> As you know, Snort works on packet data, while Bro works on connection
> data.
Bro also has a signature engine that can read Snort rules, per the
CHANGES file.
> I
> want to know how to use Bro to save all the connections to a disk file.
I don't quite know what you mean. Bro writes connection summaries to
stdout if you load tcp.bro (or the usual load of mt.bro). It also can
write a tcpdump packet trace file if you specify -w file.
Vern
Hi All,
As you know, Snort works on packet data, while Bro works on connection
data. I want to know how to use Bro to save all the connections to a disk
file. Could you help me?
Best regards!
>I guess that you're using Linux, right? Please try the attached
Right! I am using Linux. Could you tell me which system is the best to run
Bro?
>patch. But even if it helps, you may get more errors during linking
>(which I haven't tried to solve yet).
Great, it almost works! Why, just changing h_errno to host_errno?
But a new error like:
nb_dns.o: In function '_nb_dns_mkquery':
*/bro/nb_dns.c:203: undefined reference to '__res_mkquery'
...
<< attach5 >>
How to open the attach5?
hi,
My sincere thanks to Prof. Vern for sending us the next release of Bro.
However, I tried to make the Bro stable version, i.e.
> The current stable release remains 0.7a175b, available from:
> ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz
but I am facing a problem during make. I am running Linux 6.2,
kernel 2.2.14-12.
I am getting compilation problems; I tried to change the code and
recompile, but was not successful.
The file the errors refer to is "DebugCmds.cc".
These are the errors I am getting:
_______________________________________
c++ -I. -O -Ilinux-include -c DebugCmds.cc
DebugCmds.cc: In function `void lookup_global_symbols_regex(const class
stoing &, class vector<ID *,__default_alloc_template<true,0> > &, bool =
false)':
DebugCmds.cc:41: no matching function for call to `string::push_back
(char)'
DebugCmds.cc:42: no matching function for call to `string::push_back
(char)'
DebugCmds.cc:44: no matching function for call to `string::push_back
(char)'
make: *** [DebugCmds.o] Error 1
__________________________________________
What could possibly be the reason? Is there something that needs to be
modified in the code? Can anybody help me out?
Thanks
Mayank
A new Bro alpha release is now available from:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8a1.tar.gz
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8-current.tar.gz
This is a "bleeding edge" release with a number of changes (appended).
The current stable release remains 0.7a175b, available from:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz
- Vern
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0.8a1 Sat Sep 21 22:09:23 PDT 2002
- IPv6 support enabled if you build using -DBROv6. Deficiencies: Bro
doesn't yet look up hostnames for AAAA records; no handling of extension
headers (if you have traces of these, please send them to me!); no
handling of FTP PORT/PASV w/ IPv6 addresses (again, if you have traces,
please send them!); DNS analyzer doesn't understand AAAA yet (again,
please send me traces!); you have to change the capture_filter line
in tcp.bro (as indicated in the script) in order to process TCP traffic,
due to deficiencies in libpcap's support for IPv6.
- Bro is migrating towards a more structured way of handling log messages /
alerts. Analyzers now @load alert.bro, which has a function ALERT()
for processing alerts. Soon this function will provide a variety of
filtering/processing hooks; expect changes.
- Bro now has an HTTP response analyzer (contributed by Ruoming Pang).
The HTTP policy scripts have been split up into http.bro (just general
definitions), http-request.bro (handles requests; loaded by http.bro),
http-reply.bro (handles replies; you need to explicitly load this), and
http-detail.bro (handles individual headers). http-reply.bro will be
undergoing some significant reworking in the near future; probably the
scripts will be merged back into a single http.bro plus http-detail.bro.
- ssl-worm.bro contains a prototype policy script for detecting the
Scalper SSL worm (contributed by Robin Sommer). It uses the signature
file sig.ex.ssl-worm.bro. If someone has traces of Scalper in action
to send us, that would be great.
- A new policy script, contents.bro, extracts the contents of each
Bro connection into its own pair of files (one file for each
direction). Use in conjunction with -f or discarder_XXX() to
extract specific connections.
- A new built-in function, strcmp(), returns the usual comparison between
two strings (contributed by Robin Sommer).
- A new event, content_gap(), is generated when Bro detects that it is
forced to skip over data in a reconstructed TCP stream because it is
missing from the packet input.
- BIND8 is no longer included with the distribution. If this causes you
problems, let me know.
- aux/scripts/bro_logchk is a Perl script for parsing Bro HTTP & FTP logs
(contributed by Jim Barlow).
- You can now compare addresses to see which is larger. a < b means
that in network order, the octets making up 'a' are ordered before
those for 'b'. E.g., 128.2.3.4 < 128.2.3.5 < 129.0.0.1. Note that
IPv4 addresses are all < IPv6 addresses (other than IPv4 addresses
that are embedded in IPv6 addresses, e.g., ::128.2.3.4 < 128.2.3.5).
- Serious bug in TCP option handling fixed.
- Some bugs in CRLF handling fixed (courtesy Ruoming Pang).
- Bug in the implementation of &optional fixed.
- Bug in computing memory statistics when not reading packets (from
an interface or the trace file) fixed.
- You can now include a trailing comma after the last item in an
"enum" enumeration list.
- port-name.bro now maps 389/tcp to "ldap".
- A bug has been fixed in loading files multiple times.
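The address ordering described in the release notes above, as an added example that is not Bro's code: every address is normalized to 16 network-order bytes, and an IPv4 address a.b.c.d is embedded as ::a.b.c.d (an assumption about how the embedding is meant), so a plain byte comparison yields 128.2.3.4 < 128.2.3.5 < 129.0.0.1, ::128.2.3.4 < 128.2.3.5, and IPv4 below everything outside ::/96.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Bro's code. Assumption: IPv4 a.b.c.d is embedded as
 * the IPv6 address ::a.b.c.d before comparing, which reproduces the
 * ordering stated in the 0.8a1 notes. */

/* Parse textual IPv4 or IPv6 into 16 network-order bytes; 1 on success. */
int addr_to_bytes(const char *text, uint8_t out[16])
{
    uint8_t v4[4];
    if (inet_pton(AF_INET6, text, out) == 1)
        return 1;
    if (inet_pton(AF_INET, text, v4) == 1) {
        memset(out, 0, 12);          /* leading 96 zero bits */
        memcpy(out + 12, v4, 4);     /* ::a.b.c.d */
        return 1;
    }
    return 0;
}

/* Returns -1, 0 or 1 like a sign of strcmp; -2 if either address is unparsable. */
int addr_cmp(const char *a, const char *b)
{
    uint8_t ba[16], bb[16];
    if (!addr_to_bytes(a, ba) || !addr_to_bytes(b, bb))
        return -2;
    int r = memcmp(ba, bb, 16);      /* network order == octet order */
    return (r > 0) - (r < 0);
}
```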
The 0.7a175 release had a serious bug in it, in which a malformed TCP
option could wedge Bro. This is fixed in the 0.7a175b release, now
available from:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a175b.tar.gz
I've also appended a patch for the 0.7a175 sources.
More generally, I want to start moving towards the notion of "stable"
versus "current" releases, where "stable" releases just have bug fixes
applied to them, and no new features. In light of this, the above
is also available as:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz
- Vern
*** TCP.cc.ORIG Tue Aug 27 15:47:09 2002
--- TCP.cc.NEW Thu Sep 19 22:49:27 2002
***************
*** 857,868 ****
int SACK = 0;
// Parse TCP options.
! char* options = (char*) tcp + sizeof(struct tcphdr);
! char* opt_end = (char*) tcp + tcp->th_off * 4;
while ( options < opt_end )
{
! int opt = options[0];
if ( opt == TCPOPT_EOL )
// All done - could flag if more junk left over ....
--- 898,909 ----
int SACK = 0;
// Parse TCP options.
! u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
! u_char* opt_end = (u_char*) tcp + tcp->th_off * 4;
while ( options < opt_end )
{
! unsigned int opt = options[0];
if ( opt == TCPOPT_EOL )
// All done - could flag if more junk left over ....
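Review bot: the switch from `char*` to `u_char*` and from `int opt` to `unsigned int opt` is the right fix for the kind byte: read through a signed `char`, any option kind of 128 or above becomes a negative value, so comparisons against the `TCPOPT_*` constants and the length read that follows in the next hunk operate on sign-extended data. A one-line comment at `unsigned int opt = options[0];` saying the option bytes are deliberately read unsigned would keep a later maintainer from "simplifying" it back.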
***************
*** 878,899 ****
// We've run off the end, no room for the length.
break;
! int opt_len = options[1];
if ( options + opt_len >= opt_end )
// No room for rest of option.
break;
switch ( opt ) {
case TCPOPT_SACK_PERMITTED:
SACK = 1;
break;
case TCPOPT_MAXSEG:
MSS = (options[2] << 8) | options[3];
break;
case 3: /* TCPOPT_WSCALE */
winscale = options[2];
break;
--- 919,950 ----
// We've run off the end, no room for the length.
break;
! unsigned int opt_len = options[1];
if ( options + opt_len >= opt_end )
// No room for rest of option.
break;
+ if ( opt_len == 0 )
+ // Trashed length field.
+ break;
+
switch ( opt ) {
case TCPOPT_SACK_PERMITTED:
SACK = 1;
break;
case TCPOPT_MAXSEG:
+ if ( opt_len < 4 )
+ break; // bad length
+
MSS = (options[2] << 8) | options[3];
break;
case 3: /* TCPOPT_WSCALE */
+ if ( opt_len < 3 )
+ break; // bad length
+
winscale = options[2];
break;
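Review bot: the new `if ( opt_len == 0 ) break;` is the guard that stops the loop from stalling on a zero-length option (with `opt_len == 0` the pointer never advances past `options`); its placement after `if ( options + opt_len >= opt_end )` is fine, since a zero length passes that test. Two smaller points: a length of 1 is also malformed by the option format (kind and length already occupy two bytes), so `if ( opt_len < 2 )` would cover both cases while the `opt_len < 4` and `opt_len < 3` checks for MAXSEG and WSCALE stay as they are; and the `>=` in the bounds test rejects an option that ends exactly at `opt_end`, which is legitimate for the last option in the header, so `>` is the precise check unless the stricter behaviour is intended.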
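The same option-walking loop written from scratch with the checks the patch above introduces, as an added example that is not Bro's code: option kind and length are read unsigned, a length below 2 or a truncated option ends parsing instead of stalling it, and a `malformed` flag records that the walk stopped early. The sample option bytes at the bottom are constructed, not taken from a capture.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not Bro's code: a bounds-checked TCP option walker applying
 * the defensive checks of the 0.7a175b patch (unsigned kind and length, zero
 * length ends parsing). Kinds are the standard TCP option numbers. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, OPT_WSCALE = 3, OPT_SACK_OK = 4 };
struct tcp_opts {
    unsigned mss, winscale;   /* 0 when absent */
    int sack_ok;
    int malformed;            /* set when parsing stopped on bad data */
};
/* Walk the option bytes after the fixed 20-byte header; returns bytes consumed.
 * opt_len >= 2 is enforced before use, so the index always advances. */
size_t parse_tcp_options(const uint8_t *opts, size_t len, struct tcp_opts *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (i < len) {
        unsigned kind = opts[i];            /* unsigned: kind >= 128 stays positive */
        if (kind == OPT_EOL) return i + 1;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= len) { out->malformed = 1; return i; }   /* no length byte */
        unsigned opt_len = opts[i + 1];
        /* length 0 or 1 could never advance; a length past the end is truncated */
        if (opt_len < 2 || i + opt_len > len) { out->malformed = 1; return i; }
        switch (kind) {
        case OPT_MSS:
            if (opt_len == 4) out->mss = (opts[i + 2] << 8) | opts[i + 3];
            else out->malformed = 1;
            break;
        case OPT_WSCALE:
            if (opt_len == 3) out->winscale = opts[i + 2];
            else out->malformed = 1;
            break;
        case OPT_SACK_OK:
            out->sack_ok = 1;
            break;
        default: break;                     /* unknown kind: skip by its length */
        }
        i += opt_len;
    }
    return i;
}
/* Constructed samples: MSS 1460, NOP, wscale 7, SACK-permitted, EOL; and one
 * whose second option carries a zero length (the case that wedged 0.7a175). */
static const uint8_t sample_good[] = { 2,4,0x05,0xb4, 1, 3,3,7, 4,2, 0 };
static const uint8_t sample_zero_len[] = { 2,4,0x05,0xb4, 30,0, 0xff,0xff };
```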
> I can not understand the class of ODesc.
ODesc is used by Bro objects to describe themselves. An ODesc can be associated
with a file, in which case the description is written to the file; or, if
no file is specified, then the description is built up in a string internal
to the ODesc object, which can then be retrieved using Description(),
Bytes(), or TakeBytes(). One way to figure this out yourself is to search
for references in the source code to ODesc. You'll find that they're all
in Describe() and ValDescribe() methods.
> Could you tell the detail of it :
> each variable represent what, how does each function work?
The workings should be apparent with a bit of inspection to those with a
good familiarity with C++. Such familiarity is required at this point for
those who want to delve into the details of Bro's inner workings.
Vern