syslog event, > > but I don't say, > > possible help me ? > > in hack this file / function in 09a3 please. The general way to do this is to search the source for here what's going on is done. In this case, a search on "syslog" will locate the code in Logger.cc that's doing this. Vern From rmkml at wanadoo.fr Sun Sep 5 10:05:43 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sun, 5 Sep 2004 19:05:43 +0200 (CEST) Subject: [Bro] Add micro timestamp in Logger.cc ? (to syslog) In-Reply-To: <200409050822.i858MZDe002712@jaguar.icir.org> References: <200409050822.i858MZDe002712@jaguar.icir.org> Message-ID: Thanks answers guru, void Logger::Log(const char* msg) { int has_timestamp = fabs(atof(msg) - network_time) <= 30.0; if ( enabled ) { // const char* sub_msg = msg; // if ( has_timestamp ) // { // Don't include the timestamp in the logging, // as it gets tacked on by syslog anyway. // sub_msg = strchr(sub_msg, ' '); // if ( sub_msg ) // ++sub_msg; // skip over ' ' // else // sub_msg = msg; // } syslog(LOG_NOTICE, "%s", sub_msg); } ... but syslog not contains micro timestamp, possible help me please ? Regards Rmkml at Wanadoo.fr On Sun, 5 Sep 2004, Vern Paxson wrote: > Date: Sun, 05 Sep 2004 01:22:35 -0700 > From: Vern Paxson > To: rmkml > Cc: bro at lbl.gov > Subject: Re: [Bro] Add micro timestamp in Logger.cc ? (to syslog) > >> I use bro with syslog event, >> >> I would like add micro timestamp in Logger.cc to syslog event, >> >> but I don't say, >> >> possible help me ? >> >> in hack this file / function in 09a3 please. > > The general way to do this is to search the source for here what's going > on is done. In this case, a search on "syslog" will locate the code in > Logger.cc that's doing this. > > Vern > From vern at icir.org Sun Sep 5 10:09:06 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 05 Sep 2004 10:09:06 -0700 Subject: [Bro] Add micro timestamp in Logger.cc ? (to syslog) In-Reply-To: Your message of Sun, 05 Sep 2004 19:05:43 +0200. Message-ID: <200409051709.i85H96De090747@jaguar.icir.org> > ... > > but syslog not contains micro timestamp, My point was that if you want it you should *add it* via the network_time variable (see the reference to it at the top of the routine). Vern From rmkml at wanadoo.fr Sun Sep 5 11:11:21 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sun, 5 Sep 2004 20:11:21 +0200 (CEST) Subject: [Bro] Add micro timestamp in Logger.cc ? (to syslog) In-Reply-To: <200409051709.i85H96De090747@jaguar.icir.org> References: <200409051709.i85H96De090747@jaguar.icir.org> Message-ID: Ok Solved by Christian, Thanks Christian & Vern, Regards Rmkml at Wanadoo.fr On Sun, 5 Sep 2004, Vern Paxson wrote: > Date: Sun, 05 Sep 2004 10:09:06 -0700 > From: Vern Paxson > To: rmkml > Cc: bro at lbl.gov > Subject: Re: [Bro] Add micro timestamp in Logger.cc ? (to syslog) > >> ... >> >> but syslog not contains micro timestamp, > > My point was that if you want it you should *add it* via the network_time > variable (see the reference to it at the top of the routine). > > Vern > From rmkml at wanadoo.fr Sun Sep 5 12:11:03 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sun, 5 Sep 2004 21:11:03 +0200 (CEST) Subject: [Bro] Disable service name in alert||log.log ? Message-ID: Hi, Possible/How disable service name in this file ? Change : 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/http: RST_with_data to : 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/80: RST_with_data use bro 09a3 Regards Rmkml at Wanadoo.fr From christian at whoop.org Sun Sep 5 14:01:55 2004 From: christian at whoop.org (Christian Kreibich) Date: Sun, 05 Sep 2004 22:01:55 +0100 Subject: [Bro] Disable service name in alert||log.log ? In-Reply-To: References: Message-ID: <1094418114.25984.364.camel@west> On Sun, 2004-09-05 at 20:11, rmkml wrote: > Hi, > > Possible/How disable service name in this file ? > > Change : > 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/http: > RST_with_data > > to : > 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/80: > RST_with_data > > use bro 09a3 Hi, have a look at endpoint_id() in port-name.bro. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From rmkml at wanadoo.fr Sun Sep 5 22:30:47 2004 From: rmkml at wanadoo.fr (rmkml) Date: Mon, 6 Sep 2004 07:30:47 +0200 (CEST) Subject: [Bro] Disable service name in alert||log.log ? In-Reply-To: <1094418114.25984.364.camel@west> References: <1094418114.25984.364.camel@west> Message-ID: YES Thanks Christian Regards Rmkml at Wanadoo.fr On Sun, 5 Sep 2004, Christian Kreibich wrote: > Date: Sun, 05 Sep 2004 22:01:55 +0100 > From: Christian Kreibich > To: rmkml > Cc: bro at lbl.gov > Subject: Re: [Bro] Disable service name in alert||log.log ? > > On Sun, 2004-09-05 at 20:11, rmkml wrote: >> Hi, >> >> Possible/How disable service name in this file ? >> >> Change : >> 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/http: >> RST_with_data >> >> to : >> 1094411512.196834 WeirdActivity 193.250.83.215/49649 > 62.23.34.172/80: >> RST_with_data >> >> use bro 09a3 > > Hi, > > have a look at endpoint_id() in port-name.bro. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > > From zhangwei at comexgenesys.com Mon Sep 6 01:14:36 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Mon, 6 Sep 2004 16:14:36 +0800 Subject: [Bro] About the output format Message-ID: <000901c493e9$92ae5c60$7a0aa8c0@comex10> Hi all, I input the command as following: ./bro -i eth0 mt The output is as following: 1094468791.638379 0.105562 192.168.10.124 211.91.212.51 other 3032 24631 tcp ? ? REJ X 1094468791.638448 0.415231 192.168.10.124 218.25.150.228 other 3030 6002 tcp ? ? REJ X 1094468792.383596 0.000666 221.199.8.218 192.168.10.124 other 7206 3028 tcp 0 0 SF X 1094468792.392729 15.350670 192.168.10.109 61.135.158.131 http 2140 80 tcp 360 559 RSTO X 1094468822.722984 0.000914 192.168.10.135 210.19.14.6 pop-3 1544 110 tcp 0 0 SF X 1094468815.766135 9.566325 192.168.10.119 210.19.14.6 pop-3 4550 110 tcp 58 73 SF X 1094468827.517104 0.001351 192.168.10.117 192.168.10.138 netbios-ssn 1298 139 tcp 0 0 SF X 1094468826.497050 1.021691 192.168.10.119 165.254.12.131 http 4554 80 tcp 878 2003 SF X 1094468827.351215 0.845803 192.168.10.119 218.1.65.18 http 4559 80 tcp 559 477 SF X 1094468827.373599 0.832877 192.168.10.119 218.1.65.18 http 4560 80 tcp 584 452 SF X 1094468847.453140 0.502465 192.168.10.124 218.25.150.228 other 3034 6002 tcp ? ? REJ X 1094468848.450949 0.117970 192.168.10.124 211.91.212.51 other 3037 24631 tcp ? ? REJ X 1094468848.371727 0.546075 192.168.10.124 218.25.150.228 other 3034 6002 tcp ? ? REJ X 1094468848.975291 0.077632 192.168.10.124 211.91.212.51 other 3037 24631 tcp ? ? REJ X 1094468835.266162 0.001448 192.168.10.116 210.19.14.6 smtp 2218 25 tcp 0 0 SF X I don't understand the latter output format as "tcp 360 559 RSTO X",who can explain it detailed. Thanks, Cliff From zhangwei at comexgenesys.com Mon Sep 6 21:16:48 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Tue, 7 Sep 2004 12:16:48 +0800 Subject: [Bro] How to generate the alerts directly? Message-ID: <003c01c49491$87e5ce50$7a0aa8c0@comex10> Hi all, I run the bro on linux plateform, #./bro mt -w /home/zhangwei/bro0907.dump generate the "event" as following: 1094541140.067097 0.000000 64.53.211.63 192.168.10.138 other 6881 35621 tcp 0 ? SH X 1094541140.410734 12.237875 142.179.55.64 192.168.10.138 other 6884 35617 tcp 0 ? SH X 1094541140.758831 0.092686 192.168.10.119 210.19.14.6 pop-3 2880 110 tcp 0 0 SF X 1094541138.304385 5.093945 192.168.10.138 209.187.140.241 other 35627 6881 tcp 0 0 SF X 1094541142.283356 1.248243 192.168.10.107 202.104.32.234 pop-3 3221 110 tcp 61 6509 SF X 1094541159.391014 0.058311 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X 1094541140.259379 4.830893 217.164.54.166 192.168.10.138 other 6881 35631 tcp 68 0 SF X 1094541142.332284 3.056888 192.168.10.107 202.108.255.203 pop-3 3222 110 tcp 54 3271 SF X 1094541159.929456 0.225219 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X 1094541146.373011 0.140324 192.168.10.108 216.155.193.137 other 1098 5050 tcp ? ? RSTOS0 X then, # ./bro -r /home/zhangwei/bro0907.dump generate the "alerts" as following: 1094539834.607852 weird: spontaneous_FIN 1094539847.830742 weird: possible_split_routing 1094539847.856824 weird: data_before_established 1094539847.866336 weird: possible_split_routing 1094539847.866336 weird: data_before_established 1094539847.866483 weird: inappropriate_FIN 1094539848.113024 weird: possible_split_routing 1094539848.139317 weird: data_before_established 1094539848.148563 weird: possible_split_routing 1094539848.148563 weird: data_before_established I have two questions: First,are the terms which i use right,such as "event" ,"alerts"? Second,whether can I generate those alerts directly? If can,which command should i use? Or how to modify the source code? Thanks, Cliff From vern at icir.org Thu Sep 9 14:48:39 2004 From: vern at icir.org (Vern Paxson) Date: Thu, 09 Sep 2004 14:48:39 -0700 Subject: [Bro] test of the mailing list, ignore Message-ID: <200409092148.i89LmdDe020021@jaguar.icir.org> From vern at icir.org Wed Sep 8 19:24:29 2004 From: vern at icir.org (Vern Paxson) Date: Wed, 08 Sep 2004 19:24:29 -0700 Subject: [Bro] new Bro releases Message-ID: <200409090224.i892OTDe094153@jaguar.icir.org> New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from: ftp://bro-ids.org/bro-pub-0.9-current.tar.gz ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz The CURRENT release includes some incompatible changes to file formats and environment variables. NOTE: file formats for the "alert" and "signature" logs are likely to change again in the near future. In addition, there will soon be another release in which the current "log" and "alert" terms are renamed (to "alarm" and "notice", respectively). There are also some bug fixes, new features, and changes to the distribution's directory structure, file formats, and environment variables, per the appended change log. The STABLE release fixes a bug: > - Fixed broken VLAN support (integration of original patch was incomplete). per the appended patch. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0.9a4 Wed Sep 8 17:33:54 PDT 2004 - The directory structure of the Bro distribution has changed (Jason Lee). The source code is now in a subdirectory, src/, and the scripts snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have been moved into scripts/. - "make install" has been revamped (Jason Lee). - The format of the alert log file has changed. Fields in it are colon-separated. THIS WILL LIKELY CHANGE SOON. - The policy for formatting signature matches has been revamped, including colon-separated fields in the signature log file (Roger Winslow). THIS WILL LIKELY CHANGE SOON. - The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX. - A new flag, -e, lets you specify Bro code to execute via the command line (Christian Kreibich). So, for example, bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp will run tcp.bro on the trace "mytrace.tcpdump", but with traditional_conn_format redefined to be true. Note that statements have an implicit ';' added to them for convenience. - A new signature alert, "MultipleSigResponders", is generated if a host triggers the same signature on multiple responders. - Bro now supports "packet profiling", which provides fairly fine-grained statistics on number of packets processed, volume, elapsed real/user/system time, and change in memory consumption (Holger Dreger). Three variables control the output. The double pkt_profile_freq controls the frequency of output. The units in which it's interpreted depends on the setting of the pkt_profile_mode variable (which is of type pkt_profile_modes, an enum). A value of PKT_PROFILE_MODE_SECS means that statistics are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every pkt_profile_freq bytes. The default (PKT_PROFILE_MODE_NONE) means to not generate packet profiling. Packet profiling is written to the new log file, pkt_profile_file. If you "@load pkt-profile", you can turn on packet profiling using some handy defaults. - statistics.bro now reports on how many TCP connections are in for the different TCP endpoint states (SYN sent, SYN ack'd, connection established, etc.). Contributed by Holger Dreger. - tcp_content_delivery_ports_{orig,resp} are now table's of bool rather than set's (Ruoming Pang). The semantics are that if you have a tcp_contents event handler, then if the orig/resp port is in the given table *and the yield value is T*, then the event will be invoked. This allows you to now explicitly skip over some ports. - The processing of default values in tables has been changed internally (Ruoming Pang). It's possible this has introduced some subtle bugs (as some of these came up during testing). - A serious bug in Base64 processing has been fixed (Ruoming Pang). - The NetBIOS and SMB analyzers have been updated in minor ways (Ruoming Pang). - statistics.bro now reports a "lag" figure indicating the elasped time between the last expired timer's target expiration time and the current packet timestamp (Robin Sommer). Lag can grow if Bro is getting behind in timer expiration due to the setting of max_timer_expires. - Bro's default filter is now "tcp or udp or icmp" rather than "tcp or udp". - alert_info records now have an optional port associated with them (for example, to be used to describe scan activity). - A bug has been fixed in which deleting a table element with an associated timer could crash Bro (Robin Sommer). - A bug that would cause a crash for malformed EPASV directives has been fixed (Robin Sommer). - A bug with inactivity timeouts not being generated for partial connections has been fixed (Robin Sommer). - A bug in synflood.bro has been fixed (Robin Sommer). - Some tuning adjustments to incremental expiration of table entries (Robin Sommer). - Improved portability to Darwin (Christian Kreibich). - alert_info records now have additional optional fields, "iconn" (associated ICMP connection), "dst" (destination address), and "p" (associated port). The source_is_responder fields has been removed. - The default packet filter now includes "icmp". - Some memory allocation/free mismatches & minor leaks (Robin Sommer). - Minor tweaks to ssl.bro (Robin Sommer). - Bro now supports "null" link layers (Christian Kreibich). - aux/adtrace contains a program that spits out MAC/IP information from traces (Holger Dreger). - The formatting of "weird" messages that have additional parameters has been changed to be more regularized with other "weird" messages. - The new "weird" type "base64_illegal_encoding" takes the place of some previously unstructured Base64 "weird" errors. - A tweak to ftp.bro will give it slightly more consistent results for some forms of unusual traffic. -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES --- bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004 +++ bro-pub-0.8a88/CHANGES Wed Sep 8 17:56:23 2004 @@ -3,6 +3,11 @@ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +0.8a88 Wed Sep 8 17:56:03 PDT 2004 + +- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang). + + 0.8a87 Sun Jul 11 10:26:35 PDT 2004 - Fixed broken VLAN support (integration of original patch was incomplete). diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION --- bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004 +++ bro-pub-0.8a88/VERSION Wed Sep 8 17:55:55 2004 @@ -1 +1 @@ -0.8a87 +0.8a88 diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc --- bro-pub-0.8a87/Base64.cc Sun Jun 6 10:42:38 2004 +++ bro-pub-0.8a88/Base64.cc Wed Sep 8 17:56:27 2004 @@ -60,33 +60,10 @@ *pbuf = buf = new char[blen]; } - int rlen = 0; - int dlen; + int dlen = 0; - for ( dlen = 0; dlen < len; ++dlen ) + while ( 1 ) { - if ( data[dlen] == '=' ) - ++base64_padding; - - int k = base64_table[(unsigned char) data[dlen]]; - if ( k < 0 ) - { - if ( ++errored == 1 ) - // ### This and the next one should be - // a Weird, not a run-time error. - IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen]))); - continue; - } - - // Stop decoding if we don't have enough buffer. - if ( base64_group_next < 3 ) - { - if ( ++rlen > blen ) - break; - } - - base64_group[base64_group_next++] = k; - if ( base64_group_next == 4 ) { // For every group of 4 6-bit numbers, @@ -99,14 +76,17 @@ continue; } + int num_octets = 3 - base64_padding; + + if ( buf + num_octets > *pbuf + blen ) + break; + uint32 bit32 = ((base64_group[0] & 0x3f) << 18) | ((base64_group[1] & 0x3f) << 12) | ((base64_group[2] & 0x3f) << 6) | ((base64_group[3] & 0x3f)); - int num_octets = 3 - base64_padding; - if ( --num_octets >= 0 ) *buf++ = char((bit32 >> 16) & 0xff); @@ -122,6 +102,23 @@ base64_group_next = 0; base64_padding = 0; } + + if ( dlen >= len ) + break; + + if ( data[dlen] == '=' ) + ++base64_padding; + + int k = base64_table[(unsigned char) data[dlen]]; + if ( k >= 0 ) + base64_group[base64_group_next++] = k; + else + { + if ( ++errored == 1 ) + IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen]))); + } + + ++dlen; } *pblen = buf - *pbuf; @@ -134,7 +131,8 @@ if ( base64_group_next != 0 ) { - IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6)); + if ( base64_group_next < 4 ) + IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6)); Decode(4 - base64_group_next, padding, pblen, pbuf); return -1; } From rmkml at wanadoo.fr Fri Sep 10 00:46:10 2004 From: rmkml at wanadoo.fr (rmkml) Date: Fri, 10 Sep 2004 09:46:10 +0200 (CEST) Subject: [Bro] new Bro releases In-Reply-To: <200409090224.i892OTDe094153@jaguar.icir.org> References: <200409090224.i892OTDe094153@jaguar.icir.org> Message-ID: Hi, I am compiled pb on 09a4 (not pb before this version), Im not found YACC/bison in Makefile, $ make ... bison -y -d -t -v builtin-func.y flex -obif_lex.cc builtin-func.l g++ -o bif_lex.o -c bif_lex.cc g++ -o bif_parse.o -c bif_parse.cc y.tab.c: In function `int yyparse()': y.tab.c:1705: syntax error before `goto' *** Error code 1 Possible help me please ? before release, Im changed in Makefile : bison -> byacc but on this release, Im not found bison in Makefile second light pb : $ ./configure ... config.status: creating aux/adtrace/Makefile config.status: error: cannot find input file: aux/adtrace/Makefile.in Im use bro on freebsd v4.10R. Thanks Rmkml at Wanadoo.fr On Wed, 8 Sep 2004, Vern Paxson wrote: > Date: Wed, 08 Sep 2004 19:24:29 -0700 > From: Vern Paxson > To: bro at bro-ids.org > Subject: [Bro] new Bro releases > > New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from: > > ftp://bro-ids.org/bro-pub-0.9-current.tar.gz > ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz > > The CURRENT release includes some incompatible changes to file formats and > environment variables. NOTE: file formats for the "alert" and "signature" > logs are likely to change again in the near future. In addition, there > will soon be another release in which the current "log" and "alert" terms > are renamed (to "alarm" and "notice", respectively). > > There are also some bug fixes, new features, and changes to the distribution's > directory structure, file formats, and environment variables, per the > appended change log. > > The STABLE release fixes a bug: > >> - Fixed broken VLAN support (integration of original patch was incomplete). > > per the appended patch. > > Vern > > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > 0.9a4 Wed Sep 8 17:33:54 PDT 2004 > > - The directory structure of the Bro distribution has changed (Jason Lee). > The source code is now in a subdirectory, src/, and the scripts > snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have > been moved into scripts/. > > - "make install" has been revamped (Jason Lee). > > - The format of the alert log file has changed. Fields in it are > colon-separated. THIS WILL LIKELY CHANGE SOON. > > - The policy for formatting signature matches has been revamped, > including colon-separated fields in the signature log file > (Roger Winslow). THIS WILL LIKELY CHANGE SOON. > > - The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX. > > - A new flag, -e, lets you specify Bro code to execute via the command > line (Christian Kreibich). So, for example, > > bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp > > will run tcp.bro on the trace "mytrace.tcpdump", but with > traditional_conn_format redefined to be true. Note that statements > have an implicit ';' added to them for convenience. > > - A new signature alert, "MultipleSigResponders", is generated if a > host triggers the same signature on multiple responders. > > - Bro now supports "packet profiling", which provides fairly fine-grained > statistics on number of packets processed, volume, elapsed real/user/system > time, and change in memory consumption (Holger Dreger). Three variables > control the output. The double pkt_profile_freq controls the frequency > of output. The units in which it's interpreted depends on the setting > of the pkt_profile_mode variable (which is of type pkt_profile_modes, > an enum). A value of PKT_PROFILE_MODE_SECS means that statistics > are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS > means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every > pkt_profile_freq bytes. The default (PKT_PROFILE_MODE_NONE) means > to not generate packet profiling. > > Packet profiling is written to the new log file, pkt_profile_file. > If you "@load pkt-profile", you can turn on packet profiling using > some handy defaults. > > - statistics.bro now reports on how many TCP connections are in > for the different TCP endpoint > states (SYN sent, SYN ack'd, connection established, etc.). > Contributed by Holger Dreger. > > - tcp_content_delivery_ports_{orig,resp} are now table's of bool rather > than set's (Ruoming Pang). The semantics are that if you have a > tcp_contents event handler, then if the orig/resp port is in the given > table *and the yield value is T*, then the event will be invoked. This > allows you to now explicitly skip over some ports. > > - The processing of default values in tables has been changed internally > (Ruoming Pang). It's possible this has introduced some subtle bugs > (as some of these came up during testing). > > - A serious bug in Base64 processing has been fixed (Ruoming Pang). > > - The NetBIOS and SMB analyzers have been updated in minor ways > (Ruoming Pang). > > - statistics.bro now reports a "lag" figure indicating the elasped > time between the last expired timer's target expiration time and > the current packet timestamp (Robin Sommer). Lag can grow if Bro > is getting behind in timer expiration due to the setting of > max_timer_expires. > > - Bro's default filter is now "tcp or udp or icmp" rather than > "tcp or udp". > > - alert_info records now have an optional port associated with them > (for example, to be used to describe scan activity). > > - A bug has been fixed in which deleting a table element with an > associated timer could crash Bro (Robin Sommer). > > - A bug that would cause a crash for malformed EPASV directives > has been fixed (Robin Sommer). > > - A bug with inactivity timeouts not being generated for partial > connections has been fixed (Robin Sommer). > > - A bug in synflood.bro has been fixed (Robin Sommer). > > - Some tuning adjustments to incremental expiration of table entries > (Robin Sommer). > > - Improved portability to Darwin (Christian Kreibich). > > - alert_info records now have additional optional fields, "iconn" > (associated ICMP connection), "dst" (destination address), and > "p" (associated port). The source_is_responder fields has been > removed. > > - The default packet filter now includes "icmp". > > - Some memory allocation/free mismatches & minor leaks (Robin Sommer). > > - Minor tweaks to ssl.bro (Robin Sommer). > > - Bro now supports "null" link layers (Christian Kreibich). > > - aux/adtrace contains a program that spits out MAC/IP information > from traces (Holger Dreger). > > - The formatting of "weird" messages that have additional parameters > has been changed to be more regularized with other "weird" messages. > > - The new "weird" type "base64_illegal_encoding" takes the place of > some previously unstructured Base64 "weird" errors. > > - A tweak to ftp.bro will give it slightly more consistent results > for some forms of unusual traffic. > > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES > --- bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004 > +++ bro-pub-0.8a88/CHANGES Wed Sep 8 17:56:23 2004 > @@ -3,6 +3,11 @@ > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > +0.8a88 Wed Sep 8 17:56:03 PDT 2004 > + > +- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang). > + > + > 0.8a87 Sun Jul 11 10:26:35 PDT 2004 > > - Fixed broken VLAN support (integration of original patch was incomplete). > diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION > --- bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004 > +++ bro-pub-0.8a88/VERSION Wed Sep 8 17:55:55 2004 > @@ -1 +1 @@ > -0.8a87 > +0.8a88 > diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc > --- bro-pub-0.8a87/Base64.cc Sun Jun 6 10:42:38 2004 > +++ bro-pub-0.8a88/Base64.cc Wed Sep 8 17:56:27 2004 > @@ -60,33 +60,10 @@ > *pbuf = buf = new char[blen]; > } > > - int rlen = 0; > - int dlen; > + int dlen = 0; > > - for ( dlen = 0; dlen < len; ++dlen ) > + while ( 1 ) > { > - if ( data[dlen] == '=' ) > - ++base64_padding; > - > - int k = base64_table[(unsigned char) data[dlen]]; > - if ( k < 0 ) > - { > - if ( ++errored == 1 ) > - // ### This and the next one should be > - // a Weird, not a run-time error. > - IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen]))); > - continue; > - } > - > - // Stop decoding if we don't have enough buffer. > - if ( base64_group_next < 3 ) > - { > - if ( ++rlen > blen ) > - break; > - } > - > - base64_group[base64_group_next++] = k; > - > if ( base64_group_next == 4 ) > { > // For every group of 4 6-bit numbers, > @@ -99,14 +76,17 @@ > continue; > } > > + int num_octets = 3 - base64_padding; > + > + if ( buf + num_octets > *pbuf + blen ) > + break; > + > uint32 bit32 = > ((base64_group[0] & 0x3f) << 18) | > ((base64_group[1] & 0x3f) << 12) | > ((base64_group[2] & 0x3f) << 6) | > ((base64_group[3] & 0x3f)); > > - int num_octets = 3 - base64_padding; > - > if ( --num_octets >= 0 ) > *buf++ = char((bit32 >> 16) & 0xff); > > @@ -122,6 +102,23 @@ > base64_group_next = 0; > base64_padding = 0; > } > + > + if ( dlen >= len ) > + break; > + > + if ( data[dlen] == '=' ) > + ++base64_padding; > + > + int k = base64_table[(unsigned char) data[dlen]]; > + if ( k >= 0 ) > + base64_group[base64_group_next++] = k; > + else > + { > + if ( ++errored == 1 ) > + IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen]))); > + } > + > + ++dlen; > } > > *pblen = buf - *pbuf; > @@ -134,7 +131,8 @@ > > if ( base64_group_next != 0 ) > { > - IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6)); > + if ( base64_group_next < 4 ) > + IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6)); > Decode(4 - base64_group_next, padding, pblen, pbuf); > return -1; > } > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From rmkml at wanadoo.fr Fri Sep 10 00:51:49 2004 From: rmkml at wanadoo.fr (rmkml) Date: Fri, 10 Sep 2004 09:51:49 +0200 (CEST) Subject: [Bro] new Bro releases In-Reply-To: References: <200409090224.i892OTDe094153@jaguar.icir.org> Message-ID: Sorry for my post, bison/byacc are src/Makefile Regards Rmkml at Wanadoo.fr On Fri, 10 Sep 2004, rmkml wrote: > Date: Fri, 10 Sep 2004 09:46:10 +0200 (CEST) > From: rmkml > To: Vern Paxson > Cc: bro at bro-ids.org > Subject: Re: [Bro] new Bro releases > > Hi, > > I am compiled pb on 09a4 (not pb before this version), > > Im not found YACC/bison in Makefile, > > $ make > ... > bison -y -d -t -v builtin-func.y > flex -obif_lex.cc builtin-func.l > g++ -o bif_lex.o -c bif_lex.cc > g++ -o bif_parse.o -c bif_parse.cc > y.tab.c: In function `int yyparse()': > y.tab.c:1705: syntax error before `goto' > *** Error code 1 > > Possible help me please ? > before release, Im changed in Makefile : bison -> byacc > but on this release, Im not found bison in Makefile > > > second light pb : > $ ./configure > ... > config.status: creating aux/adtrace/Makefile > config.status: error: cannot find input file: aux/adtrace/Makefile.in > > > Im use bro on freebsd v4.10R. > > Thanks > > Rmkml at Wanadoo.fr > > > > On Wed, 8 Sep 2004, Vern Paxson wrote: > >> Date: Wed, 08 Sep 2004 19:24:29 -0700 >> From: Vern Paxson >> To: bro at bro-ids.org >> Subject: [Bro] new Bro releases >> >> New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from: >> >> ftp://bro-ids.org/bro-pub-0.9-current.tar.gz >> ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz >> >> The CURRENT release includes some incompatible changes to file formats and >> environment variables. NOTE: file formats for the "alert" and "signature" >> logs are likely to change again in the near future. In addition, there >> will soon be another release in which the current "log" and "alert" terms >> are renamed (to "alarm" and "notice", respectively). >> >> There are also some bug fixes, new features, and changes to the >> distribution's >> directory structure, file formats, and environment variables, per the >> appended change log. >> >> The STABLE release fixes a bug: >> >>> - Fixed broken VLAN support (integration of original patch was >>> incomplete). >> >> per the appended patch. >> >> Vern >> >> >> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> >> >> 0.9a4 Wed Sep 8 17:33:54 PDT 2004 >> >> - The directory structure of the Bro distribution has changed (Jason Lee). >> The source code is now in a subdirectory, src/, and the scripts >> snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have >> been moved into scripts/. >> >> - "make install" has been revamped (Jason Lee). >> >> - The format of the alert log file has changed. Fields in it are >> colon-separated. THIS WILL LIKELY CHANGE SOON. >> >> - The policy for formatting signature matches has been revamped, >> including colon-separated fields in the signature log file >> (Roger Winslow). THIS WILL LIKELY CHANGE SOON. >> >> - The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX. >> >> - A new flag, -e, lets you specify Bro code to execute via the command >> line (Christian Kreibich). So, for example, >> >> bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp >> >> will run tcp.bro on the trace "mytrace.tcpdump", but with >> traditional_conn_format redefined to be true. Note that statements >> have an implicit ';' added to them for convenience. >> >> - A new signature alert, "MultipleSigResponders", is generated if a >> host triggers the same signature on multiple responders. >> >> - Bro now supports "packet profiling", which provides fairly fine-grained >> statistics on number of packets processed, volume, elapsed >> real/user/system >> time, and change in memory consumption (Holger Dreger). Three variables >> control the output. The double pkt_profile_freq controls the frequency >> of output. The units in which it's interpreted depends on the setting >> of the pkt_profile_mode variable (which is of type pkt_profile_modes, >> an enum). A value of PKT_PROFILE_MODE_SECS means that statistics >> are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS >> means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every >> pkt_profile_freq bytes. The default (PKT_PROFILE_MODE_NONE) means >> to not generate packet profiling. >> >> Packet profiling is written to the new log file, pkt_profile_file. >> If you "@load pkt-profile", you can turn on packet profiling using >> some handy defaults. >> >> - statistics.bro now reports on how many TCP connections are in >> for the different TCP endpoint >> states (SYN sent, SYN ack'd, connection established, etc.). >> Contributed by Holger Dreger. >> >> - tcp_content_delivery_ports_{orig,resp} are now table's of bool rather >> than set's (Ruoming Pang). The semantics are that if you have a >> tcp_contents event handler, then if the orig/resp port is in the given >> table *and the yield value is T*, then the event will be invoked. This >> allows you to now explicitly skip over some ports. >> >> - The processing of default values in tables has been changed internally >> (Ruoming Pang). It's possible this has introduced some subtle bugs >> (as some of these came up during testing). >> >> - A serious bug in Base64 processing has been fixed (Ruoming Pang). >> >> - The NetBIOS and SMB analyzers have been updated in minor ways >> (Ruoming Pang). >> >> - statistics.bro now reports a "lag" figure indicating the elasped >> time between the last expired timer's target expiration time and >> the current packet timestamp (Robin Sommer). Lag can grow if Bro >> is getting behind in timer expiration due to the setting of >> max_timer_expires. >> >> - Bro's default filter is now "tcp or udp or icmp" rather than >> "tcp or udp". >> >> - alert_info records now have an optional port associated with them >> (for example, to be used to describe scan activity). >> >> - A bug has been fixed in which deleting a table element with an >> associated timer could crash Bro (Robin Sommer). >> >> - A bug that would cause a crash for malformed EPASV directives >> has been fixed (Robin Sommer). >> >> - A bug with inactivity timeouts not being generated for partial >> connections has been fixed (Robin Sommer). >> >> - A bug in synflood.bro has been fixed (Robin Sommer). >> >> - Some tuning adjustments to incremental expiration of table entries >> (Robin Sommer). >> >> - Improved portability to Darwin (Christian Kreibich). >> >> - alert_info records now have additional optional fields, "iconn" >> (associated ICMP connection), "dst" (destination address), and >> "p" (associated port). The source_is_responder fields has been >> removed. >> >> - The default packet filter now includes "icmp". >> >> - Some memory allocation/free mismatches & minor leaks (Robin Sommer). >> >> - Minor tweaks to ssl.bro (Robin Sommer). >> >> - Bro now supports "null" link layers (Christian Kreibich). >> >> - aux/adtrace contains a program that spits out MAC/IP information >> from traces (Holger Dreger). >> >> - The formatting of "weird" messages that have additional parameters >> has been changed to be more regularized with other "weird" messages. >> >> - The new "weird" type "base64_illegal_encoding" takes the place of >> some previously unstructured Base64 "weird" errors. >> >> - A tweak to ftp.bro will give it slightly more consistent results >> for some forms of unusual traffic. >> >> >> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> >> >> diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES >> --- bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004 >> +++ bro-pub-0.8a88/CHANGES Wed Sep 8 17:56:23 2004 >> @@ -3,6 +3,11 @@ >> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> >> >> +0.8a88 Wed Sep 8 17:56:03 PDT 2004 >> + >> +- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang). >> + >> + >> 0.8a87 Sun Jul 11 10:26:35 PDT 2004 >> >> - Fixed broken VLAN support (integration of original patch was incomplete). >> diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION >> --- bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004 >> +++ bro-pub-0.8a88/VERSION Wed Sep 8 17:55:55 2004 >> @@ -1 +1 @@ >> -0.8a87 >> +0.8a88 >> diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc >> --- bro-pub-0.8a87/Base64.cc Sun Jun 6 10:42:38 2004 >> +++ bro-pub-0.8a88/Base64.cc Wed Sep 8 17:56:27 2004 >> @@ -60,33 +60,10 @@ >> *pbuf = buf = new char[blen]; >> } >> >> - int rlen = 0; >> - int dlen; >> + int dlen = 0; >> >> - for ( dlen = 0; dlen < len; ++dlen ) >> + while ( 1 ) >> { >> - if ( data[dlen] == '=' ) >> - ++base64_padding; >> - >> - int k = base64_table[(unsigned char) data[dlen]]; >> - if ( k < 0 ) >> - { >> - if ( ++errored == 1 ) >> - // ### This and the next one should be >> - // a Weird, not a run-time error. >> - IllegalEncoding(fmt("character %d ignored by >> Base64 decoding", (int) (data[dlen]))); >> - continue; >> - } >> - >> - // Stop decoding if we don't have enough buffer. >> - if ( base64_group_next < 3 ) >> - { >> - if ( ++rlen > blen ) >> - break; >> - } >> - >> - base64_group[base64_group_next++] = k; >> - >> if ( base64_group_next == 4 ) >> { >> // For every group of 4 6-bit numbers, >> @@ -99,14 +76,17 @@ >> continue; >> } >> >> + int num_octets = 3 - base64_padding; >> + >> + if ( buf + num_octets > *pbuf + blen ) >> + break; >> + >> uint32 bit32 = >> ((base64_group[0] & 0x3f) << 18) | >> ((base64_group[1] & 0x3f) << 12) | >> ((base64_group[2] & 0x3f) << 6) | >> ((base64_group[3] & 0x3f)); >> >> - int num_octets = 3 - base64_padding; >> - >> if ( --num_octets >= 0 ) >> *buf++ = char((bit32 >> 16) & 0xff); >> >> @@ -122,6 +102,23 @@ >> base64_group_next = 0; >> base64_padding = 0; >> } >> + >> + if ( dlen >= len ) >> + break; >> + >> + if ( data[dlen] == '=' ) >> + ++base64_padding; >> + >> + int k = base64_table[(unsigned char) data[dlen]]; >> + if ( k >= 0 ) >> + base64_group[base64_group_next++] = k; >> + else >> + { >> + if ( ++errored == 1 ) >> + IllegalEncoding(fmt("character %d ignored by >> Base64 decoding", (int) (data[dlen]))); >> + } >> + >> + ++dlen; >> } >> >> *pblen = buf - *pbuf; >> @@ -134,7 +131,8 @@ >> >> if ( base64_group_next != 0 ) >> { >> - IllegalEncoding(fmt("incomplete base64 group, padding with %d >> bits of 0", (4-base64_group_next) * 6)); >> + if ( base64_group_next < 4 ) >> + IllegalEncoding(fmt("incomplete base64 group, padding >> with %d bits of 0", (4-base64_group_next) * 6)); >> Decode(4 - base64_group_next, padding, pblen, pbuf); >> return -1; >> } >> _______________________________________________ >> Bro mailing list >> Bro at ICSI.Berkeley.EDU >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > From rmkml at wanadoo.fr Fri Sep 10 01:05:16 2004 From: rmkml at wanadoo.fr (rmkml) Date: Fri, 10 Sep 2004 10:05:16 +0200 (CEST) Subject: [Bro] two compile pb on 09a4 Message-ID: Hi, On freebsd v4.10R : $ ./configure => change bison to byacc in src/Makefile $ make ... ./bifcl const.bif g++ -I. -I.. -Ilibedit -O -I/var/tmp/libpcap-0.8.3 -c main.cc In file included from main.cc:68: setsignal.h:26: syntax error before `,' main.cc:235: syntax error before `(' *** Error code 1 on linux kernel v2.4.26 : $ ./configure $ make ... bison -y -d -t -v builtin-func.y flex -obif_lex.cc builtin-func.l g++ -o bif_lex.o -c bif_lex.cc g++ -o bif_parse.o -c bif_parse.cc g++ -I. -I.. -Ilibedit -O -I../linux-include -o bif_arg.o -c bif_arg.cc bif_arg.cc:3: config.h: No such file or directory make[1]: *** [bif_arg.o] Error 1 make[1]: Leaving directory `/usr/src/bro/bro-pub-0.9a4/src' make: *** [all] Error 2 on 09a3, I found config.h, but not found on 09a4. on linux and freebsd, $ make distclean not work ... No pb before this release. Regards Rmkml at Wanadoo.fr From rmkml at wanadoo.fr Sat Sep 11 12:49:48 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sat, 11 Sep 2004 21:49:48 +0200 (CEST) Subject: [Bro] not detect {big} scan with scan analyser Message-ID: Hi, Im use bro 09a[3-4-5] on freebsd v4.10R, bro not detect this scan, (joigned pcap/gz file) with default policy, but in conn.log file : 1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X 1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? ? REJ X 1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X 1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X 1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X 1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X 1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 X ... $ export BROPATH=/c/confL/policy $ export BRO_DNS_FAKE=1 # disable dns lookup $ /usr/local/bin/bro09a5_nodns_micro -r scantcp-viginia_edu.tcpdump bro.init mt -> scan anlyser in mt.bro (@load scan) Possible help me ? Regards Rmkml at Wanadoo.fr -------------- next part -------------- A non-text attachment was scrubbed... Name: scantcp-virginia_edu.tcpdump.gz Type: application/octet-stream Size: 9732 bytes Desc: scantcp.pcap.gz Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040911/a0457069/attachment.obj From christian at whoop.org Sat Sep 11 14:09:45 2004 From: christian at whoop.org (Christian Kreibich) Date: Sat, 11 Sep 2004 22:09:45 +0100 Subject: [Bro] two compile pb on 09a4 In-Reply-To: References: Message-ID: <1094936984.6715.308.camel@localhost.localdomain> Hi, On Fri, 2004-09-10 at 09:05, rmkml wrote: > Hi, > > On freebsd v4.10R : > > $ ./configure > => change bison to byacc in src/Makefile > $ make > ... > ./bifcl const.bif > g++ -I. -I.. -Ilibedit -O -I/var/tmp/libpcap-0.8.3 -c main.cc > In file included from main.cc:68: > setsignal.h:26: syntax error before `,' > main.cc:235: syntax error before `(' > *** Error code 1 I'm confused after your two earlier postings what you're trying to achieve. In any case, never edit the Makefile, instead see what the configure script reports and try to fix the problem from there. Changes to Makefiles (as opposed to Makefile.ins) will get overwritten as soon as you run the configure script again. > on linux kernel v2.4.26 : > $ ./configure > $ make > ... > bison -y -d -t -v builtin-func.y > flex -obif_lex.cc builtin-func.l > g++ -o bif_lex.o -c bif_lex.cc > g++ -o bif_parse.o -c bif_parse.cc > g++ -I. -I.. -Ilibedit -O -I../linux-include -o bif_arg.o -c bif_arg.cc > bif_arg.cc:3: config.h: No such file or directory > make[1]: *** [bif_arg.o] Error 1 > make[1]: Leaving directory `/usr/src/bro/bro-pub-0.9a4/src' > make: *** [all] Error 2 > > on 09a3, I found config.h, but not found on 09a4. I think something went wrong when you ran configure, and you did not get a config.h file in the end. What are the last lines printed when you run configure? They should look roughly like this: config.status: creating Makefile config.status: creating src/Makefile config.status: creating aux/cf-1.1/Makefile config.status: creating doc/Makefile config.status: creating doc/ref-manual/Makefile config.status: creating doc/quick-start/Makefile config.status: creating doc/user-manual/Makefile config.status: creating aux/adtrace/Makefile config.status: creating policy/Makefile config.status: creating policy/sigs/Makefile config.status: creating scripts/Makefile config.status: creating scripts/bro_config config.status: creating scripts/bro.rc config.status: creating scripts/localnetMAC.pl config.status: creating scripts/s2b/Makefile config.status: creating aux/bdcat/Makefile config.status: creating config.h config.status: config.h is unchanged config.status: executing default commands > > on linux and freebsd, > $ make distclean > not work ... When something does not work, please *always* include detailed descriptions of *how* it did not work. We can't help you otherwise. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From christian at whoop.org Sat Sep 11 14:18:21 2004 From: christian at whoop.org (Christian Kreibich) Date: Sat, 11 Sep 2004 22:18:21 +0100 Subject: [Bro] not detect {big} scan with scan analyser In-Reply-To: References: Message-ID: <1094937500.6716.314.camel@localhost.localdomain> Hi, On Sat, 2004-09-11 at 20:49, rmkml wrote: > Hi, > > Im use bro 09a[3-4-5] on freebsd v4.10R, > > bro not detect this scan, (joigned pcap/gz file) man, please do *not* send snippets of full-packet captures of any site other than your own private network to a public mailing list! I don't need to know how you're using these traces but I'm sure the folks from vetmed.vt.edu don't want to see their traffic dissected in public on the Internet. > with default policy, > > but in conn.log file : > > 1085375478.746540 0.000008 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? > ? REJ X > 1085375479.331791 0.000003 128.173.231.31 62.23.34.167 smtp 3618 25 tcp ? > ? REJ X > 1085375481.138096 ? 128.173.231.31 62.23.34.162 ftp 3565 21 tcp ? ? S0 X > 1085375481.138064 ? 128.173.231.31 62.23.34.162 http 3566 80 tcp ? ? S0 X > 1085375481.138104 ? 128.173.231.31 62.23.34.162 dns 3567 53 tcp ? ? S0 X > 1085375481.138047 ? 128.173.231.31 62.23.34.162 smtp 3568 25 tcp ? ? S0 X > 1085375481.138072 ? 128.173.231.31 62.23.34.162 finger 3569 79 tcp ? ? S0 > X > ... > > $ export BROPATH=/c/confL/policy > $ export BRO_DNS_FAKE=1 # disable dns lookup > $ /usr/local/bin/bro09a5_nodns_micro -r > scantcp-viginia_edu.tcpdump bro.init mt Note: you normally do not need to include bro.init separately on the command line as that's always included (see main.cc). > -> scan anlyser in mt.bro (@load scan) > > Possible help me ? I'm not sure what you're feeding into Bro, but that's not that many SYNs. I suggest you dig through the scan.bro policy and try to understand why it decides that it is not a scan -- you'll also *need* to understand if you want to use the scan analyzer realiable. Regards, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From zhangwei at comexgenesys.com Mon Sep 13 20:01:55 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Tue, 14 Sep 2004 11:01:55 +0800 Subject: [Bro] About source code Message-ID: <002a01c49a0b$77b73670$7a0aa8c0@comex10> Hi rmkml, Have you ever research the source code of code? I think to understand the framework of the source code and hope to get your help! :-) Best Regards, Cliff From zhangwei at comexgenesys.com Tue Sep 14 02:31:34 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Tue, 14 Sep 2004 17:31:34 +0800 Subject: [Bro] About source code References: <002a01c49a0b$77b73670$7a0aa8c0@comex10> Message-ID: <002301c49a3d$a3d3b620$7a0aa8c0@comex10> Hi rmkml, sorry for i typing the wrong words. I mean whether you have interest in the source code ,not only on the use of "Bro". Have you ever research the source code? Because I see only the mail discussing the use of "Bro" in mail list.I hope the range of discussion should be more wide. :-) Thanks, Cliff ----- Original Message ----- From: "rmkml" To: "Cliff" Sent: Tuesday, September 14, 2004 5:13 PM Subject: Re: [Bro] About source code > Hi Cliff, > > sorry, > I don't understand your email, > > please explain me ? > > Regards > Rmkml at Wanadoo.fr > > > On Tue, 14 Sep 2004, Cliff wrote: > > > Date: Tue, 14 Sep 2004 11:01:55 +0800 > > From: Cliff > > To: bro at bro-ids.org > > Subject: [Bro] About source code > > > > Hi rmkml, > > Have you ever research the source code of code? > > I think to understand the framework of the source code and hope to get your help! :-) > > > > > > Best Regards, > > Cliff > > > > _______________________________________________ > > Bro mailing list > > Bro at ICSI.Berkeley.EDU > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > From christian at whoop.org Tue Sep 14 04:48:33 2004 From: christian at whoop.org (Christian Kreibich) Date: Tue, 14 Sep 2004 12:48:33 +0100 Subject: [Bro] About source code In-Reply-To: <002301c49a3d$a3d3b620$7a0aa8c0@comex10> References: <002a01c49a0b$77b73670$7a0aa8c0@comex10> <002301c49a3d$a3d3b620$7a0aa8c0@comex10> Message-ID: <1095162513.31139.28.camel@ghouls.cl.cam.ac.uk> On Tue, 2004-09-14 at 10:31, Cliff wrote: > Hi rmkml, > sorry for i typing the wrong words. > I mean whether you have interest in the source code ,not only on the use of "Bro". > Have you ever research the source code? > Because I see only the mail discussing the use of "Bro" in mail list.I hope the range of discussion should be more wide. :-) Just to make sure -- you're generally welcome to ask anything Bro-relevant on this list, no matter what part of the system it relates to. Regards, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From mike.muratet at torchtechnologies.com Tue Sep 14 08:20:04 2004 From: mike.muratet at torchtechnologies.com (Mike Muratet) Date: Tue, 14 Sep 2004 10:20:04 -0500 Subject: [Bro] Packet service time vs connection time References: <002a01c49a0b$77b73670$7a0aa8c0@comex10> <002301c49a3d$a3d3b620$7a0aa8c0@comex10> <1095162513.31139.28.camel@ghouls.cl.cam.ac.uk> Message-ID: <001f01c49a6e$509f8c50$5301a8c0@muratet> Greetings I am attempting a clustering analysis on packet data collected with tcpdump using bro. I have used the conn script that comes with the bro distribution to process interarrival and connection times for connections. Also of interest are the packet interarrival and service times. Given that there is a single time stamp for each record, is there a way to calculate a service time for a packet? I don't think there is (without access to the interface) but I'm not a network expert and I thought I should check. I have the Paxson and Floyd paper 'Wide Area Traffic....' but I haven't found any bits about service time. (Vern, are you out there?) Regards Mike From slau at lbl.gov Tue Sep 14 13:18:04 2004 From: slau at lbl.gov (Stephen Lau) Date: Tue, 14 Sep 2004 13:18:04 -0700 Subject: [Bro] About source code In-Reply-To: <002a01c49a0b$77b73670$7a0aa8c0@comex10> References: <002a01c49a0b$77b73670$7a0aa8c0@comex10> Message-ID: <414751FC.1010801@lbl.gov> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cliff wrote: | Hi rmkml, | Have you ever research the source code of code? | I think to understand the framework of the source code and hope to get your help! :-) | Yes. There are occasional questions about the source code itself, but most of the questions on the email list are regarding using Bro. Feel free to ask any questions about the source code. I'm sure someone on the list will be able to help you. Steve - -- +--------------------------------------------------------------------- Stephen Lau - slau at lbl.gov | Lawrence Berkeley National Labs | "Wolverines!!" 1 Cyclotron Road, Berkeley CA 94720 U.S. | - Red Dawn (1984) +1(510) 486-7178(Work) +1(510) 486-4316(Fax) | PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B main(i){putchar(i["irj^q;f[d%]djxi"]+i) &&i++%13&&main(i);} +--------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBR1H8mgSrK/Y/dIsRArIkAKDXoRPXw8TqO82jSoZzGNQERMdctQCgzbOL UgtRXK39yzUmBeE7VsH/+w4= =knlc -----END PGP SIGNATURE----- From vern at icir.org Tue Sep 14 16:23:40 2004 From: vern at icir.org (Vern Paxson) Date: Tue, 14 Sep 2004 16:23:40 -0700 Subject: [Bro] Packet service time vs connection time In-Reply-To: Your message of Tue, 14 Sep 2004 10:20:04 CDT. Message-ID: <200409142323.i8ENNep3039199@jaguar.icir.org> > is there a way to calculate a service > time for a packet? What would this mean? Most services are TCP-based, in which case it may take multiple packets to even express a request / response. (That said, Bro does have a framework for packet-level analysis, but it's not part of the documented feature set. I can give you some source-code pointers if you want.) > I have the Paxson > and Floyd paper 'Wide Area Traffic....' but I haven't found any bits about > service time. (Vern, are you out there?) Evidently so! :-) Vern From jomcn at verizon.net Wed Sep 15 14:06:47 2004 From: jomcn at verizon.net (john mcnicholas) Date: Wed, 15 Sep 2004 17:06:47 -0400 Subject: [Bro] configure problem Message-ID: <20040915210647.TOOF8960.out008.verizon.net@achilles> Hi. I'm new to bro and my first attempt to build the app (v0.9) failed - I couldn't get by configure. I checked the archives and another person had the same error but it appears he solved it on his own and I couldn't tell how. Briefly, I ran configure and the system can't find input file: "aux/adtrace.Makefile.in". //---------------- // ouput summary $ ./configure ... config.status: creating aux/adtrace/Makefile config.status: error: cannot find input file: aux/adtrace/Makefile.in //------ I got the same error on 2 different operating systems: OS/X 10.3.5 and SuSE Linux 9.1. Please let me know if you need additional information. Thanks in advance for your help. John //--------------------- // detailed output > ./configure checking build system type... powerpc-apple-darwin7.5.0 checking host system type... powerpc-apple-darwin7.5.0 checking target system type... powerpc-apple-darwin7.5.0 checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes checking for SSL_new in -lssl... yes checking whether OPENSSL_add_all_algorithms_conf is declared... yes checking for OpenSSL >= 0.9.7... yes checking for perl5... no checking for perl... /usr/bin/perl checking if we need to include arpa/nameser_compat.h... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking for flex... flex checking for yywrap in -lfl... yes checking lex output file root... lex.yy checking whether yytext is a pointer... yes checking for a BSD-compatible install... /usr/bin/install -c checking whether make sets ${MAKE}... yes checking for gzip... gzip checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking return type of signal handlers... void checking for sigset... no checking for sigaction... yes checking for int32_t using gcc... yes checking for u_int32_t using gcc... yes checking for u_int16_t using gcc... yes checking whether time.h and sys/time.h may both be included... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for memory.h... (cached) yes checking for netinet/ip6.h... yes checking for socklen_t... yes checking if syslog returns int... no checking if we should declare socket and friends... no checking for gethostbyname... yes checking for socket... yes checking for putmsg in -lstr... no checking for local pcap library... not found checking for pcap_open_live in -lpcap... yes checking for pcap_freecode in -lpcap... yes checking for pcap headers... checking if pcap_compile_nopcap needs error parameter... not needed checking for bpf_set_bufsize... no checking for working memcmp... yes checking for strftime... yes checking for strerror... yes checking for strsep... yes checking for mallinfo... no checking for ns_initparse in -lresolv... no checking for ns_initparse in resolver... yes checking for pcap_version in libpcap... yes checking for tgetnum in -ltermcap... yes checking readline/readline.h usability... no checking readline/readline.h presence... no checking for readline/readline.h... no checking whether byte ordering is bigendian... yes checking for ns_msg... yes checking for res_mkquery... yes checking for union semun... yes checking for struct sembuf... yes configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating aux/cf-1.1/Makefile config.status: creating doc/Makefile config.status: creating doc/ref-manual/Makefile config.status: creating doc/quick-start/Makefile config.status: creating doc/user-manual/Makefile config.status: creating aux/adtrace/Makefile config.status: error: cannot find input file: aux/adtrace/Makefile.in From vern at icir.org Wed Sep 15 14:28:18 2004 From: vern at icir.org (Vern Paxson) Date: Wed, 15 Sep 2004 14:28:18 -0700 Subject: [Bro] configure problem In-Reply-To: Your message of Wed, 15 Sep 2004 17:06:47 EDT. Message-ID: <200409152128.i8FLSIp3076865@jaguar.icir.org> > Hi. I'm new to bro and my first attempt to build the app (v0.9) failed - I > couldn't get by configure. This turns out to be due to some files missing from the distribution. I've now put out a new version of CURRENT, 0.9a4a (not 0.9a5, since that's already been used internally), so please refetch and see if you still have a problem. Vern From JRLee at lbl.gov Wed Sep 15 14:30:27 2004 From: JRLee at lbl.gov (Jason Lee) Date: Wed, 15 Sep 2004 14:30:27 -0700 Subject: [Bro] configure problem In-Reply-To: <20040915210647.TOOF8960.out008.verizon.net@achilles> References: <20040915210647.TOOF8960.out008.verizon.net@achilles> Message-ID: <4148B473.1050001@lbl.gov> John, Yeah, that was my fault, its fixed in 0.9a5 which I think will be out real soon now :-) sorry about that. Cheers, jason john mcnicholas wrote: > Hi. I'm new to bro and my first attempt to build the app (v0.9) failed - I > couldn't get by configure. I checked the archives and another person had > the same error but it appears he solved it on his own and I couldn't tell > how. > > Briefly, I ran configure and the system can't find input file: > "aux/adtrace.Makefile.in". > > //---------------- > // ouput summary > > $ ./configure > ... > config.status: creating aux/adtrace/Makefile > config.status: error: cannot find input file: aux/adtrace/Makefile.in > > //------ > > I got the same error on 2 different operating systems: OS/X 10.3.5 and > SuSE Linux 9.1. Please let me know if you need additional information. > > Thanks in advance for your help. > > John > > > //--------------------- > // detailed output > > >>./configure > > checking build system type... powerpc-apple-darwin7.5.0 > checking host system type... powerpc-apple-darwin7.5.0 > checking target system type... powerpc-apple-darwin7.5.0 > checking for gcc... gcc > checking for C compiler default output... a.out > checking whether the C compiler works... yes > checking whether we are cross compiling... no > checking for suffix of executables... > checking for suffix of object files... o > checking whether we are using the GNU C compiler... yes > checking whether gcc accepts -g... yes > checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes > checking for SSL_new in -lssl... yes > checking whether OPENSSL_add_all_algorithms_conf is declared... yes > checking for OpenSSL >= 0.9.7... yes > checking for perl5... no > checking for perl... /usr/bin/perl > checking if we need to include arpa/nameser_compat.h... yes > checking for bison... bison -y > checking for g++... g++ > checking whether we are using the GNU C++ compiler... yes > checking whether g++ accepts -g... yes > checking for flex... flex > checking for yywrap in -lfl... yes > checking lex output file root... lex.yy > checking whether yytext is a pointer... yes > checking for a BSD-compatible install... /usr/bin/install -c > checking whether make sets ${MAKE}... yes > checking for gzip... gzip > checking how to run the C preprocessor... gcc -E > checking for ANSI C header files... yes > checking return type of signal handlers... void > checking for sigset... no > checking for sigaction... yes > checking for int32_t using gcc... yes > checking for u_int32_t using gcc... yes > checking for u_int16_t using gcc... yes > checking whether time.h and sys/time.h may both be included... yes > checking for sys/types.h... yes > checking for sys/stat.h... yes > checking for stdlib.h... yes > checking for string.h... yes > checking for memory.h... yes > checking for strings.h... yes > checking for inttypes.h... yes > checking for stdint.h... yes > checking for unistd.h... yes > checking for memory.h... (cached) yes > checking for netinet/ip6.h... yes > checking for socklen_t... yes > checking if syslog returns int... no > checking if we should declare socket and friends... no > checking for gethostbyname... yes > checking for socket... yes > checking for putmsg in -lstr... no > checking for local pcap library... not found > checking for pcap_open_live in -lpcap... yes > checking for pcap_freecode in -lpcap... yes > checking for pcap headers... checking if pcap_compile_nopcap needs error > parameter... not needed > checking for bpf_set_bufsize... no > checking for working memcmp... yes > checking for strftime... yes > checking for strerror... yes > checking for strsep... yes > checking for mallinfo... no > checking for ns_initparse in -lresolv... no > checking for ns_initparse in resolver... yes > checking for pcap_version in libpcap... yes > checking for tgetnum in -ltermcap... yes > checking readline/readline.h usability... no > checking readline/readline.h presence... no > checking for readline/readline.h... no > checking whether byte ordering is bigendian... yes > checking for ns_msg... yes > checking for res_mkquery... yes > checking for union semun... yes > checking for struct sembuf... yes > configure: creating ./config.status > config.status: creating Makefile > config.status: creating src/Makefile > config.status: creating aux/cf-1.1/Makefile > config.status: creating doc/Makefile > config.status: creating doc/ref-manual/Makefile > config.status: creating doc/quick-start/Makefile > config.status: creating doc/user-manual/Makefile > config.status: creating aux/adtrace/Makefile > config.status: error: cannot find input file: aux/adtrace/Makefile.in > > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3796 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040915/53dcf70e/attachment.bin From mike.muratet at torchtechnologies.com Wed Sep 15 15:11:12 2004 From: mike.muratet at torchtechnologies.com (Mike Muratet) Date: Wed, 15 Sep 2004 17:11:12 -0500 Subject: [Bro] TCP Connection duration = ? References: <20040915210647.TOOF8960.out008.verizon.net@achilles> Message-ID: <006601c49b70$ea17fea0$5301a8c0@muratet> Greetings Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I see many instances where the connection duration is '?'. I've looked at the manual, and by the definition of 'duration' I am led to believe that a ? indicates a record with an end event that never received a begin event. I'm still trying to find the calculation in the source, but does this make sense? Thanks Mike From anton at netForensics.com Wed Sep 15 15:22:18 2004 From: anton at netForensics.com (Anton Chuvakin, Ph.D.) Date: Wed, 15 Sep 2004 18:22:18 -0400 (EDT) Subject: [Bro] configure problem In-Reply-To: <4148B473.1050001@lbl.gov> References: <20040915210647.TOOF8960.out008.verizon.net@achilles><4148B473.1050001@lbl.gov> Message-ID: > Yeah, that was my fault, its fixed in 0.9a5 which I think will > be out real soon now :-) sorry about that. Have you guys also fixed the 'make install'? It refers to a non-existing .cfg.sample file.... (in 0.9a4) > > Cheers, > jason > > > > john mcnicholas wrote: >> Hi. I'm new to bro and my first attempt to build the app (v0.9) failed - I >> couldn't get by configure. I checked the archives and another person had >> the same error but it appears he solved it on his own and I couldn't tell >> how. >> >> Briefly, I ran configure and the system can't find input file: >> "aux/adtrace.Makefile.in". >> >> //---------------- >> // ouput summary >> >> $ ./configure >> ... >> config.status: creating aux/adtrace/Makefile >> config.status: error: cannot find input file: aux/adtrace/Makefile.in >> >> //------ >> >> I got the same error on 2 different operating systems: OS/X 10.3.5 and >> SuSE Linux 9.1. Please let me know if you need additional information. >> >> Thanks in advance for your help. >> >> John >> >> >> //--------------------- >> // detailed output >> >> >>> ./configure >> >> checking build system type... powerpc-apple-darwin7.5.0 >> checking host system type... powerpc-apple-darwin7.5.0 >> checking target system type... powerpc-apple-darwin7.5.0 >> checking for gcc... gcc >> checking for C compiler default output... a.out >> checking whether the C compiler works... yes >> checking whether we are cross compiling... no >> checking for suffix of executables... checking for suffix of object >> files... o >> checking whether we are using the GNU C compiler... yes >> checking whether gcc accepts -g... yes >> checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes >> checking for SSL_new in -lssl... yes >> checking whether OPENSSL_add_all_algorithms_conf is declared... yes >> checking for OpenSSL >= 0.9.7... yes >> checking for perl5... no >> checking for perl... /usr/bin/perl >> checking if we need to include arpa/nameser_compat.h... yes >> checking for bison... bison -y >> checking for g++... g++ >> checking whether we are using the GNU C++ compiler... yes >> checking whether g++ accepts -g... yes >> checking for flex... flex >> checking for yywrap in -lfl... yes >> checking lex output file root... lex.yy >> checking whether yytext is a pointer... yes >> checking for a BSD-compatible install... /usr/bin/install -c >> checking whether make sets ${MAKE}... yes >> checking for gzip... gzip >> checking how to run the C preprocessor... gcc -E >> checking for ANSI C header files... yes >> checking return type of signal handlers... void >> checking for sigset... no >> checking for sigaction... yes >> checking for int32_t using gcc... yes >> checking for u_int32_t using gcc... yes >> checking for u_int16_t using gcc... yes >> checking whether time.h and sys/time.h may both be included... yes >> checking for sys/types.h... yes >> checking for sys/stat.h... yes >> checking for stdlib.h... yes >> checking for string.h... yes >> checking for memory.h... yes >> checking for strings.h... yes >> checking for inttypes.h... yes >> checking for stdint.h... yes >> checking for unistd.h... yes >> checking for memory.h... (cached) yes >> checking for netinet/ip6.h... yes >> checking for socklen_t... yes >> checking if syslog returns int... no >> checking if we should declare socket and friends... no >> checking for gethostbyname... yes >> checking for socket... yes >> checking for putmsg in -lstr... no >> checking for local pcap library... not found >> checking for pcap_open_live in -lpcap... yes >> checking for pcap_freecode in -lpcap... yes >> checking for pcap headers... checking if pcap_compile_nopcap needs error >> parameter... not needed >> checking for bpf_set_bufsize... no >> checking for working memcmp... yes >> checking for strftime... yes >> checking for strerror... yes >> checking for strsep... yes >> checking for mallinfo... no >> checking for ns_initparse in -lresolv... no >> checking for ns_initparse in resolver... yes >> checking for pcap_version in libpcap... yes >> checking for tgetnum in -ltermcap... yes >> checking readline/readline.h usability... no >> checking readline/readline.h presence... no >> checking for readline/readline.h... no >> checking whether byte ordering is bigendian... yes >> checking for ns_msg... yes >> checking for res_mkquery... yes >> checking for union semun... yes >> checking for struct sembuf... yes >> configure: creating ./config.status >> config.status: creating Makefile >> config.status: creating src/Makefile >> config.status: creating aux/cf-1.1/Makefile >> config.status: creating doc/Makefile >> config.status: creating doc/ref-manual/Makefile >> config.status: creating doc/quick-start/Makefile >> config.status: creating doc/user-manual/Makefile >> config.status: creating aux/adtrace/Makefile >> config.status: error: cannot find input file: aux/adtrace/Makefile.in >> >> >> _______________________________________________ >> Bro mailing list >> Bro at ICSI.Berkeley.EDU >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist Product Management Group netForensics - http://www.netForensics.com 732-393-6071 ************************************************************************************************** The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** netForensics has scanned this email for viruses, vandals and malicious content. ** ************************************************************************************************** From zhangwei at comexgenesys.com Wed Sep 15 18:45:05 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Thu, 16 Sep 2004 09:45:05 +0800 Subject: [Bro] TCP Connection duration = ? References: <20040915210647.TOOF8960.out008.verizon.net@achilles> <006601c49b70$ea17fea0$5301a8c0@muratet> Message-ID: <002c01c49b8e$d0086950$7a0aa8c0@comex10> ya,I have the same problem with Mike. There are many '?' duration in logs as following: 1095308764.656004 1.809737 192.168.10.119 210.19.14.6 pop-3 3403 110 tcp 58 73 SF X 1095308766.082135 1.730581 192.168.10.121 128.230.129.221 nntp 4596 119 tcp 40 168 SF X 1095308787.021557 0.175026 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X 1095308786.694412 0.755664 192.168.10.124 61.149.37.104 other 2880 35220 tcp ? ? REJ X 1095308787.675227 0.072789 192.168.10.124 220.164.96.132 other 2883 14977 tcp ? ? REJ X 1095308787.721514 0.172381 192.168.10.124 61.168.68.245 other 2881 1039 tcp ? ? REJ X I want to know the mechanism how to generate the '?'. Who can help me? Thanks in advance. :-) Cliff ----- Original Message ----- From: "Mike Muratet" To: Sent: Thursday, September 16, 2004 6:11 AM Subject: [Bro] TCP Connection duration = ? > Greetings > > Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I > see many instances where the connection duration is '?'. I've looked at the > manual, and by the definition of 'duration' I am led to believe that a ? > indicates a record with an end event that never received a begin event. I'm > still trying to find the calculation in the source, but does this make > sense? > > Thanks > > Mike > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From zhangwei at comexgenesys.com Thu Sep 16 00:38:08 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Thu, 16 Sep 2004 15:38:08 +0800 Subject: [Bro] Chinese version of the manual Message-ID: <006901c49bc0$2346dfd0$7a0aa8c0@comex10> Hi all, I intend to translate the manual of Bro into chinese version. I found that many of people are still interested in the *snort* in the open source communities of China. So,i intend to improve the popularity of *bro* on China mainland. Who would like to join the work with me? Thanks, Cliff From zhangwei at comexgenesys.com Thu Sep 16 00:39:54 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Thu, 16 Sep 2004 15:39:54 +0800 Subject: [Bro] Chinese version of the manual Message-ID: <007b01c49bc0$5e2ed490$7a0aa8c0@comex10> Hi all, I intend to translate the manual of Bro into chinese version. I found that many of people are still interested in the *snort* in the open source communities of China. So,i intend to improve the popularity of *bro* on China mainland. Who would like to join the work with me? Thanks, Cliff From rmkml at wanadoo.fr Thu Sep 16 09:49:56 2004 From: rmkml at wanadoo.fr (rmkml) Date: Thu, 16 Sep 2004 18:49:56 +0200 (CEST) Subject: [Bro] Memory usage ? Message-ID: Hi, How find memory usage on bro 09a5 with fbsd v4.10R ? possible ? How find memory leak on bro ? My bro use actually : (top) PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND 342 vodka 4 0 107M 99M bpf 58:01 1.32% 1.32% bro09a5_nodns_ bro started 2 days. Thanks Regards Rmkml at Wanadoo.fr From christian at whoop.org Thu Sep 16 11:01:44 2004 From: christian at whoop.org (Christian Kreibich) Date: Thu, 16 Sep 2004 19:01:44 +0100 Subject: [Bro] TCP Connection duration = ? In-Reply-To: <006601c49b70$ea17fea0$5301a8c0@muratet> References: <20040915210647.TOOF8960.out008.verizon.net@achilles> <006601c49b70$ea17fea0$5301a8c0@muratet> Message-ID: <1095357704.3467.133.camel@localhost.localdomain> Hi Mike, On Wed, 2004-09-15 at 23:11, Mike Muratet wrote: > Greetings > > Using the tcp analyzer (tcp.bro) on a tcpdump file collected over 30 days, I > see many instances where the connection duration is '?'. I've looked at the > manual, and by the definition of 'duration' I am led to believe that a ? > indicates a record with an end event that never received a begin event. I'm > still trying to find the calculation in the source, but does this make > sense? I think the spot to look at is in policy/conn.bro, around line 204. If the log entry is written out at a time where none of the endpoints have closed the connection, the duration cannot yet be known, and hence is written out as "?". Hope this helps, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From christian at whoop.org Thu Sep 16 11:22:33 2004 From: christian at whoop.org (Christian Kreibich) Date: Thu, 16 Sep 2004 19:22:33 +0100 Subject: [Bro] Chinese version of the manual In-Reply-To: <006901c49bc0$2346dfd0$7a0aa8c0@comex10> References: <006901c49bc0$2346dfd0$7a0aa8c0@comex10> Message-ID: <1095358953.3467.156.camel@localhost.localdomain> Hi, On Thu, 2004-09-16 at 08:38, Cliff wrote: > Hi all, > I intend to translate the manual of Bro into chinese version. > I found that many of people are still interested in the *snort* in the open source communities of China. > So,i intend to improve the popularity of *bro* on China mainland. > > Who would like to join the work with me? thanks for the offer! The most important point to consider is whether you'd be able to contribute regularly as a translator -- a one-shot translation would be great but keeping the translation up to date is more important because support requests due to outdated documentation can become very time consuming. What do you think? Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From JRLee at lbl.gov Thu Sep 16 11:28:15 2004 From: JRLee at lbl.gov (Jason Lee) Date: Thu, 16 Sep 2004 11:28:15 -0700 Subject: [Bro] Memory usage ? In-Reply-To: References: Message-ID: <4149DB3F.9020405@lbl.gov> I belive that if you put '@load statistics' it will print out bros stats every 'statistics_interval' of time. (This is expensive, so its not recommanded for production/highly utilized bros) Cheers, jason rmkml wrote: > Hi, > > How find memory usage on bro 09a5 with fbsd v4.10R ? > > possible ? > > How find memory leak on bro ? > > My bro use actually : (top) > > PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND > 342 vodka 4 0 107M 99M bpf 58:01 1.32% 1.32% bro09a5_nodns_ > > bro started 2 days. > > Thanks > > Regards > > Rmkml at Wanadoo.fr > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3796 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040916/a00d41f2/attachment.bin From zhangwei at comexgenesys.com Thu Sep 16 20:17:31 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Fri, 17 Sep 2004 11:17:31 +0800 Subject: [Bro] Chinese version of the manual References: <006901c49bc0$2346dfd0$7a0aa8c0@comex10> <1095358953.3467.156.camel@localhost.localdomain> Message-ID: <004901c49c64$e2822860$7a0aa8c0@comex10> Hi Christian Your advices are very important to the translation work. ya,firstly,I must set up the translation team. Then,divide the whole work into several parts. Everyone of the team is reponsible for one of the manual and keep update. I hope to complete the main part of the work before December. hi,Han,Let's begin it. My MSN:great_z03 at hotmail.com You can contact with me directly by it. Welcome anyone to join the interesting work. :-) Thanks, Cliff ----- Original Message ----- From: "Christian Kreibich" To: "Bro List" Sent: Friday, September 17, 2004 2:22 AM Subject: Re: [Bro] Chinese version of the manual > Hi, > > On Thu, 2004-09-16 at 08:38, Cliff wrote: > > Hi all, > > I intend to translate the manual of Bro into chinese version. > > I found that many of people are still interested in the *snort* in the open source communities of China. > > So,i intend to improve the popularity of *bro* on China mainland. > > > > Who would like to join the work with me? > > thanks for the offer! The most important point to consider is whether > you'd be able to contribute regularly as a translator -- a one-shot > translation would be great but keeping the translation up to date is > more important because support requests due to outdated documentation > can become very time consuming. What do you think? > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From chema at cs.berkeley.edu Thu Sep 16 20:50:21 2004 From: chema at cs.berkeley.edu (=?iso-8859-1?q?Jos=E9_Mar=EDa_Gonz=E1lez?=) Date: Thu, 16 Sep 2004 20:50:21 -0700 Subject: [Bro] Why does Bro store addresses internally in network order (AddrVal class)? Message-ID: <200409162050.21328.chema@cs.berkeley.edu> Simple question, eh? I assume there has to be a reason for this. When parsing a D.D.D.D text, scan.l calls AddrVal::AddrVal(char const *), which Init()'s its addr_val using dotted_to_addr() (net_util.cc). The latter parses the text and calls htonl() before returning. -Chema From zhangwei at comexgenesys.com Fri Sep 17 01:31:29 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Fri, 17 Sep 2004 16:31:29 +0800 Subject: [Bro] a odd problem Message-ID: <008a01c49c90$bdbb7820$7a0aa8c0@comex10> Hi all, I encounter a odd problem when i run *bro* today. # ./bro my -w /home/zw/bro09171617.dump input in flex scanner failed my.bro as following: #my.bro 09/06/2004 by Cliff @load mt @load worm @load snort #redef suppress_scan_checks=T; redef root_servers={192.168.10.2}; redef interfaces="eth0"; #redef bro_log_file=open_log_file("comex"); redef weird_file=open_log_file("./log/comex"); #capture_filters and restrict_filters #redef capture_filters+={["ftp"]="port ftp",["telnet"]="port telnet", # ["ssh"]="port ssh", # }; #redef restrict_filters={["net"]="net 192.168.10"}; #signature_files redef signature_files+="snort-default.sig"; redef signature_files+="worm.sig"; It work well before.However,it doesn't work today? Who can give me some hints? Thanks, Cliff From rpang at CS.Princeton.EDU Fri Sep 17 05:45:36 2004 From: rpang at CS.Princeton.EDU (Ruoming Pang) Date: Fri, 17 Sep 2004 08:45:36 -0400 Subject: [Bro] a odd problem In-Reply-To: <008a01c49c90$bdbb7820$7a0aa8c0@comex10> References: <008a01c49c90$bdbb7820$7a0aa8c0@comex10> Message-ID: <792B7936-08A7-11D9-8C28-000D9335A7D8@cs.princeton.edu> > # ./bro my -w /home/zw/bro09171617.dump > input in flex scanner failed How about putting "my" in the end of the command line? ./bro -w /home/zw/bro09171617.dump my (All options must come before policy script names in order for them to recognized as options.) Ruoming From vern at icir.org Fri Sep 17 07:56:59 2004 From: vern at icir.org (Vern Paxson) Date: Fri, 17 Sep 2004 07:56:59 -0700 Subject: [Bro] a odd problem In-Reply-To: Your message of Fri, 17 Sep 2004 16:31:29 +0800. Message-ID: <200409171456.i8HEuxp3002211@jaguar.icir.org> > I encounter a odd problem when i run *bro* today. > > # ./bro my -w /home/zw/bro09171617.dump Flags need to come before policy scripts. It's interpreting "-w" and "/home/zw/bro09171617.dump" as scripts to interpret. I would've expected it to stop by saying "error: can't open -w" (that's what it does for me), unless you happen to have a file "-w" in your Bro searchpath. Do you have such a file? Can you send me the tcpdump trace file, so I can see if I can reproduce this? Vern From jomcn at verizon.net Fri Sep 17 10:32:14 2004 From: jomcn at verizon.net (john mcnicholas) Date: Fri, 17 Sep 2004 13:32:14 -0400 Subject: [Bro] configure problem In-Reply-To: Message-ID: <20040917173214.SQSR26805.out003.verizon.net@achilles> First the good news, the updated tar did fix the "./configure" problem. Thanks! (side note: there seems to be a minor incompatibility with and SUSE Linux - I'll write that up later.) However, now I am having the same problem as Anton Chuvakin. Fortunately it should be easy to solve. In short, "./make install" fails because the file: "scripts/bro.cfg.example" is missing. I looked in the "0.8" release and the file wasn't there either; I'm guessing it is new. I'm not familiar enough with the product to try and create one. The quick and dirty solution is for someone to send their copy of the file to me - your call if it should be posted for everyone. Longer term is to update the tar again. Thanks for your help. John -----Original Message----- From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On Behalf Of Anton Chuvakin, Ph.D. Sent: Wednesday, September 15, 2004 6:22 PM To: bro at bro-ids.org Subject: Re: [Bro] configure problem Importance: High > Yeah, that was my fault, its fixed in 0.9a5 which I think will > be out real soon now :-) sorry about that. Have you guys also fixed the 'make install'? It refers to a non-existing .cfg.sample file.... (in 0.9a4) > > Cheers, > jason > > > > john mcnicholas wrote: >> Hi. I'm new to bro and my first attempt to build the app (v0.9) failed - I >> couldn't get by configure. I checked the archives and another person had >> the same error but it appears he solved it on his own and I couldn't tell >> how. >> >> Briefly, I ran configure and the system can't find input file: >> "aux/adtrace.Makefile.in". >> >> //---------------- >> // ouput summary >> >> $ ./configure >> ... >> config.status: creating aux/adtrace/Makefile >> config.status: error: cannot find input file: aux/adtrace/Makefile.in >> >> //------ >> >> I got the same error on 2 different operating systems: OS/X 10.3.5 and >> SuSE Linux 9.1. Please let me know if you need additional information. >> >> Thanks in advance for your help. >> >> John >> >> >> //--------------------- >> // detailed output >> >> >>> ./configure >> >> checking build system type... powerpc-apple-darwin7.5.0 >> checking host system type... powerpc-apple-darwin7.5.0 >> checking target system type... powerpc-apple-darwin7.5.0 >> checking for gcc... gcc >> checking for C compiler default output... a.out >> checking whether the C compiler works... yes >> checking whether we are cross compiling... no >> checking for suffix of executables... checking for suffix of object >> files... o >> checking whether we are using the GNU C compiler... yes >> checking whether gcc accepts -g... yes >> checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes >> checking for SSL_new in -lssl... yes >> checking whether OPENSSL_add_all_algorithms_conf is declared... yes >> checking for OpenSSL >= 0.9.7... yes >> checking for perl5... no >> checking for perl... /usr/bin/perl >> checking if we need to include arpa/nameser_compat.h... yes >> checking for bison... bison -y >> checking for g++... g++ >> checking whether we are using the GNU C++ compiler... yes >> checking whether g++ accepts -g... yes >> checking for flex... flex >> checking for yywrap in -lfl... yes >> checking lex output file root... lex.yy >> checking whether yytext is a pointer... yes >> checking for a BSD-compatible install... /usr/bin/install -c >> checking whether make sets ${MAKE}... yes >> checking for gzip... gzip >> checking how to run the C preprocessor... gcc -E >> checking for ANSI C header files... yes >> checking return type of signal handlers... void >> checking for sigset... no >> checking for sigaction... yes >> checking for int32_t using gcc... yes >> checking for u_int32_t using gcc... yes >> checking for u_int16_t using gcc... yes >> checking whether time.h and sys/time.h may both be included... yes >> checking for sys/types.h... yes >> checking for sys/stat.h... yes >> checking for stdlib.h... yes >> checking for string.h... yes >> checking for memory.h... yes >> checking for strings.h... yes >> checking for inttypes.h... yes >> checking for stdint.h... yes >> checking for unistd.h... yes >> checking for memory.h... (cached) yes >> checking for netinet/ip6.h... yes >> checking for socklen_t... yes >> checking if syslog returns int... no >> checking if we should declare socket and friends... no >> checking for gethostbyname... yes >> checking for socket... yes >> checking for putmsg in -lstr... no >> checking for local pcap library... not found >> checking for pcap_open_live in -lpcap... yes >> checking for pcap_freecode in -lpcap... yes >> checking for pcap headers... checking if pcap_compile_nopcap needs error >> parameter... not needed >> checking for bpf_set_bufsize... no >> checking for working memcmp... yes >> checking for strftime... yes >> checking for strerror... yes >> checking for strsep... yes >> checking for mallinfo... no >> checking for ns_initparse in -lresolv... no >> checking for ns_initparse in resolver... yes >> checking for pcap_version in libpcap... yes >> checking for tgetnum in -ltermcap... yes >> checking readline/readline.h usability... no >> checking readline/readline.h presence... no >> checking for readline/readline.h... no >> checking whether byte ordering is bigendian... yes >> checking for ns_msg... yes >> checking for res_mkquery... yes >> checking for union semun... yes >> checking for struct sembuf... yes >> configure: creating ./config.status >> config.status: creating Makefile >> config.status: creating src/Makefile >> config.status: creating aux/cf-1.1/Makefile >> config.status: creating doc/Makefile >> config.status: creating doc/ref-manual/Makefile >> config.status: creating doc/quick-start/Makefile >> config.status: creating doc/user-manual/Makefile >> config.status: creating aux/adtrace/Makefile >> config.status: error: cannot find input file: aux/adtrace/Makefile.in >> >> >> _______________________________________________ >> Bro mailing list >> Bro at ICSI.Berkeley.EDU >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -- Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist Product Management Group netForensics - http://www.netForensics.com 732-393-6071 **************************************************************************** ********************** The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** netForensics has scanned this email for viruses, vandals and malicious content. ** **************************************************************************** ********************** _______________________________________________ Bro mailing list Bro at ICSI.Berkeley.EDU http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From vern at icir.org Fri Sep 17 10:58:21 2004 From: vern at icir.org (Vern Paxson) Date: Fri, 17 Sep 2004 10:58:21 -0700 Subject: [Bro] configure problem In-Reply-To: Your message of Fri, 17 Sep 2004 13:32:14 EDT. Message-ID: <200409171758.i8HHwLp3017337@jaguar.icir.org> > In short, "./make install" fails because the file: > "scripts/bro.cfg.example" is missing. Here's the file. It's also been fixed to be included in the next distribution. Vern # Source file config for running bro # On a linux system this file will normally exist in /etc/sysconfig # and will have the same filename as the RC start script which calls it. # On a FreeBSD machine this file will normally reside in /usr/local/etc # and will have the same filename as the RC start script which calls it. # The following variables are exported and needed by Bro at runtime # These are mostly undocumented. arrrrrr!!!!!! # BROLOGS # BROHOME # BROPATH # host only format BRO_HOSTNAME=`hostname | awk -F. ' { print } '` # FQDN format # HOSTNAME=`hostname` # Directory containing Bro binaries BRO_BIN_DIR="${BROHOME}/bin" # Filename of the Bro start policy # START_POLICY="default.bro" BRO_START_POLICY="brolite.bro" # Directory containing Bro logs BROLOGS="${BROHOME}/logs" export BROLOGS # Log archive directory BRO_LOG_ARCHIVE="${BROHOME}/archive" # Directory containing Bro signature files BRO_SIG_DIR="${BROHOME}/local/sigs" # Bro policy paths BROPATH="${BROHOME}/policy:${BROHOME}/policy/local:${BROHOME}/policy/local-priv:${BROHOME}/local/policy:${BROHOME}/site" export BROPATH # Location of site specific policy and configurations BROSITE="${BROHOME}/site" # Location of host specific policy and configurations BROHOST="${BROHOME}/host" # A prefix to use when looking for local policy files to load. # BRO_PREFIX="local" # Location of the Bro executable BRO="${BRO_BIN_DIR}/bro" # Base command line options. BRO_ADD_OPTS=" -W" # Turn on Bro's Watchdog feature BRO_OPTS="${BRO_ADD_OPTS}" # Interface name to listen on. The default is to use the busiest one found. BRO_CAPTURE_INTERFACE="" # Multiple interface should be specified as a space delimited list. # Examples: # CAPTURE_INTERFACE="sk0 sk1 sk5" # CAPTURE_INTERFACE="eth0 eth3" # CAPTURE_INTERFACE="eth0" # If set to YES and there are any signature files ending with .bro in $SIG_DIR # then they will be started with bro. Set to NO to disable signatures # Set to YES to enable bro to run with 'signature matching' on (YES/NO) BRO_USE_SIGNATURES=YES # Shoud a trace (tcpdump) file be created in the log directory (YES/NO) BRO_CREATE_TRACE_FILE=NO # How long to wait during checkpointing after startin a new Bro process and # stopping the old one. This value is in seconds BRO_CHECKPOINT_OVERLAP_TIME=20 # Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm) BRO_REPORT_START_TIME=0000 # How often (in hours) to generate an activity report BRO_REPORT_INTERVAL=24 # This is the how often to rotate the logs (in hours) BRO_LOG_ROTATE_INTERVAL=24 # This is the how often to restart bro (in hours) BRO_CHECKPOINT_INTERVAL=24 # The maximum time allowed for a Bro process to cleanup and exit # This value is in seconds BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours # Use this to enable the init script to autorestart Bro in the event of an # unexpected shutdown. The value should be YES or NO BRO_ENABLE_AUTORESTART="YES" # Maximum times to try to auto-restart Bro before giving up. # This is used by the bro-autorestart.sh script. BRO_MAX_RESTART_ATTEMPTS=5 # Location of the run-time variable directory. This is normally /var/run/bro # and contains the pidfile and other temporal data. BRO_RUNTIME_DIR="/var/run/bro" # Email address for local reports to be mailed to BRO_EMAIL_LOCAL="bro at localhost" # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) BRO_EMAIL_EXTERNAL="NO" # Email address for remote reports to be mailed to BRO_EMAIL_REMOTE="BRO-IDS at bro-ids.org" # User id to install and run Bro under BRO_USER_ID="bro" # Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) BRO_SITE_NAME="" # Do you want to encrypt email reports (YES/NO) BRO_ENCRYPT_EMAIL="NO" # Location of GPG binary or encrypting email BRO_GPG_BIN="/usr/local/bin/gpg" From rmkml at wanadoo.fr Fri Sep 17 15:52:47 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sat, 18 Sep 2004 00:52:47 +0200 (CEST) Subject: [Bro] WeirdActivity unknown_DNS_RR_type question Message-ID: Hi, I found this event : 1095461470.723979 WeirdActivity unknown_DNS_RR_type x.x.x.x/59258 > 195.68.0.1/53 and tcpdump packet : 1095461470.720237 x.x.x.x.59258 > 195.68.0.1.53: [udp sum ok] 28701+ PTR? 220.27.170.80.in-addr.arpa. (44) (ttl 63, id 3049, len 72) 1095461470.723981 195.68.0.1.53 > x.x.x.x.59258: [udp sum ok] 28701 q: PTR? 220.27.170.80.in-addr.arpa. 1/4/5 220.27.170.80.in-addr.arpa. PTR d80-170-27-220.cust.tele2.fr. ns: 170.80.in-addr.arpa. NS sunic.sunet.se., 170.80.in-addr.arpa. NS kalmar.dns.swip.net., 170.80.in-addr.arpa. NS ns.ripe.net., 170.80.in-addr.arpa. NS kista.dns.swip.net. ar: ns.ripe.net. A 193.0.0.193, ns.ripe.net. AAAA, kista.dns.swip.net. A 192.71.220.9, sunic.sunet.se. A 192.36.125.2, kalmar.dns.swip.net. A 192.71.1 80.46 (281) (DF) (ttl 60, id 0, len 309) AAAA is unknown rr type ? I use bro 09a5 on fbsd410R, and starting bro with dns analyzer. Regards Rmkml at Wanadoo.fr From vern at icir.org Fri Sep 17 16:34:11 2004 From: vern at icir.org (Vern Paxson) Date: Fri, 17 Sep 2004 16:34:11 -0700 Subject: [Bro] WeirdActivity unknown_DNS_RR_type question In-Reply-To: Your message of Sat, 18 Sep 2004 00:52:47 +0200. Message-ID: <200409172334.i8HNYBp3047754@jaguar.icir.org> > AAAA is unknown rr type ? Per CHANGES: ... DNS analyzer doesn't understand AAAA yet ... However, Roger Winslow & Scott Campbell have recently extended the DNS analysis, and one of the several things they added was AAAA support. So this will work in the next release. Vern From zhangwei at comexgenesys.com Sat Sep 18 00:07:36 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Sat, 18 Sep 2004 15:07:36 +0800 Subject: [Bro] a odd problem References: <200409171456.i8HEuxp3002211@jaguar.icir.org> Message-ID: <001701c49d4e$304a4480$7a0aa8c0@comex10> Hi Vern, I ran the following command,not set "-w" switch,and still generated the output. So I feel very confused. [cliff at oradata bro-pub-0.9a3]$ ./bro mt -i eth0 input in flex scanner failed [cliff at oradata bro-pub-0.9a3]$ ./bro -i eth0 mt input in flex scanner failed mt.bro is as follwoing: # $Id: mt.bro,v 1.1.1.1 2004/04/30 00:31:28 jason Exp $ @load log @load dns-lookup @load hot @load frag @load tcp @load scan @load weird @load finger @load ident @load ftp @load login @load portmapper @load ntp @load tftp Thanks, Cliff ----- Original Message ----- From: "Vern Paxson" To: "Cliff" Cc: Sent: Friday, September 17, 2004 10:56 PM Subject: Re: [Bro] a odd problem > > I encounter a odd problem when i run *bro* today. > > > > # ./bro my -w /home/zw/bro09171617.dump > > Flags need to come before policy scripts. It's interpreting "-w" and > "/home/zw/bro09171617.dump" as scripts to interpret. I would've expected > it to stop by saying "error: can't open -w" (that's what it does for me), > unless you happen to have a file "-w" in your Bro searchpath. Do you > have such a file? Can you send me the tcpdump trace file, so I can see > if I can reproduce this? > > Vern > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From rmkml at wanadoo.fr Sun Sep 19 14:17:13 2004 From: rmkml at wanadoo.fr (rmkml) Date: Sun, 19 Sep 2004 23:17:13 +0200 (CEST) Subject: [Bro] Strange Packet (invert ip) Message-ID: Hi, I received this packet : (tcpdump383) 1095628174.157851 IP (tos 0x0, ttl 117, id 62764, offset 0, flags [none], length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] 3738538976:3738538996(20) a ck 1775556062 win 8760 but bro09a5, event this : 1095628174.157850 WeirdActivity bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80 tethereal0101 : 1 23:09:34.157851 211.91.135.39 -> x.x.x.x TCP 80 > 52510 [SYN, ACK] Seq=0 Ack=1 Win=8760, bogus TCP header length (0, must be at least 20) snort220 : 09/19-23:09:34.157851 [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Classification: A suspicious filename was detected] [Priority: 2] {TCP} 211.91.135.39:0 -> x.x.x.x:0 Why bro invert ip ? and why bro use bad tcp port ? Regards Rmkml at Wanadoo.fr From vern at icir.org Sun Sep 19 14:24:19 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 19 Sep 2004 14:24:19 -0700 Subject: [Bro] Strange Packet (invert ip) In-Reply-To: Your message of Sun, 19 Sep 2004 23:17:13 +0200. Message-ID: <200409192124.i8JLOJp3076817@jaguar.icir.org> > 1095628174.157851 IP (tos 0x0, ttl 117, id 62764, offset 0, flags [none], > length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] > 3738538976:3738538996(20) a > ck 1775556062 win 8760 > > but bro09a5, event this : > > 1095628174.157850 WeirdActivity > bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80 Note, these two have *different* timestamps, which means they refer to different packets. Vern From vern at icir.org Sun Sep 19 15:20:44 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 19 Sep 2004 15:20:44 -0700 Subject: [Bro] Why does Bro store addresses internally in network order (AddrVal class)? In-Reply-To: Your message of Thu, 16 Sep 2004 20:50:21 PDT. Message-ID: <200409192220.i8JMKip3078008@jaguar.icir.org> > Simple question, eh? I assume there has to be a reason > for this. I think this is now simply a legacy. Is it a problem? Vern From chema at cs.berkeley.edu Sun Sep 19 16:42:02 2004 From: chema at cs.berkeley.edu (=?iso-8859-1?q?Jos=E9_Mar=EDa_Gonz=E1lez?=) Date: Sun, 19 Sep 2004 16:42:02 -0700 Subject: [Bro] Why does Bro store addresses internally in network order (AddrVal class)? In-Reply-To: <200409192220.i8JMKip3078008@jaguar.icir.org> References: <200409192220.i8JMKip3078008@jaguar.icir.org> Message-ID: <200409191642.02102.chema@cs.berkeley.edu> On Sunday 19 September 2004 15:20, Vern Paxson wrote: > I think this is now simply a legacy. Is it a problem? Nope. I thought there could be some efficiency reason underneath it. -Chema From vern at icir.org Sun Sep 19 22:43:47 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 19 Sep 2004 22:43:47 -0700 Subject: [Bro] a odd problem In-Reply-To: Your message of Sat, 18 Sep 2004 15:07:36 +0800. Message-ID: <200409200543.i8K5hlp3086815@jaguar.icir.org> > [cliff at oradata bro-pub-0.9a3]$ ./bro mt -i eth0 > input in flex scanner failed I tracked this down (and fixed it). The problem is that reading the file "mt" fails in some fashion. The example I was able to reproduce was when "mt" was a directory rather than a text file. (The same could happen if "mt.bro" is a directory). Inspect your $BROPATH to see what file it's opening. The fix is for a better error message in this case. For example, if "mt" is a subdirectory in the current directory, you'll get: ./mt, line 1: error: read failed with "Operation not permitted" I've appended a patch for it, which will be included in the next release. Vern RCS file: /home/portnoy/u2/src/projects/bro/src/scan.l,v retrieving revision 1.4 retrieving revision 1.5 diff -Lsrc/scan.l -Lsrc/scan.l -u -r1.4 -r1.5 --- src/scan.l +++ src/scan.l @@ -19,6 +19,8 @@ // WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +#include + #include "input.h" #include "util.h" #include "Scope.h" @@ -53,6 +55,14 @@ #define YY_USER_ACTION strncpy(last_tok, yytext, sizeof(last_tok) - 1); #define YY_USER_INIT last_tok[0] = '\0'; + +extern "C" const char* const sys_errlist[]; + +// We define our own YY_INPUT because we want to trap the case where +// a read fails. +#define YY_INPUT(buf,result,max_size) \ + if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \ + error(fmt("read failed with \"%s\"", sys_errlist[errno])); // Files we have already scanned (or are in the process of scanning). static PList(char) files_scanned; From vern at icir.org Sun Sep 19 22:50:35 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 19 Sep 2004 22:50:35 -0700 Subject: [Bro] How to generate the alerts directly? In-Reply-To: Your message of Tue, 07 Sep 2004 12:16:48 +0800. Message-ID: <200409200550.i8K5oZp3086964@jaguar.icir.org> > # ./bro -r /home/zhangwei/bro0907.dump > generate the "alerts" as following: > 1094539834.607852 weird: spontaneous_FIN > 1094539847.830742 weird: possible_split_routing These are not "alerts" but rather "weird"'s - that is, messages that reflect unusual/broken activity. > First,are the terms which i use right,such as "event" ,"alerts"? Per the above, those are "weird"'s. Perhaps there's a better name to use; in the future, they might be merged with the "NOTICE" framework (which is called ALERT in the present release, but this changes with the next release). > Second,whether can I generate those alerts directly? > If can,which command should i use? Or how to modify the source code? I don't know what you mean by "directly" here. If you mean in your policy script, you do so by calling ALERT(). Vern From vern at icir.org Sun Sep 19 22:51:45 2004 From: vern at icir.org (Vern Paxson) Date: Sun, 19 Sep 2004 22:51:45 -0700 Subject: [Bro] Strange Packet (invert ip) In-Reply-To: Your message of Sun, 19 Sep 2004 23:17:13 +0200. Message-ID: <200409200551.i8K5pjp3087002@jaguar.icir.org> > length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok] > ... > 1095628174.157850 WeirdActivity > bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80 > ... > and why bro use bad tcp port ? Now I understand the question. The original packet was a SYN ACK from 211.91.135.39/80 to x.x.x.x/52510, but Bro reports it in the opposite order. The reason for this (which I agree is not intuitive) is that because the packet was a SYN ACK, Bro instantiates a corresponding connection in the opposite direction (because presumably x.x.x.x sent an initial SYN using source port 52510). Bro's current "weird" framework (which needs to be reworked) always identifies the connection rather than the culprit, so if the sender of something strange was the apparent server side, it comes out looking instead like it came from the apparent client side. Vern From jomcn at verizon.net Wed Sep 22 11:45:14 2004 From: jomcn at verizon.net (jomcn at verizon.net) Date: Wed, 22 Sep 2004 14:45:14 -0400 Subject: [Bro] bro .9 install problems Message-ID: <20040922184514.RSME22385.out006.verizon.net@outgoing.verizon.net> Hi. I'm still having problems installing bro .9a4a on SUSE Linux. The "configure" and "make" (compile) steps worked (as far as I can tell). But I'm unable to successfully execute "sudo make install". The following files are missing/unavailable: 1. IP4.pm // some perl module that helps "guess the network configuration" 2. intern.bro.default 3. mail_reports.sh I MAY need either need either #1 or #2, but I would like to have both. I do think #3 is necessary. Thanks for your help. John // below is most of the output **** Dectected previous bro.cfg file ***** May I use /home/johnm/src/bro-pub-0.9a4a/scripts/bro.cfg for defaults? [Y/n]y Sourcing /home/johnm/src/bro-pub-0.9a4a/scripts/bro.cfg for defaults. Log archive directory [/usr/local/bro/archive] User id to install and run Bro under [bro] Interface name to listen on. The default is to use the busiest one found. [eth0] Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [SOMESITE] Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm) [0000] How often (in hours) to generate an activity report [24] Email local reports? (YES/NO) [NO] Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) [NO] Do you want to encrypt email reports (YES/NO) [NO] Running pf script to check if you have enough devices ... done. You have 4 pf devices Bro recommends more devices, may I create more for you [Y/n] n Checking bro against uid=1001(bro) gid=100(users) groups=100(users),14 (uucp),16(dialout),17(audio),33(video) ( bro ) bro Can read /dev/pf devices.... Good May I guess your network configuration for you? [YES] no Please edit intern.bro so that it describes your network configuration cp: cannot stat `intern.bro.default': No such file or directory Finished make add_cron make[2]: Entering directory `/home/johnm/src/bro-pub-0.9a4a/scripts' Bro already installed in crontab! Not installing crontab make[2]: Leaving directory `/home/johnm/src/bro-pub-0.9a4a/scripts' /usr/bin/install -c -d /usr/local/bro/bin /usr/bin/install -c -d /usr/local/bro/etc /usr/bin/install -c -d /usr/local/bro/logs /usr/bin/install -c -d /usr/local/bro/site /usr/bin/install -c -d /usr/local/bro/reports /usr/bin/install -c -d /usr/local/bro/scripts /usr/bin/install -c -d /usr/local/bro/var /usr/bin/install -c -d /usr/local/etc/rc.d/ /usr/bin/install -c mail_reports.sh /usr/local/bro/scripts/mail_reports.sh /usr/bin/install: cannot stat `mail_reports.sh': No such file or directory make[1]: *** [install] Error 1 make[1]: Leaving directory `/home/johnm/src/bro-pub-0.9a4a/scripts' make: *** [install] Error 2 From zhangwei at comexgenesys.com Thu Sep 23 02:19:12 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Thu, 23 Sep 2004 17:19:12 +0800 Subject: [Bro] log_file variable in ftp.bro Message-ID: <002801c4a14e$6854b780$7a0aa8c0@comex10> Hi all, I redefined the log_file variable in myself bro script as follwoing: ============================================ # $Id: myftp.bro,v1.0 2004/09/23 Cliff $ @load mt redef root_servers={192.168.0.2}; redef interfaces="eth0"; redef restrict_filters={["net"]="net 192.168.10"}; #redefine log file in ftp.bro redef log_file=open_log_file("comex"); ======================================= the log_file is defined in ftp.bro on line 54 as following: ............... global log_file = open_log_file("ftp") &redef; .......................... But I run bro ,the output is as following: [root at oradata bro-pub-0.8a87]# ./bro myftp policy/myftp.bro, line 11 (log_file): error, "redef" used but not previously defined I don't understand the reason,who can help me? Thanks, Cliff From vern at icir.org Thu Sep 23 07:14:48 2004 From: vern at icir.org (Vern Paxson) Date: Thu, 23 Sep 2004 07:14:48 -0700 Subject: [Bro] log_file variable in ftp.bro In-Reply-To: Your message of Thu, 23 Sep 2004 17:19:12 +0800. Message-ID: <200409231414.i8NEEmp3095339@jaguar.icir.org> > the log_file is defined in ftp.bro on line 54 as following: > ............... > global log_file = open_log_file("ftp") &redef; Yes, but that's part of an "export" that's inside "scope FTP". So you need to use: global FTP::log_file = open_log_file("ftp") &redef; to redef it. Vern From christian at whoop.org Thu Sep 23 08:03:11 2004 From: christian at whoop.org (Christian Kreibich) Date: Thu, 23 Sep 2004 16:03:11 +0100 Subject: [Bro] log_file variable in ftp.bro In-Reply-To: <200409231414.i8NEEmp3095339@jaguar.icir.org> References: <200409231414.i8NEEmp3095339@jaguar.icir.org> Message-ID: <1095951347.26593.120.camel@localhost.localdomain> On Thu, 2004-09-23 at 15:14, Vern Paxson wrote: > > the log_file is defined in ftp.bro on line 54 as following: > > ............... > > global log_file = open_log_file("ftp") &redef; > > Yes, but that's part of an "export" that's inside "scope FTP". So you > need to use: > > global FTP::log_file = open_log_file("ftp") &redef; > > to redef it. I think Vern meant to say "module FTP" and redef FTP::log_file = open_log_file("comex"); Call me smartass if I'm wrong! :) The CHANGES file has some details on this too (and on lots of other things that aren't fully documented yet). Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From vern at icir.org Thu Sep 23 08:03:13 2004 From: vern at icir.org (Vern Paxson) Date: Thu, 23 Sep 2004 08:03:13 -0700 Subject: [Bro] log_file variable in ftp.bro In-Reply-To: Your message of Thu, 23 Sep 2004 16:03:11 BST. Message-ID: <200409231503.i8NF3Dp3000164@jaguar.icir.org> > I think Vern meant to say "module FTP" and > > redef FTP::log_file = open_log_file("comex"); Yep, thanks! Hazards of sending email before one's morning coffee ... Vern From zhangwei at comexgenesys.com Thu Sep 23 18:53:46 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Fri, 24 Sep 2004 09:53:46 +0800 Subject: [Bro] log_file variable in ftp.bro References: <200409231503.i8NF3Dp3000164@jaguar.icir.org> Message-ID: <003001c4a1d9$5ea2f6d0$7a0aa8c0@comex10> Hi Vern/Christian, Ya,It's Ok to modify the script as what you said.I see that this is the result from "scope" used in ftp.bro. However,I don't understand that Why to import the concept of "scope" and "module" such as "module FTP" in ftp.bro and "module HTTP" in http.bro? What advantages has it? Thanks, Cliff ----- Original Message ----- From: "Vern Paxson" To: "Christian Kreibich" Cc: "Bro List" Sent: Thursday, September 23, 2004 11:03 PM Subject: Re: [Bro] log_file variable in ftp.bro > > I think Vern meant to say "module FTP" and > > > > redef FTP::log_file = open_log_file("comex"); > > Yep, thanks! Hazards of sending email before one's morning coffee ... > > Vern > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From christian at whoop.org Fri Sep 24 02:25:07 2004 From: christian at whoop.org (Christian Kreibich) Date: Fri, 24 Sep 2004 10:25:07 +0100 Subject: [Bro] log_file variable in ftp.bro In-Reply-To: <003001c4a1d9$5ea2f6d0$7a0aa8c0@comex10> References: <200409231503.i8NF3Dp3000164@jaguar.icir.org> <003001c4a1d9$5ea2f6d0$7a0aa8c0@comex10> Message-ID: <1096017907.26190.146.camel@localhost.localdomain> On Fri, 2004-09-24 at 02:53, Cliff wrote: > Hi Vern/Christian, > Ya,It's Ok to modify the script as what you said.I see that this is the result from "scope" used in ftp.bro. > However,I don't understand that Why to import the concept of "scope" and "module" such as "module FTP" in ftp.bro and "module HTTP" in http.bro? What advantages has it? It's just to have a concept of namespaces -- in a large policy configuration there's a good chance that symbol names (for variables, functions etc) would collide. The module and export statements allow you to control how much pollution you cause in other modules. Also it's much nicer if you don't have to think all the time about whether a symbol name might already exist in another module. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From rreitz at fnal.gov Fri Sep 24 14:02:22 2004 From: rreitz at fnal.gov (Randolph Reitz) Date: Fri, 24 Sep 2004 16:02:22 -0500 Subject: [Bro] BRO on FreeBSD 5.2.1 Message-ID: <07D57002-0E6D-11D9-A513-000A95D15230@fnal.gov> I have bro installed on FreeBSD 5.2.1. This release of FreeBSD uses the device file system devfs(5) to create /dev/bpfxx devices on demand. The problem is when these devices are created, root owns the new device. Bro running as 'bro' can't access it. I guess a fix is to run bro as root. Any other ideas? Thanks, Randy Reitz Computer Security Team From vern at icir.org Fri Sep 24 14:14:41 2004 From: vern at icir.org (Vern Paxson) Date: Fri, 24 Sep 2004 14:14:41 -0700 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: Your message of Fri, 24 Sep 2004 16:02:22 CDT. Message-ID: <200409242114.i8OLEfp3051014@jaguar.icir.org> > I guess a fix is to run bro as root. Any other ideas? What we generally do is to make the device readable by some group and put user "bro" in that group. Definitely recommended over running Bro as root! Vern From rreitz at fnal.gov Fri Sep 24 14:39:44 2004 From: rreitz at fnal.gov (Randolph Reitz) Date: Fri, 24 Sep 2004 16:39:44 -0500 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: <200409242114.i8OLEfp3051014@jaguar.icir.org> References: <200409242114.i8OLEfp3051014@jaguar.icir.org> Message-ID: <3FFA74FD-0E72-11D9-A513-000A95D15230@fnal.gov> OK, but the devfs devices are created as... gumshoe# ls -lt /dev/b* crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1 crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0 (I changed the owner from root to bro.) If bro is a member of group wheel, bro still can't read the device. I don't know how to control the permissions, owner or group of devfs devices. The devfs(5) man page is useless. Randy On Sep 24, 2004, at 4:14 PM, Vern Paxson wrote: >> I guess a fix is to run bro as root. Any other ideas? > > What we generally do is to make the device readable by some group and > put > user "bro" in that group. Definitely recommended over running Bro as > root! > > Vern > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From vern at icir.org Fri Sep 24 14:43:03 2004 From: vern at icir.org (Vern Paxson) Date: Fri, 24 Sep 2004 14:43:03 -0700 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: Your message of Fri, 24 Sep 2004 16:39:44 CDT. Message-ID: <200409242143.i8OLh3p3054219@jaguar.icir.org> > OK, but the devfs devices are created as... > > gumshoe# ls -lt /dev/b* > crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1 > crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0 > > (I changed the owner from root to bro.) If bro is a member of group > wheel, bro still can't read the device. I'm confused. If the files are mode 600 and "bro" owns them, then it certainly should be able to read them ... ! > I don't know how to control > the permissions, owner or group of devfs devices. The devfs(5) man > page is useless. So the problem is that devfs creates them on-the-fly, so you're not able to alter their ownership? What happens if you create them statically via /dev/MAKEDEV? Vern From rreitz at fnal.gov Fri Sep 24 16:46:43 2004 From: rreitz at fnal.gov (Randolph Reitz) Date: Fri, 24 Sep 2004 18:46:43 -0500 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: <200409242143.i8OLh3p3054219@jaguar.icir.org> References: <200409242143.i8OLh3p3054219@jaguar.icir.org> Message-ID: When devfs creates the /dev/bpfxx files, it creates them as follows... crw------- 1 root wheel 23, 1 Sep 24 14:14 /dev/bpfxx After the /dev/bpfxx is created, bro complains that it can't read the /dev/bpfxx and stops. I change the owner to bro and then restart bro. The traffic I'm currently monitoring is not the Fermi border traffic, it's internal traffic. So only two bpfxx have been automatically created. When I hook up the border traffic, I expect that a lot of /dev/bpfxx will be created, so I need to find a way to tell devfs to create /dev/bpfxx with owner 'bro'. I don't know how to do this. The /dev/MAKEDEV doesn't exist in 5.2. Randy On Sep 24, 2004, at 4:43 PM, Vern Paxson wrote: >> OK, but the devfs devices are created as... >> >> gumshoe# ls -lt /dev/b* >> crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1 >> crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0 >> >> (I changed the owner from root to bro.) If bro is a member of group >> wheel, bro still can't read the device. > > I'm confused. If the files are mode 600 and "bro" owns them, then > it certainly should be able to read them ... ! > >> I don't know how to control >> the permissions, owner or group of devfs devices. The devfs(5) man >> page is useless. > > So the problem is that devfs creates them on-the-fly, so you're not > able > to alter their ownership? What happens if you create them statically > via > /dev/MAKEDEV? > > Vern > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro Randy Reitz Computer Security Team From dart at nersc.gov Fri Sep 24 17:09:18 2004 From: dart at nersc.gov (Eli Dart) Date: Fri, 24 Sep 2004 17:09:18 -0700 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: Message from Randolph Reitz of "Fri, 24 Sep 2004 18:46:43 CDT." Message-ID: <20040925000918.704BBF987@gemini.nersc.gov> In reply to Randolph Reitz : > When devfs creates the /dev/bpfxx files, it creates them as follows... > > crw------- 1 root wheel 23, 1 Sep 24 14:14 /dev/bpfxx > > After the /dev/bpfxx is created, bro complains that it can't read the > /dev/bpfxx and stops. I change the owner to bro and then restart bro. > The traffic I'm currently monitoring is not the Fermi border traffic, > it's internal traffic. So only two bpfxx have been automatically > created. When I hook up the border traffic, I expect that a lot of > /dev/bpfxx will be created, so I need to find a way to tell devfs to > create /dev/bpfxx with owner 'bro'. I don't know how to do this. take a look at /etc/devfs.conf and /etc/rc.d/devfs also man devfs --eli > > The /dev/MAKEDEV doesn't exist in 5.2. > > Randy > > On Sep 24, 2004, at 4:43 PM, Vern Paxson wrote: > > >> OK, but the devfs devices are created as... > >> > >> gumshoe# ls -lt /dev/b* > >> crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1 > >> crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0 > >> > >> (I changed the owner from root to bro.) If bro is a member of group > >> wheel, bro still can't read the device. > > > > I'm confused. If the files are mode 600 and "bro" owns them, then > > it certainly should be able to read them ... ! > > > >> I don't know how to control > >> the permissions, owner or group of devfs devices. The devfs(5) man > >> page is useless. > > > > So the problem is that devfs creates them on-the-fly, so you're not > > able > > to alter their ownership? What happens if you create them statically > > via > > /dev/MAKEDEV? > > > > Vern > > _______________________________________________ > > Bro mailing list > > Bro at ICSI.Berkeley.EDU > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > Randy Reitz > Computer Security Team > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 224 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20040924/8b9cbf96/attachment.bin From rreitz at fnal.gov Fri Sep 24 19:56:02 2004 From: rreitz at fnal.gov (Randolph Reitz) Date: Fri, 24 Sep 2004 21:56:02 -0500 Subject: [Bro] BRO on FreeBSD 5.2.1 In-Reply-To: <20040925000918.704BBF987@gemini.nersc.gov> References: <20040925000918.704BBF987@gemini.nersc.gov> Message-ID: <6F95E8F6-0E9E-11D9-88DD-000A95D15230@fnal.gov> I was stuck on devfs(5). devfs(8) is much more helpful. Thanks for the clue, Randy On Sep 24, 2004, at 7:09 PM, Eli Dart wrote: > > In reply to Randolph Reitz : > >> When devfs creates the /dev/bpfxx files, it creates them as follows... >> >> crw------- 1 root wheel 23, 1 Sep 24 14:14 /dev/bpfxx >> >> After the /dev/bpfxx is created, bro complains that it can't read the >> /dev/bpfxx and stops. I change the owner to bro and then restart bro. >> The traffic I'm currently monitoring is not the Fermi border traffic, >> it's internal traffic. So only two bpfxx have been automatically >> created. When I hook up the border traffic, I expect that a lot of >> /dev/bpfxx will be created, so I need to find a way to tell devfs to >> create /dev/bpfxx with owner 'bro'. I don't know how to do this. > > take a look at /etc/devfs.conf and /etc/rc.d/devfs > > also man devfs > > --eli > > >> >> The /dev/MAKEDEV doesn't exist in 5.2. >> >> Randy >> >> On Sep 24, 2004, at 4:43 PM, Vern Paxson wrote: >> >>>> OK, but the devfs devices are created as... >>>> >>>> gumshoe# ls -lt /dev/b* >>>> crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1 >>>> crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0 >>>> >>>> (I changed the owner from root to bro.) If bro is a member of group >>>> wheel, bro still can't read the device. >>> >>> I'm confused. If the files are mode 600 and "bro" owns them, then >>> it certainly should be able to read them ... ! >>> >>>> I don't know how to control >>>> the permissions, owner or group of devfs devices. The devfs(5) man >>>> page is useless. >>> >>> So the problem is that devfs creates them on-the-fly, so you're not >>> able >>> to alter their ownership? What happens if you create them statically >>> via >>> /dev/MAKEDEV? >>> >>> Vern >>> _______________________________________________ >>> Bro mailing list >>> Bro at ICSI.Berkeley.EDU >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> >> Randy Reitz Computer Security Team >> >> _______________________________________________ >> Bro mailing list >> Bro at ICSI.Berkeley.EDU >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > > From chema at cs.berkeley.edu Sat Sep 25 18:49:54 2004 From: chema at cs.berkeley.edu (=?iso-8859-1?q?Jos=E9_Mar=EDa_Gonz=E1lez?=) Date: Sat, 25 Sep 2004 18:49:54 -0700 Subject: [Bro] Multi-dimensional Tables Message-ID: <200409251849.54299.chema@cs.berkeley.edu> I've got 2 questions on multi-dimensional tables. For both of them, I'll try to work with: global a: table[count] of table[addr] of port; 1) How do I create yields for the overall table, i.e., how do I create an object of type "table[addr] of port" ? I want to eventually have: global a: table[count] of table[addr] of port = { [0] = XXX, [1] = XXX, }; I can predefine all the subtables, and then assing them, but it doesn't seem too clean. global a0: table[addr] of port; global a1: table[addr] of port; global a: table[count] of table[addr] of port = { [0] = a0, [1] = a1, }; 2) When I define attributes for the table, which table is affected, the total one, or the yield one? In other words, If I define the original, total table as: global a: table[count] of table[addr] of port &write_expire= { [0] = a0, [1] = a1, }; and I don't modify any of the values in a0, will the full a0 table expire, or just the values from a0? TIA. -Chema From zhangwei at comexgenesys.com Sun Sep 26 18:38:04 2004 From: zhangwei at comexgenesys.com (Cliff) Date: Mon, 27 Sep 2004 09:38:04 +0800 Subject: [Bro] log_file variable in ftp.bro References: <200409231503.i8NF3Dp3000164@jaguar.icir.org> <003001c4a1d9$5ea2f6d0$7a0aa8c0@comex10> <1096017907.26190.146.camel@localhost.localdomain> Message-ID: <001601c4a432$a712be40$7a0aa8c0@comex10> Hi Christian, Very thank you for your detailed explanation. :) The concept of "scope" is the same with the "namespace" of C++. Thanks, Cliff ----- Original Message ----- From: "Christian Kreibich" To: "Bro List" Sent: Friday, September 24, 2004 5:25 PM Subject: Re: [Bro] log_file variable in ftp.bro > On Fri, 2004-09-24 at 02:53, Cliff wrote: > > Hi Vern/Christian, > > Ya,It's Ok to modify the script as what you said.I see that this is the result from "scope" used in ftp.bro. > > However,I don't understand that Why to import the concept of "scope" and "module" such as "module FTP" in ftp.bro and "module HTTP" in http.bro? What advantages has it? > > It's just to have a concept of namespaces -- in a large policy > configuration there's a good chance that symbol names (for variables, > functions etc) would collide. The module and export statements allow you > to control how much pollution you cause in other modules. Also it's much > nicer if you don't have to think all the time about whether a symbol > name might already exist in another module. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > > _______________________________________________ > Bro mailing list > Bro at ICSI.Berkeley.EDU > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From vern at icir.org Mon Sep 27 23:49:39 2004 From: vern at icir.org (Vern Paxson) Date: Mon, 27 Sep 2004 23:49:39 -0700 Subject: [Bro] Multi-dimensional Tables In-Reply-To: Your message of Sat, 25 Sep 2004 18:49:54 PDT. Message-ID: <200409280649.i8S6ndp3086863@jaguar.icir.org> Good questions! > global a: table[count] of table[addr] of port; > > 1) How do I create yields for the overall table, i.e., how > do I create an object of type "table[addr] of port" ? > > I want to eventually have: > > global a: table[count] of table[addr] of port = { > [0] = XXX, > [1] = XXX, > }; You have to do it the way you listed: > global a0: table[addr] of port; > global a1: table[addr] of port; > global a: table[count] of table[addr] of port = { > [0] = a0, > [1] = a1, > }; because there's currently no way to "construct" a table using an expression by itself (unlike record constructors, such as [$foo=1, $bar="hi"]). > 2) When I define attributes for the table, which table is > affected, the total one, or the yield one? The total one. > If I define the original, total table as: > > global a: table[count] of table[addr] of port &write_expire= { > [0] = a0, > [1] = a1, > }; > > and I don't modify any of the values in a0, will the full > a0 table expire, or just the values from a0? If you want to affect the yield table, define its own type: type yield_table: table[addr] of port &write_expire = 5 sec; global a: table[count] of yield_table = { ... } - Vern From rmkml at wanadoo.fr Tue Sep 28 06:23:03 2004 From: rmkml at wanadoo.fr (rmkml) Date: Tue, 28 Sep 2004 15:23:03 +0200 (CEST) Subject: [Bro] Possible disable split_routing detecting ? Message-ID: Hi, I use bro, but not have more 1 link to InterNet, Possible disable split_routing detecting/function ? Regards Rmkml at Wanadoo.fr From vern at icir.org Tue Sep 28 20:27:43 2004 From: vern at icir.org (Vern Paxson) Date: Tue, 28 Sep 2004 20:27:43 -0700 Subject: [Bro] Possible disable split_routing detecting ? In-Reply-To: Your message of Tue, 28 Sep 2004 15:23:03 +0200. Message-ID: <200409290327.i8T3Rhp3075296@jaguar.icir.org> > I use bro, > > but not have more 1 link to InterNet, > > Possible disable split_routing detecting/function ? If it's not possible that you're seeing split routing, then it's important to figure out why Bro believes it's seeing it. You should capture a trace using -w for which Bro reports split routing; see if running on the trace off-line reproduces that message; and, if so, investigate the trace to determine whether in fact the given connection is missing part of its SYN/SYN-ACK pair. Vern From det2702 at mac.com Wed Sep 29 07:04:12 2004 From: det2702 at mac.com (Det 2702) Date: Wed, 29 Sep 2004 07:04:12 -0700 Subject: [Bro] /usr/local/bro/scripts/pm Message-ID: <11453797.1096466652291.JavaMail.det2702@mac.com> Greetings, I'm in the process of building bro 0.90 on FreeBSD 5.2. I'm getting the following errors toward the end of the "make install" process: /usr/bin/install -c -d /usr/local/bro/scripts/pm /usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro /usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro/Report /usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro/Log /usr/bin/install -c site-report.pl /usr/local/bro/scripts/site-report.pl /usr/bin/install -c -c -m 644 pm/Bro/Report.pm /usr/local/bro/scripts/pm/Bro/Report.pm install: pm/Bro/Report.pm: No such file or directory *** Error code 71 Stop in /usr/local/downloads/bro-pub-0.9a4a/scripts. *** Error code 1 Stop in /usr/local/downloads/bro-pub-0.9a4a/scripts. *** Error code 1 It looks like the bro/scripts/pm directory is missing from the tar ball. Is there any way I can get a copy? Regards, Randy From vern at icir.org Wed Sep 29 23:07:22 2004 From: vern at icir.org (Vern Paxson) Date: Wed, 29 Sep 2004 23:07:22 -0700 Subject: [Bro] /usr/local/bro/scripts/pm In-Reply-To: Your message of Wed, 29 Sep 2004 07:04:12 PDT. Message-ID: <200409300607.i8U67Mp3007304@jaguar.icir.org> > It looks like the bro/scripts/pm directory is missing from the tar ball. Is there any way I can get a copy? I've put a snapshot in http://www.icir.org/vern/tmp/bro-pm.tar.gz - Vern