[Bro] Some results from basic testing of bro-1.4prerelease.

Robin Sommer robin at icir.org
Tue Sep 16 10:54:31 PDT 2008


On Tue, Sep 16, 2008 at 04:15 +0100, you wrote:

> Some facts derived from the testing of bro-1.4prerelease:

Thanks for testing 1.4.

> As weird events are generally considered traffic that "should never
> happen", shouldn't both versions signal approximately the same number
> of weird events?

Generally, yes, though there might be changes which change how
things are interpreted (in some cases there's no crisp definition 
of whether something's weird or not). I don't remember anything
specific for HTTP in this context though. It would be very helpful
if you could single out a connection or two which show the
difference between 1.2 and 1.4 and send us the trace file as well as
the command-line you're using.

> line 1: run-time error: wrong data format, expected version 13 but got
> version 18
[...]
> It seems related to the use of both versions of bro in the same
> computer session.

Right, each run creates a .state directory where any persistent
state is stored. The format of the state file is not compatible
between 1.2 and 1.4, i.e., one Bro version cannot read the files
generated by the other. 

> line 1: warning: event handlers never invoked:
> line 1: warning:         Drop::restore_dropped_address
> When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.
> (using 1.4release).

That's an intentional change as these warnings are often not very
helpful and are therefore now suppressed by default. You can turn
them back on by setting check_for_unused_event_handlers=T.

Robin


-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org