From hall.692 at osu.edu Fri Jan 2 18:27:06 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Fri, 2 Jan 2009 21:27:06 -0500
Subject: [Bro] Hotel block/recommendation?
Message-ID: <14CCB7FC-1F39-4306-879E-571B0E46EA3F@osu.edu>

Is there a recommended hotel for the workshop?

Thanks,
.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From vern at icir.org Sat Jan 3 23:21:14 2009
From: vern at icir.org (Vern Paxson)
Date: Sat, 03 Jan 2009 23:21:14 -0800
Subject: [Bro] Hotel block/recommendation?
In-Reply-To: <14CCB7FC-1F39-4306-879E-571B0E46EA3F@osu.edu> (Fri, 02 Jan 2009 21:27:06 EST).
Message-ID: <200901040721.n047LIMI007727@pork.ICSI.Berkeley.EDU>

> Is there a recommended hotel for the workshop?

The usual recommendation is the Durant Hotel, per:

http://www.jdvhotels.com/hotels/durant/

though perhaps some of the other locals will have more suggestions.

(The downtown Shattuck Hotel is currently closed for renovations. It may be open by the time of the workshop, but it could still be a gamble, as in the past we've had sufficiently bad experiences with it that we stopped referring ICSI visitors to it.)

Vern

From robin at icir.org Mon Jan 5 13:11:41 2009
From: robin at icir.org (Robin Sommer)
Date: Mon, 5 Jan 2009 13:11:41 -0800
Subject: [Bro] Hotel block/recommendation?
In-Reply-To: <200901040721.n047LIMI007727@pork.ICSI.Berkeley.EDU>
References: <14CCB7FC-1F39-4306-879E-571B0E46EA3F@osu.edu> <200901040721.n047LIMI007727@pork.ICSI.Berkeley.EDU>
Message-ID: <20090105211141.GD1255@icir.org>

On Sat, Jan 03, 2009 at 23:21 -0800, Vern Paxson wrote:

> The usual recommendation is the Durant Hotel, per:
>
> http://www.jdvhotels.com/hotels/durant/

... and that's actually very conveniently located: the workshop will take place in a campus building just a couple blocks away. We will put some more location information online soon.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From mcuttler at bnl.gov Mon Jan 5 14:02:53 2009
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Mon, 05 Jan 2009 17:02:53 -0500
Subject: [Bro] linux vs freebsd
In-Reply-To: <1229494806.13638.11.camel@srg.kevlo.org>
Message-ID:

Quoting Kevin Lo from 12/17/08 1:20 AM

>
> I made an OpenBSD port of bro-1.4, which is included in the ports tree:
>
> http://www.openbsd.org/cgi-bin/cvsweb/ports/net/bro/
>

I just switched from FBSD to OpenBSD. Kevin - thanks for the port. Built like a champ. Only one issue popped up - I had to remove the 'size' line from distinfo (I'm guessing some small "thing" changed upstream at ftp.bro-ids.org?).

Thanks,
Matt Cuttler

From kevlo at kevlo.org Mon Jan 5 21:10:01 2009
From: kevlo at kevlo.org (Kevin Lo)
Date: Tue, 06 Jan 2009 13:10:01 +0800
Subject: [Bro] linux vs freebsd
In-Reply-To:
References:
Message-ID: <1231218601.26538.2.camel@srg.kevlo.org>

Matt Cuttler wrote:
> Quoting Kevin Lo from 12/17/08 1:20 AM
>
> >
> > I made an OpenBSD port of bro-1.4, which is included in the ports tree:
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/ports/net/bro/
> >
>
> I just switched from FBSD to OpenBSD. Kevin - thanks for the port. Built
> like a champ. Only one issue popped up - I had to remove the 'size' line
> from distinfo (I'm guessing some small "thing" changed upstream at
> ftp.bro-ids.org?).

What version are you running? Note that the ports tree is developed against -current. Please see:

http://www.openbsd.org/porttest.html#First

> Thanks,
> Matt Cuttler

Kevin

From mcuttler at bnl.gov Tue Jan 6 05:37:46 2009
From: mcuttler at bnl.gov (Matt Cuttler)
Date: Tue, 06 Jan 2009 08:37:46 -0500
Subject: [Bro] linux vs freebsd
In-Reply-To: <1231218601.26538.2.camel@srg.kevlo.org>
Message-ID:

> What version are you running? Note that the ports tree is developed
> against -current. Please see:

Ah, yes, I'm running stock 4.4.

..Which explains, among other things, why I didn't see bro in my ports directory to begin with! (I fetched your port by hand).

Thanks,
Matt Cuttler

From lothar at lobraun.de Fri Jan 9 03:07:50 2009
From: lothar at lobraun.de (Lothar Braun)
Date: Fri, 09 Jan 2009 12:07:50 +0100
Subject: [Bro] Error in TCP data length calculation
Message-ID: <49673006.8040909@lobraun.de>

Hi all,

I tried to access the field tcp_hdr::dl in one of my bro scripts in order to obtain the TCP payload length. But all the values calculated by bro seemed to be way too big.

This is due to a missing ntohs() call on the total length field in the IP-Header in Session.cc. I attached a patch against bro-1.4 that should fix the problem.

Best regards,
Lothar

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bropatch.diff
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090109/1bf07ce8/attachment.ksh

From robin at icir.org Fri Jan 9 08:03:08 2009
From: robin at icir.org (Robin Sommer)
Date: Fri, 9 Jan 2009 08:03:08 -0800
Subject: [Bro] Error in TCP data length calculation
In-Reply-To: <49673006.8040909@lobraun.de>
References: <49673006.8040909@lobraun.de>
Message-ID: <20090109160308.GA19072@icir.org>

On Fri, Jan 09, 2009 at 12:07 +0100, Lothar Braun wrote:

> This is due to a missing ntohs() call on the total length field in the
> IP-Header in Session.cc. I attached a patch against bro-1.4 that should
> fix the problem.

Good catch! Can you please file the patch with our tracker (tracker.icir.org/bro) so that it doesn't get lost? Thanks!

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From lothar at lobraun.de Sat Jan 10 04:51:55 2009
From: lothar at lobraun.de (Lothar Braun)
Date: Sat, 10 Jan 2009 13:51:55 +0100
Subject: [Bro] Error in TCP data length calculation
In-Reply-To: <20090109160308.GA19072@icir.org>
References: <49673006.8040909@lobraun.de> <20090109160308.GA19072@icir.org>
Message-ID: <496899EB.5030405@lobraun.de>

Hi,

Robin Sommer wrote:
> Good catch! Can you please file the patch with our tracker
> (tracker.icir.org/bro) so that it doesn't get lost? Thanks!

oh, I wasn't aware of that tracker. I created ticket #50 and attached the patch to it.

Regards,
Lothar

From robin at icir.org Sat Jan 10 08:29:48 2009
From: robin at icir.org (Robin Sommer)
Date: Sat, 10 Jan 2009 08:29:48 -0800
Subject: [Bro] Error in TCP data length calculation
In-Reply-To: <496899EB.5030405@lobraun.de>
References: <49673006.8040909@lobraun.de> <20090109160308.GA19072@icir.org> <496899EB.5030405@lobraun.de>
Message-ID: <20090110162948.GA26790@icir.org>

On Sat, Jan 10, 2009 at 13:51 +0100, Lothar Braun wrote:

> oh, I wasn't aware of that tracker.

It's new. :-)

Thanks!

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Jan 12 11:10:58 2009
From: robin at icir.org (Robin Sommer)
Date: Mon, 12 Jan 2009 11:10:58 -0800
Subject: [Bro] BroLite install (was: Bro 1.4 release now available)
In-Reply-To: <20081017223009.GE6354@uiuc.edu>
Message-ID: <20090112191058.GA4174@icir.org>

On Fri, Oct 17, 2008 at 17:30 -0500, Aashish Sharma wrote:

> Reading changelog says brolite may be deprecated. I see current
> 1.4 release is missing ../etc/bro.rc, ../etc/bro.cfg and
> ../site/local.site.bro files amongst others even after running
> "make install-brolite".

It took me a bit to get back to this but there's now a patch for 1.4 at

http://tracker.icir.org/bro/ticket/51

which I hope puts things back into place for "make install-brolite". I would appreciate it if somebody using BroLite could give it a try and let me know whether this indeed fixes it. (Please add any feedback directly to the tracker item).

Thanks,

Robin

P.S.: Please note that install-brolite remains deprecated and won't see any further updates. This is just to avoid breaking existing installations unnecessarily.

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From edthoma at sandia.gov Mon Jan 12 13:39:14 2009
From: edthoma at sandia.gov (Eric Thomas)
Date: Mon, 12 Jan 2009 13:39:14 -0800 (PST)
Subject: [Bro] DPD not getting expected results
Message-ID: <20090112131339.K14238@piglet2.ran.sandia.gov>

I'm running bro in offline mode (-r) trying to get various aspects of DPD to work. I needed a good trace to test, so I configured system B's SSH to run on ports 22, 23, and 80. Then I got a packet trace (tcpdump -w) while SSH'ing from system A to those three ports on system B.

I ran bro on the trace with the following policy files (in this order):

notice conn dpd irc-bot dyn-disable detect-protocols detect-protocols-http proxy http-request http-reply ssh zzz-custom

zzz-custom is my custom policy file for redefs. In that file I redef'd dpd_conn_logs to T and ensured an all-inclusive capture_filter.

The results are not what I was hoping for. I expected, because I enabled dpd_conn_logs, that SSH would be properly detected and the conn log would indicate that. Instead, there is a ? appended after the name of the port, which indicates the protocol wasn't parsed. I expected to see ProtocolViolation messages in the notice log because of the non-http protocol on port 80 (this is a feature of dyn-disable).
And I expected to see ProtocolFound and ServerFound notices because of the SSH protocol on a non-standard port (according to the wiki, that code is in detect-protocols.bro).

None of the three things I expected to happen happened. My notice log is completely empty. And the conn log has the three connections I expected (albeit with the missing detected protocol).

I'm running bro 1.4. Any ideas on what I'm doing wrong here?

Eric T
edthoma at sandia.gov

From robin at icir.org Mon Jan 12 16:58:28 2009
From: robin at icir.org (Robin Sommer)
Date: Mon, 12 Jan 2009 16:58:28 -0800
Subject: [Bro] DPD not getting expected results
In-Reply-To: <20090112131339.K14238@piglet2.ran.sandia.gov>
References: <20090112131339.K14238@piglet2.ran.sandia.gov>
Message-ID: <20090113005828.GE14715@icir.org>

On Mon, Jan 12, 2009 at 13:39 -0800, you wrote:

> run on ports 22, 23, and 80. Then I got a packet trace (tcpdump -w) while
> SSH'ing from system A to those three ports on system B.
>
> I ran bro on the trace with the following policy files (in this order):

Can you send me the trace file as well as your zzz-custom please?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From dikshie at sfc.wide.ad.jp Tue Jan 13 08:37:10 2009
From: dikshie at sfc.wide.ad.jp (dikshie)
Date: Wed, 14 Jan 2009 01:37:10 +0900
Subject: [Bro] ipv6
Message-ID: <496CC336.7060702@sfc.wide.ad.jp>

Hi,

1. Any documentation on how to use Bro to read and analyze ipv6 traces?

2. I use Bro-1.4 installed from FreeBSD ports by adding --enable-brov6 to CONFIGURE_ARGS= but bro fails to read ipv6 traces.

3. Can bro read ip6 multicast traces?

with best regards,

-dikshie-

From hall.692 at osu.edu Tue Jan 13 08:44:23 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Tue, 13 Jan 2009 11:44:23 -0500
Subject: [Bro] ipv6
In-Reply-To: <496CC336.7060702@sfc.wide.ad.jp>
References: <496CC336.7060702@sfc.wide.ad.jp>
Message-ID: <5409BAE2-6304-4C48-932A-35E65FB796F4@osu.edu>

On Jan 13, 2009, at 11:37 AM, dikshie wrote:

> 2. I use Bro-1.4 installed from FreeBSD ports by adding
> --enable-brov6 to CONFIGURE_ARGS=
> but bro fails to read ipv6 traces.

Make sure that you set your capture filter to include ipv6 traffic. It's not set to include it by default. From the command line you can do -f"ip and ip6" to include all ipv4 and ipv6 traffic.

> 3. Can bro read ip6 multicast traces?

I don't see why it would have any trouble with multicast.

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From dikshie at sfc.wide.ad.jp Tue Jan 13 08:51:42 2009
From: dikshie at sfc.wide.ad.jp (dikshie)
Date: Wed, 14 Jan 2009 01:51:42 +0900
Subject: [Bro] ipv6
In-Reply-To: <5409BAE2-6304-4C48-932A-35E65FB796F4@osu.edu>
References: <496CC336.7060702@sfc.wide.ad.jp> <5409BAE2-6304-4C48-932A-35E65FB796F4@osu.edu>
Message-ID: <496CC69E.7000202@sfc.wide.ad.jp>

Seth Hall wrote:
>
> On Jan 13, 2009, at 11:37 AM, dikshie wrote:
>
>> 2. I use Bro-1.4 installed from FreeBSD ports by adding
>> --enable-brov6 to CONFIGURE_ARGS=
>> but bro fails to read ipv6 traces.
>
> Make sure that you set your capture filter to include ipv6 traffic.
> It's not set to include it by default. From the command line you can do
> -f"ip and ip6" to include all ipv4 and ipv6 traffic.

I use tcpdump to capture packets.

#tcpdump -c 10000 -s 1500 -w ip6.pcap -nvvi em2 ip6
#tcpdump -s 1500 -nvv -w tcp6.pcap -r ip6.pcap tcp
#bro -r tcp6.pcap

1231818666.514747 weird: spontaneous_FIN

there are no *.log files (conn.log, etc).

>
>> 3. Can bro read ip6 multicast traces?
>
> I don't see why it would have any trouble with multicast.

#tcpdump -w multicast.pcap -c 100000 -s 1500 -nvvi em2 ip6 multicast
#bro -r multicast.pcap

1231827825.806499 weird: bad_UDP_checksum

there are no *.log files.

with best regards,

-dikshie-

From vern at icir.org Tue Jan 13 08:53:13 2009
From: vern at icir.org (Vern Paxson)
Date: Tue, 13 Jan 2009 08:53:13 -0800
Subject: [Bro] ipv6
In-Reply-To: <496CC336.7060702@sfc.wide.ad.jp> (Wed, 14 Jan 2009 01:37:10 +0900).
Message-ID: <200901131653.n0DGrI7i028153@pork.ICSI.Berkeley.EDU>

> 1. Any documentation on how to use Bro to read and analyze
> ipv6 traces?

Nothing extra is needed other than --enable-brov6.

Note though that Bro doesn't correctly deal with packets that have options (this is a BPF/pcap limitation, rather than something specific to Bro).

> 2. I use Bro-1.4 installed from FreeBSD ports by adding
> --enable-brov6 to CONFIGURE_ARGS=
> but bro fails to read ipv6 traces.

As usual, reports of failures work much better if you include a trace and command-line invocation that demonstrates the problem, so we can try to reproduce it.

> 3. Can bro read ip6 multicast traces?

It should be able to read them (as UDP, if that's what they are), but doesn't do any interesting analysis on them.

Vern

From rmkml at free.fr Tue Jan 13 06:56:30 2009
From: rmkml at free.fr (rmkml)
Date: Tue, 13 Jan 2009 15:56:30 +0100 (CET)
Subject: [Bro] ipv6
In-Reply-To: <200901131653.n0DGrI7i028153@pork.ICSI.Berkeley.EDU>
References: <200901131653.n0DGrI7i028153@pork.ICSI.Berkeley.EDU>
Message-ID:

Hi,

Bro v1.4.6 with ipv6 compiled works good, small example:

./bro146ipv6 -r ipv6_http.pcap -f 'ip6' bro.init mt

conn.log:
1186341404.189852 0.029609 2001:6f8:102d:0:2d0:9ff:fee3:e8de 2001:6f8:900:7c0::2 http 59201 80 tcp 240 2259 SF X %1

http.log:
1186341404.199471 %1 start 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 > 2001:6f8:900:7c0::2:80
1186341404.204585 %1 GET / (200 "OK" [2121] cl-1985.ham-01.de.sixxs.net)

Regards
Rmkml
Crusoe-Researches.com

On Tue, 13 Jan 2009, Vern Paxson wrote:

> Date: Tue, 13 Jan 2009 08:53:13 -0800
> From: Vern Paxson
> To: dikshie
> Cc: bro at ICSI.Berkeley.EDU
> Subject: Re: [Bro] ipv6
>
>> 1. Any documentation on how to use Bro to read and analyze
>> ipv6 traces?
>
> Nothing extra is needed other than --enable-brov6.
>
> Note though that Bro doesn't correctly deal with packets that have options
> (this is a BPF/pcap limitation, rather than something specific to Bro).
>
>> 2. I use Bro-1.4 installed from FreeBSD ports by adding
>> --enable-brov6 to CONFIGURE_ARGS=
>> but bro fails to read ipv6 traces.
>
> As usual, reports of failures work much better if you include a trace and
> command-line invocation that demonstrates the problem, so we can try to
> reproduce it.
>
>> 3. Can bro read ip6 multicast traces?
>
> It should be able to read them (as UDP, if that's what they are), but
> doesn't do any interesting analysis on them.
>
> Vern

From hall.692 at osu.edu Tue Jan 13 10:07:30 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Tue, 13 Jan 2009 13:07:30 -0500
Subject: [Bro] ipv6
In-Reply-To: <496CC69E.7000202@sfc.wide.ad.jp>
References: <496CC336.7060702@sfc.wide.ad.jp> <5409BAE2-6304-4C48-932A-35E65FB796F4@osu.edu> <496CC69E.7000202@sfc.wide.ad.jp>
Message-ID:

On Jan 13, 2009, at 11:51 AM, dikshie wrote:

> #bro -r tcp6.pcap
>
> 1231818666.514747 weird: spontaneous_FIN
>
> there are no *.log files (conn.log, etc).

Try running with the conn.bro script...

#bro -rtcp6.pcap -f "ip6 or ip" conn

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From vern at icir.org Tue Jan 13 10:15:48 2009
From: vern at icir.org (Vern Paxson)
Date: Tue, 13 Jan 2009 10:15:48 -0800
Subject: [Bro] ipv6
In-Reply-To: <496CC69E.7000202@sfc.wide.ad.jp> (Wed, 14 Jan 2009 01:51:42 +0900).
Message-ID: <200901131815.n0DIFrbj029221@pork.ICSI.Berkeley.EDU>

> #bro -r tcp6.pcap
>
> 1231818666.514747 weird: spontaneous_FIN
>
> there are no *.log files (conn.log, etc).

Well, you haven't listed a script to process it with. Per the private note I just sent you,

bro -f ip6 -r tcp6.pcap mt

will generate the usual log files. (I overlooked -f ip6 - thanks, Seth!)

Vern

From robin at icir.org Tue Jan 13 13:43:45 2009
From: robin at icir.org (Robin Sommer)
Date: Tue, 13 Jan 2009 13:43:45 -0800
Subject: [Bro] DPD not getting expected results
In-Reply-To: <20090113005828.GE14715@icir.org>
References: <20090112131339.K14238@piglet2.ran.sandia.gov> <20090113005828.GE14715@icir.org>
Message-ID: <20090113214345.GF46868@icir.org>

On Mon, Jan 12, 2009 at 16:58 -0800, I wrote:

> Can you send me the trace file as well as your zzz-custom please?

(For the record, this turns out to be a problem with the trace file.)

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From sychan at lbl.gov Wed Jan 14 14:45:49 2009
From: sychan at lbl.gov (Stephen Chan)
Date: Wed, 14 Jan 2009 14:45:49 -0800
Subject: [Bro] Bro 1.4, bropipe and MacOS
Message-ID: <496E6B1D.3070902@lbl.gov>

Hi,

Has anyone built and run bropipe under Bro 1.4 on MacOS 10.5.6?

Bro and broccoli built and installed happily, and bropipe also built cleanly (after requiring that libstdc++ be explicitly put in the linker files, what's up with that?)

But when I try to have bropipe connect to a local Bro instance, it fails to connect. In fact, it doesn't even seem to get to the point where it tries to open the tcp connection. Nothing shows up on a tcpdump (a telnet to the same port shows traffic getting through).

A system call trace of the program (run with "./bropipe -df - host=127.0.0.1") gives this after the executable is pretty close to being done with loading libraries:

open("/usr/local/bro/lib/libbroccoli.2.dylib\0", 0x0, 0x0) = 3 0
pread(0x3, "\316\372\355\376\a\0", 0x1000, 0x0) = 4096 0
mmap(0x22000, 0x10000, 0x5, 0x12, 0x3, 0x100000000) = 0x22000 0
mmap(0x32000, 0x1000, 0x3, 0x12, 0x3, 0x100000000) = 0x32000 0
mmap(0x33000, 0x1000, 0x7, 0x12, 0x3, 0x100000000) = 0x33000 0
mmap(0x34000, 0xF950, 0x1, 0x12, 0x3, 0x100000000) = 0x34000 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994) = 0 0
close(0x3) = 0 0
stat("/usr/lib/libstdc++.6.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994) = 0 0
stat("/usr/lib/libgcc_s.1.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994) = 0 0
stat("/usr/lib/libSystem.B.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994) = 0 0
stat("/usr/lib/libssl.0.9.7.dylib\0", 0xBFFFD2F8, 0xFFFFFFFFBFFFB994) = 0 0
stat("/usr/lib/libcrypto.0.9.7.dylib\0", 0xBFFFD2F8, 0xFFFFFFFFBFFFB994) = 0 0
stat("/usr/lib/system/libmathCommon.A.dylib\0", 0xBFFFCF48, 0xFFFFFFFFBFFFB994) = 0 0
open("/dev/dtracehelper\0", 0x2, 0xBFFFE444) = 3 0
ioctl(0x3, 0x80086804, 0xBFFFE3C8) = 0 0
close(0x3) = 0 0
__sysctl(0xBFFFE29C, 0x2, 0xBFFFE2A4) = 0 0
bsdthread_register(0x92F4EF30, 0x92F872A4, 0x1000) = 0 0
open_nocancel("/dev/urandom\0", 0x0, 0x0) = 3 0
read_nocancel(0x3, "=x\2006F\005\222\236y\0", 0x20) = 32 0
close_nocancel(0x3) = 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000) = 0x44000 0
mmap(0x0, 0x200000, 0x3, 0x1002, 0x7000000, 0x100000000) = 0x47000 0
munmap(0x47000, 0xB9000) = 0 0
munmap(0x200000, 0x47000) = 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000) = 0x47000 0
getpid(0x0, 0x3000, 0x3) = 5743 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0

[more selects ]

select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
could not connect to Bro at host=127.0.0.1:.
Will try again in 5 seconds
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0
write_nocancel(0x2, "could not connect to Bro at host=127.0.0.1:.\n\0", 0x2D) = 45 0
write_nocancel(0x2, "Will try again in 5 seconds \n\0", 0x1D) = 29 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468) = 0 0

It looks like the call to bro_conn_connect() at bropipe.cc:212 is getting stalled somehow.

Has anyone else seen this? Is there something really obvious that I'm overlooking? Packet filters are ruled out, and nothing in the logs indicates that the system is seeing any activity. Basically the bro_conn_connect() call just seems to chase its tail around for a bit and then return, without attempting a tcp connect.

Thanks,
Steve

From sychan at lbl.gov Wed Jan 14 16:10:25 2009
From: sychan at lbl.gov (Stephen Chan)
Date: Wed, 14 Jan 2009 16:10:25 -0800
Subject: [Bro] Bro 1.4, bropipe and MacOS
In-Reply-To: <496E6B1D.3070902@lbl.gov>
References: <496E6B1D.3070902@lbl.gov>
Message-ID: <496E7EF1.1070600@lbl.gov>

I figured out what was wrong, and it was indeed obvious.

When you don't specify a host, the call to bro_conn_new_str() on line 198 sends a bogus string for the new bro connect handle, so that fails. And I was misreading the usage message as indicating that I needed to specify "host=127.0.0.1:47757", which doesn't work. And if you specify the ip address, but not the port, that doesn't work either. But if you specify everything explicitly with "bropipe -df - 127.0.0.1:47757" then it works.

I'll see about patching in some appropriate default handling code and submitting it.

Steve

On 1/14/09 2:45 PM, Stephen Chan wrote:
> Hi,
> Has anyone built and run bropipe under Bro 1.4 on MacOS 10.5.6?
>
> Bro and broccoli built and installed happily, and bropipe also
> built cleanly (after requiring that libstdc++ be explicitly put in the
> linker files, what's up with that?)
>
> But when I try to have bropipe connect to a local Bro instance, it
> fails to connect. In fact, it doesn't even seem to get to the point
> where it tries to open the tcp connection. Nothing shows up on a
> tcpdump (a telnet to the same port shows traffic getting through).
>
> A system call trace of the program (run with "./bropipe -df -
> host=127.0.0.1") gives this after the executable is pretty close to
> being done with loading libraries:
>
> It looks like the call to bro_conn_connect() at bropipe.cc:212 is
> getting stalled somehow.
>
> Has anyone else seen this? Is there something really obvious that
> I'm overlooking? Packet filters are ruled out, and nothing in the logs
> indicates that the system is seeing any activity. Basically the
> bro_conn_connect() call just seems to chase its tail around for a bit
> and then return, without attempting a tcp connect.
>
> Thanks,
> Steve

From hall.692 at osu.edu Wed Jan 14 18:43:28 2009
From: hall.692 at osu.edu (Seth Hall)
Date: Wed, 14 Jan 2009 21:43:28 -0500
Subject: [Bro] Bro 1.4, bropipe and MacOS
In-Reply-To: <496E7EF1.1070600@lbl.gov>
References: <496E6B1D.3070902@lbl.gov> <496E7EF1.1070600@lbl.gov>
Message-ID: <1021F309-67FB-4AE5-A4C2-A87DF60FFB93@osu.edu>

On Jan 14, 2009, at 7:10 PM, Stephen Chan wrote:

> I'll see about patching in some appropriate default handling code
> and submitting it.

What's the current source for bropipe? Is it still just what's listed on Scott's page?

http://www.nersc.gov/~scottc/software/bro/genericclient.html

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

From robin at icir.org Thu Jan 15 10:37:31 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 15 Jan 2009 10:37:31 -0800
Subject: [Bro] Bro 1.4, bropipe and MacOS
In-Reply-To: <1021F309-67FB-4AE5-A4C2-A87DF60FFB93@osu.edu>
References: <496E6B1D.3070902@lbl.gov> <496E7EF1.1070600@lbl.gov> <1021F309-67FB-4AE5-A4C2-A87DF60FFB93@osu.edu>
Message-ID: <20090115183731.GF58398@icir.org>

On Wed, Jan 14, 2009 at 21:43 -0500, you wrote:

> What's the current source for bropipe?

It's in aux/broccoli/contrib but I'm not sure that's actually the latest version?

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Thu Jan 15 10:38:23 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 15 Jan 2009 10:38:23 -0800
Subject: [Bro] Bro 1.4, bropipe and MacOS
In-Reply-To: <496E7EF1.1070600@lbl.gov>
References: <496E6B1D.3070902@lbl.gov> <496E7EF1.1070600@lbl.gov>
Message-ID: <20090115183823.GG58398@icir.org>

On Wed, Jan 14, 2009 at 16:10 -0800, you wrote:

> I'll see about patching in some appropriate default handling code
> and submitting it.

That'd be great, thanks!

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Thu Jan 15 10:50:42 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 15 Jan 2009 10:50:42 -0800
Subject: [Bro] [Workshop] Preliminary Agenda
Message-ID: <20090115185042.GI58398@icir.org>

For those folks registered for the workshop, we now have a preliminary agenda at http://www.icir.org/robin/bro/workshop09 . The page also has a copy of the location and travel information that you guys should have already received per mail.

(Note that the event has already registered full so unfortunately we can't accommodate any further registrations.)

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From PHartDavis at mweb.com Fri Jan 16 05:15:38 2009
From: PHartDavis at mweb.com (Peter Hart-Davis - MWEB)
Date: Fri, 16 Jan 2009 15:15:38 +0200
Subject: [Bro] BroLite install (was: Bro 1.4 release now available)
Message-ID: <6586D1F97DDEDE408BEEF44402F379780D354EA3@mwmx4.mweb.com>

Hi there

I am new to Bro and the list so Greetings.

Some feedback as requested.

I am installing on Slackware 10.2.0 (old I know) gcc version 3.3.6, which was pretty straightforward although I have snort/libpcap etc installed from source and a PF Ring kernel so it is far from a vanilla Slackware.

I had done a 'manual' install of Bro 1.4 prior to patching Bro for a BroLite install, I deleted and re-installed as I felt that I had missed a few things which did turn out to be the case e.g. the perl reporting scripts.

On patching and running "make install-brolite" all seems good 'out of the box' except I had to add "/usr/local/bro/site" to BROPATH in etc/bro.cfg, from my reading I gather this is likely due to a new location of site to share/bro/site?

A suggestion, possibly a simple 'what goes where' or 'what is to be expected where' in the docs?

Peter

Peter Hart-Davis
Senior Technical Engineer: MWEB IT Security Team
Multichoice Subscriber Management services: Internet Division
Tel.: + 27 021 596 8103
Cell: + 27 083 414 7455
Fax: + 27 021 596 8381
E-mail: phartdavis at mweb.com
Registered Linux User #28564
Registered CISSP #89701
MSN: trip_tango at hotmail.com

From christian at whoop.org Fri Jan 16 10:51:41 2009
From: christian at whoop.org (Christian Kreibich)
Date: Fri, 16 Jan 2009 10:51:41 -0800
Subject: [Bro] SVN is currently unavailable
Message-ID: <1232131901.2885.343.camel@strangepork>

Sorry folks. We are upgrading our servers. We'll report back when services are restored.

--
Cheers,
Christian

From robin at icir.org Fri Jan 16 13:10:47 2009
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Jan 2009 13:10:47 -0800
Subject: [Bro] SVN is currently unavailable
In-Reply-To: <1232131901.2885.343.camel@strangepork>
References: <1232131901.2885.343.camel@strangepork>
Message-ID: <20090116211047.GY58398@icir.org>

On Fri, Jan 16, 2009 at 10:51 -0800, Christian Kreibich wrote:

> Sorry folks. We are upgrading our servers. We'll report back when
> services are restored.

Everything should be up and running again now. Let me know if there are any problems.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Jan 16 13:18:28 2009
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Jan 2009 13:18:28 -0800
Subject: [Bro] BroLite install (was: Bro 1.4 release now available)
In-Reply-To: <6586D1F97DDEDE408BEEF44402F379780D354EA3@mwmx4.mweb.com>
References: <6586D1F97DDEDE408BEEF44402F379780D354EA3@mwmx4.mweb.com>
Message-ID: <20090116211828.GZ58398@icir.org>

On Fri, Jan 16, 2009 at 15:15 +0200, you wrote:

> I am new to Bro and the list so Greetings.

Welcome to Bro!
> On patching and running "make install-brolite" all seems good 'out of > the box' except I had to add "/usr/local/bro/site" to BROPATH in > etc/bro.cfg, from my reading I gather this is likely due to a new > location of site to share/bro/site? To make sure I understand what you mean: are you saying that you had already policy files in /usr/local/bro/site which were now not found anymore (in which case that's ok to require a BROPATH change because, as you note, the standard location has changed); or are you saying that the install process puts files into /usr/local/bro/site which were then not found (in which case it would be a bug). > A suggestion, possibly a simple 'what goes where' or 'what is to > be expected where' in the docs? Yeah, I guess that would be good, except as that this fix will be only temporary anyway so it's mostly for people already using BroLite. Thanks for the feedback! Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From PHartDavis at mweb.com Mon Jan 19 02:36:11 2009 From: PHartDavis at mweb.com (Peter Hart-Davis - MWEB) Date: Mon, 19 Jan 2009 12:36:11 +0200 Subject: [Bro] BroLite install (was: Bro 1.4 release now available) In-Reply-To: <20090116211828.GZ58398@icir.org> References: <6586D1F97DDEDE408BEEF44402F379780D354EA3@mwmx4.mweb.com> <20090116211828.GZ58398@icir.org> Message-ID: <6586D1F97DDEDE408BEEF44402F379780D354EB9@mwmx4.mweb.com> Hi again Unfortunately it put the files into /usr/local/bro/site and not into /usr/local/bro/share/site i.e. a bug. The 'what goes where' or 'what is to be expected where' would be for the new layout. Something else I have picked up since is that running site-report.pl returns the following error: " Can't use an undefined value as a SCALAR reference at ./site-report.pl line 1278." Any suggestions would be appreciated.
Peter From nlange at ucalgary.ca Wed Jan 21 00:15:29 2009 From: nlange at ucalgary.ca (nlange at ucalgary.ca) Date: Wed, 21 Jan 2009 01:15:29 -0700 (MST) Subject: [Bro] Brolite/Ubuntu Installation "No such file or directory" error Message-ID: <60727.137.186.49.84.1232525729.squirrel@137.186.49.84> Hello, We are a group of students working on our fourth year project at the University of Calgary. As part of our project, we need to install Bro on an Ubuntu system. We are working with the current version of Ubuntu and Bro. The error message looks as follows: make[1]: Leaving directory '/home/terminator/bro-1.4/aux' /bin/chown -R 'cat scripts/bro_user_id' /usr/local/bro/ cat: scripts/bro_user_id: No such file or directory /bin/chown: missing operand after '/usr/local/bro/' Try '/bin/chown --help' for more information make: [install-brolite] Error 1 (ignored) ********************************************************* Please run "/usr/local/bro/etc/bro.rc --start" to start bro ********************************************************* The file /usr/local/bro/etc/bro.rc also does not exist. Any help you could offer would be very much appreciated. Norbert Lange From nlange at ucalgary.ca Wed Jan 21 00:19:23 2009 From: nlange at ucalgary.ca (nlange at ucalgary.ca) Date: Wed, 21 Jan 2009 01:19:23 -0700 (MST) Subject: [Bro] Brolite/Ubuntu Installation "No such file or directory" error Message-ID: <60965.137.186.49.84.1232525963.squirrel@137.186.49.84> Hello, I apologize if this message shows up twice. I tried sending it to one address indicated in some documentation, and then another address provided as part of my confirmation to joining this list.
We are a group of students working on our fourth year project at the University of Calgary. As part of our project, we need to install Bro on an Ubuntu system. We are working with the current version of Ubuntu and Bro. The error message looks as follows: make[1]: Leaving directory '/home/terminator/bro-1.4/aux' /bin/chown -R 'cat scripts/bro_user_id' /usr/local/bro/ cat: scripts/bro_user_id: No such file or directory /bin/chown: missing operand after '/usr/local/bro/' Try '/bin/chown --help' for more information make: [install-brolite] Error 1 (ignored) ********************************************************* Please run "/usr/local/bro/etc/bro.rc --start" to start bro ********************************************************* The file /usr/local/bro/etc/bro.rc also does not exist. Any help you could offer would be very much appreciated. Norbert Lange From mayank at in.niksun.com Wed Jan 21 00:51:03 2009 From: mayank at in.niksun.com (Mayank Jain) Date: Wed, 21 Jan 2009 14:21:03 +0530 Subject: [Bro] Brolite/Ubuntu Installation "No such file or directory" error In-Reply-To: <60965.137.186.49.84.1232525963.squirrel@137.186.49.84> Message-ID: <000001c97ba5$641b2290$1c053c0a@in.niksun.com> Hi, Can you let us know what the steps you have performed? Please let us know about the system information. Are you facing same issue with the stable branch? Regards Mayank Jain
From nlange at ucalgary.ca Wed Jan 21 05:59:30 2009 From: nlange at ucalgary.ca (nlange at ucalgary.ca) Date: Wed, 21 Jan 2009 06:59:30 -0700 (MST) Subject: [Bro] Brolite/Ubuntu Installation 'No such file or directory' error In-Reply-To: <000001c97ba5$641b2290$1c053c0a@in.niksun.com> References: <60965.137.186.49.84.1232525963.squirrel@137.186.49.84> <000001c97ba5$641b2290$1c053c0a@in.niksun.com> Message-ID: <61612.137.186.49.84.1232546370.squirrel@137.186.49.84> Hello Mayank, and thanks for your quick response. I performed the following steps on a Compaq 6910p laptop computer: - Installed Ubuntu 8.10 from scratch, using only default settings. I did not install any of the upgrades indicated by upgrade manager yet.
Administrator id is 'terminator'
- Used synaptic package manager to install the following:
  - g++
  - flex
  - ssl-dev
  - libpcap
  - ncurses
- Downloaded bro-1.4-release.tar.gz from www.bro-ids.org
- Extracted to /home/terminator/bro-1.4
- Enabled 'root' login
- in '/home/terminator/bro-1.4/aux/broccoli', did the following:
  - ./configure
  - make
  - make install
- in '/home/terminator/bro-1.4', did the following:
  - ./configure
  - make
  - make install
  - make install-brolite

Do you need any other system information?
From robin at icir.org Wed Jan 21 10:43:08 2009 From: robin at icir.org (Robin Sommer) Date: Wed, 21 Jan 2009 10:43:08 -0800 Subject: [Bro] BroLite install (was: Bro 1.4 release now available) In-Reply-To: <6586D1F97DDEDE408BEEF44402F379780D354EB9@mwmx4.mweb.com> References: <6586D1F97DDEDE408BEEF44402F379780D354EA3@mwmx4.mweb.com> <20090116211828.GZ58398@icir.org> <6586D1F97DDEDE408BEEF44402F379780D354EB9@mwmx4.mweb.com> Message-ID: <20090121184308.GE95172@icir.org> On Mon, Jan 19, 2009 at 12:36 +0200, you wrote: > Unfortunately it put the files into /usr/local/bro/site and not into > /usr/local/bro/share/site i.e. a bug. Ok, thanks. I've attached a patch to http://tracker.icir.org/bro/ticket/51 which I hope fixes this problem. Could you give it another try? > Something else I have picked up since is that running site-report.pl > returns the following error: " Can't use an undefined value as a SCALAR > reference at ./site-report.pl line 1278." Any suggestions would be > appreciated. Hmmm.... Don't really know where that comes from but I think it's unrelated to the install-brolite.
I've opened another ticket for this: http://tracker.icir.org/bro/ticket/54 Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Wed Jan 21 10:46:19 2009 From: robin at icir.org (Robin Sommer) Date: Wed, 21 Jan 2009 10:46:19 -0800 Subject: [Bro] Brolite/Ubuntu Installation 'No such file or directory' error In-Reply-To: <61612.137.186.49.84.1232546370.squirrel@137.186.49.84> References: <60965.137.186.49.84.1232525963.squirrel@137.186.49.84> <000001c97ba5$641b2290$1c053c0a@in.niksun.com> <61612.137.186.49.84.1232546370.squirrel@137.186.49.84> Message-ID: <20090121184619.GF95172@icir.org> On Wed, Jan 21, 2009 at 06:59 -0700, you wrote: > - make install-brolite There are some problems with "make install-brolite" in 1.4. The tracker ticket at http://tracker.icir.org/bro/ticket/51 has a patch which I hope will fix the installation. Could you guys give that a try? However, please note that starting with 1.4 "make install-brolite" is deprecated anyway and will very likely go away with the next release. Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From jdmfontz at yahoo.com Wed Jan 21 11:28:12 2009 From: jdmfontz at yahoo.com (Martin Fontanez) Date: Wed, 21 Jan 2009 11:28:12 -0800 (PST) Subject: [Bro] Bro-1.4 Install Question Message-ID: <510595.98193.qm@web58701.mail.re1.yahoo.com> I am getting a "no terminal emulation library found" error on configure yet as you can see below ncurse and termcap packages are installed. I am using RedHat Linux EL5. Does anyone have an idea of why is that? Thanks in advance. configure: error: No terminal emulation library found! Consider installing termcap, curses, or ncurses.
[root at localhost bro-1.4]# rpm -qa | grep ncurse* ncurses-5.5-24.20060715 [root at localhost bro-1.4]# rpm -qa | grep termcap termcap-5.5-1.20060701.1 libtermcap-2.0.8-46.1 [root at localhost bro-1.4]# rpm -qa | grep curses ncurses-5.5-24.20060715 [root at localhost bro-1.4]# From nlange at ucalgary.ca Wed Jan 21 19:28:56 2009 From: nlange at ucalgary.ca (nlange at ucalgary.ca) Date: Wed, 21 Jan 2009 20:28:56 -0700 (MST) Subject: [Bro] Running Multiple Copies of Bro Message-ID: <60991.137.186.49.84.1232594936.squirrel@137.186.49.84> Hello, and thanks to everyone (especially Robin) who responded to my questions about getting Bro configured on an Ubuntu system. Now that we have Bro running, we would like to be able to run more than one copy to take advantage of a multi-core machine. We are working on the theory that assigning separate copies of Bro to different processors may improve performance if we separate some of the tasks that each copy needs to perform. We tried simply copying the bro.rc file and calling it bro2.rc, but this doesn't work. We're a bit new at this, so any help would be appreciated. Regards, Norbert From jean-philippe.luiggi at didconcept.com Thu Jan 22 04:58:50 2009 From: jean-philippe.luiggi at didconcept.com (jean-philippe luiggi) Date: Thu, 22 Jan 2009 07:58:50 -0500 Subject: [Bro] Bro-1.4 Install Question In-Reply-To: <510595.98193.qm@web58701.mail.re1.yahoo.com> References: <510595.98193.qm@web58701.mail.re1.yahoo.com> Message-ID: <20090122075850.19f6430b@mygw.lan.mynetwork.local> Hello Martin, For some reason, the "./configure" isn't able to catch the information needed (perhaps not a standard path). Could you find the full path of the relevant libraries (use 'find / -name libncurses*') and then use the following environment variables: "LDFLAGS" (linker flags, e.g.
-L if you have libraries in a nonstandard directory ) "CPPFLAGS" (C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory ) With regards, Jean-Philippe. From christian at whoop.org Thu Jan 22 12:49:11 2009 From: christian at whoop.org (Christian Kreibich) Date: Thu, 22 Jan 2009 12:49:11 -0800 Subject: [Bro] Bro-1.4 Install Question In-Reply-To: <510595.98193.qm@web58701.mail.re1.yahoo.com> References: <510595.98193.qm@web58701.mail.re1.yahoo.com> Message-ID: <1232657351.27745.151.camel@localhost.localdomain> On Wed, 2009-01-21 at 11:28 -0800, Martin Fontanez wrote: > I am getting a "no terminal emulation library found" error on > configure yet as you can see below ncurse and termcap packages are > installed. I am using RedHat Linux EL5. Does anyone have an idea of > why is that? Thanks in advance. Please install the -devel packages as well, and let us know how it goes.
-- Cheers, Christian From robin at icir.org Thu Jan 22 16:35:16 2009 From: robin at icir.org (Robin Sommer) Date: Thu, 22 Jan 2009 16:35:16 -0800 Subject: [Bro] Running Multiple Copies of Bro In-Reply-To: <60991.137.186.49.84.1232594936.squirrel@137.186.49.84> References: <60991.137.186.49.84.1232594936.squirrel@137.186.49.84> Message-ID: <20090123003516.GH69671@icir.org> On Wed, Jan 21, 2009 at 20:28 -0700, you wrote: > We are working on the > theory that assigning separate copies of Bro to different processors may > improve performance if we separate some of the tasks that each copy needs > to perform. There's actually a paper about this theory: :-) http://www.icir.org/robin/papers/raid07.pdf bro.rc is not the right environment for this but if something new is in the works: http://www.icir.org/robin/bro-cluster/README.html Robin -- Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From jdmfontz at yahoo.com Fri Jan 23 06:35:01 2009 From: jdmfontz at yahoo.com (Martin Fontanez) Date: Fri, 23 Jan 2009 06:35:01 -0800 (PST) Subject: [Bro] Bro-1.4 Install Question In-Reply-To: <1232657351.27745.151.camel@localhost.localdomain> Message-ID: <154610.84996.qm@web58707.mail.re1.yahoo.com> I installed the ncurses-devel pkg and ./configure ran ok. Now I am getting the following errors on make: Making all in lib make[6]: Entering directory `/opt/bro-1.4/aux/binpac/lib' source='binpac_buffer.cc' object='binpac_buffer.o' libtool=no \ DEPDIR=.deps depmode=none /bin/sh ../depcomp \ g++ -DHAVE_CONFIG_H -I. -I. -I..
-c -o binpac_buffer.o binpac_buffer.cc ../depcomp: line 414: exec: g++: not found make[6]: *** [binpac_buffer.o] Error 127 make[6]: Leaving directory `/opt/bro-1.4/aux/binpac/lib' make[5]: *** [all-recursive] Error 1 make[5]: Leaving directory `/opt/bro-1.4/aux/binpac' make[4]: *** [all] Error 2 make[4]: Leaving directory `/opt/bro-1.4/aux/binpac' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/opt/bro-1.4/aux' make[2]: *** [all] Error 2 make[2]: Leaving directory `/opt/bro-1.4/aux' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/opt/bro-1.4' make: *** [all] Error 2 [root at localhost bro-1.4]# Thanks, Martin From nlange at ucalgary.ca Sun Jan 25 07:15:16 2009 From: nlange at ucalgary.ca (nlange at ucalgary.ca) Date: Sun, 25 Jan 2009 08:15:16 -0700 (MST) Subject: [Bro] Question re: Filtering an IP Range Message-ID: <61289.137.186.49.84.1232896516.squirrel@137.186.49.84> We are very new to the Bro environment, and are learning as we go. We have managed to install Bro and get the Brolite environment working. We would like to filter a range of IP addresses, and haven't quite been able to figure out how to do this. Any help would be greatly appreciated. Thanks.
Norbert From jdmfontz at yahoo.com Tue Jan 27 07:56:33 2009 From: jdmfontz at yahoo.com (Martin Fontanez) Date: Tue, 27 Jan 2009 07:56:33 -0800 (PST) Subject: [Bro] Bro-1.4 Install Question In-Reply-To: Message-ID: <605565.15597.qm@web58702.mail.re1.yahoo.com> Hello. Thank you. It looks like I have gcc and c++ pkgs installed. [root at localhost opt]# rpm -qa | grep gcc compat-gcc-34-c++-3.4.6-4 compat-libgcc-296-2.96-138 compat-gcc-34-3.4.6-4 libgcc-4.1.2-42.el5 gcc-4.1.2-42.el5 compat-gcc-34-g77-3.4.6-4 [root at localhost opt]# It looks like I also have g++ which gets installed as part of gcc install. Does this look like a bro bug? [root at localhost opt]# find / -name "g++*" /usr/bin/g++34 /opt/gcc-4.3.3/gcc/cp/g++spec.c [root at localhost opt]# Regards, Martin --- On Fri, 1/23/09, rmkml wrote: From: rmkml Subject: Re: [Bro] Bro-1.4 Install Question To: "Martin Fontanez" Date: Friday, January 23, 2009, 8:06 AM Hi, need c++ compiler... Regards Rmkml Crusoe-Researches.com
From jdmfontz at yahoo.com Tue Jan 27 10:20:04 2009 From: jdmfontz at yahoo.com (Martin Fontanez) Date: Tue, 27 Jan 2009 10:20:04 -0800 (PST) Subject: [Bro] Bro-1.4 Install Question In-Reply-To: <605565.15597.qm@web58702.mail.re1.yahoo.com> Message-ID: <387339.53110.qm@web58705.mail.re1.yahoo.com> Update. I created a link /usr/bin/g++ for /usr/bin/g++34 and went past this error on make. Now I am getting this error on make: source='X509.cc' object='X509.o' libtool=no \
DEPDIR=.deps depmode=none /bin/sh ../depcomp \ ??????? g++ -DHAVE_CONFIG_H -I. -I. -I..? -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit? -I/opt/libpcap-0.9.8? -I../linux-include -I/usr/local/include -O -W -Wall -Wno-unused -I/opt/libpcap-0.9.8? -I../linux-include -I/usr/local/include?? -c -o X509.o X509.cc X509.cc: In function `X509* d2i_X509_(X509**, const u_char**, int)': X509.cc:18: error: invalid conversion from `u_char**' to `const unsigned char**' X509.cc:18: error:?? initializing argument 2 of `X509* d2i_X509(X509**, const unsigned char**, long int)' make[3]: *** [X509.o] Error 1 make[3]: Leaving directory `/opt/bro-1.4/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/opt/bro-1.4/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/opt/bro-1.4' make: *** [all] Error 2 [root at localhost bro-1.4]# Any help is appreciated. Thank you, Martin --- On Tue, 1/27/09, Martin Fontanez wrote: From: Martin Fontanez Subject: Re: [Bro] Bro-1.4 Install Question To: Bro at bro-ids.org, "rmkml" Date: Tuesday, January 27, 2009, 10:56 AM Hello.? Thank you.? It looks like I have gcc and c++ pkgs installed. [root at localhost opt]# rpm -qa | grep gcc compat-gcc-34-c++-3.4.6-4 compat-libgcc-296-2.96-138 compat-gcc-34-3.4.6-4 libgcc-4.1.2-42.el5 gcc-4.1.2-42.el5 compat-gcc-34-g77-3.4.6-4 [root at localhost opt]# It looks like I also have g++ which gets installed as part of gcc install.? Does this looks like a bro bug? [root at localhost opt]# find / -name "g++*" /usr/bin/g++34 /opt/gcc-4.3.3/gcc/cp/g++spec.c [root at localhost opt]# Regards, Martin --- On Fri, 1/23/09, rmkml wrote: From: rmkml Subject: Re: [Bro] Bro-1.4 Install Question To: "Martin Fontanez" Date: Friday, January 23, 2009, 8:06 AM Hi, need c++ compilator... 
Regards Rmkml Crusoe-Researches.com On Fri, 23 Jan 2009, Martin Fontanez wrote: > Date: Fri, 23 Jan 2009 06:35:01 -0800 (PST) > From: Martin Fontanez > To: Bro at bro-ids.org, Christian Kreibich > Subject: Re: [Bro] Bro-1.4 Install Question > > I installed the ncurses-devel pkg and ./configure ran ok.? Now I am getting the following errors on make: > > Making all in lib > make[6]: Entering directory `/opt/bro-1.4/aux/binpac/lib' > source='binpac_buffer.cc' object='binpac_buffer.o' libtool=no \ > ??????? DEPDIR=.deps depmode=none /bin/sh ../depcomp \ > ??????? g++ -DHAVE_CONFIG_H -I. -I. -I..????? -c -o binpac_buffer.o binpac_buffer.cc > ../depcomp: line 414: exec: g++: not found > make[6]: *** [binpac_buffer.o] Error 127 > make[6]: Leaving directory `/opt/bro-1.4/aux/binpac/lib' > make[5]: *** [all-recursive] Error 1 > make[5]: Leaving directory `/opt/bro-1.4/aux/binpac' > make[4]: *** [all] Error 2 > make[4]: Leaving directory `/opt/bro-1.4/aux/binpac' > make[3]: *** [all-recursive] Error 1 > make[3]: Leaving directory `/opt/bro-1.4/aux' > make[2]: *** [all] Error 2 > make[2]: Leaving directory `/opt/bro-1.4/aux' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/opt/bro-1.4' > make: *** [all] Error 2 > [root at localhost bro-1.4]# > > Thanks, > > Martin > > --- On Thu, 1/22/09, Christian Kreibich wrote: > From: Christian Kreibich > Subject: Re: [Bro] Bro-1.4 Install Question > To: jdmfontz at yahoo.com > Cc: Bro at bro-ids.org > Date: Thursday, January 22, 2009, 3:49 PM > > On Wed, 2009-01-21 at 11:28 -0800, Martin Fontanez wrote: > > I am getting a "no terminal emulation library found" error on > > configure yet as you can see below ncurse and termcap packages are > > installed. I am using RedHat Linux EL5. Does > anyone have an idea of > > why is that? Thanks in advance. > Please install the -devel packages as well, and let us know how it > goes. 
-- Cheers,
> Christian
>
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jdmfontz at yahoo.com Tue Jan 27 10:40:13 2009
From: jdmfontz at yahoo.com (Martin Fontanez)
Date: Tue, 27 Jan 2009 10:40:13 -0800 (PST)
Subject: [Bro] Bro-1.4 Install Question
Message-ID: <323498.2486.qm@web58702.mail.re1.yahoo.com>

Thanks everyone for all the comments and help. After removing an install of /opt/libpcap-0.9.8 since I had libpcap-0.9.4-12.el5 also installed; and re-running ./configure, make ran without errors. So did make install. Looks like my box is up and running.

Thank you!

Martin

PS. Looks like Bro INSTALL doc file might need updating to indicate that corresponding *-devel-* packages also need to be installed.

--- On Tue, 1/27/09, Martin Fontanez wrote:

From: Martin Fontanez
Subject: Re: [Bro] Bro-1.4 Install Question
To: Bro at bro-ids.org, "rmkml"
Date: Tuesday, January 27, 2009, 1:20 PM

Update. I created a link /usr/bin/g++ for /usr/bin/g++34 and went past this error on make. Now I am getting this error on make:

source='X509.cc' object='X509.o' libtool=no \
        DEPDIR=.deps depmode=none /bin/sh ../depcomp \
        g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -Ilibedit -I/opt/libpcap-0.9.8 -I../linux-include -I/usr/local/include -O -W -Wall -Wno-unused -I/opt/libpcap-0.9.8 -I../linux-include -I/usr/local/include -c -o X509.o X509.cc
X509.cc: In function `X509* d2i_X509_(X509**, const u_char**, int)':
X509.cc:18: error: invalid conversion from `u_char**' to `const unsigned char**'
X509.cc:18: error:   initializing argument 2 of `X509* d2i_X509(X509**, const unsigned char**, long int)'
make[3]: *** [X509.o] Error 1
make[3]: Leaving directory `/opt/bro-1.4/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/opt/bro-1.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/bro-1.4'
make: *** [all] Error 2
[root at localhost bro-1.4]#

Any help is appreciated.

Thank you,

Martin

--- On Tue, 1/27/09, Martin Fontanez wrote:

From: Martin Fontanez
Subject: Re: [Bro] Bro-1.4 Install Question
To: Bro at bro-ids.org, "rmkml"
Date: Tuesday, January 27, 2009, 10:56 AM

Hello. Thank you. It looks like I have gcc and c++ pkgs installed.

[root at localhost opt]# rpm -qa | grep gcc
compat-gcc-34-c++-3.4.6-4
compat-libgcc-296-2.96-138
compat-gcc-34-3.4.6-4
libgcc-4.1.2-42.el5
gcc-4.1.2-42.el5
compat-gcc-34-g77-3.4.6-4
[root at localhost opt]#

It looks like I also have g++ which gets installed as part of gcc install. Does this look like a bro bug?

[root at localhost opt]# find / -name "g++*"
/usr/bin/g++34
/opt/gcc-4.3.3/gcc/cp/g++spec.c
[root at localhost opt]#

Regards,

Martin

--- On Fri, 1/23/09, rmkml wrote:

From: rmkml
Subject: Re: [Bro] Bro-1.4 Install Question
To: "Martin Fontanez"
Date: Friday, January 23, 2009, 8:06 AM

Hi,
need c++ compiler...
Regards
Rmkml
Crusoe-Researches.com

On Fri, 23 Jan 2009, Martin Fontanez wrote:

> Date: Fri, 23 Jan 2009 06:35:01 -0800 (PST)
> From: Martin Fontanez
> To: Bro at bro-ids.org, Christian Kreibich
> Subject: Re: [Bro] Bro-1.4 Install Question
>
> I installed the ncurses-devel pkg and ./configure ran ok. Now I am getting the following errors on make:
>
> Making all in lib
> make[6]: Entering directory `/opt/bro-1.4/aux/binpac/lib'
> source='binpac_buffer.cc' object='binpac_buffer.o' libtool=no \
>         DEPDIR=.deps depmode=none /bin/sh ../depcomp \
>         g++ -DHAVE_CONFIG_H -I. -I. -I.. -c -o binpac_buffer.o binpac_buffer.cc
> ../depcomp: line 414: exec: g++: not found
> make[6]: *** [binpac_buffer.o] Error 127
> make[6]: Leaving directory `/opt/bro-1.4/aux/binpac/lib'
> make[5]: *** [all-recursive] Error 1
> make[5]: Leaving directory `/opt/bro-1.4/aux/binpac'
> make[4]: *** [all] Error 2
> make[4]: Leaving directory `/opt/bro-1.4/aux/binpac'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory `/opt/bro-1.4/aux'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/opt/bro-1.4/aux'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/opt/bro-1.4'
> make: *** [all] Error 2
> [root at localhost bro-1.4]#
>
> Thanks,
>
> Martin
>
> --- On Thu, 1/22/09, Christian Kreibich wrote:
> From: Christian Kreibich
> Subject: Re: [Bro] Bro-1.4 Install Question
> To: jdmfontz at yahoo.com
> Cc: Bro at bro-ids.org
> Date: Thursday, January 22, 2009, 3:49 PM
>
> On Wed, 2009-01-21 at 11:28 -0800, Martin Fontanez wrote:
> > I am getting a "no terminal emulation library found" error on
> > configure yet as you can see below ncurse and termcap packages are
> > installed. I am using RedHat Linux EL5. Does
> anyone have an idea of
> > why is that? Thanks in advance.
> Please install the -devel packages as well, and let us know how it
> goes. -- Cheers,
> Christian
From cjmanders at gmail.com Tue Jan 27 11:19:37 2009
From: cjmanders at gmail.com (Christopher Jay Manders)
Date: Tue, 27 Jan 2009 11:19:37 -0800
Subject: [Bro] Bro-1.4 Install Question
In-Reply-To: <387339.53110.qm@web58705.mail.re1.yahoo.com>
References: <605565.15597.qm@web58702.mail.re1.yahoo.com> <387339.53110.qm@web58705.mail.re1.yahoo.com>
Message-ID:

Hi,

It sounds like you may need to do a 'make distclean', which will clear out the environment. Then do another ./configure and see what you get.

It sure sounds like the tools checked for during the Makefile's creation with configure when you did not have the tools devel packages loaded may need to be flushed out and re-conf'ed.

Of course, if you have already done the distclean, then it is something else.

HTH

Cheers!

--Christopher

2009/1/27 Martin Fontanez

> Update. I created a link /usr/bin/g++ for /usr/bin/g++34 and went past
> this error on make. Now I am getting this error on make:
>
> source='X509.cc' object='X509.o' libtool=no \
> DEPDIR=.deps depmode=none /bin/sh ../depcomp \
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../aux/binpac/lib -I../src
> -I. -I.. -Ilibedit -I/opt/libpcap-0.9.8 -I../linux-include
> -I/usr/local/include -O -W -Wall -Wno-unused -I/opt/libpcap-0.9.8
> -I../linux-include -I/usr/local/include -c -o X509.o X509.cc
> X509.cc: In function `X509* d2i_X509_(X509**, const u_char**, int)':
> X509.cc:18: error: invalid conversion from `u_char**' to `const unsigned
> char**'
> X509.cc:18: error: initializing argument 2 of `X509* d2i_X509(X509**,
> const unsigned char**, long int)'
> make[3]: *** [X509.o] Error 1
> make[3]: Leaving directory `/opt/bro-1.4/src'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/opt/bro-1.4/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/opt/bro-1.4'
> make: *** [all] Error 2
> [root at localhost bro-1.4]#
>
> Any help is appreciated.
>
> Thank you,
>
> Martin
>
> --- On *Tue, 1/27/09, Martin Fontanez * wrote:
>
> From: Martin Fontanez
> Subject: Re: [Bro] Bro-1.4 Install Question
> To: Bro at bro-ids.org, "rmkml"
> Date: Tuesday, January 27, 2009, 10:56 AM
>
>
> Hello. Thank you. It looks like I have gcc and c++ pkgs installed.
>
> [root at localhost opt]# rpm -qa | grep gcc
> compat-gcc-34-c++-3.4.6-4
> compat-libgcc-296-2.96-138
> compat-gcc-34-3.4.6-4
> libgcc-4.1.2-42.el5
> gcc-4.1.2-42.el5
> compat-gcc-34-g77-3.4.6-4
> [root at localhost opt]#
>
> It looks like I also have g++ which gets installed as part of gcc install.
> Does this look like a bro bug?
>
> [root at localhost opt]# find / -name "g++*"
> /usr/bin/g++34
> /opt/gcc-4.3.3/gcc/cp/g++spec.c
> [root at localhost opt]#
>
> Regards,
>
> Martin
>
>
>
> --- On *Fri, 1/23/09, rmkml * wrote:
>
> From: rmkml
> Subject: Re: [Bro] Bro-1.4 Install Question
> To: "Martin Fontanez"
> Date: Friday, January 23, 2009, 8:06 AM
>
> Hi,
> need c++ compiler...
> Regards
> Rmkml
> Crusoe-Researches.com
>
> On Fri, 23 Jan 2009, Martin Fontanez wrote:
>
> > Date: Fri, 23 Jan 2009 06:35:01 -0800 (PST)
> > From: Martin Fontanez
> > To: Bro at bro-ids.org, Christian Kreibich
> > Subject: Re: [Bro] Bro-1.4 Install Question
> >
> > I installed the ncurses-devel pkg and ./configure ran ok. Now I am
> getting the following errors on make:
> >
> > Making all in lib
> > make[6]: Entering directory `/opt/bro-1.4/aux/binpac/lib'
> > source='binpac_buffer.cc' object='binpac_buffer.o'
> libtool=no \
> > DEPDIR=.deps depmode=none /bin/sh ../depcomp \
> > g++ -DHAVE_CONFIG_H -I. -I.
> > -I.. -c -o
> binpac_buffer.o binpac_buffer.cc
> > ../depcomp: line 414: exec: g++: not found
> > make[6]: *** [binpac_buffer.o] Error 127
> > make[6]: Leaving directory `/opt/bro-1.4/aux/binpac/lib'
> > make[5]: *** [all-recursive] Error 1
> > make[5]: Leaving directory `/opt/bro-1.4/aux/binpac'
> > make[4]: *** [all] Error 2
> > make[4]: Leaving directory `/opt/bro-1.4/aux/binpac'
> > make[3]: *** [all-recursive] Error 1
> > make[3]: Leaving directory `/opt/bro-1.4/aux'
> > make[2]: *** [all] Error 2
> > make[2]: Leaving directory `/opt/bro-1.4/aux'
> > make[1]: *** [all-recursive] Error 1
> > make[1]: Leaving directory `/opt/bro-1.4'
> > make: *** [all] Error 2
> > [root at localhost bro-1.4]#
> >
> > Thanks,
> >
> > Martin
> >
> > --- On Thu, 1/22/09, Christian Kreibich wrote:
> > From: Christian
> > Kreibich
> > Subject: Re: [Bro] Bro-1.4 Install Question
> > To: jdmfontz at yahoo.com
> > Cc: Bro at bro-ids.org
> > Date: Thursday, January 22, 2009, 3:49 PM
> >
> > On Wed, 2009-01-21 at 11:28 -0800, Martin Fontanez wrote:
> > > I am getting a "no terminal emulation library found" error
> on
> > > configure yet as you can see below ncurse and termcap packages are
> > > installed. I am using RedHat Linux EL5. Does
> > anyone have an idea of
> > > why is that? Thanks in advance.
> > Please install the -devel packages as well, and let us know how it
> > goes. -- Cheers,
> > Christian

From jdmfontz at yahoo.com Thu Jan 29 11:57:32 2009
From: jdmfontz at yahoo.com (Martin Fontanez)
Date: Thu, 29 Jan 2009 11:57:32 -0800 (PST)
Subject: [Bro] Log Files
Message-ID: <188601.17087.qm@web58705.mail.re1.yahoo.com>

Just got Bro up and running. How do I configure where log files are written to?

Thanks,

Martin

From jdmfontz at yahoo.com Thu Jan 29 12:09:26 2009
From: jdmfontz at yahoo.com (Martin Fontanez)
Date: Thu, 29 Jan 2009 12:09:26 -0800 (PST)
Subject: [Bro] Log Files
Message-ID: <352275.24039.qm@web58705.mail.re1.yahoo.com>

Never mind, looks like I need to do a make install-brolite and then look at the /etc/bro.cfg file.

Thanks.

--- On Thu, 1/29/09, Martin Fontanez wrote:

From: Martin Fontanez
Subject: Log Files
To: Bro at bro-ids.org
Date: Thursday, January 29, 2009, 2:57 PM

Just got Bro up and running. How do I configure where log files are written to?

Thanks,

Martin