zeek December 2005

zeek@lists.zeek.org

6 participants
7 discussions

by Mike Muratet

Greetings I am integrating bro into a larger system so that I can use it to keep track of connections (which seems easier than trying to write a method from scratch with pcap). I thought it would be straightforward to grep for print or email or alarm statements to figure out where to put the hooks for an IPC message but so far it eludes me. Is there a principal module for outputting the notifications? Thanks Mike

14 years, 1 month

Re: [Bro] Bro1.0 make-problem

by Vidar Evenrud Seeberg

Thank you, Jason! It did the trick Merry Christmas to you all! Regards Vidar S ons, 21,.12.2005 kl. 13.35 -0800, skrev Jason Lee (DSD staff): > Vidar, > > Attached is a patch to fix your compile problem. > > All you should need to do is: > > % cd bro-1.0/src/ > % patch < openssl.patch > > Cheers, > jason >

15 years, 9 months

Re: [Bro] Bro1.0 make-problem

by Vern Paxson

> After a crash I had to reinstall Ubuntu Breezy. I then compiled Bro 1.0, > and when "make" I got this error: > ... > -L../aux/libpcap-0.7.2 -lpcap -lz /usr/lib/libresolv.a -ltermcap -lm > /usr/bin/ld: warning: libc.so.5, needed > by /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libtermcap.so, may Did you recompile everything starting with a "make clean"? If not, then it appears that the system you reinstalled differs a bit from the one used to build the .o's, which is uncovering an inconsistency. Vern

15 years, 9 months

[Bro] Bro1.0 make-problem

by Vidar Evenrud Seeberg

Hello! After a crash I had to reinstall Ubuntu Breezy. I then compiled Bro 1.0, and when "make" I got this error: make all-recursive make[1]: Entering directory `/compile/bro-1.0' Making all in aux make[2]: Entering directory `/compile/bro-1.0/aux' make all-recursive make[3]: Entering directory `/compile/bro-1.0/aux' Making all in adtrace make[4]: Entering directory `/compile/bro-1.0/aux/adtrace' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/aux/adtrace' Making all in cf make[4]: Entering directory `/compile/bro-1.0/aux/cf' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/aux/cf' Making all in hf make[4]: Entering directory `/compile/bro-1.0/aux/hf' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/aux/hf' Making all in rst make[4]: Entering directory `/compile/bro-1.0/aux/rst' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/aux/rst' Making all in scripts make[4]: Entering directory `/compile/bro-1.0/aux/scripts' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/aux/scripts' make[4]: Entering directory `/compile/bro-1.0/aux' make[4]: Nothing to be done for `all-am'. make[4]: Leaving directory `/compile/bro-1.0/aux' make[3]: Leaving directory `/compile/bro-1.0/aux' make[2]: Leaving directory `/compile/bro-1.0/aux' Making all in src make[2]: Entering directory `/compile/bro-1.0/src' make all-recursive make[3]: Entering directory `/compile/bro-1.0/src' Making all in binpac make[4]: Entering directory `/compile/bro-1.0/src/binpac' make[4]: Nothing to be done for `all'. make[4]: Leaving directory `/compile/bro-1.0/src/binpac' make[4]: Entering directory `/compile/bro-1.0/src' g++ -g -O2 -o bro dce_rpc_pac.o ncp_pac.o smb_pac.o main.o net_util.o util.o parse.o scan.o re-parse.o re-scan.o rule-parse.o rule-scan.o Active.o Anon.o Attr.o BackDoor.o Base64.o BPF_Program.o BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o ConnCompressor.o DCE_RPC.o DFA.o DNS.o DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o Debug.o DebugCmds.o DebugLogger.o Desc.o Dict.o Discard.o EquivClass.o Event.o EventHandler.o EventRegistry.o Expr.o FTP.o File.o Finger.o Frag.o Frame.o Func.o Gnutella.o HTTP.o Hash.o ICMP.o ID.o Ident.o IntSet.o InterConn.o IOSource.o IRC.o List.o Logger.o Login.o MIME.o NCP.o NFA.o NFS.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o OSFinger.o PacketFilter.o PacketSort.o PersistenceSerializer.o PktSrc.o PolicyFile.o POP3.o Portmap.o PrefixTable.o PriorityQueue.o Queue.o RE.o RPC.o Reassem.o RemoteSerializer.o Rlogin.o RSH.o Rule.o RuleAction.o RuleCondition.o RuleMatcher.o ScriptAnaly.o SMB.o SmithWaterman.o SMTP.o SSH.o Scope.o SerializationFormat.o SerialObj.o Serializer.o Sessions.o StateAccess.o Stats.o SteppingStone.o Stmt.o TCP.o TCP_Contents.o TCP_Endpoint.o TCP_Rewriter.o Telnet.o Timer.o Traverse.o TwoWise.o Type.o UDP.o Val.o Var.o XDR.o bsd-getopt-long.o cq.o md5.o patricia.o setsignal.o version.o strsep.o nb_dns.o -Llibedit -ledit -L../aux/libpcap-0.7.2 -lpcap -lz /usr/lib/libresolv.a -ltermcap -lm /usr/bin/ld: warning: libc.so.5, needed by /usr/lib/gcc/i486-linux-gnu/4.0.2/../../../../lib/libtermcap.so, may conflict with libc.so.6 /lib/libc.so.5: warning: the `gets' function is dangerous and should not be used. /lib/libc.so.5: warning: the `getpw' function is dangerous and should not be used. /lib/libc.so.5: warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead /lib/libc.so.5: warning: the use of `mktemp' is dangerous, better use `mkstemp' /lib/libc.so.5: warning: warning: `siggetmask' is obsolete; `sigprocmask' is best /lib/libc.so.5: warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead /lib/libc.so.5: warning: the use of `tmpnam' is dangerous, better use `mkstemp' /lib/libc.so.5: warning: the `llseek' function may be dangerous; use `lseek64' instead. /lib/libc.so.5: warning: the use of `tempnam' is dangerous, better use `mkstemp'/lib/libc.so.5: warning: the `getwd' function is dangerous and should not be used. RemoteSerializer.o: In function `SocketComm::ProcessPeerCompress(SocketComm::Peer*)': RemoteSerializer.cc:(.text+0x39eb): undefined reference to `vtable for CompressedChunkedIO' RemoteSerializer.o: In function `SocketComm::ProcessParentCompress()': RemoteSerializer.cc:(.text+0x3fcc): undefined reference to `vtable for CompressedChunkedIO' collect2: ld returned 1 exit status make[4]: *** [bro] Error 1 make[4]: Leaving directory `/compile/bro-1.0/src' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/compile/bro-1.0/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/compile/bro-1.0/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/compile/bro-1.0' make: *** [all] Error 2 Any ideas? Regards Vidar E. Seeberg

15 years, 10 months

[Bro] cf.c speedup patch

by Mark Dedlow

This simple patch speeds up the cf program by 2-3 times (on my system) for the typical log file I process, esp. conn logs. It's based on the observation that the integer part of the unix time typically repeats frequently (ie, the are many connections per second) so it caches the time from one line to next, and only bothers calling localtime() and strftime() if the time is different than on the last line. Mark --- cf.c.orig 2005-12-16 09:28:22.000000000 -0800 +++ cf.c 2005-12-16 09:38:28.000000000 -0800 @@ -46,6 +46,8 @@ int utc = 0; char *fmt = "%b %e %H:%M:%S"; char *lfmt = "%b %e %H:%M:%S %Y"; +time_t pt; /* time of previous line read */ +char ts[1024]; /* Forwards */ int main(int, char **); @@ -128,7 +130,7 @@ register char *bp, *dotbp; register struct tm *tp; register int dot_count; - char buf[1024], ts[128]; + char buf[1024]; while (fgets(buf, sizeof(buf), fin)) { bp = buf; @@ -152,11 +154,14 @@ fputs(buf, fout); continue; } - if (!utc) - tp = localtime(&t); - else - tp = gmtime(&t); - (void)strftime(ts, sizeof(ts), fmt, tp); + if (t != pt) { /* time different than last line */ + if (!utc) + tp = localtime(&t); + else + tp = gmtime(&t); + (void)strftime(ts, sizeof(ts), fmt, tp); + pt = t; + } fputs(ts, fout); if (preserve && dotbp != NULL) bp = dotbp;

15 years, 10 months

Re: [Bro] wrong size computation

by Vern Paxson

> Here it is a sample... it is just an handshake but if you run > > $bro -r to-brolist_anonym.pcap brolite > > you will see in the conn.log file the BIG computation mistake... Hmmm, this appears to be specific to brolite.bro. If I run on the trace with mt.bro, it flags the sizes as "? ?", which seems fine in this case. We'll look into it further. Vern

15 years, 10 months

[Bro] wrong size computation

by Vincenzo Falletta

Hi folks, As regards the way bro deals with the number of bytes transferred for each connection, it seems that bro DOES NOT keep a variable in which incrementally stores the sum of each packet size for all the packets involved in that very connection, but instead does a certain computation (i wonder how...) involving only the first and the last packet in the connection... Am I correct? I'm asking this question because I've found something very strange. In bro's conn.log file there are lines like this: Dec 1 00:22:53 1.058870 A B http 49331 80 tcp 886477697 ? RSTOS0 L (yes it's correct, 800MB in 1 second) but if I look at the trace, this is what I see: A B 49331 --> 80 (SYN) Seq=0,Ack=0 49331 <-- 80 (ACK) Seq=0,Ack=0 49331 --> 80 (RST) Seq=0,Ack=188164531 (Only 3 packets transferred...) Of course there's some bug in these hosts, but bro should not be misleaded in computing the amount of bytes transferred inside a connection. Could someone explain me what's happening here? Best regards, Vincenzo

15 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2005