> A lot of OS probes work by sending a combination of flags like
>
> SFU12, SF12 etc. and seeing how the OS behaves. I was wondering how to detect
> these kinds of probes using bro.
>
> I know it can be done easily in the TCPConnection::NextPacket()
> where you have the syn,fin,rst and other flags in separate variables.
> Probably I could look for those patterns and call Weird().
>
> But is that the way to go about it? Or should the detection be done
> at the bro-script level.
The right way to do it is either via Weird(), or (better) by introducing
a new event handler, something like:
event strange_TCP_flag_combo(c: connection, SYN: bool, FIN: bool, RST: bool, ACK: bool, PSH: bool, URG: count)
Your policy script could then decide how to react to specific combinations.
Vern
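As an illustration of the detection logic the proposed strange_TCP_flag_combo handler would feed (an added example, not Bro code and not part of the original thread), here is a small Python classifier that pulls the flags byte out of a raw TCP header and labels combinations that no conforming TCP stack emits: SYN+FIN (the "SF" probe from the question), SYN+RST, FIN+PSH+URG, a bare FIN, and a segment with no flags at all. The combination table, the make_tcp_header helper and the sample segments are constructed for the example; the per-flag booleans returned by event_args mirror the parameters of the handler Vern sketches.

```python
import struct
from typing import Optional

# Bit positions in the TCP flags byte (RFC 793; ECE and CWR were reserved
# bits until RFC 3168 assigned them to ECN).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
STANDARD = FIN | SYN | RST | PSH | ACK | URG

# Flag combinations a conforming stack never sends, most specific first.
# Each entry: (bits that must be set, bits that must be clear, label).
# Constructed for this example; extend it to taste in a real deployment.
STRANGE_COMBOS = [
    (SYN | FIN, 0, "SYN+FIN"),                               # the "SF" probe
    (SYN | RST, 0, "SYN+RST"),
    (FIN | PSH | URG, SYN | ACK | RST, "Xmas (FIN+PSH+URG)"),
    (FIN, STANDARD & ~FIN, "bare FIN"),                      # FIN without ACK
    (0, STANDARD, "null (no flags)"),
]


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test input: no options,
    zero sequence numbers, zero checksum)."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 8192, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]  # flags byte follows the data-offset byte


def classify_flags(flags: int) -> Optional[str]:
    """Label a strange flag combination, or return None for ordinary traffic."""
    for must_set, must_clear, label in STRANGE_COMBOS:
        if (flags & must_set) == must_set and (flags & must_clear) == 0:
            return label
    return None


def event_args(flags: int) -> dict:
    """The per-flag booleans the proposed strange_TCP_flag_combo handler would
    receive (ECE/CWR are left out, matching the sketch above)."""
    return {name: bool(flags & bit) for name, bit in
            (("SYN", SYN), ("FIN", FIN), ("RST", RST),
             ("ACK", ACK), ("PSH", PSH), ("URG", URG))}


def scan_segments(segments):
    """Return (index, label, event_args) for every segment with strange flags."""
    hits = []
    for i, seg in enumerate(segments):
        flags = parse_tcp_flags(seg)
        label = classify_flags(flags)
        if label is not None:
            hits.append((i, label, event_args(flags)))
    return hits


# Constructed sample traffic: a normal handshake start, three probe-style
# segments, then an ordinary FIN+ACK that must not be flagged.
SAMPLE_SEGMENTS = [
    make_tcp_header(40000, 80, SYN),
    make_tcp_header(80, 40000, SYN | ACK),
    make_tcp_header(40001, 80, SYN | FIN),
    make_tcp_header(40002, 80, 0),
    make_tcp_header(40003, 80, FIN | PSH | URG),
    make_tcp_header(40000, 80, FIN | ACK),
]

if __name__ == "__main__":
    for idx, label, args in scan_segments(SAMPLE_SEGMENTS):
        print(f"segment {idx}: {label} {args}")
```

The ordering of STRANGE_COMBOS matters: SYN+FIN is tested before the null and bare-FIN entries so that a segment carrying several anomalies gets the most specific label. Normal segments such as FIN+ACK or FIN+PSH+ACK are not matched because the clear-masks require ACK to be absent; that distinction is what keeps this kind of check from firing on every connection teardown.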
> c++ -I. -O -I../libpcap-0.4 -Ilinux-include -c Func.cc
> Func.cc: In function `void do_fmt (const char *&, Val *, ODesc *)':
> Func.cc:244: `localtime' undeclared (first use this function)
> Func.cc:244: (Each undeclared identifier is reported only once for each
> function it appears in.)
> Func.cc:244: `strftime' undeclared (first use this function)
Try adding an include of <time.h> at the beginning of Func.cc and see
if that resolves the problem.
Vern
> I know that bro runs on almost all the OSs like
> OpenBSD/Linux/Solaris etc.
>
> But from your experience, on which OS does bro run/execute
> fastest? I mean the time taken considering the whole system including
> bro and libpcap..
>
> It is just to get an opinion regarding the matter.
>
> It will surely depend on the fact that on some OSs libpcap executes
> faster and so on but could you give a general observation ...
I run it just under FreeBSD. I would expect that it runs *much* better
on systems that have kernel packet filters that libpcap knows how to take
advantage of, which pretty much means BPF systems like *BSD.
Vern
Hi ,
I know that bro runs on almost all the OSs like
OpenBSD/Linux/Solaris etc.
But from your experience, on which OS does bro run/execute
fastest? I mean the time taken considering the whole system including
bro and libpcap..
It is just to get an opinion regarding the matter.
It will surely depend on the fact that on some OSs libpcap executes
faster and so on but could you give a general observation ...
thanks
tom
Hi,
I am using bro 0.7a61 and Red hat linux 2.4.2. When I compile the files, the error message is
c++ -I. -O -I../libpcap-0.4 -Ilinux-include -c Func.cc
Func.cc: In function `void do_fmt (const char *&, Val *, ODesc *)':
Func.cc:244: `localtime' undeclared (first use this function)
Func.cc:244: (Each undeclared identifier is reported only once for each
function it appears in.)
Func.cc:244: `strftime' undeclared (first use this function)
make: *** [Func.o] Error 1
Any suggestion will be greatly appreciated.
thanks,
-Wei
> ../bro -f "port imap" -i xl0 mt
>
> (the network traffic did not have any imap traffic) but still the received
> packets were showing the total number of packets originally on the network.
>
> This problem is not there when I run bro on Linux (2.2.16).
> On Linux it gives the correct received packets (but Linux has
> a bug that it always returns the dropped packets as 0).
>
> Has anyone seen this problem before? Any fixes/suggestions?
Different systems report different statistics, unfortunately. Some report
a count of only filtered packets, others report a count of all packets.
For Bro, though, the point of the statistics is to see whether you're
dropping packets, so the count of received packets isn't as important as
the count of dropped packets. That said, for kernels that misreport the
count of dropped packets, there's not much you can do.
Vern
> I need to traverse the table sequentially (upwards and downwards).
> However it seems that the 'for' command does not do that.
Right, it doesn't. (It's also not clear what "sequentially" means for
some types of table indexes, for example address/port pairs.)
What particular problem are you trying to solve? I ask because that'll
help me think about what sort of mechanism to add to support it.
Vern