> It looks like the bro/scripts/pm directory is missing from the tar ball. Is there any way I can get a copy?
I've put a snapshot in
http://www.icir.org/vern/tmp/bro-pm.tar.gz
- Vern
Greetings,
I'm in the process of building bro 0.90 on FreeBSD 5.2. I'm getting the following errors toward the end of the "make install" process:
/usr/bin/install -c -d /usr/local/bro/scripts/pm
/usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro
/usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro/Report
/usr/bin/install -c -d /usr/local/bro/scripts/pm/Bro/Log
/usr/bin/install -c site-report.pl /usr/local/bro/scripts/site-report.pl
/usr/bin/install -c -c -m 644 pm/Bro/Report.pm /usr/local/bro/scripts/pm/Bro/Report.pm
install: pm/Bro/Report.pm: No such file or directory
*** Error code 71
Stop in /usr/local/downloads/bro-pub-0.9a4a/scripts.
*** Error code 1
Stop in /usr/local/downloads/bro-pub-0.9a4a/scripts.
*** Error code 1
It looks like the bro/scripts/pm directory is missing from the tar ball. Is there any way I can get a copy?
Regards,
Randy
> I use bro,
>
> but not have more 1 link to InterNet,
>
> Possible disable split_routing detecting/function ?
If it's not possible that you're seeing split routing, then it's important
to figure out why Bro believes it's seeing it. You should capture a trace
using -w for which Bro reports split routing; see if running on the trace
off-line reproduces that message; and, if so, investigate the trace to
determine whether in fact the given connection is missing part of its
SYN/SYN-ACK pair.
Vern
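The last step of that procedure (checking the trace for connections missing part of their SYN/SYN-ACK pair) can be done as below. This is an added example, not part of the original thread or of Bro; it assumes a classic pcap file with Ethernet framing, and the function names and sample addresses are constructed for illustration.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def handshake_halves(pcap):
    """Map (client, cport, server, sport) to the handshake halves seen in the trace."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # file byte order
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet framing")
    seen, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue  # TCP header cut off by the snap length
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13] & (SYN | ACK)
        if flags == SYN:  # client -> server
            seen.setdefault((src, sport, dst, dport), set()).add("SYN")
        elif flags == (SYN | ACK):  # server -> client, so swap the endpoints
            seen.setdefault((dst, dport, src, sport), set()).add("SYN-ACK")
    return seen

def one_sided(pcap):
    """Connections for which the trace holds only one half of the SYN/SYN-ACK pair."""
    return {k: v for k, v in handshake_halves(pcap).items() if len(v) == 1}

# Constructed sample trace (addresses and ports are made up for this example).
def sample_frame(src, dst, sport, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = sample_pcap([
    sample_frame("10.0.0.5", "192.0.2.10", 40000, 80, SYN),
    sample_frame("192.0.2.10", "10.0.0.5", 80, 40000, SYN | ACK),
    sample_frame("192.0.2.10", "10.0.0.6", 80, 40001, SYN | ACK),  # SYN never captured
])
```

Calling one_sided() on the bytes of the trace written with -w lists each connection together with the half that was captured, which shows whether the monitoring point really sees only one direction.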
Good questions!
> global a: table[count] of table[addr] of port;
>
> 1) How do I create yields for the overall table, i.e., how
> do I create an object of type "table[addr] of port" ?
>
> I want to eventually have:
>
> global a: table[count] of table[addr] of port = {
> [0] = XXX,
> [1] = XXX,
> };
You have to do it the way you listed:
> global a0: table[addr] of port;
> global a1: table[addr] of port;
> global a: table[count] of table[addr] of port = {
> [0] = a0,
> [1] = a1,
> };
because there's currently no way to "construct" a table using an expression
by itself (unlike record constructors, such as [$foo=1, $bar="hi"]).
> 2) When I define attributes for the table, which table is
> affected, the total one, or the yield one?
The total one.
> If I define the original, total table as:
>
> global a: table[count] of table[addr] of port &write_expire= {
> [0] = a0,
> [1] = a1,
> };
>
> and I don't modify any of the values in a0, will the full
> a0 table expire, or just the values from a0?
If you want to affect the yield table, define its own type:
type yield_table: table[addr] of port &write_expire = 5 sec;
global a: table[count] of yield_table = { ... }
- Vern
> I think Vern meant to say "module FTP" and
>
> redef FTP::log_file = open_log_file("comex");
Yep, thanks! Hazards of sending email before one's morning coffee ...
Vern
I've got 2 questions on multi-dimensional tables. For
both of them, I'll try to work with:
global a: table[count] of table[addr] of port;
1) How do I create yields for the overall table, i.e., how
do I create an object of type "table[addr] of port" ?
I want to eventually have:
global a: table[count] of table[addr] of port = {
[0] = XXX,
[1] = XXX,
};
I can predefine all the subtables, and then assign them,
but it doesn't seem too clean.
global a0: table[addr] of port;
global a1: table[addr] of port;
global a: table[count] of table[addr] of port = {
[0] = a0,
[1] = a1,
};
2) When I define attributes for the table, which table is
affected, the total one, or the yield one? In other words,
if I define the original, total table as:
global a: table[count] of table[addr] of port &write_expire= {
[0] = a0,
[1] = a1,
};
and I don't modify any of the values in a0, will the full
a0 table expire, or just the values from a0?
TIA.
-Chema
In reply to Randolph Reitz <rreitz(a)fnal.gov> :
> When devfs creates the /dev/bpfxx files, it creates them as follows...
>
> crw------- 1 root wheel 23, 1 Sep 24 14:14 /dev/bpfxx
>
> After the /dev/bpfxx is created, bro complains that it can't read the
> /dev/bpfxx and stops. I change the owner to bro and then restart bro.
> The traffic I'm currently monitoring is not the Fermi border traffic,
> it's internal traffic. So only two bpfxx have been automatically
> created. When I hook up the border traffic, I expect that a lot of
> /dev/bpfxx will be created, so I need to find a way to tell devfs to
> create /dev/bpfxx with owner 'bro'. I don't know how to do this.
take a look at /etc/devfs.conf and /etc/rc.d/devfs
also man devfs
--eli
>
> The /dev/MAKEDEV doesn't exist in 5.2.
>
> Randy
>
> On Sep 24, 2004, at 4:43 PM, Vern Paxson wrote:
>
> >> OK, but the devfs devices are created as...
> >>
> >> gumshoe# ls -lt /dev/b*
> >> crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1
> >> crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0
> >>
> >> (I changed the owner from root to bro.) If bro is a member of group
> >> wheel, bro still can't read the device.
> >
> > I'm confused. If the files are mode 600 and "bro" owns them, then
> > it certainly should be able to read them ... !
> >
> >> I don't know how to control
> >> the permissions, owner or group of devfs devices. The devfs(5) man
> >> page is useless.
> >
> > So the problem is that devfs creates them on-the-fly, so you're not able
> > to alter their ownership? What happens if you create them statically via
> > /dev/MAKEDEV?
> >
> > Vern
> > _______________________________________________
> > Bro mailing list
> > Bro(a)ICSI.Berkeley.EDU
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> Randy Reitz
> Computer Security Team
>
>
> OK, but the devfs devices are created as...
>
> gumshoe# ls -lt /dev/b*
> crw------- 1 bro wheel 23, 1 Sep 24 14:14 /dev/bpf1
> crw------- 1 bro wheel 23, 0 Sep 24 14:14 /dev/bpf0
>
> (I changed the owner from root to bro.) If bro is a member of group
> wheel, bro still can't read the device.
I'm confused. If the files are mode 600 and "bro" owns them, then
it certainly should be able to read them ... !
> I don't know how to control
> the permissions, owner or group of devfs devices. The devfs(5) man
> page is useless.
So the problem is that devfs creates them on-the-fly, so you're not able
to alter their ownership? What happens if you create them statically via
/dev/MAKEDEV?
Vern