Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
It's been a couple weeks since I had a problem, so now I've got two. :)
1) hex-string to addr type conversion
I've got a udp packet that contains an IP address in the packet
contents[*]. I can easily grab it with sub_bytes() and end up with a
string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr
so I can do comparisons easily. After looking through the *.bif.bro
files for conversion functions I'm stuck. There's to_addr(), but the
string would need to actually be the IP address and not a hex
representation.
2) table of set initialization (curiosity)
I have something like this that works:
global myset: set[addr] = {192.168.1.1};
global mytable: table[string] of set[addr] = {
["blaa"] = myset,
};
When I try to combine that into one it breaks:
global mytable: table[string] of set[addr] = {
["blaa"] = 192.168.1.1,
};
bad tag in Val::CONVERTER (addr/table)
I read somewhere that 'bad tag' is an internal error and I should never
see it. I saw it. :)
-Mike
[*] -- It's a klog request for afs-kaserver3 through kaforwarder and
fakeka. So the originating requester's IP is stored in the epoch time
field of the RX packet. Whee!
[**] -- 141.142.222.33
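As an added illustration (not from the original thread or from Bro itself): the conversion Mike asks for, done in Python on the 4 raw bytes that sub_bytes() returned. The bytes are the wire representation of the address, so they are unpacked rather than parsed as text; the subnet list is a constructed example.

```python
import ipaddress
import struct

# Constructed sample: the raw 4-byte string from the post, "\x8d\x8e\xde!".
RAW_ADDR = b"\x8d\x8e\xde!"

def raw_to_addr(raw: bytes):
    """Convert a packed network-order address to an address object.

    A text parser such as to_addr() expects "141.142.222.33"; these bytes are
    the binary form instead, so unpack them. 4 bytes -> IPv4, 16 -> IPv6.
    """
    if len(raw) == 4:
        (as_int,) = struct.unpack("!I", raw)  # big-endian unsigned 32-bit
        return ipaddress.IPv4Address(as_int)
    if len(raw) == 16:
        return ipaddress.IPv6Address(raw)
    raise ValueError("expected 4 or 16 bytes, got %d" % len(raw))

def in_watched_nets(addr, nets):
    """True when addr falls inside any of the given subnets (constructed
    stand-in for a set[subnet] comparison)."""
    return any(addr in net for net in nets)

if __name__ == "__main__":
    addr = raw_to_addr(RAW_ADDR)
    watched = [ipaddress.ip_network("141.142.0.0/16")]
    print(addr, in_watched_nets(addr, watched))
```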
Hello,
I'm developing support for ICMPv6 in Bro and I have a problem with an
include I can't solve.
I have just added "#include <netinet/icmp6.h>" in net_util.h and I get
errors not (apparently) related to this change:
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src
-I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused
-I../linux-include -g -O2 -MT dns_pac.o -MD -MP -MF ".deps/dns_pac.Tpo"
-c -o dns_pac.o dns_pac.cc; \
then mv -f ".deps/dns_pac.Tpo" ".deps/dns_pac.Po"; else rm -f
".deps/dns_pac.Tpo"; exit 1; fi
../src/Analyzer.h:100: warning: 'class Analyzer::OutputHandler' has
virtual functions but non-virtual destructor
../src/dns_pac.h:328: error: expected ',' or '...' before '.' token
../src/dns_pac.h:424: error: expected ';' before '.' token
../src/dns_pac.h:425: error: expected `;' before 'uint16'
../src/dns_pac.h:453: error: expected ';' before '.' token
../src/dns_pac.h:454: error: expected `;' before 'uint16'
dns_pac.cc:535: error: expected ',' or '...' before '.' token
dns_pac.cc: In constructor
'binpac::DNS::DNS_rdata::DNS_rdata(binpac::DNS::DNS_message*,
binpac::uint16)':
dns_pac.cc:547: error: request for member 'icmp6_type' in 'rr_hdr',
which is of non-class type 'binpac::uint16'
dns_pac.cc:548: error: argument of type 'binpac::uint16
(binpac::DNS::DNS_rdata::)()const' does not match 'binpac::uint16'
dns_pac.cc: In member function 'int binpac::DNS::DNS_rdata::Parse(const
binpac::uint8*, const binpac::uint8*, binpac::DNS::ContextDNS*, int)':
dns_pac.cc:614: error: 'rr_hdr' was not declared in this scope
dns_pac.cc: In member function 'int binpac::DNS::DNS_rr::Parse(const
binpac::uint8*, const binpac::uint8*, binpac::DNS::ContextDNS*, int)':
dns_pac.cc:779: error: 'rr_hdr' was not declared in this scope
dns_pac.cc: In member function 'Val*
binpac::DNS::DNS_Flow::build_dns_answer(binpac::DNS::DNS_rr*)':
dns_pac.cc:1244: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc: In member function 'Val*
binpac::DNS::DNS_Flow::build_edns_additional(binpac::DNS::DNS_rr*)':
dns_pac.cc:1280: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc: In member function 'bool
binpac::DNS::DNS_Flow::process_dns_rr(binpac::DNS::DNS_rr*)':
dns_pac.cc:1311: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc:1320: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
I have made this modification in the bro-1.2.1 sources without any other
changes.
I have the same problem on GNU/Linux and OpenBSD 4.
Does anyone have an idea how to solve/debug this problem?
Thanks a lot!
Julien Desfossez
Registration for the Bro Hands-on Workshop, July 23-25, at
the San Diego Supercomputer Center (SDSC) is now open.
See: http://www.bro-ids.org/bro-workshop-2007/Bro07-workshop.html
Space is limited, so if you wish to attend please register as soon as
possible. Registration deadline is July 8.
The workshop will start with a half day Bro overview and tutorial
that is free and open to anyone who signs up. This
will be followed by a 2-day hands-on workshop that is only open
to a smaller number of registrants ($50 registration fee).
You must have a Unix-based laptop with a working Bro installation
to attend this part of the workshop.
If you have written any custom Bro policy scripts or Bro log file
analysis tools that you would like to present, please let us know.
If enough people register soon we will look into reserving a block of
hotel rooms.
Without tcp.bro the memory footprint of the Bro process increases until it
reaches the memory limit and Bro dies. I conducted the following tests:
1. bro -i eth0 profiling.bro
2. bro -i eth0 -f "tcp" profiling.bro
3. bro -i eth0 -f "tcp" profiling.bro tcp.bro
4. bro -i eth0 profiling.bro tcp.bro
Only test 4 didn't result in outrageous memory usage. Obviously the
capture-filter preventing the processing of data packets is the reason. But
I'm curious, what exactly does Bro store when processing data packets that
causes such a memory bloat? I would have figured the processing of data
packets only results in updating pre-existing connection state objects. Is
there any way to prevent this bloat without modifying the source code?
Thanks,
Eric
Hi all,
I have been working on the development of an ssl analyzer using binpac,
which is now finished. In the process of development, I have found and fixed
some bugs in binpac, as well as added an additional feature to binpac.
Attached you can find the patches for binpac in the bro-1.2.1 distribution
(binpac-[1-8].patch) with a file documenting the patches (
binpac-patch-doc.txt). I would like to ask you to have a look over those
patches (especially Ruoming). All of the patches should be applied with
patch -p1 in the main bro directory.
Cheers,
Tobias
I would like to have in myscript.bro
const SOMENETS : set[subnet] &redef;
and then run
bro 'SOMENETS += 1.2.3.0/8' myscript.bro
but I get an error
<params>, line 1 (1.2.3.0/8): error, bad initializer
Any chance this will work w/ slightly different syntax on the cmd line...?
Thanks,
Mike
Hi all,
as some of you will know, I am writing a SIP and (soonish) an RTCP analyzer
in BinPAC.
I have a question regarding the analysis of protocols which are
inlined into other protocols.
The relation of SIP to SDP could loosely be described as that of an HTML
header and body. When the Content-Length field in the SIP packet is
non-zero, there is an SDP payload that also needs to be parsed.
I am not sure if it would make more sense to hook another analyzer into
the SIP analyzer or to just parse the SDP payload within my SIP
analyzer.
Another consideration would be how to write the SDP analyzer in a way
that accounts both for standalone detection and as a plugin for my
SIP analyzer (working on packets vs working on data I feed it directly).
Any feedback is appreciated,
Richard
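One way to structure the split Richard describes, as an added Python sketch that is not part of the original thread or of Bro: a standalone SDP parser that the SIP parser calls only when Content-Length is non-zero, so the same function serves both the inline and the standalone case. The INVITE below is constructed, not captured traffic.

```python
import re

def parse_sdp(data: bytes):
    """Parse an SDP body into (type, value) pairs; usable on its own."""
    fields = []
    for line in data.decode("ascii").splitlines():
        if not line:
            continue
        m = re.fullmatch(r"([a-z])=(.*)", line)  # SDP lines are "x=value"
        if m is None:
            raise ValueError("malformed SDP line: %r" % line)
        fields.append((m.group(1), m.group(2)))
    return fields

def parse_sip(msg: bytes):
    """Split a SIP message into start line, headers and body, and hand the
    body to parse_sdp() only when Content-Length is non-zero."""
    head, sep, rest = msg.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) < length:  # body shorter than announced: do not parse it
        raise ValueError("body truncated: want %d bytes, have %d"
                         % (length, len(body)))
    sdp = None
    if length and headers.get("content-type", "").lower() == "application/sdp":
        sdp = parse_sdp(body)
    return {"start_line": lines[0], "headers": headers, "sdp": sdp}

# Constructed sample INVITE carrying an SDP body (not a real capture).
SDP_BODY = (b"v=0\r\n"
            b"o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
            b"s=-\r\n"
            b"c=IN IP4 192.0.2.10\r\n"
            b"m=audio 49170 RTP/AVP 0\r\n")
SIP_INVITE = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
              b"Content-Type: application/sdp\r\n"
              b"Content-Length: %d\r\n\r\n" % len(SDP_BODY)) + SDP_BODY

if __name__ == "__main__":
    print(parse_sip(SIP_INVITE)["sdp"])
```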
Hello All :
I came across the following run-time error which resulted in a crash of bro. Just thought I should bring this to your attention:
1178868745.638454 /usr/local/bro/policy/login.bro, line 608 (c): run-time error, value used but not set
I don't have packet traces so it would be difficult to pinpoint exactly what was going on. Let me know if you need any other details.
Thanks
Aashish