> How long does Bro keep IP fragments?
Forever.
This isn't great - clearly there should be a user-controllable timeout.
However, if you set the timeout too low, then you become vulnerable to an
evasion attack. It's not clear what's a safe timeout value (some stacks
might use a fixed-size buffer, say, and ignore implementing a timer at
all). A project I'm working on with a student (Umesh Shankar) may wind
up assessing this further.
If someone wants to add a user-controllable timeout, that would be great.
Vern
Hi, I am new to Bro. After downloading the source code, I tried to install it on my Linux machine. First I ran the configure command. The output is as follows:
[root@jqxin bro-pub-0.7a90]# configure
loading cache ./config.cache
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking build system type... i686-pc-linux-gnu
checking Linux kernel version... (cached) 2
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for bison... (cached) bison -y
checking for c++... (cached) c++
checking whether the C++ compiler (c++ ) works... yes
checking whether the C++ compiler (c++ ) is a cross-compiler... no
checking whether we are using GNU C++... (cached) yes
checking whether c++ accepts -g... (cached) yes
checking for flex... (cached) flex
checking for yywrap in -lfl... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether make sets ${MAKE}... (cached) yes
checking for gzip... (cached) gzip
checking how to run the C preprocessor... (cached) gcc -E
checking for ANSI C header files... (cached) yes
checking return type of signal handlers... (cached) void
checking for sigset... (cached) yes
checking whether time.h and sys/time.h may both be included... (cached) yes
checking for memory.h... (cached) yes
checking if syslog returns int... (cached) no
checking if we should declare socket and friends... (cached) no
checking if we should declare gettimeofday... (cached) yes
checking for gethostbyname... (cached) yes
checking for socket... (cached) yes
checking for putmsg in -lstr... (cached) no
checking for local pcap library... not found
checking for pcap_open_live in -lpcap... yes
checking for 8-bit clean memcmp... (cached) no
checking for strftime... (cached) yes
checking for strerror... (cached) yes
creating ./config.status
creating Makefile
creating aux/hf/Makefile
sed: can't read ./aux/hf/Makefile.in: No such file or directory
creating aux/cf/Makefile
creating config.h
config.h is unchanged
It seems fine, but when it comes to make, the output is as follows:
[root@jqxin bro-pub-0.7a90]# make
c++ -I. -O -Ilinux-include -c Func.cc
Func.cc: In function `void do_fmt (const char *&, Val *, ODesc *)':
Func.cc:247: `localtime' undeclared (first use this function)
Func.cc:247: (Each undeclared identifier is reported only once for each function it appears in.)
Func.cc:247: `strftime' undeclared (first use this function)
make: *** [Func.o] Error 1
So I do not know how to tackle this problem. Would you please give me a hint? Thanks very much for your kind help.
yours,
Xin
Hi,
How long does Bro keep IP fragments? The IP RFC says:
    The maximum this timer value could reach is the maximum time to live
    (approximately 4.25 minutes). The current recommendation for the
    initial timer setting is 15 seconds. This may be changed as the
    experience with this protocol accumulates.
Considering resource constraints, does Bro keep the fragments for a shorter
time? Looking through Frag.cc and Sessions.cc, I couldn't track down where
the timer portion of the code is (if anyone could point it out).
Any pointers are appreciated.
- thanks
Ashley
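The trade-off Ashley asks about and Vern answers above, as an added simulation that is not part of the original thread and not Bro's own code. A minimal IP-fragment reassembler takes a configurable timeout; `None` keeps incomplete datagrams forever, which is what Vern says Bro does. Two things are shown. First, the evasion Vern warns about: a monitor whose timer (15 s here, the RFC 791 initial recommendation quoted in the thread) is shorter than the end host's (a constructed 60 s) discards the first fragment of a datagram the host later accepts, so the monitor never sees the reassembled payload at all. Second, the resource side: with the "forever" policy the pending table grows by one entry for every first fragment that is never completed, while a timer bounds it. Addresses, IP identification values, payloads and the host timeout are all constructed for the example; overlapping fragments are deliberately not handled and are treated as a hole.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]  # (src, dst, IP identification) names one datagram


@dataclass
class Fragment:
    t: float      # arrival time in seconds (constructed)
    key: Key
    offset: int   # byte offset of this piece within the original datagram
    mf: bool      # IP "more fragments" flag
    data: bytes


@dataclass
class Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)
    total_len: Optional[int] = None  # known once the mf=False piece arrives


class Reassembler:
    """Minimal IP-fragment reassembler.  timeout=None keeps incomplete
    datagrams forever (what Vern says Bro does); otherwise anything older
    than `timeout` seconds is dropped before each new fragment is handled.
    Overlapping pieces are not resolved here; they are treated as a hole."""

    def __init__(self, timeout: Optional[float]) -> None:
        self.timeout = timeout
        self.pending: Dict[Key, Pending] = {}
        self.expired = 0  # incomplete datagrams discarded by the timer

    def _expire(self, now: float) -> None:
        if self.timeout is None:
            return
        stale = [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self.pending[k]
            self.expired += 1

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled payload once it is complete, else None."""
        self._expire(frag.t)
        p = self.pending.setdefault(frag.key, Pending(first_seen=frag.t))
        p.pieces[frag.offset] = frag.data
        if not frag.mf:
            p.total_len = frag.offset + len(frag.data)
        if p.total_len is None:
            return None
        out = bytearray()
        for off in sorted(p.pieces):  # pieces must tile [0, total_len) exactly
            if off != len(out):
                return None
            out += p.pieces[off]
        if len(out) != p.total_len:
            return None
        del self.pending[frag.key]
        return bytes(out)


def run(stream: List[Fragment], timeout: Optional[float]):
    """Feed a fragment stream through one reassembler; return (completed, reassembler)."""
    r = Reassembler(timeout)
    completed = []
    for f in stream:
        payload = r.add(f)
        if payload is not None:
            completed.append((f.key, payload))
    return completed, r


ATTACK: Key = ("198.51.100.7", "192.0.2.10", 0x1234)  # constructed addresses and ID
NIDS_TIMEOUT = 15.0   # RFC 791's initial recommendation, quoted in the thread
HOST_TIMEOUT = 60.0   # constructed: the monitored end host waits longer


def evasion_demo():
    """Two fragments 30 s apart: the host (60 s) reassembles, a monitor with
    a 15 s timer has already thrown the first piece away and sees nothing."""
    stream = [
        Fragment(0.0, ATTACK, 0, True, b"GET /etc"),
        Fragment(30.0, ATTACK, 8, False, b"/passwd"),
    ]
    host_seen, _ = run(stream, HOST_TIMEOUT)
    nids_seen, nids = run(stream, NIDS_TIMEOUT)
    forever_seen, _ = run(stream, None)
    return host_seen, nids_seen, nids.expired, forever_seen


def state_growth_demo(n: int = 1000):
    """n first fragments, one per second, that never complete: the 'forever'
    policy holds all n; a 15 s timer holds only the most recent 16."""
    flood = [Fragment(float(i), ("203.0.113.%d" % (i % 254 + 1), "192.0.2.10", i),
                      0, True, b"\0" * 8) for i in range(n)]
    _, forever = run(flood, None)
    _, timed = run(flood, NIDS_TIMEOUT)
    return len(forever.pending), len(timed.pending)


if __name__ == "__main__":
    host, nids, expired, forever = evasion_demo()
    print("host reassembled:", host)                      # [(ATTACK, b'GET /etc/passwd')]
    print("monitor reassembled:", nids, "expired:", expired)  # [] 1
    print("forever-policy reassembled:", forever)         # same as host
    print("pending entries (forever, 15 s):", state_growth_demo())  # (1000, 16)
```

The second fragment alone is not enough for the 15 s monitor: it learns the total length from the mf=0 piece but has a hole at offset 0, so it waits for a first fragment that was already discarded. That is exactly why a too-short timer is an evasion, and why the safe value depends on what the protected hosts actually do rather than on the RFC's suggestion.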