zeek December 2003

zeek@lists.zeek.org

11 participants
16 discussions

by Vern Paxson

> g++ -o bif_parse.o -c bif_parse.cc > y.tab.c: In function `int yyparse()': > y.tab.c:1705: syntax error before `goto' y.tab.c is a generated file, so to diagnose it, please send a copy of it, and/or lines 1700-1710 in order to localize the error. Vern

17 years, 8 months

Error compiling bro-pub-0.8a58

by Richard Bejtlich

Hello, I'm running bourque# uname -a FreeBSD bourque.taosecurity.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 17:51:09 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386 I get this error after successfully running 'configure': ... gcc -g -O2 -I. -I. -g -O0 -c help.c gcc -g -O2 -I. -I. -g -O0 -c fgetln.c In file included from fgetln.c:2: compat.h:4: warning: `__RCSID' redefined /usr/include/sys/cdefs.h:225: warning: this is the location of the previous definition compat.h:5: warning: `__COPYRIGHT' redefined /usr/include/sys/cdefs.h:247: warning: this is the location of the previous definition gcc -g -O2 -I. -I. -g -O0 -c readline.c gcc -g -O2 -I. -I. -g -O0 -c strlcpy.c ar -r libedit.a chared.o common.o el.o emacs.o fcns.o hist.o history.o key.o map.o parse.o prompt.o read.o refresh.o search.o sig.o term.o tokenizer.o tty.o vi.o help.o fgetln.o readline.o strlcpy.o bison -y -d -t -v builtin-func.y flex -obif_lex.cc builtin-func.l g++ -o bif_lex.o -c bif_lex.cc g++ -o bif_parse.o -c bif_parse.cc y.tab.c: In function `int yyparse()': y.tab.c:1705: syntax error before `goto' *** Error code 1 Stop in /usr/local/src/bro-pub-0.8a58. -- I appreciate any help. Thank you, Richard Bejtlich http://www.taosecurity.com __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/

17 years, 9 months

Re: Bro 57 segfaults

by Vern Paxson

> I just build and deployed bro-0.8a57 and the thing segfaults after about > 5-100 minutes of running. I tried '-t file', but then it segfaults > immediately. > > Platform is RedHat 9; default build of bro with ssl. Deployed on a fairly > loaded 10MB/s link. > > Anybody else seeing this? I don't run in that environment, but Robin does (or in something similar), and I don't believe he's encountered any problems recently. In general, when reporting a Bro crash, it helps a lot to show a traceback (not -t output, which is generally much to voluminous to aid in debugging crashes). Better (much) still is a tcpdump trace that reprodouces the problem, if you're able to give me a copy of such. Note, I recently ran across a problem running Bro's signature engine against UDP or ICMP traffic. By default, each new UDP/ICMP flow sticks around forever, so this rapidly consumes a huge amount of memory. You can eliminate the problem via "@load reduce-memory". Vern

17 years, 9 months

Re: libpcap compatibility problem (Re: new bro "CURRENT" release - 0.8a57)

by Vern Paxson

> is Bro supported on NetBSD? Not directly, since we don't have any NetBSD machines in house, but it's certainly the intent that it runs under NetBSD (and in general on systems with libpcap), if it's not too painful. > If so, a recent thread on ethereal-dev > discussed pcap_compile_nopcap() in that context and might be relevant > for Bro. Have a look at > > http://www.ethereal.com/lists/ethereal-dev/200312/msg00401.html Looks like some more autoconf'ing will be needed :-(. If someone cares to contribute it, that would be great. Vern

17 years, 9 months

Re: new bro "CURRENT" release - 0.8a57

by Vern Paxson

> For example, what if I run some proprietary service on port 80? > Is is going to be service 'other' or service 'http'? What if > I run telnetd on port 80? Currently, this will be identified as "http". Bro's TCP analyzers are being reworked so that in the future it will be able to run alternate (or multiple) analyzers from that associated with the well-known port. When that works, I think the above example would have "telnet" as the service even though the responder port would be 80/tcp. Vern

17 years, 9 months

Re: new bro "CURRENT" release - 0.8a57

by Vern Paxson

> > Good point. As implemented, it continues to be other-nnnnn, but I think > > just plain "other" makes more sense, since we now can finally cleanly separate > > the notion of service from the notion of port. > > It's cleaner, but is it really separated internally, or just in the logs? The notion of "service" is "what is the actual service [application] running on the connection". It initially arose from the utility of associating "ftp-data" with connections that otherwise might not be identified as such, since they didn't use well-known ports. Bro is moving towards more fully decoupling the notion of what application protocol to analyze vs. what application is usually associated with a given well-known port, so I think the split of service in the connection logs will be helpful in this regard. > I confess (and probably reveal) my near total BRO ignorance, but isn't > service just mapped from port number in some (many?) cases? In most cases, yes, but not in all. > Even if > so, the separation is valuable and clearly necessary where not so, > but I wonder if it wouldn't be useful to have some indication of those > connections that BRO has determined the service of (via inspection) > versus merely inferring the service from a port:name lookup table. Hmmmm, perhaps this should be a new flag (to go along with 'L', and the soon-to-depart 'U'), but I'm not sure it's worth it - do you have an example in which this is particularly handy to have? > PS. any consideration of making the log format a config spec: > > red_log_format: "%time %duration %service %oip %rip %bytes %rbytes ...." > > maybe little value... just a thought. I think a better way to do this is to make it easy for the user to supply their own connection log printer directly. Vern

17 years, 9 months

Re: Serious problem running bro-pub-0.8a48 on OpenBSD 3.3

by Vern Paxson

My apologies for dropping the ball on this thread :-(. > - I am running this on a P3-600 MHz, 200 MB memory system. Is that too > slow? It crticially depends on your traffic volume. In my experience, a machine like that should be able to monitor a network on the order of a hundred machines with a 100 Mbps link; but that's somewhat a guess, as most of my experience is with bigger/faster networks. > - The size of the 'bro.core' file upon the seg-fault is of the order of 500 > MB. > Isn't that weird? This very likely indicates that Bro is crashing because you've reached the process "datasize" limit. See what "limit datasize" reports. > The response time of my system also increases drastically That's because, given 200 MB of real memory, when Bro grows beyond that towards 500 MB, you suffer a great deal of paging. It appears very likely that you are encountering a memory leak. Try (1) running the latest release (I just announced 0.8a58), and, if the problem persists, turning on memory statistics, which you can do by including "statistics.bro" as a policy script on the command line or via @load. Vern

17 years, 9 months

new bro "CURRENT" release - 0.8a58

by Vern Paxson

An updated "CURRENT" version of Bro is now available from the usual location: ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz The only change is compatibility with older versions of libpcap, contributed by Chema Gonzalez. Patch appended. Vern -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/CHANGES bro-pub-0.8a58/CHANGES --- bro-pub-0.8a57/CHANGES Thu Dec 4 17:24:03 2003 +++ bro-pub-0.8a58/CHANGES Tue Dec 16 08:57:25 2003 @@ -2,6 +2,13 @@ -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +0.8a58 Tue Dec 16 08:55:47 PST 2003 + +- Compatibility with older versions of libpcap (Chema Gonzalez). + + +0.8a57 Tue Dec 9 10:14:30 PST 2003 - The format of Bro's connection summaries is changing. The new format looks like diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/PktSrc.cc bro-pub-0.8a58/PktSrc.cc --- bro-pub-0.8a57/PktSrc.cc Tue Oct 21 12:21:01 2003 +++ bro-pub-0.8a58/PktSrc.cc Tue Dec 16 08:55:36 2003 @@ -106,7 +106,11 @@ bpf_program* oldcode = (bpf_program*) filters.Lookup(hash); if ( oldcode ) { +#ifndef DONT_HAVE_LIBPCAP_PCAP_FREECODE pcap_freecode(oldcode); +#else + pcap_freecode(NULL, oldcode); +#endif delete oldcode; } @@ -328,3 +332,58 @@ { delete program->bf_insns; } + + + +#ifdef DONT_HAVE_LIBPCAP_PCAP_FREECODE +extern "C" { +#include "pcap-int.h" + +int pcap_freecode(pcap_t* unused, struct bpf_program* program) + { + program->bf_len = 0; + + if ( program->bf_insns ) + { + free((char*) program->bf_insns); + program->bf_insns = 0; + } + + return 0; + } + +pcap_t* pcap_open_dead(int linktype, int snaplen) + { + pcap_t* p; + + p = (pcap_t*) malloc(sizeof(*p)); + if ( ! p ) + return 0; + + memset(p, 0, sizeof(*p)); + + p->fd = -1; + p->snapshot = snaplen; + p->linktype = linktype; + + return p; + } + +int pcap_compile_nopcap(int snaplen_arg, int linktype_arg, + struct bpf_program* program, char* buf, + int optimize, bpf_u_int32 mask) + { + pcap_t* p; + int ret; + + p = pcap_open_dead(linktype_arg, snaplen_arg); + if ( ! p ) + return -1; + + ret = pcap_compile(p, program, buf, optimize, mask); + pcap_close(p); + + return ret; + } +} +#endif diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/PktSrc.h bro-pub-0.8a58/PktSrc.h --- bro-pub-0.8a57/PktSrc.h Tue Oct 21 12:20:41 2003 +++ bro-pub-0.8a58/PktSrc.h Tue Dec 16 08:55:36 2003 @@ -186,5 +186,13 @@ PktFileSrc(const char* readfile, const char* filter, PktSrc_Filter_Type ft=TYPE_FILTER_NORMAL); }; + +#ifdef DONT_HAVE_LIBPCAP_PCAP_FREECODE +extern "C" { + int pcap_freecode(pcap_t*, struct bpf_program*); + int pcap_compile_nopcap(int, int, struct bpf_program*, + char*, int, bpf_u_int32); +} +#endif #endif diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/VERSION bro-pub-0.8a58/VERSION --- bro-pub-0.8a57/VERSION Thu Dec 4 15:13:05 2003 +++ bro-pub-0.8a58/VERSION Thu Dec 11 17:20:52 2003 @@ -1,1 +1,1 @@ -0.8a57 +0.8a58 diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/config.h.in bro-pub-0.8a58/config.h.in --- bro-pub-0.8a57/config.h.in Tue Nov 18 23:27:19 2003 +++ bro-pub-0.8a58/config.h.in Thu Dec 11 17:21:20 2003 @@ -6,6 +6,10 @@ /* enable IPV6 processing */ #undef BROv6 +/* Old libpcap versions (< 0.6.1) need defining pcap_freecode and + pcap_compile_nopcap */ +#undef DONT_HAVE_LIBPCAP_PCAP_FREECODE + /* should explicitly declare socket() and friends */ #undef DO_SOCK_DECL @@ -26,6 +30,9 @@ /* Define to 1 if you have the `nsl' library (-lnsl). */ #undef HAVE_LIBNSL + +/* Define to 1 if you have the `pcap' library (-lpcap). */ +#undef HAVE_LIBPCAP /* Define to 1 if you have the `resolv' library (-lresolv). */ #undef HAVE_LIBRESOLV diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/configure bro-pub-0.8a58/configure --- bro-pub-0.8a57/configure Tue Nov 18 23:27:02 2003 +++ bro-pub-0.8a58/configure Thu Dec 11 17:24:35 2003 @@ -6051,7 +6051,80 @@ echo "${ECHO_T}$libpcap" >&6 fi if test "x$libpcap" != "x-lpcap" ; then - LIBS="$libpcap $LIBS" + LIBS="-L$d -lpcap $LIBS" + fi + + +echo "$as_me:$LINENO: checking for pcap_freecode in -lpcap" >&5 +echo $ECHO_N "checking for pcap_freecode in -lpcap... $ECHO_C" >&6 +if test "${ac_cv_lib_pcap_pcap_freecode+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpcap $LIBS" +cat >conftest.$ac_ext <<_ACEOF +#line $LINENO "configure" +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pcap_freecode (); +int +main () +{ +pcap_freecode (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_pcap_pcap_freecode=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_pcap_pcap_freecode=no +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_pcap_pcap_freecode" >&5 +echo "${ECHO_T}$ac_cv_lib_pcap_pcap_freecode" >&6 +if test $ac_cv_lib_pcap_pcap_freecode = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPCAP 1 +_ACEOF + + LIBS="-lpcap $LIBS" + +fi + + if test "$ac_cv_lib_pcap_pcap_freecode" = no ; then + unset ac_cv_lib_pcap_pcap_freecode + +cat >>confdefs.h <<\_ACEOF +#define DONT_HAVE_LIBPCAP_PCAP_FREECODE +_ACEOF + fi echo "$as_me:$LINENO: checking for pcap headers" >&5 diff -wcr --ignore-matching-lines=Id: bro-pub-0.8a57/lbl-aclocal.m4 bro-pub-0.8a58/lbl-aclocal.m4 --- bro-pub-0.8a57/lbl-aclocal.m4 Wed Sep 3 23:04:40 2003 +++ bro-pub-0.8a58/lbl-aclocal.m4 Tue Dec 16 08:55:37 2003 @@ -240,7 +240,14 @@ AC_MSG_RESULT($libpcap) fi if test "x$libpcap" != "x-lpcap" ; then - LIBS="$libpcap $LIBS" + LIBS="-L$d -lpcap $LIBS" + fi + + dnl check libpcap is modern enough for Bro (>= 0.6.1) + AC_CHECK_LIB(pcap, pcap_freecode) + if test "$ac_cv_lib_pcap_pcap_freecode" = no ; then + unset ac_cv_lib_pcap_pcap_freecode + AC_DEFINE([DONT_HAVE_LIBPCAP_PCAP_FREECODE],[],[Old libpcap versions (< 0.6.1) need defining pcap_freecode and pcap_compile_nopcap]) fi dnl check pcap headers location

17 years, 9 months

libpcap compatibility problem (Re: new bro "CURRENT" release - 0.8a57)

by Vern Paxson

Argh - the 0.8a57 release uses some new libpcap functionality (pcap_compile_nocap(), and calling pcap_freecode() with a bpf_program*) that isn't supported in older libpcap releases. If someone could please contribute autoconf tweaks to deal with this incompatibility, I'd much appreciate it. Vern

17 years, 9 months

Re: new bro "CURRENT" release - 0.8a57

by Vern Paxson

> The changes notes above don't mention the <addl> field. Is that just > an oversight in the notes, Yes, just an oversight in the notes. > Will <service> still contain port numbers? Or will "other-nnnnn" become > simply "other"? (that would be my preference) Good point. As implemented, it continues to be other-nnnnn, but I think just plain "other" makes more sense, since we now can finally cleanly separate the notion of service from the notion of port. > Although I don't know what the "neighbor net" U flag even means, I wonder > if this is the time to drop that, as the BRO manual says the whole notion > is historical. The notion of "neighbor" is still used a bit in the policy scripts (in scan.bro, in particular - different rules apply to scan detection for activity from neighbors than from others), but arguably this should be structured in a different fashion (a general notion of networks that are allowed to scan), and in fact this has bitten us operationally in the past, when a infected neighbor scanned us. Thanks for the suggestions! Vern

17 years, 9 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2003