On Sun, Jan 27, 2008 at 02:26:01AM +0200, Georgios Spathoulas wrote:
> But it again stops complaining about openssl
>
> checking openssl/ssl.h usability... no
> checking openssl/ssl.h presence... no
> checking for openssl/ssl.h... no
> configure: error: cannot find openssl/ssl.h, sorry
> configure: error: /bin/bash './configure' failed for aux/broccoli
Just repeat installing libraries. In this case, you'll need some
flavor of libssl or openssl and the corresponding "dev" package. There
might be more unresolved dependencies like this, and the solution is
always the same :-)
Bernhard
--
Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin
Hello Guys,
Is anyone having ProtocolViolation alarms with Google
IPs? Analyzing the packet trace I've noticed that either GMAIL or
Google Talk is alerting Protocol Violation for the HTTP Analyzer.
t=1201268671.707425 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS
sa=x.x.x.x sp=1233/tcp da=209.85.171.86 dp=80/tcp msg=x.x.x.x/1233\ >\
209.85.171.86/http\ analyzer\ HTTP\ disabled\ due\ to\ protocol\
violation sub=not\ a\ http\ reply\ line tag=@4792
Tks
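Added example, not part of the post above and not Bro's own code: the alarm line quoted there is a sequence of key=value fields in which spaces inside a value are escaped with a backslash (that is why the msg= and sub= values are spread over several fragments). A naive whitespace split breaks those values apart, so this parser honours the escapes, then pulls out the responder endpoint so lines can be grouped by server and by sub-message. The sample line is constructed to match the one in the post; the poster's x.x.x.x source address is kept as a placeholder.

```python
from typing import Dict, List, Tuple

# Constructed sample, modelled on the alarm line quoted in the post. The source
# address keeps the poster's x.x.x.x placeholder; "\\ " in this Python literal
# is a backslash followed by a space, exactly as Bro writes an escaped space.
SAMPLE_ALARM = (
    "t=1201268671.707425 no=ProtocolViolation na=NOTICE_ALARM_ALWAYS "
    "sa=x.x.x.x sp=1233/tcp da=209.85.171.86 dp=80/tcp "
    "msg=x.x.x.x/1233\\ >\\ 209.85.171.86/http\\ analyzer\\ HTTP\\ disabled\\ "
    "due\\ to\\ protocol\\ violation "
    "sub=not\\ a\\ http\\ reply\\ line tag=@4792"
)


def split_fields(line: str) -> List[str]:
    """Split on whitespace, taking any backslash-escaped character literally.

    A plain str.split() would chop the msg= and sub= values into pieces.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # escaped character (usually a space)
            i += 2
            continue
        if ch.isspace():
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_alarm(line: str) -> Dict[str, str]:
    """Turn one key=value alarm line into a dict; values keep their unescaped spaces."""
    rec: Dict[str, str] = {}
    for field in split_fields(line):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        rec[key] = value
    return rec


def endpoint(rec: Dict[str, str], addr_key: str, port_key: str) -> Tuple[str, int, str]:
    """Return (address, port, transport) for a pair such as ('da', 'dp')."""
    port, _, proto = rec[port_key].partition("/")
    return rec[addr_key], int(port), proto


def summarise(rec: Dict[str, str]) -> str:
    """One-line summary: which notice, on which responder, and the analyzer's reason."""
    addr, port, proto = endpoint(rec, "da", "dp")
    return f"{rec['no']} on {addr}:{port}/{proto}: {rec['sub']}"


if __name__ == "__main__":
    print(summarise(parse_alarm(SAMPLE_ALARM)))
```

Grouping parsed records by the responder endpoint and the sub= value over a day of alarms answers the question in the post directly: whether the violations come from a few servers on port 80 that are speaking something other than HTTP, or are spread across many destinations.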
Hello to all,
I am an Intrusion Detection Researcher from Greece. I am trying to create an
experimental setup in order to test data fusion methods for combining
alerts from different IDSs.
I am trying to set up Bro IDS on an Ubuntu 7.10 system. I have tried both the 1.2 and
1.3 versions and I get the same error when I run the ./configure command:
checking for local pcap library... not found
checking for pcap_open_live in -lpcap... no
checking for pcap_open_live in -lpcap... no
configure: error: see the INSTALL doc for more info
I guess I am missing something. I have Snort installed on the same system; I
hope this does not create a problem.
Whoever can help, please post me a probable solution.
Thank you in advance.
The whole output of the ./configure command is
giorgos@m1330:~/Desktop/bro-1.3.2$ ./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking dependency style of gcc... gcc3
checking for flex... flex
checking for yywrap in -lfl... yes
checking lex output file root... lex.yy
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking for a BSD-compatible install... /usr/bin/install -c
checking whether make sets $(MAKE)... (cached) yes
checking for ranlib... ranlib
checking for gzip... gzip
checking for OPENSSL_add_all_algorithms_conf in -lcrypto... no
checking for perl5... no
checking for perl... /usr/bin/perl
checking for chown... /bin/chown
checking Linux kernel version... 2
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... 64
checking for _LARGE_FILES value needed for large files... no
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking return type of signal handlers... void
checking for sigset... yes
checking for int32_t using gcc... yes
checking for u_int32_t using gcc... yes
checking for u_int16_t using gcc... yes
checking for u_int8_t using gcc... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for memory.h... (cached) yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking socket.h usability... no
checking socket.h presence... no
checking for socket.h... no
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for net/ethernet.h... yes
checking for netinet/ether.h... yes
checking for netinet/if_ether.h... yes
checking for sys/ethernet.h... no
checking for netinet/ip6.h... yes
checking for socklen_t... yes
checking if syslog returns int... no
checking if we should declare socket and friends... no
checking for gethostbyname... yes
checking for socket... yes
checking for putmsg in -lstr... no
checking for local pcap library... not found
checking for pcap_open_live in -lpcap... no
checking for pcap_open_live in -lpcap... no
configure: error: see the INSTALL doc for more info
Hello Guys,
After enabling the dpd (const use_dpd = T;) I am having
problems starting bro with the following message:
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host:
j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host:
j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host:
si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host:
si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host:
wm3018.inktomi.com
line 1: error: Can't open signature file dpd.sig
... FAILED
Hi,
Currently I'm on the job of profiling Bro. I have been trying to use the vtune
profiler but have been unsuccessful. As I try to profile, vtune
hangs. Maybe because I haven't given the proper specifications
regarding
1. Application to launch:
2. Application arguments: (optional)
3. Working directory: (optional)
I believe that vtune profiles the binary file of Bro. Please tell me the
binary file corresponding to the Bro IDS software.
Can anybody suggest any other profilers for the software, other than vtune,
which are user friendly?
I shall be much obliged if anyone comes up with a solution to help me.
Specifications:
Bro-IDS v1.2.1
Fedora 6
vtune v9.0
Thanking you,
Yours sincerely,
Abin C M
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it.
Contact your Administrator for further information.
Hi
I have a rather urgent problem. For the evaluation of my diploma
thesis, I want to run Bro in a DSL-Core Network. The traffic there is
encapsulated multiple times and Bro does not inspect the real payload
without adjustment. This is what I could determine from looking at a
sample trace:
MPLS: 4 bytes
MPLS: 4 bytes
IP: 20 bytes
UDP: 8 bytes
L2TP: 8 bytes
PPP: 4 bytes
Total encapsulation headers: 48 bytes
I tried playing around with parse_udp_tunnels, udp_tunnel_port and
encap_hdr_size (set to 48), but without any real success. Any chance I
can get this working?
Regards - Fabian
I just realized. I had to do a
redef capture_filters += { ["mpls"] = "mpls"};
redef encap_hdr_size = 48;
Because the outermost encapsulation is MPLS...
- Fabian
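Added example (my own code, not Fabian's and not part of Bro): it builds a constructed packet with exactly the header stack listed in the message (MPLS, MPLS, IP, UDP, L2TP, PPP) and then walks those headers to compute the offset of the inner IP header, which is the number that goes into encap_hdr_size. The walker goes a little beyond the single case in the post: it follows the MPLS bottom-of-stack bit for any label depth and honours the optional L2TPv2 length, sequence and offset fields (RFC 2661 bit layout), so it can also tell you when a fixed value of 48 would be wrong for part of a trace. Addresses, labels, tunnel and session IDs are made-up sample values; the 4-byte PPP header with address/control bytes 0xff 0x03 is assumed, as in the post.

```python
import struct
from typing import List

# L2TPv2 flag bits (RFC 2661) and the PPP protocol number for IPv4 (RFC 1661).
L2TP_T = 0x8000   # control message (no PPP payload)
L2TP_L = 0x4000   # Length field present
L2TP_S = 0x0800   # Ns/Nr sequence fields present
L2TP_O = 0x0200   # Offset Size field (plus padding) present
L2TP_PORT = 1701
PPP_IPV4 = 0x0021


def mpls_entry(label: int, bottom: bool, ttl: int = 64) -> bytes:
    """One 4-byte MPLS label stack entry: label(20) exp(3) S(1) ttl(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5; checksum left zero, offsets do not need it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def build_sample() -> bytes:
    """Constructed packet with the stack from the post: MPLS, MPLS, IP, UDP, L2TP, PPP, inner IP."""
    inner = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, 7) + b"PAYLOAD"
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + inner            # 4-byte PPP header
    l2tp = struct.pack("!HHHH", L2TP_L | 2, 8 + len(ppp), 7, 9) + ppp  # 8-byte L2TPv2 data header
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    ip = ipv4_header(b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02", 17, len(udp)) + udp
    return mpls_entry(100, False) + mpls_entry(200, True) + ip


def encap_header_size(pkt: bytes) -> int:
    """Walk the encapsulation headers and return the byte offset of the inner IP header."""
    off = 0
    while True:                                   # MPLS: stop at the bottom-of-stack entry
        (entry,) = struct.unpack_from("!I", pkt, off)
        off += 4
        if entry & 0x100:
            break
    if (pkt[off] >> 4) != 4 or pkt[off + 9] != 17:  # outer header must be IPv4 carrying UDP
        raise ValueError("outer header is not IPv4/UDP")
    off += (pkt[off] & 0x0F) * 4
    (dport,) = struct.unpack_from("!H", pkt, off + 2)
    if dport != L2TP_PORT:
        raise ValueError(f"UDP port {dport} is not L2TP")
    off += 8
    (flags,) = struct.unpack_from("!H", pkt, off)
    if (flags & 0x000F) != 2 or flags & L2TP_T:
        raise ValueError("not an L2TPv2 data message")
    hdr = 6                                       # flags/version + tunnel ID + session ID
    hdr += 2 if flags & L2TP_L else 0
    hdr += 4 if flags & L2TP_S else 0
    if flags & L2TP_O:                            # Offset Size field, then that much padding
        (pad,) = struct.unpack_from("!H", pkt, off + hdr)
        hdr += 2 + pad
    off += hdr
    if pkt[off:off + 2] != b"\xff\x03":           # PPP address/control, as in the post's 4-byte PPP
        raise ValueError("PPP address/control bytes missing")
    (ppp_proto,) = struct.unpack_from("!H", pkt, off + 2)
    off += 4
    if ppp_proto != PPP_IPV4:
        raise ValueError(f"inner PPP protocol 0x{ppp_proto:04x} is not IPv4")
    return off


def bro_redefs(size: int) -> List[str]:
    """The two redef lines from the post, with the size taken from the measured stack."""
    return ['redef capture_filters += { ["mpls"] = "mpls"};', f"redef encap_hdr_size = {size};"]


if __name__ == "__main__":
    pkt = build_sample()
    n = encap_header_size(pkt)
    print(n, hex(pkt[n]))           # 48 0x45: the inner IPv4 header starts at byte 48
    print("\n".join(bro_redefs(n)))
```

Two things the walk makes visible. First, the "mpls" capture filter is needed because the link-layer protocol of these frames is MPLS, not IP, so Bro's default per-protocol filters never match them; the filter selects the frames and encap_hdr_size tells Bro where the IP header sits. Second, encap_hdr_size is a single constant, so it is only right if every packet carries the same stack: a third label, or an L2TP header with the S or O bit set, shifts the inner header and the constant silently points at the wrong bytes. Running encap_header_size over a sample of the trace and checking that it always returns the same value is the cheap way to confirm the assumption before trusting the analysis.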
On Jan 17, 2008 4:01 PM, Ashley Thomas <ashley.thomas(a)gmail.com> wrote:
> What would be the tcpdump filter you would use in that setup
> let's say to capture only tcp packets.
>
> Bro uses libpcap like tcpdump to capture the packets.
>
> You can modify the filters that's there in the policy scripts to read
> the packets
> off the network interface.
>
>
>
> On Jan 17, 2008 8:59 AM, Fabian Hensel <irdeto(a)gmail.com> wrote:
> > Hi
> >
> > I have a rather urgent problem. For the evaluation of my diploma
> > thesis, I want to run Bro in a DSL-Core Network. The traffic there is
> > encapsulated multiple times and Bro does not inspect the real payload
> > without adjustment. This is what I could determine from looking at a
> > sample trace:
> >
> > MPLS: 4 bytes
> > MPLS: 4 bytes
> > IP: 20 bytes
> > UDP: 8 bytes
> > L2TP: 8 bytes
> > PPP: 4 bytes
> > Total encapsulation headers: 48 bytes
> >
> > I tried playing around with parse_udp_tunnels, udp_tunnel_port and
> > encap_hdr_size (set to 48), but without any real success. Any chance I
> > can get this working?
> >
> > Regards - Fabian
> > _______________________________________________
> > Bro mailing list
> > bro(a)bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
>
>
> --
> Karmanye Vadhikaraste Ma Phaleshu Kadachana, Ma Karma Phala Hetur
> Bhurmatey Sangostva Akarmani
>
Hi,
I'm facing an issue when trying to profile Bro IDS 1.2.1 using vtune in
Fedora 6.
I get an error "cannot access bro.init" and vtune is not responding.
I tried with export BROPATH=/usr/local/bro and still the problem exists.
Can you help me out with this issue?
Please recommend some profiling tools to profile the Bro software and how to
profile it.
Expecting a + reply.
Thank you.
Abin C M
Have the semantics of the "L" flag in the conn log been changed?
From http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Event…:
Line format:
-----
<start> <duration> <local IP> <remote IP> <service> <local port> \
<remote port> <protocol> <org bytes sent>, <res bytes sent> <state> \
<flags> <tag>
-----
and
-----
L indicates that the connection was initiated locally, i.e., the host corresponding to A_l initiated the connection. If L is missing, then the host corresponding to A_r initiated the connection.
-----
However, this does not seem to agree with what I see in the conn log. When interpreted this way, I see strange stuff like a web server making outbound connections from port 80 to some high numbered port. This is even more confusing when trying to figure out which host is portscanning and which one is being scanned.
The correct line format seems to be <start> <duration> <originating IP> <responding IP> <service> <originating port> <responding port>... Can anyone confirm this?
conn.bro, line 275 suggests that this is the case:
-----
local log_msg =
fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
c$start_time, duration, id$orig_h, id$resp_h, s,
-----
However, I'd like to make sure that it is.
Thanks.
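Added example, written for this thread rather than taken from Bro: a parser for the whitespace-separated conn log line as printed by the fmt() call quoted above, plus a function that resolves initiator and responder under each of the two readings in question (the wiki's local/remote columns with L meaning "initiated locally", and the orig/resp columns suggested by conn.bro). The two sample lines are constructed, not from a real log; "?" as the marker for an unknown duration or byte count and "X" as the flag value when L is absent are assumptions of the example, and the column names beyond those visible in the quoted fmt() follow the wiki line format.

```python
from typing import Any, Dict

# The 12 positional columns, followed by an optional trailing tag/addl field.
# Hosts and ports are kept positional on purpose: which of the two readings
# (orig/resp or local/remote) is correct is exactly the open question.
COLUMNS = ["start", "duration", "host1", "host2", "service", "port1", "port2",
           "proto", "bytes1", "bytes2", "state", "flags"]

# Constructed sample lines (not from a real conn log). The second one uses "?"
# for unknown duration/bytes and "X" as a stand-in for "L missing" (both assumed).
SAMPLE_LINES = [
    "1201268671.707425 0.302 10.0.0.5 209.85.171.86 http 1233 80 tcp 512 2048 SF L",
    "1201268700.000000 ? 198.51.100.7 10.0.0.8 http 51234 80 tcp ? ? S0 X",
]


def _num(tok: str, cast):
    """Numeric column that may be '?' when Bro could not determine the value."""
    return None if tok == "?" else cast(tok)


def parse_conn_line(line: str) -> Dict[str, Any]:
    """Parse one conn log line into typed columns; extra trailing tokens become 'addl'."""
    toks = line.split()
    if len(toks) < len(COLUMNS):
        raise ValueError(f"expected at least {len(COLUMNS)} columns: {line!r}")
    rec: Dict[str, Any] = dict(zip(COLUMNS, toks))
    rec["addl"] = " ".join(toks[len(COLUMNS):])
    rec["start"] = float(rec["start"])
    rec["duration"] = _num(rec["duration"], float)
    rec["port1"], rec["port2"] = int(rec["port1"]), int(rec["port2"])
    rec["bytes1"], rec["bytes2"] = _num(rec["bytes1"], int), _num(rec["bytes2"], int)
    return rec


def interpret(rec: Dict[str, Any], ordering: str) -> Dict[str, Any]:
    """Resolve initiator and responder under one of the two readings.

    'orig_resp'    : host1 is always the originator; L says whether it is local.
    'local_remote' : host1 is always the local host; L says whether it initiated.
    """
    local_initiated = rec["flags"] == "L"
    if ordering == "orig_resp":
        first_is_initiator = True
    elif ordering == "local_remote":
        first_is_initiator = local_initiated
    else:
        raise ValueError(f"unknown ordering {ordering!r}")
    if first_is_initiator:
        ini, ini_p, rsp, rsp_p = rec["host1"], rec["port1"], rec["host2"], rec["port2"]
    else:
        ini, ini_p, rsp, rsp_p = rec["host2"], rec["port2"], rec["host1"], rec["port1"]
    return {"initiator": ini, "initiator_port": ini_p, "responder": rsp,
            "responder_port": rsp_p, "initiator_is_local": local_initiated}


def readings_disagree(rec: Dict[str, Any]) -> bool:
    """True when the two readings name different initiators (in practice: whenever L is absent)."""
    return interpret(rec, "orig_resp") != interpret(rec, "local_remote")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_conn_line(line)
        for ordering in ("orig_resp", "local_remote"):
            r = interpret(rec, ordering)
            print(f"{ordering:13s} {r['initiator']}:{r['initiator_port']} -> "
                  f"{r['responder']}:{r['responder_port']}  local_init={r['initiator_is_local']}")
```

Running it shows why the question matters: the two readings give the same answer on every line that carries L, and swap initiator and responder on every line that does not. The second sample line is the case described above: read as local/remote it becomes a web server opening a connection from port 80 to a high port, read as orig/resp it is a remote client connecting to a local server on port 80. For scan attribution that is the difference between naming the scanner and naming the victim, so it is worth settling against conn.bro rather than the wiki text before building anything on the flag.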