From nikns at secure.lv Mon Sep 4 09:04:14 2006
From: nikns at secure.lv (nikns)
Date: Mon, 4 Sep 2006 19:04:14 +0300
Subject: [Bro] Bro Download file versions
Message-ID: <20060904160414.GA4556@secure.lv>

Hello!

Could you explain to me, since I am a bit confused about version numbering,
how does it come that: Version 1.0.1 - Last published Aug 31, 2006,
but downloading and untarring bro-1.X-current.tar.gz
I get bro-1.1?

What is the latest version of bro-ids
and from which link can I download it?

Thanks!

nikns

From vern at icir.org Mon Sep 4 09:18:55 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 04 Sep 2006 09:18:55 -0700
Subject: [Bro] Bro Download file versions
In-Reply-To: <20060904160414.GA4556@secure.lv> (Mon, 04 Sep 2006 19:04:14 +0300).
Message-ID: <200609041618.k84GIthg060446@jaguar.icir.org>

> how does it come that: Version 1.0.1 - Last published Aug 31, 2006,
> but downloading and untarring bro-1.X-current.tar.gz
> I get bro-1.1?

"1.0.1 - Last published Aug 31, 2006" is the tag on the bro-ids.org Web
page, and refers to the version of the Web page itself.

> What is the latest version of bro-ids

1.1.

> and from which link can I download it?

From http://bro-ids.org/download.html .

		Vern

From nikns at secure.lv Mon Sep 4 09:23:32 2006
From: nikns at secure.lv (nikns)
Date: Mon, 4 Sep 2006 19:23:32 +0300
Subject: [Bro] Bro Download file versions
In-Reply-To: <200609041618.k84GIthg060446@jaguar.icir.org>
References: <20060904160414.GA4556@secure.lv> <200609041618.k84GIthg060446@jaguar.icir.org>
Message-ID: <20060904162332.GA25029@secure.lv>

On Mon, Sep 04, 2006 at 09:18:55AM -0700, Vern Paxson wrote:
>> how does it come that: Version 1.0.1 - Last published Aug 31, 2006,
>> but downloading and untarring bro-1.X-current.tar.gz
>> I get bro-1.1?
>
> "1.0.1 - Last published Aug 31, 2006" is the tag on the bro-ids.org Web
> page, and refers to the version of the Web page itself.

Ahh, I see! ;]

>> What is the latest version of bro-ids
>
> 1.1.
>
>> and from which link can I download it?
>
> From http://bro-ids.org/download.html .

On that page I can find only ftp://bro-ids.org/bro-1.X-current.tar.gz,
which stands for the current snapshot, not the 1.1 release, am I right?

btw: how often does that current snapshot tarball get updated?

Don't know if it is right, but using svn to checkout, I get asked for a password:

  Most likely you will only want the source code which you get by:
    svn checkout svn+ssh://portnoy.lbl.gov/home/portnoy/u2/src/bro-repository/trunk/bro

any ideas?:)

Thanks
nikns

>
> 		Vern

From vern at icir.org Mon Sep 4 10:16:23 2006
From: vern at icir.org (Vern Paxson)
Date: Mon, 04 Sep 2006 10:16:23 -0700
Subject: [Bro] Bro Download file versions
In-Reply-To: <20060904162332.GA25029@secure.lv> (Mon, 04 Sep 2006 19:23:32 +0300).
Message-ID: <200609041716.k84HGNV3061218@jaguar.icir.org>

> > From http://bro-ids.org/download.html .
> On that page I can find only ftp://bro-ids.org/bro-1.X-current.tar.gz,
> which stands for the current snapshot, not the 1.1 release, am I right?

We do not make snapshots available. Rather, that link points to the
current *release*, which at the moment is 1.1. You can see this by
fetching the Change Log link, though I can see how this is all confusing.
We'll aim to clarify the release numbering on that page soon.

> btw: how often does that current snapshot tarball get updated?

We've been doing roughly 6-9 months between public releases. (Again,
these are not snapshots.) We're aiming for the 1.2 release around October.

> Don't know if it is right, but using svn to checkout, I get asked for a password:

Per the above, we don't make the SVN repository publicly accessible. We
may consider changing this in the future if we get enough requests.

		Vern

From nikns at secure.lv Tue Sep 5 08:51:13 2006
From: nikns at secure.lv (nikns)
Date: Tue, 5 Sep 2006 18:51:13 +0300
Subject: [Bro] Bro Download file versions
In-Reply-To: <200609041716.k84HGNV3061218@jaguar.icir.org>
References: <20060904162332.GA25029@secure.lv> <200609041716.k84HGNV3061218@jaguar.icir.org>
Message-ID: <20060905155113.GA22203@secure.lv>

> Per the above, we don't make the SVN repository publicly accessible. We
> may consider changing this in the future if we get enough requests.

Anonymous svn access is a must IMO.

Who can check out the current svn and upload a tarball somewhere, please? ;] *g*

>
> 		Vern

From christian at whoop.org Tue Sep 5 10:15:20 2006
From: christian at whoop.org (Christian Kreibich)
Date: Tue, 05 Sep 2006 10:15:20 -0700
Subject: [Bro] Bro Download file versions
In-Reply-To: <20060905155113.GA22203@secure.lv>
References: <20060904162332.GA25029@secure.lv> <200609041716.k84HGNV3061218@jaguar.icir.org> <20060905155113.GA22203@secure.lv>
Message-ID: <1157476520.12027.193.camel@strangepork>

On Tue, 2006-09-05 at 18:51 +0300, nikns wrote:
> Anonymous svn access is a must IMO.

Mhmmm ... not necessarily. Typically, making a repository publicly
accessible increases the frequency of requests to help fix compilation/
configuration issues fairly dramatically, and we have few cycles for
these kinds of requests.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

From nikns at secure.lv Tue Sep 5 10:59:24 2006
From: nikns at secure.lv (nikns)
Date: Tue, 5 Sep 2006 20:59:24 +0300
Subject: [Bro] Bro Download file versions
In-Reply-To: <1157476520.12027.193.camel@strangepork>
References: <20060904162332.GA25029@secure.lv> <200609041716.k84HGNV3061218@jaguar.icir.org> <20060905155113.GA22203@secure.lv> <1157476520.12027.193.camel@strangepork>
Message-ID: <20060905175924.GA7594@secure.lv>

Right, right!
And what about releasing untested releases and submitting fixes that have already been fixed in svn?

On Tue, Sep 05, 2006 at 10:15:20AM -0700, Christian Kreibich wrote:
> On Tue, 2006-09-05 at 18:51 +0300, nikns wrote:
>> Anonymous svn access is a must IMO.
>
> Mhmmm ... not necessarily. Typically, making a repository publicly
> accessible increases the frequency of requests to help fix compilation/
> configuration issues fairly dramatically, and we have few cycles for
> these kinds of requests.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
>                                           http://www.cl.cam.ac.uk/~cpk25
>                                                     http://www.whoop.org
>

From jp.luiggi at free.fr Tue Sep 5 11:59:14 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Tue, 05 Sep 2006 14:59:14 -0400
Subject: [Bro] Bro's evolutions
Message-ID: <20060905185914.GA6422@armada.mynetwork.local>

Hello All,

Several things:

While I just sent a mail to Vern last week asking about the
availability of the svn repository, I too agree with Christian,
this access can bring its batch of problems so ...

Another subject we spoke about a few months ago (if not a year): "Netflow"
Let's imagine we would like to have this used in "Bro", how to do this?

There are at least several solutions:

- Getting Netflow's flows coming directly inside Bro (turning it into
  something like a collector such as flow-tools, nfcapd, etc.)

- Use an external collector such as one of those I spoke about above
  and let Bro get information from the data.

In security, I like the principle of unicity so the second approach is
better for me (an IDS is an IDS, not a Netflow collector).

So any advice, comments...

Thank you.

Best regards.
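The second approach above, an external collector feeding Bro, needs the collector's raw flow records turned into typed events before Bro can use them. The following added example (not code from the list, from LBL's package, or from the Bro project) parses a constructed NetFlow v5 export datagram into Bro-style event records and rejects truncated or mis-sized datagrams; it does not use Broccoli, and the event name netflow_record and its field names are assumptions chosen here for illustration.

```python
"""NetFlow v5 export datagram -> Bro-style event records.

Added example for the collector-fed approach discussed on the list. It is
not the LBL netflow->Bro package, does not use Broccoli, and the event
name "netflow_record" and its field names are assumptions chosen here.
"""
import socket
import struct

# v5 header: version, count, sys_uptime (ms), unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval  (24 bytes)
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# v5 flow record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2  (48 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


class NetFlowError(ValueError):
    """Raised for datagrams that are not well-formed v5 exports."""


def parse_netflow_v5(datagram):
    """Return one Bro-style event dict per flow record in the datagram.

    Length and count are cross-checked before any record is decoded, so a
    truncated or padded datagram is rejected instead of yielding garbage.
    """
    if len(datagram) < HEADER_LEN:
        raise NetFlowError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise NetFlowError("unsupported NetFlow version %d" % version)
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise NetFlowError("record count %d does not match %d-byte datagram"
                           % (count, len(datagram)))

    # Record timestamps are ms since router boot; the header gives both the
    # export wall-clock time and the uptime, so boot time is their difference.
    boot_ts = (unix_secs + unix_nsecs / 1e9) - sys_uptime / 1000.0
    # Low 14 bits of the sampling field hold the interval (0 = unsampled).
    scale = max(sampling & 0x3FFF, 1)

    events = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        events.append({
            "event": "netflow_record",         # assumed event name
            "orig_h": socket.inet_ntoa(src),
            "orig_p": sport,
            "resp_h": socket.inet_ntoa(dst),
            "resp_p": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "start": boot_ts + first / 1000.0,
            "duration": (last - first) / 1000.0,
            "pkts": pkts * scale,               # undo router-side sampling
            "bytes": octets * scale,
            "tcp_flags": tcp_flags,
            "flow_seq": flow_seq + i,
        })
    return events


def build_datagram(records, sys_uptime=100000, unix_secs=1157500000):
    """Build a constructed v5 datagram (test input, not a capture).

    Each record is (src, dst, proto, sport, dport, pkts, octets, first, last, flags).
    """
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs,
                         0, 1000, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                    socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, first, last,
                    sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, proto, sport, dport, pkts, octets, first, last, flags) in records)
    return header + body


# Constructed sample: one SMTP connection and one DNS lookup.
SAMPLE = build_datagram([
    ("192.0.2.10", "198.51.100.25", 6, 51234, 25, 12, 1800, 60000, 61500, 0x1b),
    ("192.0.2.11", "198.51.100.53", 17, 40000, 53, 1, 70, 90000, 90000, 0),
])

if __name__ == "__main__":
    for ev in parse_netflow_v5(SAMPLE):
        print(ev)
```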
From jmellander at lbl.gov Fri Sep 8 16:07:32 2006
From: jmellander at lbl.gov (Jim Mellander)
Date: Fri, 08 Sep 2006 16:07:32 -0700
Subject: [Bro] Bro's evolutions
In-Reply-To: <20060905185914.GA6422@armada.mynetwork.local>
References: <20060905185914.GA6422@armada.mynetwork.local>
Message-ID: <4501F7B4.6030703@lbl.gov>

LBL is running a netflow -> bro conversion package for internal
monitoring. In brief, we collect netflow records, parse them into Bro
events, which are sent to a running Bro via the Broccoli library. If
you're interested in working with this, great - it some help, as it's a
bit of a hack. I'll be happy to share what I'm doing...

Jean-Philippe Luiggi wrote:
> Hello All,
>
> Several things:
>
> While I just sent a mail to Vern last week asking about the
> availability of the svn repository, I too agree with Christian,
> this access can bring its batch of problems so ...
>
> Another subject we spoke about a few months ago (if not a year): "Netflow"
> Let's imagine we would like to have this used in "Bro", how to do this?
>
> There are at least several solutions:
>
> - Getting Netflow's flows coming directly inside Bro (turning it into
>   something like a collector such as flow-tools, nfcapd, etc.)
>
> - Use an external collector such as one of those I spoke about above
>   and let Bro get information from the data.
>
> In security, I like the principle of unicity so the second approach is
> better for me (an IDS is an IDS, not a Netflow collector).
>
> So any advice, comments...
>
> Thank you.
>
> Best regards.
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

You're out of memory

From nikns at secure.lv Tue Sep 12 02:54:27 2006
From: nikns at secure.lv (nikns)
Date: Tue, 12 Sep 2006 12:54:27 +0300
Subject: [Bro] Dead links in documentation
Message-ID: <20060912095427.GA23459@secure.lv>

There are dead links in the documentation that start with:
http://dsd.lbl.gov/bro-lite/...


nikns

From jp.luiggi at free.fr Tue Sep 12 07:43:26 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Tue, 12 Sep 2006 10:43:26 -0400
Subject: [Bro] Bro's evolutions
In-Reply-To: <4501F7B4.6030703@lbl.gov>
References: <20060905185914.GA6422@armada.mynetwork.local> <4501F7B4.6030703@lbl.gov>
Message-ID: <20060912144326.GB17464@armada.mynetwork.local>

On Fri, Sep 08, 2006 at 04:07:32PM -0700, Jim Mellander wrote:
> LBL is running a netflow -> bro conversion package for internal
> monitoring. In brief, we collect netflow records, parse them into Bro
> events, which are sent to a running Bro via the Broccoli library. If
> you're interested in working with this, great - it some help, as it's a
> bit of a hack. I'll be happy to share what I'm doing...

Hello Jim,

Thank you for this information, I'll be happy to use your software as it's
exactly what I was looking for.

Best regards.

> Jean-Philippe Luiggi wrote:
> > Hello All,
> >
> > Several things:
> >
> > While I just sent a mail to Vern last week asking about the
> > availability of the svn repository, I too agree with Christian,
> > this access can bring its batch of problems so ...
> >
> > Another subject we spoke about a few months ago (if not a year): "Netflow"
> > Let's imagine we would like to have this used in "Bro", how to do this?
From bltierney at lbl.gov Tue Sep 12 07:51:27 2006
From: bltierney at lbl.gov (Brian Tierney)
Date: Tue, 12 Sep 2006 07:51:27 -0700
Subject: [Bro] Dead links in documentation
In-Reply-To: <20060912095427.GA23459@secure.lv>
References: <20060912095427.GA23459@secure.lv>
Message-ID: <4506C96F.2020007@lbl.gov>

Fixed. Thanks for pointing this out.

nikns wrote:
> There are dead links in the documentation that start with:
> http://dsd.lbl.gov/bro-lite/...
>
>
> nikns

-- 
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381  fax: 510-495-2998  efax: 425-642-4558
bltierney at lbl.gov   http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From jmellander at lbl.gov Tue Sep 12 16:35:58 2006
From: jmellander at lbl.gov (Jim Mellander)
Date: Tue, 12 Sep 2006 16:35:58 -0700
Subject: [Bro] Bro's evolutions
In-Reply-To: <20060912144326.GB17464@armada.mynetwork.local>
References: <20060905185914.GA6422@armada.mynetwork.local> <4501F7B4.6030703@lbl.gov> <20060912144326.GB17464@armada.mynetwork.local>
Message-ID: <4507445E.4060201@lbl.gov>

I've had a couple of requests for this code, so I'm developing a web
page for it. Stay tuned.

Jean-Philippe Luiggi wrote:
> On Fri, Sep 08, 2006 at 04:07:32PM -0700, Jim Mellander wrote:
>> LBL is running a netflow -> bro conversion package for internal
>> monitoring. In brief, we collect netflow records, parse them into Bro
>> events, which are sent to a running Bro via the Broccoli library. If
>> you're interested in working with this, great - it some help, as it's a
>> bit of a hack. I'll be happy to share what I'm doing...
>
> Hello Jim,
>
> Thank you for this information, I'll be happy to use your software as it's
> exactly what I was looking for.
>
> Best regards.
>
>> Jean-Philippe Luiggi wrote:
>>> Hello All,
>>>
>>> Several things:
>>>
>>> While I just sent a mail to Vern last week asking about the
>>> availability of the svn repository, I too agree with Christian,
>>> this access can bring its batch of problems so ...
>>>
>>> Another subject we spoke about a few months ago (if not a year): "Netflow"
>>> Let's imagine we would like to have this used in "Bro", how to do this?
>

-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Daemon escaped from pentagram

From jp.luiggi at free.fr Wed Sep 13 07:04:56 2006
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Wed, 13 Sep 2006 10:04:56 -0400
Subject: [Bro] Bro's evolutions
In-Reply-To: <4507445E.4060201@lbl.gov>
References: <20060905185914.GA6422@armada.mynetwork.local> <4501F7B4.6030703@lbl.gov> <20060912144326.GB17464@armada.mynetwork.local> <4507445E.4060201@lbl.gov>
Message-ID: <20060913140456.GA11562@armada.mynetwork.local>

Hello,

No problem, thank you a lot.

Best regards.

On Tue, Sep 12, 2006 at 04:35:58PM -0700, Jim Mellander wrote:
> I've had a couple of requests for this code, so I'm developing a web
> page for it. Stay tuned.
>
>
>
> Jean-Philippe Luiggi wrote:
> > On Fri, Sep 08, 2006 at 04:07:32PM -0700, Jim Mellander wrote:
> >> LBL is running a netflow -> bro conversion package for internal
> >> monitoring. In brief, we collect netflow records, parse them into Bro
> >> events, which are sent to a running Bro via the Broccoli library. If
> >> you're interested in working with this, great - it some help, as it's a
> >> bit of a hack. I'll be happy to share what I'm doing...
> >
> > Hello Jim,
> >
> > Thank you for this information, I'll be happy to use your software as it's
> > exactly what I was looking for.
> >
> > Best regards.
> >
> >> Jean-Philippe Luiggi wrote:
> >>> Hello All,
> >>>
> >>> Several things:
> >>>
> >>> While I just sent a mail to Vern last week asking about the
> >>> availability of the svn repository, I too agree with Christian,
> >>> this access can bring its batch of problems so ...
> >>>
> >>> Another subject we spoke about a few months ago (if not a year): "Netflow"
> >>> Let's imagine we would like to have this used in "Bro", how to do this?
> >
>
>
> --
> Jim Mellander
> Incident Response Manager
> Computer Protection Program
> Lawrence Berkeley National Laboratory
> (510) 486-7204
>
> The reason you are having computer problems is:
>
> Daemon escaped from pentagram

From jbarlow at ncsa.uiuc.edu Thu Sep 21 12:21:04 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Thu, 21 Sep 2006 14:21:04 -0500
Subject: [Bro] Bro workshop at Supercomputing '06
Message-ID: <20060921192104.GA6199@wolrab.ncsa.uiuc.edu>

There is a group of individuals who decided to have a semi-informal
workshop at the Supercomputing '06 conference this year
(http://sc06.supercomputing.org/). The workshop will be held Tuesday
November 14th from 1 - 5pm and Wednesday the 15th from 9 - 12am. The
reason it was split over two days is because of scheduling conflicts
with the SC'06 event. It may also provide easier travel for people who
only want to attend the workshop on those two days (get in Tuesday
morning and leave Wednesday afternoon).
Here are some of the people who will be giving presentations at the
workshop:

Brian Tierney:  Bro Overview
Robin Sommer:   New features in Bro and future plans for Bro
Scott Campbell: Bro-to-Bro communication
Jason Lee:      Bro Cluster
Seth Hall:      RBroccoli - Ruby interface for Broccoli

Other areas of discussion will be around using netflows with Bro (Jim
Mellander has brought up what he is doing on this list), how other sites
are using Bro, feature changes/requests, maybe something on how to
implement Bro and get past the initial hurdles, sharing Bro data between
sites, and any other topics that people want to bring up. Also, in case
people did not know, Bro has been used as the IDS at the Supercomputing
events for a number of years now. So it might be interesting to discuss
how that was set up and configured.

If anyone is interested in attending just send me an email, or you can
post something to the list. This workshop was put together (kind of at
the last minute :) because of some interest with a few of the sites who
use Bro and were going to be attending the SC'06 event. But we wanted to
open it up for any other site that might be interested in attending. So
it will be very informal and hopefully we can use this event to start
something more formal in future years.

SC'06 is in Tampa, Florida this year, and you can check out the main web
page (http://sc06.supercomputing.org/) for information on where it's
located. There is also a Travel section that has info on hotels in the
area: http://sc06.supercomputing.org/travel/hotels.php

-- 
James J. Barlow                  Head of Security Operations and Incident Response
National Center for Supercomputing Applications        Voice : (217)244-6403
1205 West Clark Street, Urbana, IL 61801               Cell  : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                      Fax   : (217)244-1987

From robin at icir.org Fri Sep 22 09:02:41 2006
From: robin at icir.org (Robin Sommer)
Date: Fri, 22 Sep 2006 09:02:41 -0700
Subject: [Bro] [Call for Papers] DIMVA 2007
Message-ID: <200609221602.k8MG2fRh019069@guava.ICSI.Berkeley.EDU>

Dear Colleagues,

please find attached the Call For Papers for DIMVA 2007, the Fourth GI
International Conference on Detection of Intrusions & Malware, and
Vulnerability Assessment; which is to be held in Lucerne, Switzerland,
July 12-13, 2007. Complete information is available at
http://www.dimva.org/dimva2007.

Please feel free to distribute this announcement. We apologize if you
receive multiple copies of this message.

Best Regards,
The DIMVA 2007 Organizing Committee

---------------------------------------------------------------------------

                              CALL FOR PAPERS

                                 DIMVA 2007

       Fourth GI International Conference on Detection of Intrusions
                  & Malware, and Vulnerability Assessment

             Organized by the GI Special Interest Group SIDAR
                           In Cooperation with
          IEEE Computer Society Task Force on Information Assurance

                            Lucerne, Switzerland
                             July 12 - 13, 2007

                       http://www.dimva.org/dimva2007
                          mailto:info at dimva.org

---------------------------------------------------------------------------

The annual DIMVA conference serves as a premier forum for advancing the
state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together international
experts from academia, industry and government to present and discuss
novel research in these areas. DIMVA is organized by the special
interest group "Security - Intrusion Detection and Response" of the
German Informatics Society (GI).
The conference proceedings will appear in Springer's "Lecture Notes in
Computer Science" (LNCS) series.

DIMVA solicits submission of high-quality, original scientific work.
This year we invite two types of paper submissions:

- Full papers, presenting novel and mature research results. Full papers
  are limited to 20 pages, prepared according to the instructions
  provided below. They will be reviewed by the program committee, and
  papers accepted for presentation at the conference will be included in
  the proceedings.

- Short papers (extended abstracts), presenting original, still ongoing
  work that has not yet reached the maturity required for a full paper.
  Short papers are limited to 10 pages, prepared according to the
  instructions provided below. They will also be reviewed by the program
  committee, and papers accepted for presentation at the conference will
  be included in the proceedings (containing "Extended Abstract" in the
  title).

DIMVA's scope includes, but is not restricted to the following areas:

- Intrusion Detection
  * Approaches
  * Implementations
  * Prevention and response
  * Result correlation
  * Evaluation
  * Potentials and limitations
  * Operational experiences
  * Evasion and other attacks
  * Legal and social aspects

- Malware
  * Techniques
  * Detection
  * Prevention
  * Evaluation
  * Trends and upcoming risks
  * Forensics and recovery

- Vulnerability Assessment
  * Vulnerabilities
  * Vulnerability detection
  * Vulnerability prevention

DIMVA particularly encourages papers that discuss the integration of
intrusion, malware, and vulnerability detection in large-scale
operational communication networks.

ORGANIZING COMMITTEE
--------------------

General Chair:  Bernhard Hämmerli, HTA Luzern           info at dimva.org
Program Chair:  Robin Sommer, LBNL/ICSI                 pc-chair at dimva.org
Sponsor Chair:  Dirk Schadt, Computer Associates        sponsor-chair at dimva.org

PROGRAM COMMITTEE
-----------------

Roland Büschkes, RWE (DE)
Weidong Cui, Microsoft Research (US)
Marc Dacier, Eurécom (FR)
Hervé Debar, France Télécom (FR)
Sven Dietrich, Carnegie Mellon University (US)
Toralv Dirro, McAfee (DE)
Holger Dreger, TU Munich (DE)
Mohamed Eltoweissy, Virginia Tech (US)
Ulrich Flegel, University of Dortmund (DE)
Felix C. Freiling, University of Mannheim (DE)
Dirk Häger, BSI (DE)
Bernhard Hämmerli, HTA Lucerne (CH)
Marc Heuse, n.runs (DE)
Ming-Yuh Huang, Boeing (US)
Erland Jonsson, Chalmers University (SE)
Klaus Julisch, IBM Research (US)
Angelos Keromytis, Columbia University (US)
Hartmut König, BTU Cottbus (DE)
Christian Kreibich, ICSI (US)
Christopher Kruegel, TU Vienna (AT)
Pavel Laskov, Fraunhofer FIRST (DE)
Wenke Lee, Georgia Tech (US)
Jun Li, Tsinghua University (CN)
Javier Lopez, University of Malaga (ES)
John McHugh, Dalhousie University (CA)
Michael Meier, University of Dortmund (DE)
R. Sekar, Stony Brook University (US)
Roberto Setola, Univ. CAMPUS Bio-Medico Rome (IT)
Doug Tygar, UC Berkeley (US)
Giovanni Vigna, UC Santa Barbara (US)
Stephen Wolthusen, University of London (GB)
S. Felix Wu, UC Davis (US)

IMPORTANT DATES
---------------

February 9, 2007    Deadline for submission of full and short papers.
April 9, 2007       Notification of acceptance or rejection.
April 27, 2007      Final camera-ready copies due.
July 12-13, 2007    DIMVA conference.

PAPER SUBMISSIONS
-----------------

All papers must be submitted electronically in PDF format via the
conference Web site. Submissions must be formatted according to the
instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html).

Submitted papers must be in English and must not substantially overlap
work that has been published before, or that is simultaneously in
submission to a journal or a conference with proceedings. Simultaneous
submission, submission of previously published work, and plagiarism
constitute dishonesty or fraud. DIMVA prohibits these practices and may
take appropriate action against authors who have committed them.

Authors of accepted papers must ensure that their papers will be
presented at the conference. Presentations must also be held in English.

Details about the electronic submission procedure will be provided on
the conference Web site by the end of December 2006.

Authors of accepted papers must follow the Springer guidelines for the
preparation of camera-ready copies. Details of the process will be
provided to the authors in time.

SPONSORSHIP OPPORTUNITIES
-------------------------

We solicit interested organizations to serve as sponsors for DIMVA 2007;
please contact the sponsor chair for information regarding corporate
sponsorship at sponsor-chair at dimva.org.

STEERING COMMITTEE
------------------

Chairs:
Ulrich Flegel, University of Dortmund
Michael Meier, University of Dortmund

Members:
Roland Büschkes, RWE
Marc Heuse, n.runs
Klaus Julisch, IBM Research
Christopher Kruegel, TU Vienna
Pavel Laskov, Fraunhofer FIRST

From pallavi at eecs.berkeley.edu Mon Sep 25 12:45:41 2006
From: pallavi at eecs.berkeley.edu (Pallavi Joshi)
Date: Mon, 25 Sep 2006 12:45:41 -0700
Subject: [Bro] Problem while building bro
Message-ID: <451831E5.6070403@eecs.berkeley.edu>

Hi,

While building bro, I got an error because termcap.h was not found.
After I included termcap.h in libedit, term.c got compiled but I got a
segmentation fault saying: Command failed for target `dce_rpc_pac.cc'.
How can I fix this up?

Thanks,

Pallavi

From pallavi at eecs.berkeley.edu Mon Sep 25 13:22:26 2006
From: pallavi at eecs.berkeley.edu (Pallavi Joshi)
Date: Mon, 25 Sep 2006 13:22:26 -0700
Subject: [Bro] Problem while building bro
In-Reply-To: <451831E5.6070403@eecs.berkeley.edu>
References: <451831E5.6070403@eecs.berkeley.edu>
Message-ID: <45183A82.3030002@eecs.berkeley.edu>

I am trying to build bro-1.1 on SunOS 5.9 and here is the output before
make fails.
./bifcl ./event.bif
./bifcl ./const.bif
./bifcl ./common-rw.bif
./bifcl ./finger-rw.bif
./bifcl ./ident-rw.bif
./bifcl ./ftp-rw.bif
./bifcl ./smtp-rw.bif
./bifcl ./http-rw.bif
./bifcl ./strings.bif
perl ./make_dbg_constants.pl ./DebugCmdInfoConstants.in
make all-recursive
Making all in binpac
source='pac_parse.cc' object='pac_parse.o' libtool=no \
depfile='.deps/pac_parse.Po' tmpdepfile='.deps/pac_parse.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac_parse.o `test -f pac_parse.cc || echo './'`pac_parse.cc
source='pac_scan.cc' object='pac_scan.o' libtool=no \
depfile='.deps/pac_scan.Po' tmpdepfile='.deps/pac_scan.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac_scan.o `test -f pac_scan.cc || echo './'`pac_scan.cc
source='pac.cc' object='pac.o' libtool=no \
depfile='.deps/pac.Po' tmpdepfile='.deps/pac.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac.o `test -f pac.cc || echo './'`pac.cc
source='pac_main.cc' object='pac_main.o' libtool=no \
depfile='.deps/pac_main.Po' tmpdepfile='.deps/pac_main.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac_main.o `test -f pac_main.cc || echo './'`pac_main.cc
source='pac_output.cc' object='pac_output.o' libtool=no \
depfile='.deps/pac_output.Po' tmpdepfile='.deps/pac_output.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac_output.o `test -f pac_output.cc || echo './'`pac_output.cc
source='pac_utils.cc' object='pac_utils.o' libtool=no \
depfile='.deps/pac_utils.Po' tmpdepfile='.deps/pac_utils.TPo' \
depmode=none /bin/bash ../../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I../.. -W -Wall -Wno-unused -I/home/eecs/pallavi/libpcap-0.9.4 -I/home/eecs/pallavi/libpcap-0.9.4 -g -O2 -c -o pac_utils.o `test -f pac_utils.cc || echo './'`pac_utils.cc
g++ -g -O2 -o binpac pac_parse.o pac_scan.o pac.o pac_main.o pac_output.o pac_utils.o -lresolv -lpcap -lpcap -L/home/eecs/pallavi/libpcap-0.9.4 -lpcap -lnsl -lsocket -ltermcap
../src/binpac/binpac ./dce_rpc.pac
*** Signal 11

make: Fatal error: Command failed for target `dce_rpc_pac.cc'
Current working directory /home/eecs/pallavi/bro-1.1/src
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/eecs/pallavi/bro-1.1/src
*** Error code 1
make: Fatal error: Command failed for target `all'

Pallavi Joshi wrote:
> Hi,
>
> While building bro, I got an error because termcap.h was not found.
> After I included termcap.h in libedit, term.c got compiled but I got a
> segmentation fault saying: Command failed for target
> `dce_rpc_pac.cc'. How can I fix this up?
>
> Thanks,
>
> Pallavi
>

From dhanesh at tataelxsi.co.in Tue Sep 26 02:11:01 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Tue, 26 Sep 2006 14:41:01 +0530
Subject: [Bro] Problem in using 'http-request-header' in Signatures
Message-ID: <001101c6e14b$b05efdd0$0637a8c0@telxsi.com>

Hi,

I was trying to write signatures for detecting connections to a mail
server. I used 'http-request-header' followed by the payload to be
matched.
signature abcd { ip-proto == tcp tcp state established event "Connection to Mail server" http-request-header /.*mail/ } When I tried to start bro, I got the following error message: "parse error at line x:" i.e., at the line where i have mentioned http-request-header. I did load the analyzers. Can anyone suggest a way to handle this problem. Thanks, Dhanesh. From frenzy at frenzy.org Tue Sep 26 11:13:20 2006 From: frenzy at frenzy.org (frenzy at frenzy.org) Date: Tue, 26 Sep 2006 12:13:20 -0600 (MDT) Subject: [Bro] MAIL FROM in smtp.bro Message-ID: Hi folks, I was wondering why the following code is commented out of smtp.bro? I have a patch that looks for "MAIL FROM" and sets those as the sender in the smtp logs. It adds a couple of functions to mimic the structure of extract_recipient() etc. The functionality seems to work well. All of the valid sender addresses seem to get captured, though I have not done exhaustive testing for invalid addresses. in policy/smtp.bro 508 # else if ( cmd == "MAIL" && code == 250 ) 509 # smtp_command_mail(session, cmd_info); However, if there is a reason why we shouldn't be doing this, I won't submit the patch. Thanks, Randy http://www.frenzy.org "Sed Quis Custodiet Ipsos Custodes?" -Juvenal From robin at icir.org Tue Sep 26 13:22:14 2006 From: robin at icir.org (Robin Sommer) Date: Tue, 26 Sep 2006 13:22:14 -0700 Subject: [Bro] Problem in using 'http-request-header' in Signatures In-Reply-To: <001101c6e14b$b05efdd0$0637a8c0@telxsi.com> References: <001101c6e14b$b05efdd0$0637a8c0@telxsi.com> Message-ID: <20060926202214.GD27751@icir.org> On Tue, Sep 26, 2006 at 14:41 +0530, you wrote: > http-request-header /.*mail/ Oh, I'm sorry about that. The documentation talks about http-request-header but it appears that the code for it never made it into the distribution. I recall that I implemented this a long time ago but somehow it got lost. So for the time being, this functionality is actually not there. 
If you depend on it, it wouldn't be too difficult to add it again though.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From dhanesh at tataelxsi.co.in Tue Sep 26 21:47:53 2006
From: dhanesh at tataelxsi.co.in (Jaya Dhanesh)
Date: Wed, 27 Sep 2006 10:17:53 +0530
Subject: [Bro] Problem in using 'http-request-header' in Signatures
In-Reply-To: <20060926202214.GD27751@icir.org>
Message-ID: <001501c6e1f0$18802610$0637a8c0@telxsi.com>

> Oh, I'm sorry about that.

That's OK.

> If you depend on it, it wouldn't be too difficult to add it again
> though.

That's good. Can you suggest how to add it?

Thanks,
Dhanesh.

From jbarlow at ncsa.uiuc.edu Wed Sep 27 09:30:26 2006
From: jbarlow at ncsa.uiuc.edu (James J. Barlow)
Date: Wed, 27 Sep 2006 11:30:26 -0500
Subject: [Bro] More info on Bro workshop at SC'06
Message-ID: <20060927163026.GA26037@wolrab.ncsa.uiuc.edu>

A few people have asked about whether or not you need to register for the SC'06 conference to attend the workshop. The workshop is not affiliated with the conference, so you do not need to register. However, depending on where the workshop room is located, there is a chance that people may need to purchase a guest pass to get to the room. I'd like to try and prevent this from happening, but we'll try to let people know if that is going to be the case as soon as we get more info.

-- 
James J. Barlow
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
Voice : (217)244-6403
Cell  : (217)840-0601
Fax   : (217)244-1987
http://www.ncsa.uiuc.edu/~jbarlow

From robin at icir.org Wed Sep 27 09:37:56 2006
From: robin at icir.org (Robin Sommer)
Date: Wed, 27 Sep 2006 09:37:56 -0700
Subject: [Bro] Problem in using 'http-request-header' in Signatures
In-Reply-To: <001501c6e1f0$18802610$0637a8c0@telxsi.com>
References: <20060926202214.GD27751@icir.org> <001501c6e1f0$18802610$0637a8c0@telxsi.com>
Message-ID: <20060927163756.GA5565@icir.org>

On Wed, Sep 27, 2006 at 10:17 +0530, you wrote:

> That's good. Can you suggest how to add it?

If you give me a few days, I'll take a look at it. However, if you really want to give it a try yourself (which is always appreciated!), grep for "Rule::HTTP" across the source to see how it is done for HTTP URLs (the "http" signature keyword). http-request-header can be added in a similar fashion.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org

From sanreich at gmx.de Thu Sep 28 11:44:36 2006
From: sanreich at gmx.de (Sandro Reichert)
Date: Thu, 28 Sep 2006 18:44:36 -0000
Subject: [Bro] remote.bro
Message-ID: <4479EFE6.1060509@gmx.de>

Hi everybody!

Where can I find documentation about inter-bro communication? I can't find anything in the archive or the manuals.

I'm using bro 0.9a9, because there is a wireless edition developed at Dresden University of Technology in Germany. I need the inter-bro communication to develop distributed policies.

Thanks for all hints!

Sandro

From sanreich at gmx.de Thu Sep 28 11:57:55 2006
From: sanreich at gmx.de (Sandro Reichert)
Date: Thu, 28 Sep 2006 20:57:55 +0200
Subject: [Bro] remote.bro
Message-ID: <451C1B33.1020207@gmx.de>

Hi everybody!

Where can I find documentation about inter-bro communication?
I can't find anything in the archive or the manuals.

I'm using bro 0.9a9, because there is a wireless edition developed at Dresden University of Technology in Germany. I need the inter-bro communication to develop distributed policies.

Thanks for all hints!

Sandro

From christian at whoop.org Thu Sep 28 12:08:30 2006
From: christian at whoop.org (Christian Kreibich)
Date: Thu, 28 Sep 2006 12:08:30 -0700
Subject: [Bro] remote.bro
In-Reply-To: <4479EFE6.1060509@gmx.de>
References: <4479EFE6.1060509@gmx.de>
Message-ID: <1159470510.9119.88.camel@strangepork>

Hi Sandro,

start by reading remote.bro and the explanation of how to configure event communication in policies in the Broccoli documentation:

http://www.bro-ids.org/broccoli/c85.html#AEN643

Sorry for the lack of documentation -- please do bug us if you can't get it to work.

On Sun, 2006-05-28 at 20:45 +0200, Sandro Reichert wrote:
> Hi everybody!
>
> Where can I find documentation about inter-bro communication? I can't
> find anything in the archive or the manuals.
> I'm using bro 0.9a9, because there is a wireless edition developed at
> Dresden University of Technology in Germany. I need the inter-bro
> communication to develop distributed policies.
>
> Thanks for all hints!
>
> Sandro

Cheers,
Christian.
-- 
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org

From scampbell at lbl.gov Thu Sep 28 12:57:07 2006
From: scampbell at lbl.gov (scott campbell)
Date: Thu, 28 Sep 2006 12:57:07 -0700
Subject: [Bro] remote.bro
In-Reply-To: <1159470510.9119.88.camel@strangepork>
References: <4479EFE6.1060509@gmx.de> <1159470510.9119.88.camel@strangepork>
Message-ID: <451C2913.3040409@lbl.gov>

Christian Kreibich wrote:
> Hi Sandro,
>
> start by reading remote.bro and the explanation of how to configure
> event communication in policies in the Broccoli documentation:
>
> http://www.bro-ids.org/broccoli/c85.html#AEN643
>
> Sorry for the lack of documentation -- please do bug us if you can't get
> it to work.
>
> On Sun, 2006-05-28 at 20:45 +0200, Sandro Reichert wrote:
>> Hi everybody!
>>
>> Where can I find documentation about inter-bro communication? I can't
>> find anything in the archive or the manuals.
>> I'm using bro 0.9a9, because there is a wireless edition developed at
>> Dresden University of Technology in Germany. I need the inter-bro
>> communication to develop distributed policies.
>>
>> Thanks for all hints!
>>
>> Sandro
>
> Cheers,
> Christian.

I have a few pages describing what you need to do to set up inter-bro communication. See:

http://www.nersc.gov/~scottc/software/bro/broToBro.html

There are several other pages regarding this functionality and some basic policy scripts that can be found off my main page at:

http://www.nersc.gov/~scottc

Let me know if you have any problems with this.

thanks!
scott

From vern at icir.org Thu Sep 28 23:43:25 2006
From: vern at icir.org (Vern Paxson)
Date: Thu, 28 Sep 2006 23:43:25 -0700
Subject: [Bro] MAIL FROM in smtp.bro
In-Reply-To: (Tue, 26 Sep 2006 12:13:20 MDT).
Message-ID: <200609290643.k8T6hPsr013167@jaguar.icir.org>

> I was wondering why the following code is commented out of smtp.bro?
> ...
>
> in policy/smtp.bro
>
> 508 #       else if ( cmd == "MAIL" && code == 250 )
> 509 #           smtp_command_mail(session, cmd_info);

Huh, I don't know what's up with that. I've cc'd Ruoming (who I believe wrote the original smtp.bro) in case he recalls.

Vern

From glavoie at gmail.com Fri Sep 29 06:10:46 2006
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Fri, 29 Sep 2006 09:10:46 -0400
Subject: [Bro] Bro compilation problem under Gentoo 2006.1
Message-ID:

Hello,

I'm trying to compile Bro 0.9a11 under Gentoo 2006.1 but I always get this error:

    cd . && /bin/sh /home/wildchild/bro/bro-0.9a11/missing --run autoheader
    configure.in:441: warning: AC_TRY_RUN called without default to allow cross compiling
    /usr/bin/autoheader-2.13: Symbol `ns_msg' is not covered by /usr/share/autoconf/acconfig.h
    make: *** [stamp-h.in] Erreur 1

Any idea?

Thanks

Gabriel Lavoie

-- 
Gabriel Lavoie
glavoie at gmail.com

From rpang at cs.princeton.edu Fri Sep 29 07:13:02 2006
From: rpang at cs.princeton.edu (Ruoming Pang)
Date: Fri, 29 Sep 2006 10:13:02 -0400
Subject: [Bro] MAIL FROM in smtp.bro
In-Reply-To: <200609290643.k8T6hPsr013167@jaguar.icir.org>
References: <200609290643.k8T6hPsr013167@jaguar.icir.org>
Message-ID:

I don't remember either (Vern: I was about to ask you about it. :). I think it should be fine to uncomment the code. Please let me know if you have any problem after uncommenting it.

Thanks,
Ruoming

On 9/29/06, Vern Paxson wrote:
> > I was wondering why the following code is commented out of smtp.bro?
> > ...
> >
> > in policy/smtp.bro
> >
> > 508 #       else if ( cmd == "MAIL" && code == 250 )
> > 509 #           smtp_command_mail(session, cmd_info);
>
> Huh, I don't know what's up with that. I've cc'd Ruoming (who I believe
> wrote the original smtp.bro) in case he recalls.
>
> Vern
>

From robin at icir.org Fri Sep 29 11:41:19 2006
From: robin at icir.org (Robin Sommer)
Date: Fri, 29 Sep 2006 11:41:19 -0700
Subject: [Bro] remote.bro
In-Reply-To: <4479EFE6.1060509@gmx.de>
References: <4479EFE6.1060509@gmx.de>
Message-ID: <20060929184119.GF29116@icir.org>

On Sun, May 28, 2006 at 20:45 +0200, Sandro Reichert wrote:

> I'm using bro 0.9a9, because there is a wireless edition developed at
> Dresden University of Technology in Germany. I need the inter-bro
> communication to develop distributed policies.

Adding to the replies by Christian and Scott, please note that the communication code in 0.9 is really old; a lot of changes (and bug fixes) have been made since then, and I'd actually strongly recommend using a current version when doing any inter-Bro communication. That said, perhaps the "wireless edition" can be ported to the current version? What kind of enhancements does it include? (Anyone from Dresden happening to read this...?)
Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
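Earlier in this archive, the "MAIL FROM in smtp.bro" thread turns on the commented-out condition `cmd == "MAIL" && code == 250`: the envelope sender is credited to the session only once the server has accepted the MAIL command with a 250 reply. The following Python is an added example written for this page, not code from Bro's smtp.bro or from Randy's patch. It models the same gating rule over a constructed command/reply transcript and covers the cases a log consumer cares about: a MAIL FROM the server rejects must not become the logged sender, the null reverse-path `<>` used by bounces is a legitimate empty sender rather than a parse failure, ESMTP parameters such as SIZE= after the path are ignored, and a source route is reduced to its final mailbox. The names `SmtpSession`, `extract_sender` and `process` are hypothetical and the transcript is constructed.

```python
"""Envelope-sender extraction gated on the server's 250 reply.

Added example; not Bro's smtp.bro. Mirrors the rule quoted in the thread
(`cmd == "MAIL" && code == 250`): a MAIL FROM only becomes the session's
sender after the server accepts it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Reverse-path (RFC 5321 section 3.3): "FROM:" then an angle-bracketed path,
# possibly empty for the null sender, optionally followed by ESMTP parameters
# such as SIZE=... or BODY=8BITMIME. Extra whitespace after the colon is common.
_MAIL_FROM_RE = re.compile(
    r"^FROM:\s*<(?P<path>[^>]*)>(?:\s+(?P<params>.*))?$", re.IGNORECASE)


@dataclass
class SmtpSession:
    """Constructed stand-in for a per-connection SMTP session record (hypothetical)."""
    sender: Optional[str] = None                    # accepted envelope sender, "" for <>
    pending_cmd: Optional[Tuple[str, str]] = None   # (command, argument) awaiting a reply
    rejected: List[str] = field(default_factory=list)  # MAIL arguments the server refused


def extract_sender(arg: str) -> Optional[str]:
    """Return the mailbox inside a MAIL FROM reverse-path.

    "" means the null sender <>; None means the argument is not a well-formed
    reverse-path and nothing should be logged. A source route
    (<@relay.example:user@host>) is reduced to its final mailbox, as RFC 5321
    section 4.1.1.2 tells receivers to ignore the route part.
    """
    m = _MAIL_FROM_RE.match(arg.strip())
    if m is None:
        return None
    path = m.group("path").strip()
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]
    return path


def _split_command(line: str) -> Tuple[str, str]:
    """Split a client line into an upper-cased verb and its argument string."""
    parts = line.split(None, 1)
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def process(transcript: List[Tuple[str, str]]) -> SmtpSession:
    """Walk ("C" | "S", line) pairs and return the final session state.

    Only the reply to the most recent client command is examined, which is
    enough to apply the "MAIL accepted with 250" rule and to discard a sender
    the server refused or that RSET cleared.
    """
    sess = SmtpSession()
    for side, line in transcript:
        if side == "C":
            sess.pending_cmd = _split_command(line)
            continue
        try:
            code = int(line[:3])          # SMTP replies start with a 3-digit code
        except ValueError:
            continue
        if sess.pending_cmd is None:      # greeting or continuation of a multi-line reply
            continue
        cmd, arg = sess.pending_cmd
        sess.pending_cmd = None
        if cmd == "MAIL":
            if code == 250:
                sender = extract_sender(arg)
                if sender is not None:
                    sess.sender = sender
            else:
                sess.rejected.append(arg)
        elif cmd == "RSET" and code == 250:
            sess.sender = None            # RSET aborts the current transaction
    return sess


# Constructed transcript: one refused MAIL FROM, then an accepted one.
CONSTRUCTED_TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO client.example.com"),
    ("S", "250-mx.example.net"),
    ("S", "250 SIZE 10485760"),
    ("C", "MAIL FROM:<rejected@example.org> SIZE=512"),
    ("S", "550 5.7.1 Sender rejected by policy"),
    ("C", "MAIL FROM: <alice@example.com> BODY=8BITMIME"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.net>"),
    ("S", "250 2.1.5 Ok"),
]

if __name__ == "__main__":
    result = process(CONSTRUCTED_TRANSCRIPT)
    print("sender:", result.sender, "| rejected:", result.rejected)
```

The point of gating on the reply rather than on the command alone is log fidelity: an SMTP analyzer that records every MAIL FROM it sees will attribute mail to senders the server never accepted, while one that drops `<>` loses the bounce traffic that is often the most useful for spotting backscatter. Under the constructed transcript above, `process` reports `alice@example.com` as the sender and keeps the refused address in `rejected` for separate review.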