> How long does Bro keep IP fragments?
Forever.
This isn't great - clearly there should be a user-controllable timeout.
However, if you set the timeout too low, then you become vulnerable to an
evasion attack. It's not clear what's a safe timeout value (some stacks
might use a fixed-size buffer, say, and ignore implementing a timer at
all). A project I'm working on with a student (Umesh Shankar) may wind
up assessing this further.
If someone wants to add a user-controllable timeout, that would be great.
Vern
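To illustrate the trade-off Vern describes, here is an added example (not Bro's code) of a toy fragment reassembler with a tunable timeout: partial datagrams are dropped once they have waited longer than the timeout, so a short timeout bounds state but also loses any datagram whose last fragment arrives late, and the monitor then sees nothing for it. The fragment records are constructed; the keep-forever behaviour is timeout=float("inf").

```python
# Constructed fragment records: (arrival_time, key, offset, more_fragments, payload).
# key identifies a datagram as (src, dst, ip_id, proto); offsets are in bytes.
CONSTRUCTED_FRAGS = [
    (0.0, ("10.0.0.1", "10.0.0.2", 100, 6), 0, True, b"AAAAAAAA"),
    (0.5, ("10.0.0.1", "10.0.0.2", 100, 6), 8, False, b"BBBB"),
    (1.0, ("10.0.0.3", "10.0.0.2", 7, 17), 0, True, b"CCCCCCCC"),
    (45.0, ("10.0.0.3", "10.0.0.2", 7, 17), 8, False, b"DD"),  # arrives 44 s later
]

def reassemble(frags, timeout):
    """Feed fragments in arrival order. Returns (completed, expired):
    completed maps key -> reassembled payload; expired counts partial
    datagrams discarded because they waited longer than `timeout`
    seconds (timeout=float("inf") is the keep-forever behaviour)."""
    pending = {}   # key -> {"first": arrival, "parts": {offset: bytes}, "total": int|None}
    completed = {}
    expired = 0
    for t, key, offset, more, payload in frags:
        # Expire stale partial datagrams before handling the new fragment.
        for k in list(pending):
            if t - pending[k]["first"] > timeout:
                del pending[k]
                expired += 1
        entry = pending.setdefault(key, {"first": t, "parts": {}, "total": None})
        entry["parts"][offset] = payload
        if not more:
            entry["total"] = offset + len(payload)  # the last fragment fixes the length
        if entry["total"] is None:
            continue
        # Complete only when contiguous parts cover [0, total).
        pos = 0
        for off in sorted(entry["parts"]):
            if off != pos:
                break
            pos += len(entry["parts"][off])
        if pos == entry["total"]:
            completed[key] = b"".join(entry["parts"][o] for o in sorted(entry["parts"]))
            del pending[key]
    return completed, expired
```

Counting expirations against real traffic is what lets you judge whether a candidate timeout is dropping datagrams that end hosts would still have accepted.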
hi all,
I have added a bro variable in bro.init.
global var = 1 &redef;
--------------------------------------
Also in NetVar
int var;
var = opt_internal_int("var");
--------------------------------------
Now if I change var in any of the .cc files, does the change reflect at
the policy level?
in any .cc file -> var = 2;
what will be the value in the policy scripts ?
--------------------------------------
**Otherwise, is there a way to share a variable between the .cc files and
the policy scripts? **
thanks a lot
ashley
hi,
I have posted a similar mail before but couldn't find an answer.
I get this error while installing bro:
(bro-pub-0.7a90/libpcap0.6.2)
-------------------------------------------------------------------------------------------
<snip>
gcc -I. -O -I../libpcap-0.6.2 -c cq.c
gcc -I. -O -I../libpcap-0.6.2 -Ibind8/include -Ibind8/portinc -c nb_dns.c
gcc -I. -O -I../libpcap-0.6.2 -c setsignal.c
gcc -I. -O -I../libpcap-0.6.2 -I. -c version.c
c++ -o bro main.o net_util.o parse.o scan.o re-parse.o re-scan.o util.o
Attr.o BackDoor.o BroString.o CCL.o CompHash.o Conn.o DFA.o Desc.o Dict.o
Discard.o DNS.o DNS_Mgr.o EquivClass.o Event.o Expr.o File.o Finger.o
Frag.o Frame.o FTP.o Func.o Hash.o HTTP.o ICMP.o ID.o Ident.o InterConn.o
List.o Logger.o Login.o NFA.o NTP.o NVT.o Net.o NetVar.o Obj.o PktSrc.o
Portmap.o PriorityQueue.o Queue.o Reassem.o Rlogin.o RE.o RPC.o Scope.o
Sessions.o SteppingStone.o Stmt.o TCP.o Telnet.o Timer.o Type.o UDP.o
Val.o Var.o XDR.o cq.o nb_dns.o setsignal.o version.o -Lbind8/lib -lbind
../libpcap-0.6.2/libpcap.a -lm
parse.o: Definition of symbol `_yylhs' (multiply defined)
parse.o: Definition of symbol `_yylen' (multiply defined)
parse.o: Definition of symbol `_yydefred' (multiply defined)
parse.o: Definition of symbol `_yydgoto' (multiply defined)
parse.o: Definition of symbol `_yysindex' (multiply defined)
parse.o: Definition of symbol `_yyrindex' (multiply defined)
parse.o: Definition of symbol `_yygindex' (multiply defined)
parse.o: Definition of symbol `_yytable' (multiply defined)
parse.o: Definition of symbol `_yycheck' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylhs'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylen'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydefred'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydgoto'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yysindex'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yyrindex'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yygindex'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yytable'
(multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yycheck'
(multiply defined)
collect2: ld returned 1 exit status
*** Error code 1
Stop in /home/athomas/BRO/bro-pub-0.7a90 (line 90 of Makefile).
-----------------------------------------------------------------------------------------
Any pointers on what might be the problem and how to get around it?
It sees multiple definitions while doing 'make' ...
Is it some problem with flex/bison etc.?
I am attaching what I saw while doing ./configure, if that might help in
showing what might be the problem in my setup ...
While doing a ./configure in libpcap-0.6.2
I see:
<snip>
checking for flex... (cached) flex
checking for flex 2.4 or higher... (cached) yes
checking for bison... no
configure: warning: don't have both flex and bison; reverting to lex/yacc
checking for capable lex... (cached) yes
<snip>
and running ./configure in bro-pub-0.7a90
I see:
<snip>
checking for bison... no
checking for byacc... no
checking for c++... c++
checking whether the C++ compiler (c++ ) works... yes
checking whether the C++ compiler (c++ ) is a cross-compiler... no
checking whether we are using GNU C++... yes
checking whether c++ accepts -g... yes
checking for flex... flex
checking for yywrap in -lfl... yes
<snip>
----------------------------------------------------------------------------------------
Any help is appreciated.
thanks for your time
regards
ashley
> Is there an archive of the mailing list where the ignorant (i.e. me)
> can avoid asking questions already asked on the list?
Yes, send email to majordomo(a)lbl.gov with
get bro archive
in the body.
> If not, is there
> experience with bro on gigE speed links
Yep - that's what we run it on at LBL and UC Berkeley.
Vern
Is there an archive of the mailing list where the ignorant (i.e. me)
can avoid asking questions already asked on the list? If not, is there
experience with bro on gigE speed links or is it hopeless before I start :-)
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> Is it possible to do pattern matching using bro scripts
> for a hex pattern,
> for e.g.:
> "90 31 C0 99 52 52 B017 CD80 68 CC 73 68"
> or does it support only pattern matching for strings?
What do you mean by a "hex pattern"? You can search for 8-bit regular
expressions, e.g. /\x90\x31\xc0\x99/. Bro's regular expressions operate
on strings, but strings can contain arbitrary binary data.
Vern
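As an added example (not from the thread), this converts the hex notation in the question into both the /\x90\x31.../ form Vern gives and a Python bytes regex, then searches a constructed payload; the signature bytes are the ones quoted in the question.

```python
import re

def hex_pattern_to_bytes(hex_pattern):
    """Parse a space-separated hex signature such as
    "90 31 C0 99 52 52 B017 CD80" into raw bytes. Tokens may hold
    more than one byte (B017 is two), so spacing is ignored."""
    digits = hex_pattern.replace(" ", "")
    if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
        raise ValueError("signature must be whole bytes written in hex")
    return bytes.fromhex(digits)

def bro_pattern(hex_pattern):
    """Render the signature the way the reply above writes it for Bro:
    a regex literal built from \\xNN escapes, e.g. /\\x90\\x31\\xc0\\x99/."""
    return "/" + "".join("\\x%02x" % b for b in hex_pattern_to_bytes(hex_pattern)) + "/"

def compile_signature(hex_pattern):
    """Compile the signature as a bytes regex. re.escape quotes any byte
    that is a regex metacharacter, so every byte value matches literally."""
    return re.compile(re.escape(hex_pattern_to_bytes(hex_pattern)))

def find_signature(payload, signature):
    """Byte offset of the first match in payload, or -1 if absent."""
    m = signature.search(payload)
    return m.start() if m else -1

SIGNATURE = compile_signature("90 31 C0 99 52 52 B017 CD80 68 CC 73 68")
# Constructed payload: a request line, two non-printable bytes, then the signature.
CONSTRUCTED_PAYLOAD = (b"GET /x HTTP/1.0\r\n\x00\x01"
                       + bytes.fromhex("9031c0995252b017cd8068cc7368") + b"\xff")
```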
> I think sometimes the HTTP reply, especially the first line, is very useful.
> Through it, we can know whether the attack is successful.
> Is that right?
Yes, and HTTP.cc has *most* of the internal analysis already to extract
this. What it's missing is the ability to accurately track persistent
connections, which requires being able to tell when an item ends. For
some items, finding the end is easy, you just use the content-length; but
for those encoded using chunking or (especially) MIME/multipart, this is
more work, and that's the part that's missing. If someone wants to finish
it up, that would be great.
> How to detect the syn flood attack using Bro? May I use a timer in the Bro
> interpreter, so we can know the statistics of some network event?
You could use a timer, or you could count the number of connection attempts
arriving after a particular time for each server. One thing to note is
that if you use connection_attempt, you only get the events after Bro
times out the connection attempt (controlled by the tcp_attempt_delay
variable). If you instead use new_connection, you'll get the events
immediately.
Vern
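An added example, not code from HTTP.cc, of the item-end logic Vern describes: one reply parser that frames the body by Content-Length or by chunked encoding (MIME/multipart is not handled), used to split a constructed persistent-connection stream into its replies.

```python
def parse_reply(data, start=0):
    """Parse one HTTP reply at data[start:]; return (status_line, body, end_index)
    or None if the reply is not yet complete. Frames the body by Content-Length
    or chunked encoding; with neither, the body runs to the end of the data."""
    hdr_end = data.find(b"\r\n\r\n", start)
    if hdr_end < 0:
        return None
    head = data[start:hdr_end].decode("latin-1").split("\r\n")
    status_line, headers = head[0], {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    pos = hdr_end + 4
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = b""
        while True:
            eol = data.find(b"\r\n", pos)
            if eol < 0:
                return None
            size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
            pos = eol + 2
            if size == 0:  # last chunk; optional trailers end with an empty line
                end = data.find(b"\r\n\r\n", pos - 2)
                return None if end < 0 else (status_line, body, end + 4)
            if len(data) < pos + size + 2:
                return None
            body += data[pos:pos + size]
            pos += size + 2  # chunk data plus its trailing CRLF
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(data) < pos + n:
            return None
        return status_line, data[pos:pos + n], pos + n
    return status_line, data[pos:], len(data)

def split_replies(stream):
    """Split a persistent-connection reply stream into (status_line, body)
    pairs, stopping at the first reply that is still incomplete."""
    out, pos = [], 0
    while pos < len(stream):
        reply = parse_reply(stream, pos)
        if reply is None:
            break
        out.append(reply[:2])
        pos = reply[2]
    return out

CONSTRUCTED_STREAM = (  # constructed sample: a Content-Length reply, then a chunked one
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 404 Not Found\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nnope\r\n2\r\n!!\r\n0\r\n\r\n")
```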
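An added example, not Bro script: a per-server sliding-window counter over constructed SYN arrivals, modelling the difference Vern notes between new_connection (seen at once) and connection_attempt (seen only after the attempt delay, here an assumed 5 s).

```python
import collections

# Constructed SYN arrivals: (timestamp, responder host). One host receives a SYN
# every 0.1 s for 3 s; the other receives just two.
CONSTRUCTED_SYNS = [(i / 10, "10.0.0.5") for i in range(30)] + [(0.5, "10.0.0.9"), (1.5, "10.0.0.9")]
TCP_ATTEMPT_DELAY = 5.0  # stands in for Bro's tcp_attempt_delay (assumed value)

def events(syns, event_name):
    """Model when the script layer sees each SYN: new_connection fires at once,
    connection_attempt only after Bro gives up on the attempt."""
    delay = 0.0 if event_name == "new_connection" else TCP_ATTEMPT_DELAY
    return [(t + delay, host) for t, host in syns]

def detect_syn_flood(evts, window, threshold):
    """Count attempts per server inside a sliding `window` of seconds and return
    {server: timestamp} for the first moment the count exceeded `threshold`."""
    recent = collections.defaultdict(collections.deque)
    first_alert = {}
    for t, host in sorted(evts):
        q = recent[host]
        q.append(t)
        while q[0] < t - window:   # drop attempts older than the window
            q.popleft()
        if len(q) > threshold and host not in first_alert:
            first_alert[host] = t
    return first_alert
```

Both event choices reach the same verdict; the delayed one simply reports it tcp_attempt_delay later, which is the latency trade-off the reply points out.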
hi,
Is it possible to do pattern matching using bro scripts
for a hex pattern,
for e.g.:
"90 31 C0 99 52 52 B017 CD80 68 CC 73 68"
or does it support only pattern matching for strings?
thanks a lot
ashley
Hi, all:
I think sometimes the HTTP reply, especially the first line, is very useful. Through it, we can know whether the attack is successful.
Is that right? Forgive my poor English. Another question: how to detect the syn flood attack using Bro? May I use a timer in the Bro
interpreter, so we can know the statistics of some network event?
wushi
2002.3.18