zeek August 2007

zeek@lists.zeek.org

17 participants
22 discussions

by abd abd

Hi, a would make a NIDS, for that i must construct a connections, one conection begin with Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack. I don't find an exemple, how make FLAG, flag can be S0, RSTO, SF, REJ. Can you give a documentation for construction of connections and attributs like FLAG, Duration, ..... Thank you verry mutch _____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail

13 years, 10 months

[Bro] A question about generating Makefile.in from Makefile.am

by Po-Ching Lin

Dear All, I added some files under the /src directory and modified Makefile.am to reflect the revision. I tried to use the 'autoconf' commands (e.g., autoscan and automake, etc.) to generate Makefile.in, as suggested on many on-line manuals, but failed to make it. Unlike the cases on these on-line manuals, Bro seems not to need 'configure.in' under the /src directory, but automake will complain of this. I am not so familiar with the autoconf tools. Would anyone please show me the pointer to solve the problem? Thanks. Best regards, -- Po-Ching Lin <pclin(a)cis.nctu.edu.tw>

13 years, 10 months

[Bro] how to deploy bro-ids on openbsd

by whiteln

Hi how to deploy bro-ids on openbsd? While I intall bro-ids on openbsd4.0,there are many errors. What is nessesary for deployment?

13 years, 10 months

[Bro] RST handling

by Adayadil Thomas

Greetings. I have a general TCP RST handling question. Assuming the state of a connection is established, and data has been transferred to and fro and then the server sends a RST packet (or two) [1] to the client and the session ends soon after. >From an IDS/IPS standpoint, - should the session be transitioned to closed upon seeing the first RST ? - if not, is the session marked as SEEN_RST or something and timed out ? >From an IPS point of view (which does not allow stateless traffic) knowing when to remove the connection is critical. is'nt it ? I would like to know from bro standpoint and in general. Thanks a lot for any information/viewpoint. -Ashley [1] Why does the server send two RST as in the example below -- 15:47:05.990438 192.168.0.1.8080 > 192.168.1.1.46615: R 1:1(0) ack 10500305 win 32768 <nop,nop,timestamp 44983385 1113850335> (DF) 15:47:05.990499 192.168.0.1.8080 > 192.168.1.1.46615: R 4223569903:4223569903(0) win 0 (DF)

13 years, 10 months

[Bro] Fwd: Re: Conections

by Sandro Reichert

Hi, sorry, I dont understand your question so I forwarded it to the list. Bye Sandro > Thank you verry mutch for answering my message, > > I would make a NIDS, for that i must construct a conections, one > conection begin with > Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack. > I don't find an exemple, how make FLAG, flag can be S0, RSTO, SF, REJ. > > Can you give a documentation for construction of connections and > attributs like FLAG, Duration, ..... > > Thank you verry mutch

13 years, 10 months

[Bro] Connections

by abd abd

13 years, 10 months

[Bro] Construction of connection

by abd abd

Hi, i would make a connection of protocol TCP, can you give me a documentation or an URL who explain why make this, Thank you verry mutch _____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail

13 years, 10 months

[Bro] Construction of connection

by abd abd

13 years, 10 months

[Bro] runtime-error, value used but not set

by Sandro Reichert

Hi all! We are using bro at Dresden University of Technology to develop a prototype of a mobile wireless ids. I use broccoli to communicate between my local bro and my manager-application. I need to add and remove peers for inter-bro-communication without restarting bro. Therefore I added some new events to remote.bro to add and remove peers. To close a active connection, I added some lines in RemoteSerializer and bro.bif(_orig) to call RS::CloseConnection. Adding and connecting new peers works fine, but I get the runtime-error 'value used but not set' when I call close_connection(id). What did I wrong? Thanks for your help! Sandro my changes: remote.bro: event broccoli_remove_peer(host : addr) { for(id in connected_peers) { if(connected_peers[id]$host == host) { print (fmt("remove peerID '%s', host = %s", id, host)); close_connection(id); } } } bro.bif / bro.bif.orig: function close_connection%(id: count%) : bool %{ return new Val(remote_serializer->CloseConnection(id),TYPE_BOOL); %} RemoteSerializer.h (public): bool CloseConnection(PeerID id); RemoteSerializer.cc: bool RemoteSerializer::CloseConnection(PeerID id) { return CloseConnection(LookupPeer(id, true)); }

13 years, 10 months

[Bro] Erata for the refference manual

by Hassan Syed

Hi guys, As I couldn't create a login for the wiki I'll post some minor errata for the reference manual. Hope its found to be usefull. ------------------------------------------------------------------------ ------------------------------------------ Table assignment section: The part to do with making an assignment to an entire table its a bit confusing as to what this functionality does. Perhaps it would be better to express this in a fashion similar to the "record assignment" section. where it talks about c'esque shallow and deep copies. The way this section is currently expressed was leading me to read more between the lines. ---------------------- Set section "Also as with tables, you can use the &create_expire, &read_expire, and &write_expire attributes to control the automatic expiration of elements in a set. Deficiency: However, the attribute is not currently supported." The attribute lacking is not mentioned causing the person to cross-reference back up to the table attributes. The assumption is that the expiry function attribute is missing. ---------------------- Sets and table section Both sections conclude with "you can loop over all of the indices in a set/table using the statement." The statement that does the looping is not shown. ------------------------------------------------------------------------ ------------------------------------------

13 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek August 2007