[Bro] (no subject)

bec_agarcia at correo.seguridad.unam.mx bec_agarcia at correo.seguridad.unam.mx
Sun Mar 16 14:06:10 PDT 2008


Thanks for replying to my email.

Well, I did the things on the web page:
http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22

but I still have problems with Bro after doing these three lines:

  $ cd src/
  $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
  $ make

I get the following output:

root at lobito:~/Desktop# bro -r seg190-5-21-19febrero08.tcpdump tcp  
alarm weird ftp smtp
/usr/local/bro/policy/scan.bro, line 92: warning: no such host:  
j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host:  
j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:  
j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:  
j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:  
j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:  
j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:  
si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:  
si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:  
si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:  
si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:  
si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:  
si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:  
si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:  
wm3018.inktomi.com
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error  
compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 43: run-time error: error  
compiling pattern  
/((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(  
^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\. (tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?. *(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|  
(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error  
compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 51: run-time error: error  
compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error  
compiling pattern /^?.*(,0,0)/
/usr/local/bro/policy/ftp.bro, line 154: run-time error: error  
compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
/usr/local/bro/policy/ftp.bro, line 349: run-time error: error  
compiling pattern /^?.*([\x00-\x7f])/
/usr/local/bro/policy/ftp.bro, line 462: run-time error: error  
compiling pattern /^?.*([Ee][Xx][Ee][Cc])/
/usr/local/bro/policy/ftp.bro, line 527: run-time error: error  
compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error  
compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error  
compiling pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error  
compiling pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error  
compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/smtp.bro, line 19: run-time error: error  
compiling pattern /^?.*(.*@.*lbl.gov)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error  
compiling pattern /^?.*(@)/
/usr/local/bro/policy/smtp.bro, line 84: run-time error: error  
compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 85: run-time error: error  
compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 86: run-time error: error  
compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 87: run-time error: error  
compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 88: run-time error: error  
compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 267: run-time error: error  
compiling pattern /^?.*((<|:|>)*)/
/usr/local/bro/policy/smtp.bro, line 281: run-time error: error  
compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro/policy/smtp.bro, line 292: run-time error: error  
compiling pattern /^?.*(( |\t)*>)/
/usr/local/bro/policy/smtp.bro, line 303: run-time error: error  
compiling pattern /^?.*(:)/


Does this error alter the final traffic analysis?
Does this problem create a lot of false positives?
How can I resolve this problem?

Thanks for everything.

Robin Sommer <robin at icir.org> wrote:

>
> On Fri, Mar 14, 2008 at 14:34 -0500,   
> bec_agarcia at correo.seguridad.unam.mx wrote:
>
>> I try to start up Bro on Ubuntu, but when I execute
>> /usr/local/bro/etc/bro.rc --start, I receive the following output with a lot
>> of errors, but I don't know where and how I can resolve them. Can anybody
>> help me, please?
>
> Please see if this helps:
>
>        http://www.bro-ids.org/wiki/index.php/%22Error_compiling_pattern%22
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
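
A triage helper for output like the one quoted in this message, added here as an example (not part of the original post and not Bro's own code): it rejoins the lines the mail client wrapped and lists, per policy script, the line numbers whose patterns failed to compile. The sample input is constructed from a few of the quoted lines, and the names `unwrap` and `summarise` are chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted output, including the
# mail client's wrapping of each message onto a second line.
SAMPLE = r"""/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
j5004.inktomisearch.com
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error
compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error
compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error
compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error
compiling pattern /^?.*(@)/
"""

# Start of one diagnostic: "<script>.bro, line N: <kind>: <message>"
HEAD = re.compile(r"^(?P<script>\S+\.bro), line (?P<line>\d+): "
                  r"(?P<kind>warning|run-time error): (?P<msg>.*)$")

def unwrap(text):
    """Rejoin wrapped diagnostics; text before the first one is skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if HEAD.match(line):
            records.append(line)
        elif line and records:
            # Continuation of the previous message. The joining space is a
            # guess: inside a long wrapped pattern it may not be original.
            records[-1] += " " + line
    return records

def summarise(text):
    """Map script name -> warning count and lines with pattern errors."""
    out = defaultdict(lambda: {"warnings": 0, "pattern_errors": []})
    for rec in unwrap(text):
        m = HEAD.match(rec)
        name = m["script"].rsplit("/", 1)[-1]
        if m["kind"] == "warning":
            out[name]["warnings"] += 1
        elif m["msg"].startswith("error compiling pattern"):
            out[name]["pattern_errors"].append(int(m["line"]))
    return dict(out)

if __name__ == "__main__":
    for script, info in sorted(summarise(SAMPLE).items()):
        print(script, info)
```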


