I've found an interesting binpac parse error when parsing http headers
from www.golfsmith.com using http-protocol.pac. The problem is that the
golfsmith server is replying with a header that http-protocol.pac is
interpreting as corrupt.
Here's an example of the golfsmith.com headers:
HTTP/1.1 200 OK
Date: Fri, 01 Feb 2008 17:10:30 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6
 DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Type: text/html
Note the line DAV/2 that starts with a space. That's where the
parsing error occurs. However, it seems like this may actually be legal
according to the standards.
RFC2616 section 2.2 indicates that
"HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding, has the same semantics as SP. A
recipient MAY replace any linear white space with a single SP before
interpreting the field value or forwarding the message downstream."
According to this section, the www.golfsmith.com header "Server:" is
broken across the two lines, and its value is actually "Apache/2.2.6
(Unix) mod_ssl/2.2.6<LF><SP>DAV/2 PHP/5.2.5"
Does anyone have ideas on how http-protocol.pac should be modified to
handle this situation?
Thanks,
Kelvin Edmison
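As an added illustration (not code from the thread, from Bro or from binpac), the following Python parser unfolds header continuation lines the way RFC 2616 section 2.2 describes: a line beginning with SP or HTAB is appended to the previous field's value with the fold replaced by a single SP. The sample response is constructed from the golfsmith.com headers quoted above; a monitor that instead treats the fold as corruption loses visibility into a connection the endpoints themselves parse without complaint.

```python
import re

# Constructed sample modelled on the golfsmith.com reply quoted above:
# the Server value is folded onto a second line that begins with a space.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 01 Feb 2008 17:10:30 GMT\r\n"
    b"Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6\r\n"
    b" DAV/2 PHP/5.2.5\r\n"
    b"X-Powered-By: PHP/5.2.5\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) with folded lines joined.

    A line beginning with SP or HTAB continues the previous field (RFC 2616
    section 2.2); the line break plus leading white space of the fold is
    replaced by a single SP. A continuation with no preceding field is a
    framing error and is rejected instead of being glued onto the status line.
    Both CRLF and bare LF line endings are accepted.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    status, fields = lines[0], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if not fields:
                raise ValueError("continuation line before any header field")
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip(b" \t"))
        else:
            name, sep, value = line.partition(b":")
            if not sep or not name.strip():
                raise ValueError("malformed header line: %r" % line)
            fields.append((name.strip(), value.strip(b" \t")))
    # any remaining run of linear white space inside a value becomes one SP
    return status, [(n, re.sub(rb"[ \t]+", b" ", v)) for n, v in fields]


def header(fields, name):
    """Case-insensitive lookup of the first field called `name`."""
    for n, v in fields:
        if n.lower() == name.lower():
            return v
    return None
```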
Hello,
I checked out and built the latest version from stable svn tree, and now
startup is failing on an error from the scan.bro policy.
<snip>
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/policy/scan.bro, line 302 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 313 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 313 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 377 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 377 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 385 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 385 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 398 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 398 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 421 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 421 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 424 (): error, empty list in untyped
initialization
/usr/local/bro/policy/scan.bro, line 424 (&mergeable): error, &mergeable
only applicable to tables/sets
/usr/local/bro/policy/scan.bro, line 448 (): error, empty list in untyped
initialization
... FAILED
</snip>
I see the "set() &mergeable" notation in other policy files, and I'm not
sure I see what is different in this one.
Let me know if you need more supporting info.
Thanks,
-Stephen
Hi everyone, please help me out.
Actually I want to find out the URLs visited by the users. Please tell me how to do that.
I'm trying to do that by using the following event:
# A handler is written with the "event" keyword; "global ...: event(...)" only
# declares the event's signature. Strings are concatenated with "+".
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
print original_URI + "------";
}
but I don't know the data structure of original_URI. Please tell me where these data structures are defined, like the data structure for c: connection is:
type connection: record {
id: conn_id;
orig: endpoint;
resp: endpoint;
start_time: time;
duration: interval;
service: string;
# if empty, service not yet determined
addl: string;
hot: count;
history: string;
};
If you have other ideas please let me know. I'm new to Bro. I will be very thankful to you.
Thanks & Regards
Navdeep Singh
+91-094640-77449
Hi everyone, somebody please help me. How can I build custom scripts? Please give me a small piece of code, like:
@load ....... <------- // I don't know what this is used for...
@prefix ...... <------ // same problem with this.....
and do we need to save it as xxx.bro and store it in the SITE directory, and can we access it as
#bro -r trace.out xxx.bro
Please tell me the procedure so that I can get started.
Thanks & Regards
Navdeep Singh
094640-77449
Sorry, but when I try to read a file I receive the following output:
root@lobito:/usr/local/bro/etc# /usr/local/bro/bin/bro -r segment190.pcap
line 1: error: can't open bro.init
root@lobito:/usr/local/bro/etc# netstat -natu -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2317/hpiod
tcp 0 0 127.0.0.1:36942 0.0.0.0:* LISTEN 2320/python
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2006/portmap
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 2619/inetd
tcp 0 0 0.0.0.0:39636 0.0.0.0:* LISTEN 2709/rpc.statd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2433/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2563/exim4
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2507/avahi-daemon:
udp 0 0 0.0.0.0:32770 0.0.0.0:* 2709/rpc.statd
udp 0 0 192.168.150.134:32787 192.168.150.2:53 ESTABLISHED 21988/bro
udp 0 0 0.0.0.0:68 0.0.0.0:* 3184/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2507/avahi-daemon:
udp 0 0 0.0.0.0:111 0.0.0.0:* 2006/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2433/cupsd
udp 0 0 0.0.0.0:765 0.0.0.0:* 2709/rpc.statd
Does anybody know what I'm doing wrong? Or do I have to set another
option to read this file?
thanks
I have been testing Bro 1.2.1 and the current 1.3.2. In both cases over time
the memory is eventually exhausted. It takes only a few hours with some
intensive pcaps to reach this point. I spent a little bit of time running
1.3.2 through Valgrind but I was not able to find a definitive leak.
I will keep looking into this more, but I wanted to see if anyone was aware
of any potential memory leaks, or of resources being used that are not
being released.
Thanks,
// Joel
On Fri, Mar 14, 2008 at 03:00:06AM +0100, rmkml wrote:
> Hi Robin,
> What does line 1281 of /usr/local/bin/site-report.pl contain?
> Regards
> Rmkml
>
The following entry:
..
if( !( print $fh $$part ) )
..
site-report.pl is located in the bro source tree under scripts/perl/script.
Regards,
Robin Gruyters
>
> On Fri, 14 Mar 2008, Robin Gruyters wrote:
>
> >Date: Fri, 14 Mar 2008 08:57:27 +0100
> >From: Robin Gruyters <r.gruyters(a)yirdis.nl>
> >To: bro(a)ICSI.Berkeley.EDU
> >Subject: [Bro] undefined value as a SCALAR
> >
> >Hi ya,
> >
> >Yesterday I installed Bro 1.3.x from SVN on one of our test servers
> >and noticed the following message when trying to run site-report.pl:
> >
> >Finished processing alarm files
> >Starting processing of conn file
> >/nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00
> >Finished processing conn file
> >Starting processing of conn file
> >/nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20
> >Finished processing conn file
> >Can't use an undefined value as a SCALAR reference at
> >/usr/local/bin/site-report.pl line 1281.
> >: 1204412358.158256
> >Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >
> >Although it says it is generating a report, the report itself is empty:
> >
> ># ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >-rw-r--r-- 1 root bro 0 Mar 14 08:51
> >/nsm/bro/reports/yirdis.net.1205481090.21744.rpt
> >
> >Kind regards,
> >--
> >Robin Gruyters
> >Network and Security Engineer
> >Betronic Nederland B.V.
> >I: http://yirdis.com
> >I: http://betronic.nl
> >P: +31 (0)20 5659191
> >F: +31 (0)20 5659190
> >
Hi ya,
Yesterday I installed Bro 1.3.x from SVN on one of our test servers and
noticed the following message when trying to run site-report.pl:
Finished processing alarm files
Starting processing of conn file /nsm/bro/logs/conn.test.08-03-12_13.48.58-08-03-13_00.00.00
Finished processing conn file
Starting processing of conn file /nsm/bro/logs/conn.test.08-03-13_13.15.13-08-03-13_13.15.20
Finished processing conn file
Can't use an undefined value as a SCALAR reference at /usr/local/bin/site-report.pl line 1281.
: 1204412358.158256
Generating report file: /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
Although it says it is generating a report, the report itself is empty:
# ls -l /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
-rw-r--r-- 1 root bro 0 Mar 14 08:51 /nsm/bro/reports/yirdis.net.1205481090.21744.rpt
Kind regards,
--
Robin Gruyters
Network and Security Engineer
Betronic Nederland B.V.
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190
I'm cc'ing this issue to the Bro mailing list.
On Mar 14, 2008, at 3:46 AM, Anh Le wrote:
> Hello Matthias,
>
> I am very interested in your work on NIDS cluster. I have read both
> your Bachelor's thesis and your recent publication in RAID 2007. They
> are very nicely done. However, during my reading, I have several
> questions regarding the Inter-Connection Analysis which I can not find
> the answers. In particular, my questions arise from this paragraph:
>
> ------------------------------
> Some scripts, however, do require information from multiple
> connections. A prominent example is the scan detector, which counts
> connection attempts per source address. If these reach a certain
> threshold, the system raises an alarm. In the cluster setup, the scan
> detector now must count across backends; we therefore synchronize the
> corresponding tables of counters (which simply entails annotating the
> corresponding script variables with the attribute &synchronized).
> Other examples of scripts needing synchronization are the worm
> detector (which maintains a global list of infected hosts) and the
> SMTP relay detector (which identifies open SMTP relays by associating
> incoming with outgoing mails). Overall, we needed to synchronize 29
> script-level variables spanning 19 different types of analysis.
> ------------------------------
>
> 1. I can not find details about the 19 types of analysis and 29
> variables mentioned above. I wonder if you could help me with the
> details about them.
Hi Anh,
thanks for delving into these issues so profoundly. I hope I can help
you with your questions.
At the time of writing the thesis, we counted 29 script variables that
had to be synchronized in order to maintain the correct global
semantics. The 19 types of analysis are simply the different uses,
e.g. scan detection, SMTP relay detection, worm detection, etc. By
looking at the &synchronized variables in the code, you can check to
which type of analysis the variable corresponds. To this end, consult
Robin's work branch with the most recent updates on cluster work. Here
is some information that might help you get started: http://blog.icir.org/search/label/subversion.
> 2. I also wonder if during your experimentation, you have any
> statistics or insights about the percentage of detection requiring
> Inter-Connection Analysis in comparison with the one only requiring
> Intra-Connection Analysis.
We did not explicitly measure the percentage of inter-connection
vs. intra-connection analysis. When we performed the measurements, the
scan detection accounted for the largest share of inter-connection
analysis. The other types of analysis were comparably negligible. Note
that this greatly depends on your traffic's application mix and may
greatly vary in different environments.
> 3. Finally, does Bro have any DDoS detection policy scripts which
> require Inter-Connection Analysis?
To my knowledge, no such scripts exist (please correct me if I am
wrong!). But if they did, they sure would require inter-connection
analysis, as this type of analysis has global semantics.
Feel free to ask any further questions, preferably to the Bro mailing
list directly!
Matthias
--
Matthias Vallentin
vallentin(a)icsi.berkeley.edu
pgp/gpg: 0x37F34C16