From bsiamine at yahoo.fr Wed May 3 05:40:54 2006 From: bsiamine at yahoo.fr (bsila amine) Date: Wed, 3 May 2006 14:40:54 +0200 (CEST) Subject: [Bro] analyzer Message-ID: <20060503124054.44854.qmail@web26701.mail.ukl.yahoo.com> Hi can any one please tell me the procedure to add a new protocol analyzer. Thanks ___________________________________________________________________________ Faites de Yahoo! votre page d'accueil sur le web pour retrouver directement vos services pr?f?r?s : v?rifiez vos nouveaux mails, lancez vos recherches et suivez l'actualit? en temps r?el. Rendez-vous sur http://fr.yahoo.com/set From robin at icir.org Wed May 3 09:01:52 2006 From: robin at icir.org (Robin Sommer) Date: Wed, 3 May 2006 09:01:52 -0700 Subject: [Bro] analyzer In-Reply-To: <20060503124054.44854.qmail@web26701.mail.ukl.yahoo.com> References: <20060503124054.44854.qmail@web26701.mail.ukl.yahoo.com> Message-ID: <20060503160152.GD998@net.informatik.tu-muenchen.de> On Wed, May 03, 2006 at 14:40 +0200, bsila amine wrote: > can any one please tell me the procedure to add a new > protocol analyzer. The best way to see how an analyzer works is to take a look at one of the more simple existing analyzers. For a TCP protocol, the finger analyzer is a good starting point (it's in Finger.{h,cc}; you can ignore anything related to trace rewriting). For UDP the NTP analyzer makes a good example. Note that in the near future the analyzer interface will change, as we're working on a more general analyzer architecture (which is, e.g., able to analyze protocols independent of their well-know ports). It will be easy to convert analyzers to the new interface though. Which protocol do you want to add? Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org From salom123 at ok.kz Wed May 10 06:47:53 2006 From: salom123 at ok.kz (salom123 at ok.kz) Date: Wed, 10 May 2006 19:47:53 +0600 Subject: [Bro] about Bro Message-ID: Hi Bro-Team, Wanted to make it clear... For example I am running the Bro as follows, bro -r mt -w And in the location where I am running this line it generates the files: - alarm.log, - ftp.log, - weird.log, - etc... Which one I have to take into account when I will be looking for labeled attacks? I mean, I already have the set of attacks (for example DARPA 1999 Training data, Week 2 data). Now, which file I have to look for the attacks, to find out if the Bro found any attacks? For the current time I am looking for the alarm.log file to see if the Bro found correct ones. Am I doing right? Thanks in advance. Also wanted to make it clear for example in SNORT for analyzing the tcpdump files i am writing, snort -r -c /etc/snort/snort.conf -l And now i want to do the same but with Bro, what i am writing is bro -r mt -w Am I doing it right? If not, please can you explain it to me? Thanks in advance. regards. From salom123 at ok.kz Wed May 10 07:25:15 2006 From: salom123 at ok.kz (salom123 at ok.kz) Date: Wed, 10 May 2006 20:25:15 +0600 Subject: [Bro] question on packages Message-ID: Hi Bro-Team, really sorry for asking this, but i am new to unix/linux environment. Please can you write all the needed packages that the OS should already have prior to installing the Bro system. What I mean is not only libpcap, tcpdump, etc... but I want to see the all packges like list of c compilers, bison, etc... It would be really cool for those who just want to install it and test the Bro on specific data. Thanks in advance. regards. From christian at whoop.org Wed May 10 08:19:43 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 10 May 2006 16:19:43 +0100 Subject: [Bro] about Bro In-Reply-To: References: Message-ID: <1147274384.28616.126.camel@strangepork> Hi, you should check out the manuals at http://www.bro-ids.org/manuals.html to learn about the meaning of the individual log types. Note that Bro, like any other IDS, will need careful tuning in case you want it to alarm you of all the attacks labelled in the DARPA set. On Wed, 2006-05-10 at 19:47 +0600, salom123 at ok.kz wrote: > Hi Bro-Team, > > Wanted to make it clear... For example I am running the Bro as follows, [...] Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From christian at whoop.org Wed May 10 08:29:30 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 10 May 2006 16:29:30 +0100 Subject: [Bro] question on packages In-Reply-To: References: Message-ID: <1147274970.28616.137.camel@strangepork> Hi again, just run ./configure and look at its output. It'll guide you through what you need. Also check ./configure --help for the optional features. The requirements are actually really quite basic and any typical development-type package configuration should be fine. We do not currently release binary packages, however, adding a spec file for RPMs, for example, would be pretty trivial. If any skilled packagers are reading this and interested in giving it a shot, get in touch -- we're lacking cycles for the additional maintenance overhead. On Wed, 2006-05-10 at 20:25 +0600, salom123 at ok.kz wrote: > Hi Bro-Team, > > really sorry for asking this, but i am new to unix/linux environment. > > Please can you write all the needed packages that the OS should already have prior to installing the Bro system. > > What I mean is not only libpcap, tcpdump, etc... but I want to see the all packges like list of c compilers, bison, etc... It would be really cool for those who just want to install it and test the Bro on specific data. Thanks in advance. > > regards. > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jyjung at csail.mit.edu Wed May 10 12:13:42 2006 From: jyjung at csail.mit.edu (Jaeyeon Jung) Date: Wed, 10 May 2006 15:13:42 -0400 Subject: [Bro] logarithm or exponential function for .bro? Message-ID: <20060510191342.GA3608@csail.mit.edu> Hi, What is the best way to compute log (x) or exp (x) (and get the double-precision result) in a Bro policy? I notice that large-conns.bro has logarithm() implemented, but this returns the integer logarithm. Thanks! Jaeyeon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060510/aec46728/attachment.bin From rpang at cs.princeton.edu Wed May 10 12:19:27 2006 From: rpang at cs.princeton.edu (Ruoming Pang) Date: Wed, 10 May 2006 15:19:27 -0400 Subject: [Bro] logarithm or exponential function for .bro? In-Reply-To: <20060510191342.GA3608@csail.mit.edu> References: <20060510191342.GA3608@csail.mit.edu> Message-ID: Hi, I cannot find any log/exp implementation in bro.bif. But you are encouraged to add your own (see src/bro.bif for examples). And if you do so, please send your code to us. :-) Thanks, Ruoming On 5/10/06, Jaeyeon Jung wrote: > Hi, > > What is the best way to compute log (x) or exp (x) (and get > the double-precision result) in a Bro policy? I notice > that large-conns.bro has logarithm() implemented, but > this returns the integer logarithm. > > Thanks! > Jaeyeon > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > From jyjung at csail.mit.edu Wed May 10 14:21:40 2006 From: jyjung at csail.mit.edu (Jaeyeon Jung) Date: Wed, 10 May 2006 17:21:40 -0400 Subject: [Bro] logarithm or exponential function for .bro? In-Reply-To: References: <20060510191342.GA3608@csail.mit.edu> Message-ID: <20060510212140.GA22652@csail.mit.edu> Hi Ruoming, Thanks for the pointer (bro.bif). Added two functions, exp and log, in bro.bif as below. (Also tested them with a simple test.bro script.) -- Jaeyeon # The exp function returns the value of e (the base of natural log) # raised to power d. function exp%(d: double%): double %{ return new Val(exp(d), TYPE_DOUBLE); %} # The log function returns the natural logarithm of d. function log%(d: double%): double %{ return new Val(log(d), TYPE_DOUBLE); %} On Wed, May 10, 2006 at 03:19:27PM -0400, Ruoming Pang wrote: > Hi, > > I cannot find any log/exp implementation in bro.bif. But you are > encouraged to add your own (see src/bro.bif for examples). And if you > do so, please send your code to us. :-) > > Thanks, > Ruoming > > On 5/10/06, Jaeyeon Jung wrote: > > Hi, > > > > What is the best way to compute log (x) or exp (x) (and get > > the double-precision result) in a Bro policy? I notice > > that large-conns.bro has logarithm() implemented, but > > this returns the integer logarithm. > > > > Thanks! > > Jaeyeon > > > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060510/7ab3e8e2/attachment.bin From vern at icir.org Mon May 15 13:57:22 2006 From: vern at icir.org (Vern Paxson) Date: Mon, 15 May 2006 13:57:22 -0700 Subject: [Bro] new Bro CURRENT release 1.1 Message-ID: <200605152057.k4FKvMgg034508@jaguar.icir.org> Bro release 1.1 is now available from: ftp://bro-ids.org/bro-1.x-current.tar.gz This becomes the new CURRENT release. It contains a significant number of new features and bug fixes, per the appended change log. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1.1 Mon May 15 10:50:33 PDT 2006 - Bro now supports a "when" statement for taking action upon something becoming true asynchronously (Robin Sommer). This provides a powerful new mechanism with numerous applications. Syntax: when '(' ')' [timeout '{ '}'] where the first can be a single statement or a block enclosed in {}'s, but the set associated with "timeout" must be enclosed in {}'s (to reduce ambiguities in Bro's grammar). Bro executes the first statement when becomes true. If you give a timeout and the condition has not been satisfied before it expires, Bro executes the second statement instead. A simple example: global t: table[addr] of count; event connection_established(c: connection) { local orig = c$id$orig_h; if ( orig !in t ) { t[orig] = 1; when ( t[orig] == 5 ) print fmt("%s has established 5 connections", orig); timeout 1 hr { print fmt("%s has NOT established 5 connections", orig); delete t[orig]; } } else ++t[orig]; } Notes: - The condition may be evaluated more than once, and at arbitrary times. - When the when-body is executed, the condition is guaranteed to be still satisfied. - Expression reevaluation is primarily triggered by modifications to globals. However, reevaluations do not take place immediately but potentially at a later point. This means that if we change a global to a value which would execute the trigger but then change it back, the change may go unnoticed. - Inside the condition you may introduce new locals. For example, when ( (local x = foo()) && x == 42 ) ... Such an assignment always yields true as its expression value (but the assignment might be delayed, for example if foo() is a delayed function call - see below). Delaying function calls ======================= Functions called inside the condition of a when-clause may delay their results until they're ready. This works for both script-level and built-in functions. For script-level functions, there is a new construct, "return ", to delay a function's result. When used, the function returns at the time the when-stmt's condition becomes true, and it yields the value that the when-stmt's body then returns. Toy example: global X: table[string] of count; function a() : count { # This delays until condition becomes true. return when ( "a" in X ) { return X["a"]; } timeout 5 min { return 0; } } event bro_init() { # Installs a trigger which fires if a() returns 42. when ( a() == 42 ) { print "Yippie!"; } X["a"] = 42; } There's also a new built-in function which can delay lookup_addr(host: addr) performs asynchronous DNS address->hostname lookups. Example: local h; addr; [...] when (local name = lookup_addr(h)) { print h, name; } See the function gen_hot_notice_with_hostnames() in conn.bro for a more worked-out example of using the "when" clause to translate the local address in SensitiveConnection notices to a hostname (contributed by Brian Tierney). This functionality is activated by redef'ing xlate_hot_local_addr to T. Here is the full evaluation model of a when's condition: - The condition may be evaluated more than once, at arbitrary times. - It is always fully evaluated, no matter whether some former evaluation has been suspended by a delaying function call. - All function calls which do not delay are always *fully* executed each time the condition is evaluated. - Function calls which delay are only executed *once*; their result is cached and re-used in the case the condition is evaluated again. - The condition is guaranteed to be true when the body is executed (potentially using cached function results) - By default Bro now uses a configuration similar to what used to be activated using reduce-memory.bro, along with some additional state timeouts that are new (Robin Sommer and Vern Paxson). This allows for better state management out-of-the-box, at the cost of some precision of analysis and resilience to evasion. In particular, the intent is to move towards being able to run Bro continuously without inexorably growing the amount of memory used until exhaustion. You can access a configuration similar to the previous default state management settings by loading heavy-analysis.bro. It turns on a load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro will also be automatically loaded if present. Note that, as was the case for reduce-memory, you need to load heavy-analysis prior to other files for it to have effect. - The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic for cleartext passwords (Jason Lee). - The new script service-probe.bro looks for remote hosts that repeatedly connect to the same service on local hosts (for a configurable set of services and connection sizes) in order to detect brute-forcing attacks such as password-guessing (Jim Mellander). - A new ARP analyzer generates three events: event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string); event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string); event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string); with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson). It writes logs to arp.$BRO_LOG_SUFFIX. It has not been tested much yet. - Bro Lite changes (Jason Lee): - default user for is now user 'bro' - now uses the correct sysctl on FreeBSD 6 - now uses the correct Perl path if site-report.pl not installed into '/usr/local/bro' - no longer prompts to encrypt email unless you pick to email reports - The default Bro Lite install now only checkpoints Bro once a week (Brian Tierney). - Implicit Bro file extensions (such as .bro for policy scripts and .sig for signatures) are now searched for first rather than only if the non-extension-version of the file doesn't exist (Vern Paxson). For example, running "bro -r trace mt" now first searches $BROPATH for "mt.bro" before searching for "mt", whereas it used to do these in the other order. - There's now a simpler mechanism for redef'ing variables on the command-line (Christian Kreibich). Any command line arguments of the form = are now expanded into policy code of the form "redef var=val;", where is wrapped in quotation marks if the value appears to be a string and doesn't have quotation marks already. This works with strings with whitespace such as foo="Hello World"; however, note that it means you can't use the mechanism to redef an enum value. - The Bro distribution now includes (and builds by default) Christian Kreibich's Broccoli library (Bro C Client Library), which enables programs to communicate with running Bro's (Christian Kreibich and Jason Lee). Configure with --disable-broccoli to turn this off. - Built-in functions log(x: double): double and exp(x: double): double which do natural logarithms and their inverses (Jaeyeon Jung). - The new built-in function gethostname() returns the local host's name (Jason Lee & Robin Sommer). - The new built-in function reading_traces() returns true if Bro is reading trace files (Robin Sommer). - The new built-ins suspend_processing() and continue_processing() provide script-level control for instructing the event engine to stop or resume processing packets (Robin Sommer). This is useful for coordinating simultaneous processing by multiple Bro's. - Email notices are now by default sent via /bin/mail, with "[Bro Alarm]" in the subject. - redef'ing a function now replaces the existing body rather than supplementing it (Robin Sommer), which was a bug. - You can now configure Bro to process encapsulated IP packets either by setting, as before, a fixed encap_hdr_size (for VLANs), or setting parse_udp_tunnels to T (Ruoming Pang). For the latter, you specify a UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port" has gone away); or you can leave it set to its default of 0/udp, in which case Bro will look for IP encapsulated in UDP packets on any port. - Added a simple form of profiling based on sampling the work done per-packet (Vern Paxson). The event engine generates a event load_sample(samples: load_sample_info, CPU: interval, dmem: int) event every load_sample_freq packets (roughly; it's randomized), where load_sample_freq defaults to 20. "samples" is simply a set[string]; it contains the names of the functions, event handlers, and their source files that were accessed during the processing of the sampled packet, along with an estimate of the CPU cost of processing the packet and (currently broken) memory allocated/freed. - Bro now includes experimental support for Endace DAG cards (Gregor Maier and Robin Sommer). To activate, configure with --with-DAG=/path/to/dagtool/installation and use "dag0" as the network interface. You may need to configure the card with the dagtools first. In general, if dagsnap works, Bro should work as well. - Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer): * The new variable log_rotate_base_time: string, if defined, specifies that logs should be rotated at log_rotate_base_time + i * rotate_interval intervals. Format is as a string in 24-hour time, "%H:%M", e.g, "12:00". This format may change in the future to instead be a Bro time type. * RotateLogs::date_format can be redefined to change format of timestamps in rotated files. * RotateLogs::build_name() can be redefined to implement an arbitrary naming scheme for rotated files. Note, this code has not been extensively tested. - Bro now by default builds a version of malloc bundled with its distribution (Vern Paxson & Brian Tierney). - The syntax for the clone operator now looks like a function call, "copy(x)" (Vern Paxson). - The new flag DNS::logging (default F), if T, disables generation of dns.log (which is often uninteresting and very large), though it still performs analysis leading to NOTICEs (Robin Sommer). - A new global, hostile_domain_list, has been added to dns.bro which lists domains to be flagged if A or MX records are queried (Scott Campbell). - Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing (Vern Paxson). Skipping these is on (true) by default, because such processing is quite expensive. - backdoor.bro now turns off by default some detectors that from experience have too many false positives, or (such as for HTTP) too many uninteresting true positives (Brian Tierney). In addition: - the module now generates a BackdoorFound notice for each backdoor - the new variable dump_backdoor_packets (default F) if set causes the packet that triggered the backdoor detection to be written to backdoor-packets/: - the new variable backdoor_ignore_host_port_pairs is a set[addr, port] specify host/port combinations to ignore - 587/tcp is now recognized as another SMTP port, and 7000/tcp as a popular IRC port ignored by default - brolite-backdoor.bro is a sample of using backdoor.bro - A bunch of enhancements and fixes for the IRC backdoor detector (Vern Paxson). - The cf utility in aux/cf/ now gets the format to use (unless you specify -f fmt) from $CFTIMEFMT in the environment. You can now specify -f without a format to revert to the default format. This change also includes a significant performance improvement when processing large files (Mark Dedlow and Craig Leres). - Cleanups for brolite.bro and brolite-backdoor.bro (Brian Tierney). brolite.bro now uses rotate-logs by default. - backdoor.bro now enables analysis of partial connections (Vern Paxson). - brolite config cleanup: removed smtp.bro from default, increased max_timer_expires, changed default BROPATH to look at site dir first (Brian Tierney). - The reference manual has been updated for the terminology changes of log -> alarm, alert -> notice, and rule -> signature (Vern Paxson). Some vestiges of the older terminology remain, in part because they're still present in some facets of Bro. - The new script function get_current_packet(): pcap_packet returns the current packet as a "pcap_packet" record with fields $ts_sec, $ts_usec, $caplen, $len (all of type count) and $data (a string) reflecting the corresponding libpcap values (Christian Kreibich). You can write this packet to a dump file using the new function dump_packet(pkt: pcap_packet, file_name: string): bool, which writes (or appends) the packet to a file of the given name, returning T on success and F on error. - The new fmt() specifier 'T' converts values of type "time" to ISO format timestamps, analogous to how 'D' does this for ISO dates (Mark Dedlow). fmt("%T", ) is equivalent to fmt("%s", strftime("%F-%T.%N", )), except that strftime does not (yet) offer "%N" for nanoseconds (but see 'date +%F-%T.%N'). - The new %S format for fmt() inserts a "raw" version of the given string - that is, embedded NULs, control characters, etc., are present without any escaping (Christian Kreibich). - Zero-padding and field widths now work for all fmt() formats rather than just %e/%f/%g (Christian Kreibich). For example, you can now say: local filename = fmt("log-%04.txt", ++counter); and get logfiles log-0001.txt, log-0002.txt, ..., log-0999.txt, etc. - The 'x' format specifier now supports values of type "addr", converting them t hex (Mark Dedlow). For example, fmt("str=%s hex=%x", 1.2.3.4, 1.2.3.4) produces str=1.2.3.4 hex=01020304 The field designation is either %08x (if compiled for IPv4 only) or %08x%08x%08x%08x (if compiled with IPv6 support). - firewall.bro has been extended to support multiple independent rule-sets (by calling begin() for the start of the next one), specifying sets of addresses, being FTP-aware, and with a more streamlined Notice message (Robin Sommer). - The HTTP script variables maintain_http_sessions and http_sessions are now exported so they can be redefined or, for the latter, have timeouts added/adjusted (Robin Sommer). - You can load the new policy script log-append.bro to change Bro's behavior so that when it runs appends to existing log files rather than overwriting them (Mark Dedlow). - New &disable_print_hook attribute for files (Robin Sommer). If set, print statements to the file don't trigger the print_hook event. This is useful to keep the output of certain files from being propagated to peers. - You can now associate "classes" with remote peers (Robin Sommer). When connecting, a node may send a specific class to which it considers itself belonging. The accepting side can then tune its configuration based on the received class. This is primarily for the having multiple unrelated Broccolis running on the same host, all connecting to the same remote Bro (e.g., sshd and syslog sensors). To use this, on the Bro side the record Remote::Destination now has a field "class: string" (default: unset). If set, the given config entry only applies for connecting remote peers that send the given class. If it is set and we're connecting to another peer, we propagate the class. Example: On the listening Bro: redef Remote::destinations += { ["peer-1"] = [$host = 127.0.0.1, $class="ftp", $events = /ftp.*/], ["peer-2"] = [$host = 127.0.0.1, $class="http", $events = /http.*/] }; On peer 1: redef Remote::destinations += { ["master"] = [$host = 127.0.0.1, $class="ftp", $events = /.*/, $connect=T] }; On peer 2: redef Remote::destinations += { ["master"] = [$host = 127.0.0.1, $class="http", $events = /.*/, $connect=T] }; All of these may run on the same host. - A bunch of changes to adu.bro (Christian Kreibich): - New ADU_MAX_DEPTH limits depth (at ADU granularity) into a flow up to which ADUs are reported. - Handles UDP. - New event adu_done(c: connection) signals that no further ADUs will be delivered for a connection. This is useful since adu.bro relies on event connection_state_remove() to remove state, and if a policy using adu.bro likewise uses this event type then event sequencing can cause adu_tx/rx events to occur after connection_state_remove() has been processed. - Now correctly clips ADU to maximum allowed size. (Note, this has been temporarily commented out because it relies on a new string function that has not yet been integrated into the main distribution.) - Now can ignore specific connections dynamically. - TCP content gaps are now recognized and ADU delivery is for now stopped for such flows, unless explicitly requested. - No longer logs to file in test mode. - The new function add_notice_tag() explicitly adds a unique notice tag to a connection's $addl field (Robin Sommer). This is sometimes necessary to ensure that the tag appears in the connection summary. - Bro now performs serialization (such as when checkpointing &persistent tables or communicating them between Bro's) in an incremental fashion, intermingling transfers of large tables with ongoing packet processing (Robin Sommer). Doing so helps avoid packet drops for large items. This has not yet been implemented for the initial handshake done for &synchronized items. - ssl.bro now stores certificates by default in the subdirectory "certs/" (Robin Sommer). - Analysis of weak/unknown ciphersuites in ssl.bro reworked (Holger Dreger). - New cipher for SSL analysis, SSL_CK_RC4_64_WITH_MD5 (Holger Dreger). - load-levels and cpu-adapt now log their adaptations to the log file rather than generating alarms (Robin Sommer). - The default adaptation levels in cpu-adapt have been tweaked for better behavior (Robin Sommer). - A new structure of the event loop (implemented by Robin Sommer) is now enabled during configuration by default (Christian Kreibich). You can revert to the previous structure using --disable-select-loop. - When configuring Bro, the version of pcap that comes with the Bro distribution is no longer used by default (Jason Lee). Instead, the system one is used, or one at the same directory level as Bro. To use the Bro distribution version, configure with --enable-shippedpcap. - backdoor.bro now has comments clarifying that it does not itself alter capture_filters (Vern Paxson). - If you set backdoor_stat_period to 0 sec, then this now turns off the periodic component of backdoor analysis (Holger Dreger). - The filters specified in notice_action_filters now take an additional argument specifying the action that has been determined so far (Robin Sommer). This allows the filter to decide to not change the current action, if it so wishes. - The new event notice_alarm(n: notice_info, action: NoticeAction) is generated for every notice that results in an alarm (Robin Sommer). - Tallying of notices is now done using a notice, which has type NoticeTally (Robin Sommer). - The new notice action filter alarm_always_notice specifies an action of NOTICE_ALARM_ALWAYS (Vern Paxson). - If the watchdog expires and Bro isn't generating a packet trace file, the current packet is saved to "watchdog-pkt.pcap" (Robin Sommer). - New boolean globals tcp_contents_deliver_all_{orig,resp} allow easy requesting of content delivery for all TCP traffic in orig/resp directions (Christian Kreibich). - The new event udp_contents(u: connection, is_orig: bool, contents: string) delivers the contents of UDP packets analogous to tcp_contents (Christian Kreibich). The boolean globals udp_content_deliver_all_{orig,resp} and tables udp_content_delivery_ports_{orig,resp} control for which ports content is delivered, analogous to the globals that control tcp_contents. - New option --set-seed=n sets the random number seed to n (Vern Paxson). - Notices now report current time for remotely-received notices rather than network time (Brian Tierney). - Notices now include a tag es= any time a peer description is defined, not just for remote notices (Robin Sommer). - The global log_as_connection has been removed from icmp.bro, which now only logs ICMP flows via the usual connection logging (Vern Paxson). - The Destination variable $accept_state has been renamed $accept_input to better reflect its meaning (Vern Paxson). - A remote destination's $sync field now indicates whether to accept ongoing state changes from peers, rather than just upon start-up (Robin Sommer). The variable $accept_state controls whether we accept events. - Logging of forms of Bro communication has been unified (Robin Sommer). - Updates for packet filtering documentation (Christian Kreibich). - A new global, stp_skip_src, lists sources that should be skipped for stepping-stone analysis (Vern Paxson). ssh-stepping.bro adds sources to this list if they've instantiated more than src_fanout_no_stp_analysis_thresh connections, keeping them blocked until they've been idle for 15 seconds. - Added a default notice-policy.bro as an example (Brian Tierney). - Expanded on descriptive text in notice-policy.bro (Vern Paxson). - ef removed from aux/hf/, as it's of little use and a headache to maintain for portability (Vern Paxson). - The version of libpcap bundled with the distribution has been elevated to 0.8.3 (Jason Lee). - Bro now compiles again if non-blocking DNS is not available (Robin Sommer). - Resource statistics logging now differentiates between offline processing vs. remote-communication-only (Mark Dedlow and Robin Sommer). - The script variable ICMP::distinct_pairs now times out its state, with a default of 15 minutes after creation (Robin Sommer). - The Bro version reported now includes "-debug" if Bro was configured with --enable-debug (Robin Sommer). - scan.bro now defaults "shut_down_all_scans" to T, meaning it by default detects scans on all ports, not just those in the set shut_down_scans (Vern Paxson). Please note, this variable is misnamed - it should be "detect_all_scans" - but that change is waiting on reworking the basic structure of scan detection. - Major bugfix for signature matcher missing matches on analyzer data (Robin Sommer). For example, a condition "http /foo/" would only have match with the first URL in a connection, not subsequent ones. Fixing this changes the calling sequence of the match_signatures() built-in to take an additional final parameter, "clear", which, if set, resets the matcher to its starting state prior to matching. - Serious bug in regular expression matching - and hence signature engine - fixed (Robin Sommer). - Bug fix for formatting (via fmt()) of very long strings (Vern Paxson). - Fixed mail_reports.sh to correctly find sendmail binary on various systems (Brian Tierney). - Numerous changes to Bro's internal string representation, and more flexibility in how strings are rendered for display (Christian Kreibich). - Pseudo-real-time now can be initialized using an optional argument that corresponds to the degree of time compression (Robin Sommer). For example, --pseudo-realtime=0.5 causes time to advance half as fast as it would in real-time. The default value is 1.0; any value > 0 is allowed. - The SSH analyzer now looks for just linefeeds as line terminators when extracting version strings, rather than carriage-return-line-feeds, to match actual implementations rather than the RFC (suggested by Chema Gonzalez). - Playing back events from files now working again (Robin Sommer). - Bro now uses current_time() rather than network_time to track the modification time of variables, since network_time doesn't advance when only receiving events (Robin Sommer). - Bug fixes for IPv6 support, including processing UDP traffic (which had been completely broken) and subtle interactions (actually, lack thereof) between the connection compressor and IPv6 that could lead to crashes (Vern Paxson). - Portability tweaks for NetBSD, 64-bit Linux SuSe and FreeBSD 5.4 (Christian Kreibich, Jason Lee and Vern Paxson). - Bug fix for IPv6 "::" constants that start with hex digits specified using 0x (Vern Paxson). - Calling the built-in terminate() function twice now has no additional effect (Christian Kreibich). It used to terminate Bro abruptly, without cleanly shutting down. - Removed active.bro; use active_connection() + connection_record() instead (Vern Paxson). - Bro lite reports now work with rotated logs files (Brian Tierney) - Bug fix for conditions such as "payload /^user/", which now work equivalent to "payload /user/" (Robin Sommer). - Tweaks to sensitive patterns in HTTP request URIs to reduce false positives (Brian Tierney). - Bug fixes for strip() built-in function (Holger Dreger). - Memory leak in built-in function to_addr() fixed (Ruoming Pang). - Bug fix for "hot" connections sometimes not having their notice tag appearing in connection summaries (Robin Sommer). - Bug fixes for IRC analysis (Vern Paxson and Robin Sommer). - Syslogging now works if Bro is running in communication-only mode i.e., live, but not reading a network interface (Robin Sommer). - Bug fix to allow tuning of TRW parameters (Vern Paxson). - Bug fixes for SSL analysis (Holger Dreger). - Removed logic that inverted orig/resp in some scans (Vern Paxson). - Lint & memory allocation tweaks (Vern Paxson). - Bug fixes for inactivity timeouts (Robin Sommer). - Bug fix for Bro Lite cron job (Jason Lee). - When binding to a listening port for remote communication fails, the port number is now reported (Robin Sommer). - Some spurious reporting removed from configure output (Jason Lee). - Fix for "weird"'s generated by connection compressor but not recognized at the policy script level (Vern Paxson). - Fixes for detecting content gaps and not matching previously delivered data (Ruoming Pang). - Bug fixes for TCP rewriter (Ruoming Pang). - Bug fixes for crashes in SSL analyzer (Vern Paxson). - Bug fix for avoiding busy-waiting when a communication child dies (Robin Sommer). - Bug fix for BiF's that use 'T' and 'F' in character constants (Vern Paxson). - Memory leak fixes (Robin Sommer, Christian Kreibich, Vern Paxson and Ruoming Pang). - The peer table for inter-Bro communication is now correctly indexed by a peer_id (Robin Sommer). - Bug fix for exchange of initial &synchronized state which could prevent communication from entering main phase (Robin Sommer). - Bug fix for propagating incremented table values derived from a table's &default (Robin Sommer). - Bug fixes for the POP3 analyzer when analyzing non-NUL-terminated strings or bad base64 encodings (Vern Paxson). - Updates for Bro's internal hash functions (Ruoming Pang). - The debug and communication log files now comply with $BRO_LOG_SUFFIX (Robin Sommer). - Some internal debugging additions (Ruoming Pang). - Internal cleanup regarding "const" strings (Ruoming Pang). - A number of casts changed to use modern C++-style pointer casting such as reinterpret_cast and static_cast (Ruoming Pang). - Bug fixes for inter-Bro communication on 64-bit systems (Robin Sommer). - Bug fixes for detecting errors for SSL connections (Robin Sommer). - Potential null pointer dereference fixed (Robin Sommer). - Inter-Bro communication is now more reliable in the presence of errors (Robin Sommer). - Performance enhancement for tracking values whose elements might change (Robin Sommer). - Fixes for peers having differing enum lists (Robin Sommer). This can occur because they're running different scripts and which do different redef +='s to add enum values. - += now works for interval types (Vern Paxson). - Bug fix for exchanging peer descriptions (Robin Sommer). - Bug fix for processing multipart-MIME HTTP messages with content-length headers (Ruoming Pang). - Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer). - Bug fix for propagating increment operations on tables (Robin Sommer). - Bug fixes for files (Robin Sommer): set open time to current time if network time is not initialized; when deserializing files, prevent them from being closed immediately due to reference-counting interaction. - Bug fix to prevent reporting some scans twice (Robin Sommer). - Bug fix for printing enum's (Christian Kreibich). - When not configured with --enable debug, Bro now still accepts (yet ignores) option -B (Robin Sommer). - Serialization enhancements and fixes, including a change of the protocol version number (Robin Sommer). - Bug fix for logging inter-Bro communication (Robin Sommer). - Bug fixes for enumerating attributes and timers (Robin Sommer). - Bug fix for signatures matching first on one side of the connection, and then on the other, being reported twice (Robin Sommer). - Inter-Bro communication now continues to work even when packet processing has been suspended (Robin Sommer). - Fix for running multiple Bro's together in pseudo-realtime (Robin Sommer). - Tweak to print-resources.bro so it can be loaded standalone (Vern Paxson). - Bug fix for &persistent state not being save if Bro wasn't running with an input source (Robin Sommer). - Bug fix for which process ID to check to see if children are still alive (Robin Sommer). - Bug fix for no longer crashing if the expiration function associated with a table deletes the element from the table rather than returning an interval of 0 secs to indicate it should be deleted (Chema Gonzalez). - Bug fix for OutboundTFTP notice: now checks to ensure that not only is the source local, but the destination is not local (Vern Paxson). - Bug fix for a subtle interaction mediated by errno, which could cause a failed read() to later confuse pcap_dispatch() (Chema Gonzalez). - Bug fix for TCP contents assertion checking (Ruoming Pang). - Bug fix for error output on small RPC fragments (Ruoming Pang). - Fix for connection compressor bug in tracking connection history (Robin Sommer). - Bug fix for potential floating point exception in signature engine's resource-profiling code (Robin Sommer). - Bug fix for low-level List data structure when replacing a list element beyond the end of a list (Robin Sommer). - Bug fix in initializing capabilities when setting up communication between Bro peers (Robin Sommer). - A number of connection compressor bug fixes: weird's for spontaneous FINs and RSTs, consistent processing of "connections" that begin with RSTs, correct checksum computations, and weird's printed to stderr if no event handler defined (Robin Sommer). - load_sample_freq is now &redef (Vern Paxson). - Bug fix for backdoor detector incorrectly matching substrings (Vern Paxson). - Bug fix for canceling timers sometimes failing to cancel all of them (Robin Sommer). - Error handling during un-serialization now handled more robustly (Robin Sommer). - Bug fix for division by zero if expensive_profiling_multiple set to zero (Robin Sommer). - Bug fix for connection logs failing to track all of the annotation ($addl) associated with a connection (Vern Paxson). - Portability fix for BinPAC (Ruoming Pang). - Fix to NFS analyzer for missing values in events reporting failed requests (Vern Paxson). - autogen.sh now aborts as soon as one of the tools it invokes fails (Christian Kreibich). - Fixed bug where not having SSL would cause bro to not compile (Jason Lee). - State-holding fix for adu.bro (Christian Kreibich). - A number of configuration tweaks (Craig Leres & Christian Kreibich). - Fix for sig-functions.bro: checks isApache* functions, which ensure that Apache is indeed in the software set before accessing the index (Brian Tierney and Robin Sommer). - Smith-Waterman fixes and test suite script (Christian Kreibich). From salom123 at ok.kz Wed May 17 08:44:48 2006 From: salom123 at ok.kz (salom123 at ok.kz) Date: Wed, 17 May 2006 21:44:48 +0600 Subject: [Bro] Bro output on DARPA data set Message-ID: Hi All, I just wanted to know if someone has run Bro on DARPA 1999 Training week 1 and 2 data (only inside and outside tcpdump files)? The problem is that week 1 does not contain any attacks, but week 2 contains labeled attacks. I am checking the Bro output (alarm.log file) and see none of the labeled attacks... Please, help me to understand the Bro output? May be I am writing somethings wrongly...? Thanks in advance. regards From abhinay at cs.utexas.edu Thu May 18 11:57:56 2006 From: abhinay at cs.utexas.edu (Abhinay Kampasi) Date: Thu, 18 May 2006 13:57:56 -0500 Subject: [Bro] Documentation about List/Queue/HashMap data structures in Bro Message-ID: <446CC3B4.3030904@cs.utexas.edu> Hi, I am writing an anomaly detector using Bro. I have two questions. 1) I am trying to correlate traffic in the two directions of a connection. I am currently using the "DataSent" method of "TCP_Endpoint" class to do some processing when data is sent by an endpoint of a connection. I need to do so for the both the endpoints of a connection in order to correlate traffic in the two directions. Is there any other method that I can use, which gets invoked whenever data flows in either direction of a connection with some indication of whether the data was sent by originator or responder. 2) I need to maintain the different endpoints in some sort of ArrayList/HashMap. I observed that there are already some list/queue implementations in Bro. Where can I find documentation about using these data structures regarding available methods / method parameters, etc. Any help would be greatly appreciated. Thanks and Regards, Abhinay From rpang at cs.princeton.edu Thu May 18 12:15:28 2006 From: rpang at cs.princeton.edu (Ruoming Pang) Date: Thu, 18 May 2006 15:15:28 -0400 Subject: [Bro] Documentation about List/Queue/HashMap data structures in Bro In-Reply-To: <446CC3B4.3030904@cs.utexas.edu> References: <446CC3B4.3030904@cs.utexas.edu> Message-ID: <2D807467-F019-4873-AC46-2CF1229C7AB4@cs.princeton.edu> Hi Abhinay, > 1) I am trying to correlate traffic in the two directions of a > connection. I am currently using the "DataSent" method of > "TCP_Endpoint" > class to do some processing when data is sent by an endpoint of a > connection. For this type of analysis it might be better to write a Bro script instead of adding code directly to the engine. TCP_Endpoint::DataSent() corresponds to the event: event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); Or if you want reassembled contents: event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); > 2) I need to maintain the different endpoints in some sort of > ArrayList/HashMap. I observed that there are already some list/queue > implementations in Bro. Where can I find documentation about using > these > data structures regarding available methods / method parameters, etc. You may use "table" and "set" in the Bro language. Please see scripts under bro/policy/ for examples. Ruoming From MWeisbrod at its.ucsf.edu Fri May 19 16:11:36 2006 From: MWeisbrod at its.ucsf.edu (Weisbrod, Marc) Date: Fri, 19 May 2006 16:11:36 -0700 Subject: [Bro] Release 1.1 - Site Report. Message-ID: <84AB0D137E1C404DAF16B621C46701AA01C440B2@EXVS05.net.ucsf.edu> All, I just upgraded from 1.0 to the new 1.1 version. Since doing so, the daily site report now does not contain any data. My log files are still growing and Bro is check pointing successfully at night and running only one instance. Is any one else seeing that behavior? Marc From bltierney at lbl.gov Fri May 19 16:54:50 2006 From: bltierney at lbl.gov (Brian Tierney) Date: Fri, 19 May 2006 16:54:50 -0700 Subject: [Bro] Release 1.1 - Site Report. In-Reply-To: <84AB0D137E1C404DAF16B621C46701AA01C440B2@EXVS05.net.ucsf.edu> References: <84AB0D137E1C404DAF16B621C46701AA01C440B2@EXVS05.net.ucsf.edu> Message-ID: <446E5ACA.4050507@lbl.gov> Did you also do a 'make install-brolite'? That is needed to update some perl modules to deal with rotated file names for the reports. Also, in the new 1.1 release the default "brolite" behavior is to only checkpoint once/week and to enable "rotate-logs" every 24 hrs. However if you are upgrading from an earlier version, your crontab will not be modified, so you may want to change your crontab by hand to only checkpoint once / week. Weisbrod, Marc wrote: > All, > > I just upgraded from 1.0 to the new 1.1 version. Since doing so, the > daily site report now does not contain any data. My log files are > still growing and Bro is check pointing successfully at night and > running only one instance. > > Is any one else seeing that behavior? > > Marc > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -- ------------------------------------------------------------------------ Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL) 1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720 tel: 510-486-7381 fax: 510-495-2998 efax: 603-719-5047 bltierney at lbl.gov http://www-didc.lbl.gov/~tierney ------------------------------------------------------------------------ From darkxer05 at yahoo.com Mon May 22 00:24:22 2006 From: darkxer05 at yahoo.com (Lee Sheng) Date: Mon, 22 May 2006 00:24:22 -0700 (PDT) Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: Message-ID: <20060522072422.22637.qmail@web53911.mail.yahoo.com> Hi all, I previously run bro 0.9 on OpenBSD, everything is compiled correctly, however when I compile 1.1, I get this error source='smb_pac.cc' object='smb_pac.o' libtool=no depfile='.deps/smb_pac.Po' tm pdepfile='.deps/smb_pac.TPo' depmode=gcc3 /bin/sh ../depcomp g++ -DHAVE_CONFIG _H -I. -I. -I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I/usr/includ e -O -W -Wall -Wno-unused -I/usr/include -g -O2 -I/usr/include -c -o smb_pac.o `test -f smb_pac.cc || echo './'`smb_pac.cc source='main.cc' object='main.o' libtool=no depfile='.deps/main.Po' tmpdepfile= '.deps/main.TPo' depmode=gcc3 /bin/sh ../depcomp g++ -DHAVE_CONFIG_H -I. -I. - I.. -I. -I../src/binpac -I../src -I. -I.. -Ilibedit -I/usr/include -O -W -Wal l -Wno-unused -I/usr/include -g -O2 -I/usr/include -c -o main.o `test -f main.c c || echo './'`main.cc In file included from Sessions.h:28, from RuleMatcher.h:12, from main.cc:59: ARP.h:28:26: net/ethernet.h: No such file or directory *** Error code 1 Stop in /nsm/addon-software/bro-1.1/src. *** Error code 1 Stop in /nsm/addon-software/bro-1.1/src (line 1112 of Makefile). *** Error code 1 Stop in /nsm/addon-software/bro-1.1/src (line 867 of Makefile). *** Error code 1 Stop in /nsm/addon-software/bro-1.1 (line 214 of Makefile). *** Error code 1 Stop in /nsm/addon-software/bro-1.1 (line 129 of Makefile). I don't know how to solve this error, anyone who run bro on OpenBSD might help? Thanks. --------------------------------- Sneak preview the all-new Yahoo.com. It's not radically different. Just radically better. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060522/8d65f87d/attachment.html From christian at whoop.org Mon May 22 08:13:05 2006 From: christian at whoop.org (Christian Kreibich) Date: Mon, 22 May 2006 16:13:05 +0100 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060522072422.22637.qmail@web53911.mail.yahoo.com> References: <20060522072422.22637.qmail@web53911.mail.yahoo.com> Message-ID: <1148310786.3961.33.camel@strangepork> On Mon, 2006-05-22 at 00:24 -0700, Lee Sheng wrote: > Hi all, > > I previously run bro 0.9 on OpenBSD, everything is compiled correctly, > however when I compile 1.1, I get this error Hi Lee, I can confirm this. Arrrrrrrgh OpenBSD. The ARP issue is just a matter of figuring out the right headers, but there are more issues later in the build. We'll let get back to you. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From Stephan at rheoli.net Tue May 23 01:27:19 2006 From: Stephan at rheoli.net (Stephan) Date: Tue, 23 May 2006 10:27:19 +0200 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <1148310786.3961.33.camel@strangepork> References: <20060522072422.22637.qmail@web53911.mail.yahoo.com> <1148310786.3961.33.camel@strangepork> Message-ID: <20060523082719.GA10067@rheoli.net> On Mon, May 22, 2006 at 04:13:05PM +0100, Christian Kreibich wrote: > On Mon, 2006-05-22 at 00:24 -0700, Lee Sheng wrote: > > Hi all, > > > > I previously run bro 0.9 on OpenBSD, everything is compiled correctly, > > however when I compile 1.1, I get this error > > Hi Lee, > > I can confirm this. Arrrrrrrgh OpenBSD. The ARP issue is just a matter > of figuring out the right headers, but there are more issues later in > the build. We'll let get back to you. > > Cheers, > Christian. > -- After patching the src/ files with the attached diff's bro-1.1 compiles fine on OpenBSD-sparc64 but as soon as I'm starting bro with # bin/bro -i ... mt the following error occures: """ policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near "is_local_addr" """ -> site.bro is @load'ed. -Stephan P.S.: More or less the sames patches are needed for my Solaris 8 but after the compilation bro core dump during startup. -------------- next part -------------- --- ARP.h.orig Mon May 22 16:48:23 2006 +++ ARP.h Mon May 22 17:00:41 2006 @@ -25,7 +25,7 @@ #include #include #include -#include +#include #ifndef arp_pkthdr #define arp_pkthdr arphdr -------------- next part -------------- --- DNS_Mgr.cc.orig Tue May 23 10:02:50 2006 +++ DNS_Mgr.cc Tue May 23 10:04:29 2006 @@ -930,7 +930,11 @@ void DNS_Mgr::GetFds(int* read, int* write, int* except) { +#ifdef HAVE_NB_DNS *read = nb_dns_fd(nb_dns); +#else + *read = -1; +#endif } double DNS_Mgr::NextTimestamp() @@ -1004,7 +1008,11 @@ int DNS_Mgr::AnswerAvailable(int timeout) { +#ifdef HAVE_NB_DNS int fd = nb_dns_fd(nb_dns); +#else + int fd = -1; +#endif if ( fd < 0 ) internal_error("nb_dns_fd() failed in DNS_Mgr::WaitForReplies"); -------------- next part -------------- --- TCP_Rewriter.cc.orig Tue May 23 09:34:54 2006 +++ TCP_Rewriter.cc Tue May 23 09:36:13 2006 @@ -50,9 +50,9 @@ static IP_IDSet* ip_id_set = 0; // pairs in the output trace int num_packets_held, num_packets_cleaned; -static struct timeval double_to_timeval(double t) +static struct bpf_timeval double_to_timeval(double t) { - struct timeval tv; + struct bpf_timeval tv; double t1 = floor(t); tv.tv_sec = int(t1); From jp.luiggi at free.fr Tue May 23 13:53:39 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Tue, 23 May 2006 16:53:39 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <1148310786.3961.33.camel@strangepork> References: <20060522072422.22637.qmail@web53911.mail.yahoo.com> <1148310786.3961.33.camel@strangepork> Message-ID: <20060523205339.GA3922@armada.mynetwork.local> Hello all, Christian, Open isn't so bad.... :-)) === Beside of this, while playing with the new release i too run into the problem Lee is talking about. To solve the problem with ARP.h, we just need to include/use : #include , i guess using an #ifdef (HAVE_OPENBSD) should be a solution. So the question is : is this definition directly available upon running ./configure ? === Another thing i'm working into is the non blocking DNS. I discovered using the following OpenBSD's package (considering the 3.9 release) : libbind-9.2.3p1 BIND 8 compatible stub resolver library should give us the various ns_... definition. I'm now fighting with "m4" in order to implement something as --with-bind-lib= --with-bind-includes= into configure.am, should this sound right ? Thank you. Best regards. On Mon, May 22, 2006 at 04:13:05PM +0100, Christian Kreibich wrote: > On Mon, 2006-05-22 at 00:24 -0700, Lee Sheng wrote: > > Hi all, > > > > I previously run bro 0.9 on OpenBSD, everything is compiled correctly, > > however when I compile 1.1, I get this error > > Hi Lee, > > I can confirm this. Arrrrrrrgh OpenBSD. The ARP issue is just a matter > of figuring out the right headers, but there are more issues later in > the build. We'll let get back to you. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From christian at whoop.org Wed May 24 04:30:58 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 24 May 2006 12:30:58 +0100 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060523205339.GA3922@armada.mynetwork.local> References: <20060522072422.22637.qmail@web53911.mail.yahoo.com> <1148310786.3961.33.camel@strangepork> <20060523205339.GA3922@armada.mynetwork.local> Message-ID: <1148470258.5459.34.camel@strangepork> On Tue, 2006-05-23 at 16:53 -0400, Jean-Philippe Luiggi wrote: > Hello all, > > Christian, Open isn't so bad.... :-)) I'm not going to comment on the quality of the OS, but it sure as hell is regularly causing me build headaches! > === > > Beside of this, while playing with the new release i too run into the problem > Lee is talking about. > > To solve the problem with ARP.h, we just need to include/use : > #include , Ah, but that is available neither on Linux, nor on FreeBSD, nor MacOS. I got it to work using this instead: --- ARP.h 20 Dec 2005 00:48:12 -0000 1.3 +++ ARP.h 22 May 2006 15:11:16 -0000 @@ -24,8 +24,10 @@ #include #include +#include +#include #include -#include +#include I was hoping that'd be portable enough so we can do without an ifdef, but haven't tried the other platforms yet. > i guess using an #ifdef (HAVE_OPENBSD) should > be a solution. Yeah, if we have to. > So the question is : is this definition directly available upon running > ./configure ? Sure, look at configure.in, most of that stuff is checked for already. It's just a matter of translating it down into the code with the least amount of clutter. > Another thing i'm working into is the non blocking DNS. I discovered using So non-blocking DNS in Bro is actually currently broken on OpenBSD? > the following OpenBSD's package (considering the 3.9 release) : > > libbind-9.2.3p1 BIND 8 compatible stub resolver library > > should give us the various ns_... definition. I'm now fighting with > "m4" in order to implement something as > > --with-bind-lib= > --with-bind-includes= > > into configure.am, should this sound right ? Yeah, though I don't think you need to fight at the m4 level but rather at the level of what autoconf already gives you (like AC_LINK_IFELSE). Thanks for your efforts! Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jp.luiggi at free.fr Wed May 24 06:17:00 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Wed, 24 May 2006 09:17:00 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <1148470258.5459.34.camel@strangepork> References: <20060522072422.22637.qmail@web53911.mail.yahoo.com> <1148310786.3961.33.camel@strangepork> <20060523205339.GA3922@armada.mynetwork.local> <1148470258.5459.34.camel@strangepork> Message-ID: <20060524131700.GA20425@armada.mynetwork.local> Hello, On Wed, May 24, 2006 at 12:30:58PM +0100, Christian Kreibich wrote: > > Christian, Open isn't so bad.... :-)) > > I'm not going to comment on the quality of the OS, but it sure as hell > is regularly causing me build headaches! You're right, i've the same problem from time to time... :-) > > Beside of this, while playing with the new release i too run into the problem > > Lee is talking about. > > > > To solve the problem with ARP.h, we just need to include/use : > > #include , > > Ah, but that is available neither on Linux, nor on FreeBSD, nor MacOS. I > got it to work using this instead: > > --- ARP.h 20 Dec 2005 00:48:12 -0000 1.3 > +++ ARP.h 22 May 2006 15:11:16 -0000 > @@ -24,8 +24,10 @@ > > #include > #include > +#include > +#include > #include > -#include > +#include > > I was hoping that'd be portable enough so we can do without an ifdef, > but haven't tried the other platforms yet. That's right, i'll use it. > > So the question is : is this definition directly available upon running > > ./configure ? > > Sure, look at configure.in, most of that stuff is checked for already. > It's just a matter of translating it down into the code with the least > amount of clutter. Ok. > > Another thing i'm working into is the non blocking DNS. I discovered using > > So non-blocking DNS in Bro is actually currently broken on OpenBSD? I may be wrong but i don't think it ever worked ? Without the package i'm talking about, we don't have the correct definitions. > > the following OpenBSD's package (considering the 3.9 release) : > > > > libbind-9.2.3p1 BIND 8 compatible stub resolver library > > > > should give us the various ns_... definition. I'm now fighting with > > "m4" in order to implement something as > > > > --with-bind-lib= > > --with-bind-includes= > > > > into configure.am, should this sound right ? > > Yeah, though I don't think you need to fight at the m4 level but rather > at the level of what autoconf already gives you (like AC_LINK_IFELSE). Ok, i'll check here. > Thanks for your efforts! Just normal considering the whole effort of all. Best regards. > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From darkxer05 at yahoo.com Wed May 24 06:42:00 2006 From: darkxer05 at yahoo.com (Lee Sheng) Date: Wed, 24 May 2006 06:42:00 -0700 (PDT) Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060523205339.GA3922@armada.mynetwork.local> Message-ID: <20060524134200.77459.qmail@web53901.mail.yahoo.com> Hi, I have applied the diff and seems stuck somewhere though, may I know what kind of flags been used for configure and do you guy use gmake instead of make. Here's the stuck - net_util.o(.text+0x2ee): In function `dotted_net(unsigned)': /nsm/addon-software/bro-1.1/src/net_util.cc:225: warning: sprintf() is often mis used, please use snprintf() main.o(.text+0xb7a): In function `main': /nsm/addon-software/bro-1.1/src/main.cc:482: warning: strcat() is almost always misused, please use strlcat() DNS_Mgr.o(.text+0x2e9c): In function `DNS_Mgr::GetFds(int*, int*, int*)': /nsm/addon-software/bro-1.1/src/DNS_Mgr.cc:933: undefined reference to `nb_dns_f d' DNS_Mgr.o(.text+0x2efe): In function `DNS_Mgr::AnswerAvailable(int)': /nsm/addon-software/bro-1.1/src/DNS_Mgr.cc:1007: undefined reference to `nb_dns_ fd' collect2: ld returned 1 exit status gmake[4]: *** [bro] Error 1 gmake[4]: Leaving directory `/nsm/addon-software/bro-1.1/src' gmake[3]: *** [all-recursive] Error 1 gmake[3]: Leaving directory `/nsm/addon-software/bro-1.1/src' gmake[2]: *** [all] Error 2 gmake[2]: Leaving directory `/nsm/addon-software/bro-1.1/src' gmake[1]: *** [all-recursive] Error 1 gmake[1]: Leaving directory `/nsm/addon-software/bro-1.1' gmake: *** [all] Error 2 Thanks for putting effort to solve the issue. Jean-Philippe Luiggi wrote: Hello all, Christian, Open isn't so bad.... :-)) === Beside of this, while playing with the new release i too run into the problem Lee is talking about. To solve the problem with ARP.h, we just need to include/use : #include , i guess using an #ifdef (HAVE_OPENBSD) should be a solution. So the question is : is this definition directly available upon running ./configure ? === Another thing i'm working into is the non blocking DNS. I discovered using the following OpenBSD's package (considering the 3.9 release) : libbind-9.2.3p1 BIND 8 compatible stub resolver library should give us the various ns_... definition. I'm now fighting with "m4" in order to implement something as --with-bind-lib= --with-bind-includes= into configure.am, should this sound right ? Thank you. Best regards. On Mon, May 22, 2006 at 04:13:05PM +0100, Christian Kreibich wrote: > On Mon, 2006-05-22 at 00:24 -0700, Lee Sheng wrote: > > Hi all, > > > > I previously run bro 0.9 on OpenBSD, everything is compiled correctly, > > however when I compile 1.1, I get this error > > Hi Lee, > > I can confirm this. Arrrrrrrgh OpenBSD. The ARP issue is just a matter > of figuring out the right headers, but there are more issues later in > the build. We'll let get back to you. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro --------------------------------- New Yahoo! Messenger with Voice. Call regular phones from your PC and save big. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060524/3f22c3a3/attachment.html From christian at whoop.org Wed May 24 12:18:47 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 24 May 2006 20:18:47 +0100 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060524134200.77459.qmail@web53901.mail.yahoo.com> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> Message-ID: <1148498327.5459.98.camel@strangepork> On Wed, 2006-05-24 at 06:42 -0700, Lee Sheng wrote: > Hi, > > I have applied the diff and seems stuck somewhere though, may I know > what kind of flags been used for configure and do you guy use gmake > instead of make. Hi -- you've just bumped into exactly the issue Jean-Phillipe points out. I wasn't aware of the non-blocking DNS issues on OpenBSD. Regarding gmake: you should never need that for the normal build. The only situation in which you might currently need gmake is when you run make distcheck, and then only with older automake/autoconf setups. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From salom123 at ok.kz Thu May 25 01:32:06 2006 From: salom123 at ok.kz (salom123 at ok.kz) Date: Thu, 25 May 2006 14:32:06 +0600 Subject: [Bro] file is too large Message-ID: Hi all, I am trying to run Bro offline on files bigger than 2 GB. It does nothing, except saying "File is too large". Has anyone encountered the same problem? Is there any way of getting Bro to read files bigger than 2 GB? Thanks in advance. regards From christian at whoop.org Thu May 25 03:48:41 2006 From: christian at whoop.org (Christian Kreibich) Date: Thu, 25 May 2006 11:48:41 +0100 Subject: [Bro] file is too large In-Reply-To: References: Message-ID: <1148554122.2694.13.camel@strangepork> Hi, what platform is this on, and what release? 1.1 does configure large file support. Look for the following output in your configure run: checking for _FILE_OFFSET_BITS value needed for large files... 64 checking for _LARGE_FILES value needed for large files... no If it does not work despite the presence of those, we may not be using large-file enabled operations in all places. On Thu, 2006-05-25 at 14:32 +0600, salom123 at ok.kz wrote: > Hi all, > > I am trying to run Bro offline on files bigger than 2 GB. It does > nothing, except saying "File is too large". Has anyone encountered the > same problem? Is there any way of getting Bro to read files bigger > than 2 GB? Thanks in advance. > > regards Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From christian at whoop.org Thu May 25 03:56:50 2006 From: christian at whoop.org (Christian Kreibich) Date: Thu, 25 May 2006 11:56:50 +0100 Subject: [Bro] file is too large In-Reply-To: <1148554122.2694.13.camel@strangepork> References: <1148554122.2694.13.camel@strangepork> Message-ID: <1148554611.2694.20.camel@strangepork> On Thu, 2006-05-25 at 11:48 +0100, Christian Kreibich wrote: > Hi, > > what platform is this on, and what release? 1.1 does configure large > file support. Look for the following output in your configure run: > > checking for _FILE_OFFSET_BITS value needed for large files... 64 > checking for _LARGE_FILES value needed for large files... no > > If it does not work despite the presence of those, we may not be using > large-file enabled operations in all places. ps: note that if this message comes up from pcap then it might be the case that your pcap library cannot handle large files. See e.g. http://mailman.icsi.berkeley.edu/pipermail/bro/2006-March/002343.html > On Thu, 2006-05-25 at 14:32 +0600, salom123 at ok.kz wrote: > > Hi all, > > > > I am trying to run Bro offline on files bigger than 2 GB. It does > > nothing, except saying "File is too large". Has anyone encountered the > > same problem? Is there any way of getting Bro to read files bigger > > than 2 GB? Thanks in advance. > > > > regards Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jp.luiggi at free.fr Thu May 25 06:31:14 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Thu, 25 May 2006 09:31:14 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060524134200.77459.qmail@web53901.mail.yahoo.com> References: <20060523205339.GA3922@armada.mynetwork.local> <20060524134200.77459.qmail@web53901.mail.yahoo.com> Message-ID: <20060525133114.GA27075@armada.mynetwork.local> Hello Lee, It's just normal as OpenBSD doesn't support (yet) non blocking DNS. I'm working on the topic in order to solve this problem. Best regards. On Wed, May 24, 2006 at 06:42:00AM -0700, Lee Sheng wrote: > Hi, > > I have applied the diff and seems stuck somewhere though, may I know what kind of flags been used for configure and do you guy use gmake instead of make. > > Here's the stuck - > > net_util.o(.text+0x2ee): In function `dotted_net(unsigned)': > /nsm/addon-software/bro-1.1/src/net_util.cc:225: warning: sprintf() is often mis used, please use snprintf() > main.o(.text+0xb7a): In function `main': > /nsm/addon-software/bro-1.1/src/main.cc:482: warning: strcat() is almost always misused, please use strlcat() > DNS_Mgr.o(.text+0x2e9c): In function `DNS_Mgr::GetFds(int*, int*, int*)': > /nsm/addon-software/bro-1.1/src/DNS_Mgr.cc:933: undefined reference to `nb_dns_f d' > DNS_Mgr.o(.text+0x2efe): In function `DNS_Mgr::AnswerAvailable(int)': > /nsm/addon-software/bro-1.1/src/DNS_Mgr.cc:1007: undefined reference to `nb_dns_ fd' > collect2: ld returned 1 exit status > gmake[4]: *** [bro] Error 1 > gmake[4]: Leaving directory `/nsm/addon-software/bro-1.1/src' > gmake[3]: *** [all-recursive] Error 1 > gmake[3]: Leaving directory `/nsm/addon-software/bro-1.1/src' > gmake[2]: *** [all] Error 2 > gmake[2]: Leaving directory `/nsm/addon-software/bro-1.1/src' > gmake[1]: *** [all-recursive] Error 1 > gmake[1]: Leaving directory `/nsm/addon-software/bro-1.1' > gmake: *** [all] Error 2 > > Thanks for putting effort to solve the issue. > > > Jean-Philippe Luiggi wrote: Hello all, > > Christian, Open isn't so bad.... :-)) > > === > > Beside of this, while playing with the new release i too run into the problem > Lee is talking about. > > To solve the problem with ARP.h, we just need to include/use : > #include , i guess using an #ifdef (HAVE_OPENBSD) should > be a solution. > So the question is : is this definition directly available upon running > ./configure ? > > === > > Another thing i'm working into is the non blocking DNS. I discovered using > the following OpenBSD's package (considering the 3.9 release) : > > libbind-9.2.3p1 BIND 8 compatible stub resolver library > > should give us the various ns_... definition. I'm now fighting with > "m4" in order to implement something as > > --with-bind-lib= > --with-bind-includes= > > into configure.am, should this sound right ? > > Thank you. > > Best regards. > > > > > On Mon, May 22, 2006 at 04:13:05PM +0100, Christian Kreibich wrote: > > On Mon, 2006-05-22 at 00:24 -0700, Lee Sheng wrote: > > > Hi all, > > > > > > I previously run bro 0.9 on OpenBSD, everything is compiled correctly, > > > however when I compile 1.1, I get this error > > > > Hi Lee, > > > > I can confirm this. Arrrrrrrgh OpenBSD. The ARP issue is just a matter > > of figuring out the right headers, but there are more issues later in > > the build. We'll let get back to you. > > > > Cheers, > > Christian. > > -- > > ________________________________________________________________________ > > http://www.cl.cam.ac.uk/~cpk25 > > http://www.whoop.org > > > > _______________________________________________ > > Bro mailing list > > bro at bro-ids.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > > > --------------------------------- > New Yahoo! Messenger with Voice. Call regular phones from your PC and save big. > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From jp.luiggi at free.fr Thu May 25 06:42:12 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Thu, 25 May 2006 09:42:12 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <1148498327.5459.98.camel@strangepork> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> Message-ID: <20060525134212.GB27075@armada.mynetwork.local> Hello, The previous version (1.0) worked perfectly without non blocking DNS and now we've two options : - Make change into the various ".c" with the help of "#ifdef HAVE_NB_DNS" as Stephan did (see a previous mail) in order to exclude the offending functions to ever been used with OpenBSD. - Install/Use the non blocking DNS library (with the package i talked about) and make change into ./configure in order to specify the place where the various definitions needed are. Note that i prefer the second one even if it requires more job. Best regards. On Wed, May 24, 2006 at 08:18:47PM +0100, Christian Kreibich wrote: > On Wed, 2006-05-24 at 06:42 -0700, Lee Sheng wrote: > > Hi, > > > > I have applied the diff and seems stuck somewhere though, may I know > > what kind of flags been used for configure and do you guy use gmake > > instead of make. > > Hi -- you've just bumped into exactly the issue Jean-Phillipe points > out. I wasn't aware of the non-blocking DNS issues on OpenBSD. > > Regarding gmake: you should never need that for the normal build. The > only situation in which you might currently need gmake is when you run > make distcheck, and then only with older automake/autoconf setups. > > Cheers, > Christian. > -- > ________________________________________________________________________ > http://www.cl.cam.ac.uk/~cpk25 > http://www.whoop.org > From christian at whoop.org Thu May 25 06:51:02 2006 From: christian at whoop.org (Christian Kreibich) Date: Thu, 25 May 2006 14:51:02 +0100 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060525134212.GB27075@armada.mynetwork.local> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> <20060525134212.GB27075@armada.mynetwork.local> Message-ID: <1148565062.2694.39.camel@strangepork> Hi, On Thu, 2006-05-25 at 09:42 -0400, Jean-Philippe Luiggi wrote: > Hello, > > The previous version (1.0) worked perfectly without non blocking DNS > and now we've two options : > > - Make change into the various ".c" with the help of "#ifdef HAVE_NB_DNS" > as Stephan did (see a previous mail) in order to exclude the offending > functions to ever been used with OpenBSD. HAVE_NB_DNS is exactly what we're still doing in 1.1, but the fact that the build bombs on OpenBSD means that our configure check is somehow broken since it thinks that non-blocking DNS lookups (nbDNS) support is available while actually it isn't. Things should certainly still build even if support for nbDNS is not available. > - Install/Use the non blocking DNS library (with the package i talked about) > and make change into ./configure in order to specify the place where > the various definitions needed are. > > Note that i prefer the second one even if it requires more job. Note that these options are not mutually exclusive. Configuration and build should complete if nbDNS is not available, while allowing you to specify any additional libraries/headers for getting this functionality via configure flags. We currently do some hard-coded guesswork to figure out the nbDNS setting in configure, and it appears that we need more flexibility there. Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org From jp.luiggi at free.fr Thu May 25 12:55:25 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Thu, 25 May 2006 15:55:25 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <1148565062.2694.39.camel@strangepork> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> <20060525134212.GB27075@armada.mynetwork.local> <1148565062.2694.39.camel@strangepork> Message-ID: <20060525195525.GA32429@armada.mynetwork.local> Hello, On Thu, May 25, 2006 at 02:51:02PM +0100, Christian Kreibich wrote: > Hi, > > > - Make change into the various ".c" with the help of "#ifdef HAVE_NB_DNS" > > as Stephan did (see a previous mail) in order to exclude the offending > > functions to ever been used with OpenBSD. > > HAVE_NB_DNS is exactly what we're still doing in 1.1, but the fact that > the build bombs on OpenBSD means that our configure check is somehow > broken since it thinks that non-blocking DNS lookups (nbDNS) support is > available while actually it isn't. Things should certainly still build > even if support for nbDNS is not available. I think you point out the problem with the "configure". :-) > > - Install/Use the non blocking DNS library (with the package i talked about) > > and make change into ./configure in order to specify the place where > > the various definitions needed are. > > > > Note that i prefer the second one even if it requires more job. > > Note that these options are not mutually exclusive. Configuration and > build should complete if nbDNS is not available, while allowing you to > specify any additional libraries/headers for getting this functionality > via configure flags. Yes, i just thought about this solution upon my last post . With this, we still could use OpenBSD with/without non blocking DNS. > We currently do some hard-coded guesswork to figure out the nbDNS > setting in configure, and it appears that we need more flexibility > there. Sounds like good. I'm now trying to figure out how using correctly the non blocking DNS library given by the OpenBSD bind's package. Best regards. From Stephan at rheoli.net Fri May 26 02:18:09 2006 From: Stephan at rheoli.net (Stephan) Date: Fri, 26 May 2006 11:18:09 +0200 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060525195525.GA32429@armada.mynetwork.local> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> <20060525134212.GB27075@armada.mynetwork.local> <1148565062.2694.39.camel@strangepork> <20060525195525.GA32429@armada.mynetwork.local> Message-ID: <20060526091809.GA16041@rheoli.net> Hello, On Thu, May 25, 2006 at 03:55:25PM -0400, Jean-Philippe Luiggi wrote: > Hello, > ... > Sounds like good. > I'm now trying to figure out how using correctly the non blocking > DNS library given by the OpenBSD bind's package. > > Best regards. > One way to build bro with non-blocking DNS lib without changing configure is to install libbind (from /usr/ports/net/libbind) set CFLAGS and LDFLAGS: - $ export CFLAGS=-I/usr/local/bind/include - $ export LDFLAGS=-L/usr/local/lib Then you can use the normal ./configure (with non-blocking DNS). But you get the following warning (looks like that some funktions are double-defined): ==== $ sudo bin/bro -i if1 mt bin/bro:/usr/lib/libc.so.39.0: bin/bro : WARNING: symbol(_res) size mismatch, relink your program bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size mismatch, relink your program bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size mismatch, relink your program policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near "is_local_addr" $ ==== The polixy/hot.bro script error occurs with/without non-blocking DNS. Best regards, Stephan From jp.luiggi at free.fr Fri May 26 08:19:00 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Fri, 26 May 2006 11:19:00 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060526091809.GA16041@rheoli.net> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> <20060525134212.GB27075@armada.mynetwork.local> <1148565062.2694.39.camel@strangepork> <20060525195525.GA32429@armada.mynetwork.local> <20060526091809.GA16041@rheoli.net> Message-ID: <20060526151900.GA24527@armada.mynetwork.local> Hello, On Fri, May 26, 2006 at 11:18:09AM +0200, Stephan wrote: > Hello, > > > I'm now trying to figure out how using correctly the non blocking > > DNS library given by the OpenBSD bind's package. > > > > Best regards. > > > > One way to build bro with non-blocking DNS lib without changing configure is to install libbind (from /usr/ports/net/libbind) set CFLAGS and LDFLAGS: > - $ export CFLAGS=-I/usr/local/bind/include > - $ export LDFLAGS=-L/usr/local/lib > Then you can use the normal ./configure (with non-blocking DNS). That's fine but here and "obviously" : ==== # export CFLAGS=-I/usr/local/bind/include # export LDFLAGS=-L/usr/local/lib # ./configure --prefix=/opt/share/bro-1.1; make checking build system type... i386-unknown-openbsd3.9 . . . Making all in test source='broping.c' object='broping.o' libtool=no depfile='.deps/broping.Po' tmpdepfile='.deps/broping.TPo' depmode=gcc3 /bin/sh ../depcomp gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../src -W -Wall -Wno-unused -I/usr/local/bind/include -c test -f broping.c || echo './'broping.c /bin/sh ../libtool --mode=link gcc -I/usr/local/bind/include -L/usr/local/lib -o broping broping.o ../src/.libs/libbroccoli.a -lssl -lcrypto gcc -I/usr/local/bind/include -L/usr/local/lib -o broping broping.o ../src/.libs/libbroccoli.a -lssl -lcrypto ../src/.libs/libbroccoli.a(bro.o)(.text+0xd43): In function bro_conn_new': : undefined reference to __inet_ntoa' collect2: ld returned 1 exit status *** Error code 1 ==== This is strange (as the following warnings). Without the two "export", all went smoothly. > bin/bro:/usr/lib/libc.so.39.0: bin/bro : WARNING: symbol(_res) size mismatch, relink your program > bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size mismatch, relink your program > bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size mismatch, relink your program > policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near "is_local_addr" > $ > ==== > The polixy/hot.bro script error occurs with/without non-blocking DNS. > I think we've to look deeper inside these points. Thank you again Best regards. From jp.luiggi at free.fr Fri May 26 11:39:26 2006 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Fri, 26 May 2006 14:39:26 -0400 Subject: [Bro] OpenBSD bro-1.1 In-Reply-To: <20060526091809.GA16041@rheoli.net> References: <20060524134200.77459.qmail@web53901.mail.yahoo.com> <1148498327.5459.98.camel@strangepork> <20060525134212.GB27075@armada.mynetwork.local> <1148565062.2694.39.camel@strangepork> <20060525195525.GA32429@armada.mynetwork.local> <20060526091809.GA16041@rheoli.net> Message-ID: <20060526183926.GA18323@armada.mynetwork.local> Hello, On Fri, May 26, 2006 at 11:18:09AM +0200, Stephan wrote: > Hello, > > > I'm now trying to figure out how using correctly the non blocking > > DNS library given by the OpenBSD bind's package. > > > > Best regards. > > > > One way to build bro with non-blocking DNS lib without changing configure is to install libbind (from /usr/ports/net/libbind) set CFLAGS and LDFLAGS: > - $ export CFLAGS=-I/usr/local/bind/include > - $ export LDFLAGS=-L/usr/local/lib > Then you can use the normal ./configure (with non-blocking DNS). That's fine but here and "obviously" : ==== # export CFLAGS=-I/usr/local/bind/include # export LDFLAGS=-L/usr/local/lib # ./configure --prefix=/opt/share/bro-1.1; make checking build system type... i386-unknown-openbsd3.9 . . . Making all in test source='broping.c' object='broping.o' libtool=no depfile='.deps/broping.Po' tmpdepfile='.deps/broping.TPo' depmode=gcc3 /bin/sh ../depcomp gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../src -W -Wall -Wno-unused -I/usr/local/bind/include -c test -f broping.c || echo './'broping.c /bin/sh ../libtool --mode=link gcc -I/usr/local/bind/include -L/usr/local/lib -o broping broping.o ../src/.libs/libbroccoli.a -lssl -lcrypto gcc -I/usr/local/bind/include -L/usr/local/lib -o broping broping.o ../src/.libs/libbroccoli.a -lssl -lcrypto ../src/.libs/libbroccoli.a(bro.o)(.text+0xd43): In function bro_conn_new': : undefined reference to __inet_ntoa' collect2: ld returned 1 exit status *** Error code 1 ==== This is strange (as the following warnings). Without the two "export", all went smoothly. > bin/bro:/usr/lib/libc.so.39.0: bin/bro : WARNING: symbol(_res) size mismatch, relink your program > bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size mismatch, relink your program > bin/bro:/usr/lib/libc.so.39.0: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size mismatch, relink your program > policy/hot.bro, line 78: error: unknown identifier is_local_addr, at or near "is_local_addr" > $ > ==== > The polixy/hot.bro script error occurs with/without non-blocking DNS. > I think we've to look deeper inside these points. Thank you again Best regards. From MWeisbrod at its.ucsf.edu Fri May 26 14:37:50 2006 From: MWeisbrod at its.ucsf.edu (Weisbrod, Marc) Date: Fri, 26 May 2006 14:37:50 -0700 Subject: [Bro] Time Machine Message-ID: <84AB0D137E1C404DAF16B621C46701AA01C440FE@EXVS05.net.ucsf.edu> All, I am working with the time machine and I getting logs (tm.log) but I am not seeing IP data being written to the disk. My tm.conf file looks like this: main { logfile "tm.log"; workdir "/data/tmp"; log_interval 10; device "em2"; # read_tracefile "trace.pcap"; filter "net 128.218.0.0/16"; # bro_connect_str "localhost:47757"; console 0; max_index_entries 50000; conn_timeout 1800; } class "tcp" { filter "tcp"; precedence 5; cutoff 10k; disk 700g; filesize 100m; mem 10M; pkts_to_disk 2; } class "udp" { filter "udp"; precedence 5; cutoff 10k; disk 500g; mem 10m; } The output of the tm.log file is similar to this: 191 476 429936 4056 79191 476 1148677908.887460 0 0 0.000000 1148679239.066095 stats_indexes: 209 ip index nodes 244 port index nodes 291 connection index nodes 1148679239.066137 stats_conns: 254 conns 1148679239.066206 stats_queries: 0 query subscriptions 1148679239.066264 stats_rusage: 0.83 s user + 1.04 s sys CPU 28028 MAXRSS 1148679249.067674 stats: 71966/0 recvd/dropd P (0.00) 71942 P 45510646 B 0.4 Mbit/s 1148679249.067806 stats_classes: class_tcp 407165 1704 44590156 65663 407165 1704 1148677908.821760 0 0 0.000000 class_udp 79281 477 433328 4088 79281 477 1148677908.887460 0 0 0.000000 1148679249.067931 stats_indexes: 213 ip index nodes 246 port index nodes 293 connection index nodes 1148679249.067973 stats_conns: 256 conns 1148679249.068066 stats_queries: 0 query subscriptions 1148679249.068106 stats_rusage: 0.84 s user + 1.04 s sys CPU 28028 MAXRSS 1148679259.069525 stats: 72543/0 recvd/dropd P (0.00) 72519 P 45939651 B 0.3 Mbit/s 1148679259.069684 stats_classes: class_tcp 407285 1706 45015383 66203 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 436720 4120 79547 480 1148677908.887460 0 0 0.000000 1148679259.069819 stats_indexes: 218 ip index nodes 251 port index nodes 297 connection index nodes 1148679259.069861 stats_conns: 259 conns 1148679259.069946 stats_queries: 0 query subscriptions 1148679259.069986 stats_rusage: 0.86 s user + 1.04 s sys CPU 28028 MAXRSS 1148679269.071378 stats: 73177/0 recvd/dropd P (0.00) 73152 P 46424467 B 0.4 Mbit/s 1148679269.071513 stats_classes: class_tcp 407285 1706 45496807 66804 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 440112 4152 79547 480 1148677908.887460 0 0 0.000000 1148679269.071652 stats_indexes: 218 ip index nodes 251 port index nodes 297 connection index nodes 1148679269.071695 stats_conns: 259 conns 1148679269.071764 stats_queries: 0 query subscriptions 1148679269.071803 stats_rusage: 0.87 s user + 1.04 s sys CPU 28028 MAXRSS Has any on run into this behavior before? Marc Marc Weisbrod Security Engineer University of California at San Francisco 1855 Folsom Street, Room 602 San Francisco, CA 94103 415.476.1841 mweisbrod at its.ucsf.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060526/0586a69b/attachment.html From vern at icir.org Fri May 26 14:44:35 2006 From: vern at icir.org (Vern Paxson) Date: Fri, 26 May 2006 14:44:35 -0700 Subject: [Bro] Time Machine In-Reply-To: Your message of Fri, 26 May 2006 14:37:50 PDT. Message-ID: <200605262144.k4QLiZfK075017@jaguar.icir.org> > I am working with the time machine and I getting logs (tm.log) but I am > not seeing IP data being written to the disk. For how long have you run, and over what volume of traffic? It can take a while for the first files to appear (many minutes at LBL), due to the Time Machine's efficiency at trimming down the traffic stream. Vern From stephen.lau at ucsf.edu Fri May 26 15:42:30 2006 From: stephen.lau at ucsf.edu (Stephen Lau) Date: Fri, 26 May 2006 15:42:30 -0700 Subject: [Bro] Time Machine In-Reply-To: <200605262144.k4QLiZfK075017@jaguar.icir.org> References: <200605262144.k4QLiZfK075017@jaguar.icir.org> Message-ID: <44778456.9070501@ucsf.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vern Paxson wrote: >> I am working with the time machine and I getting logs (tm.log) but I > am >> not seeing IP data being written to the disk. > > For how long have you run, and over what volume of traffic? It can take > a while for the first files to appear (many minutes at LBL), due to the > Time Machine's efficiency at trimming down the traffic stream. > > Vern > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > Vern, Hi from the other side of the Bay. It's definitely seeing traffic. I was thinking along the same lines that it just hasn't flushed it buffers. I sent it a SIGHUP hoping it would terminate and flush but the logs were still zero. The link we're monitoring does not have very much traffic on it. Steve - -- +--------------------------------------------------------------------- Stephen Lau - Stephen.Lau at ucsf.edu Information Security Policy and Program Manager University of California, San Francisco 1855 Folsom, Suite 602, Box 0707, San Francisco, CA 94134 +1(415) 476-3106 (Work) +1(415) 476-0479 (Fax) PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B +--------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFEd4QNmgSrK/Y/dIsRAqwPAKDMH0g/cadu3i5SDE5G9oEltHp5kQCgqKtC 4H+vT1P7mqwLVl0drzBhh14= =8Vyu -----END PGP SIGNATURE----- From christian at whoop.org Wed May 31 12:24:12 2006 From: christian at whoop.org (Christian Kreibich) Date: Wed, 31 May 2006 20:24:12 +0100 Subject: [Bro] file is too large In-Reply-To: References: Message-ID: <1149103452.30265.259.camel@strangepork> This issue has been resolved by an upgrade to Bro 1.1. On Thu, 2006-05-25 at 14:32 +0600, salom123 at ok.kz wrote: > Hi all, > > I am trying to run Bro offline on files bigger than 2 GB. It does > nothing, except saying "File is too large". Has anyone encountered the > same problem? Is there any way of getting Bro to read files bigger > than 2 GB? Thanks in advance. > > regards Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org