Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
Thank you, Jason!
It did the trick
Merry Christmas to you all!
Regards
Vidar S
Wed, 21.12.2005 at 13:35 -0800, Jason Lee (DSD staff) wrote:
> Vidar,
>
> Attached is a patch to fix your compile problem.
>
> All you should need to do is:
>
> % cd bro-1.0/src/
> % patch < openssl.patch
>
> Cheers,
> jason
>
> After a crash I had to reinstall Ubuntu Breezy. I then compiled Bro 1.0,
> and when I ran "make" I got this error:
> ...
> -L../aux/libpcap-0.7.2 -lpcap -lz /usr/lib/libresolv.a -ltermcap -lm
> /usr/bin/ld: warning: libc.so.5, needed
> by /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libtermcap.so, may
Did you recompile everything starting with a "make clean"? If not, then
it appears that the system you reinstalled differs a bit from the one used
to build the .o's, which is uncovering an inconsistency.
Vern
Hello!
After a crash I had to reinstall Ubuntu Breezy. I then compiled Bro 1.0,
and when I ran "make" I got this error:
make all-recursive
make[1]: Entering directory `/compile/bro-1.0'
Making all in aux
make[2]: Entering directory `/compile/bro-1.0/aux'
make all-recursive
make[3]: Entering directory `/compile/bro-1.0/aux'
Making all in adtrace
make[4]: Entering directory `/compile/bro-1.0/aux/adtrace'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/aux/adtrace'
Making all in cf
make[4]: Entering directory `/compile/bro-1.0/aux/cf'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/aux/cf'
Making all in hf
make[4]: Entering directory `/compile/bro-1.0/aux/hf'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/aux/hf'
Making all in rst
make[4]: Entering directory `/compile/bro-1.0/aux/rst'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/aux/rst'
Making all in scripts
make[4]: Entering directory `/compile/bro-1.0/aux/scripts'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/aux/scripts'
make[4]: Entering directory `/compile/bro-1.0/aux'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/compile/bro-1.0/aux'
make[3]: Leaving directory `/compile/bro-1.0/aux'
make[2]: Leaving directory `/compile/bro-1.0/aux'
Making all in src
make[2]: Entering directory `/compile/bro-1.0/src'
make all-recursive
make[3]: Entering directory `/compile/bro-1.0/src'
Making all in binpac
make[4]: Entering directory `/compile/bro-1.0/src/binpac'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/compile/bro-1.0/src/binpac'
make[4]: Entering directory `/compile/bro-1.0/src'
g++ -g -O2 -o bro dce_rpc_pac.o ncp_pac.o smb_pac.o main.o
net_util.o util.o parse.o scan.o re-parse.o re-scan.o rule-parse.o
rule-scan.o Active.o Anon.o Attr.o BackDoor.o Base64.o BPF_Program.o
BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o ConnCompressor.o
DCE_RPC.o DFA.o DNS.o DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o
Debug.o DebugCmds.o DebugLogger.o Desc.o Dict.o Discard.o EquivClass.o
Event.o EventHandler.o EventRegistry.o Expr.o FTP.o File.o Finger.o
Frag.o Frame.o Func.o Gnutella.o HTTP.o Hash.o ICMP.o ID.o Ident.o
IntSet.o InterConn.o IOSource.o IRC.o List.o Logger.o Login.o MIME.o
NCP.o NFA.o NFS.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o
OSFinger.o PacketFilter.o PacketSort.o PersistenceSerializer.o PktSrc.o
PolicyFile.o POP3.o Portmap.o PrefixTable.o PriorityQueue.o Queue.o RE.o
RPC.o Reassem.o RemoteSerializer.o Rlogin.o RSH.o Rule.o RuleAction.o
RuleCondition.o RuleMatcher.o ScriptAnaly.o SMB.o SmithWaterman.o SMTP.o
SSH.o Scope.o SerializationFormat.o SerialObj.o Serializer.o Sessions.o
StateAccess.o Stats.o SteppingStone.o Stmt.o TCP.o TCP_Contents.o
TCP_Endpoint.o TCP_Rewriter.o Telnet.o Timer.o Traverse.o TwoWise.o
Type.o UDP.o Val.o Var.o XDR.o bsd-getopt-long.o cq.o md5.o patricia.o
setsignal.o version.o strsep.o nb_dns.o -Llibedit -ledit
-L../aux/libpcap-0.7.2 -lpcap -lz /usr/lib/libresolv.a -ltermcap -lm
/usr/bin/ld: warning: libc.so.5, needed
by /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libtermcap.so, may
conflict with libc.so.6
/lib/libc.so.5: warning: the `gets' function is dangerous and should not
be used.
/lib/libc.so.5: warning: the `getpw' function is dangerous and should
not be used.
/lib/libc.so.5: warning: `sys_nerr' is deprecated; use `strerror' or
`strerror_r' instead
/lib/libc.so.5: warning: the use of `mktemp' is dangerous, better use
`mkstemp'
/lib/libc.so.5: warning: warning: `siggetmask' is obsolete;
`sigprocmask' is best
/lib/libc.so.5: warning: `sys_errlist' is deprecated; use `strerror' or
`strerror_r' instead
/lib/libc.so.5: warning: the use of `tmpnam' is dangerous, better use
`mkstemp'
/lib/libc.so.5: warning: the `llseek' function may be dangerous; use
`lseek64' instead.
/lib/libc.so.5: warning: the use of `tempnam' is dangerous, better use
`mkstemp'
/lib/libc.so.5: warning: the `getwd' function is dangerous and
should not be used.
RemoteSerializer.o: In function
`SocketComm::ProcessPeerCompress(SocketComm::Peer*)':
RemoteSerializer.cc:(.text+0x39eb): undefined reference to `vtable for
CompressedChunkedIO'
RemoteSerializer.o: In function `SocketComm::ProcessParentCompress()':
RemoteSerializer.cc:(.text+0x3fcc): undefined reference to `vtable for
CompressedChunkedIO'
collect2: ld returned 1 exit status
make[4]: *** [bro] Error 1
make[4]: Leaving directory `/compile/bro-1.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/compile/bro-1.0/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/compile/bro-1.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/compile/bro-1.0'
make: *** [all] Error 2
Any ideas?
Regards
Vidar E. Seeberg
This simple patch speeds up the cf program by 2-3 times (on my system)
for the typical log file I process, esp. conn logs.
It's based on the observation that the integer part of the unix
time typically repeats frequently (i.e., there are many connections
per second), so it caches the time from one line to the next, and only
bothers calling localtime() and strftime() if the time is different
from the one on the last line.
Mark
--- cf.c.orig 2005-12-16 09:28:22.000000000 -0800
+++ cf.c 2005-12-16 09:38:28.000000000 -0800
@@ -46,6 +46,8 @@
int utc = 0;
char *fmt = "%b %e %H:%M:%S";
char *lfmt = "%b %e %H:%M:%S %Y";
+time_t pt; /* time of previous line read */
+char ts[1024];
/* Forwards */
int main(int, char **);
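Review bot: the new file-scope `pt` and `ts` introduced by `+time_t pt;` and `+char ts[1024];` are only used inside cf.c, so declare them `static` rather than exporting the symbols, and the comment on `ts` should state that it now holds the formatted timestamp cached from the previous line, since its contents are expected to persist across loop iterations.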
@@ -128,7 +130,7 @@
register char *bp, *dotbp;
register struct tm *tp;
register int dot_count;
- char buf[1024], ts[128];
+ char buf[1024];
while (fgets(buf, sizeof(buf), fin)) {
bp = buf;
@@ -152,11 +154,14 @@
fputs(buf, fout);
continue;
}
- if (!utc)
- tp = localtime(&t);
- else
- tp = gmtime(&t);
- (void)strftime(ts, sizeof(ts), fmt, tp);
+ if (t != pt) { /* time different than last line */
+ if (!utc)
+ tp = localtime(&t);
+ else
+ tp = gmtime(&t);
+ (void)strftime(ts, sizeof(ts), fmt, tp);
+ pt = t;
+ }
fputs(ts, fout);
if (preserve && dotbp != NULL)
bp = dotbp;
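Review bot: the `if (t != pt)` check only works if `pt` starts at a value no input line can carry, but a file-scope `time_t` is zero-initialised, so a first line whose timestamp is exactly 0 would skip the formatting and the following `fputs(ts, fout);` would write the still-empty buffer; initialise `pt` to `(time_t)-1` or keep a separate first-line flag so the first line is always formatted. The comment on the `if` should also note that the cache is sound only because `utc` and `fmt` are fixed for the whole run, since neither is part of the cache key.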
> Here is a sample... it is just a handshake, but if you run
>
> $bro -r to-brolist_anonym.pcap brolite
>
> you will see in the conn.log file the BIG computation mistake...
Hmmm, this appears to be specific to brolite.bro. If I run on the trace
with mt.bro, it flags the sizes as "? ?", which seems fine in this case.
We'll look into it further.
Vern
Hi folks,
As regards the way bro deals with the number of bytes transferred for
each connection, it seems that bro DOES NOT keep a variable in which it
incrementally stores the sum of each packet size for all the packets
involved in that very connection, but instead does a certain computation
(I wonder how...) involving only the first and the last packet in the
connection... Am I correct?
I'm asking this question because I've found something very strange.
In bro's conn.log file there are lines like this:
Dec 1 00:22:53 1.058870 A B http 49331 80 tcp 886477697 ? RSTOS0 L
(yes it's correct, 800MB in 1 second) but if I look at the trace, this
is what I see:
A B
49331 --> 80 (SYN) Seq=0,Ack=0
49331 <-- 80 (ACK) Seq=0,Ack=0
49331 --> 80 (RST) Seq=0,Ack=188164531
(Only 3 packets transferred...)
Of course there's some bug in these hosts, but bro should not be
misled in computing the amount of bytes transferred inside a
connection. Could someone explain to me what's happening here?
Best regards,
Vincenzo
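As an added illustration (not Bro's code, and not a description of how Bro 1.0 actually computes the size field): a constructed model of the two accounting strategies the post contrasts, run over a copy of the three-packet handshake above, with a sanity check that flags a large gap between the header-derived estimate and the payload actually seen. The `Pkt` type, the function names and the check thresholds are assumptions made for this example.

```python
# Added example, not code from Bro or the Bro mailing list. The
# sequence-number model below is a deliberate simplification for
# illustration, not a claim about Bro 1.0's actual implementation.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    flags: set
    seq: int
    ack: int
    payload: int  # TCP payload bytes actually observed on the wire

# Constructed copy of the handshake shown in the post (A:49331 -> B:80).
TRACE = [
    Pkt("A", "B", {"SYN"}, 0, 0, 0),
    Pkt("B", "A", {"ACK"}, 0, 0, 0),
    Pkt("A", "B", {"RST"}, 0, 188164531, 0),
]

def bytes_by_payload(trace, src):
    """Incremental model: sum the payload bytes the endpoint really sent."""
    return sum(p.payload for p in trace if p.src == src)

def bytes_by_seq(trace, src):
    """Endpoint model: highest sequence number the peer acknowledged minus
    the sender's initial sequence number. It trusts whatever the hosts put
    in their headers, so a bogus ACK inflates the count."""
    sent = [p for p in trace if p.src == src]
    if not sent:
        return 0
    isn = sent[0].seq
    consumed = 1 if "SYN" in sent[0].flags else 0  # SYN uses one seq number
    acked = max((p.ack for p in trace if p.dst == src), default=isn)
    return max(acked - isn - consumed, 0)

def suspicious(trace, src, ratio=2, min_bytes=1500):
    """Flag a connection for review when the header-derived estimate is
    far above the bytes actually captured. Missed packets can cause a
    legitimate gap, so this is a review hint, not proof of a broken host."""
    est = bytes_by_seq(trace, src)
    seen = bytes_by_payload(trace, src)
    return est > min_bytes and est > ratio * max(seen, 1)

if __name__ == "__main__":
    for host in ("A", "B"):
        print(host, bytes_by_payload(TRACE, host), bytes_by_seq(TRACE, host),
              suspicious(TRACE, host))
```

Here host B is credited with 188164531 bytes by the sequence-number model despite zero observed payload, which is the kind of mismatch the check surfaces.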