zeek June 2004

zeek@lists.zeek.org

11 participants
19 discussions

compile problems on Mac OS X (with XCode 1.2 and BIND9)

by Ruoming Pang

Hi, I don't if this is the right list to post this message, but in case someone has the same problem, she can resolve it manually before we fix in in the configure script. (Vern, I can't find project Bro on either Mantis or bugzilla.) I am trying to compile Bro on a Mac OS X and encounter the following two problems, both related to nb_dns.c: The first is compile error. It is because the header file arpa/nameser.h does not define HEADER, which is defined in arpa/nameser_compat.h. nameser_compat.h will be included by nameser.h only if BIND_8_COMPAT is defined, but I don't know if we should define that. After including nameser_compat.h in nb_dns.c, it is able to compile correctly. gcc -I. -Ilibedit -O -c nb_dns.c nb_dns.c: In function `_nb_dns_mkquery': nb_dns.c:255: error: syntax error before '*' token nb_dns.c:306: error: `hp' undeclared (first use in this function) nb_dns.c:306: error: (Each undeclared identifier is reported only once nb_dns.c:306: error: for each function it appears in.) nb_dns.c:306: error: `HEADER' undeclared (first use in this function) nb_dns.c:306: error: parse error before ')' token nb_dns.c: In function `nb_dns_host_request2': nb_dns.c:340: error: `T_A' undeclared (first use in this function) nb_dns.c:345: error: `T_AAAA' undeclared (first use in this function) nb_dns.c: In function `nb_dns_addr_request2': nb_dns.c:412: error: `T_PTR' undeclared (first use in this function) nb_dns.c: In function `nb_dns_activity': nb_dns.c:468: error: `HFIXEDSZ' undeclared (first use in this function) nb_dns.c:576: error: `T_A' undeclared (first use in this function) nb_dns.c:577: error: `T_AAAA' undeclared (first use in this function) nb_dns.c:605: error: `T_PTR' undeclared (first use in this function) make: *** [nb_dns.o] Error 1 Next came the link error: ld: Undefined symbols: _res_9_dn_expand _res_9_init _res_9_mkquery _res_9_ns_initparse _res_9_ns_msg_getflag _res_9_ns_parserr This is because libresolv is not linked. Looking at the configure script reveals that it looks for libresolv.a, but only libresolv.dylib is available. Just adding '-lresolv' to Makefile solves the problem. Ruoming

16 years, 10 months

[Bro] add _ in "bad option termination" file : weird.log

by <rmkml

Hi, I found this new event : bad option termination in weird.log but this event not contains "_" ? Possible change to : ? bad_option_termination Regards Rmkml(a)Wanadoo.fr

16 years, 10 months

Re: no response from bro get archive

by Vern Paxson

> I want to read the bro archives. > > After sending - get bro archive - to majordomo(a)bro-ids.org, from two different mailing addresses I have received the following responses: > I'm now back from vacation and am looking into this. This happened a few months ago because a virus was in one of the (spam) messages in the archive, and the viruswall wouldn't allow it to be sent outbound. That may have happened again, sigh. Vern

16 years, 10 months

Re: [Bro] add detect bad tcp options ?

by Vern Paxson

> I received this packet, > but bro not detect bad tcp options, > possible pb on bro ? > because 'bad tcp cksum' ? If the TCP checksum is bad, then the packet is ill-formed. It does not make sense in that case to complain about a bad option, since the packet cannot be processed in any case. > why bro detect OTH ? Because the connection is not in a well-defined state. Bro does *not* consider it to have corresponded to a SYN being sent, because the packet carrying the SYN was ill-formed. For all it can tell, part of the damage to the packet might have been to the control flags, and the SYN setting is bogus. Vern

16 years, 10 months

Broccoli 0.4 released

by Christian Kreibich

Hi all, I've just released version 0.4 of Broccoli. Not much new in the code but it now comes with a -- tadaa -- manual that you can also see online at http://www.cl.cam.ac.uk/~cpk25/broccoli/manual/ You can grab a tarball here: http://www.cl.cam.ac.uk/~cpk25/downloads/broccoli-0.4.tar.gz Regards, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

16 years, 10 months

testing cross bro communication

by scott campbell

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have begun testing the cross-bro communication functionality, and have a few problems. Are there any example configurations that I might look at? Currently I have boxes acknowledging one another, but am having difficulty getting events to move across. Does anybody have any sort of documentation or examples? Anything would be helpful at this point... Many thanks! scott -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA2KI8K2Plq8B7ZBwRAkeWAKC2QbxpigefqhmRPVCaGINjC3Qv1wCg0v27 DcTy/qPa6z5CHh6PMQ/yJ9g= =ptxn -----END PGP SIGNATURE-----

16 years, 10 months

Re: compile problems on Mac OS X (with XCode 1.2 and BIND9)

by Christian Kreibich

On Mon, 2004-06-21 at 16:13, Ruoming Pang wrote: > I have the same problems with 0.8a86. > > Ruoming > > On Jun 21, 2004, at 7:04 PM, Ruoming Pang wrote: > > >> what version is this? > > > > It's the latest version: 0.9a2. Let me download 0.8 and see if that > > compiles. Somebody sponsor me a powerbook and I'll fix it in no time! *grin* (Sorry I have no way to reproduce that ... good luck!) Cheers, Christian. -- ________________________________________________________________________ http://www.cl.cam.ac.uk/~cpk25 http://www.whoop.org

16 years, 10 months

no response from bro get archive

by plucs＠bigpond.net.au

Hi, I want to read the bro archives. After sending - get bro archive - to majordomo(a)bro-ids.org, from two different mailing addresses I have received the following responses: -- >>>> get bro archive List 'bro' file 'archive' is being sent as a separate message. >>>> >>>> >>>> >>>> >>>> However, I have not receieved the archive files after many days. Regards, Phillip Lucs

16 years, 10 months

None

by plucs＠bigpond.net.au

get bro archive

16 years, 10 months

[Bro] add detect bad tcp options ?

by <rmkml

Hi, I received this packet, but bro not detect bad tcp options, possible pb on bro ? because 'bad tcp cksum' ? why bro detect OTH ? because three packet contain Syn set only. Regards 21:01:18.415654 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 12816, len 48) 21:01:21.267525 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 13811, len 48) 21:01:27.327379 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 15717, len 48) bro1.log:1087585278.415652 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X bro1.log:1087585281.267523 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X bro1.log:1087585287.327377 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X weird.log:1087585278.415652 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum PS: snort/prelude/firestorm not event this packet !

16 years, 11 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2004