From copaseticsituation at gmail.com Sat Oct 8 10:25:40 2005
From: copaseticsituation at gmail.com (Jeff)
Date: Sat, 8 Oct 2005 13:25:40 -0400
Subject: [Bro] Compiling problem
Message-ID:

I've run into this error while compiling on OpenBSD 3.7.

bash-3.00# make
g++ -o bif_parse.o -c bif_parse.cc
builtin-func.y:2: vector: No such file or directory
*** Error code 1

Stop in /home/usr/bro-pub-0.8a88 (line 572 of Makefile).
bash-3.00#

I've not been able to find anything in the archives.

Please let me know if you have any suggestion.

Jeff

From rene.neumerkel at inf.tu-dresden.de Sat Oct 8 12:39:37 2005
From: rene.neumerkel at inf.tu-dresden.de (Rene Neumerkel)
Date: Sat, 08 Oct 2005 21:39:37 +0200
Subject: [Bro] Compiling problem
In-Reply-To:
References:
Message-ID: <43482079.5090507@inf.tu-dresden.de>

Jeff wrote:
> I've run into this error while compiling on OpenBSD 3.7.
>
> bash-3.00# make
> g++ -o bif_parse.o -c bif_parse.cc
> builtin-func.y:2: vector: No such file or directory
> *** Error code 1
>
> Stop in /home/usr/bro-pub-0.8a88 (line 572 of Makefile).
> bash-3.00#
>
> I've not been able to find anything in the archives.
>
> Please let me know if you have any suggestion.
>
> Jeff

Hi Jeff,

vector.h is a standard lib like, for instance, stdio.h and should
generally be installed on your system by default. Don't know
about OpenBSD though, since all I have is a Linux box. If you
can find the file on your system, then adding the path to the
include-path of the gcc should help you.

Hope that helps!

Regards, Rene

From copaseticsituation at gmail.com Thu Oct 13 06:44:56 2005
From: copaseticsituation at gmail.com (Jeff)
Date: Thu, 13 Oct 2005 09:44:56 -0400
Subject: [Bro] OpenBSD Compiling problem
Message-ID:

I've finally gotten all headers found on compile. I had a problem with the
if_ether.h being found. I actually had to find ip_ether.h and copy it with
the if_ether.h file name. Now I've run into the following during the make:

###############################
source='ef.c' object='ef.o' libtool=no depfile='.deps/ef.Po' tmpdepfile='.deps/ef.TPo' depmode=gcc /bin/sh ../../depcomp gcc -DHAVE_CONFIG_H -I. -I. -I../.. -g -O2 -I/include -c `test -f ef.c || echo './'`ef.c
In file included from ef.l:13:
/usr/include/netinet/ether.h:37: warning: `ETHERMTU' redefined
/usr/include/net/ethernet.h:343: warning: this is the location of the previous definition
In file included from ef.l:13:
/usr/include/netinet/ether.h:47: redefinition of `struct ether_header'
*** Error code 1

Stop in /home/jsa/bro-0.9a10/aux/hf.
*** Error code 1

Stop in /home/jsa/bro-0.9a10/aux (line 157 of Makefile).
###############################

I included the ether.h from the bro-9 directory after untarring. I am
unable to vi ef to determine how it is defined.

Any suggestions?

Jeff

On 10/11/05, Jeff < copaseticsituation at gmail.com> wrote:
>
> Thanks to all for the suggestions.
>
> Rene, it appears that you are correct that vector.h is not present on the
> system. I installed the package from the OpenBSD site and it did include the
> file. Upon closer review of the configure output, I've found that there are
> a few files not found. I'll get those and copy them over to the /usr/include
> and see how that works. I'll email back how it goes.
>
> Jeff
>
> On 10/8/05, Rene Neumerkel < rene.neumerkel at inf.tu-dresden.de> wrote:
> >
> > Jeff wrote:
> >
> > > I've run into this error while compiling on OpenBSD 3.7.
> > >
> > > bash-3.00# make
> > > g++ -o bif_parse.o -c bif_parse.cc
> > > builtin-func.y:2: vector: No such file or directory
> > > *** Error code 1
> > >
> > > Stop in /home/usr/bro-pub-0.8a88 (line 572 of Makefile).
> > > bash-3.00#
> > >
> > > I've not been able to find anything in the archives.
> > >
> > > Please let me know if you have any suggestion.
> > >
> > > Jeff
> >
> > Hi Jeff,
> >
> > vector.h is a standard lib like, for instance, stdio.h and should
> > generally be installed on your system by default. Don't know
> > about OpenBSD though, since all I have is a Linux box. If you
> > can find the file on your system, then adding the path to the
> > include-path of the gcc should help you.
> >
> > Hope that helps!
> >
> > Regards, Rene
> >
> >

From gklok at cogeco.ca Thu Oct 13 08:59:09 2005
From: gklok at cogeco.ca (Gordon Willem Klok)
Date: Thu, 13 Oct 2005 11:59:09 -0400
Subject: [Bro] OpenBSD Compiling problem
In-Reply-To:
References:
Message-ID: <434E844D.6070401@cogeco.ca>

Patches for 0.9a9 on OpenBSD 3.7 and -current.

aux/pcap-0.7.2
--- nametoaddr.c.orig Tue Sep 13 03:18:47 2005 +++ nametoaddr.c Tue Sep 13 03:20:55 2005 @@ -364,7 +364,7 @@ * "const char *", so no matter how we declare it here, it'll fail to * compile on one of 3.x or 4.x). */ -#if !defined(sgi) && !defined(__NetBSD__) && !defined(__FreeBSD__) +#if !defined(sgi) && !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__OpenBSD__) extern int ether_hostton(char *, struct ether_addr *); #endif --- hf.l.orig Tue Sep 13 03:31:25 2005 +++ hf.l Mon Sep 19 00:37:44 2005
@@ -16,17 +16,17 @@ #ifdef NEED_NAMESER_COMPAT_H #include - #ifndef NS_MAXDNAME - #define NS_MAXDNAME 1025 - #endif - #ifndef NS_INADDRSZ - #define NS_INADDRSZ 4 - #endif - #ifndef NS_IN6ADDRSZ - #define NS_IN6ADDRSZ 16 - #endif #else #include + #endif + #ifndef NS_MAXDNAME + #define NS_MAXDNAME 1025 + #endif + #ifndef NS_INADDRSZ + #define NS_INADDRSZ 4 + #endif + #ifndef NS_IN6ADDRSZ + #define NS_IN6ADDRSZ 16 #endif #include

From vern at icir.org Thu Oct 13 12:35:32 2005
From: vern at icir.org (Vern Paxson)
Date: Thu, 13 Oct 2005 12:35:32 -0700
Subject: [Bro] OpenBSD Compiling problem
In-Reply-To: Your message of Thu, 13 Oct 2005 11:59:09 EDT.
Message-ID: <200510131935.j9DJZWA8061995@jaguar.icir.org>

> Patches for 0.9a9 on OpenBSD 3.7 and -current.

Note, these shouldn't be needed for the current 0.9a11 release.

		Vern

From bchen at cs.ucf.edu Thu Oct 20 08:54:43 2005
From: bchen at cs.ucf.edu (bchen at cs.ucf.edu)
Date: Thu, 20 Oct 2005 11:54:43 -0400
Subject: [Bro] capture all events at one point
In-Reply-To: <200510141902.j9EJ2ntU021829@fruitcake.ICSI.Berkeley.EDU>
References: <200510141902.j9EJ2ntU021829@fruitcake.ICSI.Berkeley.EDU>
Message-ID: <20051020115443.d12xdvp94w8ogww0@mail.cs.ucf.edu>

Hi all,

I am wondering whether I can capture all events at one point. I want to
log the sequence of all events happened between two hosts and look for
interesting patterns.

thanks.

Bing

From vern at icir.org Thu Oct 20 09:15:51 2005
From: vern at icir.org (Vern Paxson)
Date: Thu, 20 Oct 2005 09:15:51 -0700
Subject: [Bro] capture all events at one point
In-Reply-To: Your message of Thu, 20 Oct 2005 11:54:43 EDT.
Message-ID: <200510201615.j9KGFpjR090294@jaguar.icir.org>

You can use -t tracefile to construct a trace file of all event
invocations and function calls during a run. It gets very large very
quickly, though.

		Vern

From robin at icir.org Thu Oct 20 11:16:56 2005
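Review bot: in the nametoaddr.c hunk of Gordon's patch above, the `#if !defined(sgi) && !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__OpenBSD__)` guard around the `ether_hostton` prototype now hard-codes a fourth platform, and the comment in the hunk's own context already says the declaration differs even between releases of one OS (3.x vs 4.x), so this chain will keep growing; a configure-time test for whether the system headers already declare `ether_hostton` (exporting a HAVE_ETHER_HOSTTON_DECL-style macro, name hypothetical) would replace the whole list. The new line is also well past 80 columns; a backslash continuation after `!defined(__FreeBSD__)` would keep it readable.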
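Review bot: in the hf.l hunk of the same patch, lifting the three `#ifndef NS_MAXDNAME` / `#ifndef NS_INADDRSZ` / `#ifndef NS_IN6ADDRSZ` fallback blocks out of the `#ifdef NEED_NAMESER_COMPAT_H` branch so that the `#else` branch is covered too is the right fix, and the `#ifndef` guards keep it harmless where the header already defines them. Two things to check before committing: the header names in both `#include` lines were lost in transit (they appear here as a bare `#include`, presumably angle brackets eaten by the mailer), so the patch as posted will not apply and should be resent as an attachment; and the values 1025/4/16 are the standard resolver constants, so a one-line comment naming the header they duplicate would spare the next reader a lookup.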
From: robin at icir.org (Robin Sommer)
Date: Thu, 20 Oct 2005 11:16:56 -0700
Subject: [Bro] capture all events at one point
In-Reply-To: <20051020115443.d12xdvp94w8ogww0@mail.cs.ucf.edu>
References: <200510141902.j9EJ2ntU021829@fruitcake.ICSI.Berkeley.EDU> <20051020115443.d12xdvp94w8ogww0@mail.cs.ucf.edu>
Message-ID: <20051020181656.GA31052@net.informatik.tu-muenchen.de>

On Thu, Oct 20, 2005 at 11:54 -0400, bchen at cs.ucf.edu wrote:

> I am wondering whether I can capture all events at one point. I want to

If you run Bro with the capture-events.bro script, it will record all
events into a file events.bst. You can then use "bro -x events.bst" to
get a readable ASCII version of that file.

Is this what you're looking for?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI    * Fax   +1 (510) 666-2956 * www.icir.org

From weaver at er.doe.gov Thu Oct 20 12:36:12 2005
From: weaver at er.doe.gov (Mike Weaver)
Date: Thu, 20 Oct 2005 15:36:12 -0400
Subject: [Bro] BRO, BPF and FreeBSD 5.4
Message-ID: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov>

Hi All,

I didn't see this issue addressed on the list before, but my apologies
if I missed something. I'm relatively new to FreeBSD, but not to
UN*X/Linux in general. I realize that BRO is developed on FreeBSD 4.x
and not 'officially' supported on other versions, but due to security
etc... I'd like to run it on the latest STABLE version (5.4).

As you are probably aware, FreeBSD 5.x uses devfs and there is no
longer a MAKEDEV command. I have BPF support enabled in my kernel
config file, but no BPF devices exist. Bro_config detects this and
offers to create them for me, but uses the MAKEDEV script.

I've scoured Google, newsgroups, forums and the official FreeBSD
documents, but can't seem to find how to manually create the BPF
devices. I assume that this is pretty trivial, but I don't see what
I'm missing. I also assume that Vern is intimately familiar with BPF
from his association with LBL and his impressive portfolio of tools
and projects. Any assistance would be appreciated!

Thanks,

Mike

--
Mike Weaver
US Department of Energy
MICS/SC-21.1
Germantown Building
Voice: 301-903-0072
Fax: 301-528-7774
Email: weaver at mics.doe.gov

From JRLee at lbl.gov Thu Oct 20 13:21:12 2005
From: JRLee at lbl.gov (Jason R. Lee)
Date: Thu, 20 Oct 2005 13:21:12 -0700
Subject: [Bro] BRO, BPF and FreeBSD 5.4
In-Reply-To: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov>
References: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov>
Message-ID: <4357FC38.3080004@lbl.gov>

Mike, you might want to try something like this, which will allow BSD to
dynamically add the bpf devices as needed (i.e. when bro/tcpdump/etc.
tries to open them)

% devfs rule add path "bpf*" mode 660 user wheel

This has been added into the newest/latest/greatest bro. So expect it to
work in the next release.

Cheers,
jason

PS you can man devfs for many, many more options.

Mike Weaver wrote:

>Hi All,
>
>I didn't see this issue addressed on the list before, but my apologies
>if I missed something. I'm relatively new to FreeBSD, but not to
>UN*X/Linux in general. I realize that BRO is developed on FreeBSD 4.x
>and not 'officially' supported on other versions, but due to security
>etc... I'd like to run it on the latest STABLE version (5.4).
>
>As you are probably aware, FreeBSD 5.x uses devfs and there is no
>longer a MAKEDEV command. I have BPF support enabled in my kernel
>config file, but no BPF devices exist. Bro_config detects this and
>offers to create them for me, but uses the MAKEDEV script.
>
>I've scoured Google, newsgroups, forums and the official FreeBSD
>documents, but can't seem to find how to manually create the BPF
>devices. I assume that this is pretty trivial, but I don't see what
>I'm missing. I also assume that Vern is intimately familiar with BPF
>from his association with LBL and his impressive portfolio of tools
>and projects. Any assistance would be appreciated!
>
>Thanks,
>
>Mike
>
>--
>Mike Weaver
>US Department of Energy
>MICS/SC-21.1
>Germantown Building
>Voice: 301-903-0072
>Fax: 301-528-7774
>Email: weaver at mics.doe.gov
>
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

From jwebster at es.net Thu Oct 20 13:25:12 2005
From: jwebster at es.net (John Webster)
Date: Thu, 20 Oct 2005 13:25:12 -0700
Subject: [Bro] BRO, BPF and FreeBSD 5.4
In-Reply-To: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov>
References: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov>
Message-ID: <2F758F9BB52C22C6FAFF7037@vortex.es.net>

I use the following script in /usr/local/etc/rc.d to setup bpf,
since I couldn't seem to get /etc/devfs.conf to work correctly.
You'll need to add the bro user to the bpf group.

==================
#!/bin/sh

# name: 0devfs.sh so it runs before bro

case "$1" in
  stop )
    ;;
  start )
    devfs ruleset 10
    devfs rule add path "bpf*" mode 660 group bpf
    devfs rule applyset
    ;;
esac

===================


--On Thursday, October 20, 2005 15:36:12 -0400 Mike Weaver wrote:

> Hi All,
>
> I didn't see this issue addressed on the list before, but my apologies
> if I missed something. I'm relatively new to FreeBSD, but not to
> UN*X/Linux in general. I realize that BRO is developed on FreeBSD 4.x
> and not 'officially' supported on other versions, but due to security
> etc... I'd like to run it on the latest STABLE version (5.4).
>
> As you are probably aware, FreeBSD 5.x uses devfs and there is no
> longer a MAKEDEV command. I have BPF support enabled in my kernel
> config file, but no BPF devices exist. Bro_config detects this and
> offers to create them for me, but uses the MAKEDEV script.
>
> I've scoured Google, newsgroups, forums and the official FreeBSD
> documents, but can't seem to find how to manually create the BPF
> devices. I assume that this is pretty trivial, but I don't see what
> I'm missing. I also assume that Vern is intimately familiar with BPF
> from his association with LBL and his impressive portfolio of tools
> and projects. Any assistance would be appreciated!
>
> Thanks,
>
> Mike
>
> --
> Mike Weaver
> US Department of Energy
> MICS/SC-21.1
> Germantown Building
> Voice: 301-903-0072
> Fax: 301-528-7774
> Email: weaver at mics.doe.gov
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From JRLee at lbl.gov Thu Oct 20 13:45:35 2005
From: JRLee at lbl.gov (Jason R. Lee)
Date: Thu, 20 Oct 2005 13:45:35 -0700
Subject: [Bro] BRO, BPF and FreeBSD 5.4
In-Reply-To: <2F758F9BB52C22C6FAFF7037@vortex.es.net>
References: <004601c5d5ad$871a8d90$29d549c0@ad.mics.doe.gov> <2F758F9BB52C22C6FAFF7037@vortex.es.net>
Message-ID: <435801EF.9060907@lbl.gov>

I think the problem with /etc/devfs.conf is two fold:

1) it doesn't do wildcards, so you have to explicitly add each bpf
   device to it
2) I couldn't dynamically source it, if I changed it, I had to reboot !

Cheers,
jason

John Webster wrote:

>I use the following script in /usr/local/etc/rc.d to setup bpf,
>since I couldn't seem to get /etc/devfs.conf to work correctly.
>You'll need to add the bro user to the bpf group.
>
>==================
>#!/bin/sh
>
># name: 0devfs.sh so it runs before bro
>
>case "$1" in
>  stop )
>    ;;
>  start )
>    devfs ruleset 10
>    devfs rule add path "bpf*" mode 660 group bpf
>    devfs rule applyset
>    ;;
>esac
>
>===================
>
>
>--On Thursday, October 20, 2005 15:36:12 -0400 Mike Weaver wrote:
>
>
>
>>Hi All,
>>
>>I didn't see this issue addressed on the list before, but my apologies
>>if I missed something. I'm relatively new to FreeBSD, but not to
>>UN*X/Linux in general. I realize that BRO is developed on FreeBSD 4.x
>>and not 'officially' supported on other versions, but due to security
>>etc... I'd like to run it on the latest STABLE version (5.4).
>>
>>As you are probably aware, FreeBSD 5.x uses devfs and there is no
>>longer a MAKEDEV command. I have BPF support enabled in my kernel
>>config file, but no BPF devices exist. Bro_config detects this and
>>offers to create them for me, but uses the MAKEDEV script.
>>
>>I've scoured Google, newsgroups, forums and the official FreeBSD
>>documents, but can't seem to find how to manually create the BPF
>>devices. I assume that this is pretty trivial, but I don't see what
>>I'm missing.
>>I also assume that Vern is intimately familiar with BPF
>>from his association with LBL and his impressive portfolio of tools
>>and projects. Any assistance would be appreciated!
>>
>>Thanks,
>>
>>Mike
>>
>>--
>>Mike Weaver
>>US Department of Energy
>>MICS/SC-21.1
>>Germantown Building
>>Voice: 301-903-0072
>>Fax: 301-528-7774
>>Email: weaver at mics.doe.gov
>>
>>_______________________________________________
>>Bro mailing list
>>bro at bro-ids.org
>>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>
>
>
>
>

From copaseticsituation at gmail.com Sun Oct 23 17:23:09 2005
From: copaseticsituation at gmail.com (Jeff)
Date: Sun, 23 Oct 2005 17:23:09 -0700
Subject: [Bro] OpenBSD bro.rc unexpected "("
Message-ID:

Hi,

I've had the fun of getting Bro installed on OpenBSD and now have a
problem with the bro.rc file. Here is the error from the bro.rc:

bash-3.00# /usr/local/bro/etc/bro.rc --start
/usr/local/bro/etc/bro.rc[476]: syntax error: `(' unexpected
bash-3.00#

Here are the corresponding lines from the bro.rc:

468
469         return ${_start_res}
470     fi
471
472     return 0
473 }
474
475
476 stop() {
477     # Check to see if bro is running
478     local _pid
479     local _bro_is_running
480     local _status_result
481
482     status 2>/dev/null >/dev/null
483     _status_result=$?
484
485     if [ "${_status_result}" = '0' ]; then
486         # try and stop it

Has anyone else seen this error?

Thanks,

Jeff

When working on the install, we had to copy ip_ether.h to if_ether.h
and then use the gmake 3.8 to get it to work. I'm running OpenBSD 3.8
from the snapshots. Thanks to all who helped!

From vern at icir.org Sun Oct 23 20:13:20 2005
From: vern at icir.org (Vern Paxson)
Date: Sun, 23 Oct 2005 20:13:20 -0700
Subject: [Bro] new Bro CURRENT and STABLE releases (1.0 and 0.9a11)
Message-ID: <200510240313.j9O3DK34057871@jaguar.icir.org>

Bro release 1.0 is now available from:

	ftp://bro-ids.org/bro-1.x-current.tar.gz

This branch has become the new CURRENT release. The 0.9 branch (formerly
CURRENT) is now the STABLE release, for which there is also a new
release, 0.9a11, available from:

	ftp://bro-ids.org/bro-0.9-stable.tar.gz

The 1.0 release contains a significant number of new features, protocol
analyzers, and bug fixes, per the appended change log. The 0.9a11 release
contains just a few bug fixes (at the bottom of this message); as a STABLE
branch, from now on 0.9 will only be updated with significant bug fixes.

The old STABLE release, based on the 0.8 branch, remains available at
ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz  We do not anticipate making
any further changes to it.

		Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1.0 Sun Oct 23 17:27:45 PDT 2005

- Bro now includes BinPAC (Binary Protocol Analyzer Compiler), a language
  and compiler for automating the construction of analyzers for binary
  protocols (Ruoming Pang).

- Ruoming has used BinPAC to rewrite the analyzers for DCE/RPC (with
  significant enhancements, including adding the endpoint mapper) and SMB
  (likewise enhanced and bug-fixed), and creating a new analyzer for NCP
  (Netware Core Protocol). The NCP analyzer generates two events:

	ncp_request(c: connection, frame_type: count, length: count, func: count)

	ncp_reply(c: connection, frame_type: count, length: count,
	          req_frame: count, req_func: count, completion_code: count)

- The beginnings of an analyzer for NetBIOS name service (Ruoming Pang).
  It generates the following events:

	event nbns_standard_name_query(c: connection)
	event nbns_nbstat_query(c: connection)
	event nbns_name_reg_request(c: connection)
	event nbns_nb_name_query(c: connection)

- New IRC analyzer (Roland Gruber). It generates a lot of events; see
  policy/irc.bro. Note, the formatting of the log file will at some point
  be changed to be more uniform and streamlined.

- ICMP events now include an initial parameter of type "connection", the
  same as for TCP & UDP flows (Ruoming Pang). This facilitates traffic
  analysis by associating generic connection events such as
  connection_state_remove with ICMP events. This affects:

	event icmp_sent(c: connection, icmp: icmp_conn)
	event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
	event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)

- New POP3 analyzer (Florian Schimandl, Hugh Dollman and Robin Sommer).
  Loading pop3.bro analyzes the protocol messages, and loading mime-pop.bro
  also extracts the email headers and content.

- New events (Ruoming Pang):

	connection_first_ACK(c: connection)
		generated upon the ACK completing a TCP handshake.
		Useful in detecting "blink scans" (a FIN coming from the
		client right after the ACK)

	tcp_rexmit(c: connection, is_orig: bool, seq: count, len: count,
	           data_in_flight: count, window: count)
		generated when a TCP sender retransmits data

	rpc_call(c: connection, prog: count, ver: count, proc: count,
	         status: count, start_time: time, call_len: count, reply_len: count)
		can be used to process RPC calls in a generic fashion

	nfs_reply_status(n: connection, status: count)
		supplies the status of NFS server replies

	netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
		access to a NetBIOS SSN message in raw terms

	smb_get_dfs_referral(c: connection, max_referral_level: count, file_name: string)
		generated for SMB DFS referral requests

	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
		low-level event generated for each DNS request/response

	dce_rpc_bind(c: connection, uuid: string)
		generated for DCE RPC binds

	dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string)
		low-level access to DCE RPC messages; see const.bif for
		dce_rpc_ptype values

	epm_map_response(c: connection, uuid: string, p: port, h: addr)
		reply from DCE portmapper

- New operator |x|, a sizeof operator (Christian Kreibich). It yields
  absolute values for numerical values, file size for files, the number
  of enums for an enum type, the number of addresses in subnets, number
  of fields in records, numeric equivalent for addresses, the number of
  elements in vectors/sets/tables, and the length of strings.

- A new clone operator, "* ", produces deep copies of aggregate values
  and the usual duplicates for atomic ones (Christian Kreibich). For
  example, while:

	 1 type foo: record {
	 2     c: count;
	 3     s: string;
	 4 };
	 5
	 6 f1$c = 10;
	 7 f1$s = "Hello";
	 8
	 9 f2 = f1;
	10 f1$c = 20;
	11 f1$s = "World";
	12
	13 print fmt("%d/%s %d/%s", f1$c, f1$s, f2$c, f2$s);

  yields "20/World 20/World", changing line 9 to:

	f2 = *f1;

  yields "20/World 10/Hello".
- New operators "+=" and "-=", which work on both numerical values and
  strings (Christian Kreibich).

- "+" now works on strings: s1 + s2 yields the concatenation of both
  (Christian Kreibich).

- You can now express the equivalent of ICMP "port numbers" using
  /icmp, where is the ICMP type (Ruoming Pang).

- Bro now accepts long versions of options, such as --readfile for -r
  (Christian Kreibich).

- Bro now has a "pseudo-realtime" mode, activated by --pseudo-realtime,
  that causes it to mimic real-time operation when executing against a
  trace (Robin Sommer). This is useful for evaluating performance in a
  controlled fashion.

- SMTP analyzer changes (Roger Winslow): support for 554 code in RCPT
  responses; logging when the server refuses the argument to RCPT;
  support for 502 code in response to a HELP command.

- Addition of two universal hash functions: H3 (from David Moore, based
  on code by Ken Keys) and TwoWise (Dietzfelbinger, from Yin Zhang)
  (Ruoming Pang). Use --enable-h3 and --enable-dietzfelbinger to enable
  them (used as the hash function for short data). H3 is used by default.

- The "bif" compiler for compiling Bro built-in functions now supports an
  "enum" type (Ruoming Pang). The syntax is:

	enum dce_rpc_ptype %{
		DCE_RPC_REQUEST,
		DCE_RPC_PING,
		DCE_RPC_RESPONSE,
	%}

  which is translated to an enum declaration of "dce_rpc_ptype" in Bro,
  an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
  BroEnum::dce_rpc_ptype {...}. One limitation is that redef's on enum
  types cannot be taken into account because the bif is parsed at
  compile time.

- 64-bit integer support via --enable-int64 (Ruoming Pang).

- The new, experimental policy script adu.bro provides a generic way to
  extract application-layer ADUs (Christian Kreibich). It heuristically
  groups blocks of content sent from one side to another, uninterrupted
  by any data in the opposite direction, into an approximate ADU
  (request or reply).
  These then generate adu_tx (originator -> responder) and adu_rx
  (responder -> originator) events. You can control on which ports it
  does this analysis, as well as the amount of data inspected and
  grouped, using variables documented in the script.

- The new built-in function

	function str_smith_waterman(s1: string, s2: string, params: sw_params)
		: sw_substring_vec

  computes the Smith-Waterman overlap between two strings (Christian
  Kreibich). The third parameter is a record with two fields, $min_toklen
  (minimum length for common tokens) and $sw_variant, which takes a value
  of 0 for single-matching and 1 for multiple-matching. The return value
  is a vector of sw_substring records, which hold the following fields:

	str: string;		# the common subsequence
	index1: count;		# where it occurs in input string 1
	index2: count;		# where it occurs in input string 2
	new: bool;		# true if start of new alignment

- If you set the new control variable record_state_history to T, then
  connections recorded to the conn.$BRO_LOG_SUFFIX log file will include
  a field that shows the different states encountered during the
  connection (Mark Allman):

	Symbol	State
	------	-----
	S	Initial SYN seen for TCP connection.
	H	SYN-ACK seen for TCP connection.
	D	Data packet seen (TCP or UDP).
	A	Pure ACK seen for TCP connection.
	F	FIN seen for TCP connection.
	R	RST seen for TCP connection.
	I	TCP connection included a FIN+RST packet.
	Q	TCP connection included a packet with multiple connection
		control flags other than FIN+RST (e.g., SYN+RST).
	C	Connection included one or more packets with failed
		checksums (TCP or UDP).

  The symbols are printed in upper-case for connection originators and
  lower-case for responders. The S/H/F/R symbols are also repeated if
  Bro sees the corresponding control packet subsequently with a
  different sequence number.
  For example, a TCP connection which Bro saw from the beginning, i.e.,
  a normal establishment, followed by the client (originator) first
  sending data, then the server responding, followed by the server
  initiating a normal close which the client then completes, will be
  annotated as "ShADadfF".

- The "for" looping construct now can be used to iterate over the
  non-empty indices of a vector (Christian Kreibich).

- If you set the new variable skip_http_data to T (default: F), then the
  HTTP analyzer will attempt to not reassemble the data portions of HTTP
  request/responses (Ruoming Pang). This can be a performance benefit in
  environments with high volumes of HTTP traffic, though it may not be a
  large win if the processing is dominated by executing the policy script.

- The new built-in

	remask_addr(a1: addr, a2: addr, top_bits_from_a1: count): addr

  takes some top bits (e.g. subnet address) from a1 and the remaining
  bits (intra-subnet part) from a2 and merges them to get a new address
  (Ruoming Pang). Useful for anonymizing at the subnet level while
  preserving serial scans.

- The new built-in

	decode_netbios_name(name: string): string

  takes a string in NetBIOS encoding and returns its original form
  (Ruoming Pang).

- The new variable ignore_keep_alive_rexmit controls whether to include
  keep-alives when counting retransmitted packets (Ruoming Pang). It
  defaults to F (i.e., do count them).

- The calling sequences of dce_rpc_request and dce_rpc_reply have
  changed to:

	event dce_rpc_request(c: connection, opnum: count, stub: string)
	event dce_rpc_response(c: connection, opnum: count, stub: string)

  (Ruoming Pang). Use dce_rpc_message to get access to the RPC type and
  the raw message.

- The calling sequence of the netbios_session_message event has changed
  to:

	netbios_ssn_message(c: connection, is_orig: bool, msg_type: count, data_len: count)

  (Ruoming Pang). Previously it was parameterized with the connection
  and the raw message (now available via netbios_session_raw_message).
- The calling sequences of smb_com_{read,write}_andx have changed to no
  longer include the is_orig parameter because it is in fact fixed for
  these events (Ruoming Pang).

- The calling sequence of smb_message has changed (Ruoming Pang) to:

	smb_message(c: connection, is_orig: bool, cmd: string, body_length: count)

- Bug fix specifying the &default value for tables that yield function
  values (Ruoming Pang). For example:

	type tcp_content_handler_func:
		function (c: connection, is_orig: bool, seq: count, contents: string);

	function default_tcp_content_handler(c: connection, is_orig: bool,
	                                     seq: count, contents: string)
		{
		# do something ...
		}

	const tcp_content_orig_handlers: table[port] of tcp_content_handler_func = {}
		&redef &default = default_tcp_content_handler;

  Previously, Bro would take the function given with &default as the
  default function to call when accessing a missing element, rather than
  a default *value* to directly return. Bro now checks the value type
  against the function type to see if they match in type.

- The new variables forward_remote_events and forward_remote_state_changes
  specify whether to broadcast events/state received from one peer to
  other peers (Robin Sommer). Both default to F. Note, these options are
  temporary; they will disappear when we add a more sophisticated
  script-level communication framework.

- Vectors can now be initialized using the syntax such as

	global foo: vector of string = ["foo","bar"];

  (Robin Sommer).

- Bug fixes for &synchronize'ing vectors (Robin Sommer).

- The internal implementation of strings in the policy language has been
  heavily revamped (Christian Kreibich).

- String built-in functions are now in strings.bif rather than bro.bif
  (Christian Kreibich). This includes two new built-ins:

	str_split(s: string, idx: index_vec): string_vec
	strstr(big: string, little: string): count

  string_vec is a new policy script type that is an alias for "vector of
  string".
- The new options --load-seeds and --save-seeds let you record Bro's
  seeds to a file and then re-use these seeds in a later invocation
  (Christian Kreibich). The primary intended usage is to provide
  determinism in hash table iterations etc. for debugging purposes.

- Communication protocol changes (Robin Sommer):

  * Internal PING/PONG messages to measure round-trip times. The new
    script remote-ping.bro issues PINGs every second and logs to
    remote.log.

  * Optional data compression if libz is available. Remote::Peer$compression
    specifies compression level, with no compression being the default.

  * Inter-Bro communication is now performed in four explicit phases:

	// Setup:
	//	Initial phase.
	//	VERSION messages must be exchanged.
	//	Ends when both peers have sent VERSION.
	// Handshake:
	//	REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
	//	may be exchanged.
	//	Phase ends when both peers have sent PHASE_DONE.
	// State synchronization:
	//	Entered iff at least one of the peers has sent REQUEST_SYNC.
	//	The peer with the smallest runtime (incl. in VERSION msg) sends
	//	SERIAL messages comprising all of its state.
	//	Phase ends when peer sends another PHASE_DONE.
	// Running:
	//	Peers exchange SERIAL (and PING/PONG) messages.
	//	Phase ends with connection tear-down by one of the peers.

  * Serializing network packets includes textual tags for identification.

  * Serializing files includes the state of buffering.

- Pending events for remote peers are now flushed when Bro terminates,
  and the net_done event is *not* propagated to peers (Robin Sommer).

- Makefile.am cleanups (Christian Kreibich).

- libpcap portability fix for OpenBSD (Gordon Willem Klok).

- Performance bug fix for SMTP relay detection (Vern Paxson).

- sprintf -> snprintf tweak (Vern Paxson).

- Bug fix for serializer regular-expression matchers (Robin Sommer).

- Some fixes for access to uninitialized variables/state (Christian
  Kreibich and Vern Paxson).
- More informative messages for some internal errors (Christian Kreibich).

- Bug fixes for implementation of vectors (Christian Kreibich).

- Fixes for FreeBSD 5 installs (Jason Lee).

- gcc 4.0 compatibility (Christian Kreibich).

- Bug fix for correctly propagating libpcap failures (Chema Gonzalez).

- Bug fixes for prefix-preserving IP address anonymization (Chema Gonzalez).

- The MIME analyzer in mime.bro is now in "module MIME" (Vern Paxson).

- Bug fix for the IRC backdoor detector (Scott Campbell).

- The capture filter used for NFS traffic now includes UDP fragments,
  since NFS UDP traffic is often fragmented (Ruoming Pang).

- New internal mechanisms to suspend/resume processing to enable a Bro
  receiving synchronized state to put its own packet processing on hold
  (Robin Sommer).

- A bug with the serialization cache not being used for modified objects
  has been fixed (Robin Sommer).

- A number of enhancements to inter-Bro communication performance and
  error handling (Robin Sommer).

- Internal restructuring to fix problems with dispatching packets when
  using the packet sorter (Ruoming Pang).

- Christian Kreibich has contributed a number of fixes for code flaws
  such as potentially unsafe library calls.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

0.9a11 Sun Oct 23 18:20:31 PDT 2005

- libpcap portability fix for OpenBSD (Gordon Willem Klok).

- Performance fix for high-volume SMTP relay detection (Vern Paxson).

- Fix for bro.rc script configuration (Roger Winslow).

- Fix for IRC backdoor detector (Scott Campbell).
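The four-phase exchange from the CHANGES entry above, modelled as a small state machine. This is an added example in Python, not Bro's RemoteSerializer code: the message names (VERSION, REQUEST_EVENTS, REQUEST_SYNC, CAPTURE_FILTER, CAPS, SERIAL, PHASE_DONE, PING, PONG) are the ones the entry lists, while the (sender, kind[, runtime]) tuple layout, the CLOSE pseudo-message standing in for connection tear-down, the rule that only the syncing peer talks during state synchronization, and choosing peer "a" when runtimes tie are this model's own assumptions. Feeding a sequence through trace() shows where an out-of-phase message (a SERIAL before VERSION, or state from the wrong peer) is rejected, which is the property a remote-peer link should enforce.

```python
from enum import Enum, auto


class Phase(Enum):
    SETUP = auto()
    HANDSHAKE = auto()
    SYNC = auto()
    RUNNING = auto()
    CLOSED = auto()


# Messages the CHANGES entry lists as legal in the handshake and running phases.
HANDSHAKE_MSGS = {"REQUEST_EVENTS", "REQUEST_SYNC", "CAPTURE_FILTER",
                  "CAPS", "SERIAL", "PHASE_DONE"}
RUNNING_MSGS = {"SERIAL", "PING", "PONG"}


class PeerLink:
    """State of one link between peers "a" and "b".

    Messages are tuples (sender, kind) or, for VERSION, (sender, "VERSION",
    runtime).  The runtime carried in VERSION decides who ships state.
    A kind of "CLOSE" models tear-down by either peer (assumed name).
    """

    def __init__(self):
        self.phase = Phase.SETUP
        self.runtime = {}            # peer -> runtime announced in VERSION
        self.phase_done = set()      # peers that sent PHASE_DONE in handshake
        self.sync_requested = set()  # peers that sent REQUEST_SYNC
        self.sync_sender = None      # peer shipping its state during SYNC

    def handle(self, msg):
        sender, kind = msg[0], msg[1]
        if self.phase is Phase.CLOSED:
            raise ValueError("link already torn down")
        if kind == "CLOSE":
            self.phase = Phase.CLOSED
        elif self.phase is Phase.SETUP:
            self._setup(sender, kind, msg)
        elif self.phase is Phase.HANDSHAKE:
            self._handshake(sender, kind)
        elif self.phase is Phase.SYNC:
            self._sync(sender, kind)
        else:
            self._running(kind)
        return self.phase

    def _setup(self, sender, kind, msg):
        # Nothing but VERSION is legal until both peers have sent it.
        if kind != "VERSION":
            raise ValueError(f"{kind} from {sender} before VERSION exchange")
        self.runtime[sender] = msg[2]
        if set(self.runtime) == {"a", "b"}:
            self.phase = Phase.HANDSHAKE

    def _handshake(self, sender, kind):
        if kind not in HANDSHAKE_MSGS:
            raise ValueError(f"{kind} not allowed during handshake")
        if kind == "REQUEST_SYNC":
            self.sync_requested.add(sender)
        elif kind == "PHASE_DONE":
            self.phase_done.add(sender)
            if self.phase_done == {"a", "b"}:
                self._leave_handshake()

    def _leave_handshake(self):
        if self.sync_requested:
            # State sync is entered iff someone asked for it; the peer with
            # the smallest runtime sends.  sorted() keeps "a" on a tie (assumption).
            self.sync_sender = min(sorted(self.runtime), key=self.runtime.get)
            self.phase = Phase.SYNC
        else:
            self.phase = Phase.RUNNING

    def _sync(self, sender, kind):
        # Model assumption: only the chosen peer sends until its PHASE_DONE.
        if sender != self.sync_sender:
            raise ValueError(f"{sender} must stay quiet during state sync")
        if kind == "PHASE_DONE":
            self.phase = Phase.RUNNING
        elif kind != "SERIAL":
            raise ValueError(f"{kind} not allowed during state sync")

    def _running(self, kind):
        if kind not in RUNNING_MSGS:
            raise ValueError(f"{kind} not allowed while running")


def trace(messages):
    """Feed a constructed message sequence through a fresh link; return the
    phase name after each message and the peer chosen to send its state."""
    link = PeerLink()
    phases = [link.handle(m).name for m in messages]
    return phases, link.sync_sender
```

A link that never sees REQUEST_SYNC skips the synchronization phase and goes from the second PHASE_DONE straight to running, exactly as the "entered iff" wording in the entry says.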
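The &default fix described in the CHANGES entry above, rendered in Python as an added example (not Bro script and not the project's code). default_tcp_content_handler mirrors the handler in the entry; lookup_before_fix, lookup_after_fix and dispatch are this example's own names, and the connection argument handed to the handler is a constructed placeholder. The point it makes concrete: with the old semantics a four-argument handler stored as the table's default gets called with a bare port on every miss, whereas with the fixed semantics the function is handed back as the element and called with the real event arguments.

```python
def default_tcp_content_handler(c, is_orig, seq, contents):
    """Stand-in for the Bro handler in the entry; reports what it saw."""
    return f"default handler saw {len(contents)} bytes at seq {seq}"


def lookup_before_fix(table, index, default):
    """Old semantics: any callable &default is a function of the index, so
    on a miss it is *called* with the index as its only argument."""
    if index in table:
        return table[index]
    return default(index) if callable(default) else default


def lookup_after_fix(table, index, default, yields_functions):
    """Fixed semantics: when the table's yield type is a function type and
    the &default value has that type, the function itself is the element.
    For other yield types a callable default is still a function of the
    index, and a plain value is returned as-is."""
    if index in table:
        return table[index]
    if yields_functions and callable(default):
        return default
    return default(index) if callable(default) else default


def dispatch(handlers, port, payload, fixed=True):
    """Resolve the content handler for `port` and invoke it the way a
    tcp_content event would: connection placeholder, is_orig, seq, data."""
    if fixed:
        handler = lookup_after_fix(handlers, port,
                                   default_tcp_content_handler, True)
    else:
        handler = lookup_before_fix(handlers, port,
                                    default_tcp_content_handler)
    return handler("constructed-connection", True, 0, payload)
```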
From rwinslow at lbl.gov Mon Oct 24 08:48:21 2005
From: rwinslow at lbl.gov (Roger Winslow)
Date: Mon, 24 Oct 2005 08:48:21 -0700
Subject: [Bro] OpenBSD bro.rc unexpected "("
In-Reply-To: 
References: 
Message-ID: <435D0245.1080409@lbl.gov>

bro.rc does its best at catching failures to start but unfortunately
doesn't catch it 100% of the time. Sometimes programs that segfault can
produce the error that you are seeing. It is likely that what is
happening is that Bro is unable to start for some reason and the shell
script is failing to catch the error.

Is there anything in the *.info file in your $BROLOGS directory after
this happens? If so could you send me that?

Another thing to try is starting Bro manually from the command line. I
suspect if you do this you will get closer to what the real problem is.

Roger Winslow

Jeff wrote:
> Hi,
>
> I've had the fun of getting Bro installed on OpenBSD and now have a
> problem with the bro.rc file. Here is the error from the bro.rc:
>
> bash-3.00# /usr/local/bro/etc/bro.rc --start
> /usr/local/bro/etc/bro.rc[476]: syntax error: `(' unexpected
> bash-3.00#
>
> Here are the corresponding lines from the bro.rc:
>
> 468
> 469         return ${_start_res}
> 470     fi
> 471
> 472     return 0
> 473 }
> 474
> 475
> 476 stop() {
> 477     # Check to see if bro is running
> 478     local _pid
> 479     local _bro_is_running
> 480     local _status_result
> 481
> 482     status 2>/dev/null >/dev/null
> 483     _status_result=$?
> 484
> 485     if [ "${_status_result}" = '0' ]; then
> 486         # try and stop it
>
> Has anyone else seen this error?
>
> Thanks,
>
> Jeff
>
> When working on the install, we had to copy ip_ether.h to if_ether.h
> and then use the gmake 3.8 to get it to work. I'm running OpenBSD 3.8
> from the snapshots. Thanks to all who helped!
From falletta at ftw.at Mon Oct 24 10:17:21 2005
From: falletta at ftw.at (Vincenzo Falletta)
Date: Mon, 24 Oct 2005 19:17:21 +0200
Subject: [Bro] Bro-1.0 - error in compilation
Message-ID: <435D1721.2050600@ftw.at>

Hello! Excuse me for posting such kind of problems on this mailing list,
but any help would be appreciated!

I tried to compile bro-1.0 and I got the following error(s):

[...]
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I../linux-include -I../aux/libpcap-0.7.2 -O -W -Wall -Wno-unused -I. -I../src/binpac -I../src -I. -I.. -g -O2 -c `test -f nb_dns.c || echo './'`nb_dns.c
g++ -g -O2 -o bro dce_rpc_pac.o ncp_pac.o smb_pac.o main.o net_util.o util.o parse.o scan.o re-parse.o re-scan.o rule-parse.o rule-scan.o Active.o Anon.o Attr.o BackDoor.o Base64.o BPF_Program.o BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o ConnCompressor.o DCE_RPC.o DFA.o DNS.o DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o Debug.o DebugCmds.o DebugLogger.o Desc.o Dict.o Discard.o EquivClass.o Event.o EventHandler.o EventRegistry.o Expr.o FTP.o File.o Finger.o Frag.o Frame.o Func.o Gnutella.o HTTP.o Hash.o ICMP.o ID.o Ident.o IntSet.o InterConn.o IOSource.o IRC.o List.o Logger.o Login.o MIME.o NCP.o NFA.o NFS.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o OSFinger.o PacketFilter.o PacketSort.o PersistenceSerializer.o PktSrc.o PolicyFile.o POP3.o Portmap.o PrefixTable.o PriorityQueue.o Queue.o RE.o RPC.o Reassem.o RemoteSerializer.o Rlogin.o RSH.o Rule.o RuleAction.o RuleCondition.o RuleMatcher.o ScriptAnaly.o SMB.o SmithWaterman.o SMTP.o SSH.o Scope.o SerializationFormat.o SerialObj.o Serializer.o Sessions.o StateAccess.o Stats.o SteppingStone.o Stmt.o TCP.o TCP_Contents.o TCP_Endpoint.o TCP_Rewriter.o Telnet.o Timer.o Traverse.o TwoWise.o Type.o UDP.o Val.o Var.o XDR.o bsd-getopt-long.o cq.o md5.o patricia.o setsignal.o version.o strsep.o nb_dns.o -Llibedit -ledit -L../aux/libpcap-0.7.2 -lpcap -lresolv -lz /usr/lib/libresolv.a -ltermcap -L/usr/lib/termcap -lm
RemoteSerializer.o(.text+0x1802): In function `SocketComm::ProcessPeerCompress(SocketComm::Peer*)':
/home/falletta/bro-1.0/src/ChunkedIO.h:282: undefined reference to `vtable for CompressedChunkedIO'
RemoteSerializer.o(.text+0x1fcf): In function `SocketComm::ProcessParentCompress()':
/home/falletta/bro-1.0/src/ChunkedIO.h:282: undefined reference to `vtable for CompressedChunkedIO'
collect2: ld returned 1 exit status
make[4]: *** [bro] Error 1
make[4]: Leaving directory `/home/falletta/bro-1.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/falletta/bro-1.0/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/falletta/bro-1.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/falletta/bro-1.0'
make: *** [all] Error 2

I'm using SuSE Linux 9.1 (i586), gcc 3.3.3

Any suggestion?

Thanks for the attention,

Vincenzo :-)

From christian at whoop.org Mon Oct 24 12:12:30 2005
From: christian at whoop.org (Christian Kreibich)
Date: Mon, 24 Oct 2005 12:12:30 -0700
Subject: [Bro] Bro-1.0 - error in compilation
In-Reply-To: <435D1721.2050600@ftw.at>
References: <435D1721.2050600@ftw.at>
Message-ID: <1130181151.18719.57.camel@localhost>

Hi Vincenzo,

could you post the full output of your configure run and the output of
"nm -a ChunkedIO.o"? Thanks.

On Mon, 2005-10-24 at 19:17 +0200, Vincenzo Falletta wrote:
> Hello! Excuse me for posting such kind of problems on this mailing list,
> but any help would be appreciated!
> I tried to compile bro-1.0 and I got the following error(s):

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
From falletta at ftw.at Tue Oct 25 00:16:16 2005
From: falletta at ftw.at (Vincenzo Falletta)
Date: Tue, 25 Oct 2005 09:16:16 +0200
Subject: [Bro] Bro-1.0 - error in compilation
In-Reply-To: <1130181151.18719.57.camel@localhost>
References: <435D1721.2050600@ftw.at> <1130181151.18719.57.camel@localhost>
Message-ID: <435DDBC0.4080208@ftw.at>

Here it is :-)

BTW, another strange fact to me is that even if I have correctly
installed the openSSL package, I get that "checking whether
OPENSSL_add_all_algorithms_conf is declared... no" so finally I would
have no OpenSSL support...

Thanks for your patience!

Vincenzo

Christian Kreibich wrote:
> Hi Vincenzo,
>
> could you post the full output of your configure run and the output of
> "nm -a ChunkedIO.o"? Thanks.
>
> On Mon, 2005-10-24 at 19:17 +0200, Vincenzo Falletta wrote:
>
>> Hello! Excuse me for posting such kind of problems on this mailing list,
>> but any help would be appreciated!
>> I tried to compile bro-1.0 and I got the following error(s):
>
> Cheers,
> Christian.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: output-nm.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20051025/406dbbed/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: output-configure.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20051025/406dbbed/attachment-0001.txt
From christian at whoop.org Tue Oct 25 09:58:26 2005
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 25 Oct 2005 09:58:26 -0700
Subject: [Bro] Bro-1.0 - error in compilation
In-Reply-To: <435DDBC0.4080208@ftw.at>
References: <435D1721.2050600@ftw.at> <1130181151.18719.57.camel@localhost> <435DDBC0.4080208@ftw.at>
Message-ID: <1130259507.18719.98.camel@localhost>

Hi Vincenzo,

On Tue, 2005-10-25 at 09:16 +0200, Vincenzo Falletta wrote:
> Here it is :-)
> BTW, another strange fact to me is that even if I have correctly
> installed the openSSL package, I get that "checking whether
> OPENSSL_add_all_algorithms_conf is declared... no" so finally I would
> have no OpenSSL support...

thanks for mentioning this detail, because it explains the problem. It
looks like ChunkedIO.cc makes the compilation of CompressedChunkedIO
depend on both libz *and* OpenSSL, even though it should only depend on
libz. We'll look into it and fix it for the next release.

> Thanks for your patience!

Thanks for pointing out!

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
From jives at security.berkeley.edu Wed Oct 26 02:24:54 2005
From: jives at security.berkeley.edu (John Ives)
Date: Wed, 26 Oct 2005 02:24:54 -0700
Subject: [Bro] site-report.pl
Message-ID: <6.2.3.4.2.20051026021915.03d2f0b0@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Because the installed perl was older than required when a colleague
installed BRO, the scripts did not go in correctly. After a bit of
fiddling with the system I finally appear to have gotten everything
taken care of but the site-report.pl script. The script itself appears
to run, however all I get is an email that says:

report-range + report-start exceeds the current time
exiting program

Does anyone know if there is an easy way of fixing this? I already
tried reinstalling the script from the src tree (it was necessary to
get it running after upgrading perl).

Thank you,

John

- ----------------------------------------------------------------------
- ---
John Ives
GSEC, GCIH, GCWN
System & Network Security
University of California, Berkeley

Phone (510) 642-7773
Cell (510) 229-8676
- ----------------------------------------------------------------------
- ---

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ19LZ5OthQ8M7PCaEQJXGACgjdZ27krtWPXlNx6ZnBnQfTHSSHIAoINJ
fbkOeLNUPiHaBxqqBCwI3i3I
=fLoG
-----END PGP SIGNATURE-----
From copaseticsituation at gmail.com Thu Oct 27 18:39:21 2005
From: copaseticsituation at gmail.com (Jeff)
Date: Thu, 27 Oct 2005 21:39:21 -0400
Subject: [Bro] Error in hot.bro
Message-ID: 

Hi,

I've been trying to get this worked out but no luck yet. Any suggestions?

bash-3.00# /usr/local/bro/bin/bro -i sis0 mt
policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near "is_local_addr"

The hot.bro appears to be the same as on some other installs that I work
on, but here is a section.

# An internal function used by check_hot.
function do_hot_check(c: connection, a: addr, t: table[addr] of string)
	{
	if ( a in t )
		{
		++c$hot;
		local hot_msg = fmt("<%s>", t[a]);
		append_addl(c, hot_msg);
		}
	}

function check_spoof(c: connection): bool
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;
	local service = c$id$resp_p;

	if ( is_local_addr(orig) && is_local_addr(resp) &&
	     service !in allow_spoof_services )
		{
		if ( c$id$orig_p == service && orig == resp )
			event conn_weird("Land_attack", c);

		if ( same_local_net_is_spoof )
			++c$hot;
		}

	return c$hot != 0;
	}

function check_hot(c: connection, state: count): bool
	{
	local id = c$id;
	local service = id$resp_p;

	if ( service in allow_services || c$service == "ftp-data" )
		return F;

	if ( state == CONN_ATTEMPTED )
		check_spoof(c);

	else if ( state == CONN_REJECTED )

Thanks,

Jeff

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20051027/0706fd6d/attachment.html
From rwinslow at lbl.gov Thu Oct 27 21:55:14 2005
From: rwinslow at lbl.gov (Roger Winslow)
Date: Thu, 27 Oct 2005 21:55:14 -0700
Subject: [Bro] site-report.pl
In-Reply-To: <6.2.3.4.2.20051026021915.03d2f0b0@localhost>
References: <6.2.3.4.2.20051026021915.03d2f0b0@localhost>
Message-ID: <4361AF32.3070602@lbl.gov>

Is the problem seen when running it manually? From cron? The script
usually complains like this when the total time range asked for extends
beyond the current time.

Roger Winslow

John Ives wrote:
> Because the installed perl was older than required when a colleague
> installed BRO, the scripts did not go in correctly. After a bit of
> fiddling with the system I finally appear to have gotten everything
> taken care of but the site-report.pl script. The script itself
> appears to run, however all I get is an email that says:
>
> report-range + report-start exceeds the current time
> exiting program
>
> Does anyone know if there is an easy way of fixing this? I already
> tried reinstalling the script from the src tree (it was necessary to
> get it running after upgrading perl).
>
> Thank you,
>
> John
>
>
> ----------------------------------------------------------------------
> ---
> John Ives
> GSEC, GCIH, GCWN
> System & Network Security
> University of California, Berkeley
>
> Phone (510) 642-7773
> Cell (510) 229-8676
> ----------------------------------------------------------------------
> ---
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
From vern at icir.org Thu Oct 27 23:10:35 2005
From: vern at icir.org (Vern Paxson)
Date: Thu, 27 Oct 2005 23:10:35 -0700
Subject: [Bro] Error in hot.bro
In-Reply-To: Your message of Thu, 27 Oct 2005 21:39:21 EDT.
Message-ID: <200510280610.j9S6AZFj007936@jaguar.icir.org>

> I've been trying to get this worked out but no luck yet. Any suggestions?
>
> bash-3.00# /usr/local/bro/bin/bro -i sis0 mt
> policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near
> "is_local_addr"

Where is site.bro being loaded from via $BROPATH? That's the module that
defines is_local_addr, and it's loaded by policy/hot.bro, so if you're
getting this message it appears you're not loading the usual one from
policy/site.bro.

If you don't see a different site.bro that's being loaded, then does
ls -lut indicate that policy/site.bro is being loaded when you run Bro?

Vern
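A complement to the checks Vern suggests above, as an added example that is not part of Bro: it walks $BROPATH and reports which site.bro would be picked up first, whether a later copy is shadowed by it, and whether the winning copy textually defines is_local_addr. It assumes BROPATH is a colon-separated list searched left to right, and that the definition reads as `function is_local_addr(` or as a global/const of that name; demo() builds a constructed two-directory layout under a temporary directory so the script runs offline, with one copy that carries the function and one that does not.

```python
import os
import re
import tempfile


def bropath_dirs(bropath):
    """Split BROPATH into directories; assumed colon-separated, searched
    left to right like a conventional search path."""
    return [d for d in bropath.split(":") if d]


def find_policy(bropath, name):
    """Every copy of `name` along BROPATH in search order.  The first hit is
    the one Bro would load; later ones are shadowed by it."""
    hits = []
    for d in bropath_dirs(bropath):
        path = os.path.join(d, name)
        if os.path.isfile(path):
            hits.append(path)
    return hits


def defines(path, ident):
    """True if the script textually defines `ident` as a function or as a
    global/const variable (an assumption about how the definition reads)."""
    esc = re.escape(ident)
    pat = re.compile(
        r"^\s*(?:function\s+{0}\s*\(|(?:global|const)\s+{0}\s*[:=])".format(esc),
        re.MULTILINE)
    with open(path, encoding="utf-8") as fh:
        return pat.search(fh.read()) is not None


def diagnose(bropath, name, ident):
    """Which copy of `name` wins, what it shadows, and whether it defines `ident`."""
    hits = find_policy(bropath, name)
    return {
        "loaded": hits[0] if hits else None,
        "shadowed": hits[1:],
        "defines_ident": bool(hits) and defines(hits[0], ident),
    }


def demo():
    """Constructed layout: a stock policy dir whose site.bro defines
    is_local_addr, and a local dir whose site.bro does not.  Returns the
    diagnosis for both BROPATH orders."""
    root = tempfile.mkdtemp(prefix="bropath-demo-")
    stock = os.path.join(root, "policy")
    local = os.path.join(root, "local")
    os.makedirs(stock)
    os.makedirs(local)
    with open(os.path.join(stock, "site.bro"), "w", encoding="utf-8") as fh:
        fh.write("# constructed stand-in for the stock site.bro\n"
                 "function is_local_addr(a: addr): bool\n\t{\n\treturn T;\n\t}\n")
    with open(os.path.join(local, "site.bro"), "w", encoding="utf-8") as fh:
        fh.write("# constructed local override that lacks the function\n"
                 "const local_nets: set[subnet] = { 10.0.0.0/8 };\n")
    return {
        "local_first": diagnose(local + ":" + stock, "site.bro", "is_local_addr"),
        "stock_first": diagnose(stock + ":" + local, "site.bro", "is_local_addr"),
    }


if __name__ == "__main__":
    for order, result in demo().items():
        print(order, result)
```

Run against a real install with `diagnose(os.environ["BROPATH"], "site.bro", "is_local_addr")`; a result whose loaded copy lacks the definition while a shadowed copy exists is the situation Vern describes.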