From vern at icir.org Thu Jul 5 13:59:50 2007
From: vern at icir.org (Vern Paxson)
Date: Thu, 05 Jul 2007 13:59:50 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
Message-ID: <200707052059.l65Kxp2g056870@jaguar.icir.org>

We plan to release Bro version 1.3 quite soon (and in advance of the
upcoming Bro workshop). To that end, it would be helpful if some folks
would be willing to pre-test it:

	http://www.icir.org/vern/tmp/bro-1.2.16.tar.gz

One particular area we'd like help with is OpenBSD support, since this has
been a bugaboo for a while now, and we're hoping it's finally in place.
But general testing to ensure it builds and executes correctly would also
be very helpful.

I'm hoping to collect feedback within a few days to a week, so we can aim
for releasing 1.3 shortly after.

Thanks ...

		Vern

From vern at icir.org Thu Jul 5 22:36:17 2007
From: vern at icir.org (Vern Paxson)
Date: Thu, 05 Jul 2007 22:36:17 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
Message-ID: <200707060536.l665aHGw098656@jaguar.icir.org>

FYI, the pre-test has been updated to:

	http://www.icir.org/vern/tmp/bro-1.2.18.tar.gz

with the main changes being fixes for ICMP messages that include
non-TCP/UDP excerpts, and a BinPAC portability tweak.

		Vern

From christian at whoop.org Fri Jul 6 17:55:59 2007
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 06 Jul 2007 17:55:59 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <200707060536.l665aHGw098656@jaguar.icir.org>
References: <200707060536.l665aHGw098656@jaguar.icir.org>
Message-ID: <1183769759.29999.116.camel@strangepork>

Fyi, the latest 1.3 pre-release is now available at:

	http://www.icir.org/christian/bro/bro-1.2.19.tar.gz

This one has additional gcc 4.x compatibility fixes and should also no
longer cause the regex parser errors some people saw earlier:

	http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"

Cheers,
Christian
-- 
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org

From jean-philippe.luiggi at didconcept.com Fri Jul 6 22:07:09 2007
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi)
Date: Sat, 7 Jul 2007 01:07:09 -0400
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <1183769759.29999.116.camel@strangepork>
References: <200707060536.l665aHGw098656@jaguar.icir.org>
	<1183769759.29999.116.camel@strangepork>
Message-ID: <20070707010709.1be0ccd3@mygw.lan.mynetwork.local>

Hello,

I tested the previous testing release on OpenBSD and the compile stage
worked well. Very good job !!

I've (too) some remarks :

1) There was a little problem with "bro.rc" which didn't want to run
because we use a function called "stop()"; I suggest calling it
"brostop()" in order to evade some problems with the shell :-)

2) I worked on the (in)famous "DNS non blocking" section: if we add the
"libbind" package (using 'pkg_add libbind'), we should have the
non-blocking features. So I tried, but I think there's a typo problem
inside "configure.in":

+-+-+
dnl ################################################
dnl # DNS resolver checks.
dnl ################################################
dnl
dnl Check whether our arpa/nameser.h provides type ns_msg.
dnl If not, we disable nonblocking DNS lookups.
dnl We assume worst case first and improve on it below.
AM_CONDITIONAL(USE_NBDNS, false)

dnl Add potential header locations to path
if test -d /usr/local/bind/include; then
	CFLAGS="$CFLAGS -L/usr/local/bind/include"
fi
+-+-+

The last test (with CFLAGS's definition) could not work with OpenBSD
because we should find the include file in "/usr/local/include/bind"
(if we added the libbind package). I changed (added) the following:

+-+-+
if test -d /usr/local/include/bind; then
	CFLAGS="$CFLAGS -I/usr/local/include/bind"
fi
+-+-+

and now the configure test for DNS works fine.

I discovered another problem with libmagic (the problem I ran into is
relevant to "magic.h" and OpenBSD).
We should specify in the Makefile the correct location for the include
file, so I'm now trying to use (in configure.in):

+-+-+
openbsd*)
	AM_CONDITIONAL(USE_NMALLOC, true)
	AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
	LDFLAGS="${LDFLAGS} -L/usr/local/lib"
	V_INCLS="${V_INCLS} -I/usr/local/include"
	CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
	;;
+-+-+

It may be a correct workaround (speaking of OpenBSD) as all packages are
put in /usr/local/{include/lib}.

Best regards,

And again, very very good job.

Jean-philippe.

On Fri, 06 Jul 2007 17:55:59 -0700
Christian Kreibich wrote:

> Fyi, the latest 1.3 pre-release is now available at:
>
> 	http://www.icir.org/christian/bro/bro-1.2.19.tar.gz
>
> This one has additional gcc 4.x compatibility fixes and should also no
> longer cause the regex parser errors some people saw earlier:
>
> 	http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"
>
> Cheers,
> Christian
> -- 
> ________________________________________________________________________
> http://www.icir.org/christian
> http://www.whoop.org
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From vern at icir.org Mon Jul 9 14:43:57 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 09 Jul 2007 14:43:57 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <20070707010709.1be0ccd3@mygw.lan.mynetwork.local> (Sat, 07 Jul 2007 01:07:09 EDT).
Message-ID: <200707092143.l69LhvgS076395@jaguar.icir.org>

> I've (too) some remarks :

We've attempted to incorporate these into

	http://www.icir.org/vern/tmp/bro-1.2.20.tar.gz

Please let us know if any of the problems remain.

		Vern

From Stephan at rheoli.net Mon Jul 9 23:42:25 2007
From: Stephan at rheoli.net (Stephan)
Date: Tue, 10 Jul 2007 08:42:25 +0200
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <1183769759.29999.116.camel@strangepork>
References: <200707060536.l665aHGw098656@jaguar.icir.org>
	<1183769759.29999.116.camel@strangepork>
Message-ID: <20070710064225.GA8281@rheoli.net>

Hi,

As mentioned later by Jean-Philippe, it runs fine on OpenBSD-i386.
I always get core dumps when I run it on SPARC64 machines on Solaris 8
and on OpenBSD 4.1-current; could this be an endian problem?

gdb example (OpenBSD; bro 1.2.19):
----
Program received signal SIGBUS, Bus error.
Connection (this=0x0, s=0x12207c8, k=0x1222208, t=1165532761.666986,
    id=0xffffffffffff7350) at Obj.h:123
123             location = 0;
(gdb)
----

Best regards,

Stephan

On Fri, Jul 06, 2007 at 05:55:59PM -0700, Christian Kreibich wrote:
> Fyi, the latest 1.3 pre-release is now available at:
>
> 	http://www.icir.org/christian/bro/bro-1.2.19.tar.gz
>
> This one has additional gcc 4.x compatibility fixes and should also no
> longer cause the regex parser errors some people saw earlier:
>
> 	http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"
>
> Cheers,
> Christian
> -- 
> ________________________________________________________________________
> http://www.icir.org/christian
> http://www.whoop.org

From jp.luiggi at free.fr Tue Jul 10 11:27:32 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Tue, 10 Jul 2007 14:27:32 -0400
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <200707092143.l69LhvgS076395@jaguar.icir.org>
References: <20070707010709.1be0ccd3@mygw.lan.mynetwork.local>
	<200707092143.l69LhvgS076395@jaguar.icir.org>
Message-ID: <20070710182732.GA16200@armada.mynetwork.local>

Hello all,

It's not related to OpenBSD (same thing on a Debian) but I ran into a
problem with policy/tftp.bro:

/opt/share/bro-1.3/policy/tftp.bro, line 59: error: unknown identifier uncomment, at or near "uncomment"

I think the various ";;;;" are the problem; I had to replace them with "#".

+-+-+ tftp.bro
;;;; uncomment the following
### global sessions: table[conn_id] of tftp_session_info;
### # The following yields a conn_id that should be present in "sessions".
### global sessions_index: table[tftp_session_id] of conn_id;
### global session_id = 0;
+-+-+

Best regards,

Jean-philippe.

On Mon, Jul 09, 2007 at 02:43:57PM -0700, Vern Paxson wrote:
> > I've (too) some remarks :
>
> We've attempted to incorporate these into
>
> 	http://www.icir.org/vern/tmp/bro-1.2.20.tar.gz
>
> Please let us know if any of hte problems remain.
>
> 		Vern

From vern at icir.org Tue Jul 10 11:34:41 2007
From: vern at icir.org (Vern Paxson)
Date: Tue, 10 Jul 2007 11:34:41 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <20070710182732.GA16200@armada.mynetwork.local> (Tue, 10 Jul 2007 14:27:32 EDT).
Message-ID: <200707101834.l6AIYfpD028711@jaguar.icir.org>

> /opt/share/bro-1.3/policy/tftp.bro, line 59: error: unknown identifier
> uncomment, at or near "uncomment"
>
> I think the various ";;;;" are the problem, i had to replace them with "#".

Oops - that came from building the distribution in a tree that
inadvertently included a new, not yet completed TFTP analyzer - sorry
about that.

		Vern

From dopheide at ncsa.uiuc.edu Tue Jul 10 17:35:56 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Tue, 10 Jul 2007 19:35:56 -0500
Subject: [Bro] Patch for 1.3? Was: Type conversion and table initialization
In-Reply-To: <45E5FE68.4020505@ncsa.uiuc.edu>
References: <45E4BDD4.6070807@ncsa.uiuc.edu>
	<20070228173955.GE28976@icir.org>
	<45E5FCCF.4060100@lbl.gov>
	<45E5FE68.4020505@ncsa.uiuc.edu>
Message-ID: <469425EC.9080000@ncsa.uiuc.edu>

Would it be possible to get this added in before the 1.3 release?

Thanks,
Mike

Mike Dopheide wrote:
> Haha.. you beat me to it. Here's what I was about to submit (patch
> attached):
>
> # Returns an addr from a string
> function rawstring_to_addr%(s: string%): addr
> 	%{
> 	char* x = new char[16];
> 	const u_char* sp = s->Bytes();
>
> 	if(s->Len() != 4){
> 		sprintf(x,"0.0.0.0");
> 	}else{
> 		sprintf(x,"%i.%i.%i.%i",sp[0],sp[1],sp[2],sp[3]);
> 	}
>
> 	Val* ret = new AddrVal(x);
> 	delete [] x;
> 	return ret;
> 	%}
>
>
>
> Mark Dedlow wrote:
>> Robin Sommer wrote:
>>> On Tue, Feb 27, 2007 at 17:25 -0600, Mike Dopheide wrote:
>>>
>>>> I've got a udp packet that contains an IP address in the packet
>>>> contents[*].
>>>
>>> Hmmm... can't think of any other way than adding a new built-in
>>> function specifically for this.
>>
>> I think this is as simple as adding to bro.bif:
>>
>> function hex_to_addr%(str: string%): addr
>> 	%{
>> 	int a,b,c,d;
>> 	int r;
>> 	r = sscanf(str->CheckString(), "%x.%x.%x.%x", &a, &b, &c, &d);
>> 	if ( r != 4 )
>> 		run_time("hex addr not parseable");
>> 	return new AddrVal(dotted_to_addr(fmt("%d.%d.%d.%d", a,b,c,d)));
>> 	%}
>>
>>
>> You may need to tweak the format, eg, for the \x format, to something
>> like "\\x%x\\x%x\\x%x\\x%x".
>>
>> Mark
>>
>>
>

From christian at whoop.org Wed Jul 11 00:51:29 2007
From: christian at whoop.org (Christian Kreibich)
Date: Wed, 11 Jul 2007 09:51:29 +0200
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <20070710064225.GA8281@rheoli.net>
References: <200707060536.l665aHGw098656@jaguar.icir.org>
	<1183769759.29999.116.camel@strangepork>
	<20070710064225.GA8281@rheoli.net>
Message-ID: <1184140289.32460.5.camel@strangepork>

Hi Stephan,

On Tue, 2007-07-10 at 08:42 +0200, Stephan wrote:
> Hi,
>
> As mentioned later from Jean-Philippe it runs fine on OpenBSD-i386.

Cool, I'm glad that's sorted out.

> I'm got allways core dumps when I run it on SPARC64 machines on
> Solaris 8 and on OpenBSD 4.1-current could this an endian problem?
>
> gdb example (OpenBSD; bro 1.2.19):
> ----
> Program received signal SIGBUS, Bus error.
> Connection (this=0x0, s=0x12207c8, k=0x1222208, t=1165532761.666986,
>     id=0xffffffffffff7350) at Obj.h:123
> 123             location = 0;
> (gdb)
> ----

Ouch, that looks pretty serious. Could you post or send me a backtrace
when that crash occurs? (Just type "bt" at the gdb prompt.) Also, how are
you running Bro when this happens (on a particular trace, live traffic,
etc.)?

Thanks very much for your feedback.

Cheers,
Christian
-- 
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org

From vern at icir.org Thu Jul 12 04:01:47 2007
From: vern at icir.org (Vern Paxson)
Date: Thu, 12 Jul 2007 04:01:47 -0700
Subject: [Bro] Patch for 1.3? Was: Type conversion and table initialization
In-Reply-To: <469425EC.9080000@ncsa.uiuc.edu> (Tue, 10 Jul 2007 19:35:56 CDT).
Message-ID: <200707121101.l6CB1lLT091827@jaguar.icir.org>

> Would it be possible to get this added in before the 1.3 release?

Please try the appended and let me know if it works as you need.

		Vern


Index: src/bro.bif
===================================================================
--- src/bro.bif	(revision 4618)
+++ src/bro.bif	(working copy)
@@ -496,6 +496,23 @@
 	return ret;
 	%}
 
+# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
+function raw_bytes_to_v4_addr%(b: string%): addr
+	%{
+	uint32 a = 0;
+
+	if ( b->Len() < 4 )
+		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
+
+	else
+		{
+		const u_char* bp = b->Bytes();
+		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
+		}
+
+	return new AddrVal(a);
+	%}
+
 function to_net%(a: addr%): net
 	%{
 #ifdef BROv6

From dopheide at ncsa.uiuc.edu Thu Jul 12 11:33:32 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Thu, 12 Jul 2007 13:33:32 -0500
Subject: [Bro] Patch for 1.3? Was: Type conversion and table initialization
In-Reply-To: <200707121101.l6CB1lLT091827@jaguar.icir.org>
References: <200707121101.l6CB1lLT091827@jaguar.icir.org>
Message-ID: <469673FC.5090305@ncsa.uiuc.edu>

Vern,

That works great. The only issue is that the packets I'm dealing with
have it in host order rather than network order.

-Mike

Vern Paxson wrote:
>> Would it be possible to get this added in before the 1.3 release?
>
> Please try the appended and let me know if it works as you need.
>
> 		Vern
>
>
> Index: src/bro.bif
> ===================================================================
> --- src/bro.bif	(revision 4618)
> +++ src/bro.bif	(working copy)
> @@ -496,6 +496,23 @@
>  	return ret;
>  	%}
>
> +# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
> +function raw_bytes_to_v4_addr%(b: string%): addr
> +	%{
> +	uint32 a = 0;
> +
> +	if ( b->Len() < 4 )
> +		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
> +
> +	else
> +		{
> +		const u_char* bp = b->Bytes();
> +		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
> +		}
> +
> +	return new AddrVal(a);
> +	%}
> +
>  function to_net%(a: addr%): net
>  	%{
>  #ifdef BROv6
>
>

From pauls at utdallas.edu Thu Jul 12 13:37:15 2007
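Review bot: in `a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];` each `bp[i]` is a `u_char` promoted to `int`, so the shift is done in signed arithmetic and for a first byte >= 128 the intermediate overflows `int` before it is stored into the `uint32`; cast each byte first (`((uint32) bp[0] << 24) | ((uint32) bp[1] << 16) | ...`) so the whole expression stays unsigned. The comment says the bytes are in network order, yet `a` is assembled as a host-order integer and handed to `AddrVal(a)` unchanged; if `AddrVal` takes a network-order word, the address comes out byte-reversed on little-endian hosts, so either apply `htonl(a)` on the return line or state in the comment which byte order the caller gets. The error branch also falls through after `builtin_run_time(...)` and returns `AddrVal(0)`, i.e. 0.0.0.0, which a script cannot tell apart from a genuine 0.0.0.0 in the payload; worth documenting in the function comment.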
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 12 Jul 2007 15:37:15 -0500
Subject: [Bro] Several questions
Message-ID:

I'm working on an upgrade to the bro port in FreeBSD (from 0.9a4a to
1.1d-stable.) I've never used bro, but I maintain a number of ports.
I've found that bro is quite a complex port. I've had to address a
number of issues where bro does things in a "non-standard" (for FreeBSD)
way, but I've finally got the port installing correctly and in the
"right" (for FreeBSD) locations.

Now I'm testing running bro, and I've run into some problems that I
don't know the answer to.

1) When I try to run bro.rc start, I get a permission denied error.

bro.rc: Starting ..........bro.rc: Failed to start Bro
/var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied
... FAILED

I tried changing the user from bro to root, but I still get the error.
All the directories and files have the "standard" permissions (xwrx-rx-r
for dirs and executables, -rw-r--r- for other files such as policy files
and scripts). The messages file doesn't include any additional information.

If I set DEBUG=1 in bro.rc, I get this:

root at utd59514# /var/tmp/bro/bin/bro.rc start
bro.rc: Starting /var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied

Huh?

root at utd59514# ls -lsa /var/tmp/bro/bin/bro
1760 -r-xr-xr-x  1 root  wheel  1784264 Jul 12 09:27 /var/tmp/bro/bin/bro

And I can run bro from the commandline (although that brings up another
issue)

root at utd59514# /var/tmp/bro/bin/bro -i bge0
^C

Any suggestions as to where to look for this problem would be appreciated.
2) I can't seem to figure out the correct format for the local.site.bro
file

root at utd59514# /var/tmp/bro/bin/bro -i bge0 utd59514.utdallas.edu.bro
/var/tmp/bro/bro/site/utd59514.utdallas.edu.bro, line 1: error: syntax error, at or near ","

Here's the file:

root at utd59514# less /var/tmp/bro/bro/site/utd59514.utdallas.edu.bro
129.110.0.0/16, 10.0.0.0/8

I have tried enclosing this in brackets [129.110.0.0/16, 10.0.0.0/8]. I
have tried replacing the comma with a space. I have tried
129.110.0.0/16 with and without the brackets. No matter what format I
use, I get the syntax error.

Is this a bug? Or have I missed something doh simple?

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From bltierney at lbl.gov Thu Jul 12 17:03:23 2007
From: bltierney at lbl.gov (Brian Tierney)
Date: Thu, 12 Jul 2007 17:03:23 -0700
Subject: [Bro] Several questions
In-Reply-To:
References:
Message-ID: <4696C14B.2000105@lbl.gov>

The bro.rc does not work unless you run 'make install-brolite'.
Did you do that?

No idea how this all maps to a 'FreeBSD port'.

Paul Schmehl wrote:
> I'm working on an upgrade to the bro port in FreeBSD (from 0.9a4a to
> 1.1d-stable.) I've never used bro, but I maintain a number of ports.
> I've found that bro is quite a complex port. I've had to address a
> number of issues where bro does things in a "non-standard" (for FreeBSD)
> way, but I've finally got the port installing correctly and in the
> "right" (for FreeBSD) locations.
>
> Now I'm testing running bro, and I've run into some problems that I
> don't know the answer to.
>
> 1) When I try to run bro.rc start, I get a permission denied error.
>
> bro.rc: Starting ..........bro.rc: Failed to start Bro
> /var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission denied
> ... FAILED
>
> I tried changing the user from bro to root, but I still get the error.
> All the directories and files have the "standard" permissions (xwrx-rx-r
> for dirs and executables -rw-r--r- for other files such as policy files
> and scripts. The messages file doesn't include any additional information.
>
> If I set DEBUG=1 in bro.rc, I get this:
>
> root at utd59514# /var/tmp/bro/bin/bro.rc start
> bro.rc: Starting /var/tmp/bro/bin/bro.rc: /var/tmp/bro/bin: Permission
> denied
>
> Huh?
>
> root at utd59514# ls -lsa /var/tmp/bro/bin/bro
> 1760 -r-xr-xr-x  1 root  wheel  1784264 Jul 12 09:27 /var/tmp/bro/bin/bro
>
> And I can run bro from the commandline (although that brings up another
> issue)
>
> root at utd59514# /var/tmp/bro/bin/bro -i bge0
> ^C
>
> Any suggestions as to where to look for this problem would be appreciated.
>
> 2) I can't seem to figure out the correct format for the local.site.bro
> file
>
> root at utd59514# /var/tmp/bro/bin/bro -i bge0 utd59514.utdallas.edu.bro
> /var/tmp/bro/bro/site/utd59514.utdallas.edu.bro, line 1: error: syntax
> error, at or near ","
>
> Here's the file:
>
> root at utd59514# less /var/tmp/bro/bro/site/utd59514.utdallas.edu.bro
> 129.110.0.0/16, 10.0.0.0/8
>
> I have tried enclosing this in brackets [129.110.0.0/16, 10.0.0.0/8]. I
> have tried replacing the comma with a space. I have tried
> 129.110.0.0/16 with and without the brackets. No matter what format I
> use, I get the syntax error.
>
> Is this a bug? Or have I missed something doh simple?
>

-- 
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 425-642-4558
bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

From pauls at utdallas.edu Thu Jul 12 19:13:22 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 12 Jul 2007 21:13:22 -0500
Subject: [Bro] Several questions
In-Reply-To: <4696C14B.2000105@lbl.gov>
References: <4696C14B.2000105@lbl.gov>
Message-ID: <3BC04753EB6E44A8228E63E9@paul-schmehls-powerbook59.local>

--On July 12, 2007 5:03:23 PM -0700 Brian Tierney wrote:

>
> The bro.rc does not work unless you run 'make install-brolite'
> Did you do that?
>

No, I did not. However, the documentation says you can run bro_config
instead. I *did* do that.

"The Bro-Lite configuration script can be used to automatically configure
(or reconfigure) Bro for you. It checks your system's BPF settings,
creates a "bro" user account, installs a script to start Bro at boot time,
installs the report generation package, and installs a number of cron jobs
to checkpoint Bro every night, run periodic reports, and manage log files.
To run this configuration script type:

	bro_config

This script creates the file @file{$BROHOME/etc/bro.cfg}. bro_config will
ask a number of simple questions. Note that the full functionality of this
script is only supported under FreeBSD. Some additional configuration may
need to be done by hand under Linux."

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From pauls at utdallas.edu Thu Jul 12 21:48:14 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 12 Jul 2007 23:48:14 -0500
Subject: [Bro] More questions
Message-ID: <132850B553A17C3DC6202174@paul-schmehls-powerbook59.local>

I figured out that I'm going to have to write a FreeBSD-type startup
script to replace bro.rc, so that problem is "solved". I also figured out
the syntax for the local.site.bro file and some fiddling around and
reading.

Now I have another question - how do you daemonize bro? bro -h doesn't
show a daemon switch (normally -D), and when I run it, even without the
debug switch, it does not daemonize. Obviously, from the cmdline I can
use &, but that is not available from a startup script. What's the normal
convention?

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From vern at icir.org Fri Jul 13 00:36:33 2007
From: vern at icir.org (Vern Paxson)
Date: Fri, 13 Jul 2007 00:36:33 -0700
Subject: [Bro] Patch for 1.3? Was: Type conversion and table initialization
In-Reply-To: (Thu, 12 Jul 2007 04:01:47 PDT).
Message-ID: <200707130736.l6D7aX01055190@jaguar.icir.org>

> Please try the appended and let me know if it works as you need.

Mike, per our off-line conversation, here's an updated patch. Thanks
for your help with this.

		Vern


Index: src/bro.bif
===================================================================
--- src/bro.bif	(revision 4618)
+++ src/bro.bif	(working copy)
@@ -496,6 +496,23 @@
 	return ret;
 	%}
 
+# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
+function raw_bytes_to_v4_addr%(b: string%): addr
+	%{
+	uint32 a = 0;
+
+	if ( b->Len() < 4 )
+		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
+
+	else
+		{
+		const u_char* bp = b->Bytes();
+		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
+		}
+
+	return new AddrVal(htonl(a));
+	%}
+
 function to_net%(a: addr%): net
 	%{
 #ifdef BROv6

From Stephan at rheoli.net Fri Jul 13 03:18:39 2007
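Review bot: `return new AddrVal(htonl(a));` settles the byte-order question raised in the earlier review, but the assembly line `a = (bp[0] << 24) | ...` is unchanged: the promoted `int` shift still overflows for a first byte >= 128 before the value lands in the `uint32`, so cast each `bp[i]` to `uint32` before shifting. The short-input path also still reaches the return and yields `AddrVal(htonl(0))`, i.e. 0.0.0.0, after `builtin_run_time(...)`; stating that fallback in the function comment would let script callers check for it explicitly.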
From: Stephan at rheoli.net (Stephan)
Date: Fri, 13 Jul 2007 12:18:39 +0200
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <1184140289.32460.5.camel@strangepork>
References: <200707060536.l665aHGw098656@jaguar.icir.org>
	<1183769759.29999.116.camel@strangepork>
	<20070710064225.GA8281@rheoli.net>
	<1184140289.32460.5.camel@strangepork>
Message-ID: <20070713101839.GA15301@rheoli.net>

Hi Christian

I've compiled bro 1.2.20 and run the test again with the same bus error.
At the moment I'm using a pcap file to run the test. Here is the gdb
output:

$ sudo gdb bin/bro
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc64-unknown-openbsd4.1"...
(gdb) run -r /home/pcap/test.pcap mt
Starting program: /usr/local/bro/bin/bro -r /home/pcap/test.pcap mt

Program received signal SIGBUS, Bus error.
Connection (this=0x0, s=0x12955d8, k=0x1297318, t=1165532761.666986,
    id=0xfffffffffffdd0d0) at Obj.h:123
123             location = 0;
(gdb) bt
#0  Connection (this=0x0, s=0x12955d8, k=0x1297318, t=1165532761.666986,
    id=0xfffffffffffdd0d0) at Obj.h:123
#1  0x0000000000262708 in NetSessions::NewConn(HashKey*, double, ConnID const*, unsigned char const*, int)
    (this=0x12955d8, k=0x1297318, t=1165532761.666986, id=0xfffffffffffdd0d0,
    data=0x1290ee4 "\215?", proto=19495908) at Conn.h:304
#2  0x000000000014a6a4 in ConnCompressor::Instantiate(double, HashKey*, IP_Hdr const*)
    (this=0x1288380, t=1165532761.666986, key=0x1297318, ip=0xfffffffffffdd3c0) at IP.h:115
#3  0x00000000001495f4 in ConnCompressor::NextPacket(double, HashKey*, IP_Hdr const*, pcap_pkthdr const*, unsigned char const*)
    (this=0x1288380, t=1165532761.666986, key=0x1297318, ip=0xfffffffffffdd3c0,
    hdr=0x128c9e0, pkt=0x1290ec2 "") at ConnCompressor.cc:171
#4  0x000000000025f7d4 in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int)
    (this=0x12955d8, t=1165532761.666986, hdr=0x128c9e0, ip_hdr=0xfffffffffffdd3c0,
    pkt=0x1290ec2 "", hdr_size=14) at Sessions.cc:544
#5  0x000000000025f278 in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*)
    (this=0x12955d8, t=1165532761.666986, hdr=0x128c9e0, pkt=0x1290ec2 "",
    hdr_size=14, pkt_elem=0x0) at Sessions.cc:294
#6  0x0000000000212f80 in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*)
    (t=1165532761.666986, hdr=0x128c9e0, pkt=0x1290ec2 "", hdr_size=14,
    src_ps=0x128c9a0, pkt_elem=0x0) at Net.cc:402
#7  0x0000000000226a98 in PktSrc::Process() (this=0x128c9a0) at PktSrc.cc:216
#8  0x00000000002132c8 in net_run() () at Net.cc:491
#9  0x0000000000109b88 in main (argc=1024, argv=0x400) at main.cc:1009
(gdb)

Best regards,

Stephan

From vern at icir.org Fri Jul 13 03:28:28 2007
From: vern at icir.org (Vern Paxson)
Date: Fri, 13 Jul 2007 03:28:28 -0700
Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD)
In-Reply-To: <20070713101839.GA15301@rheoli.net> (Fri, 13 Jul 2007 12:18:39 +0200).
Message-ID: <200707131028.l6DASSGY082642@jaguar.icir.org>

> Connection (this=0x0, s=0x12955d8, k=0x1297318, t=1165532761.666986,
>     id=0xfffffffffffdd0d0) at Obj.h:123
> 123             location = 0;

Any chance you're running out of memory? It's failing inside a routine
"new" allocation. Depending on your shell, you might try raising your
per-process memory limits. In tcsh, for example, via "unlimit datasize".

		Vern

From dopheide at ncsa.uiuc.edu Fri Jul 13 10:17:23 2007
From: dopheide at ncsa.uiuc.edu (Mike Dopheide)
Date: Fri, 13 Jul 2007 12:17:23 -0500
Subject: [Bro] Patch for 1.3? Was: Type conversion and table initialization
In-Reply-To: <200707130736.l6D7aX01055190@jaguar.icir.org>
References: <200707130736.l6D7aX01055190@jaguar.icir.org>
Message-ID: <4697B3A3.1030608@ncsa.uiuc.edu>

Perfect, Vern. Thank you.

-Mike

Vern Paxson wrote:
>> Please try the appended and let me know if it works as you need.
>
> Mike, per our off-line conversation, here's an updated patch. Thanks
> for your help with this.
>
> 		Vern
>
>
> Index: src/bro.bif
> ===================================================================
> --- src/bro.bif	(revision 4618)
> +++ src/bro.bif	(working copy)
> @@ -496,6 +496,23 @@
>  	return ret;
>  	%}
>
> +# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
> +function raw_bytes_to_v4_addr%(b: string%): addr
> +	%{
> +	uint32 a = 0;
> +
> +	if ( b->Len() < 4 )
> +		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
> +
> +	else
> +		{
> +		const u_char* bp = b->Bytes();
> +		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
> +		}
> +
> +	return new AddrVal(htonl(a));
> +	%}
> +
>  function to_net%(a: addr%): net
>  	%{
>  #ifdef BROv6
>
>

From vern at icir.org Sat Jul 14 00:10:22 2007
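The byte-order point Mike and Vern settle in the patch thread above, as an added C++ example that is not Bro's bif code: it converts the first 4 bytes of a string to a dotted quad under both conventions (wire/network order, and the host-order layout Mike's packets use), rejects short input with a result that cannot be mistaken for a real address, and shows what the first version of the patch (no htonl) produces on a little-endian host. All names are my own and the sample bytes are constructed.

```cpp
// Added example (not from Bro): raw bytes -> IPv4 text, both byte orders.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Assemble four bytes as a big-endian number.  Each byte is cast to
// uint32_t before shifting so the arithmetic never happens in signed int.
static uint32_t be_bytes_to_u32(const unsigned char* bp)
	{
	return (static_cast<uint32_t>(bp[0]) << 24) |
	       (static_cast<uint32_t>(bp[1]) << 16) |
	       (static_cast<uint32_t>(bp[2]) << 8)  |
	        static_cast<uint32_t>(bp[3]);
	}

// Render a network-order 32-bit word (what in_addr stores) as dotted quad.
static std::string dotted(uint32_t net_order_word)
	{
	struct in_addr ia;
	ia.s_addr = net_order_word;
	char buf[INET_ADDRSTRLEN];
	if ( ! inet_ntop(AF_INET, &ia, buf, sizeof buf) )
		return "";
	return buf;
	}

// Interpret the first 4 bytes of 'b' as an IPv4 address.
//   network_order = true : bytes are laid out as on the wire (big-endian)
//   network_order = false: bytes are a uint32 in this host's byte order
// Returns "" for input shorter than 4 bytes; unlike a 0.0.0.0 fallback the
// empty string cannot collide with an address that really was in the data.
std::string raw_bytes_to_v4_addr(const std::string& b, bool network_order)
	{
	if ( b.size() < 4 )
		return "";

	const unsigned char* bp = reinterpret_cast<const unsigned char*>(b.data());
	uint32_t host_value;

	if ( network_order )
		host_value = be_bytes_to_u32(bp);
	else
		std::memcpy(&host_value, bp, sizeof host_value); // already host order

	// in_addr wants a network-order word; htonl() is the portable way to get
	// there from a host-order value (a no-op on big-endian machines).
	return dotted(htonl(host_value));
	}

// What the first version of the patch did: hand the assembled host-order
// value over without htonl().  On a little-endian host this byte-reverses a
// network-order input, and by the same token "works" for host-order input.
std::string first_patch_behaviour(const std::string& b)
	{
	if ( b.size() < 4 )
		return "";
	return dotted(be_bytes_to_u32(reinterpret_cast<const unsigned char*>(b.data())));
	}

// Constructed sample input: the bytes of 'v' as this host stores a uint32.
std::string host_order_bytes(uint32_t v)
	{
	return std::string(reinterpret_cast<const char*>(&v), sizeof v);
	}

// Constructed sample input: the bytes of 'v' as they would appear on the wire.
std::string network_order_bytes(uint32_t v)
	{
	uint32_t n = htonl(v);
	return std::string(reinterpret_cast<const char*>(&n), sizeof n);
	}

int main()
	{
	const uint32_t addr = 0xc0a80102u; // 192.168.1.2, constructed
	std::printf("wire bytes, network order : %s\n",
	            raw_bytes_to_v4_addr(network_order_bytes(addr), true).c_str());
	std::printf("host bytes, host order    : %s\n",
	            raw_bytes_to_v4_addr(host_order_bytes(addr), false).c_str());
	std::printf("wire bytes, first patch   : %s\n",
	            first_patch_behaviour(network_order_bytes(addr)).c_str());
	std::printf("3-byte input              : \"%s\"\n",
	            raw_bytes_to_v4_addr(std::string("\xc0\xa8\x01", 3), true).c_str());
	return 0;
	}
```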
From: vern at icir.org (Vern Paxson)
Date: Sat, 14 Jul 2007 00:10:22 -0700
Subject: [Bro] More questions
In-Reply-To: <132850B553A17C3DC6202174@paul-schmehls-powerbook59.local> (Thu, 12 Jul 2007 23:48:14 CDT).
Message-ID: <200707140710.l6E7AM5A009077@jaguar.icir.org>

> Now I have another question - how do you daemonize bro?

There's no mechanism beyond '&' from a shell. I'm confused by your
statement that this isn't available from a startup script, since we
routinely run shell scripts (that then background things) on our
FreeBSD systems upon startup.

		Vern

From pauls at utdallas.edu Sat Jul 14 14:52:45 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Sat, 14 Jul 2007 16:52:45 -0500
Subject: [Bro] More questions
In-Reply-To: <200707140710.l6E7AM5A009077@jaguar.icir.org>
References: <200707140710.l6E7AM5A009077@jaguar.icir.org>
Message-ID: <2FA138CAA0C8AD7698D14E98@paul-schmehls-powerbook59.local>

--On July 14, 2007 12:10:22 AM -0700 Vern Paxson wrote:

>> Now I have another question - how do you daemonize bro?
>
> There's no mechanism beyond '&' from a shell. I'm confused by your
> statement that this isn't available from a startup script, since we
> routinely run shell scripts (that then background things) on our
> FreeBSD systems upon startup.
>

I figured it out. I can't use a standard rc.subr script to start bro.
I have to use bro.rc.

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From jean-philippe.luiggi at didconcept.com Sat Jul 14 16:27:32 2007
From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Sat, 14 Jul 2007 19:27:32 -0400 Subject: [Bro] More questions In-Reply-To: <2FA138CAA0C8AD7698D14E98@paul-schmehls-powerbook59.local> References: <200707140710.l6E7AM5A009077@jaguar.icir.org> <2FA138CAA0C8AD7698D14E98@paul-schmehls-powerbook59.local> Message-ID: <20070714192732.38220c16@mygw.lan.mynetwork.local> Hello Paul, You're right, using "bro.rc" is the best way to run the IDS (as far as I know). I usually use it on OpenBSD as-is and have no problems. Best regards, Jean-philippe. On Sat, 14 Jul 2007 16:52:45 -0500 Paul Schmehl wrote: > --On July 14, 2007 12:10:22 AM -0700 Vern Paxson > wrote: > > >> Now I have another question - how do you daemonize bro? > > > > There's no mechanism beyond '&' from a shell. I'm confused by your > > statement that this isn't available from a startup script, since we > > routinely run shell scripts (that then background things) on our > > FreeBSD systems upon startup. > > > I figured it out. I can't use a standard rc.subr script to start > bro. I have to use bro.rc. > > Paul Schmehl (pauls at utdallas.edu) > Senior Information Security Analyst > The University of Texas at Dallas > http://www.utdallas.edu/ir/security/ From tarupp at fnal.gov Mon Jul 16 08:50:04 2007 
From: tarupp at fnal.gov (Tim Rupp) Date: Mon, 16 Jul 2007 10:50:04 -0500 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <200707092143.l69LhvgS076395@jaguar.icir.org> References: <200707092143.l69LhvgS076395@jaguar.icir.org> Message-ID: <469B93AC.3030405@fnal.gov> Hi list, I'm having a problem compiling 1.2.20. Looking for any advice. Compiling on Ubuntu Feisty include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o FTP.o `test -f 'FTP.cc' || echo './'`FTP.cc source='File.cc' object='File.o' libtool=no \ depfile='.deps/File.Po' tmpdepfile='.deps/File.TPo' \ depmode=gcc3 /bin/bash ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o File.o `test -f 'File.cc' || echo './'`File.cc File.cc: In member function ‘void BroFile::InitEncrypt(const char*)’: File.cc:666: warning: dereferencing type-punned pointer will break strict-aliasing rules source='FileAnalyzer.cc' object='FileAnalyzer.o' libtool=no \ depfile='.deps/FileAnalyzer.Po' tmpdepfile='.deps/FileAnalyzer.TPo' \ depmode=gcc3 /bin/bash ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused -I../linux-include -g -O2 -c -o FileAnalyzer.o `test -f 'FileAnalyzer.cc' || echo './'`FileAnalyzer.cc FileAnalyzer.cc: In member function ‘void File_Analyzer::Identify()’: FileAnalyzer.cc:80: error: ‘cl_scanbuff’ was not declared in this scope FileAnalyzer.cc: In static member function ‘static void File_Analyzer::InitClamAV()’: FileAnalyzer.cc:113: error: ‘cl_loaddbdir’ 
was not declared in this scope make[3]: *** [FileAnalyzer.o] Error 1 make[3]: Leaving directory `/home/tarupp/bro-1.2.20/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/tarupp/bro-1.2.20/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/tarupp/bro-1.2.20' make: *** [all] Error 2 clamav-dev version is 0.90.2-0ubuntu1 Thanks in advance. -Tim Vern Paxson wrote: >> I've (too) some remarks : > > We've attempted to incorporate these into > > http://www.icir.org/vern/tmp/bro-1.2.20.tar.gz > > Please let us know if any of the problems remain. > > Vern > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro From christian at whoop.org Mon Jul 16 09:29:12 2007 
From: christian at whoop.org (Christian Kreibich) Date: Mon, 16 Jul 2007 18:29:12 +0200 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <20070713101839.GA15301@rheoli.net> References: <200707060536.l665aHGw098656@jaguar.icir.org> <1183769759.29999.116.camel@strangepork> <20070710064225.GA8281@rheoli.net> <1184140289.32460.5.camel@strangepork> <20070713101839.GA15301@rheoli.net> Message-ID: <1184603352.1086.26.camel@strangepork> Hi Stephan, On Fri, 2007-07-13 at 12:18 +0200, Stephan wrote: > Hi Christian > > I've compiled bro 1.2.20 and run the test again with the same > bus error. At the moment I'm using a pcap file to run the > test. Thanks. I'd like to try to reproduce the error, but I can't seem to get a build on the sole Solaris box I have access to, which is a "SunOS 5.9 Generic_122300-06 sun4u sparc SUNW,Sun-Fire-880 Solaris". I see two gccs on that box, 3.4.2 and 4.1.2. With both, I get clashes between C header files and STL types, à la /usr/include/net/if.h:87: error: template argument required for `struct map' With gcc4, I also had to add -lstdc++ to LDFLAGS. Are there any additional Solaris tricks one has to apply to work around these problems, or did the build Just Work for you? What compiler are you using? Cheers, Christian -- ________________________________________________________________________ http://www.icir.org/christian http://www.whoop.org From christian at whoop.org Mon Jul 16 11:03:04 2007 
From: christian at whoop.org (Christian Kreibich) Date: Mon, 16 Jul 2007 20:03:04 +0200 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <469B93AC.3030405@fnal.gov> References: <200707092143.l69LhvgS076395@jaguar.icir.org> <469B93AC.3030405@fnal.gov> Message-ID: <1184608984.1086.68.camel@strangepork> On Mon, 2007-07-16 at 10:50 -0500, Tim Rupp wrote: > Hi list, I'm having a problem compiling 1.2.20. Looking for any advice. Hi Tim, From your report it looks like there is more variance in the ClamAV API than we were aware of. Unfortunately we don't currently provide --disable-clamav at configure time. If you don't really need ClamAV functionality, the kludge to try would be removing clamav-dev, so Bro won't pick it up. We'll make sure this becomes more configurable in the future... Cheers, Christian -- ________________________________________________________________________ http://www.icir.org/christian http://www.whoop.org From tarupp at fnal.gov Mon Jul 16 11:05:47 2007 
From: tarupp at fnal.gov (Tim Rupp) Date: Mon, 16 Jul 2007 13:05:47 -0500 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <1184608984.1086.68.camel@strangepork> References: <200707092143.l69LhvgS076395@jaguar.icir.org> <469B93AC.3030405@fnal.gov> <1184608984.1086.68.camel@strangepork> Message-ID: <469BB37B.1080503@fnal.gov> Christian Kreibich wrote: > On Mon, 2007-07-16 at 10:50 -0500, Tim Rupp wrote: >> Hi list, I'm having a problem compiling 1.2.20. Looking for any advice. > > Hi Tim, > > From your report it looks like there is more variance in the ClamAV API > than we were aware of. Unfortunately we don't currently provide > --disable-clamav at configure time. If you don't really need ClamAV > functionality, the kludge to try would be removing clamav-dev, so Bro > won't pick it up. We'll make sure this becomes more configurable in the > future... > > Cheers, > Christian Ok, no problem. I was just going off what the output of configure said. I saw it had a libclamav option so I said "what the heck" and installed it. I'll remove it and try again. Thanks! Tim From vern at icir.org Mon Jul 16 23:57:27 2007 
From: vern at icir.org (Vern Paxson) Date: Mon, 16 Jul 2007 23:57:27 -0700 Subject: [Bro] new Bro CURRENT and STABLE releases (1.3 and 1.2) Message-ID: <200707170657.l6H6vRnc071281@jaguar.icir.org> Bro release 1.3 is now available from: ftp://bro-ids.org/bro-1.X-current.tar.gz This becomes the new CURRENT release. The 1.2 branch (formerly CURRENT) is now the STABLE release: ftp://bro-ids.org/bro-1.2-stable.tar.gz Most of the 1.3 changes are refinements and fixes of various sorts, as opposed to major functionality. The most significant new features are that the Bro manual has now been wikified at http://www.bro-ids.org/wiki/index.php/User_Manual and Bro's analyzers for SMB, NetBIOS and NCP have a great deal more functionality. The appended changelog lists numerous other features/changes/fixes. The old STABLE release, based on the 1.1 release, remains available at ftp://bro-ids.org/bro-1.1d-stable.tar.gz We do not anticipate making any further changes to it. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1.3 Mon Jul 16 22:11:00 PDT 2007 - The Bro manual has been wikified at: http://www.bro-ids.org/wiki/index.php/User_Manual and this is the format in which it will evolve in the future (Christian Kreibich). - Much more extensive support for SMB, NetBIOS and NCP (Chris Grier). - The new attribute &priority=n defines the order of execution for handlers of the same event (Robin Sommer). Handlers with higher priority are executed first. n is an integer expression that must evaluate to a constant when the script is loaded. Example: > cat foo.bro event bro_init() &priority = -5 { print -5; } event bro_init() &priority = 5 { print 5; } event bro_init() { print 0; } # default priority=0 > ./bro foo.bro 5 0 -5 The connection_state_remove() handler in conn.bro now has priority -10 and therefore executes after all other handlers for this event. This fixes a long-standing problem of sometimes $addl fields not showing up in connection summaries. 
- The new expressions record(...), table(...), set(...) and vector(...) are constructors for the corresponding aggregate types (Vern Paxson). For example, record($foo = "hi", $bar = -6) is the same as the existing constructor [$foo = "hi", $bar = -6] For tables, sets, and vectors, the "..." values within the ()'s have the same syntax as those that you can list in variable initializations. For example, table([1, T] = "black", [4, F] = "red") returns a table of type "table[count, bool] of string". set(4, 3, -1) is a value of type "set[int]". - You can associate attributes with table() and set() constructors (Robin Sommer). For example: local s = set(1.2.3.4) &read_expire = 5 secs; associates a 5-second read expiration with the set assigned to s. - Bro now explicitly supports port numbers reflecting a transport protocol type of "unknown" (Christian Kreibich). Currently, this means "not TCP, UDP or ICMP". The numerical value of such a port is the IP protocol, so ranges from 0..255. For example: global p: port = 0/unknown; print fmt("%s", p); print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp); print fmt("p is unknown? %s", get_port_transport_proto(p) == unknown_transport); yields 0/unknown p is TCP? F p is unknown? T In comparisons of different protocol types, the following holds: unknown < TCP < UDP < ICMP. - If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity for a corresponding city database), then the new script function lookup_location(a: addr): geo_location returns a record of geographic information associated with an address (Seth Hall). The geo_location record has $country_code, $region and $city fields. If no information is available, each of these will be set to empty strings. If Bro hasn't been configured with GeoIP support, or if the address is an IPv6 address that cannot be directly converted to IPv4, then Bro produces a run-time error and likewise returns empty strings. 
- Signature-matching on HTTP components now processes the URI with escape sequences expanded (Robin Sommer). Ideally, there would be two signature keywords, one for decoded URIs (corresponding to this case) and one that allows matching against the URI as originally transmitted. - The connection compressor is no longer considered experimental, and is used by default (Robin Sommer). - The new function lookup_hostname(host: string): addr_set asynchronously looks up the IPv4 address(es) of the given host via DNS (Robin Sommer). Like lookup_addr(), this function can only be used within a "when" statement. - The new built-in raw_bytes_to_v4_addr(s: string): addr takes a string that points to at least 4 bytes, and returns an address corresponding to interpreting these as being an IPv4 address in network order (Vern Paxson; suggested by Mike Dopheide). - Trace-rewriting support for DNS, SMB (Chris Grier). - The new script function find_all(str: string, re: pattern): string_set returns a string_set giving all occurrences of the pattern "re" in the string "str" (Robin Sommer). (Note that string_set's are unordered.) - The new policy script save-peer-status.bro generates a log to peer_status.$BRO_LOG_SUFFIX of updates received from communication peers (Robin Sommer). - The policy script print-filter.bro now includes two (scoped) variables, terminate_bro and to_file, which control whether to exit after printing the filter (default T) and whether to write to the log file pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer). - The new script variable check_for_unused_event_handlers controls whether Bro checks for unused event handlers (Robin Sommer). It defaults to T, which was the past behavior (always report). - Bro now terminates if the only pending activity is future timers (Robin Sommer). 
It used to wait for those timers to expire, but this can cause fundamental problems if the timers are associated with table management (since these might never completely drain). - Tables and sets inside of records are now initialized to empty values rather than uninitialized (Vern Paxson). - A new variable allow_services_from (in hot.bro) complements the existing allow_service_to variable (Brian Tierney). It specifies that access to the given service from the given originator is allowed. - global_sizes() no longer reports internal variables (Robin Sommer). - The IRC analyzer is now activated if any of the (many) IRC event handlers are defined (Robin Sommer). - The default value for tcp_close_delay is now 5 sec rather than 0 sec (Robin Sommer). This prevents some spurious connection events. - Improved logic for dealing with "reversed" connections such as backscatter (Vern Paxson). - You can now left-justify fields when using fmt() with "%-" like in sprintf (Christian Kreibich). - Updates to DNS query types (Larry Leviton). - Added mechanism to http-header.bro to skip printing some HTTP headers (Larry Leviton). - The IrcHotWord notice now sets the associated connection (Robin Sommer). - If a notice has a tag, it's no longer overridden (Robin Sommer). - ServerFound notices now set the port field (Robin Sommer). - The built-in lookup_ID() now returns the string "" if the ID does not exist, rather than a run-time error (Robin Sommer). - The new tuning option ProtocolDetector::suppress_servers specifies a set of analyzers for which Bro generates ServerFound notices, but not ProtocolFound (Robin Sommer). This both reduces log file size and conserves memory. - A new notice_action_filter, tally_notice_type_and_ignore, works the same as tally_notice_type but returns IGNORE (Robin Sommer) - Setting summary_interval == 0 disables the creation of irc-bots.summary.log (Robin Sommer). 
- If you @load foo and a directory "foo" is in your path, Bro no longer tries to load it (Robin Sommer). - A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier and Vern Paxson). - BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang and Christian Kreibich). This reflects a decoupling of it from Bro so that it can be used to generate protocol analyzers for other projects too. - Removed example Inktomi entries from skip_scan_sources initialization, since they no longer exist (Vern Paxson). - The variable notice_once_per_orig_tally_interval is now redef'able (Brian Tierney). - SIGPROF to the communication child process now logs resource stats to remote.log (Matthias Vallentin). - The new built-in getpid(): count returns Bro's process ID (Robin Sommer). - Patterns for detecting IRC-based bots updated (Robin Sommer). - irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer). - The new variable suppress_notice_actions in notice.bro suppresses notice_actions events for selected notice types (Robin Sommer). - Files opened during operation now rotate just like those opened at startup (Robin Sommer). - ResourceStats now also logs elapsed time and the reported number of packets-on-the-link (Mark Dedlow). - Printing a "file" value now produces its name (Robin Sommer). - Removed deliberate truncation of payload in port 80 FIN packets (Vern Paxson). - remote.log now includes received peer_descriptions (Robin Sommer). - Significant POP3 analyzer speed-ups (Vern Paxson). - Updated README (Vern Paxson). - Fix for "@load a" followed by "@load a.bro" not loading the same file twice (Robin Sommer). - Bug fixes for propagating state operations to uninitialized variables and for spurious state inconsistency messages (Robin Sommer). - Bug fix for sending final sync-points during pseudo-realtime mode (Robin Sommer). - Fix for possible buffer overflow (Christian Kreibich). 
- Bug fix for spurious end-of-file's during inter-Bro communication (Robin Sommer). - Bug fix for dpd_match_only_beginning=F (Robin Sommer). - Bug fix for updating timestamps (Christian Kreibich). - Bug fix for skipping ADU processing in adu.bro (Christian Kreibich and Zhichun Li). - Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers) within them (Vern Paxson). - Fix for files being rotated after the timer queue has been deleted (Vern Paxson). - Bug fix for signature-matching with IPv6 subnets (Vern Paxson). - Bug fix for connection compressor setting connection origin (Robin Sommer). - Bug fix for interconn.bro when processing peculiar connections (Vern Paxson). - Fix for off-by-one buffer in sscanf call (Christian Kreibich). - Fixed inefficiency/warning flagged by g++ (Vern Paxson). - Bug fix for NUL string termination in SMB processing (Zhichun Li). - Fix for over-ref'ing of file Val's (Vern Paxson). - Fixes for some g++ warnings (Christian Kreibich, Vern Paxson). - gcc 3.4.2 portability fixes (Robin Sommer). - Minor build fixes for Broccoli, including a version bump to match that of Bro. See aux/broccoli/ChangeLog for details. - distcheck fixes (Christian Kreibich). - Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi). - OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich). From jp.luiggi at free.fr Wed Jul 18 11:13:46 2007 From: jp.luiggi at free.fr (Jean-Philippe Luiggi) Date: Wed, 18 Jul 2007 14:13:46 -0400 Subject: [Bro] Release Note for OpenBSD Message-ID: <20070718181346.GA17416@armada.mynetwork.local> Hello all, I wanted to do it then I forgot... :-( We could add a note somewhere in the whole Bro's package and/or Wiki in order to specify adding the "libbind's package" (pkg_add libbind) before compiling Bro if we want to have the DNS non blocking features. Best regards, Jean-philippe. From ju at klipix.org Thu Jul 19 11:09:29 2007 
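An added example of the new script-level features described in the 1.3 changelog above (this is editor-written code, not part of the release notes or of the Bro distribution). It assumes the 1.3 script syntax as the changelog states it, plus the long-standing length() built-in for the size of a set; the host name www.example.com, the 10.x/192.0.2.x/198.51.100.x addresses and the four-byte string are placeholders constructed for the example.

```bro
# Added example, not part of the Bro 1.3 release notes or distribution.
# Exercises the 1.3 script features: set() constructor with an attribute,
# &priority on event handlers, ports of transport type "unknown",
# raw_bytes_to_v4_addr(), find_all() and lookup_hostname() inside "when".
# All addresses, host names and byte strings below are made up for the example.

# set() constructor with an attribute: entries expire 5 secs after last read.
global recently_seen: set[addr] = set(10.0.0.1) &read_expire = 5 secs;

# A port whose transport protocol is "unknown": the number is the IP protocol
# (47 is GRE, which is neither TCP, UDP nor ICMP).
global gre: port = 47/unknown;

# Higher priority runs first, so this handler prints before the one below.
event bro_init() &priority = 5
	{
	print fmt("%s is TCP? %s; unknown? %s", gre,
		get_port_transport_proto(gre) == tcp,
		get_port_transport_proto(gre) == unknown_transport);
	}

# Default priority 0, so this runs after the handler above.
event bro_init()
	{
	# raw_bytes_to_v4_addr(): first 4 bytes, network order; 0a 01 02 03 is 10.1.2.3
	local a = raw_bytes_to_v4_addr("\x0a\x01\x02\x03");
	add recently_seen[a];
	print fmt("decoded %s; tracking %d addresses", a, length(recently_seen));

	# find_all(): every match of the pattern, returned as an unordered string_set.
	local ips = find_all("peers: 192.0.2.10, 192.0.2.11 and 198.51.100.7",
				/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/);
	for ( s in ips )
		print fmt("matched %s", s);

	# lookup_hostname() resolves asynchronously and is only valid inside "when";
	# the timeout branch keeps the script from hanging on a dead resolver.
	when ( local addrs = lookup_hostname("www.example.com") )
		{
		for ( h in addrs )
			print fmt("www.example.com -> %s", h);
		}
	timeout 10 secs
		{
		print "DNS lookup for www.example.com timed out";
		}
	}
```

Save it as a .bro file and run it with `bro <file>`; the body of the `when` fires only once the resolver answers (or the timeout branch after 10 secs), which is why the lookup is placed last and nothing after it depends on its result.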
From: ju at klipix.org (Julien Desfossez) Date: Thu, 19 Jul 2007 14:09:29 -0400 Subject: [Bro] new_packet, BuildHeader and IPv6 Message-ID: <469FA8D9.1000400@klipix.org> Hello, I am working on the function NetSessions::BuildHeader and I have two questions: - This function is called in NetSessions::DoNextPacket just after a "if ( new_packet )" but this condition seems to be always false. Is there something to activate to make it work? - As NetSessions::BuildHeader takes as parameter "const struct ip* ip" I have two solutions to make it work with IPv6: copy this function and adapt it for IPv6 or change the prototype to: "NetSessions::BuildHeader(const IP_Hdr* hdr)". I have currently chosen the second option, but I'd like to hear what you think about that before I make too many changes. Thank you, Julien Desfossez From Stephan at rheoli.net Thu Jul 19 12:05:00 2007 
From: Stephan at rheoli.net (Stephan) Date: Thu, 19 Jul 2007 21:05:00 +0200 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <1184603352.1086.26.camel@strangepork> References: <200707060536.l665aHGw098656@jaguar.icir.org> <1183769759.29999.116.camel@strangepork> <20070710064225.GA8281@rheoli.net> <1184140289.32460.5.camel@strangepork> <20070713101839.GA15301@rheoli.net> <1184603352.1086.26.camel@strangepork> Message-ID: <20070719190500.GA23380@rheoli.net> Hi Christian, At the moment I'm testing only on a Sun SPARC64 with OpenBSD 4.1. Next week I can compile bro on a Solaris 8 with gcc 4.1.2. When I last compiled bro 1.1 on Solaris 8 I had no compile errors, as I remember. Best regards, Stephan On Mon, Jul 16, 2007 at 06:29:12PM +0200, Christian Kreibich wrote: > Hi Stephan, > > On Fri, 2007-07-13 at 12:18 +0200, Stephan wrote: > > Hi Christian > > > > I've compiled bro 1.2.20 and run the test again with the same > > bus error. At the moment I'm using a pcap file to run the > > test. > > Thanks. I'd like to try to reproduce the error, but I can't seem to get > a build on the sole Solaris box I have access to, which is a > "SunOS 5.9 Generic_122300-06 sun4u sparc SUNW,Sun-Fire-880 Solaris". > > I see two gccs on that box, 3.4.2 and 4.1.2. With both, I get clashes > between C header files and STL types, à la > > /usr/include/net/if.h:87: error: template argument required for `struct map' > > With gcc4, I also had to add -lstdc++ to LDFLAGS. Are there any > additional Solaris tricks one has to apply to work around these > problems, or did the build Just Work for you? What compiler are you > using? > > Cheers, > Christian > -- > ________________________________________________________________________ > http://www.icir.org/christian > http://www.whoop.org > From rreitz at fnal.gov Fri Jul 20 08:56:26 2007 
From: rreitz at fnal.gov (Randolph Reitz) Date: Fri, 20 Jul 2007 10:56:26 -0500 Subject: [Bro] BRO Workshop next week. Message-ID: <4C5C73EC-477A-4321-9224-AF3EDD8F0970@fnal.gov> I believe the BRO workshop will be at the San Diego Supercomputer Center. Is there a room number where Tim and I should be on Monday morning? Thanks, Randy Reitz From vern at icir.org Fri Jul 20 11:02:06 2007 From: vern at icir.org (Vern Paxson) Date: Fri, 20 Jul 2007 11:02:06 -0700 Subject: [Bro] new Bro CURRENT release (1.3.1) Message-ID: <200707201802.l6KI26hD063053@jaguar.icir.org> Bro release 1.3.1 is now available from: ftp://bro-ids.org/bro-1.X-current.tar.gz This version fixes three bugs found in the recent 1.3 release: 1.3.1 Thu Jul 19 09:39:33 PDT 2007 - Bug fix for dynamic protocol detection (Robin Sommer). - Bug fix for zip-encoded Web items (Robin Sommer). - Configuration fix for installation (Brian Tierney). Patch appended. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ diff -ru bro-1.3/CHANGES bro-1.3.1/CHANGES --- bro-1.3/CHANGES 2007-07-16 22:57:55.000000000 -0700 +++ bro-1.3.1/CHANGES 2007-07-20 09:15:37.000000000 -0700 @@ -1,7 +1,16 @@ -@(#) $Id: CHANGES 4638 2007-07-17 05:57:45Z vern $ +@(#) $Id: CHANGES 4653 2007-07-20 16:05:51Z vern $ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +1.3.1 Thu Jul 19 09:39:33 PDT 2007 + +- Bug fix for dynamic protocol detection (Robin Sommer). + +- Bug fix for zip-encoded Web items (Robin Sommer). + +- Configuration fix for installation (Brian Tierney). + + 1.3 Mon Jul 16 22:11:00 PDT 2007 - The Bro manual has been wikified at: diff -ru bro-1.3/scripts/bro_config.in bro-1.3.1/scripts/bro_config.in --- bro-1.3/scripts/bro_config.in 2006-11-28 09:51:59.000000000 -0800 +++ bro-1.3.1/scripts/bro_config.in 2007-07-20 09:15:35.000000000 -0700 
@@ -1,5 +1,5 @@ #!/bin/sh -# $Id: bro_config.in 3773 2006-11-03 16:37:50Z tierney $ +# $Id: bro_config.in 4652 2007-07-20 15:39:03Z tierney $ # # default install location for bro # We probably need to sync this with what was used for --prefix @@ -273,7 +273,7 @@ BRO_LOG_ARCHIVE="${BRO_LOG_ARCHIVE:-${BROHOME}/archive}" # Bro policy paths -BROPATH="${BROHOME}/site:${BROHOME}/policy" +BROPATH="${BROHOME}/site:${BROHOME}/policy:${BROHOME}/policy/sigs" export BROPATH # Filename of the Bro start policy. Must be located in one of the directories in \$BROPATH diff -ru bro-1.3/src/PIA.cc bro-1.3.1/src/PIA.cc --- bro-1.3/src/PIA.cc 2007-07-04 08:28:12.000000000 -0700 +++ bro-1.3.1/src/PIA.cc 2007-07-20 09:15:37.000000000 -0700 @@ -92,7 +92,8 @@ if ( pkt_buffer.state == INIT ) new_state = BUFFERING; - if ( pkt_buffer.state == BUFFERING && len > 0 ) + if ( (pkt_buffer.state == BUFFERING || new_state == BUFFERING) && + len > 0 ) { AddToBuffer(&pkt_buffer, seq, len, data, is_orig); if ( pkt_buffer.size > dpd_buffer_size ) @@ -199,7 +200,7 @@ new_state = BUFFERING; } - if ( stream_buffer.state == BUFFERING ) + if ( stream_buffer.state == BUFFERING || new_state == BUFFERING ) { AddToBuffer(&stream_buffer, len, data, is_orig); if ( stream_buffer.size > dpd_buffer_size ) diff -ru bro-1.3/src/ZIP.cc bro-1.3.1/src/ZIP.cc --- bro-1.3/src/ZIP.cc 2006-09-15 16:35:40.000000000 -0700 +++ bro-1.3.1/src/ZIP.cc 2007-07-20 09:15:36.000000000 -0700 
@@ -89,25 +89,28 @@ zip->avail_out = unzip_size; zip_status = inflate(zip, Z_SYNC_FLUSH); - if ( zip_status == Z_STREAM_END ) + if ( zip_status != Z_STREAM_END && + zip_status != Z_OK && + zip_status != Z_BUF_ERROR ) { + Weird("inflate_failed"); inflateEnd(zip); - delete zip; - zip = 0; break; } - if ( zip_status != Z_OK && zip_status != Z_BUF_ERROR ) + int have = unzip_size - zip->avail_out; + if ( have ) + ForwardStream(have, unzipbuf, IsOrig()); + + if ( zip_status == Z_STREAM_END ) { - Weird("inflate_failed"); inflateEnd(zip); + delete zip; + zip = 0; break; } - int have = unzip_size - zip->avail_out; - ForwardStream(have, unzipbuf, IsOrig()); zip_status = Z_OK; - } while ( zip->avail_out == 0 ); } diff -ru bro-1.3/VERSION bro-1.3.1/VERSION --- bro-1.3/VERSION 2007-07-16 23:00:41.000000000 -0700 +++ bro-1.3.1/VERSION 2007-07-20 09:15:37.000000000 -0700 @@ -1 +1 @@ -1.3 +1.3.1 From robin at icir.org Fri Jul 20 11:56:16 2007 From: robin at icir.org (Robin Sommer) Date: Fri, 20 Jul 2007 11:56:16 -0700 Subject: [Bro] new_packet, BuildHeader and IPv6 In-Reply-To: <469FA8D9.1000400@klipix.org> References: <469FA8D9.1000400@klipix.org> Message-ID: <20070720185616.GG24942@icir.org> On Thu, Jul 19, 2007 at 14:09 -0400, you wrote: > - This function is called in NetSessions::DoNextPacket just after a "if > ( new_packet )" but this condition seems to be always false. > Is there something to activate to make it work ? Yes, it's true if a script is loaded which contains an event handler for new_packet. > "NetSessions::BuildHeader(const IP_Hdr* hdr)". I'm not really familiar with the IPv6 code but this sounds right to me. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org From adayadil.thomas at gmail.com Fri Jul 20 13:55:59 2007 
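Review bot: in the two PIA.cc hunks of the 1.3.1 patch above, the packet path keeps its `len > 0` guard (`if ( (pkt_buffer.state == BUFFERING || new_state == BUFFERING) && len > 0 )`) while the stream path (`if ( stream_buffer.state == BUFFERING || new_state == BUFFERING )`) calls AddToBuffer() with no length check; either a zero-length add is harmless in both places, in which case the packet-path guard is dead, or the stream path needs the same guard. A one-line comment that `new_state` is tested so the very packet that moves the buffer from INIT to BUFFERING is itself buffered would also make the intent of the fix clear to the next reader, since the CHANGES entry only says "Bug fix for dynamic protocol detection".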
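Review bot: in the ZIP.cc hunk of the 1.3.1 patch above, the new error path (`Weird("inflate_failed"); inflateEnd(zip); break;`) leaves `zip` allocated and non-null, unlike the Z_STREAM_END path right below it, which does `delete zip; zip = 0;`; if the analyzer is handed more data after a failed inflate, the ended z_stream goes back into inflate() and inflateEnd() runs a second time. Delete and null the stream in the error path as well, or set a failed flag that the entry to this loop checks. Separately, nothing in the loop bounds the total inflated output, only the per-iteration `unzip_size` chunk, so a small but highly compressible response body drives as many iterations as it takes to drain it; a cap on bytes forwarded per item, reported as a Weird, would limit what a remote sender can make the analyzer do.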
From: adayadil.thomas at gmail.com (Adayadil Thomas) Date: Fri, 20 Jul 2007 16:55:59 -0400 Subject: [Bro] new Bro CURRENT release (1.3.1) In-Reply-To: <200707201802.l6KI26hD063053@jaguar.icir.org> References: <200707201802.l6KI26hD063053@jaguar.icir.org> Message-ID: Is there any paper or documentation on how the dynamic protocol detection works? Thanks On 7/20/07, Vern Paxson wrote: > Bro release 1.3.1 is now available from: > > ftp://bro-ids.org/bro-1.X-current.tar.gz > > This version fixes three bugs found in the recent 1.3 release: > > 1.3.1 Thu Jul 19 09:39:33 PDT 2007 > > - Bug fix for dynamic protocol detection (Robin Sommer). > > - Bug fix for zip-encoded Web items (Robin Sommer). > > - Configuration fix for installation (Brian Tierney). > > Patch appended. > > Vern > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > diff -ru bro-1.3/CHANGES bro-1.3.1/CHANGES > --- bro-1.3/CHANGES 2007-07-16 22:57:55.000000000 -0700 > +++ bro-1.3.1/CHANGES 2007-07-20 09:15:37.000000000 -0700 > @@ -1,7 +1,16 @@ > -@(#) $Id: CHANGES 4638 2007-07-17 05:57:45Z vern $ > +@(#) $Id: CHANGES 4653 2007-07-20 16:05:51Z vern $ > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > +1.3.1 Thu Jul 19 09:39:33 PDT 2007 > + > +- Bug fix for dynamic protocol detection (Robin Sommer). > + > +- Bug fix for zip-encoded Web items (Robin Sommer). > + > +- Configuration fix for installation (Brian Tierney). > + > + > 1.3 Mon Jul 16 22:11:00 PDT 2007 > > - The Bro manual has been wikified at: > diff -ru bro-1.3/scripts/bro_config.in bro-1.3.1/scripts/bro_config.in > --- bro-1.3/scripts/bro_config.in 2006-11-28 09:51:59.000000000 -0800 > +++ bro-1.3.1/scripts/bro_config.in 2007-07-20 09:15:35.000000000 -0700 
> @@ -1,5 +1,5 @@ > #!/bin/sh > -# $Id: bro_config.in 3773 2006-11-03 16:37:50Z tierney $ > +# $Id: bro_config.in 4652 2007-07-20 15:39:03Z tierney $ > # > # default install location for bro > # We probably need to sync this with what was used for --prefix > @@ -273,7 +273,7 @@ > BRO_LOG_ARCHIVE="${BRO_LOG_ARCHIVE:-${BROHOME}/archive}" > > # Bro policy paths > -BROPATH="${BROHOME}/site:${BROHOME}/policy" > +BROPATH="${BROHOME}/site:${BROHOME}/policy:${BROHOME}/policy/sigs" > export BROPATH > > # Filename of the Bro start policy. Must be located in one of the directories in \$BROPATH > diff -ru bro-1.3/src/PIA.cc bro-1.3.1/src/PIA.cc > --- bro-1.3/src/PIA.cc 2007-07-04 08:28:12.000000000 -0700 > +++ bro-1.3.1/src/PIA.cc 2007-07-20 09:15:37.000000000 -0700 > @@ -92,7 +92,8 @@ > if ( pkt_buffer.state == INIT ) > new_state = BUFFERING; > > - if ( pkt_buffer.state == BUFFERING && len > 0 ) > + if ( (pkt_buffer.state == BUFFERING || new_state == BUFFERING) && > + len > 0 ) > { > AddToBuffer(&pkt_buffer, seq, len, data, is_orig); > if ( pkt_buffer.size > dpd_buffer_size ) > @@ -199,7 +200,7 @@ > new_state = BUFFERING; > } > > - if ( stream_buffer.state == BUFFERING ) > + if ( stream_buffer.state == BUFFERING || new_state == BUFFERING ) > { > AddToBuffer(&stream_buffer, len, data, is_orig); > if ( stream_buffer.size > dpd_buffer_size ) > diff -ru bro-1.3/src/ZIP.cc bro-1.3.1/src/ZIP.cc > --- bro-1.3/src/ZIP.cc 2006-09-15 16:35:40.000000000 -0700 > +++ bro-1.3.1/src/ZIP.cc 2007-07-20 09:15:36.000000000 -0700 
> @@ -89,25 +89,28 @@ > zip->avail_out = unzip_size; > zip_status = inflate(zip, Z_SYNC_FLUSH); > > - if ( zip_status == Z_STREAM_END ) > + if ( zip_status != Z_STREAM_END && > + zip_status != Z_OK && > + zip_status != Z_BUF_ERROR ) > { > + Weird("inflate_failed"); > inflateEnd(zip); > - delete zip; > - zip = 0; > break; > } > > - if ( zip_status != Z_OK && zip_status != Z_BUF_ERROR ) > + int have = unzip_size - zip->avail_out; > + if ( have ) > + ForwardStream(have, unzipbuf, IsOrig()); > + > + if ( zip_status == Z_STREAM_END ) > { > - Weird("inflate_failed"); > inflateEnd(zip); > + delete zip; > + zip = 0; > break; > } > > - int have = unzip_size - zip->avail_out; > - ForwardStream(have, unzipbuf, IsOrig()); > zip_status = Z_OK; > - > } > while ( zip->avail_out == 0 ); > } > diff -ru bro-1.3/VERSION bro-1.3.1/VERSION > --- bro-1.3/VERSION 2007-07-16 23:00:41.000000000 -0700 > +++ bro-1.3.1/VERSION 2007-07-20 09:15:37.000000000 -0700 > @@ -1 +1 @@ > -1.3 > +1.3.1 > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > From vern at icir.org Fri Jul 20 13:59:21 2007 From: vern at icir.org (Vern Paxson) Date: Fri, 20 Jul 2007 13:59:21 -0700 Subject: [Bro] new Bro CURRENT release (1.3.1) In-Reply-To: (Fri, 20 Jul 2007 16:55:59 EDT). Message-ID: <200707202059.l6KKxLEA079250@jaguar.icir.org> > Is there any paper or documentation on how the dynamic protocol detection works? There's a paper at http://www.icir.org/robin/papers/usenix06/ <- HTML http://www.icir.org/robin/papers/usenix06.pdf - Vern From robin at icir.org Fri Jul 20 20:41:57 2007 
From: robin at icir.org (Robin Sommer) Date: Fri, 20 Jul 2007 20:41:57 -0700 Subject: [Bro] new Bro CURRENT release (1.3.1) In-Reply-To: <200707202059.l6KKxLEA079250@jaguar.icir.org> References: <200707202059.l6KKxLEA079250@jaguar.icir.org> Message-ID: <20070721034157.GE27513@icir.org> On Fri, Jul 20, 2007 at 13:59 -0700, Vern Paxson wrote: > There's a paper at .. and there's also some documentation on usage in the Wiki. Robin -- Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org From Stephan at rheoli.net Mon Jul 23 03:30:32 2007 From: Stephan at rheoli.net (Stephan) Date: Mon, 23 Jul 2007 12:30:32 +0200 Subject: [Bro] Bro 1.3 available for pre-testing (esp. OpenBSD) In-Reply-To: <1184603352.1086.26.camel@strangepork> References: <200707060536.l665aHGw098656@jaguar.icir.org> <1183769759.29999.116.camel@strangepork> <20070710064225.GA8281@rheoli.net> <1184140289.32460.5.camel@strangepork> <20070713101839.GA15301@rheoli.net> <1184603352.1086.26.camel@strangepork> Message-ID: <20070723103032.GA1019@rheoli.net> Hi Christian Had the same problem with Solaris 8 and gcc 4.1.2. Solved this by commenting out the #include: ------------ --- src/ARP.h.orig 2007-07-23 10:52:13.107942000 +0200 +++ src/ARP.h 2007-07-23 10:52:23.717930000 +0200 
@@ -26,7 +26,7 @@ #include #include #include -#include +//#include #include #ifdef HAVE_NET_ETHERNET_H #include
------------

GDB output from Solaris 8 backtrace:

------------
Program received signal SIGSEGV, Segmentation fault.
0x00018e5c in TransientID (this=0xa48d8c) at SerialObj.h:56
56      SerialObj.h: No such file or directory.
        in SerialObj.h
(gdb) bt
#0  0x00018e5c in TransientID (this=0xa48d8c) at SerialObj.h:56
#1  0x000702e0 in Connection (this=0xa48d7c, s=0xa47620, k=0x4336e8, t=1165532761.666986, id=0xffbef220) at Conn.cc:152
#2  0x0021962c in NetSessions::NewConn (this=0xa47620, k=0x4336e8, t=1165532761.666986, id=0xffbef220, data=0xa4700c "\215?", proto=6) at Sessions.cc:1110
#3  0x00077f94 in ConnCompressor::Instantiate (this=0xa30718, t=1165532761.666986, key=0x4336e8, ip=0xffbef560) at ConnCompressor.cc:504
#4  0x00078d3c in ConnCompressor::FirstFromOrig (this=0xa30718, t=1165532761.666986, key=0x4336e8, ip=0xffbef560, tp=0xa4700c) at ConnCompressor.cc:225
#5  0x000796a8 in ConnCompressor::NextPacket (this=0xa30718, t=1165532761.666986, key=0x4336e8, ip=0xffbef560, hdr=0xa44b40, pkt=0xa46fea "") at ConnCompressor.cc:188
#6  0x0021c42c in NetSessions::DoNextPacket (this=0xa47620, t=1165532761.666986, hdr=0xa44b40, ip_hdr=0xffbef560, pkt=0xa46fea "", hdr_size=14) at Sessions.cc:544
#7  0x0021cddc in NetSessions::NextPacket (this=0xa47620, t=1165532761.666986, hdr=0xa44b40, pkt=0xa46fea "", hdr_size=14, pkt_elem=0x0) at Sessions.cc:294
#8  0x0021d21c in NetSessions::DispatchPacket (this=0xa47620, t=1165532761.666986, hdr=0xa44b40, pkt=0xa46fea "", hdr_size=14, src_ps=0xa44b08, pkt_elem=0x0) at Sessions.cc:246
#9  0x00190dfc in net_packet_dispatch (t=1165532761.666986, hdr=0xa44b40, pkt=0xa46fea "", hdr_size=14, src_ps=0xa44b08, pkt_elem=0x0) at Net.cc:402
#10 0x001916f0 in net_packet_arrival (t=1165532761.666986, hdr=0xa44b40, pkt=0xa46fea "", hdr_size=14, src_ps=0xa44b08) at Net.cc:464
#11 0x001ae388 in PktSrc::Process (this=0xa44b08) at PktSrc.cc:216
#12 0x00191210 in net_run () at Net.cc:491
#13 0x00018998 in main (argc=4, argv=0xffbefca4) at main.cc:1009
(gdb)
------------

Best regards,
Stephan

On Mon, Jul 16, 2007 at 06:29:12PM +0200, Christian Kreibich wrote:
> Hi Stephan,
> 
> On Fri, 2007-07-13 at 12:18 +0200, Stephan wrote:
> > Hi Christian
> > 
> > I've compiled bro 1.2.20 and run the test again with the same
> > bus error. At the moment I'm using a pcap file to run the
> > test.
> 
> Thanks. I'd like to try to reproduce the error, but I can't seem to get
> a build on the sole Solaris box I have access to, which is a
> "SunOS 5.9 Generic_122300-06 sun4u sparc SUNW,Sun-Fire-880 Solaris".
> 
> I see two gccs on that box, 3.4.2 and 4.1.2. With both, I get clashes
> between C header files and STL types, à la
> 
> /usr/include/net/if.h:87: error: template argument required for `struct map'
> 
> With gcc4, I also had to add -lstdc++ to LDFLAGS. Are there any
> additional Solaris tricks one has to apply to work around these
> problems, or did the build Just Work for you? What compiler are you
> using?
> 
> Cheers,
> Christian
> -- 
> ________________________________________________________________________
> http://www.icir.org/christian
> http://www.whoop.org
> 

From jmzhou.ml at gmail.com Wed Jul 25 22:19:33 2007
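Review bot: the src/ARP.h hunk above comments out one #include unconditionally (the header's name did not survive in this archive), which drops that header on every platform to cure a Solaris 8 / gcc 4.1.2 clash; the same file already guards another include with `#ifdef HAVE_NET_ETHERNET_H`, so the portable fix is a configure check plus a matching #ifdef around this include rather than removing it for everyone.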
From: jmzhou.ml at gmail.com (jmzhou.ml at gmail.com)
Date: Wed, 25 Jul 2007 22:19:33 -0700 (PDT)
Subject: [Bro] rpc decoder possible double-free problem
Message-ID: 

Hi,

I notice that in ~RPC_Reply, there is a statement "delete call_;". However,
this call_ is instantiated by calling
t_context->connection()->FindCall(msg()->xid()). This means that it is not
"new"ed. This call_ is supposedly deleted in ~RPC_Message. Thus, there is a
potential double-free here.

The root cause is that binpac generates the "delete call_" for the &let
field. This is incorrect behavior. However, I haven't figured out how to
fix it in binpac.

A quick fix to this problem is to modify rpc-protocol.pac:RPC_Reply,
replacing RPC_AcceptedReply(call) and RPC_RejectedReply(call) with:

    RPC_AcceptedReply($context.conn.FindCall(msg.xid))
    RPC_RejectedReply($context.conn.FindCall(msg.xid))

Cheers,
Jimmy

____________________________________________________________
The future is not set. There is no fate but what we make for ourselves.
                                        - Terminator II, Judgment Day
------------------------------------------------------------

From geek00l at gmail.com Thu Jul 26 05:12:18 2007
From: geek00l at gmail.com (CS Lee)
Date: Thu, 26 Jul 2007 20:12:18 +0800
Subject: [Bro] GeoIP
Message-ID: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>

Hi all,

I have followed the steps here -
http://www.bro-ids.org/wiki/index.php/GeoLocation but when I configure
bro-1.3, I have this -

Bro Configuration Summary
==========================================================

  - Debugging enabled:       no
  - OpenSSL support:         yes
  - Non-blocking main loop:  yes
  - Non-blocking resolver:   yes
  - Installation prefix:     /usr/local/stow/bro-1.3-GEOIP
  - Perl interpreter:        /usr/local/bin/perl5
  - Using basic_string:      yes
  - Using libmagic:          Yes
  - Using libclamav:         No
  - Binpac used:             shipped with Bro
  - Using libGeoIP:          No
  - Pcap used:               system-provided

How can I force it to enable GeoIP support?

Thanks.

-- 
Best Regards,

CS Lee

From jp.luiggi at free.fr Thu Jul 26 06:50:45 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Thu, 26 Jul 2007 09:50:45 -0400
Subject: [Bro] GeoIP
In-Reply-To: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
Message-ID: <20070726135045.GA31358@armada.mynetwork.local>

Hello all,

The "./configure" tries to find specific files.

====
checking GeoIPCity.h usability... yes
checking GeoIPCity.h presence... yes
checking for GeoIPCity.h... yes
checking for GeoIP_open_type in -lGeoIP... yes
====

Here are the packages I installed on a Debian box:

====
mygw:/var/download/bro-1.3.1# dpkg -l | grep -i geoip
ii  libgeoip-dev   1.3.17-1.1   Development files for the GeoIP library
ii  libgeoip1      1.3.17-1.1   A non-DNS IP-to-country resolver library
====

So, first question: what's your operating system?

Best regards,

Jean-philippe.

Thu, Jul 26, 2007 at 08:12:18PM +0800, CS Lee wrote:
> Hi all,
> 
> I have followed the steps here -
> http://www.bro-ids.org/wiki/index.php/GeoLocation but when I configure
> bro-1.3, I have this -
> 
> Bro Configuration Summary
> ==========================================================
> 
>   - Debugging enabled:       no
>   - OpenSSL support:         yes
>   - Non-blocking main loop:  yes
>   - Non-blocking resolver:   yes
>   - Installation prefix:     /usr/local/stow/bro-1.3-GEOIP
>   - Perl interpreter:        /usr/local/bin/perl5
>   - Using basic_string:      yes
>   - Using libmagic:          Yes
>   - Using libclamav:         No
>   - Binpac used:             shipped with Bro
>   - Using libGeoIP:          No
>   - Pcap used:               system-provided
> 
> How can I force it to enable GeoIP support.
> 
> Thanks.
> 
> -- 
> Best Regards,
> 
> CS Lee

From seth at net.ohio-state.edu Thu Jul 26 07:31:33 2007
From: seth at net.ohio-state.edu (Seth Hall)
Date: Thu, 26 Jul 2007 10:31:33 -0400
Subject: [Bro] GeoIP
In-Reply-To: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
Message-ID: 

On Jul 26, 2007, at 8:12 AM, CS Lee wrote:

> I have followed the steps here - http://www.bro-ids.org/wiki/
> index.php/GeoLocation but when I configure bro-1.3, I have this -

> How can I force it to enable GeoIP support.

If you installed the package/port under FreeBSD, just make sure your
CFLAGS and LDFLAGS variables have the correct include and lib paths. For
example with bash..

export CFLAGS=-I/usr/local/include
export LDFLAGS=-L/usr/local/lib

I'll add it to the wiki now too.

  .Seth

From pauls at utdallas.edu Thu Jul 26 07:37:07 2007
From: pauls at utdallas.edu (Paul Schmehl)
Date: Thu, 26 Jul 2007 09:37:07 -0500
Subject: [Bro] GeoIP
In-Reply-To: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
Message-ID: <0D6A2FEC664FE5A98C3C3782@utd59514.utdallas.edu>

--On Thursday, July 26, 2007 20:12:18 +0800 CS Lee wrote:

> Hi all,
> 
> I have followed the steps here -
> http://www.bro-ids.org/wiki/index.php/GeoLocation but when I configure
> bro-1.3, I have this -
> 
> Bro Configuration Summary
> ==========================================================
> 
>   - Debugging enabled:       no
>   - OpenSSL support:         yes
>   - Non-blocking main loop:  yes
>   - Non-blocking resolver:   yes
>   - Installation prefix:     /usr/local/stow/bro-1.3-GEOIP
>   - Perl interpreter:        /usr/local/bin/perl5
>   - Using basic_string:      yes
>   - Using libmagic:          Yes
>   - Using libclamav:         No
>   - Binpac used:             shipped with Bro
>   - Using libGeoIP:          No
>   - Pcap used:               system-provided
> 
> How can I force it to enable GeoIP support.
> 

Is geoip installed? (net/geoip in ports.)

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

From geek00l at gmail.com Thu Jul 26 08:41:27 2007
From: geek00l at gmail.com (CS Lee)
Date: Thu, 26 Jul 2007 23:41:27 +0800
Subject: [Bro] GeoIP
In-Reply-To: <0D6A2FEC664FE5A98C3C3782@utd59514.utdallas.edu>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
	<0D6A2FEC664FE5A98C3C3782@utd59514.utdallas.edu>
Message-ID: <1bb5dd90707260841h61da62b6p5e590a0ecc292d2d@mail.gmail.com>

Hi all,

Thanks for the quick reply. I have GeoIP installed via the FreeBSD port;
now trying the solution mentioned.

Cheers ;)

-- 
Best Regards,

CS Lee

From geek00l at gmail.com Thu Jul 26 20:46:27 2007
From: geek00l at gmail.com (CS Lee)
Date: Fri, 27 Jul 2007 11:46:27 +0800
Subject: [Bro] GeoIP
In-Reply-To: 
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
Message-ID: <1bb5dd90707262046o4e0f354eyd682b3bb06afdaff@mail.gmail.com>

Seth,

If I export the variables, I have a problem with FileAnalyzer; just to let
you know that I don't have any problem compiling without GeoIP at all.

source='FileAnalyzer.cc' object='FileAnalyzer.o' libtool=no \
	depfile='.deps/FileAnalyzer.Po' tmpdepfile='.deps/FileAnalyzer.TPo' \
	depmode=gcc3 /usr/local/bin/bash ../depcomp \
	g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -O -I/usr/local/include -W -Wall -Wno-unused -g -O2 -c -o FileAnalyzer.o `test -f 'FileAnalyzer.cc' || echo './'`FileAnalyzer.cc
FileAnalyzer.cc: In member function `void File_Analyzer::Identify()':
FileAnalyzer.cc:80: error: `cl_scanbuff' was not declared in this scope
FileAnalyzer.cc: In static member function `static void File_Analyzer::InitClamAV()':
FileAnalyzer.cc:113: error: `cl_loaddbdir' was not declared in this scope
gmake[3]: *** [FileAnalyzer.o] Error 1
gmake[3]: Leaving directory `/usr/i-Apps/bro-1.3.1/src'
gmake[2]: *** [all] Error 2

Thanks.

On 7/26/07, Seth Hall wrote:
>
> On Jul 26, 2007, at 8:12 AM, CS Lee wrote:
>
> > I have followed the steps here - http://www.bro-ids.org/wiki/
> > index.php/GeoLocation but when I configure bro-1.3, I have this -
>
> > How can I force it to enable GeoIP support.
>
> If you installed the package/port under freebsd, just make sure your
> CFLAGS and LDFLAGS variables have correct include and lib paths. For
> example with bash..
>
> export CFLAGS=-I/usr/local/include
> export LDFLAGS=-L/usr/local/lib
>
> I'll add it to the wiki now too.
>
>   .Seth
>

-- 
Best Regards,

CS Lee

From tarupp at fnal.gov Thu Jul 26 22:02:35 2007
From: tarupp at fnal.gov (Tim Rupp)
Date: Fri, 27 Jul 2007 00:02:35 -0500
Subject: [Bro] GeoIP
In-Reply-To: <1bb5dd90707262046o4e0f354eyd682b3bb06afdaff@mail.gmail.com>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
	<1bb5dd90707262046o4e0f354eyd682b3bb06afdaff@mail.gmail.com>
Message-ID: <46A97C6B.5000106@fnal.gov>

This is the same problem I had when installing with the clamAV libs on
Ubuntu 7.04. The solution was to remove the libclamav development
libraries.

-Tim

CS Lee wrote:
> Seth,
> 
> If i export the variables, I have problem with FileAnalyzer, just to let
> you know that I don't have problem compiling without GeoIP at all.
> 
> source='FileAnalyzer.cc' object='FileAnalyzer.o' libtool=no \
>         depfile='.deps/FileAnalyzer.Po' tmpdepfile='.deps/FileAnalyzer.TPo' \
>         depmode=gcc3 /usr/local/bin/bash ../depcomp \
>         g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib
> -I../src -I. -I.. -Ilibedit -O -I/usr/local/include -W -Wall
> -Wno-unused -g -O2 -c -o FileAnalyzer.o `test -f 'FileAnalyzer.cc' ||
> echo './'`FileAnalyzer.cc
> FileAnalyzer.cc: In member function `void File_Analyzer::Identify()':
> FileAnalyzer.cc:80: error: `cl_scanbuff' was not declared in this scope
> FileAnalyzer.cc: In static member function `static void
> File_Analyzer::InitClamAV()':
> FileAnalyzer.cc:113: error: `cl_loaddbdir' was not declared in this scope
> gmake[3]: *** [FileAnalyzer.o] Error 1
> gmake[3]: Leaving directory `/usr/i-Apps/bro-1.3.1/src'
> gmake[2]: *** [all] Error 2
> 
> Thanks.

From robin at icir.org Thu Jul 26 23:12:29 2007
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Jul 2007 23:12:29 -0700
Subject: [Bro] Workshop material online
Message-ID: <20070727061218.GA20641@icir.org>

This week we had the first Bro Hands-On Workshop at the San Diego
Supercomputer Center. The workshop's web page now contains all the
material we used (slides and exercises with templates and solutions):

	http://www.bro-ids.org/bro-workshop-2007/agenda.html

As this material actually makes some nice, up-to-date documentation, it's
also available in the Wiki at:

	http://www.bro-ids.org/wiki/index.php/WorkshopMaterial

Thanks to everybody who attended the workshop! (Some slides have been
slightly updated, so those who were there might want to update their
local copies.)

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From geek00l at gmail.com Fri Jul 27 18:18:57 2007
From: geek00l at gmail.com (CS Lee)
Date: Sat, 28 Jul 2007 09:18:57 +0800
Subject: [Bro] GeoIP
In-Reply-To: <46A97C6B.5000106@fnal.gov>
References: <1bb5dd90707260512q33e1973bg37c19d83536fad94@mail.gmail.com>
	<1bb5dd90707262046o4e0f354eyd682b3bb06afdaff@mail.gmail.com>
	<46A97C6B.5000106@fnal.gov>
Message-ID: <1bb5dd90707271818s1759c9f7p603d31800c10ebd7@mail.gmail.com>

Hi Tim,

Thanks, the problem goes away after I remove clamav.

On 7/27/07, Tim Rupp wrote:
>
> This is the same problem I had when installing with the clamAV libs on
> Ubuntu 7.04. The solution was to remove the libclamav development
> libraries.
>
> -Tim
>

-- 
Best Regards,

CS Lee

From vern at icir.org Sat Jul 28 20:55:02 2007
From: vern at icir.org (Vern Paxson)
Date: Sat, 28 Jul 2007 20:55:02 -0700
Subject: [Bro] new Bro CURRENT release (1.3.2)
Message-ID: <200707290355.l6T3t26N016638@jaguar.icir.org>

Bro release 1.3.2 is now available from:

	ftp://bro-ids.org/bro-1.X-current.tar.gz

This version fixes three bugs in the recent 1.3.1 release:

1.3.2 Tue Jul 24 13:36:27 PDT 2007

- Bug fix for files being closed prior to bro_done() (Vern Paxson).

- aux/broccoli/contrib was not included in distribution (Robin Sommer).

- Auto-configuration bug fix for BinPAC (Craig Leres).

Patch appended.

		Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

diff -ru bro-1.3.1/CHANGES bro-1.3.2/CHANGES
--- bro-1.3.1/CHANGES	Fri Jul 20 09:15:37 2007
+++ bro-1.3.2/CHANGES	Sat Jul 28 18:03:59 2007
@@ -1,6 +1,15 @@ -@(#) $Id: CHANGES 4653 2007-07-20 16:05:51Z vern $ +@(#) $Id: CHANGES 4663 2007-07-28 00:37:28Z vern $ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +1.3.2 Tue Jul 24 13:36:27 PDT 2007 + +- Bug fix for files being closed prior to bro_done() (Vern Paxson). + +- aux/broccoli/contrib was not included in distribution (Robin Sommer). + +- Auto-configuration bug fix for BinPAC (Craig Leres). + 1.3.1 Thu Jul 19 09:39:33 PDT 2007 diff -ru bro-1.3.1/VERSION bro-1.3.2/VERSION --- bro-1.3.1/VERSION Fri Jul 20 09:15:37 2007 +++ bro-1.3.2/VERSION Sat Jul 28 18:03:59 2007 @@ -1 +1 @@ -1.3.1 +1.3.2 diff -ru bro-1.3.1/aux/broccoli/Makefile.am bro-1.3.2/aux/broccoli/Makefile.am --- bro-1.3.1/aux/broccoli/Makefile.am Thu Jul 5 23:04:22 2007 +++ bro-1.3.2/aux/broccoli/Makefile.am Sat Jul 28 18:03:59 2007 @@ -15,4 +15,4 @@ dist_sysconf_DATA = broccoli.conf EXTRA_DIST = README AUTHORS COPYING VERSION depcomp ylwrap shtool \ - compat/sys/queue.h test/dummysensor.c broccoli.spec + compat/sys/queue.h test/dummysensor.c broccoli.spec contrib diff -ru bro-1.3.1/aux/broccoli/Makefile.in bro-1.3.2/aux/broccoli/Makefile.in --- bro-1.3.1/aux/broccoli/Makefile.in Fri Jul 20 09:16:40 2007 +++ bro-1.3.2/aux/broccoli/Makefile.in Sat Jul 28 18:05:28 2007 @@ -124,7 +124,7 @@ dist_sysconf_DATA = broccoli.conf EXTRA_DIST = README AUTHORS COPYING VERSION depcomp ylwrap shtool \ - compat/sys/queue.h test/dummysensor.c broccoli.spec + compat/sys/queue.h test/dummysensor.c broccoli.spec contrib subdir = . ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 Only in bro-1.3.2/aux/broccoli: contrib diff -ru bro-1.3.1/configure bro-1.3.2/configure --- bro-1.3.1/configure Fri Jul 20 09:16:24 2007 +++ bro-1.3.2/configure Sat Jul 28 18:05:13 2007 @@ -1671,7 +1671,7 @@ # Define the identity of the package. PACKAGE=bro - VERSION=1.3.1 + VERSION=1.3.2 cat >>confdefs.h <<_ACEOF 
@@ -9146,7 +9146,7 @@ fi -if test "$BINPAC" == ""; then +if test "$BINPAC" = ""; then subdirs="$subdirs aux/binpac" diff -ru bro-1.3.1/configure.in bro-1.3.2/configure.in --- bro-1.3.1/configure.in Sat Jul 14 23:09:11 2007 +++ bro-1.3.2/configure.in Sat Jul 28 18:03:59 2007 @@ -1,4 +1,4 @@ -dnl @(#) $Id: configure.in 4628 2007-07-15 06:09:04Z vern $ (LBL) +dnl @(#) $Id: configure.in 4663 2007-07-28 00:37:28Z vern $ (LBL) dnl dnl Copyright (c) 1997, 1998, 2001, 2002 dnl The Regents of the University of California. All rights reserved. @@ -483,7 +483,7 @@ dnl # build, unless the user selected another binpac dnl # via --with-binpac=. dnl ################################################ -if test "$BINPAC" == ""; then +if test "$BINPAC" = ""; then AC_CONFIG_SUBDIRS(aux/binpac) BINPAC="\${top_builddir}/aux/binpac/src/binpac" binpacmsg="shipped with Bro" diff -ru bro-1.3.1/src/main.cc bro-1.3.2/src/main.cc --- bro-1.3.1/src/main.cc Thu Jul 5 23:04:17 2007 +++ bro-1.3.2/src/main.cc Sat Jul 28 18:03:57 2007 @@ -1,4 +1,4 @@ -// $Id: main.cc 4613 2007-07-06 04:16:51Z vern $ +// $Id: main.cc 4657 2007-07-24 20:37:07Z vern $ // // Copyright (c) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 // The Regents of the University of California. All rights reserved. @@ -281,12 +281,12 @@ done_with_network(); net_delete(); + terminate_bro(); + // Close files after net_delete(), because net_delete() // might write to connection content files. BroFile::CloseCachedFiles(); - terminate_bro(); - delete rule_matcher; exit(0); @@ -1010,11 +1010,11 @@ done_with_network(); net_delete(); + terminate_bro(); + // Close files after net_delete(), because net_delete() // might write to connection content files. BroFile::CloseCachedFiles(); - - terminate_bro(); #ifdef USE_MPATROL fputs( "Stopping mpatrol logging...", stderr ); diff -ru bro-1.3.1/src/version.c bro-1.3.2/src/version.c --- bro-1.3.1/src/version.c Fri Jul 20 09:26:58 2007 +++ bro-1.3.2/src/version.c Sat Jul 28 18:17:08 2007 
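Review bot: the two src/main.cc hunks above move terminate_bro() ahead of BroFile::CloseCachedFiles(), but the comment they leave in place ("Close files after net_delete(), because net_delete() might write to connection content files") now under-documents the required order: per the CHANGES entry the bug was files being closed prior to bro_done(), i.e. the bro_done() handlers run from terminate_bro() must also be able to write before the cached files go away, so extend the comment to say CloseCachedFiles() has to follow both net_delete() and terminate_bro(). The same three-call shutdown sequence is duplicated at the two sites (around lines 281 and 1010); factoring it into one helper would keep the order from drifting apart again.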
@@ -1 +1 @@ -char version[] = "1.3.1"; +char version[] = "1.3.2";

From vern at icir.org Sat Jul 28 22:13:12 2007
From: vern at icir.org (Vern Paxson)
Date: Sat, 28 Jul 2007 22:13:12 -0700
Subject: [Bro] new_packet, BuildHeader and IPv6
In-Reply-To: <469FA8D9.1000400@klipix.org> (Thu, 19 Jul 2007 14:09:29 EDT).
Message-ID: <200707290513.l6T5DCsp017656@jaguar.icir.org>

> - This function is called in NetSessions::DoNextPacket just after a "if
> ( new_packet )" but this condition seems to be always false.
> Is there something to activate to make it work ?

As Robin mentioned, if you define a "new_packet" event handler in your
policy script, then the variable will be assigned a non-null value and the
test will succeed.

> - As NetSessions::BuildHeader takes in parameter "const struct ip* ip" I
> have two solutions to make it work with IPv6 : copy this function and
> adapt it for IPv6 or change the prototype to :
> "NetSessions::BuildHeader(const IP_Hdr* hdr)".
> I have currently chosen the second option, but I'd like to hear what you
> think about that before I make too many changes.

That's a reasonable approach. Currently, the new_packet event takes a
pkt_hdr record, which is currently defined to hold an ip_hdr record. I
think the cleanest approach would be to modify pkt_hdr to take either an
ip_hdr record *or* an ip6_hdr record (which you would need to define); you
can make both &optional, establishing a convention that at most one of them
is set for any given packet.

		Vern

From jp.luiggi at free.fr Fri Jul 27 13:52:43 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Fri, 27 Jul 2007 16:52:43 -0400
Subject: [Bro] Format of log file
Message-ID: <20070727205243.GA9483@armada.mynetwork.local>

Hello,

Just a simple question: why do we have some files which start with
t= ("alarm/notice") and others with just ("arp/conn")?

I ask this because I'm writing a little script and it'll be easier to
only have one format. :-)

Best regards,

Jean-philippe.

From jp.luiggi at free.fr Mon Jul 30 07:43:23 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 30 Jul 2007 10:43:23 -0400
Subject: [Bro] Format of log file
Message-ID: <20070730144323.GA10937@armada.mynetwork.local>

Hello,

I have a little question: why do some files (log) start with t=,
example: alarm/notice, and others with just , example: arp/conn?

I ask this because I'm writing a little script and it'll be easier to
only have one format. :-)

Another thing: I'm thinking about adding one more parameter in bro.cfg; we
may use it to specify if we want the log's time in epoch time or 'normal'
time. What do you think about this?

Best regards,

Jean-philippe.

From vern at icir.org Mon Jul 30 08:58:38 2007
From: vern at icir.org (Vern Paxson)
Date: Mon, 30 Jul 2007 08:58:38 -0700
Subject: [Bro] Format of log file
In-Reply-To: <20070730144323.GA10937@armada.mynetwork.local> (Mon, 30 Jul 2007 10:43:23 EDT).
Message-ID: <200707301558.l6UFwcbR049569@jaguar.icir.org>

> I have a little question: why do some files (log) start with
> t=, example: alarm/notice, and others with just ,
> example: arp/conn?

Historically each file has used a fixed-column format, without tags to
indicate the meaning of the columns. We've started migrating to tags for
just the reason you cite, to make it easier to write back-end parsers.
However, this effort is not complete.

> I ask this because I'm writing a little script and it'll
> be easier to only have one format. :-)

In the interim you might consider writing helper scripts that will
translate the different log files into a tagged format.

> Another thing: I'm thinking about adding one more parameter in bro.cfg; we
> may use it to specify if we want the log's time in epoch time or 'normal'
> time.

By normal time do you mean human-readable timestamps? If so, you can achieve
that using the "cf" tool in aux/cf - except it presently expects timestamps
to start at the beginning of each line, so you'd need to extend it to know
about t=. (If you do, please send us a patch for the addition.)

		Vern

From robin at icir.org Mon Jul 30 09:16:06 2007
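An added example, not the cf tool and not code from the Bro project: a small Python filter that does what Vern describes, rewriting the leading epoch timestamp whether it stands bare at the start of the line (arp/conn style) or arrives as the t=<epoch> tag (notice/alarm with use_tagging=T), and passing other lines through untouched. The sample log lines are constructed for illustration, and the ISO-8601 output form is this example's choice, not cf's.

```python
#!/usr/bin/env python3
"""Filter Bro logs, turning the leading epoch timestamp into human-readable
form.  Added example for this thread; it is not aux/cf and not Bro code.

Handles both line shapes discussed in the thread:
  - fixed-column files (arp, conn, ...): the timestamp is the first token
  - tagged notice/alarm files (use_tagging=T): the line starts with t=<epoch>
"""
import re
import sys
from datetime import datetime, timezone

# Bro writes timestamps as seconds since the epoch with a fractional part,
# e.g. 1185811118.491370.  Require 9-10 integer digits so that an ordinary
# small counter at the start of a line is not mistaken for a timestamp.
_EPOCH = r"(?P<ts>\d{9,10}(?:\.\d+)?)"
_BARE = re.compile(r"^" + _EPOCH + r"(?=\s|$)")
_TAGGED = re.compile(r"^t=" + _EPOCH + r"(?=\s|$)")


def format_ts(epoch, tz=timezone.utc):
    """Render an epoch string as ISO 8601 without spaces, so the rewritten
    line keeps the same number of whitespace-separated fields and existing
    column-based parsers are not disturbed.

    The integer and fractional parts are handled separately (no float
    round-trip), so the microseconds Bro wrote are reproduced exactly.
    UTC is the default so the output does not depend on the host's zone."""
    secs, _, frac = epoch.partition(".")
    when = datetime.fromtimestamp(int(secs), tz)
    return when.strftime("%Y-%m-%dT%H:%M:%S") + "." + (frac + "000000")[:6]


def rewrite_line(line, tz=timezone.utc):
    """Return the line with its leading timestamp made human-readable.

    Lines that do not start with a timestamp (comments, headers, wrapped
    continuation lines) are returned unchanged."""
    m = _TAGGED.match(line)
    if m:
        return "t=" + format_ts(m.group("ts"), tz) + line[m.end():]
    m = _BARE.match(line)
    if m:
        return format_ts(m.group("ts"), tz) + line[m.end():]
    return line


def rewrite_lines(lines, tz=timezone.utc):
    """Apply rewrite_line to every line of an iterable; returns a list."""
    return [rewrite_line(ln, tz) for ln in lines]


# Constructed sample lines in the two shapes the thread describes
# (illustrative only; not real Bro output).
SAMPLE_LOG = [
    "t=1185811118.491370 no=SensitiveLogin msg=constructed notice line",
    "1185811118.491370 0.012 10.0.0.1 10.0.0.2 http 3 5 S1",
    "# header or comment line, left as-is",
]

if __name__ == "__main__":
    # Usage: bro-ts.py < conn.log   (or pipe a notice file through it)
    for out in rewrite_lines(line.rstrip("\n") for line in sys.stdin):
        print(out)
```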
From: robin at icir.org (Robin Sommer)
Date: Mon, 30 Jul 2007 09:16:06 -0700
Subject: [Bro] Format of log file
In-Reply-To: <20070727205243.GA9483@armada.mynetwork.local>
References: <20070727205243.GA9483@armada.mynetwork.local>
Message-ID: <20070730161606.GD28704@icir.org>

On Fri, Jul 27, 2007 at 16:52 -0400, Jean-Philippe Luiggi wrote:

> Just a simple question: why do we have some files which start with
> t= ("alarm/notice") and others with just
> ("arp/conn")?

I think the notice/alarm files are the only ones starting with "t=",
but they only do that if you use use_tagging=T. We added this tagged
format to make these files more easily parseable (and also more readable,
IMHO), though you're right that this is inconsistent with the other logs.
However, each log file looks pretty different anyway, so I would think
that you always need some file-specific parsing logic.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From jp.luiggi at free.fr Mon Jul 30 10:31:42 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 30 Jul 2007 13:31:42 -0400
Subject: [Bro] Format of log file
In-Reply-To: <200707301558.l6UFwcbR049569@jaguar.icir.org>
References: <20070730144323.GA10937@armada.mynetwork.local>
	<200707301558.l6UFwcbR049569@jaguar.icir.org>
Message-ID: <20070730173142.GA20909@armada.mynetwork.local>

Hello,

On Mon, Jul 30, 2007 at 08:58:38AM -0700, Vern Paxson wrote:

> Historically each file has used fixed-column format, without tags to
> indicate the meaning of the column. We've started migrating to tags for
> just the reason you cite, to make it easier to write back-end parsers.
> However, this effort is not complete.

Ok, I understand; it sounds good.

> In the interim you might consider writing helper scripts that will
> translate the different log files into a tagged format.

Ok, no problem for this.

> By normal time do you mean human-readable timestamps? If so, you can achieve
> that using the "cf" tool in aux/cf - except it presently expects timestamps
> to start at the beginning of each line, so you'd need to extend it to know
> about t=. (If you do, please send us a patch for the addition.)
> 
> 		Vern

What I thought about was having the choice to get a human-readable time
format directly in the log. I'll work as soon as possible on "cf" as
suggested. :-)

Best regards,

Jean-philippe.

From jp.luiggi at free.fr Mon Jul 30 10:34:46 2007
From: jp.luiggi at free.fr (Jean-Philippe Luiggi)
Date: Mon, 30 Jul 2007 13:34:46 -0400
Subject: [Bro] Format of log file
In-Reply-To: <20070730161606.GD28704@icir.org>
References: <20070727205243.GA9483@armada.mynetwork.local>
	<20070730161606.GD28704@icir.org>
Message-ID: <20070730173446.GB20909@armada.mynetwork.local>

Hello,

On Mon, Jul 30, 2007 at 09:16:06AM -0700, Robin Sommer wrote:
> 
> On Fri, Jul 27, 2007 at 16:52 -0400, Jean-Philippe Luiggi wrote:
> 
> > Just a simple question: why do we have some files which start with
> > t= ("alarm/notice") and others with just
> > ("arp/conn")?
> 
> I think the notice/alarm files are the only ones starting with "t="
> but they only do that if you use use_tagging=T. We added this tagged
> format to make these files more easily parseable (and also readable
> IMHO) though you're right that this is inconsistent with other logs.
> However, each log file looks pretty much different anyway and so I
> would think that you always need some file-specific parsing logic.

Yes, I agree with you; I'm sure I'll always have some specific parsing
logic to manage. :-)

If you agree to use tagging as the rule of choice, could we make the jump
on this and develop it for the other files?

Best regards,

Jean-philippe.

From robin at icir.org Mon Jul 30 11:32:28 2007
From: robin at icir.org (Robin Sommer)
Date: Mon, 30 Jul 2007 11:32:28 -0700
Subject: [Bro] Format of log file
In-Reply-To: <20070730173446.GB20909@armada.mynetwork.local>
References: <20070727205243.GA9483@armada.mynetwork.local>
	<20070730161606.GD28704@icir.org>
	<20070730173446.GB20909@armada.mynetwork.local>
Message-ID: <20070730183228.GB31011@icir.org>

On Mon, Jul 30, 2007 at 13:34 -0400, Jean-Philippe Luiggi wrote:

> If you agree to use tagging as the rule of choice, could we make the
> jump on this and develop it for the other files?

I generally agree, though there are two issues to consider:

- tagging is not equally well suited for all logs; something like
  http.log is pretty free-form and harder to force into the
  tagging style.

- it breaks backwards compatibility, which is a large thing because
  people already have scripts to parse the stuff.

So my hunch is to stay with what we have for now (i.e., tagged for
notice/alarm, non-tagged for the rest). But I'm not claiming that
this is ideal ...

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

From jp.luiggi at free.fr Mon Jul 30 13:53:33 2007
From: jp.luiggi at free.fr (jean-philippe luiggi)
Date: Mon, 30 Jul 2007 16:53:33 -0400
Subject: [Bro] Format of log file
In-Reply-To: <20070730183228.GB31011@icir.org>
References: <20070727205243.GA9483@armada.mynetwork.local> <20070730161606.GD28704@icir.org> <20070730173446.GB20909@armada.mynetwork.local> <20070730183228.GB31011@icir.org>
Message-ID: <20070730165333.49d164bb@mygw.lan.mynetwork.local>

Hello,

On Mon, 30 Jul 2007 11:32:28 -0700 Robin Sommer wrote:
> I generally agree though there are two issues to consider:
>
> - tagging is not equally well suited for all logs; something like
>   http.log is pretty free-form and harder to force into the
>   tagging style.
>
> - it breaks backwards-compatibility, which is a large thing because
>   people have scripts to parse the stuff already.
>
> So my hunch is to stay with what we have for now (i.e., tagged for
> notice/alarm, non-tagged for the rest). But I'm not claiming that
> this is ideal ...

I've no problem with this approach; I just wanted to be sure of the correct way to use. :-)

I'll stay like this for now.

Best regards,

Jean-philippe.

From sanreich at gmx.de Tue Jul 31 17:39:21 2007
From: sanreich at gmx.de (Sandro Reichert)
Date: Wed, 01 Aug 2007 02:39:21 +0200
Subject: [Bro] broccoli and enum
Message-ID: <46AFD639.2090309@gmx.de>

Hi all,

I'm playing around with broccoli and I have problems with events that contain an enum type. The event is defined in a policy and I can use it for inter-bro communication, but broccoli ignores it. Calling the event without the enum type argument works well. Where is my mistake?

Thanks!!

Sandro

Example:

C code (modified 'broping'):

    #include <stdio.h>
    #include <broccoli.h>

    /* Handler for the "mytest" event; broccoli passes one pointer
     * per event argument after the connection and user-data pointers. */
    static void
    bro_mytest(BroConn *conn, void *data, uint32 *num, BroRecord *status)
    {
        /* just print a simple message.... */
        printf("event mytest received!\n");
    }

    /* Register the handler so broccoli delivers "mytest" to it. */
    bro_event_registry_add(bc, "mytest", (BroEventFunc) bro_mytest, NULL);

Policy code:

    type testtype: enum { first_type, second_type, };

    # 1) doesn't work with broccoli!
    event mytest(123, first_type);

    # 2) this works!
    event mytest(123);
