Hi,
I am making a module for Bro to track some specific UDP traffic...
I've an object (GTP_Conn) inheriting from UDP_Conn instantiated in
Session.cc.
I'm using a Dictionary, like the one used for the tcp_conns, udp_conns
variables.
I've created a custom key, the lookup works so I suppose the dictionary
works well.
This is how I created the dictionary:
declare(PDict, GTP_Tunnel);  // GTP_Tunnel is the class type of my custom object
...
PDict(GTP_Tunnel) tunnels;
...
tunnels.SetDeleteFunc(bro_obj_delete_func);  // just copied this from the tcp_conns example
This is what I get when shutting down after simulating 1 packet:
--
...... received termination signal
1 packets received on interface lo0, 0 dropped
Abort (core dumped)
--
This is what I get when shutting down after simulating a lot of packets BUT
only one GTP_Tunnel instance...
--
...... received termination signal
92854 packets received on interface lo0, 0 dropped
/: write failed, file system full
Abort
--
Note: I have inserted printfs in all the destructors. It seems that the
destructors of the tunnel instance(s) and of the variable 'tunnels' are not
called, but GTP_Conn's are called.
Magnus.
The problem is that Bro was incorrectly processing an empty regular
expression (corresponding to the "skip_authentication" variable,
which was empty because you commented out its redefinition).
Here's a patch.
Vern
*** RE.cc.ORIG Sun Oct 24 22:55:24 1999
--- RE.cc Wed May 2 16:48:03 2001
***************
*** 428,437 ****
int Specific_RE_Matcher::MatchAll(byte_vec bv, int n)
{
if ( ! dfa )
! {
! run_time("attempt to match to a malformed regular expression");
! return 0;
! }
DFA_State* d = dfa->StartState();
while ( d )
--- 428,436 ----
int Specific_RE_Matcher::MatchAll(byte_vec bv, int n)
{
if ( ! dfa )
! // An empty pattern matches "all" iff what's being
! // matched is empty.
! return n == 0;
DFA_State* d = dfa->StartState();
while ( d )
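Review bot: In MatchAll, the new "if ( ! dfa )" branch treats every null dfa as an empty pattern, but the lines it replaces reported that same condition as a malformed regular expression, so a pattern whose DFA is missing for any other reason would now quietly return n == 0 with no diagnostic. Consider recording when the pattern text was empty and returning n == 0 only in that case, keeping the run_time() call for a null dfa otherwise.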
***************
*** 449,458 ****
int Specific_RE_Matcher::Match(byte_vec bv, int n)
{
if ( ! dfa )
! {
! run_time("attempt to match to a malformed regular expression");
! return 0;
! }
DFA_State* d = dfa->StartState();
--- 448,455 ----
int Specific_RE_Matcher::Match(byte_vec bv, int n)
{
if ( ! dfa )
! // An empty pattern matches anything.
! return 1;
DFA_State* d = dfa->StartState();
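Review bot: In Match, returning 1 whenever dfa is null makes any such pattern match every input, and the run_time() warning that used to flag this path is gone. The message above says the path is reached through an empty skip_authentication, so a policy pattern left empty now matches all input handed to Match; it is worth confirming that this is the intended meaning for that variable and distinguishing an explicitly empty pattern from one whose DFA was never built. The comment sitting between the if and its unbraced return is also easy to break in a later edit; braces around the branch would help.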
[I've put bro(a)lbl.gov back onto the cc line, since others may find
this dialog helpful]
> I run it on FreeBSD4.2.
> The run-time error appears sometimes, but not always...
> When I monitor an ethernet network, it may appear 10 times a day.
> but yesterday I tried it on a gigabit link... and the error appears a lot
> more.
>
> It seems to occur with some packet arrival.
>
> $ bro -i wx0 mt.bro
The next thing to do is use -w tracefile to record the traffic that Bro is
reading, and then see if you can reproduce the problem using -r tracefile.
If so, send the trace to me and I'll track it down, and fix the error message.
Vern
>
> Magnus
>
>
> > -----Original Message-----
> > From: Vern Paxson [SMTP:vern@ee.lbl.gov]
> > Sent: Wednesday, May 02, 2001 10:16 AM
> > To: Anderssen Magnus
> > Subject: Re: malformed regular expression
> >
> > > I'm using 0.6 and 0.7.48a...
> >
> > Okay, now I need to know how you're invoking it, because if I try just
> > running "bro" (version 0.7a48) on your policy scripts, it runs okay for
> > me.
> >
> > Vern
Hi,
I'm getting this run-time error:
<some time> run-time error: attempt to match to a malformed regular
expression.
The problem is that I don't know where it occurs (in which event, ...).
Do I get this message when trying to write to a file an empty string returned
by Bro?
Is there a way to get a more precise error message? To be able to correct my
script.
Thanks
<<policy.zip>>
Magnus Anderssen (D2 26A), Network Security
Orange Communications SA
WTC, 2 av. de Gratta-Paille, 1000 Lausanne 30 Grey
direct phone : +41 21 216 1191 : mobile : +41 78 787 1191
fax : +41 86 078 787 1191