[Bro] new Bro releases
rmkml
rmkml at wanadoo.fr
Fri Sep 10 00:46:10 PDT 2004
Hi,
I have a compile problem on 09a4 (no problem before this version);
I could not find YACC/bison in the Makefile:
$ make
...
bison -y -d -t -v builtin-func.y
flex -obif_lex.cc builtin-func.l
g++ -o bif_lex.o -c bif_lex.cc
g++ -o bif_parse.o -c bif_parse.cc
y.tab.c: In function `int yyparse()':
y.tab.c:1705: syntax error before `goto'
*** Error code 1
Could you help me, please?
Before this release, I changed bison -> byacc in the Makefile,
but in this release I could not find bison in the Makefile.
Second, minor problem:
$ ./configure
...
config.status: creating aux/adtrace/Makefile
config.status: error: cannot find input file: aux/adtrace/Makefile.in
I use Bro on FreeBSD v4.10R.
Thanks
Rmkml at Wanadoo.fr
On Wed, 8 Sep 2004, Vern Paxson wrote:
> Date: Wed, 08 Sep 2004 19:24:29 -0700
> From: Vern Paxson <vern at icir.org>
> To: bro at bro-ids.org
> Subject: [Bro] new Bro releases
>
> New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from:
>
> ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
> ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz
>
> The CURRENT release includes some incompatible changes to file formats and
> environment variables. NOTE: file formats for the "alert" and "signature"
> logs are likely to change again in the near future. In addition, there
> will soon be another release in which the current "log" and "alert" terms
> are renamed (to "alarm" and "notice", respectively).
>
> There are also some bug fixes, new features, and changes to the distribution's
> directory structure, file formats, and environment variables, per the
> appended change log.
>
> The STABLE release fixes a bug:
>
>> - Fixed broken VLAN support (integration of original patch was incomplete).
>
> per the appended patch.
>
> Vern
>
>
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> 0.9a4 Wed Sep 8 17:33:54 PDT 2004
>
> - The directory structure of the Bro distribution has changed (Jason Lee).
> The source code is now in a subdirectory, src/, and the scripts
> snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have
> been moved into scripts/.
>
> - "make install" has been revamped (Jason Lee).
>
> - The format of the alert log file has changed. Fields in it are
> colon-separated. THIS WILL LIKELY CHANGE SOON.
>
> - The policy for formatting signature matches has been revamped,
> including colon-separated fields in the signature log file
> (Roger Winslow). THIS WILL LIKELY CHANGE SOON.
>
> - The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX.
>
> - A new flag, -e, lets you specify Bro code to execute via the command
> line (Christian Kreibich). So, for example,
>
> bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
>
> will run tcp.bro on the trace "mytrace.tcpdump", but with
> traditional_conn_format redefined to be true. Note that statements
> have an implicit ';' added to them for convenience.
>
> - A new signature alert, "MultipleSigResponders", is generated if a
> host triggers the same signature on multiple responders.
>
> - Bro now supports "packet profiling", which provides fairly fine-grained
> statistics on number of packets processed, volume, elapsed real/user/system
> time, and change in memory consumption (Holger Dreger). Three variables
> control the output. The double pkt_profile_freq controls the frequency
> of output. The units in which it's interpreted depend on the setting
> of the pkt_profile_mode variable (which is of type pkt_profile_modes,
> an enum). A value of PKT_PROFILE_MODE_SECS means that statistics
> are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS
> means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every
> pkt_profile_freq bytes. The default (PKT_PROFILE_MODE_NONE) means
> to not generate packet profiling.
>
> Packet profiling is written to the new log file, pkt_profile_file.
> If you "@load pkt-profile", you can turn on packet profiling using
> some handy defaults.
>
> - statistics.bro now reports on how many TCP connections are in
> <originator-state, responder-state> for the different TCP endpoint
> states (SYN sent, SYN ack'd, connection established, etc.).
> Contributed by Holger Dreger.
>
> - tcp_content_delivery_ports_{orig,resp} are now tables of bool rather
> than sets (Ruoming Pang). The semantics are that if you have a
> tcp_contents event handler, then if the orig/resp port is in the given
> table *and the yield value is T*, then the event will be invoked. This
> allows you to now explicitly skip over some ports.
>
> - The processing of default values in tables has been changed internally
> (Ruoming Pang). It's possible this has introduced some subtle bugs
> (as some of these came up during testing).
>
> - A serious bug in Base64 processing has been fixed (Ruoming Pang).
>
> - The NetBIOS and SMB analyzers have been updated in minor ways
> (Ruoming Pang).
>
> - statistics.bro now reports a "lag" figure indicating the elapsed
> time between the last expired timer's target expiration time and
> the current packet timestamp (Robin Sommer). Lag can grow if Bro
> is getting behind in timer expiration due to the setting of
> max_timer_expires.
>
> - Bro's default filter is now "tcp or udp or icmp" rather than
> "tcp or udp".
>
> - alert_info records now have an optional port associated with them
> (for example, to be used to describe scan activity).
>
> - A bug has been fixed in which deleting a table element with an
> associated timer could crash Bro (Robin Sommer).
>
> - A bug that would cause a crash for malformed EPASV directives
> has been fixed (Robin Sommer).
>
> - A bug with inactivity timeouts not being generated for partial
> connections has been fixed (Robin Sommer).
>
> - A bug in synflood.bro has been fixed (Robin Sommer).
>
> - Some tuning adjustments to incremental expiration of table entries
> (Robin Sommer).
>
> - Improved portability to Darwin (Christian Kreibich).
>
> - alert_info records now have additional optional fields, "iconn"
> (associated ICMP connection), "dst" (destination address), and
> "p" (associated port). The source_is_responder field has been
> removed.
>
> - The default packet filter now includes "icmp".
>
> - Some memory allocation/free mismatches & minor leaks (Robin Sommer).
>
> - Minor tweaks to ssl.bro (Robin Sommer).
>
> - Bro now supports "null" link layers (Christian Kreibich).
>
> - aux/adtrace contains a program that spits out MAC/IP information
> from traces (Holger Dreger).
>
> - The formatting of "weird" messages that have additional parameters
> has been changed to be more regularized with other "weird" messages.
>
> - The new "weird" type "base64_illegal_encoding" takes the place of
> some previously unstructured Base64 "weird" errors.
>
> - A tweak to ftp.bro will give it slightly more consistent results
> for some forms of unusual traffic.
>
>
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES
> --- bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004
> +++ bro-pub-0.8a88/CHANGES Wed Sep 8 17:56:23 2004
> @@ -3,6 +3,11 @@
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> +0.8a88 Wed Sep 8 17:56:03 PDT 2004
> +
> +- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang).
> +
> +
> 0.8a87 Sun Jul 11 10:26:35 PDT 2004
>
> - Fixed broken VLAN support (integration of original patch was incomplete).
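Review bot: the added 0.8a88 entry in CHANGES says only that "a serious bug in Base64/MIME processing has been fixed", which gives an operator no way to judge exposure. Suggest one more clause naming the failure, since the Base64.cc hunks below move the output-space test so that it runs before each decoded group is written.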
> diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION
> --- bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004
> +++ bro-pub-0.8a88/VERSION Wed Sep 8 17:55:55 2004
> @@ -1 +1 @@
> -0.8a87
> +0.8a88
> diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc
> --- bro-pub-0.8a87/Base64.cc Sun Jun 6 10:42:38 2004
> +++ bro-pub-0.8a88/Base64.cc Wed Sep 8 17:56:27 2004
> @@ -60,33 +60,10 @@
> *pbuf = buf = new char[blen];
> }
>
> - int rlen = 0;
> - int dlen;
> + int dlen = 0;
>
> - for ( dlen = 0; dlen < len; ++dlen )
> + while ( 1 )
> {
> - if ( data[dlen] == '=' )
> - ++base64_padding;
> -
> - int k = base64_table[(unsigned char) data[dlen]];
> - if ( k < 0 )
> - {
> - if ( ++errored == 1 )
> - // ### This and the next one should be
> - // a Weird, not a run-time error.
> - IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
> - continue;
> - }
> -
> - // Stop decoding if we don't have enough buffer.
> - if ( base64_group_next < 3 )
> - {
> - if ( ++rlen > blen )
> - break;
> - }
> -
> - base64_group[base64_group_next++] = k;
> -
> if ( base64_group_next == 4 )
> {
> // For every group of 4 6-bit numbers,
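Review bot: `while ( 1 )` at the top of the rewritten loop leaves no termination condition visible here; the two exits (`dlen >= len` and the output-space test) sit in later hunks. A short comment above the loop stating both exit conditions, and that a full group is flushed before the next input byte is read, would make the reordering easier to verify. The removed "### This and the next one should be a Weird, not a run-time error" remark is also dropped without replacement; keep it next to the IllegalEncoding call if it is still a to-do.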
> @@ -99,14 +76,17 @@
> continue;
> }
>
> + int num_octets = 3 - base64_padding;
> +
> + if ( buf + num_octets > *pbuf + blen )
> + break;
> +
> uint32 bit32 =
> ((base64_group[0] & 0x3f) << 18) |
> ((base64_group[1] & 0x3f) << 12) |
> ((base64_group[2] & 0x3f) << 6) |
> ((base64_group[3] & 0x3f));
>
> - int num_octets = 3 - base64_padding;
> -
> if ( --num_octets >= 0 )
> *buf++ = char((bit32 >> 16) & 0xff);
>
> @@ -122,6 +102,23 @@
> base64_group_next = 0;
> base64_padding = 0;
> }
> +
> + if ( dlen >= len )
> + break;
> +
> + if ( data[dlen] == '=' )
> + ++base64_padding;
> +
> + int k = base64_table[(unsigned char) data[dlen]];
> + if ( k >= 0 )
> + base64_group[base64_group_next++] = k;
> + else
> + {
> + if ( ++errored == 1 )
> + IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
> + }
> +
> + ++dlen;
> }
>
> *pblen = buf - *pbuf;
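Review bot: `if ( data[dlen] == '=' ) ++base64_padding;` counts every '=' regardless of where it falls in the 4-character group, and does so before the table lookup decides whether the byte is accepted. If '=' in the first two positions, or '=' followed by non-padding characters, is meant to be rejected, say so here with an IllegalEncoding call or a comment pointing at the check that handles it. Since only the first bad character is reported (`++errored == 1`), a comment noting that later ones are skipped silently would help as well.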
> @@ -134,7 +131,8 @@
>
> if ( base64_group_next != 0 )
> {
> - IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
> + if ( base64_group_next < 4 )
> + IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
> Decode(4 - base64_group_next, padding, pblen, pbuf);
> return -1;
> }
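Review bot: the new guard `if ( base64_group_next < 4 )` implies that a complete group can now be left pending at this point, but nothing explains when; add a comment (presumably this is the case where the decode loop stopped for lack of output space). In that case `Decode(4 - base64_group_next, ...)` is called with a length of 0 and the function still reaches `return -1;`, so confirm that callers should see an error when no illegal encoding was reported.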
> _______________________________________________
> Bro mailing list
> Bro at ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>