[Bro] enabling dpd results in run-time error

William L. Jones jones at tacc.utexas.edu
Wed May 9 13:27:15 PDT 2007


Try the following:

cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig

Bill Jones
> -----Original Message-----
> From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU]
> On Behalf Of Harry Hoffman
> Sent: Wednesday, May 09, 2007 3:20 PM
> To: bro at ICSI.Berkeley.EDU
> Subject: [Bro] enabling dpd results in run-time error
> 
> Hi All,
> 
> running bro-1.2.1 under CentOS 5.0.
> 
> I'm attempting to enable dpd via brolite.bro. When I change the:
> const use_dpd = F;
> to
> const use_dpd = T;
> 
> bro fails to start with the following errors:
> 
> /usr/local/bro/policy/http-request.bro, line 34: run-time error: error
> compiling pattern
> /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[
> \t]*=)))|(^?.*(nph-test-
> cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order
> \.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-
> cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-
> win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz
> )))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([a
> A][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.
> (tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^
> ?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/
> /usr/local/bro/policy/http-request.bro, line 42: run-time error: error
> compiling pattern
> /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*)
> )/
> /usr/local/bro/policy/http-request.bro, line 48: run-time error: error
> compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/
> /usr/local/bro/policy/http-request.bro, line 50: run-time error: error
> compiling pattern /^?.*(wwwroot|WWWROOT)/
> /usr/local/bro/policy/http-reply.bro, line 111: run-time error: error
> compiling pattern /^?.*(^ )/
> /usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error
> compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
> /usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling
> pattern
> /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))
> |(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapip
> e.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.
> *(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.
> *(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*
> (.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].
> *)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^
> ?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(t
> ar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))
> /
> /usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling
> pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
> /usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling
> pattern /^?.*([Ee][Xx][Ee][Cc].*)/
> /usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling
> pattern /^?.*(,0,0)/
> /usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling
> pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
> /usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling
> pattern /^?.*([\x00-\x7f])/
> /usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling
> pattern /^?.*([Ee][Xx][Ee][Cc])/
> /usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling
> pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
> /usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling
> pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
> /usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling
> pattern /^?.*((\/){2,})/
> /usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling
> pattern /^?.*([\x80-\xff]{3})/
> /usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling
> pattern /^?.*(USER|PASS|ACCT)/
> /usr/local/bro/policy/portmapper.bro, line 310: run-time error: error
> compiling pattern /^?.*(^\[)/
> /usr/local/bro/policy/portmapper.bro, line 311: run-time error: error
> compiling pattern /^?.*(\]$)/
> /usr/local/bro/policy/login.bro, line 66: run-time error: error compiling
> pattern
> /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\
> /eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^
> ?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[
> \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)
> ))|(^?.*(su[
> \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[
> \t]+secure)))|(^?.*(cd[
> \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[
> \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|
> (^?.*(LAST
> STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for
> solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[
> \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[
> \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^
> ?.*(#define
> NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-
> z]*\(\"\/usr\/openwin)))|(^?.*(perl[
> \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/
> /usr/local/bro/policy/login.bro, line 72: run-time error: error compiling
> pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[
> \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/
> /usr/local/bro/policy/login.bro, line 75: run-time error: error compiling
> pattern /^?.*(No such file or directory)/
> 
> 
> Any ideas why? I've searched the lists and Google but nothing is coming
> up.
> Also, checked the configure.log to see if perhaps I missed something
> there.
> 
> Cheers,
> Harry