Hi,
I'm trying to use bro under Debian unstable (upgraded today) and after some
light modifications, I was able to compile bro. But after that, I've a
segmentation fault...
First, the modifications:
1- I had some gcc 3.2.3 problems which look like:
| g++ -o bif_parse.o -c bif_parse.cc
| builtin-func.y:63: 'vector' is used as a type, but is not defined as a type.
| builtin-func.y: In function `int yyparse()':
| builtin-func.y:151: `args' undeclared (first use this function)
| builtin-func.y:151: (Each undeclared identifier is reported only once for each
| function it appears in.)
| make: *** [bif_parse.o] Error 1
I solved them by adding "using namespace std;" just after the include headers.
Same thing with Type.h and Anon.h.
2- The "yy_current_buffer" (line 474) was not declared... I changed "if (
yy_current_buffer )" to "if ( YY_CURRENT_BUFFER )" and the
compilation continued.
3- I replaced '#include <hash_map>' by '#include <hash_map.h>' because
hash_map wasn't found. This works fine but adds a warning like this:
| /usr/include/c++/3.2/backward/backward_warning.h:32:2: warning:
| #warning This file includes at least one deprecated or antiquated
| header. Please consider using one of the 32 headers found in section
| 17.4.1.2 of the C++ standard. Examples include substituting the <X>
| header for the <X.h> header for C++ includes, or <sstream> instead of
| the deprecated header <strstream.h>. To disable this warning use
| -Wno-deprecated.
4- The function isspace wasn't found either in Debug.cc, so I added
"#include <ctype.h>".
5- The DebugCmds.cc file generates a problem too:
| g++ -I. -Ilibedit -O -Ilinux-include -c DebugCmds.cc
| DebugCmds.cc: In function `int find_all_matching_cmds(const std::string&, const
| char**)':
| DebugCmds.cc:164: invalid conversion from `const char*' to `unsigned int'
| DebugCmds.cc:164: initializing argument 1 of `int std::basic_string<_CharT,
| _Traits, _Alloc>::compare(_Alloc::size_type, _Alloc::size_type, const
| _CharT*) const [with _CharT = char, _Traits = std::char_traits<char>, _Alloc
| = std::allocator<char>]'
| DebugCmds.cc:164: invalid conversion from `unsigned int' to `const char*'
| DebugCmds.cc:164: initializing argument 3 of `int std::basic_string<_CharT,
| _Traits, _Alloc>::compare(_Alloc::size_type, _Alloc::size_type, const
| _CharT*) const [with _CharT = char, _Traits = std::char_traits<char>, _Alloc
| = std::allocator<char>]'
| make: *** [DebugCmds.o] Error 1
I just changed "if ( prefix.compare(curr_name, 0, arglen ) )" to "if (
prefix.compare(arglen, 0, curr_name ) )".
6- A classical link problem with bro compilation under Linux, solved by
replacing "-lresolv" with "/usr/lib/resolv.a" in the Makefile.
After that, the compilation goes to the end, but when I compile bro with
the -g flag and run gdb, I see this:
| (gdb) r -i eth0
| Starting program: /usr/local/src/bro-pub-0.8a20/bro -i eth0
|
| Program received signal SIGSEGV, Segmentation fault.
| 0x401b3364 in strcmp () from /lib/libc.so.6
| (gdb) bt
| #0 0x401b3364 in strcmp () from /lib/libc.so.6
| #1 0x0804db83 in streq(char const*, char const*) (s1=0x0, s2=0x0)
| at util.cc:54
| #2 0x0809e5c9 in BroObj::SetLocationInfo(Location const*, Location const*) (
| this=0x812ffb8, start=0xbfffe24c, end=0xbfffe24c) at Obj.cc:99
| #3 0x0805c6ff in Attr (this=0x812ffb8, t=ATTR_OPTIONAL, e=0x0) at Attr.cc:42
| #4 0x0805070e in yyparse() () at parse.y:868
| #5 0x0804cb93 in main (argc=135439840, argv=0xbffffdd4) at main.cc:328
| (gdb) p start_location -> first_line
| $1 = 137
| (gdb) p start_location -> last_line
| $2 = 137
I know that I've made too many modifications to the original
sources... But via some fprintf calls, I discovered that, in the previous call
to this function, the Locations were in the bro.init file.
Does anybody have an idea?
Thanks for all. Regards,
--
Sylvain de Tilly
"Let's all go GNU!"
a GNUdist.
ps: Sorry for my poor English.
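Two things in the report above are worth seeing in isolation: the backtrace ends in strcmp() because streq() was handed two null pointers, and item 5 hinges on the argument order of std::string::compare(). The following is an added illustration written for this archive, not code from Bro or from the poster: streq_safe, prefix_matches, compare_swapped and swapped_throws are this example's own names, and "inf"/"info" are constructed inputs.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>

// Null-safe string equality. strcmp() dereferences both arguments
// unconditionally, which is exactly the crash in the backtrace above
// (streq(s1=0x0, s2=0x0) -> strcmp). Two nulls compare equal, a null
// against a real string compares unequal, and no pointer is dereferenced.
bool streq_safe(const char* s1, const char* s2) {
    if (s1 == nullptr || s2 == nullptr)
        return s1 == s2;
    return std::strcmp(s1, s2) == 0;
}

// Do the first arglen characters of prefix and curr_name agree?
// std::string::compare(pos, len, s, n) compares this->substr(pos, len)
// against the first n characters of s: position first, length second,
// C string third. n is clipped to strlen(curr_name) so the call never
// reads past the terminating NUL.
bool prefix_matches(const std::string& prefix, const char* curr_name, size_t arglen) {
    if (curr_name == nullptr)
        return false;
    size_t n = std::strlen(curr_name);
    if (n > arglen)
        n = arglen;
    return prefix.compare(0, arglen, curr_name, n) == 0;
}

// The three-argument form compare(pos, len, s) with the length passed in
// the position slot: it compares prefix.substr(arglen, 0), an empty
// string, against curr_name, so it returns 0 only for an empty curr_name
// and throws std::out_of_range once arglen exceeds prefix.size().
int compare_swapped(const std::string& prefix, const char* curr_name, size_t arglen) {
    return prefix.compare(arglen, 0, curr_name);
}

// True when compare_swapped() throws for these arguments.
bool swapped_throws(const std::string& prefix, const char* curr_name, size_t arglen) {
    try {
        compare_swapped(prefix, curr_name, arglen);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    std::printf("streq_safe(NULL, NULL)            = %d\n", streq_safe(nullptr, nullptr));
    std::printf("prefix_matches(\"inf\", \"info\", 3)  = %d\n", prefix_matches("inf", "info", 3));
    std::printf("compare_swapped(\"inf\", \"info\", 3) = %d\n", compare_swapped("inf", "info", 3));
    std::printf("swapped_throws(\"inf\", \"info\", 4)  = %d\n", swapped_throws("inf", "info", 4));
    return 0;
}
```

The point for anyone debugging a crash like the one above: a null pointer reaching strcmp() is a caller bug (here, SetLocationInfo passing filenames that were never set), and the wrapper only turns the segfault into a clean "not equal" so the real origin can be traced with the debugger.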
Hello,
I wrote a patch (very very crappy code) to enable bro to read IP packets
encapsulated in PPPoE. This patch only indicates which header size it
must skip to read the IP packet.
I also added a boolean which is set to true when the packet is PPPoE
signalling. In that case, the weird module doesn't log the packet as
a non-IP packet.
If you want to use it, don't forget to put an appropriate filter like
this in your personal bro configuration file:
redef capture_filter += "ether proto 0x8864" ;
The patch is available here:
http://www.detilly.net/bro-0.8a20-pppoe.patch
Regards,
--
Sylvain de Tilly
"Let's all go GNU!"
a GNUdist.
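The patch described above does two things: skip the PPPoE header to reach the IP packet, and flag PPPoE signalling so it is not reported as a non-IP packet. As an added example (not the patch and not Bro's code), here is that decision written out against the PPPoE frame layout of RFC 2516: a 14-byte Ethernet header, a 6-byte PPPoE header (version/type, code, session id, length), a 2-byte PPP protocol field, then the payload. It goes slightly beyond the post's "ether proto 0x8864" filter by also treating Ethertype 0x8863 (the discovery stage) as signalling, and it refuses to index into a frame that is shorter than its headers claim. PppoeResult, locate_ip_in_pppoe, make_frame, make_pppoe_session_frame and the sample MAC addresses are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of looking for an IP packet behind a PPPoE header.
struct PppoeResult {
    bool is_pppoe;       // Ethertype 0x8863 (discovery) or 0x8864 (session)
    bool is_signalling;  // PPPoE frame that carries no IP packet (discovery, LCP, IPCP, ...)
    bool malformed;      // frame shorter than the headers it claims to carry
    size_t ip_offset;    // offset of the IP header within the frame, 0 when there is none
};

static const size_t kEthHdrLen = 14;    // dst MAC(6) + src MAC(6) + Ethertype(2)
static const size_t kPppoeHdrLen = 6;   // ver/type(1) + code(1) + session id(2) + length(2)
static const size_t kPppProtoLen = 2;   // PPP protocol field that precedes the payload
static const uint16_t kEthPppoeDiscovery = 0x8863;
static const uint16_t kEthPppoeSession = 0x8864;
static const uint16_t kPppIpv4 = 0x0021;
static const uint16_t kPppIpv6 = 0x0057;

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

// Decide whether `frame` (len bytes captured) holds an IP packet behind PPPoE.
PppoeResult locate_ip_in_pppoe(const uint8_t* frame, size_t len) {
    PppoeResult r = {false, false, false, 0};
    if (len < kEthHdrLen) { r.malformed = true; return r; }
    uint16_t ethertype = be16(frame + 12);
    if (ethertype == kEthPppoeDiscovery) {      // PADI/PADO/PADR/PADS/PADT: never IP
        r.is_pppoe = true; r.is_signalling = true; return r;
    }
    if (ethertype != kEthPppoeSession) return r;  // not PPPoE; caller decodes as usual
    r.is_pppoe = true;
    const size_t need = kEthHdrLen + kPppoeHdrLen + kPppProtoLen;
    if (len < need) { r.malformed = true; return r; }
    const uint8_t* pppoe = frame + kEthHdrLen;
    // version 1, type 1 and code 0x00 identify a session-stage packet
    if (pppoe[0] != 0x11 || pppoe[1] != 0x00) { r.is_signalling = true; return r; }
    uint16_t plen = be16(pppoe + 4);  // PPPoE length: protocol field + payload
    if (plen < kPppProtoLen || kEthHdrLen + kPppoeHdrLen + plen > len) { r.malformed = true; return r; }
    uint16_t ppp_proto = be16(pppoe + kPppoeHdrLen);
    if (ppp_proto == kPppIpv4 || ppp_proto == kPppIpv6)
        r.ip_offset = need;             // this is the "header size to skip" from the post
    else
        r.is_signalling = true;         // LCP 0xc021, IPCP 0x8021, PAP, CHAP, ...
    return r;
}

// Constructed Ethernet frame with fixed sample MACs, the given Ethertype and payload.
std::vector<uint8_t> make_frame(uint16_t ethertype, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> f = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   // dst MAC (constructed)
                              0x02, 0x00, 0x00, 0x00, 0x00, 0x02};  // src MAC (constructed)
    f.push_back((uint8_t)(ethertype >> 8));
    f.push_back((uint8_t)(ethertype & 0xff));
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

// Constructed PPPoE session frame (session id 1) carrying one PPP protocol + payload.
std::vector<uint8_t> make_pppoe_session_frame(uint16_t ppp_proto, const std::vector<uint8_t>& ppp_payload) {
    uint16_t plen = (uint16_t)(kPppProtoLen + ppp_payload.size());
    std::vector<uint8_t> p = {0x11, 0x00, 0x00, 0x01, (uint8_t)(plen >> 8), (uint8_t)(plen & 0xff),
                              (uint8_t)(ppp_proto >> 8), (uint8_t)(ppp_proto & 0xff)};
    p.insert(p.end(), ppp_payload.begin(), ppp_payload.end());
    return make_frame(kEthPppoeSession, p);
}

PppoeResult locate_frame(const std::vector<uint8_t>& f) {
    return locate_ip_in_pppoe(f.data(), f.size());
}

// Same, but as if the capture were cut off after `keep` bytes (snaplen too small).
PppoeResult locate_truncated(const std::vector<uint8_t>& f, size_t keep) {
    return locate_ip_in_pppoe(f.data(), keep < f.size() ? keep : f.size());
}

int main() {
    PppoeResult ip = locate_frame(make_pppoe_session_frame(kPppIpv4, {0x45, 0x00}));
    PppoeResult lcp = locate_frame(make_pppoe_session_frame(0xc021, {0x01, 0x01, 0x00, 0x04}));
    std::printf("IPv4 over PPPoE: ip_offset=%zu signalling=%d\n", ip.ip_offset, ip.is_signalling);
    std::printf("LCP over PPPoE:  ip_offset=%zu signalling=%d\n", lcp.ip_offset, lcp.is_signalling);
    return 0;
}
```

With the IPv4 case the IP header starts 22 bytes into the frame (14 + 6 + 2), which is the value a capture layer would add to its link-header length; with LCP the frame is flagged as signalling and nothing downstream should complain about a non-IP packet.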
> In order to make an OpenBSD port, I have to patch Bro but I can't find
> any CVS.
Bro is not presently available via public CVS. Please send patches to
me so I can integrate them into future releases.
Vern
Hello,
Now, thanks to Vern, everything works fine with Bro under OpenBSD 3.3!
But before it worked well, I had modified the sources (a few lines in
TCP_Rewriter.cc) and the Makefile.
In order to make an OpenBSD port, I have to patch Bro but I can't find
any CVS. Do I modify the 0.8a20 version? If I do, where could I find
the Makefile.am needed to generate the Makefile (via automake..)?
If you have any suggestions, I'm open to them!
Thanks & regards,
--
Sylvain de Tilly
"Let's all go GNU!"
a GNUdist.
hi all,
Well, this doubt is certainly not specific to any IDS, but I just wanted to
put it to our Bro community.
In an IDS scenario, we say that the sensors and the main IDS server, when deployed,
communicate with each other. Now there is a special term known as
"backbone network", about which specialists say that the IDS does not rely
on the underlying network, so that attackers cannot compromise the
messages transferred by the IDS system.
What could this backbone network be? It seems to be different from the
normal TCP/IP... or is it the same, with a different technique used?
Can anyone throw some light on this topic?
Thanks and regards,
Mayank Bhatnagar
National Centre for Software Technology,
Bangalore, India.
For what you are doing, you will need to either edit scan.bro to
remove the hostnames, for example replacing
const skip_scan_sources = {
...
};
with
const skip_scan_sources: set[addr];
(you can't replace it with just "const skip_scan_sources = { };", because
then Bro can't figure out the variable's type); or you could arrange for
the DNS service on your box to resolve them directly via /etc/hosts.
Vern
> >an empty value after loading the scan rule (loading via http rule) ;
> ~~~~~~~~~~~~try 127.0.0.1
That will often work too, though it's potentially a bit risky - you need
to understand how the variable's used in order to be sure that 127.0.0.1
won't ever be a legitimate value for it. It's cleaner to change it per
the description in my previous note, that way the intent is clear.
Vern
>I'm trying to configure a bridge-firewall with the bro IDS on it to
>check web traffic (for example). But I have some troubles. Actually, if
>I launch bro with the http rules, due to dependencies I have to load the
>scan rules. And the scan rules try to connect to some machines... But my
>aim is to have an IDS without an IP address, so without connections from
>and to the bridge.
>
>Due to that, bro gives me a lot of warnings and takes very long to
>launch...
>
>I try to modify the rules via my conf file but there are some kinds I
>don't understand. For example, if I change "skip_scan_sources" to
>an empty value after loading the scan rule (loading via http rule);
~~~~~~~~~~~~try 127.0.0.1
>bro tries to resolve the addresses before changing the value. And if I put the
>redef variable before loading the rule, Bro says to me: "redef" used but
>not previously defined"...
>
>I think there are some fundamental things I don't understand but I'll
>try to.
>
>If anybody has an idea about that or eventually a configuration file
>to give me some ideas, it would be great!