> If I use http_session_id in http.bro and my_script.bro
As I mentioned before:
> If you're setting it by hand instead, that's your problem. If not, please
> send me exactly how you're invoking Bro and with what policy script.
I really can't help with problems in my_script.bro unless I know what's in it!
(and, naturally, any changes you've made to the scripts that come with the
distribution)
Vern
Hi,
If I use http_session_id in http.bro and my_script.bro,
I define
    global http_session_id = 0 ;
in both the scripts.
It says "already defined".
If I remove it from one place, it says "Not defined".
Can I get around this problem? I thought global would make the variable
visible to all the scripts.
Thanks
>From: Vern Paxson <vern(a)ee.lbl.gov>
>To: Phil C <flah(a)phess.org>
>CC: bro(a)listserv.lbl.gov
>Subject: Re: Common Question?
>Date: Sun, 25 Feb 2001 23:48:29 PST
>
> > I am using bro version 0.7a48, which of course came with the usual slew of
> > scripts in /usr/local/share/bro. Bro always complains about the file conn.bro
> > line 197, which is trying to:
> >
> > if ( have_FTP && is_ftp_data_conn(c) )
> >
> > That looks ok to me (have_FTP is set to T), the error is:
> >
> > 982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set
>
>have_FTP should only be true if you did "@load ftp" somewhere in your
>policy script (or loaded one of the standard scripts that does this).
>If you're setting it by hand instead, that's your problem. If not, please
>send me exactly how you're invoking Bro and with what policy script.
>
> > One more quick question, what does &redef do? I see it smattered all over but
> > never mentioned in the docs.
>
>It marks a variable as redefinable (or refinable). So for example you
>can have:
>
> global foo = 5 &redef;
>
> ...
>
> redef foo = 4;
>
>and the second definition redefines foo's initial value to be 4 rather than 5.
>You also can use += and -= to redef aggregate variables (tables, sets) to have
>more or fewer members (and you can use += to add to a pattern variable).
>
>If the first declaration of foo above didn't include &redef, then Bro
>would complain upon seeing the second definition.
>
>redef is a basic mechanism for allowing one policy script to override
>some of the values in another script so you can express one policy as
>modifications to another policy, rather than having to maintain two
>slightly different versions of the policies.
>
> Vern
> internal_func(const char* name) , in Var.cc returns NULL when 'http_request'
> is being passed to it.
This will happen unless your policy script defines a http_request event
handler (which you can do, for example, by using "@load http" to pull in
the usual HTTP handler). If that doesn't explain the problem you're
encountering, please send exactly how you're invoking Bro and with what
policy script.
Vern
> I am using bro version 0.7a48, which of course came with the usual slew of
> scripts in /usr/local/share/bro. Bro always complains about the file conn.bro
> line 197, which is trying to:
>
> if ( have_FTP && is_ftp_data_conn(c) )
>
> That looks ok to me (have_FTP is set to T), the error is:
>
> 982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set
have_FTP should only be true if you did "@load ftp" somewhere in your
policy script (or loaded one of the standard scripts that does this).
If you're setting it by hand instead, that's your problem. If not, please
send me exactly how you're invoking Bro and with what policy script.
> One more quick question, what does &redef do? I see it smattered all over but
> never mentioned in the docs.
It marks a variable as redefinable (or refinable). So for example you
can have:

    global foo = 5 &redef;

    ...

    redef foo = 4;

and the second definition redefines foo's initial value to be 4 rather than 5.
You also can use += and -= to redef aggregate variables (tables, sets) to have
more or fewer members (and you can use += to add to a pattern variable).
If the first declaration of foo above didn't include &redef, then Bro
would complain upon seeing the second definition.
redef is a basic mechanism for allowing one policy script to override
some of the values in another script so you can express one policy as
modifications to another policy, rather than having to maintain two
slightly different versions of the policies.
Vern
Hi,
I am using bro-pub-0.7a48.
internal_func(const char* name), in Var.cc, returns NULL when 'http_request'
is being passed to it.
This function calls internal_val(const char* name),
which does this:
    ID* id = lookup_ID(name);
    id->ID_Val();
but this ID_Val function returns NULL.
I saw this because when an HTTP connection came in, the
c = new HTTP_Conn.... line in Sessions.cc was not being executed because the
http_request variable was not set.
This happens only for http_request.
ftp / telnet etc. run fine.
I ran bro-pub-0.6, which didn't have this problem.
I can't figure out why.
Any insight into this will be very helpful.
Thanks a lot
I am using bro version 0.7a48, which of course came with the usual slew of
scripts in /usr/local/share/bro. Bro always complains about the file conn.bro
line 197, which is trying to:
    if ( have_FTP && is_ftp_data_conn(c) )
That looks ok to me (have_FTP is set to T), the error is:
    982815367.072217 ./conn.bro, line 198 (is_ftp_data_conn): run-time error, value used but not set
If I am suffering from this problem, I assume it is by now a common question
on this list. If so and there are archives or places for 'newbies' to go
please point me there...
One more quick question, what does &redef do? I see it smattered all over but
never mentioned in the docs.
--
Thanks,
Phil
> I just compiled the bro.7a48 vers and ran.
> It ran for the first time and went to listening mode on the port I
> specified ... "listening on eth0"
>
> I stopped it. The next time I run it gives:
>
> policy/login.bro, line 362 (weird_file): error, undeclared variable
> policy/login.bro, line 404 (weird_file): error, undeclared variable
> policy/login.bro, line 409 (weird_file): error, undeclared variable
> policy/login.bro, line 414 (weird_file): error, undeclared variable
>
> I haven't changed anything.
>
> Has anyone seen this problem ?
The problem is this. The first time you're running Bro, it's creating a
"weird" file to record unusual events. The name of this file is
"weird.$BRO_ID", but if you haven't set $BRO_ID then it's just "weird".
However, login.bro contains "@load weird", which instructs Bro to look
for a policy file called "weird" or "weird.bro". The first of these
is the problem, it's loading the empty file it just created rather than
policy/weird.bro.
Workaround: set $BRO_ID before running.
Probably the correct longer term fix is to have a default name that still
has a suffix (probably ".log").
Vern
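An added example, not part of Vern's message or of the Bro distribution: a Python check for the collision described above, meant to be run against the directory Bro is started in. It assumes, as the message describes, that "@load weird" picks up a suffix-less file named "weird" in that directory ahead of policy/weird.bro; the function names and the sample layout are constructed for illustration.

```python
import os
import tempfile


def find_shadowing_files(workdir, policy_dir, suffix=".bro"):
    """Return files in workdir whose name equals the stem of a policy script.

    Such a file (for example an empty "weird" log written while $BRO_ID was
    unset) would be loaded by "@load <name>" instead of <name>.bro, under
    the search order assumed in the lead-in.
    """
    stems = {
        entry[: -len(suffix)]
        for entry in os.listdir(policy_dir)
        if entry.endswith(suffix)
    }
    return sorted(
        name
        for name in os.listdir(workdir)
        if name in stems and os.path.isfile(os.path.join(workdir, name))
    )


def demo():
    """Build a constructed working directory and report the collisions."""
    with tempfile.TemporaryDirectory() as work:
        policy = os.path.join(work, "policy")
        os.mkdir(policy)
        for script in ("weird.bro", "login.bro"):
            with open(os.path.join(policy, script), "w") as fh:
                fh.write("# constructed placeholder script\n")
        # Log left behind by a run with $BRO_ID unset: collides with weird.bro.
        open(os.path.join(work, "weird"), "w").close()
        # Log from a run with BRO_ID=host1 (constructed value): no collision.
        open(os.path.join(work, "weird.host1"), "w").close()
        return find_shadowing_files(work, policy)


if __name__ == "__main__":
    print(demo())
```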
> I get this message concerning a record type variable:
> - login.bro, line 100 (record { user:string, demuxed:bool... }): bad tag
> in BroType::AsTableType.
>
> I've been modifying (simplifying) the example scripts. Even removing
> all the variables from the record does not help: I still get the error
> message with empty { }.
>
> Did somebody have the same problem? How did you solve the problem?
Send me the script(s) you're using and the invocation arguments. Generally,
"bad tag" indicates an internal error in which there's a type inconsistency,
such as bro.init giving one type for a variable, but the Bro interpreter
assuming a different type.
Vern
> I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since
> I cannot connect the machine on the network where I am now, I would like to
> test my policy. I've tried to start bro on the localhost interface. I am
> only using the standard conn.bro file, modified a little bit: the only
> processing of events I do is to write the name of the event function. It works
> with bro_init(). But nothing is logged (I am not using the log module so it
> should appear in my terminal), but tcpdump 'sees' the traffic (telnet and
> ftp on localhost).
> I've also tried to read from a dump file of tcpdump (tcpdump -i lo0
> -w filename), but I get this kind of output :
> ...
> weird: 981105864.406810 bad_IP_cheksum
The problem is likely in PktSrc::SetHdrSize(), which is hardwired to know
about a few interface types. Presumably libpcap returns DLT_NULL for
the loopback interface. The code currently sets the header length to 4 bytes
for that type. Perhaps this has changed under FreeBSD (or never worked).
Vern
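An added example (not from the original message or from Bro's source) of why a wrong link-layer header size shows up as a bad IP checksum: the IPv4 header checksum is verified at the offset implied by each link type. The 4-byte DLT_NULL size is the one quoted above; the 14-byte Ethernet size, the function names and the sample frame are assumptions or constructed here.

```python
import struct

# libpcap link types and the header size assumed for each.
# 4 bytes for DLT_NULL is the value quoted in the message; 14 is plain Ethernet.
DLT_NULL, DLT_EN10MB = 0, 1
HDR_SIZE = {DLT_NULL: 4, DLT_EN10MB: 14}


def ones_complement_sum(data):
    """16-bit ones'-complement checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_checksum_ok(frame, dlt):
    """Verify the IPv4 header checksum at the offset implied by dlt.

    Assumes a 20-byte header without options, as in the constructed sample.
    """
    start = HDR_SIZE[dlt]
    header = frame[start:start + 20]
    return len(header) == 20 and ones_complement_sum(header) == 0


def build_loopback_frame():
    """Constructed sample: DLT_NULL header (AF_INET = 2), IPv4 header, 20 zero bytes."""
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, lo, lo)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return struct.pack("=I", 2) + ip + b"\x00" * 20


if __name__ == "__main__":
    frame = build_loopback_frame()
    for name, dlt in (("DLT_NULL", DLT_NULL), ("DLT_EN10MB", DLT_EN10MB)):
        print(name, "checksum ok:", ip_checksum_ok(frame, dlt))
```

The same frame passes when the 4-byte header is skipped and fails when the capture is treated as Ethernet, which is the symptom a mismatched header size produces.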