From seth at icir.org Mon Jan 3 09:06:29 2011
From: seth at icir.org (Seth Hall)
Date: Mon, 3 Jan 2011 12:06:29 -0500
Subject: [Bro] New year with Bro
Message-ID: <8EFCD23A-4849-4C2B-8AFC-61EE805E827C@icir.org>

Hi everyone!

Now that it's the new year, I wanted to take a second to reiterate the changes that are coming to the project and where we are going.

We are several months into a 3 year grant from the National Science Foundation for improving the project on all fronts including code quality and supportability, "out of the box" detections, improved user support, and new documentation.

We are planning on creating much more community involvement as well. One way that anyone can get involved is to participate in the script comment periods that are going to be taking place soon on the bro-dev mailing list. We will be auditing and cleaning up *all* of the existing Bro scripts. It should be a good way for users to slowly accumulate knowledge about how Bro works and what it can and does detect.

This year we have the 1.6 release to look forward to which will have some major changes along with some minor ones. *Lots* of tickets in the tracker will be closed. If you pay attention to various sources, you'll probably hear about many of the features as they are developed.

Short upcoming list:
 - New website
 - New logo
 - Snort/Suricata alerts supported in Bro through Barnyard2 (next release of barnyard2)

A few resources:
 - Please report bugs! http://tracker.icir.org/bro
 - Feel free to lurk on the bro-dev list! http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

One final item, I'm available for speaking engagements about all aspects of Bro (introduction to Bro, large/small installations, trace file processing, debugging, development, general advocacy, whatever). Please send email to info at bro-ids.org to see if I can attend your event.

I'm really looking forward to 2011 and helping you answer questions about your network!
(along with finding intruders of course)

  .Seth

--
(Bro) because everyone has a network
Research Engineer
International Computer Science Institute
seth at icir.org

From estrada.veronica at gmail.com Thu Jan 6 00:39:20 2011
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Thu, 6 Jan 2011 17:39:20 +0900
Subject: [Bro] TCP handshake

What happens with Bro when 3-way handshake packets are not synchronized? In the case of offline analysis, inbound packets and outbound packets may receive timestamps that are not synchronized (maybe due to problems in the capture machine setup). We think that it may affect short connections. For example, the pcap file can contain a SYN-ACK with a timestamp before the first SYN packet. Can Bro detect the 3-way handshake in this situation? Or does the ACK-SYN get discarded?

Regards,
VE

From robin at icir.org Thu Jan 6 08:35:46 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 6 Jan 2011 08:35:46 -0800
Subject: [Bro] TCP handshake
Message-ID: <20110106163546.GC24708@icir.org>

On Thu, Jan 06, 2011 at 17:39 +0900, you wrote:

> We think that it may affect short connections. For example, the pcap file
> can contain a syn-ack with a timestamp before the first SYN packet.

Yes, Bro will have trouble with that. It assumes that it sees packets in the order they were on the wire and if that's not the case, results are not really predictable. If the problem were just packets not sorted in terms of their timestamps, you could use Bro's "packet sorter" feature to get them into the right order, but it sounds like here the timestamps themselves are already off. It's worth trying hard to avoid that at the point where packets are captured.
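The two situations Robin separates (packets merely out of order in the file, which a timestamp sort like the packet sorter repairs, versus SYN-ACK timestamps that are themselves earlier than the SYN, which nothing repairs) can be measured before a trace is handed to Bro. The script below is an added example for this page, not Bro's packet sorter or any code posted in the thread; it assumes a classic microsecond pcap with Ethernet/IPv4/TCP frames and constructs its own small sample trace.

```python
"""Pre-flight check for a pcap before handing it to Bro: find TCP handshakes
whose SYN-ACK is timestamped before the SYN it answers. "unsorted" entries
are SYN-ACKs that sit earlier in the file but later by timestamp (a sort by
timestamp fixes them); "skewed" entries are SYN-ACKs whose timestamp itself
precedes the SYN (a reply cannot precede its request, so no sort fixes them).
"""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
SYN_ACK = TCP_SYN | TCP_ACK


def parse_pcap(data):
    """Yield (timestamp, src, sport, dst, dport, flags) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"   # magic number fixes the byte order
    off = 24                                     # skip the pcap global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:      # not TCP, or truncated
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield sec + usec / 1e6, src, sport, dst, dport, tcp[13]


def check_handshakes(packets):
    """Walk packets in file order. Returns (skewed, unsorted); each entry is
    (originator 4-tuple, syn_timestamp, synack_timestamp)."""
    syns, pending = {}, {}      # SYN seen so far; SYN-ACK seen before its SYN
    skewed, unsorted = [], []
    for ts, src, sport, dst, dport, flags in packets:
        kind = flags & SYN_ACK
        if kind == TCP_SYN:
            key = (src, sport, dst, dport)
            if key in syns:                     # retransmitted SYN: keep the first
                continue
            syns[key] = ts
            if key in pending:
                sa_ts = pending.pop(key)
                (unsorted if sa_ts >= ts else skewed).append((key, ts, sa_ts))
        elif kind == SYN_ACK:
            key = (dst, dport, src, sport)      # flip to the originator's view
            if key in syns:
                if ts < syns[key]:
                    skewed.append((key, syns[key], ts))
            else:
                pending.setdefault(key, ts)
    return skewed, unsorted


def sort_like_packet_sorter(packets):
    """Stable re-order by timestamp: shows what sorting alone can and cannot fix."""
    return sorted(packets, key=lambda p: p[0])


# ---- constructed sample trace (not a real capture) --------------------------
def build_pcap(packets):
    """Serialise (ts, src, sport, dst, dport, flags) tuples as a little-endian
    pcap; only used to build the sample input below."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, src, sport, dst, dport, flags in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame))
        out += frame
    return out


SAMPLE = [
    # clean handshake
    (100.000, "10.0.0.1", 40001, "192.0.2.10", 80, TCP_SYN),
    (100.010, "192.0.2.10", 80, "10.0.0.1", 40001, SYN_ACK),
    (100.020, "10.0.0.1", 40001, "192.0.2.10", 80, TCP_ACK),
    # inbound SYN-ACK stamped 5 ms before the SYN: capture-clock skew
    (200.000, "10.0.0.2", 40002, "192.0.2.10", 443, TCP_SYN),
    (199.995, "192.0.2.10", 443, "10.0.0.2", 40002, SYN_ACK),
    (200.005, "10.0.0.2", 40002, "192.0.2.10", 443, TCP_ACK),
    # SYN-ACK written to the file before the SYN, but timestamps are sane
    (300.010, "192.0.2.10", 80, "10.0.0.3", 40003, SYN_ACK),
    (300.000, "10.0.0.3", 40003, "192.0.2.10", 80, TCP_SYN),
    (300.020, "10.0.0.3", 40003, "192.0.2.10", 80, TCP_ACK),
]


def run_sample():
    """Results for the file as captured and after a timestamp sort."""
    packets = list(parse_pcap(build_pcap(SAMPLE)))
    return check_handshakes(packets), check_handshakes(sort_like_packet_sorter(packets))


if __name__ == "__main__":
    print(run_sample())
```

On the sample, sorting removes the "unsorted" case but the skewed handshake survives it, which is the case Robin says has to be fixed at capture time.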
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From james.swaro at gmail.com Thu Jan 6 12:50:14 2011
From: james.swaro at gmail.com (James Swaro)
Date: Thu, 06 Jan 2011 15:50:14 -0500
Subject: [Bro] ConnCompressor, TCP options
Message-ID: <4D262B06.5090104@gmail.com>

I am developing a module for offline analysis of bulk traces to detect and categorize TCP behavior when a retransmission takes place. I was browsing through ConnCompressor.cc when I read the heading at the top of the file.

Why is the initial packet faked and not passed as originally observed? Is it something specific about the use of Bro as an IDS?

Can you disable the use of the compressor? If so, how?

Thanks!

--
-James Swaro
-Graduate Student
-Ohio University

From rmkml at free.fr Thu Jan 6 13:00:27 2011
From: rmkml at free.fr (rmkml)
Date: Thu, 6 Jan 2011 22:00:27 +0100 (CET)
Subject: [Bro] ConnCompressor, TCP options
In-Reply-To: <4D262B06.5090104@gmail.com>
References: <4D262B06.5090104@gmail.com>

Hi James,

To disable it, change this in policy/bro.init:

    const use_connection_compressor = F &redef;

Regards
Rmkml

On Thu, 6 Jan 2011, James Swaro wrote:

> I am developing a module for offline analysis of bulk traces to detect
> and categorize TCP behavior when a retransmission takes place. I was
> browsing through ConnCompressor.cc when I read the heading at the top of
> the file.
>
> Why is initial packet faked and not passed as originally observed? Is it
> something specific about the use of Bro as an IDS?
>
> Can you disable the use of the compressor? If so, how ?
>
> Thanks!
>
> --
> -James Swaro
> -Graduate Student
> -Ohio University
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

From robin at icir.org Thu Jan 6 16:20:29 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 6 Jan 2011 16:20:29 -0800
Subject: [Bro] ConnCompressor, TCP options
In-Reply-To: <4D262B06.5090104@gmail.com>
References: <4D262B06.5090104@gmail.com>
Message-ID: <20110107002029.GB67546@icir.org>

On Thu, Jan 06, 2011 at 15:50 -0500, you wrote:

> Why is initial packet faked and not passed as originally observed?

Because it is not completely stored at that point. For a connection's initial packet, the compressor remembers only what's necessary for later analyzing it in full if more packets are coming in. That saves a lot of memory (and CPU actually) for things like scans and floods because for all those connections, Bro needs hardly any resources.

> Can you disable the use of the compressor? If so, how ?

See other mail. For an offline trace analysis, you probably want to do that.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From james.swaro at gmail.com Thu Jan 6 17:58:28 2011
From: james.swaro at gmail.com (James Swaro)
Date: Thu, 06 Jan 2011 20:58:28 -0500
Subject: [Bro] ConnCompressor, TCP options
In-Reply-To: <20110107002029.GB67546@icir.org>
References: <4D262B06.5090104@gmail.com> <20110107002029.GB67546@icir.org>
Message-ID: <4D267344.3030806@gmail.com>

On 01/06/2011 07:20 PM, Robin Sommer wrote:
>
> On Thu, Jan 06, 2011 at 15:50 -0500, you wrote:
>
>> Why is initial packet faked and not passed as originally observed?
>
> Because it is not completely stored at that point. For a
> connection's initial packet, the compressor remembers only what's
> necessary for later analyzing it in full if more packets are coming
> in.
> That saves a lot of memory (and CPU actually) for things like
> scans and floods because for all those connections, Bro needs hardly
> any resources.
>
>> Can you disable the use of the compressor? If so, how ?
>
> See other mail. For an offline trace analysis, you probably want to
> do that.
>
> Robin
>

Thank you for both answers. The first was a curiosity question and the second, a necessity. Thank you, and rmkml, for the prompt answers.

--
-James

From estrada.veronica at gmail.com Sat Jan 8 03:08:30 2011
From: estrada.veronica at gmail.com (Veronica Estrada)
Date: Sat, 8 Jan 2011 20:08:30 +0900
Subject: [Bro] TCP handshake
In-Reply-To: <20110106163546.GC24708@icir.org>
References: <20110106163546.GC24708@icir.org>

Thank you! I did some metrics, and the problem is confined to just a few cases with a fast handshake process. There are also some other rare cases, maybe more related to anomalies on the net (crud).

V.E.

On Fri, Jan 7, 2011 at 1:35 AM, Robin Sommer wrote:
>
> On Thu, Jan 06, 2011 at 17:39 +0900, you wrote:
>
> > We think that it may affect short connections. For example, the pcap file
> > can contain a syn-ack with a timestamp before the first SYN packet.
>
> Yes, Bro will have trouble with that. It assumes that it sees
> packets in the order they were on the wire and if that's not the
> case, results are not really predictable.
> If the problem were just
> packets not sorted in terms of their timestamps, you could use Bro's
> "packet sorter" feature to get them into the right order, but it
> sounds like here the timestamps themselves are already off. It's
> worth trying hard to avoid that at the point where packets are
> captured.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>

From robin at icir.org Wed Jan 12 21:50:59 2011
From: robin at icir.org (Robin Sommer)
Date: Wed, 12 Jan 2011 21:50:59 -0800
Subject: [Bro] Bro 1.5.2 release now available
Message-ID: <20110113055059.GD19204@icir.org>

Bro release 1.5.2 is now available from:

    ftp://bro-ids.org/bro-1.5.2.tar.gz

This version is a maintenance release coming with quite a number of refinements and fixes, per the appended changelog entries.

Robin

--------- cut -------------------------------------------------------

1.5.2 Wed Jan 12 17:34:55 PST 2011

- Portability fixes for --enable-int64 (Vern Paxson).

- Bug fix for Active Mapping support (Kevin Lo).

- Broccoli compiler warning fixes (Kevin Lo).

- Bug fixes for --enable-int64 and for avoiding bogus statistics /
  bad memory references when generating profiling information upon
  exit (Vern Paxson).

- Bug fixes for terminating connections (Tyler Schoenke and Vern Paxson).

- Removed now-quite-stale SSHv1 overflow detection, as it's more prone
  to false positives than useful detection (Vern Paxson).

- The SWIG file now explicitly lists those pieces from broccoli.h which it
  wants to wrap, rather than just including all of broccoli.h (Robin
  Sommer).

- http-header.bro now includes a global "include_header: set[string]". If it
  contains any strings, then only those headers will be processed.
  If left empty, then you continue to get the current behavior of
  processing all headers. (Robin Sommer).

- Several changes to drop.bro (Robin Sommer):

  * If True, the new flag Drop::dont_drop_locals indicates that
    local hosts should never be dropped. On by default.

  * If True, the new flag Drop::debugging activates extensive debugging
    output for the catch-and-release logic. Off by default.

  * The timeout for tracking dropping information is now 1 day
    rather than 7 days, to better echo the one-restart-a-day semantics
    used in the past.

  * Bug fix for hosts once dropped but later cleared; some state
    for them persisted.

- Portability fix for Broccoli Python bindings on 64-bit platforms (Robin
  Sommer).

- The HTTP analyzer no longer attempts to track Server/User-Agent
  versions, as these are hugely voluminous (Seth Hall).

- HTTP and SMTP no longer have extra-short inactivity timeouts, as
  these were too often leading to premature expiration of a connection
  (Robin Sommer).

- Tracking of HTTP refer[r]ers by setting log_referrer (Vern Paxson).

- The "rst" tool (aux/rst/) now takes an optional "-I " argument
  that instructs it to inject as payload rather than sending a RST
  packet (Vern Paxson). must be NUL-terminated, and the NUL is not
  included.

- Bug fix for crashes in the DNS analyzer when processing replies for
  which no request was seen (Robin Sommer).

- Addressed a number of lint nits (Vern Paxson).

- Rotation post-processors are now passed an additional argument
  indicating whether Bro is terminating (Robin Sommer).

- Bro now consistently generates a file_opened event for all fopen() calls
  (Robin Sommer).

- The "cf" utility now ignores a leading "t=" prefix, for compatibility
  with Bro's "tagged" logging format (Robin Sommer).

- You can now redefine the email_notice_to function (Robin Sommer).

- Fix for packet processing resumption when a remote Bro dies during
  state synchronization (Robin Sommer).
- OpenSSL/X509 portability fix, at long last (Gregor Maier & Christian
  Kreibich).

- Fix for compatibility with newer versions of autoconf (Gregor Maier).

- A larger BroControl update (Robin Sommer, if not marked otherwise):

  o Increasing default timeouts for scan detector significantly.

  o Increasing the manager's max_remote_events_processed to
    something large, as it would slow down the process too much
    otherwise and there's no other work to be interleaved with it
    anyway.

  o Adding debug output to cluster's part of catch-and-release
    (extends the debugging already present in policy/debug.bro).

  o Fixing typo in util.py. Closes #223.

  o Added note to README pointing to HTML version.

  o Disabling print_hook for proxies' remote.log.

  o broctl's capstats now reports a total as well, and stats.log
    tracks these totals. Closes #160.

  o Avoiding spurious "waiting for lock" messages in cron mode.
    Closes #206.

  o Bug fixes for installation on NFS.

  o Bug fix for top command on FreeBSD 8.

  o crash-diag now checks whether gdb is available.

  o trace-summary reports the sample factor in use in its output,
    and now also applies it to the top-local-networks output (not
    doing the latter was a bug).

  o Removed the default twice-a-day rotation for conn.log. The
    default rotation for conn.log is now once every 24h, just
    like for all other logs with the exception of mail.log (which is
    still rotated twice a day, and thus the alarms are still mailed
    out twice a day).

  o Fixed the problem of logs sometimes being filed into the wrong
    directory (see the (now gone) FAQ entry in the README).

  o One can now customize the archive naming scheme. See the
    corresponding FAQ entry in the README.

  o Cleaned up, and extended, collection of cluster statistics.

    ${logdir}/stats now looks like this:

      drwxr-xr-x   4 bro  wheel      59392 Apr  5 17:55 .
      drwxr-xr-x  96 bro  wheel       2560 Apr  6 12:00 ..
      -rw-r--r--   1 bro  wheel        576 Apr  6 16:40 meta.dat
      drwxr-xr-x   2 bro  wheel       2048 Apr  6 16:40 profiling
      -rw-r--r--   1 bro  wheel  771834825 Apr  6 16:40 stats.log
      drwxr-xr-x   2 bro  wheel       2048 Apr  6 16:25 www

    stats.log accumulates cluster statistics collected every time
    "cron" is called.

    - profiling/ keeps the nodes' prof.logs.

    - www/ keeps a subset of stats.log in CSV format for easy plotting.

    - meta.dat contains meta information about the current cluster
      state (in particular which nodes we have, and when the last
      stats update was done).

    Note that there is no Web setup yet to actually visualize the data in
    www/.

  o BroControl now automatically maintains links inside today's log
    archive directory pointing to the current live version of the
    corresponding log file (if Bro is running). For example:

      smtp.log.11:52:18-current -> /usr/local/cluster/spool/manager/smtp.log

  o Alarms mailed out by BroControl now (1) have the notice msg in the
    subject; and (2) come with the full mail.log entry in the body.

  o Fixing broctl's top output (Seth Hall).

  o Fixing broctl's df output in certain situations.

  o BroControl fix for dealing with large vsize values reported by
    "top" (Craig Leres).

From sridhar.basam at gmail.com Thu Jan 13 08:05:48 2011
From: sridhar.basam at gmail.com (sridhar basam)
Date: Thu, 13 Jan 2011 11:05:48 -0500
Subject: [Bro] Bro 1.5.2 release now available
In-Reply-To: <20110113055059.GD19204@icir.org>
References: <20110113055059.GD19204@icir.org>

First of all, thanks for a new release of Bro. It is a great tool which I use regularly. Could I request you make the releases available via HTTP too, if possible? This would help out people behind firewalls which only open a handful of protocols.

There was a patch which Vern had forwarded to me which I was hoping made it into the release. Not a big deal since it is just a 2 line patch, but I wanted to see if it could be rolled into the mainline.
The patch had to do with enabling the HTTP analyser to kick in even for connections where we miss the TCP handshake. There was a single line in ContentLine.cc and HTTP.cc which had to be changed for this to happen. Any reason we couldn't make that on by default or enable that via a configure option? If you need me to help out wrt this, I am willing to do so.

thanks,
Sridhar

On Thu, Jan 13, 2011 at 12:50 AM, Robin Sommer wrote:

> Bro release 1.5.2 is now available from:
>
> ftp://bro-ids.org/bro-1.5.2.tar.gz
>
> This version is a maintenance release coming with quite a number of
> refinements and fixes, per the appended changelog entries.
>
> [...]

From robin at icir.org Thu Jan 13 08:43:31 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 13 Jan 2011 08:43:31 -0800
Subject: [Bro] Bro 1.5.2 release now available
References: <20110113055059.GD19204@icir.org>
Message-ID: <20110113164331.GB36781@icir.org>

On Thu, Jan 13, 2011 at 11:05 -0500, sridhar basam wrote:

> First of all thanks for a new release of bro.

You're welcome.
> Could i request you make the releases available via HTTP too, if possible.

It's now available via HTTP as well:

    http://www.bro-ids.org/download/bro-1.5.2.tar.gz

> The patch had to do with enabling the HTTP analyser to kick in even for
> connections where we miss the tcp handshake.

Hmm ... I don't remember that patch right now. Could you see whether it is already recorded with the tracker at http://tracker.icir.org, and if not, open a new ticket. Thanks!

However, in any case, it sounds like this patch is changing Bro's semantics in terms of how/when connections are analyzed, which generally is something we prefer to avoid doing for maintenance releases like this one.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From r.fulton at auckland.ac.nz Thu Jan 13 11:20:36 2011
From: r.fulton at auckland.ac.nz (Russell Fulton)
Date: Fri, 14 Jan 2011 08:20:36 +1300
Subject: [Bro] Bro 1.5.2 release now available
In-Reply-To: <20110113055059.GD19204@icir.org>
References: <20110113055059.GD19204@icir.org>

On 13/01/2011, at 6:50 PM, Robin Sommer wrote:

> Bro release 1.5.2 is now available from:
>
> ftp://bro-ids.org/bro-1.5.2.tar.gz
>
> This version is a maintenance release coming with quite a number of
> refinements and fixes, per the appended changelog entries.

Question from a very new Bro user. (Seth helped us do the original set up earlier this week -- Thanks!!)

If I do a standard 'make install' will that clobber anything vital in an existing config?
Russell

From sridhar.basam at gmail.com Thu Jan 13 11:40:52 2011
From: sridhar.basam at gmail.com (sridhar basam)
Date: Thu, 13 Jan 2011 14:40:52 -0500
Subject: [Bro] Bro 1.5.2 release now available
In-Reply-To: <20110113164331.GB36781@icir.org>
References: <20110113055059.GD19204@icir.org> <20110113164331.GB36781@icir.org>

On Thu, Jan 13, 2011 at 11:43 AM, Robin Sommer wrote:
>
> On Thu, Jan 13, 2011 at 11:05 -0500, sridhar basam wrote:
>
> > First of all thanks for a new release of bro.
>
> You're welcome.
>
> > Could i request you make the releases available via HTTP too, if
> > possible.
>
> It's now available via HTTP as well:
>
> http://www.bro-ids.org/download/bro-1.5.2.tar.gz
>

Thanks.

> > The patch had to do with enabling the HTTP analyser to kick in even for
> > connections where we miss the tcp handshake.
>
> Hmm ... I don't remember that patch right now. Could you see whether
> it is already recorded with the tracker at http://tracker.icir.org, and
> if not, open a new ticket. Thanks!
>

I did not see anything related to partial connections in the tracker. I will add an entry for it.

thanks,
Sridhar

From robin at icir.org Thu Jan 13 12:57:26 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 13 Jan 2011 12:57:26 -0800
Subject: [Bro] Bro 1.5.2 release now available
References: <20110113055059.GD19204@icir.org>
Message-ID: <20110113205726.GK42688@icir.org>

On Fri, Jan 14, 2011 at 08:20 +1300, you wrote:

> If I do a standard 'make install' will that clobber anything vital in an existing config?

No, it shouldn't. Note that if you're using broctl, you need a "make install-broctl" to install everything, but that should likewise not clobber anything. (Of course, it never hurts to make a backup of anything you couldn't restore otherwise ...)
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From jones at tacc.utexas.edu Fri Jan 14 09:00:32 2011
From: jones at tacc.utexas.edu (William Jones)
Date: Fri, 14 Jan 2011 11:00:32 -0600
Subject: [Bro] Bro 1.5.2 release now available
References: <20110113055059.GD19204@icir.org> <20110113164331.GB36781@icir.org>

I got this error when installing a bro-close with 1.5.2:

    [worker-4]
    ==== stderr.log
    /usr/local/bro/share/bro/broctl/cluster-addrs.hot.bro, line 3 (Hot::ssh_notice_hosts): error, "redef" used but not previously defined

I commented the redef line out of /usr/local/bro/share/bro/broctl/cluster-addrs.hot.bro and all the work nodes came up.

Bill Jones

From robin at icir.org Fri Jan 14 14:45:11 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 14 Jan 2011 14:45:11 -0800
Subject: [Bro] Bro 1.5.2 release now available
References: <20110113055059.GD19204@icir.org> <20110113164331.GB36781@icir.org>
Message-ID: <20110114224511.GM92979@icir.org>

On Fri, Jan 14, 2011 at 11:00 -0600, you wrote:

> /usr/local/bro/share/bro/broctl/cluster-addrs.hot.bro, line 3 (Hot::ssh_notice_hosts): error, "redef" used but not previously defined

Doh! That fix didn't get backported from the current development version.

> I commented the redef line out of
> /usr/local/bro/share/bro/broctl/cluster-addrs.hot.bro and all the
> work nodes came up.

That's indeed the right thing to do. In fact you could also just delete the whole file as there's nothing else in there.
Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From orsr88 at gmail.com Sun Jan 16 06:33:35 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Sun, 16 Jan 2011 09:33:35 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04

---------- Forwarded message ----------
From: rajasekhar reddy
Date: Sun, Jan 16, 2011 at 9:25 AM
Subject: RE: problem installing bro on ubuntu 10.04
To: Bro at bro-ids.org

Hi all,

When I am trying to install Bro 1.5.1 on Ubuntu 10.04 I did

    ./configure --prefix=/path/to/bro
    make

Here I got problems like:

    raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap -ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap -lpcap -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap -ltermcap
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src'
    make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src'
    Making all in scripts
    make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts'
    Making all in s2b
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
    Making all in bro-include
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include'
    Making all in example_bro_files
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files'
    Making all in etc
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc'
    Making all in bin
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin'
    Making all in pm
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm'
    Making all in snort_rules2.2
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2'
    make[4]: Nothing to be done for `all'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2'
    make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
    make[4]: Nothing to be done for `all-am'.
    make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b'
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts'
    make[3]: Nothing to be done for `all-am'.
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts'
    make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts'
    Making all in policy
    make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy'
    Making all in sigs
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/sigs'
    make[3]: Nothing to be done for `all'.
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/sigs'
    Making all in time-machine
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine'
    make[3]: Nothing to be done for `all'.
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine'
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy'
    make[3]: Nothing to be done for `all-am'.
    make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy'
    make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy'
    Making all in doc
    make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc'
    Making all in ref-manual
    make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual'
    make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' Making all in quick-start make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' make[3]: Nothing to be done for `all'. make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' Making all in user-manual make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' make[3]: Nothing to be done for `all'. make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' make[3]: Nothing to be done for `all-am'. make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1' make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1' make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1' so waht i did wrong i installed all following build essentialls libncurser5 g++ bison flex libmagic-dev libgeoip-dec libssl-dev python-dev libpcap-dev.. i stuck here from lot of days Thanks alot -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110116/d990aaf7/attachment.html From rmkml at free.fr Sun Jan 16 09:55:04 2011 From: rmkml at free.fr (rmkml) Date: Sun, 16 Jan 2011 18:55:04 +0100 (CET) Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: References: Message-ID: Hi Rajasekhar, Can you try with last bro v1.5.2 please? Regards Rmkml On Sun, 16 Jan 2011, rajasekhar reddy wrote: > > > ---------- Forwarded message ---------- > From: rajasekhar reddy > Date: Sun, Jan 16, 2011 at 9:25 AM > Subject: RE: problem installing bro on ubuntu 10.04 > To: Bro at bro-ids.org > > > hi all > when iam trying to install bro 1.5.1 on ubuntu 10.04 > i did > > > ./configure --prefix=/path/to/bro > > > make > here i got problems like.. 
> raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap -ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap -lpcap -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap -ltermcap > > > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' > make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' > Making all in scripts > make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' > > > Making all in s2b > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' > Making all in bro-include > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' > make[4]: Nothing to be done for `all'. > > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' > Making all in example_bro_files > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' > make[4]: Nothing to be done for `all'. > > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' > Making all in etc > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' > make[4]: Nothing to be done for `all'. > > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' > Making all in bin > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' > make[4]: Nothing to be done for `all'. > > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' > Making all in pm > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' > make[4]: Nothing to be done for `all'. > > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' > Making all in snort_rules2.2 > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' > make[4]: Nothing to be done for `all'. 
> > > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' > make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' > make[4]: Nothing to be done for `all-am'. > make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' > > > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' > make[3]: Nothing to be done for `all-am'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' > > > make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' > Making all in policy > make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' > Making all in sigs > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' > > > make[3]: Nothing to be done for `all'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' > Making all in time-machine > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine' > > > make[3]: Nothing to be done for `all'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/time-machine' > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' > make[3]: Nothing to be done for `all-am'. > > > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' > make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' > Making all in doc > make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' > > > Making all in ref-manual > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' > make[3]: Nothing to be done for `all'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' > > > Making all in quick-start > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' > make[3]: Nothing to be done for `all'. 
> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' > > > Making all in user-manual > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' > make[3]: Nothing to be done for `all'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' > > > make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' > make[3]: Nothing to be done for `all-am'. > make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' > make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' > > > make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1' > make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1' > make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1' > So what did I do wrong? I installed all the following: > > > build essentialls > libncurser5 > g++ > bison > flex > libmagic-dev > libgeoip-dec > libssl-dev > python-dev > libpcap-dev.. > I'm stuck here for lots of days. > Thanks a lot From orsr88 at gmail.com Mon Jan 17 12:53:01 2011 From: orsr88 at gmail.com (rajasekhar reddy) Date: Mon, 17 Jan 2011 20:53:01 +0000 Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: References: Message-ID: Hi, thanks for your reply. I tried with this version as well, but I am getting a similar error. Can anyone help me, please? Thanks & Regards Rajasekhar On Sun, Jan 16, 2011 at 5:55 PM, rmkml wrote: > Hi Rajasekhar, > Can you try with the latest Bro v1.5.2, please? > Regards > Rmkml > > > > On Sun, 16 Jan 2011, rajasekhar reddy wrote: > > >> >> ---------- Forwarded message ---------- >> From: rajasekhar reddy >> Date: Sun, Jan 16, 2011 at 9:25 AM >> Subject: RE: problem installing bro on ubuntu 10.04 >> To: Bro at bro-ids.org >> >> >> Hi all, >> when I am trying to install Bro 1.5.1 on Ubuntu 10.04 >> I did >> >> > ./configure --prefix=/path/to/bro >> >> > make >> here I got problems like: 
>> raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap >> -ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap -lpcap >> -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap >> -ltermcap >> >> >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' >> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' >> Making all in scripts >> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' >> >> >> Making all in s2b >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >> Making all in bro-include >> make[4]: Entering directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' >> make[4]: Nothing to be done for `all'. >> >> >> make[4]: Leaving directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' >> Making all in example_bro_files >> make[4]: Entering directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' >> make[4]: Nothing to be done for `all'. >> >> >> make[4]: Leaving directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' >> Making all in etc >> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' >> make[4]: Nothing to be done for `all'. >> >> >> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' >> Making all in bin >> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' >> make[4]: Nothing to be done for `all'. >> >> >> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' >> Making all in pm >> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' >> make[4]: Nothing to be done for `all'. >> >> >> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' >> Making all in snort_rules2.2 >> make[4]: Entering directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' >> make[4]: Nothing to be done for `all'. 
>> >> >> make[4]: Leaving directory >> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' >> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >> make[4]: Nothing to be done for `all-am'. >> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >> >> >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' >> make[3]: Nothing to be done for `all-am'. >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' >> >> >> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' >> Making all in policy >> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' >> Making all in sigs >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' >> >> >> make[3]: Nothing to be done for `all'. >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' >> Making all in time-machine >> make[3]: Entering directory >> `/home/raj/Desktop/bro-1.5.1/policy/time-machine' >> >> >> make[3]: Nothing to be done for `all'. >> make[3]: Leaving directory >> `/home/raj/Desktop/bro-1.5.1/policy/time-machine' >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' >> make[3]: Nothing to be done for `all-am'. >> >> >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' >> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' >> Making all in doc >> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' >> >> >> Making all in ref-manual >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' >> make[3]: Nothing to be done for `all'. >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' >> >> >> Making all in quick-start >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' >> make[3]: Nothing to be done for `all'. 
>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' >> >> >> Making all in user-manual >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' >> make[3]: Nothing to be done for `all'. >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' >> >> >> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' >> make[3]: Nothing to be done for `all-am'. >> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' >> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' >> >> >> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1' >> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1' >> make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1' >> So what did I do wrong? I installed all the following: >> >> >> build essentialls >> libncurser5 >> g++ >> bison >> flex >> libmagic-dev >> libgeoip-dec >> libssl-dev >> python-dev >> libpcap-dev.. >> I'm stuck here for lots of days. >> Thanks a lot >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110117/58407a42/attachment.html From rackow at anl.gov Mon Jan 17 14:05:32 2011 From: rackow at anl.gov (rackow at anl.gov) Date: Mon, 17 Jan 2011 16:05:32 -0600 Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: Your message of "Mon, 17 Jan 2011 20:53:01 GMT." Message-ID: <20110117220533.326729160F0@lutze.cis.anl.gov> Have you looked closely at the configure output? It tends to indicate which items were not found; from there, make additions to the system to fill in the missing pieces. rajasekhar reddy made the following keystrokes: >hi >thanks for your reply. I tried with this version as well, but I am getting a similar >error. > >Can anyone help me, please? 
> >Thanks & Regards >Rajasekhar > >On Sun, Jan 16, 2011 at 5:55 PM, rmkml wrote: > >> Hi Rajasekhar, >> Can you try with last bro v1.5.2 please? >> Regards >> Rmkml >> >> >> >> On Sun, 16 Jan 2011, rajasekhar reddy wrote: >> >> >>> >>> ---------- Forwarded message ---------- >>> From: rajasekhar reddy >>> Date: Sun, Jan 16, 2011 at 9:25 AM >>> Subject: RE: problem installing bro on ubuntu 10.04 >>> To: Bro at bro-ids.org >>> >>> >>> hi all >>> when iam trying to install bro 1.5.1 on ubuntu 10.04 >>> i did >>> >>> > ./configure --prefix=/path/to/bro >>> >>> > make >>> here i got problems like.. >>> raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap >>> -ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap -lpcap >>> -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap >>> -ltermcap >>> >>> >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' >>> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/src' >>> Making all in scripts >>> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' >>> >>> >>> Making all in s2b >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >>> Making all in bro-include >>> make[4]: Entering directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' >>> make[4]: Nothing to be done for `all'. >>> >>> >>> make[4]: Leaving directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bro-include' >>> Making all in example_bro_files >>> make[4]: Entering directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' >>> make[4]: Nothing to be done for `all'. >>> >>> >>> make[4]: Leaving directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/example_bro_files' >>> Making all in etc >>> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' >>> make[4]: Nothing to be done for `all'. 
>>> >>> >>> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/etc' >>> Making all in bin >>> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' >>> make[4]: Nothing to be done for `all'. >>> >>> >>> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/bin' >>> Making all in pm >>> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' >>> make[4]: Nothing to be done for `all'. >>> >>> >>> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b/pm' >>> Making all in snort_rules2.2 >>> make[4]: Entering directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' >>> make[4]: Nothing to be done for `all'. >>> >>> >>> make[4]: Leaving directory >>> `/home/raj/Desktop/bro-1.5.1/scripts/s2b/snort_rules2.2' >>> make[4]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >>> make[4]: Nothing to be done for `all-am'. >>> make[4]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >>> >>> >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts/s2b' >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/scripts' >>> make[3]: Nothing to be done for `all-am'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' >>> >>> >>> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/scripts' >>> Making all in policy >>> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' >>> Making all in sigs >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' >>> >>> >>> make[3]: Nothing to be done for `all'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy/sigs' >>> Making all in time-machine >>> make[3]: Entering directory >>> `/home/raj/Desktop/bro-1.5.1/policy/time-machine' >>> >>> >>> make[3]: Nothing to be done for `all'. 
>>> make[3]: Leaving directory >>> `/home/raj/Desktop/bro-1.5.1/policy/time-machine' >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/policy' >>> make[3]: Nothing to be done for `all-am'. >>> >>> >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' >>> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/policy' >>> Making all in doc >>> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' >>> >>> >>> Making all in ref-manual >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' >>> make[3]: Nothing to be done for `all'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/ref-manual' >>> >>> >>> Making all in quick-start >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' >>> make[3]: Nothing to be done for `all'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/quick-start' >>> >>> >>> Making all in user-manual >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' >>> make[3]: Nothing to be done for `all'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc/user-manual' >>> >>> >>> make[3]: Entering directory `/home/raj/Desktop/bro-1.5.1/doc' >>> make[3]: Nothing to be done for `all-am'. >>> make[3]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' >>> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1/doc' >>> >>> >>> make[2]: Entering directory `/home/raj/Desktop/bro-1.5.1' >>> make[2]: Leaving directory `/home/raj/Desktop/bro-1.5.1' >>> make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1' >>> so waht i did wrong i installed all following >>> >>> >>> build essentialls >>> libncurser5 >>> g++ >>> bison >>> flex >>> libmagic-dev >>> libgeoip-dec >>> libssl-dev >>> python-dev >>> libpcap-dev.. >>> i stuck here from lot of days >>> Thanks alot >>> >> >

From mfw113 at psu.edu Mon Jan 17 16:26:06 2011 From: mfw113 at psu.edu (Mike Waite) Date: Mon, 17 Jan 2011 19:26:06 -0500 Subject: [Bro] GeoIP support Message-ID: <4D34DE1E.4060802@psu.edu> Is there anyone successfully using GeoIP support in 1.5 on linux that would be willing to share some pointers? -- Michael Waite Enterprise Security Analyst Enterprise Information Privacy and Security Services (EIPSs) Security Operations and Services (SOS) Information Technology Services (ITS) The Pennsylvania State University (PSU) Direct Telephone: 814-865-2297 ITS-SOS Telephone: 814-863-9533 ITS-SOS E-Mail: security at psu.edu -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110117/175e654e/attachment.bin From mfw113 at psu.edu Mon Jan 17 16:52:16 2011 From: mfw113 at psu.edu (Mike Waite) Date: Mon, 17 Jan 2011 19:52:16 -0500 Subject: [Bro] GeoIP support In-Reply-To: <4D34DE1E.4060802@psu.edu> References: <4D34DE1E.4060802@psu.edu> Message-ID: <4D34E440.6020705@psu.edu> Never mind, it is right there on the wiki: http://www.bro-ids.org/wiki/index.php/GeoLocation Michael Waite Enterprise Security Analyst Enterprise Information Privacy and Security Services (EIPSs) Security Operations and Services (SOS) Information Technology Services (ITS) The Pennsylvania State University (PSU) Direct Telephone: 814-865-2297 ITS-SOS Telephone: 814-863-9533 ITS-SOS E-Mail: security at psu.edu On 01/17/2011 07:26 PM, Mike Waite wrote: > Is there anyone successfully using GeoIP support in 1.5 on linux that would be willing to share some pointers? > > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110117/662e08e9/attachment.bin From orsr88 at gmail.com Mon Jan 17 17:06:35 2011 From: orsr88 at gmail.com (rajasekhar reddy) Date: Mon, 17 Jan 2011 20:06:35 -0500 Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: <20110117220533.326729160F0@lutze.cis.anl.gov> References: <20110117220533.326729160F0@lutze.cis.anl.gov> Message-ID: Hi, thanks to everyone. 
I am new to Linux and I need Bro to be installed on my laptop to work on my project on network security, and this is what I got when I configure it: raj at ubuntu:~/Desktop/bro-1.5.2$ ./configure --prefix=/path/to/bro checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking target system type... x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for flex... flex checking lex output file root... lex.yy checking lex library... -lfl checking whether yytext is a pointer... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether make sets $(MAKE)... (cached) yes checking for ranlib... ranlib checking for gzip... gzip checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... 
yes checking for stdint.h... yes checking for unistd.h... yes checking stdio.h usability... yes checking stdio.h presence... yes checking for stdio.h... yes checking for stdio.h... (cached) yes checking for stdio.h... (cached) yes checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes checking for SSL_new in -lssl... yes checking whether OPENSSL_add_all_algorithms_conf is declared... yes checking for OpenSSL >= 0.9.7... yes checking whether d2i_X509() uses a const unsigned char**... yes checking for perl5... no checking for perl... /usr/bin/perl checking for chown... /bin/chown checking Linux kernel version... 2 checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for ANSI C header files... (cached) yes checking return type of signal handlers... void checking for sigset... yes checking for int32_t using gcc... yes checking for u_int32_t using gcc... yes checking for u_int16_t using gcc... yes checking for u_int8_t using gcc... yes checking whether time.h and sys/time.h may both be included... yes checking for memory.h... (cached) yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking socket.h usability... no checking socket.h presence... no checking for socket.h... no checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking for net/ethernet.h... yes checking for netinet/ether.h... yes checking for netinet/if_ether.h... yes checking for sys/ethernet.h... no checking for netinet/ip6.h... yes checking for socklen_t... yes checking if syslog returns int... no checking if we should declare socket and friends... no checking for gethostbyname... yes checking for socket... yes checking for putmsg in -lstr... no checking for local pcap library... /home/raj/Desktop/libpcap-1.1.1/libpcap.a checking for pcap_freecode in -lpcap... yes checking for pcap headers... 
/usr/include checking if pcap_compile_nopcap needs error parameter... not needed checking pcap-int.h usability... yes checking pcap-int.h presence... yes checking for pcap-int.h... yes checking for bpf_set_bufsize... no checking for pcap_version in libpcap... yes checking for main in -lpcap... yes checking if char_traits defines all methods... yes checking for ns_msg... yes checking for ns_inittab/res_mkquery with resolver 'none'... no checking for ns_inittab/res_mkquery with resolver '-lresolv'... yes configure: Nonblocking DNS enabled. checking for working memcmp... yes checking for strftime... yes checking for strerror... yes checking for strsep... yes checking for strcasestr... yes checking for mallinfo... yes checking for getopt_long... yes checking for library containing inet_aton... none required checking for deflatePrime in -lz... yes checking magic.h usability... yes checking magic.h presence... yes checking for magic.h... yes checking for magic_open in -lmagic... yes checking GeoIPCity.h usability... yes checking GeoIPCity.h presence... yes checking for GeoIPCity.h... yes checking for GeoIP_open_type in -lGeoIP... yes checking for tgetnum in -ltermcap... yes checking termcap.h usability... yes checking termcap.h presence... yes checking for termcap.h... yes checking term.h usability... yes checking term.h presence... yes checking for term.h... yes yes checking readline/readline.h usability... no checking readline/readline.h presence... no checking for readline/readline.h... no checking readline/history.h usability... no checking readline/history.h presence... no checking for readline/history.h... no checking for using_history in -lreadline... no checking whether byte ordering is bigendian... no checking for union semun... no checking for struct sembuf... yes checking for struct sockaddr_in.sin_len... no checking for long long... yes checking size of long long... 8 checking for long int... yes checking size of long int... 8 checking for void *... 
yes checking size of void *... 8 checking Linux kernel version support selectable fds... 2.6 is ok checking for dag_open in -ldag... no checking pcap.h usability... yes checking pcap.h presence... yes checking for pcap.h... yes checking for python... /usr/bin/python checking for Python >= 2.4... yes checking for python-config... yes === configuring in aux/broctl Created Makefile. Created bin/broctl. Created bin/make-wrapper. Bro Control Configuration Summary ========================================================== Installation directory: /path/to/bro Bro distribution: /home/raj/Desktop/bro-1.5.2 Bro build directory: /home/raj/Desktop/bro-1.5.2 Bro Control distribution: /home/raj/Desktop/bro-1.5.2/aux/broctl Bro Control build directory: /home/raj/Desktop/bro-1.5.2/aux/broctl Standalone installation: yes configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating doc/Makefile config.status: creating doc/ref-manual/Makefile config.status: creating doc/quick-start/Makefile config.status: creating doc/user-manual/Makefile config.status: creating aux/adtrace/Makefile config.status: creating aux/cf/Makefile config.status: creating aux/hf/Makefile config.status: creating aux/nftools/Makefile config.status: creating aux/scripts/Makefile config.status: creating aux/bdcat/Makefile config.status: creating aux/rst/Makefile config.status: creating aux/Makefile config.status: creating policy/Makefile config.status: creating policy/sigs/Makefile config.status: creating policy/time-machine/Makefile config.status: creating scripts/Makefile config.status: creating scripts/bro_config config.status: creating scripts/bro.rc config.status: creating scripts/localnetMAC.pl config.status: creating scripts/s2b/Makefile config.status: creating scripts/s2b/bro-include/Makefile config.status: creating scripts/s2b/example_bro_files/Makefile config.status: creating scripts/s2b/etc/Makefile config.status: creating 
scripts/s2b/bin/Makefile config.status: creating scripts/s2b/pm/Makefile config.status: creating scripts/s2b/snort_rules2.2/Makefile config.status: creating config.h config.status: config.h is unchanged config.status: executing depfiles commands config.status: executing default commands === configuring in aux/broccoli (/home/raj/Desktop/bro-1.5.2/aux/broccoli) configure: running /bin/bash ./configure '--prefix=/path/to/bro' --cache-file=/dev/null --srcdir=. checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking target system type... x86_64-unknown-linux-gnu checking host system type... (cached) x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for gcc... (cached) gcc checking whether we are using the GNU C compiler... (cached) yes checking whether gcc accepts -g... (cached) yes checking for gcc option to accept ISO C89... (cached) none needed checking dependency style of gcc... (cached) gcc3 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for a BSD-compatible install... /usr/bin/install -c checking for flex... flex checking lex output file root... 
lex.yy checking lex library... -lfl checking whether yytext is a pointer... yes checking for bison... bison -y checking for a sed that does not truncate output... /bin/sed checking for fgrep... /bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 1572864 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... yes checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for ar... ar checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from gcc object... ok checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... 
yes checking whether to build shared libraries... yes checking whether to build static libraries... yes checking whether byte ordering is bigendian... no checking for geteuid... yes checking for getpwuid... yes checking for uint... yes checking pcap.h usability... yes checking pcap.h presence... yes checking for pcap.h... yes checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for OPENSSL_add_all_algorithms_conf in -lcrypto... yes checking for SSL_new in -lssl... yes checking for gtkdoc-mkdb... false checking for openjade... no configure: creating ./config.status config.status: creating Makefile config.status: creating broccoli-config config.status: creating src/Makefile config.status: creating src/broccoli.h config.status: creating test/Makefile config.status: creating docs/Makefile config.status: creating docs/mkhtml config.status: creating bindings/Makefile config.status: creating config.h config.status: config.h is unchanged config.status: executing depfiles commands config.status: executing libtool commands config.status: executing default commands Broccoli Configuration Summary ========================================================== - Debugging enabled: no - Pcap packet support: yes === configuring in aux/binpac (/home/raj/Desktop/bro-1.5.2/aux/binpac) configure: running /bin/bash ./configure '--prefix=/path/to/bro' --cache-file=/dev/null --srcdir=. checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking target system type... x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for style of include used by make... GNU checking for gcc... gcc checking for C compiler default output file name... 
a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking dependency style of gcc... gcc3 checking for flex... flex checking lex output file root... lex.yy checking lex library... -lfl checking whether yytext is a pointer... yes checking for bison... bison -y checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for ranlib... ranlib checking for a BSD-compatible install... /usr/bin/install -c checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking whether byte ordering is bigendian... no configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating lib/Makefile config.status: creating lib/binpac.h config.status: creating config.h config.status: config.h is unchanged config.status: executing depfiles commands Binpac Configuration Summary ========================================================== - Debugging enabled: no === configuring in aux/broctl/aux/capstats (/home/raj/Desktop/bro-1.5.2/aux/broctl/aux/capstats) configure: running /bin/bash ./configure '--prefix=/path/to/bro' --cache-file=/dev/null --srcdir=. checking for a BSD-compatible install... 
/usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for g++... g++ checking for C++ compiler default output file name... a.out checking whether the C++ compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking for style of include used by make... GNU checking dependency style of g++... gcc3 checking for gcc... gcc checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking dependency style of gcc... gcc3 checking for dag_open in -lpcap... no checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking syslog.h usability... yes checking syslog.h presence... yes checking for syslog.h... yes checking for unistd.h... (cached) yes checking for stdbool.h that conforms to C99... yes checking for _Bool... yes checking for an ANSI C-conforming const... yes checking whether time.h and sys/time.h may both be included... yes checking for error_at_line... yes checking return type of signal handlers... void checking for alarm... yes checking for gettimeofday... 
yes checking for memset... yes checking for strerror... yes checking for dag_open in -ldag... no checking pcap.h usability... yes checking pcap.h presence... yes checking for pcap.h... yes configure: creating ./config.status config.status: creating Makefile config.status: creating config.h config.status: config.h is unchanged config.status: executing depfiles commands Capstats Configuration Summary ========================================================== Configuration Summary: - DAG support: no Bro Configuration Summary ========================================================== - Debugging enabled: no - OpenSSL support: yes - Non-blocking main loop: yes - Non-blocking resolver: yes - Installation prefix: /path/to/bro - Perl interpreter: /usr/bin/perl - Using basic_string: yes - Using libmagic: yes - Using perftools: no - Binpac used: shipped with Bro - Using libGeoIP: yes - Enabled broctl: yes - Enabled cluster: no - Pcap used: system-provided

And this is what I got when I did the make command:

mv -f .deps/PIA.Tpo .deps/PIA.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT POP3.o -MD -MP -MF .deps/POP3.Tpo -c -o POP3.o POP3.cc In file included from NetVar.h:8, from POP3.cc:14: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/POP3.Tpo .deps/POP3.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Portmap.o -MD -MP -MF .deps/Portmap.Tpo -c -o Portmap.o Portmap.cc In file included from NetVar.h:8, from Portmap.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Portmap.Tpo .deps/Portmap.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RPC.o -MD -MP -MF .deps/RPC.Tpo -c -o RPC.o RPC.cc In file included from NetVar.h:8, from RPC.cc:9: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/RPC.Tpo .deps/RPC.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RemoteSerializer.o -MD -MP -MF .deps/RemoteSerializer.Tpo -c -o RemoteSerializer.o RemoteSerializer.cc In file included from Expr.h:13, from Serializer.h:12, from RemoteSerializer.h:10, from RemoteSerializer.cc:176: Val.h:258: warning: type qualifiers ignored on function return type RemoteSerializer.cc: In member function 'void RemoteSerializer::InternalCommError(const char*)': RemoteSerializer.cc:2726: warning: format not a string literal and no format arguments RemoteSerializer.cc: In member function 'bool SocketComm::ProcessParentMessage()': RemoteSerializer.cc:3076: warning: format not a string literal and no format arguments mv -f .deps/RemoteSerializer.Tpo .deps/RemoteSerializer.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Rlogin.o -MD -MP -MF .deps/Rlogin.Tpo -c -o Rlogin.o Rlogin.cc In file included from NetVar.h:8, from Rlogin.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Rlogin.Tpo .deps/Rlogin.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RSH.o -MD -MP -MF .deps/RSH.Tpo -c -o RSH.o RSH.cc In file included from NetVar.h:8, from RSH.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/RSH.Tpo .deps/RSH.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Rule.o -MD -MP -MF .deps/Rule.Tpo -c -o Rule.o Rule.cc In file included from Expr.h:13, from PktSrc.h:9, from Net.h:11, from RuleMatcher.h:11, from Rule.cc:6: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Rule.Tpo .deps/Rule.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RuleAction.o -MD -MP -MF .deps/RuleAction.Tpo -c -o RuleAction.o RuleAction.cc In file included from Expr.h:13, from PktSrc.h:9, from Net.h:11, from RuleMatcher.h:11, from RuleAction.cc:9: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/RuleAction.Tpo .deps/RuleAction.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RuleCondition.o -MD -MP -MF .deps/RuleCondition.Tpo -c -o RuleCondition.o RuleCondition.cc In file included from Expr.h:13, from Debug.h:25, from Func.h:10, from RuleCondition.h:7, from RuleCondition.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/RuleCondition.Tpo .deps/RuleCondition.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT RuleMatcher.o -MD -MP -MF .deps/RuleMatcher.Tpo -c -o RuleMatcher.o RuleMatcher.cc In file included from Conn.h:11, from Analyzer.h:11, from RuleMatcher.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/RuleMatcher.Tpo .deps/RuleMatcher.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT SMB.o -MD -MP -MF .deps/SMB.Tpo -c -o SMB.o SMB.cc In file included from NetVar.h:8, from SMB.cc:5: Val.h:258: warning: type qualifiers ignored on function return type In file included from SMB.cc:6: SMB.h:150: warning: type qualifiers ignored on function return type SMB.cc: In member function 'void SMB_Session::Deliver(int, int, const u_char*)': SMB.cc:169: warning: format '%d' expects type 'int', but argument 3 has type 'long int' mv -f .deps/SMB.Tpo .deps/SMB.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT SMTP.o -MD -MP -MF .deps/SMTP.Tpo -c -o SMTP.o SMTP.cc In file included from NetVar.h:8, from SMTP.cc:9: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/SMTP.Tpo .deps/SMTP.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT SSH.o -MD -MP -MF .deps/SSH.Tpo -c -o SSH.o SSH.cc In file included from NetVar.h:8, from SSH.cc:9: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/SSH.Tpo .deps/SSH.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. 
-I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT SSL-binpac.o -MD -MP -MF .deps/SSL-binpac.Tpo -c -o SSL-binpac.o SSL-binpac.cc In file included from Conn.h:11, from Analyzer.h:11, from TCP.h:8, from SSL-binpac.h:6, from SSL-binpac.cc:3: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/SSL-binpac.Tpo .deps/SSL-binpac.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Serializer.o -MD -MP -MF .deps/Serializer.Tpo -c -o Serializer.o Serializer.cc In file included from Expr.h:13, from Serializer.h:12, from Serializer.cc:12: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Serializer.Tpo .deps/Serializer.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Sessions.o -MD -MP -MF .deps/Sessions.Tpo -c -o Sessions.o Sessions.cc In file included from Expr.h:13, from PktSrc.h:9, from Net.h:11, from Sessions.cc:13: Val.h:258: warning: type qualifiers ignored on function return type Sessions.cc: In member function 'void NetSessions::Internal(const char*, const pcap_pkthdr*, const u_char*)': Sessions.cc:1357: warning: format not a string literal and no format arguments mv -f .deps/Sessions.Tpo .deps/Sessions.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Stats.o -MD -MP -MF .deps/Stats.Tpo -c -o Stats.o Stats.cc In file included from Conn.h:11, from Stats.cc:3: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Stats.Tpo .deps/Stats.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT SteppingStone.o -MD -MP -MF .deps/SteppingStone.Tpo -c -o SteppingStone.o SteppingStone.cc In file included from Expr.h:13, from Debug.h:25, from Func.h:10, from EventRegistry.h:8, from Event.h:8, from SteppingStone.cc:9: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/SteppingStone.Tpo .deps/SteppingStone.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT TCP.o -MD -MP -MF .deps/TCP.Tpo -c -o TCP.o TCP.cc In file included from Conn.h:11, from Analyzer.h:11, from PIA.h:8, from TCP.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/TCP.Tpo .deps/TCP.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT TCP_Endpoint.o -MD -MP -MF .deps/TCP_Endpoint.Tpo -c -o TCP_Endpoint.o TCP_Endpoint.cc In file included from Expr.h:13, from PktSrc.h:9, from Net.h:11, from TCP_Endpoint.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/TCP_Endpoint.Tpo .deps/TCP_Endpoint.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT TCP_Reassembler.o -MD -MP -MF .deps/TCP_Reassembler.Tpo -c -o TCP_Reassembler.o TCP_Reassembler.cc In file included from Conn.h:11, from Analyzer.h:11, from TCP_Reassembler.cc:3: Val.h:258: warning: type qualifiers ignored on function return type TCP_Reassembler.cc: In member function 'virtual void TCP_Reassembler::Overlap(const u_char*, const u_char*, int)': TCP_Reassembler.cc:379: warning: suggest braces around empty body in an 'if' statement mv -f .deps/TCP_Reassembler.Tpo .deps/TCP_Reassembler.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT TCP_Rewriter.o -MD -MP -MF .deps/TCP_Rewriter.Tpo -c -o TCP_Rewriter.o TCP_Rewriter.cc In file included from Expr.h:13, from Debug.h:25, from Func.h:10, from EventRegistry.h:8, from Event.h:8, from TCP_Rewriter.cc:42: Val.h:258: warning: type qualifiers ignored on function return type TCP_Rewriter.cc: In member function 'void TCP_RewriterEndpoint::DoWriteData(int, const u_char*)': TCP_Rewriter.cc:668: warning: suggest braces around empty body in an 'if' statement mv -f .deps/TCP_Rewriter.Tpo .deps/TCP_Rewriter.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Telnet.o -MD -MP -MF .deps/Telnet.Tpo -c -o Telnet.o Telnet.cc In file included from Conn.h:11, from Analyzer.h:11, from TCP.h:8, from Login.h:8, from Telnet.h:8, from Telnet.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Telnet.Tpo .deps/Telnet.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT UDP.o -MD -MP -MF .deps/UDP.Tpo -c -o UDP.o UDP.cc In file included from Expr.h:13, from PktSrc.h:9, from Net.h:11, from UDP.cc:7: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/UDP.Tpo .deps/UDP.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Val.o -MD -MP -MF .deps/Val.Tpo -c -o Val.o Val.cc In file included from Val.cc:17: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Val.Tpo .deps/Val.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT ZIP.o -MD -MP -MF .deps/ZIP.Tpo -c -o ZIP.o ZIP.cc In file included from Conn.h:11, from Analyzer.h:11, from TCP.h:8, from ZIP.h:13, from ZIP.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/ZIP.Tpo .deps/ZIP.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT UDP_Rewriter.o -MD -MP -MF .deps/UDP_Rewriter.Tpo -c -o UDP_Rewriter.o UDP_Rewriter.cc In file included from Expr.h:13, from Debug.h:25, from Func.h:10, from EventRegistry.h:8, from Event.h:8, from UDP_Rewriter.cc:11: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/UDP_Rewriter.Tpo .deps/UDP_Rewriter.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
-I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT DNS_Rewriter.o -MD -MP -MF .deps/DNS_Rewriter.Tpo -c -o DNS_Rewriter.o DNS_Rewriter.cc In file included from NetVar.h:8, from DNS_Rewriter.cc:12: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/DNS_Rewriter.Tpo .deps/DNS_Rewriter.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT PacketDumper.o -MD -MP -MF .deps/PacketDumper.Tpo -c -o PacketDumper.o PacketDumper.cc In file included from Expr.h:13, from Debug.h:25, from Func.h:10, from EventRegistry.h:8, from Event.h:8, from PacketDumper.cc:11: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/PacketDumper.Tpo .deps/PacketDumper.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT Rewriter.o -MD -MP -MF .deps/Rewriter.Tpo -c -o Rewriter.o Rewriter.cc In file included from TCP_Rewriter.h:12, from Rewriter.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/Rewriter.Tpo .deps/Rewriter.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -O -W -Wall -Wno-unused -I/home/raj/Desktop/libpcap-1.1.1 -I../linux-include -g -O2 -MT X509.o -MD -MP -MF .deps/X509.Tpo -c -o X509.o X509.cc In file included from Conn.h:11, from Analyzer.h:11, from TCP.h:8, from SSLProxy.h:6, from X509.h:10, from X509.cc:5: Val.h:258: warning: type qualifiers ignored on function return type mv -f .deps/X509.Tpo .deps/X509.Po g++ -DHAVE_CONFIG_H -I. -I.. -I. -I../aux/binpac/lib -I../src -I. -I.. 
make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.2'
raj at ubuntu:~/Desktop/bro-1.5.2$

Can anyone please help me?

Thanks & Regards
Rajasekhar

On Mon, Jan 17, 2011 at 5:05 PM, wrote:
> Have you looked closely at the configure output? It tends to indicate
> what items are not found and from there make additions to the system
> to fill in the missing pieces.
>
> rajasekhar reddy made the following keystrokes:
>
> > hi
> > thanks for your reply. I tried this version as well but I am getting a similar
> > error..
> >
> > Can anyone help me please?
> >
> > Thanks & Regards
> > Rajasekhar
> >
> > On Sun, Jan 16, 2011 at 5:55 PM, rmkml wrote:
> >
> >> Hi Rajasekhar,
> >> Can you try with the latest bro v1.5.2 please?
> >> Regards
> >> Rmkml
> >>
> >> On Sun, 16 Jan 2011, rajasekhar reddy wrote:
> >>
> >>> ---------- Forwarded message ----------
> >>> From: rajasekhar reddy
> >>> Date: Sun, Jan 16, 2011 at 9:25 AM
> >>> Subject: RE: problem installing bro on ubuntu 10.04
> >>> To: Bro at bro-ids.org
> >>>
> >>> hi all
> >>> when I am trying to install bro 1.5.1 on ubuntu 10.04
> >>> I did
> >>>
> >>> > ./configure --prefix=/path/to/bro
> >>>
> >>> > make
> >>> here I got problems like..
> >>> raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap
> >>> -ltermcap -lm -L../aux/binpac/lib -lbinpac -lGeoIP -lmagic -lz -lpcap -lpcap
> >>> -L/home/raj/Desktop/libpcap-1.1.1 -lpcap -lssl -lcrypto -lresolv -ltermcap
> >>> -ltermcap
> >>> make[1]: Leaving directory `/home/raj/Desktop/bro-1.5.1'
> >>> so what did I do wrong? I installed all of the following
> >>>
> >>> build essentialls
> >>> libncurser5
> >>> g++
> >>> bison
> >>> flex
> >>> libmagic-dev
> >>> libgeoip-dec
> >>> libssl-dev
> >>> python-dev
> >>> libpcap-dev..
> >>> I am stuck here for a lot of days
> >>> Thanks a lot
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From jsiwek at ncsa.illinois.edu Tue Jan 18 09:50:55 2011
From: jsiwek at ncsa.illinois.edu (Jonathan Siwek)
Date: Tue, 18 Jan 2011 11:50:55 -0600 (CST)
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
Message-ID: <21041997.410.1295373050337.JavaMail.jsiwek@tangent.ncsa.illinois.edu>

Rajasekhar,

The configure/build output looked pretty "normal" (error-free) to me, but when/if you go to execute `make install`...

> raj at ubuntu:~/Desktop/bro-1.5.2$ ./configure --prefix=/path/to/bro

that installation prefix (/path/to/bro) is probably not what you want.

- Jon

From bboe at cs.ucsb.edu Tue Jan 18 14:44:32 2011
From: bboe at cs.ucsb.edu (Bryce Boe)
Date: Tue, 18 Jan 2011 14:44:32 -0800
Subject: [Bro] Ignore 802.1Q vlan-tagging

Hi,

I'm curious if anyone has a patch which allows bro to essentially ignore the 802.1Q header if present. Alternatively could someone point me to where in the code I should look so that I can modify the code myself?

Thanks in advance!

-Bryce Boe

From seth at icir.org Tue Jan 18 17:22:59 2011
From: seth at icir.org (Seth Hall)
Date: Tue, 18 Jan 2011 20:22:59 -0500
Subject: [Bro] Ignore 802.1Q vlan-tagging
Message-ID: <8F526EFB-E84F-46DE-BFD3-6850AB7CE404@icir.org>

On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:

> I'm curious if anyone has a patch which allows bro to essentially
> ignore the 802.1Q header if present.
> Alternatively could someone point
> me to where in the code I should look so that I can modify the code
> myself?

Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.

There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From vin123456 at mail.ru Wed Jan 19 00:55:43 2011
From: vin123456 at mail.ru (Виноградов Юрий)
Date: Wed, 19 Jan 2011 11:55:43 +0300
Subject: [Bro] SMTP connection states in SMTP analyzer
Message-ID: <002f01cbb7b6$a7e75e40$f7b61ac0$@ru>

Hello, everyone!

The question is about SMTP states in the SMTP analyzer. The state of the SMTP analyzer becomes "SMTP_INITIATED" after the SMTP command "AUTH" and SMTP reply 235. The next command "MAIL TO" then leads to the event "SMTP command unexpected", but as far as I know this is not right (they can perform the command "MAIL TO" right after successful authorization, and it is not "unexpected"). As I found inside the source code, it must be state "SMTP_READY" after SMTP reply 235 for the command "AUTH". Is that right? I'm sorry if I'm wrong and something has not been considered.

From orsr88 at gmail.com Wed Jan 19 01:35:26 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 09:35:26 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
In-Reply-To: <21041997.410.1295373050337.JavaMail.jsiwek@tangent.ncsa.illinois.edu>
References: <21041997.410.1295373050337.JavaMail.jsiwek@tangent.ncsa.illinois.edu>

hi,
thanks for the reply, now I managed to install bro..
but again I got a problem running bro ids.. can anyone please let me know how to run bro on the command line on ubuntu 10.04

thanks & regards

On Tue, Jan 18, 2011 at 5:50 PM, Jonathan Siwek wrote:
> Rajasekhar,
>
> The configure/build output looked pretty "normal" (error-free) to me, but
> when/if you go to execute `make install`...
>
> > raj at ubuntu:~/Desktop/bro-1.5.2$ ./configure --prefix=/path/to/bro
>
> that installation prefix (/path/to/bro) is probably not what you want.
>
> - Jon

From orsr88 at gmail.com Wed Jan 19 02:04:05 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 05:04:05 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <21041997.410.1295373050337.JavaMail.jsiwek@tangent.ncsa.illinois.edu>

Hi
can anyone please help me to run bro ids, I really need it. please

Thanks & Regards
Rajasekhar

On Wed, Jan 19, 2011 at 4:35 AM, rajasekhar reddy wrote:
> hi,
> thanks for the reply, now I managed to install bro..
>
> but again I got a problem running bro ids.. can anyone please let me know how
> to run bro on the command line on ubuntu 10.04
>
> thanks & regards
>
> On Tue, Jan 18, 2011 at 5:50 PM, Jonathan Siwek wrote:
>
>> Rajasekhar,
>>
>> The configure/build output looked pretty "normal" (error-free) to me, but
>> when/if you go to execute `make install`...
>>
>> > raj at ubuntu:~/Desktop/bro-1.5.2$ ./configure --prefix=/path/to/bro
>>
>> that installation prefix (/path/to/bro) is probably not what you want.
>>
>> - Jon
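Seth Hall's "vlan" advice earlier in the thread comes down to one mechanical fact: an 802.1Q tag inserts four bytes between the Ethernet header and the IP header, so a parser that assumes the L3 header starts at byte 14 never analyzes tagged traffic. The following Python parser is an added example, not Bro's code and not the patch posted in the thread; it walks past 802.1Q and stacked 802.1ad (QinQ) tags, which goes a little beyond the single-tag case discussed, and is compared with a tag-unaware parser on constructed frames.

```python
"""Added example, not Bro's code: handle 802.1Q tags in front of the IP
header. All frames below are constructed for the demonstration."""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag (TPID)
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag, outer tag of a QinQ pair
ETHERTYPE_IPV4 = 0x0800


def strip_vlan_tags(frame):
    """Return (vlan_ids, inner_ethertype, l3_offset) for an Ethernet frame.

    Each tag is TPID(2) + TCI(2); the low 12 bits of the TCI are the VLAN
    ID. Untagged frames come back with vlan_ids == [] and l3_offset == 14.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    return vlan_ids, ethertype, offset


def _ipv4_pair(frame, off):
    """Source/destination addresses of the IPv4 header starting at off."""
    if len(frame) < off + 20:
        return None
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    return src, dst


def ipv4_addrs(frame):
    """Tag-aware: IPv4 address pair, or None if the payload is not IPv4."""
    _, ethertype, off = strip_vlan_tags(frame)
    return _ipv4_pair(frame, off) if ethertype == ETHERTYPE_IPV4 else None


def naive_ipv4_addrs(frame):
    """Tag-unaware: assumes the EtherType is at byte 12 and L3 at byte 14.

    On a tagged frame byte 12 holds the TPID, so the frame does not look
    like IPv4 to this parser and silently goes unanalyzed: the monitoring
    blind spot the thread is about.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return _ipv4_pair(frame, 14) if ethertype == ETHERTYPE_IPV4 else None


def build_frame(vlan_ids, src, dst):
    """Constructed frame: Ethernet + zero or more tags + minimal IPv4 header.

    With two IDs the outer tag uses the 802.1ad TPID, as in QinQ.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_QINQ if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    cases = (("untagged", []), ("vlan 100", [100]), ("QinQ 200/100", [200, 100]))
    for label, ids in cases:
        f = build_frame(ids, "10.0.0.1", "10.0.0.2")
        print(f"{label:13s} tag-aware={ipv4_addrs(f)} naive={naive_ipv4_addrs(f)}")
```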
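The SMTP state question earlier in the thread (AUTH followed by reply 235 leaving the analyzer in SMTP_INITIATED, so that the next MAIL command is reported as unexpected) is easiest to see with a small command-sequence tracker. This is an added example, not Bro's analyzer: the state names SMTP_INITIATED and SMTP_READY come from the question, the other state names and the transition table are this example's own simplified reading of RFC 5321 and RFC 4954, and the sessions are constructed.

```python
"""Added example, not Bro's code: a minimal SMTP command-sequence tracker
using the state names from the question above. The transition table is
this example's own simplification of RFC 5321 / RFC 4954."""


class SmtpTracker:
    """Follows one SMTP connection from client commands and server reply
    codes and records every command that arrives out of sequence."""

    # Commands acceptable in each state (simplified).
    ALLOWED = {
        "SMTP_INITIATED": {"EHLO", "HELO", "QUIT", "NOOP", "RSET"},
        "SMTP_READY": {"EHLO", "HELO", "MAIL", "AUTH", "STARTTLS",
                       "QUIT", "NOOP", "RSET"},
        "SMTP_MAIL_OK": {"RCPT", "QUIT", "NOOP", "RSET"},
        "SMTP_RCPT_OK": {"RCPT", "DATA", "QUIT", "NOOP", "RSET"},
        "SMTP_IN_AUTH": set(),   # only SASL continuation lines here
        "SMTP_IN_DATA": set(),   # message body until the lone "."
    }

    def __init__(self, auth_success_state="SMTP_READY"):
        # auth_success_state="SMTP_INITIATED" reproduces the behaviour the
        # question describes; "SMTP_READY" is the transition it argues for.
        self.state = "SMTP_INITIATED"
        self.pending = None            # command awaiting the server's reply
        self.unexpected = []
        self.auth_success_state = auth_success_state

    def client(self, line):
        if self.state == "SMTP_IN_DATA":
            if line == ".":
                self.pending = "END_OF_DATA"
            return
        if self.state == "SMTP_IN_AUTH":
            self.pending = "AUTH"      # SASL response, still part of AUTH
            return
        parts = line.split(None, 1)
        if not parts:
            return
        cmd = parts[0].upper()
        if cmd not in self.ALLOWED[self.state]:
            self.unexpected.append((self.state, line))
        self.pending = cmd

    def server(self, code):
        cmd, self.pending = self.pending, None
        if code >= 400:
            if cmd == "AUTH":          # failed AUTH: client may retry or MAIL
                self.state = "SMTP_READY"
            return
        if cmd in ("EHLO", "HELO"):
            self.state = "SMTP_READY"
        elif cmd == "MAIL":
            self.state = "SMTP_MAIL_OK"
        elif cmd == "RCPT":
            self.state = "SMTP_RCPT_OK"
        elif cmd == "DATA" and code == 354:
            self.state = "SMTP_IN_DATA"
        elif cmd == "END_OF_DATA":
            self.state = "SMTP_READY"
        elif cmd == "AUTH":
            if code == 334:
                self.state = "SMTP_IN_AUTH"
            elif code == 235:
                self.state = self.auth_success_state
        elif cmd == "RSET" and self.state != "SMTP_INITIATED":
            self.state = "SMTP_READY"


def replay(exchange, **kw):
    """Feed ("C", line) / ("S", code) pairs; return (final state, unexpected)."""
    t = SmtpTracker(**kw)
    for side, value in exchange:
        t.client(value) if side == "C" else t.server(value)
    return t.state, t.unexpected


# Constructed session: the sequence the question describes.
AUTH_THEN_MAIL = [
    ("S", 220),
    ("C", "EHLO client.example"), ("S", 250),
    ("C", "AUTH PLAIN"), ("S", 334),
    ("C", "AGFsaWNlAHNlY3JldA=="), ("S", 235),   # constructed SASL response
    ("C", "MAIL FROM:<alice@example.com>"), ("S", 250),
    ("C", "RCPT TO:<bob@example.net>"), ("S", 250),
    ("C", "DATA"), ("S", 354),
    ("C", "Subject: hi"), ("C", ""), ("C", "hello"), ("C", "."), ("S", 250),
    ("C", "QUIT"), ("S", 221),
]

if __name__ == "__main__":
    print("fixed:   ", replay(AUTH_THEN_MAIL))
    print("reported:", replay(AUTH_THEN_MAIL, auth_success_state="SMTP_INITIATED"))
```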
From orsr88 at gmail.com Wed Jan 19 04:40:02 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 07:40:02 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
In-Reply-To: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>

hi, when I tried to run bro ids I got this error. Did I make any mistake...

root at ubuntu:/usr/local/bro/etc# bro.rc start
bro.rc: command not found
root at ubuntu:/usr/local/bro/etc#

Thanks & Regards

On Tue, Jan 18, 2011 at 10:55 AM, Vern Paxson wrote:
> Could you clarify the error condition that you're encountering? It wasn't
> clear to me from your original post.
>
> Vern

From j.sentier206 at laposte.net Wed Jan 19 05:48:03 2011
From: j.sentier206 at laposte.net (j.sentier206)
Date: Wed, 19 Jan 2011 14:48:03 +0100 (CET)
Subject: [Bro] Ignore 802.1Q vlan-tagging
In-Reply-To: <8F526EFB-E84F-46DE-BFD3-6850AB7CE404@icir.org>
References: <8F526EFB-E84F-46DE-BFD3-6850AB7CE404@icir.org>
Message-ID: <7125805.1251.1295444883291.JavaMail.www@wwinf8220>

Here is a little patch (to bro1.5.2) I made to get both vlan traffic and regular ethernet traffic at the same time. It could prove useful to you

> Message of 19/01/11 02:24
> From: "Seth Hall"
> To: "Bryce Boe"
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] Ignore 802.1Q vlan-tagging
>
> On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:
>
> > I'm curious if anyone has a patch which allows bro to essentially
> > ignore the 802.1Q header if present. Alternatively could someone point
> > me to where in the code I should look so that I can modify the code
> > myself?
> > > Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script. > > There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets. > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > > Une messagerie gratuite, garantie ? vie et des services en plus, ?a vous tente ? Je cr?e ma bo?te mail www.laposte.net -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: vlan.diff Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110119/ffb5ec31/attachment.ksh From sridhar.basam at gmail.com Wed Jan 19 07:20:01 2011 From: sridhar.basam at gmail.com (sridhar basam) Date: Wed, 19 Jan 2011 10:20:01 -0500 Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> Message-ID: You might be missing "." from your path. What happens when you issue the command "/usr/local/bro/etc/bro.rc start"? Sridhar On Wed, Jan 19, 2011 at 7:40 AM, rajasekhar reddy wrote: > hi when i tried to run bro ids i am getting this error did i done any > mistake... > > root at ubuntu:/usr/local/bro/ > etc# bro.rc start > > bro.rc: command not found > root at ubuntu:/usr/local/bro/etc# > > Thanks & Regards > > > On Tue, Jan 18, 2011 at 10:55 AM, Vern Paxson wrote: > >> Could you clarify the error condition that you're encountering? It wasn't >> clear to me from your original post. 
>> >> Vern >> > > > _______________________________________________ > Bro mailing list > bro at bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110119/49f45db9/attachment.html From orsr88 at gmail.com Wed Jan 19 07:21:11 2011 From: orsr88 at gmail.com (rajasekhar reddy) Date: Wed, 19 Jan 2011 15:21:11 +0000 Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04 In-Reply-To: References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> Message-ID: i tried that as well i coming same thing like command not found Regards On Wed, Jan 19, 2011 at 3:20 PM, sridhar basam wrote: > You might be missing "." from your path. What happens when you issue the > command "/usr/local/bro/etc/bro.rc start"? > > Sridhar > > On Wed, Jan 19, 2011 at 7:40 AM, rajasekhar reddy wrote: > >> hi when i tried to run bro ids i am getting this error did i done any >> mistake... >> >> root at ubuntu:/usr/local/bro/ >> etc# bro.rc start >> >> bro.rc: command not found >> root at ubuntu:/usr/local/bro/etc# >> >> Thanks & Regards >> >> >> On Tue, Jan 18, 2011 at 10:55 AM, Vern Paxson wrote: >> >>> Could you clarify the error condition that you're encountering? It >>> wasn't >>> clear to me from your original post. >>> >>> Vern >>> >> >> >> _______________________________________________ >> Bro mailing list >> bro at bro-ids.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
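The 802.1Q thread above (Seth's advice to put the "vlan" keyword at the front of the BPF filter and then load the "vlan" script, and j.sentier206's patch for seeing tagged and untagged frames at the same time) comes down to two mechanics: the capture filter has to let tagged frames through, and something has to peel the 4-byte tag(s) off before the IP parser runs. What follows is an added example written for this page, not code from Bro and not the contents of the scrubbed vlan.diff: a small Python parser that strips stacked 802.1Q/802.1ad tags from a raw Ethernet frame, plus a helper that builds the pcap-filter expression matching a test on both untagged and tagged frames (the offset-shifting behaviour of the `vlan` keyword is documented pcap-filter semantics). The frames it runs on are constructed in the code, not captured traffic, and the function names are this example's own.

```python
import struct

# EtherTypes that introduce a 4-byte VLAN tag: 802.1Q customer tag, 802.1ad
# service tag (QinQ) and the older non-standard 0x9100 double-tag value.
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}
ETH_HDR_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4        # TCI (2) + encapsulated EtherType (2)


def strip_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype, payload) for a raw Ethernet frame.

    Walks through any number of stacked tags so the caller sees the frame the
    way an analyser expecting plain Ethernet would. Raises ValueError if the
    frame is too short for the headers it claims to carry.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = ETH_HDR_LEN
    vids = []
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + TAG_LEN:
            raise ValueError("truncated VLAN tag at offset %d" % offset)
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vids.append(tci & 0x0FFF)   # low 12 bits are the VLAN ID; top 4 are PCP/DEI
        offset += TAG_LEN
    return vids, ethertype, frame[offset:]


def bpf_tagged_and_untagged(expr: str, max_tags: int = 1) -> str:
    """Build a pcap-filter expression matching EXPR on untagged frames and on
    frames carrying one to MAX_TAGS stacked VLAN tags.

    In pcap-filter syntax every 'vlan' keyword shifts the offsets used by the
    tests that follow it by 4 bytes, so 'vlan and tcp port 80' on its own no
    longer matches untagged frames. OR-ing the untagged and tagged forms gives
    both at once, which is what the patch in the thread is after.
    """
    clauses = ["(%s)" % expr]
    for depth in range(1, max_tags + 1):
        clauses.append("(%s and (%s))" % (" and ".join(["vlan"] * depth), expr))
    return " or ".join(clauses)


def build_frame(vids, ethertype=0x0800, payload=b"\x45\x00" + b"\x00" * 18):
    """Constructed test frame (not captured traffic): broadcast dst, a fixed
    src MAC, an 802.1ad outer tag for every VID but the last, an 802.1Q tag
    for the last one, then PAYLOAD typed as ETHERTYPE."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    tag_types = [0x88A8] * (len(vids) - 1) + [0x8100] if vids else []
    next_types = tag_types[1:] + [ethertype]
    tags = b"".join(struct.pack("!HH", vid & 0x0FFF, nxt)
                    for vid, nxt in zip(vids, next_types))
    first_type = tag_types[0] if tag_types else ethertype
    return dst + src + struct.pack("!H", first_type) + tags + payload


if __name__ == "__main__":
    for vids in ([], [100], [200, 100]):
        seen, etype, body = strip_vlan_tags(build_frame(vids))
        print("tags %-10s -> vids %-10s ethertype 0x%04x payload %d bytes"
              % (vids, seen, etype, len(body)))
    print(bpf_tagged_and_untagged("tcp port 80"))
```

The parser returns every VLAN ID it crossed, so a caller can keep the tag as connection metadata rather than discard it; the truncation check matters because a tag that claims to be present but is cut off is exactly the kind of frame that makes an offset-based decoder read past the buffer.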
From sridhar.basam at gmail.com Wed Jan 19 07:26:58 2011
From: sridhar.basam at gmail.com (sridhar basam)
Date: Wed, 19 Jan 2011 10:26:58 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>

Do "/bin/sh -x /usr/local/bro/etc/bro.rc start" and see what is happening.

Sridhar

On Wed, Jan 19, 2011 at 10:21 AM, rajasekhar reddy wrote:
> I tried that as well; I am getting the same thing, "command not found".
> Regards

From seth at icir.org Wed Jan 19 07:27:34 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 10:27:34 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>

On Jan 19, 2011, at 7:40 AM, rajasekhar reddy wrote:

> Hi, when I tried to run the Bro IDS I am getting this error. Did I make any mistake?
>
> root@ubuntu:/usr/local/bro/etc# bro.rc start

Apologies for the documentation being so out of date, but the bro.rc has not been included in the 1.5 release. If you want to just run Bro as a normal program, you can run the bro binary directly. If you want to run it as a daemon watching live traffic you will likely want to run it with BroControl. Here are some docs for installing and running Bro with BroControl:

http://svn.icir.org/bro/releases/release_1_5/bro/aux/broctl/README.html

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From sridhar.basam at gmail.com Wed Jan 19 07:35:23 2011
From: sridhar.basam at gmail.com (sridhar basam)
Date: Wed, 19 Jan 2011 10:35:23 -0500
Subject: [Bro] Tracker login

Hey,

Can someone tell me how I can get an account on the tracker? I needed to open an issue with partial connections. I tried to send email to info at tracker.icir.org but haven't heard anything back for a few days.

Thanks,
Sridhar
From seth at icir.org Wed Jan 19 07:40:44 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 10:40:44 -0500
Subject: [Bro] Tracker login
Message-ID: <4C18A035-522C-4F29-AC9D-503F04352952@icir.org>

On Jan 19, 2011, at 10:35 AM, sridhar basam wrote:

> I tried to send email to info at tracker.icir.org but haven't heard anything back for a few days.

There is no email address at info at tracker.icir.org, it's info at bro-ids.org. I'll follow up off-list.

.Seth

From orsr88 at gmail.com Wed Jan 19 10:24:03 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 18:24:03 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>

Hi guys, thanks for your concern.

I found something to work on the Bro IDS. Can anyone tell me how to do these steps in the configuration of the Bro IDS?

- The installation installs three configuration files which you should edit:
  - etc/broctl.cfg is the overall *BroControl* configuration. Initially, you probably only need to edit the email address for mails sent by the framework; that's the MailTo line.
  - In etc/nodes.cfg, you need to specify the network interface Bro is to monitor; that's the interface line.
  - In etc/networks.cfg, list all the networks which Bro should consider as local to the monitored environment.

Thanks in advance
Rajasekhar

On Wed, Jan 19, 2011 at 3:27 PM, Seth Hall wrote:
> On Jan 19, 2011, at 7:40 AM, rajasekhar reddy wrote:
>
> > Hi, when I tried to run the Bro IDS I am getting this error. Did I make any
> > mistake?
> >
> > root@ubuntu:/usr/local/bro/etc# bro.rc start
>
> Apologies for the documentation being so out of date, but the bro.rc has
> not been included in the 1.5 release. If you want to just run Bro as a normal
> program, you can run the bro binary directly. If you want to run it as a
> daemon watching live traffic you will likely want to run it with BroControl.
> Here are some docs for installing and running Bro with BroControl
>
> http://svn.icir.org/bro/releases/release_1_5/bro/aux/broctl/README.html
>
> .Seth

From orsr88 at gmail.com Wed Jan 19 10:43:31 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 18:43:31 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>

Hi guys, thanks for your concern. Please, I am very new to Linux; anyone, please help me.

I found something to work on the Bro IDS. Can anyone tell me how to do these steps in the configuration of the Bro IDS?

- The installation installs three configuration files which you should edit:
  - etc/broctl.cfg is the overall *BroControl* configuration. Initially, you probably only need to edit the email address for mails sent by the framework; that's the MailTo line.
  - In etc/nodes.cfg, you need to specify the network interface Bro is to monitor; that's the interface line.
  - In etc/networks.cfg, list all the networks which Bro should consider as local to the monitored environment.

Thanks in advance

On Wed, Jan 19, 2011 at 6:24 PM, rajasekhar reddy wrote:
> Hi guys, thanks for your concern.
>
> I found something to work on the Bro IDS. Can anyone tell me how to do these
> steps in the configuration of the Bro IDS?
>
> Thanks in advance
>
> Rajasekhar
From seth at icir.org Wed Jan 19 10:57:20 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 13:57:20 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU>
Message-ID: <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

On Jan 19, 2011, at 1:24 PM, rajasekhar reddy wrote:

> Can anyone tell me how to do these steps in the configuration of the Bro IDS?

What's your question?

.Seth

From orsr88 at gmail.com Wed Jan 19 10:58:30 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 18:58:30 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
In-Reply-To: <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

- The installation installs three configuration files which you should edit:
  - etc/broctl.cfg is the overall *BroControl* configuration. Initially, you probably only need to edit the email address for mails sent by the framework; that's the MailTo line.
  - In etc/nodes.cfg, you need to specify the network interface Bro is to monitor; that's the interface line.
  - In etc/networks.cfg, list all the networks which Bro should consider as local to the monitored environment.

Can you please tell me how to do the above steps?

On Wed, Jan 19, 2011 at 6:57 PM, Seth Hall wrote:
> On Jan 19, 2011, at 1:24 PM, rajasekhar reddy wrote:
>
> > Can anyone tell me how to do these steps in the configuration of the
> > Bro IDS?
>
> What's your question?
>
> .Seth

From seth at icir.org Wed Jan 19 11:04:10 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 14:04:10 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

On Jan 19, 2011, at 1:58 PM, rajasekhar reddy wrote:

> - The installation installs three configuration files which you should edit:
>
> - etc/broctl.cfg is the overall BroControl configuration. Initially, you probably only need to edit the email address for mails sent by the framework; that's the MailTo line.
>
> - In etc/nodes.cfg, you need to specify the network interface Bro is to monitor; that's the interface line.
>
> - In etc/networks.cfg, list all the networks which Bro should consider as local to the monitored environment.
>
> Can you please tell me how to do the above steps?

Those files should be in your directory where you installed Bro. You just need to edit them to suit your environment. Looking at the format of those files should be fairly obvious where and how to change them. Please ask if you have specific questions about how those files should be configured.

.Seth

From orsr88 at gmail.com Wed Jan 19 11:06:15 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 19:06:15 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

I found them, but I am not able to edit them; they are in read-only mode.

Why I need them: I am not able to run my Bro IDS, which is already installed.

I hope you understand my problem.

On Wed, Jan 19, 2011 at 7:04 PM, Seth Hall wrote:
> Those files should be in your directory where you installed Bro. You just
> need to edit them to suit your environment. Looking at the format of those
> files should be fairly obvious where and how to change them. Please ask if
> you have specific questions about how those files should be configured.
>
> .Seth
From orsr88 at gmail.com Wed Jan 19 12:19:49 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 20:19:49 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

Yeah, thanks, I got that.

    root@raj-Satellite-L300:/path/to/bro/bin# broctl install
    No command 'broctl' found, did you mean:
     Command 'brctl' from package 'bridge-utils' (main)
    broctl: command not found

Can you tell me, is this the right path for trying to install broctl, or is there any other mistake?

Thanks & regards

On Wed, Jan 19, 2011 at 8:17 PM, rmkml wrote:
> use `sudo vi ...` for editing...
> Regards
> Rmkml
>
> On Wed, 19 Jan 2011, rajasekhar reddy wrote:
>
> > I found them, but I am not able to edit them; they are in read-only mode.
> >
> > Why I need them: I am not able to run my Bro IDS, which is already installed.
> >
> > I hope you understand my problem.

From orsr88 at gmail.com Wed Jan 19 12:29:16 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 20:29:16 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

Thanks a lot, it works.

On Wed, Jan 19, 2011 at 8:19 PM, rajasekhar reddy wrote:
> Yeah, thanks, I got that.
>
>     root@raj-Satellite-L300:/path/to/bro/bin# broctl install
>     No command 'broctl' found, did you mean:
>      Command 'brctl' from package 'bridge-utils' (main)
>     broctl: command not found
>
> Can you tell me, is this the right path for trying to install broctl, or is there
> any other mistake?
>
> Thanks & regards
>
> On Wed, Jan 19, 2011 at 8:17 PM, rmkml wrote:
>
> > use `sudo vi ...` for editing...
> > Regards
> > Rmkml

From orsr88 at gmail.com Wed Jan 19 12:30:16 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 20:30:16 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

Hi,

Can anyone tell me how to run this command?

    0-59/5 * * * * /usr/local/bro/bin/broctl cron

Thanks & regards
Rajasekhar

On Wed, Jan 19, 2011 at 8:29 PM, rajasekhar reddy wrote:
> Thanks a lot, it works.
From sroddy at ligo-la.caltech.edu Wed Jan 19 12:30:58 2011
From: sroddy at ligo-la.caltech.edu (Shannon Roddy)
Date: Wed, 19 Jan 2011 14:30:58 -0600
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>
Message-ID: <4D374A02.5020201@ligo-la.caltech.edu>

On 01/19/2011 02:19 PM, rajasekhar reddy wrote:
> Yeah, thanks, I got that.
>
>     root@raj-Satellite-L300:/path/to/bro/bin# broctl install
>     No command 'broctl' found, did you mean:
>      Command 'brctl' from package 'bridge-utils' (main)
>     broctl: command not found

Try "./broctl install"

Note the "./" in front of the command. Or give the full path in your command, e.g.

    /path/to/bro/bin/broctl install

or add /path/to/bro/bin to your path. Google for an explanation of the PATH environment variable. I'll even supply a link for you.

http://www.codecoffee.com/tipsforlinux/articles/11.html

> Can you tell me, is this the right path for trying to install broctl, or is there
> any other mistake?
>
> Thanks & regards
>
> On Wed, Jan 19, 2011 at 8:17 PM, rmkml wrote:
>
> > use `sudo vi ...` for editing...
> > Regards
> > Rmkml

From sri at basam.org Wed Jan 19 12:35:29 2011
From: sri at basam.org (sridhar basam)
Date: Wed, 19 Jan 2011 15:35:29 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

It sounds like you need to get familiar with Linux/Unix in general. There are a lot of excellent books on Linux on Amazon for questions such as these. These questions aren't directly related to Bro.

The below looks like a cron entry to be run every 5 minutes.

Sridhar

On Wed, Jan 19, 2011 at 3:30 PM, rajasekhar reddy wrote:
> Hi,
>
> Can anyone tell me how to run this command?
>
>     0-59/5 * * * * /usr/local/bro/bin/broctl cron
>
> Thanks & regards
> Rajasekhar

From orsr88 at gmail.com Wed Jan 19 12:53:46 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 20:53:46 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

Hi,

    root@raj-Satellite-L300:/path/to/bro/bin# broctl start
    No command 'broctl' found, did you mean:
     Command 'brctl' from package 'bridge-utils' (main)
    broctl: command not found

I am getting this error after I did the broctl installation through these steps:

Installing a Stand-alone Bro

This is the default installation. Configure and compile Bro as usual, specifying the target installation path as `prefix` (we use /usr/local/bro as an example):

    > cd /path/to/bro/source/distribution
    > ./configure --prefix=/usr/local/bro
    > make

- Install *BroControl*:

    > make install-broctl

  (This includes the standard "make install".)

- Add /bin to your PATH.

- The installation installs three configuration files which you should edit:
  - etc/broctl.cfg is the overall *BroControl* configuration. Initially, you probably only need to edit the email address for mails sent by the framework; that's the MailTo line.
  - In etc/nodes.cfg, you need to specify the network interface Bro is to monitor; that's the interface line.
  - In etc/networks.cfg, list all the networks which Bro should consider as local to the monitored environment.

- Once you have updated these files, install the modified configuration:

    > broctl install

- Some tasks need to be run on a regular basis. Insert a line like this into your crontab:

    0-59/5 * * * * /usr/local/bro/bin/broctl cron

- Finally, you can start Bro:

    > broctl start

Can anyone help me please?

On Wed, Jan 19, 2011 at 8:35 PM, sridhar basam wrote:
> It sounds like you need to get familiar with Linux/Unix in general. There
> are a lot of excellent books on Linux on Amazon for questions such as these.
> These questions aren't directly related to Bro.
>
> The below looks like a cron entry to be run every 5 minutes.
>
> Sridhar
From orsr88 at gmail.com Wed Jan 19 12:58:33 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 20:58:33 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

thanks its done ...

can anyone please tell me how & where can i see bro output please

On Wed, Jan 19, 2011 at 8:53 PM, rajasekhar reddy wrote:
> hi
>
> root at raj-Satellite-L300:/path/to/bro/bin# broctl start
> No command 'broctl' found, did you mean:
>  Command 'brctl' from package 'bridge-utils' (main)
> broctl: command not found
>
> i am getting this error when i did the broctl installation through these steps
>
> Installing a Stand-alone Bro
>
> This is the default installation. Configure and compile Bro as usual, specifying the target installation path as `prefix` (we use /usr/local/bro as an example):
>
>   > cd /path/to/bro/source/distribution
>   > ./configure --prefix=/usr/local/bro
>   > make
>
> - Install BroControl:
>
>   > make install-broctl
>
>   (This includes the standard "make install".)
>
> - Add /bin to your PATH.
>
> - The installation installs three configuration files which you should edit: etc/broctl.cfg, etc/nodes.cfg and etc/networks.cfg.
>
> - Once you have updated these files, install the modified configuration:
>
>   > broctl install
>
> - Some tasks need to be run on a regular basis. Insert a line like this into your crontab:
>
>   0-59/5 * * * * /usr/local/bro/bin/broctl cron
>
> - Finally, you can start Bro:
>
>   > broctl start
>
> can anyone help me please

From seth at icir.org Wed Jan 19 13:07:14 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 16:07:14 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

On Jan 19, 2011, at 3:58 PM, rajasekhar reddy wrote:
> thanks its done ...
>
> can anyone please tell me how & where can i see bro output

What sort of output are you looking for or expecting?
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From orsr88 at gmail.com Wed Jan 19 13:10:45 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 21:10:45 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

i am expecting network traffic, and if there are any attacks then bro should respond with an alarm..

Thanx

On Wed, Jan 19, 2011 at 9:07 PM, Seth Hall wrote:
> On Jan 19, 2011, at 3:58 PM, rajasekhar reddy wrote:
>> thanks its done ...
>>
>> can anyone please tell me how & where can i see bro output
>
> What sort of output are you looking for or expecting?
>
> .Seth

From orsr88 at gmail.com Wed Jan 19 13:51:24 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Wed, 19 Jan 2011 21:51:24 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>

Hi again
i installed bro ids on ubuntu

when ever i say ./broctl start
its saying bro running

but i need to see bro output and its traffic and more

can anyone let me know where i can find output for bro, or do i need to install anything more..

please, can anyone help me

On Wed, Jan 19, 2011 at 9:10 PM, rajasekhar reddy wrote:
> i am expecting network traffic, and if there are any attacks then bro should respond with an alarm..
>
> Thanx
>
> On Wed, Jan 19, 2011 at 9:07 PM, Seth Hall wrote:
>> What sort of output are you looking for or expecting?
>>
>> .Seth

From seth at icir.org Wed Jan 19 13:58:43 2011
From: seth at icir.org (Seth Hall)
Date: Wed, 19 Jan 2011 16:58:43 -0500
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org>
Message-ID: <34743D78-9EF4-4455-88D6-86E868DDB57F@icir.org>

On Jan 19, 2011, at 4:51 PM, rajasekhar reddy wrote:
> Hi again
> i installed bro ids on ubuntu
>
> when ever i say ./broctl start
> its saying bro running
>
> but i need to see bro output and its traffic and more

Bro doesn't output traffic. It outputs logs and alarms. You can find your logs in the spool/ directory and I think those are rotated into the logs/ directory every 24 hours by default.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From orsr88 at gmail.com Wed Jan 19 22:13:45 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Thu, 20 Jan 2011 06:13:45 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
In-Reply-To: <34743D78-9EF4-4455-88D6-86E868DDB57F@icir.org>
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org> <34743D78-9EF4-4455-88D6-86E868DDB57F@icir.org>

hi, can anyone help me resolve this problem..
root at raj-Satellite-L300:/path/to/bro/bin# ./broctl start
starting bro ...
warning: cannot send mail
bro terminated immediately after starting; check output with "diag"
root at raj-Satellite-L300:/path/to/bro/bin#

i gave my email address orsr88 at gmail.com at the MailTo line in broctl.cfg

Thanks & Regards

On Wed, Jan 19, 2011 at 9:58 PM, Seth Hall wrote:
> On Jan 19, 2011, at 4:51 PM, rajasekhar reddy wrote:
>> but i need to see bro output and its traffic and more
>
> Bro doesn't output traffic. It outputs logs and alarms. You can find your logs in the spool/ directory and I think those are rotated into the logs/ directory every 24 hours by default.
>
> .Seth

From orsr88 at gmail.com Thu Jan 20 00:49:37 2011
From: orsr88 at gmail.com (rajasekhar reddy)
Date: Thu, 20 Jan 2011 08:49:37 +0000
Subject: [Bro] Fwd: problem installing bro on ubuntu 10.04
References: <20110118155535.B52A736A599@taffy.ICSI.Berkeley.EDU> <8E99765A-61AD-4453-9CDD-BDA49D6B9542@icir.org> <34743D78-9EF4-4455-88D6-86E868DDB57F@icir.org>

hi, can anyone please help me on this. when i ran broctl immediately after installation it worked, but when i did the same thing after restarting the computer i am getting this error.

root at raj-Satellite-L300:/path/to/bro/bin# ./broctl start
starting bro ...
warning: cannot send mail
bro terminated immediately after starting; check output with "diag"
root at raj-Satellite-L300:/path/to/bro/bin#

i gave my email address orsr88 at gmail.com at the MailTo line in broctl.cfg

Thanks & Regards

On Thu, Jan 20, 2011 at 6:13 AM, rajasekhar reddy wrote:
> hi, can anyone help me resolve this problem..
>
> root at raj-Satellite-L300:/path/to/bro/bin# ./broctl start
> starting bro ...
> warning: cannot send mail
> bro terminated immediately after starting; check output with "diag"
>
> i gave my email address orsr88 at gmail.com at the MailTo line in broctl.cfg

From sri at basam.org Thu Jan 20 11:37:53 2011
From: sri at basam.org (sridhar basam)
Date: Thu, 20 Jan 2011 14:37:53 -0500
Subject: [Bro] Bro regex documentation

Can anyone point me at documentation on Bro's builtin string/pattern functions? The reference manual on the wiki points me at strings.bif.bro which doesn't have a lot of documentation around it. Does bro support back-references?
I am trying to look for specific patterns in a tcp stream and need to be able to log out said patterns to a file.

thanks,
Sridhar

From seth at icir.org Thu Jan 20 12:23:59 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 20 Jan 2011 15:23:59 -0500
Subject: [Bro] Bro regex documentation

On Jan 20, 2011, at 2:37 PM, sridhar basam wrote:
> Can anyone point me at documentation on Bro's builtin string/pattern functions?

The regular expressions are most similar to flex's regular expressions (with minor differences), but you can typically assume that they are POSIX regular expressions.

> Does bro support back-references?

No. I'll let Robin or Vern give more detail here if they want to; I'm definitely not qualified to explain all of the reasons that back references aren't supported. :)

> I am trying to look for specific patterns in a tcp stream and need to be able to log out said patterns to a file.

Why don't the string splitting functions (defined in strings.bif) work for your scenario?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From vin123456 at mail.ru Fri Jan 21 06:56:19 2011
From: vin123456 at mail.ru (Yuriy)
Date: Fri, 21 Jan 2011 17:56:19 +0300
Subject: [Bro] policy event engine
Message-ID: <00a401cbb97b$5ce4b700$16ae2500$@ru>

Hello,

I can't understand the scripts' asynchronous call behavior. When I set 20 seconds in a table's data type attributes, "&create_expire=20sec", I find unpredictable behavior: the table's item is not removed in 20 seconds, it can be removed after 25, 30 etc. seconds. As I found, it depends on how many packets are in the network: if there are no packets after the timer value, my timer will never expire.

And when the first packet appears, the timer immediately expires (even if, for example, more than a few hours have passed). Why is this so? Thank you for the explanation.

From sri at basam.org Fri Jan 21 07:04:17 2011
From: sri at basam.org (sridhar basam)
Date: Fri, 21 Jan 2011 10:04:17 -0500
Subject: [Bro] Bro regex documentation

On Thu, Jan 20, 2011 at 3:23 PM, Seth Hall wrote:
> On Jan 20, 2011, at 2:37 PM, sridhar basam wrote:
>> I am trying to look for specific patterns in a tcp stream and need to be able to log out said patterns to a file.
>
> Why don't the string splitting functions (defined in strings.bif) work for your scenario?

Yeah, those can be used together to see what i want. Wanted to see if there was something similar to the match function in gawk where the function returns an array of all of the variables you collect in your pattern. I didn't see anything like it.

Sridhar

From seth at icir.org Fri Jan 21 07:07:30 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 21 Jan 2011 10:07:30 -0500
Subject: [Bro] policy event engine
In-Reply-To: <00a401cbb97b$5ce4b700$16ae2500$@ru>
References: <00a401cbb97b$5ce4b700$16ae2500$@ru>
Message-ID: <5D1A06A6-E2F2-4C06-9A0C-4CB3BF37BB25@icir.org>

On Jan 21, 2011, at 9:56 AM, Yuriy wrote:
> I can't understand the scripts' asynchronous call behavior. When I set 20 seconds in a table's data type attributes, "&create_expire=20sec", I find unpredictable behavior

Unpredictable but expected. :) Timers in Bro aren't "hard". They will be dispatched when Bro gets around to them, not at the exact moment the timer was scheduled to fire.
The only thing you can be assured of is that it won't be dispatched prior to the time which is set.

> : the table's item is not removed in 20 seconds, it can be removed after 25, 30 etc. seconds. As I found, it depends on how many packets are in the network: if there are no packets after the timer value, my timer will never expire.

By default, the notion of time in Bro is driven forward by the packet timestamps, which means that timer expirations will go accordingly. No packets == no time advancement == no timer expiration. If remote communication is enabled, the internal time will be clock driven. I don't know offhand if that requires an actual connection or if just holding open a socket will work.

> And when the first packet appears, the timer immediately expires (even if, for example, more than a few hours have passed).

I don't understand what you are saying here. Which timer expires immediately?

.Seth

From seth at icir.org Fri Jan 21 07:20:20 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 21 Jan 2011 10:20:20 -0500
Subject: [Bro] Bro regex documentation
Message-ID: <803F67AA-EBCE-4BB2-9D05-A07A08EEB118@icir.org>

On Jan 21, 2011, at 10:04 AM, sridhar basam wrote:
> Yeah, those can be used together to see what i want. Wanted to see if there was something similar to the match function in gawk where the function returns an array of all of the variables you collect in your pattern. I didn't see anything like it.

The match function in gawk only seems to return the position of the beginning of the match? I think the split_all function should work for what you are trying to do. Here's a note from the source code...

  # For example, split_all("a-b--cd", /(\-)+/) returns {"a", "-", "b",
  # "--", "cd"}: odd-indexed elements do not match the pattern
  # and even-indexed ones do.

split_all will give you all of the things matching the split regex and the bits between the split regex.

You can just look into the string_array for odd-numbered indexes if you want what didn't match as a separator, and even-numbered ones if you want what did match.

.Seth

From vin123456 at mail.ru Fri Jan 21 07:36:40 2011
From: vin123456 at mail.ru (Yuriy)
Date: Fri, 21 Jan 2011 18:36:40 +0300
Subject: [Bro] policy event engine
In-Reply-To: <5D1A06A6-E2F2-4C06-9A0C-4CB3BF37BB25@icir.org>
References: <00a401cbb97b$5ce4b700$16ae2500$@ru> <5D1A06A6-E2F2-4C06-9A0C-4CB3BF37BB25@icir.org>
Message-ID: <00aa01cbb980$ffbbeed0$ff33cc70$@ru>

Thank you for the quick reply,

Can you help me understand (at least briefly) the reason for "...the notion of time in Bro is driven forward by the packet timestamps...", why not the internal clock?

As I understood, the only way to change such behavior (the clock being driven by packet timestamps) is "If remote communication is enabled, the internal time will be clock driven...". Can I have one little detail, please?

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Friday, January 21, 2011 6:08 PM
To: Yuriy
Cc: Bro at bro-ids.org
Subject: Re: [Bro] policy event engine

On Jan 21, 2011, at 9:56 AM, Yuriy wrote:
> I can't understand the scripts' asynchronous call behavior. When I set 20 seconds in a table's data type attributes, "&create_expire=20sec", I find unpredictable behavior

Unpredictable but expected. :) Timers in Bro aren't "hard". They will be dispatched when Bro gets around to them, not at the exact moment the timer was scheduled to fire. The only thing you can be assured of is that it won't be dispatched prior to the time which is set.

> : the table's item is not removed in 20 seconds, it can be removed after 25, 30 etc. seconds. As I found, it depends on how many packets are in the network: if there are no packets after the timer value, my timer will never expire.

By default, the notion of time in Bro is driven forward by the packet timestamps, which means that timer expirations will go accordingly. No packets == no time advancement == no timer expiration.
If remote communication is enabled, the internal time will be clock driven. I don't know offhand if that requires an actual connection or if just holding open a socket will work.

> And when the first packet appears, the timer immediately expires (even if, for example, more than a few hours have passed).

I don't understand what you are saying here. Which timer expires immediately?

.Seth

From sri at basam.org Fri Jan 21 07:34:36 2011
From: sri at basam.org (sridhar basam)
Date: Fri, 21 Jan 2011 10:34:36 -0500
Subject: [Bro] Bro regex documentation
In-Reply-To: <803F67AA-EBCE-4BB2-9D05-A07A08EEB118@icir.org>
References: <803F67AA-EBCE-4BB2-9D05-A07A08EEB118@icir.org>

On Fri, Jan 21, 2011 at 10:20 AM, Seth Hall wrote:
> On Jan 21, 2011, at 10:04 AM, sridhar basam wrote:
>> Yeah, those can be used together to see what i want. Wanted to see if there was something similar to the match function in gawk where the function returns an array of all of the variables you collect in your pattern. I didn't see anything like it.
>
> The match function in gawk only seems to return the position of the beginning of the match?

The match function will also return the substrings from your regex pattern in an array if you provide the optional 3rd parameter. So if you do match(input, /a=(.+) b=(.+) c=(.+)/, ret), you will get the values you want in the array ret. I think with what you pointed out for the split functions i should be able to get what i need though.

thanks,
Sridhar

From seth at icir.org Fri Jan 21 07:43:03 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 21 Jan 2011 10:43:03 -0500
Subject: [Bro] policy event engine
In-Reply-To: <00aa01cbb980$ffbbeed0$ff33cc70$@ru>
References: <00a401cbb97b$5ce4b700$16ae2500$@ru> <5D1A06A6-E2F2-4C06-9A0C-4CB3BF37BB25@icir.org> <00aa01cbb980$ffbbeed0$ff33cc70$@ru>
Message-ID: <5C91ACEA-6CF6-4054-9893-75ED170B5B1E@icir.org>

On Jan 21, 2011, at 10:36 AM, Yuriy wrote:
> Thank you for the quick reply,
> Can you help me understand (at least briefly) the reason for "...the notion of time in Bro is driven forward by the packet timestamps...", why not the internal clock?

I expect that it was an optimization, but you'll have to wait for a response from Robin or Vern to clarify that point.

> As I understood, the only way to change such behavior (the clock being driven by packet timestamps) is "If remote communication is enabled, the internal time will be clock driven...". Can I have one little detail, please?

If you load the listen-clear.bro script, that may make Bro drive off of the clock and not packet timestamps. This is where my comment about me not knowing whether an actual connection has to take place or not applies.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From vern at icir.org Fri Jan 21 08:17:09 2011
From: vern at icir.org (Vern Paxson)
Date: Fri, 21 Jan 2011 08:17:09 -0800
Subject: [Bro] policy event engine
In-Reply-To: <5C91ACEA-6CF6-4054-9893-75ED170B5B1E@icir.org> (Fri, 21 Jan 2011 10:43:03 EST).
Message-ID: <20110121161709.3F16A36A02F@taffy.ICSI.Berkeley.EDU>

>> Can you help me understand (at least briefly) the reason for "...the
>> notion of time in Bro is driven forward by the packet timestamps...", why
>> not the internal clock?
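Seth's split_all note and Sridhar's gawk match(input, re, ret) comparison above describe the same extraction two ways; the following Bro policy script is an added example (not code from the thread or from the Bro project) showing the split_all route for Sridhar's "a=.. b=.. c=.." case. It assumes the strings.bif semantics Seth quoted (string_array is 1-based; odd indices are the text between matches, even indices are the separators that matched) and the sub() and strip() built-ins of that era; sample_line is a constructed input.

```bro
# Added example, not from the thread or the Bro distribution.
# Constructed sample input in the shape Sridhar's gawk pattern expects.
const sample_line = "a=foo b=bar c=baz";

# Split on the "name=" prefixes. By the strings.bif rule, even-indexed
# elements of the result are the matching separators ("a=", "b=", "c=")
# and the element right after each one is the value that follows it.
function extract_values(line: string): table[string] of string
	{
	local result: table[string] of string;
	local parts = split_all(line, /(a|b|c)=/);

	for ( i in parts )
		{
		if ( i % 2 == 0 && (i + 1) in parts )
			{
			# parts[i] is e.g. "b="; drop the "=" to get the key.
			local name = sub(parts[i], /=/, "");
			# parts[i+1] is the text up to the next "name=", so it still
			# carries the blank that separated the fields; strip it.
			local value = strip(parts[i + 1]);
			result[name] = value;
			}
		}

	return result;
	}

event bro_init()
	{
	# Expected: a -> foo, b -> bar, c -> baz (table order is unspecified).
	local vals = extract_values(sample_line);
	for ( n in vals )
		print fmt("%s -> %s", n, vals[n]);
	}
```

For a pattern with a fixed number of groups this gives the same key/value pairs gawk's match() would return in ret, using only the split functions Seth pointed at.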
>
> I expect that it was an optimization, but you'll have to wait for a response from Robin or Vern to clarify that point.

Yes, because in a typical deployment environment, many packets stream in every second, and they arrive via pcap with timestamps attached. Plus, we haven't perceived an important benefit from having precise timers; for typical uses (keeping tables from growing too large), imprecise timers are generally fine.

Vern

From robin at icir.org Fri Jan 21 09:47:37 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 21 Jan 2011 09:47:37 -0800
Subject: [Bro] Bro regex documentation
Message-ID: <20110121174737.GA6823@icir.org>

On Thu, Jan 20, 2011 at 15:23 -0500, Seth wrote:
>> Does bro support back-references?
>
> No. I'll let Robin or Vern give more detail here if they want to,

The quick answer here is that Bro matches regexps with DFAs. While DFAs are very efficient, they can't do backreferences.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Jan 21 09:54:36 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 21 Jan 2011 09:54:36 -0800
Subject: [Bro] policy event engine
In-Reply-To: <20110121161709.3F16A36A02F@taffy.ICSI.Berkeley.EDU>
References: <5C91ACEA-6CF6-4054-9893-75ED170B5B1E@icir.org> <20110121161709.3F16A36A02F@taffy.ICSI.Berkeley.EDU>
Message-ID: <20110121175436.GB6823@icir.org>

There's actually one more aspect to this: while Bro's timers are not precise, in typical situations they are also not *that* imprecise as you are observing here with tables. The reason here is that table expiration is actually done in batches: there's not an individual timer per element (in which case expiration would be more timely), but one per *table*. Every time that one first, a certain number of table elements is checked to see whether they have already expired---which is why you're seeing expirations occurring in discrete intervals.

You can fine-tune the specifics of this process with the parameters table_expire_interval, table_incremental_step, and table_expire_delay; see policy/bro.init.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Jan 21 09:57:35 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 21 Jan 2011 09:57:35 -0800
Subject: [Bro] policy event engine
In-Reply-To: <20110121175436.GB6823@icir.org>
References: <5C91ACEA-6CF6-4054-9893-75ED170B5B1E@icir.org> <20110121161709.3F16A36A02F@taffy.ICSI.Berkeley.EDU> <20110121175436.GB6823@icir.org>
Message-ID: <20110121175735.GA7933@icir.org>

On Fri, Jan 21, 2011 at 09:54 -0800, I wrote:
> but one per *table*. Every time that one first,

s/first/fires.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
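The thread above explains why &create_expire entries go away late and in batches (network time advances only with packets; one timer per table checks a batch of elements each time it fires). The Bro policy script below is an added example, not code from the thread or from the Bro project, that makes that lateness visible on a trace. It assumes the &expire_func signature of that era (function(t, idx): interval, return 0 secs to let the entry go) and that table_expire_interval is the redef-able tunable Robin names in policy/bro.init; created_at, report_expiry and seen are names chosen here.

```bro
# Added example, not from the thread or the Bro distribution.
# Run against a capture:  bro -r trace.pcap expire-lateness.bro

# Assumption: table_expire_interval is the bro.init tunable Robin refers
# to. Checking every second (instead of the default) narrows the gap
# between the 20 sec deadline and the moment the entry is really dropped.
redef table_expire_interval = 1 sec;

# Creation time of each entry, so the expire function can report how far
# past its 20 sec &create_expire deadline the removal actually happened.
global created_at: table[addr] of time;

function report_expiry(t: table[addr] of count, idx: addr): interval
	{
	# Lateness is measured in network time, the same clock that drives
	# the timers: packet timestamps, not the wall clock.
	local late = network_time() - created_at[idx] - 20 secs;
	print fmt("%s expired %s after its 20 sec deadline (network time %s)",
	          idx, late, network_time());
	delete created_at[idx];
	return 0 secs;   # 0 secs: let the entry expire; > 0 would extend it
	}

# One entry per originating host. Each is removed 20 sec of network time
# after creation, at whichever batch check first notices it has expired.
global seen: table[addr] of count
	&create_expire=20 secs &expire_func=report_expiry;

event new_connection(c: connection)
	{
	local h = c$id$orig_h;
	if ( h !in seen )
		{
		seen[h] = 0;
		created_at[h] = network_time();
		}
	++seen[h];
	}

event bro_done()
	{
	# Entries still present when input ends never expired: once packets
	# stop, network time stops advancing and no table timer fires.
	print fmt("%d hosts still in the table at end of input", length(seen));
	}
```

On a trace with gaps between packets the reported lateness jumps in steps, which is the batch behaviour Robin describes; hosts seen within the last 20 seconds of the trace are still listed by bro_done.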