Hi,
I wrote a patch that enables Bro to compile on an OpenBSD system. This
patch is downloadable here:
http://www.detilly.net/ids/download/bro-0.8a32-OpenBSD.patch
See the README.OpenBSD which is given in the patch.
You should use the bind library too, because the libc resolv functions
are not as complete as FreeBSD's. If you don't want to install
all the bind9 sources, I have separated out the interesting part here:
http://www.detilly.net/ids/download/bind.tgz
Regards,
--
Sylvain de Tilly
"Let's all go GNU!"
a GNUdist.
> PktSrc.h:26:18: pcap.h: No such file or directory
> make: *** [main.o] Error 1
>
> I "fix" it by adding 'INCLS = -Ilinux-include -I/usr/include/pcap'
One of the recent additions was to change
#include "pcap.h"
in PktSrc.h to
#include <pcap.h>
I imagine this is the problem. I'm not quite sure what's the "right"
solution here, but maybe we should just go back to using "pcap.h". That's
what I've tentatively done.
> util.cc: In function `void init_random_seed ()':
> util.cc:395: `uint32_t' undeclared (first use this function)
I've changed this to uint32 (and also for the declaration of "result" a
little later in the function). That should do the trick.
Vern
> I encountered a problem while compiling bro (v0.8a20) on a Linux machine.
As just announced on the bro-devel(a)lbl.gov list, there's now a new "CURRENT"
release, 0.8a32, available from
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.8-current.tar.gz
Please give it a try and see whether it fixes the portability problems
you encountered - it should build better under Linux now.
> Well, is there the archive for this mailing list?
Yes - "get bro archive" via majordomo(a)lbl.gov retrieves the archive, though
unfortunately it is only available as a single humongous file :-(.
Vern
This was caused by a subscriber who apparently auto-forwarded posts back
to the list. I've removed them, so that should fix the problem. Sorry
about the clutter!
Vern
Hello,
I encountered a problem while compiling bro (v0.8a20) on a Linux machine. I
wonder if anyone has had the same problem before. I have libpcap, flex, byacc,
and bison installed.
Here is the error msg.
---------------------------------------------------
g++ -o bif_parse.o -c bif_parse.cc
builtin-func.y:60: 'vector' is used as a type, but is not defined as a type.
builtin-func.y: In function `int yyparse()':
builtin-func.y:148: `args' undeclared (first use this function)
builtin-func.y:148: (Each undeclared identifier is reported only once for each
function it appears in.)
make: *** [bif_parse.o] Error 1
-----------------------------------------------------
Well, is there the archive for this mailing list?
If so, I may search the archive before throwing a question to the mailing
list. Thank you.
- Hyang-Ah
** WAR IS NOT AN ANSWER. GIVE PEACE A CHANCE. **
> > I used the trace file from NLANR to test Bro. But Bro does nothing but
> > report bad checksum.
>
>That's because those traces don't have any packet contents.
But the checksum function seems not to check the checksum of the contents,
just the packet header.
>
> > What should I do , to make trace file available to Bro?
>
>You should first consider whether it will be useful to analyze them with
>Bro, given a lack of contents.
I see that stepping.bro is using the ON/OFF algorithm when it reports the "time".
I have a novel way to detect connection pairs! And I want to compare my
algorithm with the ON/OFF one. :)
>
>If so, then "redef ignore_checksums = T" will turn off the checksum tests.
Have a nice day!
-- cloud
_________________________________________________________________
Chat with your online friends, use MSN Messenger: http://messenger.msn.com/cn
> > I have one more question: when Bro detected a Stepping Stone, it shows us a
> > time. Is the time when Bro sees a packet belonging to the Chain?
>
>It's the time when Bro's algorithm has determined that a stepping stone exists.
>You could follow the logic in stepping.bro regarding when it generates this
>output in order to determine this.
stepping.bro uses the networktime() function to report the time.
And networktime() is the time when it sees the packet!
It is different from currenttime().
Have a nice day!
-- cloud
Hello,
I updated the Manux patch which enables Bro to be a Prelude sensor
(the previous patch was here: http://manux.rstack.org/prelude_bro/).
Alerts are not as well integrated as in prelude-nids, but it could in the
near future be a very interesting sensor for Prelude.
You can download it here:
http://www.detilly.net/ids/download, it's the
"bro-0.8a20-prelude-sensor.patch" file. Don't hesitate to read the
readme.txt file before using the patch.
Any criticism is welcome.
Regards,
--
Sylvain de Tilly
"Let's all go GNU!"
a GNUdist.
> I have one more question: when Bro detected a Stepping Stone, it shows us a
> time. Is the time when Bro sees a packet belonging to the Chain?
It's the time when Bro's algorithm has determined that a stepping stone exists.
You could follow the logic in stepping.bro regarding when it generates this
output in order to determine this.
Vern
Sorry for the very long delay in replying to your message. I've been
really underwater :-(, but now am surfacing.
> I tried to use bro under Debian unstable (today's upgrade) and after some
> light modification, I was able to compile bro. But after that, I've a
> segmentation fault...
I am working on getting a new Bro "current" release out the door soon.
It will include a number of portability fixes.
> 3- I replaced '#include <hash_map>' by '#include <hash_map.h>' because
> hash_map wasn't found. This works fine but added a warning like this:
(The fix for this was to remove use of hash_map's completely.)
> I just changed "if ( prefix.compare(curr_name, 0, arglen ) )" to
> "if ( prefix.compare(arglen, 0, curr_name ) )"
FYI, this has been changed to:
if ( strncmp(curr_name, prefix.c_str(), arglen) )
> 6- A classical link problem with bro compilation under Linux, solved by
> replacing "-lresolv" by "/usr/lib/resolv.a" in the Makefile.
This one may remain - I'm not enough of an autoconf whiz to untangle
these sorts of headache.
> After that, the compilation goes to the end but, when I compile bro with
> the -g flag and run gdb, I could see this:
Once I get the "current" release out the door (and *do* bug me about it
if I let it lapse, sigh), please let me know if this remains.
Vern
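Vern's strncmp() replacement and the argument-swapped compare() call from the question do not test the same thing, and the difference is easy to miss because both compile. The snippet below is an added example, not Bro's code: it keeps the names curr_name, prefix and arglen from the thread, uses constructed sample values, and assumes (my reading of the call, not stated on the page) that arglen is the length of an abbreviated command-line argument being matched against a full option name.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Vern's replacement: compare the first arglen bytes of the two strings.
// Returns 0 on a match and non-zero otherwise, so the original
// `if ( strncmp(...) )` takes its branch on a MISMATCH.
int prefix_cmp_strncmp(const char* curr_name, const std::string& prefix, size_t arglen)
{
    return std::strncmp(curr_name, prefix.c_str(), arglen);
}

// Equivalent written with the standard std::string API (assumed modern
// libstdc++): compare at most arglen characters of each side. Wrapping
// curr_name in a std::string lets compare() clamp the lengths safely.
int prefix_cmp_string(const char* curr_name, const std::string& prefix, size_t arglen)
{
    return std::string(curr_name).compare(0, arglen, prefix, 0, arglen);
}

// The argument-swapped call from the question. compare(pos, len, s) compares
// prefix.substr(pos, len) with ALL of s; with pos = arglen and len = 0 the
// substring is empty, so the result is non-zero ("mismatch") for every
// non-empty curr_name, and it throws std::out_of_range if arglen > prefix.size().
int prefix_cmp_swapped(const char* curr_name, const std::string& prefix, size_t arglen)
{
    return prefix.compare(arglen, 0, curr_name);
}

int main()
{
    // Constructed sample: an abbreviated argument "--fi" against the
    // hypothetical long option "--filter".
    const std::string prefix = "--filter";
    const char* curr_name = "--fi";
    const size_t arglen = std::strlen(curr_name);

    std::cout << "strncmp: " << prefix_cmp_strncmp(curr_name, prefix, arglen) << '\n'
              << "string:  " << prefix_cmp_string(curr_name, prefix, arglen) << '\n'
              << "swapped: " << prefix_cmp_swapped(curr_name, prefix, arglen) << '\n';
    return 0;
}
```

The first two variants return 0 for "--fi" and non-zero for "--fo"; the swapped variant returns non-zero for both, which is why a build that merely compiles after such an edit still needs the behaviour re-checked.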