Greetings
I am integrating bro into a larger system so that I can use it to keep track
of connections (which seems easier than trying to write a method from
scratch with pcap). I thought it would be straightforward to grep for print
or email or alarm statements to figure out where to put the hooks for an IPC
message but so far it eludes me. Is there a principal module for outputting
the notifications?
Thanks
Mike
The problem:
type MyRecord = record {
    f1: SomeRecordType;
    f2: bytestring &length=body_len;
} &let {
    body_len: uint32 = f1.rec_len - sizeof(f1);
};
The above definition looks familiar, uh? It is a simplified version of
the DCE RPC PDU. If MyRecord is incrementally parsed, the sizeof(f1)
in the &let construct will cause trouble because getFieldBegin and
getFieldEnd can only be used for non-incrementally parsed records. If
the size of SomeRecordType is decidable statically (in the case of
DCE RPC, it is), then the patch fixes the problem. Now we can make
the PDU incrementally parsed.
Cheers,
Jimmy
____________________________________________________________
The future is not set. There is no fate but what we make
for ourselves. - Terminator II, Judgment Day
------------------------------------------------------------
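The MyRecord layout from the post, parsed incrementally in C as an added illustration (this is not Jimmy's patch and not binpac-generated code). It assumes a constructed 4-byte header whose first two bytes are a big-endian rec_len, so sizeof(f1) is a compile-time constant and body_len can be computed the moment the header is complete, before any body byte arrives; it also rejects the rec_len < sizeof(f1) case, where the subtraction would wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN  4u    /* sizeof(f1): constructed header = rec_len(2) + flags(2) */
#define BODY_MAX 256u  /* constructed cap on f2 for this example */

enum { PDU_NEED_MORE = 0, PDU_DONE = 1, PDU_ERROR = -1 };
struct pdu_parser {
    uint8_t  hdr[HDR_LEN];
    size_t   hdr_have;        /* header bytes accumulated so far */
    uint32_t body_len;        /* f1.rec_len - sizeof(f1); valid once hdr is complete */
    uint8_t  body[BODY_MAX];
    size_t   body_have;
};

void pdu_init(struct pdu_parser *p) { memset(p, 0, sizeof *p); }

/* Copy min(want, n) bytes from src to dst and return how many were copied. */
static size_t take_bytes(uint8_t *dst, size_t want, const uint8_t *src, size_t n)
{
    size_t take = want < n ? want : n;
    memcpy(dst, src, take);
    return take;
}

/* Feed one chunk of the stream. Returns PDU_DONE when the record is complete,
 * PDU_NEED_MORE when more bytes are required, PDU_ERROR for an invalid
 * rec_len (call pdu_init again before reusing the parser). */
int pdu_feed(struct pdu_parser *p, const uint8_t *data, size_t n)
{
    if (p->hdr_have < HDR_LEN) {
        size_t got = take_bytes(p->hdr + p->hdr_have, HDR_LEN - p->hdr_have, data, n);
        p->hdr_have += got;
        data += got; n -= got;
        if (p->hdr_have < HDR_LEN)
            return PDU_NEED_MORE;
        /* Header complete: the header size is static, so body_len is known
         * here, before a single body byte has been seen. */
        uint32_t rec_len = ((uint32_t)p->hdr[0] << 8) | p->hdr[1];
        if (rec_len < HDR_LEN)             /* f1.rec_len - sizeof(f1) would wrap */
            return PDU_ERROR;
        if (rec_len - HDR_LEN > BODY_MAX)  /* more body than we are willing to buffer */
            return PDU_ERROR;
        p->body_len = rec_len - HDR_LEN;
    }
    size_t got = take_bytes(p->body + p->body_have, p->body_len - p->body_have, data, n);
    p->body_have += got;
    return p->body_have == p->body_len ? PDU_DONE : PDU_NEED_MORE;
}
```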
It's been a couple weeks since I had a problem, so now I've got two. :)
1) hex-string to addr type conversion
I've got a udp packet that contains an IP address in the packet
contents[*]. I can easily grab it with sub_bytes() and end up with a
string like "\x8d\x8e\xde!" [**]. I'd like to convert that to an addr
so I can do comparisons easily. After looking through the *.bif.bro
files for conversion functions I'm stuck. There's to_addr(), but the
string would need to actually be the IP address and not a hex
representation.
2) table of set initialization (curiosity)
I have something like this that works:
global myset: set[addr] = {192.168.1.1};
global mytable: table[string] of set[addr] = {
["blaa"] = myset,
};
When I try to combine that into one it breaks:
global mytable: table[string] of set[addr] = {
["blaa"] = 192.168.1.1,
};
bad tag in Val::CONVERTER (addr/table)
I read somewhere that 'bad tag' is an internal error and I should never
see it. I saw it. :)
-Mike
[*] -- It's a klog request for afs-kaserver3 through kaforwarder and
fakeka. So the originating requester's IP is stored in the epoch time
field of the RX packet. Whee!
[**] -- 141.142.222.33
Hi,
Please, I am a researcher interested in testing your powerful system Bro to compare with our method of anomaly detection implemented in our laboratory in France;
Please, I have some questions; please, I need help to know the responses to them:
Our traces are files saved on a certain server in TCPDump format, and we need only to know if the anomalies in these traces are detected or not. Then we need only to test Bro with offline data, and then I am interested to know: can we do that?
And then, can we avoid the configuration phase of Bro (giving interface names and local nets)?
How can we get the detection alerts of Bro? Is it just by email?
If I want to run Bro in TRW mode, can I do it? And how?
I tried to install Bro, but I don't have a root login, and I tried to install it, and when I do configure, it gives an error that it does not find the OpenSSL libcrypto library. How can I resolve this problem to get to make and make install Bro?
thank you very much.
my mail is delrabih(a)yahoo.com
Oooops, sent the wrong patch. Here is the correct one. Sorry about that.
---------- Forwarded message ----------
Date: Thu, 7 Jun 2007 14:10:44 -0700 (PDT)
From: jmzhou.ml(a)gmail.com
Reply-To: Jingmin Zhou <zhouji(a)cs.ucdavis.edu>
To: bro(a)bro-ids.org
Subject: binpac const string size patch
Hi,
Here is a patch to fix length calculation of a const string. The problem:
if you define a const string such as "Whatever\x00" in binpac, the size of
the string becomes 8 instead of 9!
Happy hacking!
Jimmy
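An added C illustration of the length bug described in the patch mail (not Jimmy's patch, not binpac code): strlen stops at the first NUL, so a 9-byte constant such as "Whatever\x00" is measured as 8, and a matcher driven by that length never compares the final byte and accepts input it should reject. The constant, the inputs and the helper names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length of a string literal including any embedded NUL: the array size minus
 * the implicit terminator. A macro, so sizeof sees the array, not a pointer. */
#define LIT_LEN(lit) (sizeof(lit) - 1)

/* The defective calculation: strlen stops at the first NUL, so the 9-byte
 * constant "Whatever\x00" is reported as 8 bytes. */
size_t buggy_const_len(const char *s) { return strlen(s); }

/* Match the next lit_len input bytes against a constant of explicit length. */
bool match_const(const unsigned char *in, size_t n, const char *lit, size_t lit_len)
{
    return n >= lit_len && memcmp(in, lit, lit_len) == 0;
}

/* Constructed inputs: the first carries the NUL the constant requires, the
 * second has a different byte in that position. */
static const unsigned char with_nul[]   = { 'W','h','a','t','e','v','e','r', 0x00, 'X' };
static const unsigned char wrong_byte[] = { 'W','h','a','t','e','v','e','r', 0x41, 'X' };

/* With the truncated length the ninth byte is never compared, so the input
 * with the wrong byte is accepted. */
bool buggy_accepts_wrong_byte(void)
{
    return match_const(wrong_byte, sizeof wrong_byte, "Whatever\x00",
                       buggy_const_len("Whatever\x00"));
}

/* With the full 9-byte length only the input carrying the NUL matches. */
bool fixed_accepts_only_nul(void)
{
    return match_const(with_nul, sizeof with_nul, "Whatever\x00", LIT_LEN("Whatever\x00"))
        && !match_const(wrong_byte, sizeof wrong_byte, "Whatever\x00", LIT_LEN("Whatever\x00"));
}
```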
Hello,
I'm developing support for ICMPv6 in Bro and I have a problem with an
include I can't solve.
I have just added "#include <netinet/icmp6.h>" in net_util.h and I get
errors not (apparently) related to this change:
if g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src
-I. -I.. -Ilibedit -I../linux-include -O -W -Wall -Wno-unused
-I../linux-include -g -O2 -MT dns_pac.o -MD -MP -MF ".deps/dns_pac.Tpo"
-c -o dns_pac.o dns_pac.cc; \
then mv -f ".deps/dns_pac.Tpo" ".deps/dns_pac.Po"; else rm -f
".deps/dns_pac.Tpo"; exit 1; fi
../src/Analyzer.h:100: warning: 'class Analyzer::OutputHandler' has
virtual functions but non-virtual destructor
../src/dns_pac.h:328: error: expected ',' or '...' before '.' token
../src/dns_pac.h:424: error: expected ';' before '.' token
../src/dns_pac.h:425: error: expected `;' before 'uint16'
../src/dns_pac.h:453: error: expected ';' before '.' token
../src/dns_pac.h:454: error: expected `;' before 'uint16'
dns_pac.cc:535: error: expected ',' or '...' before '.' token
dns_pac.cc: In constructor
'binpac::DNS::DNS_rdata::DNS_rdata(binpac::DNS::DNS_message*,
binpac::uint16)':
dns_pac.cc:547: error: request for member 'icmp6_type' in 'rr_hdr',
which is of non-class type 'binpac::uint16'
dns_pac.cc:548: error: argument of type 'binpac::uint16
(binpac::DNS::DNS_rdata::)()const' does not match 'binpac::uint16'
dns_pac.cc: In member function 'int binpac::DNS::DNS_rdata::Parse(const
binpac::uint8*, const binpac::uint8*, binpac::DNS::ContextDNS*, int)':
dns_pac.cc:614: error: 'rr_hdr' was not declared in this scope
dns_pac.cc: In member function 'int binpac::DNS::DNS_rr::Parse(const
binpac::uint8*, const binpac::uint8*, binpac::DNS::ContextDNS*, int)':
dns_pac.cc:779: error: 'rr_hdr' was not declared in this scope
dns_pac.cc: In member function 'Val*
binpac::DNS::DNS_Flow::build_dns_answer(binpac::DNS::DNS_rr*)':
dns_pac.cc:1244: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc: In member function 'Val*
binpac::DNS::DNS_Flow::build_edns_additional(binpac::DNS::DNS_rr*)':
dns_pac.cc:1280: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc: In member function 'bool
binpac::DNS::DNS_Flow::process_dns_rr(binpac::DNS::DNS_rr*)':
dns_pac.cc:1311: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
dns_pac.cc:1320: error: 'class binpac::DNS::DNS_rr' has no member named
'rr_hdr'
I have made this modification in the bro-1.2.1 sources without any other
changes.
I have the same problem on GNU/Linux and OpenBSD 4.
Does anyone have an idea how to solve/debug this problem?
Thanks a lot!
Julien Desfossez
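An added C example, not from the original thread or from Bro, showing where the "rr_hdr" tokens in the errors above come from: on glibc and the KAME-derived BSD headers, netinet/icmp6.h defines accessor macros for the router-renumbering header, among them `#define rr_type rr_hdr.icmp6_type`, so a bare `rr_type` in any later declaration (the DNS RR field and constructor parameter in dns_pac.h included) is rewritten by the preprocessor. The struct, field names and decoder below are constructed stand-ins, and the `#undef` approach is one containment option, not Bro's fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <netinet/icmp6.h>

/* 1 if this libc's icmp6.h makes rr_type a macro. glibc and the KAME-derived
 * BSD headers declare the router-renumbering header with
 *     #define rr_type rr_hdr.icmp6_type
 * so every later bare use of rr_type is rewritten to rr_hdr.icmp6_type,
 * which is the token the compiler errors above trip over. */
int icmp6_header_defines_rr_type(void)
{
#ifdef rr_type
    return 1;
#else
    return 0;
#endif
}

/* One containment strategy: undo the colliding accessor macros right after
 * the include, before any declaration of our own. The other is to keep the
 * include out of a widely shared header such as net_util.h and confine it
 * to the ICMPv6 analyzer's own translation unit. */
#undef rr_type
#undef rr_code
#undef rr_cksum
#undef rr_seqnum

/* Constructed stand-in for the generated DNS RR header fields. */
struct dns_rr_fields {
    uint16_t rr_type;    /* declares cleanly only because the macro is gone */
    uint16_t rr_class;
};

/* Decode TYPE and CLASS from two big-endian 16-bit fields; returns the type,
 * or 0 when fewer than four bytes are available. */
uint16_t decode_rr_fields(const uint8_t *p, size_t n, struct dns_rr_fields *out)
{
    if (n < 4)
        return 0;
    out->rr_type  = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
    out->rr_class = (uint16_t)(((uint16_t)p[2] << 8) | p[3]);
    return out->rr_type;
}
```

A quick way to confirm the collision on a given platform is `grep -n 'define rr_type' /usr/include/netinet/icmp6.h`, or to call `icmp6_header_defines_rr_type()` from a small main.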