> Here is a trivial patch providing the current bro release with an Rsh
> analyser.
> It used to allow the detection of funny behaviors like local/remote
> username mismatch, interactive shell in rsh, etc.
Thanks! I've integrated this and will include it in either the next release
(out quite soon) or the one after.
Vern
Hi all,
First, I must thank Christian, Robin and the others a lot for your help.
Well, another question :) There are many *.bif files in the src directory. I don't know the format and use of these files. Please explain it in as much detail as possible. Thanks!
Best Regards,
Cliff
Hi all,
In Vern's paper, "Bro: A System for Detecting Network Intruders in Real-Time", there are the following sentences:
"The resulting filtered packet stream is then handed up to the next layer, the Bro "event engine." This layer first performs several integrity checks to assure that the packet headers are well-formed, including verifying the IP header checksum. If these checks fail, then Bro generates an event indicating the problem and discards the packet. It is also at this point that Bro reassembles IP fragments so it can then analyze complete IP datagrams."
However, I can't find the implementation details in the source code, i.e. "verifying the IP header checksum" and "reassembles IP fragments".
I hope to get your help. Thanks a lot!
Best Regards,
Cliff
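The two steps the paper passage quoted above describes, verifying the IPv4 header checksum and reassembling fragments into a complete datagram, as an added example written for this page. It is not Bro's code and does not show where in the Bro sources these steps live; it follows the RFC 791 header layout and RFC 1071 checksum. The addresses, IP ID, 40-byte payload and the `build_fragments` helper are constructed test input, not captured traffic.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag in the flags/offset word
IP_OFFMASK = 0x1FFF   # fragment offset, in units of 8 bytes


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used for the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Integrity checks on an IPv4 header; raises ValueError instead of returning a bad packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or not ihl <= total_len <= len(pkt):
        raise ValueError("bad version/length fields")
    # Summing the header with its stored checksum field included must give zero.
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8,
            "payload": pkt[ihl:total_len]}


class Defragmenter:
    """Reassemble IPv4 datagrams keyed on (src, dst, id, proto)."""

    def __init__(self):
        self.pending = {}   # key -> {"frags": {offset: bytes}, "total": int or None}

    def feed(self, hdr: dict):
        """Return the complete payload once all pieces are present, else None."""
        if not hdr["mf"] and hdr["offset"] == 0:
            return hdr["payload"]                      # unfragmented datagram
        if hdr["mf"] and len(hdr["payload"]) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        entry = self.pending.setdefault(key, {"frags": {}, "total": None})
        entry["frags"][hdr["offset"]] = hdr["payload"]
        if not hdr["mf"]:                              # the last fragment fixes the total length
            entry["total"] = hdr["offset"] + len(hdr["payload"])
        if entry["total"] is None:
            return None
        pos, out = 0, bytearray()
        for off in sorted(entry["frags"]):
            if off > pos:
                return None                            # hole: still waiting for a piece
            if off < pos:
                raise ValueError("overlapping fragments")   # classic evasion; refuse to guess
            out += entry["frags"][off]
            pos += len(entry["frags"][off])
        if pos != entry["total"]:
            return None
        del self.pending[key]
        return bytes(out)


def build_fragments(src, dst, ident, proto, payload, frag_size=16, ttl=64):
    """Constructed test input: fragment `payload` into valid IPv4 packets (not captured traffic)."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        mf = IP_MF if off + frag_size < len(payload) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          mf | (off // 8), ttl, proto, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def demo():
    """Reassemble out-of-order fragments, then show a corrupted header being rejected."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = bytes(range(40))                         # constructed: 16 + 16 + 8 byte fragments
    frags = build_fragments(src, dst, 0x1234, 17, payload)
    d = Defragmenter()
    results = [d.feed(parse_ipv4(f)) for f in reversed(frags)]   # deliver the last piece first
    damaged = bytearray(frags[0])
    damaged[8] ^= 0x01                                 # flip one bit in the TTL
    try:
        parse_ipv4(bytes(damaged))
        rejected = False
    except ValueError as e:
        rejected = "checksum" in str(e)
    return results == [None, None, payload] and rejected
```

`demo()` returns True: the two leading fragments yield nothing until the hole is filled, the third completes the datagram, and the bit-flipped header fails the checksum before any fragment handling happens. Overlapping fragments are rejected outright rather than resolved by a first-or-last-wins policy, since different hosts resolve overlaps differently and that ambiguity is exactly what evasion tools exploit.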
Here is a trivial patch providing the current bro release with an Rsh
analyser.
It used to allow the detection of funny behaviors like local/remote
username mismatch, interactive shell in rsh, etc.
Of little interest now, but as it was still on the wish list...
Manu
Hi,
are the following observations correct:
- When Bro encounters a flow mid-stream and that flow gets shut down
normally in the end, I see "SF" in connection summaries.
- Also, it appears that when one port is well-known and the other is
ephemeral, Bro assumes that the connection was established from the
ephemeral to the well-known one.
This is based on the following tiny trace:
http://www.cl.cam.ac.uk/~cpk25/outback/http-single-midstream.trace
I'm asking because I'm selecting flows from a trace based on this output
and the semantics matter. Intuitively I would have assumed that SF is
only printed for flows seen in their entirety. OTH, however, seems to
stand for just mid-stream data with neither handshake nor teardown seen,
and there doesn't seem to be a symbol for flows seen from mid-stream to
the end?
Thanks,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25  http://www.whoop.org
Hi,
I'm a student in the UK learning Software Engineering (1st Year) and I
am learning Linux the hard way.
I'm trying to install bro and the ./configure process works fine, but
when I try to make it just gives me this:
[root@localhost bro-pub-0.8a87]# make
g++ -I. -Ilibedit -O -Ilinux-include -c parse.cc
y.tab.c: In function `int yyparse()':
y.tab.c:1838: error: invalid types `int[int]' for array subscript
make: *** [parse.o] Error 1
I was wondering if it's something I've done wrong or something I missed.
I apologise if I seem new to this because I am.
Doug
> When Bro sees an ACK for a packet before the packet
> itself (packet reordering), it considers that it already
> delivered the packet to the upper protocols, because
> it's acked. (see TCP_Contents.cc, line 272).
>
> I was wondering whether this is the intended behavior
> or it's a bug.
Note, that's *not* packet reordering in the sense of a network phenomenon.
Causality requires that acknowledgments come *after* the packets they
acknowledge!
So it's intended behavior. It only becomes a problem in traces for which
causality is broken. Unfortunately, this can happen due to reading from
multiple NICs which have large buffers. If this is a problem in your
environment, you can use packet_sort_window to sort the packets based
on timestamps (assuming your NICs timestamp them correctly - if not,
then all is lost ...).
Vern
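The behaviour discussed in the exchange above, as an added example written for this page (it is not Bro's code, and the model is deliberately small): a content tracker that treats bytes the peer has already acknowledged as delivered, so data that shows up afterwards for that range is dropped, and a timestamp sort window that repairs a trace whose file order violates causality. The three-packet trace is constructed, sequence numbers are relative to the start of each direction's payload stream, and modelling the sort window as a time interval in seconds is an assumption about `packet_sort_window` made here.

```python
import heapq
from collections import namedtuple

# Constructed packet model (not a pcap): ts in seconds, dir "orig"/"resp", seq relative
# to the start of that direction's payload stream, ack the peer's next expected byte
# (None if the segment carries no ACK).
Pkt = namedtuple("Pkt", "ts dir seq ack payload")


class TcpContents:
    """Per-direction delivery of TCP payload, modelled on the behaviour described above.

    An ACK covering bytes never observed makes the stream skip ahead (the bytes are
    assumed delivered) and records a content gap; data that arrives later for that
    range is dropped as already acknowledged."""

    def __init__(self):
        self.next_seq = {"orig": 0, "resp": 0}
        self.delivered = {"orig": b"", "resp": b""}
        self.pending = {"orig": {}, "resp": {}}    # seq -> bytes, held until contiguous
        self.gaps = []                              # (dir, start, end) ranges acked but never seen

    def process(self, p):
        peer = "resp" if p.dir == "orig" else "orig"
        if p.ack is not None and p.ack > self.next_seq[peer]:
            self.gaps.append((peer, self.next_seq[peer], p.ack))
            self.next_seq[peer] = p.ack
        if not p.payload:
            return "ack"
        if p.seq + len(p.payload) <= self.next_seq[p.dir]:
            return "dropped: already acked"
        self.pending[p.dir][p.seq] = p.payload
        self._drain(p.dir)
        return "delivered" if p.seq not in self.pending[p.dir] else "held: out of order"

    def _drain(self, d):
        """Deliver every pending segment that covers the next expected byte."""
        while True:
            nxt = self.next_seq[d]
            hit = next((s for s, b in self.pending[d].items() if s <= nxt < s + len(b)), None)
            if hit is None:
                return
            data = self.pending[d].pop(hit)
            self.delivered[d] += data[nxt - hit:]
            self.next_seq[d] = hit + len(data)


class SortWindow:
    """Reorder packets by timestamp: a packet is released only once a packet at least
    `window` seconds newer has arrived, or at flush (assumed model of packet_sort_window)."""

    def __init__(self, window):
        self.window, self.heap, self.n = window, [], 0

    def push(self, p):
        heapq.heappush(self.heap, (p.ts, self.n, p))   # n breaks ties so Pkts never compare
        self.n += 1
        out = []
        while self.heap and p.ts - self.heap[0][0] >= self.window:
            out.append(heapq.heappop(self.heap)[2])
        return out

    def flush(self):
        return [heapq.heappop(self.heap)[2] for _ in range(len(self.heap))]


def run(trace, window=None):
    """Replay a trace in file order, optionally through a SortWindow; returns (tracker, notes)."""
    if window is not None:
        sw, ordered = SortWindow(window), []
        for p in trace:
            ordered += sw.push(p)
        trace = ordered + sw.flush()
    tc = TcpContents()
    return tc, [tc.process(p) for p in trace]


# Constructed trace with broken causality: the responder's ACK (say, read from a second
# NIC with a large buffer) was written to the file before the data it acknowledges,
# although its timestamp is later.
BROKEN_TRACE = [
    Pkt(1.000, "orig", 0, None, b"GET / "),
    Pkt(1.002, "resp", 0, 11, b""),          # acks bytes [0, 11) of orig
    Pkt(1.001, "orig", 6, None, b"HTTP/"),   # bytes [6, 11), captured late
]

if __name__ == "__main__":
    for w in (None, 0.005):
        tc, notes = run(BROKEN_TRACE, window=w)
        print("window=%s" % w, notes, tc.delivered["orig"], tc.gaps)
```

Replayed as-is, the ACK advances the originator stream to byte 11 and records the gap [6, 11); the data segment that follows is dropped, so only `GET / ` reaches the analyzer. With a 5 ms sort window the data segment is released before the ACK, the full `GET / HTTP/` is delivered and no gap is recorded. As the reply notes, this only helps when the NICs' timestamps are trustworthy; sorting by wrong clocks reorders nothing useful.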